Cyber Defense eMagazine April 2020 Edition

Cybercriminals Exploit Coronavirus with 

Wave of New Scams 

WatchGuard’s RSA Conference 2020 

Recap 

Cyber Leads Global Business Risks for First 

Time: Allianz Risk Barometer 2020 

Facebook’s $550 Million Settlement: A 

Warning to Companies Collecting 

Biometric Data 

How to Avoid Being Breached In 2020 

…and much more… 

Cyber Defense eMagazine – April 2020 Edition Page 1 

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.

CONTENTS 

Welcome to CDM’s April 2020 --------------------------------------------------------------------------- 6 

Cybercriminals Exploit Coronavirus with Wave of New Scams ------------------------------- 22 

By David Ruiz, Malwarebytes Labs 

WatchGuard’s RSA Conference 2020 Recap -------------------------------------------------------- 29 

By Marc Laliberte – Sr. Security Analyst, WatchGuard Technologies 

Cyber Leads Global Business Risks for First Time: Allianz Risk Barometer 2020 --------- 32 

By Kelly Castriotta, North American Head of Product Development for Financial Lines at Allianz 

Global Corporate & Specialty 

Facebook’s $550 Million Settlement: A Warning to Companies Collecting Biometric 

Data ----------------------------------------------------------------------------------------------------------- 36 

By Billee Elliott McAuliffe, Member, Lewis Rice 

How to Avoid Being Breached In 2020 --------------------------------------------------------------- 39 

By Randy Reiter CEO of Don’t Be Breached 

What You Need to Know About DDoS Weapons Today ---------------------------------------- 42 

By Ahmad Nassiri, Security Solutions Architect at A10 Networks 

Better Network Visibility: Removing the Security Blindfold ----------------------------------- 45 

By Cary Wright, VP Product Management, Endace 

Enabling Agility to Accelerate Incident Response ------------------------------------------------ 47 

By John Attala, Vice President of Worldwide Sales, Endace 

Economic Efficiency in Cyber Defense ---------------------------------------------------------------- 50 

By Mark Evans, VP Marketing, Endace 



Does SASE Tick the Box for The Future of Network Security? --------------------------------- 53 

By Yair Green, CTO at GlobalDots 

Achieving Effective User Lifecycle Management Through Automation -------------------- 55 

By Jeff Stein, Information Security Architect, Reputation.com 

Credential Stuffing: Why It’s on The Rise and How to Decrease Your Risk ---------------- 58 

By Kevin Landt, VP of Product Management at Cygilant 

The Cost of Cybercrime Is Constantly Rising: How to Combat Ransomware Attacks on 

SMBs ---------------------------------------------------------------------------------------------------------- 61 

By Rui Lopes, Sales Engineering and Technical Support Director, Panda Security 

How To Manage Your Small Business In Time Of Crisis ----------------------------------------- 65 

By Milica D. Djekic 

What the Latest Enterprise Endpoint Security Survey Shows Us: Big Concerns but Hope 

for The Future ----------------------------------------------------------------------------------------------- 68 

By Jeff Harrell, Vice President of Marketing, Adaptiva 



@MILIEFSKY 

From the 

Publisher… 

New CyberDefenseMagazine.com website, plus updates at CyberDefenseTV.com & CyberDefenseRadio.com 

Dear Friends, 

Looking back at RSA Conference 2020, the view in our rearview mirror suggests that 

convention may have been among the last of the “live” conferences for a while. On 

behalf of Cyber Defense Media Group, we are fortunate to be able to build on our 

very positive experience there and use that foundation to provide support to others 

during this challenging time resulting from the corona virus COVID-19 pandemic. 

With this disruptive set of circumstances, we must consider ourselves to be on a battlefield of 

asymmetrical warfare. Cyber criminals have access to nearly all of our communications and educational 

materials, giving them valuable intelligence on how to defeat our best security practices. On the other 

side, we are in the less advantageous position of waiting for their next move to become visible. 

While this imbalance may appear to tip the scale against us, it also emphasizes the importance of keeping 

each other informed and up to speed on all known attack vectors. Only this way can we hope and expect 

to prevail and maintain steadiness and security in the many critical activities in our society and economy. 

From our own point of view, this leads us to double and redouble our efforts as both a media participant 

and a committed organization to provide the tools to assure a favourable outcome. 

With that background, we commit to continuing our monthly magazines as well as daily (or more 

frequent) updates on the Cyber Defense Magazine home page. As always, your participation and sharing 

from your own experiences are welcome. 

Warmest regards, 

Gary S. Miliefsky 

Gary S.Miliefsky, CISSP®, fmDHS 

CEO, Cyber Defense Media Group 

Publisher, Cyber Defense Magazine 

P.S. When you share a story or an article or information about CDM, please use #CDM and 

@CyberDefenseMag and @Miliefsky – it helps spread the word about our free resources even more 



quickly 

InfoSec Knowledge is Power. We will 

always strive to provide the latest, most 

up to date FREE InfoSec information. 

From the International 

Editor-in-Chief… 

The current dynamics of the COVID-19 pandemic would seem to 

demand more international coordination, as opposed to a crazy 

quilt of national, regional, and local actions. 

Statistics are showing very different national and regional 

patterns of infection and mortality, even within geographic 

regions. Whether it’s the European Community, or the Asian 

region, or the Americas, there is a vast difference in the extent of 

diagnosed cases, and also of recorded deaths. 

In our world of cybersecurity, it’s possible to be both more and 

less challenging to seek and effect global solutions. In some ways, 

the interconnectedness of the cyber world carries with it a 

homogeneity of applications and programs. In contrast, the 

cultural diversity and role of national governments tend to 

emphasize our differences. As these developments play out, we 

will have an opportunity to take the lead in creating cybersecurity 

defenses to protect all aspects of IT in our lives, including (but not 

limited to) medical, financial, social, and government functions. 

In the days ahead, let us agree to put our differences aside in favor 

of responding to our common enemies: the COVID-19 itself and 

those who would take advantage of this crisis to perpetrate 

criminal schemes. 

@CYBERDEFENSEMAG 

CYBER DEFENSE eMAGAZINE 

Published monthly by the team at Cyber Defense Media Group and 

distributed electronically via opt-in Email, HTML, PDF and Online 

Flipbook formats. 

PRESIDENT & CO-FOUNDER 

Stevin Miliefsky 

stevinv@cyberdefensemagazine.com 

INTERNATIONAL EDITOR-IN-CHIEF & CO-FOUNDER 

Pierluigi Paganini, CEH 

Pierluigi.paganini@cyberdefensemagazine.com 

US EDITOR-IN-CHIEF 

Yan Ross, JD 

Yan.Ross@cyberdefensemediagroup.com 

ADVERTISING 

Marketing Team 

marketing@cyberdefensemagazine.com 

CONTACT US: 

Cyber Defense Magazine 

Toll Free: 1-833-844-9468 

International: +1-603-280-4451 

SKYPE: cyber.defense 

http://www.cyberdefensemagazine.com 

Copyright © 2019, Cyber Defense Magazine, a division of 

CYBER DEFENSE MEDIA GROUP (a Steven G. Samuels LLC d/b/a) 

276 Fifth Avenue, Suite 704, New York, NY 10001 

EIN: 454-18-8465, DUNS# 078358935. 

All rights reserved worldwide. 

PUBLISHER 

Gary S. Miliefsky, CISSP® 

Learn more about our founder & publisher at: 

http://www.cyberdefensemagazine.com/about-our-founder/ 

8 YEARS OF EXCELLENCE! 

Providing free information, best practices, tips and 

techniques on cybersecurity since 2012, Cyber Defense 

magazine is your go-to-source for Information Security. 

We’re a proud division of Cyber Defense Media Group: 

To our faithful readers, we thank you, 

Pierluigi Paganini 

International Editor-in-Chief 


Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide. 

CYBERDEFENSEMEDIAGROUP.COM 

MAGAZINE TV RADIO AWARDS

Welcome to CDM’s April 2020 

As the April issue of Cyber Defense Magazine reaches publication, we find ourselves in a state similar to limbo, 

awaiting the next announcement of a cancelled event, a cyber vulnerability exploited by crooks, or a government 

initiative imposed under crisis conditions. 

Crisis, like necessity, can serve as the mother of both invention and opportunity. In the case of cybersecurity, it’s 

clear that there are new vulnerabilities arising from the new patterns of working remotely from locations with less 

robust cyber security than the main workplace of the organization. 

Anecdotally, only a relatively small percentage of affected organizations had adequately prepared for this 

eventuality. Most of the reports reflect “quick-and-dirty” arrangements for office and HQ workers to work remotely. 

From a cybersecurity POV, effective preparation would usually be the responsibility of an internal or outsourced 

CISO. In concept as well as practice, this would or should include pre-emergency activities and red-teaming 

exercises. 

Outside the 17 areas of critical infrastructure (see www.dhs.gov for more detailed information) there do not appear 

to be standardized procedures to be followed in such events as a pandemic. Even listed sectors of critical 

infrastructure have shown lapses; a notable example would be commercial air transport. 

Consider how different the health and financial impacts on our nation might have been if there had been pandemic 

emergency plans in place on a broad scale to deal with the cybersecurity challenges we face today. 

Although not well documented (at least so far), again anecdotally, there have been success stories. Accordingly, 

we invite CISOs and others who have been successful to share their experiences. We hope to share this important 

body of knowledge in both feature articles on the CDM home page and the May issue. 

We trust this information will be of great value to our over 5 million individual reader inquiries each month, as CDM 

maintains its position as the leading publication for cybersecurity professionals. 

Wishing you all success in your cyber security endeavors, 

Yan Ross 

US Editor-in-Chief 


About the US Editor-in-Chief 

Yan Ross, J.D., is a Cybersecurity Journalist & US Editor-in-Chief for Cyber 

Defense Magazine. He is an accredited author and educator and has provided 

editorial services for award-winning best-selling books on a variety of topics. He 

also serves as ICFE's Director of Special Projects, and the author of the 

Certified Identity Theft Risk Management Specialist ® XV CITRMS® course. As 

an accredited educator for over 20 years, Yan addresses risk management in the areas of identity theft, privacy, 

and cyber security for consumers and organizations holding sensitive personal information. You can reach him via 

his e-mail address at yan.ross@cyberdefensemediagroup.com 



















Your website could be vulnerable to outside attacks. Wouldn’t you like to know where those 

vulnerabilities lie? Sign up today for your free trial of WhiteHat Sentinel Dynamic and gain a deep 

understanding of your web application vulnerabilities, how to prioritize them, and what to do about 

them. With this trial you will get: 

An evaluation of the security of one of your organization’s websites 

Application security guidance from security engineers in WhiteHat’s Threat Research Center 

Full access to Sentinel’s web-based interface, offering the ability to review and generate reports as well 

as share findings with internal developers and security management 

A customized review and complimentary final executive and technical report 

Click here to sign up at this URL: https://www.whitehatsec.com/info/security-check/ 

PLEASE NOTE: Trial participation is subject to qualification. 















Cybercriminals Exploit Coronavirus with Wave of New 

Scams 

By David Ruiz, Malwarebytes Labs 

With no vaccine yet developed, and with much of the world undergoing intense social distancing 

measures and near-total lockdown procedures, threat actors are flooding cyberspace with emailed 

promises of health tips, protective diets, and, most dangerously, cures. Attached to threat actors’ emails 

are a variety of fraudulent e-books, informational packets, and missed invoices that hide a series of 

keyloggers, ransomware, and data stealers. 

Click here to open a new tab with extensive graphic information on the 4th Quarter of 2019 DDoS 

Weapons 

The problem expands beyond pure phishing scams. 

On March 14, Twitter user @dustyfresh published a web tracker that found 3,600 coronavirus- and 

COVID-19-related hostnames that sprang up in just 24 hours. 

On March 17, security researcher and python developer @sshell_ built a tool, hosted by the team at 

ThugCrowd, that provides real-time scans for potentially malicious, coronavirus-related domains. Just 

click the link and watch possible scam sites get registered every minute. 

Further, RiskIQ reportedly tracked more than 13,000 suspicious, coronavirus-related domains last 

weekend, and more than 35,000 domains the next day, too. 



Here are some of the many email scams that our Malwarebytes threat intelligence team spotted in the 

wild, with full details on what they say, what they’re lying about, and what types of malware they’re trying 

to install on your machines. 

Impersonating the World Health Organization 

Earlier this week, we found an email phishing campaign sent by threat actors impersonating the World 

Health Organization (WHO), one of the premier scientific resources on COVID-19. That campaign, which 

pushed a fake e-book to victims, delivered malicious code for a downloader called GuLoader. That 

download is just the first step in a more complex scheme. 

GuLoader is used to load the real payload, an information-stealing Trojan called FormBook, stored in 

encoded format on Google Drive. Formbook is one of the most popular info-stealers, thanks to its 

simplicity and its wide range of capabilities, including swiping content from the Windows clipboard, 

keylogging, and stealing browser data. Stolen data is sent back to a command and control server 

maintained by the threat actors. 

Unfortunately, this GuLoader scam is just one of many in which threat actors posed as WHO 

professionals as a way to trick victims into downloading malicious attachments. 

Agent Tesla Keylogger Campaign 

On March 18, we uncovered an email campaign that pushed victims into unwittingly downloading an 

invasive keylogger called Agent Tesla. The keylogger, which experienced a reported 100 percent 

increase in activity across three months in 2018, can steal a variety of sensitive data. 

As cybersecurity researchers at LastLine wrote: “Acting as a fully-functional information stealer, [Agent 

Tesla] is capable of extracting credentials from different browsers, mail, and FTP clients. It logs keys and 

clipboards data, captures screen and video, and performs form-grabbing (Instagram, Twitter, Gmail, 

Facebook, etc.) attacks.” 

The Agent Tesla campaign that we tracked on Wednesday involved an email with the subject line: 

Covid19″ Latest Tips to stay Immune to Virus !! 

The email came to individuals’ inboxes allegedly from the WHO, with a sender email address of 

“sarah@who.com.” Notice that the sender’s email address ends with “.com” when legitimate WHO email 

addresses instead end with “.int.” 

The email alleges to include a PDF file about “various diets and tips to keep us safe from being effected 

with the virus.” It is signed by a “Dr. Sarah Hopkins,” a supposed media relations consultant for the WHO. 



A quick online search reveals that the WHO has a public website for contacting its media relations 

representatives, and that none of those representatives is named Sarah Hopkins. Also, note how “Dr. 

Hopkins” has a phone number that doesn’t work, at +1 470 59828. Calling the number from a US-based 

phone resulted in an error message from the mobile service provider. 

The above scam is just one example of an email campaign that both impersonates the 

WHO and attempts to deliver Agent Tesla. 

Agent Tesla Campaign 2 

On the same day we found the above-mentioned Agent Tesla scam, we found another that mirrored its 

tactics and payload. 

The second Agent Tesla scam arrives in individuals’ inbox with the email subject line “World Health 

Organization/Let’s fight Corona Virus together” 

Savvy readers should spot a flaw. The unnecessary space placed between the words “Corona” and 

“Virus” mirrors a similar grammatical error, an unnecessary hyphen, in the GuLoader scam we’ve seen 

previously. 

The entire body of the email reads verbatim: 

We realise that the spread of the COVID-19 coronavirus may leave you feeling concerned, so we 

want to take a moment to reassure you that your safety and well-being remains our absolutely 

top priority. 

Please be assured that our teams are working hard and we are monitoring the situation and 

developments closely with the health and governmental authorities of all countries we operate in. 

See attached WHO vital information to stay healthy. 

we personally thank you for your understanding and assure you that we will do our utmost to limit 

disruptions this event brings to your travel plans while keeping your well-being our top priority. 

This campaign attempts to trick victims into downloading a fake informational packet on coronavirus, with 

the file title “COVID-19 WHO RECOMMENDED V.gz.” Instead of receiving trustworthy information, 

victims are infected with Agent Tesla. 

While this campaign does not include as many smoke-and-mirror tactics, such as a fake media 

representative and a fake phone number, it can still do serious damage simply by stoking the fears 

surrounding COVID-19. 



NetWire Remote Access Trojan 

Finally, we found a possible WHO impersonator pushing the NetWire Remote Access Trojan (RAT). 

RATS can allow hackers to gain unauthorized access to a machine from a remote location. 

These types of Trojans can have devastating effects. If Remote Access Trojan programs are found on a 

system, it should be assumed that any personal information (which has been accessed on the infected 

machine) has been compromised. Users should immediately update all usernames and passwords from 

a clean computer and notify the appropriate system administrator of the potential compromise. They 

should also monitor credit reports and bank statements carefully over the following months to spot any 

suspicious activity on financial accounts. 

The NetWire campaign included a slapdash combo of a strange email address, an official-looking WHO 

logo inside the email’s body, and plenty of typos. 

Sent from “Dr. Stella Chungong” using the email address “brennan@caesars.com,” the email subject line 

is “SAFETY COVID-19 (Coronavirus Virus) AWARENESS – Safety Measures.” The body of the text 

reads: 

To whom it may concern, 

Go through the attac=ed document on safety measures regarding the spreading of Corona-virus. 

Common symptoms include fever, cough, shortness in breath, and breathi=g difficulties. 

Regards. 

Dr. Stella Chungong 

Specialist whuan=virus-advisory 

The litany of misplaced “=” characters should immediately raise red flags for potential victims. These 

common mistakes show up in a wide variety of malicious email campaigns, as threat actors seem to 

operate under the mindset of “Send first, spellcheck later.” 

Other Malspam Campaigns 

Most of the coronavirus scams we spotted online are examples of malspam—malicious spam email 

campaigns that cross the line from phony, snake-oil salesmanship into downright nefarious malware 

delivery. Here are a number of malspam campaigns that our threat intelligence team found since March 

15. 

First up is this strange email titled “RE: Due to outbreak ofCoronavirus,” which arrives to users’ inboxes 

from the vague sender “Marketing,” with an email address of “info@bcsl.co.ke.” A Google search reveals 

that bcsl.co.ke appears to point to Boresha Credit Service Limited, a debt collector based in Kenya. 



The short email reads: 

Hello, 

We have been instructed by your customer to make this transfer to you. 

we are unable to process your payment as the SWIFT CODE in your bank account information is 

wrong, 

please see that enclosed invoice and correct SWIFT CODE so we can remit payment ASAP 

before bank close.” 

Again, scrutinizing the details of the email reveals holes in its authenticity. 

The email is signed by “Rafhana Khan,” a supposed “Admin Executive” from the United Arab Emirates. 

The email sender includes this extra bit of info that leads us nowhere: TRN No. 100269864300003. 

What is a TRN, and why would it be included? At best, we can assume this is the individual’s “tax 

registration number,” but think about the last time anyone signed an email with the US equivalent—their 

tax identification number. You’ve probably never seen that before, right? That’s because tax IDs are 

meant to be private, and not shared in email signatures. We can assume that the threat actors included 

this bogus bit of info to add some imaginary credibility. Really, it’s just nonsense. 

The email’s attached invoice, once again, pushes GuLoader to the potential victim. 

HawkEye credential stealer 

Another spotted malspam example pushes neither GuLoader or Agent Telsa. Instead, it tries to trick 

users into downloading a malware called HawkEye, a credential stealer that has plagued users since at 

least 2013. 

According to the cybersecurity news outlet Security Affairs, HawkEye “is offered for sale on various 

hacking forums as a keylogger and stealer, [and] it allows to monitor systems and exfiltrate information.” 

The HawkEye scam comes packaged in an email with the subject line “CORONA VIRUS CURE FOR 

CHINA,ITALY” from the alleged sender “DR JINS (CORONA VIRUS).” Again, potential victims receive a 

short message. The entire email body reads: 

Dear Sir/Ma, 

Kindly read the attached file for your quick remedy on CORONA VIRUS. 

The email sender lists their place of work as the non-existent, misspelled RESEARCH HOSPITAL 

ISREAL at the address NO 29 JERUSALEM STREET, P.O.C 80067, ISREAL. 



UK email scam pushing GuLoader 

On March 15, we also found an email scam targeting victims in the UK and pushing, yet again, GuLoader. 

This time, threat actors promised updated statistics on the number of confirmed coronavirus cases in the 

United Kingdom. 

The malicious email comes from the sender “PHE” with the email address paris@mfa.go.ke, which, like 

one of the examples above, appears to come from Kenya. 

Because threat actors have one, overplayed tactic in these types of campaigns—putting in low effort— 

the content of the email is simple and short. The email reads: 

Latest figures from public health authorities on the spread of Covid-19 in the United Kingdom. 

Find out how many cases have been reported near you. 

There is no email signature, and not even a greeting. Talk about a lack of email etiquette. 

Campaign Targeting Spain 

Finally, we found another campaign on March 18 that targets Spanish-speaking victims in Spain. The 

email, titled “Vacuna COVID-19: prepare la vacuna en casa para usted y su familia para evitar COVID- 

19,” pushes GuLoader. 

The email is signed by “Adriana Erico,” who offers no phone number, but does offer a fax number at 93 

784 50 17. 

Protect Yourself 

Threat actors are always looking for the next crisis to leverage for their own attacks. For them, 

coronavirus presents a near-perfect storm. Legitimate confusion about accurate confirmed cases, testing 

availability, and best practices during social distancing makes for a fearful public, hungry for answers 

anywhere. 

The best places for information are the WHO and the US Centers for Disease Control and Prevention 

(CDC). You can find updated statistics about confirmed COVID-19 cases from the WHO’s daily, situation 

reports here. You can also find information on coronavirus myths at the WHO’s Myth Busters webpage, 

along with its Q&A page. 

This is difficult, this is new, and for many of us, it presents a life-altering shift. It’s important to consider 

that, right now, banding together as a global community is our best shot at beating this. That advice 

extends to the online world, too. 



While coronavirus might have brought out the worst in cybercriminals, it’s also bringing out the best 

across the Internet. This week, a supposed “Covid19 Tracker App” infected countless users’ phones with 

ransomware, demanding victims pay $100 to unlock their devices or risk a complete deletion of their 

contacts, videos, and pictures. After news about the ransomware was posted on Reddit, a user 

decompiled the malicious app and posted the universal passcode to defeat the ransomware. The 

passcode was then shared on Twitter for everyone to use. 

About the Author 

David Ruiz is a writer and reporter for Malwarebytes Labs, an online blog 

about cybersecurity, online privacy, hackers, data breaches, and digital 

rights. David primarily covers online and data privacy issues, along 

with US and global regulation. David can be found on Twitter 

@davidalruiz and at https://blog.malwarebytes.com/author/davidruiz/ 



WatchGuard’s RSA Conference 2020 Recap 

By Marc Laliberte – Sr. Security Analyst, WatchGuard Technologies 

Every year, tens of thousands of IT and information security professionals gather at Moscone Center in 

downtown San Francisco to take in the latest security trends and technology from hundreds of exhibitors 

and speakers at RSA Conference. In just a few short days, it’s almost impossible to see and learn 

everything a conference of this magnitude has to offer, but I did my very best. 

Here’s a brief recap of several key happenings, trends and takeaways from my time at RSA Conference 

2020: 

COVID-19 Concerns Were Front and Center 

Taking place amid the growing global unease over the spread of COVID-19, the show went on as planned 

despite the fact that big industry names like IBM, AT&T and Verizon pulled out of the conference and 

banned their employees from attending entirely. With the specter of a global pandemic hanging overhead, 

many attendees practiced heightened, borderline obsessive personal hygiene and settled for distanced 

hand waves in lieu of handshakes as we walked the expo floor and attended various sessions discussing 

the latest security trends, threats, technologies and best practices. It’s still early, but very clear at this 

point that we’re only just beginning to get a sense of how this outbreak will impact the security industry 

itself and world at large. 



A Focus on The Human Element in Security 

This year’s theme was “The Human Element,” a fitting premise given that individuals play just as 

important a role in securing the digital world (or failing to) as any emerging technology, vendor product 

or service, or new research finding. The RSA Conference opening keynote addresses played to the 

theme by calling for changes to better harness the strengths and potential of the human behind the 

computer. 

RSA President Rohit Ghai advocated that a shift toward publicly celebrating cybersecurity wins, instead 

of only focusing on cybersecurity losses or failures will help inspire security professionals and move the 

industry forward. Wendy Nather, head of advisory CISOs at Cisco’s DUO Security, followed up with calls 

to democratize security with the goal of enabling buy-in and personal ownership of security from end 

users. Almost everywhere you went at RSA Conference this year, the human element of security was a 

topic of discussion. 

The Cryptographers’ Panel 

Rounding out the opening keynotes was a staple of RSA Conference – the Cryptographers’ Panel, where 

several prominent cryptography and security experts took the stage to answer questions about a wide 

range of industry topics. They covered problems with facial recognition, increasingly popular “right to be 

forgotten” laws and much more. The panelists didn’t always come to the same conclusions, but all agreed 

that there are realistic concerns with advanced technology like AI and Machine Learning that will need to 

be resolved before these tools become more widely adopted. 

IoT Security Insights 

Beyond the human element, Internet of Things (IoT) security was major trends across speaking sessions 

throughout the week. From securing healthcare IoT products to creating baseline IoT security standards, 

adoption and security concerns continue to grow worldwide in this slice of the industry. In one talk late in 

the week, Gary Hayslip of SoftBank Investment Advisers used his previous experience as CISO of the 

city of San Diego to discuss the concerns of deploying IoT and other technologies in smart cities, covering 

topics like increased complexity, patch deployment issues and limited security budgets leading to the rise 

in breaches impacting municipalities in recent years. 

Privacy Considerations 

Privacy was another major focus at RSAC Conference 2020. I saw Daniel Ayoub and Dean Winert of 

Lexis Nexis Risk Solutions present fascinating research on web browser fingerprinting and its privacy 

and security implications. They started and ended their session by weighing the benefits of browser 

fingerprinting in fraud prevention against the drawbacks (which I personally found enlightening as digital 

privacy has always been a passion of mine). Daniel and Dean made several good points about the 



enefits of identifying anomalies in metadata from user authentications to identify potential account 

compromises that could give credit to keeping the privacy-invading information available to websites. 

When all was said and done, this year’s RSA Conference squeaked through right before San Francisco 

enacted a ban on events at city-owned facilities like the Moscone Center. Even though the event was 

overshadowed at times by concerns about the spread of COVID-19, the content and takeaways from it 

were compelling and quite important for industry participants to consider in today’s threat landscape. IoT 

adoption continues to skyrocket, bringing with it increasing security risks for organizations. The tradeoffs 

between privacy and security are still very much open to discussion and debate. And of course, the 

humans responsible for addressing these challenges and improving our collective security aren’t going 

anywhere. 


Marc Laliberte is a Senior Security Analyst at WatchGuard Technologies. 

Specializing in networking security protocols and Internet of Things 

technologies, Marc’s day-to-day responsibilities include researching and 

reporting on the latest information security threats and trends. He has 

discovered, analyzed, responsibly disclosed and reported on numerous 

security vulnerabilities in a variety of Internet of Things devices since 

joining the WatchGuard team in 2012.With speaking appearances at 

industry events including RSA and regular contributions to online IT, 

technology and security publications, Marc is a thought leader who 

provides insightful security guidance to all levels of IT personnel. 

Marc can be reached only at @XORRO or via http://www.watchguard.com. 



Cyber Leads Global Business Risks for First Time: Allianz 

Risk Barometer 2020 

By Kelly Castriotta, North American Head of Product Development for Financial Lines at Allianz Global 

Corporate & Specialty 

For the first time ever, Cyber incidents (39% of responses) ranks as the most important business risk 

globally in the ninth Allianz Risk Barometer 2020, relegating perennial top peril Business Interruption (BI) 

(37% of responses) to second place. Awareness of cyber threats has grown rapidly in recent years, driven 

by companies increasing reliance on data and IT systems and a number of high-profile incidents. Seven 

years ago, cyber ranked 15th with just 6% of responses. 

The annual survey on global business risks from Allianz Global Corporate & Specialty (AGCS) 

incorporates the views of a record 2,718 experts in over 100 countries, including ceos, risk managers, 

brokers and insurance experts. 

Here are some of the reasons why cyber has overtaken the top spot and is likely to remain a leading 

business risk for the foreseeable future. 

Data breaches larger and more expensive 

As companies collect and use ever greater volumes of personal data, data breaches are becoming larger 

and costlier. In particular, so- called mega data breaches (involving more than one million records) are 

more frequent and expensive. In July 2019, Capital One revealed it had been hit by one of the largest 



ever breaches in the banking sector with approximately 100 million customers impacted. Yet this breach 

is by no means the largest in recent years. 

Data breaches at hotel group Marriott in 2018 and credit score agency Equifax in 2017 were reported to 

have involved the personal data of over 300 million and 140 million customers respectively. Both 

companies faced numerous law suits and regulatory actions in multiple jurisdictions – the UK’s data 

protection regulator intends to fine Marriott $130mn for the breach, among the earliest and largest fines 

under the EU’s new privacy laws to date. 

The General Data Protection Regulation (GDPR) rules that came into force across Europe in 2018 will 

likely bring further fines in 2020. The European Data Protection Board (EDPB) released a preliminary 

report stating that of the 206,326 cases reported under the GDPR across 31 countries in the first nine 

months of its implementation, the national data protection agencies had only resolved around 50% of 

them. 

A mega breach now costs an average of $42mn, according to the Ponemon Institute, an increase of 

nearly 8% over 2018. For breaches in excess of 50 million records, the cost is estimated to be $388mn 

(11% higher than in 2018). 

Ransomware brings increasing losses 

According to the EU’s law enforcement agency, Europol, ransomware is the most prominent cyber crime 

threat. 

Already high in frequency, incidents are becoming more damaging, increasingly targeting large 

companies with sophisticated attacks and hefty extortion demands. Five years ago, a typical ransomware 

demand would have been in the tens of thousands of dollars. Now they can be in the millions. The 

consequences of an attack can be crippling, especially for organizations that rely on data to provide 

products and services. 

Extortion demands are just one part of the picture. Business interruption brings the most severe losses 

from ransomware attacks, and in some cases ransomware is a smoke screen for the real target, such as 

the theft of personal data. Industrial and manufacturing firms are increasingly targeted but losses tend to 

be highest for law firms, consultants and architects, for which IT systems and data are their life blood. 

Bec attacks result in billion-dollar fraud 

Business email compromise (BEC) – or spoofing – attacks are increasing in frequency. BEC incidents have 

resulted in worldwide losses of at least $26bn since 2016 according to the FBI in the US. 

Such attacks typically involve social engineering and phishing emails to dupe employees or senior 

management into revealing login credentials or to make fraudulent transactions. 



Litigation prospects rising 

Many large data breaches today spark regulatory actions, but they can also trigger litigation from affected 

consumers, business partners and investors. When they do, legal expenses can add substantially to the 

cost. 

Data breach litigation in the US is a developing situation. A number of large breaches have triggered 

class actions by consumers or investors. Outside the US, a number of countries have expanded group 

action litigation rights. For example, in Europe, the GDPR makes it easier for victims of a data or privacy 

breach to seek legal redress. 

In addition, claimant law firms and litigation funders are actively looking to bring class actions for data 

breaches in Europe and elsewhere – a class action against British Airways following its 2018 data breach 

was recently given the go- ahead in the UK courts. Consumer groups are also looking to test the GDPR 

and challenge some organizations’ interpretation of the new law. 

M&A can bring cyber issues 

Cyber exposures have emerged as a hot topic in mergers and acquisitions (M&A) following some large data 

breaches. For example, the 2018 Marriott breach was traced to an intrusion in 2014 at Starwood, a hotel 

group it acquired in 2016. 

Even the best protected companies will be exposed if they acquire a company with weak cyber security 

or existing vulnerabilities. The acquiring firm could be liable for any damage from incidents which predate 

the merger. 

Ultimately, considering potential cyber vulnerabilities and exposures needs to become a higher priority 

for businesses during M&A, as many companies are not doing enough due diligence in this area. At the 

same time, once a deal has been completed many companies do not address any weaknesses in 

acquired systems quickly enough. 

Political factors play out in cyber space 

The involvement of nation states in cyber-attacks is an increasing risk for companies, which are being 

targeted for intellectual property or by groups intent on causing disruption or physical damage. For 

example, growing tensions in the Middle East have seen international shipping targeted by spoofing 

attacks in the Persian Gulf while oil and gas installations have been hit by cyber-attacks and ransomware 

campaigns. 

Sophisticated attack techniques and malware may also be filtering down to cyber criminals while nation 

state involvement is providing increased funding to hackers. Even where companies are not directly 

targeted, state- backed cyber-attacks can cause collateral damage. In 2017 the notpetya malware attack 

primarily targeted the Ukraine but quickly spread around the world. 



Risk mitigation 

Preparation and training are the most effective forms of mitigation and can significantly reduce the 

likelihood or consequences of a cyber event. Many incidents are the result of human error, which can be 

mitigated by training, especially in areas like phishing and business email compromise, which are among 

the most common forms of cyber-attack. 

Training could also help mitigate ransomware attacks, although maintaining secure backups can also 

limit the damage from such incidents. Business resilience and business continuity planning are also key 

to reducing the impact of a cyber incident, although response plans need to be tested, practiced and 

regularly reviewed. 

More information on the Allianz Risk Barometer 2020 is available here: 

• Top 10 global business risks 

• Full report 

• Individual country and industry sector results 


Kelly B. Castriotta is the Regional Head of Product Development in 

North America for Financial Lines at Allianz Global Corporate Specialty. 

Ms. Castriotta develops new products for all Financial Lines in North 

America, including cyber, directors and officers liability and all 

professional liability offerings. Most recently, Ms. Castriotta led the 

company’s initiative to address non-affirmative cyber across nearly 100 

discrete product lines. 

She can be reached online at https://www.agcs.allianz.com/ 



Facebook’s $550 Million Settlement: A Warning to 

Companies Collecting Biometric Data 

Facebook’s significant settlement could incite future class action lawsuits, further emphasizing the need 

for companies to comply with biometric privacy laws. 

By Billee Elliott McAuliffe, Member, Lewis Rice 

Thanks to a class action suit filed against Facebook under the Illinois Biometric Information Privacy Act 

(BIPA), Facebook users in Illinois may receive part of a $550 million settlement. The settlement 

compensates users for Facebook’s utilization of facial recognition technology known as “tagging” without 

the user’s consent. If approved by the California district court, this settlement could spur others to bring 

similar lawsuits, putting businesses throughout the country at risk. 

So, what are biometrics and biometric privacy? Biometrics is the measurement and analysis of unique 

physical or behavioral characteristics, such as fingerprints or voice patterns, especially as a means of 

verifying personal identity. Hence, biometric privacy is an individual’s right to keep his or her biometric 

information private and to control how that information is collected and used by third parties. 

Biometric privacy laws, including BIPA, are like many new privacy laws that have promulgated over the 

last few years. All are informed consent laws, which generally require third parties gathering the biometric 

data, including fingerprints, facial scans, retina scans, DNA, gait analysis or voice recordings, to provide 

notice of their collection and use, the reason for the use, and how the data will be destroyed. Additionally, 

third parties must obtain permission from individuals to use their biometric information. Failure to provide 

both notice and control could result in liability for the data collector and users. 

In Rosenbach v. Six Flags Entertainment Corp., the Illinois Supreme Court ruled the mere failure to 

comply with statutory requirements of BIPA by any entity that collects, maintains, stores or transfers 

biometric data is enough injury to allow the affected consumers to sue for damages and injunctive relief. 

This means no data breach, wrongful disclosure or actual injury to the consumer is required for a business 

to be subject to civil liability under BIPA. 



To avoid potential liability, all businesses handling information subject to BIPA should review their 

policies, procedures and methods for collecting, using, storing and protecting biometric data. 

And it is not just Illinois companies that need to comply. In Patel v. Facebook, the case resulting in the 

$550 million settlement, Facebook argued that if any BIPA violations did occur, they did not primarily 

occur in Illinois, as Facebook’s servers are located in California. However, the California federal district 

court hearing the case disagreed, suggesting that a consumer’s mere use of Facebook in the State of 

Illinois was enough to make BIPA applicable. This extraterritorial holding in Patel, along 

with Rosenbach’s ruling that statutory non-compliance is sufficient injury to bring suit, means all entities 

must be aware of these laws and the restrictions on the use of biometrics. 

In order to ensure compliance with BIPA, every business should audit its operations to understand if it 

collects or uses any biometric data through systems such as time clocks that require fingerprints, security 

access systems utilizing palm prints or facial recognition, or even surveys gathering biometric data for a 

wellness program. If your business does collect or use biometric information, then it must determine 

whether it is protected under any biometric privacy law. 

While Illinois’ BIPA was the first and remains the most robust, Texas and Washington also have specific 

biometric privacy statutes. Additionally, many states include biometric information within their data breach 

notifications and other privacy and employee protection statutes. Certain biometric data is also protected 

under the federal Health Insurance Portability and Accountability Act (HIPAA), the Genetic Information 

Nondiscrimination Act (GINA) and the Fair Credit Reporting Act (FCRA), which imposes requirements 

and restrictions on employers conducting background checks. 

Unfortunately, as with many other privacy laws, the types of biometrics that are protected and the 

requirements that must be implemented are different under each law. Therefore, understanding what is 

protected and the steps that must be taken to ensure full compliance may require a consultation with 

legal counsel. 

After the business has determined what laws apply and the requirements of those laws, it will need to 

review and appropriately revise its policies, procedures, and methods of collecting, using, storing and 

protecting biometric information. Generally, revisions include giving notice to individuals, obtaining their 

consent for the collection and use of their data, and including documented retention schedules and 

guidelines for the destruction of the information. 

The Facebook settlement shows that failure to comply with biometric privacy laws can result in substantial 

liability for companies. Under Illinois’ BIPA, individuals can receive more than $1,000 for negligent 

violations or $5,000 for intentional violations. Under Texas’ Capture or Use of Biometric Identifier Act 

(CUBI), violations could result in civil penalties of up to $25,000 per violation. In Washington, the attorney 

general has the right to seek up to $500,000. 

Because these lawsuits can be quite costly, businesses must review the information they collect and 

determine if any actions need to be taken to comply with biometric privacy laws. If they don’t, they may 

get “tagged” like Facebook. 




Billee Elliott McAuliffe is a member of Lewis Rice practicing in the firm’s 

corporate department. Although she focuses on information technology, 

Billee also has extensive experience in corporate law, including 

technology licensing, cybersecurity and data privacy, and mergers and 

acquisitions. She is a member of the American Bar Association and the 

Bar Association of Metropolitan St. Louis. Billee can be reached online at 

bmcauliffe@lewisrice.com and at https://www.lewisrice.com/. 



How to Avoid Being Breached In 2020 

By Randy Reiter CEO of Don’t Be Breached 

Recent Data Breaches Disclosed in 2020 

In February, 2020 the United States Department of Defense (DOD) disclosed a data breach that occurred 

at its IT and telecom agency the Defense Information Systems Agency (DISA). DISA does the IT and 

telecommunications support for the White House, diplomats and military troops. The breach exposed 

Personally Identifiable Information (PII) of its employees between May and July 2019. DISA has about 

8,000 civilian and military employees. The employee personal information breached is believed to include 

social security numbers. 

Other major 2020 data breaches include: 

• January, 2020. Wawa who has 850 US convenient stores reported that Hackers put up the 

payment card details of more than 30 million Wawa customers for sale on Joker’s Stash on the 

Dark Web where cyber criminals buy and sell payment card data. 

• January, 2020. 250 million Microsoft "Customer Service and Support" (CSS) records were 

exposed online. The leaked database contained data on customers including their email 

addresses, IP addresses, locations, case numbers and internal notes marked confidential. 

Hackers potentially could try to trick users into paying for support solutions by impersonating 

Microsoft support representatives. 



• March, 2020. UK telecommunications provider Virgin Media reported that the personnel 

information of 900,000 customers was exposed in a data breach. Customer names, home 

addresses, email addresses, phone numbers and date of birth were leaked. 

• March, 2020. US telecom giant T-Mobile suffered another data breach. Cyber Hackers gained 

unauthorized access to sensitive information on customers and employees. 

How to Protect Confidential Database Data from Insider Threats and Hackers? 

Confidential database data includes: credit card, tax ID, medical, social media, corporate, manufacturing, 

law enforcement, defense, homeland security and public utility data. This data is almost always stored in 

Cassandra, DB2, Informix, MongoDB, MariaDB, MySQL, Oracle, PostgreSQL, SAP Hana, SQL Server 

and Sybase databases. Once inside the security perimeter a Hacker or Rogue Insider can use commonly 

installed database utilities to steal confidential database data. 

Non-intrusive network sniffing can capture and analyze the normal database query and SQL activity from 

a network tap or proxy server with no impact on the database server. This SQL activity is very predictable. 

Database servers servicing 10,000 end-users typically process daily 2,000 to 10,000 unique query or 

SQL commands that run millions of times a day. 

Advanced SQL Behavioral Analysis of Database Query and SQL Activity 

Advanced SQL Behavioral Analysis of the database SQL activity can learn what the normal database 

activity is. Then from a network tap or proxy server the database query and SQL activity can be nonintrusively 

monitored in real-time and non-normal SQL activity immediately identified. Non-normal SQL 

activity from Hackers or Rogue Insiders can be detected in a few milli seconds. The Hacker or Rogue 

Insider database session can be immediately terminated and the Security Team notified so that 

confidential database data is not stolen. 

Advanced SQL Behavioral Analysis of the query activity can go even further and learn the maximum 

amount of data queried plus the IP addresses all queries were submitted from for each of the 2,000 to 

10,000 unique SQL queries sent to a database. This type of data protection can detect never before 

observed query activity, queries sent from a never observed IP address and queries sending more data 

to an IP address than the query has ever sent before. This allows real-time detection of Hackers and 

Rogue Insiders attempting to steal confidential web site database data. Once detected the security team 

can be notified within a few milli-seconds so that a data breach is prevented. 




Randy Reiter is the CEO of Don’t Be Breached a Sql Power Tools 

company. He is the architect of the Database Cyber Security Guard 

product, a database data breach prevention product for Informix, 

MariaDB, Microsoft SQL Server, MySQL, Oracle and Sybase databases. 

He has a Master’s Degree in Computer Science and has worked 

extensively over the past 25 years with real-time network sniffing and 

database security. Randy can be reached online at 

rreiter@DontBeBreached.com, www.DontBeBreached.com and www.SqlPower.com/Cyber-Attacks. 



What You Need to Know About DDoS Weapons Today 

By Ahmad Nassiri, Security Solutions Architect at A10 Networks 

A DDoS attack can bring down almost any website or online service. The premise is simple: using an 

infected botnet to target and overwhelm vulnerable servers with massive traffic. Twenty years after its 

introduction, DDoS remains as effective as ever—and continues to grow in frequency, intensity, and 

sophistication. That makes DDoS defense a top cybersecurity priority for every organization. The first 

step: understanding the threat you face. 

To help organizations take a proactive approach to DDoS defense, A10 Networks recently published a 

report on the current DDoS landscape, including the weapons being used, the locations where attacks 

are being launched, the services being exploited, and the methods hackers are using to maximize the 

damage they inflict. Based on nearly six million weapons tracked by A10 Networks in Q4 2019, the study 

provides timely, in-depth threat intelligence to inform your defense strategy. 

Here are a few of our key findings. 



Reflected Amplification Takes DDoS to the Next Level 

The SNMP and SSDP protocols have long been top sources for DDoS attacks, and this trend continued 

in Q4 2019, with nearly 1.4 million SNMP weapons and nearly 1.2 million SSDP weapons tracked. But in 

an alarming development, WS-Discovery attacks have risen sharply, to nearly 800,000, to become the 

third most common source of DDoS. The shift is due in part to the growing popularity of attacks using 

misconfigured IoT devices to amplify an attack. 

In this key innovation, known as reflected amplification, hackers are turning their attention to the 

exploding number of internet-exposed IoT devices running the WS-Discovery protocol. Designed to 

support a broad variety of IoT use cases, WS-Discovery is a multicast, UDP-based communications 

protocol used to automatically discover web-connected services. Critically, WS-Discovery does not 

perform IP source validation, making it a simple matter for attackers to spoof the victim’s IP address, at 

which point the victim will be deluged with data from nearby IoT devices. 

With over 800,000 WS-Directory hosts available for exploitation, reflected amplification has proven highly 

effective—with observed amplification of up to 95x. Reflected amplification attacks have reached recordsetting 

scale, such as the 1.3 Tbps Memcached-based GitHub attack, and account for the majority of 

DDoS attacks. They’re also highly challenging to defend; only 46 percent of attacks respond on port 3702 

as expected, while 54 percent respond over high ports. Most of the discovered inventory to date has 

been found in Vietnam, Brazil, United States, the Republic of Korea, and China. 

DDoS is Going Mobile 

Unlike more stealthy exploits, DDoS attacks are loud and overt, allowing defenders to detect their launch 

point. While these weapons are globally distributed, the greatest number of attacks originate in countries 

with the greatest density in internet connectivity, including China, the United States, and the Republic of 

Korea. 

A10 Networks has also tracked the hosting of DDoS weapons by autonomous number systems (ASNs), 

or collections of IP address ranges under the control of a single company or government. With the 

exception of the United States, the top ASNs hosting DDoS weapons track closely with the countries 

hosting the majority of attacks, including Chinanet, Guangdong Mobile Communication Co. Ltd., and 

Korea Telecom. 

In another key trend, the prevalence of DDoS weapons hosted by mobile carriers skyrocketed near the 

end of 2019. In fact, the top reflected amplified source detected was Guangdong Mobile Communication 

Co. Ltd., with Brazilian mobile company Claro S.A. the top source of malware-infected drones. 



The Worst is Yet to Come 

With IoT devices coming online at a rate of 127 per second and accelerating, hackers are poised to enter 

a golden age of possibilities. In fact, new strains of DDoS malware in the Mirai family are already targeting 

Linux-powered IoT devices—and they’ll only increase as 5G brings massive increases in network speed 

and coverage. Meanwhile, DDoS-for-hire services and bot herders continue to make it easier than ever 

for any bad actor to launch a lethal targeted attack. 

The A10 Networks report makes clear the importance of a complete DDoS defense strategy. Businesses 

and carriers must leverage sophisticated DDoS threat intelligence, combined with real-time threat 

detection, to defend against DDoS attacks no matter where they originate. Methods such as automated 

signature extraction and blacklists of the IP addresses of DDoS botnets and available vulnerable servers 

can help organizations proactively defend themselves even before the attacks starts. 

For additional insight, including the top IoT port searches and reflector searches performed by attackers, 

download the complete A10 Networks report, “Q4 2019: The State of DDoS Weapons,” and see the 

accompanying infographic, “DDoS Weapons & Attack Vectors.” 


Ahmad Nassiri is the security solutions architect for A10 Networks’ 

Eastern region. Nassiri is responsible for supporting pre-sales efforts of 

A10 Networks’ security solutions portfolio. He is also focused on 

providing visibility to market, trends and developments within the 

security field to help A10 Networks expand its security solutions 

offering. Before joining A10 Networks, Nassiri was asystems engineer 

at Arbor Networks, focused on network security and monitoring solutions for global networks. In this role, 

he assisted with the pre- and post-sales engineering support for Arbor’s service provider-focused account 

teams. Nassiri has also held sales/systems security engineering roles with Verisign’s Network 

Intelligence and Availability (NIA) division. During his tenure, he was focused on security intelligence, 

cloud-based DDoS protection, and managed DNS services. Earlier, he held numerous security and 

engineering roles with BT Global Services. 

Ahmad can be reached online at (anassiri@a10networks.com) and at our company website 

https://www.a10networks.com/ 



Better Network Visibility: Removing the Security 

Blindfold 

By Cary Wright, VP Product Management, Endace 

Recent research shows that enterprise teams are very concerned about the ability to protect their 

networks from cyber threats. Concerns run the gamut: insufficient insight into network activity, lack of 

integration between security tools, inability to respond to threats quickly enough, resource constraints, 

and obsolete solutions. Enterprises are frustrated with existing security solutions that don’t provide 

sufficient visibility, agility and economic efficiency. This article is the first of a three-part series from 

Endace, and looks at the issue of network visibility. 

Without the right tools in place, detection and resolution of security events is cumbersome and often 

inconclusive. Lacking sufficient visibility into network activity, organizations are left vulnerable. 

A recent enterprise survey conducted by Enterprise Management Associates reveals that only 31% of 

incursions were identified and stopped at the earliest two stages of the Lockheed Martin Kill Chain model. 

This indicates that most threats proceed to the dangerous exploitation phase. A key reason for being 

unable to stop a compromise early enough is the overflowing backlog of issues that are never 

investigated. 89% of enterprises surveyed by ViB say a lack of visibility into network activity prevents 

them from reacting promptly, with confidence. 

At first glance, you might think lack of network visibility is caused by a lack of data. But the issue often 

isn’t a lack of data, but an inability to correlate data collected in order to provide useful insights. It’s like 

trying to assemble a collection of scattered jigsaw puzzle pieces when you don’t have a picture of the 

final result. Enterprise teams are overwhelmed by the sheer volume of data to analyze from multiple, 

disparate sources: log files, SNMP traps, monitoring tools, etc. Often this data is scattered across the 

infrastructure, hard to correlate, and incomplete because of blind spots in network coverage, which make 

seeing the full context of security threats difficult or impossible. 



When teams efficiently collate data sources to provide full context around detected issues, then data 

becomes “actionable information” used to investigate and resolve problems quickly and accurately. 

Network metadata and full-packet capture data together give teams the perfect combination of evidence 

for investigating and resolving security threats. 

Network metadata delivers a summary of activity across your infrastructure that provides insight into the 

behavior of users, devices, applications and threats. This summary can be easily stored and correlated 

with other data sources from endpoints, applications, AAA, firewall logs and other key elements. Having 

diverse datasets in one place helps investigators triangulate on potential issues rapidly. Since all this is 

a summary of what happened, access to full packet data is often needed to confidently understand the 

breadth of a security event. Fortunately, metadata provides an index into full packet capture data that 

enables teams to quickly and accurately reconstruct events, in context, to see exactly what has occurred 

and respond at once. 

This combination of network metadata with full packet history facilitates quick and confident investigations 

and threat resolutions. Analysts can query and mine the metadata, then quickly get definitive evidence 

by drilling down to the packets. The combination of network metadata and packet data also provides the 

all-important context for data from other sources – such as log files and alerts from monitoring – by 

providing a timeline and record of affected hosts against which these data sources can be correlated 

easily. 

Access to the right data at the right time with the combination of metadata and full packet capture 

facilitates end-to-end visibility, and enables enterprises to detect, triage, investigate and respond to 

threats and incidents with speed, certainty and confidence. It lets teams efficiently assemble the pieces 

of the data puzzle to create a clear picture of precisely what’s happening on their network. 

The second article in this series will address how to increase agility and accelerate incident response. 


Cary Wright, VP Product Management at Endace, has more than 25 

years’ experience in creating market-defining networking, cybersecurity 

and application delivery products at companies including Agilent, HP, 

Ixia and NEC. sales@endace.com, www.endace.com. 



Enabling Agility to Accelerate Incident Response 

By John Attala, Vice President of Worldwide Sales, Endace 

In the first article in this series, Endace VP of product management Cary Wright discussed the importance 

of end-to-end network visibility in protecting valuable enterprise data, and how the combination of network 

metadata and full packet data provides definitive evidence of network activity. To leverage this data 

effectively, however, it is crucial to make it available to the tools and teams throughout the enterprise for 

examining and resolving issues more quickly and accurately. Which brings us to the topic of this article: 

agility. 

Agility, as it relates to cyberdefense and performance management, can mean two things: 

1) faster, more efficient investigation of, and response to, threats/issues (“agile incident response”); and 

2) rapid installation and deployment of new solutions to address these threats and issues (“agile 

deployment”). 

Agile Incident Response 

Research published last year revealed that SecOps, NetOps and DevOps teams are buried in alerts, 

each of which typically requires a resource-intensive investigation and resolution process involving 

multiple personnel. Sadly, the norm is that there simply isn’t sufficient time to triage, prioritize and 

investigate all the alerts. 

In addition, many of the tools SecOps and NetOps teams use don’t integrate well with each other, so 

beleaguered teams must switch from tool-to-tool ( “swivel chair integration”) to determine actual network 

activity – resulting in time delays, stress, and organizational risk. 



Integrating network metadata and full packet information into security and performance monitoring tools, 

so analysts and teams can pivot directly to the related packets, can dramatically simplify and accelerate 

investigations, reducing alert backlog and analyst fatigue. The end result is streamlined investigation 

workflows, more efficient and productive teams, richer contextual information for dealing with threats and 

– crucially – faster, more accurate incident response. 

Agile Deployment 

The same research report cited above found that 90% of respondents reported the process of acquiring 

and deploying security, network or application performance platforms is challenging. It’s a fact: selecting 

and deploying new security and performance monitoring tools can take months to years when an 

organization must consider budget, evaluation, selection, purchase, installation and integration. It’s a 

slow process. 

Further compounding the acquisition problem is that once purchased, these security and performance 

monitoring solutions are expected to last their full depreciation cycle – even though security threats and 

network standards frequently change and evolve. The end result is organizations are often stuck with 

solutions which are no longer fit-for-purpose, requiring a “rip-and-replace” to meet new threats or resolve 

performance issues. 

The lack of ability to quickly evolve systems to meet new threats or address new requirements is 

hampering organizations’ ability to protect and manage their networks effectively. Attackers, on the other 

hand, aren’t constrained by the same CAPEX and budget issues – often using the victim’s own 

infrastructure to host their attacks – enabling them to be extremely agile in staging their attacks. 

To counter this, organizations need more agile deployment. One solution is to adopt a standardized, 

open hardware platform as the foundation for security and performance monitoring: a platform that can 

provide full packet capture, metadata indexing and deep storage, allow standard RESTful API 

connections to existing toolsets, and enable virtualized hosting of the network security and performance 

analytics applications that best suit the organization’s environment. 

Adopting a standardized platform ensures a good foundation (accurate, time-stamped, quickly 

searchable data), the RESTful API ensures existing workflows are maintained and minimizes training, 

and virtualizing monitoring and analytics solutions enables the speed and flexibility to deploy required 

solutions on-demand. 

The standard, open platform approach allows for maximum agility and has the potential to deliver the 

same benefits enterprise datacenters have realized through virtualization: rapid deployment, massive 

flexibility, operational efficiencies, and huge cost savings. 

The next article in the series will discuss the economics and cost savings in more detail. 




John Attala is vice president of worldwide sales at Endace. He has more 

than twenty years’ experience in providing network visibility, forensic 

solutions, and security services to global enterprise, service providers and 

government agencies. 

John Attala can be reached online at www.endace.com. 



Economic Efficiency in Cyber Defense 

By Mark Evans, VP Marketing, Endace 

The previous two articles in this series addressed Visibility and Agility as key requirements for 

stronger cyber defense. This last article in the series looks at the third leg of robust cybersecurity: 

Economic Efficiency. 

According to recent research, gleaned from more than 250 global enterprises, organizations use, on 

average, ten different security management tools. In large enterprises, that number jumps to between 10 

and 18 different security solutions. 

The research also showed that even though organizations have deployed numerous security solutions, 

at great cost, they: 

• Don’t have enough tools in the right places to detect and investigate security events (80% of 

respondents!) 

• Find the challenge of constraints caused by Capital Expenditure (CAPEX) “significant” (75%) 

• Take 6-12 months OR LONGER to acquire and deploy new solutions (budget, testing, product 

selection, deployment) (90%) 



Additionally, organizations said they “lack visibility into network activity”, have “difficulty responding 

quickly enough to threats” and “find it hard to integrate tools and correlate data” 

It’s clear then, that despite considerable investment in security, organizations are still not achieving their 

desired objectives. They are constantly on the back foot, unable to keep ahead of a rapidly evolving 

threat landscape. And, as covered in previous articles in this series, teams are overwhelmed by alert and 

platform fatigue due to lack of visibility and inefficient workflow processes that constrain productivity. 

Reducing Cost and Increasing Efficiency 

Network security functions typically rely on specialist hardware that can capture network traffic at high 

speed for analysis, therefore many solutions are appliance-based. As a result, organizations must deploy 

many different appliances to deliver the range of required security functions (IDS/IPS, data leakage 

prevention, malware detection, email scanning, etc.) 

This has a number of cost and budget implications: 

1. Hardware-based appliances are expensive to purchase and maintain. 

2. Organizations pay for packet capture capability in each appliance they purchase. 

3. Hardware purchases consume so much budget that organizations can’t afford to deploy solutions 

everywhere they need them, leaving blind spots. 

4. Functionality is inextricably tied to appliance hardware - upgrading functionality often means a 

“rip-and-replace”. Without CAPEX budget for replacements, organizations must make do with 

solutions that are well past their “use by” date. 

Virtualization has delivered significant benefits in the datacenter: lower cost, simpler infrastructure, 

efficient hardware utilization, greater flexibility and rapid deployment. However, organizations have been 

unable to virtualize their network security solutions to realize these same benefits due to the lack of a 

common hardware platform. 

What’s needed is a hardware platform that provides high-performance, hardware-based packet capture 

and recording that can be shared by all the tools and teams that need to analyze packet data. This 

approach eliminates unnecessary functional duplication and allows security and performance monitoring 

tools to be consolidated onto a common platform. 

The cost of this common infrastructure can be shared across SecOps, NetOps, DevOps and IT teams, 

reducing Operational Expenditure (OPEX) and CAPEX costs and facilitating closer collaboration. New 

functionality can be deployed without replacing hardware. 



Increasing Productivity 

With packet history integrated into all their tools, analysts can more efficiently detect, investigate and 

resolve security threats; moving from an alert or suspicion directly to evidence quickly and accurately. 

This is vastly more productive than the current swivel-chair integration resulting from managing multiple, 

non-integrated hardware appliances. 

This series looked at three key issues facing enterprises in protecting and defending their networks: 

Visibility, Agility, and Economic Efficiency. By addressing all three issues together organizations can 

gain the clarity, confidence, and certainty necessary to effectively protect against cyberthreats. 


Mark Evans has worked in the technology industry for more than 30 years, 

starting as a developer and moving into CIO and CTO roles prior to joining 

Endace as Vice President of Marketing. He has also written extensively as 

an expert columnist for many technology publications. www.endace.com, 

@endace. 



Does SASE Tick the Box for The Future of Network 

Security? 

By Yair Green, CTO at GlobalDots 

The enterprise of today works with an upgraded portfolio which can be viewed as the result of an overall 

digital transformation. This in turn has brought about the need to rethink and enhance the consequences 

for the network. In response, Gartner introduced the concept of Secure Access Service Edge (SASE) as 

a new enterprise networking technology, whereby organizations could ditch time-honoured networking 

and security designs by merging network and security point functionality globally into a consolidated, 

cloud-native service. 

There is certainly a shift these days where we are seeing organizations transitioning all of their users, 

applications and data (currently located on-premise), to a general move into the cloud, towards edge 

applications and a workforce that is spending more of its time working out of the office - ‘on the road’. 

Together, the forces of cloud, mobility and edge have all brought pressure upon the enterprise’s old and 

weary network and security architecture. It doesn’t help to have data spread out all over SaaS 

applications, or across the increasing number of cloud applications. Whilst there is no doubt that such a 

digital transformation can improve overall agility and competitiveness, it will also require a rethink with 

respect to how the enterprise connects and secures their connections. As the landscape evolves, so 

must technology. Perhaps it was inevitable then that something like SASE should make an appearance. 

The digital transformation has forced the enterprise to evolve by running more applications in the cloud 

as SaaS rather than on-premise - more of their data and workloads live in cloud data centers and more 



of their workforces are mobile - mobile users routinely accessing the cloud and increasing numbers of 

employees working off-site. The two main challenges for organizations as they ponder how to network 

and secure offices, users and resources, will be the cloud and mobility. When the data center is no longer 

at the core of enterprise activity then where do you inspect traffic and where do you apply policy? 

Similarly, if the networks are going to be built by connecting resources and users that exist in large part 

outside of physical buildings, then how will the business deliver optimal network experiences? Of course 

it can be done - it does require though, binding together a potentially disparate range of security 

technologies so that enterprise is satisfactorily protected; this could prove both costly and timeconsuming 

for most businesses. In an ideal world, there should be one way to network any kind of 

resource, location or user, without leaving the business vulnerable to the wide array of security threats. 

Organizations have been all too busy trying to use additional services as a stopgap, as a way to paper 

over the cracks; but this just complicates things and drives costs upwards. This approach won’t work in 

today’s digital landscape. By pushing security as close to the user as possible, SASE helps to reduce 

cost and complexity by focusing on the users that are accessing the applications; it can all be done 

through one single service now. Also, SASE ensures that all connections are inspected and secured, no 

matter what. Bear in mind the unique challenges of risk whereby both users and applications are so 

widely spread apart. In addition, where you have security enforced close to the users, SASE delivers a 

much better user experience overall. Traditionally, the old model brought the user to the security, but 

that’s not such a great UX scenario. 

Whilst some might argue that SASE’s primary focus IS user experience. There’s no doubt that SASE will 

be a major disruption to both network and network security architecture. Ultimately businesses will need 

SASE if they wish to continue their adoption of cloud-native computing and increase their adoption of 

edge computing platforms. Lessons will have to be learned regarding specific security and risk 

management actions that will need implementing as SASE adoption picks up. When we see a truly full 

competitive solutions marketplace, then big business will be in a position to gauge more accurately how 

capabilities are delivered. In the meantime, businesses will require a converged, secure and clouddelivered 

access to the edge in order to adopt this shift. Digital transformation is shifting the focal point 

away from the data center, to the identity of the user. 


Yair Green is the CTO of GlobalDots, and a Cloud, Security and Web 

Performance Evangelist. 

www.globaldots.com 



Achieving Effective User Lifecycle Management Through 

Automation 

By Jeff Stein, Information Security Architect, Reputation.com 

When considering the security of an enterprise, a key area ripe for automation should be user lifecycle 

management. The topic is important not only to the security of an organization but also to the overall 

function of an enterprise. By achieving effectiveness through automation in your user lifecycle 

management process you will not only increase the productivity of your operational teams through the 

reduction of work required to manage the user lifecycle, but also add effective security controls to your 

information security program. 

User lifecycle management covers the full array of activities executed during the lifetime of a user at an 

enterprise. It begins with the initial contact of a prospective employee or business partner to the eventual 

onboarding of the user into their defined role at the organization. Any changes to user access or status 

and role at the organization are also covered in the lifecycle. The lifecycle management then comes full 

circle and is completed through the offboarding process when the user ends their responsibilities at the 

enterprise. 

From a security prospective, user lifecycle management should be an important domain to include in your 

security program. While many of the operational tasks related to the lifecycle management are associated 

with Human Resources or Information Technology business units, the need to instill security controls into 

the related workflows and processes is paramount. This is because, one of the core functions of user 

lifecycle management pertains to access control which is fundamental to a security program because it 

deals with the identity, authentication and authorization of users in the enterprise. 



The need to automate the provisioning (creating) or deprovisioning (removal) of tasks related to the user 

lifecycle management process is derived from ensuring that there is better accountability in the 

operational tasks associated with access control. To not only have a well-defined lifecycle management 

process but also to ensure that those processes are initiated through automation, reduces the number of 

administrative controls required to validate proper completion of tasks and replaces them with more 

reliable technical controls. 

In my previous experiences as a Security Engineer, as well as my current role as an Information Security 

Architect for Reputation.com, an industry leader in online reputation management providing customers 

with a full range of solutions to handle their presence online, I have found that any time you replace a 

reliance on a human task with an automated technical one, the likelihood of a breakdown in process is 

reduced. It also frees up the human element to be leveraged in the process in a more intelligent way than 

previously utilized. Once repeatable tasks can be replaced with automation, the person can be used as 

a means to validate on a regular basis that the automated technical control has not failed. This is done 

through measures such as auditing and approval reviews for sensitive circumstances or types of access. 

Another simple way of looking at this is to use your human staff for intelligent processes and automate 

the mundane repeatable processes that do not deviate from the norm. 

When looking to automate the user lifecycle at an enterprise there are numerous technical tools at your 

disposal. Whether you choose to leverage internal scripts or programs, or utilize a managed technical 

solution, is a personal preference pertaining to your available budget and technical skill sets on staff. 

However, if you implement the tooling to automate user lifecycle management, in my opinion, it is more 

important to ensure you include a number of key components in your automated lifecycle strategy and 

technical design, which will support your tooling. 

The first component to ensure you incorporate into your lifecycle management should be an allencompassing 

source of truth for your user records. Whether this is a directory service or a human 

resource information system (HRIS), the key is to ensure that it is accurate and continually maintained. 

Your source of truth should be the foundation to building out user lifecycle management and automate it 

because it will serve as the starting point for the overall process. In essence, until the user is in your 

source of truth the lifecycle has not yet begun. 

Additionally, access control should be properly built in to your strategy. As mentioned above, access 

control is a key security process and having proper controls in place will ensure you have security baked 

into your design and automation process. Consider using role-based access control (RBAC) or attributebased 

access control (ABAC) as a model for designing your access control component. When I have 

personally rolled out user lifecycle management automation, I have done a combination of the two. 

However, relying primarily on RBAC will be easier to implement or at least serve as a starting point for 

your design. 

The final component, which should be included into the lifecycle management strategy should be 

ensuring that data between your source of truth and any source of records that are utilized by various 

applications in your enterprise are updated as a part of your automation. This is again important in 

keeping your source of truth accurate as well as ensuring aspects such as deprovisioning or a status 

change in the user’s role, function properly. Once these three key components have been worked into 

your lifecycle management design, the tooling you choose will layer on top and function efficiently. It will 



also offer a higher level of implementation success and a holistic approach to your workflow and 

processes. 

Automation provides an excellent means to layer repeatable and scalable security controls into an 

organization. By automating the user lifecycle management process you can ensure better accountability 

into the operational tasks associated with access control in the enterprise. Proper tooling combined with 

a well-maintained source of truth, an effective access control model and baking in the updating of 

information between sources allows you to add effective security controls to your information security 

program. 


Jeff Stein, is currently the Information Security Architect at Reputation.com, 

an industry leader in online reputation management. His prior experience 

includes the FinTech space and both the United States House of 

Representatives and the United States Senate. In addition to holding 

numerous security and IT certifications, including his CISSP, he received a 

Master of Science in Information Security and Assurance from Western 

Governors University. Jeff can be found online on his blog, 

https://www.securityinobscurity.com and reached at both jeff@sioblog.net or on twitter at 

@secureobscure and at our company website https://www.reputation.com and on twitter at 

@Reputation_Com. 



Credential Stuffing: Why It’s on The Rise and How to 

Decrease Your Risk 

By Kevin Landt, VP of Product Management at Cygilant 

Reports of high-profile data breaches like Equifax’s, LinkedIn’s or Yahoo’s always cause an initial, 

widespread panic -- and for good reason. But after having massive amounts of their sensitive information 

exposed such as usernames and passwords, many consumers and organizations move on far too 

quickly. Whether it’s because they assume there’s nothing they can do to rectify the situation or due to a 

lack of understanding of their risk level, too many individuals and companies remain dangerously 

oblivious to what happens after a data breach. 

Post-breach, many cybercriminals turn to the Dark Web to purchase data stolen from high-profile data 

breaches. For instance, recently eight hacked databases containing data for 92.75 million users were put 

up for sale on the Dark Web Marketplace "Dream Market" for 2.6249 bitcoins (about $9,400 USD at the 

time). Hackers will then use their newly acquired, stolen data to fuel credential stuffing attacks, i.e. attacks 

that leverage stolen account credentials to gain unauthorized access to user accounts through largescale 

automated login requests directed against a web application. 

Unlike credential cracking, credential stuffing doesn’t rely on brute force or attempts to guess passwords. 

Instead, cybercriminals simply automate the logins for thousands to millions of previously discovered 

credential pairs using standard web automation tools or tools designed specifically for credential stuffing 

(e.g. services that manipulate login requests to make them look like they came from many different 

browsers and/or products that integrate with platforms designed to defeat Captchas). On average, 

hackers find matches between stolen credentials and a website about only one percent of the time, 



however with every new large-scale breach, the credential stuffing process becomes easier and more 

effective. 

To combat credential stuffing, both consumers and companies need to recognize the danger these 

attacks pose and adhere to the following four best practices: 

1. Monitor data breaches -- It’s critical to stay apprised of large-scale breaches so that if/when you 

have an account with a company that experiences a data breach, you can immediately change 

your password. Also, if you use the same username and password for other accounts, be sure to 

change those passwords as well. Keeping up with the near-daily occurrence of data breaches 

can feel like an overwhelming task, so consider leveraging tools like this to determine if any of 

your credentials have been leaked at any time. 

2. Improve your passwords -- One of the top factors driving the credential stuffing epidemic is poor 

password hygiene. Never reuse the same username and password across multiple sites, change 

your passwords regularly, make sure each password has no resemblance to the old, don’t use 

the same core word(s) and refrain from placing the same special characters in the same positions. 

Password managers can help by creating and easily managing the types of highly secure 

passwords that are impossible to remember. 

3. Implement two-factor authentication -- By turning on two-factor authentication whenever 

available, an additional authentication is requested when you enter your password. This provides 

another vital layer of protection in the event of a network attack and should always be turned on. 

4. Blacklist suspicious logins -- Companies should consistently track logins that result in fraud 

and then blacklist the associated IP addresses. Also, if users are located in a specific region, they 

can create geofences that block traffic that comes from elsewhere. Such tactics can make the 

proxy lists cybercriminals rely on to mask their mass login attempts far less effective, not to 

mention more complex and costly. Web-based security products can also be leveraged to block 

a single IP address or a range of IP addresses that result in too many unsuccessful login attempts. 

A recent report from Akamai found that an average of 4.15 billion malicious login attempts from bots were 

detected in both May and June of 2018, and that’s up from an average of 3.75 billion per month between 

November 2017 and June 2018. Credential stuffing attacks will continue to become even more prevalent 

in the years ahead, especially as data breaches expose hundreds of millions of usernames and 

passwords on a regular basis. 

By recognizing the credential stuffing problem head on and abiding by simple cybersecurity best 

practices, however, both consumers and companies alike can drastically reduce their risk and at the 

same time make cybercriminals’ jobs far more challenging. 




Kevin Landt is VP of Product Management at Cygilant and has over 

a decade of experience helping Security and IT Operations teams 

increase efficiency and reduce risk. At Cygilant, he leads a team of 

PMs dedicated to providing enterprise-class security-as-a-service 

for companies of all sizes. Prior to Cygilant, Kevin held director and 

leadership roles at Opsgenie (now part of Atlassian), Kanguru 

Solutions, and Intel. 



The Cost of Cybercrime Is Constantly Rising: How to 

Combat Ransomware Attacks on SMBs 

By Rui Lopes, Sales Engineering and Technical Support Director, Panda Security 

Cybercrime is an undeniable constant in the business landscape these days. The cost of cybercrime is 

constantly rising—it is estimated that by 2021, it will have reached $6 trillion worldwide. Cyberattacks on 

large companies tend to grab headlines all around the world because of their spectacular impact. 

However, there is one sector that, though it doesn’t normally generate headlines, suffers devastating 

effects of ransomware attacks: small- to medium-sized-businesses (SMBs). 

According to Beazley Breach Response Services, 71% of ransomware attacks target SMBs. The average 

ransom demand for this kind of attack is $116,234. In more general terms, 43% of all cyberattacks target 

this kind of company, while just 14% of these businesses are prepared to defend against their effects. In 

the business world, cybersecurity awareness is the main challenge: employees’ actions are often the first 

line of defense against a cyberattack. To ensure that a cyber incident does not cause serious damage to 

a company, it is important that its employees follow a series of vital tips: 

• Never open attachments from unknown senders. 92% of the malware in the world arrives via 

email. 

• Don’t plug in an unknown USB device. It may contain malware that could cause grave problems 

for the company. 

• Get into the habit of updating passwords. This way, even if a password is leaked in a data breach, 

it won’t become a security risk. 

• Updates for endpoints, devices and for third-party applications are an important barrier against 

security breaches. 



That being said, the best way to combat ransomware is by not becoming a victim in the first place. To 

that end, here are five immediate steps that SMBs can take to avoid ransomware attacks. 

Step 1: Set Operating Systems to Automatically Update 

The first step to avoiding ransomware is to update your operating system (OS). Anything connected to 

the web works better when the OS is updated. Tech companies like Microsoft and Apple regularly 

research and release fixes for “bugs” and security patches for vulnerabilities in their systems. It’s a 

cybersecurity game of cat and mouse. Cyberthieves search for “holes,” and companies race to find them 

first and “patch” them. 

Users are key players in the game because they are the ultimate gatekeepers of their operating systems. 

If your OS isn’t up to date, you can’t take advantage of the security updates. Plus, your computer runs 

better with an updated OS. 

Set your OS to update automatically and you won’t need to remember to do it manually. While Windows 

10 automatically updates (you have no choice), older versions don’t. But setting auto updates is easy, 

whether you’re on a Mac or PC. 

Step 2: Screenshot Bank Emails 

Cybercriminals use trojans or worms to infect your computer with ransomware. So, avoiding these will 

help you avoid ransomware. Worms and trojan malware are often spread through phishing email scams, 

which trick users into opening email attachments containing viruses or clicking links to fake websites 

posed as legitimate ones. 

One of the best tips for keeping phishing emails at bay is learning to identify them. Hackers send phishing 

emails that look like they come from banks, credit card companies or the IRS. Phishing emails kickstart 

your fears and anxieties by suggesting there are “problems with your account” or insisting that “Urgent 

action is required.” Who wouldn’t be scared if their bank sent them an email saying, “You are overdrawn 

in your account”? 

Cybercriminals use this fear to distract people so they will overlook the telltale signs of the phishing email 

like misspellings or common fear-inducing subject lines. 

Take screenshots of all of the legitimate emails from your bank, credit card companies, and others 

business that manage your sensitive information. Use these screenshots to compare with future emails 

you receive so you can spot phishing phonies and avoid ransomware. 



Step 3: Bookmark Most Visited Websites 

The next step in your ransomware-avoidance journey is to bookmark all of your most visited websites. 

Just as with phishing emails, cybercriminals build websites that look like bank or credit card sites. Then 

they trick users into clicking a link and visiting them. From there, hackers steal your sign-in credentials or 

infect your computer with malware. 

Think twice before you visit a website by clicking a link in an email, comments section or private 

messaging app. Instead, bookmark your most visited or high-value websites and visit them through your 

browser. 

Step 4: Backup Data to the Cloud and a Hard Drive 

This step is a no-brainer. Ransomware works if you only have one copy of your data. If it’s irretrievable, 

then cyberthieves have the upper hand, but if you have multiple copies, you have taken away the power 

behind the threat. 

Back up your data to both a cloud service and a hard drive. That way, you have a copy that’s available 

anywhere there’s internet access and one that’s physically accessible all the time. Both types of storage 

are relatively inexpensive and will certainly prove worth it if you’re ever a ransomware target. 

After backing up your data, set up a schedule so you can keep your data current. If you haven’t backed 

up your data in six months, you’re probably just as vulnerable to ransomware attacks as having no backup 

at all. 

Step 5: Install Cybersecurity Software 

Ransomware is constantly evolving as hackers develop new, more dangerous strains. For users, 

preemptive steps rock, but unless you download and install comprehensive cybersecurity software, your 

data is still vulnerable to malware infection. 

Here’s a phrase worth remembering: ransomware is a nightmare. After cyberthieves encrypt your data, 

the chances of recovering it are slim to none…and slim just left town. The story of ransomware doesn’t 

have the Hollywood, happily-ever-after ending. It will definitely leave you teary-eyed…just for the wrong 

reasons. 




Rui Lopes has spent the last 15 years working for Panda Security and 

currently heads up the Pre-Sales Engineering team in North America. 

A cybersecurity expert with extensive industry knowledge, he’s 

passionate about solving complex technical challenges for customers 

and educating them on the latest cybersecurity developments. He 

holds several technical certifications and has contributed to multiple IT 

publications as an IT Security columnist. Rui can be reached online at https://www.linkedin.com/in/ruilopes-6966161/ 

and at our company website https://www.pandasecurity.com/en-us/. 



How To Manage Your Small Business In Time Of Crisis 

By Milica D. Djekic 

It's always a challenge to manage your small business, but especially in times of crisis. Such a situation 

requires special skills, such as crisis management skills, pragmatism and critical thinking. How can we 

create the a new generation of the business leaders who are capable of responing to all these demands? 

Human psychology would suggest that the child is the parent of someone’s personality and it’s quite 

obvious that if we want to produce the new leaders we should try to teach them starting at the very 

beginning of the life. The fact is so many young individuals spend the majority of their time on the web 

and as it is quite well known that cyberspace is often the busiest spot of the people’s activities. It’s quite 

impressive how good the new generations deal with cyber technologies and, apparently, modern 

strategists should use such a finding in order to direct the youth into some sort of the usefulness to the 

entire society. 

The point is if we want the competitive human resources in the decades ahead, we should begin working 

hard on that project now. A good education system matters, but will that be enough to make the new 

generation of the people think, deal and make decisions in such a manner? The answer to this question 

could be quite unclear, but what we see at this stage is that, de facto, we need something both impactful 

and simple at the same time. In addition, we should study the psychology of the child’s development or 

probably try to cope with some habits being adopted early on and later used to define someone’s life 

choices. 

So, what would be such common to all kids worldwide and how would they build on their first habits? The 

quite obvious stuff is all kids anywhere would love to play games and in that way develop their first skills 

and social contacts. We all would remember Monopoly and the experiences about how some simple 

banking works in practice. Nowadays children would also love to play these games, but in cyberspace. 



So, if you offer them the chance to do so on their own or as a team – you would undoubtedly teach them 

thinking in this way. 

Kids often have very poor life experience, and the point is to make something so simple in order to 

motivate them to use their brains in order to resolve situations appearing on their screen. On the other 

hand, many of today’s army officers would select their current occupations just playing strategies and 

making decisions about how to manage their people and resources on some military basis. 

If you want your kid to learn how to be a good manager, you should lead him into the world of business, 

enterprises and management. First, many kids cannot imagine how it works spending your time in the 

office, and if you provide them the opportunity to see how it looks and make some kind of interactive and 

engaging communications, then those young people would definitely become capable of responding to 

tomorrow’s competitive marketplace challenges. Also, if you put some obstacles into such a scenario 

making the players deal with some critical situations, you would also make them develop problem solving 

skills in crisis management tactics and strategies coming from best practices and experts knowledge. 

So, let’s return to the beginning of our topic and let’s introduce some graphical representation showing 

how dealing with a crisis in your small business might look. Such an illustration would offer you some 

constructive insights and hopefully help you better understand how todeal with those problems. The 

diagram is given in the Figure 1. 

Figure 1. Crisis conditions in business 

As shown in the previous illustration, the small business crisis condition could depend on many factors. 

They could include social, environmental, technological and economic conditions, for example. In 

practice, the social elements could include political, religious, safety & security and ideological reasons, 

while the environmental conditions might include natural disasters, biological factors and even diseases. 

On the other hand, the technological and economic pillars could be positive, negative or neutral, for 

example. 

The fact is if we distinguish all these elements in such a manner, we could straightforwardly develop the 

algorithm or the decision making tree about how we could in operational, tactical and strategic way 

respond to these challenges. The point is once you figure out what got correlated with what you could 

easily recognize some rules of those correlations and realize how they could get applied in sense of the 

problem solving algorithms. 

In such a case, the cyber defense could be linked to the technological impacts and, in my opinion, anyone 

in that field can position himselfto prepare for resolving those concerns. Also, the crisis management skill 

is something that would come with experience and it takes some time to become confident in such a role. 



Any empirical scenario would differ in some way from another and before you learn to recognize the 

similarities between them,you would need a lot of practice in your preofessional experience. 

The time of crisis can come at any time, so it’s important to remain rational and realistic in approaching 

such a situation from a calm perspective. The small businesses are certainly an importnat part of the 

critical infrastructure, and that’s why any economy needs plenty of good ideas and proposals about how 

to protect its strategically significant assets. 

Emerging technologies will play a valuable role in our everyday life and work, so they could serve us in 

making rational decisions and training a new generation of the workforce that will be more competitive 

and sophisticated than any generation before them. The task is challenging, but the results could be so 

far reaching. 


Milica D. Djekic is an Independent Researcher from Subotica, 

Republic of Serbia. She received her engineering background from 

the Faculty of Mechanical Engineering, University of Belgrade. She 

writes for some domestic and overseas presses and she is also the 

author of the book “The Internet of Things: Concept, Applications 

and Security” being published in 2017 with the Lambert Academic 

Publishing. Milica is also a speaker with the BrightTALK expert’s 

channel. She is the member of an ASIS International since 2017 

and contributor to the Australian Cyber Security Magazine since 

2018. Milica's research efforts are recognized with Computer Emergency Response Team for the 

European Union (CERT-EU) and EASA European Centre for Cybersecurity in Aviation (ECCSA). Her 

fields of interests are cyber defense, technology and business. Milica is a person with disability. 



What the Latest Enterprise Endpoint Security Survey 

Shows Us: Big Concerns but Hope for The Future 

By Jeff Harrell, Vice President of Marketing, Adaptiva 

More bad news when it comes to IT security. The fourth annual Enterprise Endpoint Security Survey was 

recently released, showing that just 17% of companies believe they have enough staff to handle security 

correctly, and vulnerabilities continue to take a remarkably long time to fix, particularly without solutions 

that meet their needs. These findings (and more) come as organizations face unprecedented threats. 

So, what’s going on? 

Vulnerabilities on the Rise 

Cybercrime is predicted to cost $6 trillion annually by 2021, with new threats becoming the number one 

pain point for endpoint security buyers. Deloitte points out one reason for this is that as workforces 

become more distributed and organizations are responsible for securing more devices, it becomes harder 

and harder to secure the endpoint, calling it companies’ “weakest security link.” 

Shoring up the endpoint is critical, however, because that’s where approximately 80% of cyberattacks 

occur—and these attacks are increasing at a blistering pace. Research shows that between 2016 and 

2017 there was a 600% increase in attacks against IOT devices alone. Any Google search can turn up a 

multitude of other scary stats that underscore just how great today’s cyberthreat is and how it is expected 



to get worse. But the bottom line is vulnerabilities at the endpoint are a tremendous concern, one that 

must be addressed if organizations hope to protect their networks, IP, and customer data. 

Current Solutions Don’t Solve the Problem 

According to the annual Enterprise Endpoint Security Survey, IT professionals cited vulnerability 

scanning as their top cybersecurity challenge. One of the reasons shared was that current vulnerability 

management scanning solutions don’t solve their problems. In fact, they may increase frustration and 

stress by generating reports of hundreds of vulnerabilities that teams can’t address in a timely manner. 

Additionally, they suck up bandwidth and hinder network performance. 

It’s not as though IT teams are throwing up their hands and pretending that vulnerabilities don’t exist, 

however. Ninety-one percent of respondents indicated that “maintaining current, compliant security 

configuration” is very or extremely important; they want to improve the speed and scale with which they 

can address vulnerabilities—they’re just a bit hamstrung. 

Staff Can’t Handle the Surge—And It’s About to Get Worse 

But fixing the problem is not simple. In addition to the exponential increase in vulnerabilities and devices 

managed, and the fact that vulnerability management solutions can hinder more than help, teams simply 

don’t have the staff. Nearly two-thirds of respondents to the Enterprise Endpoint Security Survey 

indicated that they struggle to keep up as their teams are stretched to the max, often limiting their ability 

to handle security operations the way that they want or wish that they could. 

Unfortunately, in light of internal staff shortages, their work is about to get harder. The survey reveals that 

only 29% of companies will complete migration to Windows 10 before Microsoft ceases support for 

Windows 7 on January 14, 2020. This means that potentially millions of endpoints will present openings 

for cyberattackers to take advantage of an outdated OS that is no longer monitored and supported by 

Microsoft and that also lacks the latest security features available in Windows 10. While 87% of 

companies reported that they will have more than half of their systems running Windows 10, close may 

not be good enough. It takes cyberattackers only minutes to wreak havoc. Given that it requires 52% of 

organizations surveyed more than a week—and 22% more than a month—to remediate vulnerabilities 

after they are discovered, this could spell big trouble. 

Automation Must Be Part of the Solution 

With staff being swallowed up trying to handle all of the threats and issues their organizations face, and 

those threats increasing each day, something’s got to give. Significant talent shortages make finding 



enough skilled IT workers to conquer these issues unlikely. And, even the best funded, best staffed 

organizations are fighting a losing battle against the clock. It would be nearly impossible for humans alone 

to write the code and execute remediations at the scale that they need to keep all endpoints up to date 

100% of the time. 

Automation has to be part of the solution. There have been knocks against it—from the time required to 

learn how to use new solutions to the limits of present capabilities—but solutions are improving rapidly. 

The next generation of vulnerability management solutions includes instant remediation capabilities. 

Even if a solution could automatically remediate only 50% of issues, that would be a vast improvement 

over the circumstances teams operate in today. It would not only accelerate the speed at which basic 

issues are fixed enterprise-wide, it would also open up considerable resources to address more complex 

issues in a timely manner. 

While enterprise IT security faces a difficult road ahead, all is not lost. The intense commitment of existing 

staff to fight cyberthreats coupled with exciting advancements in automation could ensure that the results 

of next year’s survey look markedly different. Winning modern cyberwars will require man + machine. 


Jeff Harrell, vice president of marketing at Adaptiva, manages the 

company’s marketing strategies and initiatives across a growing 

range of products designed to assist global enterprises with pressing 

endpoint management and security needs. With more than 20 years’ 

experience, Jeff is known for his domain knowledge, creativity, and 

vision as well as the ability to execute. In his free time, Jeff can 

usually be found looking for birds through a pair of binoculars. For more information, please visit 

https://adaptiva.com/, and follow the company on LinkedIn, Facebook, and Twitter. 



Meet Our Publisher: Gary S. Miliefsky, CISSP, fmDHS 

“Amazing Keynote” 

“Best Speaker on the Hacking Stage” 

“Most Entertaining and Engaging” 

Gary has been keynoting cyber security events throughout the year. He’s also been a 

moderator, a panelist and has numerous upcoming events throughout the year. 

If you are looking for a cybersecurity expert who can make the difference from a nice event to 

a stellar conference, look no further email marketing@cyberdefensemagazine.com

You asked, and it’s finally here…we’ve launched CyberDefense.TV 

At least a dozen exceptional interviews rolling out each month starting this summer… 

Market leaders, innovators, CEO hot seat interviews and much more. 

A new division of Cyber Defense Media Group and sister to Cyber Defense Magazine.

Free Monthly Cyber Defense eMagazine Via Email 

Enjoy our monthly electronic editions of our Magazines for FREE. 

This magazine is by and for ethical information security professionals with a twist on innovative consumer 

products and privacy issues on top of best practices for IT security and Regulatory Compliance. Our 

mission is to share cutting edge knowledge, real world stories and independent lab reviews on the best 

ideas, products and services in the information technology industry. Our monthly Cyber Defense e- 

Magazines will also keep you up to speed on what’s happening in the cyber-crime and cyber warfare 

arena plus we’ll inform you as next generation and innovative technology vendors have news worthy of 

sharing with you – so enjoy. You get all of this for FREE, always, for our electronic editions. Click here 

to sign up today and within moments, you’ll receive your first email from us with an archive of our 

newsletters along with this month’s newsletter. 

By signing up, you’ll always be in the loop with CDM. 

Copyright (C) 2020, Cyber Defense Magazine, a division of CYBER DEFENSE MEDIA GROUP (STEVEN G. 

SAMUELS LLC. d/b/a) 276 Fifth Avenue, Suite 704, New York, NY 10001, Toll Free (USA): 1-833-844-9468 d/b/a 

CyberDefenseAwards.com, CyberDefenseMagazine.com, CyberDefenseNewswire.com, 

CyberDefenseProfessionals.com, CyberDefenseRadio.com and CyberDefenseTV.com, is a Limited Liability 

Corporation (LLC) originally incorporated in the United States of America. Our Tax ID (EIN) is: 45-4188465, 

Cyber Defense Magazine® is a registered trademark of Cyber Defense Media Group. EIN: 454-18-8465, DUNS# 

078358935. All rights reserved worldwide. marketing@cyberdefensemagazine.com 

All rights reserved worldwide. Copyright © 2020, Cyber Defense Magazine. All rights reserved. No part of this 

newsletter may be used or reproduced by any means, graphic, electronic, or mechanical, including photocopying, 

recording, taping or by any information storage retrieval system without the written permission of the publisher 

except in the case of brief quotations embodied in critical articles and reviews. Because of the dynamic nature of 

the Internet, any Web addresses or links contained in this newsletter may have changed since publication and may 

no longer be valid. The views expressed in this work are solely those of the author and do not necessarily reflect 

the views of the publisher, and the publisher hereby disclaims any responsibility for them. Send us great content 

and we’ll post it in the magazine for free, subject to editorial approval and layout. Email us at 



276 Fifth Avenue, Suite 704, New York, NY 1000 

EIN: 454-18-8465, DUNS# 078358935. 

All rights reserved worldwide. 


www.cyberdefensemagazine.com 

NEW YORK (US HQ), LONDON (UK/EU), HONG KONG (ASIA) 

Cyber Defense Magazine - Cyber Defense eMagazine rev. date: 04/02/2020

TRILLIONS ARE AT STAKE 

No 1 INTERNATIONAL BESTSELLER IN FOUR CATEGORIES 

Released: 

https://www.amazon.com/Cryptoconomy-Bitcoins-Blockchains-Bad-Guys-ebook/dp/B07KPNS9NH 

In Development – Hacking the Human Firewall (Q2, 2020) and The Art of Cybere War (Q1, 202):

8 Years in The Making… 

Thank You to our Loyal Subscribers! 

We've Completely Rebuilt CyberDefenseMagazine.com - Please Let Us Know 

What You Think. It's mobile and tablet friendly and superfast. We hope you 

like it. In addition, we're shooting for 7x24x365 uptime as we continue to 

scale with improved Web App Firewalls, Content Deliver Networks (CDNs) 

around the Globe, Faster and More Secure DNS 

and CyberDefenseMagazineBackup.com up and running as an array of live 

mirror sites. 

Millions of monthly readers and new platforms coming…

Cyber Defense eMagazine April 2020 Edition

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?