Cyber Defense eMagazine January Edition for 2022

“Owning Your Identity” Through Biometric 

and Passwordless Innovations 

How To Thwart Fraud with Phone Numbers 

Phishing: How To Improve Cybersecurity 

Awareness 

Cybersecurity Alone Is Not Enough, Systems 

Need Cyber Resiliency 

…and much more… 

Cyber Defense eMagazine – January 2022 Edition 1 

Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.

CONTENTS 

Welcome to CDM’s January 2022 Issue ---------------------------------------------------------------------------------- 6 

“Owning Your Identity” Through Biometric and Passwordless Innovations --------------------------------- 38 

By Bob Eckel, CEO, Aware 

How To Thwart Fraud with Phone Numbers ------------------------------------------------------------------------- 41 

By Guillaume Bourcy, Vice President, Data & Identity Solutions, TeleSign 

Phishing: How To Improve Cybersecurity Awareness -------------------------------------------------------------- 45 

By Jason Stirland, CTO at DeltaNet International 

Cybersecurity Alone Is Not Enough, Systems Need Cyber Resiliency ------------------------------------------- 48 

By Eric Sivertson, VP of Security Business Development, Lattice Semiconductor 

Why Hackers Attack Mobile Devices and How to Prevent It ----------------------------------------------------- 51 

By Nicole Allen, Marketing Executive at Salt Communications 

How to Avoid Spam Texts and Protect Personal Information in the Digital Age ---------------------------- 56 

By Reinhard Seidel, Director Products at Clickatell 

Microsoft Successfully Defended The Azure Cloud From A Massive DDOS Attack. (Spoiler: You Can, 

Too.) ---------------------------------------------------------------------------------------------------------------------------- 59 

by Jason Barr, Senior Director of Innovation, Core BTS 

Why Americans Joined Europe in Not Paying Security Ransoms ------------------------------------------------ 63 

By Lee Pitman, Global Head of Response Services, BreachQuest 

First Steps to Alleviate Long-Term Consequences from A Cyberattack ---------------------------------------- 66 

By Sergey Ozhegov, CEO, SearchInform 

Looking Ahead: Five Security Trends For 2022 ----------------------------------------------------------------------- 70 

By Mark Guntrip, Strategy Leader at Menlo Security. 

OT/IT Security – Two Sides of the Same Coin ------------------------------------------------------------------------ 74 

By Sachin Shah, CTO of OT, Armis 



WatchGuard Technologies’ 2022 Predictions: State-Sponsored Mobile Threats, Space-Related Hacks 

and More ---------------------------------------------------------------------------------------------------------------------- 77 

By Corey Nachreiner, Chief Security Officer, WatchGuard Technologies 

What Are DeFi Flash Loans & How to Prevent Flash Loan Attacks? -------------------------------------------- 81 

By Kiril Ivanov, Founder and Technical Lead, Bright Union 

Protecting Critical Infrastructure Against Cyberattacks ----------------------------------------------------------- 87 

By Sean Deuby | Director of Services, Semperis 

Three Key Facts About AI-Driven Network Detection and Response ------------------------------------------- 91 

By Eyal Elyashiv, CEO, Cynamics 

Cybersecurity Experts Share Their Predictions for 2022 ----------------------------------------------------------- 94 

By Danny Lopez, CEO of Glasswall 

Our Cyber Defenses Need to Be Battle-Tested to Withstand Future Threats ------------------------------ 109 

by Hugo Sanchez, Founder and CEO of rThreat 

12 Tips for Improving Access Control in Your Organization ---------------------------------------------------- 113 

By Bryon Miller ASCENT 

Four Cybersecurity Predictions Federal Agencies Should Expect in 2022 ----------------------------------- 117 

By Mark Sincevich, Federal Director, Illumio 

Recognizing the Value of Secure Wi-Fi for Unified Security Platforms -------------------------------------- 120 

By Ryan Poutre, Product Manager at WatchGuard Technologies 

Cybersecurity Tips to Help Your Organization in 2022 ----------------------------------------------------------- 123 

By Jeffrey J. Engle, President of Conquest Cyber 

New Security Report Reveal 91.5% of Malware Arrives Over HTTPS-Encrypted Connections --------- 126 

By Corey Nachreiner, CSO, WatchGuard Technologies 



@MILIEFSKY 

From the 

Publisher… 

We’ll be celebrating our 10 th Year in business and of our Global InfoSec Awards and as a 

Dear Friends, 

Platinum Media Partner of RSA Conference on June 6-9, 2022 – See You There! 

As we celebrate completing the first 10 years of Cyber Defense Magazine #CDM, our leading platform at 

the Cyber Defense Media Group (CDMG), we also renew our direction and energy toward expanding and 

deepening our publishing and information services; filling the needs of the cybersecurity community. 

While we still feel the widespread effects of COVID and WFH, we recognize the necessity of keeping 

current with developments in the industry and marketplace. The proliferation of points of vulnerability 

under the present cyber landscape has been accompanied by the creation and implementation of new 

and heretofore unseen attack vectors. 

Cyber criminals are not sitting idle while all of these developments take place. In response, we must 

constantly explore new ways to bring together cyber professionals with enlightened management and 

investors, in order to find and implement the most effective means of bringing the necessary resources 

together. 

We therefore are launching our ‘bridge’ from Q1 to Q2 with some incredible news. Learn more at: 

https://www.cyberdefenseconferences.com/ 

Please bookmark this website for a once-in-a-lifetime gathering in April, 2022… 

Warmest regards, 

Gary S. Miliefsky, CISSP®, fmDHS 

CEO, Cyber Defense Media Group 

Publisher, Cyber Defense Magazine 

P.S. When you share a story or an article or information about 

CDM, please use #CDM and @CyberDefenseMag and 

@Miliefsky – it helps spread the word about our free resources 

even more quickly 

p.s. Reminder, our favorite infosec event, RSAC 2022 has moved to June 6-9, 2022 a.k.a. D-Day or Operation 

Neptune. Don’t wait around for D-Day. Every day is cyberdefenseconferences.com day. More OSINT coming… 



@CYBERDEFENSEMAG 

CYBER DEFENSE eMAGAZINE 

Published monthly by the team at Cyber Defense Media Group and 

distributed electronically via opt-in Email, HTML, PDF and Online 

Flipbook formats. 

InfoSec Knowledge is Power. We will 

always strive to provide the latest, most 

up to date FREE InfoSec information. 

From the International Editor-in-Chief… 

In observing the behavior of governmental entities, we see different 

imperatives come into play. They tend to be related to the impact 

of taxes and regulation in encouraging economic development and 

employment choices by organizations to locate headquarters and 

operating facilities. 

In today’s international environment, we see these forces being 

played out in the cybersecurity arena, as reflected in such diverse 

areas as consumer privacy protection and antitrust law and 

regulation. 

What are the trade-offs? They are many and varied. In deciding 

where to locate a head office or service center or manufacturing 

facility, how to corporate executives weigh such values as the overall 

cost of doing business, labor costs, regulatory burdens, taxation, 

privacy and consumer protections, and many more. 

What is the value of operating in an environment of secure elements 

of critical infrastructure? In the world of competitive cybersecurity, 

we must always take into consideration the value of reliability, 

resilience, and sustainability. 

As always, we encourage cooperation and compatibility among 

nations and international organizations in responding to these 

cybersecurity concerns. 

To our faithful readers, we thank you, 

Pierluigi Paganini 

International Editor-in-Chief 

INTERNATIONAL EDITOR-IN-CHIEF & CO-FOUNDER 

Pierluigi Paganini, CEH 

Pierluigi.paganini@cyberdefensemagazine.com 

US EDITOR-IN-CHIEF 

Yan Ross, JD 

Yan.Ross@cyberdefensemediagroup.com 

ADVERTISING 

Marketing Team 

marketing@cyberdefensemagazine.com 

CONTACT US: 

Cyber Defense Magazine 

Toll Free: 1-833-844-9468 

International: +1-603-280-4451 

SKYPE: cyber.defense 

http://www.cyberdefensemagazine.com 

Copyright © 2022, Cyber Defense Magazine, a division of CYBER 

DEFENSE MEDIA GROUP 

1717 Pennsylvania Avenue NW, Suite 1025 

Washington, D.C. 20006 USA 

EIN: 454-18-8465, DUNS# 078358935. 

All rights reserved worldwide. 

PUBLISHER 

Gary S. Miliefsky, CISSP® 

Learn more about our founder & publisher at: 

http://www.cyberdefensemagazine.com/about-our-founder/ 

9+ YEARS OF EXCELLENCE! 

Providing free information, best practices, tips, and techniques 

on cybersecurity since 2012, Cyber Defense magazine is your 

go-to-source for Information Security. We’re a proud division 

of Cyber Defense Media Group: 

CYBERDEFENSEMEDIAGROUP.COM 

MAGAZINE TV RADIO AWARDS 

PROFESSIONALS 

VENTURES 

WEBINARS 

CYBERSECURITYMAGAZINE (FOR CONSUMERS) 



Welcome to CDM’s January 2022 Issue 

From the U.S. Editor-in-Chief 

In the first issue of Cyber Defense Magazine for 2022, we continue see patterns developing and 

extending into the future. The breadth of topics among the two dozen articles in this issue of Cyber 

Defense Magazine reflect the perceived concerns and (in many cases) solutions offered by our 

contributing authors. 

Our contributing authors have much to offer on current industry challenges from both high-altitude 

perspectives and down-to-earth practical analysis of the developments in cybersecurity today. 

We encourage you to read through the Table of Contents, where you will see numerous articles of 

immediate interest. In this manner, Cyber Defense Magazine strives to bring our readers actionable 

intelligence from highly knowledgeable cyber professionals. 

We always include a broad spectrum of threats, preventive measures, ways to assure resilience and 

sustainability, and operational advice for organizations needing to maintain the confidentiality, 

accessibility, and integrity of sensitive data. 

In this way, Cyber Defense Magazine keeps our readers current on emerging trends and solutions in the 

world of cybersecurity. That is our guiding star in proceeding on this journey with our readers. 

Wishing you all success in your cybersecurity endeavors, 

Yan Ross 

US Editor-in-Chief 


About the US Editor-in-Chief 

Yan Ross, J.D., is a Cybersecurity Journalist & U.S. Editor-in-Chief of Cyber 

Defense Magazine. He is an accredited author and educator and has 

provided editorial services for award-winning best-selling books on a variety 

of topics. He also serves as ICFE's Director of Special Projects, and the author 

of the Certified Identity Theft Risk Management Specialist ® XV CITRMS® 

course. As an accredited educator for over 20 years, Yan addresses risk management in the areas of identity theft, 

privacy, and cyber security for consumers and organizations holding sensitive personal information. You can reach 

him by e-mail at yan.ross@cyberdefensemediagroup.com 





MOVED TO JUNE 6-9, 2022… 



MUST ATTEND REPLAY 

AVAILABLE ON-DEMAND 

STARTING JANUARY 6, 2022 

AT 2PM EDT 



























































“Owning Your Identity” Through Biometric and 

Passwordless Innovations 

By Bob Eckel, CEO, Aware 

Consumers around the world have become increasingly comfortable engaging with businesses digitally. 

Between 2020 and 2021, driven in part by the pandemic, the proportion of U.S. consumers using digital 

financial services grew from 58 percent to 88 percent. Ecommerce has also grown significantly, especially 

when it comes to mobile commerce; Forbes reports that by the end of 2021 mobile will make up about 

73 percent of all ecommerce sales, up sharply from 52 percent in 2016. 

Unfortunately, there is also risk to these business transactions going online. Malicious actors have taken 

note of this growth, and identity fraud schemes have escalated in response. Identity fraud scams – which 

typically trick users into giving away their username and password to sensitive accounts, including 

banking, credit cards, or online shopping profiles, accounted for $43 billion lost in 2020. 



But in spite of this threat, consumers are growing increasingly frustrated with passwords. It’s 

understandable, given they now expect webpages to load in one to two seconds or less (including on 

mobile) - you can imagine that taking extra time to recall and input passwords can be aggravating. 

Authentication processes requiring customers to get codes sent via SMS or email before accessing their 

accounts may also result in users exiting online transactions; in fact, research shows that up to 60 percent 

of consumers do this for exactly those reasons. 

Customers want the best of both worlds – superior convenience combined with the best security out 

there. Businesses have no choice to deliver, lest they lose customer confidence and revenue. Is there a 

way to meet in the middle? 

Benefits of Biometric Security 

Biometric authentication is a form of security that verifies an individual’s identity via unique physical 

characteristics. Customers who own an iPhone that can be unlocked with their fingerprint or face are 

already very familiar with this kind of security. It is extremely effective because it relies on a person’s 

unique physical characteristics to secure their data as opposed to something a user has – like login 

credentials – that can be shared, stolen, or lost. 

Biometrics can also be used as a multifactor authentication tool, adding a level of security without adding 

significant processing time. Put simply, multifactor authentication is a method in which a user is logged 

in after successfully presenting two or more pieces of evidence – like a password, then a fingerprint – to 

an authentication mechanism. 

To revert to our iPhone example for a moment, customers looking to purchase from the App Store not 

only have to enter their passcode but must also use facial or fingerprint ID to verify their purchase. It’s an 

extra level of security without adding noticeable time to the process. This time-saving benefit doesn’t just 

apply to customers accessing digital services; it can also be used for effectively onboarding remote 

employees and ensuring that employees who need faster access to systems can get what they need 

quickly. 

Countering Concerns Around Implementation 

At a higher societal level, some issues have been raised around the use of biometrics, particularly facial 

recognition. Citing privacy concerns, one large social media company recently eliminated its facial 

recognition capabilities. Simultaneously, a major airline announced they were working to expand their 

facial recognition-enabled offerings in scale and scope so more customers can experience a hands-free 

journey in the future. 

The difference in societal response to the implementation of facial recognition can be traced to a series 

of security and procedural concerns. The majority of these concerns stem from the consent and 



transparency issues that often surround facial recognition use. Biometrics in the form of facial recognition 

can have huge benefits, when implemented properly. What does this mean? 

Organizations should ensure that all procedures are clear, consent-based, have easy opt-in and opt-out 

options, and are transparent about what information is being used or collected. This enables users to 

“own their identities” and helps them feel secure in how their data is being collected and/or used. 

Additionally, organizations should only deploy the biometric technologies that are sufficient and accurate 

for the given use case. Furthermore, it’s important that humans review a biometric system’s results when 

making important decisions. 

Additionally, organizations should work to ensure biometric data storage solutions are secure, 

anonymized and encrypted. Also, they should facilitate internal and external oversight of biometric 

technology deployments and require system operators to complete training on proper use. Along with 

these efforts, organizations should consistently conduct operational performance assessments when 

deploying these technologies – and keep doing it even after the initial launch. Lastly, it’s important to 

upgrade biometric systems to ensure the most accurate, secure and privacy-protective technologies are 

being used. 

With biometric solutions, everyone benefits; companies can offer greater security and minimize risks, and 

customers and employees enjoy a faster, frictionless experience while still owning their digital identity. 

There’s no doubt that biometrics is the present and future of authentication, but it needs to be done in a 

manner that is consistent with privacy. By following best security practices and ensuring there is always 

a human element in place to mitigate potential failures, organizations can ensure that they themselves, 

their customers and employees all reap the benefits from these solutions 

About the Author 

Robert A. Eckel has been Chief Executive Officer and President 

of Aware (NASDAQ: AWRE) since September 2019. Mr. Eckel 

also serves on the board of directors for the International 

Biometrics + Identity Association (IBIA), and as a strategic 

advisory board member of Evolv Technology. Over his 

distinguished career, he has held many positions of note within 

the biometric and identity space, including: Regional President 

and Chief Executive Officer of IDEMIA’s NORAM Identity & 

Security division from 2017 to 2018; President and Chief Executive Officer of MorphoTrust USA, LLC 

from 2011 to 2017; Executive Vice President and President of the Secure Credentialing Division of L-1 

Identity Solutions Company from 2008-2011; and President of the Identity Systems division of Digimarc 

Corporation from 2005 to 2008. Mr. Eckel has received his master’s degree in Electrical Engineering from 

the University of California Los Angeles, and his bachelor’s degree in Electrical Engineering from the 

University of Connecticut 

Robert A. Eckel can be reached online at bobeckel@aware.com and at our company website 



How To Thwart Fraud with Phone Numbers 

By Guillaume Bourcy, Vice President, Data & Identity Solutions, TeleSign 

During the peak of the global pandemic, online shopping and cybercriminal activity hit unprecedented 

figures, hitting merchants' bottom lines hard. Juniper Research predicts that merchant losses from 

eCommerce fraud in 2021 will be $20 billion, up from $17 billion in 2020. Slowing – or reversing – this 

trend makes prioritizing fraud prevention strategies across all eCommerce channels an imperative in 

2022 and beyond. The first step? Require that all new and existing customers provide their phone 

numbers. It may sound like an overly simplistic solution but leveraging the data and insights that the 

humble phone number offers is a game-changer for fraud protection. 

Setting the stage for phone verification with today's data challenges 

Understanding how phone numbers can play an essential role in verifying the legitimacy of a transaction 

or customer starts with understanding the ever-growing volumes of sensitive data consumers entrust to 

brands. 



This information falls into two categories: 

Online data: Think about everything created and stored on the internet, such as web browsing histories, 

digital ad interactions, previous in-app purchases, email addresses, social media posts, and a device's 

IP address. 

Offline data: This refers to anything related to life in the physical world, including demographics like age, 

race, ethnicity, gender, marital status, income, education, and employment, as well as past and current 

mailing addresses and social security numbers. 

Managing these disparate datasets has become increasingly arduous. They are typically segregated and 

scattered across CRM platforms and multiple on-site or cloud-based applications and databases. Evergrowing 

legal and regulatory requirements that govern the collection and use of consumers' personal and 

sensitive information only add to this complexity. These elements can make it very difficult for merchants 

to consistently create holistic customer profiles to verify customers' identities. 

The phone number as a game-changer 

A customer's phone number is unique from other personal identifiable information (PII) because it "lives" 

in both the online and offline data worlds. That makes it the primary customer identifier that links to other 

pieces of information to strengthen the KYC/CDD (know your customer/customer due diligence) process. 

For many, the first step is implementing one-time passcodes and multi-factor authentication (often 

through SMS messages) to reduce new types of account registration fraud and thwart thieves attempting 

to disguise themselves as legitimate customers. But because phone numbers bridge and verify identity 

between the online and offline world, they are a high-value target for fraudsters to steal. 

While it's hard to steal a phone number, it's not impossible. SIM swap attacks, where cybercriminals steal 

someone's identity by porting their phone number to a burner phone (often with the carriers' unwitting 

assistance) and using those phones to impersonate the victim, are on the rise. Deploying checks at highvalue 

and high-risk interactions with phone number intelligence can help prevent account takeovers from 

SIM Swap attacks. Phone number intelligence and risk scoring can look at attributes, including the last 

porting date, and tie it to other key user identity attributes such as emails, IPs, and devices to assess the 

likelihood that a phone is in the possession of its owner. 

Don't rely on manual processes 

The Juniper report mentioned above also recommends merchants implement artificial intelligence and 

machine learning-powered automated fraud prevention systems to validate customers' identities. 

Machine learning and AI learns, adapts, and delivers real-time behavioral and digital identity insights to 

protect systems and customer accounts better. These ML and AI-powered systems are constantly 



mutable and dynamic by continually assessing and tweaking parameters to analyze all potential fraud 

avenues at any given time correctly. 

Automated phone number reputation scoring is an excellent example of this type of technology. Phone 

number reputation scoring helps determine individual risk-level for each user and phone number on a 

merchant's platform – in near-real-time. It does this by scrutinizing and redetermining multiple behavior 

signals associated with that number for greater accuracy in identifying risky behavior and security threats. 

Adding in an association of multiple nodes of identifiers (e.g., associate phone numbers and IPs, emails, 

etc.) also helps to improve accuracy. 

Businesses that validate their customers behind the scenes with these systems are working to end the 

tradeoff between smooth online experiences and fraud prevention tactics. They also relieve security 

teams of the responsibility and burden of conducting thousands of manual and friction-inducing security 

checks. 

The Time is Now 

Over five billion people use their mobile phones every day, with millions more signing on by 2022 1 . As 

we approach 70% of the world actively using mobile technology, it highlights how truly connected the 

world is becoming and reveals the ever-growing potential for fraudulent activities 2 . As fraud becomes 

ever more imaginative and adaptive year-over-year, implementing nimble and intelligent fraud prevention 

strategies is vitally important. Starting this journey now will ensure a more secure and engaging 

experience for both you and your customers. 

To learn more about how you can work to protect your customers through phone numbers and establish 

continuous trust, please visit TeleSign. 

1 

https://www.gsma.com/mobileeconomy/wp-content/uploads/2021/07/GSMA_MobileEconomy2021_3.pdf 

2 

https://www.oberlo.com/blog/internet-statistics 




Guillaume Bourcy is the Vice President, Data & Identity 

Solutions of TeleSign 

Currently, Guillaume leads teams responsible for data 

science, partnerships, product, pre-sales and innovation. 

Prior to Telesign, Guillaume had more than 15 years’ 

experience in rapidly growing the Telco and Identity 

Solutions at BICS, a subsidiary of Proximus, from the 

ground up to becoming an industry leader using both 

organic and M&A growth. Guillaume’s work philosophy is 

to learn something new every day so you can bring new 

ideas to fuel innovation and drive results. If he is not 

working on the next identity solution, you will most likely find him writing comics books, surfing, 

or running. 

Guillaume can be reached online at (LinkedIN) and at our company website: https://telesign- 

3.webflow.io/ 



Phishing: How To Improve Cybersecurity Awareness 

By Jason Stirland, CTO at DeltaNet International 

According to research by Proofpoint, 75% of organizations around the world experienced a phishing 

attack in 2020, and 74% of attacks targeting US businesses were successful. Furthermore, a study 

by ENISA, found that 85% of the SMEs questioned agree that cybersecurity issues would have a 

detrimental impact on their businesses, with 57% saying they would go out of business if hit. The study 

also reveals that phishing attacks are the most common cyber incidents SMEs are likely to be exposed 

to, in addition to ransomware attacks, stolen laptops and CEO frauds. 

With many employees continuing to work remotely (or at least commence hybrid 

work), organizations must support their employees and educate them on 

the cybersecurity threats they will undoubtedly face. These include phishing and social engineering 

attacks. As employees are the front line of an organization, it should be their utmost priority to ensure 

employees and the organization don’t fall victim to potential phishing attacks. 

So how can organizations improve cybersecurity awareness training to protect against phishing attacks? 



1 – Educate employees using bitesize online training 

It’s no surprise that employees loathe long training sessions that take time out of their day, leading to low 

engagement. So, using bitesize learning to teach employees about phishing threats and general 

cybersecurity awareness will be better received. Shorter training interventions means employees s can 

fit learning around their day and work schedule, which will reduce reluctance to do mandatory 

training. Additionally, with attention spans decreased by constant notifications of emails and messages 

from collaboration platforms like Teams and Slack, it’s crucial to use interactive content to capture 

employees' interest. This way, they are more likely to understand phishing and cybersecurity threats the 

business faces daily. 

2 – Assess employees on knowledge retention 

While it’s easy to think of some compliance training as a mere tick-box exercise, organizations must 

check their employees have actually learnt something from the training. If not, then the training needs to 

improve - quickly! Phishing and cybersecurity attacks are becoming increasingly sophisticated, so 

organizations want to ensure that their employees can spot a phishing scam successfully when faced. A 

great way of assessing employee understanding of scams is by using a phishing simulation tool to send 

imitation phishing emails to employees to test their awareness levels. It's imperative to test employees 

against spear-phishing attacks too. This is a method where a cybercriminal targets individuals within the 

organization, posing as a trusted source (e.g., the CEO or a supplier) to gain confidential data. 

3 – Auto-enroll employees on correctional training 

Understanding which employees failed the simulated phishing scams is a significant way to analyze the 

cybersecurity risk employees pose. To reduce risk, organizations should auto-enroll employees who fail 

the phishing scam (e.g. by clicking on a suspicious URL or sharing confidential data) onto further 

cybersecurity awareness training. Follow up this correctional training with company compliance 

documents, internal discussions on the importance of recognizing threats, and how employees must play 

their part in keeping the organization safe. This will help to fortify the importance of cybersecurity 

awareness. 

4 – Track the value of training 

Organizations can track and analyze the results of their cybersecurity awareness training by 

using a learning experience platform, such as Astute LXP. Intelligent platforms like this can help 



organizations gather data all in one place to track the open rates and click rates on suspicious URLs and 

the completion of sharing any confidential data. Repeating this exercise once employees have been 

refreshed on cybersecurity awareness training, and analyzing their pass rate on the simulated phishing 

email, will reveal which employees have understood their training and put it into practice. This helps 

organizations to recognize how their security position has improved as a result of the training, making a 

clear case for continuous investment and refresher training in cybersecurity awareness going forward. 

5 – Update employees on current phishing trends 

An organization’s cybersecurity risk is only as strong as its weakest link. According to Tessian, nearly a 

quarter (22%) of UK citizens have received phishing emails asking them to download ‘proof of 

vaccination’ in the past six months - and in the US, this figure rose to 35%! Statistics like these go to 

show how keeping all employees trained, tested, and updated with the latest cybersecurity techniques 

and phishing scams is critical to protecting your company’s infrastructure. 

6 – Embedding a cybersecurity compliance culture 

Putting in place a cybersecurity culture within the organization is easier said than done. But what it means 

is that employees understand the importance of following cybersecurity guidelines, completing 

mandatory training, and using best practices, e.g., strong passwords and triple-checking emails for any 

malicious URLs before clicking on them. If employees are in a company environment where they are 

reminded of common phishing and ransomware attacks and what to look out for, it will become second 

nature to them and reduce susceptibility significantly. 


Jason Stirland, CTO at DeltaNet International. Having 

completed his degree in Networking & Communications 

Technologies, Jason Stirland has spent nine years 

working in eLearning. From starting his career as firstline 

technical support, Jason has expanded his role to 

incorporate programming and sales and often 

hosts consultative software meetings for key clients. 

Jason has been responsible for developing DeltaNet’s 

Astute Learning Management System, as well as the organization’s IT/security infrastructure and 

software strategy. 

Jason Stirland can be reached online via LinkedIn and via our company website https://www.deltanet.com/. 



Cybersecurity Alone Is Not Enough, Systems Need Cyber 

Resiliency 

Electronics systems today need to go beyond preparedness for an attack to resiliency during and after 

one. 

By Eric Sivertson, VP of Security Business Development, Lattice Semiconductor 

The National Vulnerability Database reported that between 2016 and 2019 the number of firmware 

vulnerabilities grew over 700 percent. Industry analyst group, Gartner, reports that by 2022 “70 percent 

of organizations that do not have a firmware upgrade plan in place will be breached due to a firmware 

vulnerability 1 .” 

Not only do these vulnerabilities jeopardize final products deployed in the field, but they can also impact 

individual components as they move through today’s rapidly changing and increasingly unpredictable 

global electronics supply chain, from initial component manufacturing and shipment to a contract 

manufacturer, to system integration and on through the device’s entire operating life in the field. Firmware 

vulnerabilities can be exploited by bad actors and expose organizations to different security issues, 

including data theft, data corruption, unauthorized hardware modification, equipment hijacking, product 

cloning, ransomware, and design theft. Because such exploits occur below the operating system level, 

they often go undetected my anti-virus software until the damage is done, potentially having a major 

impact on a company’s revenue and reputation. 

Electronic systems must be able to adapt to new threats as they evolve and automatically take 

appropriate action when compromised firmware is detected. To protect system firmware, security 

solutions need resiliency against firmware attacks based on a parallel, real-time, reactive solution that 



offers comprehensive firmware protection throughout a system’s lifecycle. Firmware protection must span 

the full life cycle of a component, beginning with the time spent moving through the supply chain, initial 

product assembly, end-product shipping, integration, through the product’s entire operational life. 

While cybersecurity is a widely known necessity, cyber resiliency is still an emerging concept for most 

organizations. Cybersecurity refers to the technologies, processes, and practices employed to protect 

network, devices, applications, and data from cyberattacks, Cyber resiliency goes a step further and 

deals with what is done after an attack takes place. Cyber resiliency is defined as the ability to 

continuously deliver an intended outcome despite adverse cyber events like an attack. Cyber resiliency 

embraces information security, business continuity, and overall organizational resilience in today’s rapidly 

evolving threat landscape. 

Cybersecurity is the foundation of cyber resiliency, but cybersecurity is becoming an overloaded term. 

Take the widely-used cybersecurity solution, the trusted platform module (TPM), as an example. The 

Trusted Computing Group describes a TPM as a computer chip that can securely store artifacts used to 

authenticate your PC or laptop, including passwords, certificates, or encryption keys. This is a strong 

cybersecurity component but lacks some key features needed to be truly cyber-resilient. 

While the TPM concept is certainly an important development in hardware security, it does have 

vulnerabilities, particularly during cold boot when some firmware elements are required for boot before 

the TPM typically becomes active. That short window of time between when components on a 

motherboard are powered up by their firmware and when the OS is an increasingly popular attack vector 

for today’s cybercriminals. To combat this threat, systems need to implement a Hardware Root of Trust 

(HRoT) with strong, dynamic, cyber resilient protections in addition to cybersecurity solutions like TPM. 

A Cyber-resilient HRoT validates the firmware of each mainboard component before activating it. As it 

boots the system, the HRoT checks itself to ensure its running valid firmware and holds other system ICs 

in reset mode until their firmware is cryptographically validated. It is essential to validate firmware before 

it is loaded into ICs, because malware-infected firmware can mask its presence from the OS once it’s 

installed itself. In addition to securely booting the hardware, the HRoT continuously monitors other 

protected components’ firmware against attacks. If corrupted firmware is detected by the HRoT IC, it can 

quickly replace the corrupt firmware with the last known-good firmware, log the violation for future 

examination, and resume system operation uninterrupted and un-corrupted. That ability to resume normal 

operations securely, quickly, and unassisted is what makes the system cyber resilient. 

In an increasingly sophisticated threat environment, organizations must take steps to not only secure 

their systems against cyberthreats, but they must also make their systems resilient enough to mitigate 

an attack in real-time and maintain the integrity of their firmware automatically. 

References: 

1 

Source: Gartner, July 2019 




Eric Sivertson is an experienced entrepreneur, executive and 

engineer with 30+ years developing technologies to enhance 

trust & security in embedded systems, wireless connectivity, and 

high performance & reconfigurable computing. He currently 

serves as Lattice Semiconductor’s Vice-President of its Security 

Business. He is focused on building business in this growth 

market for Lattice, as well as supporting leading edge solutions 

development within the organization. 

Prior to joining Lattice, he founded his own Security & Consulting Company in Silicon Valley and has 

been provider and/or advisor to many Silicon Valley Startups and Fortune 500 companies with regards 

to Security IP and implementations, blockchain, AI/ML based security solutions, markets and 

critical requirements. Additionally, he was Executive Vice-President of Kontron’s Aviation, Transportation 

and Defense Business Unit and before that he was General Manager of Xilinx Aerospace and Defense 

Business Unit. He also ran one of Thales largest North American engineering organizations that 

developed the world’s most secure and advanced Software Defined Radio (SDR) currently deployed 

extensively throughout the world. He earned his Electrical Engineering degree from Virginia Polytechnic 

Institute and State University (BSEE). 

Eric can be reached online at eric.sivertson@latticesemi.com and at the company website 

https://www.latticesemi.com/ 



Why Hackers Attack Mobile Devices and How to Prevent 

It 

By Nicole Allen, Marketing Executive at Salt Communications 

According to a Gallup poll, the frequency of remote work cyber-attacks has nearly doubled since the 

beginning of the pandemic. Employees were thrown into a world of remote work immediately, utilising a 

wide variety of cloud-based software and apps. With the need to adapt so quickly, many businesses have 

been left unprepared in terms of their cybersecurity protection. 

Businesses may not understand that in many cases their weakest link is their mobile security. To gain 

access to a company's whole network, a cybercriminal only has to break into one unprotected mobile 

device (phone, laptop, or tablet). 

Why it only takes one device 

Such intrusions can be crippling to a business. The implications can be vast with an immediate impact 

on costs, interrupting operations, jeopardising crucial data assets, and damaging customer relationships. 

In reality, when a small business is harmed by a cyber-attack, nearly 60% of those affected are unable 

to recover and go out of business within six months. 

Employee mobility has transformed the way we do business, but it has also introduced new security 

vulnerabilities. Mobile users, on average, spend about 80% of their time outside of the protected business 

network, accessing the internet from places other than the office or company locations. With this 

increased mobility, far too many devices are left vulnerable to more sophisticated hacking techniques – 

especially when enterprise IT departments fail to deploy mobile device security fixes and upgrades. 



Why Hackers Target Mobile To obtain company data 

About half of all cyber-attacks on organisations are aimed at collecting company information and/or 

proprietary data from customers, such as personal mobile data, social security numbers and credit card 

numbers. A hacker may be able to simply take a mobile device that an employee is using for email or 

accessing company data. Hackers know exactly where to search and download data on mobile devices 

because all emails and attachments are stored in one folder. 

Mobile Interception 

Your mobile phone could be used for industrial espionage, illicit data transfers, or exchanging business 

secrets. All of this is accomplished via intercepting mobile signals, listening in on voice calls, or utilising 

your phone as a bug. With the number of workers increasingly working from home there is a higher 

amount of business related communications being exchanged remotely which increases the danger if 

not protected. 

The Stingray/GSM interceptor/IMSI catcher is a piece of equipment that can collect data from hundreds 

of phones in a specific region, as well as launch denial-of-service attacks and intercept conversations. 

These products are not legally available, but they can be obtained on the black market or over the deep 

web. 

As well as NGN (Next Generation Networks, such as 3G, 4G, and 5G), GSM (Global System for Mobile 

Communications), and CDMA (Code Division Multiple Access) are the three types of mobile networks 

(Code Division Multiple Access) and multiple surveillance systems are tracking all three of them. Data 

from mobile phones is passively captured as it passes over these networks between the phone and the 

base station with which it is communicating. It is possible to intercept both uplink (outgoing voice or data) 

and downlink (incoming voice or data) transmissions. 

Land & Expand 

Land and expand is to move beyond device control to higher-value goals, such as the corporate network. 

Someone who has hacked a mobile device can acquire corporate access in a variety of ways. The basic 

technique is to utilise the smartphone that the hacker now controls to send messages and emails in the 

name of the real user in order to obtain additional information or cause disruption. Alternatively, the 

hacker can take advantage of the mobile device's access to the corporate Wi-Fi network when the user 

returns to the office and reconnects. 

The guest network in a target company's lobby can potentially be exploited by a hacker. They may 

observe if there are more persons connected than are actually waiting in the lobby once they log onto 



the network. This is a good indicator that employees are accessing the guest network to access apps 

and sites that the corporate network blocks. The hacker can then simply deceive a user into downloading 

what appears to be a game, take control of their device, and grant themselves super-admin capabilities, 

allowing them to access the entire network for nefarious purposes. 

Deliver Malware 

Ransomware and viruses can give a hacker an immediate cash advantage. That was the case with the 

WannaCry ransomware assault in 2017, which notified victims that their device had been encrypted and 

demanded payment in Bitcoin to unlock it. 

WannaCry's hackers specifically targeted Android devices and hacked into a Wi-Fi network and scanned 

all linked Android smartphones to see which were vulnerable to their ransomware. The hackers infected 

one phone, then used it to lock down entire firms and demand ransom payments when the user returned 

to the corporate office and connected onto the company network. 

Another example is a malware called ‘Pegasus’ was being used to target WhatsApp users through a flaw 

in the app. According to a product description filed as an exhibit in WhatsApp’s 2019 lawsuit, the Pegasus 

software was designed to “covertly collect information about your target’s relationships, location, phone 

conversations, plans and activities – whenever and wherever they are.” According to this description, the 

programme also tracked GPS whereabouts, monitored audio and VoIP communications, and gathered 

other data - leaving no trace on the device. 

Some organisations even after these events are still dealing with sensitive corporate, Government or 

client communications on consumer apps. . Using a closed system like Salt Communications protects 

businesses from the risk of crucial and sensitive data being compromised. 

How to prevent it 

Business cybersecurity has never been more critical than it is now, both to the pandemic and the rise of 

the mobile workforce. To guard against potential dangers and safeguard your firm from a potentially 

catastrophic cyber-attack, you must implement a zero-trust mentality. This necessitates a proactive 

strategy to threat management, as well as how you monitor the people, systems, and services that 

connect to your network. 

There are a number of ways that your organisation can protect themselves through simple strategies. 

Organisations can implement a unified endpoint management (UEM) which allows IT to manage, secure 

and deploy corporate resources and applications on any device from a single console. Mobile device 



management was the initial step toward unified endpoint management, followed by enterprise mobility 

management. The mobile device management strategy, on the other hand, does not offer BYOD 

flexibility, which allows employees to switch from personal to work use of their devices at any time and 

from anywhere. 

Another method is providing regular cybersecurity awareness best practices training. Rather than 

imposing regulations that impede employees' capacity to do their jobs, a good staff awareness 

programme should complement how people work. The goal is to assist them in gaining the necessary 

skills and knowledge to work, as well as recognising when to express any issues. No one is immune to 

making mistakes or being a victim of a scam. In fact, because senior personnel are higher-value targets, 

scammers are more likely to target them (for example, through business email infiltration techniques), as 

the information that they share is often deemed to be most valuable. 

This is often why organisations choose to implement a secure communications platform to communicate 

securely both internally and externally. This system allows professionals to carry out secure calls and 

message threads with the assurance of complete privacy of their communications. Applications such as 

Salt Communications protect your company's data from coming under threat from attacks from outside 

your organisation. 

To discuss this article in greater detail with the team, or to sign up for a free trial of Salt Communications 

contact us on info@saltcommunications.com or visit our website at saltcommunications.com. 

About Salt Communications: 

Salt Communications is a multi-award winning cyber security company providing a fully enterprisemanaged 

software solution giving absolute privacy in mobile communications. It is easy to deploy and 

uses multi-layered encryption techniques to meet the highest of security standards. Salt Communications 

offers ‘Peace of Mind’ for Organisations who value their privacy, by giving them complete control and 

secure communications, to protect their trusted relationships and stay safe. Salt is headquartered in 

Belfast, N. Ireland, for more information visit Salt Communications. 




Nicole Allen, Marketing Executive at Salt Communications. 

Nicole has been working within the Salt Communications 

Marketing team for several years and has played a crucial 

role in building Salt Communications reputation. Nicole 

implements many of Salt Communications digital efforts as 

well as managing Salt Communications presence at events, 

both virtual and in person events for the company. 

Nicole can be reached online at (LINKEDIN, TWITTER or by 

emailing nicole.allen@saltcommunications.com) and at our 

company website https://saltcommunications.com/ 



How to Avoid Spam Texts and Protect Personal 

Information in the Digital Age 

With Spam Texts on the Rise Consumers Must do their Due Diligence 

By Reinhard Seidel, Director Products at Clickatell 

How to Avoid Spam Texts and Protect Personal Information in the Digital Age 

There have been many advantages to the accelerated digital revolution we are experiencing, but a 

negative impact is the increased risk for cyber threats. In 2020, spam and phishing text messages were 

up 146% in the US, subjecting consumers to dangerous cybercriminals attempting to steal valuable 

personal information. While the FCC says they plan to crack down on these messages, it’s still more 

important than ever that consumers are aware of the tell-tale signs of spam texts and phishing messages, 

and how message content, encryption security and identity are handled by SMS providers and business 

chat technology vendors to protect themselves and their information. 



Know your customer 

As spam and phishing messages are on the rise messaging service providers need to ensure more than 

ever that its business customers are complying to rules and regulations. This includes communicating 

compliance rules to brands, ensuring the legitimacy of businesses, understanding the use cases and go 

through proper approval processes for new service offerings. 

These compliance efforts have been underway for several years now in the US when it comes to Short 

Code services (5-or 6-digit numbers that are used for sending messages). This year mobile operators 

have launched additional compliance requirements for message traffic that is sent on long numbers 

(standard 10-digit phone numbers). Those type of message traffic has been flowing largely unregulated 

in the US for the last 10 years and has been subjected to spamming and phishing attacks by bad actors. 

Not anymore, as now every entity who seeks to send SMS text traffic in the US is required to register its 

brand and campaign before being able to obtain a long number and send message traffic. The new 

regulatory regime is called 10DLC (10 Digit long code). It is the responsibility of SMS providers like 

Clickatell to enforce those rules and make sure its customers are fully compliant. 

Similar to how compliance is managed in the SMS world messaging service providers as well as the 

large chat app providers such as WhatsApp or Apple are also enforcing strict registration and verification 

rules. Messaging service provider are required to help qualify and register campaigns and services for 

its business customers on channels such as WhatsApp or Apple. In addition, they provide end to end 

service security via message encryption and manage authentication, verification and other security 

related services for its business customers. 

Spotting a Fraudulent Text Message 

The first step in identifying a fraudulent message is understanding the different types of phone numbers 

used to deploy messages. Most legitimate text messages are sent via short code numbers that contain 

5-6 digits and are primarily used only by large enterprise companies due to high costs. As mentioned, 

short code numbers have been strictly regulated for many years making it extremely rare to receive 

a spam text or phishing attack from a short code number. 

On the other hand, if you receive a message from a normal 10-digit phone number claiming to be your 

bank, network provider, or retailer you’ve engaged with, you need to be cautious. The message could 

still come from a non-compliant long number that was obtained before the introduction of stringent 

registration requirements allowing only established brands to send messages via 10DLC regulation. If 

the message is coming from an 1800 number, it will have also have gone through a verification process 

and can be considered relatively safe. 



What to do if you receive a message from a 10-digit number 

If a suspicious text message received on a 10-digit number requires action and includes a shortened 

URL, consumers should avoid the link provided and contact the brand directly to validate the 

claim. Chances are the message is fraudulent and the sender is attempting to steal valuable information, 

so ensure you are calling the company directly and not replying to the sender. Often the fraudster will 

impersonate a large brand asking for personal information, claiming an account reset, information update, 

missed shipment, failed payment or even a prize to be claimed. 

What can businesses do to mitigate fraud? 

Digitalization has transformed businesses, and business owners are increasingly realizing that using chat 

platforms to manage and mitigate fraud offers them immediate and significant gains. While retailers, 

banks, financial services providers have traditionally conducted the majority of transactions within a 

native branded application, there is an increasing shift to use SMS text for brief notifications and complete 

transactions in rich chat applications such as WhatsApp, Messenger, etc. Likewise, there is a shift to 

mitigate fraud in the chat channel. 

When someone is using a chat application, the identity of the user can be ascertained with a high level 

of certainty through various means. For example, biometric information such as fingerprint could be used 

in addition to a standard login and password or the mobile user can be asked to submit a picture of their 

ID in the rich chat for critical transactions. It is also possible to have additional security questions captured 

through a chat engagement. All of this means that the fraud department can flag suspicious behavior with 

a high level of confidence. 

In today’s business environment, forward-thinking businesses absolutely must ensure sensitive 

commercial and customer data remains secure. Incorporating chat commerce platforms with fraud alert 

programs allows customers to transact via secure chat apps with end-to-end encryption, multi-factor 

authentication, and privacy. 

Next time you receive a skeptical message from a brand, be sure to reference these tips to ensure your 

data is secure. Happy shopping! 


Reinhard Seidel is Product Director at Clickatell responsible for 

Clickatell’s communication platform including messaging APIs 

and channels such as WhatsApp, SMS, and more. He manages 

overall communication channel vision and strategy, collecting 

market input, and defining product roadmap and requirements. 

For more information, visit https://www.clickatell.com/. 



Microsoft Successfully Defended The Azure Cloud From A 

Massive DDOS Attack. (Spoiler: You Can, Too.) 

How can you fend off the largest DDoS attack in history? For Microsoft, early detection and investing in 

software as a service was key. Read on to learn more. 

by Jason Barr, Senior Director of Innovation, Core BTS 

Last month, European Azure Cloud users faced the largest Distributed Denial-of-Service (DDoS) attack 

in history. Yet, it was business as usual for Azure Cloud customers — all thanks to Microsoft’s well 

thought out security protections. 

For years, Microsoft has warned that cyberattacks are growing more sophisticated. Beyond predicting 

the future of the security landscape, the industry leader has worked hard to prevent attempted breaches 

before they happen. 

As technology environments continue to grow more complex, we can all take note of Microsoft’s 

successful defense strategy consisting of early detection, effective defense of data, and depth of 

coverage. 



Yet, no organization should entirely rely on its cloud provider for protection. Beyond the cloud, companies 

also need to invest in security software and services to protect themselves and equip their organizations 

to rapidly respond to the unexpected. 

Early detection made Microsoft stand out 

Over the course of just 10 minutes in August 2021, 70,000 sources across East Asia and the U.S. 

attempted to breach the Azure Cloud. They were unsuccessful. But this 2.4 Tbps DDoS attack was 140 

percent larger than 2020’s largest attack, proving the durability of Microsoft’s platform. 

At Microsoft, the Azure DDoS protection team protects the property in Microsoft and the wider Azure 

infrastructure. While no cloud system is infallible, Microsoft’s distributed DDoS detection can quickly scale 

to absorb tens of thousands of terabits of DDoS attacks in seconds. 

During the first half of 2021, Microsoft reported a 25% increase in the number of attacks compared to Q4 

2020. While it’s impossible for security analysts to pinpoint exactly how it blocked this particular attack, 

there are several key elements that contributed to its secure infrastructure: 

Early detection: Early warning indicators gave Microsoft instant visibility so the company could respond 

and scale its systems. The sooner your software detects a breach, the less likely it will get out of hand. 

Immediate mitigation: Azure’s DDoS control plane logic immediately took action when it detected the 

DDoS attack. By optimizing the fastest time-to-mitigation, they were able to prevent collateral damage 

from large-scale bad actors. 

Strategic allocation of resources: Like many of its counterparts, Azure DDoS protections trigger 

mitigating sequences that dynamically allocate resources closer to the attack sources — and as far away 

from the customer region as possible. 

5 steps to investing in security as a service 

Security is a shared responsibility between clients and cloud providers. As you consider your options, 

evaluate software as a service (SaaS), key infrastructure elements, and the UX of the app or platform 

hosting the technology. 

The more clients can push for software as a service (SaaS), the more protection and capabilities they’ll 

have in place. Providers like Microsoft also offer infrastructure optimization, which involves patching the 

infrastructure and ensuring all virtual machines are up to date. If you ask me, the app interface you’re 

interacting with regularly is paramount to a strong security platform. Microsoft is taking on these services 

to ensure they are delivering accessible and high-quality content at the tap of a button. 



However, you can’t rely 100% on the cloud provider to keep you safe in today’s landscape. The 

responsibility also falls to you. It’s important to build strong protections, evaluate the business implications 

of a breach, and determine which additional security software to invest in, independently of your cloud 

provider. 

As the bandwidth, frequency, and duration of attacks soars, here are a few key actions you can take to 

determine the right type of security protection for your organization. 

Ask yourself “Why me?” Requirements drive decision-making. The first step in defending your data is 

simple: Understand the scope of your risk in the short and long term. While the industry is doing a great 

job informing organizations that security should be top of mind, it is equally important to determine your 

organization’s unique vulnerabilities. 

Evaluate the business outcomes. Only 65% of organizations have a cybersecurity expert, yet the 

business implications of a breach can be astronomical. Remember, cyber criminals aren’t trying to steal 

your data. They’re trying to halt all business functions to stop revenue in its tracks. E-commerce platforms, 

for example, can lose millions of dollars every minute they are shut down by a DDoS. With that in mind, 

consider the impact of the breach on your products, supply chain, and brand visibility to make the case 

for better security technology. 

Assess the value of your tools regularly. Security and risk management spending grew 6.4% in 2021 

alone. Ever-evolving cloud capabilities come at a cost, so be sure to weigh your risk against relevant 

surfaces and tools. Since price models will continue to change, you should evaluate your risks and unique 

needs on a monthly basis. 

Build a business case. Many traditional mentalities don’t view security technology as a necessary 

investment. Counter outdated perspectives by educating your executive leadership, providing relevant 

total cost of ownership (TCO) financials, and presenting return on investment (ROI) evaluations. 

Establish your non-negotiables. From a security perspective, there are certain elements that are nonnegotiable 

on the cloud. Know your business requirements, people, apps, and data to inform your security 

needs. 

While the threat of cyberattacks is ongoing, you can reduce the risk of DDoS attack on the cloud by 

investing in a range of security solutions. As technology professionals, everything we do involves data. 

We see security threats every single day, and it’s essential to stay visible. 

The next biggest DDoS attack in history is around the corner. Learn more about how to face the future 

head on today. 




Jason Barr is the Director of Innovation of Core BTS. He specializes 

in leveraging Microsoft technologies to drive digital transformation 

across enterprise organizations. A supportive mentor and coach, 

Jason has 20 years of experience helping C-Level executives and 

technology professionals align IT initiatives to business goals. His 

expertise includes IT strategy development, cloud roadmapping, 

project management, software architecture, and cloud 

architecture. Jason is also a proud Walsh University instructor, 

supporting their skilled workforce training program which equips 

businesses with practical technology solutions. Jason Barr can be 

reached online at https://www.linkedin.com/in/jbarr1108/ and at 

https://corebts.com/. 



Why Americans Joined Europe in Not Paying Security 

Ransoms 

By Lee Pitman, Global Head of Response Services, BreachQuest 

As we close out 2021, the biggest trend in the security and insurance space has to be the heightened 

regulatory scrutiny on the payment of ransoms, and the general reduction in the number of ransoms 

being paid by insurers in a hardening market. It’s interesting that this shift only happened recently in the 

US. Having worked in the ransom recovery space for a number of years, I have seen only around 20% 

of companies in Europe pay ransoms, whereas in the US that number was closer to 90% of the time, just 

12 months ago. So what changed? 

There has been a litany of events this past year that have changed the equation on paying ransoms. At 

one point there was a sense from US-based companies that they would rather pay the money and get 

back to doing business. However, the practicality of that approach has shifted dramatically, new laws 

have been passed and public perception has changed. 



Shockingly, you can’t trust criminals 

There used to be a myth that acquiring a decryption key would make all problems post ransom attack 

magically disappear. But this has never been true. It should go without saying that you can’t trust 

criminals, but up until this year that is exactly the approach many businesses have taken. 

First off, the keys provided by the threat actors are never 100% effective in recovering all the data. 

Unsurprisingly, the threat actors are more focused on locking the valuable data away than with being 

able to unlock the data. In my experience, at least some data is always lost. The keys provided by the 

criminals are clunky and cumbersome to utilize and require more time, energy and money to go through 

the recovery process. 

Secondly, paying a ransom has never guaranteed that a threat actor would not publish stolen data further 

down the line. Whilst the premise of Ransomware as a Service (RaaS) would suggest it is in the best 

interests of the threat actor’s business model to comply and support their clients - victims - post a ransom 

being paid, the very nature of the criminal underworld underpinning these groups is unstable. As such, 

groups often merge or are acquired, or simply cease their operations, but the data they have stolen will 

remain and is often disclosed anyway. 

Laws are driving change 

While there aren’t any major laws in Europe that prevent businesses from paying ransoms, the United 

States has looked to curtail ransom payments with new legislation. The US Department of the Treasury 

released an advisory stating that organizations that facilitate ransomware payments to hackers on behalf 

of ransomware victims, including financial institutions, cyber insurance firms, and companies involved in 

digital forensics and incident response, are potentially violating OFAC regulations. The Biden 

administration has been particularly boisterous on the topic since the colonial pipeline attack, making it 

much more difficult for companies to pay threat actors - which is a good thing. 

Businesses can do a lot to protect themselves 

With the worsening risk-benefit equation and the changing laws, many businesses are now looking at 

alternatives to paying ransoms, and in most cases, there are good alternatives to paying ransoms. Or at 

the very least, better alternatives. With the right cyber hygiene, most companies can protect themselves 

fairly well. While there is no hard and fast solution that will always protect a business, they can certainly 

mitigate the potential damages by having some sound security principles in place. Having worked in the 

IR and recovery space for some time, here are some of the top tips companies need to take to protect 

themselves: 



Have a good backup policy. A good policy means that the backups are saved often and in intervals. Your 

company should have a recent backup of a week or so ago and a longer-term backup of a month ago. 

The more backups you have the more you are protected. It is very common that companies don’t know 

when they were breached and their backups don’t do them any good because the backup was saved 

after the hackers were already in the system. It is also critical to have both online and offline backups. If 

a company can protect their backups they are well on their way. 

Don’t assume that you are safe after restoring from a backup. Another common mistake is restoring from 

a backup and not rebuilding the OS to ensure that you can keep the hackers out. They obviously got in 

once so companies need to ensure that they can't get in again. 

Be insistent with security training, even if it is a little annoying. It is still true that most attacks are 

successful because an employee clicked on a malicious link or let the hacker in through some kind of 

social engineering hack. I know employees often don’t love those training courses, but increasing 

employee knowledge around the ways hackers will attempt to trick them is an underrated defense 

mechanism. This is particularly crucial for senior executives who are often the most targeted employees 

within an organization. 

Key Takeaways 

The decline of ransom payments in 2021 is a positive trend to come out of this year and I suspect we will 

see the number of payments drop even further in 2022. We have already seen a general tightening of 

controls around insurers underwriting cyber risks, such as the push to insist their insureds implement 

MFA if they want coverage. Moreover, the focus has shifted to preparing for and recovering from attacks 

more organically via restoration, rather than by simply paying a ransom. I am optimistic that this shift in 

thinking will lead to better security hygiene and a decrease in the lucrative nature of hacking. 


Lee Pitman is the Global Head of Response Services for 

BreachQuest, a company revolutionizing incident response, 

where he is focused on delivering reduced breach costs and 

maximum recovery speed in IR and Recovery services to clients 

globally. Lee began his career as an intern in Big 4 Risk 

Consulting, spending 6 years working at KPMG and EY. He has 

worked exclusively with the world’s largest conglomerates in a 

variety of sectors. 



First Steps to Alleviate Long-Term Consequences from A 

Cyberattack 

Brief Guide 

By Sergey Ozhegov, CEO, SearchInform 

When a cyberattack occurs it is easy to panic and forget all the steps you have been told to make before. 

What is the very first thing to do, to report, to find out every detail about what happened, to inform your 

users? 

Report 

According to the regulators, the first thing ever is to report a breach (although we solemnly swear that 

hoping ardently that comprehensive back up had been configured is believed to be the first thing to think 

of). It does create an unneeded problem quite often, as many companies can’t discover a source of an 

incident, aren’t aware of an incident or simply prefer to take time and solve it as soon as possible 

themselves because they fear ruining their reputation. More often a breach gets discovered by a 

researcher who, in case a company doesn’t respond to the researcher’s attempt to notify it, posts about 

it online bringing the situation to a dead end. 



Secure 

Apart from reporting, the affected systems should be secured promptly. In order to limit the possible 

spread of a cyberattack, the attack must be contained, which mostly include terminating as many system 

connections with outer world as possible in the first place, focusing on the Internet, devices and access 

rights. 

Prioritise 

Think of what can be affected first or what could be a priority target for a violator. It is fair to look at the 

matter making your point based on your industry. Depending on a certain industry, particular steps would 

be of primary importance. User accounts should be secured. Banks should be informed of the possibility 

of unverified transactions. 

Do not reboot 

As for the rebooting, there used to be an opinion that booting a computer during an attack might tamper 

with an attacker’s desire to look at one’s screen, but modern ransomware overwrite encryption keys while 

a PC is rebooting, it can also cause ransomware relaunch if its remains weren’t detected which would reencrypt 

the recovered assets. Today specialists suggest that users hibernate their computers instead. 

This also concern the advantages from back up. Back up helps you restore your data but in case of a 

wrongly treated ransomware situation the retrieved data can get encrypted again. 

Backup 

Backup ensuring is the first “to-do” one in the list which gets treated by both remediation plan mechanisms 

and information security. Covering all chances to avoid losing sensitive data, it is strongly advised against 

backing information with only one type of backup. Files should be insured onsite and offsite, the more 

different storages save the copies the lesser the risk of never retrieving them. It proves to be helpful 

storing a few copies on a bunch of your servers while trust a third-party center or cloud service with at 

least one copy as well to make sure that in case it “rains outside” there are some umbrellas waiting above, 

as if it leaks inside only the comprehensive information security plumbing, including prevention, 

monitoring and investigation tools can ensure that such a thing almost never happens. 



Monitor and alert 

The capability of monitoring all traffic may play the role of an occasional saviour – monitoring doesn’t 

neutralise a cyberattack, but it helps to notice it when the first alarming processes are triggered. 

Notify top management and employees who could be responsible for the affected assets and users first, 

then think of how to provide customers with correct and timely information as quick as possible, it can 

help them to rescue their information and money in case its integrity wasn’t or was partially ruptured. 

Investigation 

Investigation is commonly considered as a final step or rather a long-term phase in which every incident 

is destined to fade into. A third-party investigation team is usually hired to conduct an in-depth analysis 

which can take up months of research to inform of the key findings which would have been useful straight 

when the incident got detected. 

Thus, investigation – which usually gets launched after containing a cyberattack and reporting and can 

be truly time-consuming – is really the process the results of which are highly required right at the 

beginning of dealing with the consequences. These are the missing facts which can be extracted only 

from a “probe”. It doesn’t have to be detailed from the very start, but ongoing investigation already 

deployed in a corporate system helps an enterprise get its bearings significantly faster and with a good 

deal of transparency unavoidable when managing assets security risks. 

All things considered, investigation seems to be not just a first and foremost step to take after a 

cyberattack occurs but a pre-incident measure which would make every further step a bit more coolblooded 

and definitely much more elaborate and mature. 

Remediation 

Remediation or recovery has its own program under the whole business continuity and disaster recovery 

plan. This is another measure which should be taken rather in advance, but goes a long way and reminds 

of itself as the final step to make after an information security incident. Data protection and risk 

management are well suited for integration with the overall business continuity approach. 



Taking a hard look at the current security situation within an organisation, what is implemented and how 

many sensible measures there are to take yet is part of the continuity approach. Deploying a monitoring 

solution in an enterprise will alert to the issues which were never addressed and would give an opportunity 

to configure security policies and establish internal regulations which genuinely correspond with the 

company’s needs, thus helping enhance risk assessment. 

It is advised to ensure data visibility and user activity transparency as well as human behavior smart 

control allowing to prevent an incident at an early stage or predict a violation, mitigate human error and 

detect aiding hackers. 

A post-breach remediation step fully depends on how well-thought-out the risk management program is 

and how efficient it had proved itself before. Knowing what time length of a recovery period a certain 

company can afford, the extent of damage affecting finance due to a forced downtime, loss of data taken 

hostage or stolen, reimbursing impacted customers is essential for quick and full recovery. Often 

companies have to splash out on security solutions only after a disaster happens, which multiplies 

financial loss. 

Solid monitoring rules out the possibility of poor communication within a team when an incident occurs, 

as a specialist responsible for risk mitigation will be promptly alerted to a suspicious event and report it 

to the management. Corresponding regulations or instructions should be adopted within a company, thus 

everyone must know his or her role in the breach offset process. 


Sergey Ozhegov, CEO, SearchInform. He has 

been contributing to the company’s 

development, handling strategic decision 

making since 2015. Co-founder of the annual 

SearchInform Road Show series of 

conferences. He has been working in IT and 

information security for 15 years. Sergey can 

be reached online at serg@searchinform.com, 

www.linkedin.com/in/sergey-ozhegov- 

6b625681/ and at our company website 

https://searchinform.com/. 



Looking Ahead: Five Security Trends For 2022 

A look at some of the key security trends for next year 

By Mark Guntrip, Strategy Leader at Menlo Security. 

1. Ransomware and the fight back 

Ransomware has dominated the cybersecurity news for the past year, but how will the landscape change 

over the next 12 months? 

We have seen lots of commentary from vendors around remediation strategies, such as XDR. It’s not 

possible with ransomware. Remediation does not work; you must restore everything and set up separate 

systems. Companies need to focus on prevention first. 

Once ransomware has got you, it’s got you. Locking up your systems is the last action that attackers 

take. They have been in your systems for weeks, months, possibly even years, figuring out what they 

can steal. They are patient, they have been taking your credentials and looking at what they can use. 

Locking up your system is the last resort to see if they can extort a few more million dollars from you. 



There are plenty of organizations that have been breached but they simply don’t know until the switch is 

flicked and they then become a victim of ransomware. It’s lying in wait while attackers are in there 

harvesting everything else. 

Given the time of year, I expect to see a rise in seasonal ransomware. Every organization has seasonal 

weak points, whether it’s confectionary manufacturers, the travel sector, or a global enterprise holding a 

big annual event. Expect to be attacked when you are at your most vulnerable. This year we have seen 

attacks on critical national infrastructure, supply chains, healthcare and government. Attackers are just 

watching and waiting. 

We can also expect to see more questioning of the honesty of ransomware groups. As those behind the 

attackers become better known, being recognized as the group that gives the data back, once a ransom 

is paid, might make businesses more likely to pay. All too often we see ransoms being paid and the data 

not returned. 

There needs to more direction from government on regulation and tightening of existing practices. We 

should see clearer processes and mandatory reporting procedures on ransomware. We’re already seeing 

this in APAC, so may well see it replicated elsewhere. 

2. Future of Work 

Remote and hybrid working has led to an exponential increase in security breaches. So, how will 

staff going back into the office, with others still working remotely, impact organizations’ cybersecurity 

efforts? Will there be more or less breaches as people return to the office? 

Organizations will move to consolidate their security solutions. We know from our own research that 75 

per cent of businesses are re-evaluating their security strategy as a combination of remote and hybrid 

(home/office) working is set to remain. 

They will be looking to ensure they don’t get left with two security solutions – the one that existed before 

and the one implemented when employees switched to remote working. To avoid twice the work and 

twice the reporting (as well as other associated tasks for security teams) organizations need a common 

approach. There will be more focus on adopting zero trust network access, whether staff are working in 

the office, remotely, or a combination. 



3. Focus on zero trust architecture 

In May 2021, President Biden signed an executive order to improve the nation’s cybersecurity, with 

arguably the most important order of business being an emphasis on zero trust architecture within 

government. 

We have seen attacks on critical national infrastructure and supply chains. We have learnt that it doesn’t 

matter what you do and what industry, geography or sector you operate in, security is everyone’s 

problem. 

The US government calling out widespread security failings is a good thing and will force many 

companies to change their ways and move much more quickly. Businesses will realise that they must 

seek an alternative. We hope that this emphasis by government on implementing a zero trust architecture 

means that organizations recognise this to be the blueprint and the approach they should follow. 

4. The move to the cloud will finally happen 

While other industries moved operations to the cloud years ago, there has been some reluctance to shift 

away from on-premises operations for security professionals. With the increase in sophisticated threats, 

as staff continue to work remotely, organizations can no longer depend on legacy systems for protection, 

but instead shift to cloud-native solutions. 

Ultimately, what will drive business to move to the cloud is the need to do security better. 

We are also seeing the pendulum beginning to swing in the favour of the user experience. The emphasis 

is on how you can carry out your job without negatively impacting workflow processes and device choice 

for the end user. Users must be able to work as they expect to, and at speed, but with security a priority. 

That points to the cloud because you need the scalability, you need a global view, device coverage, and 

you need to be in between the end user and the cloud services they are accessing and using. 



5. The impact of the talent shortage 

Microsoft recently announced a partnership with community colleges around the US to provide free 

resources in an attempt to help end a shortage in cybersecurity workers by 2025. The question is whether 

the talent shortage will impact the security industry in 2022 and how technology can help to mitigate this? 

It stands to reason that if there are less security incidents to manage, the need to recruit new talent will 

be reduced and the impact of a talent shortage less. How can vendors take a services and people 

augmentation approach? We need to give them the tools that they were hiring services to do. The 

shortage is not going away – solutions will be built around it, but better solutions will mean fewer incidents. 


Mark Guntrip is the Strategy Leader at Menlo Security. Before, he 

worked as Director of Product Marketing at Proofpoint. Mark also worked 

as a product manager in companies like Symantec, Cisco Systems, and 

Websense. 



OT/IT Security – Two Sides of the Same Coin 

By Sachin Shah, CTO of OT, Armis 

The distinction between information technology (IT) and operational technology (OT) is rapidly 

converging as the Industrial Internet of Things (iIoT) – with cross-boundary traffic pollination from 

enterprise-connected devices, applications, and connectivity of all types – proliferates across the Federal 

ecosystem. 

Agencies have long managed and secured these two types of technologies in distinct silos, using different 

approaches and solutions, sharing little data, and relying on management by distinct teams with unique 

skill sets. They have also largely relied on control segmented networks to protect OT devices. The 

convergence of IT and OT is closing that gap, and in doing so is making the legacy siloed security model 

increasingly outdated and risky. 

Although many legacy control systems still maintain effective segmented networks, the trend is to connect 

OT devices on the edge directly to the enterprise network. As a result, the Purdue Enterprise Reference 

Architecture model, which for years indicated a standard hierarchy of applications, controls, data flows, 

and enforcement boundaries, is being flattened and the lines between levels are dissolving. Today, 

agencies simply can’t secure OT without securing IT along with it. 



The industry is already embracing a more integrated approach to IT/OT security, with Gartner projecting 

“by 2025, 75 percent of OT security solutions will be delivered via multifunction platforms interoperable 

with IT security solutions.” Gartner further notes that “brownfield operational technology/information 

technology convergence acceleration and a growing number of greenfield cyber-physical systems push 

OT security needs to evolve, and more IT security leaders to become involved, as threats and 

vulnerabilities increase.” 

Today’s agencies need a passive and agentless security approach that secures all types of connected 

devices—OT, IT, and IoT devices. It needs to be able to: 

● 

● 

● 

● 

Generate a comprehensive inventory of all connected devices – OT & IT 

Today’s enterprises still struggle to see their complete IT asset inventory – from managed to 

unmanaged to IoT devices, from virtual machines to clouds, and more. Most organizations cannot 

accurately identify all of the devices in their environment and airspace – on-premises and on the 

edge – leaving them exposed to compliance, vulnerability, and security issues. 

Ensure that all devices and technology are discoverable 

IT teams depend on asset discovery and configuration transparency to ensure visibility into the 

environments they manage. If the IT team cannot see a device, they cannot securely manage it. 

Therefore, government agencies must ensure discoverability – with the ability to track IT and OT 

devices in real-time – identifying critical information, such as location, users, which applications 

they are using, and more. 

Deliver comprehensive coverage for security controls, devices, and communication. 

The security controls should meet most of the important cybersecurity goals specified by security 

frameworks such as NIST CSF or CIS CSC, and NISTIR 8228. In the IT world, this typically 

requires the use of several different security tools. For the OT environment, it would be desirable 

to obtain comprehensive coverage of the required security controls using as few tools as possible. 

The security platform should work for all types and brands of devices common to agencies and 

their facilities, including IP security cameras, fire alarm systems, switches, firewalls, wireless 

access points, printers, and more. Finally, the platform must be able to directly monitor all 

communication pathways that could be used by a cyber attack, including Ethernet, Wi-Fi, 

Bluetooth, BLE, and possibly other wireless protocols such as Zigbee. Wireless coverage is 

important because attackers can exploit vulnerabilities such as BlueBorne, KRACK and 

Broadpwn to compromise OT devices over the air, without any user interaction. 

Identify risks associated with every device 

Beyond discovering the assets, agencies require a platform that enables them to identify risks 

and vulnerabilities for devices in the office, at remote locations, as well as those interacting with 

cloud environments. This requires understanding what a device is and how it is being used and 

an inherent understanding of device characteristics. The organization must then be able to 

compare the device’s individual risk profile with the agency’s risk posture to provide security and 

policy enforcement. Automation is critical to ensure accuracy and efficiency when managing 

environments with tens of thousands of devices and counting. 



● 

● 

Passively monitor the behavior and communication patterns of every device 

Real-time collective intelligence helps agencies make policy recommendations to better protect 

their environments, maintain mission continuity and operational resiliency, and reduce risk. The 

ability to passively monitor all unmanaged and OT, IT, and IoT devices on a network and in the 

airspace is key to not interfering with device performance. 

Take automated actions to thwart attackers 

When a device operates outside of its known-good profile, the platform should issue an alert 

and/or trigger automated actions. The platform must have the ability to correlate observed activity 

in the network with broader industry and device-specific threat intelligence, as well as take into 

account the presence of vulnerabilities and other risk factors to detect actual attacks with higher 

confidence. 

The security outcomes needed for OT environments are well understood but can’t be achieved using 

traditional security tools. Neither specialized OT security tools nor traditional IT security tools were 

designed for today’s hybrid OT/IT environment. With the continued convergence of OT and IT, agencies 

need a different approach to security—one that bridges the two domains for a more secure agency and 

greater mission continuity. 


Sachin Shah is the Chief Technology Officer, OT at Armis. A Chief 

Technology Officer, OT at Armis Security, He is responsible for setting a 

technology, outlining the goals, resources, and timelines for the research 

and development team of all technological services. Making executive 

decisions on behalf of the company's technological requirements, he 

also acts as a mentor to evangelize the technical leadership team, 

maintaining a consumer-focused outlook and aiding in the delivery of 

projects to market. He is also responsible for ensuring all technology 

practices adhere to regulatory standards. He is a visionary public 

speaker to meet current and future technology security needs. 

Sachin can be reached online at sachin@armis.com and at our company website 

https://www.armis.com/. 



WatchGuard Technologies’ 2022 Predictions: 

State-Sponsored Mobile Threats, Space-Related Hacks 

and More 

A look at the future of cybersecurity in 2022 and beyond 

By Corey Nachreiner, Chief Security Officer, WatchGuard Technologies 

2021 was another wild year in cybersecurity with the industry facing everything from hackers attacking 

remote workers to a deluge of ransomware attacks against critical infrastructure and much more. As we 

wave goodbye to 2021, it’s time for the WatchGuard Threat Lab to provide its annual predictions for 2022. 

This year the team decided to layer on some added humor and deliver our predictions with some fun 

“SNL Weekend Update” parody style videos – so if you’d rather watch than read, take a look here. If not, 

here are some of our 2022 predictions (you access the entire list here): 

1. State-Sponsored Mobile Threats Trickle Down to the Cybercrime Underworld 

Mobile malware certainly exists – especially on the Android platform – but hasn’t yet risen to the 

same scale of traditional desktop malware. In part, we believe this is due to mobile devices being 

designed with a secure mechanism (e.g., secure boot) from the start, making it much more difficult 



to create “zero-touch” threats that don’t require victim interaction. However, serious remote 

vulnerabilities have existed against these devices, though harder to find. 

Meanwhile, mobile devices present a very enticing target to state-sponsored cyber teams due to 

both the devices’ capabilities and information contained in them. As a result, groups selling to 

state-sponsored organizations are mostly responsible for funding much of the sophisticated 

threats and vulnerabilities targeting mobile devices. Unfortunately, like in the case of Stuxnet, 

when these more sophisticated threats leak, criminal organizations learn from them and copy the 

attack techniques. 

Next year, we believe we’ll see an increase in sophisticated cybercriminal mobile attacks due to 

the state-sponsored mobile attacks that have started to come to light. 

2. News of Hackers Targeting Space Hits the Headlines 

With renewed government and private focus on the “Space Race” and recent cybersecurity 

research concentration on satellite vulnerabilities, we believe a “hack in space” will hit the 

headlines in 2022. 

Recently, satellite hacking has gained investigative attention from the cybersecurity community 

among researchers and at conferences like DEF CON. While satellites might seem out of reach 

from most threats, researchers have found they can communicate with them using about $300 

worth of gear. Furthermore, older satellites may not have focused on modern security controls. 

Meanwhile, many private companies have begun their space race, which will greatly increase the 

attack surface in orbit. Between those two trends, plus the value of orbital systems to nation 

states, economies, and society, we suspect governments have quietly started their cyber defense 

campaigns in space already. Don’t be surprised if we see a space-related hack in the headlines 

soon. 

3. Spear SMSishing Hammers Messenger Platforms 

Text-based phishing, known as SMSishing has increased steadily over the years. Like email 

social engineering, it started with untargeted lure messages being spammed to large groups of 

users, but lately has evolved into more targeted texts that masquerade as messages from 

someone you know. In parallel, the platforms we prefer for short text messages have evolved as 

well. 



Users, especially professionals, have realized the insecurity of cleartext SMS messages thanks 

to NIST, various carrier breaches, and knowledge of weaknesses in carrier standards like 

Signaling System 7 (SS7). 

Where legitimate users go, malicious cybercriminals follow. As a result, we are starting to see an 

increase in reports of malicious spear SMSishing-like messages to messenger platforms like 

WhatsApp. We expect to see targeted phishing messages over many messaging platforms 

double in 2022. 

4. Password-Less Authentication Fails Long Term Without MFA 

It’s official. Windows has gone password-less! While we celebrate the move away from passwords 

alone for digital validation, we also believe the continued current focus of single-factor 

authentication for Windows logins simply repeats the mistakes from history. Windows 10 and 11 

will now allow you to set up completely password-less authentication, using options like Hello 

(Microsoft’s biometrics), a Fido hardware token, or an email with a one-time password (OTP). 

The only strong solution to digital identify validation is multi-factor authentication (MFA). In our 

opinion, Microsoft (and others) could have truly solved this problem by making MFA mandatory 

and easy in Windows. You can still use Hello as one easy factor of authentication, but 

organizations should force users to pair it with another, like a push approval to your mobile phone 

that’s sent over an encrypted channel. We predict that Windows password-less authentication will 

take off in 2022, but we expect hackers and researchers to find ways to bypass it. 

5. Companies Increase Cyber Insurance Despite Soaring Costs 

Since the astronomical success of ransomware starting back in 2013, cyber security insurers 

have realized that payout costs to cover clients against these threats have increased dramatically. 

In fact, according to a report from S&P Global, cyber insurers’ loss ratio increased for the third 

consecutive year in 2020 by 25 points, or more than 72%. This resulted in premiums for standalone 

cyber insurance policies to increase 28.6% in 2020 to $1.62 billion USD. As a result, they 

have greatly increased the cybersecurity requirements for customers. Not only has the price of 

insurance increased, but insurers now actively scan and audit the security of clients before 

providing cyber security-related coverage. 

In 2022, if you don’t have the proper protections in place, you may not get cyber insurance at the 

price you’d like, or at all. Like other regulations and compliance standards, this new insurer focus 

on security and auditing will drive a new focus by companies to improve defenses in 2022. 




Corey Nachreiner is the CSO of WatchGuard Technologies. A 

front-line cybersecurity expert for nearly two decades, Corey 

regularly contributes to security publications and speaks 

internationally at leading industry trade shows like RSA. He has 

written thousands of security alerts and educational articles and 

is the primary contributor to the Secplicity Community, which 

provides daily videos and content on the latest security threats, 

news and best practices. A Certified Information Systems 

Security Professional (CISSP), Corey enjoys "modding" any 

technical gizmo he can get his hands on and considers himself 

a hacker in the old sense of the word. Corey can be reached 

online via Twitter and WatchGuard’s company website 

https://www.watchguard.com. 



What Are DeFi Flash Loans & How to Prevent Flash Loan 

Attacks? 

Decentralized Finance is changing the way we borrow and invest. Flash loans, a type of uncollateralized 

lending, have gained in popularity, as well as bad press. Flash loan attacks are a common threat that 

enable hackers to steal massive amounts of cryptocurrency reaching up into the hundreds of millions. 

By Kiril Ivanov, Founder and Technical Lead, Bright Union 

What is a flash loan? 

A flash loan is an ultra-fast, unsecured loan, where the whole lending and returning process occurs 

within a single transaction on the blockchain. The loan is able to by-pass the numerous prerequisites 

of a traditional loan, used to guarantee their repayment. No credit checks, collateral and guarantors 

are needed, provided that the liquidity is returned to the pool within a single transaction block. If this 

fails to occur, the whole transaction is reversed, effectively undoing the actions executed up until that 



point. This guarantees the safety of the funds in the reserve pool. 

Watch this 1 min video to see how a flash loan works. Source: Coindesk. 

https://www.youtube.com/watch?v=4CEeP7ar2X0&ab_channel=CoinDesk 

The primary intended reason for these flash loans is for users to capitalize on 

arbitrage opportunities. Arbitrage is the simultaneous purchase and sale of the 

same asset in different markets in order to profit from marginal differences in the 

asset's listed price. Arbitrage traders are vital for their role in increasing market 

efficiency as they narrow the gap in these price discrepancies. Other use-cases 

include collateral swapping, self-liquidation, and more. 

Typically, the concept works well, but some misuse this form of lending, intending to drain 

vulnerable DeFi protocols of millions of dollars. 

Flash loan attacks - why they are easily executed 

Flash loan attacks are relatively common because they are easy for a hacker to perform and low-risk 

due to the probability of exposure being so low. The resources required to execute a flash loan attack 

are nothing more than a computer, internet connection and ingenuity as stated by Coinmarketcap. 

One of the most common types of economic exploit in DeFi involves a flash loan attack. Source: Elliptic 



DeFi hackers can easily exploit flash loans as they can be used to create artificial arbitrage opportunities. 

It involves manipulating asset prices in order to take advantage of arbitrage opportunities on DeFi 

services that would not otherwise have existed. In short, due to the theoretically infinite size of the loan, 

the attacker is able to ‘increase demand’ and raise the price. They can make a trade just like any other 

arbitrage opportunity [buy low, sell high], then pay off the loan and keep the profits. The maximum size 

of the loan could be as great as the liquidity pool could handle; theoretically reaching into the billions of 

dollars, draining the liquidity of the effect pools. 

Their unlimited and instantaneous nature mean that a well-planned attack can be executed in one go, 

with no risk if it fails [since the loan transaction will automatically reverse if the loan isn’t repaid. 

Examples of flash loan attacks in 2021 

● C.R.E.A.M. Attack October 2021 loss of ~$130m 

The hacker borrowed $500m DAI and $2bn ETH with two separate addresses. Through a series of 

trades, and using the loans as collateral for more loans, the attacker was able to artificially double the 

price of the yUSD and repay the loans. With the remaining $1bn of collateralized crYUSD, the attacker 

borrowed all the liquidity from the C.R.E.A.M. Ethereum v1 markets. 

In the post-mortem by C.R.E.A.M., it is stated that the key vulnerability lies within the price 

calculation of the wrappable token. 

● xToken Attack August 2021 loss of ~$4.5m 

This hack was the result of a flash loan being used to deflate an xSNX token price and the hacker’s 

ability to call a function which shouldn’t have been within their power to do so. The source of value 

extraction was the artificial arbitrage by the price manipulation of xSNX. Interestingly, xToken has 

since retired the xSNX product due to its complexity. 

● Pancake Bunny Attack May 2021 loss of ~$200m 

The hacker used pancakeswap to borrow BNB. They used this to manipulate the price of USD/BNB and 

BUNNY/BNB, gaining a huge amount of BUNNY. They then dumped the BUNNY and remaining BNB 

which was at the time worth around $200m. 

**The figures quoted are the amount of value extracted at the time of the hack. The protocols may 

have recovered some of the tokens or compensated the users after. 



Consequences of flash loan attacks 

Depending on the scale of the attack, consequences can vary. But one thing is certain, the reputational 

damage is great, and the other protocol users pay the adverse effects. Seemingly never out of the 

spotlight, C.R.E.A.M. has been attacked three times in 2021, two of which were flash loan attacks. In the 

case of flash loans, lightning can and does strike the same place twice. 

The primary and most important consequence is the impact that flash loan attacks can have on other 

users. DeFi would be nothing without the loyalty and money of the users who are all key players in an 

intricate autonomous ecosystem. It is presumptuous to assume that victims have available cash to put 

back into a system that has failed to protect their assets adequately. 

Questions about whose responsibility it is to ensure that flash loan attacks don’t occur will continue 

to rise and protocols will rightfully be expected to defend themselves. Is taking preventative 

measures enough to adequately prove that the platform isn’t responsible if an exploit occurs? A 

prudent protocol or exchange should also consider a post-exploit action plan, if the worst is to 

occur. 

5 Steps for protocols to take to minimize the likelihood and impact of flash loan exploits 

The recommendations here align with the three pillars of cyber security: security, vigilance and 

resilience. 

1. Design of the protocol matters 

Complexity comes with risk. While developing a large smart contract or building a dApp it is difficult to 

pinpoint loopholes. Therefore, all external calls should be located, to explore if these could serve as a 

path for the malicious actors in the contracts. In older versions of Solidity, even reading a public field 

could lead to unsafe external calls that can be easily manipulated. Therefore, developers should always 

use the stable and updated versions of Solidity. 

2. Use a decentralized oracle 

Oracle manipulations are the biggest cause of flash loan attacks. Smart contracts heavily rely on oracles 

which provide an effective interface between the contracts and the external source to push the required 

data. Decentralized Oracles like Chainlink, gather data about prices from multiple sources, which reduces 

the likelihood of a single data point influencing the oracle. If a platform relies solely on the data of one 

particular DEX, then its data is at risk of being flawed. Mal Intended users could directly manipulate the 

price of the singular DEX where the loan price is based off, resulting in loans issued with an inaccurate 

average price. On the other hand, limited data could form an inaccurate representation of the average 

market price and thus promote excessive slippage exploitation. 



3. Get audited 

Getting a smart contract audit is one of the most vital steps before launching your product. These 

audits identify and remediate vulnerabilities in the smart contracts before they can be exploited by 

someone with malicious intent. Source Consensys Source Certik 

Due to the interwoven nature of these protocols, just focusing the attention of the audit on the critical 

components isn’t enough to guarantee their security. A chain is only as strong as its 

weakest link, perfectly showcased by the recently detected Log4Shell vulnerability. If an audited protocol 

integrates with, for example, an un-audited bridge, well this might be the gap that a hacker is looking for. 

If a hole in the code of the platform is found, then it is crucial for the developers to remedy it as soon as 

possible. It may sound obvious, but apparently it isn’t to everyone. As described in the examples above, 

in May of 2021, Pancake Bunny was hit resulting in an enormous loss. Just days after, AutoShark was 

hit in a copy-cat attack, which fortunately resulted in significantly smaller losses. The kicker, however, 

is that AutoShark officially published its acknowledgement that it was vulnerable to a similar style hack. 

4. Participate in a Bug Bounty program 

Continual vigilance over the smart contracts while they are in operation is critical, especially if updates 

and integrations are occurring. Offering a bug bounty incentivizes those with ‘hacking skills’ to act 

ethically. They are prizes for ethical hackers who report holes in code, which they could have exploited. 

It encourages these white hat hackers to work with the protocols rather 

than against them. ImmuneFi is a platform that advocates for the rights of white hat hackers. Protocols 

list their bounty on the database and offer a portal for hackers to submit their findings. 

It isn’t enough to just offer a few thousand dollars as a bounty. ImmuneFi suggests 10% of TVL. It has 

to be enough to incentivize a hacker to act ethically when they know they have ‘illegal’ access to a much 

larger pool of funds. The incentives provided are attractive with a record amount of $10m being offered 

by BXH after a hack where over $139m was taken. 

5. Offer in-App coverage 

Despite all efforts to prevent a flash loan exploit, there is always a possibility for the event to occur. 

Proactively educating users about the risks of investing should be the responsibility of the protocols. Do 

your own research (DYOR) is one of the most thrown-around phrases. However, in the context of 

deciding which protocols to use, the protocols themselves should do the research about their risks and 

present these to users in a clear way. 

The impact of an exploit can cause a serious business crisis if the protocol doesn’t act transparently. 

By offering in-app coverage, crypto's alternative to insurance, protocols are acknowledging the risks 

and presenting their users with a discretionary option to mitigate the risks based on their risk appetite. 



How does it work in practice? There are multiple risk platforms offering coverage against smart contract 

failures for hundreds of protocols, exchanges and wallets. Nexus Mutual is currently the best known, 

with TVL around $1B. New players are slowly building up traction in the market like Bright Union and 

Bridge Mutual. 

Bright Union, DeFi coverage aggregator, has developed a way for protocols to offer their users coverage 

from their own app with an SDK. The cost of coverage can even be deducted from the APY so no out of 

pocket costs for users creating a seamless customer journey. 

A protocol proactively offering users coverage is Alpaca Finance. The app connects the users directly 

to these risk coverage platforms, where they are then able to buy coverage. Similarly Don-key finance, 

a social platform for yield farming, is soon offering a fully covered strategy for users to invest in, with 

coverage just a click away. 

About The Author 

Kiril Ivanov is the Founder and Technical Lead at Bright 

Union. He is one of the Bright Union founders, has 20 years 

of development experience comprising 15 years in finance, 

10 years in the insurance space and the last five in blockchain 

and decentralized finance. Before starting Bright Union, Kiril 

provided blockchain powered solutions for innovative digital 

insurance. He’s been highly interested in the growing DeFi 

space for years, where decentralized networks transform old 

financial products into trustless and transparent protocols that 

run without intermediaries. Kiril can be reached online at 

https://www.linkedin.com/in/kirivanov/ and our company website https://brightunion.io/. 



Protecting Critical Infrastructure Against Cyberattacks 

Understanding how attackers get in is the critical first step to mounting an effective defense. 

By Sean Deuby | Director of Services, Semperis 

Cyberattacks in any industry cause multiple forms of damage. But attacks on public infrastructure—such 

as transportation systems and public utilities—can cause wholesale disruptions in daily life or threaten 

public safety. The U.S. Department of Homeland Security (DHS), and its subsidiary Cybersecurity and 

Infrastructure Security Agency (CISA), administer the National Infrastructure Protection Plan to protect 

all sectors of “critical infrastructure” of fundamental concern for vulnerability and resiliency. See 

https://www.cisa.gov/national-infrastructure-protection-plan . 

A few high-profile attacks, such as the Colonial Pipeline ransomware attack in May 2021, brought 

cyberattacks to the forefront for people on the U.S. East Coast who experienced gas shortages and 

higher prices. Following the attack, Colonial Pipeline proactively took some systems offline—including 

8,850 kilometers of gas pipelines—to address the threat. 

The increase in attacks on public infrastructure signals that for some cybercriminals, the gloves are now 

off. For some, the goal of a ransomware attack isn’t solely to make money but rather to simply wreak 

havoc, disrupt services, and incite panic. Any sense of morality that might have been ascribed to threat 

actors in the past seems to have disappeared in the last couple of years. 

Another case that proves this point is the attack on a water treatment facility in the small U.S. town of 

Oldsmar, Florida, in April 2021. During the time that the breach went undetected, the threat actors were 

able to manipulate the system to increase the amount of sodium hydroxide in the water supply. Although 



the attack was mitigated before the substance reached a health-threatening level, the potential for 

cyberattackers to endanger lives is real. 

Public infrastructure organizations can strengthen their defenses against attacks by understanding the 

entry points for these attacks, addressing challenges inherent to the industry, and implementing new 

practices to guard against the current threat landscape. 

Addressing identity system challenges in public infrastructure organizations 

Public infrastructure organizations face unique challenges with securing their identity systems. Because 

many utilities manage infrastructure that is critical to daily life, nation states and other malicious actors 

have an interest in developing cyber weapons that target utilities, according to a 

Siemens/Ponemon Institute survey of global utility companies. The study called out several factors 

reported by utilities operators that undermine efforts to improve security posture, including: 

• Lack of technical skills needed to identify threats 

• Poor alignment between operational IT teams and security teams to recognize threats originating 

in the identity or other IT systems 

• Outdated security practices, including limited understanding of the current threat landscape and 

risk-based best practices 

• Lack of investment in training and personnel 

• Inadequate cyberattack response plan and slow response to past incidents 

• Deployment of digital and networked equipment, providing new targets for cybercriminals— 

and far-reaching consequences 

The obstacles are daunting, but by implementing a systematic approach to closing security gaps in the 

identity system, public infrastructure organizations can significantly improve their security posture—a 

worthy goal given that these systems are clearly becoming a favored target for cybercriminals. 

Closing the attack entry points in the identity system 

Understanding how attackers get in is the critical first step to mounting an effective defense. In both the 

Colonial Pipeline and the Oldsmar attacks, threat actors targeted Active Directory, which is the core 

authentication service used by 90 percent of businesses worldwide. AD is a common attack path for 

cybercriminals because of its size, complexity, and tendency toward configuration drift, especially in large 

organizations with 20-year-old AD implementations. 

The Colonial Pipeline attack was carried out by the DarkSide group, one of many ransomware-as-aservice 

(RaaS) organizations that have pooled their cybercrime skills to carry out attacks on behalf of 

clients. These groups operate systematically to gain access to an organization’s infrastructure through 

AD security weaknesses: 



• They use penetration tools to gain access to the system, then start their reconnaissance efforts 

• Next, the threat actors will spend days or weeks (or months, in the case of the SolarWinds attack) 

hunting for vulnerabilities and gaining access to privileged user accounts 

• After gaining control of the assets they crave, they complete their mission—whether it is poisoning 

a public water supply, encrypting sensitive data in exchange for a ransomware payment, or other 

evil deeds 

Although DarkSide claims to have some principles (declining to attack hospitals or schools, for example), 

the group strikes only lucrative targets and exhibits impressive patience by lurking within systems 

sometimes for months in order to locate the most valuable assets. 

Systematically identifying and addressing Active Directory vulnerabilities is an essential step in guarding 

against cyberattacks. Even the sophisticated RaaS groups prefer to take the easy path—when it works— 

rather than devising new tactics. Although the work can be tedious and time-consuming, implementing 

good AD security hygiene is achievable with focus, time, and effort. 

Protecting organizations before, during, and after the attack 

The first step in defending against identity system attacks is identifying and addressing vulnerabilities 

that are prime targets for cyberattackers. Especially for large, established organizations with legacy 

Active Directory systems, risky settings can accumulate over time, leading to easily exploitable security 

gaps. 

For example, some of the most common and riskiest configuration errors in Active Directory are related 

to the authentication process. Let’s say an organization uses an application that doesn’t directly integrate 

with AD, but the application needs to query AD for active users. The easiest way to facilitate this process 

is to enable anonymous access to Active Directory. But if that setting is enabled without any mitigating 

controls, the organization’s risk profile would substantially increase. This is just one example of lax 

password policies that can open the door to cyberattackers. 

Permitting excessive permissions is another practice that initially saves time or addresses a perceived 

need for urgent access to business-critical applications and services—but leaves dangerous security 

weaknesses. In too many cases, after the privileged access is granted, the ticket is closed and that 

access is never reviewed again. Over time, the number of excessive permissions continues to grow. It’s 

not uncommon for AD environments to have unnecessarily high numbers of domain administrators. 

Service accounts with excessive permissions also pose a high risk because their passwords are usually 

set to not expire, and many have weak passwords. 

To identify and address these security risks, organizations need to invest time and resources in evaluating 

risky AD settings. Regularly scanning AD provides insight into its security posture and reduces the risk 

of unauthorized changes or misconfigurations going undetected. (One tool that can help with this is 

Purple Knight, a free AD security assessment tool that scans the AD environment for indicators of 

compromise or exposure.) 



Beyond closing AD security gaps, public infrastructure organizations can implement solutions that 

continually monitor the environment for malicious changes. The ability to detect attackers moving laterally 

through the network can substantially limit the damage done. Attack paths can be closed before the 

malicious actors are able to deploy malware, for example. And setting up automated remediation can 

help defuse an attack when every minute counts. Cyberattacks can infect globally connected systems in 

minutes, so the ability to automatically reverse malicious changes helps contain the fallout. 

In the event of a cyberattack, one of the key factors in resuming delivery of public services is being able 

to quickly recover Active Directory to a known-secure state. As any IT administrator can attest, rebuilding 

an AD forest is a laborious, time-consuming process that is prone to errors. Rebuilding an AD forest while 

under the stress of an in-progress attack is the stuff of nightmares. Every organization needs to have a 

fully tested, documented plan for recovering AD—the system that authenticates and grants access to all 

other systems—in the event of a cyberattack. 

Ensuring public services are safe from cyberattacks 

Although public infrastructure organizations are in the crosshairs of attackers, they can improve their 

defenses against even the most sophisticated attacks. By evaluating the security posture of their Active 

Directory environment, setting up monitoring to detect malicious changes, and implementing a fully tested 

AD recovery plan, these organizations will be better positioned to combat attacks and continue to deliver 

vital public services. 


Sean Deuby | Director of Services, Semperis 

Sean Deuby brings 30 years’ experience in Enterprise 

IT and Hybrid Identity to his role as Director of 

Services at Semperis. An original architect and 

technical leader of Intel's Active Directory, Texas 

Instrument’s Windows NT network, and 15-time MVP 

alumnus, Sean has been involved with Microsoft identity technology since its inception. His experience 

as an identity strategy consultant for many Fortune 500 companies gives him a broad perspective on the 

challenges of today's identity-centered security. Sean is also an industry journalism veteran; as former 

technical director for Windows IT Pro, he has over 400 published articles on Active Directory, Azure 

Active Directory and related security, and Windows Server. He has presented sessions at multiple CIS / 

Identiverse conferences. 

For more information, visit http://www.semperis.com 



Three Key Facts About AI-Driven Network Detection and 

Response 

By Eyal Elyashiv, CEO, Cynamics 

Most network detection and response solutions and network performance monitoring and diagnostic 

tools are using the same paradigm that was invented three decades ago. However, networks themselves 

have changed dramatically; modern networks grow more complex and interconnected every day, 

and these new connections increase potential for vulnerabilities. Malicious actors are constantly hunting 

for ways to infiltrate corporate networks, and overly complex, linked systems allow them to slip through 

the security gaps unnoticed. For years enterprises have been attempting to address this security 

challenge but have failed to gain the upper hand. 

The primary reason for this failure is two-fold: human analysts can’t keep up in this environment 

and legacy tools can’t either. Enterprises need assistance from AI-based solutions to enable full visibility 

into their network. Network detection and response (NDR) solutions derive particular benefit from AI. 

However, to implement NDR well, organizations need clarity on its key elements, both before and after 

implementation. 

AI helps fill in the security skills gaps 

As networks become more complex and data volumes continue to grow, the fact is human analysts are 

incapable of monitoring all of it, alone. To make matters worse, the industry is experiencing an 

estimated shortage of 2.72 million skilled cybersecurity professionals – there just aren’t enough skilled 

people to adequately defend organizations’ critical assets. Instead, the industry must learn how to use 

tools like AI and ML to supplement these skills gaps. The lack of capable and experienced cybersecurity 

talent can leave networks vulnerable to a myriad of threats. 



How AI addresses the network visibility problem 

Meanwhile, a seemingly intractable security hurdle arises as “smart networks" increase in scale and 

complexity. Anomalies, attacks and threats can start with one simple click and begin at one of the 

hundreds or thousands of devices connected to the network – workstations, routers, switches and 

more, significantly compromising network security. 

It’s both impractical and expensive to add specialized network monitoring and detection solutions to each 

network device, and it can negatively impact device performance. Monitoring each network component 

separately is insufficient, detecting a sophisticated attack requires a holistic view of the network 

and comprehensive analysis of network patterns across devices. 

Using AI/ML provides this holistic view. Machine learning techniques extrapolate the most likely behavior 

of all network traffic based on radically small traffic samples from every network device, including 

private or public cloud and legacy routers, using standard sampling protocols that are built-in in every 

network device. Then, the ML automatically learns the most important network fields, using these to 

summarize the network state in each device at each timestamp. It can also understand changing network 

trends autonomously. 

AI detection models constantly analyze network traffic patterns over time in several layers – including 

each device by itself, the entire network level and groups of devices, and looks for suspicious behaviors. 

These models are based on analysis of small samples of network traffic which greatly 

reduces processing time, compared to current solutions that must collect, process and analyze each and 

every packet. Such models enable early and faster detection. 

Previously unseen traffic patterns can uncover what’s really taking place on networks in real time, without 

the expense and impracticality of monitoring every device. This makes AI-based NDR solutions timeefficient, 

cost-effective and holistic in their network coverage. 

Predicting threats and anomalies 

AI-based NDR can autonomously predict threats and hidden patterns before attacks happen. It 

automatically monitors the network to detect threats and anomalies for rapid, precise prediction, while 

you focus on operations. This triggers appropriate policies to block today’s most damaging threats, 

including ransomware and DDoS attacks, long before they reach your sensitive assets. 

A significant benefit of this kind of solution is that it doesn’t require any changes to your network, some 

are even agnostic to network hardware and architectures. You don’t need to install any appliances or 

agent, and it’s non-intrusive, which reduces risk. 

Integral to network security 

Thirty years in the technology realm is like a lifetime due to the rapid pace of change. It’s unrealistic to 

think that solutions designed three decades ago can protect today’s complex networks against 

sophisticated attackers. Another massive technology change that has shaken up the industry is the 

advent of AI- and ML-based security applications, including NDR. 

These technologies provide full network visibility across all endpoints, some do so using only a fraction 

of network traffic. This enables fast and accurate threat detection that immediately identifies network 

deficiencies and vulnerabilities. These non-intrusive, cost-effective solutions create a comprehensive 

view of your network and are rapidly becoming an integral part of modern-day network security. 




Eyal Elyashiv is the CEO and co-founder of Cynamics the only 

Next Generation (NG) Network Detection and Response (NDR) 

solution in the market today using standard sampling protocols 

built-in to every gateway, patented algorithms, and AI and 

Machine Learning, to provide threat prediction and visibility at 

speed and scale. 

Eyal can be reached online at @cynamics_ai (Twitter) or on 

LinkedIn at https://www.linkedin.com/company/cynamics/. The 

company website is: https://www.cynamics.ai/ 



Cybersecurity Experts Share Their Predictions for 2022 

By Danny Lopez, CEO of Glasswall 

The year 2021 raised many major cybersecurity concerns including the rise in ransomware attacks, 

phishing scams, and data breaches. Many organizations have embraced a fully remote or hybrid work 

model which has led to an increase in security risks. In addition, there is a skills gap as 82% of employers 

have reported a shortage of cybersecurity skills in the workplace. 

This all creates an urgent need for cybersecurity professionals and best practices to be of higher priority. 

While some larger companies invest in robust solutions, unfortunately, many organizations fail to view 

cybersecurity as a necessity. It’s imperative that organizations implement a zero-trust method of security, 

where threats can come from anywhere, whether it be inside or outside the organization. 

We connected with a diverse group of cybersecurity executives to discuss their predictions for 2022. See 

their predictions below: 



Tyler Farrar, CISO, Exabeam 

“What do ransomware, phishing, advanced persistent threats and the like all have in common? Access. 

In the New Year, organizations should expect all of these attack methods to grow, but an all-too-important 

area to watch out for that often gets missed is initial access brokers. 

Initial access brokers are individuals or groups that resell credentials in the criminal marketplace. In turn, 

other adversaries can use the information to cause further damage for a company, often going 

undetected. According to a recent SANS Institute survey, 14% of organizations on average have 

indicated that the time between the compromise of a network and detection of an adversary is between 

one to six months. 

Nation-state groups in particular will continue to take advantage of this information to conduct continued 

and persistent access attacks. Similar to trench digging in actual warfare, they will keep manufacturing 

exploits to launch a full-on cyber war in the future. 

The key to stopping the most popular attack methods used by adversaries today is to control access 

points and reduce overall dwell time. One of the simplest ways for organizations to achieve this is by 

preventing compromised credentials incidents — which is the reason for 61% of breaches today —and 

monitoring user behavior. Doing so provides the necessary context needed to restore trust and react in 

real-time to protect user accounts -- halting malicious access in its tracks.” 

Steve Cochran, CTO, ConnectWise 

“Infosec will dominate our lives in the tech space for the foreseeable future. Companies may think they’re 

protected, however, many of them are using slingshots to protect themselves while the bad guys have 

tanks, bombs, and machine guns. We have a long way to go as a technology-driven society in terms of 

cybersecurity. Getting ourselves to the point where we aren’t at risk of a serious attack will be our focus 

for the next two to three years. On the less serious side, tools that allow us to better engage in the new 

hybrid working model will become more prevalent. Solutions will be developed that will allow us to work 

in a more meaningful way during this new era. Tools that let us set up conferences, arrange food 

deliveries, and show who is in and out of the office will take center-stage now that the majority of 

companies have introduced hybrid working models.” 



Neil Jones, cybersecurity evangelist, Egnyte 

“Ransomware-as-a-service (RaaS) will continue to grow and become more sophisticated over the next 

year. By September of 2021, the number of publicly reported data breaches had already surpassed the 

total of the previous year by 17%. This is not a new problem and with its increasing frequency it’s 

important for our leaders to understand how profitable an industry RaaS has become, and the risks they 

may be facing. 

While it’s easy to imagine these cybercriminals as an underground operation in someone’s basement, 

they don’t always appear that way. In fact the group linked to the Colonial Pipeline attacks were anything 

but ‘hackers in hoodies.’ They fronted themselves as an agency selling cybersecurity services, including 

a predictable schedule, benefits and lunch breaks as part of their job posting. 

If we can take any lessons from this, it’s that we cannot underestimate the intelligence of these RaaS 

gangs. They are constantly overcoming systems and evolving with new technological advancements. 

Don’t let your company be fooled by false notions or assumptions about cybercriminals, especially that 

paying ransom will magically restore access to your company’s files. Instead, stay proactive and vigilant 

as you create and manage your cybersecurity systems.” 

Jeff Sizemore, chief governance officer, Egnyte 

“We can expect to see a steep rise in US state-by-state data privacy requirements and movement toward 

a potential federal privacy law in 2022. In fact, by 2023, it’s expected that 65% of the world’s population 

will be covered by privacy laws. 

This becomes even more critical with many companies’ employees working from home or adapting to 

hybrid work models. Increasingly, these organizations are aiming to be more data-driven by measuring 

employee productivity. To achieve desired productivity, organizations will need to ask employees 

intrusive questions, and those questions will create their own privacy impacts. 

Increasingly, personal privacy is being viewed as a human right, and the way vendors handle consumer 

and employee data will determine how much the public trusts them and wants to conduct business with 

them. 



Protecting unstructured data will likely be one of the biggest challenges in the new year. If you can’t see 

it, you can’t govern it. If you can’t govern it, you definitely can’t manage privacy. However, organizations 

need to have visibility into structured and unstructured data to build out an effective data governance 

program, and there are data security and governance tools available to protect that information across 

the board. We also expect to see ongoing privacy assessments becoming more common. Organizations 

need to put privacy at the forefront and make sure they are solving the problem holistically in the new 

year and well beyond.” 


“In 2022, I hope to see executives finally view cybersecurity as a wise investment rather than an optional 

budget line-item. Significant investment is required to stay one step ahead of cyber-attackers, and 

ongoing, company-wide cybersecurity training is required for employees in our ‘work from home’ world. 

Modern businesses can’t have effective data governance and security programs that consist of a single 

person, and historically, far too many companies have relied on the CISO’s or CPO’s efforts alone. 

Cybersecurity needs to be an all-hands company effort. 

In the new year, we will be seeing the further distribution of risk management within companies and hope 

to see increased engagement from end-users and customers, so they can better understand what is 

happening at a security level. Any opportunity to educate individuals about security and privacy will be a 

step in the right direction as people are more drawn to being educated than being sold to. And, Just like 

travelers at a bus or a train station, ‘If end-users see something, they should say something.’ 

It is time for companies to make humans part of the solution, rather than the cause of the problem. 

Transparency of risk with the Board and internal staff will help stakeholders understand the importance 

of the security teams’ requests and will maximize organizational buy-in.” 

Jeff Sizemore, chief governance officer, Egnyte 

“The ransomware attacks that impacted Colonial Pipeline, SolarWinds, and Twitch in 2021 have put 

cybersecurity at the forefront of global business operations - both for consumers and businesses. The 

immediate impact of a data breach is devastating but it’s only the tip of the iceberg. According to an IBM 

study, the average cost of a data breach is more than $4 million per incident. Unfortunately, recovery 

from an attack is a perpetually uphill battle that will continue as we move into 2022. 



With the onslaught of breaches expected to continue, so will the spike in cybersecurity insurance 

premiums. Insurance carriers will perform their due diligence on hacked companies delving into their 

CSOs’ preparedness activities, data suppliers and supply chains, leaving no stone unturned. Currently, 

insurance policies are increasing at a rate of 200 - 300% at the time of renewal and that trend is 

anticipated for the foreseeable future. It’s a Catch-22; the higher the risk, the harder it can be for a 

company to find insurance coverage, which can impact new business and government contracts. 

The long-term damage a data breach does to a company, no matter the size, only exemplifies the 

importance of data protection. As we roll into 2022, companies must keep cybersecurity a number-one, 

top-of-mind issue in all of their business operations.” 


“In 2021, attackers noticed that major data breaches or ransomware attacks could influence a company’s 

stock and brand reputation, and public announcements could disrupt customers, partners and business 

markets. In 2022, we expect attackers to begin leveraging attacks to not only collect ransom but to make 

additional profits trading on the information by announcing ransomware attacks publicly. Ransomware 

attacks may even be timed to coincide with quarterly earnings announcements or other events.” 

John Noltensmeyer, chief technology officer at TokenEx 

“My advice to organizations in 2022, as we continue to see the proliferation of privacy laws both at the 

state level and potentially the federal level, is that globally, organizations need to ensure that they have 

a lawful basis for collecting data. That has been part of European data protection law for decades. In the 

United States, we have treated personal data as a free-for-all: if you can collect it, then you can do 

anything you want with it. That is obviously changing, so if organizations are not considering that, and 

not using something like the GDPR or CCP as a guide - even if an organization feels those laws don't 

apply to them - they should absolutely begin considering the effect of similar legislation on their 

organization. It is likely that there will be some type of comparable regulation that does apply to their 

business within 2022.” 

Matthew Meehan, chief operating officer at TokenEx 

“For data security and protection, if an organization has to extensively re-architect its internal 

environments to be secure, it will be difficult to ever reach project completion. And environments will 



change again before they’re done. Instead, organizations need to find data protection approaches that 

provide the flexibility to work with and conform to the specific environment.” 

Matthew Meehan, chief operating officer at TokenEx 

“Indeed, the continued rise in cyberattacks we witnessed in 2021 will cause C-level execs to take 

cybersecurity more seriously. There are two risk buckets to consider in this regard: business interruption 

risk (where the business goes down as the result of an attack); and liability for loss of sensitive customer 

and other data. The technologies to manage these risks are different, but both sets of risks are concrete, 

quantifiable, and have a direct, immediate economic impact as well as reputation and brand-value 

implications. Boards and executives that appreciate the quantifiable aspects of these risks will invest 

wisely to protect and build company value over the coming years.” 

Steve Moore, chief security strategist, Exabeam 

"Quality leadership is essential in running a successful company, but did you know that poor leadership 

methods result in poor performance and a heightened risk of cyberattacks? 

We've seen a steep rise in cybercrime in 2021 that we can expect to continue into the new year, and an 

effective defense begins with influential leaders. However, it would be a shame if leadership adapted to 

new work dynamics as they've historically adapted to adversaries - which is slowly. 

This cyber security climate applies more significant pressure to leaders; will strain the mediocre ones 

well beyond their value. In this example case, defenders' networks, already rife with gaps and missing 

capabilities for digital adversaries to exploit, will fail to meet the basics of relevance. Leaders must focus 

on outcomes for their staff - focus on 'why' instead of the 'how,' and reflect on their abilities to lead, retain, 

and recruit will come out on top. 

An unproductive and stressed security operations center (SOC) only places a target on a company's 

back, leading to the loss of talented workers in an already competitive sector -- and potential loss of 

business due to data breach-driven reputational damage. Instead, SOC leadership should carefully track 

the happiness and career fulfillment of their staff. 



Now, the question from a technical and human perspective is this: how quickly can the defending 

organization adjust to such rapid and frequent attacks -- and improve internal culture during change? In 

addition, cybercriminals are increasingly targeting companies going through significant financial events, 

such as acquisitions and mergers, knowing security teams are likely unstable, stressed, and managing 

integrations during the process. 

This tidal wave of cybercrime will not die down any time soon. Still, if SOCs dedicate themselves to 

understanding the adversary and hire leaders who focus on a healthy culture that boosts morale, a better 

outcome of defense will be fostered." 

Gorka Sadowski, chief strategy officer, Exabeam 

“If we’ve learned anything in 2021, it’s that cybercrime is a collaborative effort in which crime syndicates 

share and learn from each other to make their attacks increasingly sophisticated and damaging. With 

global ransomware payments on track to hit $265 billion by 2031, cybercriminals have the resources they 

need to work together in developing new and improved ways to breach organizational frameworks around 

the world. 

As the year draws to a close, I’m excited to see organizations take cybersecurity much more seriously 

and realize that we’re in this together. 2022 will be a test of how well we can work together, putting 

collaboration above the competition in order to fight against the growing threat that cybercriminals pose 

to industries of all scopes and kinds. Cybercriminals have shown to be highly coordinated, so the only 

hope we have in defeating them is to be just as united in our efforts. 

Another encouraging sign to take into the new year is that governments are finally beginning to mobilize 

and take action against cyberthreats. In the past, it has been largely down to each organization to fend 

for itself, which inevitably exacerbates asymmetry between well-funded attackers and individual 

defenders, leading to costly breaches. Initiatives such as California’s Cal-Secure plan show governments 

are taking a stand and promoting comprehensive, collaborative efforts in the fight against cybercrime. 

Cyberattacks can have devastating consequences on both the public and private sectors alike, making 

government support crucial. 

Cyber adversaries, unfortunately, won’t be going away anytime soon, so the key moving forward is for 

businesses and governments to consolidate their efforts and support each other as the threats grow both 

in complexity and ambition. We’re poised to achieve great things if we remember who the enemies are 

and focus on how we can help each other defend against the next threat that comes our way.” 



Samantha Humphries, head of security strategy EMEA at Exabeam: 

“Ransomware has been at the forefront of cybersecurity concerns this year and I think, unfortunately, 

we’ll continue to see the hold of ransomware leading to extortionware, and also as a distraction. 

Ransomware is an ‘end problem’ for companies. It’s not a case of getting struck by a cyberattack and 

asking ‘what do we do now?’ – by that point it’s far too late. Instead, it needs to be a question of ‘how do 

we make ourselves less of a target, to begin with?’. 

The crux of the problem is that there’s an overwhelming amount of false confidence by companies 

thinking ‘it won’t happen to us’ because they’ve added a new compliance tool, or moved to the cloud. It’s 

not that simple. Cybersecurity is not a ‘tick box exercise’ and then you’re safe. Too many organisations 

still have this mindset that sees them scrimp on the fundamentals of cyber hygiene. 

Everything starts with having visibility across your systems. Put simply, if you don’t know what you’ve 

got, you’re not going to be able to protect it. This insight will help to provide teams with a clear 

understanding of user accounts’ and devices’ normal behaviours, enabling them to spot anomalies more 

easily when they happen - and they will. Not to mention, distributed workforces and a work-fromanywhere 

culture have meant less visibility, less control, and less understanding of what covid-world and 

beyond ‘normal’ user behaviour is. 

I don’t think we’ve seen the whole brunt of the shift to remote work yet. The combination of dispersed 

workforces and more employees using personal devices for work will continue to open up the potential 

for an influx of Bring Your Own Device (BYOD) security risks, meaning growing attack surfaces and 

increased vulnerability to security threats. 

Though it may feel like we are against all odds, it’s important to not be discouraged, downtool, or divest 

our security teams. Companies must continue to tackle modern threats head-on, replacing outdated 

security tools to ensure security teams are prepared and have the ability to understand exactly what’s 

going on inside their changing IT environment.” 

Samantha Andrews, director of account-based marketing at Exabeam: 

“It’s apparent that many company boards are still not prepared for cybersecurity, and are not making the 

connection between the pervasiveness of cyber threats and their vulnerabilities. All too often, cyber is 

taking a backseat behind regulatory and reputational risks. 



The last 18 months have been eye-opening for everyone - we’ve seen the biggest shift in working patterns 

since the Industrial Revolution, it’s been a catalyst for change across numerous industries, and called for 

people to reflect and rethink their priorities. We also saw exponential growth in cyberattacks where threat 

actors took advantage of the disruption. As a number of prolific data breaches have hit headlines this 

year, you’d hope it serves as a reminder to boards and C-level executives to take cybersecurity more 

seriously. Cybersecurity needs to begin in the C-suite. 

C-suite executives are among the top targets for attackers and because of their growing exposure to 

cyber attacks, they need to ensure that they are not the weak link in the cybersecurity chain. I hope that 

this coming year will be the one where cybersecurity becomes a fixed board agenda item. It’s time to 

adjust thinking to discuss risks, review contingency plans, and shake off the false sense of ‘it won’t 

happen to us’ confidence - because cyberattacks are inevitable. It’s not a question of ‘if’ and more a 

question of ‘when’ you’ll be a target if you haven’t been already. 

2021 proved what we already knew… that nothing is off-limits. We’ve experienced monumental change 

and the C-suite must now make fundamental changes too, bolstering cyber-crisis preparedness in the 

fight against ever-changing, ever-evolving cyber threats. Next year will be a huge opportunity for 

everyone.” 

Danny Schaarmann, CEO, xSuite North America 

“E-invoicing is a disruptive technology that gives organizations the ability to easily digitize their processes. 

E-invoicing will become more common going forward as organizations transition into going paperless. 

From the customer’s perspective, many organizations are already relying on digital documentation, but 

suppliers need to catch up. Companies that have a stable Electronic Data Interchange (EDI) process can 

expect it to be replaced by e-invoicing in the near future. While some countries, like Aruba for example, 

have already implemented paperless invoicing, the US could follow suit in the future. In 2022, expect to 

see states begin to make moves, starting with California.“ 

Danny Lopez, CEO, Glasswall 

“Before we take a look at what organisations will be facing in 2022, it is important for security 

professionals to reflect on what has worked for adversaries in the past year. In 2021, a cyberattack 

occurred every 39 seconds. The world experienced a ransomware explosion, which will likely continue 

its upward trajectory in 2022. Strict sanctions on countries like Russia and China also increased tensions 

and led to several large-scale cyberattacks being attributed to the two nation states. 



Due to their successes, adversaries are going to get craftier in their practices in 2022. The attackers will 

use a more personalised approach and aim to blend into the network to look like an insider. 

Cybercriminals will target more customer success centers to increase the chances of a big cash payout. 

Ransomware crime organisations may ask for less and allow for payment flexibility, so they can receive 

steady income over say 12 to 18 months. 

Tension in the South China Sea is also going to have a lot of influence on the threat landscape. A large 

number of warships on both the Chinese and American sides are currently residing in a very small 

geopolitical zone. History shows when those things happen there tends to be an event that triggers an 

avalanche. Cyber is the newest warfare tactic, and a small spark could launch flames that engulf a large 

number of countries into a full-on cyber conflict threatening the global supply chain. 

We need to learn from our mistakes, and stay vigilant, in order to bolster cybersecurity defenses. It's 

impossible to look into a crystal ball and predict the future, but we have the past to learn from in order to 

move forward to a more secure future.” 


“With each new year, it’s important for executives and board members to view their cybersecurity 

measures with fresh eyes. Hackers will never rest when it comes to finding new angles to break into 

organisations’ critical systems. Once one problem is patched, they will just continue to poke and find new 

openings that will enable them to steal data or move laterally across the network. One way, this is 

expected to escalate over the next year is through the insurgence of bad actors and insider threats. 

According to IBM, 60% of organisations have more than 20 incidents of insider attacks a year and the 

cost related to these incidents was over $2.7 million. This means not only do companies need to be 

aware of exterior threats, but aware of internal vulnerabilities by implementing a zero trust approach. 

With all these things to consider in a board environment, the conversations need to be constructive and 

centered around a proactive approach. Not only do leaders need to be aware of the massive risk that 

isn’t going away, but ensure that a zero trust approach is in place. No organisation, large or small, is 

exempt from the risk of cyberattacks. Remaining vigilant will empower companies as they move forward.” 




“If there is any topic the cybersecurity industry will continue to discuss in 2022, it’s the talent shortage. In 

the U.S., there are almost 500,000 jobs to be filled in this industry alone. What’s more troubling is that 

it’s not just organisations competing to secure talent anymore since ransomware-as-a-service (RaaS) 

has entered the market. Cybercriminal groups are heavily recruiting in tandem. In an attempt to respond 

to the skills shortage exacerbated by the ‘great resignation,’ commercial enterprises will find themselves 

also looking at the talent pool of former (and now reformed) hackers in an effort to improve their own 

cybersecurity systems and pad their teams. 

The most easily achieved response to addressing the labour shortage today, beyond getting creative with 

hiring, is to ensure that organisations have the correct products to protect their systems and data and 

automate more menial tasks for their security analysts and leadership -- so they can spend their time 

focusing on stopping digital adversaries. Overall, companies must be proactive in both their recruitment 

and building out their cybersecurity infrastructure.” 

Steve Roberts, chief financial officer at Glasswall 

“Many organisations are currently still figuring out what a hybrid working model means for them. 

Permanent office space and long term leases are likely to be a thing of the past and this will inevitably 

lead to a shift in budget allocation. My advice for businesses in 2022 is to ensure any budget that is no 

longer attributed to office leases is reallocated to effective collaboration tools, increasing security and 

employee wellbeing. An unused budget is not a net saving, so it should be applied elsewhere to ensure 

that the new hybrid working model is secure and healthy. 

Companies implementing a hybrid working model should ensure both their office infrastructure and 

remote working environments are secure. Remote working can result in security vulnerabilities, 

particularly if employees are using their own devices to connect to corporate systems. The budget should 

be reallocated to invest in security solutions that will close these gaps and keep systems and data secure. 

With the uncertainties around long-term working models, most organisations don’t want to be tied into 

long-term contracts. Technology providers will need to rethink and evolve how they are selling their 

products. Offering short-term contracts for SaaS solutions that can be deployed solely in the cloud or as 

a hybrid solution will enable businesses to better support their customers. Organisations aren’t going to 

transition to the cloud overnight, so technology solutions need to be able to protect them in every 

environment.” 



Paul Farrington, chief product officer at Glasswall 

“We’re constantly seeing cybercriminals changing their methods, and this will continue in 2022. Not only 

do we anticipate the use of automation to create scale - for example in DDoS attacks and the 

communication of malware - but we’re seeing machine learning (ML) being used to make attacks more 

effective. It’s one thing for a human attacker to analyse email characteristics to work out what entices a 

reader to click on a malicious link - applying ML to this adds a completely new dimension. In doing so, 

attackers have an almost infinite ability to tweak variables and ultimately secure a better payoff for their 

efforts. 

This kind of analysis – where ML is used to make small changes to malware properties, for example in a 

PDF or a Word document – needs to be stopped in its tracks. Organisations need to seriously consider 

whether this type of malware will evade detection from their anti-virus tools. If the answer’s yes, the 

problem needs to be looked at in a new way. 

Polymorphic malware has been around for a decade – metamorphic malware, on the other hand, is a 

more recent phenomenon. It’s taking time for organisations to build up strategies to combat it. I predict 

that this form of malware will take off over the next few years, as cybercriminals increasingly leverage 

ML to make malware more personalised, and thereby easier to evade detection. 

At the extreme end, this will see every piece of malware become novel or unique. This makes it far more 

likely it will be able to slip through an unknown gap in the defenses. Delivered at scale, this has the 

potential to become a significant problem for organisations that are not taking a proactive approach to 

file sanitisation.” 

Paul Farrington, chief product officer at Glasswall 

“Cyber is now the weapon of choice for nation-state attacks and we can expect to see even more 

evidence of this in 2022. This means new cyber-focused legislation is, and will continue to be, a priority 

amongst governments, as reflected in Biden’s Executive Order. 

The positive side to this is that cybersecurity will continue to be spoken about more widely and openly 

among private sector organisations. At a high-level, businesses will need to take notice of the changing 

legislative landscape and adopt a compliance-first mindset, irrespective of whether cybersecurity is 



currently a priority focus for them. For those selling into the government, security will continue to be a 

competitive advantage, but this will increasingly become buying criteria more broadly. The value of 

security will continue to grow, and will no longer be just about functionality. 

In 2022, countries that are yet to adopt or improve cyber legislation to protect government and critical 

infrastructure will likely do so. We’ll also see countries becoming more granular with this by legislating 

around software development and data protection. Governments will start by focusing on critical national 

infrastructure, for example utilities, before moving on to any entity playing a pivotal role in keeping the 

country moving and the economy growing, such as financial services. By setting out legislation on how 

companies handle data and interact with the outside world, common standards around security can be 

developed that will help keep both organisations and customer data safe.” 


“With a 62% year-over-year increase of ransomware complaints, the demand for cybersecurity will 

continue to escalate. We expect to see more investors turn their attention to the market -- and invest in 

cybersecurity organisations addressing today’s most prevalent threats like file-based malware, critical 

infrastructure vulnerabilities and ransomware-as-a-service (RaaS)-- rather than those from 10-15 years 

ago that today’s public cyber companies were founded to protect. Since there is ample capital available 

for private companies, M&A deal flow is likely to increase in 2022.” 

Amit Shaked, CEO & co-founder, Laminar 

“When the pandemic first started, many organizations went into emergency infrastructure planning mode 

and shifted immediately to the cloud in order to continue business operations. As the dust continues to 

settle and enterprises have adjusted to our new normal, it has become very clear that organizations now 

have another enemy to face: data protection in the public cloud. 

Cloud transformation has overall been great for business, but has not come without its downsides — one 

of the top ones being that data protection has not kept pace with data democratization. A 2021 IDC survey 

reported that 98% of companies experienced at least one cloud data breach in the last year and a half. 

The solutions data protection individuals are using haven’t adjusted to this new public cloud environment, 

which makes work much more challenging than ever before. On top of that, most data protection teams 

are blind to what sensitive data they have in the public cloud. 



In 2022, it is going to become crucial that organizations use solutions that provide visibility, context, 

accountability and alert data protection teams to data leaks in order to halt adversaries in their tracks. 

The solution should be able to continuously and automatically discover and classify data for complete 

visibility, secure and control said data to improve data risk posture, and detect data leaks and remediate 

them without interrupting data flow. These simple approaches can go a long way in preventing 

devastating breaches in 2022 and beyond.” 

Oran Avraham, co-founder & CTO, Laminar 

“In 2022, data is going to be the most valuable currency around the world. As a result, the data breach 

culture we have seen emerge over the past few years is going to continue to permeate if we do not take 

a moment to reflect on the causes of attacks in the last year. 

It is imperative to understand where these attacks are originating from in order to discontinue the cycle 

of data abuse. If one were to examine some of today’s biggest data breaches, a pattern will immediately 

emerge — the majority by far originated from public cloud infrastructure. 

So what should organizations be looking for to protect public cloud environments? First, the solutions 

must be cloud-native. Second, data protection teams are almost blind when it comes to data residing in 

the cloud. Therefore, the solution must start by integrating with the public cloud itself in a modern, 

agentless way. It must be able to identify where and which types of data reside there. This way 

organizations can focus on protecting what matters most. Finally, the solution must not impact 

performance. 

It is my hope that organizations will take a moment to reflect on the importance of public cloud data 

protection in order to change the data breach narrative in 2022 and beyond.” 




Danny Lopez is the CEO at Glasswall. Danny has enjoyed a 

successful international career to date in banking, marketing, 

diplomacy, and technology. Glasswall delivers unique protection 

against sophisticated threats through its ground breaking 

technology. For two years up until August 2018 Danny was the 

COO at Blippar, a UK-based augmented reality (AR) pioneer. 

Between 2011 and 2016 Danny was the British Consul General 

to New York and Director General for trade and investment 

across North America. Before this diplomatic posting, Danny was 

appointed by the Mayor of London as the inaugural CEO of London & Partners, the UK capital’s official 

promotional agency. Previously, Danny was a Managing Director at the UK government’s Department 

for International Trade. The first ten years of Danny’s career were at Barclays Bank, where he held 

several senior international positions in corporate and investment banking in London, New York, Miami, 

and Mumbai. Danny is a Non-Executive Director at Innovate Finance – the UK industry body championing 

global FinTech – and a special advisor to New York-based venture capital firm, FinTech Collective. He 

is also a Council Member and Trustee at the University of Essex, his alma mater. Danny speaks regularly 

on platforms across the world on topics including geopolitics and the intersection of market disrupting 

technologies and government policy. Danny holds a Bachelor of Arts degree in economics and a Master’s 

degree in international economics and finance from the University of Essex. Born in England, Danny 

grew up in Spain and is a fluent Spanish speaker. Danny and his Australian wife Susan live in London 

with their three children. Danny can be reached online at @GlasswallCDR and at our company website 

www.glasswallsolutions.com 



Our Cyber Defenses Need to Be Battle-Tested to 

Withstand Future Threats 

by Hugo Sanchez, Founder and CEO of rThreat 

Just a few weeks ago, the FBI released a statement confirming that their server was hacked over the 

weekend, resulting in thousands of spam emails warning of a fake cyberattack that were sent to 

individuals and companies nationwide. In the statement released to address the incident, the bureau 

clarified that the attack did not compromise their system or allow an outsider to gain access to their data. 

The mere fact that this attack was possible, however, highlights the glaring problem with our cyber 

defenses: they are not impenetrable, and the gaps are not proactively identified because they are not 

battle tested. 

In a world where cyber criminals are getting smarter and our technology is becoming more advanced 

with every passing day, it is unthinkable that our approach to cyber defenses should remain unchanged. 

To combat the attacks of tomorrow and shore up our defenses to meet them, cybersecurity needs to pivot 

in favor of defending forward and using threat emulation - and not simulation - to determine any 

vulnerabilities. 



The 

concept of modern penetration testing was dreamed up in the 1960s, and in 1967, more than 15,000 

computer security experts, government and business analysts gathered together at the annual Joint 

Computer Conference to discuss concerns that computer communication lines could be penetrated. Early 

penetration testing was carried out primarily by the RAND corporation and the government, and most 

systems immediately failed the tests, confirming the validity of the concerns. 

Today, penetration testing has evolved to enable ethical hackers to test a system’s vulnerabilities through 

simulated cyber attacks. A recent survey found that 70% of organizations perform penetration tests as a 

way to measure their security level and 69% do so to prevent breaches. 

But these tests are flawed. Simulations using threat signatures are not enough to ensure defenses are 

adequate, and testing the capabilities of cyber protections in this way is akin to testing a bulletproof vest 

by firing blanks. 

The biggest difference between attack simulation and attack emulation is that attack emulation 

showcases a threat actor’s strengths and weaknesses. In an attack simulation, it is possible to recreate 



the exploitation aspect, but if testers aren’t using the same tools and making the same mistakes that 

threat actors do, they will be unable to create defenses that detect those same mistakes. 

Another problem is that current methods dictate the use of customized and refined attacks to test cyber 

defenses, when in reality, it’s essential to replicate exactly what the system will be responding to in a 

real-life scenario, utilizing the same tools and the same mistakes that threat actors use during security 

tests. 

Those that rely on a machine learning or AI-based solution also have to contend with the possibility of 

causing the program to learn the wrong behavior during simulated attacks, because the attacks are not 

based on the latest threat intelligence or indicative of what threat actors are using. Additionally, because 

attack simulations are not real attacks, they run the risk of not being recognized by security controls as a 

threat, making it impossible to be sure the controls will work in a real-world scenario. 

Experts who weighed in on the FBI breach pointed to the possibility that the lack of malicious email 

attachments was simply due to the hackers finding the vulnerability without a concrete plan to exploit it. 



But Austin Berglas, a former assistant special agent in charge of the FBI’s New York office cyber branch, 

summed up the problem quite succinctly: “It could have been a lot worse.” 

Leaving our systems vulnerable to attack is unacceptable when there is a better way. Breach and attack 

emulation solutions are more dynamic in nature, can expose gaps in a company’s infrastructure, and can 

mimic the tactics of real-world threat actors, allowing organizations to prioritize the gaps that represent 

the greatest threat to their networks. 

We have come a long way in our understanding of cyber threats and methods of detection, but our 

defenses remain lightyears behind. The government wouldn’t send soldiers into combat with faulty 

equipment, and it’s time we take that same tack with our cybersecurity. Battle testing our defenses is a 

necessary next step, and until we do, we are leaving ourselves open to the kind of threats that could 

bring our country to its knees. 


Hugo Sanchez is the founder and CEO of rThreat, a breach and 

attack emulation software that challenges cyber defenses using 

real-world and custom threats in a secure environment. Learn 

more about Hugo and his company at www.rthreat.net. 



12 Tips for Improving Access Control in Your 

Organization 

By Bryon Miller ASCENT 

In today’s world, we have more access to essentially all that’s available in our lives. More access to 

people and places. More access to information and knowledge. More access to everything and anything 

on the Internet. With this increased access comes an increased desire within us as human beings to 

control our proprietary or private data, especially as it relates to the organizations for which we work. 

However, there is a fear that the wrong people are going to access just the right information or systems 

to create major issues for our organizations. But there is no need to fear losing control over who is 

accessing these things if we make access control a priority in our overall Corporate Security Programs. 

By examining the strategy for access control, organizations can ensure appropriate practices are in place 

to govern user access. 

An effective Access Control Program is necessary to protect your people, information, and assets by 

enabling your organization to reduce the risk of harm to your people, customers, and partners, as well as 

reduce the risk of your information or assets accessed. An effective Access Control Program helps an 

organization make a reasonable determination that individuals are granted the proper access needed to 

effectively do their jobs without putting the organization in a compromising situation. 

To help you improve your organizational access control, consider the following tips: 



1. Develop requirements for an Access Control Program. A formal Access Control Program 

should be implemented that includes a documented user registration and de-registration process 

for requesting, approving, granting, modifying, reviewing, or revoking access. Access control rules 

should reflect the requirements of your organization for the authorization, access to, 

dissemination, and viewing of information. These rules should be supported by formal procedures 

with clearly defined responsibilities that are assigned to appropriate roles. Be sure your access 

control requirements address both logical and physical control measures which should both be 

based upon the principle of least-privilege. 

2. Identify and document account types. Account types (e.g., standard user, privileged user, 

system, service, etc.) used by your organization should be identified and documented. Access 

control rules for each user, or group of users, should be clearly stated. The conditions for group 

or role membership should be established as well. Users should have a clear understanding of 

the security requirements to be met by the access controls implemented by your organization. 

3. Ensure ongoing account management is in place. Unauthorized or inappropriate account 

access is likely to occur if ongoing maintenance is not in place for all accounts. Account 

management is not a “one-and-done” exercise but must be performed on a recurring basis to 

maintain effectiveness. Management approval should be required for all requests to create 

accounts. Accounts should be created, enabled, modified, monitored, disabled, and removed in 

accordance with an approved Access Control Policy. Supporting procedures should detail the 

steps required to meet the defined policy control requirements. Periodic internal account and 

access reviews or audits should be performed, at least annually, during which the privileges 

should be verified to validate that the need for currently assigned privileges still exists. 

4. Actions need to be associated with a unique, individual user. All users should be assigned a 

unique identifier (user ID) for their personal use only. Appropriate user authentication techniques 

should also be implemented to substantiate the claimed identity of any authorized user requesting 

access each time they log in to your organization’s networks, systems, or applications. Baseline 

controls should include settings for password or passphrase composition and complexity 

requirements. 

5. Set controls for accounts with privileged access. This is needed to reduce the likelihood of 

providing standard users with more access permissions than they require. Appropriate checks or 

validations for actions performed with privileged accounts should also be implemented to ensure 

authorized privileged account users are fulfilling their assigned roles in accordance with 

prescribed security control requirements. The principle of least privilege must be followed, 

authorizing only access that is necessary for each individual user to accomplish their assigned 

tasks in accordance with your organization’s mission or business functions. 

6. Implement and maintain secure logon processes. This verifies the identity of users and 

associates the user with the actions they perform. Secure logon processes may also help reduce 

the likelihood of password compromise that may lead to security incidents or data breaches. A 

limit of five (or less) consecutive invalid logon attempts by a user during a fifteen-minute period 

should be implemented. Accounts should be locked after this threshold of failed logon attempts 

is reached. It is encouraged to send failed logon alerts, along with other appropriate domain 

controller alerts, to personnel responsible for monitoring the networks of your organization. 

7. Provide for password management. This serves as one line of defense for protecting 

organizations, along with customer information they manage, from unauthorized access due to 



weak passwords. Password management systems should be interactive and should ensure only 

quality passwords are being used. Users should be required to follow best practices for the 

selection, use, and maintaining the confidentiality of passwords. It is recommended that your 

organization provides training on the selection, along with the safeguarding, of passwords. 

8. Implement controls to secure information systems when unattended. These controls should 

provide a layer of defense for organizations to decrease the risk of an unauthorized user gaining 

access to an authorized user’s system or the output from system devices. Your Access Control 

Policy should contain clean desk control requirements to ensure that papers or media that are not 

actively being used are kept in desk drawers or filing cabinets. Personnel should activate a screen 

lock when they leave their work area to reduce the opportunity for unauthorized personnel viewing 

potentially sensitive information displayed on a monitor or other peripheral device. Output devices, 

such as printers or faxes, should also be safeguarded to help prevent unauthorized individuals 

from obtaining the output from these devices. 

9. Provide for remote access management. Controls need to be implemented to protect remote 

access to networks, systems, and applications, thus minimizing the window of exposure 

organizations face regarding unauthorized access or potential intrusions associated with remote 

access activities. All remote access should be authorized prior to allowing remote connections to 

your organization’s network to occur. 

10. Manage and protect wireless access. Controls need to be implemented to manage how 

networks, systems, and applications are accessed using wireless technologies. Wireless access 

for users should be authorized prior to allowing wireless connections to be made. Wireless access 

to systems and applications should be protected using authentication of users or approved 

devices. 

11. Have defined controls to support the segregation of duties. Your organization should 

implement segregation of duties for conflicting functions, or areas of responsibility, to reduce the 

opportunities for the unauthorized or unintentional modification, fraud, or misuse of information 

and information systems. A system of dual controls (e.g., two individuals with separate 

responsibilities needing to work together to accomplish a single task) should be required and 

implemented whenever possible. 

12. Ensure effective controls are in place for mobile computing and working from home. Usage 

restrictions, configuration requirements, connection requirements, and implementation guidance 

should be established for all organization-controlled mobile devices. Full-device encryption or 

container-based encryption should be used to protect the confidentiality and integrity of 

information on mobile devices. Personnel should be required to report any lost or stolen mobile 

devices. Your organization should have the ability to wipe mobile devices remotely to remove all 

information if they are lost or stolen. 

Your organization should ensure that a comprehensive Access Control Program is developed and 

implemented consistently across the organization. Organizations that do not could potentially overlook a 

pivotal security function or leave a control unaddressed. By developing a comprehensive Access Control 

Program, supported by all organizational stakeholders, organizations can avoid key access control pitfalls 

for effective overall security. 




Thomas Bryon Miller is co-founder and CISO at ASCENT Portal, a leading 

Software-as-a-Service (SaaS) platform for comprehensive security and 

continuous compliance management. An expert in security and 

compliance best practices, Miller is also the author of the book, “100 

Security Program Pitfalls and Prescriptions to Avoid Them,” available on 

Amazon. 



Four Cybersecurity Predictions Federal Agencies Should 

Expect in 2022 

By Mark Sincevich, Federal Director, Illumio 

This last year thrust Zero Trust into the spotlight as the Biden administration released the Cyber Executive 

Order (EO) calling for all federal agencies to bolster their cybersecurity posture and implement a Zero 

Trust architecture. As the new year approaches, what can federal agencies expect the cybersecurity 

landscape to look like in 2022? 

1. Visibility-First Security 

In 2021, we learned you can’t protect your network from an attack if you don’t thoroughly understand your 

network. Visibility (also known as network discovery) is becoming more and more of a focus for federal 

agencies. If you look at the DoD (Department of Defense) Zero Trust Reference Architecture v.1, 

‘improved visibility control’ is one of the key tenants. 

Right now, federal teams do not have a real-time map of how applications and workloads communicate 

with each other on the network. How could you secure what you cannot see? Establishing visibility is 

going to emerge as the core focus of agencies’ Zero Trust efforts – it's a critical and impactful first step 

in any security strategy. 



2. What Is Zero Trust? 

In 2021, Zero Trust has become an overused and under-defined term. To clarify, Forrester defines the 

term this way: “Zero Trust is not one product or platform; it’s a security framework built around the concept 

of ‘never trust, always verify’ and ‘assume breach.’” It's really a security philosophy. 

Given the confusion in the market, it can be hard for security teams to figure out which strategies will 

really help them achieve their security goals. There are five main pillars of any Zero Trust Architecture 

and being able to prioritize one pillar from another is critical. A prioritization of pillars will lead to a change 

in focus in the coming year. 

Federal agencies are realizing they need visibility first and then they need to stop cyberattacks from 

spreading once they are inside the network with a host-based micro-segmentation approach. In 2022, 

agencies will do a better job of prioritizing their Zero Trust approach to those strategies that can show 

actionable results quickly – often in the workload and application pillar. 

3. Laser Focus Against Adversaries 

When it comes to threat defense, we are turning up the volume against our global adversaries in 2022. 

Artificial intelligence (AI) is increasing in sophistication, along with the complexity of cyberattacks – 

making breaches catastrophic. 

In a lot of ways, we are unaware of the multi-pronged approach that attackers are taking to target our 

high-value assets (HVA’s). These new attacks will be super creative and will often go undetected even 

though agencies and commands have endpoint detection and response (EDR) tools installed. EDR tools 

are not effective against attacks where we don’t know the method of attack. 

It is time to continue to defend forward as well as prioritize and execute on the plan. The reality is that no 

one can do everything perfectly, so we need to focus on one or two things at a time that make the biggest 

impact. 

Defending forward means you take the fight to the enemy, instead of waiting for them to come to you. 

We are going to see serious offensive operations to bring down attacker networks this year. There will 

be no more waiting for the attack to come to us, instead, we will seek out the attackers and take proactive 

security measures. 

The way we can do this is to shore up our own defenses with visibility and Zero Trust micro-segmentation. 

We need assurance that the attackers cannot move laterally while we are on the offensive. 



4. Cyber Funding Gets Granular 

In Federal Fiscal Year 2023 (which begins on 10/1/22), we’re going to start to see program dollars 

specifically designated for Zero Trust projects. There will be multiple Zero Trust ‘programs of record’ in 

the coming years, and another indication of the seriousness of this effort is the new Department of 

Defense (DoD) PMO (Program Management Office) for Zero Trust. Zero Trust is here to stay and in 

support of Zero Trust efforts, we will see a focus on specific initiatives such as network discovery and 

micro-segmentation. 

While none of us have a crystal ball, what we know is that we should expect (and prepare) for the 

unexpected – we know there will be many more cyberattacks in the coming year. While the Cyber EO 

laid an important foundation, its impact will only be as strong as the actions we take to shore up our 

cybersecurity posture over the next year. Agencies must carve out specific funding for Zero Trust, 

because the EO didn’t have any funding tied to it. A focus on improving visibility will help cybersecurity 

leaders take a proactive approach to defending critical networks to stop the spread, and thereby limit the 

impact of cyberattacks. 


Mark Sincevich the Federal Director at Illumio has 23 

years of experience working with the DoD and 

Intelligence Community implementing technology 

solutions. Sincevich has a background in the 

command-and-control market where he specialized in 

Cyber Operations Centers, and in the cybersecurity 

space. Sincevich is a frequent author and speaker on 

cyber topics. He is a graduate of the University of 

Maryland, College Park and is a current member of 

the Civil Air Patrol (CAP). 

Mark can be reached online on LinkedIn and at our company website https://www.illumio.com/ 



Recognizing the Value of Secure Wi-Fi for Unified 

Security Platforms 

Why Unified Security Platforms Need Secure Wi-Fi 

By Ryan Poutre, Product Manager at WatchGuard Technologies 

As we all know, telework is now the new normal for many organizations around the world. Recent 

research shows that 1 in 4 Americans worked from home in 2021, and that the number will increase to 

28% over the next five years (with some estimates as high as 51%). For many, the remote and hybrid 

work models are working just fine. But there is a problem – most organizations are still catching up when 

it comes to securing these remote connections, no matter the location. In fact, the threat of unsecured 

wireless connections is so widespread that over the summer the NSA published best practices on how 

to protect against cyberattacks stemming from compromised or unsecured wireless connections. 

While they were originally intended for government workers, the four recommendations outlined below 

can benefit those in the private sector as well. They include: 

1. Avoid connecting to public Wi-Fi whenever possible. Use a corporate or personal Wi-Fi hotspot 

with strong encryption instead. 

2. If using public Wi-Fi is unavoidable, use a virtual private network (VPN) to encrypt traffic. 

3. Only access websites using Hypertext Transfer Protocol Secure (HTTPS). 

4. Disable Bluetooth when not in use or working in a public environment. 



Of course, these recommendations are just a start. And they mostly provide best practices for individuals 

who are on the move. Securing connections for workers in the office or at places they work from regularly, 

like a home office, is a bigger challenge. 

Unfortunately, many small and medium-sized businesses grapple with the complexities of managing 

network security and Wi-Fi, just as larger organizations do. It can often be the Achille’s heel of IT, and a 

cost burden (especially when it breaks). Case in point: the 2007 TJX breach, in which a poorly secured 

Wi-Fi network at a single store was compromised by a hacker to gain access to sensitive data for the 

entire corporation. As many as 200 million credit card numbers belonging to T.J. Maxx, Marshalls, Home 

Goods and A.J. Wright customers were stolen, with estimates of financial damage to the company 

exceeding $1 billion. 

The challenges of good Wi-Fi security have led many companies to consolidate secure Wi-Fi 

management through unified security platforms, which is creating a growing demand for Managed 

Security Service Providers (MSSPs). A recent MarketsandMarkets report found that Wi-Fi-as-a-service 

is expected to be a $8.4 billion market by 2025 ($5 billion more than in 2020). 

But why do unified security platforms need secure Wi-Fi? Most organizations understand the value of Wi- 

Fi security, but stumble when it comes to implementation. They often do not realize just how simple it is 

to manage, resulting in poor execution. As cyber threats continue to grow and become increasingly more 

sophisticated, it is more apparent than ever that security is just not effective unless done at scale. 

Traditional solutions do not provide the automation, clarity and control, comprehensive security, 

operational alignment, and shared knowledge necessary to face today’s ever-evolving threat landscape. 

As a result, secure Wi-Fi is a critical component of comprehensive network security, as are layered 

services such as advanced endpoint protections, multi-factor authentication and more. Replacing 

traditional Wi-Fi solutions with more advanced infrastructure that leverages a unified approach and a 

cloud platform helps to automate and speed service delivery of secure Wi-Fi. With centralized 

management capabilities, IT teams (or MSPs) can quickly access important data like utilization, signal 

strength coverage and wireless client bandwidth consumption across their entire Wi-Fi deployment. They 

can also quickly pinpoint failures and irregularities, and even interrupt device network access when 

necessary. It also makes it easier for organizations to manage and customize any captive portals they 

may have. 

WatchGuard is committed to helping MSPs and organizations modernize and expand security by offering 

scalable, unified security platforms with Secure Wi-Fi. To learn more about Wi-Fi in WatchGuard Cloud, 

take a look here. 




Ryan Poutre is a Product Manager at WatchGuard 

Technologies. After joining WatchGuard in 2015 as a sales 

engineer he began supporting local partners and sales 

opportunities in the north central United States. In January 

2021 he joined WatchGuard’s Wi-Fi team where he is 

responsible for the market ownership of the company’s Wi- 

Fi product line. Ryan graduated from college in 2004 with a 

computer networking degree and has been in the IT field 

ever since. Ryan has held multiple certifications in network 

security including secure wireless, Firewall management, 

Virtualization and secure network management. Ryan 

currently resides in Iowa with his wife and family. He can be 

reached online at (EMAIL, TWITTER, etc..) and at 

WatchGuard’s company website 

https://www.watchguard.com. 



Cybersecurity Tips to Help Your Organization in 2022 

With the new year upon us there’s never been a better time to evaluate your company’s cybersecurity. 

By Jeffrey J. Engle, President of Conquest Cyber 

Recent cybersecurity breaches like the SolarWinds and Colonial Pipeline attacks have illustrated the 

importance of cybersecurity in all organizations. If protecting your company’s cybersecurity is at the top 

of your New Year’s resolutions list, these ideas will have you on your way to checking off that important 

item! 

Adopt a Risk-Based Approach to Cybersecurity 

Cybersecurity threats are a problem for all business segments, not just the IT or security department. 

Cyber maturity requires a team effort and must start with business leadership through focus on a resilient 

business culture. The IT and security teams may be masters of processes, but the company’s leaders 

know the business’ priorities best. A proactive, risk-based approach is the only way to gain a competitive 

edge on potential adversaries. Business leaders must think of their cyber posture just like they do their 

P&L, as an indicator of business health. This outside the box approach means we can’t rely on 

conventional methods. 



Get A Managed Security Service Provider (MSSP) 

Organizations across various industries have begun to turn to managed security service providers 

(MSSPs) to bolster their cybersecurity response. A great MSSP acts as a trusted advisor to your 

organization and takes cyber hygiene and business continuity to a new level. Most MSSPs offer 

continuous security monitoring, threat detection and response but a great one will go outside their SLAs 

to keep your organization one step ahead of cyber threats with a proactive approach. 

Be Adaptable, Agile, and Aware 

Traditional approaches on how to fight in this digital dimension are good in theory but are doomed to fail, 

because conventional wisdom is predictable, and predictability is exploitable. Companies must have the 

ability to adapt rapidly and not just follow the rules. In that sense, organizations must be agile and aware 

while aiming at the end result of deterrence, defense and resiliency. 

Today, the typical approach often falls short of that ending and far too often one settles for security 

compliance. We’re doing what we’re supposed to do, years ago, but not looking out for potential new 

and emerging challenges. Remember, compliance significantly trails the broad realization of risk. 

To start that journey, our evolving processes must be rooted in consistent principles. Sun Tzu offers three 

key ideas that can help to identify challenges and opportunities as they form in this new battlespace. 

They are: 

• Know the environment. If you’re going to climb a mountain, fight a battle, solve a problem, or 

face adversaries of any kind, the more you know about the terrain you’re operating on, the better 

off you are. Knowing the environment is your starting point, and you build outward and upward 

from there. 

• Know the enemy. The key to success in special operations and asymmetric warfare is to be able 

to put yourself in the position of your adversaries without demonizing them. You must be able to 

see the situation through their eyes without your emotions clouding your view, because looking 

at it from their perspective will enable you to better predict, prepare, respond and defeat them. 

• Know yourself. It doesn’t matter how tough you are. Eventually, you’re going to run into someone 

who’s tougher. Once you truly understand that, it frames the way you engage in fights from that 

day forward. You no longer fight for sport, you fight only to win. Your survival is at stake. 

Don’t Stop at Minimum Compliance Standards 

While meeting CMMC compliance or other regulations is imperative and valuable for organizations, it is 

merely the start. Compliance standards often follow years of evaluations before they are approved. Often, 

by the time a compliance standard is active, it is potentially years out of date from a risk perspective. 



Organizations can achieve true cyber maturity when they follow these requirements regularly and then 

go the extra mile by adapting programs based on what’s critical to their organization, what can hurt it and 

how that can happen. 

Achieving and maintaining compliance, maturity and program effectiveness requires dedicated resources 

to stay abreast of regulatory developments, threats seen in the wild and ways to educate the entire 

organization on potential security problems. 

Stay Consistent with Cybersecurity Tools 

Every organization wants to stay up to date with the latest software tools and products. However, 

constantly switching between different tools to manage your cyber program could increase the likelihood 

of a vulnerability slipping through. Companies can build better resiliency against threats by utilizing a 

system to manage reporting, communication, and incident response. 


Jeffrey J. Engle is Chairman & President at Conquest 

Cyber, a cyber risk SaaS company which provides cyber 

resiliency to the sectors critical to our way of life, where he 

brings a broad spectrum of experience in Risk 

Management, National Security and Business Process 

Optimization. He is responsible for the development and 

implementation of all strategic initiatives including cyber risk 

management and secure digital transformation programs. 

He has served as a consultant for the Department of 

Defense’s premier adversary emulation team and has conducted vulnerability assessments and training 

on advanced risk management all over the world. Jeffrey can be reached at our company website 

https://conquestcyber.com/ 



New Security Report Reveal 91.5% of Malware Arrives 

Over HTTPS-Encrypted Connections 

By Corey Nachreiner, CSO, WatchGuard Technologies 

Today’s cybersecurity landscape is constantly evolving, opening the door to threat actors targeting users 

with increasingly sophisticated attacks. To help professionals better understand the current state of these 

threats, we share the WatchGuard quarterly Internet Security Report (ISR), which details the latest 

malware and network attacks that plagued our community in Q2 2021. 

The most jaw-dropping statistic from this recent report revealed that a staggering 91.5% of malware 

arrives over HTTPS-encrypted connections. The research (done by the Threat Lab) also found that 

fileless malware, ransomware, and network attacks all increased. With most organizations continuing to 

operate in a hybrid or mobile workforce model, it’s more important than ever that organizations move 

beyond traditional cybersecurity strategies and embrace layered-security approaches and Zero-Trust. 

Let’s dive into some of the key insights from the Q2 ISR: 

1. Massive amounts of malware arrive over encrypted connections – As mentioned above, in Q2, 

91.5% of malware arrived over an encrypted connection, a dramatic increase over the previous 



quarter. Put simply, any organization that isn’t doing HTTPS encryption is missing 9/10 of all malware 

at the perimeter. 

2. Malware is using PowerShell tools to bypass powerful protections – AMSI.Disable.A showed 

up in WatchGuard’s top malware section for the first time in Q1 and immediately shot up for this 

quarter, hitting the list at #2 overall by volume and snagging the #1 spot for overall encrypted threats. 

This malware family uses PowerShell tools to exploit various vulnerabilities in Windows. But what 

makes it especially interesting is its evasive technique. WatchGuard found that AMSI.Disable.A 

wields code capable of disabling the Antimalware Scan Interface (AMSI) in PowerShell, allowing it to 

bypass script security checks with its malware payload undetected. 

3. Fileless threats soar, becoming even more evasive – In just the first six months of 2021, malware 

detections originating from scripting engines like PowerShell have already reached 80% of last year’s 

total script-initiated attack volume, which itself represented a substantial increase over the year prior. 

At its current rate, 2021 fileless malware detections are on track to double in volume YoY. 

4. Network attacks are booming despite the shift to primarily remote workforces – WatchGuard 

appliances detected a substantial increase in network attacks, which rose by 22% over the previous 

quarter and reached the highest volume since early 2018. Q1 saw nearly 4.1 million network attacks. 

In the quarter that followed, that number jumped by another million – charting an aggressive course 

that highlights the growing importance of maintaining perimeter security alongside user-focused 

protections. 

5. Ransomware attacks back with a vengeance – While total ransomware detections on the endpoint 

were on a downward trajectory from 2018 through 2020, that trend broke in the first half of 2021, as 

the six-month total finished just shy of the full-year total for 2020. If daily ransomware detections 

remain flat through the rest of 2021, this year’s volume will reach an increase of over 150% compared 

to 2020. 

6. Big game ransomware hits eclipse “shotgun blast”-style attacks – The Colonial Pipeline attack 

on May 7, 2021 made it abundantly and frighteningly clear that ransomware as a threat is here to 

stay. As the quarter’s top security incident, the breach underscores how cybercriminals are not only 

putting the most vital services – such as hospitals, industrial control, and infrastructure – in their cross 

hairs, but appear to be ramping up attacks against these high-value targets as well. WatchGuard 

incident analysis examines the fallout, what the future looks like for critical infrastructure security, and 

steps organizations in any sector can take to help defend against these attacks and slow their 

propagation. 

7. Old services continue to prove worthy targets – Deviating from the usual one to two new 

signatures seen in previous quarterly reports, there were four brand new signatures among 

WatchGuard’s top 10 network attacks for Q2. Notably, the most recent was a 2020 vulnerability in 

popular web scripting language PHP, but the other three aren’t new at all. These include a 20ll Oracle 

GlassFish Server vulnerability, a 2013 SQL injection flaw in medical records application OpenEMR, 

and a 2017 remote code execution (RCE) vulnerability in Microsoft Edge. While dated, all still pose 

risks if left unpatched. 

8. Microsoft Office-based threats persist in popularity – Q2 saw one new addition to the 10 mostwidespread 

network attacks list, and it made its debut at the very top. The signature, 1133630, is the 

2017 RCE vulnerability mentioned above that affects Microsoft browsers. Though it may be an old 

exploit and patched in most systems (hopefully), those that have yet to patch are in for a rude 



awakening if an attacker is able to get to it before they do. In fact, a very similar high-severity RCE 

security flaw, tracked as CVE-2021-40444, made headlines earlier this month when it was actively 

exploited in targeted attacks against Microsoft Office and Office 365 on Windows 10 computers. 

Office-based threats continue to be popular when it comes to malware, which is why we’re still 

spotting these tried-and-true attacks in the wild. Fortunately, they’re still being detected by tried-andtrue 

IPS defenses. 

9. Phishing domains masquerade as legitimate, widely recognized domains – WatchGuard has 

observed an increase in the use of malware recently targeting Microsoft Exchange servers and 

generic email users to download remote access trojans (RATs) in highly sensitive locations. This is 

most likely due to Q2 being the second consecutive quarter that remote workers and learners returned 

to either hybrid offices and academic environments or previously normal behaviors of on-site activity. 

In any event – or location – strong security awareness and monitoring of outgoing communications 

on devices that aren’t necessarily connected directly to the connected devices is advised. 

With most of the world still working from home or in a hybrid model, the traditional network perimeter is 

in flux, but still more important than ever. Strong perimeter security starts with robust network security, 

endpoint protection, multi-factor authentication, and secure Wi-Fi. These are all critical elements in a 

layered security approach. When done properly, organizations can significantly mitigate outsider threats. 


Corey Nachreiner is the CSO of WatchGuard Technologies. A 

front-line cybersecurity expert for nearly two decades, Corey 

regularly contributes to security publications and speaks 

internationally at leading industry trade shows like RSA. He has 

written thousands of security alerts and educational articles and 

is the primary contributor to the Secplicity Community, which 

provides daily videos and content on the latest security threats, 

news and best practices. A Certified Information Systems 

Security Professional (CISSP), Corey enjoys "modding" any 

technical gizmo he can get his hands on and considers himself a hacker in the old sense of the word. 

Corey can be reached at @SecAdept on Twitter or via https://www.watchguard.com. 









































CyberDefense.TV now has 200 hotseat interviews and growing… 

Market leaders, innovators, CEO hot seat interviews and much more. 

A division of Cyber Defense Media Group and sister to Cyber Defense Magazine. 



Free Monthly Cyber Defense eMagazine Via Email 

Enjoy our monthly electronic editions of our Magazines for FREE. 

This magazine is by and for ethical information security professionals with a twist on innovative consumer 

products and privacy issues on top of best practices for IT security and Regulatory Compliance. Our 

mission is to share cutting edge knowledge, real world stories and independent lab reviews on the best 

ideas, products and services in the information technology industry. Our monthly Cyber Defense e- 

Magazines will also keep you up to speed on what’s happening in the cyber-crime and cyber warfare 

arena plus we’ll inform you as next generation and innovative technology vendors have news worthy of 

sharing with you – so enjoy. You get all of this for FREE, always, for our electronic editions. Click here 

to sign up today and within moments, you’ll receive your first email from us with an archive of our 

newsletters along with this month’s newsletter. 

By signing up, you’ll always be in the loop with CDM. 

Copyright (C) 2022, Cyber Defense Magazine, a division of CYBER DEFENSE MEDIA GROUP (STEVEN G. 

SAMUELS LLC. d/b/a) 276 Fifth Avenue, Suite 704, New York, NY 10001, Toll Free (USA): 1-833-844-9468 d/b/a 

CyberDefenseAwards.com, CyberDefenseMagazine.com, CyberDefenseNewswire.com, 

CyberDefenseProfessionals.com, CyberDefenseRadio.com and CyberDefenseTV.com, is a Limited Liability 

Corporation (LLC) originally incorporated in the United States of America. Our Tax ID (EIN) is: 45-4188465, Cyber 

Defense Magazine® is a registered trademark of Cyber Defense Media Group. EIN: 454-18-8465, DUNS# 

078358935. All rights reserved worldwide. marketing@cyberdefensemagazine.com 

All rights reserved worldwide. Copyright © 2021, Cyber Defense Magazine. All rights reserved. No part of this 

newsletter may be used or reproduced by any means, graphic, electronic, or mechanical, including photocopying, 

recording, taping or by any information storage retrieval system without the written permission of the publisher 

except in the case of brief quotations embodied in critical articles and reviews. Because of the dynamic nature of 

the Internet, any Web addresses or links contained in this newsletter may have changed since publication and may 

no longer be valid. The views expressed in this work are solely those of the author and do not necessarily reflect 

the views of the publisher, and the publisher hereby disclaims any responsibility for them. Send us great content 

and we’ll post it in the magazine for free, subject to editorial approval and layout. Email us at 



276 Fifth Avenue, Suite 704, New York, NY 1000 

EIN: 454-18-8465, DUNS# 078358935. 

All rights reserved worldwide. 


www.cyberdefensemagazine.com 

NEW YORK (US HQ), LONDON (UK/EU), HONG KONG (ASIA) 

Cyber Defense Magazine - Cyber Defense eMagazine rev. date: 03/01/2022 



Books by our Publisher: https://www.amazon.com/Cryptoconomy-Bitcoins-Blockchains-Bad-Guys-ebook/dp/B07KPNS9NH 

(with others coming soon...) 

9+ Years in The Making… 

Thank You to our Loyal Subscribers! 

We've Completely Rebuilt CyberDefenseMagazine.com - Please Let Us Know What You Think. It's mobile 

and tablet friendly and superfast. We hope you like it. In addition, we're past the five nines of 7x24x365 

uptime as we continue to scale with improved Web App Firewalls, Content Deliver Networks (CDNs) 

around the Globe, Faster and More Secure DNS and CyberDefenseMagazine.com up and running as an 

array of live mirror sites and our new B2C consumer magazine CyberSecurityMagazine.com. Millions of 

monthly readers and new platforms coming…starting with https://www.cyberdefenseprofessionals.com this 

month… 











THE Q1/Q2 GAME CHANGER… 

CYBERDEFENSECONFERENCES.COM 

COMING SOON… 



MOVED TO JUNE 6-9, 2022…

Cyber Defense eMagazine January Edition for 2022

Create successful ePaper yourself

Delete template?

Save as template?