Cyber Defense eMagazine April 2020 Edition
Cyber Defense eMagazine April Edition for 2020 #CDM #CYBERDEFENSEMAG @CyberDefenseMag by @Miliefsky a world-renowned cyber security expert and the Publisher of Cyber Defense Magazine as part of the Cyber Defense Media Group as well as Yan Ross, US Editor-in-Chief, Pieruligi Paganini, Co-founder & International Editor-in-Chief, Stevin Miliefsky, President and many more writers, partners and supporters who make this an awesome publication! Thank you all and to our readers! OSINT ROCKS! #CDM #CDMG #OSINT #CYBERSECURITY #INFOSEC #BEST #PRACTICES #TIPS #TECHNIQUES
<strong>Cyber</strong>criminals Exploit Coronavirus with<br />
Wave of New Scams<br />
WatchGuard’s RSA Conference <strong>2020</strong><br />
Recap<br />
<strong>Cyber</strong> Leads Global Business Risks for First<br />
Time: Allianz Risk Barometer <strong>2020</strong><br />
Facebook’s $550 Million Settlement: A<br />
Warning to Companies Collecting<br />
Biometric Data<br />
How to Avoid Being Breached In <strong>2020</strong><br />
…and much more…<br />
<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>April</strong> <strong>2020</strong> <strong>Edition</strong> Page 1<br />
Copyright © <strong>2020</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.
CONTENTS<br />
Welcome to CDM’s <strong>April</strong> <strong>2020</strong> --------------------------------------------------------------------------- 6<br />
<strong>Cyber</strong>criminals Exploit Coronavirus with Wave of New Scams ------------------------------- 22<br />
By David Ruiz, Malwarebytes Labs<br />
WatchGuard’s RSA Conference <strong>2020</strong> Recap -------------------------------------------------------- 29<br />
By Marc Laliberte – Sr. Security Analyst, WatchGuard Technologies<br />
<strong>Cyber</strong> Leads Global Business Risks for First Time: Allianz Risk Barometer <strong>2020</strong> --------- 32<br />
By Kelly Castriotta, North American Head of Product Development for Financial Lines at Allianz<br />
Global Corporate & Specialty<br />
Facebook’s $550 Million Settlement: A Warning to Companies Collecting Biometric<br />
Data ----------------------------------------------------------------------------------------------------------- 36<br />
By Billee Elliott McAuliffe, Member, Lewis Rice<br />
How to Avoid Being Breached In <strong>2020</strong> --------------------------------------------------------------- 39<br />
By Randy Reiter CEO of Don’t Be Breached<br />
What You Need to Know About DDoS Weapons Today ---------------------------------------- 42<br />
By Ahmad Nassiri, Security Solutions Architect at A10 Networks<br />
Better Network Visibility: Removing the Security Blindfold ----------------------------------- 45<br />
By Cary Wright, VP Product Management, Endace<br />
Enabling Agility to Accelerate Incident Response ------------------------------------------------ 47<br />
By John Attala, Vice President of Worldwide Sales, Endace<br />
Economic Efficiency in <strong>Cyber</strong> <strong>Defense</strong> ---------------------------------------------------------------- 50<br />
By Mark Evans, VP Marketing, Endace<br />
Does SASE Tick the Box for The Future of Network Security? --------------------------------- 53<br />
By Yair Green, CTO at GlobalDots<br />
Achieving Effective User Lifecycle Management Through Automation -------------------- 55<br />
By Jeff Stein, Information Security Architect, Reputation.com<br />
Credential Stuffing: Why It’s on The Rise and How to Decrease Your Risk ---------------- 58<br />
By Kevin Landt, VP of Product Management at Cygilant<br />
The Cost of <strong>Cyber</strong>crime Is Constantly Rising: How to Combat Ransomware Attacks on<br />
SMBs ---------------------------------------------------------------------------------------------------------- 61<br />
By Rui Lopes, Sales Engineering and Technical Support Director, Panda Security<br />
How To Manage Your Small Business In Time Of Crisis ----------------------------------------- 65<br />
By Milica D. Djekic<br />
What the Latest Enterprise Endpoint Security Survey Shows Us: Big Concerns but Hope<br />
for The Future ----------------------------------------------------------------------------------------------- 68<br />
By Jeff Harrell, Vice President of Marketing, Adaptiva<br />
@MILIEFSKY<br />
From the<br />
Publisher…<br />
New <strong>Cyber</strong><strong>Defense</strong>Magazine.com website, plus updates at <strong>Cyber</strong><strong>Defense</strong>TV.com & <strong>Cyber</strong><strong>Defense</strong>Radio.com<br />
Dear Friends,<br />
Looking back at RSA Conference <strong>2020</strong>, the view in our rearview mirror suggests that<br />
convention may have been among the last of the “live” conferences for a while. On<br />
behalf of <strong>Cyber</strong> <strong>Defense</strong> Media Group, we are fortunate to be able to build on our<br />
very positive experience there and use that foundation to provide support to others<br />
during this challenging time resulting from the corona virus COVID-19 pandemic.<br />
With this disruptive set of circumstances, we must consider ourselves to be on a battlefield of<br />
asymmetrical warfare. <strong>Cyber</strong> criminals have access to nearly all of our communications and educational<br />
materials, giving them valuable intelligence on how to defeat our best security practices. On the other<br />
side, we are in the less advantageous position of waiting for their next move to become visible.<br />
While this imbalance may appear to tip the scale against us, it also emphasizes the importance of keeping<br />
each other informed and up to speed on all known attack vectors. Only this way can we hope and expect<br />
to prevail and maintain steadiness and security in the many critical activities in our society and economy.<br />
From our own point of view, this leads us to double and redouble our efforts as both a media participant<br />
and a committed organization to provide the tools to assure a favourable outcome.<br />
With that background, we commit to continuing our monthly magazines as well as daily (or more<br />
frequent) updates on the <strong>Cyber</strong> <strong>Defense</strong> Magazine home page. As always, your participation and sharing<br />
from your own experiences are welcome.<br />
Warmest regards,<br />
Gary S. Miliefsky<br />
Gary S.Miliefsky, CISSP®, fmDHS<br />
CEO, <strong>Cyber</strong> <strong>Defense</strong> Media Group<br />
Publisher, <strong>Cyber</strong> <strong>Defense</strong> Magazine<br />
P.S. When you share a story or an article or information about CDM, please use #CDM and<br />
@<strong>Cyber</strong><strong>Defense</strong>Mag and @Miliefsky – it helps spread the word about our free resources even more<br />
quickly.<br />
InfoSec Knowledge is Power. We will<br />
always strive to provide the latest, most<br />
up to date FREE InfoSec information.<br />
From the International<br />
Editor-in-Chief…<br />
The current dynamics of the COVID-19 pandemic would seem to<br />
demand more international coordination, as opposed to a crazy<br />
quilt of national, regional, and local actions.<br />
Statistics are showing very different national and regional<br />
patterns of infection and mortality, even within geographic<br />
regions. Whether it’s the European Community, or the Asian<br />
region, or the Americas, there is a vast difference in the extent of<br />
diagnosed cases, and also of recorded deaths.<br />
In our world of cybersecurity, it’s possible to be both more and<br />
less challenging to seek and effect global solutions. In some ways,<br />
the interconnectedness of the cyber world carries with it a<br />
homogeneity of applications and programs. In contrast, the<br />
cultural diversity and role of national governments tend to<br />
emphasize our differences. As these developments play out, we<br />
will have an opportunity to take the lead in creating cybersecurity<br />
defenses to protect all aspects of IT in our lives, including (but not<br />
limited to) medical, financial, social, and government functions.<br />
In the days ahead, let us agree to put our differences aside in favor<br />
of responding to our common enemies: the COVID-19 itself and<br />
those who would take advantage of this crisis to perpetrate<br />
criminal schemes.<br />
@CYBERDEFENSEMAG<br />
CYBER DEFENSE eMAGAZINE<br />
Published monthly by the team at <strong>Cyber</strong> <strong>Defense</strong> Media Group and<br />
distributed electronically via opt-in Email, HTML, PDF and Online<br />
Flipbook formats.<br />
PRESIDENT & CO-FOUNDER<br />
Stevin Miliefsky<br />
stevinv@cyberdefensemagazine.com<br />
INTERNATIONAL EDITOR-IN-CHIEF & CO-FOUNDER<br />
Pierluigi Paganini, CEH<br />
Pierluigi.paganini@cyberdefensemagazine.com<br />
US EDITOR-IN-CHIEF<br />
Yan Ross, JD<br />
Yan.Ross@cyberdefensemediagroup.com<br />
ADVERTISING<br />
Marketing Team<br />
marketing@cyberdefensemagazine.com<br />
CONTACT US:<br />
<strong>Cyber</strong> <strong>Defense</strong> Magazine<br />
Toll Free: 1-833-844-9468<br />
International: +1-603-280-4451<br />
SKYPE: cyber.defense<br />
http://www.cyberdefensemagazine.com<br />
Copyright © 2019, <strong>Cyber</strong> <strong>Defense</strong> Magazine, a division of<br />
CYBER DEFENSE MEDIA GROUP (a Steven G. Samuels LLC d/b/a)<br />
276 Fifth Avenue, Suite 704, New York, NY 10001<br />
EIN: 454-18-8465, DUNS# 078358935.<br />
All rights reserved worldwide.<br />
PUBLISHER<br />
Gary S. Miliefsky, CISSP®<br />
Learn more about our founder & publisher at:<br />
http://www.cyberdefensemagazine.com/about-our-founder/<br />
8 YEARS OF EXCELLENCE!<br />
Providing free information, best practices, tips and<br />
techniques on cybersecurity since 2012, <strong>Cyber</strong> <strong>Defense</strong><br />
magazine is your go-to-source for Information Security.<br />
We’re a proud division of <strong>Cyber</strong> <strong>Defense</strong> Media Group:<br />
To our faithful readers, we thank you,<br />
Pierluigi Paganini<br />
International Editor-in-Chief<br />
Welcome to CDM’s <strong>April</strong> <strong>2020</strong><br />
As the <strong>April</strong> issue of <strong>Cyber</strong> <strong>Defense</strong> Magazine reaches publication, we find ourselves in a state similar to limbo,<br />
awaiting the next announcement of a cancelled event, a cyber vulnerability exploited by crooks, or a government<br />
initiative imposed under crisis conditions.<br />
Crisis, like necessity, can serve as the mother of both invention and opportunity. In the case of cybersecurity, it’s<br />
clear that there are new vulnerabilities arising from the new patterns of working remotely from locations with less<br />
robust cyber security than the main workplace of the organization.<br />
Anecdotally, only a relatively small percentage of affected organizations had adequately prepared for this<br />
eventuality. Most of the reports reflect “quick-and-dirty” arrangements for office and HQ workers to work remotely.<br />
From a cybersecurity POV, effective preparation would usually be the responsibility of an internal or outsourced<br />
CISO. In concept as well as practice, this would or should include pre-emergency activities and red-teaming<br />
exercises.<br />
Outside the 17 areas of critical infrastructure (see www.dhs.gov for more detailed information) there do not appear<br />
to be standardized procedures to be followed in such events as a pandemic. Even listed sectors of critical<br />
infrastructure have shown lapses; a notable example would be commercial air transport.<br />
Consider how different the health and financial impacts on our nation might have been if there had been pandemic<br />
emergency plans in place on a broad scale to deal with the cybersecurity challenges we face today.<br />
Although not well documented (at least so far), again anecdotally, there have been success stories. Accordingly,<br />
we invite CISOs and others who have been successful to share their experiences. We hope to share this important<br />
body of knowledge in both feature articles on the CDM home page and the May issue.<br />
We trust this information will be of great value to our over 5 million individual reader inquiries each month, as CDM<br />
maintains its position as the leading publication for cybersecurity professionals.<br />
Wishing you all success in your cyber security endeavors,<br />
Yan Ross<br />
US Editor-in-Chief<br />
<strong>Cyber</strong> <strong>Defense</strong> Magazine<br />
About the US Editor-in-Chief<br />
Yan Ross, J.D., is a <strong>Cyber</strong>security Journalist & US Editor-in-Chief for <strong>Cyber</strong><br />
<strong>Defense</strong> Magazine. He is an accredited author and educator and has provided<br />
editorial services for award-winning best-selling books on a variety of topics. He<br />
also serves as ICFE's Director of Special Projects, and the author of the<br />
Certified Identity Theft Risk Management Specialist ® XV CITRMS® course. As<br />
an accredited educator for over 20 years, Yan addresses risk management in the areas of identity theft, privacy,<br />
and cyber security for consumers and organizations holding sensitive personal information. You can reach him via<br />
his e-mail address at yan.ross@cyberdefensemediagroup.com<br />
Your website could be vulnerable to outside attacks. Wouldn’t you like to know where those<br />
vulnerabilities lie? Sign up today for your free trial of WhiteHat Sentinel Dynamic and gain a deep<br />
understanding of your web application vulnerabilities, how to prioritize them, and what to do about<br />
them. With this trial you will get:<br />
An evaluation of the security of one of your organization’s websites<br />
Application security guidance from security engineers in WhiteHat’s Threat Research Center<br />
Full access to Sentinel’s web-based interface, offering the ability to review and generate reports as well<br />
as share findings with internal developers and security management<br />
A customized review and complimentary final executive and technical report<br />
Click here to sign up at this URL: https://www.whitehatsec.com/info/security-check/<br />
PLEASE NOTE: Trial participation is subject to qualification.<br />
<strong>Cyber</strong>criminals Exploit Coronavirus with Wave of New<br />
Scams<br />
By David Ruiz, Malwarebytes Labs<br />
With no vaccine yet developed, and with much of the world undergoing intense social distancing<br />
measures and near-total lockdown procedures, threat actors are flooding cyberspace with emailed<br />
promises of health tips, protective diets, and, most dangerously, cures. Attached to threat actors’ emails<br />
are a variety of fraudulent e-books, informational packets, and missed invoices that hide a series of<br />
keyloggers, ransomware, and data stealers.<br />
The problem expands beyond pure phishing scams.<br />
On March 14, Twitter user @dustyfresh published a web tracker that found 3,600 coronavirus- and<br />
COVID-19-related hostnames that sprang up in just 24 hours.<br />
On March 17, security researcher and python developer @sshell_ built a tool, hosted by the team at<br />
ThugCrowd, that provides real-time scans for potentially malicious, coronavirus-related domains. Just<br />
click the link and watch possible scam sites get registered every minute.<br />
Further, RiskIQ reportedly tracked more than 13,000 suspicious, coronavirus-related domains last<br />
weekend, and more than 35,000 domains the next day, too.<br />
Here are some of the many email scams that our Malwarebytes threat intelligence team spotted in the<br />
wild, with full details on what they say, what they’re lying about, and what types of malware they’re trying<br />
to install on your machines.<br />
Impersonating the World Health Organization<br />
Earlier this week, we found an email phishing campaign sent by threat actors impersonating the World<br />
Health Organization (WHO), one of the premier scientific resources on COVID-19. That campaign, which<br />
pushed a fake e-book to victims, delivered malicious code for a downloader called GuLoader. That<br />
download is just the first step in a more complex scheme.<br />
GuLoader is used to load the real payload, an information-stealing Trojan called FormBook, stored in<br />
encoded format on Google Drive. Formbook is one of the most popular info-stealers, thanks to its<br />
simplicity and its wide range of capabilities, including swiping content from the Windows clipboard,<br />
keylogging, and stealing browser data. Stolen data is sent back to a command and control server<br />
maintained by the threat actors.<br />
Unfortunately, this GuLoader scam is just one of many in which threat actors posed as WHO<br />
professionals as a way to trick victims into downloading malicious attachments.<br />
Agent Tesla Keylogger Campaign<br />
On March 18, we uncovered an email campaign that pushed victims into unwittingly downloading an<br />
invasive keylogger called Agent Tesla. The keylogger, which experienced a reported 100 percent<br />
increase in activity across three months in 2018, can steal a variety of sensitive data.<br />
As cybersecurity researchers at LastLine wrote: “Acting as a fully-functional information stealer, [Agent<br />
Tesla] is capable of extracting credentials from different browsers, mail, and FTP clients. It logs keys and<br />
clipboards data, captures screen and video, and performs form-grabbing (Instagram, Twitter, Gmail,<br />
Facebook, etc.) attacks.”<br />
The Agent Tesla campaign that we tracked on Wednesday involved an email with the subject line:<br />
Covid19″ Latest Tips to stay Immune to Virus !!<br />
The email came to individuals’ inboxes allegedly from the WHO, with a sender email address of<br />
“sarah@who.com.” Notice that the sender’s email address ends with “.com” when legitimate WHO email<br />
addresses instead end with “.int.”<br />
The email alleges to include a PDF file about “various diets and tips to keep us safe from being effected<br />
with the virus.” It is signed by a “Dr. Sarah Hopkins,” a supposed media relations consultant for the WHO.<br />
A quick online search reveals that the WHO has a public website for contacting its media relations<br />
representatives, and that none of those representatives is named Sarah Hopkins. Also, note how “Dr.<br />
Hopkins” has a phone number that doesn’t work, at +1 470 59828. Calling the number from a US-based<br />
phone resulted in an error message from the mobile service provider.<br />
The above scam is just one example of an email campaign that both impersonates the<br />
WHO and attempts to deliver Agent Tesla.<br />
Agent Tesla Campaign 2<br />
On the same day we found the above-mentioned Agent Tesla scam, we found another that mirrored its<br />
tactics and payload.<br />
The second Agent Tesla scam arrives in individuals’ inboxes with the email subject line “World Health<br />
Organization/Let’s fight Corona Virus together”.<br />
Savvy readers should spot a flaw. The unnecessary space placed between the words “Corona” and<br />
“Virus” mirrors a similar grammatical error, an unnecessary hyphen, in the GuLoader scam we’ve seen<br />
previously.<br />
The entire body of the email reads verbatim:<br />
We realise that the spread of the COVID-19 coronavirus may leave you feeling concerned, so we<br />
want to take a moment to reassure you that your safety and well-being remains our absolutely<br />
top priority.<br />
Please be assured that our teams are working hard and we are monitoring the situation and<br />
developments closely with the health and governmental authorities of all countries we operate in.<br />
See attached WHO vital information to stay healthy.<br />
we personally thank you for your understanding and assure you that we will do our utmost to limit<br />
disruptions this event brings to your travel plans while keeping your well-being our top priority.<br />
This campaign attempts to trick victims into downloading a fake informational packet on coronavirus, with<br />
the file title “COVID-19 WHO RECOMMENDED V.gz.” Instead of receiving trustworthy information,<br />
victims are infected with Agent Tesla.<br />
While this campaign does not include as many smoke-and-mirror tactics, such as a fake media<br />
representative and a fake phone number, it can still do serious damage simply by stoking the fears<br />
surrounding COVID-19.<br />
NetWire Remote Access Trojan<br />
Finally, we found a possible WHO impersonator pushing the NetWire Remote Access Trojan (RAT).<br />
RATs can allow hackers to gain unauthorized access to a machine from a remote location.<br />
These types of Trojans can have devastating effects. If Remote Access Trojan programs are found on a<br />
system, it should be assumed that any personal information (which has been accessed on the infected<br />
machine) has been compromised. Users should immediately update all usernames and passwords from<br />
a clean computer and notify the appropriate system administrator of the potential compromise. They<br />
should also monitor credit reports and bank statements carefully over the following months to spot any<br />
suspicious activity on financial accounts.<br />
The NetWire campaign included a slapdash combo of a strange email address, an official-looking WHO<br />
logo inside the email’s body, and plenty of typos.<br />
Sent from “Dr. Stella Chungong” using the email address “brennan@caesars.com,” the email subject line<br />
is “SAFETY COVID-19 (Coronavirus Virus) AWARENESS – Safety Measures.” The body of the text<br />
reads:<br />
To whom it may concern,<br />
Go through the attac=ed document on safety measures regarding the spreading of Corona-virus.<br />
Common symptoms include fever, cough, shortness in breath, and breathi=g difficulties.<br />
Regards.<br />
Dr. Stella Chungong<br />
Specialist whuan=virus-advisory<br />
The litany of misplaced “=” characters should immediately raise red flags for potential victims. These<br />
common mistakes show up in a wide variety of malicious email campaigns, as threat actors seem to<br />
operate under the mindset of “Send first, spellcheck later.”<br />
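The tells described in the campaigns above (a From or Subject that claims the WHO while the sender domain is not who.int, stray “=” characters between letters in the body, and an archive attachment posing as a document) can be turned into mail-triage heuristics. The following Python is an added example, not Malwarebytes code; the organisation-to-domain allow-list is a hypothetical, and every message is constructed for illustration with example.com standing in for the real sender domains.<br />

```python
"""Triage heuristics for COVID-19 themed malspam, built from the indicators in
the write-up: claimed organisation vs. real sender domain, stray '=' in the
body (residue of broken quoted-printable encoding), risky attachment types.
Added example, not Malwarebytes code. All samples below are constructed."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import Parser
from email.utils import parseaddr

# Hypothetical allow-list: organisations often impersonated and the domains
# they really send from. Legitimate WHO addresses end in .int, never .com.
CLAIMED_ORG_DOMAINS = {
    "world health organization": ("who.int",),
    "who": ("who.int",),
}
# Only the From display name and Subject are inspected, to avoid matching the
# pronoun "who" in ordinary body text (a subject like "Who's next" still hits).
ORG_CLAIM = re.compile(r"\b(world health organization|who)\b", re.I)
# letter '=' letter inside prose: "attac=ed", "breathi=g", "whuan=virus"
STRAY_EQUALS = re.compile(r"[A-Za-z]=[A-Za-z]")
RISKY_ATTACHMENT = re.compile(r"\.(gz|zip|rar|7z|iso|exe|scr|js|vbs)$", re.I)


def sender_domain(from_header: str) -> str:
    """Domain part of the address in a From: header, lower-cased ('' if none)."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def claimed_org(text: str):
    """First impersonated organisation named in the From display name or Subject."""
    m = ORG_CLAIM.search(text)
    return m.group(1).lower() if m else None


def domain_matches(domain: str, allowed: tuple) -> bool:
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def triage(raw: str) -> list:
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = Parser(policy=policy.default).parsestr(raw)
    findings = []
    frm, subj = msg.get("From", ""), msg.get("Subject", "")
    org = claimed_org(f"{frm} {subj}")
    dom = sender_domain(frm)
    if org and not domain_matches(dom, CLAIMED_ORG_DOMAINS[org]):
        findings.append(f"claims '{org}' but sender domain is '{dom or 'missing'}'")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if STRAY_EQUALS.search(text):
        findings.append("stray '=' characters in body (broken quoted-printable)")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if RISKY_ATTACHMENT.search(name):
            findings.append(f"archive/executable attachment '{name}'")
    return findings


def build_sample(from_: str, subject: str, body: str, attachment: str = None) -> str:
    """Construct a raw test message (illustration only; dummy attachment bytes)."""
    msg = EmailMessage()
    msg["From"], msg["Subject"], msg["To"] = from_, subject, "victim@example.org"
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"\x00" * 16, maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_string()


# Constructed samples mirroring the campaigns described above.
AGENT_TESLA_2 = build_sample(
    '"World Health Organization" <noreply@example.com>',
    "World Health Organization/Let's fight Corona Virus together",
    "See attached WHO vital information to stay healthy.",
    "COVID-19 WHO RECOMMENDED V.gz")
NETWIRE = build_sample(
    '"Dr. Stella Chungong" <brennan@example.com>',
    "SAFETY COVID-19 (Coronavirus Virus) AWARENESS - Safety Measures",
    "Go through the attac=ed document on safety measures.\nbreathi=g difficulties.")
LEGIT = build_sample(
    '"WHO Media" <media@who.int>', "Press briefing schedule",
    "The briefing starts at 14:00 CET.")

if __name__ == "__main__":
    for label, raw in (("agent-tesla-2", AGENT_TESLA_2), ("netwire", NETWIRE),
                       ("legit", LEGIT)):
        print(label, triage(raw) or ["no findings"])
```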
Other Malspam Campaigns<br />
Most of the coronavirus scams we spotted online are examples of malspam—malicious spam email<br />
campaigns that cross the line from phony, snake-oil salesmanship into downright nefarious malware<br />
delivery. Here are a number of malspam campaigns that our threat intelligence team found since March<br />
15.<br />
First up is this strange email titled “RE: Due to outbreak ofCoronavirus,” which arrives to users’ inboxes<br />
from the vague sender “Marketing,” with an email address of “info@bcsl.co.ke.” A Google search reveals<br />
that bcsl.co.ke appears to point to Boresha Credit Service Limited, a debt collector based in Kenya.<br />
The short email reads:<br />
Hello,<br />
We have been instructed by your customer to make this transfer to you.<br />
we are unable to process your payment as the SWIFT CODE in your bank account information is<br />
wrong,<br />
please see that enclosed invoice and correct SWIFT CODE so we can remit payment ASAP<br />
before bank close.”<br />
Again, scrutinizing the details of the email reveals holes in its authenticity.<br />
The email is signed by “Rafhana Khan,” a supposed “Admin Executive” from the United Arab Emirates.<br />
The email sender includes this extra bit of info that leads us nowhere: TRN No. 100269864300003.<br />
What is a TRN, and why would it be included? At best, we can assume this is the individual’s “tax<br />
registration number,” but think about the last time anyone signed an email with the US equivalent—their<br />
tax identification number. You’ve probably never seen that before, right? That’s because tax IDs are<br />
meant to be private, and not shared in email signatures. We can assume that the threat actors included<br />
this bogus bit of info to add some imaginary credibility. Really, it’s just nonsense.<br />
The email’s attached invoice, once again, pushes GuLoader to the potential victim.<br />
HawkEye credential stealer<br />
Another spotted malspam example pushes neither GuLoader nor Agent Tesla. Instead, it tries to trick<br />
users into downloading malware called HawkEye, a credential stealer that has plagued users since at<br />
least 2013.<br />
According to the cybersecurity news outlet Security Affairs, HawkEye “is offered for sale on various<br />
hacking forums as a keylogger and stealer, [and] it allows to monitor systems and exfiltrate information.”<br />
The HawkEye scam comes packaged in an email with the subject line “CORONA VIRUS CURE FOR<br />
CHINA,ITALY” from the alleged sender “DR JINS (CORONA VIRUS).” Again, potential victims receive a<br />
short message. The entire email body reads:<br />
Dear Sir/Ma,<br />
Kindly read the attached file for your quick remedy on CORONA VIRUS.<br />
The email sender lists their place of work as the non-existent, misspelled RESEARCH HOSPITAL<br />
ISREAL at the address NO 29 JERUSALEM STREET, P.O.C 80067, ISREAL.<br />
UK email scam pushing GuLoader<br />
On March 15, we also found an email scam targeting victims in the UK and pushing, yet again, GuLoader.<br />
This time, threat actors promised updated statistics on the number of confirmed coronavirus cases in the<br />
United Kingdom.<br />
The malicious email comes from the sender “PHE” with the email address paris@mfa.go.ke, which, like<br />
one of the examples above, appears to come from Kenya.<br />
Because threat actors rely on one overplayed tactic in these types of campaigns—putting in low effort—<br />
the content of the email is simple and short. The email reads:<br />
Latest figures from public health authorities on the spread of Covid-19 in the United Kingdom.<br />
Find out how many cases have been reported near you.<br />
There is no email signature, and not even a greeting. Talk about a lack of email etiquette.<br />
Campaign Targeting Spain<br />
Finally, we found another campaign on March 18 that targets Spanish-speaking victims in Spain. The<br />
email, titled “Vacuna COVID-19: prepare la vacuna en casa para usted y su familia para evitar COVID-<br />
19,” pushes GuLoader.<br />
The email is signed by “Adriana Erico,” who offers no phone number, but does offer a fax number at 93<br />
784 50 17.<br />
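The red flags picked apart in the campaigns above (a role-style sender name on an unrelated domain, the crisis lure, pressure to fix a payment, a loader-bearing attachment, no greeting at all) can be checked mechanically at the mail gateway. The following Python is an added example and is not code from the article or from Malwarebytes; the sample messages are constructed for it from the sender names, addresses and body text quoted above, while the subject line of the UK sample and the attachment name invoice.rar are placeholders.<br />

```python
"""Header-based triage of the malspam traits described in the article.

Added example, not code from the article or from Malwarebytes. The sample
messages are constructed from the sender names, addresses and body text the
article quotes; the UK subject line and the attachment name are placeholders.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Lure and pressure vocabulary seen in the campaigns the article describes.
THEME_WORDS = ("coronavirus", "corona virus", "covid", "vacuna")
URGENCY_WORDS = ("asap", "urgent", "immediately", "before bank close", "swift code")
# Container and script extensions frequently used to deliver downloaders.
RISKY_EXT = (".exe", ".scr", ".iso", ".img", ".rar", ".zip", ".ace", ".js", ".vbs")
GREETING_RE = re.compile(r"^(hello|hi|dear|good (morning|afternoon|evening))\b", re.I)


def triage(raw: str) -> dict:
    """Return sender domain, a list of red flags and a score for one RFC 822 message."""
    msg = message_from_string(raw, policy=default)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    haystack = (msg.get("Subject", "") + "\n" + body).lower()
    flags = []

    # 1. A one-word, organisation-style display name ("Marketing", "PHE") that the
    #    sender domain does not reflect. Weak alone, telling in combination.
    label = domain.split(".")[0]
    if display and " " not in display.strip() and label and label not in display.lower():
        flags.append("sender_name_domain_mismatch")
    # 2. The current crisis used as the lure.
    if any(w in haystack for w in THEME_WORDS):
        flags.append("crisis_theme")
    # 3. Pressure to act now (payment, bank details, deadline).
    if any(w in haystack for w in URGENCY_WORDS):
        flags.append("urgency")
    # 4. Attachments whose type is typical for loader delivery.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXT):
            flags.append("risky_attachment:" + name)
    # 5. No greeting at all, as in the UK sample.
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if lines and not GREETING_RE.match(lines[0]):
        flags.append("no_greeting")
    return {"from": addr, "domain": domain, "flags": flags, "score": len(flags)}


# Constructed from the first campaign (sender, subject and body as quoted in the
# article); the attachment name and its content are placeholders.
SAMPLE_INVOICE = """\
From: Marketing <info@bcsl.co.ke>
To: recipient@example.com
Subject: RE: Due to outbreak ofCoronavirus
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="us-ascii"

Hello,
We have been instructed by your customer to make this transfer to you.
we are unable to process your payment as the SWIFT CODE in your bank account information is wrong,
please see that enclosed invoice and correct SWIFT CODE so we can remit payment ASAP before bank close.
Rafhana Khan, Admin Executive
--sep
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.rar"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--sep--
"""

# Constructed from the UK campaign: sender and body as quoted, subject is a placeholder.
SAMPLE_UK = """\
From: PHE <paris@mfa.go.ke>
To: recipient@example.com
Subject: Covid-19 cases in the United Kingdom
Content-Type: text/plain; charset="us-ascii"

Latest figures from public health authorities on the spread of Covid-19 in the United Kingdom.
Find out how many cases have been reported near you.
"""

# Constructed benign control message.
SAMPLE_BENIGN = """\
From: Alice Smith <alice@example.com>
To: bob@example.com
Subject: Lunch tomorrow?
Content-Type: text/plain; charset="us-ascii"

Hi Bob,
Are you free for lunch tomorrow at noon?
Alice
"""

if __name__ == "__main__":
    for raw in (SAMPLE_INVOICE, SAMPLE_UK, SAMPLE_BENIGN):
        print(triage(raw))
```

The display-name check deliberately looks only at one-word, organisation-style names; a personal display name that differs from the mailbox is normal and is left to other controls. The score is a triage aid for the analyst queue, not a verdict.<br />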
Protect Yourself<br />
Threat actors are always looking for the next crisis to leverage for their own attacks. For them,<br />
coronavirus presents a near-perfect storm. Legitimate confusion about accurate confirmed cases, testing<br />
availability, and best practices during social distancing makes for a fearful public, hungry for answers<br />
anywhere.<br />
The best places for information are the WHO and the US Centers for Disease Control and Prevention<br />
(CDC). You can find updated statistics about confirmed COVID-19 cases from the WHO’s daily, situation<br />
reports here. You can also find information on coronavirus myths at the WHO’s Myth Busters webpage,<br />
along with its Q&A page.<br />
This is difficult, this is new, and for many of us, it presents a life-altering shift. It’s important to consider<br />
that, right now, banding together as a global community is our best shot at beating this. That advice<br />
extends to the online world, too.<br />
While coronavirus might have brought out the worst in cybercriminals, it’s also bringing out the best<br />
across the Internet. This week, a supposed “Covid19 Tracker App” infected countless users’ phones with<br />
ransomware, demanding victims pay $100 to unlock their devices or risk a complete deletion of their<br />
contacts, videos, and pictures. After news about the ransomware was posted on Reddit, a user<br />
decompiled the malicious app and posted the universal passcode to defeat the ransomware. The<br />
passcode was then shared on Twitter for everyone to use.<br />
About the Author<br />
David Ruiz is a writer and reporter for Malwarebytes Labs, an online blog<br />
about cybersecurity, online privacy, hackers, data breaches, and digital<br />
rights. David primarily covers online and data privacy issues, along<br />
with US and global regulation. David can be found on Twitter<br />
@davidalruiz and at https://blog.malwarebytes.com/author/davidruiz/<br />
WatchGuard’s RSA Conference 2020 Recap<br />
By Marc Laliberte – Sr. Security Analyst, WatchGuard Technologies<br />
Every year, tens of thousands of IT and information security professionals gather at Moscone Center in<br />
downtown San Francisco to take in the latest security trends and technology from hundreds of exhibitors<br />
and speakers at RSA Conference. In just a few short days, it’s almost impossible to see and learn<br />
everything a conference of this magnitude has to offer, but I did my very best.<br />
Here’s a brief recap of several key happenings, trends and takeaways from my time at RSA Conference<br />
2020:<br />
COVID-19 Concerns Were Front and Center<br />
Taking place amid the growing global unease over the spread of COVID-19, the show went on as planned<br />
despite the fact that big industry names like IBM, AT&T and Verizon pulled out of the conference and<br />
banned their employees from attending entirely. With the specter of a global pandemic hanging overhead,<br />
many attendees practiced heightened, borderline obsessive personal hygiene and settled for distanced<br />
hand waves in lieu of handshakes as we walked the expo floor and attended various sessions discussing<br />
the latest security trends, threats, technologies and best practices. It’s still early, but very clear at this<br />
point that we’re only just beginning to get a sense of how this outbreak will impact the security industry<br />
itself and world at large.<br />
A Focus on The Human Element in Security<br />
This year’s theme was “The Human Element,” a fitting premise given that individuals play just as<br />
important a role in securing the digital world (or failing to) as any emerging technology, vendor product<br />
or service, or new research finding. The RSA Conference opening keynote addresses played to the<br />
theme by calling for changes to better harness the strengths and potential of the human behind the<br />
computer.<br />
RSA President Rohit Ghai advocated that a shift toward publicly celebrating cybersecurity wins, instead<br />
of only focusing on cybersecurity losses or failures, will help inspire security professionals and move the<br />
industry forward. Wendy Nather, head of advisory CISOs at Cisco’s DUO Security, followed up with calls<br />
to democratize security with the goal of enabling buy-in and personal ownership of security from end<br />
users. Almost everywhere you went at RSA Conference this year, the human element of security was a<br />
topic of discussion.<br />
The Cryptographers’ Panel<br />
Rounding out the opening keynotes was a staple of RSA Conference – the Cryptographers’ Panel, where<br />
several prominent cryptography and security experts took the stage to answer questions about a wide<br />
range of industry topics. They covered problems with facial recognition, increasingly popular “right to be<br />
forgotten” laws and much more. The panelists didn’t always come to the same conclusions, but all agreed<br />
that there are realistic concerns with advanced technology like AI and Machine Learning that will need to<br />
be resolved before these tools become more widely adopted.<br />
IoT Security Insights<br />
Beyond the human element, Internet of Things (IoT) security was a major trend across speaking sessions<br />
throughout the week. From securing healthcare IoT products to creating baseline IoT security standards,<br />
adoption and security concerns continue to grow worldwide in this slice of the industry. In one talk late in<br />
the week, Gary Hayslip of SoftBank Investment Advisers used his previous experience as CISO of the<br />
city of San Diego to discuss the concerns of deploying IoT and other technologies in smart cities, covering<br />
topics like increased complexity, patch deployment issues and limited security budgets leading to the rise<br />
in breaches impacting municipalities in recent years.<br />
Privacy Considerations<br />
Privacy was another major focus at RSA Conference 2020. I saw Daniel Ayoub and Dean Winert of<br />
Lexis Nexis Risk Solutions present fascinating research on web browser fingerprinting and its privacy<br />
and security implications. They started and ended their session by weighing the benefits of browser<br />
fingerprinting in fraud prevention against the drawbacks (which I personally found enlightening as digital<br />
privacy has always been a passion of mine). Daniel and Dean made several good points about the<br />
benefits of identifying anomalies in metadata from user authentications to detect potential account<br />
compromises, which lends some credit to keeping this privacy-invading information available to websites.<br />
When all was said and done, this year’s RSA Conference squeaked through right before San Francisco<br />
enacted a ban on events at city-owned facilities like the Moscone Center. Even though the event was<br />
overshadowed at times by concerns about the spread of COVID-19, the content and takeaways from it<br />
were compelling and quite important for industry participants to consider in today’s threat landscape. IoT<br />
adoption continues to skyrocket, bringing with it increasing security risks for organizations. The tradeoffs<br />
between privacy and security are still very much open to discussion and debate. And of course, the<br />
humans responsible for addressing these challenges and improving our collective security aren’t going<br />
anywhere.<br />
About the Author<br />
Marc Laliberte is a Senior Security Analyst at WatchGuard Technologies.<br />
Specializing in networking security protocols and Internet of Things<br />
technologies, Marc’s day-to-day responsibilities include researching and<br />
reporting on the latest information security threats and trends. He has<br />
discovered, analyzed, responsibly disclosed and reported on numerous<br />
security vulnerabilities in a variety of Internet of Things devices since<br />
joining the WatchGuard team in 2012. With speaking appearances at<br />
industry events including RSA and regular contributions to online IT,<br />
technology and security publications, Marc is a thought leader who<br />
provides insightful security guidance to all levels of IT personnel.<br />
Marc can be reached online at @XORRO or via http://www.watchguard.com.<br />
Cyber Leads Global Business Risks for First Time: Allianz<br />
Risk Barometer 2020<br />
By Kelly Castriotta, North American Head of Product Development for Financial Lines at Allianz Global<br />
Corporate & Specialty<br />
For the first time ever, cyber incidents (39% of responses) rank as the most important business risk<br />
globally in the ninth Allianz Risk Barometer 2020, relegating the perennial top peril, Business Interruption (BI)<br />
(37% of responses), to second place. Awareness of cyber threats has grown rapidly in recent years, driven<br />
by companies’ increasing reliance on data and IT systems and a number of high-profile incidents. Seven<br />
years ago, cyber ranked 15th with just 6% of responses.<br />
The annual survey on global business risks from Allianz Global Corporate & Specialty (AGCS)<br />
incorporates the views of a record 2,718 experts in over 100 countries, including CEOs, risk managers,<br />
brokers and insurance experts.<br />
Here are some of the reasons why cyber has overtaken the top spot and is likely to remain a leading<br />
business risk for the foreseeable future.<br />
Data breaches larger and more expensive<br />
As companies collect and use ever greater volumes of personal data, data breaches are becoming larger<br />
and costlier. In particular, so-called mega data breaches (involving more than one million records) are<br />
more frequent and expensive. In July 2019, Capital One revealed it had been hit by one of the largest<br />
ever breaches in the banking sector with approximately 100 million customers impacted. Yet this breach<br />
is by no means the largest in recent years.<br />
Data breaches at hotel group Marriott in 2018 and credit score agency Equifax in 2017 were reported to<br />
have involved the personal data of over 300 million and 140 million customers respectively. Both<br />
companies faced numerous lawsuits and regulatory actions in multiple jurisdictions – the UK’s data<br />
protection regulator intends to fine Marriott $130mn for the breach, among the earliest and largest fines<br />
under the EU’s new privacy laws to date.<br />
The General Data Protection Regulation (GDPR) rules that came into force across Europe in 2018 will<br />
likely bring further fines in 2020. The European Data Protection Board (EDPB) released a preliminary<br />
report stating that of the 206,326 cases reported under the GDPR across 31 countries in the first nine<br />
months of its implementation, the national data protection agencies had only resolved around 50% of<br />
them.<br />
A mega breach now costs an average of $42mn, according to the Ponemon Institute, an increase of<br />
nearly 8% over 2018. For breaches in excess of 50 million records, the cost is estimated to be $388mn<br />
(11% higher than in 2018).<br />
Ransomware brings increasing losses<br />
According to the EU’s law enforcement agency, Europol, ransomware is the most prominent cyber crime<br />
threat.<br />
Already high in frequency, incidents are becoming more damaging, increasingly targeting large<br />
companies with sophisticated attacks and hefty extortion demands. Five years ago, a typical ransomware<br />
demand would have been in the tens of thousands of dollars. Now they can be in the millions. The<br />
consequences of an attack can be crippling, especially for organizations that rely on data to provide<br />
products and services.<br />
Extortion demands are just one part of the picture. Business interruption brings the most severe losses<br />
from ransomware attacks, and in some cases ransomware is a smoke screen for the real target, such as<br />
the theft of personal data. Industrial and manufacturing firms are increasingly targeted but losses tend to<br />
be highest for law firms, consultants and architects, for which IT systems and data are their lifeblood.<br />
BEC attacks result in billion-dollar fraud<br />
Business email compromise (BEC) – or spoofing – attacks are increasing in frequency. BEC incidents have<br />
resulted in worldwide losses of at least $26bn since 2016 according to the FBI in the US.<br />
Such attacks typically involve social engineering and phishing emails to dupe employees or senior<br />
management into revealing login credentials or to make fraudulent transactions.<br />
Litigation prospects rising<br />
Many large data breaches today spark regulatory actions, but they can also trigger litigation from affected<br />
consumers, business partners and investors. When they do, legal expenses can add substantially to the<br />
cost.<br />
Data breach litigation in the US is a developing situation. A number of large breaches have triggered<br />
class actions by consumers or investors. Outside the US, a number of countries have expanded group<br />
action litigation rights. For example, in Europe, the GDPR makes it easier for victims of a data or privacy<br />
breach to seek legal redress.<br />
In addition, claimant law firms and litigation funders are actively looking to bring class actions for data<br />
breaches in Europe and elsewhere – a class action against British Airways following its 2018 data breach<br />
was recently given the go-ahead in the UK courts. Consumer groups are also looking to test the GDPR<br />
and challenge some organizations’ interpretation of the new law.<br />
M&A can bring cyber issues<br />
Cyber exposures have emerged as a hot topic in mergers and acquisitions (M&A) following some large data<br />
breaches. For example, the 2018 Marriott breach was traced to an intrusion in 2014 at Starwood, a hotel<br />
group it acquired in 2016.<br />
Even the best protected companies will be exposed if they acquire a company with weak cyber security<br />
or existing vulnerabilities. The acquiring firm could be liable for any damage from incidents which predate<br />
the merger.<br />
Ultimately, considering potential cyber vulnerabilities and exposures needs to become a higher priority<br />
for businesses during M&A, as many companies are not doing enough due diligence in this area. At the<br />
same time, once a deal has been completed many companies do not address any weaknesses in<br />
acquired systems quickly enough.<br />
Political factors play out in cyber space<br />
The involvement of nation states in cyber-attacks is an increasing risk for companies, which are being<br />
targeted for intellectual property or by groups intent on causing disruption or physical damage. For<br />
example, growing tensions in the Middle East have seen international shipping targeted by spoofing<br />
attacks in the Persian Gulf while oil and gas installations have been hit by cyber-attacks and ransomware<br />
campaigns.<br />
Sophisticated attack techniques and malware may also be filtering down to cyber criminals while nation<br />
state involvement is providing increased funding to hackers. Even where companies are not directly<br />
targeted, state-backed cyber-attacks can cause collateral damage. In 2017 the NotPetya malware attack<br />
primarily targeted Ukraine but quickly spread around the world.<br />
Risk mitigation<br />
Preparation and training are the most effective forms of mitigation and can significantly reduce the<br />
likelihood or consequences of a cyber event. Many incidents are the result of human error, which can be<br />
mitigated by training, especially in areas like phishing and business email compromise, which are among<br />
the most common forms of cyber-attack.<br />
Training could also help mitigate ransomware attacks, although maintaining secure backups can also<br />
limit the damage from such incidents. Business resilience and business continuity planning are also key<br />
to reducing the impact of a cyber incident, although response plans need to be tested, practiced and<br />
regularly reviewed.<br />
More information on the Allianz Risk Barometer 2020 is available here:<br />
• Top 10 global business risks<br />
• Full report<br />
• Individual country and industry sector results<br />
About the Author<br />
Kelly B. Castriotta is the Regional Head of Product Development in<br />
North America for Financial Lines at Allianz Global Corporate & Specialty.<br />
Ms. Castriotta develops new products for all Financial Lines in North<br />
America, including cyber, directors and officers liability and all<br />
professional liability offerings. Most recently, Ms. Castriotta led the<br />
company’s initiative to address non-affirmative cyber across nearly 100<br />
discrete product lines.<br />
She can be reached online at https://www.agcs.allianz.com/<br />
Facebook’s $550 Million Settlement: A Warning to<br />
Companies Collecting Biometric Data<br />
Facebook’s significant settlement could incite future class action lawsuits, further emphasizing the need<br />
for companies to comply with biometric privacy laws.<br />
By Billee Elliott McAuliffe, Member, Lewis Rice<br />
Thanks to a class action suit filed against Facebook under the Illinois Biometric Information Privacy Act<br />
(BIPA), Facebook users in Illinois may receive part of a $550 million settlement. The settlement<br />
compensates users for Facebook’s utilization of facial recognition technology known as “tagging” without<br />
the user’s consent. If approved by the California district court, this settlement could spur others to bring<br />
similar lawsuits, putting businesses throughout the country at risk.<br />
So, what are biometrics and biometric privacy? Biometrics is the measurement and analysis of unique<br />
physical or behavioral characteristics, such as fingerprints or voice patterns, especially as a means of<br />
verifying personal identity. Hence, biometric privacy is an individual’s right to keep his or her biometric<br />
information private and to control how that information is collected and used by third parties.<br />
Biometric privacy laws, including BIPA, are like many new privacy laws that have been promulgated over the<br />
last few years. All are informed consent laws, which generally require third parties gathering biometric<br />
data, including fingerprints, facial scans, retina scans, DNA, gait analysis or voice recordings, to provide<br />
notice of their collection and use, the reason for the use, and how the data will be destroyed. Additionally,<br />
third parties must obtain permission from individuals to use their biometric information. Failure to provide<br />
both notice and control could result in liability for the data collector and users.<br />
In Rosenbach v. Six Flags Entertainment Corp., the Illinois Supreme Court ruled the mere failure to<br />
comply with statutory requirements of BIPA by any entity that collects, maintains, stores or transfers<br />
biometric data is enough injury to allow the affected consumers to sue for damages and injunctive relief.<br />
This means no data breach, wrongful disclosure or actual injury to the consumer is required for a business<br />
to be subject to civil liability under BIPA.<br />
To avoid potential liability, all businesses handling information subject to BIPA should review their<br />
policies, procedures and methods for collecting, using, storing and protecting biometric data.<br />
And it is not just Illinois companies that need to comply. In Patel v. Facebook, the case resulting in the<br />
$550 million settlement, Facebook argued that if any BIPA violations did occur, they did not primarily<br />
occur in Illinois, as Facebook’s servers are located in California. However, the California federal district<br />
court hearing the case disagreed, suggesting that a consumer’s mere use of Facebook in the State of<br />
Illinois was enough to make BIPA applicable. This extraterritorial holding in Patel, along<br />
with Rosenbach’s ruling that statutory non-compliance is sufficient injury to bring suit, means all entities<br />
must be aware of these laws and the restrictions on the use of biometrics.<br />
In order to ensure compliance with BIPA, every business should audit its operations to understand if it<br />
collects or uses any biometric data through systems such as time clocks that require fingerprints, security<br />
access systems utilizing palm prints or facial recognition, or even surveys gathering biometric data for a<br />
wellness program. If your business does collect or use biometric information, then it must determine<br />
whether it is protected under any biometric privacy law.<br />
While Illinois’ BIPA was the first and remains the most robust, Texas and Washington also have specific<br />
biometric privacy statutes. Additionally, many states include biometric information within their data breach<br />
notifications and other privacy and employee protection statutes. Certain biometric data is also protected<br />
under the federal Health Insurance Portability and Accountability Act (HIPAA), the Genetic Information<br />
Nondiscrimination Act (GINA) and the Fair Credit Reporting Act (FCRA), which imposes requirements<br />
and restrictions on employers conducting background checks.<br />
Unfortunately, as with many other privacy laws, the types of biometrics that are protected and the<br />
requirements that must be implemented are different under each law. Therefore, understanding what is<br />
protected and the steps that must be taken to ensure full compliance may require a consultation with<br />
legal counsel.<br />
After the business has determined what laws apply and the requirements of those laws, it will need to<br />
review and appropriately revise its policies, procedures, and methods of collecting, using, storing and<br />
protecting biometric information. Generally, revisions include giving notice to individuals, obtaining their<br />
consent for the collection and use of their data, and including documented retention schedules and<br />
guidelines for the destruction of the information.<br />
The Facebook settlement shows that failure to comply with biometric privacy laws can result in substantial<br />
liability for companies. Under Illinois’ BIPA, individuals can receive more than $1,000 for negligent<br />
violations or $5,000 for intentional violations. Under Texas’ Capture or Use of Biometric Identifier Act<br />
(CUBI), violations could result in civil penalties of up to $25,000 per violation. In Washington, the attorney<br />
general has the right to seek up to $500,000.<br />
Because these lawsuits can be quite costly, businesses must review the information they collect and<br />
determine if any actions need to be taken to comply with biometric privacy laws. If they don’t, they may<br />
get “tagged” like Facebook.<br />
About the Author<br />
Billee Elliott McAuliffe is a member of Lewis Rice practicing in the firm’s<br />
corporate department. Although she focuses on information technology,<br />
Billee also has extensive experience in corporate law, including<br />
technology licensing, cybersecurity and data privacy, and mergers and<br />
acquisitions. She is a member of the American Bar Association and the<br />
Bar Association of Metropolitan St. Louis. Billee can be reached online at<br />
bmcauliffe@lewisrice.com and at https://www.lewisrice.com/.<br />
How to Avoid Being Breached In 2020<br />
By Randy Reiter, CEO of Don’t Be Breached<br />
Recent Data Breaches Disclosed in 2020<br />
In February 2020, the United States Department of Defense (DOD) disclosed a data breach that occurred<br />
at its IT and telecom agency, the Defense Information Systems Agency (DISA). DISA provides the IT and<br />
telecommunications support for the White House, diplomats and military troops. The breach exposed<br />
Personally Identifiable Information (PII) of its employees between May and July 2019. DISA has about<br />
8,000 civilian and military employees. The employee personal information breached is believed to include<br />
social security numbers.<br />
Other major 2020 data breaches include:<br />
• January 2020. Wawa, which has 850 US convenience stores, reported that hackers put up the<br />
payment card details of more than 30 million Wawa customers for sale on Joker’s Stash, a Dark Web<br />
market where cyber criminals buy and sell payment card data.<br />
• January 2020. 250 million Microsoft "Customer Service and Support" (CSS) records were<br />
exposed online. The leaked database contained data on customers including their email<br />
addresses, IP addresses, locations, case numbers and internal notes marked confidential.<br />
Hackers potentially could try to trick users into paying for support solutions by impersonating<br />
Microsoft support representatives.<br />
• March 2020. UK telecommunications provider Virgin Media reported that the personal<br />
information of 900,000 customers was exposed in a data breach. Customer names, home<br />
addresses, email addresses, phone numbers and dates of birth were leaked.<br />
• March 2020. US telecom giant T-Mobile suffered another data breach. Hackers gained<br />
unauthorized access to sensitive information on customers and employees.<br />
How to Protect Confidential Database Data from Insider Threats and Hackers?<br />
Confidential database data includes: credit card, tax ID, medical, social media, corporate, manufacturing,<br />
law enforcement, defense, homeland security and public utility data. This data is almost always stored in<br />
Cassandra, DB2, Informix, MongoDB, MariaDB, MySQL, Oracle, PostgreSQL, SAP Hana, SQL Server<br />
and Sybase databases. Once inside the security perimeter a Hacker or Rogue Insider can use commonly<br />
installed database utilities to steal confidential database data.<br />
Non-intrusive network sniffing can capture and analyze the normal database query and SQL activity from<br />
a network tap or proxy server with no impact on the database server. This SQL activity is very predictable.<br />
Database servers servicing 10,000 end-users typically process 2,000 to 10,000 unique queries or<br />
SQL commands, which run millions of times a day.<br />
Advanced SQL Behavioral Analysis of Database Query and SQL Activity<br />
Advanced SQL Behavioral Analysis of the database SQL activity can learn what the normal database<br />
activity is. Then, from a network tap or proxy server, the database query and SQL activity can be non-intrusively<br />
monitored in real time and non-normal SQL activity immediately identified. Non-normal SQL<br />
activity from Hackers or Rogue Insiders can be detected in a few milliseconds. The Hacker or Rogue<br />
Insider database session can be immediately terminated and the Security Team notified so that<br />
confidential database data is not stolen.<br />
Advanced SQL Behavioral Analysis of the query activity can go even further and learn the maximum<br />
amount of data queried, plus the IP addresses all queries were submitted from, for each of the 2,000 to<br />
10,000 unique SQL queries sent to a database. This type of data protection can detect never-before-<br />
observed query activity, queries sent from a never-observed IP address, and queries sending more data<br />
to an IP address than the query has ever sent before. This allows real-time detection of Hackers and<br />
Rogue Insiders attempting to steal confidential web site database data. Once detected, the security team<br />
can be notified within a few milliseconds so that a data breach is prevented.<br />
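The learning and monitoring phases described above, as an added illustrative example (not Sql Power Tools' product code or the author's): a per-query baseline of maximum rows returned and submitting IP addresses. The tap event format, field names and sample traffic are all assumptions constructed for the example.

```python
"""Added example of the SQL behavioral baseline the article describes.
Illustrative code, not Sql Power Tools' or the author's product.
Assumptions (not from the article): each tap/proxy event is a dict with
src_ip, sql and rows; rows returned stands in for 'amount of data queried'."""
import re
from dataclasses import dataclass, field


@dataclass
class QueryProfile:
    """What the baseline learns for one unique query template."""
    max_rows: int = 0                              # most data this query has ever returned
    source_ips: set = field(default_factory=set)   # every address it has been submitted from


def normalize_sql(sql: str) -> str:
    """Collapse a statement to its template so 'WHERE id = 7' and 'WHERE id = 9'
    count as the same unique query (the 2,000 to 10,000 templates the article cites)."""
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)        # quoted string literals -> ?
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)        # numeric literals -> ?
    return re.sub(r"\s+", " ", s).strip().lower()


class SqlBehaviorBaseline:
    def __init__(self) -> None:
        self.profiles: dict[str, QueryProfile] = {}

    def learn(self, events) -> None:
        """Learning phase: record max rows and source IPs per query template."""
        for ev in events:
            p = self.profiles.setdefault(normalize_sql(ev["sql"]), QueryProfile())
            p.max_rows = max(p.max_rows, ev["rows"])
            p.source_ips.add(ev["src_ip"])

    def evaluate(self, ev) -> list[str]:
        """Monitoring phase: return the reasons an event is non-normal (empty list = normal).
        A non-empty list is what would drive session termination and the SOC alert."""
        p = self.profiles.get(normalize_sql(ev["sql"]))
        if p is None:
            return ["never-observed query"]
        reasons = []
        if ev["src_ip"] not in p.source_ips:
            reasons.append(f"query from never-observed ip {ev['src_ip']}")
        if ev["rows"] > p.max_rows:
            reasons.append(f"{ev['rows']} rows exceeds baseline max {p.max_rows}")
        return reasons


# Constructed sample of normal traffic as seen from a tap (not real data).
BASELINE_EVENTS = [
    {"src_ip": "10.0.1.5", "sql": "SELECT name, ssn FROM employees WHERE id = 17", "rows": 1},
    {"src_ip": "10.0.1.5", "sql": "SELECT name, ssn FROM employees WHERE id = 2048", "rows": 1},
    {"src_ip": "10.0.1.6", "sql": "SELECT name, ssn FROM employees WHERE id = 9", "rows": 1},
    {"src_ip": "10.0.1.5", "sql": "SELECT id, total FROM orders WHERE customer_id = 42", "rows": 12},
    {"src_ip": "10.0.1.6", "sql": "SELECT id, total FROM orders WHERE customer_id = 7", "rows": 20},
]


def build_baseline() -> SqlBehaviorBaseline:
    baseline = SqlBehaviorBaseline()
    baseline.learn(BASELINE_EVENTS)
    return baseline


def run_demo() -> dict[str, list[str]]:
    """Evaluate three constructed live events against the learned baseline."""
    baseline = build_baseline()
    live = {
        "normal": {"src_ip": "10.0.1.6", "sql": "SELECT name, ssn FROM employees WHERE id = 55", "rows": 1},
        "new_ip_and_volume": {"src_ip": "10.0.9.77", "sql": "SELECT id, total FROM orders WHERE customer_id = 42", "rows": 8000},
        "never_seen": {"src_ip": "10.0.1.5", "sql": "SELECT * FROM employees", "rows": 8000},
    }
    return {name: baseline.evaluate(ev) for name, ev in live.items()}


if __name__ == "__main__":
    for name, reasons in run_demo().items():
        print(f"{name}: {'normal' if not reasons else '; '.join(reasons)}")
```

In production the learning window would be long enough to cover month-end batch jobs, since a query that legitimately returns more rows once a month would otherwise trip the volume check.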
About the Author<br />
Randy Reiter is the CEO of Don’t Be Breached, a Sql Power Tools<br />
company. He is the architect of the Database <strong>Cyber</strong> Security Guard<br />
product, a database data breach prevention product for Informix,<br />
MariaDB, Microsoft SQL Server, MySQL, Oracle and Sybase databases.<br />
He has a Master’s Degree in Computer Science and has worked<br />
extensively over the past 25 years with real-time network sniffing and<br />
database security. Randy can be reached online at<br />
rreiter@DontBeBreached.com, www.DontBeBreached.com and www.SqlPower.com/<strong>Cyber</strong>-Attacks.<br />
What You Need to Know About DDoS Weapons Today<br />
By Ahmad Nassiri, Security Solutions Architect at A10 Networks<br />
A DDoS attack can bring down almost any website or online service. The premise is simple: using an<br />
infected botnet to target and overwhelm vulnerable servers with massive traffic. Twenty years after its<br />
introduction, DDoS remains as effective as ever—and continues to grow in frequency, intensity, and<br />
sophistication. That makes DDoS defense a top cybersecurity priority for every organization. The first<br />
step: understanding the threat you face.<br />
To help organizations take a proactive approach to DDoS defense, A10 Networks recently published a<br />
report on the current DDoS landscape, including the weapons being used, the locations where attacks<br />
are being launched, the services being exploited, and the methods hackers are using to maximize the<br />
damage they inflict. Based on nearly six million weapons tracked by A10 Networks in Q4 2019, the study<br />
provides timely, in-depth threat intelligence to inform your defense strategy.<br />
Here are a few of our key findings.<br />
Reflected Amplification Takes DDoS to the Next Level<br />
The SNMP and SSDP protocols have long been top sources for DDoS attacks, and this trend continued<br />
in Q4 2019, with nearly 1.4 million SNMP weapons and nearly 1.2 million SSDP weapons tracked. But in<br />
an alarming development, WS-Discovery attacks have risen sharply, to nearly 800,000, to become the<br />
third most common source of DDoS. The shift is due in part to the growing popularity of attacks using<br />
misconfigured IoT devices to amplify an attack.<br />
In this key innovation, known as reflected amplification, hackers are turning their attention to the<br />
exploding number of internet-exposed IoT devices running the WS-Discovery protocol. Designed to<br />
support a broad variety of IoT use cases, WS-Discovery is a multicast, UDP-based communications<br />
protocol used to automatically discover web-connected services. Critically, WS-Discovery does not<br />
perform IP source validation, making it a simple matter for attackers to spoof the victim’s IP address, at<br />
which point the victim will be deluged with data from nearby IoT devices.<br />
With over 800,000 WS-Discovery hosts available for exploitation, reflected amplification has proven highly<br />
effective—with observed amplification of up to 95x. Reflected amplification attacks have reached record-setting<br />
scale, such as the 1.3 Tbps Memcached-based GitHub attack, and account for the majority of<br />
DDoS attacks. They’re also highly challenging to defend against; only 46 percent of attacks respond on port 3702<br />
as expected, while 54 percent respond over high ports. Most of the discovered inventory to date has<br />
been found in Vietnam, Brazil, the United States, the Republic of Korea, and China.<br />
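An added defensive example, not code from A10 Networks or the report: classifying flow records to spot a host on the monitored network receiving WS-Discovery reflection traffic, including responders that answer from high ports rather than 3702. The flow-record fields, the address ranges and the sample flows are constructed assumptions.

```python
"""Added example (not A10 Networks' code): flag hosts on a monitored network that are
receiving WS-Discovery reflected amplification traffic, using flow records.
Assumptions not in the article: flow records are dicts with src_ip, src_port, dst_ip,
dst_port, proto and bytes; 203.0.113.0/24 is the monitored network and 198.51.100.0/24
holds the reflectors (both constructed, RFC 5737 documentation ranges)."""
import ipaddress
from collections import defaultdict

WSD_PORT = 3702  # WS-Discovery listens on UDP 3702; the article notes only ~46% of
                 # reflectors answer from it, the rest answer from high ephemeral ports.


def udp_reflection_report(flows, monitored="203.0.113.0/24", min_sources=3):
    """Group unsolicited inbound UDP by destination host. A host is flagged when at
    least min_sources distinct remote hosts send it traffic it never asked for and at
    least one of them answers from 3702 (the WS-Discovery signature)."""
    net = ipaddress.ip_network(monitored)

    def inside(ip):
        return ipaddress.ip_address(ip) in net

    # Anything a monitored host itself sent: (local, remote, remote_port). Replies that
    # match one of these are solicited (normal DNS/NTP answers etc.), not reflections.
    solicited = {(f["src_ip"], f["dst_ip"], f["dst_port"])
                 for f in flows if f["proto"] == "udp" and inside(f["src_ip"])}

    stats = defaultdict(lambda: {"sources": set(), "on_3702": set(), "bytes": 0})
    for f in flows:
        if f["proto"] != "udp" or not inside(f["dst_ip"]):
            continue
        if (f["dst_ip"], f["src_ip"], f["src_port"]) in solicited:
            continue  # a reply to a request the host really made
        s = stats[f["dst_ip"]]
        s["sources"].add(f["src_ip"])
        s["bytes"] += f["bytes"]
        if f["src_port"] == WSD_PORT:
            s["on_3702"].add(f["src_ip"])

    report = {}
    for victim, s in stats.items():
        n = len(s["sources"])
        if n >= min_sources and s["on_3702"]:
            report[victim] = {
                "reflectors": sorted(s["sources"]),   # candidates for an upstream block list
                "bytes": s["bytes"],
                "share_on_3702": len(s["on_3702"]) / n,
            }
    return report


# Constructed flow records (not captured data). 203.0.113.10 is being reflected at:
# five reflectors answer a probe it never sent, three from 3702 and two from high ports,
# all landing on the port the spoofed probes named. The DNS exchange and the single
# stray packet to 203.0.113.20 are the negative cases.
FLOWS = [
    {"src_ip": "203.0.113.10", "src_port": 40001, "dst_ip": "198.51.100.53", "dst_port": 53, "proto": "udp", "bytes": 64},
    {"src_ip": "198.51.100.53", "src_port": 53, "dst_ip": "203.0.113.10", "dst_port": 40001, "proto": "udp", "bytes": 120},
    {"src_ip": "198.51.100.11", "src_port": 3702, "dst_ip": "203.0.113.10", "dst_port": 80, "proto": "udp", "bytes": 3600},
    {"src_ip": "198.51.100.12", "src_port": 3702, "dst_ip": "203.0.113.10", "dst_port": 80, "proto": "udp", "bytes": 3580},
    {"src_ip": "198.51.100.13", "src_port": 3702, "dst_ip": "203.0.113.10", "dst_port": 80, "proto": "udp", "bytes": 3610},
    {"src_ip": "198.51.100.14", "src_port": 49152, "dst_ip": "203.0.113.10", "dst_port": 80, "proto": "udp", "bytes": 3590},
    {"src_ip": "198.51.100.15", "src_port": 51000, "dst_ip": "203.0.113.10", "dst_port": 80, "proto": "udp", "bytes": 3600},
    {"src_ip": "198.51.100.16", "src_port": 3702, "dst_ip": "203.0.113.20", "dst_port": 80, "proto": "udp", "bytes": 3600},
    {"src_ip": "198.51.100.80", "src_port": 443, "dst_ip": "203.0.113.20", "dst_port": 52000, "proto": "tcp", "bytes": 900},
]


if __name__ == "__main__":
    for victim, info in udp_reflection_report(FLOWS).items():
        print(f"{victim}: {len(info['reflectors'])} reflectors, {info['bytes']} bytes, "
              f"{info['share_on_3702']:.0%} answering from 3702")
```

Because more than half of real reflectors answer from high ports, a rule keyed only on source port 3702 would miss most of the traffic; the unsolicited-reply check is what catches the rest.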
DDoS is Going Mobile<br />
Unlike more stealthy exploits, DDoS attacks are loud and overt, allowing defenders to detect their launch<br />
point. While these weapons are globally distributed, the greatest number of attacks originate in countries<br />
with the greatest density in internet connectivity, including China, the United States, and the Republic of<br />
Korea.<br />
A10 Networks has also tracked the hosting of DDoS weapons by autonomous system numbers (ASNs),<br />
or collections of IP address ranges under the control of a single company or government. With the<br />
exception of the United States, the top ASNs hosting DDoS weapons track closely with the countries<br />
hosting the majority of attacks, including Chinanet, Guangdong Mobile Communication Co. Ltd., and<br />
Korea Telecom.<br />
In another key trend, the prevalence of DDoS weapons hosted by mobile carriers skyrocketed near the<br />
end of 2019. In fact, the top reflected amplified source detected was Guangdong Mobile Communication<br />
Co. Ltd., with Brazilian mobile company Claro S.A. the top source of malware-infected drones.<br />
The Worst is Yet to Come<br />
With IoT devices coming online at a rate of 127 per second and accelerating, hackers are poised to enter<br />
a golden age of possibilities. In fact, new strains of DDoS malware in the Mirai family are already targeting<br />
Linux-powered IoT devices—and they’ll only increase as 5G brings massive increases in network speed<br />
and coverage. Meanwhile, DDoS-for-hire services and bot herders continue to make it easier than ever<br />
for any bad actor to launch a lethal targeted attack.<br />
The A10 Networks report makes clear the importance of a complete DDoS defense strategy. Businesses<br />
and carriers must leverage sophisticated DDoS threat intelligence, combined with real-time threat<br />
detection, to defend against DDoS attacks no matter where they originate. Methods such as automated<br />
signature extraction and blacklists of the IP addresses of DDoS botnets and available vulnerable servers<br />
can help organizations proactively defend themselves even before an attack starts.<br />
For additional insight, including the top IoT port searches and reflector searches performed by attackers,<br />
download the complete A10 Networks report, “Q4 2019: The State of DDoS Weapons,” and see the<br />
accompanying infographic, “DDoS Weapons & Attack Vectors.”<br />
About the Author<br />
Ahmad Nassiri is the security solutions architect for A10 Networks’<br />
Eastern region. Nassiri is responsible for supporting pre-sales efforts of<br />
A10 Networks’ security solutions portfolio. He is also focused on<br />
providing visibility to market, trends and developments within the<br />
security field to help A10 Networks expand its security solutions<br />
offering. Before joining A10 Networks, Nassiri was a systems engineer<br />
at Arbor Networks, focused on network security and monitoring solutions for global networks. In this role,<br />
he assisted with the pre- and post-sales engineering support for Arbor’s service provider-focused account<br />
teams. Nassiri has also held sales/systems security engineering roles with Verisign’s Network<br />
Intelligence and Availability (NIA) division. During his tenure, he was focused on security intelligence,<br />
cloud-based DDoS protection, and managed DNS services. Earlier, he held numerous security and<br />
engineering roles with BT Global Services.<br />
Ahmad can be reached online at (anassiri@a10networks.com) and at our company website<br />
https://www.a10networks.com/<br />
Better Network Visibility: Removing the Security<br />
Blindfold<br />
By Cary Wright, VP Product Management, Endace<br />
Recent research shows that enterprise teams are very concerned about the ability to protect their<br />
networks from cyber threats. Concerns run the gamut: insufficient insight into network activity, lack of<br />
integration between security tools, inability to respond to threats quickly enough, resource constraints,<br />
and obsolete solutions. Enterprises are frustrated with existing security solutions that don’t provide<br />
sufficient visibility, agility and economic efficiency. This article is the first of a three-part series from<br />
Endace, and looks at the issue of network visibility.<br />
Without the right tools in place, detection and resolution of security events is cumbersome and often<br />
inconclusive. Lacking sufficient visibility into network activity, organizations are left vulnerable.<br />
A recent enterprise survey conducted by Enterprise Management Associates reveals that only 31% of<br />
incursions were identified and stopped at the earliest two stages of the Lockheed Martin Kill Chain model.<br />
This indicates that most threats proceed to the dangerous exploitation phase. A key reason for being<br />
unable to stop a compromise early enough is the overflowing backlog of issues that are never<br />
investigated. 89% of enterprises surveyed by ViB say a lack of visibility into network activity prevents<br />
them from reacting promptly, with confidence.<br />
At first glance, you might think lack of network visibility is caused by a lack of data. But the issue often<br />
isn’t a lack of data, but an inability to correlate data collected in order to provide useful insights. It’s like<br />
trying to assemble a collection of scattered jigsaw puzzle pieces when you don’t have a picture of the<br />
final result. Enterprise teams are overwhelmed by the sheer volume of data to analyze from multiple,<br />
disparate sources: log files, SNMP traps, monitoring tools, etc. Often this data is scattered across the<br />
infrastructure, hard to correlate, and incomplete because of blind spots in network coverage, which make<br />
seeing the full context of security threats difficult or impossible.<br />
When teams efficiently collate data sources to provide full context around detected issues, then data<br />
becomes “actionable information” used to investigate and resolve problems quickly and accurately.<br />
Network metadata and full-packet capture data together give teams the perfect combination of evidence<br />
for investigating and resolving security threats.<br />
Network metadata delivers a summary of activity across your infrastructure that provides insight into the<br />
behavior of users, devices, applications and threats. This summary can be easily stored and correlated<br />
with other data sources from endpoints, applications, AAA, firewall logs and other key elements. Having<br />
diverse datasets in one place helps investigators triangulate on potential issues rapidly. Since all this is<br />
a summary of what happened, access to full packet data is often needed to confidently understand the<br />
breadth of a security event. Fortunately, metadata provides an index into full packet capture data that<br />
enables teams to quickly and accurately reconstruct events, in context, to see exactly what has occurred<br />
and respond at once.<br />
This combination of network metadata with full packet history facilitates quick and confident investigations<br />
and threat resolutions. Analysts can query and mine the metadata, then quickly get definitive evidence<br />
by drilling down to the packets. The combination of network metadata and packet data also provides the<br />
all-important context for data from other sources – such as log files and alerts from monitoring – by<br />
providing a timeline and record of affected hosts against which these data sources can be correlated<br />
easily.<br />
Access to the right data at the right time with the combination of metadata and full packet capture<br />
facilitates end-to-end visibility, and enables enterprises to detect, triage, investigate and respond to<br />
threats and incidents with speed, certainty and confidence. It lets teams efficiently assemble the pieces<br />
of the data puzzle to create a clear picture of precisely what’s happening on their network.<br />
The second article in this series will address how to increase agility and accelerate incident response.<br />
About the Author<br />
Cary Wright, VP Product Management at Endace, has more than 25<br />
years’ experience in creating market-defining networking, cybersecurity<br />
and application delivery products at companies including Agilent, HP,<br />
Ixia and NEC. sales@endace.com, www.endace.com.<br />
Enabling Agility to Accelerate Incident Response<br />
By John Attala, Vice President of Worldwide Sales, Endace<br />
In the first article in this series, Endace VP of product management Cary Wright discussed the importance<br />
of end-to-end network visibility in protecting valuable enterprise data, and how the combination of network<br />
metadata and full packet data provides definitive evidence of network activity. To leverage this data<br />
effectively, however, it is crucial to make it available to the tools and teams throughout the enterprise for<br />
examining and resolving issues more quickly and accurately. Which brings us to the topic of this article:<br />
agility.<br />
Agility, as it relates to cyberdefense and performance management, can mean two things:<br />
1) faster, more efficient investigation of, and response to, threats/issues (“agile incident response”); and<br />
2) rapid installation and deployment of new solutions to address these threats and issues (“agile<br />
deployment”).<br />
Agile Incident Response<br />
Research published last year revealed that SecOps, NetOps and DevOps teams are buried in alerts,<br />
each of which typically requires a resource-intensive investigation and resolution process involving<br />
multiple personnel. Sadly, the norm is that there simply isn’t sufficient time to triage, prioritize and<br />
investigate all the alerts.<br />
In addition, many of the tools SecOps and NetOps teams use don’t integrate well with each other, so<br />
beleaguered teams must switch from tool to tool (“swivel chair integration”) to determine actual network<br />
activity – resulting in time delays, stress, and organizational risk.<br />
Integrating network metadata and full packet information into security and performance monitoring tools,<br />
so analysts and teams can pivot directly to the related packets, can dramatically simplify and accelerate<br />
investigations, reducing alert backlog and analyst fatigue. The end result is streamlined investigation<br />
workflows, more efficient and productive teams, richer contextual information for dealing with threats and<br />
– crucially – faster, more accurate incident response.<br />
Agile Deployment<br />
The same research report cited above found that 90% of respondents reported the process of acquiring<br />
and deploying security, network or application performance platforms is challenging. It’s a fact: selecting<br />
and deploying new security and performance monitoring tools can take months to years when an<br />
organization must consider budget, evaluation, selection, purchase, installation and integration. It’s a<br />
slow process.<br />
Further compounding the acquisition problem is that once purchased, these security and performance<br />
monitoring solutions are expected to last their full depreciation cycle – even though security threats and<br />
network standards frequently change and evolve. The end result is organizations are often stuck with<br />
solutions which are no longer fit-for-purpose, requiring a “rip-and-replace” to meet new threats or resolve<br />
performance issues.<br />
The lack of ability to quickly evolve systems to meet new threats or address new requirements is<br />
hampering organizations’ ability to protect and manage their networks effectively. Attackers, on the other<br />
hand, aren’t constrained by the same CAPEX and budget issues – often using the victim’s own<br />
infrastructure to host their attacks – enabling them to be extremely agile in staging their attacks.<br />
To counter this, organizations need more agile deployment. One solution is to adopt a standardized,<br />
open hardware platform as the foundation for security and performance monitoring: a platform that can<br />
provide full packet capture, metadata indexing and deep storage, allow standard RESTful API<br />
connections to existing toolsets, and enable virtualized hosting of the network security and performance<br />
analytics applications that best suit the organization’s environment.<br />
Adopting a standardized platform ensures a good foundation (accurate, time-stamped, quickly<br />
searchable data), the RESTful API ensures existing workflows are maintained and minimizes training,<br />
and virtualizing monitoring and analytics solutions enables the speed and flexibility to deploy required<br />
solutions on-demand.<br />
The standard, open platform approach allows for maximum agility and has the potential to deliver the<br />
same benefits enterprise datacenters have realized through virtualization: rapid deployment, massive<br />
flexibility, operational efficiencies, and huge cost savings.<br />
The next article in the series will discuss the economics and cost savings in more detail.<br />
About the Author<br />
John Attala is vice president of worldwide sales at Endace. He has more<br />
than twenty years’ experience in providing network visibility, forensic<br />
solutions, and security services to global enterprise, service providers and<br />
government agencies.<br />
John Attala can be reached online at www.endace.com.<br />
Economic Efficiency in <strong>Cyber</strong> <strong>Defense</strong><br />
By Mark Evans, VP Marketing, Endace<br />
The previous two articles in this series addressed Visibility and Agility as key requirements for<br />
stronger cyber defense. This last article in the series looks at the third leg of robust cybersecurity:<br />
Economic Efficiency.<br />
According to recent research, gleaned from more than 250 global enterprises, organizations use, on<br />
average, ten different security management tools. In large enterprises, that number jumps to between 10<br />
and 18 different security solutions.<br />
The research also showed that even though organizations have deployed numerous security solutions,<br />
at great cost, they:<br />
• Don’t have enough tools in the right places to detect and investigate security events (80% of<br />
respondents!)<br />
• Find the challenge of constraints caused by Capital Expenditure (CAPEX) “significant” (75%)<br />
• Take 6-12 months OR LONGER to acquire and deploy new solutions (budget, testing, product<br />
selection, deployment) (90%)<br />
Additionally, organizations said they “lack visibility into network activity”, have “difficulty responding<br />
quickly enough to threats” and “find it hard to integrate tools and correlate data”.<br />
It’s clear then, that despite considerable investment in security, organizations are still not achieving their<br />
desired objectives. They are constantly on the back foot, unable to keep ahead of a rapidly evolving<br />
threat landscape. And, as covered in previous articles in this series, teams are overwhelmed by alert and<br />
platform fatigue due to lack of visibility and inefficient workflow processes that constrain productivity.<br />
Reducing Cost and Increasing Efficiency<br />
Network security functions typically rely on specialist hardware that can capture network traffic at high<br />
speed for analysis, therefore many solutions are appliance-based. As a result, organizations must deploy<br />
many different appliances to deliver the range of required security functions (IDS/IPS, data leakage<br />
prevention, malware detection, email scanning, etc.).<br />
This has a number of cost and budget implications:<br />
1. Hardware-based appliances are expensive to purchase and maintain.<br />
2. Organizations pay for packet capture capability in each appliance they purchase.<br />
3. Hardware purchases consume so much budget that organizations can’t afford to deploy solutions<br />
everywhere they need them, leaving blind spots.<br />
4. Functionality is inextricably tied to appliance hardware - upgrading functionality often means a<br />
“rip-and-replace”. Without CAPEX budget for replacements, organizations must make do with<br />
solutions that are well past their “use by” date.<br />
Virtualization has delivered significant benefits in the datacenter: lower cost, simpler infrastructure,<br />
efficient hardware utilization, greater flexibility and rapid deployment. However, organizations have been<br />
unable to virtualize their network security solutions to realize these same benefits due to the lack of a<br />
common hardware platform.<br />
What’s needed is a hardware platform that provides high-performance, hardware-based packet capture<br />
and recording that can be shared by all the tools and teams that need to analyze packet data. This<br />
approach eliminates unnecessary functional duplication and allows security and performance monitoring<br />
tools to be consolidated onto a common platform.<br />
The cost of this common infrastructure can be shared across SecOps, NetOps, DevOps and IT teams,<br />
reducing Operational Expenditure (OPEX) and CAPEX costs and facilitating closer collaboration. New<br />
functionality can be deployed without replacing hardware.<br />
Increasing Productivity<br />
With packet history integrated into all their tools, analysts can more efficiently detect, investigate and<br />
resolve security threats; moving from an alert or suspicion directly to evidence quickly and accurately.<br />
This is vastly more productive than the current swivel-chair integration resulting from managing multiple,<br />
non-integrated hardware appliances.<br />
This series looked at three key issues facing enterprises in protecting and defending their networks:<br />
Visibility, Agility, and Economic Efficiency. By addressing all three issues together organizations can<br />
gain the clarity, confidence, and certainty necessary to effectively protect against cyberthreats.<br />
About the Author<br />
Mark Evans has worked in the technology industry for more than 30 years,<br />
starting as a developer and moving into CIO and CTO roles prior to joining<br />
Endace as Vice President of Marketing. He has also written extensively as<br />
an expert columnist for many technology publications. www.endace.com,<br />
@endace.<br />
Does SASE Tick the Box for The Future of Network<br />
Security?<br />
By Yair Green, CTO at GlobalDots<br />
The enterprise of today works with an upgraded portfolio that can be viewed as the result of an overall<br />
digital transformation. This in turn has brought about the need to rethink what that transformation means<br />
for the network. In response, Gartner introduced the concept of Secure Access Service Edge (SASE) as<br />
a new enterprise networking technology, whereby organizations could ditch time-honoured networking<br />
and security designs by merging network and security point functionality globally into a consolidated,<br />
cloud-native service.<br />
There is certainly a shift these days: organizations are transitioning their users, applications and data<br />
(currently located on-premise) into the cloud and towards edge applications, with a workforce that is<br />
spending more of its time working out of the office, ‘on the road’.<br />
Together, the forces of cloud, mobility and edge have all brought pressure upon the enterprise’s old and<br />
weary network and security architecture. It doesn’t help to have data spread out all over SaaS<br />
applications, or across the increasing number of cloud applications. Whilst there is no doubt that such a<br />
digital transformation can improve overall agility and competitiveness, it will also require a rethink with<br />
respect to how the enterprise connects and secures their connections. As the landscape evolves, so<br />
must technology. Perhaps it was inevitable then that something like SASE should make an appearance.<br />
The digital transformation has forced the enterprise to evolve by running more applications in the cloud<br />
as SaaS rather than on-premise - more of their data and workloads live in cloud data centers and more<br />
of their workforces are mobile - mobile users routinely accessing the cloud and increasing numbers of<br />
employees working off-site. The two main challenges for organizations as they ponder how to network<br />
and secure offices, users and resources, will be the cloud and mobility. When the data center is no longer<br />
at the core of enterprise activity then where do you inspect traffic and where do you apply policy?<br />
Similarly, if the networks are going to be built by connecting resources and users that exist in large part<br />
outside of physical buildings, then how will the business deliver optimal network experiences? Of course<br />
it can be done - it does require though, binding together a potentially disparate range of security<br />
technologies so that the enterprise is satisfactorily protected; this could prove both costly and time-consuming<br />
for most businesses. In an ideal world, there should be one way to network any kind of<br />
resource, location or user, without leaving the business vulnerable to the wide array of security threats.<br />
Organizations have been all too busy trying to use additional services as a stopgap, as a way to paper<br />
over the cracks; but this just complicates things and drives costs upwards. This approach won’t work in<br />
today’s digital landscape. By pushing security as close to the user as possible, SASE helps to reduce<br />
cost and complexity by focusing on the users that are accessing the applications; it can all be done<br />
through one single service now. Also, SASE ensures that all connections are inspected and secured, no<br />
matter what. Bear in mind the unique challenges of risk whereby both users and applications are so<br />
widely spread apart. In addition, where you have security enforced close to the users, SASE delivers a<br />
much better user experience overall. Traditionally, the old model brought the user to the security, but<br />
that’s not such a great UX scenario.<br />
Whilst some might argue that SASE’s primary focus is user experience, there’s no doubt that SASE will<br />
be a major disruption to both network and network security architecture. Ultimately businesses will need<br />
SASE if they wish to continue their adoption of cloud-native computing and increase their adoption of<br />
edge computing platforms. Lessons will have to be learned regarding specific security and risk<br />
management actions that will need implementing as SASE adoption picks up. When we see a truly full<br />
competitive solutions marketplace, then big business will be in a position to gauge more accurately how<br />
capabilities are delivered. In the meantime, businesses will require converged, secure and cloud-delivered<br />
access to the edge in order to adopt this shift. Digital transformation is shifting the focal point<br />
away from the data center, to the identity of the user.<br />
About the Author<br />
Yair Green is the CTO of GlobalDots, and a Cloud, Security and Web<br />
Performance Evangelist.<br />
www.globaldots.com<br />
Achieving Effective User Lifecycle Management Through<br />
Automation<br />
By Jeff Stein, Information Security Architect, Reputation.com<br />
When considering the security of an enterprise, a key area ripe for automation should be user lifecycle<br />
management. The topic is important not only to the security of an organization but also to the overall<br />
function of an enterprise. By achieving effectiveness through automation in your user lifecycle<br />
management process you will not only increase the productivity of your operational teams through the<br />
reduction of work required to manage the user lifecycle, but also add effective security controls to your<br />
information security program.<br />
User lifecycle management covers the full array of activities executed during the lifetime of a user at an<br />
enterprise. It begins with the initial contact of a prospective employee or business partner to the eventual<br />
onboarding of the user into their defined role at the organization. Any changes to user access or status<br />
and role at the organization are also covered in the lifecycle. The lifecycle management then comes full<br />
circle and is completed through the offboarding process when the user ends their responsibilities at the<br />
enterprise.<br />
From a security perspective, user lifecycle management should be an important domain to include in your<br />
security program. While many of the operational tasks related to the lifecycle management are associated<br />
with Human Resources or Information Technology business units, the need to instill security controls into<br />
the related workflows and processes is paramount. This is because one of the core functions of user<br />
lifecycle management pertains to access control, which is fundamental to a security program because it<br />
deals with the identity, authentication and authorization of users in the enterprise.<br />
The need to automate the provisioning (creation) or deprovisioning (removal) tasks related to the user<br />
lifecycle management process is derived from ensuring that there is better accountability in the<br />
operational tasks associated with access control. Having not only a well-defined lifecycle management<br />
process but also ensuring that those processes are initiated through automation reduces the number of<br />
administrative controls required to validate proper completion of tasks and replaces them with more<br />
reliable technical controls.<br />
In my previous experiences as a Security Engineer, as well as my current role as an Information Security<br />
Architect for Reputation.com, an industry leader in online reputation management providing customers<br />
with a full range of solutions to handle their presence online, I have found that any time you replace a<br />
reliance on a human task with an automated technical one, the likelihood of a breakdown in process is<br />
reduced. It also frees up the human element to be leveraged in the process in a more intelligent way than<br />
previously utilized. Once repeatable tasks can be replaced with automation, the person can be used as<br />
a means to validate on a regular basis that the automated technical control has not failed. This is done<br />
through measures such as auditing and approval reviews for sensitive circumstances or types of access.<br />
Another simple way of looking at this is to use your human staff for intelligent processes and automate<br />
the mundane repeatable processes that do not deviate from the norm.<br />
When looking to automate the user lifecycle at an enterprise there are numerous technical tools at your<br />
disposal. Whether you choose to leverage internal scripts or programs, or utilize a managed technical<br />
solution, is a personal preference pertaining to your available budget and technical skill sets on staff.<br />
However, whichever tooling you implement to automate user lifecycle management, in my opinion it is more<br />
important to ensure you include a number of key components in your automated lifecycle strategy and<br />
technical design, which will support your tooling.<br />
The first component to ensure you incorporate into your lifecycle management should be an all-encompassing<br />
source of truth for your user records. Whether this is a directory service or a human<br />
resource information system (HRIS), the key is to ensure that it is accurate and continually maintained.<br />
Your source of truth should be the foundation for building out and automating user lifecycle management,<br />
because it will serve as the starting point for the overall process. In essence, until the user is in your<br />
source of truth the lifecycle has not yet begun.<br />
Additionally, access control should be properly built into your strategy. As mentioned above, access<br />
control is a key security process and having proper controls in place will ensure you have security baked<br />
into your design and automation process. Consider using role-based access control (RBAC) or attribute-based<br />
access control (ABAC) as a model for designing your access control component. When I have<br />
personally rolled out user lifecycle management automation, I have done a combination of the two.<br />
However, relying primarily on RBAC will be easier to implement or at least serve as a starting point for<br />
your design.<br />
The final component that should be included in the lifecycle management strategy is ensuring that<br />
data is synchronized between your source of truth and any systems of record used by the various<br />
applications in your enterprise, as a part of your automation. This is again important in<br />
keeping your source of truth accurate as well as ensuring that aspects such as deprovisioning or a status<br />
change in the user’s role function properly. Once these three key components have been worked into<br />
your lifecycle management design, the tooling you choose will layer on top and function efficiently. It will<br />
also offer a higher level of implementation success and a holistic approach to your workflow and<br />
processes.<br />
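The three components above (a source of truth, an RBAC/ABAC access model, and keeping application records in sync) combined into one small reconciliation routine, as an added example that is not the article’s or Reputation.com’s code; the HRIS records, role map and application account lists are constructed sample data, and all function names are hypothetical.<br />

```python
"""Joiner/mover/leaver reconciliation driven by an HRIS source of truth.

Added example, not the article's or Reputation.com's code. Every record below is
constructed sample data and every function name is hypothetical.
"""

# Source of truth (constructed): the HRIS record per user. Until a user appears
# here the lifecycle has not begun, so no access is ever derived for them.
HRIS = {
    "alice": {"status": "active", "role": "engineer", "department": "platform"},
    "bob": {"status": "active", "role": "finance", "department": "finance"},
    "carol": {"status": "terminated", "role": "engineer", "department": "platform"},
    "dave": {"status": "active", "role": "engineer", "department": "platform"},
}

# RBAC model: each role maps to the (application, entitlement) pairs it grants.
ROLE_ENTITLEMENTS = {
    "engineer": {("github", "developer"), ("vpn", "user"), ("ci", "builder")},
    "finance": {("erp", "accountant"), ("vpn", "user")},
}

# Sensitive grants: automation proposes them, a human approves them (the
# "approval reviews for sensitive circumstances" the article keeps for people).
REQUIRES_APPROVAL = {("cloud-console", "platform-admin")}

# Application systems of record (constructed): what each app grants right now.
APP_ACCOUNTS = {
    "github": {"alice": "developer", "carol": "developer", "dave": "admin"},
    "vpn": {"alice": "user", "bob": "user", "carol": "user", "eve": "user"},
    "ci": {"alice": "builder"},
    "erp": {"bob": "accountant", "dave": "accountant"},
    "cloud-console": {"alice": "platform-admin", "carol": "platform-admin"},
}


def attribute_entitlements(record):
    """ABAC overlay: grants derived from a user attribute rather than the role."""
    grants = set()
    if record["department"] == "platform":
        grants.add(("cloud-console", "platform-admin"))
    return grants


def desired_state(hris):
    """(app, user) -> entitlement that the source of truth says should exist."""
    desired = {}
    for user, rec in hris.items():
        if rec["status"] != "active":
            continue  # leavers keep nothing; every account they hold is removed
        grants = set(ROLE_ENTITLEMENTS.get(rec["role"], ())) | attribute_entitlements(rec)
        for app, ent in grants:
            desired[(app, user)] = ent
    return desired


def current_state(app_accounts):
    """Flatten per-application records into the same (app, user) -> entitlement shape."""
    return {(app, user): ent
            for app, users in app_accounts.items()
            for user, ent in users.items()}


def reconcile(hris, app_accounts):
    """Diff desired against current state.

    Returns (actions, needs_approval, orphans):
      actions        (verb, app, user, entitlement) tuples safe to apply automatically
      needs_approval sensitive provisions held back for a human reviewer
      orphans        accounts whose user the source of truth has never seen
    """
    desired = desired_state(hris)
    current = current_state(app_accounts)
    actions, needs_approval, orphans = [], [], []
    for app, user in sorted(desired.keys() | current.keys()):
        want, have = desired.get((app, user)), current.get((app, user))
        if user not in hris:
            orphans.append((app, user, have))  # bypassed onboarding: audit it
            continue
        if want == have:
            continue
        if have is None:
            if (app, want) in REQUIRES_APPROVAL:
                needs_approval.append(("provision", app, user, want))
            else:
                actions.append(("provision", app, user, want))
        elif want is None:
            actions.append(("deprovision", app, user, have))
        else:
            actions.append(("change", app, user, f"{have}->{want}"))
    return actions, needs_approval, orphans


if __name__ == "__main__":
    acts, approvals, unknown = reconcile(HRIS, APP_ACCOUNTS)
    for a in acts:
        print("auto   ", *a)
    for a in approvals:
        print("approve", *a)
    for o in unknown:
        print("audit  ", *o)
```

Run against the sample data, the terminated user loses every account, the mover’s stale ERP access is removed and the account the HRIS has never seen is surfaced for review instead of being silently deleted.<br />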
Automation provides an excellent means to layer repeatable and scalable security controls into an<br />
organization. By automating the user lifecycle management process you can ensure better accountability<br />
into the operational tasks associated with access control in the enterprise. Proper tooling combined with<br />
a well-maintained source of truth, an effective access control model and baking in the updating of<br />
information between sources allows you to add effective security controls to your information security<br />
program.<br />
About the Author<br />
Jeff Stein is currently the Information Security Architect at Reputation.com,<br />
an industry leader in online reputation management. His prior experience<br />
includes the FinTech space and both the United States House of<br />
Representatives and the United States Senate. In addition to holding<br />
numerous security and IT certifications, including his CISSP, he received a<br />
Master of Science in Information Security and Assurance from Western<br />
Governors University. Jeff can be found online on his blog,<br />
https://www.securityinobscurity.com and reached at jeff@sioblog.net or on Twitter at<br />
@secureobscure, and at our company website https://www.reputation.com and on Twitter at<br />
@Reputation_Com.<br />
Credential Stuffing: Why It’s on The Rise and How to<br />
Decrease Your Risk<br />
By Kevin Landt, VP of Product Management at Cygilant<br />
Reports of high-profile data breaches like Equifax’s, LinkedIn’s or Yahoo’s always cause an initial,<br />
widespread panic -- and for good reason. But after having massive amounts of their sensitive information<br />
exposed such as usernames and passwords, many consumers and organizations move on far too<br />
quickly. Whether it’s because they assume there’s nothing they can do to rectify the situation or due to a<br />
lack of understanding of their risk level, too many individuals and companies remain dangerously<br />
oblivious to what happens after a data breach.<br />
Post-breach, many cybercriminals turn to the Dark Web to purchase data stolen from high-profile data<br />
breaches. For instance, recently eight hacked databases containing data for 92.75 million users were put<br />
up for sale on the Dark Web Marketplace "Dream Market" for 2.6249 bitcoins (about $9,400 USD at the<br />
time). Hackers will then use their newly acquired, stolen data to fuel credential stuffing attacks, i.e. attacks<br />
that leverage stolen account credentials to gain unauthorized access to user accounts through large-scale<br />
automated login requests directed against a web application.<br />
Unlike credential cracking, credential stuffing doesn’t rely on brute force or attempts to guess passwords.<br />
Instead, cybercriminals simply automate the logins for thousands to millions of previously discovered<br />
credential pairs using standard web automation tools or tools designed specifically for credential stuffing<br />
(e.g. services that manipulate login requests to make them look like they came from many different<br />
browsers and/or products that integrate with platforms designed to defeat Captchas). On average,<br />
hackers find matches between stolen credentials and a website only about one percent of the time;<br />
however, with every new large-scale breach, the credential stuffing process becomes easier and more<br />
effective.<br />
To combat credential stuffing, both consumers and companies need to recognize the danger these<br />
attacks pose and adhere to the following four best practices:<br />
1. Monitor data breaches -- It’s critical to stay apprised of large-scale breaches so that if/when you<br />
have an account with a company that experiences a data breach, you can immediately change<br />
your password. Also, if you use the same username and password for other accounts, be sure to<br />
change those passwords as well. Keeping up with the near-daily occurrence of data breaches<br />
can feel like an overwhelming task, so consider leveraging tools like this to determine if any of<br />
your credentials have been leaked at any time.<br />
2. Improve your passwords -- One of the top factors driving the credential stuffing epidemic is poor<br />
password hygiene. Never reuse the same username and password across multiple sites, change<br />
your passwords regularly, make sure each password has no resemblance to the old, don’t use<br />
the same core word(s) and refrain from placing the same special characters in the same positions.<br />
Password managers can help by creating and easily managing the types of highly secure<br />
passwords that are impossible to remember.<br />
3. Implement two-factor authentication -- By turning on two-factor authentication whenever<br />
available, an additional authentication factor is requested when you enter your password. This provides<br />
another vital layer of protection in the event of a network attack and should always be turned on.<br />
4. Blacklist suspicious logins -- Companies should consistently track logins that result in fraud<br />
and then blacklist the associated IP addresses. Also, if users are located in a specific region, they<br />
can create geofences that block traffic that comes from elsewhere. Such tactics can make the<br />
proxy lists cybercriminals rely on to mask their mass login attempts far less effective, not to<br />
mention more complex and costly. Web-based security products can also be leveraged to block<br />
a single IP address or a range of IP addresses that result in too many unsuccessful login attempts.<br />
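The fourth practice expressed as detection logic over sample login records, as an added example that is not the article’s or Cygilant’s code; the log lines, the IP-to-region lookup and the thresholds are constructed, and the function names are hypothetical. It also separates the stuffing signature (many accounts, one try each) from the brute-force pattern the article contrasts it with, and lists the accounts whose successful login from a stuffing source means their credentials are already in the attacker’s list.<br />

```python
"""Spot credential-stuffing traffic in web-application login logs.

Added example, not code from the article or from Cygilant. The log lines, the
IP-to-region lookup and the thresholds are all constructed for illustration,
and every function name is hypothetical.
"""
import re
from collections import defaultdict

# Constructed login events in a minimal key=value format. 203.0.113.5 tries
# many *different* accounts once each (the stuffing signature), 198.51.100.9
# hammers a single account (classic brute force) and 192.0.2.77 is an ordinary
# user who mistyped a password once.
SAMPLE_LOG = """\
2020-04-01T10:00:01Z ip=203.0.113.5 user=alice result=fail
2020-04-01T10:00:02Z ip=203.0.113.5 user=bob result=fail
2020-04-01T10:00:02Z ip=203.0.113.5 user=carol result=fail
2020-04-01T10:00:03Z ip=203.0.113.5 user=dave result=success
2020-04-01T10:00:03Z ip=203.0.113.5 user=erin result=fail
2020-04-01T10:00:04Z ip=203.0.113.5 user=frank result=fail
2020-04-01T10:00:05Z ip=203.0.113.5 user=grace result=fail
2020-04-01T10:00:05Z ip=203.0.113.5 user=heidi result=fail
2020-04-01T10:00:06Z ip=198.51.100.9 user=victor result=fail
2020-04-01T10:00:07Z ip=198.51.100.9 user=victor result=fail
2020-04-01T10:00:08Z ip=198.51.100.9 user=victor result=fail
2020-04-01T10:00:09Z ip=198.51.100.9 user=victor result=fail
2020-04-01T10:00:10Z ip=198.51.100.9 user=victor result=fail
2020-04-01T10:00:11Z ip=198.51.100.9 user=victor result=fail
2020-04-01T10:00:20Z ip=192.0.2.77 user=ivan result=fail
2020-04-01T10:00:25Z ip=192.0.2.77 user=ivan result=success
2020-04-01T10:01:00Z ip=203.0.113.200 user=judy result=success
"""

# Constructed stand-in for a GeoIP lookup; "ZZ" marks a region the business
# does not serve, which the geofence in the article's fourth practice blocks.
IP_REGION = {"203.0.113.5": "ZZ", "198.51.100.9": "US",
             "192.0.2.77": "US", "203.0.113.200": "ZZ"}
ALLOWED_REGIONS = {"US"}

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
                     r"result=(?P<result>success|fail)$")


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def summarize_by_ip(events):
    """Per-IP counters: attempts, failures, distinct usernames, successful users."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                 "users": set(), "successes": set()})
    for e in events:
        s = stats[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["result"] == "fail":
            s["failures"] += 1
        else:
            s["successes"].add(e["user"])
    return stats


def classify(stats, max_failures=5, min_distinct_users=5, min_fail_ratio=0.8):
    """Label each source IP. Stuffing = many distinct accounts, almost all failing;
    brute force = one account, many failures. Any labelled IP goes on the blocklist."""
    findings = {}
    for ip, s in stats.items():
        reasons = []
        distinct = len(s["users"])
        fail_ratio = s["failures"] / s["attempts"]
        if distinct >= min_distinct_users and fail_ratio >= min_fail_ratio:
            reasons.append("credential_stuffing")
        elif s["failures"] >= max_failures and distinct == 1:
            reasons.append("brute_force")
        elif s["failures"] >= max_failures:
            reasons.append("excessive_failures")
        if IP_REGION.get(ip, "??") not in ALLOWED_REGIONS:
            reasons.append("outside_geofence")
        if reasons:
            findings[ip] = {"reasons": reasons, "successes": sorted(s["successes"])}
    return findings


def accounts_to_reset(findings):
    """A success from a stuffing source is the ~1% match the article describes:
    that account's password is already known to the attacker and must be reset."""
    return sorted({u for f in findings.values()
                   if "credential_stuffing" in f["reasons"] for u in f["successes"]})


if __name__ == "__main__":
    found = classify(summarize_by_ip(parse_log(SAMPLE_LOG)))
    for ip in sorted(found):
        print(ip, found[ip]["reasons"])
    print("force password reset for:", accounts_to_reset(found))
```

In production the counters would be kept per time window rather than over the whole file, since a stuffing run is bursty; the per-IP logic is otherwise the same.<br />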
A recent report from Akamai found that an average of 4.15 billion malicious login attempts from bots were<br />
detected in both May and June of 2018, and that’s up from an average of 3.75 billion per month between<br />
November 2017 and June 2018. Credential stuffing attacks will continue to become even more prevalent<br />
in the years ahead, especially as data breaches expose hundreds of millions of usernames and<br />
passwords on a regular basis.<br />
By recognizing the credential stuffing problem head on and abiding by simple cybersecurity best<br />
practices, however, both consumers and companies alike can drastically reduce their risk and at the<br />
same time make cybercriminals’ jobs far more challenging.<br />
About the Author<br />
Kevin Landt is VP of Product Management at Cygilant and has over<br />
a decade of experience helping Security and IT Operations teams<br />
increase efficiency and reduce risk. At Cygilant, he leads a team of<br />
PMs dedicated to providing enterprise-class security-as-a-service<br />
for companies of all sizes. Prior to Cygilant, Kevin held director and<br />
leadership roles at Opsgenie (now part of Atlassian), Kanguru<br />
Solutions, and Intel.<br />
The Cost of <strong>Cyber</strong>crime Is Constantly Rising: How to<br />
Combat Ransomware Attacks on SMBs<br />
By Rui Lopes, Sales Engineering and Technical Support Director, Panda Security<br />
<strong>Cyber</strong>crime is an undeniable constant in the business landscape these days. The cost of cybercrime is<br />
constantly rising—it is estimated that by 2021, it will have reached $6 trillion worldwide. <strong>Cyber</strong>attacks on<br />
large companies tend to grab headlines all around the world because of their spectacular impact.<br />
However, there is one sector that, though it doesn’t normally generate headlines, suffers devastating<br />
effects of ransomware attacks: small- to medium-sized businesses (SMBs).<br />
According to Beazley Breach Response Services, 71% of ransomware attacks target SMBs. The average<br />
ransom demand for this kind of attack is $116,234. In more general terms, 43% of all cyberattacks target<br />
this kind of company, while just 14% of these businesses are prepared to defend against their effects. In<br />
the business world, cybersecurity awareness is the main challenge: employees’ actions are often the first<br />
line of defense against a cyberattack. To ensure that a cyber incident does not cause serious damage to<br />
a company, it is important that its employees follow a series of vital tips:<br />
• Never open attachments from unknown senders. 92% of the malware in the world arrives via<br />
email.<br />
• Don’t plug in an unknown USB device. It may contain malware that could cause grave problems<br />
for the company.<br />
• Get into the habit of updating passwords. This way, even if a password is leaked in a data breach,<br />
it won’t become a security risk.<br />
• Keep endpoints, devices and third-party applications updated; updates are an important barrier against<br />
security breaches.<br />
That being said, the best way to combat ransomware is by not becoming a victim in the first place. To<br />
that end, here are five immediate steps that SMBs can take to avoid ransomware attacks.<br />
Step 1: Set Operating Systems to Automatically Update<br />
The first step to avoiding ransomware is to update your operating system (OS). Anything connected to<br />
the web works better when the OS is updated. Tech companies like Microsoft and Apple regularly<br />
research and release fixes for “bugs” and security patches for vulnerabilities in their systems. It’s a<br />
cybersecurity game of cat and mouse. <strong>Cyber</strong>thieves search for “holes,” and companies race to find them<br />
first and “patch” them.<br />
Users are key players in the game because they are the ultimate gatekeepers of their operating systems.<br />
If your OS isn’t up to date, you can’t take advantage of the security updates. Plus, your computer runs<br />
better with an updated OS.<br />
Set your OS to update automatically and you won’t need to remember to do it manually. While Windows<br />
10 automatically updates (you have no choice), older versions don’t. But setting auto updates is easy,<br />
whether you’re on a Mac or PC.<br />
Step 2: Screenshot Bank Emails<br />
<strong>Cyber</strong>criminals use trojans or worms to infect your computer with ransomware. So, avoiding these will<br />
help you avoid ransomware. Worms and trojan malware are often spread through phishing email scams,<br />
which trick users into opening email attachments containing viruses or clicking links to fake websites<br />
posing as legitimate ones.<br />
One of the best tips for keeping phishing emails at bay is learning to identify them. Hackers send phishing<br />
emails that look like they come from banks, credit card companies or the IRS. Phishing emails kickstart<br />
your fears and anxieties by suggesting there are “problems with your account” or insisting that “Urgent<br />
action is required.” Who wouldn’t be scared if their bank sent them an email saying, “You are overdrawn<br />
in your account”?<br />
<strong>Cyber</strong>criminals use this fear to distract people so they will overlook the telltale signs of the phishing email<br />
like misspellings or common fear-inducing subject lines.<br />
Take screenshots of all of the legitimate emails from your bank, credit card companies, and other<br />
businesses that manage your sensitive information. Use these screenshots to compare with future emails<br />
you receive so you can spot phishing phonies and avoid ransomware.<br />
Step 3: Bookmark Most Visited Websites<br />
The next step in your ransomware-avoidance journey is to bookmark all of your most visited websites.<br />
Just as with phishing emails, cybercriminals build websites that look like bank or credit card sites. Then<br />
they trick users into clicking a link and visiting them. From there, hackers steal your sign-in credentials or<br />
infect your computer with malware.<br />
Think twice before you visit a website by clicking a link in an email, comments section or private<br />
messaging app. Instead, bookmark your most visited or high-value websites and visit them through your<br />
browser.<br />
Step 4: Back Up Data to the Cloud and a Hard Drive<br />
This step is a no-brainer. Ransomware works if you only have one copy of your data. If it’s irretrievable,<br />
then cyberthieves have the upper hand, but if you have multiple copies, you have taken away the power<br />
behind the threat.<br />
Back up your data to both a cloud service and a hard drive. That way, you have a copy that’s available<br />
anywhere there’s internet access and one that’s physically accessible all the time. Both types of storage<br />
are relatively inexpensive and will certainly prove worth it if you’re ever a ransomware target.<br />
After backing up your data, set up a schedule so you can keep your data current. If you haven’t backed<br />
up your data in six months, you’re probably just as vulnerable to ransomware attacks as having no backup<br />
at all.<br />
Step 5: Install <strong>Cyber</strong>security Software<br />
Ransomware is constantly evolving as hackers develop new, more dangerous strains. For users,<br />
preemptive steps rock, but unless you download and install comprehensive cybersecurity software, your<br />
data is still vulnerable to malware infection.<br />
Here’s a phrase worth remembering: ransomware is a nightmare. After cyberthieves encrypt your data,<br />
the chances of recovering it are slim to none…and slim just left town. The story of ransomware doesn’t<br />
have the Hollywood, happily-ever-after ending. It will definitely leave you teary-eyed…just for the wrong<br />
reasons.<br />
About the Author<br />
Rui Lopes has spent the last 15 years working for Panda Security and<br />
currently heads up the Pre-Sales Engineering team in North America.<br />
A cybersecurity expert with extensive industry knowledge, he’s<br />
passionate about solving complex technical challenges for customers<br />
and educating them on the latest cybersecurity developments. He<br />
holds several technical certifications and has contributed to multiple IT<br />
publications as an IT Security columnist. Rui can be reached online at https://www.linkedin.com/in/ruilopes-6966161/<br />
and at our company website https://www.pandasecurity.com/en-us/.<br />
How To Manage Your Small Business In Time Of Crisis<br />
By Milica D. Djekic<br />
It's always a challenge to manage your small business, but especially in times of crisis. Such a situation<br />
requires special skills, such as crisis management skills, pragmatism and critical thinking. How can we<br />
create a new generation of business leaders who are capable of responding to all these demands?<br />
Human psychology would suggest that the child is the parent of someone’s personality, and it’s quite<br />
obvious that if we want to produce new leaders we should try to teach them starting at the very<br />
beginning of life. The fact is that many young individuals spend the majority of their time on the web,<br />
and it is quite well known that cyberspace is often the busiest hub of people’s activity. It’s quite<br />
impressive how well the new generations deal with cyber technologies and, apparently, modern<br />
strategists should use such a finding to direct the youth toward some form of usefulness to the<br />
entire society.<br />
The point is that if we want competitive human resources in the decades ahead, we should begin working<br />
hard on that project now. A good education system matters, but will that be enough to make the new<br />
generation think, deal and make decisions in such a manner? The answer to this question<br />
could be quite unclear, but what we see at this stage is that, de facto, we need something both impactful<br />
and simple at the same time. In addition, we should study the psychology of the child’s development, or<br />
perhaps try to work with some habits that are adopted early on and later come to define someone’s life<br />
choices.<br />
So, what is common to all kids worldwide, and how do they build their first habits? The<br />
quite obvious answer is that kids everywhere love to play games, and in that way develop their first skills<br />
and social contacts. We all remember Monopoly and the experience of how some simple<br />
banking works in practice. Nowadays children also love to play these games, but in cyberspace.<br />
So, if you offer them the chance to do so on their own or as a team, you would undoubtedly teach them<br />
to think in this way.<br />
Kids often have very little life experience, and the point is to make something simple enough to<br />
motivate them to use their brains to resolve the situations appearing on their screen. On the other<br />
hand, many of today’s army officers chose their current occupations after playing strategy games and<br />
making decisions about how to manage their people and resources on some military basis.<br />
If you want your kid to learn how to be a good manager, you should lead them into the world of business,<br />
enterprises and management. First, many kids cannot imagine what spending your time in the<br />
office is like, and if you provide them the opportunity to see how it looks and engage them in interactive<br />
communication, then those young people would definitely become capable of responding to<br />
tomorrow’s competitive marketplace challenges. Also, if you put some obstacles into such a scenario,<br />
making the players deal with some critical situations, you would also make them develop problem-solving<br />
skills in crisis management tactics and strategies drawn from best practices and expert knowledge.<br />
So, let’s return to the beginning of our topic and introduce a graphical representation showing<br />
how dealing with a crisis in your small business might look. Such an illustration would offer you some<br />
constructive insights and hopefully help you better understand how to deal with those problems. The<br />
diagram is given in Figure 1.<br />
Figure 1. Crisis conditions in business<br />
As shown in the previous illustration, the small business crisis condition could depend on many factors.<br />
They could include social, environmental, technological and economic conditions, for example. In<br />
practice, the social elements could include political, religious, safety & security and ideological reasons,<br />
while the environmental conditions might include natural disasters, biological factors and even diseases.<br />
On the other hand, the technological and economic pillars could be positive, negative or neutral, for<br />
example.<br />
The fact is that if we distinguish all these elements in such a manner, we could straightforwardly develop an<br />
algorithm or decision-making tree for how to respond to these challenges in an operational, tactical and<br />
strategic way. The point is that once you figure out what is correlated with what, you could<br />
easily recognize some rules of those correlations and realize how they could be applied as<br />
problem-solving algorithms.<br />
In such a case, the cyber defense could be linked to the technological impacts and, in my opinion, anyone<br />
in that field can position himself to prepare for resolving those concerns. Also, crisis management skill<br />
is something that comes with experience, and it takes some time to become confident in such a role.<br />
Any empirical scenario would differ in some way from another, and before you learn to recognize the<br />
similarities between them, you would need a lot of practice in your professional experience.<br />
A crisis can come at any time, so it’s important to remain rational and realistic in approaching<br />
such a situation from a calm perspective. Small businesses are certainly an important part of the<br />
critical infrastructure, and that’s why any economy needs plenty of good ideas and proposals about how<br />
to protect its strategically significant assets.<br />
Emerging technologies will play a valuable role in our everyday life and work, so they could serve us in<br />
making rational decisions and training a new generation of the workforce that will be more competitive<br />
and sophisticated than any generation before them. The task is challenging, but the results could be so<br />
far reaching.<br />
About the Author<br />
Milica D. Djekic is an Independent Researcher from Subotica,<br />
Republic of Serbia. She received her engineering background from<br />
the Faculty of Mechanical Engineering, University of Belgrade. She<br />
writes for some domestic and overseas presses and she is also the<br />
author of the book “The Internet of Things: Concept, Applications<br />
and Security”, published in 2017 by Lambert Academic<br />
Publishing. Milica is also a speaker on the BrightTALK expert’s<br />
channel. She has been a member of ASIS International since 2017<br />
and a contributor to the Australian <strong>Cyber</strong> Security Magazine since<br />
2018. Milica's research efforts are recognized by the Computer Emergency Response Team for the<br />
European Union (CERT-EU) and the EASA European Centre for <strong>Cyber</strong>security in Aviation (ECCSA). Her<br />
fields of interest are cyber defense, technology and business. Milica is a person with disability.<br />
What the Latest Enterprise Endpoint Security Survey Shows Us: Big Concerns but Hope for The Future
By Jeff Harrell, Vice President of Marketing, Adaptiva
More bad news when it comes to IT security. The fourth annual Enterprise Endpoint Security Survey was recently released, showing that just 17% of companies believe they have enough staff to handle security correctly, and that vulnerabilities continue to take a remarkably long time to fix, particularly without solutions that meet their needs. These findings (and more) come as organizations face unprecedented threats.
So, what’s going on?
Vulnerabilities on the Rise
Cybercrime is predicted to cost $6 trillion annually by 2021, with new threats becoming the number one pain point for endpoint security buyers. Deloitte points out that one reason for this is that as workforces become more distributed and organizations are responsible for securing more devices, it becomes harder and harder to secure the endpoint, calling it companies’ “weakest security link.”
Shoring up the endpoint is critical, however, because that is where approximately 80% of cyberattacks occur, and these attacks are increasing at a blistering pace. Research shows that between 2016 and 2017 there was a 600% increase in attacks against IoT devices alone. Any Google search can turn up a multitude of other scary statistics that underscore just how great today’s cyberthreat is and how it is expected
to get worse. But the bottom line is that vulnerabilities at the endpoint are a tremendous concern, one that must be addressed if organizations hope to protect their networks, IP, and customer data.
Current Solutions Don’t Solve the Problem
According to the annual Enterprise Endpoint Security Survey, IT professionals cited vulnerability scanning as their top cybersecurity challenge. One of the reasons given was that current vulnerability management scanning solutions don’t solve their problems. In fact, they may increase frustration and stress by generating reports of hundreds of vulnerabilities that teams can’t address in a timely manner. Additionally, they consume bandwidth and hinder network performance.
It is not as though IT teams are throwing up their hands and pretending that vulnerabilities don’t exist, however. Ninety-one percent of respondents indicated that “maintaining current, compliant security configuration” is very or extremely important; they want to improve the speed and scale with which they can address vulnerabilities. They are just a bit hamstrung.
Staff Can’t Handle the Surge, and It’s About to Get Worse
But fixing the problem is not simple. In addition to the exponential increase in vulnerabilities and devices managed, and the fact that vulnerability management solutions can hinder more than help, teams simply don’t have the staff. Nearly two-thirds of respondents to the Enterprise Endpoint Security Survey indicated that they struggle to keep up as their teams are stretched to the max, often limiting their ability to handle security operations the way they want or wish they could.
Unfortunately, in light of internal staff shortages, their work is about to get harder. The survey reveals that only 29% of companies will complete migration to Windows 10 before Microsoft ceases support for Windows 7 on January 14, 2020. This means that potentially millions of endpoints will present openings for cyberattackers to take advantage of an outdated OS that is no longer monitored and supported by Microsoft (apart from the paid Extended Security Updates program) and that also lacks the latest security features available in Windows 10. While 87% of companies reported that they will have more than half of their systems running Windows 10, close may not be good enough. It takes cyberattackers only minutes to wreak havoc. Given that 52% of organizations surveyed need more than a week, and 22% more than a month, to remediate vulnerabilities after they are discovered, this could spell big trouble.
Automation Must Be Part of the Solution
With staff being swallowed up trying to handle all of the threats and issues their organizations face, and those threats increasing each day, something has got to give. Significant talent shortages make finding
enough skilled IT workers to conquer these issues unlikely. And even the best-funded, best-staffed organizations are fighting a losing battle against the clock. It would be nearly impossible for humans alone to write the code and execute remediations at the scale needed to keep all endpoints up to date 100% of the time.
Automation has to be part of the solution. There have been knocks against it, from the time required to learn new solutions to the limits of present capabilities, but solutions are improving rapidly. The next generation of vulnerability management solutions includes instant remediation capabilities. Even if a solution could automatically remediate only 50% of issues, that would be a vast improvement over the circumstances teams operate in today. It would not only accelerate the speed at which basic issues are fixed enterprise-wide, it would also free up considerable resources to address more complex issues in a timely manner.
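Two of the survey findings above, endpoints stranded on an out-of-support OS and the week-plus remediation lag, together with the “automate what is safe, leave the rest to people” split from this section, are easiest to reason about as a triage pass over a vulnerability inventory. The Python below is an added example, not Adaptiva’s product or anything from the survey: hostnames, dates, the change_controlled flag and the auto-remediation policy are assumptions made for illustration, and the Windows 10 end-of-support date is Microsoft’s published lifecycle date, included only to show the check is not specific to Windows 7.

```python
"""Endpoint vulnerability triage (added example, constructed data).

Classifies each finding by what it needs (an OS migration, an automated
patch, or a human), and computes the same two remediation-lag figures the
survey reports: the share of findings open more than a week, and more than
a month.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# End-of-support dates used by this example. Windows 7's is the date the
# survey cites; Windows 10's is Microsoft's published lifecycle date, added
# as an assumption so the check is visibly generic rather than Windows 7 only.
END_OF_SUPPORT: Dict[str, date] = {
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}
WEEK_DAYS, MONTH_DAYS = 7, 30   # thresholds behind the ">1 week" / ">1 month" figures


@dataclass(frozen=True)
class Finding:
    host: str
    os_name: str
    severity: str                  # "critical", "high", "medium" or "low"
    discovered: date
    fixed: Optional[date]          # None while the vulnerability is still open
    patch_available: bool          # a vendor fix exists for this finding
    change_controlled: bool = False  # assumed flag: host is patched only under a change ticket


def os_unsupported(f: Finding, today: date) -> bool:
    """True when the host's OS is past its end-of-support date."""
    eos = END_OF_SUPPORT.get(f.os_name)
    return eos is not None and today > eos


def days_open(f: Finding, today: date) -> int:
    """Days from discovery to fix, or to today if the finding is still open."""
    return ((f.fixed or today) - f.discovered).days


def lag_buckets(findings: List[Finding], today: date) -> Dict[str, float]:
    """Share of findings that took (or have so far taken) more than a week / a month."""
    ages = [days_open(f, today) for f in findings]
    return {
        "over_week": sum(a > WEEK_DAYS for a in ages) / len(ages),
        "over_month": sum(a > MONTH_DAYS for a in ages) / len(ages),
    }


def triage(f: Finding, today: date) -> str:
    """Decide who acts on a finding (policy is an assumption for this example).

    'closed'  - already remediated
    'migrate' - the OS itself is unsupported; no patch will fix it, the host must be upgraded
    'auto'    - a vendor patch exists and nothing blocks unattended deployment
    'manual'  - a human must schedule or engineer the fix
    """
    if f.fixed is not None:
        return "closed"
    if os_unsupported(f, today):
        return "migrate"
    if f.patch_available and not f.change_controlled:
        return "auto"
    return "manual"


def summarize(findings: List[Finding], today: date) -> Dict[str, int]:
    """Count findings per triage decision."""
    counts: Dict[str, int] = {}
    for f in findings:
        decision = triage(f, today)
        counts[decision] = counts.get(decision, 0) + 1
    return counts


# Constructed sample inventory; hostnames and dates are made up for the example.
TODAY = date(2020, 4, 1)
SAMPLE: List[Finding] = [
    Finding("ws-01", "Windows 7", "critical", date(2020, 2, 1), None, True),
    Finding("ws-02", "Windows 10", "high", date(2020, 3, 20), date(2020, 3, 23), True),
    Finding("srv-01", "Windows 10", "critical", date(2020, 3, 10), None, True, change_controlled=True),
    Finding("ws-03", "Windows 10", "medium", date(2020, 3, 28), None, True),
    Finding("ws-04", "Windows 10", "low", date(2020, 2, 20), date(2020, 3, 5), False),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.host:7} {f.os_name:11} {days_open(f, TODAY):3}d -> {triage(f, TODAY)}")
    print(summarize(SAMPLE, TODAY))
    print(lag_buckets(SAMPLE, TODAY))
```

On the constructed inventory the lag buckets come out at 60% over a week and 20% over a month, close to the survey’s 52% and 22%, and the Windows 7 host is routed to “migrate” rather than “auto” because no patch stream exists for it; the change-controlled server is the kind of host that keeps the auto-remediation share below 100% even when a patch is available.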
While enterprise IT security faces a difficult road ahead, all is not lost. The intense commitment of existing staff to fighting cyberthreats, coupled with exciting advancements in automation, could ensure that the results of next year’s survey look markedly different. Winning modern cyberwars will require man + machine.
About the Author
Jeff Harrell, vice president of marketing at Adaptiva, manages the company’s marketing strategies and initiatives across a growing range of products designed to assist global enterprises with pressing endpoint management and security needs. With more than 20 years’ experience, Jeff is known for his domain knowledge, creativity, and vision as well as the ability to execute. In his free time, Jeff can usually be found looking for birds through a pair of binoculars. For more information, please visit https://adaptiva.com/, and follow the company on LinkedIn, Facebook, and Twitter.
Meet Our Publisher: Gary S. Miliefsky, CISSP, fmDHS
“Amazing Keynote”
“Best Speaker on the Hacking Stage”
“Most Entertaining and Engaging”
Gary has been keynoting cyber security events throughout the year. He’s also been a moderator and a panelist, and has numerous upcoming events throughout the year.
If you are looking for a cybersecurity expert who can make the difference between a nice event and a stellar conference, look no further: email marketing@cyberdefensemagazine.com
You asked, and it’s finally here…we’ve launched CyberDefense.TV
At least a dozen exceptional interviews rolling out each month starting this summer…
Market leaders, innovators, CEO hot seat interviews and much more.
A new division of Cyber Defense Media Group and sister to Cyber Defense Magazine.
Free Monthly Cyber Defense eMagazine Via Email
Enjoy our monthly electronic editions of our Magazines for FREE.
This magazine is by and for ethical information security professionals with a twist on innovative consumer products and privacy issues on top of best practices for IT security and Regulatory Compliance. Our mission is to share cutting edge knowledge, real world stories and independent lab reviews on the best ideas, products and services in the information technology industry. Our monthly Cyber Defense e-Magazines will also keep you up to speed on what’s happening in the cyber-crime and cyber warfare arena, plus we’ll inform you as next generation and innovative technology vendors have news worthy of sharing with you. You get all of this for FREE, always, for our electronic editions. Click here to sign up today and within moments you’ll receive your first email from us with an archive of our newsletters along with this month’s newsletter.
By signing up, you’ll always be in the loop with CDM.
Copyright (C) 2020, Cyber Defense Magazine, a division of CYBER DEFENSE MEDIA GROUP (STEVEN G. SAMUELS LLC. d/b/a) 276 Fifth Avenue, Suite 704, New York, NY 10001, Toll Free (USA): 1-833-844-9468 d/b/a CyberDefenseAwards.com, CyberDefenseMagazine.com, CyberDefenseNewswire.com, CyberDefenseProfessionals.com, CyberDefenseRadio.com and CyberDefenseTV.com, is a Limited Liability Corporation (LLC) originally incorporated in the United States of America. Our Tax ID (EIN) is: 45-4188465, Cyber Defense Magazine® is a registered trademark of Cyber Defense Media Group. EIN: 454-18-8465, DUNS# 078358935. All rights reserved worldwide. marketing@cyberdefensemagazine.com
All rights reserved worldwide. Copyright © 2020, Cyber Defense Magazine. All rights reserved. No part of this newsletter may be used or reproduced by any means, graphic, electronic, or mechanical, including photocopying, recording, taping or by any information storage retrieval system without the written permission of the publisher except in the case of brief quotations embodied in critical articles and reviews. Because of the dynamic nature of the Internet, any Web addresses or links contained in this newsletter may have changed since publication and may no longer be valid. The views expressed in this work are solely those of the author and do not necessarily reflect the views of the publisher, and the publisher hereby disclaims any responsibility for them. Send us great content and we’ll post it in the magazine for free, subject to editorial approval and layout. Email us at marketing@cyberdefensemagazine.com
Cyber Defense Magazine
276 Fifth Avenue, Suite 704, New York, NY 10001
EIN: 454-18-8465, DUNS# 078358935.
All rights reserved worldwide.
marketing@cyberdefensemagazine.com
www.cyberdefensemagazine.com
NEW YORK (US HQ), LONDON (UK/EU), HONG KONG (ASIA)
Cyber Defense Magazine - Cyber Defense eMagazine rev. date: 04/02/2020
TRILLIONS ARE AT STAKE
No 1 INTERNATIONAL BESTSELLER IN FOUR CATEGORIES
Released: https://www.amazon.com/Cryptoconomy-Bitcoins-Blockchains-Bad-Guys-ebook/dp/B07KPNS9NH
In Development – Hacking the Human Firewall (Q2, 2020) and The Art of Cyber War (Q1, 202):
8 Years in The Making…
Thank You to our Loyal Subscribers!
We’ve Completely Rebuilt CyberDefenseMagazine.com - Please Let Us Know What You Think. It’s mobile and tablet friendly and superfast. We hope you like it. In addition, we’re shooting for 7x24x365 uptime as we continue to scale with improved Web App Firewalls, Content Delivery Networks (CDNs) around the Globe, Faster and More Secure DNS, and CyberDefenseMagazineBackup.com up and running as an array of live mirror sites.
Millions of monthly readers and new platforms coming…