Cyber Defense eMagazine June 2019

WMD vs. Cyber Attacks: Similarities
Suggesting
Why Federal Agencies Need AIOps
Safeguarding Your Organization from
Attacks via Your Third-Party Vendors
Cyber Security Facts and States For 2019
Threat and Incident Response
Ransomware: Are We Really Prepared For
Cyber-Attacks?
You’re Guide to Encrypting Files in Linux
1

CONTENTS
WMD vs. Cyber Attacks: Similarities Suggesting a Cyber Arms Race ................................................. 20
Why Federal Agencies Need AIOps .................................................................................................. 25
Safeguarding Your Organization from Attacks via Your Third-Party Vendors .................................... 29
Departing Employees: A Bigger Threat than Hackers........................................................................ 33
Why You Should Always Use A VPN When Connected To Public Wi-Fi .............................................. 36
Cyber Security Facts and States For 2019 ......................................................................................... 40
By The Numbers: Defining Risk in Cyber Insurance .......................................................................... 45
Threat and Incident Response – Closing the Loop in Cyber Defense ................................................. 48
The Ways of Collecting Threat Intelligence in Cyber Defense ........................................................... 52
Ransomware: Are We Really Prepared For Cyber-Attacks? .............................................................. 57
Improving Cybersecurity Intrusion Detection ................................................................................... 60
What to Pay for Cybersecurity Professionals? .................................................................................. 62
The Difference between Consumer and Enterprise VPNs ................................................................. 64
Making Actual Private Networks A Reality ....................................................................................... 67
Ways to Protect the System from Cyber Ransomware Attack .......................................................... 70
The Dangers of Backdoor Software Vulnerabilities and How to Mitigate Them ................................ 74
How Security Automation Mixed With an IT Culture Shift Can Prevent Data Leakage ....................... 77
2

CONTENTS (cont')
Three Cyber Attacks on the Rise According To New Research .......................................................... 80
Cybersecurity Jobs in the Private vs. Public Sector ........................................................................... 83
Proxy vs. API CASB: An Overlooked Choice in Cloud Security ........................................................... 86
Security for Your Holidays ............................................................................................................... 89
A Vision for Cybersecurity 2019 ....................................................................................................... 92
Don’t Let a Data Breach Cost You $1.4 Billion .................................................................................. 96
The Digital Promised Land is Riddled with Risk ................................................................................ 98
Mitigating the Risks of Multi-Cloud ............................................................................................... 100
Is Your Business Cyber Resilient? ................................................................................................... 103
You’re Guide to Encrypting Files in Linux ....................................................................................... 106
Network Security Using Honeypots and Deception Technologies ................................................... 109
4 Signs Your Organization Is a Good Cyber Attack Target, And What to Do About It ....................... 112
How to Take Competitive Advantage Using Machine Learning ....................................................... 115
3

@MILIEFSKY
From the
Publisher…
80+ Cybersecurity Top Executive Hotseats on CyberDefenseTV.com and more plus CyberDefenseRadio.com is up!
Dear Friends,
We are so hard at work with a humble goal – to be the #1 source of all things InfoSec knowledge – best
practices, tips, tools, techniques and the best ideas from leading industry experts. We’re tracking our
results on various independent websites that track keywords across the global internet and here’s where
we stand today: https://essentials.news/en/future-of-hacking. We also offer our own statistics that you
are free to reuse anytime, from this page: http://www.cyberdefensemagazine.com/quotables/.
We believe in sharing information and helping educate others with as much open source intelligence
(OSINT) and unique, daily updated content as possible. Speaking of OSINT, there’s a great live Webinar
coming up this month with Kevin Mitnick. Ever wonder how hackers, spies, and con-artists gather such
detailed and convincing intel on their targets? Kevin Mitnick, the world's most famous hacker and
KnowBe4's Chief Hacking Officer, knows. Date/Time: Wednesday, June 12 at 2:00 pm (ET). Click here
to signup – you won’t want to miss this one!
Also, after 7 years of prestigious InfoSec Awards during RSA Conference and Global Awards during
IPEXPO Europe, we have now just launched Black Unicorn Awards for 2019 which will be given out to
only 10 winners during Black Hat USA this August in Las Vegas, Nevada, USA; With some amazing
Judges this year, like Robert Herjavec and David DeWalt! Learn more at:
www.cyberdefenseawards.com
With much appreciation to our all our sponsors – it’s you who allow us to deliver great content for free
every month to our readers…for you, our marketing partners, we are forever grateful!
Warmest regards,
Gary S. Miliefsky
4

Gary S.Miliefsky, CISSP®, fmDHS
CEO, Cyber Defense Media Group
Publisher, Cyber Defense Magazine
InfoSec Knowledge is Power. We will
always strive to provide the latest, most
up to date FREE InfoSec information.
From the Editor…
The market continues to evolve and we’re seeing a lot
of talk about the Internet of Things (IoT) being an
unmanageable and insecure mess.
We’re seeing social engineering expanding into new
attack methodologies with an insider threat landscape
that is also evolving.
Artificial Intelligence for Cybersecurity is moving out of
the hype phase and into the real world implementation
phase, with CISOs and teams asking the right question:
‘what can actually work to accelerate my defenses
against the next breach?’
Always on the rise, data theft, cybercrime, cyberwarfare
and hacktivism are not slowing down so we hope to help
you find some winners and recognize them in our Black
Unicorn Report for 2019 out in August so stay tuned.
Please Enjoy This May Edition of CDM!
To our faithful readers,
Pierluigi Paganini
@CYBERDEFENSEMAG
CYBER DEFENSE eMAGAZINE
Published monthly by the team at Cyber Defense Media Group and
distributed electronically via opt-in Email, HTML, PDF and Online
Flipbook formats.
PRESIDENT & CO-FOUNDER
Stevin Miliefsky
stevinv@cyberdefensemagazine.com
EDITOR-IN-CHIEF & CO-FOUNDER
Pierluigi Paganini, CEH
Pierluigi.paganini@cyberdefensemagazine.com
ADVERTISING
Marketing Team
marketing@cyberdefensemagazine.com
CONTACT US:
Cyber Defense Magazine
Toll Free: 1-833-844-9468
International: +1-603-280-4451
SKYPE: cyber.defense
http://www.cyberdefensemagazine.com
Copyright © 2019, Cyber Defense Magazine, a division of
CYBER DEFENSE MEDIA GROUP (a Steven G. Samuels LLC d/b/a)
276 Fifth Avenue, Suite 704, New York, NY 10001
EIN: 454-18-8465, DUNS# 078358935.
All rights reserved worldwide.
PUBLISHER
Gary S. Miliefsky, CISSP®
Learn more about our founder & publisher at:
http://www.cyberdefensemagazine.com/about-our-founder/
WE’RE CELEBRATING
7 YEARS OF EXCELLENCE!
Providing free information, best practices, tips and
techniques on cybersecurity since 2012, Cyber Defense
magazine is your go-to-source for Information Security.
We’re a proud division of Cyber Defense Media Group:
CYBERDEFENSEMEDIAGROUP.COM
MAGAZINE TV RADIO AWARDS
5

SPONSOR OF THE MONTH…
6

7

8

9

10

11

12

13

14

15

Your website could be vulnerable to outside attacks. Wouldn’t you like to know where those
vulnerabilities lie? Sign up today for your free trial of WhiteHat Sentinel Dynamic and gain a deep
understanding of your web application vulnerabilities, how to prioritize them, and what to do about
them. With this trial you will get:
An evaluation of the security of one of your organization’s websites
Application security guidance from security engineers in WhiteHat’s Threat Research Center
Full access to Sentinel’s web-based interface, offering the ability to review and generate reports as well
as share findings with internal developers and security management
A customized review and complimentary final executive and technical report
Click here to sign up at this URL: https://www.whitehatsec.com/info/security-check/
PLEASE NOTE: Trial participation is subject to qualification.
16

17

18

Empower your Kid with Cybersecurity
19

WMD vs. Cyber Attacks: Similarities Suggesting a Cyber Arms
Race
Similarities between a cyber-attack and a WMD attack push countries into a cyber arms race like the
one between the U.S. and the U.S.S.R. during the Cold War.
By Julien Chesaux, Cyber Security Consultant
Different Types for Different Missions
A WMD is a powerful weapon that is capable of a high order of destruction, causing mass deaths and
casualties. Usually, we refer to different categories of WMDs: nuclear, radiological, chemical and
biological. Despite that all of them are still stocked and used by some states, the most destructive and
feared one is the nuclear bomb. Several international conventions and treaties try to govern their
development and use, like the Nuclear Non-Proliferation Treaty (NPT) with little success. Since its
signature in 1968, the treaty did not prevent a vertical (in the number of warheads) and horizontal (in the
number of states having the bomb) proliferations. Hopefully, the only country to have launched a nuclear
attack remains the U.S. with their World War II bombing of Hiroshima (August 6, 1945) and Nagasaki
(August 9, 1945). In those attacks, around 100,000 people died, instantly burned to ashes, and 95,000
were injured or died after the blasts due to side effects (radiations, burns, illness or malnutrition). Today,
eight states officially have nuclear capabilities, namely the U.S., Russia, France, the U.K., China, India,
Pakistan, and North Korea. Israel also has it but has chosen a policy of ambiguity for strategic reasons,
as the country is in an unstable region surrounded by hostile Arab states.
The Absolute Weapon
According to the latest figures of the Stockholm International Peace and Research Institute (SIPRI), the
U.S. has 1,930 nuclear warheads that are operational and ready to be launched within minutes. An
additional 5,070 are kept in stock. With a total of 7,000, these warheads would be enough to destroy
20

several planets within few hours. With a Russian arsenal of roughly the same size, Washington and
Moscow together hold around 90% of the total warheads around the world. Currently four nations (U.S.,
Russia, China and India) have the possibility to deliver their nuclear payloads towards what is called the
‘nuclear triad’; through strategic bombers (air delivery), intercontinental ballistic missiles (land delivery),
and submarine-launched ballistic missiles (sea delivery).
Due to predictability and intelligence, most of the nuclear warheads delivered by plane can be detected
quickly and the positions of the land-based ones are already known. Thus, the only really functional
missiles in the triad remain the submarine-launched ballistic missiles (called SLBMs), as ballistic missile
submarines (i.e. SSBNs) can stay undetected under water for months thanks to their nuclear-powered
engines. They have the capacity to contain between 16 (for the Russian ‘Borei’ class submarines) and
20 (for the American ‘Ohio’ class submarines) Multiple Independently Targetable Reentry Vehicles
(MIRVs), which are ballistic missiles that can aim at different places within a given area. Every MIRV can
contain 6 to 12 warheads, with the power of 100 to 150 Kilotons (kt). As a comparison: The ‘Little Boy’
and the ‘Fat Man’ bombs that hit Hiroshima and Nagasaki in WWII had an explosive power of 15 kt and
21 kt respectively 1 . Therefore, only one ballistic missile submarine can carry, in theory, around 100
warheads with the potential explosive force of 10,000 kt (which is equivalent of 10,000,000 tons of TNT).
Submarine Vulnerability
Classical submarine network architecture is air-gapped, meaning that it is physically isolated from public
Internet or unsecured local area network (LAN), like most critical infrastructure. Nevertheless, this does
not ensure total security, as evidenced by the 2010 “Operation Olympic Games” where Iranian Natanz
nuclear enrichment lab plant was attacked by a worm malware named Stuxnet. This cyber weapon,
developed jointly by the U.S. CIA and the Israeli Mossad (probably the UNIT 8200, specialized in SIGINT
[SIGnal INTelligence]) overheated the uranium-enriching centrifuges and seriously damaged the military
nuclear program of Iran. This cyber attack was the first one having kinetic consequences on a critical
infrastructure.
According to a publication from the British American Security Information Council (BASIC), a Londonbased
think tank, the UK Trident II D-5 ballistic missile, used as the SLBM (Submarine-Launched Ballistic
Missile) by the U.S. and the U.K. in their SSBNs (Submersible Ship Ballistic Missile Nuclear Powered),
is sensitive to cyber-attacks 2 . The paper argues that although submarines in patrol and the trident’s
sensitive cyber systems are air-gapped, “the vessel, missiles, warheads and all the various support
systems rely on networked computers, devices and software, and each of these have to be designed and
programmed. All of them incorporate unique data and must be regularly upgraded, reconfigured and
1
CHESAUX Julien. “Do We Really Need Thousands of Nuclear Warheads?”, Foraus blog, May 05, 2017
http://www.foraus.ch/#!/blog/c!/content-6811-do-we-really-need-thousands-of-nuclear-warheads
2
ABAIMOV Stanislav & INGRAM Paul. “Hacking UK Trident: A Growing Threat”, British American Security Information Council (BASIC), Jun, 2017
http://www.basicint.org/sites/default/files/HACKING_UK_TRIDENT.pdf
21

patched” 3 . For example, underwater drones, nano and bionic technologies such as implantable and
subdermal data storage and communication devices may be smuggled into the vessel and activated
autonomously, manually or remotely. If not directly within the vessel, a malware injection could happen
during the manufacturing of a submarine, missile, warhead, hardware or software, the refurbishment,
maintenance or update of it or data during transmission when not in operation. This vector of attacks
considerably complexities the attack surface of an armament.
Differences and Similarities between WMDs and cyber attacks
Governments do not yet know how to retaliate from a cyber-attack: What is the red line? How to retaliate?
With a cyber or a conventional attack? At which scale? Most of these unresolved questions create
instability and let hackers proliferating and navigating within the cyber space with low or no
consequences. Therefore, militaries are trying to develop analogies between the nuclear world and cyber
space using the nuclear arms race as a starting point.
Indeed, Joseph Nye, an American political scientist and theoretician of neoliberalism and soft power,
established that there are similar elements between the nuclear arms race of the Cold War and cyber
warfare 4 : (1) superiority of offense over defense; (2) use of weapons for tactical and strategical purposes;
(3) possibilities of first and second use scenario; (4) possibility of automated responses; (5) the likelihood
of unintended consequences and cascading effects.
Still, differences remain. The commercial predominance, accessibility, and low cost of cyber warfare
make it a far more accessible option for an asymmetrical approach, especially for nonstate actors. Also,
a cyber-attack does not carry with it the existential dread associated with nuclear attacks. As American
scholar Martin Libicki pointed out, destruction or disconnection of cyber systems could return us to the
economy of the 1990s, a huge loss of GDP, but a major nuclear war could return us to the Stone Age 5 .
Nonetheless, the cyber threat is becoming ever more dangerous, and malware could be assumed as the
new “absolute” weapon, referring to the military strategist Bernard Brodie’s book “The Absolute Weapon:
Atomic Power and World Order”, published in 1949. The book explains the fundamentals of the nuclear
deterrence strategy where its main purpose was not in its use but in the threat of it: “Thus far the chief
3
ABAIMOV Stanislav & INGRAM Paul. “Hacking UK Trident: A Growing Threat”, British American Security Information Council (BASIC), Jun, 2017
http://www.basicint.org/sites/default/files/HACKING_UK_TRIDENT.pdf
4
NYE Jr. Joseph S. “Nuclear Lessons for Cyber Security? Strategic”, Studies Quarterly 5(4), pp. 18-38., 2011
https://dash.harvard.edu/bitstream/handle/1/8052146/Nye-NuclearLessons.pdf
5
LIBICKI Martin. “Cyberwar as a Confidence Game”, Strategic Studies Quarterly 5, no.1, 2011
https://www.files.ethz.ch/isn/153779/spring11.pdf
22

purpose of our military establishment has been to win wars. From now on its chief purpose must be to
avert them. It can have almost no other useful purpose” 6 . Therefore, the cyber weapon can also become
a deterrent tool.
Cyber Arms Race
The current instable global situation could potentially lead to a cyber arms race like the nuclear one
between the U.S. and the U.S.S.R. during the Cold War. Then, an act of war would have meant the
annihilation of both opponents, due to the excessive number and power of weapons at their disposal. For
this reason, the Cold War resulted in the Mutual Assured Destruction (MAD) doctrine. What the result will
be of the cyber arms race remains to be seen but malware are cheap, easily accessible and efficient.
What is known is that the cyber arms race will almost certainly be fought chiefly between the U.S. and
China, with Russia as a potential third player. In September 2017, President Vladimir Putin stated that
artificial intelligence (related to cyber capacities) is “the future, not only for Russia, but for humankind” 7 .
China also recognized the power of the digital world. According to Tencent’s “Internet Security Report:
First Half of 2017”, China currently suffers from a severe shortage of cyber security professionals. Thus,
Beijing aims to graduate 1.4 million cyber security majors in the next decade (a significant increase from
the roughly 30,000 graduates it produces today) 8 . To do so, China claims it will establish four to six worldclass
cyber security schools in Chinese universities to create “cyber warriors” within 10 years 9 .
6
BRODIE Bernard. “The Absolute Weapon: Atomic Power and World Order”, Yale Institute of International Studies, New Heaven, U.S., 1949
https://www.osti.gov/opennet/servlets/purl/16380564-wvLB09/16380564.pdf
7
MEYER David. “Vladimir Putin Says Whoever Leads in Artificial Intelligence Will Rule the World”, Fortune, Sep 04, 2017
http://fortune.com/2017/09/04/ai-artificial-intelligence-putin-rule-world/
8
TENCENT COMPUTER MANAGER. “2017 Internet security report in the first half of the year”, Tencent, Aug 04, 2017
https://guanjia.qq.com/news/n1/2039.html
9
ZI Yang. “China Is Massively Expanding Its Cyber Capabilities”, The National Interest, Oct. 3, 2017
http://nationalinterest.org/blog/the-buzz/china-massively-expanding-its-cyber-capabilities-22577%22
23

About the Author
Julien Chesaux is a Cyber Security Consultant at Kudelski Security, a Swiss
and American cyber security company. Julien mainly works on cyber
security, information security and geopolitics analysis in order to help clients
to find solutions regarding their threats. He is also a mediator and writer for
the Swiss Think Tank Foraus and the co-founder of the www.stralysis.com.
He has worked in diplomacy and cyber security for seven years in
Switzerland, Australia and France. His main research interests are Global
Security, Cyber Geopolitics, and International Affairs.
LinkedIn profile: www.linkedin.com/in/julien-chesaux-65279456
You can reach me at julien.chesaux@gmail.com
24

Why Federal Agencies Need AIOps
By Jim DeBardi, CIO, and Justin Long, Sr Systems Administrator, NetCentrics
Federal government Security Operations Center (SOC) and Network Operations Center (NOC) teams
are overwhelmed with tools. Dozens, even hundreds are not uncommon, which are designed to monitor
and alert on various systems, applications, behaviors and other factors of the IT enterprise environment.
This commonly leads to one of two scenarios: 1. being overwhelmed with false positives which
desensitizes security staff to legitimate alerts such as the famous Target Stores breach, or 2. Not getting
alerts to legitimate concerns/breaches. In addition this also adds a complex learning curve and tedious
upkeep of the latest software, sensors and integration requirements. To address this, AIOps are emerging
as a key asset in federal IT teams’ arsenal.
The challenge with existing tools is that they often fail to “talk” to each other to share key data in the
interest of the improved prediction, correlation and resolution of events such as cyber threats and service
disruptions. When they do “talk”, they are not doing so in a manner does performs correlation fast enough,
meaning critical security issues may be discovered too late. Subsequently, agencies employ scores of
SOC/NOC specialists who “stay within their silos,” focused strictly on their own, individual monitoring
solutions with no cross-correlating and analysis of the data produced by the tools. These specialists often
foster a mentality of ownership, which sometimes leads to possessiveness as well as not lending itself to
sharing with other systems. This “legacy” security operation model can greatly benefit from the
implementation of processes which incorporate automation, machine learning and analytics to maximize
the predictive value of the tools as a collective whole, thus gaining enterprise-wide IT visibility.
25

Fortunately, Artificial Intelligence for IT Operations (AIOps), first known as algorithmic intelligence, can
help agencies address these issues through benefits such as automation, machine learning and
analytics. Gartner originally coined the term AIOps, defining it as a platform that utilizes big data, modern
machine learning and other advanced analytics technologies to directly and indirectly enhance IT
operations (monitoring, automation and service desk) functions with proactive, personal and dynamic
insight. AIOps platforms enable the concurrent use of multiple data sources, data collection methods,
analytical (real-time and deep) technologies and presentation technologies.
Given the vast range of potentially positive outcomes, AIOps platforms are expected to account for a $11
billion global market by 2023, up from $2.5 billion last year, according to a forecast from
MarketsandMarkets.
AIOps is all about enterprise performance management (i.e., monitoring, analyzing and instantly acting
on data via end-to-end situational awareness and absolute command and control of network resources).
It establishes a “single pane of glass” view of your entire infrastructure so data from every tool is ingested,
correlated and analyzed to generate quantitative outputs that tell us how to improve. It launches
advanced automation, machine learning and analytics which inform proactive event management while
reducing response times, to protect networks, systems and devices while ensuring optimal user
experiences. It allows teams to acquire a true understanding of possible cyber-attacks, help desk ticket
spikes and other SOC/NOC events. It can also leverage the power of elastic and auto-scale cloud
computing to be able to compute massive amounts of data in a fraction of the time vs a traditional on
premise data center.
With this, teams and machines do more than just identify root causes; they resolve events proactively
with AIOps “self-healing” automation orchestration and deep learning functionality. This also eliminates
the traditional binary “if-this-then-that” ruleset. AIOps can truly learn, to the most granular levels, the
behavior and patterns of your organization and dynamically adjust its alerts and sensors accordingly,
giving a level of insight and security without causing significant end-user experience frustration, which
was previously unattainable.
The machine element cannot be understated. As AI innovation takes hold throughout organizations
worldwide – dramatically expanding capabilities to accurately and swiftly detect incidents, and then
respond – agencies cannot be left behind. Ultimately, AIOps elevates monitoring and data
correlation/analytics to a level at which events are treated one in the same: Whether there is an influx of
service desk tickets, an isolated incident, a service affecting an enterprise or a critical business
application that appears degraded, or even an unusual surge of traffic from one specific machine after
hours: AIOps drives toward the core, using root-cause analysis and actionable intelligence that tells
teams what action to take based upon lessons learned, mature processes and recommendations through
AIOps in its entirety.
To take this concept even further – by leveraging machine learning and automation to the maximum
extent practicable – we are able to address an event without involving human interaction and resolve
potential events before they become actual events. AIOps services and solutions will increasingly enable
machines to make these decisions and take appropriate action, reducing IT staffing costs for agencies
while increasing the performance and uptime of the service. AIOps is already heavily utilized to maintain
the largest of computing environments: Azure, AWS, Google Cloud, Oracle Cloud, etc.
26

AIOps is readily available to government customers via a number of contract vehicles, including DISA
ENCORE III, FAA eFast, GSA Schedule 70, Seaport-e, and the C5 Consortium Other Transaction
Agreement (OTA). To position an agency for success here, we recommend these critical
components/steps:
• Control and management of AIOps solutions and services in a multi-tenant environment with an
integrated array of best-fit commercial off-the-shelf (COTS) solutions
• Integrated capabilities across development, deployment, management, monitoring and
collaboration platforms on-premise, off-premise and in the cloud
• Detail-driven project management in which every activity is initiated, planned and controlled to
meet overall objectives within agreed-upon time and budget constraints
• System integration that is tested and proven before new capabilities are implemented
• Compliance with all security requirements and regulations
• Instruction sets and training plans for new features
The pursuit of enterprise-wide IT visibility has emerged as quite a quest for organizations in general,
including government agencies. The accumulation of multiple tools to oversee a growing number of tech
functions/areas adds to the complexities and challenges. Yet, as AI continues to advance in terms of its
capabilities and impact, we can leverage AIOps solutions and services to drive toward a consolidated,
cohesive and completely integrated ecosystem, capturing it all within that long-sought “single pane of
glass” view for proactive, effective responses to events.
As a result, agencies are well-positioned to not only address what’s needed now – but what will be needed
in the immediate or even longer-term future. That’s what happens when man and machine work together
to best benefit the enterprise. Most importantly, eliminating repetitive, manual “labor” work by IT SME’s
may be seen as a threat to some, however this is quite the opposite. By offloading the day to day routine
“Ops” monitoring and alerting tasks, your organizations IT Experts are now free to work on the next
evolution of services and technologies for your organization.
27

About the Author
Jim brings 40 years’ experience in the Research & Development, Operations
Excellence, and IT fields in contributing to NetCentrics’ technical leadership and its
sustained growth. Jim has extensive experience supporting DoD and Federal
Government customers. Since the late 1990s, Jim has primarily supported Dept. of
Defense clients within the Pentagon reservation and DHS/USCG customers in their
move to enterprise-wide security and monitoring systems. As CIO, Jim leads
NetCentrics’ IT support services for its internal infrastructure and operations, where
he evaluates emerging technology for incorporation into NetCentrics’ infrastructure.
Justin Long has been in the Information Technology industry for 12 years. His current
role is the lead Security Operations Manager at NetCentrics Corporation. His
responsibilities include managing and operating their corporate environment to
include instructing new and emerging technologies in support of their customers. His
passion for technology can be seen through the various projects and staff he
supports.
28

Safeguarding Your Organization from Attacks via Your Third-
Party Vendors
By Morey Haber, Chief Technology Officer & Chief Information Security Officer, BeyondTrust
Realizing that most large organizations today have sophisticated security defences, bad actors are
beginning to target third-party vendors, as a means to gain access to an enterprises’ network. In fact, in
2018, over 11 significant breaches were caused by exploitation of third-party vendors and according to
Carbon Black’s 2019 Global Incident Response Threat Report, 50% of today’s attacks leverage what
they call, “island hopping”, where attackers are not only after an enterprises’ network, but all those along
the supply chain as well 10 .
IT admins, insiders, and third-party vendors need privileged access to perform their roles, but this
shouldn’t mean ceding control of the IT environment to them. Organizations typically allow vendors to
access their networks to perform a variety of different functions. However, this privileged access should
be secured to the same (or higher) extent as the organization’s internal privileged users. Neglecting to
do so will create a weak spot in your organization’s security that is ripe for exploit.
Because organizations typically use IT products and software solutions from a variety of vendors, IT is
tasked with the enormous burden of having to secure remote access for these vendors, so that they may
provide maintenance and troubleshooting for their products. As a consequence, organizations are faced
10
https://www.carbonblack.com/global-incident-response-threat-report/april-2019/
29

with the dilemma of having to provide the needed access while also guarding against malware and bad
actors entering through third-party connections.
Given that third-party vendors are an integral part of most organizations’ ecosystem―something that isn’t
going to change anytime soon—there are seven steps you can take to exert better control over thirdparty
vendor network connections and secure remote access.
Monitor & examine vendor activity
First, it’s imperative to scrutinize third-party vendor activity to enforce established policies for system
access. You want to understand whether a policy violation was a simple mistake, or an indication of
malicious intent. You should implement session recording to gain complete visibility over a given session.
And finally, you should correlate information so that you have a holistic view that enables you to spot
trends and patterns that are out of the ordinary.
Here are some ways to approach monitoring:
• Inventory your third-party vendor connections to understand where these connections come from,
what they are connected to, and who has access to what
• Look for firewall rules that permit inbound connections for which you are unaware
• Perform vulnerability scans on your external-facing hosts to search for services that are listening
for inbound connections
• Validate that your enterprise password security policies apply to accounts on inbound network
connections
• Implement policies and standards specific to third-party issues, and use technical controls to
enforce them
• Monitor for any security deficiencies and then address them
Limit network access
Most of your vendors only need access to very specific systems, so to better protect your organization,
limit access using physical or logical network segmentation and channel access through known
pathways. You can accomplish this by leveraging a privileged access management solution to restrict
unapproved protocols and direct approved sessions to a predefined route.
Apply multiple robust internal safeguards
As with other types of threats, a multi-layered defense is key to protecting against threats arising from
third-party access. Apply encryption, multi-factor authentication (MFA), and a comprehensive data
security policy, amongst other measures.
30

Educate your internal and external stakeholders
On average, it takes about 197 days for an organization to realize that it has been breached. A lot of
damage can be done in 197 days. Educate across the enterprise and continually reinforce the message
that the risks are real.
Conduct vendor assessments
Your service-level agreement (SLA) with third-party vendors should spell out the security standards you
expect them to comply with, and you should routinely review compliance performance with your vendors.
At a minimum, your vendors should implement the security basics, such as vulnerability management.
You should also enforce strong controls over the use of credentials—always with a clear line-of-sight into
who is using the credential, and for what purpose.
Authenticate user behavior
Vendor and partner credentials are often very weak and susceptible to inadvertent disclosure. Therefore,
the best way to protect credentials is to proactively manage and control them. You can do this
by eliminating shared accounts, enforcing onboarding, and using background checks to identity-proof
third-party individuals that are accessing your systems.
Prevent unauthorized commands & mistakes
One step you want to take is to broker permissions to various target systems using different accounts,
each with varying levels of permission. You should restrict the commands that a specific user can apply,
via blacklists and whitelists, to provide a high degree of control and flexibility. To this end, use a privileged
access management solution, enable fine-grained permission controls, and enforce the principle of least
privilege (PoLP).
Vendor access is often inadequately controlled, making it a favoured target of cyber attackers. By layering
on these seven steps, you can exert better control over third-party access to your environment and make
significant progress toward reducing cyber risk.
31

About the Author
With more than 20 years of IT industry experience and author of Privileged
Attack Vectors and Asset Attack Vectors, Mr. Haber joined BeyondTrust
in 2012 as a part of the eEye Digital Security acquisition. He currently
oversees the vision for BeyondTrust technology encompassing privileged
access management, remote access, and vulnerability management
solutions, and BeyondTrust’s own internal information security strategies.
In 2004, Mr. Haber joined eEye as the Director of Security Engineering
and was responsible for strategic business discussions and vulnerability
management architectures in Fortune 500 clients. Prior to eEye, he was
a Development Manager for Computer Associates, Inc. (CA), responsible
for new product beta cycles and named customer accounts. Mr. Haber
began his career as a Reliability and Maintainability Engineer for a
government contractor building flight and training simulators. He earned
a Bachelor’s of Science in Electrical Engineering from the State University
of New York at Stony Brook.
32

Departing Employees: A Bigger Threat than Hackers
By Brian Schrader, Esq., president and CEO, BIA
Staff retention is perpetually on the minds of many employers, but maybe a more pressing concern for
them should be data retention.
That’s because the evidence shows that departing employees are actually a much larger threat to a
company’s data security than external hackers. Simply put, data theft is more common than employers
may think.
A whopping 87 percent of employees who leave a job take data they created, and 28 percent take data
that others created, according to a survey from Biscom. Don’t think 28 percent is alarming? Just one
person with the right access and credentials could cause irreparable loss. The majority of that stolen data
includes corporate presentations and/or strategy documents (88%), customer lists (31%) and intellectual
property (25%). In addition, one in five employees has intentionally shared sensitive, confidential
corporate data with others by uploading it to an external cloud service, according to a survey by Osterman
Research.
Most employees take data inadvertently or because they think it’s their rightful property — wanting to
keep a copy of their work, for example. However, a smaller number do so with malicious intent. For
instance, they might plan to compete with their former employer and hope to use the data or corporate
collateral to gain an advantage.
Data can be stolen in a variety of ways, and the options continue to increase as technology changes.
The most common are web-based email apps like Gmail or Yahoo; cloud storage services, like Box.net,
Dropbox or Google Docs; social media platforms, including Instagram or Facebook; instant message
33

apps, such as WhatsApp, SnapChat or Signal; and physical devices, including
external drives, USB keys or cellphones.
Although it might be unrealistic to completely stop employee data theft, companies
can take proactive steps to increase the safety of their proprietary data.
First, companies should preserve their data by making a forensically sound copy
of a departing employee’s computer, tablet or phone before issuing it to another
employee, especially if the departing employee was in a sensitive position such as
sales, executives or other such roles that routinely have access to a company’s
most sensitive information. This process, called “imaging,” makes a bit-for-bit copy
of the entire device’s storage, capturing all active data in addition to essential items
like deleted files (even if they’ve been emptied from the recycle bin); fragments of
old deleted files; event, system and log files; link files and file access histories;
USB device usage; and unallocated, slack and free space.
Taking this precautionary step can improve your company’s ability to prosecute IP
theft in the future. However, because of the potential of spoliation or unintentional
compromise of the data, it’s crucial that it be done only by licensed, certified
personnel or by an external vendor.
Second, companies can proactively protect their data by creating and enforcing
data controls. They can begin by making data security a part of their corporate
culture, so that employees understand from their first day on the job that the
organization is serious about protecting data.
Ask your employees to sign an employment contract that includes language that
establishes ownership of data and the company’s expectations on how that data
is used, protected and secured. The contract should also include a confidentiality
clause where the employee agrees not to take or share company information
during their employment or after they leave the organization.
Proactive data security should continue once employees are on the job.
Companies can put controls in place allowing employees to only access the
systems and data that directly relate to their jobs. Employers should also encrypt
data and devices wherever possible and employ multi-factor authorization so that
data can’t be accessed by unauthorized employees or outside bad actors.
Ongoing education and training programs for current employees can help further
underline the importance of data security. And finally, using a departing employee
protocol and checklist can help address any remaining security gaps when you’re
at the greatest risk of data being stolen.
An overwhelming majority of companies — almost 9 in 10 — have plans to
increase their cybersecurity spending in the next 12 months, according to a recent
report by Thales Data Security. Yet, as those businesses bolster their defense
against external hackers, they may be simultaneously ignoring potential threats
34

from within. The question companies should be asking themselves is this: Who knows your company’s
data best?
To continue reading about this subject, view our downloadable, shareable infographic, which
accompanies this article.
About the Author
Brian Schrader, Esq., is president & CEO of BIA (www.biaprotect.com), a leader
in reliable, innovative and cost-effective eDiscovery services. With early career
experience in information management, computer technology and the law, Brian
co-founded BIA in 2002 and has since developed the firm’s reputation as an
industry pioneer and a trusted partner for corporations and law firms around the
world. He can be reached at bschrader@biaprotect.com
35

Why You Should Always Use A VPN When Connected To Public
Wi-Fi
By Katherine Barnett, Digital Rights & Cybersecurity Researcher, Top10VPN.com
Having an internet connection is a necessary part of both our personal and working lives. As well as
keeping us connected with news and social media, businesses need their staff to be able to connect to
WiFi to work and access networks remotely. This has seen the rise of free, public WiFi networks to cater
for these demands.
However, with increased access to WiFi comes increased risk. Free public WiFi in particular provides
plenty of opportunity for malicious individuals to access and steal your data. With an estimated 81% of
individuals connecting to public WiFi networks, it’s important to be educated on the risks. Using a VPN
and taking other precautionary measures can ensure you remain safe when connecting to public WiFi is
a necessity.
The Risks
Unfortunately, all unsecured public WiFi networks are unsafe. The very thing that makes them convenient
- their easy accessibility and no-cost - is what makes them an easy target for those looking to steal
personal information or distribute malware.
There are a variety of ways public WiFi can put an individual's security at risk. The most common of these
are:
●
WiFi ‘honeypot’ networks. These are networks that appear to be owned by a legitimate
establishment i.e. Starbucks WiFi, when in reality they’ve been set-up by an ill-intentioned
individual. By connecting to these fake public WiFi networks, users not only hand over their IP
address and device information but any other sensitive information they have shared over the
network.
36

Fake WiFi networks such as this can also be used by criminals to redirect a users traffic to unsafe
sites that mimic popular websites. Individuals can then be manipulated into passing over
information they would usually enter into the trusted version of the site.
●
Man-in-the-Middle attacks. These types of attacks are when an individual intercepts and
manipulates the connection between a user’s device and the site they’re attempting to reach. This
enables them to not just read data packets and personal data, but inject content or redirect traffic
to an untrustworthy site.
●
●
●
●
Distribution of malware over unsecured WiFi. Attackers can use the MiM method to exploit
software vulnerabilities in your device and infect it with malware. Unsecured networks facilitate
this sort of attack.
Connection points can also be hacked to display a pop-up window when a user attempts to
connect, offering a software update which, if clicked, downloads malware onto their device.
Snooping & sniffing. Special tools and pieces of software allow attackers to eavesdrop on WiFi
signals, giving them visibility on sites a user has visited. Any login credentials or other information
passed over to a non-HTTPS site by the user then become visible to the eavesdropper.
For instance, relatively simple Linux software can help a criminal intercept and view packets of
data travelling between your device and the router.
Peer-to-Peer attacks. If a users device is set-up to automatically discover new networks it is
possible for hackers to connect directly to them. Once connected, attackers can then infect a
device with malware.
This can also be done via file sharing if a user has this setting turned on.
Address Resolution Protocol (ARP) Spoofing. ARP is the method used by all devices to
discover the unique identifying code of each device connected to a network. The unique code
given to each device ensures that packets of data can travel from the router to the correct
destination.
Unfortunately, ARP can be tampered with. This means that your device can be tricked into
believing another router possesses the identity code of the public WiFi router you’re trying to
connect to. Your device will then send data to the copycat router instead of the legitimate public
WiFi router, allowing whoever set it up to manipulate your traffic and view unencrypted data.
All of these attacks put personal data and security at risk. For those handling sensitive information, the
results could be catastrophic. Worryingly, attacks via WiFi take, on average, less than two minutes,
meaning users would not need to be connected long to fall victim to foul play.
The fact that these attacks can be executed quickly using inexpensive tools and software such as Linux
demonstrates the need to always ensure you’re adequately protected before connecting to a public WiFi
network.
37

How can VPNs offer protection?
VPNs (Virtual Private Networks) encrypt a users connection and redirect it to a remote server, hiding their
IP address and making any information they pass over the network unreadable.
When connected to public WiFi, VPNs offer substantial protection against attacks through the encryption
of your data. Any attacker who finds a way to eavesdrop on your connection and intercept data packets
will be unable to view the information you’ve shared without committing to a time-consuming decryption
process. This makes attackers more likely to disregard your unreadable, encrypted data and chose a
less security-savvy individual to attack.
VPNs therefore provide an extra layer of security to a users network and will protect against the majority
of security threats posed by public WiFi.
Other forms of protection
As well as investing in a reliable VPN, there are other necessary precautions that should be taken if
connecting to public WiFi is unavoidable.
●
Keep your devices up-to-date. This is crucial to resolve any software vulnerabilities that may be
present in your device. Updates often include security patches and bug fixes as well as new
features.
●
Only ever visit sites that use HTTPS. HTTPS-enabled sites provide extra security to your
connection through the SSL encryption protocol. HTTP websites on the other hand do not have
such security, meaning that any information you enter into the site is visible to someone spying
on your connection.
●
Turn off auto-connect network settings and Bluetooth. This will make attackers unable to
launch a malicious attack on your device by connecting to it directly.
●
Invest in a robust security solution. While spending money on security software is something
users often avoid, it’s highly recommended if you want to prevent your device from becoming
infected with a virus, worm or other form of malware. A good piece of software will be constantly
scanning your device and downloads for any issues, preventing you from installing anything
suspicious.
38

●
Avoid all unprotected networks. Though there are obviously times when it has to be done, not
connecting to public WiFi at all is the best way of ensuring your data security and privacy. Carrying
out important, private activities via public WiFi is definitely to be avoided.
Conclusion
While public WiFi is incredibly beneficial to those needing to work remotely, or simply browse on the
move, the many ways it can be abused by cyber criminals means you should think twice before you
connect.
If you do decide to connect to public WiFi, using a VPN and taking other precautions will vastly improve
your security and limit the chances of you falling victim to an attack.
Nothing is ever truly free, and connecting to public WiFi without the appropriate precautions in place may
just leave you paying with your data.
About the Author
Katherine Barnett (@thekatbarnett) is a researcher at leading VPN
review site Top10VPN.com. Her writing focuses predominantly on global
censorship, digital rights and cybersecurity.
39

Cyber Security Facts and States For 2019
By Janny Thomas, Technical Content Writter
The most touted term in recent years, cybersecurity isn’t going to die soon. In fact, people are more aware
of advanced security mechanism they should follow to keep their data privacy & security intact. Despite
the all security mechanism user put in place for better security, still, cybercriminals manage to break
user’s system security using different tactics. The recent studies & data suggest that users are more
prone to cyber-attacks than ever. Now when we know that the threat is real and emerging there comes
certain cyber security terms, facts and states we should know to keep data security & privacy intact.
IoT Devices will be on target: Recent studies suggest the next target of cyber criminals could be the
IoT devices. Here, most IoT devices run without elaborated security mechanism that makes them prone
to security threats at an all-time high. You may find devices running on IoT like smart TVs, connected
toys, smart speakers, smart appliances, wearables, and more doesn’t follow stringent security
mechanism that increases the threat to these devices. Poor network security is another nefarious threat
that is causing serious trouble to households and businesses. While open networks are known for its
security loopholes, even the private networks are on target. Thus, encrypted and password protected
networks could be the best solution for better security.
40

Source: softonic
Email spam will remain persistent: Like any previous year, email spam is going to persist. Here, you
receive tons of email every day in your spam folder while roughly 49% of total emails go to the spam
folder. Here, you may receive these emails from unknown senders and cybercriminals who ask you to
click on certain links or asking you to open certain attachments. While most of these links or attachments
remain malicious, it visibly increases the risk for your data and system security. Studies suggest 69% of
total spam emails ask you to click on malicious links while the remaining 31% attempt to trick users into
opening malicious attachments. Studies also suggest that every one out of three phishing emails is
opened while a small percentage of users also click on links and open attachments sent in these
malicious emails.
41

Source: lifewire
Cybercrime is becoming a lucrative business: Cybercrime is turning to be a lucrative business for
many. Estimates suggest it's going to cost over $6 trillion dollars to combat it by the year 2021. It is
estimated to be more than the global trade of all major illegal drugs combined. Here, companies like
Yahoo and Equifax has been targeted in recent times, that displays the size, sophistication, and cost it
will attract to fight this menace. While cybercrimes are growing at an astronomical rate, it is duping
millions of dollars from users around the world. Here, importance of cyber security is increasing with
increase in cybercrimes.
42

Source: ET
Information loss cost more: While most cybercrimes are targeted to steal your data and trade it for
ransom or some other reason, restoring data is a pricey deal. Here, 43% of total loss occurs in the form
of data loss. It becomes more complicated when the data belongs to third-party sites and you need to
recover it.
Source: cislive
43

The healthcare industry is on target: In between the numerous other facts, recent studies suggest that
almost half of the recent ransomware attacks were targeted at the healthcare industry. While 90% of
healthcare organizations have seen the surge in ransomware infection from the year 2017 to 2018, it is
still a major cause of worry.
Source: franchiseindia
Conclusion: The increasing threat to the cybersecurity, the users are more alert than ever to avoid &
block cyber-attacks in the first place. Here, knowing the recent cybersecurity facts & states help users
understand what the challenges in front of them in the coming year could be and how they can fix the
problem. Here, we have discussed some of these useful facts & figures that could help you understand
and avoid cyber threats. In addition to these facts & states, if you know more such information related to
cybersecurity in 2019, then feel free to share in the comments below.
About the Author
Janny Thomas is a technical content writter. As from being a capable
engineer, her technical knowledge and expertise in research, blended
with an intimate passion to write made him love his profession to the
core. She is an avid reader.
44

By The Numbers: Defining Risk in Cyber Insurance
By Matthew Mckenna, VP EMEA at SecurityScorecard
As organisations continue to adjust to the reality of the threat presented by cyberattacks, one of the most
important factors has been the growth of cyber insurance. An increasing number of businesses are
beginning to align their views on cyber risks with more traditionally understood risks such as property
damage and financial difficulties.
A recent report by the global insurance broker Marsh estimated that cyber insurance market in the US
had increased to $1.8bn in 2018, roughly tripling in size from 2015. Marsh stated that the overall number
of US companies purchasing cyber insurance had doubled over the past five years, while there was also
growth for policy limits for existing buyers.
On a global scale, the cyber insurance market has been predicted to reach $17.55bn in 2023, up from
$4.52bn in 2017. All this growth is a positive sign of companies taking cyber threats more seriously and
assimilating risks such as ransomware and data breaches alongside more traditional business risks.
However, the cyber insurance market is still in a nascent stage and both organisations and insurance
underwriters are still working through a number of serious challenges. The scope and complexity of
cybersecurity means that fully understanding the risks can be a difficult proposition. While premiums have
gone down and policies have become more accessible, obtaining cyber insurance is still a more difficult
and expensive proposition than in many other fields.
The challenge for underwriters
Perhaps the biggest issue is the sheer number of vectors involved in accurately assessing cyber risks –
many of which are continuing to evolve and change. By comparison, in the long-established auto
insurance industry, premiums are based on several well-defined and understood factors, primarily the
individual’s historical driving record. A motorist with a history of accidents and traffic violations will
45

obviously be seen as a greater risk and will face more expensive premiums in order for insurers to absorb
the risk.
Because cyber security is a relatively new field which is not widely understood, cyber liability insurance
is much harder to define. There is a very limited availability of breach data and assessing a company’s
inner workings around security is usually an expensive and invasive affair. Additionally, the cyber health
of a company’s suppliers, partners and customers can be as important as its own internal security. This
means insurers must also deal with a complex and often vast network of interlinked companies in order
to arrive at an accurate conclusion.
Similarly, the insurance industry must also contend with the lack of a commonly agreed taxonomy around
cyber risk. Brokers, insurers and insurance staff are unlikely to have more than a passing familiarity with
all the technical terms and key issues involved in cybersecurity – particularly as the field is changing and
evolving at a rapid rate.
Aside from complicating the process of establishing policies and setting premiums, this also creates
several issues when it comes to informing customers on their company’s cyber risk as it relates to the
premium price of a policy. Since the decision makers with overview of insurance premiums are also likely
to be unfamiliar with the industry, it can easily be a case of the blind leading the blind.
To overcome the difficulties presented by understanding and defining such a complex and fast-moving
field, we need to translate cyber risk issues into a format that can be more easily understood and
compared.
Cutting through the complexity
One of the most effective ways of presenting the myriad vectors involved in cyber risk is to boil everything
down to a simple numeric score. The practice has been widely used for decades to handle financial risk
for organisations, individuals and even entire nations. A numeric credit score provides a useful shorthand
that summarises an often-vast number of factors contributing to the entity’s financial solvency and
potential risk as a debtor.
By the same token, a cyber security score can be used to provide a simple and easily understood
representation of a company’s cyber risk level. A good score will indicate that a company represents a
low risk and can be granted a lower premium, while a poor score shows that the firm is a riskier proposition
and accordingly needs a higher premium until it can improve.
Translating so many different factors into a single numeric score is easier said than done of course. Just
as with any other area of risk assessment, this audit needs to be conducted by experts in the field, in this
case armed with a deep understanding of both cyber security and business structure.
How are cyber risks defined?
Several key factors must be assessed to establish an accurate security score. A firm’s ability to follow
basic cyber hygiene is one of the most important elements, as many successful cyberattacks are the
46

esult of poor practice around tasks such as updating and patching operating systems, services,
applications, software and hardware. Similarly, poor practices such as open access points, insecure or
misconfigured SSL certificates, or database vulnerabilities are commonly exploited by cyber attackers
and therefore indicate a higher level of risk.
As a single device can lead to a serious cyber incident, a proper assessment must include every device
used to connect to the firm’s systems, including laptops, mobiles and IoT devices.
Finally, because cybercriminals will facilitate attacks through trusted third parties, the assessment must
go beyond the walls of the organisation and include its network of partners, service providers and other
connections. Even if the company itself is well-secured, it could still be considered at a high risk of attack
if a poorly secured third party can access its systems.
Condensing these cyber issues and other key factors down into a single score will provide insurers with
a shorthand reference to a company’s level of cyber risk. This will enable insurers to create more accurate
policies for each client, rather than having to rely on generic higher premiums because they are unable
to accommodate all of the risk factors involved.
With cyber risk becoming more accessible and widely understood by the insurance industry,
organisations will be better able to access affordable policies that will help them mitigate the impact of a
serious cyber incident.
About the Author
Matthew McKenna – Vice President EMEA at Security Scorecard – has
extensive experience in the technology and security industry. Matthew is
a high-energy strategy and operations executive with a track record of
commercializing emerging technologies across sectors in global
markets.
47

Threat and Incident Response – Closing the Loop in Cyber
Defense
By Timothy Liu, CTO & Co-Founder, Hillstone Networks
Two of the Gartner’s 2019 top 10 security projects involve threat detection response and incident
response. This highlights the importance of remediation and response aspects in cyber security, they are
the last steps taken to close the loop in threat and attack defenses.
Threat or incident response refer to the techniques and processes as well as the remediation actions that
are taken based on the analytical conclusions together with the forensic evidences and other threat
detection enrichment from threat intelligence. The purpose is to throttle the attacks in progress, break the
attack kill chain, isolate or confine any collateral damages as the result of these attacks.
Once an attack alert is triggered or an abnormal behavior is detected, the security analyst or admin must
conduct threat analysis to validate the threat alert, remove any possible false positive, assess the risks
this have brought to the attacking surfaces and take proper actions. This is the threat and incident
response process, It usually contains several stages:
• Forensic evidence collections and threat data enrichment:
Various techniques and tools are used to collect forensic evidences including getting information
from the associated packets captures, extracting metadata from the network and traffic logs,
retrieving files or process information from the end points, collecting global threat event feeds
from the cloud etc.
On the continuous monitoring system, which most systems are today, these information usually
have already been collected, cleansed, normalized and stored in the security data lake, and for a
certain period of time. With necessary data available, threat hunting can be conducted to zoom in
the offending sources of the attacks as well as to prepare the any forensic evidences.
Threat enrichment usually involve integrating threat intelligence feeds from internal or external
sources, such as IP, domain names or URL reputations, IP GEO information, DNS registration,
48

WHOIS information, various blacklists and reputation data, also importantly, any possible
relationships in the past and present. Threat enrichment can be great helps in assisting the threat
analysis process, improve the accuracy of detection and strengthen the confidence of the findings.
• Triage and analysis:
In this stage of the process, various techniques, tools and algorithms are applied to the threat
data assembled earlier. This generally includes statistical based analysis as well as behavioral
based analysis. These mechanisms are used to correlate traces of the attacker over time and
space spectrums, connect all the dots together, reconstructs kill chains and provide security
analysts and admins insights of the attacking in progress and provide conclusive evidences that
a real threat attack has occurred and either host machine or server assets have being
compromised.
Many companies and products utilize machine learning and AI driven analytical mechanisms to
derive final predictions based on either big data analysis or user behavioral analysis (UEBA). This
has been a very active area in threat analysis and have quite number of products. ML and AI
based mechanisms have been effective in assisting to find and detect unknown malware or
malware with mutations as well as preventing 0-day or more sophisticated, hidden attacks.
• Decision making and action taking:
In this stage, various remediation actions can be taken as the result of analysis when necessary,
these can include:
o
o
o
o
o
Firewall policy generation and enforcement
Global signature update
Compromised host or server machine isolation and quarantine
Incident ticket generating process and notifications
Network situation awareness and risk assessments
Effective threat and incident response can be challenging. As the result, the wide adoptions of the threat
and incident response platforms largely depend on the effectiveness.
Most of the products in this space today still focus on the alert reporting, visibility and other presentation
optimizations. On the other hand, incident response often largely conducted manually which is often
resource consuming, tedious and ineffective.
The rudimental requirements for effective threat and incident response include:
• Accuracy and effectiveness:
Technologies must be in place to extract those real valuable threat data out of vast amount of
information, much of them are usually normal traffic data but considered noises to the threat
analysis. There are also requirements for threat attack visibility to provide more clear and focused
visibility to security analysts and admins to avoid distractions or get bogged down by either false
positives or false negatives.
49

• Non-disruptive to normal business:
It is critical that the remediation actions taken based on the threat analytical process should not
cause disruptions to normal business. Any misfires or disruptions to normal business will
eventually undercut the purpose of threat incident response. In real deployments, remediation
actions should be prioritized and in some cases, use two steps confirmations to ensure
accuracies. Today, more companies are adopting cloud based analytical platform to conduct
multi-dimension threat analysis on global bases to ensure threat accuracy and effectiveness.
• Automated analysis and response process:
Threat data need to be collected on a continuous bases in order to establish any possible threat
and attack contexts over a period of time. It becomes infeasible to do efficient threat data mining
or threat analysis manually.
Automating analysis process has becoming vital to help to quickly find out the root cause of the
threat alerts among ocean loads of data, free security analysts and admins from daily workloads
and those repetitive jobs and instead, to focus energies and resources on high value and high
priority targets. This is particular true after large scale security analytical platforms mature. Threat
incident response automation tools and process has formed a new sector in cyber security called
Security Orchestration and Automation Response (SOAR) where the processing workflows are
defined in so called playbooks. Each playbook can be used to handle certain types of threat
incident analysis and response.
Threat and incident response products can come in a standalone, all in one form, it can also be part of
the security analytical platform or SOC/SIEM based platforms. These days, most security vendors are
using cloud based platform to collect threat feeds from different sources globally, conduct analysis and
update results to the deployed entities globally.
This year at RSAC 2019, quite a few security vendors are coming to 2019 to showcase their products
which integrate threat and incident response capabilities.
The intelligence capabilities on Hillstone Networks iNGFWs and breach detection system carry multiple
detection engines that can conduct conventional signature based detection as well as behavioral based
analysis using machine learnings, after threat alerts are triggered, threat analysis are conducted, either
manually or automatically, after mitigation actions can be done at the iNGFW or endpoints upon admin’s
confirmation.
In the near future, there will be more threat and incident response capabilities from Hillstone Network’s
security product portfolios.
50

About the Author
Timothy Liu is a veteran of the technology and security industry for over 25
years. Mr. Liu is co-founder and CTO of Hillstone Networks, responsible for
global marketing and sales. As CTO, he is also responsible for the company’s
product strategy and technology direction. Prior to founding Hillstone, Mr. Liu
managed the development of VPN subsystems for ScreenOS at NetScreen
Technologies, and Juniper Networks following its NetScreen acquisition. He
has also been a co-architect of Juniper Universal Access Control. In the past,
he has served key R&D positions at Intel, Silvan Networks, Enfashion and
Convex Computer. Tim can be reached at our company website
https://www.hillstonenet.com/
51

The Ways of Collecting Threat Intelligence in Cyber Defense
By Milica D. Djekic
Cyber defense is an area that has found its applications over the globe. In so recent past, when we say
cyber – we would mean by that computers, internet and mobile technologies. On the other hand, with the
very first beginnings of a digital transformation – we would realize that even the most developed
engineering systems would get its correlations with the cyber security. So, cyber is not only about the
computers, web and mobile devices – but rather about the connected objects dealing with their web
connectivity. Let’s say that any cyber system either being purely the digital one or even some industrial
asset could cope with some software and hardware. The practice would suggest that any of these
solutions could get vulnerable to the hacker’s attacks, so what we need here the most is the good cyber
defense. The reason for that is the modern cyber-physical systems got so sensitive to the threat and if
we want to formulate the useful security tactics and strategies in order to protect our infrastructure – we
need to better understand anything bringing the risk to our solutions. Some experts would say that the
good defense is about understanding your threat, so it’s quite obvious – why any finding about the threat
matters. In sense of cyber security, the threats could get virtual, physical or human. The virtual threats
are any piece of the code including some malware applications that could make harm to some new
generation system. On the other hand, threats to physical solutions could cause the disadvantage to the
system’s hardware, while the threats being linked with the people are those sorts of risks coming from
the human factor. Anyhow, the purpose of this effort is to discuss the topic of threat intelligence being the
vital pillar to the helpful cyber defense tactics, strategies and procedures.
52

What we mean by threat intelligence
In case you want to understand your threat, there are the several steps you need to follow in order to
produce some threat intelligence. First, you need to collect some findings about the stuff that’s worrying
you in a security manner. Those findings are usually the data about the malware behavior, hacker’s
tactics and approaches as well as some insider risks. Collecting the threat findings is a long-term
business and once you are in progress with such a task you would figure out that you are getting the new
and new things about your threat. Those novel stuffs you are discovering amongst your threat findings
are the threat information. Finally if you put those information under some analysis and statistical review
you would get the threat intelligence. The entire process is given in the Figure 1 as follows.
Figure 1. The threat intelligence block diagram
As represented in the threat intelligence block diagram – there are three main steps in producing the
threat intelligence. In other words, the things are not that simple in the practice for a reason you could
need the hours and hours being spent in front of your computing device researching and researching any
anomaly that may appear in the cyberspace. Once you obtain your source of information on the web, you
should start thinking how to document the entire process and separate the new findings from the wellknown
ones. Once you achieve so you would get the clear information that could get lately processed
and used as the threat intelligence. This is not the easy task at all, but any effort is worth that for a reason
it could support you from protecting yourself from the threat.
The hacker's forums as a good starting point
The good place to find the information about the threats is any hacker’s forum being available with the
visible or deep web. For such a purpose, we would give the example of the Tor’s Hidden Wiki being the
spot where the cybercrime and organized crime networks offer their goods and services. In order to deal
with such an environment you need to get the Tor’s browser being installed on your machine. The Tor is
a de-centralized system that may provide the certain amount of privacy and it will not get applied by the
defense community only, but also it would find its usages with the bad guys. Some instances of the Tor’s
black market are given in the Figure 2 as follows.
53

Figure 2. The Tor’s Hidden Wiki example
As illustrated above, the hacker’s and criminal websites could offer a plenty of useful findings to the entire
defense community that can invoke so many security researchers who would collect the data from there
in order to prepare the skillful reportings about the situation on the internet. The given instance is only an
illustration how those stuffs look like and how we could choose them as the good starting point with our
research. It’s not the rare case that researching the visible or deep internet you can discover some
malicious applications which links could be given with some of the hacker’s forums. Such a discovery is
the quite handy outcome to the malware researchers who could try to isolate such a code in order to
understand how it works and how such a finding could get used for the further cyber industry needs. For
instance, once you discover the new malware you can send that information to some anti-malware
application developer’s team that could include its signature to the upgraded version of their product.
That’s how the threat intelligence could serve for the preventive purposes.
The need for a deep research of Dark net environment
The Darknet surrounding has become so critical part of the internet. The most applied Darknet browser
of today is the Tor and such a system would deal with the millions of user every single day. The brief
illustration of the Tor’s user being online during some period of time is given in the Figure 3 as follows.
54

Figure 3. The Tor’s users being online
The results of this graph could get found with the Tor’s project website using the well-known Tor’s Metrics
web-based tool. In our opinion, analyzing those tendencies could help us making the better approach to
our research and its methodologies.
The methods of producing threat intelligence
In order to produce the threat intelligence you should think a bit how to make the threat information and
further put them under some analysis. All the findings being gathered on the web should be carefully
reported and if you want to cope with some trends and tendencies you need to do some mathematical
and statistical processing of such collected data. This could require some analytics skills and we would
encourage anyone getting such an affinity to attempt to make his contribution as a security researcher.
The entire simplified procedure how it works is represented in the Figure 4 as follows.
Figure 4. The threat intelligence procedure
Finally, we should mention that the entire threat intelligence production is about so hard work and in order
to make any sort of documentary reportings you need a plenty of knowledge and experience at once.
Above all, the security researchers need to deal with the great learning skill and get capable to use some
of the expert’s tools, so far. In other words, the security research is the quite demanding field and there
is some skill shortage that could make us think hard how to overcome so.
55

The next steps in getting security challenges
The security is always-changing landscape that can offer us a lot of challenges. In order to beat them we
need to adopt the new approaches, methods and techniques, so far. It’s quite trickery to think about the
security business as about something that could get resolved using the silver bullet. It’s more the longterm
game between the cat and the mouse or – in other words – the good guys and the bad guys. As
long as we put some effort to understand the threat we can talk about some best practices and the
measures of remaining safe.
About The Author
Milica D. Djekic is an Independent Researcher from Subotica,
Republic of Serbia. She received her engineering background from
the Faculty of Mechanical Engineering, University of Belgrade. She
writes for some domestic and overseas presses and she is also the
author of the book “The Internet of Things: Concept, Applications and
Security” being published in 2017 with the Lambert Academic
Publishing. Milica is also a speaker with the BrightTALK expert’s
channel and Cyber Security Summit Europe being held in 2016 as well
as CyberCentral Summit 2019 being one of the most exclusive cyber
defense events in Europe. She is the member of an ASIS International
since 2017 and contributor to the Australian Cyber Security Magazine
since 2018. Milica's research efforts are recognized with Computer
Emergency Response Team for the European Union (CERT-EU). Her
fields of interests are cyber defense, technology and business. Milica is a person with disability.
56

Ransomware: Are We Really Prepared For Cyber-Attacks?
By Timothy Liu, CTO & Co-Founder, Hillstone Networks
On Black Friday of 2018, a powerful ransomware attack hit the San Francisco light rail system,
threatening to destroy more than 30 GB of critical databases such as email, staff training, payroll, ticketing
and other system data, unless they paid the authors 100 Bitcoins (which equals to approximately $
355,966 USD).
The company refused, resulting in the suspension of the ticketing system for two days and forcing the
agency to absorb thousands of free passenger trips.
The Cisco Cybersecurity Report in 2018, declares that ransomware is “the most profitable type of
malware in history,” echoing other studies that have tracked the rapid rise of ransomware to one of the
most dangerous business security threats. Prevalent and virulent in all business sectors.
According to an Osterman Research survey in June 2017, almost one in three organizations surveyed
suffered a ransomware attack in the last 12 months.
Another report, this time from ESET Security Report 2018, revealed that in the year 2017, 1,190 variants
of FileCoder families were identified (a detection for ransomware). If this figure is compared with the 744
that were identified in 2016, there is an increase of 60% in less than one year.
Ransomware blocks the companies from their systems by encrypting critical data, releasing the data only
after the victim pays the attackers a monetary ransom.
One reason why this threat has become so widespread and effective is the ease with which hackers can
acquire and take advantage of ransomware tools.
57

Once infected, owners can choose to hire security professionals to disinfect their systems. Unfortunately,
the whole process can take hours, days or weeks, at a cost that is probably much higher than the ransom
demanded by the attackers.
That’s why business owners simply pay the ransom so they can get back to work as soon as possible,
and why ransomware is such a profitable and rapidly growing business.
With the rapid increase in ransomware attacks, businesses and organizations have a hard time finding
and implementing viable security solutions that can detect and mitigate these attacks early, quickly and
effectively before they can cause damage.
Examples: Locky Ransomware Attack
Ransomware is one of the most prevalent ransomware vulnerabilities on the Internet. A typical Locky
Ransomware attack takes a series of steps to paralyze the systems and extract the ransom:
The attacker sends unsolicited emails with malicious attachments to dozens of staff members in an
organization. Thanks to the sophisticated social engineering tactics of the attacker, one or more victims
are tricked into clicking and executing the attachment.
The malicious upload of the attached file runs, connects to a ransomware hosting server over the Internet
and downloads a copy of Locky Ransomware on the corporate network.
When executed, Locky Ransomware is installed secretly on the network and communicates with a
command and control server (CnC) over the Internet to retrieve an encryption key, which it uses to encrypt
critical local files and shared folders on the network.
Once the encryption is complete, Locky Ransomware opens a window in the user’s system and demands
a ransom in return for recovering the encrypted files.
These are just the tactics and steps that were used to attack the San Francisco light rail system, tricking
an employee of the light rail system to run a malicious email attachment.
Conclusions:
Given this landscape, are we really prepared for cyberattacks? You are with Hillstone’s next-generation
intelligent firewall (iNGFW) — a solution for this type of scenario with a multi-layered defense and a
unique architecture used to detect and mitigate ransomware before it can damage to the business.
The layered defense delivered by the iNGFW uses several high-level security engines to protect against
Ransomware threats: Antivirus (AV), Intrusion Prevention System (IPS), Advanced Threat Detection
(ATD), Abnormal Behavior Detection (ABD) etc.
With its layered defense, Hillstone iNGFW can detect and mitigate even the most sophisticated and
rapidly evolving ransomware variants in any or all attack stages, including subsequent violations.
58

About the Author
Timothy Liu is a veteran of the technology and security industry for over 25
years. Mr. Liu is co-founder and CTO of Hillstone Networks, responsible for
global marketing and sales. As CTO, he is also responsible for the company’s
product strategy and technology direction. Prior to founding Hillstone, Mr. Liu
managed the development of VPN subsystems for ScreenOS at NetScreen
Technologies, and Juniper Networks following its NetScreen acquisition. He
has also been a co-architect of Juniper Universal Access Control. In the past,
he has served key R&D positions at Intel, Silvan Networks, Enfashion and
Convex Computer. Tim can be reached at our company website
https://www.hillstonenet.com/
59

Improving Cybersecurity Intrusion Detection
By Sidney Smith, Computer Scientist, CCDC Army Research Laboratory
With billions of people affected by data breaches last year, cybersecurity has become one of the nation’s
top security concerns and government and businesses are spending more time and money defending
against it.
One of the challenges with today’s cybersecurity is that many protection systems use distributed network
intrusion detection, which allows a small number of highly trained analysts to monitor several networks
at the same time, reducing cost through economies of scale and more efficiently leveraging limited
cybersecurity expertise. The problem with this approach is that it requires the data to be transmitted from
network intrusion detection sensors on the defended network to central analysis severs. Transmitting all
of the data captured by sensors requires too much bandwidth for systems to manage, and bandwidth is
extremely costly.
Because of this, most distributed network intrusion detection systems only send alerts or summaries of
activities back to the security analyst. With only summaries, cyber-attacks either can go undetected
because the analyst did not have enough information to understand the network activity, or, alternatively,
time may be wasted chasing down false positives.
I, along with my research team, wanted to figure out a way that we could compress network traffic without
losing the ability to detect and investigate malicious activity. Using this strategy in a distributed network
intrusion detection system, we would bring back more, but not all of the data, so the analysts can make
a better determination about the activity that they’re investigating.
Working with researchers at the U.S. Army Combat Capabilities Development Command’s Army
Research Laboratory and Towson University, our team conducted research that identified a new way to
improve network security. The findings were presented at the 10th International Multi-Conference on
Complexity, Informatics and Cybernetics.
Working on the theory that malicious network activity would manifest its maliciousness early, we
developed a tool that would stop transmitting traffic after a given number of messages had be transmitted.
60

We analyzed and compared the resulting compressed network traffic to the analysis performed on the
original network traffic.
As suspected, we found cyber-attacks often do manifest maliciousness early in the transmission process.
When we identified malicious activity later in the transmission process, it was usually not the first
occurrence of malicious activity in that network flow.
Based on these findings, we determined that using our strategy to truncate flows should be effective in
reducing the amount of network traffic sent from the sensor to central analyst system, and ultimately
could be used to increase the reliability and security of Army networks.
For the next phase, we want to integrate this technique with network classification and lossless
compression techniques to reduce the amount of traffic that needs to be transmitted to the central
analysis systems to less than 10% of the original traffic volume while losing no more than 1% of
cybersecurity alerts.
The future of intrusion detection is in machine learning and other artificial intelligence techniques;
however, many of these techniques are too resource intensive to run on the remote sensors, and all of
them require large amounts of data. A cybersecurity system incorporating our research technique will
allow the data most likely to be malicious to be gathered for further analysis.
About the Author
Sidney Smith, Computer Scientist, U.S. Army Combat Capabilities
Development Command Army Research Laboratory (http://www.arl.army.mil/)
began his career with the Army in 1990. He graduated from Towson University
with a bachelor of science in computer science in 1990 and a master of science
from Towson University in 2013. He is expected to earn his doctorate May 24,
2019. Smith holds professional certifications including, CISSP, CISA and CAP.
He can be reached at sidney.c.smith24.civ@mail.mil.
61

What to Pay for Cybersecurity Professionals?
The increase in salaries is more dramatic this year, as companies fight each other for talent
By Karl Sharman, Vice-President, BeecherMadden
With 16 states banning salary history information for future employers, salaries will more likely
dramatically increase. It is hard to benchmark your current offering if you are unable to ask what your
prospective employees are currently earning. There are great reasons why this law has been
implemented and it is obviously not unique to cybersecurity. What makes cybersecurity more greatly
affected, is the growing skills shortage in the industry. Organizations are having to pay more to attract
talent and there are limited ways for them to benchmark what they should offer.
At BeecherMadden, we have conducted salary reports for the past 5 years in the United States, which
show salaries increasing year on year. Candidates are achieving increases of over 25% on basic salary
alone for moving jobs. Staying in your role is far less lucrative with the majority achieving a rise of 10%
or lower. Alongside this interesting data is where people have moved to in that five-year period and where
the greater increases have been seen.
Regions such as Dallas, Charlotte and San Francisco have seen a dramatic increase in salary for
cybersecurity professionals. As an example, San Francisco has seen a rise of up to 33% in base salaries
within certain positions for professionals in the industry.
Specific job titles have also seen increases over the last 12 months due to the need and the apparent
lack of talent for example two areas stand out: Incident Response (IR) and Security Architecture. Both IR
& Security Architecture have seen an increase of 16% across North America in the last year.
The biggest salary increases have been within levels of positions, often seen as years of experience, as
many junior or entry level candidates have witnessed the greatest rise. These positions have seen a 33%
rise in salary within the last 12 months as many companies attempt to get talent at an earlier stage of the
professional’s career.
62

Locations, titles, skillsets and years of experience are a few of the factors that organizations need to be
aware of when budgeting for jobs, in fact understanding what motivates professionals into the move is
just as crucial. Cybersecurity is often seen as cost center, meaning budgets cannot always be increased.
Offering remote work or flexible working is a great start to attracting talent, that may be out of reach or
not affordable in other cases.
The war for cyber talent is here and will only get more challenging. The only way to compete against this
is through data. Every organization needs to fulfil their need through the right salaries, benefits and talent
mapping before they begin their search. This is why, benchmarking will allow organizations to fully
understand every area of attracting the best talent to give each one the best chance to recruit the best.
For BeecherMadden’s 2019 salary report or benchmarking, please email
karl.sharman@beechermadden.com
About the Author
Karl Sharman is a Cyber Security specialist recruiter & talent
advisor leading the US operations for BeecherMadden. After
graduating from University, he was a lead recruiter of talent for
football clubs including Crystal Palace, AFC Wimbledon &
Southampton FC. In his time, he produced and supported over £1
million worth of talent for football clubs before moving into Cyber
Security in 2017. In the cyber security industry, Karl has become
a contributor, writer and a podcast host alongside his full-time
recruitment focus. Karl can be reached online
at karl.sharman@beechermadden.com, on LinkedIn and at our
company website http://www.beechermadden.com
63

The Difference between Consumer and Enterprise VPNs
By Julian Weinberger, CISSP, Director of Systems Engineering for NCP engineering.
Data privacy scandals have fueled a rising interest in virtual private network (VPN) software among
consumers. Many people have adopted them for protecting their data at public Wi-Fi hotspots, or to
digitally encrypt their information against possible surveillance by governments or service providers when
traveling.
A wide range of consumer VPNs are now available for PCs, smartphones and other mobile devices.
According to GlobalWebIndex, 26% of consumers use VPNs to encrypt their data connections while
online. Unfortunately, there are plenty of hidden risks that users may not be aware of.
Due to security concerns, business often do not allow employees to use their own consumer VPNs for
work. Instead, businesses choose to implement a commercial, enterprise-grade VPN service for the
entire organization to use. This is really the only way to guarantee that confidential business information
is protected as it moves across the Internet.
To understand why consumer VPNs are ineffective for protecting corporate data, let’s take a look at five
common issues associated with consumer VPNs:
1. Data Leakage
A key motivation for acquiring a VPN is to encrypt Internet digital communications and render it
unintelligible to outsiders. Yet, coding and configuration errors in a small number of consumer systems
actually allow data to pass outside the encrypted tunnel, thus defeating the whole purpose.
Some consumer VPNs even monitor user traffic and have the ability to share it with third parties such as
advertisers, government departments and data brokers. Despite a company’s advertising promises to
respect user privacy, their legal policies hold no guarantees when it comes to protecting users.
64

2. Limited Scope
One of the main attractions of a VPN is to bypass local Internet censorship laws that may be applied
for television streaming services or for GDPR compliance reasons. By establishing an encrypted link to
a provider’s many VPN servers around the world, users hope to access content via an IP address outside
local restrictions.
A few consumer VPNs, however, mislead users with respect to their international credentials. Some may
claim to have hundreds of servers in many different countries when in fact they only have a relatively
small number grouped together in just a few areas. In this case, they adjust the routing data to make it
look like they are providing a service in one country when in reality it is happening somewhere else
entirely.
3. Fake Reviews
As the consumer end of the VPN market is very crowded, vendors are forced to compete for attention.
While positive reviews on third-party websites are prized, the authenticity may vary.
Oftentimes, independent websites have more in common with advertisements than honest evaluations
by independent journalists and are known to publish a five-star review in exchange for a small fee. This
makes it very difficult for the average consumer to get genuine, unbiased information to help them choose
between various solutions and providers.
4. Manual Log-in
In an ideal world, a VPN connection should be always-on, or at the very least activated with a simple click
or swipe. They should also support all of your devices (desktop, tablet, smartphone and TV) with the
same account.
Yet, some VPN solutions expect users to enter their log-ins every time they go online. This is not only
inconvenient, but also impractical as the majority of users tend to forget to turn on their VPNs.
5. Poor Privacy Protection
Privacy policies for VPNs at the consumer end of the market can fall way short of the standard multipage
documents that we associate with major software brands. In flagrant disregard for the law, some
consumer VPN providers have no privacy policy for people to view online at all.
Among those that do, a significant number choose to be circumspect about what they do with users’ data
and others do not back up advertising promises with commitments written into their policies.
65

Protecting Corporate Communications
Of course, there are some basic VPNs in the market that do exactly what they are supposed to
do. Businesses, however, have more complex needs.
Businesses are responsible for protecting their customers’ privacy and must stay compliant with data
protection laws. It’s simply too risky for companies to allow everyone to use their own personal choice of
VPN for remote connections when sharing company confidential information.
To guarantee secure data communications, employees must use an enterprise-grade VPN system
managed by IT support staff from a single, central point of control. A centrally managed professional VPN
service automatically encrypts all company data connections to protect customers’ personally identifiable
information (PII) and comply with privacy laws.
Overall, while consumer VPNs may be fine for protecting the privacy needs of individual consumers, the
fact that they are not all created equally with robust security features makes them unsuitable for use in a
business context.
About the Author
Julian Weinberger, CISSP, is Director of Systems Engineering
for NCP engineering. He has over 10 years of experience in the
networking and security industry, as well as expertise in SSL ‐
VPN, IPsec, PKI, and firewalls. Based in Mountain View, CA,
Julian is responsible for developing IT network security
solutions and business strategies for NCP.
NCP engineering can be emailed at info@ncp-e.com, followed
on Twitter at @NCP_engineering and reached online at
https://www.ncp-e.com/en/.
66

Making Actual Private Networks A Reality
By Brian Penny, Co-Owner, Encrypted Sensors
Virtual private networks (VPNs) have long been considered the bread-and-butter of enterprise security.
VPNs were designed to funnel all user traffic through an encrypted, secure, private network, making it
more difficult for a third party to monitor browsing than if the data were exposed on a public network.
However, VPNs are still vulnerable to intrusion, thanks to hackable software in which VPNs are placed.
Software-based VPNs a national security risk
Several notable security risks and flaws of software-based VPNs have come into light in recent months.
In April 2019, the Mueller report revealed that the Russian Intelligence Agency (GRU) in 2016 gained
access into the data, files and emails of the Democratic Congressional Campaign Committee (DCCC)
and Democratic National Committee (DNC), through the VPN which supported the organizations’ network
computers. The Mueller report, on page 38, cites:
“Approximately six days after first hacking into the DCCC network, on April 18, 2016, GRU officers
gained access to the DNC network via a virtual private network (VPN) connection between the DCCC
and DNC networks. Between April 18, 2016 and June 8, 2016, Unit 26165 compromised more than
30 computers on the DNC network, including the DNC mail server and shared file server.”
Around the same time when the Mueller report findings were revealed, the Cybersecurity and
Infrastructure Security Agency (CISA) of the Department of Homeland Security in April 2019 issued an
67

alert after CERT/CC revealed that several enterprise VPN apps built by four vendors — Cisco, Palo Alto
Networks, Pulse Secure and F5 Networks – contain a security bug that can allow an attacker to remotely
break into a company’s internal network. Scores of other VPNs may be affected, as well.
Considering these vulnerabilities, why risk the potential for intrusion and future hacking? A solution is
finally here.
The “Next Generation” of encryption systems
Cybersecurity company Encrypted Sensors is the first to program a quantum computer-proof encryption
onto a Field Programmable Gate Array (FPGA) hardware chip. Unlike the software-based VPNs, the
encryption is run on hardware and functions without any software controls or operating systems upon
which VPNs are based.
This non-algebraic encryption algorithm is considered by cybersecurity experts to be the next generation
encryption solution. Because the encryption is not based on math, it challenges the way computers
operate. Any computer trying to break it would have to decide what is - and isn’t - reality.
Encrypted Sensors has applied to trademark its encryption system as an actual private network
(APN).
“The security risks revealed in the Mueller report and elsewhere showcase one of the main
problems with virtual private networks,” said B.K. Fulton, an advisory board member of Encrypted
Sensors and a former vice president of Verizon Communications, Inc. “Because VPNs are softwarebased,
they can be tricked by software to allow access. In most cases, a simple password will allow
access. If government agencies and enterprises want to stop these kinds of security problems in the
future, they need to start using actual private networks. APNs highly disruptive, patented encryption
technology will further eliminate the anxiety over possible computer hacking.”
As an encryption system that is hardware-based, APNs function independently without any software
controls or operating systems. An attacker would have to physically gain control of the specific APN
hardware that is set up for the network.
Benefits of APN
Being programmed into an FPGA chip awards the APN encryption numerous benefits. The APN controls
the entire encryption environment. The APN encryption can run a lot faster, near real-time, compared
with other encryption systems. This allows for encrypted secure connections in new places like drones,
68

wearables and any sensor-type system. Running on a stand-alone FPGA chip, the encryption is already
configured thus greatly reducing potential user error.
The Solution Awaits
APN’s plug-and-play functionality with TCP/IP devices allows an end user to secure legacy systems
alongside newer technology. For example, voting machines all over the nation are at vastly different
stages of technological development. A machine from the 1990s that lacks interface with modern
networks is a giant welcome sign to hackers wanting access. Thus, having an APN always encrypting
every single bit going in and out of the machine creates a physical barrier from cyber intrusion.
About Encrypted Sensors
Founded in 2018 with headquarters in Richmond, Va., Encrypted Sensors is powered by a patented,
non-algebraic encryption algorithm that works at the bit level. Encrypted Sensors’ innovative approach
provides a proactive cyber security solution. For more information on Encrypted Sensors, including its
founding members and advisory board, please visit http://encryptedsensors.com/.
About the Author
Brian Penny is co-owner of Encrypted Sensors and
the inventor of its patented algorithm. As a musician
and sound engineer, Brian shares a passion for
sound design, which led him to tampering with clocks
to create unusual sounds. He combined binary word
lengths and clocks to create Encrypted Sensors.
Brian can be reached online at bripenny@gmail.com
and at the Encrypted Sensors website
http://encryptedsensors.com/.
69

Ways to Protect the System from Cyber Ransomware Attack
By Duncan Kingori, Ways to Protect the System from Cyber Ransomware Attack, Ottomatik.io
Ransomware is a common malicious malware that attacks a computer when least expected.
Cybercriminals spread ransomware and it holds your system hostage. It encrypts your data and the entire
system until a ransom is paid. Today, ransomware is a major problem for home and business system
users. Therefore, if you are not backing up your data using a reliable option like otttomatik.io, you are at
risk of a ransomware attack.
In the event of an attack, it can be hard to recover your data if you do not have a solid backup plan.
Therefore, it is always crucial that you employ a solid data backup plan for your systems. Remember,
70

there are many businesses that have not accessed their crucial information after paying a ransom. With
such, you need to protect your system from a cyber-ransomware attack by:
Having an updated antimalware tool
With advancements in technology, there are many advanced tools that you can use to protect your
system. They include McAfee Anti-Malware, Malwarebytes and other protection systems. They are
important, effective and they work best based on a wide range of computer systems. To get the most of
your antimalware tool, it is crucial that you define your needs and settle for the most ideal option.
Most importantly, ensure the tool you use is up to date. It should work across all ends within your cyber
business. This is because cybercriminals always devise new ways that can slip through all security
loopholes.
Similarly, it is crucial to have additional protection and security features for your system. This includes
firewalls, heuristics, and even behavior-based threat or malware prevention multi-faced cybersecurity
solutions. These provide a module that works against all ransomware in your operating system.
It is also vital that you back up your system offsite and locally. For example, the cloud helps to protect
your system from ransomware more effectively. Cloud introduces an extra protection layer to keep your
system safe all around.
Security awareness
https://phoenixnap.com/blog/wp-content/uploads/2018/11/facts-malware-attacks.png
It is imperative that you establish effective security awareness campaigns. Train your employees to
protect your business right from your vendor to your IT personnel. Some of the most important tips to
focus on include;
71

●
●
●
●
●
Not clicking on links and any attachments in an email without verifying the source.
Determine whether the link is related to the business.
Learn how to identify malicious emails by checking carefully on the sender's addresses.
Always have a backup plan in place and contact your IT team before opening or forwarding a
malicious mail.
Scan emails or any attachments before opening.
Remember, phishing is one of the most popular methods that cybercriminals use to attack with
ransomware. Therefore, it is important for employees to master the art of thinking twice before opening
a link.
Restrict ransomware
GPO restrictions play a major role in preventing malware attacks from getting installed in your system. It
has the immense ability to provide the best granular protection over file execution at an endpoint. This
means that it adds rules that helps to block malicious activities from running in your attachments.
You can also limit administrative rights on different endpoints. This may sound cultural and political
request, but it is an excellent way to keep your system safe. It reduces the privileges that could increase
the chances of attacks amongst your end users. What’s more, it helps to prevent activities such as
downloading movies and games by end users.
Patching
Patching is also another efficient way to protect your system from ransomware. Over the past years, it
has been widely exploited by third-party software including Adobe, Flash, and Java. Patching is reliable
because it works by preventing different types of malware from being successful.
Have a detection software
When running a cyber-system, you need to implement a solid detection software. Have the right IT
security methods and measures in place. It helps to detect any suspicious activities and malware and
prevents them from attacking or infecting your systems.
With these measures, data backup and security awareness are very crucial. This is because it is people
who usually present the biggest ransomware security attack.
72

About the Author
Duncan Kingori is the author of the Ottomatik.io.He has been in the writing
profession for a decade now. He has great experience writing informative
articles and his work has been appreciated and published in many popular
publications. His education background in communication and public
relations has given him a concrete base from which to approach different
topics in various niches.
Duncan can be reached online at
https://www.linkedin.com/in/danny-kariuki-31733374/
https://www.facebook.com/dunco.kingori
and at https://ottomatik.io/
73

The Dangers of Backdoor Software Vulnerabilities and How to
Mitigate Them
By Bob Flores, President and CEO of Applicology, and Former CTO of the Central
In the world of cyber espionage and nation-state hacking, backdoor software vulnerabilities are often
thought of as a cloak and dagger tactic. But the reality is that backdoors continue to grow in popularity
and present very real threats to organizations and governments around the world. As a matter of fact, for
industrial automation systems alone, Kaspersky recently reported that in the second half of 2018, 3.1
percent of all attacks blocked by its distributed antivirus network were backdoor attacks (double the
number from the first half of 2017). And, Malwarebytes reported a 173 percent increase in backdoor
detections in business between 2017 and 2018.
What is a backdoor? In the most traditional sense, a software backdoor is a way to bypass normal
authentication or encryption to gain access into a closed system. These can be created as a special
credential backdoor (for example, to give legitimate admin access), as an intentionally hidden backdoor
for a threat actor (for example, created by an insider to enable others to infiltrate an electric grid or steal
IP), or can be the result of sloppy software coding. Regardless, backdoors are security vulnerabilities that
can be used to access computer systems and the data they contain.
Unfortunately, we see these types of vulnerabilities and attacks littering today’s headlines. For example,
hackers (supposedly state-sponsored and tied to China) recently compromised ASUS and created
backdoor access to thousands of computers (dubbed ShadowHammer). Then there’s the WordPress
SMTP vulnerability that allowed hackers to create backdoor admin accounts, and the ongoing debate
over whether security risks in Huawei code was intentionally designed to create backdoors. And these
are just the vulnerabilities that are publicly disclosed (for example, what about the alleged Russia hack
that brought down electrical grids in Ukraine?).
74

Cyber security has always been hard, but in the past, there were limits to how you could insert backdoor
vulnerabilities into programs – initially you had to have some sort of insider. The investment this required
often meant nation states only went after high-profile targets. For example, Backdoor Regin, which was
an advanced malware believed to be used by nation-states back in 2014 for spying.
Unfortunately, as the complexity and scale of application development has advanced, and the
components and dependencies have expanded (open-source, software development kits (SDKs), and
more) the attack surface is significantly broader. What used to be an intensive, complex and highly
targeted exploit can now be done with much less effort. Couple this with the dramatic reduction in
compute and storage costs, and we’re seeing a rise in the “spray and pray” approach to backdoor
vulnerabilities. Or, to use another term: the “sit and wait” hack of third-party systems.
Federal agencies and banks are no longer alone as targets for nation-state attacks. Every business is a
potential target now, and depending on the type of backdoor, it’s no longer just state-sponsored hackers
that pose a threat.
To demonstrate just how prolific third-party source code is, a recent report from Synopsys scanned IoT
applications. On average, 77 percent of the codebase was shown to comprise open source components
(with an average of 677 vulnerabilities per application). This example highlights the trend of increased
reliance on third-party code from open-source library SDKs. As software evolves into an increasingly
complex mashup of code from siloed sources, as it relies more and more on microservices and cloud,
and as it is constantly updated by developers via continuous delivery models, it becomes harder and
harder to protect. When not audited properly, it can allow threat actors to more easily insert backdoors
or exploit hidden flaws in code.
Traditionally, reviewing code was a heavily manual one-dimensional process. But this approach is nearly
impossible today given the scale and complexity of software development. For example, you inherit the
dependencies of your dependencies. So, when a common open source library, such as Jacksondatabind,
repeatedly has deserialization vulnerabilities in it, you are at the mercy of your SDK vendors to
update and release as fast as possible to minimize your own exposure.
As a result, application development security solutions have emerged that allow teams to identify code
vulnerabilities. This capability is an invaluable first step in helping reduce backdoors that result from
sloppy code. That said, most of these solutions are incapable of understanding contextual vulnerabilities
(like the SDK in Twilio) or business logic vulnerabilities, which are defined as a way of using the legitimate
processing flow of an application in a way that results in a negative consequence to the organization.
This is an important distinction. A backdoor could be intentionally placed (not due to faulty code), or it
could be the result of a dependency on a third-party service or code base. Being able to identify that
contextual vulnerability or business logic flaw has historically been nearly impossible to automate.
Fortunately, we’re starting to see technology emerge that allows teams to overcome this issue in
application security testing. How does this work? At a high-level it involves allowing teams to map code
analysis to unique application requirements (essentially to make a unique query request and/or rule) and
automate the testing. Traditional tools use generic queries, security auditors, and reviewers, which result
in high false positives and negatives when testing. By misunderstanding the complex routes between
data sources and the ultimate goal of the application (or processes), the ability to be effective at scale is
75

eliminated. Just imagine working through false positives associated with pushing 10 or 20 updates a day
– it’s not going to happen.
The good news is that security innovation is continuing at a blistering pace. Application security testing
continues to be the fastest growing segment of information security (with 14 percent CAGR through
2021), and the market was projected by Gartner to hit $775 million by the end of 2018. As the pace of
software development quickens, it’s imperative that we raise the bar around security and increasingly
automate code auditing to help root out vulnerabilities like software backdoors. Ultimately, it’s going to
take tools that both deliver more automation and enable security and development teams to apply their
knowledge of the code. One such example is an emerging open-source project called Joern. If we can’t
modernize application security, organizations will increasingly find themselves the victim of attacks that
have crippling impacts on consumer confidence, market economies, or worse, international nation-state
conflicts.
About the Author
Bob Flores, President and CEO of Applicology.Bob Flores is a cyber
security expert and founder of Applicology, a security consulting firm. He
previously worked for the Central Intelligence Agency (CIA) for 30 years,
holding positions in the Directorate of Intelligence, Directorate of Support,
and the National Clandestine Services. He also served as the CTO of the
CIA for several years, and was awarded the CIA’s Distinguished Career
Intelligence Medal. Bob has a bachelors and masters degree in statistics
from Virginia Tech, and has done graduate studies at George
Washington University and the Kellogg School of Management at
Northwestern university. He can be reached through his company
website https://www.applicology.com/Home/contact-1
76

How Security Automation Mixed With an IT Culture Shift Can
Prevent Data Leakage from Misconfigured Servers
By Chris DeRamus, CTO, DivvyCloud
In 2018, misconfigured AWS S3 servers accounted for multiple data breaches across a wide span of
industries from companies including Voxox, Pocket iNet, Arik Air, and the Tea Party PAC. In 2019,
organizations continue to suffer breaches of millions of records, due mostly to misconfigure Elasticsearch
servers. Voipo lost 6.7 million documents containing call log information, 24 million banking and mortgage
documents from Ascension were compromised, a Dow Jones list of 2.4 million high profile individuals
was left publicly accessible, and Gearbest exposed over 1.5 million customers’ personally identifiable
information. These are just a small handful of companies that have suffered significant losses from
misconfigurations in the last few months alone.
The repercussions of data breaches are immense. While the majority of recently misconfigured
Elasticsearch servers have been discovered by white hat security researchers, servers that are exposed
for excessive periods of time can easily be found and exploited by cyber thieves as well. Suffering a data
breach, whether discovered by an ethical or malicious hacker can result in the loss of user trust, damage
to the company’s brand reputation, lawsuits or fines levied against the company from data privacy
regulations, decreased stock price, or even lower revenue.
With such potentially devastating consequences, one may wonder why so many companies continue to
allow misconfigurations and resulting data breaches to occur. A few primary factors contribute to
misconfigurations being so rampant.
First, enterprise cloud migration has been led by developers and engineers, not corporate IT teams.
These developers and engineers, eager to take advantage of the speed and flexibility the cloud offers,
can unknowingly put their company’s data at risk as they either have not been taught proper security
hygiene, or they bypass the appropriate protocols in the name of speed and innovation. Today, 3,000
people are actively deploying applications and making engineering changes to infrastructure and are
pushing production deployments on an hourly basis. These continuous integration and deployment
77

approaches lead to massive infrastructure, mixed with a large number of users, and changes happening
all at once. This, in turn, leads to loss of control and a self-service bypass that avoids the lessons learned
from IT in the traditional data centers.
Second, most companies still rely on manual configurations by people, and humans by nature, are prone
to error. The rate of change and the dynamic nature of software-defined infrastructure has outstripped
human capacity; and enterprises need to be able to deal with faults in real-time. If companies get a list of
a thousand problems, even with 100 people tasked with resolving them, problems either disappear,
move, or are replaced with even more significant issues. Enterprises need to be able to deal with faults
in real-time.
Lastly, it is very challenging for IT professionals, developers, and engineers to configure these powerful
services in a way that mitigates security and compliance risk. Many IT leaders and professionals make
the mistake of approaching security in the cloud the same way they approached security in a traditional
data center. Migration to the cloud has led to an explosion in resources yet the number of people
managing the security of those resources hasn’t increased.
To overcome these challenges and prevent misconfigurations and resulting data breaches, companies
must enforce a full cultural shift in their IT departments and adopt security automation. Automated cloud
security solutions give organizations the ability to detect misconfigurations and alert the appropriate
personnel to correct the issue, or even trigger automated remediation in real-time. Automation also grants
enterprises the ability to enforce policy, provide governance, impose compliance, and provide a
framework for the processes everyone in the organization should follow — all on a continuous, consistent
basis. As part of the adoption of automated security, organizations must change the culture of their IT
departments. Developers and engineers will need to learn to build and deploy applications within the
guardrails the company has provided. It’s also important to keep in mind that these misconfigurations are
fairly simply problems with potentially disastrous consequences. For example, a developer may have
tweaked the configuration of a resource, leaving it open to the public, and as the application began
working again, moved on to another project. Now they have an exposed Elasticsearch server. It may not
have even been the developer’s fault, as someone else may have altered the configurations at a later
date for any number of reasons. The point is, so many organizations are made vulnerable because a lot
of them don’t have processes that prevent insecure software deployments. The right automated solution
will ensure the end of the “wild, wild west” DevOps culture that has resulted in so many misconfigurations
and other security risks. This will allow companies to maintain the integrity of their technology stack, apply
the policies necessary to continue business operations, and enabled developers to remain agile and
innovative, without compromising security.
Automated cloud security solutions are able to detect misconfigurations that Voipo, Ascension, Gearbest,
and Dow Jones have all suffered. Proactive detection and remediation of these vulnerabilities likely would
have saved these companies from significant financial costs and damaged brand reputation resulting
from their data leaks. These solutions are essential to enforcing security policies and maintaining
compliance across the large-scale hybrid cloud infrastructures these organizations boast.
78

About the Author
Chris is the co-founder and CTO of DivvyCloud where he leads
the engineering teams while driving new innovation. Chris is a
technical pioneer whose passion is finding innovative and
elegant new ways to deliver security, compliance, and
governance to customers running at scale in hybrid cloud
environments. He keeps his hands dirty and spends much of his
time writing code and diving deeply into the latest technologies
and services being deployed by partners like Amazon, Microsoft,
Google, VMware, and OpenStack. Before co-founding
DivvyCloud, Chris was the Online Operations Manager at
Electronic Arts for the Mythic Studio where he helped design,
build and operate large scale cloud infrastructure spanning
public and private clouds to run Electronic Art’s largest online
games (including Warhammer Online: Wrath of Heroes and Warhammer Online: Age of Reckoning). He
started his career as a Network & System Administrator at the U.S. Department of Energy where he was
mandated with a broad array of technical responsibilities including security and compliance.
Chris earned his Bachelor of Business Administration in Computer Information Systems from James
Madison University.
Chris can be found on LinkedIn and at our company website https://divvycloud.com/
79

Three Cyber Attacks on the Rise According To New Research
By Marc Laliberte, Sr. Security Analyst, WatchGuard Technologies
Article text… Cyber security threats are continuously evolving as attackers constantly vary their methods
and tools to sidestep improved cyber defenses. To better understand this behavior, the WatchGuard
Threat Lab analyzes these changing trends in our quarterly Internet Security Report. Not surprising, in
Q4 2018 our team saw a mix of threats targeting organizations of all sizes. However, there were several
attack methods that stood out and are worth exploring in more detail.
Perhaps the biggest trend throughout the quarter was a rise in phishing attacks. Specifically, we tracked
two separate campaigns that made it into the most prolific and most widespread threat lists respectively.
Phishing – or using spoofed emails to trick victims as part of an attack – isn’t a new threat in and of itself.
Cyber criminals have been using phishing as a method to initiate some truly devastating attacks for years,
from the Target data breach to taking down Ukrainian power grids. But, this quarter highlighted two unique
types of phishing attacks that everyone should be aware of:
Your Dirty Little Secret – Sextortion
The first phishing attack was actually detected by a malware signature called Trojan.Phsihing.MH and
claimed the #2 overall rank by volume for the quarter’s threats. Despite the name, this particular attack
didn’t actually use a Trojan or any malware. This phishing campaign was actually a sextortion attack
designed to extort its victims out of hundreds of dollars using bogus claims.
In the email, the attacker clams to have infected the victim’s computer with malware several months prior.
The cyber-criminal states that he/she has been monitoring the victim for some time, including browsing
behavior and using the victim’s webcam. The attacker claims they will release all of the victim’s dirty
secrets to their friends and family unless they send $528 in bitcoin.
While on the surface, this type of phish may seem obviously fake, some of the variants we found used
tricks to add additional credibility. For example, the attacker spoofed the “From” address in the email to
make it look like they sent the message from the victim’s own account. To someone not versed in the
technicalities of email delivery this may seem like proof, but in reality, spoofing the “From” address in an
email message is incredibly easy.
Some other variants “prove” they have access to the victim’s computer by including one of the victim’s
passwords, taken from one of the many password breach databases available on the dark web. These
80

little extra additions could be enough to trick an unsuspecting victim into believing the authenticity of the
message.
Time to Cash in – Wells Fargo
The second phishing campaign showed up ranked 5th in our list of most widespread detections, meaning
it affected a large number of unique organizations. This attack masqueraded as a notification from Wells
Fargo bank, informing the victim that their contact information was updated, and prompting them to
download their “contact information file” to view the change or make additional updates. This is a common
method attackers use to trick victims into downloading malware into their computers.
Phishing remains one of the primary avenues for initiating an attack. End users are typically the weakest
link in any cyber defense. It isn’t entirely their fault either, many organizations still don’t set their end users
up for success with phishing and security awareness training. As phishes become more believable, antiphishing
training becomes even more important. Without training, most industries suffer from phishing
“click rates” between 20 and 30 percent, according to baseline tests from KnowBe4. Getting that number
down to single-digits can go a long way towards reducing your organization’s risk.
Crypto miners (Still) Reign…
Phishing wasn’t the only trend in Q4 2018. Cryptojackers or cryptocurrency-mining malware continued to
plague organizations throughout the quarter. Even though cryptocurrencies as a whole have plummeted
in value since their record highs in December 2017, cyber criminals haven’t backed off hijacking computer
resources to mine them.
Cryptojacking comes in a few different forms, JavaScript-based miners that run in a user’s browser, and
traditional malware applications that run on the victim’s operating system. We saw both show up across
malware detections during Q4. The #1 most widespread threat from the quarter was CoinHive, a popular
JavaScript-based cryptocurrency miner. CoinHive started out as a “legitimate” cryptominer for websites
to use as an alternative revenue stream, mining cryptocurrency in a visitor’s web browsers in place, or in
addition to, advertisements. Attackers quickly stole the idea, and much of the code, to inject into other
websites and earn coin for themselves.
CoinHive wasn’t the only cryptocurrency miner we saw during the quarter. A standalone cryptominer
malware payload showed up ranked #3 in the top attacks by volume. Additionally, Razy, a trojan with a
recently-added cryptomining module, stayed in the top ten for the second quarter in a row.
Attackers don’t care if an individual cryptojacker infection only earns them fractions of a cent per day. If
they can create a botnet of a few thousand infected hosts, the revenue can quickly add up. Cyber
criminals are getting better at hiding these attacks too. They’ve started throttling the amount of resources
their malware uses to make users less likely to notice an infection. This allows them to sit around for even
longer, turning stolen CPU cycles into cash.
81

In general, attackers are getting better at masking their tracks, which means organizations need to rely
on tools that can detect evasive threats. Signature-based anti-malware is no longer sufficient on its own.
The good news is, more advanced tools that use machine learning or behavioral analysis are available
to even the smallest organizations. By using the latest defensive tools, and ensuring employees are
properly trained, companies can ensure they are on the best footing to defend themselves against the
latest attack trends.
These were just a few of the most compelling threat trends from last quarter. Read the full report for more
information and best practices.
About the Author
Marc Laliberte is a Senior Security Analyst at WatchGuard Technologies.
Specializing in networking security protocols and Internet of Things
technologies, Marc’s day-to-day responsibilities include researching and
reporting on the latest information security threats and trends. He has
discovered, analyzed, responsibly disclosed and reported on numerous
security vulnerabilities in a variety of Internet of Things devices since joining
the WatchGuard team in 2012. With speaking appearances at industry
events including RSA and regular contributions to online IT, technology and
security publications, Marc is a thought leader who provides insightful
security guidance to all levels of IT personnel.
82

Cybersecurity Jobs in the Private vs. Public Sector
Which Is Right for You?
By Leo Taddeo, Chief Information Security Officer, Cyxtera
It’s a good time to be a cybersecurity professional. Private and public enterprises increasingly recognize
the need to manage cyber risk as part of their digital transformation, putting cybersecurity skills in high
demand.
Whether you’re thinking about moving from one sector to another, or just beginning a career in
cybersecurity, it’s important to know yourself and the environment you’re considering.
With the benefit of hindsight and decades of experience, it’s clear that job satisfaction and success is
determined in large part by how well your personal expectations and goals align with the culture, tempo,
and expectations of your future employer. While there are always exceptions to the rule, it’s important to
be familiar with the differences between working in the private sector versus the public.
As a hiring manager who has worked in both the private and public sectors, the following are a few
questions and personal insights to help security professionals make their best choice.
Do you desire a fast paced, agile work environment, or one that is highly structured and
Process-driven?
Most government IT positions are highly structured and process-driven. The average government IT job
is highly specialized, and in many ways repetitive. In the private sector, the responsibilities of a
cybersecurity professional are subject to change as business needs change, which also means you’re
more likely to work with the latest technology.
83

Do you have highly ambitious career plans?
The career trajectory for cybersecurity jobs in the public sector is very structured. Working harder in a
government job won’t necessarily get you promoted at the pace you expect. On the other hand, hard
work in the right job in the private sector often pays off. Private sector jobs are often results-driven and
offer faster progression up the corporate career ladder.
How important is job security to you and what is your risk tolerance?
Government shut-downs notwithstanding, public sector jobs tend to offer a higher degree of job security
than private-sector cybersecurity jobs, but with lower compensation. Cybersecurity professionals working
in the private sector tend to receive higher salaries, but also face a higher risk of job loss.
What are your qualifications?
When hiring cybersecurity professionals, the federal government looks for specific qualifications. These
commonly include a bachelor’s degree, applicable certifications, a background check, and polygraph and
drug tests. In most cases, you won’t get a second look without the minimum degree or certification.
Instead of specific degrees and certifications, many employers in the private sector emphasize technical
skills and references. In addition, many jobs in the private sector come by way of networking and
establishing your skills within a group of professionals. Employers in the private sector will also rely more
on recommendations from existing team members. Your reputation for work ethic and productivity can
make more of a difference in the private sector than in the government hiring process.
In Summary
Cybersecurity professionals most likely to have high job satisfaction in the private sector are those who…
• want a dynamic role that involves working with cutting-edge technology
• expect that hard and skills be closely tied to salary and promotions
• can tolerate the risk of a job loss in exchange for higher pay
Cybersecurity professionals most likely to have high job satisfaction in the public sector are those who…
• consider the satisfaction of public service to compensate for lower salary
• emphasize the value of job security
• are comfortable with pay and promotions tied to seniority and time in grade
Cybersecurity professionals face no shortage of career options. That’s all the more reason why time
should be taken to decide what you want out of a job and what you’re willing to put into it. Transitioning
84

successfully from a public to private sector job (or vice versa) isn’t impossible, but it does take some extra
effort. Making the right choice now will ensure job satisfaction over the long term.
About the Author
Leo Taddeo is responsible for oversight of Cyxtera’s global security
operations, investigations and intelligence programs, crisis
management, and business continuity processes. He provides deep
domain insight into the techniques, tactics and procedures used by
cybercriminals, to help Cyxtera continue to develop disruptive solutions
that enable customers to defend against advanced threats and breaches.
Taddeo is the former Special Agent in Charge of the Special
Operations/Cyber Division of the FBI’s New York Office. In this role, he
directed over 400 special agents and professional support personnel
conducting cyber investigations, surveillance operations, information
technology support, and crisis management. Previous responsibilities
focused on FBI international operations, including service as a Section
Chief in the International Operations Division, where he managed
operations in Africa, Asia, and the Middle East.Taddeo received a B.S. in applied physics in 1987 from
Rensselaer Polytechnic Institute. After completing his studies, Taddeo served as a tank officer in the US
Marine Corps. In 1991, he was awarded a Purple Heart and Bronze Star Medal for valor for his service
in the Gulf War. Following his service, Taddeo earned a J.D. from St. John’s University. Upon graduation,
he joined the law firm of Mound, Cotton & Wollan in New York, where he practiced in the field of civil
litigation until entering duty with the FBI. Taddeo is a graduate of the CISO Executive Program at
Carnegie Mellon University. He maintains the Certified Information Systems Security Professional
(CISSP) and GIAC Certified Incident Handler certifications.
85

Proxy vs. API CASB: An Overlooked Choice in Cloud Security
Choosing The Right Cabs Architecture Is Critical In Securing Your Company’s Data
By Katie Fritchen, Director of Content Marketing, ManagedMethods
The availability of cloud computing and SaaS applications have pushed us into a new era of computing.
These solutions have allowed teams to achieve greater efficiency and collaboration. They’ve also
enabled globally dispersed teams and unshackled us from traditional desk-jockeying.
Cloud computing, however, has also created unique challenges for data security, personal privacy and
the professionals responsible for securing IT infrastructures. For most organizations, cloud security is no
longer a luxury, it’s a necessity.
The cloud has effectively killed the perimeter. Without a perimeter, traditional cybersecurity solutions,
such as firewalls, are rendered nearly useless. A firewall is designed to prevent unauthorized access
(typically from the public internet) to a private network, but as companies move toward cloud computing
through the use of SaaS apps in the public cloud, data is no longer stored in the private network.
Why is Cloud Security Important?
Companies that moved to the cloud without evolving their IT security strategy lost the ability to control
access to sensitive data. Without proper security configurations and monitoring, information can be
improperly shared with the public. An account takeover can wreak havoc for weeks or months and
compliance restrictions go ignored.
Cybersecurity leaders need to shift their focus from defending the perimeter to protecting data itself. In
reality, this should have been the focus all along.
86

Cloud security evolved to solve these issues by providing functionalities such as automating data loss
prevention, 24/7 account monitoring and the ability to revoke access manually. The most important
questions now revolve around not if you need cloud security, but what type of CASB solution you should
choose.
Proxy CASB Architecture
To secure cloud access in the early years of cloud security, perimeter security technology was basically
repurposed and then lobbed up into the cloud. This partially explains the inclusion of the word “broker” in
the industry segment dubbed by Gartner as cloud access security broker.
A proxy-based CASB architecture fits more comfortably in the cloud access security broker term. A proxybased
CASB places a proxy, agent or broker (some use browser extensions and call themselves
“agentless”) between the user and the cloud application. On a basic level, the proxy checks for known
users and devices as they attempt to access the cloud resource and either approves or denies access.
The main benefit of a proxy CASB is that it provides a greater level of control over outgoing traffic and
can take security action in real time. The downside is that it significantly reduces network speed and
duplicates the functionality of your firewall without providing significant added protection. Further, both
Google and Microsoft, the most commonly used cloud applications, have published recommendations
against using proxy-based CASB technology for cloud security, mainly because they can’t guarantee that
third party technology will be able to keep up with continual updates in product technology.
API CASB Architecture
API-based CASB architecture was developed as an alternative solution to the drawbacks of using legacy
technology to solve a modern security problem. The API CASB security solution uses each cloud
application’s native APIs to secure access and data stored in the cloud. This approach creates a cloud
security solution that works almost as though it is a native function of the application.
The benefits of an API-based CASB solution are that it secures and monitors information within the cloud
application itself, rather than attempting to put up a perimeter. It also doesn’t have any impact on network
speed and is much easier to install and activate. Additionally, API-based CASBs provide a symbiotic
relationship with existing firewalls and gateways to create an additive, rather than a duplicative, security
layer. The main pitfall is that inspection and remediation don’t happen in real time, but rather when the
API hit is fired—usually within seconds.
Both CASB architecture types have benefits and pitfalls. Choosing the right one for your organization is
an important decision that is often overlooked. Understanding the differences between the two main types
of CASBs will help you determine which solution is best for your organization’s needs and budget.
87

About the Author
Katie Fritchen is the Director of Content Marketing at ManagedMethods,
the fastest growing cloud application security platform for SMBs,
educational and government institutions, and nonprofits. She is
passionate about creating educational content focusing on the issues
Information Security professionals face at the intersection of cloud
computing and data security. With ManagedMethods, organizations
gain data security from internal and external breaches, threat protection
from malware and phishing schemes, and full control over account
behavior. ManagedMethods is easy to use, affordable, and requires no
special training for administrators. Best of all, it has no impact on
network speed or end users. Katie can be reached online at
kfritchen@managedmethods.com and on Twitter @managedmethods.
88

Security for Your Holidays
Tips for the Holidays — Go in security!
By Pedro Tavares, Founder of CSIRT.UBI & Cyber Security Blog seguranca-informatica.pt
Holidays usually mark the absence of the office, but they are not a strong reason to leave the office
unorganized and much less to undervalue cybersecurity.
Nowadays, accessing professional email on the personal smartphone has become a daily practice of any
citizen, and more, many projects are closed through your smartphone. Summer holidays are therefore
the ideal time to implement some necessary procedures to avoid exposure or emerging threats.
Prepare now your pre-summer checklist and avoid undesired surprises.
89

Take care of your digital footprint
You are on holidays. Leave most of your devices at home and disconnected from the Internet. In this
way, you will not only have a small number of devices, fewer distractions, and so take advantage of the
good family moments. It also reduces the risk of losing any equipment and that your valuable information
falls into the hands of the wrong people, much less in the cybercriminals' tentacles.
Take your own power adapters
Connecting your devices to third-party adapters can generate vulnerabilities on your own device. For
example, the power adapter may exploit your smartphone in an attempt to install malware or steal
sensitive data that you are bringing on it.
Cyber thieves may install malware onto hotel lamps, airport kiosks and other public USB charging
stations. If you still wish to charge your device to a third-party adapter, turn it off at least before connect
it.
Stay updated and install security updates and patches
Make sure that the operating systems and applications on the devices you carry with you have up-todate
security updates. This measure could prevent known vulnerabilities from being exploited by
cybercriminals.
Install the updates and security patches before you start traveling!
Change your passwords
Are you going to wear the same toothbrush while on vacation? So why not also change some of your
passwords? At least the passwords of the systems and applications you use most regularly in your day
to day.
Do not make it easy to set a password. Remember a phrase, and choose the first letters of each word.
E.g., "Tomorrow about 12 o'clock I will be traveling!" Potential password: Ta1oIwbt!
Set a lock screen on your phone
Regardless of the devices you take with you, make sure that your screen is protected with a strong and
unique PIN or password, or one of the biometric authentication methods available, such as fingerprint
reader or facial recognition.
90

Sensitive or sensitive information - Use encryption
If you are traveling and do not need sensitive information, then do not take it with you. Use encryption
whenever necessary, e.g., encrypt your laptop's disk, this will add an extra protection layer if your
computer is stolen. Cybercriminals could not read your disk without first entering a password to decrypt
the entire disk.
Make backups
The loss of personal information stored on a laptop or smartphone can cause even more problems than
the loss of the device itself. So make sure that all of your important information is well stored in several
locations, preferably away from each other.
Be moderate
Leave geolocation disabled. Turn off the bluetooth on your smartphone, you probably will not need it and
it is a channel of infection that is constantly "wanted" by cybercriminals.
Moderation is extremely important. The cybersecurity of your home should also be taken into account.
Resist sharing on social networks you are away from home. Geolocation photos can be a lethal weapon
against you, and may expose you to a physical intrusion of your own home, compromising not only
devices and backups but other kind of material.
Have a great summer holiday in (cyber) security!
About the Author
Pedro Tavares is a cybersecurity professional and a
founding member and Pentester of CSIRT.UBI and the
founder of seguranca-informatica.pt. In recent years he
has invested in the field of information security, exploring
and analyzing a wide range of topics, such as pentesting
(Kali Linux), malware, hacking, cybersecurity, IoT and
security in computer networks. He is also a Freelance
Writer.
Segurança Informática blog: www.segurancainformatica.pt
LinkedIn: https://www.linkedin.com/in/sirpedrotavares
Contact me: ptavares@seguranca-informatica.pt
91

A Vision for Cybersecurity 2019
Relying on Actionable Intelligence to Thwart Emerging Cyber Threats
By Gene Yoo, Chief Executive Officer, Resecurity
Cyberspace has long been an incubator from which security threats arise, but more and more, it is the
incubator. And the conduit. And the arena in which security battles are fought. And it’s no longer merely
the domain of hacktivists and cybercriminals. Increasingly, the actors are state-sponsored, and the tools
and tradecraft in use are increasingly sophisticated. After land, sea, air and space, cyberspace has
become the fifth domain of warfare.
For all these reasons, cybersecurity has become much more important — and much more challenging
— than ever, and no organization, public, private or governmental, is too small or too large to be immune
from attack. Here’s what we’re up against:
• The Dark Web: The rapidly growing dark web is an ecosystem where threat actors collaborate,
exchange and monetize stolen data. It’s a place where threat actors offer cybercriminal services
and products, including new tradecraft for cyberespionage campaigns and targeted attacks
against enterprises and governments. It’s also a valuable source of data for nation-states actors,
who use it as a resource for recruiting other cybercriminals and acquiring new tradecraft for further
attacks.
• A Multitude of Motives: Cybercriminals seek opportunities to enrich themselves or their
organizations. Hacktivists launch attacks both to further geopolitical goals and because they enjoy
disruption. Government intelligence services or their mercenaries conduct cyberespionage and
cyber offensive operations on behalf of the states they serve.
92

• Evolving Tradecraft: Increasingly, the tradecraft ranges from the simple to the most
sophisticated. Hacktivists and cybercriminals routinely rely on a range of modified tools acquired
on the dark web while nation-state actors and their proxies may use unique, highly advanced
tools, including zero-day vulnerabilities and sophisticated implants that can deliver a malicious
payload without being detected.
• Accelerating Change: With new actors and new tradecraft continuously emerging, the threat
landscape is changing faster than ever. Even the targets and goals are evolving rapidly: Threat
actors are attacking targets of all sizes — to extort money, to steal intellectual property, to
penetrate into the supply chain, to cripple critical operations, even to exert leverage by threatening
the target’s customers.
An Intelligence-Driven Approach to Cybersecurity
In the face of a highly dynamic threat environment, all organizations — in the public, private and
governmental sectors — require a new approach to cybersecurity. We can combat the threats from
cyberspace, but doing so requires a more holistic and integrated response than we’ve seen in the past.
Two elements that have been missing include timely, high-quality cyber threat intelligence and the ability
to transform that intelligence — rapidly — into a stronger defensive posture.
Human, Contextualized Intelligence
Why start with threat intelligence? Because good threat intelligence is the key to helping an enterprise
minimize its risk profile. Too much of what passes for threat intelligence today is misleading and
speculative. Good threat intelligence goes beyond the raw data that has been culled by machines, even
those using well-designed AI tools. Good threat intelligence has been analyzed, validated and
contextualized by human intelligence professionals and threat hunting teams. The synergy between
operatively sourced high-quality intelligence with experienced security researchers enables an
organization to establish proper protection and mitigation measures.
Good threat intelligence will include technical, tactical and strategic intelligence that provides leadership
with finished information to facilitate decision-making and mitigate risk. Technical threat intelligence
includes everything from indicators of compromise (IOCs) and indicators of attack (IOAs) to details on
the latest tools, techniques and processes (TTPs). Tactical intelligence includes threat actor attribution,
tradecraft use details, and more. Strategic intelligence includes information of unique relevance to an
individual organization’s industry, geography, and digital footprint. Each type of intelligence must be
contextualized and actionable, as the time-to-live for some indicators is very short, though they still may
be valuable for threat identification. Good threat intelligence will also include input from domain experts,
who can take into account an organization’s geographies of operation, unique threat landscape, and
operational profile. Domain experts can make threat intelligence targeted, relevant and actionable for the
organization consuming this intelligence.
93

With quality threat intelligence, security professionals can connect the dots between seemingly disparate
artifacts and visualize a coherent picture of the true threat landscape. That’s a critical advance because
it’s easier to thwart the attack you know is coming than to respond after the attack is already underway.
Operationalized Intelligence
The second element that 21st century organizations will require is a way to work with the threat
intelligence — on technical, tactical and strategic levels. The age of “threat feeds” has passed. The
information they provided lacked context and quality, as anyone who tried to work with them quickly
discovered. The age of isolated endpoint agents and legacy anti-virus applications has also passed.
Focusing only on endpoint protection misses vital areas of vulnerability.
We need to view the enterprise as an ecosystem, one that changes dynamically and grows rapidly. That
ecosystem needs an integrated, enterprisewide platform of security tools that can ingest good threat
intelligence and then operationalize that intelligence properly throughout that ecosystem — including an
organization’s endpoints, networks, clouds, IoT devices, supply chains and more. This would enable the
organization to protect its people, data and processes — even its brand and reputation — from any
emerging cyber threat.
Stealing the Fight from the Bad Guys
Cybercriminals, nation-state agents and other threat actors will continue to appear at an accelerating
rate. New and updated tradecraft will continue to find its way into the markets of the dark web. If we
accept these realities and do nothing but hope that our existing technological defenses will hold, we
increase the likelihood that those who would attack us will eventually land a blow — one that could be
catastrophic.
High-quality threat intelligence, though, can help us stay ahead of the threats, give us advanced insight
about what threat actors are doing, and learn what tradecraft is gaining traction in the dark web. When
we have a mechanism enabling us to operationalize that intelligence throughout the enterprise, we can
adjust our defenses to provide optimal protection the moment we have insight into what could be coming.
In short, we steal the fight from the bad guys. That’s going to be the best way to ensure security going
forward. We need to be proactive. We need access to high-quality, human-vetted threat intelligence. We
need to be able to transform that intelligence into real and meaningful action. We’ll never be fully immune
to attacks emanating from cyberspace, but we can be very well prepared when they arrive.
94

About the Author
Gene Yoo is CEO at Resecurity, which provides endpoint
protection, risk management, and threat intelligence for large
enterprises and government agencies worldwide. He has more
than 25 years of experience in cybersecurity for some of the
world’s largest brand names, such as Warner Bros., Sony,
Computer Science Corporation, Coca-Cola Enterprise,
Capgemini, and Symantec. Most recently, he served as senior
vice president and head of information security for Los Angelesbased
City National Bank. He also served in an advisory role to
Phantom (acquired by Splunk), ProtectWise (acquired by
Verizon), Elastica (acquired by Blue Coat), and Vorstack
(acquired by ServiceNow).
For more information on Resecurity, please visit www.resecurity.com; follow the company blog at
https://resecurity.com/blog/ and on LinkedIn and Twitter.
95

Don’t Let a Data Breach Cost You $1.4 Billion
By Randy Reiter, CEO, Sql Power Tools
On May 13, 2019 Bank Info Security reported that Equifax’s 2017 data breach cost Equifax $1.4 billion
per their latest Security and Exchange Commission filings. The Equifax data breach exposed the
confidential data on 148 million individuals in the United States. That’s over half the adult population of
the United States.
How do Hackers gain access to the inside of the Security Perimeter?
Hackers and Rogue Insiders gain access to the inside of the Security Perimeter using Zero Day Attacks,
Phishing Emails, 3 rd Party Cyber Risks and Dev Ops Exploits. Once inside the Security Perimeter
Hackers can use SQL Injection Attacks or installed database utilities to steal confidential database data.
A Zero Day Attack is a Hacker favorite. A Zero Day Attack is the time between when a security
vulnerability in software is published by a software vendor and a security patch is applied by organizations
to prevent the security threat. How quickly do organizations apply security patches to application server,
browser, CRM, email, medical, military, payroll, reservation, web server, web application or other
production software? Semi-annually, quarterly, monthly or weekly? Based upon the nature of the security
patch, software to be upgraded, time for testing and deployment to production a software vulnerability can
be present in an organization for weeks or months. Meanwhile Hackers are aware of the Zero Day
vulnerability once it has been publically announced. Hackers will immediately attempt to exploit it to gain
inside access to the Security Perimeter and steal confidential database data.
How to Protect Confidential Database Data from Hackers or Rogue Insiders?
Confidential database data includes: credit card, tax ID, medical, social media, corporate, manufacturing,
law enforcement, defense, homeland security and public utility data. This data is almost always stored in
Cassandra, DB2, Informix, MongoDB, MariaDB, MySQL, Oracle, PostgreSQL, SAP Hana, SQL Server
96

and Sybase databases. Once inside the security perimeter commonly installed database utilities can be
used by Hackers to steal confidential database data.
Non-intrusive network sniffing can capture the normal database query/SQL activity from a network
tap/proxy server with no impact on the database server. This SQL activity is very predictable. Database
servers servicing 10,000 end-users process daily 2,000 to 10,000 unique query/SQL operations that run
millions of times a day. Advanced SQL Behavioral Analysis of the SQL activity can learn what the normal
database activity is.
Advanced SQL Behavioral Analysis of the Database Query or SQL Activity
Advanced SQL Behavioral Analysis of the real-time SQL activity from a network tap/proxy server allows
non-normal Hacker SQL activity to be immediately detected within a few milli seconds. The Hacker
database session can then be immediately terminated and the Security Team notified so that confidential
database data is not stolen.
Advanced SQL Behavioral Analysis of the query activity can go even further and learn the maximum
amount of data queried plus the IP addresses all queries were submitted from for each of the unique
query sent to a database. This type of data protection can detect never before observed query activity,
queries sent from never observed IP addresses and queries sending more data to an IP address than
the query has ever sent before. This allows real-time detection of Hackers and Rogue Insiders attempting
to steal confidential database data.
About the Author
Randy Reiter is the CEO of Sql Power Tools. He the architect of the
Database Cyber Security Guard product, a database data breach prevention
product for DB2, Informix, Microsoft SQL Server, MySQL, Oracle and
Sybase databases. He has a Master’s Degree in Computer Science and has
worked extensively over the past 25 years with real-time network sniffing and
database security. Randy can be reached online at rreiter@sqlpower.com or
at www.sqlpower.com/cyber-attacks.
97

The Digital Promised Land is Riddled with Risk
By Reuven Harrison, CTO and co-founder, Tufin
As technology continues to reshape business, organizations globally are embracing the digital age to
drive growth, operate more efficiently and advance above the competition. Ask any C-level executive
today what initiatives are top of mind this year, and their response will most likely include, ‘digital
transformation.’ In fact, a recent survey from AppDirect shows that nearly 80% of companies are in the
process of digital transformation.
While enterprises march towards the digital promised land of efficiency and agility, they also find
themselves wandering into a territory riddled with risk. With digital transformation comes the advent of
DevOps, the cloud, containers and more – and while keeping pace with the latest technologies and
approaches is important for agility, so is remaining secure amidst constant change.
Managing the evolving network in the age of digital transformation can no longer rely on outdated and
manual processes. With organizations on track to continue their digital journeys, your IT teams must turn
to automation to keep up with the pace of business. In order to ensure hybrid networks remain secure
and compliant through this constant change, enterprises should take a security policy-based approach
to automating firewall, policy and application changes. A focus on security policy provides the foundation
for organizations to automate network and application changes and ensure hybrid networks remain
secure and compliant.
There are three elements of digital transformation that highlight the need for policy-based automation:
Fast Is Not Fast Enough
In today’s software-driven world, speedy and agile development is one of the most important
functions at an organization. Unfortunately, because of its manual and often cumbersome
processes, IT security teams are sometimes seen as roadblocks to DevOps teams. While
98

developers surely want to know that their apps are secure, they also don’t want security to slow
business down or get in the way of rolling out new features. Automation of security policy as part
of the CI/CD process can ensure both teams are successful and happy as it operates in the
background, effectively embedding policy changes into the automation pipeline.
The Rise of Cloud, Containers and Microservices
The advent of cloud, containers, microservices have enabled rapid deployments and scalability
as they are lightweight, faster, more portable and more scalable. However, with speed comes
consequences, and according to the Cloud Security Spotlight report by Alert Logic, 62% of
cybersecurity and IT professionals name misconfiguration of cloud platforms as the single biggest
threat to cloud security. By eliminating error-prone manual processes through the automation of
security policy changes, organizations can proactively detect and correct security issues before
they get into production to ultimately avoid a damaging breach.
Too Much Work, Too Few Resources, Never Enough Time
While networks become more complex and change requests increase, the number of skilled
security professionals across the industry decreases, making it nearly impossible for security
teams to keep up with business demand. As a force-multiplier, the automation of security policy
changes alleviates the manual and tedious tasks that take up time and resources so that IT teams
can focus on more important tasks – all without sacrificing security.
As long as digital transformation continues on, the need for policy-based automation grows. If your
organization is looking to embrace the fast new digital age, there’s no better time to begin implementing
security policy-based automation.
About the Author
Reuven Harrison is CTO and Co-Founder of Tufin. He led all development efforts
during the company’s initial fast-paced growth period, and is focused on Tufin’s
product leadership. Reuven is responsible for the company’s future vision, product
innovation and market strategy. Under Reuven’s leadership, Tufin’s products have
received numerous technology awards and wide industry recognition. Reuven brings
more than 20 years of software development experience, holding two key senior
developer positions at Check Point Software, as well other key positions at Capsule
Technologies and ECS. He received a Bachelor's degree in Mathematics and
Philosophy from Tel Aviv University. Reuven can be reached through Twitter
(@reuvenharrison), LinkedIn, and at Tufin’s website http://www.tufin.com.
99

Mitigating the Risks of Multi-Cloud
By Claude Schuck, regional head, Middle East at Veeam
The ways businesses leverage cloud to manage and maximise the value of their data continue to evolve.
The years when adopting cloud-based solutions felt like the first step into some brave new world may be
behind us, but with every new cloud-consumption model comes new questions. Multi-cloud, the current
variation of cloud deployment, is attracting attention, questions and scepticism from businesses.
Whereas a hybrid cloud is a single entity, an amalgamation of a private cloud with public cloud
environments, multi-cloud simply includes multiple clouds. It is a nod towards the fact that businesses
are increasingly using different clouds for different purposes. In today’s digital economy, 81% of
enterprises are embracing a multi-cloud strategy.
It is common for the IT industry to promote the idea of a one-stop shop model – a single point of failure
– to avoid the perceived inefficiency and confusion of dealing with multiple vendors and cloud service
providers (CSPs). Data is now described as the oil of the digital economy, a company’s most valuable
resource, so as businesses demand an infrastructure which maximises the potential value of that data,
IT departments are under pressure to deliver.
For example, a business may wish to store data from its fastest growing business unit in Google Cloud
for scalability at relatively low expense but use AWS for its R&D databases to enjoy the benefits of AI
and voice-assisted search. Whereas previously the only viable decision for the business would have been
to make a judgment call based on its priority needs and budget constraints, the best strategic option is
now to adopt a multi-cloud approach.
100

Data-driven transformation
There is a movement from organisations to become more data-driven, with business leaders recognising
the importance of data in both high-level business strategy and operational decision-making.
Furthermore, consumers and employees are beginning to appreciate the true value of their data, which
means businesses must ensure that the people who share data with them see the value in doing so
through receiving more personalised experiences. People want to know that their data is protected and
is secure, but they also want greater transparency about what it is being used for.
Creating this data-driven culture is underpinned by continuous digital transformation – embracing the
latest and greatest technologies which allow the business to repeatedly lift its performance levels.
According to Gartner’s 2018 CIO Agenda report, making progress towards becoming a digital business
is a top priority for CIOs – and the proliferation towards multi-cloud reflects this trend.
Despite this, the latest Veeam Availability Report reveals that two thirds of senior IT leaders admit their
digital transformation has been held back by unplanned downtime. And successful multi-cloud
deployments depend on the availability of all apps and data, at all times. So, businesses looking to take
advantage of multi-cloud environments must ensure that their apps and data are always available – and
that their culture of data-driven decision-making is fully supported to maintain customer confidence and
brand reputation.
Availability in the multi-cloud
The complexity of maintaining availability within a multi-cloud environment is the reliance on multiple
CSPs. While all major vendors and CSPs will make backup and disaster recovery (DR) solutions available
to their customers, each provider has different protocols, service level agreements (SLAs) and
capabilities; and the last thing any business wants to hear when disaster strikes is that they are not
adequately protected or that recovery has failed. While no business, regardless of whether it is using
multi-cloud or not, can guarantee that it will never experience unplanned downtime, every business can
ensure that it is prepared for this possibility.
Therefore, businesses opting for multi-cloud need to ensure that they have an availability solution which
sits cross their entire cloud provision, making cloud data protection easy with a seamless process for
sending data offsite to the cloud. As well as a reliable backup and DR solution which is interoperable with
all major CSP solutions, the platform should provide businesses with full visibility of data availability
across their entire multi-cloud infrastructure.
For businesses using multi-cloud to power their digital transformation in the bid to establish a more datadriven
culture across the organization, data is akin to running water – a utility which all rely on and must
be available at all times. Businesses embracing multi-cloud should not be put off by the prospect of
working with multiple vendors as certain software-based platforms can give the peace of mind and a
turnkey solution to minimizing downtime.
101

About the Author
Claude is an ICT industry veteran with over 22 years of experience in various
roles including account manager, sales manager, channel manager and PC
engineer in companies like Dell, EMC and HP.
Claude can be reached online at (Claude.Schuck@veeam.com) and at our
company website https://www.veeam.com
102

Is Your Business Cyber Resilient?
By Philip S. Renaud, II, MS, CPCU, Executive Director, the Risk Institute
Malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016, according
to a recent report from the White House. When it comes to cyber risk, effective risk management can
mean the difference between achieving prosperous growth and bankruptcy.
Research from The Risk Institute, a research center at The Ohio State University, found 28 percent of
financial, non-financial, public and private firms have been victims of a cyber-attack. Thirty-three percent
of firms don’t think that they are at risk of a cyber-attack.
The firms who choose to turn a blind-eye to the risks of a cyber-attack are doing themselves and their
companies a disservice. The risk is enormous: cyber-attacks can shut down industrial facilities, utilities
and infrastructure systems, interfere with military operations and compromise national security, yet firms
according to our survey are continually decreasing their risk management units. The growing
dependence on cyber networks means a cyber-attack is one of few threats that can have truly national
implications.
In 2018, a cyber-attack is not an “if” scenario. It’s a “when”.
Leaders in all industries need to understand the implications of security breaches and how to prepare
before a crisis. Cyber defense will continue to be a major task for companies. According to the Risk
Institute research, 65 percent of companies feel that they are somewhat or extremely vulnerable to a
cyber-attack, and 28 percent acknowledge being a victim of one. A 2017 national survey from Nationwide
Insurance found nearly half of businesses have been the victims of cyber-attacks.
So in the face of overwhelming odds that your company will be the victim of a cyber-attack, what’s the
answer?
103

Resilience.
Resilience is the capacity of an enterprise to survive, adapt and grow in the face of turbulent change.
Resilience means improving the adaptability of cyber networks, collaborating with stakeholders and
leveraging information technology to assure continuity, even in the face of catastrophic disruptions.
Resilience goes beyond mitigating risk; it enables a business to gain competitive advantage by learning
how to deal with disruptions more effectively than its competitors and possibly even using those
disruptions to its advantage.
Resilient systems don’t fail in the face of disturbances; rather, they adapt.
In order for a business to become resilient they don’t necessarily need fancy software or consultants to
get started. Businesses often just need to use the resources at hand to implement business continuity
planning and then test that plan through crisis and/or business simulation exercises.
Business continuity planning is a building block of enterprise risk management, but it’s often overlooked
because of its perceived simplicity. The core components of business continuity are prevention,
response, resumption and recovery. Prevention means protecting corporate assets and managing risk
before a crisis. Once a crisis occurs, the business response is to manage the incident while protecting
life and property and working to resume time-sensitive operations as soon as possible. Once essential
operations are back up and running, the business should work on recovering other operations, while
repairing and restoring facilities and contents.
Once the business continuity plan is in place, it is vital for a company to test the plan through a crisis
simulation. The crisis simulation can be as simple as a tabletop exercise with representatives from each
business function working through a scenario using the business continuity plan as the map to the
solution. These exercises are typically multi-day events that stress-test the firm’s business impact
analysis.
In addition to the business continuity plan and crisis simulation, a company can show its commitment to
resilience by investing in predictive analytics. Predictive analytics is one of the most exciting
developments for enterprise risk management over the last decade; it allows a business to be more
resilient and adapt faster during a crisis, especially a cyber-attack, by determining the probability of future
outcomes and allowing a firm to create a plan ahead of time.
And yet 55 percent of firms do not utilize predictive analytics, and those that do have only been using
them for the last two years.
It is evident there is a lot of room for businesses to become more resilient to a cyber-attack. Building
resilience is not a one-and-done corporate objective — it’s an ongoing process that enables companies
to embrace change in a turbulent and complex business environment by expanding their portfolio of
capabilities.
104

At The Risk Institute, we help corporations prepare for risk — before problems become a million dollar
setback. The Risk Institute at The Ohio State University’s Fisher College of Business exists to bridge the
gap between academia and corporate America. By combining the latest research with the real-world
expertise of America’s most forward-thinking companies, the Risk Institute isn’t just reporting risk
management’s current trends — it’s creating tomorrow’s best practices.
About the Author
Phil Renaud Headshot: Linked.Phil Renaud, Executive
Director of The Risk Institute
Phil Renaud joined The Risk Institute from Risk
International, where he served as a managing director
and led the Columbus offices. With more than 25 years of
experience creating and managing several large multilocation,
international risk management departments, he
has extensive expertise in the practice of risk
management, direct insurance, and safety and health. In
addition to his position at Risk International, Renaud
managed risk programs at Deutsche Post/DHL (Supply Chain), Kmart Corporation, Limited Brands, Inc.
(L Brands) and, prior to that, SCOA Industries Inc. (Shoe Corporations of America). He is a regular
speaker at various national, regional and local risk management forums. He also serves on the Board of
Directors for the National Kidney Foundation of Ohio, Kentucky, Middle and Eastern Tennessee and
board chairman for Central Ohio, serves on the board for the Make-A-Wish Foundation of Ohio, Kentucky
and Indiana and on the Foundation Board for the Knox Community Hospital in Knox County, Ohio, and
is the Board Director for Columbus Humane.
Phil can be reached online at renaud.19@osu.edu and at our company website fisher.osu.edu/risk
105

You’re Guide to Encrypting Files in Linux
If your organization is one of the many that uses Linux operating systems to run key business processes,
it’s important to implement the tried-and-true, successfully tested Linux security practices that support
critical files from point A to point B, as they transfer from one system to another. One requirement that
tends to pop up more frequently for Linux users is file encryption. Linux files must be encrypted
seamlessly and quickly in order to prevent critical business data from being at risk while traveling to
external networks, trading partners, or a cloud environment.
The good news is, there are several worthwhile encryption solutions that work well for Linux which are
currently in the marketplace. Any of these options will do the trick and sufficiently secure important
documents, all without taking up too many resources or costing a fortune. Let’s explore the three most
popular encryption technologies available for Linux files.
The Best Options
When it comes to protecting sensitive files at rest, Open PGP, GPG, ZIP, and AES are the top contenders
out of the various options accessible. Read on to explore how each one operates and determine which
method might be the best option for your organization’s encryption needs.
PGP File Encryption & Open PGP
The best place for Linux users to start when it comes to file encryption is with PGP. Open PGP is currently
what’s known as the standard which vendors must follow when delivering PGP-encryption features. PGP
file encryption uses asymmetric cryptography, or public PGP keys, to ensure data authentication, as well
as help organizations deal with non-repudiation by allowing recipients to “sign” received files with an
embedded PGP signature.
106

Most Open PGP solutions on the market offer logging, alongside PGP, for encryption activity. This allows
for your encryption processes to be tracked for auditing and successfully follow any regulatory or industry
requirements your company must comply with. Workflows, one of the robust automation features offered
in GoAnywhere Managed File Transfer, can additionally be defined on Linux systems to ensure automatic
file encryption and streamline data movement.
GnuPG Encryption
GnuPG (aka GPG) is open-source alternative to PGP encryption software. It is virtually identical to PGP
and Open PGP tools and because it’s open source, it’s supported by a community and can be changed
or developed to your liking.
GPG is free and defined by the Open PGP standard. It is frequently used on Linux systems and can also
open and decrypt files that have been encrypted by PGP software if your trading partners or third-party
vendors us an Open PGP solution.
GZIP and ZIP with AES Data Encryption
You may be able to automate the zipping and unzipping of files that use ZIP and GZIP standards
depending on the solution you choose for encryption. This means that when a file transfer is sent or
retrieved from a partner, your sensitive Linux files will be automatically encrypted or decrypted without
manual intervention.
A product like GoAnywhere MFT can create a ZIP file to package, compress, and encrypt multiple files
before a file transfer. ZIP files for Linux can not only reduce disk space, but they can minimize the time it
takes to transfer a file, as well as keep related files in a singular location for easy organization. ZIP files
can also be password protected. To add an extra layer of security, Advanced Encryption Standard (AES)
can be used symmetrically as a form of encryption, in which one password can be used to zip and unzip
the file(s).
Choosing a Solution
Deciding what solution is right for your Linux file encryption needs comes with plenty of different factors,
typically relying heavily on your business and compliance requirements.
With the significant array of vendors in the marketplace today, it might be worth asking yourself these
questions first, before you decide on the best way to secure and protect your data:
1. How much budget do you have?
2. What other features could you benefit from?
3. Do you need to maintain compliance with regulatory or industry requirements?
4. How many files do you need encrypt a week?
107

5. Is this a short-term project? Or is this a permanent solution?
6. Do you handle or process sensitive information, like personal data, PHI, or card information?
Care to learn more about how you can improve the security and efficiency of your file transfers? Take a
look at our on-demand webinar for some great insight: How to Improve Security & Efficiency for Your File
Transfers.
Source: HelpSystems
108

Network Security Using Honeypots and Deception Technologies
By Milica D. Djekic
The private computers as well as computer’s networks are the assets that could get equally used in the
everyday life and business environment, so far. So many of these systems would deal with the
confidential and valuable data, files, folders and applications and there would be the strong need to
assure those devices. Also, the emerging technologies would bring the connected objects that would
show the tendency to get secured as well. Well, the highest priority in such a matter is to think a bit about
the both – device and network security. As it’s well-known, the IT infrastructure could get protected relying
on passive and active techniques of defense. Some people would believe that it’s enough to get some
anti-malware software being installed on your machine, but that’s not sufficient at all. That’s only the
preventive measure and additionally – we should think hard about the monitoring and incident response
being the active ways of security. Also, there would be so many methods to track the hacker’s behavior
or investigate any cyber incident using the well-known cyber security assessment and auditing
methodologies. So, would there be the way to secure your computer or the entire network using any kind
of intelligent defense? It’s well-known that the bees like anything being sweet and especially the honey.
In other words, if you offer the honey to your bees they would not sting you and they would rather get
pleased and simply stick with such a sweet meal. The similar situation is with the cyber defense. The
hackers could get assumed as the bees that got the capacity to attack, but they could also get lured with
some delicious portion of feed. The aim of this article is to explain a bit how such an approach could get
applied in cyber security and why the good portion of honey could get the best way to protect from those
insects’ attacks.
109

What are the honeypots and honeynets?
The honeypots are the computer that are as any other computing units which purpose is to attract the
hackers to leave their trace within them. On the other hand, the honeynets are the computer’s networks
which are similar to any computing network and they also serve as the network security weapon. The
both – honeypots and honeynets – are only the trap to the cybercrime individuals who would want to
exploit the vulnerabilities of some infrastructure. Those assets would use the files, folders and
applications as any other similar assets and their purpose would be to catch the hackers into such a grid
and make them demonstrate some sort of malicious behavior. The honeypots could be the part of some
computing network that would use the other computers serving – let’s say – for the business purposes.
No one can guarantee that the hackers would simply fall into such a trap, but if you find the way to drag
their attention to those IP addresses you would undoubtedly get the chance to trick them and once you
get them – you would become familiar with their tactics and strategies. The fact is you need to be the
claver strategist who would make the perfect plans how to lure the cyber criminals to such a trap.
Deception technologies in cyber security
As it’s well-known, the hacker’s community would make a deep dig on the internet in order to find the
information about some well-protected IT systems. They would feel such a task as the challenge and
they would be proud on themselves once they discover some confidential IP address. There are so many
phishing and scamming tactics that would get widely applied by the cybercrime underground and the bad
guys would enjoy dealing in such a fashion. The cybercrime professionals would see the financial
advantage as the main motive to commit the cybercrime and they could work for some transnational
crime and terrorist organizations. The Darknet is the deep web spot being full of those sorts of people
and the cyber criminals would so generously offer their service to anyone being willing to pay for so. On
the other hand, so skillful defense professionals would count on some kind of deception techniques and
technologies in order to trick the hackers to choose the honeypots machines as their ultimate destination.
For instance, if you publish on the web some IP addresses suggesting they are so confidential and no
one should even try to cope with them – that could be the smart way to attract the bad guys to taste the
good portion of honey.
How active defense works and why it matters
The active defense is the method of dealing with the hackers who have made the breach to some cyber
environment and the good tactics would suggest to try to follow the hacker’s behavior in the cyberspace
in order to make them being delusional about what it’s happening for real. Even the honeypots could get
assumed as the helpful active defense weapons for a reason they would definitely fool anyone to try to
do anything he wants to attempt leaving the trace about his activities. The real advantage of such an
approach is that if you adopt such techniques you would clearly get an opportunity to deeply understand
the criminal behavior and even get into the cyber criminal’s mind getting in position to predict any further
step in such an offense.
110

The link between network security and digital forensics
The honeypots could serve to protect some critical and business assets, but they can also get applied
for research, prevention, detection and incident response needs. The ways to play with the honeypots
systems could be so numerous and once you catch someone getting into your honeypots trap – you
could try to investigate such an incident. For such a purpose, so many cyber professionals and experts
would recommend the forensics analyses and the entire teams of forensics detectives could get invoked
to conduct such an investigation in order to collect the findings and evidence. Next, those folks would
reconstruct what has happened at the crime scene and skillfully report about everything they have figured
out about that incident.
The next generation cyber defense approaches
The main question here is what we could expect in the future in terms of honeypots and deception
technologies. Well, such a question literally can open the Pandora’s Box and offer us so many
suggestions. In our opinion, we can expect the more sophisticated methods of those techniques and
methodologies, so we believe the strategists of the coming times could get much wiser and a bit smarter,
so far. In such a manner, we mean that the luring tactics could get better developed and the entire
honeypots and honeynets systems could become much more covered and protected. The point is to trick
the hackers in such a sense to make them hardly recognize they are in the trap. We believe that anyone
could get sooner or later that he got delusional, but let make him getting so far more lately. That’s the
good challenge for a tomorrow, isn’t it?
About The Author
Milica D. Djekic is an Independent Researcher from Subotica,
Republic of Serbia. She received her engineering background from
the Faculty of Mechanical Engineering, University of Belgrade. She
writes for some domestic and overseas presses and she is also the
author of the book “The Internet of Things: Concept, Applications and
Security” being published in 2017 with the Lambert Academic
Publishing. Milica is also a speaker with the BrightTALK expert’s
channel and Cyber Security Summit Europe being held in 2016 as
well as CyberCentral Summit 2019 being one of the most exclusive
cyber defense events in Europe. She is the member of an ASIS
International since 2017 and contributor to the Australian Cyber
Security Magazine since 2018. Milica's research efforts are
recognized with Computer Emergency Response Team for the
European Union (CERT-EU). Her fields of interests are cyber defense, technology and business. Milica
is a person with disability.
111

4 Signs Your Organization Is a Good Cyber Attack Target, And
What to Do About It
By Nathan Burke, CMO, Axonius
By now we’re all well aware of the transformative technologies accelerating across the enterprise today.
Trends like cloud, virtualization, BYOD, work-from-home, mobile devices, and IoT have completely
transformed the way we work. However, in the process it removed the perimeter from the security picture,
creating a massive, distributed attack surface.
As a result, organizations are under a continual onslaught of cyber attacks leading to well-publicized data
breaches. As their security defenses become more sophisticated, attackers will become increasingly
opportunistic, looking to exploit lapses in IT environments.
This is especially true for organizations with complex IT environments. In 2019, companies that exhibit
the following four characteristics are most likely prime targets for attackers:
1. Proximity to Value: Whether it’s money or data, organizations that store valuable information will
be targets. Banks are an obvious target since they are just one step away from actual dollars.
However, organizations that store personal data (such as identity) to open a credit card or bank
account need to be on guard.
2. Centralized Data: Companies that centrally store valuable information will be attractive targets
to attackers. Taking the Marriott breach as an example, it was far easier for the attackers to obtain
500M records from the hotel’s centralized reservation database than it would have been to go
after individual franchise networks.
3. Heavy Reliance on third-parties: As we saw during the Target breach, the more organizations
rely on third-parties, ecosystem providers and supply chain players, the higher risk of a breach
that is outside of the organization’s control.
112

4. Cloud and Speed: Companies that prioritize speed and convenience over adhering to security
best practices to ensure all of their cloud instances are covered will be prime targets for costly
data breaches.
So how can these types of organizations best shore up their security postures?
If you can identify with any of the above characteristics, the best course of action is to identify weaknesses
and address the security fundamentals. Here are a few steps:
1. Understand What Assets You Have
You can only secure what you can see, and until you know which assets are in your environment, it’s
impossible to know whether those devices are satisfactorily secure. Understanding your inventory of
laptops, desktops, servers, VMs, mobile devices, IoT devices, and cloud instances sounds simple, but
organizations have a remarkably difficult time doing this. The first step should be establishing an ongoing
device discovery, classification and inventory process to help you keep track.
2. Distinguish Between Managed and Unmanaged Assets
In any environment, assets can be split into two distinct categories: known/managed and
unknown/unmanaged. Managed assets are known to security management systems (think endpoint
agents and Active Directory.) Meanwhile, unmanaged devices may be known to the network, but do not
have any security solutions installed so you aren’t able to access its risk profile. Both types of devices
are important but should be treated differently.
For example, a smart TV in a conference room is different from the CEO’s laptop. While the Smart TV
doesn’t need an endpoint security solution or isn’t part of a patch schedule, the laptop does. Creating a
process to identify and take action based on asset classification is critical.
3. Address the Gaps in Security
Every organization has devices that are missing security solution coverage, whether it’s iPhones without
Mobile Device Management, or AWS instances not known to a VA scanner. Addressing these gaps in
an ongoing basis is necessary, especially given the dynamic and elastic nature of these assets.
By following through on Steps 1 and 2, you’ll be in a position to know all of the assets and their type in
your environment, making it easier to identify where security holes are and how to best close those gaps.
4. Establish Ongoing User Access Auditing
For large organizations especially, keeping track of user permissions can be difficult. Are there users in
your environment with local administrative access to all machines? Users with passwords that are not
required or set to expire? Service accounts with keys to the kingdom? Even with strict access controls
and regular policies, creating an ongoing auditing process is needed to ensure proper access rights.
5. Implement Security Policy Validation
The biggest question left to ask is this: How can I be sure that my security policies are being adhered to
continuously? Whether you mandate that all assets must be scanned weekly, or you’ve determined that
113

all Windows machines must have a specific endpoint agent, any security policy on paper is only as good
as it is enforced and validated in reality.
Implementing a security policy validation process is the only way to make sure that nothing is being
missed and that exceptions are being addressed and fixed instead of being exploited.
A Basic Framework
Putting solutions and technologies aside, cybersecurity is a discipline centered around understanding,
addressing, and minimizing risk. Until you have a credible, comprehensive understanding of your
environment and are able to understand where coverage gaps exist, you’re at a disadvantage to those
looking for a simple way in. With an understanding of all assets, gaps in security coverage, and the ability
to see where the security policy is not being adhered to, organizations are in the best possible position
to minimize their attack risk.
About the Author
Nathan Burke is the Chief Marketing Officer at Axonius.
Passionate about bringing new technologies to market to
solve real problems, he has held marketing leadership roles at
Hexadite (acquired by Microsoft), Intralinks (acquired by
Synchronoss), MineralTree, CloudLock (acquired by Cisco),
and is a frequent speaker and contributing author on topics
related to the intersection of collaboration and security. He
lives on Cape Cod with his wife, daughter, and dogs, and
enjoys watching the unfairly dominant New England Patriots.
Nathan can be reached on Twitter at @nathanwburke, through LinkedIn, and on www.axonius.com.
114

How to Take Competitive Advantage Using Machine Learning
By Milica D. Djekic
The digital transformation as being the part of the 4 th industrial revolution would so deeply evolve the
entire technological landscape. There would be some discussions if the emerging age would cope with
the revolution or simply evolution. From this perspective, we can notice that some stuffs would get
improved leaving a lot of space for the innovations, while the rest of them could simply get transformed
from one form to another. In other words, it’s all about the technological progress and at this stage; we
cannot talk about the purely branding new things on the marketplace because everything existing today
would just be the part of the evolution with technology. So many researchers of nowadays would deal
with the artificial intelligence or AI and one of the segments to such an area got the machine learning of
ML. The ML is basically a set of static algorithms that would use data at their input and produce some
outcomes being so analytical by their nature. So, if we want to send some amount of data to ML software
– we need such a solution to accept those data and give us some results either being the segments of
predictive or descriptive analytics. In such a manner, it’s quite clear why those advancements could find
their place in the modern business environment and it’s quite logical that such a product could get so
useful in understanding the business intelligence or BI. So many companies and enterprises over the
globe would count on a BI-driven marketplace and if we can obtain the certain level of accuracy with the
ML approaches – we would impact a decision making regarding the business surroundings getting more
and more rational. In this effort, we would try to go through this so exciting topic and explain how an ML
could serve in order to take competitive advantage.
115

The challenges of a modern business landscape
The ongoing business landscape would be so challenging environment for a reason there would be so
many products and services being so attractive offerings that would get provided for the quite suitable
prices. That would make the competition amongst the economies being more exciting and not even
everyone would survive on the marketplace. It’s well-known that the investment into new and new
technological solutions could be from the crucial significance for the marketplace players to succeed in
so competitive surroundings. Everyone would want to be the leader and only the few of them could obtain
such a requiring task. The global economy’s landscape would deal with both – small and large businesses
– and they would need to play intelligently in order to stay on the marketplace or even expand.
So, the good question here would be how we could take any sort of competitive advantage on the
marketplace making us better from our competition. For instance, if some small enterprise selling the
home appliances invests some funds into the competitors’ tracking software – it would definitely get in
position to take competitive advantage and make the good incomes simply coping with what the
competitors do. Also, it’s well-known that the accurate information could offer us some kind of advantage
over all our business opponents, so the big business players would just be in the competition about who
would get what the first. For such a purpose, you can pay someone for some advice or buy some accurate
information from the intelligence sources. The next question here would be what to do with those findings
and how to use them in order to get smarter than your competitors. The good point here is you can always
rely on the emerging technology and give it those data to do some analytics and possibly forecasts.
Descriptive vs. predictive analytics and why they matter
In the practice, the ML could deal with the descriptive and predictive analytics and it’s so significant to
make a brief overview why both of them matter. For instance, in case of descriptive analytics – you would
cope with the set of data being given to the ML either online or offline software and such a tool would
produce you some rational reportings and statistics. That could offer the chance to the decision makers
to get the quite accurate insight into the business needs and feasible courses as well as directions that
should get followed in order to get beneficial in the competition. On the other hand, the predictive analytics
could provide you an opportunity to use the skillfully and automatically analyzed data in order to make
some business predictions. If those sorts of predictions got with the high level of accuracy – the decision
makers would create an opportunity to their businesses in order to smartly invest their resources into
some marketplace stream.
How to get emerging applying machine learning
In order to choose to invest into some ML products for your business purposes – you can make the right
choice on. Such an investment could bring you some kind of competitive advantage within your
marketplace and if you are amongst the pioneers applying such a technology – you would definitely
operate with the huge profit being gotten on. The emerging economy is the arena of smart players and
only the best could be the leaders. It takes a lot of time and effort to obtain so, but once you get positioned
with that level you need to manage yourself to remain there. This may appear as the quite handy outcome
of the digital transformation and practically – it is, so it’s such a good to know how to select and apply
your secret weapon for shooting your competitors on.
116

The advantages and disadvantages of machine learning
First of all, any kind of AI or ML cannot replace the human brain and its functions. The machines would
work using so static or dynamic algorithms and they would not deal with intuition, instinct, thinking process
or any other things getting correlated with the human mental system. Some experts would suggest that
the machines got more accurate than the people are and the human beings need to get concentrated
and extremely skillful in order to avoid any kind of mistakes. Anyhow, the people are those who created
the machines and gave them the option to learn, but such learning is so limited with the heaps of
programming functions and procedures. So, even the machines got the quite limited set of rules they can
cope with and even they could be somehow more accurate resolving those concerns than humans are –
you should always get in mind that the machines cannot feel and they cannot play the role of intuitivejudging
thinkers at least not at this stage of the human kind’s progress and development.
The future of a machine learning technology
Some futurists would suggest that the machines would become that smart, so they would get in such a
phase of their development to take control over the human race. Maybe that’s the part of some science
fiction movies at this scale, but there are some serious prognoses that could convince us that probably
not in that close future we could get the slaves of some scary Matrix’s machine world. Let’s say at this
moment everything is under our control and we should proceed with the projects that would bring us
much more convenient solutions that would serve to our needs and make us being more skillful with our
businesses, so far.
About The Author
Milica D. Djekic is an Independent Researcher from Subotica,
Republic of Serbia. She received her engineering background from
the Faculty of Mechanical Engineering, University of Belgrade. She
writes for some domestic and overseas presses and she is also the
author of the book “The Internet of Things: Concept, Applications and
Security” being published in 2017 with the Lambert Academic
Publishing. Milica is also a speaker with the BrightTALK expert’s
channel and Cyber Security Summit Europe being held in 2016 as
well as CyberCentral Summit 2019 being one of the most exclusive
cyber defense events in Europe. She is the member of an ASIS
International since 2017 and contributor to the Australian Cyber
Security Magazine since 2018. Milica's research efforts are
recognized with Computer Emergency Response Team for the
European Union (CERT-EU). Her fields of interests are cyber defense, technology and business. Milica
is a person with disability.
117

Suggested head:
From real-world cybersecurity incident responders to keeping top leaders informed, choose a cyber
training platform that prepares you on all fronts
The everyday things of life—shopping online at a big box store, staying in a hotel, visiting social media
websites—have, through the personal and financial information involved in those everyday transactions,
put most Americans in the crosshairs of cybercriminals, hackers, and in some cases, nation-state actors.
Cyberattacks and breaches of businesses big and small are reported daily, as are the continued reports
regarding the short supply of qualified professionals to combat them. It’s estimated that within two years,
cybercrime damage will reach $6 trillion while there are more than three million vacancies in the
international cybersecurity workforce.
The Regent University Institute for Cybersecurity (IFC), located in Virginia Beach, Virginia, is primed to
respond to the lack of qualified professionals through rigorous programs that combine cybersecurity
theory and hands-on experience on its state-of-the-art live-fire cyber range.
Don Murdoch, a SANS-certified GIAC Security Expert (GSE) and IFC associate director, said the equal
emphasis Regent places on classroom theory and the development of practical, real-world proficiency,
is at the foundation of all of the IFC’s industry focused cybersecurity programs which include experiential
cyber training, certifications and executive training.
Certifications and Emulation Training
“The Regent Certified Cyber Practitioner Program (CCP) is an industry-facing three-course program
consisting of basic, intermediate and advanced levels, all of which have range-focused exercises to
support the learning objective,” he said. Many of the exercises are based on actual cases from the
frontlines of cybercrime including ransomware, data exfiltration, network misuse, disruption, and web
defacement.
Regent’s live-fire cyber range, one the most technically advanced in the country, has 20 stations where
trainees analyze cases and perform incident triage, cyber incident investigations, and can also perform
forensics with enterprise-grade tools found in the military and Fortune 2000 companies.
118

The disruption scenario, which we ran through this morning, is similar to an event I experienced while
working in industry. A user with elevated access installed an application that was supposed to be a
system utility, but wasn’t, and the utility disrupted network operations for over 200 staff within minutes of
being launched.” Murdoch recalled.
“The utility was malicious software that installed applications that sent the processor to 100 percent
whenever a system management tool was executed. It was a really nasty resource exhaustion attack
coupled with a really low-level network attack.”
Murdoch, author of industry-impacting books including his latest, “Blue Team Handbook: SOC, SIEM,
and Threat Hunting Use Cases: A condensed field guide for the Security Operations team (Volume 2),”
said working through those scenarios puts Regent’s trainees ahead of the game when it comes to
mastery in the field because scenarios include both network and host level investigations and trace data.
What Makes Incident Response Reports So Valuable?
In addition to gaining that mastery, he added, students are trained to create a strong incident response
report including a timeline, a root-cause analysis, a corrective action plan, in some cases a formal
Corrective Action Plan or CAP that could find its way to a corporate risk register, and an executive
summary that is invaluable to their enterprises and to the executives who manage them.
“Trainees who come through our range environment have a good understanding of many different attack
types and how to connect the dots from one piece of evidence to another,” Murdoch said. “They
understand how to identify the sources of attack and how to investigate it. They can determine how much
risk an organization has, how far the attacker got through the network and, in the end, write a good
summary on the case.”
Cyberpsychology: Understanding an Attackers Motivation
The skills of detection needed to identify and prevent cyberattacks make cybersecurity experts the
gumshoes of the modern age and, as such, all of the Institute’s courses feature elements of psychology
in their examination of cybercriminals—how to identify them and what makes them tick.
“We strive to understand their motivations, their methods, their means, and what they are likely to do. For
instance, a cyberterrorist is more likely to disrupt your environment, and they don’t care about getting
119

paid, whereas a cybercriminal will likely try to fly as under the radar as possible until they have established
sufficient leverage on you and then demand money because they are financially motivated,” Murdoch
explained.
“Activists are motivated by a geopolitical issue or a social-moral issue, and they will act on that. They
don’t necessarily care about getting paid. They care about supporting their cause, and if you are critical
of their cause, they care a lot about attacking you.”
Even Top Executives Need Cyber Training
In addition to offering an introduction to cyberpsychology with their live-fire simulation training, Regent’s
Executive Workshops provide military, corporate and government leaders with the ability to understand,
measure and manage the risk their organizations face.
The informal, interactive one-day workshops are structured like board-level discussions. They are led by
world-class cybersecurity experts who provide a solid foundation in enterprise risk management, giving
attendees proven models to take back to their organizations.
“While the level of cyber risk varies, all organizations face similar challenges when it comes to identifying
and protecting the value chain and the assets it depends on,” Murdoch said. “While many in the C-Suite
(CEOs, CFOs, COOs, etc.) don’t have the technical knowledge to be involved in day-to-day IT operations,
Regent can provide them with a foundation to discern how cybersecurity risk fits into their enterprise and
to learn the right questions to ask, such as ‘How prepared are we to respond to an attack and what’s my
role should an incident happen?’”
The Institute for Cybersecurity is located in Virginia Beach, Virginia on the campus of Regent University.
Home to one of the nation’s most powerful and agile commercially facing cyber simulation ranges, the
institute is dedicated to closing the gap between classroom theory and practical, real-world proficiency.
Regent offers a series of courses under the Certified Cyber Practitioner (CCP) program with the
option to earn the CCP certification, powered by live-fire simulation training.
Regent’s Institute for Cybersecurity is disrupting and transforming the cyber defense industry with a stateof-the-art
training platform and world-class trainers. To learn more about cyber training opportunities, visit
regent.edu/cyber or contact the institute at 757.352.4215.
120

121

Ever wonder how hackers, spies, and con-artists gather such detailed and convincing
intel on their targets? Kevin Mitnick, the world's most famous hacker and
KnowBe4's Chief Hacking Officer, knows.
The truth is that it is shockingly easy to gather detailed intelligence on individuals and
organizations. Everything the bad guys need to specifically target your end users is out
there for the taking. Banking and credit card accounts, driver's license numbers,
geolocation details and even IT secrets can be found easily and through public
resources! There’s even a name for it: Open Source Intelligence (OSINT).
In this mind-blowing webinar, Kevin and Perry Carpenter, KnowBe4's Chief
Evangelist and Strategy Officer, will give you an inside look into some of Kevin’s most
prized, underground OSINT secrets and how the bad guys use those techniques to
target your users and your organizations.
Find out what to watch out for and learn how to strengthen your end-user “human
firewall” against OSINT-fueled attacks before it's too late!
Date/Time: Wednesday, June 12 at 2:00 pm (ET)
Save My Spot
Don't like to click on redirected URLs? Cut & paste this link into your browser:
https://event.on24.com/wcc/r/1987306/120DACBD77DBFB3669AC398388105E40?partnerref=CDMG
122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

Meet Our Publisher: Gary S. Miliefsky, CISSP, fmDHS
“Amazing Keynote”
“Best Speaker on the Hacking Stage”
“Most Entertaining and Engaging”
Gary has been keynoting cyber security events throughout the year. He’s also been a
moderator, a panelist and has numerous upcoming events throughout the year.
If you are looking for a cybersecurity expert who can make the difference from a nice event to
a stellar conference, look no further email marketing@cyberdefensemagazine.com
155

You asked, and it’s finally here…we’ve launched CyberDefense.TV
At least a dozen exceptional interviews rolling out each month starting this summer…
Market leaders, innovators, CEO hot seat interviews and much more.
A new division of Cyber Defense Media Group and sister to Cyber Defense Magazine.
156

Free Monthly Cyber Defense eMagazine Via Email
Enjoy our monthly electronic editions of our Magazines for FREE.
This magazine is by and for ethical information security professionals with a twist on innovative
consumer products and privacy issues on top of best practices for IT security and Regulatory
Compliance. Our mission is to share cutting edge knowledge, real world stories and independent
lab reviews on the best ideas, products and services in the information technology industry. Our
monthly Cyber Defense e-Magazines will also keep you up to speed on what’s happening in the
cyber-crime and cyber warfare arena plus we’ll inform you as next generation and innovative
technology vendors have news worthy of sharing with you – so enjoy. You get all of this for
FREE, always, for our electronic editions. Click here to sign up today and within moments,
you’ll receive your first email from us with an archive of our newsletters along with this month’s
newsletter.
By signing up, you’ll always be in the loop with CDM.
157

Marketing and Partnership Opportunities
Banners, E-mails, InfoSec Awards, Downloads, Print Editions and Much More…
Copyright (C) 2019, Cyber Defense Magazine, a division of CYBER DEFENSE MEDIA GROUP (STEVEN G.
SAMUELS LLC. d/b/a) 276 Fifth Avenue, Suite 704, New York, NY 10001, Toll Free (USA): 1-833-844-9468 d/b/a
CyberDefenseAwards.com, CyberDefenseMagazine.com, CyberDefenseNewswire.com,
CyberDefenseProfessionals.com, CyberDefenseRadio.com and CyberDefenseTV.com, is a Limited Liability
Corporation (LLC) originally incorporated in the United States of America. Our Tax ID (EIN) is: 45-4188465, Cyber
Defense Magazine® is a registered trademark of Cyber Defense Media Group. EIN: 454-18-8465, DUNS#
078358935. All rights reserved worldwide. marketing@cyberdefensemagazine.com
All rights reserved worldwide. Copyright © 2019, Cyber Defense Magazine. All rights reserved. No part of this
newsletter may be used or reproduced by any means, graphic, electronic, or mechanical, including photocopying,
recording, taping or by any information storage retrieval system without the written permission of the publisher
except in the case of brief quotations embodied in critical articles and reviews. Because of the dynamic nature of
the Internet, any Web addresses or links contained in this newsletter may have changed since publication and may
no longer be valid. The views expressed in this work are solely those of the author and do not necessarily reflect
the views of the publisher, and the publisher hereby disclaims any responsibility for them.
Job Opportunities
Send us your list and we’ll post it in the magazine for free, subject to editorial approval and layout. Email us at
marketing@cyberdefensemagazine.com
Cyber Defense Magazine
276 Fifth Avenue, Suite 704, New York, NY 1000
EIN: 454-18-8465, DUNS# 078358935.
All rights reserved worldwide.
marketing@cyberdefensemagazine.com
www.cyberdefensemagazine.com
NEW YORK (US HQ), LONDON (UK/EU), HONG KONG (ASIA)
Cyber Defense Magazine - Cyber Defense eMagazine rev. date: 06/01/2019
158

TRILLIONS ARE AT STAKE
No 1 INTERNATIONAL BESTSELLER IN FOUR CATEGORIES
https://www.amazon.com/Cryptoconomy-Bitcoins-Blockchains-Bad-Guys-ebook/dp/B07KPNS9NH
159

Regent University’s Institute for Cybersecurity is disrupting and transforming the Cyber
Defense industry with a state-of-the-art training platform and world-class trainers. To learn
more about commercial training offerings, visit regent.edu/cyber or contact the institute at
757.352.4215.
Learn more about this program: https://www.regent.edu/institutes/cybersecurity/industrytraining/
Space is limited, so register today: http://www.regent.edu/cyber
160

161

162

163

164

165