Computing Security
Secure systems, secure data, secure people, secure business

NEWS | OPINION | INDUSTRY | COMMENT | CASE STUDIES | PRODUCT REVIEWS

CHAINS OF FREEDOM
Stabilising the wild swings and uncertainties of the supply line

QUANTUM GOES BIG!
Lift-off for commercial trial of quantum secured communication services

GET THE BASICS RIGHT
Guidance to see you through tough times

ISOLATED AND VULNERABLE
Human error levels hit new high as hackers step up attacks on solitary workers

Computing Security May/June 2022

'ZERO TRUST' SPECIAL INSIDE
Nobody likes feeling vulnerable. It’s the same when it comes to information security. That’s why our information security services have been designed to provide you with the robust security assurances you require.

Penetration Testing | Red Teaming | Information Security Consultancy

www.pentest.co.uk | 0161 233 0100
pentest - INFORMATION SECURITY ASSURANCE
comment

COLONIAL PIPELINE ATTACK REMEMBERED

Saturday, 7 May, this year marked the first anniversary of the infamous Colonial Pipeline hack, which ended with a ransom fee of US$4.4 million being handed over. In July 2021, ISA Cybersecurity of Canada published a set of takeaways from the event. "They are still valid today and sync well with the Biden administration Executive Orders that grew out of the attack," says Bedrock Open Secure Automation.

LESSON 1: THE IMPORTANCE OF SYSTEM MONITORING
Although the publicised attack was on May 7, 2021, the hackers reportedly breached the system on April 29, a week earlier. ISA says that Security Information and Event Management (SIEM) tools, coupled with advanced threat intelligence, detection and monitoring, can help to recognise anomalous activities.

LESSON 2: THE IMPORTANCE OF IT GOVERNANCE
In his testimony to the United States Senate, Colonial Pipeline President and CEO Joseph Blount said: "We believe the attacker exploited a legacy virtual private network (VPN) profile that was not intended to be in use."

LESSON 3: OT AND IT NETWORK CONVERGENCE CREATES ADDITIONAL RISK
Colonial Pipeline shut down its system because it did not know who was attacking, why, or how it might affect its OT network, demonstrating the need for complete visibility into OT network operations and integrations.

LESSON 4: SUCCESSFUL BREACHES CARRY A VARIETY OF COSTS
Although the FBI recovered about 85% of the ransom paid, the threat actors still reaped hundreds of thousands of dollars in extorted funds, and Colonial's Blount revealed at the time that it would cost the company "tens of millions of dollars" to repair the damage and restore all its business systems fully.

LESSON 5: A SUCCESSFUL BREACH BREEDS OTHER HACKING EFFORTS
This is the timeliest warning for every vulnerable organisation - and it needs to be heeded.

Brian Wall
Editor
Computing Security
brian.wall@btc.co.uk
EDITOR: Brian Wall (brian.wall@btc.co.uk)
LAYOUT/DESIGN: Ian Collis (ian.collis@btc.co.uk)
SALES: Edward O’Connor (edward.oconnor@btc.co.uk), +44 (0)1689 616 000; Lyndsey Camplin (lyndsey.camplin@btc.co.uk), +44 (0)7946 679 853; Stuart Leigh (stuart.leigh@btc.co.uk), +44 (0)1689 616 000
PUBLISHER: John Jageurs (john.jageurs@btc.co.uk)

Published by Barrow & Thompkins Connexions Ltd (BTC), 35 Station Square, Petts Wood, Kent, BR5 1LZ. Tel: +44 (0)1689 616 000. Fax: +44 (0)1689 82 66 22

SUBSCRIPTIONS: UK: £35/year, £60/two years, £80/three years; Europe: £48/year, £85/two years, £127/three years; R.O.W: £62/year, £115/two years, £168/three years. Single copies can be bought for £8.50 (includes postage & packaging). Published 6 times a year.

© 2022 Barrow & Thompkins Connexions Ltd. All rights reserved. No part of the magazine may be reproduced without prior consent, in writing, from the publisher.

www.computingsecurity.co.uk May/June 2022 computing security @CSMagAndAwards 3
CONTENTS

COMMENT 3
Colonial Pipeline attack remembered

NEWS 6 & 8
Cyberattack on Toyota sparks alarm
Top court rules on misuse of data
Malware back with a vengeance
No let-up in lack of diversity

ARTICLES

ALL SET TO EXCEL! 10
This year’s Infosecurity Europe show is now fast approaching - and promises to deliver a great line-up of exhibitors, events, presentations and more at the ExCeL in London. See our preview

SECURE SYSTEMS: IS HARDWARE THE STARTING POINT? 11
Hardware-assisted security capabilities are seen as critical to robust security strategy

SEVEN KEY TIPS WHEN CHOOSING AN IDENTITY SECURITY SOLUTION 12
SecurEnvoy points to the advantages of selecting an offering that can be deployed as public cloud, fully Managed Service Provider (MSP) or On-Premise

THE CAPTIVATING QUESTION 14
Why aren't more companies using packet capture? asks Cary Wright of Endace

HACKING GETS BACKING! 15
A university ethical challenge platform has won government backing in the build-up to its launch into the commercial market

RANSOMWARE AND THE CLOUD 16
John Tipton, Adarma, looks at the deep impact that ransomware is now making, especially through 'RansomCloud'

ABSOLUTE ZERO 18
Organisations are starting to switch from a model based on 'trust anyone and anything inside the network' to a 'trust no one and nothing' architecture. Brian Wall reports

PRODUCT REVIEW 24
Endace Endaceprobe 9200 G4

CHAINS OF FREEDOM 26
Supply chains are prone to wild swings and uncertainties. How exactly can those chains be stabilised and less exposed, in order to create a cooperative supply-chain platform?

GET THE BASICS RIGHT… 29
Adoption of cyber security-related tools a growing problem in cyber security world, warns Brookcourt Solutions' Steven Usher

ISOLATED AND VULNERABLE 30
Hackers are driving up the levels of human error by preying increasingly on solitary workers - especially those at home, cut off from immediate IT support

QUANTUM GOES BIG! 32
BT and Toshiba, along with EY, have launched the trial of what is described as a "world-first commercial quantum-secured metro network". The infrastructure will be able to connect numerous customers across London. How safe will that be?

IF YOU CAN'T STAND THE HEAT… 34
… then do something about it. The time has arrived to fight back as Highly Evasive Adaptive Threats (HEAT) hit hard
news

TOP COURT STEPS IN TO RULE AGAINST THE MISUSE OF DATA

Senior lawyer Edward Machin

The European Court of Justice has recently ruled that the general and indiscriminate retention of traffic and location data, for the purposes of combatting serious crime, is prohibited by EU law.*

The court found in favour of convicted murderer Graham Dwyer, who had duly challenged Ireland's use of mobile phone metadata in his conviction, with potential implications for criminal investigations across Europe.

Comments Edward Machin, a senior lawyer in Ropes & Gray's data, privacy & cybersecurity practice: "This decision is no surprise, given the court's previous rulings on data retention. Indeed, the repeated references to 'settled case-law' perhaps betray its snark in having to reiterate that indiscriminate retention is not permitted for combatting serious crime," he states.

"The case is timely, as it follows the recent agreement in principle of a new transatlantic data pact between the EU and US," continues Machin. "Given that the agreement is designed to rein in US government surveillance, that a European member state has again breached similar obligations under EU law doesn't look good when the US is being told that it needs to reform its snooping laws, if it wants a data deal," he points out.

* https://curia.europa.eu/jcms/upload/docs/application/pdf/2022-04/cp220058en.pdf
CYBERATTACK ON TOYOTA SPARKS ALARM AND SERVES AS WARNING

Tim Wallen, LogPoint

The fact that the world's largest car manufacturer Toyota was recently forced to shut down 14 factories and 28 production lines for an entire day due to a cyberattack serves as a warning in these volatile times, warns Tim Wallen, LogPoint UK&I regional director. "While the manufacture of cars is not necessarily critical to societies, it's a warning of how cyberattacks can influence 'in real life', not limited to leaks of digital information or systems being held for ransom. When production lines are halted, and workers have to stay at home, we have to carefully consider whether we have done enough to protect our digital infrastructures.

"With some 180,000 people employed directly in automotive manufacturing in the UK and in excess of 864,000 across the wider automotive industry," adds Wallen, "this is a crucial industry to protect."
MALWARE BACK WITH A VENGEANCE AS PANDEMIC APPEARS TO WANE

Malwarebytes recently announced the findings of its 2022 Threat Review (formerly the 'State of Malware' report), showing that, while the global pandemic may be waning, the 'cyberthreat epidemic' is likely here to stay for businesses and consumers.

The research has uncovered a massive 2021 resurgence of cyberthreats across multiple categories after pandemic-induced declines in 2020, tracking a 77% increase in malware detections over 2020. Business-focused cyberthreats jumped 143%, while consumer-specific threats rose by 65% to more than 152 million. The resurgence was much more than a "return to business as usual, with detection numbers far exceeding pre-pandemic numbers, too", according to the company.
ONE IN THREE COMPANIES ARE VICTIMS OF CYBERATTACK, STATES SURVEY

Dr Niklas Hellemann, SoSafe

Cyber security awareness provider SoSafe's 'Human Risk Review 2022' survey shows an ever-worsening cyberthreat situation. According to the survey, a worrying one in three organisations (35%) has experienced a successful cyberattack in the past year. Furthermore, nine out of 10 (90%) cyber security experts confirmed this deteriorating situation. "With the Human Risk Review, we want to provide insights into current trends and developments in the European cyber threat landscape. Our goal is to further raise awareness of this topic - especially for the 'human factor' in information security," says Dr Niklas Hellemann, managing director of SoSafe.
Strengthen your data resilience with Immutable Backup from Arcserve

Buy an Arcserve Appliance secured by Sophos, and get OneXafe immutable storage!

Arm your business with a multi-layer protection approach to strengthen your overall data resilience. Arcserve brings you data backup, recovery, and immutable storage solutions with integrated cybersecurity to defeat ransomware and provide the best-in-class data management and data protection solution in the market.

Arcserve UDP Data Protection Software: Unified data and ransomware protection to neutralize ransomware attacks, restore data, and perform orchestrated recovery.
Arcserve Appliances: All-in-one enterprise backup, cybersecurity, and disaster recovery, with multipetabyte scalability.
StorageCraft OneXafe Immutable Storage: Scale-out object-based NAS storage with immutable snapshots to safeguard data.

Get multi-layer protection!
news

LACK OF DIVERSITY AND INCLUSION PERSISTS

Camellia Chan, X-PHY

A severe lack of diversity and inclusion in technology was one of the issues that was highlighted on International Women's Day. Camellia Chan, CEO and founder of cybersecurity company X-PHY (a Flexxon brand), firmly believes that talent is crucial to the industry, "especially as we witness an upheaval in innovation and digital transformation. Despite this, the number of tech roles held by women increased by a mere 2% in 2021".

Chan also points out: "In order to increase this figure, as a society, we need to empower women from a young age and encourage them to be ambitious. Seeing women in high-powered roles is excellent and proactivity is key to ensuring they stay there."

NORMS MUST BE CHALLENGED
Businesses, too, have a crucial role to play, she adds. "Hiring and recruitment practices are incredibly important and, with visible female role models and leaders in the industry, we encourage women to envision a future in tech. Put simply, diverse talent brings new perspectives and innovation. Talented, driven women - as well as employees of different ages, nationalities and domains - create an impactful environment by challenging norms, building competencies and championing excellence."
UK RANSOMWARE ATTACKS 'UP 200%' IN THE LAST YEAR, SAYS LAW FIRM

Jack Chapman, Egress

New data released by law firm RPC has revealed that UK ransomware attacks have doubled in the last year. Comments cybersecurity expert Jack Chapman, VP of Threat Intelligence at Egress: "Ransomware is one of the most serious cybersecurity threats facing UK organisations today. Our recent study found that less than a quarter of boards of directors see ransomware as a top priority - organisations must tackle a number of serious threats, not just ransomware, and many just don't know where to focus their efforts."

Preventing ransomware must become a top concern for organisations, and leadership must focus on building a robust security posture, he adds. "That includes evaluating overall spend and what's in the security stack, looking to intelligent technology to tackle sophisticated phishing attacks and other common entry points for malware."
BEWARE THE LURKING DANGERS AS RETURN TO THE OFFICE GROWS

Chris Vaughan, Tanium

The lifting of working from home restrictions means it's time for IT departments to consider that employees returning to the office and reconnecting their devices to the corporate network may increase risks, warns Chris Vaughan, AVP - Technical Account Management, Tanium. "Employees working off personal laptops, tablets and mobiles often carry higher cybersecurity risks, due to issues like not having up-to-date patches installed.

"Now, as employees return to the office, there is a possibility that they will unknowingly bring in devices that are infected with malware, trojans, viruses etc that have lain dormant until this point, ready to spread when an opportunity occurs."

Once reconnected to a network, malware can then travel through a company, infecting every computer, he warns.
SUPPLY CHAIN SECURITY RISKS SERVE AS 'BACK DOOR' FOR HACKERS

New research unveiled by NCC Group suggests that cyber-attacks on supply chains soared by 51% in the last six months of 2021. "Organisations have an opportunity to reduce their third-party risk by clarifying whether they or their suppliers are responsible for supply chain risk management," says the company.

Around one in three (36%) surveyed said they are more responsible for preventing, detecting and resolving supply chain attacks than their suppliers. Just over half (53%) said their company and its suppliers are equally responsible for the security of supply chains. "This could affect organisations' third-party risk, if it means that they are not conducting appropriate due diligence on their suppliers, and could expose them to regulatory penalties." Encouragingly, respondents recognised supplier risk as one of their top challenges for the next 6-12 months and report that they plan to increase their security budgets by an average of 10% this year.
shows & events

ALL SET TO EXCEL!

INFOSECURITY EUROPE, BILLED AS THE BIGGEST GATHERING OF THE INFORMATION SECURITY COMMUNITY IN EUROPE, IS ALMOST HERE

Infosecurity Europe has played a key role in connecting the Infosec community for more than 25 years. Attracting over 13,000 visitors, 300 exhibitors and 170 speakers, this year's event will take place from 21-23 June at ExCeL London, bringing industry peers together to network, share and ultimately, say the organisers, "become stronger together".

CONFERENCE THEME & PROGRAMME
Infosecurity Europe 2022's theme, Together we are Stronger, will focus on the need for cybersecurity professionals to increase collaboration to keep society safe and secure. The conference programme will explore several associated topics. The Keynote Stage will cover key threats and adversaries, tackling insider threats, building a security culture, the paradigm change in ransomware, monetisation of threats, Cybercrime-as-a-Service (CaaS), third party risk, how cyber criminals are changing their approaches, and improving the detection of known and unknown threats.

Visitors will have the chance to engage in discussions around the latest cybersecurity challenges on the Insight Stage, equipping themselves with new strategies and techniques, and exchanging ideas and expertise. In the Talking Tactics theatre, real-world case studies will provide practical and actionable knowledge on how to keep up with the increasing sophistication of security threats.

This year, Infosecurity Europe has also teamed up with NotSoSecure, which will deliver formal cybersecurity training courses live on the show floor for the first time.
KEY SPEAKERS
The Keynote Stage will give delegates direct access to information security knowledge and expertise from some of the industry's leading practitioners, policymakers, analysts and thought leaders.

The main opening keynote speaker will be Major General Tom Copinger-Symes CBE, director of Strategy and Military Digitisation with UK Strategic Command, who will lead with his presentation, ‘Tackling the Uncertain Future of Security Threats’ (Tuesday 21 June, 10:20).

Baroness Eliza Manningham-Buller, former Head of MI5 and now serving on the Lords Select Committee on Science and Technology, will discuss ‘Leadership in an Age of Uncertainty’ (Wednesday 22 June, 10:10).

Misha Glenny, author, journalist and specialist in organised crime and cybersecurity, has acted as consultant to European governments and the EU on the Balkans, and advised the US departments of State and of Justice on US-European relationships. He will discuss ‘Geopolitics and Cyber Insecurity’ (Tuesday 21 June, 15:20).

Investigative journalist Geoff White, a reporter for the BBC and Channel 4 and author of The Lazarus Heist, will explore ‘Lessons Learned from Most Recent Cybercrime Investigations’ (Wednesday 22 June, 16:10).

WHY ATTEND?
"With threats increasing [39% of UK businesses reported a breach in the last year], acquiring the right knowledge and tools has never been more important," add the organisers. "At Infosecurity Europe 2022, you will have the opportunity to Learn, Explore and Network."

Learn: Attend conference sessions and speak with industry experts. Earn CPE & CPD credits at a series of immersive workshops and demonstrations.
Explore: Discover, evaluate and benchmark products, solutions and innovations to transform your business.
Network: Meet new and established international suppliers from around the world. Build relationships with a diverse range of infosecurity professionals.

To register to attend the show, go to: https://www.infosecurityeurope.com/en-gb

FACTFILE
WHAT: Infosecurity Europe 2022
WHEN: 21-23 June 2022
WHERE: ExCeL London, Royal Victoria Dock, London E16 1XL
OPENING TIMES:
Tuesday 21 June: 9:30am-5:00pm
Wednesday 22 June: 9:30am-5:00pm
Thursday 23 June: 9:30am-4:00pm
research special

SECURE SYSTEMS: IS HARDWARE THE STARTING POINT?

ORGANISATIONS VIEW HARDWARE-ASSISTED SECURITY CAPABILITIES AS CRITICAL TO A ROBUST SECURITY STRATEGY

Key findings in a new Intel-sponsored study reveal that "organisations value security product innovation, especially at the hardware level, when purchasing technologies and services", states the company.

Businesses are expected to spend some $172 billion in 2022 on increasing their cybersecurity commitments and enhancing measures to protect themselves. "Organisations recognise hardware-assisted security capabilities are critical to a robust security strategy, with many searching out transparent technology providers to supply innovative security solutions," adds Intel.

And adoption is growing: while the study found only 36% of respondents say that their organisation's current cybersecurity protocols use hardware-assisted security solutions, 47% state that these solutions will be adopted within the next six months (24%) or 12 months (23%).

"The security threat landscape continues to evolve, becoming more sophisticated and challenging for organisations to defend against," comments Suzy Greenberg, vice president, Intel Product Assurance and Security, pictured above. "Today more than ever, companies are demanding assurance capabilities and hardware-enhanced security solutions that help protect the entire compute stack."

Key findings from the study include:
64% of respondents say their organisations are more likely to purchase technologies and services from technology providers that are leading edge with respect to innovation.

The top areas of focus for security innovation are security automation (41% of respondents), security at the silicon level (40%), cloud migration (40%), and education and training (38% of respondents).

53% of those surveyed say their organisations refreshed their security strategy because of the pandemic.

Of the 36% of organisations using hardware-assisted security solutions, 85% say hardware- and/or firmware-based security is a high or very high priority in their organisation. And 64% also say it is important for a vendor to offer both hardware- and software-assisted security capabilities.
IMPACT OF ZERO TRUST AND TRANSPARENCY TRENDS
Key findings indicate that organisations are looking to integrate hardware-based security solutions into their Zero Trust strategies. Of the 36% of organisations using hardware-assisted security solutions, 32% of respondents have implemented a Zero Trust infrastructure strategy and 75% expressed increased interest in Zero Trust models as the pandemic continues and the remote workforce grows.

As organisations incorporate new security technologies, hardware-assisted security complements existing protocols and bolsters overall security hygiene. Additionally, the rapid sophistication of the threat landscape requires organisations to be one step ahead of security updates, although challenges remain when it comes to managing vulnerabilities and patching updates. The study reveals that fewer than half of organisations have visibility into newly disclosed vulnerabilities and patches/updates (48% of respondents) and mainly prioritise security updates for the latest product generation (42%), when there are still many legacy devices in use around the world.
identity security

7 REASONS WHY SECURENVOY MIGHT SERVE AS AN ALTERNATIVE TO MICROSOFT AZURE AD MFA FOR IDENTITY SECURITY

THE SUMMER OF 2020 SAW MICROSOFT ROLL OUT AZURE AD PREMIUM 1 FEATURES TO ALL MICROSOFT 365 BUSINESS PREMIUM ACCOUNTS. IS THIS THE SILVER BULLET FOR ALL IAM ISSUES? ASKS TOM HILLS, PRE-SALES CONSULTANT AT SECURENVOY

"This article is our experience and customer feedback over the past 12-24 months, covering the key considerations and reasons why organisations might look outside of their Microsoft licensing schemes," states Tom Hills, pre-sales consultant at SecurEnvoy. Here follows his take on that topic and the suggested '7 Reasons' for taking that path:
1. Deployment Flexibility

On-Premise & Cloud Deployment
"SecurEnvoy's offering can be deployed either as a public cloud, fully Managed Service (MSP) or On-Premise," says Hills. "This flexibility is key for clients where security is paramount, or where clients are bound by local law and compliances."

Speed of Deployment
"SecurEnvoy product offerings are based around a quick time to deploy. The on-premise platform is light on requirements. SecurEnvoy IAM offers agents that, once installed, can enable synchronisation of user identities from Active Directory in moments."
2. Simplified Administration & Management

Intuitive Administration
"The SecurEnvoy administration console is clutter free. Configurations are easily accessible and not hidden within nested menus. Administrators familiarise their way around the UI quickly. Often, configurations are only applied once, so there is little need to constantly tweak the solution."

Integrations Out of the Box
"Use prebuilt application integrations from the catalogue. The integration automatically generates identity provider (IdP) URLs and certificates. Enable single-sign-on (SSO) to the applications in a couple of clicks. Application access centralised from day one."

Single Pane of Glass
"An easy to interpret dashboard provides a visualisation of both live and historical activity, capturing user metrics such as logon activity, licence count, agent connection status, throughput and application access," according to Hills.

Self-Service
"Reduce helpdesk overheads by providing the users with self-service password reset. The password reset can be completed from either Desktop, web portal or the mobile app. For users who have lost their MFA method, a self-service helpdesk portal can allow the user to securely create a new temporary MFA method."

User Lifecycle Management
"Onboarding is automatically controlled from the parent directory (Azure AD, Microsoft AD, Google Directory). The synchronisation control granularity varies depending on domain, OU or group membership."
3. Protecting Desktop Logon

Protect Windows with MFA
"The Windows Logon Agent is installed on Windows workstations and Servers. Console and RDP logins can be secured with MFA. Anyone attempting to access Windows will be prompted for MFA. MFA can still be provided, if a user is attempting to authenticate whilst offline. Users can be enabled for MFA via Group Memberships. For example, only Domain or Local Administrators can be prompted for MFA when authenticating, mitigating the risk of credential misuse."

Protect MacOS with MFA
"Users of these devices are typically business executives, board members, software developers and security teams, meaning securing this attack vector should be a priority. The MacOS Logon Agent can be deployed to enable MFA access to the MacOS devices, reducing the risk of unauthorised access into the environment."
4. Advanced RADIUS Support<br />
"On-premise environments are often<br />
protected by a VPN or other remote access<br />
methods. Predominantly, these methods<br />
support the RADIUS protocol. Microsoft<br />
Azure AD MFA can support the RADIUS<br />
protocol; however, it requires Network Policy<br />
Server (NPS), which can increase complexity.<br />
Also, some users feel that NPS does not<br />
always integrate well with all VPNs."<br />
Support RADIUS-Based Clients with MFA<br />
"SecurEnvoy offers rich RADIUS capability,<br />
meaning support for a variety of use cases,<br />
including traditional VPN based technologies<br />
and Remote Desktop environments. Support<br />
for RADIUS clients extends to implementing<br />
a 'Trusted Networks' policy, where users<br />
connecting from a specific network would<br />
not get prompted for MFA. Secondly,<br />
'Blocked Networks' can be added.<br />
Authentication attempts from specified<br />
network locations will be blocked. 'Trusted<br />
Groups' can also be configured, whereby<br />
users within specified groups will not<br />
require MFA. For example, users within the<br />
'administrators' group must always provide<br />
MFA. Authentication can only be permitted<br />
from specific domains, too, which is ideal<br />
with Managed Service Providers running<br />
multi-tenant environments."<br />
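As an added example (not SecurEnvoy's code, and with a rule precedence that is this example's own assumption), the Python below evaluates the Trusted Networks, Blocked Networks, Trusted Groups and permitted-domain rules just described for a single RADIUS access request:<br />

```python
"""RADIUS access-policy evaluator modelled on the Trusted Networks, Blocked
Networks, Trusted Groups and allowed-domain rules quoted above.

Added illustration, not SecurEnvoy code. The rule precedence below is an
assumption of this example; the product's own ordering may differ.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

REJECT = "reject"            # authentication refused outright
MFA = "mfa"                  # password plus second factor required
PASSWORD_ONLY = "password"   # MFA prompt suppressed by policy


@dataclass
class RadiusPolicy:
    trusted_networks: list = field(default_factory=list)   # ip_network objects
    blocked_networks: list = field(default_factory=list)
    trusted_groups: set = field(default_factory=set)
    always_mfa_groups: set = field(default_factory=set)    # e.g. administrators
    allowed_domains: set = field(default_factory=set)      # empty = any domain

    def decide(self, username: str, groups: set, source_ip: str):
        """Return (decision, reason) for one RADIUS access request."""
        try:
            src = ip_address(source_ip)
        except ValueError:
            return REJECT, f"unparseable source address {source_ip!r}"

        # 1. Blocked Networks win over everything else.
        if any(src in net for net in self.blocked_networks):
            return REJECT, f"{src} is in a blocked network"

        # 2. Only permitted tenant domains may authenticate through this client.
        if "@" not in username:
            return REJECT, "username carries no domain"
        domain = username.rsplit("@", 1)[1].lower()
        if self.allowed_domains and domain not in self.allowed_domains:
            return REJECT, f"domain {domain} not permitted on this RADIUS client"

        # 3. Privileged groups always complete MFA, even from a trusted network.
        privileged = groups & self.always_mfa_groups
        if privileged:
            return MFA, f"member of always-MFA group {sorted(privileged)[0]}"

        # 4. Trusted Networks / Trusted Groups suppress the MFA prompt.
        if any(src in net for net in self.trusted_networks):
            return PASSWORD_ONLY, f"{src} is in a trusted network"
        trusted = groups & self.trusted_groups
        if trusted:
            return PASSWORD_ONLY, f"member of trusted group {sorted(trusted)[0]}"

        # 5. Default: everyone else is prompted for MFA.
        return MFA, "default policy"


# Constructed sample policy (documentation and private ranges, not real data).
SAMPLE_POLICY = RadiusPolicy(
    trusted_networks=[ip_network("10.10.0.0/16")],
    blocked_networks=[ip_network("203.0.113.0/24")],
    trusted_groups={"office-staff"},
    always_mfa_groups={"administrators"},
    allowed_domains={"corp.example"},
)

if __name__ == "__main__":
    requests = [
        ("alice@corp.example", {"office-staff"}, "10.10.5.4"),
        ("bob@corp.example", {"administrators", "office-staff"}, "10.10.5.4"),
        ("carol@corp.example", set(), "203.0.113.9"),
        ("dave@tenant-b.example", set(), "198.51.100.7"),
        ("erin@corp.example", set(), "198.51.100.7"),
    ]
    for user, groups, ip in requests:
        print(user, ip, "->", SAMPLE_POLICY.decide(user, groups, ip))
```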
5. Increased Granularity of Authentication<br />
Policies<br />
"Challenges exist around authentication<br />
methods and some configurations are only<br />
available as a global 'on/off' setting. For<br />
example, this can leave organisations unable<br />
to configure policies to only allow mechanisms<br />
such as SMS OTP for some low-risk user<br />
activities. Organisations must have a broad<br />
range of authentication mechanisms at their<br />
disposal to address each use case and user<br />
group appropriately."<br />
Select Authentication Methods Based on<br />
Group/User Profile<br />
"SecurEnvoy offers the ability to configure<br />
the range of authentication methods that are<br />
available to each user or group. Options range<br />
from biometrically protected smartphone<br />
apps and hardware tokens to SMS OTP.<br />
The platform can report on which users are<br />
enrolled for which authentication methods<br />
at any time, providing a bird's eye view of<br />
selected authentication types."<br />
Reduce IT overhead with self-service<br />
"Providing users with the ability to select<br />
their desired multi-factor method during<br />
enrolment speeds up deployment and<br />
creates a positive user experience.<br />
SecurEnvoy has self-service functionality<br />
built in, which allows users to change their<br />
authentication method securely, quickly and<br />
easily. A different method might be required<br />
in case of a new device, or the working<br />
environment changes."<br />
Implement True Location Awareness<br />
"SecurEnvoy can guarantee user location<br />
at time of authentication, so strict policies<br />
can be used to allow exact pre-defined<br />
'safe' locations, or an allowed amount<br />
of deviation between the request and<br />
the authentication (PUSH) response.<br />
Corporations can be assured not only<br />
the identity of the user, but also an exact<br />
location, to provide a deeper level of user<br />
access control."<br />
6. Multiple Directory Environments<br />
"Projects to consolidate multi-domain<br />
environments typically take a long time,<br />
drain internal resources, are costly and, if<br />
not well thought out, can lead to security<br />
issues," adds Hills.<br />
SecurEnvoy Universal Directory<br />
"A Universal Directory is the core of the IAM<br />
platform, synchronising bi-directionally<br />
against multiple directories and domains.<br />
SecurEnvoy becomes the identity provider<br />
(IdP), creating a single digital user identity.<br />
This approach then allows for consistent<br />
security and access policies to be deployed,<br />
minimising security risks. Joiners, movers and<br />
leavers (JML) are handled on an automated<br />
basis: if a user is disabled somewhere, ALL<br />
their access is disabled, in real time."<br />
7. Enhanced Concierge Style Customer<br />
Support<br />
Dedicated Support Team<br />
"Calls are answered directly by an engineer.<br />
Calls are resolved quickly, without having to<br />
navigate time-consuming first-line helpdesk<br />
functions," he comments. "We often assign<br />
calls to engineers who have previously<br />
worked with the customer, maintaining<br />
deeper understanding of the customer<br />
environment. Customers benefit from our<br />
unique consultative approach, helping solve<br />
technical and business issues."<br />
"To summarise, Microsoft Azure AD MFA<br />
does work well in most environments, but<br />
certainly not all. The deployment and<br />
management can be complex and, in many<br />
areas, lacks flexibility and granular controls.<br />
To have all your eggs in one basket with one<br />
vendor may leave you open to unexpected<br />
downtime. Particularly with Microsoft, due<br />
to its global customer footprint, it could be<br />
a prominent target for hackers. Some of our<br />
customers have raised concerns about the<br />
licensing model, commenting they feel<br />
locked in, leaving them vulnerable to price<br />
increases. Prices increased on 1 March 2022<br />
(around 10% overall). Taking a Microsoft<br />
'plus' approach could be the way forward,<br />
subscribing to the minimum bundle and<br />
integrating best-of-breed solutions to<br />
achieve business objectives."<br />
behavioural insights<br />
2022: WHERE PACKET CAPTURE<br />
WENT NEXT<br />
IN TODAY'S RAPIDLY CHANGING THREAT LANDSCAPE, WHY AREN'T<br />
MORE COMPANIES UTILISING PACKET CAPTURE? CARY WRIGHT,<br />
VP OF PRODUCT MANAGEMENT, ENDACE, OFFERS HIS VIEWS<br />
Historically, packet analysis has had<br />
real accessibility challenges. Security<br />
teams have often struggled to<br />
wrangle massive packet capture files to<br />
find the evidence they need within them.<br />
Packet capture has also mainly been used<br />
by senior security analysts with deep<br />
experience in packet forensics. How can<br />
we change things, so that even junior<br />
analysts can quickly find the data they need,<br />
get to relevant packets from alerts in their<br />
relevant tools and extract value from full<br />
packet data?<br />
ACCESS THE ACTUAL CONTENT OF<br />
NETWORK CONVERSATIONS<br />
Modern packet capture solutions have<br />
matured significantly. Companies are now<br />
deploying distributed, full packet capture<br />
solutions that provide the evidence needed<br />
to accelerate investigation and response<br />
times.<br />
They've moved beyond relying on logs and<br />
metadata to recording full packet data,<br />
which lets analysts analyse historical traffic to<br />
investigate threats more closely. This provides<br />
access to files, malware, ransomware,<br />
executables, zip archives, exfiltrated<br />
documents, code downloads and more -<br />
anything attackers use to compromise user<br />
and network security and steal data.<br />
Analysts can also re-analyse recorded<br />
packet data to generate detailed logs -<br />
including DNS, HTTPS, TLS, SMTP, database<br />
transactions, and more - and re-scan<br />
historical traffic using new detection rules to<br />
provide deep contextual insight into network<br />
activity.<br />
ACCELERATING INVESTIGATION<br />
AND RESPONSE<br />
Many organisations' previous experience<br />
with packet capture was that it was<br />
challenging both to accurately record and<br />
manage large volumes of data at high-speed<br />
- and then time-consuming to locate the<br />
specific data that is needed for an<br />
investigation.<br />
However, modern packet capture solutions<br />
are scalable, and can cost-effectively record<br />
weeks to months of history. They enable<br />
analysts to find packets of interest quickly<br />
and easily and integrate that critical evidence<br />
into workflows and investigations. Scalable<br />
solutions can provide always-on recording<br />
at today's fast network speeds (10 Gbps up<br />
to 100 Gbps or more) and deep storage<br />
capacity - giving analysts time to go back<br />
and investigate historical events.<br />
Analysts can search/data-mine recorded<br />
data to find and analyse relevant packets<br />
quickly from within what may be petabytes<br />
of data. Integration with a wide variety of<br />
cybersecurity solutions makes it possible to<br />
'pivot' in-context from an alert in a security<br />
or performance monitoring tool directly to<br />
the relevant packets. This speeds up and<br />
streamlines the investigation process and can<br />
also enable the automation of common<br />
evidence collection and analysis tasks (eg,<br />
using SOAR tools).<br />
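An added example, not Endace's software, of the two workflows described above: pivoting from an alert timestamp into a window of recorded packets, and regenerating a DNS query log from those packets. It builds a small classic-pcap capture in memory from constructed hosts, names and times, so it runs offline:<br />

```python
"""Pivot from an alert timestamp into recorded packets and regenerate a DNS
query log from them: the alert-to-packets and re-analysis workflows described
above. Added illustration, not Endace code; the capture is built in memory as
a classic libpcap file (Ethernet link type) from invented sample values."""
import struct
from datetime import datetime, timezone


def _dns_query_frame(src_ip, dst_ip, qname, txid):
    """Constructed Ethernet/IPv4/UDP frame carrying one DNS A query."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00"
    dns += struct.pack("!HH", 1, 1)                               # QTYPE A, QCLASS IN
    udp = struct.pack("!HHHH", 54321, 53, 8 + len(dns), 0) + dns   # checksum left 0
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes(map(int, src_ip.split("."))),
                         bytes(map(int, dst_ip.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + udp              # MACs zeroed


def build_pcap(records):
    """records: iterable of (unix_timestamp, frame_bytes) -> pcap file bytes."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # link type 1 = Ethernet
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_packets(pcap):
    """Yield (timestamp, frame_bytes) for each record in a classic pcap."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, incl, _orig = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield sec + usec / 1_000_000, pcap[off:off + incl]
        off += incl


def parse_dns_query(frame):
    """Return (src_ip, dst_ip, qname) for an IPv4/UDP DNS query frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    if frame[23] != 17:                                           # IP protocol 17 = UDP
        return None
    udp = 14 + (frame[14] & 0x0F) * 4                             # skip IP options if any
    if len(frame) < udp + 8 + 12:                                 # UDP header + DNS header
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    _sport, dport = struct.unpack_from("!HH", frame, udp)
    flags, = struct.unpack_from("!H", frame, udp + 10)
    if dport != 53 or flags & 0x8000:                             # not a query to port 53
        return None
    pos, labels = udp + 20, []
    while pos < len(frame) and frame[pos] != 0:
        n = frame[pos]
        if n & 0xC0:                                              # compression pointer: bail out
            return None
        labels.append(frame[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return src, dst, ".".join(labels)


def dns_log_around_alert(pcap, alert_ts, window_s, host_ip=None):
    """Regenerate DNS query log rows within +/- window_s of alert_ts, optionally for one host."""
    rows = []
    for ts, frame in iter_packets(pcap):
        if abs(ts - alert_ts) > window_s:
            continue
        parsed = parse_dns_query(frame)
        if parsed is None or (host_ip and parsed[0] != host_ip):
            continue
        rows.append((datetime.fromtimestamp(ts, timezone.utc).isoformat(),) + parsed)
    return rows


# Constructed sample capture: four DNS queries spread over fifteen minutes.
_T0 = 1651500000.0
SAMPLE_PCAP = build_pcap([
    (_T0,       _dns_query_frame("10.0.0.5", "10.0.0.53", "portal.example.test", 0x1001)),
    (_T0 + 30,  _dns_query_frame("10.0.0.5", "10.0.0.53", "update.example-sync.test", 0x1002)),
    (_T0 + 32,  _dns_query_frame("10.0.0.7", "10.0.0.53", "cdn.example.test", 0x1003)),
    (_T0 + 900, _dns_query_frame("10.0.0.5", "10.0.0.53", "mail.example.test", 0x1004)),
])
ALERT_TS = _T0 + 31   # e.g. an endpoint alert raised on host 10.0.0.5

if __name__ == "__main__":
    for row in dns_log_around_alert(SAMPLE_PCAP, ALERT_TS, 60, host_ip="10.0.0.5"):
        print(*row)
```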
EASY EXTRACTION AND<br />
ANALYSIS OF DATA<br />
Analysts can also extract and analyse useful<br />
information from packet data easily - such<br />
as reassembling files or generating detailed<br />
analysis logs - without needing deep packet<br />
analysis expertise.<br />
Recorded packet history can be easily<br />
and quickly reviewed for incident response,<br />
threat-hunting or troubleshooting network<br />
or application performance issues. Network-wide<br />
packet capture can be enabled using a<br />
scalable fabric with multiple capture points,<br />
which can be centrally searched and<br />
managed.<br />
With these improvements and more, the<br />
next generation of packet capture solutions<br />
can provide the gold standard for<br />
understanding the threats traversing<br />
networks and resolving IT operational or<br />
performance issues.<br />
ethical hacking<br />
HACKING GETS BACKING!<br />
UNIVERSITY ETHICAL CHALLENGE PLATFORM WINS GOVERNMENT<br />
BACKING TO PREPARE FOR LAUNCH INTO COMMERCIAL MARKET<br />
A unique and innovative cyber security<br />
hacking and education platform -<br />
created by academics at Leeds Beckett<br />
University - has received government funding<br />
to help prepare it to launch into the<br />
commercial market.<br />
Hacktivity Cyber Security Labs is a virtual lab<br />
environment, allowing computing students<br />
to remotely log into virtual machines (VMs)<br />
and receive randomly generated security or<br />
ethical hacking challenges, individualised to<br />
each user. The platform features hands-on<br />
tasks, league tables, progress monitoring<br />
dashboards, and instant feedback and<br />
challenges through a chatbot.<br />
Dr Z. Cliffe Schreuders, reader in Computer<br />
Security and Director of the Cybercrime and<br />
Security Innovation Centre at Leeds Beckett,<br />
designed the Hacktivity platform. "Hacktivity<br />
is the product of nine years of academic<br />
research and development," he says.<br />
"Creating hacking challenges for our<br />
students helps them to put theory into<br />
practice. We want to make it fun and<br />
engaging to learn cyber security - so we have<br />
been developing a lot of our own software<br />
and techniques."<br />
The £32,000 funding boost was awarded as<br />
part of Innovate UK's Cyber Academic Startup<br />
Accelerator Programme (CyberASAP),<br />
which aims to help universities commercialise<br />
cyber security research. The academic team<br />
will receive training to develop a value<br />
proposition, carry out market research and<br />
investigate the pathways to commercialising<br />
the platform. The team will then pitch for<br />
further stages of funding, to begin working<br />
with partner organisations and carry out<br />
further research and development.<br />
"CyberASAP is a great opportunity to learn<br />
from experts how we can commercialise our<br />
state-of-the-art platform, grow its user-base<br />
outside of the university and fund its<br />
continued growth," continues Schreuders,<br />
"including further technical development and<br />
content creation. Hacktivity is a unique and<br />
useful resource, and has had a great impact<br />
on our students. Our open-source framework,<br />
SecGen, is already used by many<br />
internationally and there is potential for so<br />
many more people to gain from what we<br />
have developed - from security professionals<br />
to other universities and employers."<br />
There are several unique features that<br />
Hacktivity provides in comparison to other<br />
existing platforms, according to Paul Doney,<br />
head of Subject for Computing at Leeds<br />
Beckett. "Most hacking challenges involve<br />
manually setting up a challenge, which you<br />
would use once, and each student would<br />
have the exact same challenge. Our software<br />
creates and automates that process and<br />
makes it interesting by randomising it, so<br />
that each student has a uniquely configured<br />
system and problem and a unique<br />
experience. We also have Hackerbot<br />
automated chatbots which present hacking<br />
and defensive challenges and carry out real<br />
attacks."<br />
Hacktivity has a large library of content. It<br />
has all been mapped to the Cyber Security<br />
Body of Knowledge (CyBOK), the national<br />
Body of Knowledge informing and<br />
underpinning education and professional<br />
training for the cyber security sector. It<br />
challenges students' skills on areas including<br />
systems security and defensive controls,<br />
web and network security, ethical hacking<br />
and penetration testing, malware analysis,<br />
software exploitation, and incident response<br />
and investigation.<br />
Last year, Leeds Beckett University's BSc<br />
(Hons) and MSc Cyber Security degree<br />
courses received accreditation from the<br />
National Cyber Security Centre (NCSC), the<br />
UK's leading technical authority on cyber<br />
security. It is one of only nine universities in<br />
the UK to be awarded the accreditation for<br />
an undergraduate degree.<br />
ransomware<br />
RANSOMCLOUD: HOW RANSOMWARE<br />
IS ATTACKING THE CLOUD<br />
JOHN TIPTON, SENIOR SECURITY CONSULTANT AT ADARMA, LOOKS AT THE DEEPLY CONCERNING IMPACT<br />
RANSOMWARE IS NOW MAKING, ESPECIALLY WITH THE EMERGENCE OF 'RANSOMCLOUD'<br />
John Tipton, Adarma<br />
Within the mob of malware,<br />
ransomware appears to be leading<br />
the pack. While other malicious<br />
software - such as viruses, worms, spyware,<br />
and adware - ransack computer systems,<br />
ransomware goes further by making<br />
demands. It infiltrates computers and servers<br />
with intention, encrypting files and data<br />
along the way; thus, rendering devices<br />
unusable. Once satisfied, the operators<br />
behind the attack will insist that a hefty sum<br />
is paid up in return for the decryption key.<br />
It's the age-old tactic of extortion, but re-enacted<br />
in the digital world. Now that our<br />
everyday lives have become highly dependent<br />
on the internet, the playing field for this<br />
particular strain of malware has expanded<br />
immeasurably. At the same time, cybersecurity<br />
threats are growing - in 2020, malware and<br />
ransomware attacks increased by 358%<br />
and 435% respectively - and are outpacing<br />
societies'<br />
Though ransomware may have<br />
started as an operation of opportunity, it<br />
has since become an established criminal<br />
enterprise in its own right. And in the same<br />
way a legitimate business might adapt and<br />
evolve to remain competitive in the market,<br />
threat actors leveraging ransomware are<br />
doing the same. The mass shift to the cloud<br />
is a prime example of this.<br />
Cloud migration is not a new phenomenon,<br />
but it has certainly been expedited by the<br />
pandemic. In an effort to maintain business<br />
continuity, companies have transferred their<br />
digital assets and operations to a cloud<br />
computing environment; minimising or even<br />
eliminating the use of on-premise databases.<br />
In other words, software, services and<br />
databases can now be accessed via the<br />
internet. Among a host of other benefits,<br />
cloud computing has enabled companies to<br />
be more flexible and mobile, while improving<br />
collaboration efficiency. It has also facilitated<br />
scalability and reduced overall IT costs.<br />
Unfortunately, cybercriminals have recognised<br />
this shift and the valuable data now held<br />
within the cloud; leading to 'Ransomcloud'<br />
attacks. Such attacks occur through three key<br />
methods: File sync piggybacking, remote<br />
connection with stolen credentials and<br />
attacking the cloud provider. Here is how<br />
these approaches work.<br />
FILE SYNC PIGGYBACKING<br />
The first type of ransomcloud attack leverages<br />
the common attack vector of phishing to<br />
infect the victim's local computer. Contrary<br />
to popular belief, the malicious attachment<br />
or link included in the email often does not<br />
contain the malware payload. Rather, it<br />
delivers a small program that runs stealthily<br />
in the background, and it is this program<br />
that will then install the malware.<br />
Once in the system, the malware will<br />
disguise itself as a pop-up permission request<br />
from trusted software, such as an anti-virus<br />
scan request. Once the user approves it, the<br />
malware is activated and can disseminate itself:<br />
not just on the local computer, but across the<br />
network to any machine or server it may be<br />
connected to. As it spreads, threat actors will<br />
be on the lookout for a file sync service<br />
interacting with a cloud service. When it has<br />
been identified, the ransomware piggybacks<br />
on the file sync allowing threat actors to<br />
access, infect and encrypt data in the cloud.<br />
Of course, should the organisation have<br />
measures such as air gapping in place,<br />
ransomware may be unable to compromise<br />
a route to the cloud and settle on local<br />
infection instead. It's no wonder then that<br />
we are witnessing a rise in the use of Google<br />
Drive, Slack, Microsoft Teams etc. to distribute<br />
malicious software. These applications sit<br />
between the cloud and on-premise devices,<br />
syncing relevant files as appropriate. Once<br />
compromised, it becomes incredibly difficult<br />
to reverse the impact. This is where Advanced<br />
Cloud Access Security Broker (CASB) tools<br />
prove useful as they sit between the on-premise<br />
and cloud infrastructures, vetting<br />
the traffic between them.<br />
REMOTE CONNECTION WITH STOLEN<br />
CREDENTIALS<br />
The second tactic sees threat actors monitor<br />
network connections for authentication<br />
attempts. They will then capture the user's<br />
cloud credentials; usually, by presenting a fake<br />
login portal masquerading as the real cloud<br />
platform. By tracking the keystrokes on the<br />
infected local computer, connection details<br />
can be copied to a remote computer and<br />
automatically entered into the real cloud<br />
platform from there. As the local malware<br />
captures the keystrokes and passes this on to<br />
the remote computer, cybercriminals can gain<br />
entry to the cloud via simultaneous login,<br />
potentially bypassing two-factor<br />
authentication methods that ask for a code,<br />
as the user would type this in also. Now, they<br />
have a connection to the cloud from their<br />
own computer and gain as much or as little<br />
access as the cloned user, depending on their<br />
privilege level.<br />
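An added detection example (not Adarma's tooling; the sign-in log format and every entry in it are constructed) for the simultaneous-login pattern described above: the same account succeeding from two source addresses seconds apart, which is what a relayed password and one-time code looks like in an identity provider's log:<br />

```python
"""Detect the 'simultaneous login' pattern described above: one account
completing authentication from two different source addresses within seconds
of each other, as happens when a keylogged password and one-time code are
replayed from an attacker's machine.

Added illustration, not Adarma's tooling. The log format and entries are
constructed sample data.
"""
import re
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>\S+)"
    r"\s+src=(?P<src>\S+)\s+mfa=(?P<mfa>\S+)$"
)


def parse_line(line):
    """Return a dict for one sign-in record, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def find_concurrent_logins(lines, window_s=120):
    """Alerts for successful sign-ins by one user from two different source IPs
    within window_s seconds. Failures are ignored, and repeats from the same
    address (a user simply re-authenticating) are not flagged."""
    by_user = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["result"] != "success":
            continue
        by_user.setdefault(rec["user"], []).append(rec)

    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            for second in recs[i + 1:]:
                delta = (second["ts"] - first["ts"]).total_seconds()
                if delta > window_s:
                    break                 # sorted: later records are further away still
                if second["src"] != first["src"]:
                    alerts.append({
                        "user": user,
                        "first_src": first["src"],
                        "second_src": second["src"],
                        "delta_s": delta,
                        "mfa": (first["mfa"], second["mfa"]),
                    })
    return alerts


# Constructed sample sign-in log: alice shows the relayed-login pattern,
# bob's two successes are hours apart, carol re-authenticates from one address.
SAMPLE_LOG = """\
2022-05-10T09:14:02Z user=alice result=success src=10.20.3.4 mfa=otp
2022-05-10T09:14:19Z user=alice result=success src=198.51.100.23 mfa=otp
2022-05-10T09:20:00Z user=bob result=failure src=203.0.113.8 mfa=none
2022-05-10T09:21:10Z user=bob result=success src=203.0.113.8 mfa=otp
2022-05-10T11:05:30Z user=bob result=success src=10.20.3.9 mfa=otp
2022-05-10T12:00:00Z user=carol result=success src=10.20.4.4 mfa=otp
2022-05-10T12:00:40Z user=carol result=success src=10.20.4.4 mfa=otp
""".splitlines()

if __name__ == "__main__":
    for alert in find_concurrent_logins(SAMPLE_LOG):
        print(alert)
```

Phishing-resistant authenticators (FIDO2/WebAuthn) remove the relayable code this technique depends on; the detection above is for accounts still relying on typed OTPs.<br />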
ATTACKING THE CLOUD PROVIDER<br />
Last but not least, a ransomcloud attack<br />
could arise by targeting the cloud provider<br />
directly. This is the most damaging of<br />
methods and most lucrative for the attacker,<br />
because, if they are successful, it would mean<br />
they have compromised the entire cloud<br />
platform. In short, they could demand<br />
ransoms from some or all customers of the<br />
compromised service.<br />
Consider Microsoft Azure cloud. In August<br />
2021, Microsoft was notified of a vulnerability<br />
in their Azure Cosmos Database. The vulnerability,<br />
an issue identified within Jupyter<br />
Notebooks, enabled the perpetrator to<br />
escalate privileges and move laterally across<br />
the Microsoft cloud. Although it was quickly<br />
rectified and there were no reported incidents<br />
of ransomware, it does highlight the risk.<br />
Having now investigated the ways in which<br />
the cloud could be compromised, we might<br />
then ask who bears the responsibility of<br />
maintaining its security. The truth of the<br />
matter is the responsibility is shared. Cloud<br />
vendors, businesses or their managed service<br />
providers and even individual employees all<br />
have a role to play, though it may flex<br />
depending on how the business consumes<br />
cloud services. For instance, a cloud provider will<br />
bear greater responsibility for businesses<br />
who adopt serverless computing. Conversely,<br />
the business will own a greater degree of<br />
responsibility if they utilise an Infrastructure<br />
as a Service (IaaS) model. One must simply<br />
establish who is responsible for what early in<br />
the cloud migration process.<br />
Nevertheless, it is important to remember<br />
that a business is always responsible for its<br />
data; regardless of where it is hosted. With<br />
that said, they need to be attentive to their<br />
permissive policies, insider threats, phishing<br />
campaigns and leaked credentials. The best<br />
way to combat some of these challenges is<br />
to adopt best-practice measures, like<br />
following the principle of least privilege to<br />
limit the damaging actions that may transpire<br />
should a cloud account be hacked. It also<br />
means investing in security awareness training<br />
to curb successful phishing attempts.<br />
Businesses must also ensure they have clear<br />
visibility of their cloud environments, so they<br />
can detect and remediate issues sooner,<br />
rather than later.<br />
special focus<br />
ABSOLUTE ZERO<br />
ORGANISATIONS ARE STARTING TO SWITCH FROM A MODEL BASED ON 'TRUST ANYONE AND ANYTHING<br />
INSIDE THE NETWORK' TO A 'TRUST NO ONE AND NOTHING' ARCHITECTURE. BRIAN WALL REPORTS<br />
Zero Trust has become an ever-growing<br />
mantra across the security community,<br />
but what exactly does it mean?<br />
According to Cloudflare, Zero Trust is an IT<br />
security model that requires strict identity<br />
verification for every person and device<br />
trying to access resources on a private<br />
network, "regardless of whether they are<br />
sitting within or outside of the network<br />
perimeter". ZTNA - Zero Trust Network<br />
Access - is the main technology associated<br />
with Zero Trust architecture; but Zero Trust<br />
is a holistic approach to network security<br />
that incorporates several different principles<br />
and technologies.<br />
"More simply put," states Cloudflare,<br />
"traditional IT network security trusts anyone<br />
and anything inside the network. A Zero<br />
Trust architecture trusts no one and<br />
nothing. Traditional IT network security is<br />
based on the castle-and-moat concept. In<br />
castle-and-moat security, it is hard to obtain<br />
access from outside the network, but<br />
everyone inside the network is trusted by<br />
default. The problem with this approach is<br />
that once an attacker gains access to the<br />
network, they have free rein over everything<br />
inside."<br />
This vulnerability in castle-and-moat<br />
security systems is exacerbated by the fact<br />
that companies no longer have their data in<br />
just one place, it adds. "Today, information<br />
is often spread across cloud vendors, which<br />
makes it more difficult to have a single<br />
security control for an entire network. Zero<br />
Trust security means that no one is trusted<br />
by default from inside or outside the<br />
network and verification is required from<br />
everyone trying to gain access to resources<br />
on the network. This added layer of security<br />
has been shown to prevent data breaches.<br />
Studies have shown that the average cost<br />
of a single data breach is over $3 million.<br />
Considering that figure, it should come as<br />
no surprise that many organisations are<br />
now eager to adopt a Zero Trust security<br />
policy."<br />
Meanwhile, Cloudflare is integrating its<br />
Zero Trust platform with CrowdStrike Falcon<br />
Zero Trust Assessment (ZTA) to ensure<br />
employees have secure access to<br />
applications wherever they are working.<br />
"Every business needs to protect users and<br />
teams, no matter where they are or how<br />
they're working," says John Graham-<br />
Cumming, chief technology officer at<br />
Cloudflare. "Cloudflare's Zero Trust platform<br />
delivers comprehensive protection to<br />
organisations of all sizes. Now we're<br />
making it even easier for joint customers<br />
of Cloudflare and CrowdStrike to benefit<br />
from new combined security features for<br />
the connect-from-anywhere economy."<br />
According to Zeki Turedi, CTO EMEA,<br />
CrowdStrike, it's natural for leaders to be<br />
complacent when a situation seems<br />
business-as-usual. But can a state of<br />
constant attack from adversaries,<br />
particularly when sheltered by national<br />
authorities, really be judged that way?<br />
"Moving to a strong state of cybersecurity<br />
preparedness is the only way organisations<br />
can control their fate," he states. "Best<br />
practices and technology constantly evolve,<br />
and working towards a Zero Trust policy<br />
and technology initiative is part of the<br />
strongest defences we have. It's the way<br />
businesses can take control of their risk-readiness."<br />
HOT TOPIC, BUT NO SILVER BULLET<br />
Zero Trust is without doubt the hottest topic<br />
in cybersecurity right now, and certainly<br />
presents a way for organisations to rethink<br />
their approach to trust and secure<br />
access to apps, networks and data.<br />
However, like all models, it's not a silver<br />
bullet, cautions Neil Langridge, marketing<br />
director, e92plus, and for many<br />
organisations highlights significant<br />
challenges to be overcome before it can<br />
be deemed a success.<br />
"First, Zero Trust is often effectively used<br />
for a grouping of products, rather than a<br />
strategy, because it's those cybersecurity<br />
products that form the actual defences.<br />
This means that the success of the Zero<br />
Trust strategy ends where those products<br />
end, not where the company needs it [as<br />
they are third party the company doesn't<br />
control or legacy software that could have<br />
critical vulnerabilities, but are business-essential<br />
and can't be simply replaced].<br />
"Secondly, that's compounded by having<br />
multiple vendors involved with their own<br />
definition of Zero Trust or consolidated to<br />
one single vendor, which is not just hard<br />
for a comprehensive, layered cybersecurity<br />
strategy but also presents its own risk with<br />
a single point of failure," states Langridge.<br />
"Finally, there's the cost and implementation<br />
- Zero Trust reverses the usual<br />
approach of allowing access and then<br />
controlling it, so can easily impact<br />
productivity as the IT learns what's<br />
essential and what's not, and sprawl can<br />
quickly happen as those lessons are learnt.<br />
It could even result in lower security to<br />
balance out the need for productivity in<br />
the short term."<br />
Nothing is non-negotiable, he adds,<br />
and, if the CEO can't connect his corporate<br />
laptop to his personal printer at home<br />
for something urgent, then red lines can<br />
become quickly blurred!<br />
"In terms of practical steps, the ideal<br />
approach would be to build from the<br />
ground up - but that's invariably not<br />
practical, in terms of overhauling strategy,<br />
processes and technology. We're seeing<br />
most engagement in the enterprise, but,<br />
as it filters down to smaller organisations,<br />
the focus is often on particular sections<br />
of a business, technology areas or newer<br />
deployments to start with. This means that<br />
Zero Trust is a guiding principle or best<br />
practice, but avoids consuming all focus<br />
and slowing down the realities of ensuring<br />
technology is keeping a business running,<br />
balanced against the promises that digital<br />
transformation brings."<br />
ACCELERATING MOMENTUM<br />
The pandemic has caused the existing<br />
momentum for Zero Trust to accelerate, as<br />
the approach aligns with the technological<br />
and cultural evolution taking place within<br />
organisations, points out Laurence Pitt,<br />
security strategist, Juniper Networks.<br />
"With hybrid work fully in swing, the<br />
workforce is now distributed across<br />
multiple locations, expanding the network<br />
perimeter far beyond the traditional<br />
confines of an organisation.<br />
"As employees<br />
work from home, the door to network<br />
vulnerabilities is being opened by higher<br />
numbers of non-managed, mobile,<br />
Internet of Things [IoT] and other<br />
connected devices.<br />
"Organisations now have an extensible<br />
edge, extending to wherever data users<br />
are located. Even prior to the pandemic,<br />
the growth of technologies like IoT and<br />
5G meant data was increasingly being<br />
generated, processed and consumed at<br />
the edge of the network. Applications,<br />
workloads and data are anywhere and<br />
everywhere, spanning multiple clouds<br />
and multiple locations, rather than being<br />
confined to the corporate data centre."<br />
Therefore, to truly secure the data centre,<br />
organisations must consistently and<br />
reliably secure applications everywhere<br />
and anywhere. However, as the surface<br />
vulnerable to attack continues to expand,<br />
gaps in visibility and protection are<br />
widening, and companies are often forced<br />
to bolt on multiple, disconnected tools to<br />
see and secure everything, advises Pitt.<br />
"As organisations realise that inherently<br />
trusting internal users, networks and<br />
systems is no longer a viable option,<br />
Zero Trust is gaining traction. Its guiding<br />
principle is the belief that user and device<br />
identity must be authenticated every time<br />
to access a network and anything on it,<br />
such as business applications, servers or<br />
other devices.<br />
"By using controls to create micro<br />
perimeters around critical data, applications<br />
and services, IT teams can ensure that only<br />
known, allowed traffic and applications<br />
have access to assets. With a Zero Trust<br />
architecture, IT professionals can set<br />
controls close to the protected assets,<br />
preventing unauthorised access and<br />
potential exfiltration of sensitive, valuable<br />
data," he says.<br />
An extensible edge requires new<br />
architectures that enable users to connect<br />
directly to data wherever they are. In this<br />
case, the secure access service edge (SASE)<br />
is increasingly proposed, in conjunction<br />
with Zero Trust, to safeguard users, their<br />
applications and their infrastructure. SASE<br />
intends to move security from the enterprise<br />
data centre and closer to users and devices.<br />
"It must be noted, however, that SASE isn't<br />
a product - despite what some vendors<br />
might say," points out Pitt. "They may say<br />
that organisations can deploy SASE,<br />
regardless of what else they have on their<br />
network; but SASE is much more than that.<br />
The SASE umbrella can include a collection<br />
of components, such as software-defined<br />
WAN, centralised security management,<br />
zero-trust network access, advanced threat<br />
protection and next-generation firewall<br />
services."<br />
METEORIC RISE IN ATTACKS

The 2022 SonicWall Cyber Threat Report clearly exposes why organisations should always follow a Zero Trust approach to cybersecurity, maintains David Trossell, CEO and CTO of Bridgeworks. Over the course of the last 12 months, the company's threat researchers have noticed what they describe as a "meteoric rise in cyberattacks…across all threat vectors", with significant increases in ransomware [623 million ransomware attacks in 2021, up 105% YoY], cryptojacking, encrypted threats, Internet of Things (IoT) malware and zero-day attacks. Other kinds of cyber-attacks have also been noted - as has a significant increase in activity following the start of the war in Ukraine.

www.computingsecurity.co.uk @CSMagAndAwards May/June 2022 computing security

"These cyber-risks, threats and trends mean that small businesses, government agencies, enterprises and other organisations cannot be complacent," Trossell comments. "Protecting themselves to remain able to operate without downtime is crucial. It's also about protecting their supply chains, their partnerships, their reputations and their customer relationships. All of them should therefore consider cyber-security as being non-negotiable - or face the reckoning of customers, partners and regulators worldwide."

Cybersecurity isn't just about having firewalls, anti-virus software and other measures in place. Organisations, particularly those with large data centres, need to make sure data centres aren't located in the same circles of disruption by setting them far apart. "They ideally need to back up their data in three locations, having a service continuity plan that involves deploying WAN Acceleration solutions to mitigate the effects of latency and packet loss to allow accelerated backups and restores," adds Trossell. This approach can enable the organisation to keep running, even in the face of any type of cyber-attack.

"Furthermore, it's important to create air gaps to protect an organisation's most sensitive data - including personal data - which falls under the EU General Data Protection Regulation (GDPR) and under the UK version of it. By preventing data breaches, organisations can ensure regulatory compliance and forestall any need to pay huge fines: UK GDPR and the Data Protection Act 2018 set a maximum fine of £17.5 million or 4% of annual global turnover. So, by taking a Zero Trust approach, data protection compliance can be achieved, data secured and penalties like this avoided."

The challenge, he says, is that data volumes are increasing exponentially - and this can become a major issue, whether an organisation is backing up its data, restoring it after a ransomware attack or doing it for indexing purposes to comply with regulations, such as GDPR. Doing all this over Wide Area Networks (WANs) can be both slow and expensive. Slow, because WANs are often impacted by latency and packet loss; issues that WAN Optimisation can't adequately mitigate. "It also can't handle encrypted data, making data security a concern. SD-WANs are a good option, but they also need a boost and this can be achieved with a WAN Acceleration overlay - making it harder for hackers to divert data traffic, while providing a supporting platform for a Zero Trust approach to effective cybersecurity."
WIDENING THE ATTACK VISTA

As Dave Waterson, CEO, SentryBay, confirms, hybrid working has pushed up the number of companies that have adopted bring-your-own-device (BYOD) models. While this has the advantage of helping them to control, even reduce, capital expenditure on hardware, it also has the potential to leave organisations even more wide open to cybersecurity attacks.

"The problem lies in the lack of control over employees' home PCs, laptops or mobile phones, many of which may not be adequately protected by up-to-date and appropriate security. The pandemic saw a rapid increase in malicious cyber activity, with attacks including keylogging, screen scraping, infiltration of browsers, file interception and RDP double-hop events, and the effect can be devastating to companies.

"One way of combatting the risk is by adopting Zero Trust," he states. "This means that anybody and any device that wants to connect with an organisation's network, whether it's on-premise, in the cloud or across a hybrid IT set-up, must first be verified before it - or they - can be allowed access to data, applications or platforms," he adds.

He also reiterates how Zero Trust is not a technology, but an approach, and requires a serious commitment to implement successfully. "Building Zero Trust into an organisation's IT and security strategy must be done in manageable stages and the first step for security teams is to elevate the company's security posture. A layered defence helps to ensure that attacks can be foiled by a second measure, even if they get past a first, so it's best to use a set of solutions that provide a common security baseline. Even better, if they are fit for purpose, wrap data and applications in a secure container, and do this without regard for the status or type of device that the employee is using."
KEY SHIFT IN FOCUS

Paul German, CEO, Certes Networks, hails a new set of standards relating to Zero Trust. "Until recently, the debate around Zero Trust has remained, in my view, focused solely on authenticating the user within the system, rather than taking a more holistic approach and looking at user authentication and access to sensitive data using protected micro-segments. This concept has changed with NIST's [US National Institute of Standards and Technology] Special Publication [SP 800-207]; no longer is the network the focus of Zero Trust, finally it is the data that traverses the network."

At its core, NIST's Special Publication decouples data security from the network, he continues. "Its key tenets of policy definition and dynamic policy enforcement, micro-segmentation and observability offer a new standard of Zero Trust Architecture (ZTA), for which today's enterprise is responsible. Under NIST's Zero Trust standards, access to individual enterprise resources is granted on a per-session basis, based on a combination of component relationships, such as the observable state of client identity, application/service and the requesting asset - and may include other behavioural and environmental attributes - with operational policy enforcement."

Authentication and authorisation to one resource does not grant access to another resource, he points out.

"It is also dynamic, requiring a constant cycle of obtaining access, scanning and assessing threats, adapting and continually re-evaluating trust in ongoing communication," states German. "Moreover, cybersecurity best practice demands that, by creating fine-grain policies, authentication and authorisation are done on a 'per-packet' basis, only allowing access to the resources required."
ZERO-DAY VULNERABILITIES EXPLOITED

By the end of 2021, Mandiant Threat Intelligence had identified 80 zero-days exploited in the wild, more than double the previous record volume in 2019. State-sponsored groups continue to be the primary actors exploiting zero-day vulnerabilities, led by Chinese groups, says the company's James Sadowski. "The proportion of financially motivated actors - particularly ransomware groups - deploying zero-day exploits also grew significantly, and nearly 1 in 3 identified actors exploiting zero-days in 2021 was financially motivated. We suggest that a number of factors contribute to growth in the quantity of zero-days exploited. For example, the continued move toward cloud hosting, mobile and Internet-of-Things (IoT) technologies increases the volume and complexity of systems and devices connected to the internet - put simply, more software leads to more software flaws."

The expansion of the exploit broker marketplace also likely contributes to this growth, adds Sadowski, with more resources being shifted toward research and development of zero-days, both by private companies and researchers, as well as threat groups. "Finally, enhanced defences also likely allow defenders to detect more zero-day exploitation now than in previous years and more organisations have tightened security protocols to reduce compromises through other vectors."

Significant campaigns based on zero-day exploitation are increasingly accessible to a wider variety of state-sponsored and financially motivated actors, including as a result of the proliferation of vendors selling exploits and sophisticated ransomware operations potentially developing custom exploits. "The marked increase in exploitation of zero-day vulnerabilities, particularly in 2021, expands the risk portfolio for organisations in nearly every industry sector and geography," Sadowski adds. "While exploitation peaked in 2021, there are indications that the pace of exploitation of new zero-days slowed in the latter half of the year; however, zero-day exploitation is still occurring at an elevated rate, compared to previous years."

John Graham-Cumming, Cloudflare: every business needs to protect users and teams, no matter where they are or how they're working.
PROFOUND PROBLEM

Business complacency has become a profound problem for security, says Brian Foster, chief product officer, ReliaQuest. "It's that kind of attitude which prevents an organisation from spotting the gaps which attackers exploit. Zero Trust stops this security complacency, because it takes many of these key security questions out of human hands."

Traditional security architectures have a binary vision of trust. "Those outside of the network perimeter are considered untrustworthy and those on the inside are trusted. However, once that wall is passed, security controls often stop and the supposedly trustworthy entity is given free rein of the corporate network. That's why cybercriminals have focused on, and have become so good at, getting past perimeter defences."

Zero Trust architecture embeds security controls throughout the network and continuously ensures that entities on that network can be trusted. "While there is no single product that enables Zero Trust, there are a number of architectural elements that make Zero Trust possible," adds Foster.

Asset Discovery: "Zero Trust architectures must first have a command over all the assets that sit within an enterprise's environment and be able to map network transaction flows."

Data Classification and Access Management: "Zero Trust portions out access according to the potential risk of that interaction. More sensitive assets - such as classified or personally identifiable information - will need higher levels of protection and more restricted access."

Continuous Monitoring and Automation: "Zero Trust architectures are constantly verifying the security of the entities within the network," Foster points out. "It ensures this hygiene by using multiple factors of identification and continuous monitoring to ensure that trust is maintained and that those entities are not behaving suspiciously."
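The per-session, per-resource decision German describes under NIST SP 800-207, and the risk-tiered access and continuous re-verification Foster lists under data classification and continuous monitoring, can be made concrete. What follows is an added example written for this page, not code from Certes Networks, ReliaQuest or NIST: a small policy engine and enforcement point in Python. Every request is evaluated against subject identity, MFA freshness, device posture and the resource's sensitivity tier; the caller's network location is recorded but never consulted; a grant to one resource carries nothing over to another; and a session is revoked as soon as a re-check fails. The class and attribute names, the thresholds and the sample users, devices and resources are assumptions for illustration.

```python
"""Per-request Zero Trust access decision: a policy engine plus enforcement
point, in the spirit of the NIST SP 800-207 split quoted above.

Added illustration, not code from Certes Networks, ReliaQuest or NIST.
The data classes, attribute names, thresholds and sample data are assumptions
for the example; a real deployment would source them from an identity
provider, an MDM/EDR agent and an asset inventory."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Subject:
    user: str
    authenticated: bool
    mfa_at: Optional[datetime]      # time of the last strong (MFA) authentication
    groups: frozenset


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool                   # enrolled in and attested by MDM/EDR
    patch_age_days: int             # days since the last patch run
    on_corporate_lan: bool          # recorded, never consulted: location grants nothing


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str                # "internal" or "restricted"
    allowed_groups: frozenset


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


# Risk-tiered thresholds (assumed values): the more sensitive the resource,
# the fresher the MFA and the newer the patch level must be.
MFA_MAX_AGE = {"internal": timedelta(hours=12), "restricted": timedelta(hours=1)}
PATCH_MAX_AGE_DAYS = {"internal": 30, "restricted": 7}


def evaluate(subject: Subject, device: Device, resource: Resource, now: datetime) -> Decision:
    """Policy engine: decide one subject/device/resource triple at time `now`.
    Every check must pass and the caller's network position is never looked at;
    a pass here says nothing about any other resource."""
    if not subject.authenticated:
        return Decision(False, "subject not authenticated")
    if not (subject.groups & resource.allowed_groups):
        return Decision(False, f"{subject.user} not entitled to {resource.name}")
    max_age = MFA_MAX_AGE[resource.sensitivity]
    if subject.mfa_at is None or now - subject.mfa_at > max_age:
        return Decision(False, f"MFA older than {max_age} for {resource.sensitivity} resource")
    if not device.managed:
        return Decision(False, f"device {device.device_id} is unmanaged")
    if device.patch_age_days > PATCH_MAX_AGE_DAYS[resource.sensitivity]:
        return Decision(False, f"device {device.device_id} patch level too old")
    return Decision(True, "all policy checks passed")


class EnforcementPoint:
    """Policy enforcement point: re-runs the engine on every request (continuous
    re-evaluation) and tracks one session per (user, device, resource).
    A failed re-check revokes that session and no other."""

    def __init__(self) -> None:
        self._sessions: Set[Tuple[str, str, str]] = set()

    def request(self, subject: Subject, device: Device, resource: Resource, now: datetime) -> Decision:
        key = (subject.user, device.device_id, resource.name)
        decision = evaluate(subject, device, resource, now)
        if decision.allow:
            self._sessions.add(key)
        else:
            self._sessions.discard(key)     # posture no longer acceptable: revoke
        return decision

    def active_sessions(self) -> frozenset:
        return frozenset(self._sessions)


# Constructed sample data (not from the article).
NOW = datetime(2022, 5, 7, 9, 0, tzinfo=timezone.utc)
ALICE = Subject("alice", True, NOW - timedelta(minutes=10), frozenset({"finance"}))
LAPTOP = Device("lt-001", managed=True, patch_age_days=3, on_corporate_lan=False)
KIOSK = Device("kiosk-7", managed=False, patch_age_days=0, on_corporate_lan=True)
PAYROLL = Resource("payroll-db", "restricted", frozenset({"finance"}))
WIKI = Resource("eng-wiki", "internal", frozenset({"engineering"}))


def demo() -> dict:
    """Walk through the scenarios in order and return every decision."""
    pep = EnforcementPoint()
    return {
        "payroll_from_laptop": pep.request(ALICE, LAPTOP, PAYROLL, NOW),
        "wiki_from_laptop": pep.request(ALICE, LAPTOP, WIKI, NOW),          # other resource: no carry-over
        "payroll_from_lan_kiosk": pep.request(ALICE, KIOSK, PAYROLL, NOW),   # on the LAN, still unmanaged
        "sessions_after_grant": pep.active_sessions(),
        "payroll_two_hours_on": pep.request(ALICE, LAPTOP, PAYROLL, NOW + timedelta(hours=2)),
        "sessions_after_recheck": pep.active_sessions(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The three denials in demo() are the points the text makes: the engineering wiki is refused even though payroll was just granted, the kiosk is refused despite sitting on the corporate LAN, and the payroll grant lapses once the MFA event is older than the restricted tier allows. Posture inputs change underneath a live session, which is why the enforcement point re-runs the engine rather than caching its first answer.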
ZERO TRUST IN ACTION

"To put it plainly, any company that hasn't made itself aware of Zero Trust is essentially being negligent," says Ashley Stephenson, CTO, Corero Network Security, who points out that Zero Trust is often spoken about as if it were a single end-to-end solution. "But that's a misapprehension. The Zero Trust model is a series of design principles which adapt network architectures to both modern threats and modern computing. There are multiple parts to a Zero Trust Architecture and many companies are busily adopting those individual principles, if not the whole package."

When it comes to trusting people, multi-factor authentication (MFA or 2FA) is already a widespread security practice, he adds. "The same goes for biometrics, single sign-on (SSO), and identity and access management (IAM), which increasingly can be found throughout the most popular consumer apps and devices."

When it comes to applications, organisations are beginning to use micro-segmentation, restricting which applications can talk to each other and watching the communications that go on between them.

"For networking, organisations are taking fundamental steps to reorganise how they interact with the open internet. When an IP address shows up at a network port from the internet, that IP address is often considered trustworthy. In most cases, anybody can come to a website without any prior validation or trust assessment at all. That's a big problem when it comes to DDoS attacks, in which a flood of malicious traffic attempts to overpower a targeted website or service.

"As a result, Zero Trust principles are also being used to head off these threats. They're validating the origins of web traffic to make sure it doesn't come from suspicious or spoofed IP addresses; they're also using proxies which could obscure or shield the true IP address, making them harder to target and they're using Captchas to make sure that the entity accessing their website is indeed a human being. Most importantly, they are also inspecting inbound traffic in real time and trying to build rules that can be used to remove untrustworthy or malicious traffic." Zero Trust may soon become non-negotiable, says Stephenson. "The price of entry into the digital market will be some form or elements of Zero Trust embedded within a security architecture."
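Stephenson's last two points, refusing traffic whose origin cannot be genuine and building rules from what is seen inbound, look like this in practice. The block below is an added example, not Corero code: a Python filter run over constructed access-log lines that drops requests from source addresses that cannot legitimately arrive over the internet (private, loopback, link-local and multicast ranges, the usual signature of spoofed flood traffic), rate-limits a source that bursts past a threshold, and then keeps that source on a denylist it built itself. The log format, the thresholds, the address ranges used as stand-ins for public hosts and the sample lines are all assumptions.

```python
"""Rule-based inbound traffic filter over web-server access logs: drop requests
whose source cannot legitimately arrive from the internet (spoofed or
misrouted), rate-limit sources that flood, and keep a denylist built from
what the rules have seen.

Added illustration, not Corero code. The log format, thresholds and log lines
are constructed for the example. The documentation ranges 203.0.113.0/24 and
198.51.100.0/24 stand in for public addresses, so they are deliberately left
off the bogon list."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, List, NamedTuple, Optional, Set, Tuple

# Source ranges that should never show up on an internet-facing port: "this
# network", RFC 1918 private, loopback, link-local, multicast, reserved.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed line format: <ISO-8601 time> <src ip> <method> <path> <status> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


class Request(NamedTuple):
    ts: datetime
    src: str
    method: str
    path: str
    status: int
    user_agent: str


def parse_line(line: str) -> Optional[Request]:
    """Parse one access-log line; None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Request(ts, m.group(2), m.group(3), m.group(4), int(m.group(5)), m.group(6))


class InboundFilter:
    """Stateful rule set: cheap stateless checks first, the per-source sliding
    window last, and a denylist that the rate rule populates as it fires."""

    def __init__(self, window_seconds: int = 10, max_requests: int = 20) -> None:
        self.window = window_seconds
        self.max_requests = max_requests
        self._recent: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.denylist: Set[str] = set()

    def classify(self, req: Request) -> Tuple[str, str]:
        """Return ("allow" | "drop", reason) for one request, in rule order."""
        try:
            ip = ipaddress.ip_address(req.src)
        except ValueError:
            return "drop", "invalid source address"
        if any(ip in net for net in BOGONS):
            return "drop", "bogon or spoofed source"
        if req.src in self.denylist:
            return "drop", "source denylisted"
        window = self._recent[req.src]
        window.append(req.ts)
        while (req.ts - window[0]).total_seconds() > self.window:
            window.popleft()
        if len(window) > self.max_requests:
            self.denylist.add(req.src)          # a rule learned from the traffic itself
            return "drop", "rate limit exceeded"
        return "allow", "passed all rules"


def filter_log(lines, flt: Optional[InboundFilter] = None) -> List[Tuple[str, str, str]]:
    """Run every line through the filter; returns (verdict, reason, src) per line."""
    if flt is None:
        flt = InboundFilter()
    results = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            results.append(("drop", "unparseable line", "-"))
            continue
        verdict, reason = flt.classify(req)
        results.append((verdict, reason, req.src))
    return results


# Constructed sample log: two normal requests, one from a private source that
# cannot have come over the internet, then a 30-request burst from one host.
SAMPLE_LOG = [
    '2022-05-07T10:00:00Z 203.0.113.7 GET /login 200 "Mozilla/5.0"',
    '2022-05-07T10:00:03Z 203.0.113.7 POST /login 302 "Mozilla/5.0"',
    '2022-05-07T10:00:05Z 10.0.0.5 GET / 200 "-"',
] + [
    f'2022-05-07T10:00:{10 + i // 10:02d}Z 198.51.100.9 GET /api/search?q={i} 200 "curl/7.68.0"'
    for i in range(30)
]

if __name__ == "__main__":
    for verdict, reason, src in filter_log(SAMPLE_LOG):
        print(f"{verdict:5} {src:15} {reason}")
```

The rule order matters: the bogon check is stateless and cheap, so it runs first; the sliding window costs memory per source, so it runs last, and once a source has tripped it the denylist short-circuits everything after. A production filter would also carry the IPv6 equivalents and the reserved blocks that `ipaddress` exposes through `is_private`, `is_reserved` and `is_link_local`, and would expire denylist entries rather than hold them forever.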
DON'T FIXATE!

When it comes to security, business leaders can get distracted with trends and forget about fundamentals such as digital trust, comments Dave Roche, senior product manager, DigiCert. "But it's those basic foundational elements that actually defend against attacks. While leaders get fixated on things like cloud native or blockchain, those foundational elements fall by the wayside.

"In the meantime, stretched engineers and Infosec personnel are busy putting out fires when they should be stopping them from breaking out in the first place. In the last year, we've seen Log4j, zero-day vulnerabilities for Spring Core Java and the Okta hack, among a long list of other widespread security problems."

So, while business leaders are distracted with fashion trends and Infosec personnel are firefighting, fundamental security questions get left by the wayside, he points out. "Code signing is a good example of this. It's a practice that secures code and engenders digital trust as it passes from link to link along the supply chain. It's a foundational part of creating connected trust throughout digital ecosystems. But many merely sign their software and stop there. They don't realise that it's not good enough just to sign the code; they also have to secure the process of signing itself."

To adequately secure the process, states Roche, signing keys have to be protected and access to them has to be restricted and logged, so that the process can be audited at any time.

"Furthermore, generation of those keys must also be a controlled and secure process, so that your infosec standards flow down to your engineers. Code repositories must be secured, too, so you can make sure the code is malware and vulnerability free. Then, code signing processes must be systematised and code signing should be automated, using CI/CD tools to minimise human error."
LOGICAL STEP

Zero Trust is, at its heart, a collection of IT security design principles that attempt to reduce or eliminate the chances of the wrong entity getting hold of vital information or resources possessed by your organisation. Felix Rosbach, VP of product management at comforte AG, sees this as "a logical step in a world where breaches are inevitable, due to the complexity of our modern IT landscape".

When thinking of Zero Trust, most security practitioners think of network segmentation first. "But is network segmentation the real goal of a Zero Trust architecture?" he asks. "According to NIST, Zero Trust at its core removes any implicit trust or privilege, which might be granted to users or devices based on where those people/things are physically or on the network (NIST Special Publication 800-207). Keep in mind that what you're guarding is actually information [data] and services [resources], not parts of an environment.

"Data isn't a supporting part of the IT infrastructure the way networks and devices and applications are. Data is on top, king of the hill, the crowning glory of your IT infrastructure and your entire organisation. We call it information technology for a reason. Remember, the ultimate objective is to protect the data itself by rendering it useless in the wrong hands."

Another key point to recall, continues Rosbach, is that one of the basic premises of Zero Trust is to assume a breach has already occurred, meaning that perimeter defences have already failed and that a bad actor is actively working within your IT environment. "When we protect the data itself, we assume that it will fall into the wrong hands eventually," he adds, "but the outcome will not be severe, because sensitive knowledge is in some way made incomprehensible."
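Rosbach's "rendering it useless in the wrong hands" is usually done by tokenisation: the sensitive value is swapped for a random token of the same shape before the record leaves the service that needs the real thing, and only a separately protected vault can reverse it. The block below is an added example, not comforte AG code, showing that in Python: format-preserving random tokens, consistent tokens for repeated values so downstream joins still work, a vault that detokenises only for named callers, and an audit trail of every attempt. The vault API, the record layout, the caller names and the sample record are assumptions.

```python
"""Data-centric protection: replace sensitive field values with random,
format-preserving tokens before a record leaves the trusted service, so a copy
stolen elsewhere in the environment carries nothing usable. Only the token
vault can reverse a token, and only for callers it authorises.

Added illustration, not comforte AG code. The TokenVault API, the record
layout, the caller names and the sample record are assumptions."""
import secrets
import string
from typing import Dict, Iterable, List, Optional, Tuple


class TokenVault:
    """Holds the token <-> value mapping. In production this is a separately
    protected service with its own access policy and audit trail; here it is an
    in-memory dict so the example runs stand-alone."""

    def __init__(self, authorised_callers: Iterable[str] = ()) -> None:
        self._forward: Dict[str, str] = {}     # value -> token
        self._reverse: Dict[str, str] = {}     # token -> value
        self._authorised = frozenset(authorised_callers)
        self.audit: List[Tuple[str, str, str]] = []   # (caller, token, outcome)

    @staticmethod
    def _random_token(value: str, keep_last: int) -> str:
        """Random characters of the same class and length as `value`; separators
        stay in place and the last `keep_last` characters are left visible."""
        split = len(value) - keep_last
        head, tail = value[:split], value[split:]
        out = []
        for ch in head:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isupper():
                out.append(secrets.choice(string.ascii_uppercase))
            elif ch.islower():
                out.append(secrets.choice(string.ascii_lowercase))
            else:
                out.append(ch)
        return "".join(out) + tail

    def tokenize(self, value: str, keep_last: int = 0) -> str:
        """Same value always maps to the same token, so tokenised data can still
        be joined and deduplicated without anyone seeing the plaintext."""
        if value in self._forward:
            return self._forward[value]
        while True:
            token = self._random_token(value, keep_last)
            if token != value and token not in self._reverse:
                break
        self._forward[value] = token
        self._reverse[token] = value
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Reverse a token for an authorised caller; every attempt is audited."""
        if caller not in self._authorised:
            self.audit.append((caller, token, "denied"))
            raise PermissionError(f"{caller} is not authorised to detokenise")
        self.audit.append((caller, token, "granted"))
        return self._reverse[token]


def tokenize_record(record: Dict[str, str], vault: TokenVault, fields: Iterable[str],
                    keep_last: Optional[Dict[str, int]] = None) -> Dict[str, str]:
    """Return a copy of `record` with the named fields tokenised."""
    keep_last = keep_last or {}
    out = dict(record)
    for name in fields:
        out[name] = vault.tokenize(record[name], keep_last.get(name, 0))
    return out


# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "card": "4111-1111-1111-1111",
    "ni": "QQ123456C",
    "city": "Leeds",
}
SENSITIVE_FIELDS = ("card", "ni")
KEEP_LAST = {"card": 4}         # last four digits stay visible for support staff


if __name__ == "__main__":
    vault = TokenVault(authorised_callers={"payments-service"})
    protected = tokenize_record(SAMPLE_RECORD, vault, SENSITIVE_FIELDS, KEEP_LAST)
    print(protected)
    print(vault.detokenize(protected["card"], caller="payments-service"))
```

Because the tokens are random rather than hashed, a copy of the tokenised dataset gives an attacker nothing to brute-force: a card number has too little entropy to survive as a hash, but as a token it is just noise. The trade-off is that the vault becomes the highest-value asset in the environment, so it belongs behind the same per-request access decisions as any restricted resource, with its audit log shipped somewhere the vault host cannot alter.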
Neil Langridge, e92plus: for many organisations, the Zero Trust model highlights significant challenges that have to be overcome before it can be deemed a success.
product review

ENDACE ENDACEPROBE 9200 G4

Packet capture is an essential tool for SecOps and NetOps teams but full visibility into network activity demands a solution that records with zero packet loss. For teams to respond quickly to cyberattacks and resolve network or application performance issues quickly the solution must be able to capture, store, index and analyse a completely accurate historical record of all activity.

Endace specialises in high-speed packet capture. Its EndaceProbe Analytics Platform appliances offer a range of features you won't find elsewhere. Endace's flagship model, the EndaceProbe 9200 G4, is the world's first appliance to deliver petabyte storage capacity and record at a sustained 40Gbps with nanosecond accurate timestamping.

This 4U rack-mount appliance achieves this storage density by combining a very high raw storage capacity with Endace's integral hardware compression and patented Smart Truncation technology. Compared with previous EndaceProbe models, the 9200 G4 offers a four-fold increase in storage capacity and can record weeks or months of network traffic data enabling customers to go much further back in time when investigating security threats.

Aimed at data centre deployments, the 9200 G4 offers a choice of eight 1/10GbE or dual 40GbE recording interfaces. It scales easily with demand as multiple appliances can be stacked to increase storage capacity and capture rates. A stack of five 9200 G4 appliances, for example, can deliver a sustained 200Gbits/sec recording speed with bursts up to 400Gbits/sec. The stack provides up to 5PB of storage allowing it to record up to five days of traffic at an average rate of 100Gbits/sec.

EndaceFabric takes scalability to the next level as single EndaceProbes and stacks located in globally distributed networks can be centrally managed by EndaceCMS, which provides a single pane of glass for all administrative functions, including health monitoring, configuration and upgrades. Likewise, searches, data mining and investigations are fully centralised with Endace's InvestigationManager application. Using InvestigationManager's integrated EndaceVision - a browser-based analysis tool - analysts can choose data sources from multiple EndaceProbes, view them simultaneously and use data visualisation tools to zero in on areas of interest such as flows, top talkers, protocols and users. Its parallel, distributed architecture delivers rapid search that enables multiple users to conduct searches simultaneously across many appliances and petabytes of data with results delivered in seconds.

An outstanding feature of EndaceProbe appliances is that they enable third-party applications to be hosted on the appliance where they can access and analyse real-time or recorded packet data. This is a major differentiator with competing full-stack solutions as it lets customers host best-of-breed analytics solutions from multiple vendors.

Endace partners with an impressive range of vendors. Its appliances can integrate with and host tools such as Cisco StealthWatch and Firepower, Palo Alto Networks NG Firewalls, Plixer Scrutinizer and many more. Even better, Endace's APIs enable integration directly into the user-interfaces of these products so analysts can analyse packet data directly from the tools they already use.

For example, when Splunk shows alerts or events, analysts can click on that alert in Splunk to access related packets so there's no need to change their existing workflows. Analysts can create, share and customise investigations accessing data from multiple EndaceProbes, view conversations, extract files from suspicious communications, generate rich logs for insight into network activity, and decode packets directly in hosted Wireshark without needing to download pcap files.

The EndaceProbe Analytics Platform gives SecOps and NetOps teams the visibility and agility they need to see everything that's happening on their networks and respond quickly to cyberattacks. EndaceProbes deliver industry leading performance and storage capacity and their 100% accurate packet recording fills the knowledge gaps other solutions leave behind.

Product: EndaceProbe 9200 G4
Supplier: Endace
Web site: www.endace.com
Sales: +44 (0)800 088 5008
supply chain<br />
CHAINS OF FREEDOM<br />
SUPPLY CHAINS ARE PRONE TO WILD SWINGS AND UNCERTAINTIES. HOW CAN THEY BE STABILISED<br />
AND LESS EXPOSED, IN ORDER TO CREATE A COOPERATIVE SUPPLY-CHAIN PLATFORM?<br />
The third-party supply chain ecosystem of<br />
a modern business is much more farreaching<br />
and porous than ever before,"<br />
cautions Ewen O'Brien, SVP of Third-Party<br />
Cyber Risk Management at BlueVoyant. "This<br />
presents a cybersecurity threat that both<br />
government and industry should take very<br />
seriously. It is increasingly hard to have full<br />
visibility; only in recent years have businesses<br />
realised the scale of the threat that weakened<br />
cybersecurity amongst third parties can pose<br />
to their organisations, even if they have done<br />
a very good job in protecting their own<br />
networks."<br />
With supply chains growing at an<br />
exponential rate, risk visibility and risk<br />
mitigation should be a priority, he adds.<br />
"Security teams need an inherent<br />
understanding of an attacker's mindset and<br />
the vulnerabilities that they are looking to<br />
exploit. These weaknesses are unlikely to be<br />
present in the 'prime' organisation, which is<br />
usually the best-defended entity, but in those<br />
third-party providers that have left ports<br />
open, that haven't patched or have general<br />
poor cybersecurity practices. Whilst many<br />
attackers are described as 'sophisticated',<br />
many breaches are achieved using old<br />
methods. Therefore, organisations and their<br />
supply chain have to start getting the basics<br />
right."<br />
Recent cyber incidents and the COVID-19<br />
pandemic has highlighted the fragility of<br />
supply chains, and the resulting business<br />
disruption that incidents can cause, states<br />
O'Brien. "This has forced organisations to take<br />
a hard look at their software development<br />
security stance, particularly those within the<br />
critical national infrastructure. With opensource<br />
development becoming increasingly<br />
popular, organisations are particularly<br />
focusing on improving testing and standards<br />
to ensure that developers know what they're<br />
doing when it comes to security.<br />
"The scale of vendor ecosystems often<br />
means full visibility into cyber risk is beyond<br />
the capabilities of in-house teams. The<br />
businesses best able to protect their<br />
organisation and meet new government<br />
regulations will be those that seek external<br />
expertise to triage and manage incidents<br />
based on cyber risk tolerance and business<br />
context, freeing their in-house teams to focus<br />
on true cyber risk management.<br />
"However, recent, high-profile cyber-attacks<br />
have reinforced that, if one company in a<br />
supply chain doesn't have the security they<br />
need, this presents a sizeable risk for both the<br />
private and public sector. Most recently, we<br />
saw an illustration of this in the LAPSUS$<br />
breach at Okta, which caused a ripple effect<br />
across a wide network of customers from<br />
a range of industries.<br />
"For this reason, the solution demands<br />
a joint effort between governments and<br />
industry, in which the value of cybersecurity<br />
is enforced through regulatory efforts,<br />
incentives, and business competition," he<br />
concludes.<br />
MORE COMPLEX SUPPLY CHAINS<br />
Although businesses have always struggled<br />
with supply chain disruptions, the problem has<br />
become worse as the chains have grown longer and<br />
more complex, making them increasingly<br />
vulnerable to geopolitical and economic<br />
shocks.<br />
That is the view of Harry Powell, head of<br />
Industry Solutions, TigerGraph, who adds:<br />
"Although disruptions will always be with us,<br />
our ability to adapt would improve greatly,<br />
if we had better supply chain visibility."<br />
But how do we achieve this? "The obvious<br />
solution would be for all parts of the supply<br />
chain to pool their information into a single<br />
platform," he suggests. "Surely this would be<br />
easily done in the Cloud - and then everyone<br />
would have more certainty."<br />
However, there are commercial and<br />
technical reasons why this is not feasible,<br />
adds Powell. "First, each participant in the<br />
supply chain is competing as much with<br />
its partners as it is cooperating. Although<br />
cooperation is required at the operational<br />
level, businesses also seek to maximise<br />
revenues and profit at the expense of others,<br />
and it is in their best interests to withhold<br />
computing security <strong>May</strong>/<strong>Jun</strong>e <strong>2022</strong> @<strong>CS</strong>MagAndAwards www.computingsecurity.co.uk
information from customers and suppliers to<br />
achieve greater leverage in negotiations."<br />
The second reason he singles out is that<br />
every IT system is different, and it is hard<br />
enough to combine information from<br />
different business units and geographies<br />
within a single business, let alone from<br />
separate companies.<br />
"Thirdly, the Cloud presents problems in<br />
itself. Who will control the information and<br />
how it is used? Can businesses trust that<br />
platform owners will only use the data as<br />
agreed? By putting the data on a common<br />
platform, will all the businesses in that supply<br />
chain become vassals of the platform owner?<br />
It only takes one link in the chain to have<br />
these doubts and the rationale behind a<br />
cooperative supply-chain platform falls apart."<br />
Some businesses are taking a different<br />
approach to how to deal with the wild<br />
swings and uncertainties in supply chains, he<br />
adds. "They are using graph databases and<br />
graph analytics to analyse supply chain data<br />
in real-time, run supply chain scenarios and<br />
feed high-value data to machine learning<br />
systems. And they are using data they already<br />
hold to do it.<br />
"Conventional data systems find it difficult<br />
to do 'what-if' analyses on complex systems,<br />
but graph data platforms are optimised to<br />
do this naturally and quickly, allowing these<br />
businesses to model and evaluate supply<br />
chains in real time, and act with greater<br />
speed and agility than their competitors."<br />
SECURITY HYGIENE<br />
Securing data with third-party vendors in<br />
mind will be critical, emphasises Bindu<br />
Sundaresan, director, AT&T Cybersecurity.<br />
"Today, a robust cybersecurity posture<br />
encompasses much more than your<br />
employees, your hardware and software,<br />
and security tools. Any third-party tools or<br />
vendors with access to your environment<br />
should be considered a critical component<br />
of your security hygiene." As she also points<br />
out, attacks via third parties are increasing<br />
every year, as reliance on third-party vendors<br />
continues to grow. "Organisations must<br />
prioritise the assessment of top-tier vendors,<br />
evaluating their network access, security<br />
procedures and interactions with the<br />
business. Unfortunately, there are many<br />
operational obstacles that will make this<br />
assessment difficult, including a lack of<br />
resources, increased organisational costs and<br />
insufficient processes. The lack of up-to-date<br />
risk visibility on current third-party ecosystems<br />
can lead to loss of productivity, monetary<br />
damages and damage to brand reputation."<br />
Vendor management is a complex and time-intensive<br />
task, to which many organisations<br />
do not - and, in many cases, cannot - dedicate<br />
the time and resources.<br />
"For companies with a small number of<br />
vendors, this can be manageable, but most<br />
organisations will need additional support to<br />
create and implement these programmes<br />
effectively.<br />
By dedicating resources to developing<br />
a programme, organisations can begin to<br />
understand and mitigate the threats posed<br />
by third parties. For those organisations that<br />
do not have the resources to establish or<br />
maintain this type of programme, there<br />
are many options available to help create,<br />
implement and manage vendor management<br />
programs of any size." For a successful third-party<br />
risk management programme, she<br />
offers the following '4 Cs' as a guideline:<br />
• Comprehensive - evaluate all aspects<br />
of the third party, including systems,<br />
processes and personnel<br />
• Configurable - 'one-size-fits-all' evaluations<br />
are not accurate; measure what matters<br />
• Collaborative - identifying the risks is only<br />
the first step; working to correct deficiencies<br />
is the key<br />
• Continuous - organisations evolve, so<br />
you need to monitor and adjust to truly<br />
understand the risks.<br />
Ewen O'Brien, BlueVoyant: the third-party<br />
supply chain ecosystem of a modern<br />
business is much more far-reaching and<br />
porous than ever before.<br />
CYBER SECURITY PRINCIPLES<br />
The National Institute of Standards and<br />
Technology (NIST) points out that<br />
cybersecurity in the supply chain cannot be<br />
viewed as an IT problem only. "Cyber supply<br />
chain risks touch sourcing, vendor<br />
management, supply chain continuity and<br />
quality, transportation security and many<br />
other functions across the enterprise and<br />
require a coordinated effort to address," it<br />
states, while offering these three cyber supply<br />
chain security principles:<br />
1. Develop your defences based on the<br />
principle that your systems will be breached.<br />
When one starts from the premise that a<br />
breach is inevitable, it changes the decision<br />
matrix on next steps. The question becomes<br />
not just how to prevent a breach, but how to<br />
mitigate an attacker's ability to exploit the<br />
information they have accessed and how to<br />
recover from the breach<br />
2. Cybersecurity is never just a technology<br />
problem, it's a people, processes and<br />
knowledge problem. Breaches tend to be<br />
less about a technology failure and more<br />
about human error. IT security systems won't<br />
secure critical information and intellectual<br />
property unless employees throughout the<br />
supply chain use secure cybersecurity<br />
practices<br />
3. Security is Security. There should be no<br />
gap between physical and cybersecurity.<br />
Sometimes the bad guys exploit lapses in<br />
physical security in order to launch a cyber-attack.<br />
By the same token, an attacker<br />
looking for ways into a physical location<br />
might exploit cyber vulnerabilities to get<br />
access.<br />
Bindu Sundaresan, AT&T Cybersecurity: any<br />
third-party tools or vendors with access to<br />
your environment should be considered a<br />
critical component of your security hygiene.<br />
Harry Powell, TigerGraph: our ability to<br />
adapt would improve greatly, if we had<br />
better supply chain visibility.<br />
"Cyber supply chain risks cover a lot of<br />
territory," the NIST adds. Some of the<br />
concerns include risks from:<br />
• Third-party service providers or vendors -<br />
from janitorial services to software<br />
engineering - with physical or virtual<br />
access to information systems, software<br />
code, or IP<br />
• Poor information security practices by<br />
lower-tier suppliers<br />
• Compromised software or hardware<br />
purchased from suppliers<br />
• Software security vulnerabilities in supply<br />
chain management or supplier systems<br />
• Counterfeit hardware or hardware<br />
with embedded malware<br />
• Third-party data storage or data<br />
aggregators.<br />
NIST also points to a range of questions<br />
companies are using to determine how risky<br />
their suppliers' cybersecurity practices are:<br />
• Is the vendor's software/hardware<br />
design process documented?<br />
Repeatable? Measurable?<br />
• Is the mitigation of known vulnerabilities<br />
factored into product design (through<br />
product architecture, run-time protection<br />
techniques, code review)?<br />
• How does the vendor stay current on<br />
emerging vulnerabilities? What are<br />
vendor capabilities to address new 'zero<br />
day' vulnerabilities?<br />
• What controls are in place to manage<br />
and monitor production processes?<br />
• How is configuration management<br />
performed? Quality assurance? How is it<br />
tested for code quality or vulnerabilities?<br />
• What levels of malware protection and<br />
detection are performed?<br />
• What steps are taken to 'tamper proof'<br />
products? Are backdoors closed?<br />
• What physical security measures are<br />
in place? Documented? Audited?<br />
• What access controls, both cyber and<br />
physical are in place? How are they<br />
documented and audited?<br />
• What type of employee background<br />
checks are conducted and how<br />
frequently?<br />
• What security practice expectations<br />
are set for upstream suppliers? How is<br />
adherence to these standards assessed?<br />
• How secure is the distribution process?<br />
• Have approved and authorised<br />
distribution channels been clearly<br />
documented?<br />
• What is the component disposal risk<br />
and mitigation strategy?<br />
• How does the vendor assure security<br />
through the product life cycle?<br />
Finally, the NIST looks at some practices that<br />
companies have adopted to help manage<br />
their cyber supply chain risks, such as:<br />
• Security requirements are included<br />
in every RFP and contract<br />
• Once a vendor is accepted in the formal<br />
supply chain, a security team works with<br />
them on-site to address any vulnerabilities<br />
and security gaps<br />
• 'One strike and you're out' policies with<br />
respect to vendor products that are either<br />
counterfeit or do not match specification<br />
• Component purchases are tightly<br />
controlled; component purchases from<br />
approved vendors are prequalified.<br />
Parts purchased from other vendors<br />
are unpacked, inspected and X-rayed<br />
before being accepted.<br />
expert view<br />
GET THE BASICS RIGHT…<br />
THE EXPONENTIAL ADOPTION OF NEW CYBER SECURITY RELATED TOOLS IS A GROWING PROBLEM IN<br />
THE CYBER SECURITY WORLD, CAUTIONS STEVEN USHER, SENIOR ANALYST, BROOKCOURT SOLUTIONS<br />
Year-on-year, the number of cyber<br />
security tools that are being used by<br />
companies of all sizes is growing at a<br />
rate that many consider unsustainable long-term,<br />
and this almost frenetic rate of adoption<br />
could lead to cyber security issues; in fact,<br />
it is already.<br />
While this situation is notable, what is,<br />
in fact, more of a concern is that, while<br />
companies are rushing to adopt newer and<br />
more complex technologies to deal with the<br />
ever-expanding cyber security threats, they<br />
rarely, if ever, have even got the basics right.<br />
I am talking here about firewall rules, base<br />
endpoint security policies, data loss prevention<br />
or, at the very least, awareness of what<br />
data is on their network, a robust and<br />
sensible password policy and, most of all -<br />
in my eyes at least - an up-to-date inventory<br />
of what hardware and software is on their<br />
network, which most companies do not have.<br />
ESSENTIAL BUILDING BLOCK<br />
Knowing what you are protecting should be<br />
considered one of the main building blocks<br />
of creating a cyber security program within<br />
your organisation. The fact that this often<br />
seems to not be the case is a concern. How<br />
do you protect and defend what you do not<br />
know about? The same applies to a software<br />
inventory - without knowing what is currently<br />
in use in your organisation, how do you<br />
determine which patches have priority, where<br />
the major points of potential ingress are or<br />
who is at the greatest risk of exploitation?<br />
Decades of dealing with incidents have<br />
shown that unknown hardware or software<br />
commonly has a hand in the incident.<br />
Both hardware and software inventories are<br />
made more complicated in the modern world<br />
with concepts like BYOD (Bring Your Own<br />
Device) which allow all sorts of hardware<br />
onto networks and inside the defences of<br />
an organisation. While there is the idea that,<br />
with solid security policies, BYOD can be<br />
managed appropriately, the truth is that<br />
BYOD is a true security nightmare and<br />
often results in the overall weakening of<br />
an organisation's security posture. Another<br />
concept that is worth considering here is<br />
WFH (Work From Home).<br />
While company hardware can be sent out<br />
to users and centrally managed, there are<br />
various other pieces of hardware on that<br />
home network - and even the hardware, for<br />
example routers, used to host the network<br />
in that home - that are not only not known,<br />
monitored or updated appropriately, but simply<br />
not capable of being managed in the first place.<br />
There is no magic method to solve this<br />
issue. There are products that can help<br />
considerably with scanning, listing and, more<br />
importantly, managing the various hardware<br />
and software found on the networks, but it<br />
is down to the people to constantly question,<br />
scan and investigate to ensure that any and<br />
every possible piece of hardware and<br />
software is documented and known about.<br />
Steven Usher, Senior Analyst, Brookcourt Solutions.<br />
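As an added example, not code from the article or from Brookcourt Solutions, the Python below reconciles a constructed asset inventory with constructed DHCP lease lines to flag devices nobody knew about, inventory entries no longer seen, and the patch priorities that can only be derived once a software inventory exists; every host name, MAC, IP, package version and flagged-version entry is sample data.<br />

```python
"""Reconcile a hardware/software inventory against what the network actually shows.

Added example, not code from the article or Brookcourt Solutions. Host names,
MAC addresses, IP addresses, package versions and the lease log are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed inventory: what the organisation believes is on its network,
# keyed by MAC address, with the software each host is recorded as running.
INVENTORY: dict[str, dict] = {
    "aa:bb:cc:00:00:01": {"host": "fin-laptop-01", "owner": "finance",
                          "software": {"openssl": "1.1.1n", "chrome": "100.0"}},
    "aa:bb:cc:00:00:02": {"host": "dev-ws-07", "owner": "engineering",
                          "software": {"openssl": "1.1.1k", "node": "16.14"}},
    "aa:bb:cc:00:00:03": {"host": "print-srv", "owner": "facilities",
                          "software": {"cups": "2.3.3"}},
    "aa:bb:cc:00:00:04": {"host": "old-nas", "owner": "facilities",
                          "software": {"samba": "4.9.5"}},
}

# Constructed dnsmasq-style lease file: expiry, MAC, IP, hostname, client-id.
# A BYOD phone and a device that sent no hostname have appeared on the LAN.
DHCP_LEASES = """\
1651395600 aa:bb:cc:00:00:01 10.0.1.21 fin-laptop-01 01:aa:bb:cc:00:00:01
1651395660 aa:bb:cc:00:00:02 10.0.1.22 dev-ws-07 01:aa:bb:cc:00:00:02
1651395720 de:ad:be:ef:00:09 10.0.1.90 Galaxy-S21 *
1651395780 aa:bb:cc:00:00:03 10.0.1.30 print-srv 01:aa:bb:cc:00:00:03
1651395840 ca:fe:01:02:03:04 10.0.1.91 * *
"""

# Constructed "patch now" list: (package, version) pairs a vulnerability feed
# has flagged. Real entries would come from vendor advisories, not this file.
AFFECTED_VERSIONS = {("openssl", "1.1.1k"), ("samba", "4.9.5")}

LEASE_RE = re.compile(
    r"^(\d+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\S+)\s+(\S+)\s+(\S+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Lease:
    mac: str
    ip: str
    hostname: str  # "*" when the client sent none


def parse_leases(text: str) -> list[Lease]:
    """Parse lease lines; malformed lines are skipped rather than trusted."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            leases.append(Lease(mac=m.group(2).lower(), ip=m.group(3), hostname=m.group(4)))
    return leases


def unknown_devices(leases: list[Lease], inventory: dict[str, dict]) -> list[Lease]:
    """Devices seen on the network that the inventory has never heard of."""
    return [lease for lease in leases if lease.mac not in inventory]


def unseen_assets(leases: list[Lease], inventory: dict[str, dict]) -> list[str]:
    """Inventory entries with no current lease: offline, moved, or inventory drift."""
    seen = {lease.mac for lease in leases}
    return sorted(inventory[mac]["host"] for mac in inventory if mac not in seen)


def patch_priorities(inventory: dict[str, dict], affected: set[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """(host, package, version) for every recorded install of a flagged version.
    Without a software inventory this list cannot be produced at all."""
    hits = []
    for entry in inventory.values():
        for pkg, ver in entry["software"].items():
            if (pkg, ver) in affected:
                hits.append((entry["host"], pkg, ver))
    return sorted(hits)


def reconcile(lease_text: str = DHCP_LEASES, inventory: dict[str, dict] = INVENTORY) -> dict:
    """Run all three checks and return them as one report."""
    leases = parse_leases(lease_text)
    return {
        "unknown": [(l.mac, l.ip, l.hostname) for l in unknown_devices(leases, inventory)],
        "unseen": unseen_assets(leases, inventory),
        "patch": patch_priorities(inventory, AFFECTED_VERSIONS),
    }


if __name__ == "__main__":
    report = reconcile()
    for mac, ip, name in report["unknown"]:
        print(f"UNKNOWN  {mac} {ip} {name}")
    for host in report["unseen"]:
        print(f"UNSEEN   {host} (in inventory, not on network)")
    for host, pkg, ver in report["patch"]:
        print(f"PATCH    {host}: {pkg} {ver}")
```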
insider threats<br />
ISOLATED AND VULNERABLE<br />
HACKERS ARE DRIVING UP THE LEVELS OF HUMAN ERROR BY PREYING INCREASINGLY ON<br />
SOLITARY WORKERS - ESPECIALLY THOSE AT HOME, CUT OFF FROM IMMEDIATE I.T. SUPPORT<br />
Oliver Paterson, VIPRE: hackers prey on<br />
those working from home, away from their<br />
trusted IT teams.<br />
As the yearly number of cyber-attacks<br />
continues to accelerate, hackers are<br />
becoming more innovative in their<br />
tactics. "They can spot weaknesses in<br />
workforces, preying on those who are<br />
working from home as a result of the<br />
pandemic, away from their trusted IT<br />
teams," points out Oliver Paterson,<br />
product expert, VIPRE Security Awareness<br />
Training and Safesend.<br />
It is no surprise that hackers use humans to<br />
their advantage, as human error is the cause<br />
of 90% of cyber data breaches, Paterson<br />
continues. "Humans make mistakes - stressed,<br />
tired employees who are distracted at home<br />
will make even more mistakes; whether<br />
it's sending a confidential document to the<br />
wrong person or clicking on a phishing email,<br />
no organisation is immune to human error<br />
and the consequences this can have on the<br />
business."<br />
Yet these risks can be mitigated by educating<br />
workforces on the modern threat landscape<br />
and the existing risks, he says. "Teamed with<br />
anti-malware solutions and technology,<br />
employees can be alerted to double-check<br />
their email attachments and recipients, as well<br />
as any potentially malicious incoming emails.<br />
Additionally, it is essential that businesses<br />
implement consistent training programmes<br />
to get the most value and retention out of<br />
this learning. Such educational programmes<br />
should be relevant, adding in real-life<br />
situations, including phishing simulations,<br />
that help to fortify crucial cyber threat<br />
prevention messaging and educate<br />
workforces on how to protect both the<br />
business and themselves. This, in turn,<br />
strengthens the workforce security culture,<br />
ensuring employees know what to do<br />
when faced with a cyber threat."<br />
Once educated on existing security<br />
risks, workforces must understand<br />
their responsibilities when securing<br />
an organisation's IT infrastructure.<br />
"Now, more than ever, the responsibility<br />
must be reinforced throughout the entire<br />
business. After all, the final choice in<br />
sending sensitive information via email<br />
is with them."<br />
Organisations have been spending millions<br />
in building defences against external threat<br />
actors, comments Gagan Arora, director in<br />
Protiviti UK's Technology Consulting Practice.<br />
"While this approach has been effective to<br />
some extent towards mitigating risks leading<br />
to a breach, the risks associated with the<br />
internal threat actors continue to remain<br />
unaddressed to a large extent. Significant<br />
reliance is placed on human and process<br />
elements of a capability/control [eg, forcing<br />
IT workers to change passwords as per rules<br />
written in a policy], which often leads to<br />
failure and significant exposure of the valuable<br />
assets in the organisation."<br />
PRIVILEGED CREDENTIALS RISKS<br />
One of the key capabilities to provide a strong<br />
defence against internal threat actors<br />
is Privileged Access Management (PAM), he<br />
states. "Today, the root cause of most of the<br />
breaches is the misuse of privileged credentials,<br />
whether this is on the cloud or for on-prem<br />
assets. The risk is further heightened<br />
when privileged credentials remain with the<br />
users who are connecting remotely, which is<br />
a norm these days, or with third parties who<br />
are providing services to the IT organisation.<br />
"Many organisations have also embraced<br />
agile delivery practices, such as continuous<br />
integration/continuous delivery (CI/CD),<br />
for delivering business applications, which<br />
introduces a different set of risks from their<br />
DevOps environment. While statistics vary<br />
on the prevalence of breaches caused by<br />
attackers within an organisation, the existence<br />
of proven tools to mitigate these has made<br />
them a de facto expectation of boards,<br />
regulators and insurers."<br />
PAM capabilities offered by various leading<br />
solutions in the market today provide a strong<br />
defence against several scenarios that could<br />
lead to a breach, he further comments. "These<br />
capabilities include automatic password<br />
retrieval, password rotation, session<br />
management, session isolation, just-in-time<br />
access, session recording and monitoring.<br />
The coverage over IT estate is also expanding,<br />
as various solution providers now offer<br />
capabilities for protecting DevOps secrets,<br />
SaaS applications access and even managing<br />
cloud infrastructure entitlements.<br />
Organisations lacking PAM capability and<br />
controls should assess their technology<br />
environment, risk landscape and invest into<br />
a solution that is relevant not only for their<br />
existing environment, but also for future<br />
needs."<br />
MORE DAMAGING IMPACT<br />
"Ever since the days of Edward Snowden<br />
leaking secrets, organisations have been<br />
considering what they could do to prevent<br />
insider threats," says Javvad Malik, lead<br />
security awareness advocate at KnowBe4.<br />
"While breaches caused by insiders may not be<br />
as prevalent as external attackers, the impact<br />
is often a lot more damaging. But before<br />
proceeding, let's take a step back to define<br />
precisely what we mean by an insider threat.<br />
"An insider could be defined as any individual<br />
with legitimate access to corporate assets,<br />
physical or virtual. It includes permanent and<br />
temporary employees, third-party contractors,<br />
as well as third-party support companies and<br />
outsourced service providers."<br />
In this context, states Malik, threat is better<br />
defined as abuse of the trust the company<br />
has placed in an insider. "To sum it up, an<br />
insider threat is someone who misuses<br />
legitimate access granted to them for the<br />
purposes of self-interest that could potentially<br />
harm the organisation. It's worth noting that<br />
not all insiders who fall within this definition<br />
of insider threats will harm the organisation.<br />
Abuse of trust could be as simple as someone<br />
trying to get their job done by using the<br />
wrong tools or, for example, using their<br />
personal unapproved device to work on<br />
sensitive documents."<br />
Insiders can be broken down into three<br />
types, he adds: malicious, non-malicious or<br />
compromised. "A malicious insider, as the<br />
name suggests, is one that is knowingly<br />
undertaking activities that can cause harm to<br />
the organisation. A non-malicious insider is<br />
one who, in many cases, wants to get their<br />
job done, but goes about it in the wrong way,<br />
therefore weakening the security of the<br />
organisation. A compromised insider is where<br />
an account has been taken over by a third<br />
party, so it can be used to access internal<br />
resources."<br />
For risk purposes, organisations can map<br />
out the types of insiders and their impact with<br />
a matrix. Then, the various threats can be<br />
positioned in the matrix, depending on the<br />
intent and harm, with the size of the bubble<br />
representing the likelihood of it occurring.<br />
By way of example of a particular matrix,<br />
while espionage might show as the most<br />
severe harm to an organisation, the likelihood<br />
of it occurring is relatively low, compared, say,<br />
to a user falling for a spear phishing attack.<br />
"Organisations should use their own internal<br />
incident log data, in addition to external<br />
sources to build up a list of threats and the<br />
likelihood of them occurring," he states.<br />
A matrix could be used, for example, to<br />
identify the top three areas of focus for an<br />
organisation and the controls that would<br />
need to be implemented to reduce the<br />
likelihood of spear phishing, unskilled staff<br />
making errors and shadow IT. "By going<br />
through such a data-driven exercise,<br />
organisations will be far better placed to<br />
understand the actual insider threat they<br />
face and where to focus their efforts<br />
to minimise the risk."<br />
i https://www.infosecurity-magazine.com/news/90-data-breaches-human-error<br />
Javvad Malik, KnowBe4: insiders can be of<br />
three types - malicious, non-malicious or<br />
compromised.<br />
Gagan Arora, Protiviti: one of the key<br />
capabilities to provide a strong defence<br />
against internal threat actors is Privileged<br />
Access Management.<br />
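The data-driven matrix exercise Malik describes, as an added example that is not code from KnowBe4 or the article: a constructed incident log is turned into per-threat likelihoods (monthly rate, with a constructed external prior for threats the log has not yet seen), combined with a constructed harm score on the intent axis he gives, and ranked to pick the top three focus areas; every threat name, score and log entry is sample data.<br />

```python
"""Insider-threat matrix built from incident log data.

Added example, not code from KnowBe4 or the article. The threat catalogue, harm
scores, external priors and the incident log are all constructed sample data.
"""
from __future__ import annotations

from collections import Counter
from datetime import date

# Intent axis from the article (malicious / non-malicious / compromised) and a
# constructed harm score, 1 (nuisance) to 5 (existential), as a risk team would set.
THREAT_CATALOGUE: dict[str, tuple[str, int]] = {
    "espionage": ("malicious", 5),
    "data_theft_on_exit": ("malicious", 4),
    "spear_phishing": ("compromised", 3),
    "unskilled_error": ("non-malicious", 3),
    "shadow_it": ("non-malicious", 2),
    "misdirected_email": ("non-malicious", 2),
}

# Constructed external prior (incidents per month) for threats the internal log
# has not recorded, standing in for the "external sources" the article mentions.
EXTERNAL_PRIOR: dict[str, float] = {"espionage": 0.05, "data_theft_on_exit": 0.1}

# Constructed internal incident log: ISO date, threat type.
INCIDENT_LOG = """\
2022-01-04,spear_phishing
2022-01-19,shadow_it
2022-02-02,shadow_it
2022-02-11,spear_phishing
2022-02-28,unskilled_error
2022-03-09,spear_phishing
2022-03-14,misdirected_email
2022-03-22,shadow_it
2022-04-05,unskilled_error
2022-04-18,spear_phishing
"""


def parse_incidents(text: str) -> tuple[Counter[str], list[date]]:
    """Return per-threat incident counts and the list of incident dates."""
    counts: Counter[str] = Counter()
    dates: list[date] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, threat = line.split(",")
        if threat not in THREAT_CATALOGUE:
            raise ValueError(f"unknown threat type in log: {threat}")
        counts[threat] += 1
        dates.append(date.fromisoformat(day))
    return counts, dates


def months_spanned(dates: list[date]) -> int:
    """Number of calendar months covered by the log, inclusive (at least 1)."""
    first, last = min(dates), max(dates)
    return (last.year - first.year) * 12 + (last.month - first.month) + 1


def build_matrix(log_text: str) -> list[dict]:
    """One row per catalogued threat: intent, harm, likelihood (incidents/month)
    and a score used to rank focus areas. Likelihood is the observed monthly
    rate when the log has data, otherwise the external prior (0.0 if none)."""
    counts, dates = parse_incidents(log_text)
    months = months_spanned(dates)
    rows = []
    for threat, (intent, harm) in THREAT_CATALOGUE.items():
        if counts[threat]:
            likelihood = counts[threat] / months
        else:
            likelihood = EXTERNAL_PRIOR.get(threat, 0.0)
        rows.append({"threat": threat, "intent": intent, "harm": harm,
                     "likelihood": round(likelihood, 3),
                     "score": round(harm * likelihood, 3)})
    # Rank by score, then harm, then name so ties resolve deterministically.
    rows.sort(key=lambda r: (-r["score"], -r["harm"], r["threat"]))
    return rows


def top_focus_areas(log_text: str, n: int = 3) -> list[str]:
    """The n threats where controls would remove the most expected harm."""
    return [row["threat"] for row in build_matrix(log_text)[:n]]


if __name__ == "__main__":
    for row in build_matrix(INCIDENT_LOG):
        print(f"{row['threat']:<20} {row['intent']:<14} harm={row['harm']} "
              f"likelihood={row['likelihood']:.2f}/month score={row['score']:.2f}")
    print("focus on:", top_focus_areas(INCIDENT_LOG))
```

With this sample log the top three come out as spear phishing, unskilled-staff errors and shadow IT, the same three areas the article names, while espionage keeps the highest harm but the lowest score.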
quantum on trial<br />
QUANTUM GOES BIG!<br />
BT AND TOSHIBA LAUNCH FIRST COMMERCIAL TRIAL OF QUANTUM SECURED COMMUNICATION SERVICES<br />
BT and Toshiba, along with EY,<br />
have launched the trial of what<br />
is described as a "world-first<br />
commercial quantum-secured metro<br />
network". The infrastructure will be able<br />
to connect numerous customers across<br />
London, helping them to secure the<br />
transmission of valuable data and<br />
information between multiple physical<br />
locations over standard fibre optic links<br />
using quantum key distribution (QKD).<br />
QKD is an important technology, playing<br />
a fundamental role in protecting networks<br />
and data against the emerging threat of<br />
cyber-attack using quantum computing.<br />
The London network has been hailed<br />
as representing a critical step towards<br />
reaching the UK government's strategy to<br />
become a quantum-enabled economy.<br />
The network's first commercial customer,<br />
EY, will use the network to connect two of<br />
its sites in London, one in Canary Wharf<br />
and one near London Bridge. It will<br />
demonstrate how data secured using QKD<br />
can move between sites and showcase<br />
the benefits this network brings<br />
to its own customers.<br />
BT and Toshiba announced their<br />
commitment to creating a trial network<br />
in October 2021. BT will operate the<br />
network, providing a range of quantum-secured<br />
services, including dedicated high<br />
bandwidth end-to-end encrypted links,<br />
delivered over Openreach's private fibre<br />
networks, while Toshiba will provide<br />
quantum key distribution hardware and<br />
key management software. In the<br />
network, QKD keys will be combined with<br />
the in-built Ethernet security, based on<br />
public-key based encryption, which will<br />
enable the resultant keys to be used to<br />
encrypt the data.<br />
Quantum computing certainly represents<br />
a unique challenge and opportunity, due<br />
to the scale and complexity of activity<br />
required, the size of the opportunity,<br />
the time to market, and the challenges<br />
quantum computing presents to modern<br />
encryption, states the government.<br />
"This requires a different approach to<br />
bring the community together and realise<br />
opportunities for growth. Being quantum-ready<br />
requires companies and government<br />
to engage now to upskill and<br />
explore applications that could have a<br />
significant impact on industry and wider<br />
society. Through the newly established<br />
National Quantum Computing Centre, we<br />
will undertake a programme of hardware<br />
building and software development,<br />
developing a UK capability, skills and<br />
knowhow and enabling the UK economy<br />
to explore useful applications."<br />
PROFOUND IMPACT<br />
Howard Watson, chief technology officer,<br />
BT, points to how quantum-enabled<br />
technologies are expected to have a<br />
profound impact on how society and<br />
business operates in the future, but adds<br />
pointedly: "they are remarkably complex<br />
to understand, develop and build: in<br />
particular, ensuring that the end-to-end<br />
service designs meet the stringent<br />
security requirements of the market. I'm<br />
incredibly proud that BT and Toshiba<br />
have successfully united to deliver this<br />
unique network, and with EY as our first<br />
trial customer, we are paving the way for<br />
further commercial explorations for<br />
quantum technologies and their use in<br />
commercial and societal applications in<br />
the future".<br />
Preparation, technical deployment and<br />
testing for the network commenced in<br />
late 2021. This included equipment<br />
deployment in racks, adding security<br />
systems and resilience testing, and finally<br />
running and optimising the network.<br />
While 26 April marked the official launch<br />
of the network, it has been running since<br />
early April and will operate for an initial<br />
period of up to three years.<br />
Shunsuke Okada, corporate senior vice<br />
president and chief digital officer of<br />
Toshiba, states that both Toshiba and<br />
BT have demonstrated world-class<br />
technology development and leadership<br />
through decades of innovation and<br />
operation. "Combining BT's leadership<br />
in networks technologies and Toshiba's<br />
leadership in quantum technologies has<br />
brought this network to life, allowing<br />
businesses across London to benefit from<br />
quantum secured communications for<br />
the first time."<br />
VAST POTENTIAL - AND RISKS<br />
Moreover, the role of quantum and its<br />
vast potential are pinpointed by Praveen<br />
Shankar, EY UK & Ireland managing<br />
partner for Technology, Media and<br />
Telecoms (TMT). "Quantum technology<br />
creates new and significant opportunities<br />
for business, but presents potential risks.<br />
Quantum secure data transmission<br />
represents the next major leap forward in<br />
protecting data, an essential component<br />
of doing business in a digital economy.<br />
Our work with two of the world's leading<br />
technology innovators will allow us to<br />
demonstrate the power of quantum to<br />
both EY and our clients."<br />
The UK Government's 'strategic intent'<br />
to develop a quantum-enabled economy<br />
was first published in 2020. It sets out<br />
a vision for the next 10 years in which<br />
quantum technologies will become an<br />
integral part of the UK's digital<br />
backbone, unlock innovation to drive<br />
growth and help build a thriving and<br />
resilient economy, and contribute<br />
significant value to the UK's prosperity<br />
and security. This new era of quantum<br />
technologies will, claims the government,<br />
"transform economies in our maturing<br />
digital age and help to address society's<br />
challenges; advancing health care and<br />
environmental protection, achieving<br />
net zero targets and better land use,<br />
supporting financial services and<br />
communications, providing defence and<br />
security capabilities and computing<br />
power".<br />
These technologies will focus on<br />
creating new global market opportunities<br />
and competitive advantage for those able<br />
to develop and exploit them, unlocking<br />
innovation by integrating them into<br />
complex systems, it continues, and for<br />
this reason significant efforts are being<br />
put into developing quantum<br />
technologies globally. The National<br />
Quantum Technologies Programme<br />
(NQTP) was established in 2014 by<br />
several partners with the objective of<br />
making the UK "a global leader in the<br />
development and commercialisation of<br />
these technologies". The partners are:<br />
The Engineering and Physical Sciences<br />
Research Council, Science and Technology<br />
Facilities Council, Innovate UK,<br />
Defence Science and Technology<br />
Laboratory, Ministry of Defence, National<br />
Physical Laboratory, Department for<br />
Business, Energy and Industrial Strategy,<br />
Government Communications Headquarters<br />
and the National Cyber Security<br />
Centre.<br />
A REVOLUTION GATHERING PACE<br />
According to the government: "In the<br />
past five years, remarkable progress has<br />
been made towards both producing<br />
integrated systems, many of which are<br />
now nearing the market, and creating<br />
a UK quantum technologies industry.<br />
Our thriving and unique interconnected<br />
ecosystem is comprised of world-leading<br />
research institutes, innovative quantum<br />
technology spin-outs, systems integrators<br />
and components suppliers from existing<br />
industries, as well as major multinationals,<br />
all interacting to generate real<br />
successes and drive the development of<br />
products and services." But the UK needs<br />
to progress quickly, the government<br />
concedes, as the next technological<br />
revolution, driven by a fusion of<br />
technologies, data and advanced<br />
computational abilities, gathers pace.<br />
BT's Howard Watson adds: "This is a<br />
significant moment in the UK's journey<br />
towards a quantum-enabled economy,<br />
but we're not there yet. Further investment<br />
commitments will be required to<br />
broaden the study of quantum technologies<br />
that will contribute to this new<br />
economy, including quantum computing,<br />
quantum cryptography and quantum<br />
communications. We look forward to<br />
working with our government and<br />
industry partners to continue the<br />
momentum BT has started and shaping<br />
the UK's quantum strategy."<br />
The technical collaboration for this<br />
network was conducted in BT's Adastral<br />
Park labs in Suffolk, UK, and the<br />
Quantum Technology Business Division<br />
of Toshiba, based in Tokyo, Japan, and<br />
Cambridge, UK, where the quantum<br />
key distribution technology has been<br />
developed and is manufactured.<br />
www.computingsecurity.co.uk @<strong>CS</strong>MagAndAwards <strong>May</strong>/<strong>Jun</strong>e <strong>2022</strong> computing security<br />
33
threats insights<br />
IF YOU CAN'T STAND THE HEAT…<br />
… THEN DO SOMETHING ABOUT IT. TIME TO FIGHT BACK<br />
AS HIGHLY EVASIVE ADAPTIVE THREATS STRIKE HARD<br />
Mark Guntrip, Menlo Security: web<br />
threats are being more and more<br />
successfully deployed using HEAT<br />
techniques.<br />
Web malware (47%), along with<br />
ransomware (42%), now come<br />
out top of the list of security<br />
threats that organisations are most<br />
concerned about. Yet, despite these<br />
growing risks, less than a third (27%)<br />
have advanced threat protection in place<br />
on every endpoint device that can access<br />
corporate applications and resources.<br />
This is according to new research, 'The<br />
state of threat prevention: evasive threats<br />
take center stage', that has been<br />
published by Menlo Security, exploring<br />
what steps organisations are taking to<br />
secure themselves in the wake of a new<br />
class of cyber threats - known as Highly<br />
Evasive Adaptive Threats (HEAT). As<br />
employees spend more time working in<br />
the browser and accessing cloud-based<br />
applications, the risk of HEAT attacks<br />
increases substantially. Indeed, almost<br />
two-thirds of organisations have had a<br />
device compromised by a browser-based<br />
attack in the last 12 months.<br />
The report suggests that organisations<br />
are not being proactive enough in<br />
mitigating the risk of these threats, with<br />
45% failing to add strength to their<br />
network security stack over the past year.<br />
There are also conflicting views on the<br />
most effective place to deploy security to<br />
prevent advanced threats, with 43%<br />
citing the network, and 37% the cloud.<br />
"Threat actors seek to exploit gaps in<br />
traditional security defences and the fact<br />
that security capabilities haven't really<br />
changed over the past decade," explains<br />
Mark Guntrip, senior director<br />
of Cybersecurity Strategy, Menlo Security.<br />
"One of the areas of focus for attackers is<br />
using web threats and we're seeing more<br />
and more of them successfully deployed<br />
using HEAT techniques. Last year, we<br />
saw Nobelium use HTML smuggling, a<br />
HEAT tactic to avoid static and dynamic<br />
content analysis, to deliver malware and<br />
ransomware attacks. The fact that these<br />
are successful means their usage will<br />
increase, which could have devastating<br />
consequences for companies of all sizes."<br />
"Working practices have changed," he<br />
points out, "and companies must stop<br />
relying on traditional tools and strategies<br />
that just don't cut it anymore. Adopting<br />
a prevention-driven approach to security<br />
is the only way to achieve this and using<br />
isolation-powered security to do so stops<br />
the browser from having any direct<br />
interaction with the website and content<br />
and ensures that HEAT attacks don't stand<br />
a chance."<br />
COMPETING SECURITY PRIORITIES<br />
According to the research among 500-<br />
plus IT decision makers in the UK and the<br />
US, hybrid/remote working (28%) is the<br />
biggest challenge that organisations<br />
expect to face this year when it comes<br />
to protecting their corporate network<br />
from advanced threats. This is followed<br />
by budget restrictions (15%), the<br />
presence of unmanaged devices (14%),<br />
and outdated security solutions (13%).<br />
There are also a number of competing<br />
priorities for IT professionals when it<br />
comes to improving their security posture<br />
in <strong>2022</strong>. Training staff tops the list (61%),<br />
followed by technology investment to<br />
protect the corporate network (60%),<br />
adapting to new ways of working (50%),<br />
and investing in skilled security members<br />
(45%).<br />
ADDITIONAL RESEARCH FINDINGS:<br />
Although 55% of respondents have<br />
invested in their security stack over the<br />
past year and 27% have advanced threat<br />
protection in place, it is simply not having<br />
the desired effect, as attacks are still<br />
successfully penetrating their defence<br />
lines. Half of respondents to the survey<br />
believe that firewalls are an effective way<br />
of mitigating HEAT attacks, while a total<br />
of 31% favour VPNs.<br />
Computing<br />
Security<br />
Secure systems, secure data, secure people, secure business<br />
Product Review Service<br />
VENDORS – HAS YOUR SOLUTION BEEN<br />
REVIEWED BY COMPUTING SECURITY YET?<br />
The Computing Security review service has been praised by vendors and<br />
readers alike. Each solution is tested by an independent expert whose findings<br />
are published in the magazine along with a photo or screenshot.<br />
Hardware, software and services can all be reviewed.<br />
Many vendors organise a review to coincide with a new launch. However,<br />
please don’t feel that the service is reserved exclusively for new solutions.<br />
A review can also be a good way of introducing an established solution to<br />
a new audience. Are the readers of Computing Security as familiar with<br />
your solution(s) as you would like them to be?<br />
Contact Edward O’Connor on 01689 616000 or email<br />
edward.oconnor@btc.co.uk to make it happen.
PLAY IT<br />
SAFE WITH<br />
365 TOTAL<br />
PROTECTION!