Cyber Defense eMagazine September 2019

4 Industries Being Hurt by Counterfeit
Materials (and How to Spot Them)
5 Most Disastrous Ransomware Attacks of
the Last Decade
How to Protect Yourself While Shopping
Online
Top 5 Questions about the Capital One
Data Breach
Ways to Protect Sensitive Data Online
5 Key Differences between Software and
Hardware Vulnerability Mitigations
…and much more…
1

CONTENTS
4 Industries Being Hurt by Counterfeit Materials (and How to Spot Them) .................................................... 13
5 Most Disastrous Ransomware Attacks of the Last Decade .......................................................................... 17
Better Safe than Sorry: How to Protect Yourself While Shopping Online ........................................................ 21
Conversation Marketing Security Pitfalls and Best Practices .......................................................................... 25
What Other Companies Can Learn from Facebook’s $5 Billion Fine ................................................................ 29
Why “Cloud Security 101” Isn’t So Simple After All ....................................................................................... 32
Anatomy of a Single Request Attack: The #1 Invisible Security Threat ............................................................ 36
Adhere to Cyber Security Solutions to Protect Your System from a Diverse Range of Issues ........................... 39
August Patch Tuesday .................................................................................................................................. 42
Top 5 Questions about the Capital One Data Breach ..................................................................................... 44
The Need of Automatics and Control in Incident Response ............................................................................ 47
Preventing Business Email Compromise – a $300 Million Dollar Problem ....................................................... 50
Security Research as an Anti-Malware Secret Weapon .................................................................................. 54
Ways to Protect Sensitive Data Online .......................................................................................................... 57
Artificial Intelligence-Driven Situational Awareness ...................................................................................... 61
Attracting and Retaining Staff for a Fusion Center ......................................................................................... 64
Have You Asked your eDiscovery Vendor ...................................................................................................... 66
Understanding Application Risk Management .............................................................................................. 71
Ransomware: A Municipality’s Achilles Heel ................................................................................................. 76
Do You Know What That App Is Doing? ........................................................................................................ 80
5 Key Differences between Software and Hardware Vulnerability Mitigations ............................................... 83
Data Risk Report Shows Lack of Security across Industries ............................................................................ 86
How the Internet of Things Could Compromise Online Security ..................................................................... 90
2

Public Sector Beware: 3 Steps to a Better Cyberattack Prevention Strategy ................................................... 93
Cybersecurity Checklist: How to Keep Your Business Secure .......................................................................... 96
Ready Position - Proactive Teams are Helping Solve the Cybersecurity Skills Shortage ................................. 101
Voice Commerce Calls for Built-in Security .................................................................................................. 105
Protecting Your Business against DDoS Attacks Requires Simple Best Practices ........................................... 108
Server less Security Analysis: The Best Practices on How to Enforce Them ................................................... 111
Stop! Vulnerable Software ......................................................................................................................... 115
The Dangers of the Integrated Home/Workplace ........................................................................................ 120
How Real-Time Asset Intelligence Enables Full Posture Control ................................................................... 123
Multi-factor Authentication Implementation Options ................................................................................. 125
3

@MILIEFSKY
From the
Publisher…
New CyberDefenseMagazine.com website, plus updates at CyberDefenseTV.com & CyberDefenseRadio.com
Dear Friends,
Can you believe it’s September 2019 already. We’re almost into 2020 but we still have so much to
accomplish this year. Don’t miss us at the Digital Transformation Expo in London this October https://dtx.io/europe/en/page/dtx-europe
and at InfoSecurity North America in November
https://www.infosecuritynorthamerica.com/ before we turn the corner into an early RSA Conference 2020
in late February, in San Francisco, CA, USA.
When you share a story or an article or information about CDM, please use #CDM – it helps spread the
word about our free resources even more quickly. We’re tracking our results on various independent
websites that track keywords across the global internet and here’s where we stand today:
https://essentials.news/en/future-of-hacking. We also offer our own statistics that you are free to reuse
anytime, from this page: http://www.cyberdefensemagazine.com/quotables/.
I am so thankful and honored to each of you – readers, partners, customers, employees, consultants,
supporters and so very importantly – Robert Herjavec and Dr. David DeWalt for joining in with me to
judge the Black Unicorn Awards for this year with notable mentions, finalist and winners found at
https://www.cyberdefenseawards.com/. Our Global Awards are now open and we hope to find more
winners this year who are market leaders, innovators and those offering some of the best solutions for
cyber security in the global marketplace. For those women who did not make our Top 25 Women in
Cybersecurity for 2019 or missed out on the deadline, we have added Global Awards for Women in
Cybersecurity as a new category this year.
We have many new interviews going live on https://www.cyberdefensetv.com and
https://www.cyberdefenseradio.com this month, so please check them out and share links to them with
your friends and co-workers. Let’s all keep on innovating and finding ways to get one step ahead of the
next threat!
Warmest regards,
Gary S. Miliefsky
Gary S.Miliefsky, CISSP®, fmDHS
CEO, Cyber Defense Media Group
Publisher, Cyber Defense Magazine
4

@CYBERDEFENSEMAG
CYBER DEFENSE eMAGAZINE
Published monthly by the team at Cyber Defense Media Group and
distributed electronically via opt-in Email, HTML, PDF and Online
Flipbook formats.
InfoSec Knowledge is Power. We will
always strive to provide the latest, most
up to date FREE InfoSec information.
From the Editor’s Desk…
As we wind up a beautiful summer and begin to
look at new themes throughout the year, we still
share our thoughts that training is a critical step in
turning on the human firewall. From KnowBe4 to
Hacker.House to InsiderThreatDefense.US we
see a common thread – you can dramatically
bolster your “Human Firewall” if you first, turn it on.
With training by experts. Kevin Mitnick will teach
you social engineering 101 and KnowBe4 will
provide you with the most advanced antiphishing
and compliance tools. Hacker.House will teach
you how to be the best penetration tester, yourself.
Why hire consultants who don’t care about your
business every day of their lives? Also, with most
breaches happening from the inside-out, it’s time
to get vigilant and train yourself for insider threat
mitigation at InsiderThreatDefense.US.
Going into the fall, we will look to other areas in
infosec for innovative ways to stop breaches and
will share with you our findings in articles and
updates through year-end.
To our faithful readers,
Pierluigi Paganini
Editor-in-Chief
PRESIDENT & CO-FOUNDER
Stevin Miliefsky
stevinv@cyberdefensemagazine.com
EDITOR-IN-CHIEF & CO-FOUNDER
Pierluigi Paganini, CEH
Pierluigi.paganini@cyberdefensemagazine.com
EDITOR-AT-LARGE & CYBERSECURITY JOURNALIST
Yan Ross, JD
Yan.Ross@cyberdefensemediagroup.com
ADVERTISING
Marketing Team
marketing@cyberdefensemagazine.com
CONTACT US:
Cyber Defense Magazine
Toll Free: 1-833-844-9468
International: +1-603-280-4451
SKYPE: cyber.defense
http://www.cyberdefensemagazine.com
Copyright © 2019, Cyber Defense Magazine, a division of
CYBER DEFENSE MEDIA GROUP (a Steven G. Samuels LLC d/b/a)
276 Fifth Avenue, Suite 704, New York, NY 10001
EIN: 454-18-8465, DUNS# 078358935.
All rights reserved worldwide.
PUBLISHER
Gary S. Miliefsky, CISSP®
Learn more about our founder & publisher at:
http://www.cyberdefensemagazine.com/about-our-founder/
WE’RE CELEBRATING
7 YEARS OF EXCELLENCE!
Providing free information, best practices, tips and
techniques on cybersecurity since 2012, Cyber Defense
magazine is your go-to-source for Information Security.
We’re a proud division of Cyber Defense Media Group:
CYBERDEFENSEMEDIAGROUP.COM
MAGAZINE TV RADIO AWARDS
5

6

SPONSOR OF THE MONTH…
7

8

9

Your website could be vulnerable to outside attacks. Wouldn’t you like to know where those
vulnerabilities lie? Sign up today for your free trial of WhiteHat Sentinel Dynamic and gain a deep
understanding of your web application vulnerabilities, how to prioritize them, and what to do about
them. With this trial you will get:
An evaluation of the security of one of your organization’s websites
Application security guidance from security engineers in WhiteHat’s Threat Research Center
Full access to Sentinel’s web-based interface, offering the ability to review and generate reports as well
as share findings with internal developers and security management
A customized review and complimentary final executive and technical report
Click here to sign up at this URL: https://www.whitehatsec.com/info/security-check/
PLEASE NOTE: Trial participation is subject to qualification.
10

11

12

4 Industries Being Hurt by Counterfeit Materials (and How to
Spot Them)
By Kayla Matthews
There are many industries with a lot to lose when it comes to counterfeit parts and materials. Today, we’ll
talk about four of them.
The dangers are impossible to ignore, and range from having our sensitive information intercepted or
held for ransom to having our defense systems shut down at a critical moment. Specialists and decisionmakers
in these industries and every other need to know why they’re at risk and what to look for. Only
then can they protect themselves.
1. Health Care
The health care industry, and medical devices specifically, is a particularly worrisome hotspot for
counterfeit materials. Medical devices can be pricey, even when reconditioned and sold on legitimate
used markets. The definition of “medical device” expanded in recent years to include items ranging from
syringes, glucose meters and blood pressure monitors to implants and digital pacemakers.
13

The threats here range from making devices more susceptible to malware and remote hacking to
distributing devices, like patient monitoring devices, with the intent to gather as much information on us
as possible.
The high asking price of modern medical devices means customers across the world often turn to illicit
sources for some vitally important health equipment. To combat counterfeits and help protect the value
of legitimate aftermarkets in the health care industry, manufacturers can make more widespread use of
unique device identifiers and even turn to blockchain to ensure greater authenticity in the supply chain.
2. Defense
The defense industry keeps lots of people around the world employed and currently has a value of $398
billion globally. But this vertical unfortunately attracts a lot of counterfeiting activity. Apart from health
care, it’s hard to imagine an industry with more significant potential for collateral damage.
In 2017, the U.S. military estimated as much as 15% of their replacement parts pipeline consisted of
counterfeit parts. This supply chain is the same one that keeps ground, air and sea vehicles functioning,
ensures guidance systems work as expected and protects the integrity of countless other devices and
assets at home and in the field.
In a mission to stamp counterfeits out of the defense industry, the Defense Advanced Research Projects
Agency began developing “chiplets” that military contractors and authorized manufacturers could begin
incorporating into designs. These chips would identify when a device may have become compromised.
Before these prevention programs came online, it wasn’t uncommon for U.S. Customs to seize millions
of counterfeit microchips in a given year that would have found their way into defense systems.
In some cases, the parts in question came from missile defense systems. But hiring employees for their
attention to detail and training them to keep security a top-of-mind concern should help ensure counterfeit
defense products don’t make it as far as customs before getting detected. This type of public-private
collaboration is an essential tool as well.
3. IT, Security and Networking Gear
With a lot of the “front” and “back” doors covered at the commercial level with encryption, and at the
consumer level with strong passwords, good email security hygiene and virtual private networks, hackers
and counterfeiters are turning their attention to infiltrating the very structure of the “house” itself.
Given that networking and IT hardware can perform checks of their own against cybercrime, this trend is
especially worrying. Cisco and companies like it have, understandably, taken strong measures after
discovering authorized and unauthorized sellers who appeared to knowingly distribute counterfeit Cisco
products and pass them off as genuine. One suit by Cisco targeted defendants in New Jersey and
California, making this a nationwide phenomenon.
14

Local IT departments in small and medium-sized businesses need to know what they’re up against.
Chasing discounted or shady “renewed” IT equipment can sound like an excellent strategy to scale your
infrastructure affordably. But it can leave you vulnerable to any number of potential thieves and criminals
who can use that fake IT gear to commandeer your whole digital footprint.
Ask original manufacturers for a list of their authorized resellers. If they list the vendor you’re interested
in, it means the original equipment manufacturer has a reasonably high degree of confidence in that
reseller.
And even if you’re careful about who and where you buy your IT gear from, it’s possible you might still
get your hands on a fake network switch or router. Pay attention to the fit and finish of the product. See
if the build quality, the labels, the colors and the functionality match what you expect or you’re used to.
Don’t plug it in or install anything if you have concerns. Instead, take some photos and get in touch with
the original equipment manufacturer.
4. Construction Materials
Over the years, several high-profile deaths have resulted from counterfeit construction materials. One
case involved fake bolts, and the other was the result of a ruptured counterfeit cement kiln. A few years
later, in 2003, the Construction Industry Institute issued a study citing the cost of counterfeit goods in
construction at around $1 trillion per year.
Counterfeit parts in the construction industry can be deadly — and there’s never been a more essential
time to take it seriously now that electronic systems are making their way into construction equipment
and the very structures of our buildings like never before.
Companies sourcing raw metals, particularly steel, for the manufacture of nails, screws, beams and other
materials, need to know their sources aren’t sneaking in inferior metals than what they claim in their
specs. That’s how George Hedley puts it, anyway — he wrote “Get Your Business to Work!” and was a
contractor and subcontractor in sheet metal and steel fabrication.
Counterfeit steel is scary in one way, but counterfeit smart home components are frightening in a host of
fresh new ways. The Internet of Things is now an integrated part of the construction process, as homes
and buildings become smarter, greener and more self-sufficient. More systems have electronics and
internet-connected control mechanisms built right in.
Suffice it to say, builders right down to individual contractors and handymen need to know what they’re
installing, and how and whether the homeowner can take precautions to protect it from intrusion. Even
choosing a “smart” ceiling fan can’t be a throwaway decision.
Companies and governments can take steps to ensure electronic devices destined for the construction
industry pass muster and don’t mix with counterfeit doppelgangers. One way is to lobby for strong
intellectual property protections on the global stage. Part of the reason why shipments of counterfeit parts
are so common in some parts of the world is because not every region has taken appropriate measures
to prevent and respond to IP theft.
15

Because of this, counterfeit or lower-quality-than-advertised building materials keep putting our physical
safety in jeopardy, while compromised smart HVAC and lighting systems put our digital systems at risk.
As with other industries, blockchain could do the heavy lifting in the creation of a secure, immutable
database of trusted manufacturers and service providers.
No matter what, counterfeit goods are a stubborn problem and will stay that way for some time. But
awareness and technology go a long way toward keeping our supply chains and customers safe. An
ounce of prevention is worth a pound of cure and tons of regret, so consider suspected counterfeit
products a case of “see something, say something.”
About the Author
Kayla Matthews, a cybersecurity journalist, has written for sites like
Security Boulevard, the National Cyber Security Alliance,
Information Age and more. Matthews can be reached via Twitter
@KayleEMatthews or on ProductivityBytes.com.
16

5 Most Disastrous Ransomware Attacks of the Last Decade
In the past few years, we have seen a massive change in the hacking industry. Let’s take a look at the most
dangerous ransomware attacks and how to stay safe from these type of attacks.
By Susan Alexandra, Contributing Writer, None
Sending malware to systems and asking for ransom is not a new activity for hackers. They are doing it
since the 90s. Ransomware varieties have grown increasingly advanced in their capabilities for
spreading, evading detection, encrypting files, and asking users to pay ransom against their data. It is
now a prominent threat to enterprises, SMBs, and individuals these days. Take a look at the most
significant ransomware attacks, and the after effects of these threats.
1. TeslaCrypt (2015 - 2016)
This ransomware made its presence in the market in March 2015. It is also called a variant of
CryptoLocker. TeslaCrypt specifically targeted gaming industry by encrypting their saved game, profiles,
maps, downloadable content, and user-generated files of computer games. This ransomware hit 163
victims, netting $76,522 for the attackers behind it. After encrypting popular file types with the AES-256
encryption algorithm, TeslaCrypt holds the files for a ransom of $250 to $1000.
These encrypted files were backed up on the cloud, neither the external drive but stored locally. On the
very next year, the creators of TeslaCrypt shared the decryption key with the public, and it was a
significant relief to gamers whose data got compromised.
17

2. SimpleLocker (2014 - 2016)
In the past few years, we have seen a massive increase in the android industry. This change is in favor
of people as well as the hackers who want to target Android users. SimpleLocker also created for android
users as it was used to scan victim's SD memory cards for certain file types, including images, PDFs and
other documents, and audio files, encrypts them and demands some money or ransom in order to decrypt
the files.
If the device is attacked, the victim gets a pop-up window to restore the data against some Ukrainian
currency.
3. CryptoLocker (2013 - 2014)
This malicious program was to bring ransomware and its worst implications to the fore. CryptoLocker
spread via attachments to spam messages and used the RSA public-key encryption to seal up targeted
user files.
While ransomware usually freezes the device of the user, CryptoLocker followed a different route. It
allowed the users to run their systems and the downloaded software but encrypted their user files. The
data was not lost, but the hackers were demanding cash (millions of dollars) in return for the decryption
keys.
4. WannaCry (2017)
WannaCry ransomware was the most disastrous attacks that infected more than 250,000 systems around
116 different countries. This ransomware was initially started with the European countries and regions
and then spread into multiple countries. The prime target of this attack was hospitals, businesses,
government organizations, and radio stations.
This ransomware resulted in a massive loss of four billion dollars. Victims of this attack were the users of
the Windows operating system. After the attack, the encrypted files were saved in a hard drive and users
were forced to pay in bitcoins in order to get their data back.
5. NotPetya (2017)
Petya was a ransomware package that dated back to 2016, but just weeks after the WannaCry outbreak,
an updated version began to spread. It not only encrypts files but also overwrites and again encrypts the
overwritten files in Master Boot Record (MBR). Later, the cyber experts revealed that while the malware
was a variant of Petya, it was not Petya.
18

Ransomware Prevention - 5 Easy Steps to Protect Your System
In this world, no one is safe from cyberattacks, ransomware, and malware attacks. No matter how expert
you are, who you are, and what industry you belong to. You must keep your systems up to date because
It is a matter of data and if you have the data that holds personal information, you must take care of it
otherwise, your data can be gone into wrong hands. Below are some tips that can help you protect your
data.
1.Update Your System
It is essential to keep your system up to date with the best anti-malware, anti-virus, VPN, and other
encrypted tools that tighten your computer’s security. Systems running with outdated software are
vulnerable to attacks, and hackers can easily target those systems.
2. Regularly backup you’re Data
Make it your habit to back up your data twice a month. Store, all the data on the cloud or external hard
drive, would be the best option to store your data.
3. Don’t Click on Suspicious Links
Another way to prevent ransomware is to be extra vigilant about links on the emails. Many people click
on the malicious links or attachments that can download the ransomware to their system. Always think
twice before clicking so you can keep infected links and other malicious sources away from your computer
and valuable data.
4. Regularly Scan Your System
Scan your system with the tools and keep the scan scheduled so that you can easily detect the threats.
It will also help you in detecting real-time threats to your system.
5. Educate, Educate, Educate
If you are working in an organization, educate your employees and tell them all possible ways to avoid
ransomware. Give them training every month and keep them updated with the security tools and the
basics of online security.
19

About the Author
Susan Alexandra is an independent contributing author at Securitytoday and
Tripwire. She is a small business owner, traveler and investor in
cryptocurrencies.
20

Better Safe than Sorry: How to Protect Yourself While Shopping
Online
By Bailey Newman, Content Team, CouponChief.com
We may think nothing of filling out forms and providing data to ecommerce sites, social media sites, and
public forums, but thieves and swindlers are ready to take advantage of our lapses. Online danger comes
in all kinds of packages, from romance scams to phishing schemes.
Even huge companies are not immune to security breaches. An example of such is the eBay attack,
where cyber attackers stole names, addresses, even passwords from eBay’s entire database of over 145
million users. Although the incident was reported in May 2014, the hackers were active for almost the
entire prior year. Another example is the Yahoo Bust, where Yahoo lost the personal information of about
1.5 billion user accounts between 2013 and 2016.
So how do you stay safe online?
The only way to make absolutely sure your data is safe online is to stop using the internet. That would
be taking it too far, though. For most of us, the benefits of going online far outweigh the risks – we just
have to be smart about what we do there.
Here’s the root of the issue: When you’re at home using your computer, it feels like you’re safe – like it’s
just you and the screen. The truth, though, is that while you’re looking at the internet, it’s looking back at
you. You’re connected digitally to the billions of other internet users globally, and there’s a specific
identifier – your internet protocol address, or ‘IP’ – that sets your machine apart from the rest. It is the
basis of your digital footprint.
21

To stay safe online, it’s important to understand the five primary areas of attack and the steps you can
take to protect yourself from each.
1. Antivirus software isn’t always effective, so getting a robust antivirus program is an
essential.
This is one of the biggest security mistakes online shoppers make. New computers typically come
with antivirus software pre-installed. The new owner figures that means the machine is good to
go, then proceeds to surf indiscriminately – figuring the software will act as a bodyguard and fight
off any attackers.
That’s now always true, though. One reason is that the antivirus software that comes on new
computers is a trial version only (unless you specifically purchased it with the machine). Also,
there are a number of ways antivirus software can get turned off. Whether you shut it down on
purpose to install another program successfully, it gets turned off accidentally, or a cyberattack
shuts it down – if it’s not on, it’s not protecting you. No tool is perfect, but a robust antivirus program
is an essential. You should never go online without that first and persistent line of defense.
2. Do you really know what you’re clicking on?
Soldiers know one of the favorite tricks of the enemy is to bury explosives along the road or
trail. It’s a 24/7 way to catch someone off guard and exploit the situation. Cybercrooks do the
same thing. They don’t use artillery shells or high-explosive charges for their landmines, though,
they use clicks… YOUR clicks.
Common traps include pop-ups saying your computer has been infected with a virus and you
must click (or call a phone number) to fix the issue, ‘Unsubscribe’ links in emails that really
aren’t unsubscribe links, and pop-ups or emails saying you’ve just won a prize and must click to
claim it. As with most things, if it sounds too good (or bad) to be true… it probably is.
Threat levels have escalated with the rapid growth of internet speed capabilities. It may take
only a few seconds for the crooks to push their code to your machine. Those few seconds could
cause major upheaval to your life. Don’t risk clicking on risky links. Always hover to check that a
link is going to a familiar, friendly website you trust.
3. Every download is a potential landmine.
You don’t always have to be tricked into downloading malicious files. Sometimes, you go looking
for it. Special dangers are sites offering software, music, or videos for free. ‘Torrent sites’ are
especially prone to deliver more than you bargained for in the way of headaches.
22

When you click “Okay” to install a file, you’ve no control over what happens next. With many
malicious files, you don’t even need to acknowledge the installation. It happens automatically.
It’s also possible you won’t know anything’s going on at all.
Play it safe. Be smart. If you need a program, pay for it… otherwise you may pay a whole lot
more than you ever intended.
4. Be careful of where you leave your digital footprints.
Every post you make on social media, every website you visit, and every form you enter
information into can be a collection point for thieves and scoundrels. If they can collect enough
personal data from your posts, they may be able to ask for a password reset and access your
secure locations. Identity thieves and neighborhood break-in artists love social media. You tell
them everything they want to know there – including when your home is going to be vacant for an
extended period, your mother’s maiden name, and the make of your first automobile.
How can you protect yourself? That’s easy: stop doing that. Wait until you’re home from vacation
to post those photos, and never respond to those chain letter inquiries that require you to reveal
everything down to the color of your underwear.
Your digital footprints are like your tracks in wet sand. They tell everyone exactly where you’ve
been. The digital version doesn’t get washed away with the tide, though. They’ll be there for a
long, long time. Not only does that give potential employers a candid window to check up on what
you look like apart from a resume, your online tracks give marketers and cybercrooks an excellent
means of finding out more about you.
5. Your passwords say a lot about you.
What’s the most common password used? Nope, it’s not “password.” That one now sits at
number eight. Last year’s most-often chosen protector of the digital kingdom was “123456.”
Running close behind, in second place, was “123456789.”
How hard would that be to break?
Computerized password cracking machines are relatively inexpensive and can allow thieves to
access your account in seconds. And if you use the same password for multiple accounts, that
means one key fits all. Don’t try to be cute with passwords. Be safe. You wouldn’t hand out keys
to your home indiscriminately, and you hopefully won’t put a key under the doormat. Passwords
pay a huge part in online security. Use them well.
The internet is amazing. You can select goods from all around the globe and have them delivered to your
door the next day. Few people want to return to pre-internet days, but most people do want to get rid of
the crooks.
23

About the Author
Bailey Newman is part of the content team at CouponChief. She likes brisk
walking in the morning with her dog Chichi. She loves the smell of nature and
can’t imagine a life without it. Having pledged to reduce her environmental
impact, she reduces, reuses, and recycles.
Bailey can be reached online at bailey@couponchief.com and at our company
website https://www.couponchief.com/guides/online_shopping_safety
24

Conversation Marketing Security Pitfalls and Best Practices
By Morey Haber, CTO & CISO, BeyondTrust
According to Gartner’s recent ‘AI and ML Development Strategies’ study, 40% of organizations cite
customer experience (CX) as the number one motivator for use of artificial intelligence (AI) technology.
Not surprisingly, across the Middle East, we are seeing enterprises of all sizes and even several
government entities, start rapidly deploying chatbots on their websites, all in an effort to provide
customers faster responses to their queries. These chat applications are designed to field plain text
requests from humans that are fed into an AI engine, which can provide “smart”, scripted responses to
inquiries.
As the machine learning technology that powers many of these chat applications gets smarter, it is going
to get increasingly harder for users to determine if they are interacting with a real person or a machine.
As a case in point, some services classified as “conversation marketing” may actually route you to the
appropriate live person for a more in-depth conversation. But while we might never know the difference,
with a little social engineering, a threat actor can easily determine what is behind the scenes and exploit
any IT security vulnerability.
25

Understanding the security implications of chatbots
Irrespective of whether it’s a human or machine, there are some inherent security risks in chat-based
services. Ironically, while there is a plethora of information available on how to deploy chatbots and the
associated benefits, there isn’t the same level of attention and guidance around how keep it secure for
both your organization and for the end user.
As a case in point, consider an automated service that is either hosted by the company itself or connected
to a cloud-based AI engine as a service. To effectively respond to queries, this service needs to access
backend resources. This often means having a database fronted by middleware that allows queries via
a secure application programming interface (API). The contents of the database will vary from company
to company and may include anything from hotel reservation information to customer data—and it may
even accept credit card information.
Here's a checklist of basic security questions to cover before implementing a chatbot that is fully
automated and AI-driven:
• Is the API connecting your organization’s website and the chatbot engine secured using access
control lists (ACLs)? You can accomplish this by using IP addresses, geofencing, etc.
• How do you approach the management of authentications between the systems (webservice,
engine, middleware, cloud, etc.)?
• How do you apply vulnerability management best practices across the architecture supporting the
chatbot? You should also find a way to implement routine penetration testing.
• Have you adequately secured privileges/privileged access and enforced least privilege?
• What data can the chatbot query—is any of it sensitive? Do any specific regulations apply to how
this data is collected, stored, handled? For instance, do communications contain information that
may warrant extending your scope of regulations, like PCI DSS? Also, will communications “selfdestruct”
in accordance with certain regulations?
• Is there a process for logging and detecting potential suspicious queries that may be designed to
exploit the AI engine or leak data?
• Can you mitigate or prevent malware or distributed denial of services (DDoS) that target your
service?
• Do you ensure end-to-end encryption for all chatbot communication and what protocols are you
using?
In addition to carefully considering these security implications, organizations should continuously
inventory the supply chain based on assets and communications from chatbot, webservice, and provider
to maintain a risk assessment plan. Any changes can easily affect some of the best practices listed
above.
26

Protecting your employees during conversation marketing
In conversation marketing, a human is actually responding to the queries via the chat window. Several
organizations try to make the experience really “authentic” and, as a consequence, do not use fake
names or pictures for the human chat box representative.
However, if a company displays the full name of their chat representative inside the chat box, with just a
little social engineering, a bad actor can easily uncover data about the representative that can be used
as part of an exploit. This is particularly easy if the representative has a social media profile. So to that
end, if you do choose to use conversation marketing, it is critical that you follow a few key security best
practices.
• For one, never reveal the employees’ full name and instead use an alias. While this might seem
counterproductive (remember the whole making the experience more “authentic”), using the full
name or even just the first name and last initial poses a high risk as a little research could uncover
personal information about the representative.
• If the chat service displays a picture, photo, or avatar of the representative, use a unique image
that cannot be found anywhere else on the internet. The reason―a simple search by the
employee and company name will reveal their social media presence and, if the pictures easily
match, you might as well use their full name anyway! You will have done very little to mask their
identity and provide protection from a potential social engineering attack at home or at work.
• Have a detailed manual in place that clearly states what information the employee can share and
what he/she absolutely cannot—under any circumstances, irrespective of the inquiry―during a
chat conversation. These guidelines will vary, and can include everything from license keys to
password resets. Your business will have to establish this list based on the services the chat box
provides and any local and industry regulations governing data exposure, particularly across
country lines.
• Create a formal support and escalation path for inquiries into potentially sensitive information.
• Provide regular security training for all chat box representatives so that they know how to
recognize a potential attack, how to respond to suspicious requests, and how to escalate a
situation before it becomes a security incident for your organization.
Let’s face it—when it comes to improving customer service, the benefits of chatbots and conversation
marketing is undeniable, which means they are here to stay. But these tools do open up another attack
vector―cybercriminals will always exploit the simplest way to compromise an organization and,
unfortunately, humans are often the weakest link.
But by assessing the key questions and implementing these best practices, you can enable a chat service
that helps support your business initiatives, without opening up unnecessary risks.
27

About the Author
With more than 20 years of IT industry experience and author of Privileged
Attack Vectors and Asset Attack Vectors, Mr. Haber joined BeyondTrust in
2012 as a part of the eEye Digital Security acquisition. He currently
oversees the vision for BeyondTrust technology encompassing privileged
access management, remote access, and vulnerability management
solutions, and BeyondTrust’s own internal information security strategies.
In 2004, Mr. Haber joined eEye as the Director of Security Engineering and
was responsible for strategic business discussions and vulnerability
management architectures in Fortune 500 clients. Prior to eEye, he was a
Development Manager for Computer Associates, Inc. (CA), responsible for
new product beta cycles and named customer accounts. Mr. Haber began his career as a Reliability and
Maintainability Engineer for a government contractor building flight and training simulators. He earned a
Bachelor’s of Science in Electrical Engineering from the State University of New York at Stony Brook.
28

What Other Companies Can Learn from Facebook’s $5 Billion
Fine
Organizations need to view government demands as the floor rather than the ceiling when it comes to
protecting consumer data
By Jacob Serpa, researcher, Bitglass
While Facebook’s $5 billion settlement stands as the largest fine in the history of the Federal Trade
Commision (FTC), one must take into consideration that not every company is going to be on the same
scale when it comes to penalties for mishandling consumer data. In Q2 2019, Facebook boasted 2.41
billion worldwide monthly active users on its platform, not including Instagram, WhatsApp, or Facebook
Messenger users. Additionally, the company is reported to have collected $16.9 billion in revenue for the
three months ending in June 2019, representing a 28% increase over the same period last year.
Regardless of the massive scale, this settlement highlights the growing importance of data privacy
moving forward. Companies will be held more accountable for securing user data and will need to
demonstrate how they are using it. However, instead of viewing government demands as a ceiling and
seeking to meet the minimum security requirements that they detail, organizations should view complying
with government demands as a floor for security and go beyond them to ensure the highest level of
29

comprehensive, proactive protection for user data - otherwise, they may find themselves faced with
similar penalties as Facebook.
The fact that Facebook was fined should come as no surprise. The social media giant has been under
fire for several data privacy incidents for some time. Consider, for example, the Cambridge Analytica
scandal wherein Facebook’s lax data controls were exploited in order to harvest user data (the debacle
also violated a 2012 settlement between the FTC and Facebook). Despite this, the amount that Facebook
was fined is fairly surprising. While the company can afford the $5 billion settlement (which represents
one month’s revenue), others are unlikely to be able to survive fines of this scale. Additionally, the cost
of a data breach typically involves a number of factors, including fines, cleanup and incident response
costs, reparations for customers exposed, and litigation expenses.
In light of the above (as well as other issues such as damage to brand reputation), it is not abnormal for
enterprises to declare bankruptcy after suffering data breaches. In fact, the Retrieval-Masters Creditors
Bureau, the parent company of the American Medical Collection Agency (AMCA), filed for Chapter 11
protection after an eight-month-long breach exposed the personally identifiable information (PII) of 20
million Quest Diagnostics, LabCorp and BioReference patients. The company spent $3.8 million mailing
notices to individual breach victims, and another $400,000 on the consultants and IT professionals that
were hired to assist with responding to the breach. In other words, there is no way that the AMCA could
have afforded a settlement that amounted to one month’s revenue.
Fines are supposed to have a material impact upon the companies against which they are issued;
however, they are not necessarily supposed to drive them out of business entirely. This fine will serve as
a warning to Facebook that mishandling users’ data in the future will have even more severe
repercussions. Facebook and other companies that deal with massive amounts of user data should take
this settlement as a lesson and proactively improve their cybersecurity efforts so that they are doing more
than just complying with regulations or trying to stay out of trouble.
The key to protecting customer data is to treat compliance as the floor for security rather than treating it
like the ceiling. By simply adhering to government demands, organizations may maintain compliance;
however, they are unlikely to be seen as champions of data protection, customer privacy, and corporate
social responsibility. As such, proactively securing users’ data, being transparent about how it's used and
who it may be shared with, as well as allowing users the right to be forgotten, will help establish any
company as a leading, trustworthy organization. As the U.S. begins to think more about regulations at a
state level, ensuring a robust cybersecurity posture will be the most effective way to ensure universal
compliance.
30

About the Author
Jacob Serpa works for Bitglass, the next-gen CASB company. Serpa is
passionate about helping others protect their personally identifiable
information (PII) and earned his MBA at San Jose State University,
where he graduated at the top of his class.
31

Why “Cloud Security 101” Isn’t So Simple After All
By Josh Stella, co-founder and CTO of Fugue
The term “cloud misconfiguration” may not seem like an adequate term to describe the leading cause of
cloud data breaches. It connotes a small, innocent mistake that is easy to fix. However, the recent Capital
One data breach teaches three lessons about the vulnerabilities that cloud misconfigurations create:
attackers can exploit them quickly without being detected, it’s become very difficult for enterprise security
teams to find them before the bad guys do, and the consequences for losing that race can be devastating.
Migrating IT systems from the data center to platforms like AWS and Microsoft Azure can improve
collaboration and productivity among employees, even when they’re scattered across remote locations,
and relieve IT teams of the dual financial and time management burdens of installing, maintaining and
upgrading on-premises systems. Just as the cloud has revolutionized how people get work done every
day, it’s also transformed the responsibilities of the security, risk management and DevOps teams. Cloud
service providers like Amazon, Microsoft and Google clearly explain the shared responsibility model -
they’re responsible for the security of the cloud, but the customer is responsible for their security in the
cloud--including the secure configuration of cloud services they use. Ignoring this responsibility is a recipe
for disaster.
32

New thinking, new strategies, new tools
It’s critical to understand that everything in the cloud—servers, databases, the network, security—is
defined through software, specifically via Application Programming Interfaces (APIs) defined by the cloud
providers. This provides tremendous flexibility, agility and power — including the power to know the state
of all infrastructure at any point in time. However, it also means there is great risk and potential
vulnerabilities stemming from what are effectively software errors—misconfiguration of the resources that
make up the cloud infrastructure.
The traditional approach to security of securing the network perimeter with antivirus, firewalls and other
outward-facing solutions is not adequate in the cloud because there is no perimeter (if there ever was
one). Instead of restricting inbound traffic, the focus must be mitigating cloud infrastructure
misconfiguration through the entire stack, whether due to human error, a lack of policy controls in CI/CD
pipelines, or bad actors.
That’s easier said than done. Today’s hackers use automation to find and exploit these misconfiguration
vulnerabilities before traditional manual remediation methods can fix them. In order to become more
proactive and prevent these threats from doing any damage, organizations need to simulate real-world
misconfigurations to identify security gaps before they are exploited.
Information on the breach that impacted Capital One (and likely dozens of other organizations) drawn
from the FBI complaint and the alleged attacker’s social media posts indicate she discovered a
misconfigured firewall in the Capital One Amazon Web Services (AWS) environment, and used it to
access more than 100 million Capital One customers' accounts in one of the biggest data breaches ever.
It’s just the latest example of how the nature of the threat landscape has changed, due in large part
because the bad guys have grown so adept at using automation technologies to find and exploit
vulnerabilities. The process takes mere minutes, making traditional manual remediation methods too
slow to be effective.
Consider the amount of time it takes—once you’ve found a vulnerability in your cloud configuration—to
create a ticket, get it assigned to an engineer and then have them fix it. Hours or even days could go by
before the issue is fixed. We call this “Time To Remediation”, and your “Mean Time to Remediation”
(MTTR) needs to be in the order of minutes.
33

That’s why your organization also needs to leverage security automation for the cloud. Yes, past issues
caused by security bots and other security automation tools that inadvertently brought down production
systems - have bred an understandable aversion to them among application and IT teams. But we’ve
reached a tipping point where the risks of potential harm are so great and advancements in automation
make it the only viable solution.
As a best practice, look for cloud security tooling that provides true automated remediation “out of the
box.” Otherwise your engineers will have to write lots of tedious and error-prone code that, without the
right application context, can cause destructive changes that can lead to costly downtime events.
Additionally, implement regular testing to determine if security automation is working do not focus on
whether compute resources reappear on deletion, but rather examines what happens if an IAM policy or
Security Group definition is changed. The list doesn't stop there. Other things you should test are S3
bucket configurations and VPC network configurations. Resilient security demands covering all
vulnerabilities an attacker may try to exploit.
Security’s “Shift Left”
Developers use the term “shift left” to describe moving a particular function to earlier phases of their
processes to make identifying and fixing bugs and other errors easier and less time-consuming. Security
teams should embrace shift left and work with DevOps to implement procedures for identifying and
remediating cloud misconfigurations early in the software development life cycle when making corrective
change is faster and less expensive.
This is not only a procedural change, it’s a cultural one. Developers typically relegate security and
compliance considerations as afterthoughts implemented as a gate during the test phase. Then they
grow frustrated when security forces them to perform rework in design, development, and testing, and
blame the security team for delays moving applications into production. Automating the shift left of
compliance and security into the design and development phases can eliminate these delays and
frustrations, and make better systems.
Shared security responsibility
Another important difference in the cloud is that security teams do not have direct access to all network
traffic to monitor for intrusions. This is something cloud providers do as part of the shared responsibility
model. Therefore, the security team’s chief responsibility becomes protecting the service configuration
layer.
34

Cloud services talk to each other via APIs, and the newer ones use identity to configure access, as
opposed to the older IP address space confirmation method. The network perimeter is defined via SDN
and security group configurations. Unlike in the data center, configuration changes to your basic security
posture are accessed via API and are subject to a lot of change for many reasons. IT’s goal is to establish
a more resilient configuration of these services.
This requires a mechanism to revert damaging changes to your cloud configurations back to the healthy
ones. The most effective option is to implement self-healing configuration, i.e., capturing a known-good
baseline and leverage an engine that knows how to revert all mutable changes. Automating the process
relieves the security team of the burden of manually monitoring for and remedying any potentially
damaging changes to the environment.
Better security, fewer tradeoffs
The good news is that your cloud infrastructure can be more secure than your datacenter ever was. The
datacenters run by cloud services providers like Amazon, Microsoft and Google are more likely secure
and more reliably operated than datacenters you are responsible for operating and securing. Additionally,
security and compliance is fully programmable, and that provides you with complete, real-time visibility
into your cloud environments, down to every configuration detail. That was not possible in the onpremises
datacenter with its enormous collection of “black boxes” that require manual configuration.
You no longer have to need to trade speed and agility for security and compliance. In the cloud, you can
have both! Equipped with the right tools, developers can move fast and more securely than ever before.
About the Author
Josh Stella is Co-founder and CTO of Fugue, the cloud infrastructure
automation and Security Company. Fugue identifies security and
compliance violations in cloud infrastructure and ensures they are
never repeated. Previously, Josh was a Principal Solutions Architect
at Amazon Web Services, where he supported customers in the area
of national security. He has served as CTO for a technology startup
and in numerous other IT leadership and technical roles over the past
25 years.
35

Anatomy of a Single Request Attack: The #1 Invisible Security
Threat
By Kevin Gosschalk, CEO and Cofounder, Arkose Labs
Hackers are employing a new type of attack that has quickly become the scourge of network
cybersecurity systems, getting around even advanced detection tools by using techniques that allow them
to impersonate authentic individual web requests. The attacks, in effect, hide in plain sight by posing as
everyday users, opening the door to a wide array of fraud and abuse.
Called Single Request Attacks, they are increasingly being used in the most advanced automated attacks
conducted at scale, such as account takeover (aka credential stuffing), creation of fake users, spam, use
of stolen account cards and denial of inventory. They’re also becoming common tools for hackers that
cheat online marketplaces, generate fake accounts, and scrape valuable content from websites.
Single Request Attacks, despite their name, don’t occur in a single instance, but are delivered through
an organized network of automation as part of a flood of malicious requests. While they may appear to
be a single request from one legitimate user, they are actually part of a large-scale coordinated campaign.
The attacks employ a sophisticated protocol of tactics designed to convince a receiving network that the
requests are coming from human users with authentic intent. Typically, the attacks are carried out using
36

a headless browser—which uses command line rather than a graphical user interface—that can execute
Javascript in just the way you’d expect from a legitimate user. They also use a dynamic fingerprint so the
device origination can’t be identified, and similarly adapt their network fingerprint to prevent identification
of the IP address.
By taking this approach, they avoid the tell-tale signs of an attack that most fraud prevention and bot
mitigation platforms look for, and thus can get waved into the network. They also get by defensive artificial
intelligence and dynamic rule-based systems, which study observable patterns in order to identify
anomalous behavior, because Single Request Attacks each appear to be unique instances.
As an example, Hong Kong Express Airways (HKE), a low-cost Asian carrier, released its online ticketing
platform and quickly began noticing a sharp increase in tickets reserved, but not purchased. This
effectively made the available ticket inventory invisible to genuine customers looking for low-cost airfares.
Despite increased reservations, the number of booking transactions decreased significantly with
noticeable impact on the carrier's revenue. HK Express later discovered that the attacks were particularly
sophisticated in that the reservations appeared to originate from unique users thanks to a multitude of
client-side data disguises. Masqueraded as genuine customers, hackers used bots to overwhelm the
online ticketing platform with seemingly legitimate reservations. Each bot in the attack was capable of
generating and repeating a large number of reservation requests, and was programmed to occupy as
much of the airline’s ticket inventory as possible.
The most effective way to defend against Single Request Attacks is to meet them face to face by
independently challenging suspicious requests that would otherwise not meet traditional risk thresholds.
In addition, this approach neutralizes hackers and eliminates their ability to adjust attack techniques on
the fly.
The Arkose Labs Platform leverages adaptive step-up to shine a light on hackers, stopping them at the
gate, while allowing genuine customers to pass. For authentic users, the process is seamless with no
added friction to the customer experience. Meanwhile, it eliminates the economic incentive that hackers
have by slashing the possible return on investment to such a point that their attack isn’t worth the effort–
or financial cost.
Single Request Attacks are the number one invisible security threat today because they undermine the
long-term effectiveness of incumbent cybersecurity defenses. Single Request Attacks facilitate a
dangerous blind spot in decisioning because they allow nefarious behavior to go unnoticed by enabling
hackers to operate invisibly. Enterprises must prepare for this latent threat by implementing a
continuously-validated approach that challenges suspicious requests without impacting the customer
experience.
37

About the Author
Kevin Gosschalk is the CEO and Cofounder of Arkose Labs, where
he leads a team of people focused on telling computers and humans
apart on the Internet. Before Arkose Labs, Kevin worked on gaming
hardware for the intellectually disabled at the Endeavour Foundation
and built a unique device incorporating Microsoft’s Kinnect Camera
technology. Noted for his involvement in interactive development and
machine vision, Kevin then turned his expertise to automated abuse
and human verification — often regarded as the Internet’s impossible
problem. Today, Arkose Labs has transformed the irritating chore of
comprehension into an SLA-guaranteed technology that prevents
automated abuse for brands like Electronic Arts, Singapore Airlines,
and Roblox. Kevin can be reached online at arkoselabs@10fold.com
and at our company website http://www.arkoselabs.com
38

Adhere to Cyber Security Solutions to Protect Your System from
a Diverse Range of Issues
By Pratik Kirve, Sr. Specialist - Content Writer, Allied Analytics
Irrespective of the kind of business you are running, the importance of digital systems and the Internet
for your daily operations can just not be ignored. And, that’s where IT security solutions appear as a
significant weapon to combat against the potential threats looming large on the World Wide Web.
Cyber security refers to those practices that are set in place to offer the much-needed protection from
cyber-attacks which are meant to impose substantial damage on a network system. And, the best kinds
of IT security for your venture would not only provide you with an all-inclusive solution to deal with an
array of issues, but would also make sure that your network system is safeguarded from the threats of
unauthorized intrusion.
Let’s discuss the common types of threats to your business security-
Spyware- One of the most malicious software, spyware is a typical cyber taint that is fabricated to scout
on your important computer actions and then, spread the information back to the world of cyber criminals.
Ransomware- Ransomware, on the other hand, is delineated to deny access to an individual’s system
until a certain amount of money is debited from their account.
39

Adware- Last but not the least; adware is a form of computer worm that unnecessarily fills your system
with advertisements. At the same time, it can also let other viruses enter your computer once you have
inadvertently clicked on them.
The best security solutions would check these types of bugs from taking effect and make sure that all
your important data are safe within your workplace.
Following are the ways your business can actually reap benefits from a cyber security solution-
Providing an overall digital protection to your business is perhaps the biggest advantage an IT security
solution can provide your business with. With some best cyber security solution on board, your employees
will be able to surf the Internet whenever they need. And, their actions will not be at any risk from the
potential threats.
Protecting personal information is again one of the main indices to consider. Once any personal
information about a customer or an employee is obtained by a virus, it can easily be utilized improperly
to snip money. A good cyber protection would certainly act as a savior in this regard.
Also, there’s no doubt that cyber security solutions would perk up your employees’ productivity to a
significant extent. Viruses can hold up computers to creep and, working on them practically becomes
impossible. When it becomes a sheer waste of time for employees, it can also bring the entire business
to cessation.
A good IT security solution would definitely check your website from going down. As a business
entrepreneur, chances are that you are hosting your own website. Once your system gets affected by
some virus, your website can just be forced to shut down. It will not only make you incur significant loss
from several missed transactions, but can also make you lose the confidence of customers. Viruses can
often do permanent damage to a system. So, your system definitely needs to include an online content
filtration, an anti-virus and a firewall.
As for example, providing a consolidated protection, security solution like Fortinet’s FortiGate firewall,
would make sure that all your employees’ actions are protected in the safest chest, thereby offering a
robust solution against a plethora of different networking issues. And then, when it comes to digital crime,
most of the cyber criminals happen to become much more experienced than any average employee.
And, the best security systems will offer your team the much-needed support they need to effectively
combat the gritty criminals.
Finally, when you give your clients the confidence that your business is well protected from all kinds of
cyber threats, you can actually infuse trust in them, which is highly important in running a successful
business. The more confident they would feel while purchasing your products or using your services, the
greater is the chance for you to pave the way for a strong profit margin.
According to Allied Market Research, the global cyber security market is expected to grow at a
significant CAGR from 2018–2025. Increase in phishing as well as malware threats among enterprises,
surge in adoption of IoT & BYOD trend, and rising need for cloud-based cyber security solutions fuel the
40

growth of the market. On the other hand, complications regarding device security and several budget
constraints among organizations restrain the growth to certain extent. However, mounting adoption of
mobile device applications, demand for strong authentication methods, and huge revolution in traditional
anti-virus software industry have almost modulated the factors and created lucrative opportunities for the
key players in the domain.
Also known as Information Technology security, the cyber security market is expanding quite profusely
and with cyber threats gaining immense importance these days, cyber security activities are getting
prioritized day by day. With this drift on board, the market is expected to thrive yet more in the years to
come.
About the Author
Pratik Kirve is writer, blogger, and poet. He holds a bachelor’s degree
in Electronics and Telecommunication Engineering and currently
working as a Content Writer at Allied Analytics LLP. He has avid
interest in writing editorial articles, news updates, and blogs across
different verticals ranging from technology to healthcare. He has
published his articles in magazines such as Saffron Media and
written for websites such as Genetic Literacy Project, Robotic
Business Review, Sensors Online, and others. When he is not
following updates and trends, he spends his time reading, writing
poetry, and playing football.
41

August Patch Tuesday
Take Advantage of Your August Patch Tuesday Break
By Chris Goettl, Director of Product Management, Security, Ivanti
August Patch Tuesday was a pleasant relief after the massive release of updates in July. But don’t sit in
your lawn chair and open that cold beverage just yet; you still have some things to do before you rest
comfortably.
Microsoft provided a light set of operating system and application security updates. On the operating
system side, we see 35 CVEs addressed for Server 2008 up through 78 CVEs for the latest Windows 10
updates. There are the updates for Office and SharePoint, but that’s about it. Microsoft has no Adobe
Flash Player update this month either!
Microsoft resolved a total of 93 unique CVEs this month, but surprisingly there are NO zero days OR
publicly disclosed vulnerabilities! It has been a long time since I remember that happening. Glancing
through the list, I do see a lot of RDP vulnerabilities this month so make sure you apply these updates
soon. Microsoft calls out two CVEs, in particular CVE-2019-1181 and -1182, in their Response Center
this month which could be exploited via a worm attack. All of the operating system updates are rated
priority 1 due to critical vulnerability ratings and the possibility of remote code execution.
One vulnerability of interest is (CVE-2019-9506) titled Encryption Key Negotiation of Bluetooth
Vulnerability. CERT/CC has issued CVE-2019-9506 and VU#918987 for this tampering vulnerability,
42

which has a CVSS score of 9.3. It requires specialized hardware to exploit but can allow wireless access
and disruption within Bluetooth range of the device being attacked. Microsoft provided an update to
address the issue, but the new functionality is disabled by default. You must enable the functionality by
setting a flag in the registry. Check out the KB for more details.
Microsoft may have had a slow day, but Adobe released 8 updates. If you are a Creative Cloud or
Experience Manager user be sure to review the bulletins because several are rated Critical. Adobe also
released updates for Acrobat and the more common Acrobat Reader with details under APSB19-41.
This update for both Windows and macOS fixes 76 vulnerabilities which are all rated as Important. There
are updates for the Continuous, Classic 2015, and Classic 2017 versions of the products. There was also
a non-security update for Flash, but it was not included with the release from Microsoft.
With a light patch load this month, it may be a good time to revisit the asset inventory of systems you are
patching. We often set up our patch groups of systems and go through the motions each month of
applying the latest patches, but we may be missing the bigger picture. IT organizations are often
dispersed and the systems they support are constantly changing. Without ongoing communication
across the organization or dynamic settings in your patch products, you may be missing many machines
that need updates. The good news is the patch tools we use each month have extensive discovery
features and can help identify the latest systems on the network. Likewise, there are a whole host of
network and system tools you can use. Don’t forget to coordinate with your security operations team. The
vulnerability scanners they use have built-in discovery as well.
Armed with a consolidated list of systems on your network from all these sources, you can confirm your
patch groups are up-to-date and investigate any suspicious devices you may have discovered. Finally,
with an updated asset inventory and your patches all applied, you can now relax, enjoy the sun, and open
that cold beverage!
About the Author
Chris Goettl, is director of product management, security, Ivanti. Chris is a strong
industry voice with more than 10 years of experience in supporting, implementing,
and training IT Admins on how to implement strong patching processes. He hosts
a monthly Patch Tuesday webinar, blogs on vulnerability and related software
security topics, and his commentary is often quoted as a security expert in the
media.Chris can be reached on Twitter @ChrisGoettl and at Ivanti's website:
www.ivanti.com.
43

Top 5 Questions about the Capital One Data Breach
By Ilia Sotnikov, Vice President of Product Management, Netwrix
Data breaches that affect financial institutions always become hot topics to discuss. The recent hack at
financial giant and credit card issuer Capital One exposed records of almost 106 million people, which
makes it one of the largest hacks in banking industry ever. This breach took place just a week
after Equifax reached a $650 million consumer settlement related to the 2017 breach, which is a sad
reminder that no one is safe against breaches and we still lack security.
I would like to share the key facts about the hack to answer the most popular questions and provide
recommendations that may help organizations mitigate similar risks.
What happened?
According to Capital One, the breach happened on March 22 and 23, 2019, when an intruder exploited
a weakness in a misconfigured web application firewall to gain privileged access to company data stored
in an Amazon Web Services (AWS) database. Capital One learned about the breach from a tip sent via
email on July 17, which said that some of the company’s leaked data was posted on the software
development platform Github.
44

Who is to blame?
On July 29, FBI agents arrested the software developer and former Amazon Web Services (AWS) employee Paige
A. Thompson. According to the criminal complaint, Thompson exploited a misconfigured firewall to
access, copy and download nearly 30 GB of sensitive data from an AWS server, where Capital One
stored this data. Later she posted on GitHub about her theft of this information.
What was the damage?
This hack exposed the records of almost 106 million people from the U.S. and Canada. All this personal
information is related to credit card applications from 2005 to early 2019. Among the data exposed were
names, addresses, dates of birth, credit scores, transaction data, Social Security numbers and linked
bank account numbers. Specifically, Capital One mentions 140,000 stolen Social Security numbers and
80,000 linked bank account numbers, as well as 1 million Social Insurance numbers for Canadian
customers and applicants.
How did Capital One handle the breach?
Despite Capital One became aware of the breach several months after it happened, the company has
demonstrated good cybersecurity practices during this breach. They appeared to know what data they
store and were able to selectively protect the most sensitive. For example, although credit applications
of millions of people were stolen, no credit card numbers and a relatively small amount of Social Security
numbers were compromised due to the bank’s practice to tokenize these pieces of information. Capital
One was also prepared to isolate and patch the vulnerability in under 10 days, once it was reported.
Finally, Capital One is demonstrating clear and timely communications, which is extremely important in
keeping the public’s trust in the aftermath of a breach.
Why is this breach unique?
This incident is different from most we hear about for several reasons. First, cybersecurity attacks are
usually hard to attribute. In this case, the alleged hacker has been arrested just 10 days after the breach
was discovered. While the defendant was trying to cover her tracks, she herself described the hack in
several messages on Slack and Twitter. Second, it looks like the hacker was not looking for financial or
political gain, but rather just enjoyed cracking complex puzzles. This leads us to believe the stolen data
was isolated and is less likely to be used for fraud or other unlawful activity.
Overall recommendations: how can you mitigate the risk of similar breaches?
This data breach highlights the importance of user activity monitoring. The attacker gained access to data
through a misconfiguration in web application firewall and likely compromised a privileged account. To
45

mitigate the risk of such incidents, you need to automatically track the activity of users and set up alerts
on both violations of security policy and deviations from normal patterns of behavior, such as attempts to
copy large number of sensitive files. You also need to have controls to investigate the activity of any user
across the IT infrastructure, especially when potentially suspicious actions are flagged.
About the Author
Ilia Sotnikov is an accomplished expert in cybersecurity and IT management.
He is Vice President of Product Management at Netwrix, provider of a visibility
platform for data security and risk mitigation in hybrid environments. Netwrix is
based in Irvine, Calif.
46

The Need of Automatics and Control in Incident Response
By Milica D. Djekic
The incident response as a cyber defense active measure could require the highly skillful IT security
professionals who should get capable to detect, handle and mitigate the threat. The threat by itself is the
likelihood that something could get wrong with your cyber infrastructure and if you believe into the
Murphy’s Law – anything that can go wrong would go wrong. The similar situation is with the engineering
systems that could also cope with the risk or the real presence of mistake in their operating. In control
engineering, those potentials for some system’s inaccurate functioning are called the disturbances.
In the both cases, those risks would come from the outside and sometimes some inner factors could
cause so unpleasant working conditions. On the other hand, the experiences from the automatics and
control would suggest that you need to compensate the disturbance somehow if you want to make your
solution working accurately. The similar situation is with the incident response that would rely on the
human workforce that would get the task to think hard and resolve any unexpected occurrence in the
cyberspace. The cyberspace is so dynamic and complex ecosystem and similarly as in the physical
reality – its rules could be far more complicated. The reason for that is if you apply mechatronics and
control to your power plant – you can always expect that some external factors could disturb your control
system or there could be the other reasons to any potential catastrophic event.
The fact is the modern warfare would get transferred from the physical domain into the cyber
environment, but the impacts of those operations could get so far reaching as well. In other words, there
is the strong need to make your incident response team getting equipped with the cutting-edge solutions
as their role in cyber defense is from the strategic importance to the entire cyber security chain. Finally,
it’s so critical from the perspective of IT security to underestimate the significance of smart technologies
that could support you in your intent to make the task to your incident responders getting so convenient
and less difficult.
47

Anything cyber analyst knows could get automated
When we talk about the incident response – many would get the picture of ultra modern security operating
centers with the teams of analysts and incident responders. Those guys would shift from time to time and
do the great job, indeed, but the reality is far more different from that. In the practice, so many
organizations would not deal with any security operating centers or at least they would cope with the only
one IT security professional that would literally get overloaded with the plenty of heavy work mainly on
ad hoc or part-time basis. So, the cyber analysts would deal with the highly sophisticated tools, but they
would be the ones who would make a decision about any action being taken on. The good question is
that how we could tech our software to automatically make some decisions on and make the work to the
people getting much easier.
The mechatronics and control is the field that would progress, so far, through the past few decades and,
apparently, there would be so many autonomous systems that would manage the behavior and working
process of, say, aircrafts, vehicles or space industry advancements. Well, the idea is that you could apply
that adaptive algorithm to navigate your security tool to make so rational decisions as the real IT security
analyst would do. In other words, anything your incident responders know should get automated primarily
for their own convenience and secondly for the better usage of such intelligent equipment. Above all, the
human workforce would, in such a case, serve to monitor and maybe resolve some unpredicted scenarios
and the rest of the task would go into the hands of smart software. Further, as you have the self-driving
cars on the roads today – you could count on the self-responding tools that would work under the human
supervision, so far. Finally, it appears that the cyber industry got a lot of that to learn from the other
branches of science and technology.
Why incident response is a key pillar of defense
As it’s quite well-known, the good security would include the prevention, monitoring and incident response
into its practice. The incident response is any method of activities and actions that would give you an
opportunity to resolve any incidental situation happening within your IT devices and networks. Sometimes
in order to resolve some complications with your grid you need to disconnect your entire infrastructure
from the web which could mean some discontinuity from your work and consequently recovery from such
occurred disaster. The faster you respond to your incident – the better outcomes of your effort would be.
The incident responders and analysts are so bright and knowledgeable guys who could handle almost
any situation in the cyberspace, but the trouble is there is still the huge shortage for such a workforce. In
addition, the ongoing marketplace would need more and more such professionals and in the future we
can expect the big investments into that area of technology.
The role of control engineering in cybersecurity
As we would suggest through this effort, the modern self-driving systems would be the products of control
engineering and they would mostly cope with the adaptive algorithms of control. In order to adapt to your
environment you need to sense such a surrounding before you choose what you would do the next. The
adaptive control is far more beyond the feedback loop and even if you need the sensors in both cases –
you should figure out that in the both instances – the adaptive systems would get developed to deal with
much more variations of the practical engineering concerns. It would seem that the adaptive control would
offer us the quite robust solutions and that is the case, so only highly capable and experienced engineers
could take part into research and development of such improvements. Finally, if we use only the smallest
piece of brain getting with the good control engineers – we would realize that the software engineering
48

got the chance to cope with the self-responding and self-resolving algorithms for the incident
management.
Sensory software as an imperative for accuracy
The adaptive solutions would deal with a lot of sensors giving them the chance to develop some
situational awareness about their surroundings. Those sensors are usually the devices that would
measure some physical variable and send that information to the computing unit. In other words, just try
to imagine what it would happen if we would measure some cyberspace variables such as IP address,
password, traced route and so on. In such a case, we would get the heaps of findings and information to
process using some programming algorithms. If your measurements are accurate, you would get the
chance to cope with the trusted data and force your system operating in much more accurate manner as
given through its adaptive algorithm. In other words, if your intended behavior is so close to your real
behavior – you can trust to that system. Finally, your accuracy would go under the question mark if you
are not able to mitigate your threat as you are doing the compensation of the disturbance in the control
engineering.
The ending notes
It’s always good to deal with the diversity for a reason you would never know which area of science and
technology could inspire you to make a breakthrough in another field of interest. It’s not the news that
there would be the entire multidisciplinary teams of experts who would cope with a lot of brilliant ideas
and suggestions getting so helpful for the rest of the researcher’s community. In conclusion, there is the
obvious analogy between the cyber defense and control engineering and such a synergy could support
us in discovering the new ways in both arenas.
About The Author
Milica D. Djekic is an Independent Researcher from Subotica, Republic of
Serbia. She received her engineering background from the Faculty of
Mechanical Engineering, University of Belgrade. She writes for some domestic
and overseas presses and she is also the author of the book “The Internet of
Things: Concept, Applications and Security” being published in 2017 with the
Lambert Academic Publishing. Milica is also a speaker with the BrightTALK
expert’s channel and Cyber Security Summit Europe being held in 2016 as
well as CyberCentral Summit 2019 being one of the most exclusive cyber
defense events in Europe. She is the member of an ASIS International since
2017 and contributor to the Australian Cyber Security Magazine since 2018.
Milica's research efforts are recognized with Computer Emergency Response Team for the European
Union (CERT-EU). Her fields of interests are cyber defense, technology and business. Milica is a person
with disability.
49

Preventing Business Email Compromise – a $300 Million Dollar
Problem
Organizations Heavily Invested in Security Solutions Fall Victim to Social Engineering
Attacks and Human Error
By Ameet Naik, Director of Product Marketing, Armorblox
A recent report from the Financial Crimes Enforcement Network(FinCEN), a division of the US Treasury,
shows that Business Email Compromise (BEC) costs the US economy over $300 million each month.
This is a staggering amount, especially considering that a large portion of this is borne by small and midsized
businesses.
FinCEN has issued an advisory to financial institutions alerting them to the scope of the problem. While
banks can do their part in detecting and blocking suspicious transfers, information security practices also
need to evolve to counter these threats. BEC scams don’t just steal money, they also steal data, which
can then be used to perpetrate more sophisticated scams, and leave organizations exposed to liabilities
and compliance penalties.
50

Why BECs Work: Social Engineering Not Hacking
Unlike malware, or phishing links, BEC attacks are simple textual emails that look just like any other
email. Invoices, contracts and payroll documents are routinely shared over email both within an
organization and with external parties, such as vendors, contractors, business partners, and former
employees. An attacker with some knowledge of these workflows can inject a spoofed email into the flow
with a fake invoice, or a request for gift cards for example. These emails often use social engineering
tricks like pretending to be from an authority figure, or feigning urgency.
The top method for BEC scams according to the FinCEN report is invoice fraud, followed by gift cards.
The funds are usually first sent to an account within the US to take advantage of the high speed payment
networks. By the time the organization realizes they have been scammed, the funds are usually wired to
overseas accounts, or converted into hard-to-trace cryptocurrency.
The victims often have little recourse once this happens. The FBI’s Internet Crimes Complaint Center
(IC3), tasked with fighting BEC fraud, estimates that over $12 billion have been lost to such attacks since
2013. If the attack is detected early, the FBI can work with financial institutions to block or reverse wire
transfers. However, in majority of the cases the funds are lost for good.
Email is a Truck-Sized Hole
Email is a truck-sized hole in most organizations’ cyber defenses. It’s an open communication channel
over which employees can exchange documents, invoices, contracts with almost anybody on the Internet.
Email’s simplicity is very attractive to organizations that are more recent digital converts. Sadly, they’re
the ones most vulnerable to BEC attacks. According to the FinCEN report, manufacturing and
construction were the top hit industries in 2018, followed by real estate. BEC attacks not only cause
financial loss to these organizations, but also poison the ecosystem by eroding trust in digital channels
like email.
Traditional email defenses have focused on inbound threats, such as spam and malware. However, BEC
attacks are targeted, and contain no malware, which means they can sail past all legacy inbound email
defenses. Email data loss prevention (DLP) solutions try to prevent data exfiltration over email, but suffer
from a high rate of false positives, which clog up incident queues, and lead to alert fatigue. Hence most
organizations don’t have effective outbound controls in place to prevent BEC-induced data leakage.
Infosec teams are struggling to solve this problem since any restrictions on inbound or outbound emails
risk throttling business processes, impacting productivity. Technical controls, like DMARC, DKIM and
SPF, are blunt instruments that risk blocking vast swathes of legitimate emails. So most organizations
that validate DKIM/SPF have a fail-open policy that lets in non-compliant emails. Metadata controls like
these are ineffective in preventing BEC.
51

The Need for Understanding
Detecting and stopping BEC attacks requires thorough understanding of not just the metadata, but also
the contents of emails and attachments. Some of the indicators of BEC emails are:
• Impersonation: The email appears to be from a known party, but the email address is different.
Sometimes these differences are difficult to notice; ex. açme.com, instead of acme.com.
• Tone: The email has a tone of urgency, or it’s sent during busy periods, such as the end of the
quarter, or tax season.
• Writing Style: The email appears to be from a trusted party, but exhibits a different writing style.
• Content: The email contains sensitive information, like wire transfer details, gift card numbers etc.
Security awareness training can help users recognize signs of BECs, but human cognition has its limits.
Social engineering has been highly effective in exploiting these limits. Even the best of us have days
when we’re vulnerable to compromise.
Security Powered by Understanding
This is where machine intelligence can make a marked difference. Natural Language Understanding
(NLU) is a branch of Natural Language Processing dealing with language comprehension. (If you ever
used Siri or Alexa, you have already used NLU.) Using NLU, machines can actually understand the tone,
content and writing style of emails. This is a brand new signal which, when combined with legacy
metadata signals and an understanding of communication patterns, can accurately detect BEC attacks.
Machines are immune to social engineering, and their comprehension does not change with the time of
day or their workload. As a result, they can make objective observations and inform the recipient when
an email is a potential threat.
Armorblox has built the world's first natural language understanding (NLU) platform for cybersecurity to
help information security practitioners and organizations defend against BEC attacks. Amorblox analyzes
context, tone and writing styles across communications platforms, stopping today's biggest attacks by
detecting and preventing inbound threats and outbound data loss.
The Armorblox NLU-powered cybersecurity platform connects to your cloud-based or on-premises email
platform such as Office 365, G Suite or Microsoft Exchange. Using the latest advances in NLU and deep
learning, Armorblox analyzes emails to understand social interactions, writing styles, and conversation
topics between users both inside and outside your organization. When new emails come in, or are sent
out, Armorblox can detect if the email represent a BEC attack or data leakage. Depending on
customizable policies, Armorblox can then alert the user using labels within the email, or quarantine the
email and alert the security admin.
For more information, read our whitepaper on Securing the Human Perimeter with NLU, or see the
Armorblox NLU platform in action with a personalized live demo.
52

About the Author
Ameet Naik is the Director of Product Marketing at Armorblox, with
more than 20 years of experience in information security and data
networks. Having held senior solutions engineering roles for
several of the leading networking and security vendors, Ameet has
advised multiple global service providers and financial services
organizations on best practices in enterprise security since the
early days of the Internet. A nerd at heart, Ameet loves to write,
speak at industry conferences and travel the world in search of
clever ideas and good food. Ameet holds an MBA from the Kellogg
School of Management, and a Bachelors degree in Computer
Engineering from the University of Mumbai. Ameet can be reached
online at Ameet@armorblox.com or @naik_ameet, and at our
company website http://www.mycompany.com/
53

Security Research as an Anti-Malware Secret Weapon
By Milica D. Djekic
Any malware being known to the cyber community or still getting the status of the advanced persistent
threat is the potential risk to your IT asset. There are so many sorts of malware such as spyware, viruses,
worms, Trojan Horses and so on and all of these malicious applications are created to make harm to
some computer and its network. The malware is only about the piece of code that would cope with the
capacity to multiple itself and execute on its host machine or environment. It can infect the entire files,
folders and operating systems causing so many troubles and headache to its targets. So, this story could
sound a bit of scary and in the practice, there are some prevention measures such as anti-malware
software that can discover and destroy the malware literally occupying your system on.
On the other hand, we would mention the advanced persistent threats that are also the malware in their
basis, but they are not known to the cyber industry – so they can pass through any known way of defense.
This is quite trickery – you would agree – because those malicious programs would just get the access
to your surroundings and take a plenty of inappropriate actions that could confuse even the experienced
IT professional who may wonder what has happened for real for a reason his anti-malware prevention
would not signalize anything. Simply, the entire device and its network would start dealing in so crazy
way and you would probably lose some of your data, but your anti-malware application would just claim
everything is absolutely alright. As you can get, that is the quite inconvenient scenario and the fact is
even if you run your scanning capabilities, you would get nothing as the outcome.
In addition, the hackers would produce new and new bad software day by day and every single day in
the world someone would get infected with them and that person would not even know that, so if we
assume that the role of the defense community is to go at least one step in front of the threat – it’s quite
obvious why we need the effective mechanisms to combat such a risk and keep the hacking underground
under the control. In the essence, the modern Law Enforcement would cope with the capacity to answer
54

to these trends and briefly after the bad guys spread some malicious product over the internet – the good
guys would figure out that and through their hard work develop the certain procedures as well as solutions
how to respond to such incidents.
What is the security research?
The most effective method to deal with the malware threats is to invest into the security research. Such
an area of the interest is all about how to investigate what is happening in the cyberspace and attempt to
find the possible countermeasures to those schemes. So, in other words, you need some kind of
situational awareness about what could occur in your IT surrounding as well as find some ways of defense
to those risks. This is not the easy task at all and so many security researchers would spend a lot of their
time with the hacker’s spots either being on the Visible or Deep Web trying to realize what got new
amongst the bad guys. Basically, it takes a heap of time and effort to invest every single day into your
investigation and every single time you find out anything being novel you would need to prepare the
skillful report about so and transfer your findings to the forensic lab where all of those information would
get examined and tested.
The security research is the good starting point to many Law Enforcement investigations and once
someone reports that his IT asset got so strange behavior – the security analysts should deal with such
information and try to identify which sort of the bad code got responsible for such an attack. On the other
hand, the security research is about the hours being spent in front of the screen and investigating as well
as discovering the places on the web where the cyber criminals like to spend their time and leave some
trace. This sort of occupation needs the great skill and so patient professionals who would get capable
to investigate everything in so rational and critical manner.
Security research and malware identification
The purpose of security research is to identify the malicious code that is not previously known to the rest
of cyber community and try to include such a program into some anti-malware database. Once in such a
database – the malware would get recognized every single time when it approaches some IT
infrastructure that uses the adequate anti-malware system. In this case, we would mainly talk about the
end user’s experiences and possible about some business implications and impacts of such a tendency.
It’s not the rare occurrence that the hackers would attack some server or datacenter that would also deal
with some anti-malware protection and try to infect as many internet users as they can in order to obtain
some kind of sabotage and try to paralyze some business assets causing the total working discontinuity
and consequently some financial losses. For such a reason, it’s so important to follow the best practice
with the security research, because it’s quite obvious that the potential malware attacks could have so
dramatic consequences to the entire society and in some cases to the good portion of economy.
The purpose of anti-malware software
The anti-malware software is the good method of protection to the both – personal and business needs
and it’s quite clear why we need such a solution to remain cyber safe. Also, the anti-malware application
is not the silver bullet and, in other words, if you get that piece of program getting installed on your
machine you would be so far from being absolutely secure. In the practice, so many anti-malware
applications could get downloaded from the internet for free and those software would use the standard
updates as their security researchers and forensic laboratories are identifying new and new malware on
55

the web. The point is your anti-malware solution could prevent you from being infected from the malware
being known to the cyber industry, but it cannot protect you fully. In addition, so many web links could
get uploaded the bad piece of code with them and those connections are mainly applied in the phishing
campaigns, so the fact is there are some online applications that could support you in investigating such
links before you make a click on them and potentially get infected with some malware.
Forensic examinations of today
The modern teams of the cyber security forensic investigators would usually deal with the high-tech
equipment and get in position to cope with the security researchers’ reports doing some analyses and
testings of once discovered code. The experience would suggest that those experts would try to isolate
the malicious application trying to observe its behavior and if they get the chance to obtain its sourcecode
– they would also investigate that. Never underestimate the power of the good investigative team
for a reason those guys could be that skillful to find literally everything about some malware including
their code in some programming language environment. In other words, the field of digital forensics and
security research could offer us nearly limitless opportunities and it’s not surprising at all that the response
to any new vulnerability would be such fast.
The concluding remarks
It would appear that the human factor in the security research as well as cyber forensics could play the
crucial role in pushing a defense getting at least one step in front of the threats. As time is going on – the
bad guys would cope with some activities in sense of producing the emerging malware software and the
good guys would not stay without any response regarding such a situation. Apparently, they would also
work so hard in order to figure out how to manage the risk and resolve anything being so concerning to
some nation, business and economy, so far.
About The Author
Milica D. Djekic is an Independent Researcher from Subotica,
Republic of Serbia. She received her engineering background from
the Faculty of Mechanical Engineering, University of Belgrade. She
writes for some domestic and overseas presses and she is also the
author of the book “The Internet of Things: Concept, Applications and
Security” being published in 2017 with the Lambert Academic
Publishing. Milica is also a speaker with the BrightTALK expert’s
channel and Cyber Security Summit Europe being held in 2016 as well
as CyberCentral Summit 2019 being one of the most exclusive cyber
defense events in Europe. She is the member of an ASIS International
since 2017 and contributor to the Australian Cyber Security Magazine
since 2018. Milica's research efforts are recognized with Computer
Emergency Response Team for the European Union (CERT-EU). Her
fields of interests are cyber defense, technology and business. Milica is a person with disability.
56

Ways to Protect Sensitive Data Online
By Ebbe Kernel, data mining researcher & writer
The world has witnessed a number of high-profile data breaches over the last couple of decades. While
the impact of these breaches on individuals has been seriously underreported – lives have been
destroyed by identity theft and other intrusions made possible by massive data breaches – they have
highlighted a serious issue.
Many of the corporations involved in these breaches; Sony, Facebook, Equifax, and Target to name just
a few, aren’t exactly small fish. The fines levied on them so far in punishment have amounted to the
mildest of slaps on the wrist. They have not been effective deterrence and corporate complacency
continues to keep cybersecurity professionals eternally frustrated.
GDPR
The General Data Protection Regulations were bought in across the EU last year in response to repeated
incidents of corporate negligence resulting in data making its way into the wrong hands. GDPR fines are
57

levied as a percentage of a business’s earnings, and everything so far suggests they are an effective
deterrent.
British Airways and Marriott
In July 2019, British Airways and Marriott found themselves on the receiving end of the largest GDPRrelated
fine in history, by quite a considerable margin. The Information Commissioner’s Office (ICO), the
UK body that deals with data protection laws, has fined BA $230 million for a breach of data involving
500,000 customers. The fine relates to the actions of British Airways between June and September 2018.
Meanwhile, hotel chain Marriott received a proposed $123 million fine for losing the information of 339
million guests. The data loss was first reported in November 2018.
Before a final decision is made, both of the businesses will be able to respond to the allegations before
any final decisions are made. Predictably, both companies say they will appeal the fines. Researchers
notice we’ll continue to see such a massive data breaches in 2019.
Keeping Your Data Safe Online
Keeping your data safe and your identity secure online should be easy. However, the unfortunate reality
is that no matter what steps you take, you need to trust a business to look after your data properly.
Fortunately, there are some things you can do that will hugely reduce your chances of having your data
stolen and will enable you to avoid the most obvious traps.
Spotting a Fake Website or Email
Phishing attacks are a type of cyberattack that direct victims towards a malicious page that looks
legitimate. Targets enter their login information, thinking they can log in to the service, and this is then
passed on to the criminals. The most sophisticated phishing attacks can be very difficult to discern.
The most obvious sign that an email is a phishing email is that the address is spelled incorrectly or utilizes
the incorrect suffix. You should avoid clicking links in emails, especially if you aren’t expecting them. It is
very easy to set up a phishing email with disguised URLs. This means that even if you check the URL
target before you click, you may find yourself redirected.
You should still always check what URL shows when you hover your mouse over a link. If the website
you are being directed to is clearly wrong, you can avoid it.
The content within a website is another giveaway. If you are in doubt, navigate to the website you are
viewing from the homepage in your browser and make sure that the page you are looking at matches the
real thing.
58

Finally, check for the trusty padlock in your web browser that indicates the website uses a using a secure
https connection before you enter any sensitive information.
Using a Proxy
Whenever a device connects to the internet, it is assigned an IP address. By default, this IP address is
easily viewable to any server that your devices connect to. Even worse, IP addresses can be traced back
to specific physical addresses. An IP address is required to get online, there’s no getting around the need
for one.
However, by connecting to a proxy server before you connect to an internet server, you can ask the proxy
to access the website for you. From the perspective of the website server, a proxy server is connecting
to it and requesting websites in the same way a laptop or smartphone would.
With this being said, you should avoid free proxy services like the plague – they are the perfect way to
steal your data. If you choose to use proxies, stick to reputable paid-for services instead.
If you want to improve your online anonymity, a proxy service will enable you to obscure your IP address.
You can also connect via proxy servers around the world in order to circumvent region-blocking.
Get a Password Manager
Head on over to haveibeenpwned.com and enter your existing email address. Try a few of your previous
addresses as well and see if any results come up. This website will inform you if your details are found
in any hacked databases.
If any results do turn up, immediately change your password for that account and any other accounts that
might have used the same password. This is a neat illustration of how a single breach can reveal the
login credentials for multiple accounts.
The best solution to this problem is to use a password manager. There are lots of free and open-source
options, and yes, in this case, you can trust the free options. Open source means that their source code
is audited, vulnerabilities fixed, and minimal chance for any malicious activity.
Two-Factor Authentication
Two-factor authentication is an increasingly common security measure that you should take advantage
of whenever you can. What this usually means is that an email or text will be sent to you with an activation
code every time you log in. This means you need access to the code as well as the account password.
Some 2-FA systems utilize a code-generating app like authy instead.
Staying safe online is mostly a case of exercising common sense. As long as you steer well clear of any
websites that you aren’t completely certain about, or which are being presented from unknown sources.
59

If someone you know sends you a strange-looking email with an unexpected attachment or link, confirm
it is genuine before letting your guard down.
As long as you stick to the advice above, you can at least feel a little safer online.
About the Author
Ebbe is the data mining researcher & cybersecurity writer. He believes
in data power and everyone’s freedom to become a self-starter. Also, he
is here to help you stay anonymous online. Ebbe can be reached online
at info@ebbekernel.com.
60

Artificial Intelligence-Driven Situational Awareness
By Milica D. Djekic
Once you get into the new environment you would begin digging in the darkness trying to figure out what
is happening there. Maybe you would cope with so many ups and downs before you learn the rules of
such a surrounding. In other words, any new situation or event would seek from you to develop the certain
level of situational awareness. The situational awareness is about knowing what is going on around you
at some time and within some surroundings. In the security sector, there would be a plenty of education
and training getting provided that would teach the defense staffs how to recognize and handle some
situation. So, the people can learn such a practice and use their well-developed learning curve to cope
with some situation.
On the other hand, no situation is unique and it may take some time before you adapt to the ongoing
circumstances. The security area is so wide and it would normally cope with the Law Enforcement, armed
forces and intelligence community – so either you are gathering your findings for some investigation or
the military operation it may take a while before you obtain enough such findings and make a decision to
take the next step on. Sooner you develop the quite good situational awareness – better you would
progress with your security campaigns and missions. On the other hand, in order to figure out what is
happening within some zone you need to rely on some bases either coming from your training, everyday
routine or simply the experiences, so far.
The similar case is with the cyberspace environment. More you study, better you would do! From such a
perspective, it’s quite clear that the accuracy is the top imperative to any situational awareness mission.
Never let your situational awareness findings discourage you for a reason from time to time it may appear
that you would deal with so heavy and sometime irresolvable set of the occurrences. The ancient proverb
would say that the fortune favors the bold, so always believe in your bravery and some good luck getting
the chance to happen on your battlefield. The battlefield is not only the matter of military operations. Even
the entire investigation teams could feel as the warriors who got no opportunity to give up from their
combat before they resolve their case. As many experts would figure out, it’s only about the never ending
game between the cat and the mouse, so far.
61

Communications protocols in computer science
Let’s return to the cyber defense and try to explain how the communications between two devices
functions. First, the both computing units would get set up to exchange the information, but only under
the certain conditions. It’s quite well-known that anything within the electronics is about the low-voltage
electricity, so two devices in the computer’s network would exchange the electrical signals before they
provide the entire packets of the information. So, it’s all about the good programming and the way how
you would design your machine to operate. The communications protocols are nothing else but the
intelligently created quizzes that would make two machines questionize each other about some concerns.
Such a quiz could deal with a lot of questions and only if all the answers are correct – you would get the
permission to successfully exchange your data on.
In so many cases, those communications protocols could deal with some encryption making them hard
to get listened. That sort of cryptography could get recognized as the communications line encryption
and so many Darknet browsers would count on that technology offering some level of privacy, security
and anonymity to their users. On the other hand, we could see the developers as the key actors in making
such a solution, but never overestimate the possibilities of the programmers because they need to cope
with the subject matter experts in order to develop something that would get so useful and helpful in the
practice. In other words, the majority of the professional programmers are so smart guys, indeed, but
their daily routine would include the counting of the code’s lines and basically, they would cope with the
great mathematical and logical skills, but they would not be overpowerful. Only in the team with the other
experts – they would have the chance to make something getting so competitive and intelligent from the
point of view of the end users. In addition, if you want to develop the reliable communications protocol,
make your developer dealing with the engineers for telecommunications, electronics and computer
engineering at the same glance and then expect such a multidisciplinary team of the professionals would
resolve the majority of your concerns.
Everyday's check in security
Anyone serving in security business would know that there are some procedures, polices and protocols
that should get followed in order to remain active with your service. For instance, if the higher officer
wants to confirm something about his staff – he would so carefully make the questions on trying to gain
the confidence about his apprentice. If the answers to those questions are satifactionary, the higher
officer would give some piece of the information to that guy and afterward try to cover on the rest of such
a communications. Not every single day such a quizzing would be the same. The security professionals
would always make some changes in order to camouflage what they really know and do. Only the clever
people would get capable to cope with those changes and remain in the service and in so many cases,
such a way of thinking would get learned through the carefully prepared education and training courses.
So, from time to time everyone would get updated about the new tendencies and the better you get – the
higher you would go with your rankings.
How to teach machines to deal like humans
From the nowadays perspective, the machines are still many steps behind the humans, so the
straightforward answer to the question how to make them dealing like the folks would not completely
exist, so far. Our approach would suggest that any defense officer dealing with some checking skills
would get in mind the combinations of so many different questions and if we figure out it’s only about the
expert’s knowledge and the certain amount of accurate responses – we could get that such an approach
62

could get so handy in the world of the machines as well. In other words, it’s only about the expert’s
knowledge databases of questions and answers that should get appropriately matched with each other
in order to make the good linkage and allow the transfer of the accurate suggestions going through such
a communications channel. For such purposes, we can see the strong applications of the artificial
intelligence and machine learning as the key factors of the cyber security and defense, in general.
Get aware using artificial intelligence
Our suggestion would be that it’s so necessary to try to make your neural network learning through the
examples as it is the case with the today’s advancements, so far. So, if you put the expert’s knowledge
against the expert’s knowledge into two separated databases and if you try to compare the results of
those correlations – you would undoubtedly deal with the intelligent solution that would provide you some
level of the confidence about someone responding to those concerns. More you are confident about
someone’s knowledge, more credits that person would get. The similar scenario could get applied in the
case of the information collection and situational awareness development. In other words, you need to
compare so many stuffs with so many things in order to make the rational and objective conclusion about
the certain situation, so far.
The finalizing discussions
In conclusion, the accurate situational awareness could be from the vital significance for dealing with
some situation. Even if it would appear that there is no exit from some situation – just try to think twice! If
you put more effort with your thinking process, maybe you would figure out that there are some methods
to take even symbolic advantage over some condition. The point is to never give up and maybe if you
are not in position to win the battle today – you may get the entire war even tomorrow.
About The Author
Milica D. Djekic is an Independent Researcher from Subotica, Republic of
Serbia. She received her engineering background from the Faculty of
Mechanical Engineering, University of Belgrade. She writes for some
domestic and overseas presses and she is also the author of the book “The
Internet of Things: Concept, Applications and Security” being published in
2017 with the Lambert Academic Publishing. Milica is also a speaker with the
BrightTALK expert’s channel and Cyber Security Summit Europe being held
in 2016 as well as CyberCentral Summit 2019 being one of the most
exclusive cyber defense events in Europe. She is the member of an ASIS
International since 2017 and contributor to the Australian Cyber Security
Magazine since 2018. Milica's research efforts are recognized with Computer Emergency Response
Team for the European Union (CERT-EU). Her fields of interests are cyber defense, technology and
business. Milica is a person with disability.
63

Attracting and Retaining Staff for a Fusion Center
The best way to collaborate talent within a security eco-system
By Karl Sharman
Fusion Centers were formed following the devastating 9/11 terrorist attacks in New York and now mainly
form a way of analyzing and dissecting threat intelligence. It initially was started within government or
federal organizations but has more recently been seen in primarily the financial services industry. This
move has been seen with a lot of attention and is being seen both as a candidate attraction tool as well
as more importantly a way of collaborating to help mitigate risks to the organization.
Staffing within Fusion Center is an attractive space with salary growth outpacing the national average as
the talent gap widens. This means further strain on budgets within security so thinking outside the box
and understand how to attract a diverse pool of candidates are crucial within hiring for this area.
Often recruiting for Fusion Centers means we get a stronger response rate due to the excitement and
mystery it causes candidates. The collaborative approach and branding often interests people to want to
pursue a move into a Fusion Center. A Fusion Center often has a range of skillsets required so often
people with a range of skills are sought after, but more than that a person with soft skills are required with
this eco-system.
Soft skills in a Fusion Center are what is required for success. Skills such as critical thinking, knowing
how to challenge, being pragmatic, a strong communicator and someone who has a real passion about
64

the job. These skills are arguably the hardest to assess however, organizations should provide behavioral
questioning, situational questioning and spend time with candidates face to face in order to see common
trends in both body reactions and communication. Ultimately, a resume can only tell you so much, so
begin to adopt video earlier in the process to assist in screening candidates.
The range of skills required, and the widening talent gap means that organizations must look from
traditional and non-traditional fields to identify talent. For this to be successful diversity is required, that
is background, skillset, education, gender, experience and race in order to bring different views and ideas
to the table.
Retention across security is a real issue with 86% of people open to moving in 2019 (BeecherMadden,
2019). Our research suggests that people mainly move for the following three reasons: career
progression, increase in salary and the opportunity to join a new or growing function. This is a real
challenge if you’re a 100-year-old bank to compete in an ever-developing market. Some companies are
even entering a seller’s market in order to compete to attract and retain talent.
Fusion Centers can be different, they can be marketed differently in order to retain talent. They can cause
excitement, they can create a culture and they can develop people for the benefit of their career however,
ultimately like any other area of the organization it comes down to leadership. Talent wants to be heard,
see a pathway and have the opportunity to improve within this eco-system.
To achieve this, leaders within security and the business need to pro-actively act and engage with the
talent. This will include regular interactions, 1 on 1, recognizing achievements and providing education
programmes in order to the talent to keep engaged and thriving for the greater good of the organization.
About the Author
Karl Sharman is a Cyber Security specialist recruiter & talent
advisor leading the US operations for BeecherMadden. After
graduating from University, he was a lead recruiter of talent for
football clubs including Crystal Palace, AFC Wimbledon &
Southampton FC. In his time, he produced and supported over £1
million worth of talent for football clubs before moving into Cyber
Security in 2017. In the cyber security industry, Karl has become
a contributor, writer and a podcast host alongside his full-time
recruitment focus. Karl can be reached online
at karl.sharman@beechermadden.com, on LinkedIn and at our
company website http://www.beechermadden.com
65

Have You Asked your eDiscovery Vendor
These 6 Essential Data Security Questions?
By Brian Schrader, Esq., president and CEO, BIA
In today’s world of ever-increasing data theft, network hacks and other cyber threats, companies of all
sizes are finally taking data security seriously. Even so, many overlook how their data can be
compromised when situations require that data to exit the company’s custody. One such common
situation where significant amounts of often-sensitive data must be sent outside the corporate domain is
the eDiscovery process, which takes place when a company is involved in litigation, regulatory matters
and internal investigations.
During the eDiscovery process, your data — ranging from emails to financial reports and much more —
is collected from your company’s various computer systems. It is then sent out to eDiscovery vendors,
law firms, related consultants and potentially several subcontractors for all sorts of tasks. The data gets
processed and catalogued, reviewed for legal needs, and produced to third parties, the government and
others. What’s more, depending on your law firm and vendor’s workflows, throughout that process your
data can be transferred multiple times between the various parties.
Moving your data among and between so many parties outside your company’s firewalls substantially
increases risk. It also increases the number of organizations you must vet to ensure that their security
policies and practices are acceptable. While we encourage you to develop a full vendor vetting process
that looks at things like data center security certifications (like SOC2 or ISO 27001), penetration testing,
disaster recovery, physical security and more, here are six essential questions you must ask anyone or
anything that touches, transfers or stores your data.
66

1. Are systems and data encrypted at all times, both at-rest and in transit?
All computer systems and mobile devices should be protected by device-level encryption. All data
transferred using physical media (i.e.., disc media, external drives) or digital online data transfer solutions
(i.e., SFTP, cloud transfer/storage systems) should be likewise protected by an encrypting system, which
can be as simple as using a strong password-protected ZIP file, for example.
Today’s constant stream of stories about law enforcement’s ongoing difficulties in accessing various
mobile devices clearly illustrates how effective device encryption can be at keeping prying eyes from
accessing your data. Simply put, encryption turns your data into a garbled pile of useless gibberish that
can’t be used absent proper credentials or digital tokens. Thus, even if someone physically steals your
device, the data is protected.
Encryption is now available on nearly all modern computers, smartphones and other devices, and is so
effective and easy to deploy that there’s simply no reason any vendor shouldn’t be encrypting them all.
That’s especially true for mobile devices like laptops, tablets, smartphones, smart watches and the like
that are even more vulnerable because they routinely travel outside the corporate firewall.
While the other items below are very important, device and data encryption are two of the most important
security steps any company can and must take. These steps are simple, cheap and effective. So, if your
eDiscovery vendor isn’t doing those simple things to protect your data, it’s likely that they’re not doing
much else, either.
2. Is multi-factor authentication in use?
Multi-factor authentication, commonly called MFA, is another extremely effective tool in the fight to protect
your data from malicious actors. As such, it should be a central part of your law firm and vendor’s security
profiles.
With MFA in place, not only is a username and password required to access secure systems, but an
additional step is required where a code is sent to a separate device, usually your cellphone, which then
must be entered along with your username and password to complete the login or access process. Such
solutions are becoming increasingly common even in our daily lives; your bank may encourage or even
require MFA (sometimes called one-time codes), especially with more sensitive items like wire transfers.
For example, here at BIA, we utilize MFA any time an employee logs on to nearly any company computer
or system, especially if they are not physically in one of our offices and connected to our corporate
network. If one of our employees works remotely from their home or the neighborhood Starbucks, they
must always use MFA, which admittedly can be inconvenient at times, but undoubtedly worth it for the
protection it affords. Encryption and MFA working together ensures that if a device or data is lost or
stolen, the data will remain safe and secure, regardless of the thief’s skills.
67

3. Are role-based access controls configured in place?
Lately, we see almost weekly news reports of data breaches occurring not because of hackers, but
because of employees stealing something they shouldn’t have had access to in the first place. This is
especially common in departing employees. Indeed, the recent Capital One data breach that impacted
over 100 million customers came from an employee’s internal system hack.
Law firms and eDiscovery vendors should address this problem by adopting strong policies regarding
role-based access using the concept of least-privilege to drive those policies. That means an individual’s
access to various data stores and computer systems is limited based on their role and function within the
company and gives them privileges to the minimum set of actions needed. For example, a vendor’s
project managers may need access to key data shares, but only to read and edit files, not to delete them.
Those same project managers, like most employees, may never need access to the accounting or HR
department’s records. While many companies have put such controls in place for their own data, they
often fail to do so when it comes to the data they hold for others, including their customers.
Here at BIA, we use least-privilege role-based access across the organization, and we have systems and
procedures in place to narrow that access even further on especially sensitive matters. The logic is
simple: By limiting the number of eyes that can even see your data, we automatically reduce the
possibility of an internal data breach.
4. Are there written data security, acceptable use and other critical policies in place? Do
employees know about those policies and where to find them?
To paraphrase a certain web-shooting superhero, with great data comes great responsibility, and it’s
critical that not just your vendor, but its employees as well, truly understand their responsibilities. Even
with all the data security measures discussed here, those with proper credentials and sufficient need will
have access to even the most sensitive of data. Thus, an essential piece of the data security puzzle is
making sure that every person who legitimately has access to your confidential data clearly understands
their responsibilities and is committed to protecting that data.
Your law firm and eDiscovery vendor should have clear, written policies on data security and acceptable
system use policies, and those policies must be accessible by all. Other information security policies,
including data handling, employee conduct, confidentiality, disaster recovery, business continuity and
crisis management, if available, should also be reviewed. But written policies alone, without action, are
meaningless — management must show that employees know and follow those policies.
Employees should be required to sign strong confidentiality and nondisclosure agreements as part of
their initial hire onboarding, as well as whenever company policies are updated. Security review meetings
and presentations, held at least annually, can also be helpful for providing continuing education and
reminding employees of their data security responsibilities and how to be vigilant for the latest trends in
hacking, phishing and other such security attacks. Policies are great, but your vendor should be able to
prove that their employees know, accept and put those policies into practice.
68

5. Is there a secure and tested business continuity and data backup plan?
While data backup and business continuity (the ability to continue or quickly recover essential services
after a natural disaster, for example), are critically important topics to ask of any vendor, in doing so,
people often overlook the security aspect of those solutions, which must be at least as secure as the
primary, live systems.
Most backup and business continuity plans call for multiple physical locations for both data storage and
critical systems, which means data is stored both in the vendor’s primary location(s) and copied offsite
location(s). When asking your vendor about its data security policies and practices, make sure to include
questions about any such secondary locations — and about how securely the data is transferred between
those locations.
6. How is data handled once a case is closed?
Clients often ask about security before a new project starts or a new master services agreement is signed,
but what happens to your data after a given eDiscovery project concludes? You might be surprised to
learn that the case shutdown process at eDiscovery vendors varies widely, and it might not be as
comprehensive as you’d assume. Many of the vendors you have used in the past for projects that closed
long ago may still be storing copies of your data, which could expose you to further completely
unnecessary risk and violate your data retention policies.
Your vendor’s project shutdown process deserves as much focus as the kickoff process — if not more.
Your eDiscovery vendor’s project manager should present you with a summary of all the data the vendor
has — including not just the original data, but also copies stored in their data processing systems, review
tools, analytics platforms, productions and the like. Only then can you decide whether you want the data
returned, destroyed or stored for possible use later.
If your decision is to destroy the data, your eDiscovery vendor must be able to certify the destruction of
that data to industry acceptable standards. Hard drives should be fully overwritten so that the data is truly
irretrievable. And once hard drives reach the end of their useful life, vendors should physically destroy
them. The cost to do all of that is small and any credible vendor should have no problem providing those
services.
Data security is a job that never ends. If you’re serious about protecting your data while it’s on your
servers, you should be equally serious about keeping it safe when it travels outside your protected space.
You can start by making sure you ask the right questions through the eDiscovery process.
69

About the Author
Brian Schrader, Esq., is president & CEO of BIA (www.biaprotect.com), a
leader in reliable, innovative and cost-effective eDiscovery services. With
early career experience in information management, computer technology
and the law, Brian co-founded BIA in 2002 and has since developed the firm’s
reputation as an industry pioneer and a trusted partner for corporations and
law firms around the world. He can be reached at bschrader@biaprotect.com.
70

Understanding Application Risk Management
By Haythem Hammour, Product Marketing Manager, Brinqa
On April 25, Docker® 1 discovered a breach of unauthorized access to a single Docker Hub database
storing a subset of non-financial user data. Usernames and hashed passwords for approximately 190,000
accounts may have been exposed, as well as GitHub® 2 and Bitbucket® 3 tokens for Docker auto builds.
However, the risk the Docker breach poses to organizations varies based on usage, integration, and a
variety of business and environmental factors. How can organizations measure and respond to the
vulnerabilities in their software infrastructure? This article discusses some crucial aspects of Application
Risk Management that can help build a knowledge-driven, risk-aware application security process and
deliver accurate and swift risk analysis, prioritization and remediation.
1
Docker is a tool designed to make it easier to create, deploy, and run applications by using containers
2
GitHub brings together the world's largest community of developers to discover, share, and build better software.
3
Bitbucket is a web-based version control repository hosting service owned by Atlassian, for source code and development
projects
71

Defining Application Risk Management
Application Risk Management is the utilization of fundamental risk management principles to identify,
prioritize, remediate, and report security risks related to an organization's software infrastructure. This is
accomplished by analyzing data from various application testing and monitoring tools and programs –
Dynamic or Web Application Security Testing (DAST), Static Application Security Testing (SAST),
Interactive Application Security Testing (IAST), Software Composition Analysis (SCA), and Penetration
Testing – in context of relevant business metadata and threat intelligence to drive prioritized remediation
actions in IT Service Management (ITSM) tools and processes. The scope of Application Risk
Management is not limited to web or desktop applications but also covers all internally developed, third
party, open source, commercial off the shelf (COTS), custom, business, and enterprise applications, as
well as web services and APIs.
The Need for Better Application Security
In 2014 Verizon started analyzing breach trends and patterns through the Verizon Data Breach
Investigation Report (Verizon DBIR) 4 . Noticeably, in the 2019 report the web application pattern (one of
nine basic patterns used to categorize security incidents and data breaches) scored the highest for
breaches, with a probability of one in five breaches attributed to web applications as the vector of attack.
Moreover, by examining past years' reports, it is evident that web applications have consistently been a
top breach pattern in recent years.
Top Application Security Risks
Open Web Application Security Project (OWASP) commenced a project that annually outlines the ten
most critical web application security risks. To compile this list OWASP uses prevalence data in
combination with the consensus estimates of exploitability, detectability, and technical impact.
1. Injection: Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted
data is sent to an interpreter as part of a command or query.
2. Broken Authentication: Application functions related to authentication and session management
are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session
tokens.
3. Sensitive Data Exposure: Many web applications and APIs do not properly protect sensitive
data, such as financial, healthcare, and PII.
4. XML External Entities (XXE): Many older or poorly configured XML processors evaluate external
entity references within XML documents.
4
The Data Breach Investigations Report is a collaborative effort, developed by Verizon in cooperation with numerous
agencies.
72

5. Broken Access Control: Restrictions on what authenticated users are allowed to do are often
not properly enforced.
6. Security Misconfiguration: Commonly a result of unsecure default configurations, incomplete
or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error
messages containing sensitive information.
7. Cross-Site Scripting (XSS): XSS attacks occur when malicious scripts are injected, generally in
the form of a browser side script, into trusted websites. These can occur when a web application
uses input from a user in the output it generates without first validating or encoding it.
8. Insecure Deserialization: Object and data structure related attacks where the attacker modifies
application logic or achieves arbitrary remote code execution to change behavior during or after
deserialization.
9. Using Components with Known Vulnerabilities: Components, such as libraries, frameworks,
and other software modules, are often used in the development of web applications. Attackers
finding security holes in these components can leave applications vulnerable to exploits.
10. Insufficient Logging & Monitoring: Insufficient logging and monitoring, coupled with missing or
ineffective integration with incident response, allows attackers to compromise systems further,
maintain persistence, pivot to more systems, and tamper, extract or destroy data.
OWASP, Verizon, and many other organizations have done remarkable work in collecting and analyzing
data on cyber threats, vulnerabilities and attacks. However, when it comes to application security there
is no one-size-fits-all solution. Each organization is unique, and so are the threat actors for that
organization, their goals, and the impact of any breach. If a public interest organization uses a content
management system (CMS) for public information and a health system uses that same CMS for sensitive
health records, a vulnerability in the CMS software will result in very different risk exposure and business
impact for each organization. It is critical to understand the risk to an organization based on applicable
threat agents and business impact.
Determining Risk Criticality
Generally, risk is the combination of the probability of an event and its consequence (Risk = Likelihood ×
Impact). Particularly, IT risk is the business risk associated with the use, ownership, operation,
involvement, influence, and adoption of IT within an enterprise.
The information security community relies on Common Weakness Enumeration (CWE) 5 and Common
Vulnerabilities and Exposures (CVE) 6 organizations in standardizing severity, probability, and impact
measures.
5
https://cwe.mitre.org
6
https://www.first.org
73

The Common Vulnerability Scoring System (CVSS)
CVSS captures the principal technical characteristics of software, hardware, and firmware vulnerabilities.
Its outputs include numerical scores indicating the severity of a vulnerability relative to other
vulnerabilities. CVSS is composed of three metric groups – Base, Temporal, and Environmental.
1. The Base Score reflects the severity of a vulnerability according to its intrinsic characteristics,
which are constant over time and assumes the reasonable worst-case impact across different
deployed environments.
2. The Temporal Metrics adjust the Base severity of a vulnerability based on factors that change
over time, such as availability of exploit code.
3. The Environmental Metrics adjust the Base and Temporal severities to a specific computing
environment. They consider factors such as the presence of mitigation in that environment.
The Common Weakness Scoring System (CWSS)
CWSS is part of the CWE project, co-sponsored by the Software Assurance program in the office of
Cybersecurity and Communications of the U.S. Department of Homeland Security (DHS). It provides a
mechanism for prioritizing software weaknesses in a consistent, flexible, open manner. The CWSS
scoring method relies on multiple metric factors clustered in three groups.
1. Base Finding metrics capture the inherent risk of the weakness, confidence in the accuracy of
the finding, and strength of controls.
2. Attack Surface metrics represent the barriers that an attacker must overcome to exploit the
weakness.
3. Environmental factors capture characteristics of the weaknesses that are specific to a particular
environment or operational context.
For effective risk quantification and prioritization, organizations must build on these frameworks and
enhance this technical information with threat intelligence (factors such as exploit availability, associated
malware, zero-day, popularity, pervasiveness, etc.) and business impact considerations (operational
status, data classification, supported business services, monetary impact, compliance requirements, etc.)
to develop an accurate understanding of how these threats uniquely impact the business.
74

About the Author
Haythem Hammour Product Marketing Manager
haythem.hammour@brinqa.com I ☎ (512) 372-1004
8310 N Capital of Texas Hwy, Suite 155, Austin, TX 78731
www.brinqa.com |Twitter | LinkedIn | Free! Webinars
https://twitter.com/hammour_haythem
75

Ransomware: A Municipality’s Achilles Heel
By Russ Cohen, Vice President of Cyber Services, Chubb
From large metropolitan cities like Atlanta to smaller communities like Key Biscayne, every city in America
is vulnerable to cyber attacks.
In fact, according to the Chubb Cyber Index SM , cyber incidents for public entities have tripled over the
past three years. Further, the index data also shows that 77% of the cyber claims reported by Chubb’s
public entity clients in 2018 were the result of external actors.
What’s behind these numbers? During these attacks, bad actors exploit public entities’ employees
through phishing emails—which then allow these adversaries to deploy ransomware into a municipality’s
network. In turn, adversaries are able to bring an entire system to a halt. Fortunately, there are a number
of risk mitigation steps municipalities can take to help safeguard their systems, which begins by
understanding what makes municipalities the ideal target.
76

Increasing Vulnerabilities in Dollars and Data
While both the public and private sector are vulnerable to ransomware attacks, there are several
characteristics specific to municipalities that lead adversaries to target them more nefariously.
Like most local government debates, it generally starts with a question of funding. Particularly, cyber
security funding for smaller municipalities is generally not as robust as other for-profit companies. Thus,
cities and towns alike may lack the proper resources and expertise to upgrade equipment, install proper
security software and perform adequate data backups.
It’s not just citizens’ social security and tax information that makes municipalities ideal targets. If
adversaries gain unfettered access to a municipality’s systems, they can alter everything from traffic lights
and 9-1-1 systems to employee payments and official document records. In turn, if emergency systems
are affected, adversaries often feel emboldened to demand a higher ransom—as a municipality will likely
want to resolve the situation as quickly as possible.
During any cyber event, it can be difficult to know the right move to make—how do you know when to
pay a ransom or not? One critical element to keep in mind when weighing this decision is that, ultimately,
the affected institution is responsible for any financial loss, safety issues, or wage disruption that might
occur from a cyber incident—not to mention, there are also reputational and non-financial implications
associated with these events. Often, the cost of paying a ransom can be less than the alternative.
In March 2019, a large county was forced to pay $400,000 in crypto-ransom after a ransomware event
compromised its network, but also the entirety of its online backup. Because these information reserves
were also compromised, they had little choice—it was ultimately less expensive for them to simply pay
the ransom than it would have been to build a new system from scratch.
Compounding this issue is that while ransomware attacks are becoming more sophisticated, bad actors
now have the ability to destroy records instantaneously. This fact has the potential to permanently cripple
city systems in the event that their files are not only compromised, but also erased. These newfound
consequences have also led to a significant rise in costs associated with these attacks; and as a result,
public entities now often face six and seven-figure payout demands.
To make matters worse, municipalities’ cyber risks are not self-contained. As we get closer to having fully
integrated smart cities, the increasingly interconnected nature of municipalities has led to a heightened
cyber risk for all businesses. Ultimately, without proper cyber security protections in place, municipalities
can be a weak link that allows bad actors the ability to infiltrate the larger business community,
subsequently giving them access to vendor, supplier, and partner data. In essence, municipalities can
form the center of a spider’s web, with the larger business network and local community branching off
77

and expanding from that center—like a spider, ransomware attacks have the potential to travel across
the entire “web” of this interconnected ecosystem through each and every silky branch.
Pinpointing the Root Cause
Once municipalities understand why they are prime targets, they should then turn to how adversaries
penetrate their systems.
Put simply, in order to deploy these calculated ransomware attacks, bad actors often exploit human
vulnerabilities in city systems. For instance, these attacks can be triggered by an unsuspecting employee
who opens a malicious email on a computer that is not properly protected. In doing so, these bad actors
infiltrate the system and gather and hold vital data hostage until their demands for untraceable
cryptocurrency payments are made.
To make matters worse, once one device is infected with ransomware, the malicious code can spread to
other unprotected devices on the network. Often, the virus can do so without being noticed, and may stay
in the background for days, weeks, or even years—all the while, rooting itself deeper into a system—
adding to the troves of hostage data and allowing adversaries to demand exponentially more for its
release.
Fighting Back
While the threat can seem overwhelming, there are risk mitigation best practices municipalities can take
to reduce their exposure.
To start, city employees should be taught to recognize the warning signs of potentially malicious
content—such as, the inclusion of suspicious links, emails sent at an unusual time, misspelled words or
an unrecognized sender—and should know exactly who to contact if they suspect something is awry.
Employees should also have comprehensive social media education sessions, focusing on the dos and
don’ts of posting online and what type of content can make them a target.
Beyond employee training, local governments should upgrade their email security practices to help block
malicious emails at the perimeter. They should also install anti-malware protections and ensure the
regular backups of all files and information. Backups should be scheduled (daily, weekly, monthly) and
stored in a separate secure location (external drive, cloud) to prevent the backups themselves from being
corrupted during a breach. Backups should also be tested from time-to-time to ensure they are usable
and adequately protected.
78

However, no prevention tactic is perfect, so in addition to the appropriate preventative steps, a broad
cyber insurance policy can help offer additional peace of mind. If a ransomware attack does occur,
insurers—like Chubb—provide policyholders with access to forensics providers, IT and security
professionals, and legal counsel to recommend the best course of action for each unique scenario. In
many cases, an insurer can also connect municipalities with cyber security software vendors whose
products are specifically designed for their needs. Such platforms can offer municipalities another way to
help prevent ransomware attacks and contain the spread of malware to connected devices, in the event
of a successful attack.
In an interconnected world where cyber security risks are ever evolving, threats will always be present.
However, taking the right steps can afford you the knowledge that your community is protected, no matter
what.
About the Author
Russ Cohen serves as Chubb Vice President of Cyber Services, managing all
policyholder services associated with the company’s pre- and post-incident cyber
services, as well as supporting innovations in underwriting, data analytics, and
predictive modeling associated with enterprise cyber security risks. Russ can be
reached at russ.cohen@chubb.com and our company website is
www.chubb.com.
79

Do You Know What That App Is Doing?
The IT Security Risk of Third-Party Apps
By Christopher Kennessey, CEO, NetMotion Software
As mobile devices become more common in the workplace, IT departments need to understand and
prepare for the security risks that these devices introduce. Beyond the security of the device itself (which
is a significant issue in its own right), there’s a very real risk of third-party apps secretly accessing
corporate data. In some cases, the app is a legitimate service gathering user data on the side for their
own marketing purposes or to sell. Alternatively, many malicious apps will mimic real ones to trick users
into downloading spyware and adware to steal passwords or financial information. Despite the best efforts
of Apple, Google and Microsoft, data scraping remains an issue on iOS and Android devices as well as
the major desktop platforms. Legitimate or not, IT needs the ability to track how third-party apps are
accessing corporate data to protect their employees and keep that data secure.
The normal barriers between work and personal devices don’t always apply here. With bring your own
device (BYOD) policies being so common in the workplace, employees likely download apps, play
games, access their social networks and visit potentially risky websites using the same devices that they
80

ely on to access sensitive corporate data and applications. If they become the victim of malicious apps
or websites, it doesn’t matter whether they or their employer is the intended target. Once a device is
compromised, everything on it is at risk of being seen or stolen.
There are several ways organizations can reduce the risk of third-party apps scraping sensitive corporate
data. The first is training users to identify the telltale signs of a malicious app, email or website. Apps with
strange or poorly rendered icons, suspicious imagery or inaccurate or misspelled names are all good
indicators that something isn’t what it appears to be. Users should also be particularly cautious when an
app asks for permission to access data that is not relevant to its task. It’s also good practice to prevent
users from side-loading apps or going outside corporate approved app stores.
Technical security controls also play a large role in protection corporate date. Organizations deploy
hardware and software like firewalls and antivirus to protect their data, but employee devices are a new
weak link that often reside outside the corporate network for long periods of time. In response, many of
these organizations have added enterprise mobile management (EMM) or mobile threat defense (MTD)
solutions that provide some measure of protection and control over what devices and their users can do.
But even these solutions don’t provide real-time visibility into the behavior of devices, apps and data flows
when they are connected to an external network. Like most security spending, EMM and MTD solutions
are focused on protection – stopping malicious software from getting on devices. That is certainly
important, but organizations also need to improve their monitoring and visibility into mobile devices to
detect suspicious behavior that could indicate an infected device.
Like most things in security, this is easier said than done. A recent survey by the Enterprise Mobility
Exchange found that nearly half of mobile security professionals had no idea whether their organization
had been the victim of a mobile security event in the last year. More than 35% can’t tell when a device or
app is sending data to unwanted server locations at all, and an additional 30% can’t do it in real time.
Even legitimate apps will often communicate with numerous servers around the world. And numerous
apps and devices, either intentionally or as the result of poor design, have been shown to send data to
servers in countries that lack the high standards of data security that we expect, for no discernable
reason. At the end of the day, it’s impossible to tell whether a traffic pattern is potentially dangerous if
you’re not paying attention.
Once an organization understands its normal mobile traffic patterns, the next step is to implement policies
that automatically prevent unwanted or questionable connections. By adopting higher standards for user
and device authentication, data encryption and device control, IT and security teams have the power to
ensure the integrity of an organization’s data by automatically stopping mobile devices from sending
traffic through unapproved servers via unapproved connections. As always, full, standards-based
encryption should be used to ensure the data remains secure in transit.
Advancements in mobility have been an enormous enabler for enterprises and their employees over the
last decade in particular, but these benefits come with their own distinct set of costs and risks. In order
to maintain that high level of data security both inside and outside the walls of the office, companies need
to do a much better job of managing how apps, users and devices interact with their data. The most
effective approach is to employ a mixture of embedded software that can provide real-time, actionable
information about devices operating on third-party networks, enforce automated policies that restrict
81

dangerous activity and train users to become the front line of defense by recognizing threats from the
outset.
About the Author
Christopher Kennessey is the CEO of NetMotion Software. Christopher has
nearly two decades of cloud, data center and mobile networking industry
experience, including ten years leading sales and operations for Cisco’s
Intelligent Automation business unit. He holds a bachelor’s degree from the
University of Illinois Champaign-Urbana, with additional courses at Harvard
University and Complutense University Madrid. Christopher can be
reached via our company website https://www.netmotionsoftware.com/
82

5 Key Differences between Software and Hardware
Vulnerability Mitigations
By Anders Fogh, Senior Principal Engineer at Intel
The software stack has long been a fruitful target for hackers looking to exploit organizations – and this
is not likely to change anytime soon. As a matter of fact, according to the Common Vulnerability and
Exposures (CVE) list, there were 14,760 known security vulnerabilities logged in 2018 alone (a record
year). As the stakes continue to rise in this cat and mouse game, so too has the scrutiny of these systems,
resulting in more robust software security development lifecycles, enhanced vendor collaboration, and
increased mitigations that help combat malicious activity. If software vulnerabilities have reached
adolescence (metaphorically speaking), one could say that hardware vulnerabilities are just entering early
childhood. Take for example the nascent CPU exploits like Meltdown and Spectre, which were disclosed
in early 2018. Both of these hardware vulnerabilities have had a significant impact on the security
industry.
As hardware vendors work to overcome new security challenges and create an ecosystem capable of
properly disclosing, tracking and resolving these vulnerabilities, I wanted to share some of the key
differences between software and hardware mitigations.
1. The Flexibility Issue
In today’s threat landscape, software is still orders-of-magnitude easier to handle than hardware. One of
the most obvious reasons why is the simple fact that software can be updated frequently to deal with
security vulnerabilities. For example, if there is a buffer overflow attack in software, once the root cause
is identified, new code can quickly be pushed to address the issue. It’s even commonplace for some
83

vendors to release patch updates in less than 48 hours. The agility that’s present in software just simply
doesn’t exist in most hardware. And while there is some wiggle room built into hardware firmware – for
example the ability to modify a CPU’s UEFI (commonly referred to as BIOS), or the ability to turn things
on and off in hardware for mitigation reasons and product variants (what’s colloquially known as modifying
chicken bits) – none of these compare to the ultimate flexibility of a completely software architected
solution.
2. The Development Cycle
The software development cycle is dramatically different from that of hardware in many ways, and a
primary reason is the manufacturing component. In CPU hardware, when you eliminate the ability to fix
a problem through firmware or chicken bits, what’s left is a fundamental design change. This results in
the need to evaluate the old hardware, identify the problem, formulate the updates, coordinate with
ecosystem partners, and push to manufacturing for the new build. The challenges are complex and time
consuming. On the other hand, software can modify a feature via code changes and pushing an update,
hardware usually cannot. This is why with the advent of hardware vulnerabilities, security researchers
play a huge role in helping to build the next generation of hardware systems that are not only more
secure, but also architected in a way that can be updated or modularized for security mitigations.
3. The Stack Problem
Traditionally speaking, software sits on top of the system stack – meaning software depends on other
components, and not the other way around. For developers and security professionals in software, this
offers ultimate flexibility with other vendors and customers. But, the further down in the stack you go, the
more the elements above depend on you to function properly. For example, if an operating system were
to change its API significantly, the software running on top of it would likely break. But hardware is usually
the lowest element in the stack. For instance, a CPU has to interface with an operating system, which
interfaces with an application, and so on. Hardware changes in these complex relational environments
are ultra-sensitive. It requires a depth in testing that can take substantial resource and time. And, the
documentation and specification for usage have to be extremely comprehensive.
4. The Product Lifecycle
Very few things last forever. And in the world of hardware, there’s no such thing as partial replacement.
Software on the other hand is often continually being updated via code to the next version. With hardware,
it’s traditionally out with the old, in with the new. And unfortunately, hardware usually carries significant
cost implications, so products like CPUs and hard drives tend to have a long shelf life. This also means
that the number of models being supported in the wild are often much higher than with software. This can
have a major impact on hardware mitigations and add to the design pressure. In essence, with hardware,
you have to live with what you built ten years ago. As a result, today’s hardware vendors are transforming
R&D processes to be more inclusive of security teams in hopes of making future products more flexible.
84

5. The Update Challenge
In general, a software update is simple. Push the patch, update the code, fix the problem (at least that’s
the basic idea). In the world of hardware mitigations, it can be much more complex. Hardware is not often
directly connected to the internet or a network. This means hardware vendors rely on OEMs to set up
mechanisms to push or pull updates, or coordinate with software partners to push updates to customers.
For example, Intel has made micro code updates OS loadable, meaning when a mitigation can be fixed
via firmware, a micro code patch can be released through operating system partners. But, it’s much more
complex than that. It requires an incredibly high level of coordination between the stack layers. For
instance, the degree to which a CPU micro code update impacts a cloud provider versus a data center
can vary dramatically. It’s not a one-size-fits-all mitigation, yet it’s expected to be, which means these
partners need time to test the mitigation before they push it to their customers.
Looking Ahead
To help overcome the challenges of hardware vulnerability mitigations, there is a lot of great work
happening in this space today. To cite just a few examples, we’re seeing more flexibility being designed
into firmware, for example changes that give microcode more flexibility to fix potential security problems
are being designed into next generation hardware. Updates are becoming more agile, for example Intel
microcode updates are distributed as part of Microsoft’s patch Tuesday. And big vendors are participating
in more open source projects, for example Intel heavily contributes to the Linux Kernel.
The goal is to make hardware ecosystems of tomorrow more secure than today. While there are some
early successes we can point to – such as the quick integration of hardware mitigations for the Meltdown
vulnerability in Intel’s 8 th generation processor family (Coffee Lake) – our community must continue to
drive toward the development of more formal methods and standards for disclosing, tracking and sharing
hardware mitigations. This will ensure that research and education in hardware mitigations mirrors the
maturity of the software security industry, and as a complete industry we more effectively tackle security
mitigations.
About the Author
Anders Fogh is a Senior Principle Engineer at Intel. He has been involved
in software development and information security for more than two
decades, and in an expert in reverse engineering. Anders can be reached
on Twitter @anders_fogh and through the company website
http://www.intel.com.
85

Data Risk Report Shows Lack of Security across Industries
87% of companies lack data security
By Rob Sobers, software engineer, Varonis
When it comes to cybersecurity, one of the top concerns is the risk and vulnerability of sensitive data.
Varonis has completed their annual risk assessment in efforts to provide organizations with guidelines
for minimizing and reducing these risks.
The 2019 Data Risk Report is an analysis of almost 800 risk assessments conducted on data that
includes email, files, and folders across various organizations and companies. At risk and vulnerable data
is identified, followed by recommendations to reduce these risks and vulnerabilities.
The information within the 2019 Data Risk Report is just one way that organizations can gain more insight
into their cybersecurity strategies and what more they can do to improve data security.
Data Gathering Methods and Scope
Here’s an overview of how data was gathered, and the scope of data analyzed. Reports were chosen
from 785 security assessments – analysts went through data that focused on risk and exposure, stale
data no longer required for daily business operations, and users and password use.
86

The scope of the report covered over 30 different industries, including biotech, education, financial,
government agencies, healthcare, and tech. Also examined included:
• Over 54 billion files
• 4.3 billion Folders
• 54.58 petabytes of data
• 12.7 million User accounts
• Over 13.4 billion files with global access
• 3,144 exposed and sensitive files per terabytes
Report Conclusions
The results of the 2019 Data Risk Report including the following key findings. This information can help
your cybersecurity team come up with approaches and tactics for reducing your data security risks.
Risk and Exposure
Most organizations give users too much access to company files. Assigning global access gives
employees access to all vulnerable and sensitive information, putting this data at risk. Global access also
opens the door for cybercrime, giving attackers easy access to files that should be contained in tighter
security.
Report findings show that 17% of sensitive files could be accessed by all employees and that 15% of
companies had over 1 billion files accessible to each employee. As an average across the organizations
studied, each employee had access to 17 million files.
Add to this that many of the files at risk were in violation of data privacy laws such as the GDPR (General
Data Protection Regulation), PCI DSS (Payment Card Industry Data Security Standard), and HIPAA
(Health Information Portability and Accountability Act).
Sensitive data that is exposed and at risk can cost your company not just money and trust, it can also
irreparable harm to your reputation.
Stale Data
53% of company data is stale. Even though this data is no longer used, it still contains private and
personal information about clients and customers as well as other sensitive business information,
including finances. As with data still being used by an organization, this information is subject to privacy
laws.
Other findings on stale data show that 87% of companies have over 1000 stale files that contain sensitive
information and that 95% have over 100,000 folders that also contain private data. That amounts to
15,511 sensitive files that are stale for each terabyte.
87

The stale data an organization no longer needs should be dumped, otherwise, they open themselves up
to liability if this data is obtained through a security breach.
Passwords and User Accounts
Many organizations are ignoring best practices for passwords and user accounts. In fact, 61% of
companies have over 500 employees using passwords that never expire. And when it comes to user
accounts, 40% of companies had stale user accounts that were still enabled.
Not changing passwords on a regular basis presents cyber attackers with a great opportunity to break
into user accounts, giving them access to an organization’s sensitive business and customer information.
Unauthorized access to these active accounts also opens an organization up to disruption of service from
a DoS attack.
There is room for improvement across the board when it comes to reducing stale user accounts.
Takeaways from the Risk Report
The aim of the Risk Report is to give organizations tactics to increase security and keep data safe. Here’s
what your company can do to up the ante when it comes to data security.
Most At-Risk
Organizations and companies most at-risk are ranked from highest to lowest based on the average
percentage of sensitive files they have exposed:
• 21% - Financial services and manufacturing
• 15% - Biotech, healthcare, and pharma
• 14% - Energy and utilities, and retail
• 12% - Government and military
Minimize and Reduce Risk and Exposure
• Identify which users have been granted global access to sensitive data.
• Grant global access only to users who need to access this information.
• Apply controlled security access to users, minimizing their access to sensitive data.
88

Manage Stale Data
• Determine what is stale data and if it contains sensitive information.
• Dump or archive stale data you’re no longer using.
• Establish a schedule for retaining data before evaluating if it’s become stale information.
Manage Passwords and User Accounts
• Identify non-expiring passwords and change password policy.
• Identify and delete stale user accounts.
• Optimize your company’s ability to detect anomalies that don’t conform to security policies.
As per the 2019 Data Risk Report, there’s a lot of room where organizations can improve the security of
their business and customer data. Most companies have some areas where their data is at risk and
vulnerable to a security breach. Also, a huge concern is the number of companies that are in noncompliance
with privacy and security regulations of customer information.
Your organization can use these security guidelines to strengthen your cybersecurity strategies so you
can keep your data safe and secure.
About the Author
Rob Sobers is a software engineer specializing in web security at Varonis and is
the co-author of the book “Learn Ruby the Hard Way.”
89

How the Internet of Things Could Compromise Online Security
By Chris Usatenko, Content Creator, EveryCloud
The concept of an Internet of Things has been a dream held by many tech geeks. Up until a few years
ago, though, the idea was one that just wasn’t practical to manage. Which company had the resources
to maintain a network so that all the smart devices they manufactured could be brought online?
As our tech has advanced, though, we’re a lot closer to having all of our devices and appliances
online. We have smartphones, smartwatches, smart cars, and even smart appliances now. It’s
convenient – just hit a button on your app on the way home, and you can start the coffee maker or
kettle.
Now, that’s just a small example of what’s possible. With IoT, we could end up controlling everything,
from self-driven cars to the security systems of our homes remotely. It’s an exciting new world.
Security Issues
Unfortunately, it’s also opening the way for more cybercrime. 2017 saw a 600% increase in the
incidences of IoT attacks. According to EveryCloud, Cybercrime netted $445 billion globally in 2018, so
making things easier for cybercriminals by using IoT tech could well be a serious problem.
90

What’s the Potential Harm?
You might wonder what the big deal is. So what if someone takes control of your fridge? What are they
going to do, put the ice maker into overdrive? It doesn’t really seem like much of an issue until you
consider that all of your devices would be tied into a central hub.
You’d have one hub to control them all. And, like with Sauron in the Lord of the Rings, one by one the
last remaining free devices in your home or office would fall. Which, again, isn’t a huge issue when it
comes to things like coffee makers and fridges.
It becomes an issue when the hacker is able to use the hub to access your smartphone or computer.
They could hack into your smart speakers and eavesdrop on private conversations. They could hack
your security cameras and have a good look around your home.
What about that driverless smart car you’ll have parked in the garage? It could be hacked and driven
right to the thief’s location. Or, and here’s a scary thought, hacked while you or your kids are in it. Now,
that might sound a little paranoid, but it’s something that we’ll have to consider in the future.
Different Security on Different Devices
Part of the problem here would stem from the fact that there’d be differing levels of security on the
devices that we’re using. We’ve already seen this when it comes to different Android devices. The
devices themselves are only as secure as their basic operating software. There could well be loopholes
for hackers to exploit.
And, while the security on a driverless car, for example, would be impeccable, the same is probably not
true for your fridge or kettle. After all, who’d really want to hack those devices?
What Can We Do About It?
The safest bet would be to avoid using IoT devices. But who really wants to go to that length? Perhaps
instead, it would be better to buff up on our security awareness training so that we better understand
the concepts behind creating a completely secure system.
Fortunately, there’s a lot that we can do to secure our home and office systems against hacking. You
already know the basics like using a secure password and up to date anti-virus system. Now it’s time to
take things up a few notches.
You wouldn’t, for example, use the same password for both the hub and your car or other sensitive
sites. You’d encrypt information stored on your system and create regular backups. You know the drill –
by enhancing your online security, you can still enjoy the IoT.
91

About the Author
Chris Usatenko is the Content Creator & SEO Specialist of the EveryCloud. He
is a Computer geek, writer, and gamer. Chris is interested in any aspects of the
PC industry and videogames. Freelancer in his nature, he is willing to get
experience and knowledge from around the world and implement them in his life
Chris can be reached online at Email: chris@securitymedia.org, Twitter:
https://twitter.com/CUsatenko and at our company website
https://www.everycloud.com/
92

Public Sector Beware: 3 Steps to a Better Cyberattack
Prevention Strategy
By Phil Richards, CISO, Ivanti
Just as healthcare organizations were a popular target of ransomware attacks over the past two years,
public sector organizations (including school districts, municipalities and local and state public agencies)
– now seem to be active targets.
Most recently, three school systems in the state of Louisiana were victims of malware attacks, which shut
down phone systems and locked and encrypted data. The event was deemed serious enough that Gov.
John Bel Edwards issued a state of emergency which allows the state to access resources from the
state’s National Guard, technology office and state police to remediate the intrusions.
School Systems and Local Governments are an Increasing Target
But Louisiana school systems are not alone. In fact, according to CNN there have been as many as 22
known public sector attacks to date this year, already outpacing 2018. Among them is a RobinHood
ransomware infection on April 10 which impacted computers operated by employees in the city of
Greenville, North Carolina; a Ryuk ransomware attack on April 13 which hit both Imperial County, Calif.
and the city of Stuart, Fla. forcing websites to go dark and consumer service shut downs; and the stillunspecified
malware that struck the municipally owned Cleveland Hopkins International Airport on April
21 causing flight and baggage information to go down.
93

Perhaps a more heavily reported municipal ransomware attack was just over a year ago when the city of
Atlanta was crippled by SamSam ransomware. As a result of that attack the city ended up spending $2.6
million in hard costs alone to respond to the attack – reportedly 52 times the amount of the $50,000
ransom attackers demanded. Reports of the full cost to the city of Atlanta show an actual cost of more
than $17 million. SamSam was also the cause of the attack the Colorado Department of Transportation
experienced in February 2018 for which is also activated a state of emergency which helped to activate
state resources to help with traffic, road management and transportation.
But the state of emergency called by Louisiana is different. It centers more squarely on gaining assistance
from cybersecurity experts across multiple government agencies to help speed the recovery process.
While mitigating cost, like what Atlanta reportedly paid, may be one reason Louisiana called a state of
emergency, it also signals to residents (and attackers) they are taking the breach very seriously and
looking to recover as quickly as possible.
Three Steps for Cyberattack Prevention
While Louisiana works to get its impacted school systems back in action, the question is raised: “Can it
happen in my local schools? Will an attack hit my city’s systems?” The answer is of course, “yes it can.”
However, there are steps that can be taken to make the risk much lower. Consider these three steps:
• Patch All Systems. For most organizations, patching should be the first line of defense. Ensuring
that operating systems and third-party applications are up to date will limit or even prevent
cyberattacks. Special effort should be made to ensure that all critical patches and updates for
applications such as Adobe Flash, Java, Web browsers and Microsoft applications are kept
current. Patches should be prioritized based on criticality and policy and applied so that they don’t
disrupt users or operations.
• Train Employees Regularly. Most ransomware is spread using phishing or spam emails. Thus,
it is critical to train users to be savvy email consumers and careful web clickers. Criminals use
many professional marketing and social engineering tools to improve their capabilities to trick
users into opening fraudulent emails and increase their chances of success. It is likely that even
the most educated user will be tricked. Education isn’t enough. Users need to receive periodic
drills of phishing email campaigns that provide immediate feedback when they click on a
link. When users see themselves getting “caught” is when they begin to change their behavior.
• Minimize Computing Privileges. An important tactic to mitigate the damage caused by many
types of malware, including ransomware, is to limit administrative privileges to only those that truly
need them. For example, the Petya ransomware requires administrator privileges to run and will
do nothing if the user does not grant those privileges. Removing administrator rights is easy, but
balancing privileged access, user productivity and enterprise security is not. Effective access
control protects organizations against malware and ransomware. Access control that focuses
primarily or exclusively on privileged user access rights will likely prove less than
94

effective. Generalized access control can be highly beneficial for protecting files located in on
shared drives. Users have legitimate needs to access and modify files on shared drives. After all,
those files are document files created by legitimate users. As a result of this generalized access,
a ransomware attack that successfully infects the system of a user with legitimate access rights
can encrypt and hold hostage all the files on all connected, shared drives and folders.
In short, the recommendations of patching, user education and privilege management, are critical pieces
to prepare for and prevent cyberattacks. These steps are particularly important for public sector
organizations and school systems where budgets may be tighter and resources slimmer. However, taking
these steps can be mad easier through best-in-class software solutions that use automation to apply the
necessary protections. When properly implemented they can stave off risky, and costly attacks without
placing undue burden on security and IT teams.
About the Author
Phil Richards is the Chief Information Security Officer for Ivanti and is
CEO of an IT Security Consulting firm. He has held other senior security
positions, including the head of operational security for a medical device
manufacturer, Chief Security Officer for a financial services corporation
and Business Security Director for an investment company. In his
various leadership roles, he has created and implemented Information
Security Policies, has led organizations through many local, US Federal
and international compliance efforts, has implemented security
awareness programs, and established comprehensive compliance
security audit frameworks based on industry standards. He has
implemented Enterprise Risk Management and global privacy
programs to address compliance and privacy internationally as well as for specific regions such as
European Union and Australia. Phil has been the recipient of multiple CISO of the Year awards, written
and spoken extensively on a variety of security topics, and conducted training workshops for current and
future CISOs, CIOs and Board Members. Transforming an organization requires focus on the objectives,
clear communication, and constant coordination with executive leadership, which is where Phil has
focused during his security career.
95

Cybersecurity Checklist: How to Keep Your Business Secure
By Lucy Manole, Content Writer, Right Mix Marketing
Source: Freepik
In this era of digitalization, businesses are moving online faster than ever, resulting in an explosion of
data. Most companies have moved to a cloud-based platform, which helps facilitate business activities.
As a result, without significant cybersecurity protocols in place, a business cannot function properly in
today’s world. Every day, the data is increasing.
96

In fact, according to statistics, by 2020, the universe will have 44 zettabytes of data. To put this into
perspective, that is 40 times more data than the number of stars in the universe.
The statistics further suggest that it is more a question of when, rather than if you are under cyber-attack.
And no company is safe, even the giants like Yahoo. Three billion Yahoo accounts were hacked in 2013-
2014.
Statistics say that small to medium businesses are under greater threat of facing a cybercrime. Numbers
suggest that 61% of data breaches happen in companies with less than 1000 employees.
So how do you counter this? Well, for one, it always helps to build a checklist. A checklist ensures that
you get things right, the first time, saving valuable time and money.
Here is a brief checklist for cybersecurity that you can use to keep your business secure:
1. Are Your Employees Prepared to Deal With a Potential Cyber Threat?
No matter how many firewalls you have and how stringent your security protocol is, none of them will
work unless you educate your employees about cyber-attacks.
There is no graver liability than an untrained workforce. Your employees should be the first ones to be
aware of all the security checkpoints and policies in place, as well as the technologies in use. Two of the
97

most common cyber-crimes are in the form of phishing and malware. Designed to trick you in various
ways, it is also easy to prevent them by simple attention to the finer details.
For phishing, all you need is a keen eye for weeding out potential threats in the form of spammy links.
This is where the training becomes essential, and your employees must be trained to spot a phishing
attack from a mile away. However, the cyber-criminals are also getting smarter and using different
techniques to lure your employees into a trap.
An excellent way to put an end to this is mandatory employee phishing prevention training, whether at
the time of joining or after every six months. That way, they can keep abreast of the latest developments,
and avoid being duped by cybercriminals.
2. Is Your Data Stored in a Secure Location?
Another make-or-break question for you is the location where your data is stored. Irrespective of
whether your business is in a small network or hosted on a cloud platform synced with an off-line
center, it must be protected. There is no room for error in this case.
Apart from the security of your data center, physical security is also an essential factor to be taken into
account. In today’s world, data centers must have power and back-up service in the first instance.
Another area of your emphasis should be the physical protection you are providing to your hardware.
Physical barriers like door locks and biometrics to prevent old-school hardware tampering may sound
redundant and passé. However, it is something you should look into.
Graphically, you can imagine your data center as the center of all power, the nucleus in a human cell,
which needs maximum protection. While monitoring the outer circumference of your security, the center
should not be taken for granted and ignored. Data has already overtaken oil as the most valuable asset
and resource in the world. You should protect your data at all costs and do whatever is necessary,
whatever the price.
3. Are You Keeping a Constant Check on Your System?
“With great power, comes great responsibility.”
And this is why, the bigger your network, the more vulnerabilities you have. As a result, you would have
to be extra careful when it comes to keeping an eye on your system.
It is not to say that all is rainbows and sunshine with small businesses. The underlying security
checkpoints and protocol remain the same for all businesses.
Devices like telephones, smartphones, PCs, laptops, and wifi tend to increase your liability and make
you more vulnerable to cyber threats. A pre-determined and defined frequency of vulnerability scanning
98

is a great method for selectively identifying and weeding out weak links in your network. Things like outof-date
PCs, simple passwords and unsecured wifi networks are just the tip of the iceberg.
A full vulnerability scan will inspect your entire network and flag all potential hazards. Again, that is just
the start. Once you have identified potential loopholes, you need to get them fixed in such a way so as
to avoid similar threats in the future.
Hire a certified cybersecurity professional or a managed security services provider which will help you
alleviate your worries regarding cyber threats. Standard services include managed firewall, intrusion
detection, virtual private network, vulnerability scanning, and antiviral services, vulnerability scanning,
and remediation to keep your system in check.
With everything in place, you can now rest easy!
These are highly professional services aimed at managing and monitoring your security devices.
Seeking professional help to supplement your efforts is an excellent way to plug the gaps.
4. Deploy 2-Factor Authentication
You may think you are immune to cybersecurity mishaps, but only until it happens to you. More often
than not, businesses become victims of cybercrime due to minor things like an unsecured password.
Thankfully, there is a way to protect your password authentication systems, without going through any
hassle yourself.
You can simply use the two-factor authentication (2FA). Also known as MFA, this easy-to-use security
method stops password theft even before it can take shape. The process is quite easy. When logging in
to an account with 2FA, you type in your regular username and password combination, which is verified
on your phone. This secondary code helps ensure that you are really who you say you are.
Even big corporates like Google and Yahoo are using it to protect their system against potential cyber
threats. A simple code keeps your data and accounts protected. Using your phone as your ultimate
verifier is equivalent to a guarantee that a miscreant cannot merely hack your computer and gain
access to your data. The best part about 2FA is that it is inexpensive, and the set-up is straightforward.
If you haven’t got it, this should be your number one priority right now.
5. Secure Your End-points
By endpoints, we mean the devices that have become so prevalent in the 21st century. Here, an
endpoint is any device that you use to access a network. From your mobile devices to your laptops, it
can be anything!
However, this is the most commonplace for a security breach to take place. Businesses today have
understood that and that's why most of them have migrated to a model that uses technology outside of
the office. If you haven't, then now is as good a time as any.
99

Real-time protection and ensuring the continual and uninterrupted defense is the need of the hour. With
the advances in the technology of hackers, simple anti-virus software is not enough anymore. And the
automated systems can lead to countless false complacency that lulls your senses towards thinking
that you are entirely secure. However, you need persistence and focus, along with a significant amount
of skill to monitor your network all the time.
Endpoint Detection and Response is always possible, no matter the size of the business. Endpoint
security, though seemingly banal, has its uses. And as they say, better safe than sorry.
Wrap-Up
Having a cyber-security checklist is an outstanding practice that more and more companies are
adopting. Not only does it ease your job, but it also helps in immediate and sufficient identification of the
shortcomings of the protocols of your own business, which can help you take action quickly and
decisively. With these regulations in place, you can efficiently counter cyber-crime menace and conduct
your business without any hassle.
About the Author
Lucy Manole is a creative content writer and strategist at Right Mix Marketing
Blog. She specializes in writing about digital marketing, technology,
entrepreneurship and education. When she is not writing or editing, she spends
time reading books, cooking and traveling. Lucy can be reached online at
(https://twitter.com/rightmixmktg,https://www.facebook.com/RightMixMarketing/,
https://in.linkedin.com/company/right-mix-marketing ) and at our company
website https://www.rightmixmarketing.com/
100

Ready Position - Proactive Teams are Helping Solve the
Cybersecurity Skills Shortage
By Aidan McCauley, Vice President of Technology Investments, IDA Ireland
Some of the fans glancing toward the outfield at a baseball game may be recalling their own Little League
days. If they were in the outfield and looked to be unprepared, they would hear, “Ready position!” Most
likely this command would have been prefaced by yelling the young person’s name and come from the
coach, parents, or both at once. The four-step response is to place legs apart, bend slightly at the knees,
lean forward slightly, and look intently toward home plate. Should the next swing of the bat require them
to run, spring up, or bend down, they’re now ready to field the ball.
Good News Amid Grim Figures
Firms who must protect their intellectual property along with their own data and that of their customers
are heeding a “Ready Position” command that’s being expressed in numeric form: predictions that
cybercrime worldwide
101

will cost $6 trillion annually by 2021 and that more than three million cyber security job postings worldwide
will go begging over the next 5-7 years; IT professionals reporting the cybersecurity skills gap 7 at their
companies heads their list of worries for the fourth year in a row; a 300,000 worker shortfall of U.S cyber
employees last year; 64 percent of respondents telling the Ponemon Institute in 2018 that “one or more
endpoint attacks …successfully compromised data assets and/or IT infrastructure over the past 12
months.”
Yet for all these grim statistics, there is good news. Yes, the shortage of individuals to fill cybersecurity
roles is a challenge. The chasm between cybersecurity positions and people to fill them is growing at
triple the rate for other IT job shortages. 8 However, as with the steps Little Leaguers take to be versatile
fielders, steps to meet the evolving cybersecurity challenge are available to businesses. Some regions
and ecosystems offer more opportunity than others to leverage those steps.
Earlier this year senior principal analyst at the Enterprise Strategy Group Jon Oltsik wrote that measures
to address the severe worker shortage include: leadership at the governmental level; public/private
partnership; and “an integrated industry effort.” 9 Actions corresponding to these steps are already well
underway in Ireland, which has long had a tech-sector-supportive ecosystem.
Part of this ecosystem is the expansive cybersecurity initiative Cyber Ireland, a cluster organization,
created by Ireland’s foreign direct investment agency, IDA, and academic institute Cork Institute of
Technology that also includes US businesses to find a solution to the worldwide problem.
Representatives from U.S. businesses and the Irish government looked closely together at the key
challenges facing enterprises in the cyber sector. Putting their heads together enabled IDA along with
Google, Microsoft, Facebook, IBM, Dell, SAP, Cisco, and other firms with a commitment to ongoing
cybersecurity to lay the groundwork for Cyber Ireland. Cyber Ireland made sure to form a board that
includes representatives from industry, agencies including the National Cyber Security Centre and the
Garda Cyber Crime Bureau, government, and academia.
Joining a Robust Ecosystem
A natural result of following the integrated industry effort, was the launch of the well-funded Cybersecurity
Skills Initiative (CSI). CSI graduates have already joined the cybersecurity workforce in Ireland, most
employed by US multinational firms, a trend expected to continue. These graduates become part of a
thriving ecosystem that includes Forcepoint’s Cloud Security Centre of Excellence, the Hewlett Packard
Enterprise (HPE) Global Cyber Defence Centre, and McAfee’s Centre of Excellence for Enterprise
Security Solutions in Ireland, to name a few.
7 https://www.esg-global.com/blog/the-cybersecurity-skills-shortage-is-getting-worse
8 https://www.channelfutures.com/mssp-insider/cybersecurity-talent-shortage-intensifies-despitetraining-efforts
9 https://www.esg-global.com/blog/the-cybersecurity-skills-shortage-is-getting-worse
102

By 2022, CSI graduates will account for 5,000 new cyber security professionals joining this ecosystem.
That’s an achievement that could not have been contemplated without the engagement of U.S companies
with Irish locations. Firms such as Deloitte, IBM and Maxol collaborated with Skillnet, Ireland’s corporategovernment
training agency, to design the curriculum. Cork Institute of Technology, Dublin City
University and other colleges in Ireland deliver content both on-line and in classroom. Cross-training and
up training for IT professionals from all sectors takes place in programs that range from 12-week courses
to graduate programs. US companies can also access Europe’s working population of 250 million -
countries in the European Economic Area (EEA) do not require individuals from these EEA nations to
obtain work permits.
The pace and the curriculum of CSI take into account, as was emphasized recently on forbes.com, that
cyberattacks don’t come in just one flavor. Training, informed by industry, government, and academia in
partnership, helps prepare graduates to fit specific expertise to specific threats.
Conclusion
The ecosystem these graduates will continue to enter is one where Cyber Ireland’s goal will continue to
be encouraging and facilitating the unimpeded flow of R&D resources and knowledge among industry,
cybersecurity agencies, and academia.
Commitment to this goal is why Dr. Eoin Byrne, cluster manager of Cyber Ireland, explains, “It’s not only
that we can address issues that the industry faces and will face beyond just security, it’s also that we
have the advantage of building upon U.S. businesses, Irish government, and academia already having
put their heads together to understand the key challenges for the tech sector.”
Putting more cybersecurity professionals into ready position for defense of our connected world is already
happening. With teams that include all the stakeholders, strong government support, and a successful
cybersecurity history to draw upon, readiness, no matter what the bad guys throw at your enterprise, can
be counted on.
Caption for to-be-determined image: As the number of connected devices grows—25.1 billion in 2025,
compared to 2017’s 7.5 billion 10 —the attack surface for threat actors expands too, making initiatives to
rapidly increase the number of cybersecurity professionals vital.
10 https://www.globenewswire.com/news-release/2019/06/28/1875952/0/en/The-2019-Cloud-Robotics-
Market-25-1-Billion-IoT-Connected-Devices-are-Forecast-by-2025-Offering-a-Massive-Opportunityfor-Connected-Robots-Their-Platform-Market.html
103

About the Author
Aidan McCauley is Vice President of Enterprise Technology and
Cyber Security investments for IDA Ireland based out of its Mountain
View office, California. Aidan supports Bay Area companies looking
to assess the best location to establish and grow their European
operations. By providing critical data such as talent, productivity,
property, ease of doing business, financial incentives and freedom of
movement, companies can carry out thorough due diligence and be
informed of the benefits of doing business in the fastest growing
economy in Europe, Ireland.
104

Voice Commerce Calls for Built-in Security
By Julian Weinberger, NCP engineering
In the mid-1990s, retailers embraced the Internet to increase customers and to introduce new service
offerings. A new breed of online-only merchants quickly emerged to challenge traditional brick and mortar
stores for Internet-based transactions. Since then, successive advances from eCommerce to
mCommerce to omnichannel have forced retailers to make their virtual presence every bit as strong as
their physical one just to stay relevant. Today, the ever-evolving retail industry shows no signs of slowing
down. The latest phenomenon taking merchants by storm is voice-assisted shopping.
Retail Talk
As voice-activated IoT devices such as the Amazon Echo, Apple Homekit, and Google Home grow in
popularity, consumers are starting to use them to order goods using simple voice commands. A study by
Adobe Analytics showed that 22 percent of digital assistant owners use their devices for shopping.
While the Artificial Intelligence (AI) powering these voice systems is presently limited to accessing
automated customer services via voice-bots or repeat orders of items bought previously, the technology
is quickly becoming more sophisticated and will soon be capable of delivering a highly personalized
service. Walmart, for example, recently announced a new voice-ordering service available via Google’s
many smart devices.
Industry observers anticipate that, within a few years, consumers will be able to use voice-powered digital
assistants to shop with the vast majority of retailers. Manufacturers are already designing everyday
machines and appliances with built-in voice-powered technology. LG, for example, has demonstrated a
105

smart refrigerator that uses Alexa to order food items, while some car makers have integrated voicetechnology
into their vehicles to allow voice-shopping while driving.
Analysts forecast that voice-assisted shopping will grow by 500% over the next three years with more than
1.6 billion people regularly using the technology by 2021. OC&C reports that voice commerce spending will
reach $40 billion by 2022 and that more than half (55%) of households will have at least one smart speaker.
Cybersecurity Threats
When it comes to security and data privacy, manufacturers of voice-assisted IoT devices still have a long
way to go to reduce consumer fears. A 2018 Global Consumer Insights Survey by PwC found 13 % of
study participants were concerned about the security of AI devices.
Recent data breaches do little to help build trust – Amazon sent 1,700 Alexa voice recordings to the
wrong person by mistake following a data request in 2018. Without proper security measures in place,
digital assistants make attractive targets for cyber criminals looking to harvest personally identifiable
information (PII) to sell on the dark web.
Even though these devices are smart, they can still be triggered by random voices from TVs and radios
and can be controlled by unknown users. For example, a prerecorded message on a random Spotify
Playlist can easily say, “Alexa, buy me the new Mac Pro,” and the device will send orders to everyone
who plays the playlist on a speaker. This is basically a formjacking attack on voice-controlled devices.
Data Privacy
To protect voice commerce, the makers of AI-powered voice-activated IoT equipment must first ensure
that devices are designed with in-depth security and data privacy protection built-in.
While authentication is available on some smart devices already, it’s based on a biometric authentication
which, unfortunately, always has a false acceptance and rejection rate. Adding a second layer of
authentication to the smart device will make it more secure, e.g. smart devices can only order
merchandise when the user/owner is in the same room.
Recommended layers of defense include certificate-based authentication plus a unique hardware
identifier. Smart speakers should also feature multiple security mechanisms including authorization, virus
protection, and remote access management for business environments.
Finally, the best way to preserve the privacy of voice data exchanges is with end-to-end encryption, a
technique synonymous with remote virtual private network (VPN) services. End-to-end encryption
protects data at every stage of the communications process – at device-level, while in transit, and when
stored at its destination – by scrambling the content to render it unintelligible to outside observers.
In summary, smart speakers are quickly becoming a part of the average connected home. While the retail
industry is responding by adding AI-powered voice technology to a multitude of machines and devices,
manufacturers must ensure that security is built-in by design. Virtual private networks with end-to-end
encryption will effectively protect the data privacy of consumers who purchase merchandise from their smart
speakers.
106

About The Author
Julian Weinberger, CISSP, is Director of Systems Engineering for NCP
engineering. He has over 10 years of experience in the networking and
security industry, as well as expertise in SSL ‐ VPN, IPsec, PKI, and
firewalls. Based in Mountain View, CA, Julian is responsible for
developing IT network security solutions and business strategies for
NCP.
107

Protecting Your Business against DDoS Attacks Requires Simple
Best Practices
By Rodney Joffe, Senior Vice President, Senior Technologist and Fellow, Neustar
In the twenty years since a University of Minnesota computer came under attack from a network of over
100 computers infected with a malicious script, three things have seemed certain in life – death, taxes,
and that Distributed Denial of Service (DDoS) attacks would continue to steadily grow in size, scale and
impact.
From that first instance on, DDoS attacks seemed to adhere to a “grow always in all ways” philosophy.
Attackers would exploit vulnerable machines – or, in recent years, insecure IoT devices – to launch a
coordinated botnet against the target, the objective being to disrupt or block business traffic.
Revered for their ability to deliver blunt force trauma, DDoS attacks are capable of overwhelming even
the mightiest Fortune 500 company, causing untold impact to a business’ infrastructure and operations.
As companies began evolving their cybersecurity mechanisms, a funny thing happened—DDoS attacks
began to evolve, too.
A recent analysis of DDoS attack patterns found a clearer and more pronounced affirmation of a few
recent trends – a steady increase in the number of vectors being used by attackers, and an increase in
the volume of small attacks sized 5 Gigabits per second (Gbps) and lower. For perspective, the kinds of
massive attacks that make the news are typically above 100 Gbps.
As counterintuitive as it may seem to go tiny, attackers have recognized that small, targeted DDoS attacks
can evade an organization’s defenses by coming in below the threshold where defenses are triggered.
By remaining below this threshold, an attack might continue on for a long time undetected. While it may
seem like an oxymoron to some, the ability for bad actors to narrowly target their DDoS attacks is
becoming more and more precise. As the target becomes smaller, less traffic is required to bring it down.
Smaller DDoS attacks can narrowly target the weakest link in an organization’s infrastructure, degrading
108

the performance of a specific business application or damaging a single API to harm an organization via
the death by 1,000 paper cuts approach.
The volume of attacks sized 5 Gbps and below increased by 158% in Q2 of 2019 compared with the
same quarter last year – the single area with the highest percentage of growth. Additionally, over 75% of
all attacks mitigated by Neustar last quarter were sized 5 Gbps or less.
What’s more, a survey conducted this quarter by the Neustar International Security Council (NISC) found
a staggering 72% of senior cybersecurity leaders and decision makers were not confident in their
organization’s ability to notice a smaller attack. To protect against increasingly precise and inconspicuous
DDoS attacks, businesses must deploy best practices to ensure that they are defending the infrastructure
that is most valuable to their business. So how do you as an executive defend your business against
these attacks?
• Develop a Risk Register: This begins with an inward analysis of your company’s most critical
business assets and working outward towards your internet presence. Throughout this process,
your team should be asking, “If certain parts of our business were compromised or disabled, how
destabilized would our entire enterprise become?” Such destabilization could range from
intellectual property theft to compromised customer information or inhibited shopping cart
features. For some, a blog is as critical to their enterprise as customer billing logs. This exercise
helps you clarify between which parts of your business are valuable to your company’s existence
(such as a blog or a shopping cart feature) and which are simply vulnerable by their very nature
(such as routers or smart speakers). While valuable assets and vulnerable assets are not mutually
exclusive, you may be surprised in how little overlap there is between the two. Creating this
clarification will help your executive team deploy the right protection in the right place
• Reevaluate Your DDoS Protection: As multi-vector attacks increase, it is increasingly important
to ensure you are taking the right approach to DDoS protection. Between April-June 2019, more
than 82% of attacks mitigated by Neustar used two or more threat vectors – with 7% utilizing more
than four. There are two types of mitigation services to consider for DDoS protection—always-on
and on-demand. Because bad actors increasingly use multiple vectors for attacks, a best practice
is to begin with always-on DDoS protection to gain an understanding of how much malicious traffic
you are receiving, then moving to on-demand mitigation if necessary. By initially setting your
default to the always-on scenario, you will gain a strong understanding for what should be
protected and how much protection you need. Once you have a feel for your attack thresholds,
you can then work with your cybersecurity provider to determine which type of mitigation services
are needed to protect your critical assets.
• Understand Your IoT Risk: As the use of IoT devices increase, the number of critical assets
your company has will only compound the threat. Intel has projected that internet-enabled device
penetration will grow from 2 billion in 2006 to 200 billion connected devices by 2020 – that’s about
26 smart devices for each human on earth. IoT devices come with a unique set of cybersecurity
and privacy risks, so it is important for organizations to establish best practices now, before
connected devices with unknown vulnerabilities proliferate throughout the network. Ensure your
executive team has a solid understanding of your organization’s existing IoT footprint. Once a
database of connected devices is established, the IT and security teams must work together to
perform routine checks of those devices to ensure cybersecurity hygiene. Since one of the
greatest security risks to an organization is its people, taking the time to ensure employees
109

understand cybersecurity basics – such as how to spot a phishing email and the importance of
two-factor authentication – will help to build awareness and create a culture of security.
Although super massive DDoS attacks that overwhelm a target with a tidal wave of network traffic aren’t
going away, some attackers have traded in the sledgehammer and embraced subtlety. They have found
ways to launch attacks that are small enough to evade standard DDoS protection and precise enough to
target a single weak link in an organization’s infrastructure. Until we see drastic changes in the way
communications are handled on the internet, DDoS attacks large and small will remain formidable. But
by understanding where you are at risk around critical business operations, knowing how to protect them
and maintaining an active awareness of what IoT devices are being managed, you will put your company
in a strong position to weather DDoS attacks, regardless of size or complexity.
About the Author
Rodney Joffe, Senior Vice President, Senior Technologist and
Fellow, Neustar.Rodney Joffe serves as a Neustar Senior Vice
President and is a Senior Technologist and Fellow. His
accomplishments include founding the first commercial Internet
hosting company, Genuity, as well as the first outsourced and
cloud-based Domain Name System (DNS) company, UltraDNS,
where he invented Anycast Technology for DNS. Joffe has served
on a number of the U.S. government’s cybersecurity intelligence
panels and was the leader of the groundbreaking Conficker
Working Group. He is one of the first civilians to receive the Federal Bureau of Investigation (FBI)
Director’s Award due in no small part to his role in uncovering and taking down the Butterfly Botnet. He
has also been honored with the Mary Litynski Lifetime Achievement Award from M3AAWG, the global
Messaging, Malware and Mobile Anti-Abuse Working Group, and was most recently publicly recognized
for his years of work and dedication in helping protect against cybercrime, winning The Computing
Security Award for his contribution to Cyber Security in 2018.
Joffe is also the chairman of the Neustar International Security Council (NISC), which is comprised of an
elite group of cybersecurity leaders across industries and companies who meet regularly to discuss the
latest cyberattack trends.
110

Server less Security Analysis: The Best Practices on How to
Enforce Them
By Aaron Chichioco, content editorial manager/web designer, Design Doxa
Even before companies started making the jump to go serverless, security has already been a concern
in a world largely becoming digital. Now, with tech steadily turning towards the trends of serverless —
everything from architecture to applications are growing in number by the day — and with related cloudbased
operations, the question of security becomes even more prominent, as this form of structure may
require more complex considerations.
The Strength in Serverless
Computing can be seen as an evolutionary process. It went from physical machines to virtualization
before becoming cloud computing and containers, before finally making the jump to serverless.
Serverless architecture has numerous benefits compared to traditional counterparts. Serverless is
typically used for applications that require custom images and events, even fixed time triggers. It’s best
used for applications with rapid and high fluctuations in traffic, as it’s capable of scaling to cope with
rapidly rising and falling traffic.
111

However, with these benefits come a different set of security protocols, especially against the expected
standard of traditional. With no physical servers and processes running on ephemeral functions,
serverless can cut down on the more common concerns. It’s even able to take on heavier attacks than
traditional systems.
Security Strains on Serverless
Still, it’s not without faults. There are more areas to attack, data becomes at risk during transfers, and
keeping an eye on its many functions is challenging. There are several good practices to remember in
defending serverless architecture. Keep in mind that not all companies will need the same security
protocols. Still, it’s imperative to know them to be able to prepare for any occasion.
1. Add another layer of defense against a siege
Serverless systems are typically stronger against heavy DDoS attacks. DDoS attacks are performed by
overloading a website with repeated requests, taxing it to its limits and causing it to stall. Ultimately, the
site crashes and users won’t be able to use it. Serverless architecture is typically less vulnerable to these
types of attacks. Its scalable platforms can withstand heavy DDoSing.
However, they still have limits, and it may cost a company a great deal of money to hold the fort against
such an attack. In this end, using an API gateway adds another layer of protection. Rate limiting won’t be
a problem any longer, and your resources won’t get exhausted.
2. Partition the data during transfers
One of the main risks with serverless structures is that data may be vulnerable during transfers and
transmissions. Email, for example, is one such vulnerability. Most cybersecurity practices include email
security, but in the case of defending serverless emails, data partitioning is a great way to ensure that
the payload is transferred safely. The act of sending the email is separated into different partitions,
ensuring that the entire email is not sent all in one go. This makes it far safer and less likely for the entire
email to fall to anything malicious to extract data from it.
3. Establish clear authentication and authorization controls
Any cybersecurity expert will say that authentication and authorization protocols are some of the most
basic and initial concerns. Ever since programmers developed accounts and passwords, it has been the
pillar of digital security. The same is still true for serverless processes.
There are numerous functionalities that could be going on in a serverless system. Authentication and
authorization need to be heavily enforced, clear cut, and binding throughout all platforms. If an app can
be accessed through mobile, computer, or other platforms, the same solid reinforcement must be there
in each of the platforms individually. However, to avoid redundant checks and complexity, the API
gateway could be another excellent method to use.
112

4. Tie up the Dependencies and Third-Party Services
Another area that may produce security vulnerabilities is if an application has dependencies or is linked
to third party services. Payment gateways are some of the most common of them. In a traditional setting,
patches aren’t a particular fit for serverless architecture. However, it is still a major concern, especially
as third-party services such as payment gateways and platforms will have extremely sensitive user
information that gives access to their finances.
Security protocols used by the application and the third party must be rechecked to ensure that they
remain up to date at all times. Automated tools can also aid in checking the dependencies so there are
no vulnerable components being used as well. For third parties, security questionnaires can also meet
the necessary safety requirements. It’s also essential to stay on top of things and audit the status
whenever possible.
5. Keep an Eye in the Sky
Monitoring should be a regular part of security upkeep for serverless systems. There are numerous
functions being triggered and deployed at any given time, many of them short-lived. They grow as the
serverless application scales up.
While it may be easy to lose sight of everything going on, it’s imperative that there’s still constant
monitoring of the ongoing functions. This way, in spite of the increasing complexity of the system, you
will still be able to stay on top of any malicious attacks or attempts to force any unsafe processes. The
functions themselves need to be checked for any security vulnerabilities as they are developed and
updated.
What the Future Holds for Serverless
Security concerns aside, the future seems to only get brighter for serverless. It’s currently the fastest
growing cloud service model, growing at 97% a year. With its low cost, less complex operations, and
increased efficiency, it only gets more and more popular for developers worldwide. The rising trend
towards the next few years show the industry leaning towards innovation and improved performance.
There is also an expected growth in testing options, to truly be able to audit and gauge what limitations
serverless may have and how far it can still be taken.
Security is also seen to improve further. With the rapid growth of serverless, the security must also rise
with it. Cloud service providers are seen to be the next focal point in heightened security. Applications
also need serious boosts in security, as one in five of them have critical vulnerabilities. This year and the
next predicted that enterprises would be more likely to seek out the rest set of tools for protection. These
even include policies that make use of the full visibility of serverless, along with the unique cloud
deployments used.
Serverless is starting to become adopted more and more throughout the world. The wave sees multiple
application components as models, executed on triggers, providing greater speed, efficiency, and costeffectiveness.
The traction continues to gain speed as the benefits of a serverless architecture, most
113

especially all its important security benefits, continue to spread to d-evelopers who are looking for great
solutions for new applications.
As long as companies maintain a commitment to security, reinforcing cybersecurity protocols, and
understanding where serverless’ vulnerabilities lie, serverless can only develop to become even more
secure and efficient. In no time at all, serverless can fulfill the expectation of becoming the next great
evolutionary iteration of computing.
Stay up to date on the latest news and trends in cybersecurity, including vital knowledge about keeping
serverless architecture safe by visiting Cyberdefensemagazine.com
About the Author
Aaron Chichioco is the content editorial manager and one of the
designers behind the creation of Design Doxa.com. His expertise
includes not only limited to Web/mobile design and development, but
marketing, branding and eCommerce Strategies as well. As a former
operations manager, he used to oversee the day-to-day operations
of several online businesses since 2011. You can follow Aaron on
twitter at @Aaron_Chichioco and http://designdoxa.com/about-us/
114

Stop! Vulnerable Software
Know your vulnerabilities
By Joe Guerra, M.Ed, CySA+, C|EH, Cybersecurity Instructor, Hallmark University
Software is omnipresent, even in areas you wouldn’t envision
Software is so effortlessly meshed into the cloth of modern life that it blends into our everyday existence
without notice. We constantly work with software in everyday of our lives that has technology embedded
in it, from our tedious everyday actions—as we drive to the job in our automobiles, as we purchase
groceries at the local market, as we withdraw money from the local bank, and even when we listen to our
tunes or call a friend. Therefore, software needs the attention of security in its development.
Software security risks are ubiquitous. And in an age of cybersecurity risks, they affect everyone
— people, organizations, nations, etc.
I probably don’t need to devote much time convincing you that security flaws in software are normal, and
that it is imperative to look out for them. However, many developers do not comprehend how prevalent
the issue of insecure software really is.
115

Cyberattacks have been in the news the past decade. Duqu and Stuxnet had the industry talking in 2010
and 2011. And cyberattacks have only expedited since then. WannaCry struck vital systems in 2017,
including Britain’s National Health Service. And GitHub was struck by a denial of service (DoS) attack in
early 2018.
These attacks were done with the revelation of exploiting a vulnerability in the software. A software
vulnerability is a bug, error, or fault present in the software or in the Operating System. The issue of
software vulnerabilities has advanced at an unstoppable rate as software/firmware is everywhere. Of
course, all technology has vulnerabilities. The concern is whether or not they’re subjugated to exploits to
cause harm.
Software vulnerabilities are illuminated by three ultimate factors.
These being:
• Presence – The existence of a flaw in the software.
• Control Access – The possibility that hackers acquire access to the flaw.
• Exploitability (Risk) – The capability of the hacker to take gain of that flaw via tools or techniques.
Every day, numerous organizations are seeing vulnerabilities in their code exploited.
Software is at the origin of all collective computer security complications. If your software act ups, a
quantity of miscellaneous sorts of difficulties can crop up: dependability, accessibility, security, and
safety. The additional kink in the security condition is that an attacker is aggressively attempting to adjust
your software to misbehave. This surely brands security as a tricky proposition.
There are many software glitches out there and your software vulnerabilities will be different then
someone else’s. So it is imperative to get involved and examine your own software that you are utilizing.
In order to build or examine secure software, it is indispensable to have an understanding of software
vulnerabilities. Here, are three examples of some of important, and dangerous, vulnerabilities.
SQL Injection
SQL injection is a technique in which SQL code is introduced or attached into application/user input
constraints that are later executed to a back-end SQL server for implementation and execution. Any
process that builds SQL statements could possibly be susceptible to this type of attack, as the assorted
environment of SQL and the approaches available for building it provide a treasure of coding selections.
The main form of SQL injection comprises of direct insertion of code into limits that are combined together
with SQL code and implemented.
In this instance, you are going to try to insert your own SQL commands by attaching them to the input
parameter val. You can execute this by affixing the string ‘OR ‘1’= ‘1 to the URL:
• http://www.targetvictim.com/products.php?val=100’ OR ‘1’=‘1
116

The SQL command that the PHP code forms and performs will reveal all of the products in the database
irrespective of their price. This is the result of you altering the rationality of the query. This happens
because the attached command results in the OR operand of the query always returning true, that is, 1
will always be equal to 1.
Here is the SQL code that was built and performed:
SELECT
∗FROM ProductsTbl
WHERE Price < ‘100.00’ OR ‘1’ = ‘1’
ORDER BY ProductDescription;
There are countless methods to exploit SQL injection vulnerabilities to attain numerous goals; the
achievement of the attack is usually very dependent on the fundamental database and interrelated
systems that are under attack. Occasionally it can takes a tremendous amount of skill and persistence to
exploit a flaw to its full effect.
Command/Code injection
OS Command Injection flaws happen when software implements user-manageable information in a
command, which is controlled under the shell command terminal. If the data is unrestricted, an attacker
can utilize shell meta-characters to modify the command that is intended to be executed. This fault is
programming language independent.
There are a multitude avenues to exploit a command injection:
• injecting the command enclosed in backticks, for example `id`
• readdressing the result of the first command into the second | id
• executing another command if the first one works: && id (where & needs to be encoded)
• Executing another command if the first one flops (and making sure it does: error ||
id (where error is just here to cause an error).
It’s also feasible to implement the same value technique to operate this type of detection. For example,
you can substitute 123 with`echo 123`. The command enclosed in backticks will be performed first, and
return precisely the same value to be implemented by the command.
Buffer Overflow
In programming, a buffer is a zone that is utilized to stock data temporarily during the application
execution. The size of the buffer is typically fixed. Once the application exits, the contents of the buffer
are also cleared.
117

In a buffer overflow attack, the buffer is occupied with additional data than it can hold or handle, producing
the application to operate abnormally. Hackers implement this type of attack to acquire reverse shells
into a target computer by inserting shellcode as the payload.
Buffer overflows are usually implemented when the attacker figures out you have no controlled allocation
of your memory.
Lets’ look at a classic example in C programming:
The program below gives a situation where an applications expects a password from the user and if the
password is accurate then it applies “root privileges” to the user.
The program runs as expected if you supply the correct credentials.
However, in this program lies the undiscovered flaw of the possibility of a buffer overflow attack. The
gets() function in C does not account for implementing checks for the array size. This means that we can
write a longer string larger than the buffer size. Now, can you comprehend through this basic example of
the damage that can arise with this type of loophole?
118

The origins of software defects
From where do these problems arise? Developers writing custom applications for corporations to utilize
internally or on the web, programmers employed at software development firms that create moneymaking
off-the-shelf programs, programmers employed in the public domain, and those freelancing
coding and emancipating flawed code—all agonize from the same ultimate dilemma: They all suffer from
the same human condition that “they don’t know any better “ because they were “never taught” how to
write secure and resilient code for their applications.
Software, are inherently insecure in various types of vulnerabilities, unless the developer makes a mindful
effort to avert these vulnerabilities. If the programmer forgets to include suitable “output encoding
procedures” and “input validation techniques”, the application will surely be vulnerable to certain exploits.
The software may appropriate and suitable for its purpose just as the developer intended it to perform,
but it may never have been verified and validated to see how it works when it’s being served malicious
input or is directly attacked.
About the Author
Joe Guerra, M.Ed, CySA+,C|EH, Cybersecurity Instructor, Hallmark
University .Joe Guerra is a cybersecurity/computer programming
instructor at Hallmark University. He has 13 years of teaching/training
experience in software and information technology development. Joe has
been involved in teaching information systems security and secure
software development towards industry certifications. Initially, Joe was a
software developer/instructor working in C and Python projects. He is
constantly researching attack techniques, forensic investigations and
malware analysis. He is focused on training the new generation of cyber
first responders at Hallmark University.
Joe can be reached online at (Jguerra2@hallmarkuniversity.edu) and at our University website
http://www.hallmarkuniversity.edu/
119

The Dangers of the Integrated Home/Workplace
Personal data breaches are one of the fastest-growing cybercrimes in the US. As IoT devices become
increasingly common at home and in the workplace, measures must be taken to secure them at every
point.
By Damon Culbert, Content Writer, Cyber Security Professionals
Personal data breaches are one of the most common and fastest-growing cybercrimes in the US,
increasing by more than 60% between 2017 and 2018. While the issue of sensitive data is becoming
much more commonplace in the media, the full extent of the issue is far wider than most people perceive.
As more and more devices connect to the internet and each other, holes in the defences of both home
and workplace security could be leaving thousands of personal data records exposed at all times.
The Internet of Things is a phenomenon which is reaching into offices and homes across the world as
tech companies test consumer imagination about what devices can be connected to each other and for
what purpose. As smart thermostats, washing machines and light bulbs fill homes, integrated security
systems, smart desks and intelligent A/C systems fill offices. But these devices have specific security
concerns that are often forgotten about by consumers in the race to make their lives easier through
integration.
Workplace insecurity
In the workplace, one of the biggest challenges comes from Bring Your Own Device (BYOD) policies
where staff use external devices like laptops and phones to support their work. Enabling staff to access
their work wherever they are and have a high level of connectivity with their workplace even when on the
120

go is great for productivity but without the right security measures, devices from home could cost more
than their worth.
If a device is compromised outside of work and is allowed to connect to the office network, malicious
software could break through the organisations’ defences and cause problems from the inside.
Additionally, if not all devices are operating at the same level of security, the weak links could be exploited
by cyber criminals and result in personal data breaches of staff or client data.
The simplest way to avoid these kinds of issues is to ensure that all devices used by staff are approved
by security experts and where issues are found the devices are properly secured or replaced. Having a
consistent security policy which covers all devices that interact with the main organisation network is vital
to protecting any personal data the company holds in its employees and clients.
Integrated home devices
At home, the rise in products such as Amazon’s Alexa and the Google Home assistant have seen
integrated devices springing up everywhere, creating fully interconnected homes where everything can
be controlled with voice commands or centrally from a mobile phone. In the rush to create so many IoTready
devices, many suppliers have neglected to focus on security, meaning many devices are a risk to
consumers’ personal networks.
Some IoT devices store the wifi password insecurely; meaning hackers could break in through the weaker
defences around an IoT device like a home security camera or even a pair of hair straighteners and gain
access to the entire network from there. Manufacturers of IoT products need to make sure that measures
are taken to secure their devices before marketing them but consumers also need to be aware of the
potential issues a product may pose before they buy it and add it to their network.
Home assistant breaches
Given recent news about how Google Home assistants and Amazon Alexa devices have been sending
recordings to human operators and even accidentally leaking recordings to other users, how companies
use the person data we provide them with is also becoming an increasing concern. While users willingly
bring these devices into their homes, many don’t consider the safety implications of having a machine
that is constantly listening in their homes.
Even if home assistants are only sharing the voice recordings between other employees, there is still
always the possibility that these companies will be hacked and the personal data caught on the recording
will be leaked or exploited by hackers. As Natwest plans to introduce ‘voice banking’ in partnership with
Google in the UK, not only do the possibilities for integration seem endless, but also the possibilities for
exploitation.
Online security is becoming a much more popular concern as the ways we interact with the internet
become more diverse and in many ways more complex. Not only is it the responsibility of manufacturers
to ensure IoT devices are as secure as possible before marketing them, but those who introduce new
121

devices to their home or workplace environment need to keep security in mind to tackle the personal data
crisis emerging across the US.
About the Author
Damon Culbert is a Content Writer for Cyber Security Professionals. Cyber
Security Professionals is a specialist job site advertising vacancies in the
information security industry around the world.
Cyber Security Professionals can be found online at @cysecprofs (Twitter)
and at our company website: https://cybersecurity-professionals.com/
122

How Real-Time Asset Intelligence Enables Full Posture Control
By Ellen Sundra, VP of Americas Systems Engineering, Forescout Technologies
The massive growth of devices hitting our networks is not a secret or a new discussion. We have all seen
the predictions of growth from Gartner – 14.2 billions devices today growing to 25 billion devices by 2021.
Right along with device hyper-growth comes increased risk vectors, and the need for organizations to
adopt a willingness to automate their cybersecurity strategy.
The foundation of every well-planned security program is device visibility. Having intelligence on 100%
of the devices across all aspects of your extended enterprise, inclusive of IT, IoT, Data Centers, Cloud
and OT networks, helps prioritize risk and protect potential breach access points. Mind you, visibility isn’t
a silver bullet, it is the enabler of the critical step to turn that intelligence into action by layering on tools
like automation or network segmentation.
Automation can allow organizations to quickly authenticate authorized devices on the network,
and apply action controls and policies to devices which are unauthorized. The decision to automate is
often a level of comfort for trusting that you truly do know what is on your network and that
you don’t accidently block access to a mission-critical device or apply a patch to an older device that
might break it or void its warranty. Automation forces better behavior across the organization and allows
resources to focus on more strategic efforts when your security tools are configured to analyze device
function and compliance.
123

I see this every day within the industry, for example the Department of Homeland Security is one early
leader in this practice of understanding the importance of visibility and turning it into action. The first two
phases of its Continuous Diagnostics and Mitigation (CDM) program looked to discover what and who
were on DHS networks. The next phase will look to use that intelligence to kick start more advanced
cybersecurity conversations and capabilities, like automation and incident response. The Department of
Defense is also in the process of launching a similar program, called Comply to Connect.
Network segmentation is another tool that organizations can use to reduce risk using the information
gathered by visibility tools. Once you can identify what devices are attached to the network and
understand their context, network segmentation can limit what those devices can do and what they have
access to. For example, you may not want medical devices and payment and finance systems on the
same network. You may choose to segment those separately to reduce risk without eliminating
functionality. This can also help with audits and compliance in regulatory-sensitive organizations.
This is why visibility needs to serve as the foundation of automation and network segmentation. With full
device visibility and context, you are able to say with confidence what devices are on the network and
their specific attributes. That context allows for nuanced policies, which protects against these worries of
broad-spread automation.
We are living in the world of IoT, where billions of devices are coming online every year. There will always
be new devices coming onto the corporate network. Visibility is a tool that gives critical cybersecurity
intelligence into this rise, but it is just the building blocks for a sustainable and scalable enterprise
cybersecurity strategy.
About the Author
With more than 20 years of experience in the cybersecurity industry, Ellen
leads the Americas System Engineering team for Forescout Technologies.
Together, Ellen and her team are responsible for designing customized
security solutions for Commercial and Public Sector customers. Prior to
joining Forescout, Ellen was a network architect and security advisor with
iPass, UUNet and WorldCom. Ellen earned a Bachelor of Arts in computer
science from Rollins College and is a Certified Information Systems Security
Professional (CISSP).
124

Multi-factor Authentication Implementation Options
"2FA to 5FA - What are the options available?"
By David Smith
Independent Consultant at Smart Card Institute
At some point of time we have all used an OTP (One-time password) along with our password to
successfully complete an online banking or financial transaction. While the OTP has provided an added
sense of security that no one else besides you can authenticate that transaction, it heavily relies on the
fact that the mobile device or token is in your possession during the transaction. The use of password +
OTP for authentication is an example of Two-Factor Authentication (2FA). In order to ensure the
authenticity of the user performing any transaction online or in-person, service providers and governing
bodies are now emphasising the use of multi-factor authentication mechanisms.
Multi-factor authentication has become a necessity to avoid risk of identity theft caused by use of weak
or stolen user credentials, possible vulnerability of systems and phishing attacks. As the name suggests,
multi-factor authentication requires that a user provide 2 or more pieces of evidence as a proof of his
identity. The evidence provided should usually involve a mix of the below categories of factors.
• Knowledge factors - Something the user knows
• Possession factors - Something the user possesses
• Inherence factors - Something associated with the user’s body/personality.
• Location factor – Somewhere the user is
• Time factor – Time of the transaction.
We will now proceed to explore what are the different types of evidence that can be used to satisfy each
of the above factors to successfully implement a multi-factor authentication system.
125

Knowledge Factors: Probably the most commonly used factor, something the user knows is usually his
credentials like username, Email-Id, password, PIN etc. Using an ATM card with PIN is an example of
2FA where one of the factors is the ATM card (which the user possesses) and the second is the PIN
(which the user knows). Other examples for the use of knowledge factor include
• Security questions which are usually used when some-body wants to reset their password.
• CVV codes and expiry date on credit cards which are required during e-commerce transactions.
• Random One time passwords sent via SMS or emails when the user accesses a service
• Time-based one-time password generated by token devices based on a shared secret key and
current timestamp using a cryptographic function.
Possession Factors: The oldest example of the possession factor is probably the key to a lock. The
same principle continues to be used today in the digital age to control digital access. Smart cards are a
commonly used possession factor today for digital access. They come in many forms like magnetic stripe
and EMV cards used in credit/debit cards. RFID or NFC cards used in physical access control etc. Similar
technology may be used in key fobs, wrist bands etc. Hardware and software tokens are also used by
many mobile banking applications to implement multi factor authentication.
Inherent Factors: Biometric factors are commonly used to implement inherent factors. These include
behavioural identifiers as well as physiological identifiers.
Behavioural identifiers include voice recognition, key stroke and navigation patterns and engagement
patterns. These rely on matching patterns of a person’s vocal characteristics, speed and pressure of
typing and engagement with technology respectively. Voice recognition is typically used in call center/IVR
applications while key stroke and navigation patterns are used when implementing remote multi-factor
authentication.
Physiological identifiers include fingerprint, face and iris/retina scans. These make use of the unique
patterns formed by a person’s fingerprints, face structure or retinal blood vessels/iris colors. They are
commonly used to authenticate people on airports during immigration. Biometric payment cards are
proposed to be the next step in security in the online/in-person payments industry.
Location factors: These usually check where the user is accessing the service from. Use of mobile
phones has made it easier to track location. Example of implementation of location based authentication
is, when user is within the office premise, he can connect directly to the corporate network through Wi-Fi
or LAN. On the other hand to access the corporate network over a VPN, a soft token is usually required.
Time Factor: Systems could have an inbuilt logic to check if the time of access is in line with the expected
pattern. For example, a person may not be allowed to access a paid service from two geographically
distant locations within a matter of minutes.
2FA is the most commonly used type of authentication and relies mostly on any two of the first 3 factors
of knowledge, possession and inherence. 3FA, 4FA and 5FA using 1 of each type of factors are also
implemented in special cases. Finally it is important to note that reliability of the mechanism used depends
not only on which type of authentication is used but also on how it is implemented. A balance must also
126

e maintained to ensure that users don’t feel confused or overburdened by the number of steps required
to get access.
About the Author
David Smith is a cryptographer with 12 years of experience in
both the public and private sectors. His expertise includes:
system design and implementation with contact and contactless
smart cards, smart card personalization, mobile payments, and
general knowledge and experience with APAC market trends and
consumer preferences. David occasionally consults with smart
card companies at websites like Cardzgroup.com and you can
be reached David online at Linkedin
127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

Meet Our Publisher: Gary S. Miliefsky, CISSP, fmDHS
“Amazing Keynote”
“Best Speaker on the Hacking Stage”
“Most Entertaining and Engaging”
Gary has been keynoting cyber security events throughout the year. He’s also been a
moderator, a panelist and has numerous upcoming events throughout the year.
If you are looking for a cybersecurity expert who can make the difference from a nice event to
a stellar conference, look no further email marketing@cyberdefensemagazine.com
168

You asked, and it’s finally here…we’ve launched CyberDefense.TV
At least a dozen exceptional interviews rolling out each month starting this summer…
Market leaders, innovators, CEO hot seat interviews and much more.
A new division of Cyber Defense Media Group and sister to Cyber Defense Magazine.
169

Free Monthly Cyber Defense eMagazine Via Email
Enjoy our monthly electronic editions of our Magazines for FREE.
This magazine is by and for ethical information security professionals with a twist on innovative consumer
products and privacy issues on top of best practices for IT security and Regulatory Compliance. Our
mission is to share cutting edge knowledge, real world stories and independent lab reviews on the best
ideas, products and services in the information technology industry. Our monthly Cyber Defense e-
Magazines will also keep you up to speed on what’s happening in the cyber-crime and cyber warfare
arena plus we’ll inform you as next generation and innovative technology vendors have news worthy of
sharing with you – so enjoy. You get all of this for FREE, always, for our electronic editions. Click here
to sign up today and within moments, you’ll receive your first email from us with an archive of our
newsletters along with this month’s newsletter.
By signing up, you’ll always be in the loop with CDM.
Copyright (C) 2019, Cyber Defense Magazine, a division of CYBER DEFENSE MEDIA GROUP (STEVEN G.
SAMUELS LLC. d/b/a) 276 Fifth Avenue, Suite 704, New York, NY 10001, Toll Free (USA): 1-833-844-9468 d/b/a
CyberDefenseAwards.com, CyberDefenseMagazine.com, CyberDefenseNewswire.com,
CyberDefenseProfessionals.com, CyberDefenseRadio.com and CyberDefenseTV.com, is a Limited Liability
Corporation (LLC) originally incorporated in the United States of America. Our Tax ID (EIN) is: 45-4188465,
Cyber Defense Magazine® is a registered trademark of Cyber Defense Media Group. EIN: 454-18-8465, DUNS#
078358935. All rights reserved worldwide. marketing@cyberdefensemagazine.com
All rights reserved worldwide. Copyright © 2019, Cyber Defense Magazine. All rights reserved. No part of this
newsletter may be used or reproduced by any means, graphic, electronic, or mechanical, including photocopying,
recording, taping or by any information storage retrieval system without the written permission of the publisher
except in the case of brief quotations embodied in critical articles and reviews. Because of the dynamic nature of
the Internet, any Web addresses or links contained in this newsletter may have changed since publication and may
no longer be valid. The views expressed in this work are solely those of the author and do not necessarily reflect
the views of the publisher, and the publisher hereby disclaims any responsibility for them. Send us great content
and we’ll post it in the magazine for free, subject to editorial approval and layout. Email us at
marketing@cyberdefensemagazine.com
Cyber Defense Magazine
276 Fifth Avenue, Suite 704, New York, NY 1000
EIN: 454-18-8465, DUNS# 078358935.
All rights reserved worldwide.
marketing@cyberdefensemagazine.com
www.cyberdefensemagazine.com
NEW YORK (US HQ), LONDON (UK/EU), HONG KONG (ASIA)
Cyber Defense Magazine - Cyber Defense eMagazine rev. date: 09/03/2019
170

TRILLIONS ARE AT STAKE
No 1 INTERNATIONAL BESTSELLER IN FOUR CATEGORIES
Released:
https://www.amazon.com/Cryptoconomy-Bitcoins-Blockchains-Bad-Guys-ebook/dp/B07KPNS9NH
In Development:
171

172

173

174

175

176

7 Years in The Making…
Thank You to our Loyal Subscribers!
We've Completely Rebuilt CyberDefenseMagazine.com - Please Let Us Know
What You Think. It's mobile and tablet friendly and superfast. We hope you
like it. In addition, we're shooting for 7x24x365 uptime as we continue to
scale with improved Web App Firewalls, Content Deliver Networks (CDNs)
around the Globe, Faster and More Secure DNS
and CyberDefenseMagazineBackup.com up and running as an array of live
mirror sites.
3m+ DNS queries monthly, 2m+ annual readers and new platforms coming…
177

178

179