CS Jul-Aug 2022

Computing
Security
Secure systems, secure data, secure people, secure business
QUANTUM FACE-OFF
The race for advantage has
begun and it could get nasty
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
WELL VERSED
Interest in the metaverse is
on the up and up,
but what's it all about?
BURNING AMBITIONS
Cyber Power is being
bigged up as the future
great protector. Can it
live up to that billing?
UNREADY, STEADY, GO!
Businesses invest heavily,
but are still poorly prepared
for ransomware attacks
Computing Security July/August 2022

comment
MAY THIS FORCE NOT BE WITH YOU
The main feature on page 20 in this issue is focused on a topic that provokes a
great deal of response, as it becomes an ever more malignant and increasingly
sophisticated force: ransomware.
As the National Cyber Security Centre advises: "Since there's no way to completely
protect your organisation against malware infection, you should adopt a 'defence-indepth'
approach. This means using layers of defence with several mitigations at each
layer. You'll have more opportunities to detect malware, and then stop it before it
causes real harm to your organisation. You should assume that some malware will
infiltrate your organisation, so you can take steps to limit the impact this would cause
and speed up your response."
Amongst those in our article calling on organisations to adopt basic best practice,
educate users and reinforce through repetition is Joseph Carson, chief security scientist
and advisory CISO at Delinea: "Whether made by a public or private organisation,
security processes should ultimately be the same and user access should be a top
priority, given insider threats are the predominant cause of phishing and other
breaches," he states.
Meanhile, Richard Watson, EY Global & Asia-Pacific cybersecurity leader, says that 77%
of security leaders have witnessed an increase in the number of disruptive attacks over
the last year (according to the latest EY Global Information Security Survey). "Leaders
need to put in place a comprehensive cybersecurity strategy that incorporates both
technology and human elements," he says, "especially since phishing attacks take
advantage of human vulnerabilities and weaknesses."
It is a problem that will undoubtedly grow worse over time. Organisations need to
devote the right resources to carefully thought-through strategies that will enable them
to shield against the kinds of mayhem that ransomware is already leaving in its wake.
Brian Wall
Editor
Computing Security
brian.wall@btc.co.uk
EDITOR: Brian Wall
(brian.wall@btc.co.uk)
LAYOUT/DESIGN: Ian Collis
(ian.collis@btc.co.uk)
SALES:
Edward O’Connor
(edward.oconnor@btc.co.uk)
+ 44 (0)1689 616 000
Lyndsey Camplin
(lyndsey.camplin@btc.co.uk)
+ 44 (0)7946 679 853
Stuart Leigh
(stuart.leigh@btc.co.uk)
+ 44 (0)1689 616 000
PUBLISHER: John Jageurs
(john.jageurs@btc.co.uk)
Published by Barrow & Thompkins
Connexions Ltd (BTC)
35 Station Square,
Petts Wood, Kent, BR5 1LZ
Tel: +44 (0)1689 616 000
Fax: +44 (0)1689 82 66 22
SUBSCRIPTIONS:
UK: £35/year, £60/two years,
£80/three years;
Europe: £48/year, £85/two years,
£127/three years
R.O.W:£62/year, £115/two years,
£168/three years
Single copies can be bought for
£8.50 (includes postage & packaging).
Published 6 times a year.
© 2022 Barrow & Thompkins
Connexions Ltd. All rights reserved.
No part of the magazine may be
reproduced without prior consent,
in writing, from the publisher.
www.computingsecurity.co.uk July/August 2022 computing security
@CSMagAndAwards
3

Secure systems, secure data, secure people, secure business
Computing Security July/August 2022
contents
CONTENTS
Computing
Security
QUANTUM FACE-OFF
The race for advantage has
begun and it could get nasty
BURNING AMBITIONS
Cyber Power is being
bigged up as the future
great protector. Can it
live up to that billing?
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
WELL VERSED
Interest in the metaverse is
on the up and up,
but what's it all about?
UNREADY, STEADY, GO!
COMMENT 3
May this force NOT be with you
Businesses invest heavily,
but are still poorly prepared
for ransomware attacks
ARTICLES
NEWS 6 & 8
Tackling threats, showing resilience
No let-up in ransomware attacks
UK data reform bill warning
Cautious welcome for digital strategy
COMPLIANCE AND INFORMATION
SECURITY IN THE SPOTLIGHT 13
Paul Harris, Managing Director at Pentest
Limited, looks at the key issues and how
to tackle them
PHISHING IN THE DARK 10
Phishing is no new phenomenon. In the new
hybrid working world, organisations have
been left seriously exposed to cyberattacks,
used as a formidable weapon with which
to target victims. What can be done to
counteract the damage?
INFOSEC EUROPE SHOW MAKES
WELCOME AND WINNING RETURN 14
After all the trials and tribulations of Covid
lockdowns, the cybersecurity community
‘MOST MALWARE ENCRYPTED’ 18
was finally able to come back together in
A new report suggests that, without HTTPS
person for Infosecurity Europe 2022
inspection of encrypted traffic and advanced
behaviour-based threat detection and
STEERING ON THE SAFE
response, organisations are missing up to
SIDE OF AUTONOMY 16
two-thirds of incoming threats. The report
Peter Lane, Information Security Consultant,
Xcina Consulting, offers his insights on
also highlights that the UK was a top target
how networks and systems can be properly
for cyber criminals in Q1.
protected from concerted attacks or the
vulnerabilities of autonomy
A WORLD APART 28
Interest in the metaverse is on the up,
but is it an illusory world fraught with
RANSOMWARE DEVASTATION 20
dangers or one with real promise?
Despite spending billions on cybersecurity
tools, businesses are alleged still to be
CYBER WOES 30
poorly prepared for ransomware attacks.
Many organisations are feeling no more
What then might be the best means to
confident in their ability to respond to
tackle this huge problem - or has
cyber risks now than they did in 2019.
What has taken its toll on them?
ransomware become a law unto itself?
STEAL NOW, PROTECT NOW 32
Global cyber security experts Norman
Willox and Tom Patterson defend the
change of quantum computing from
POWER VACUUM 24
science fiction to science fact
Cyber Power - the ability to protect and
AT WAR WITH CYBER-ATTACKS 34
promote national interests in and through
The ongoing conflict in Ukraine has
cyberspace - may be a vital component in
seen the resurrection of the infamous
protecting national interests, but how
Industroyer malware and other threats.
effectively will it play out back on terra
What impact are these having?
firma?
computing security July/August 2022 @CSMagAndAwards www.computingsecurity.co.uk
4

news
Muhi Majzoub,
OpenText.
NEW ERA OF REAL-TIME VISIBILITY
OpenText has announced the release
of BrightCloud Cloud Service
Intelligence, enabling Cloud Access
Security Brokers (CASB) and other
security and technology vendors to
enforce data-centric security policies
and prevent unwanted interactions
with cloud services and associated
applications, the company states.
"The risks in securing cloud
applications are fairly straightforward,"
says OpenText chief product officer Muhi
Majzoub. "If IT doesn't know about an
unsanctioned application or service, they
can't adequately protect it or the data
it accesses and stores.
"Modern user practices, tools and
remote work are demanding a new era
of real-time visibility. Which is why realtime
threat intelligence is built into this
new cloud-specific solution, utilising
over 10 years of innovation at the
forefront of AI and ML."
Through a suite of three components -
Cloud Application Classification,
Cloud Application Function and Cloud
Application Reputation - partners can
use BrightCloud Cloud Service
Intelligence to identify, classify, and
block/allow access based on the
application's classification, functions,
and reputation score.
TACKLING THREATS, SHOWING RESILIENCE
The Scottish Business Resilience Centre (SBRC) is SBRC team at cyberQuarter.
taking space at Abertay University's newly
launched Abertay cyberQuarter in Dundee and
becomes one of the founding members of the
cybersecurity research and development centre.
This increased presence in the city looks set to
boost opportunities for the organisation to engage
with businesses from Tayside as it hosts workshops
and meetings, as well as provide a space for its 20-
part-time ethical hackers based out of Abertay University to work and collaborate. The SBRC will
contribute to the Dundee centre's aim to bring together students, academics and organisations
to help solve global cyber security challenges. "Abertay has long held an excellent reputation
in the cyber industry," says Jude McCorry, CEO of the SBRC. "This launch of the brand-new
cyberQuarter at Abertay University will extend this, and we have no doubt that it will be a
positive space where academia and industry can unite to tackle cyber threats."
SEAL OF APPROVAL
AGlasgow Caledonian University cyber security programme
has been hailed as the first Scottish Graduate Apprenticeship
to achieve full National Cyber Security Centre Certification.
The MSc Cyber Security Graduate Apprenticeship has been
given the seal of approval by the National Cyber Security
Centre, along with a programme at another Scottish university.
The MSc Apprenticeship is targeted towards existing IT
professionals who need to develop their current skills and
experience in assessing security risks across a broad range of
technical security solutions and designs. Head of department
Dr Jackie Riley said: "Achieving NCSC Certification is the
culmination of three years of work for the department. The
process includes evaluation of the degree content, the staff
skill set, the facilities available to the students and the Dr Jackie Riley.
commitment of the university to cyber security."
NO LET-UP IN RANSOMWARE ATTACKS
Arcserve has released the first in a series of findings of its
annual independent global research study on current
experiences and attitudes of IT decision makers (ITDMs)
around data protection and recovery. Key findings show
that ransomware attacks continue to impact organisations
worldwide with high costs, but they are still largely
unprepared. "As our annual survey confirmed, ransomware
attacks continue to significantly disrupt business worldwide,
with staggering costs and the real threat of losing missioncritical
data," says Florian Malecki, executive vice president,
marketing at Arcserve. "IT decision makers must review and
modernise their IT security infrastructure by making data
Florian Malecki, Arcserve.
6
computing security July/August 2022 @CSMagAndAwards www.computingsecurity.co.uk

news
John Hetherton,
Evervault.
UK DATA REFORM BILL WARNING
Prince Charles' announcement in the
Queen's speech that a new data
reform bill will allow the UK to deviate
from EU privacy legislation has caused
mutterings in many quarters.
Amongst those urging caution was
John Hetherton, head of compliance at
encryption firm Evervault: "Given the
current stalemate between the US and
Europe over Schrems (ii), the UK would
be unwise to deviate too far from the
GDPR and risk losing its adequacy
status."
Schrems II is the short name given to
the 2020 decision by Europe's top court
(the CJEU), that invalidated Privacy
Shield, the adequacy decision that we all
relied on to legitimately transfer personal
data from the EEA (effectively including
the UK at the time) to the USA.
Adds Hetherton: "It's fair to say that,
while some white smoke has risen
between Presidents Biden and Von der
Leyen [Ursula Von der Leyen, president of
the European Commission], an adequacy
agreement between the two countries is
likely a ways away.
"Large Tech currently find themselves in
the unenviable position of having to
duplicate infrastructures already present
in the US into Europe in order to process
EU citizens' data in line with GDPR, a fate
that UK organisations are keen to avoid."
CALL FOR BACKUP - AND RESTORE!
In a survey, almost all (99%) of IT decision makers stated they
Jon Fielding, Apricorn.
have backup strategies in place, but just over a quarter (26%)
admitted they were unable to fully restore all data/documents
when recovering from a backup. This is according to an annual
survey conducted in April 2022 by Apricorn. Almost 60% of
those that have backups in place acknowledged they did so via
an automated backup to a central repository only. "This is
concerning," says Jon Fielding, managing director, EMEA
Apricorn, "as using the cloud (or any storage repository) as the
sole backup location risks costly business disruption, if a
business suffers a cyber-attack or a technical issue that renders
that service or their data unavailable." Backups are essential,
but backups that work even more so, he adds. "Organisations
need to embrace the '3-2-1 rule': have three copies of data, on
two different media, one of which is offsite."
ENCRYPTION TAKES CENTRE STAGE
The number of UK organisations implementing data encryption as a core part of
their cybersecurity strategy has continued to rise, with 32% introducing a policy
to encrypt all corporate information as standard in the last year. Almost half (47%)
of organisations now require the encryption of all data, whether it's at rest or in
transit. This is according to an annual survey of IT decision makers carried out by
Apricorn.
"Thirty-two per cent of organisations encrypt all data when it's stored on their
systems or in the cloud. Only 2% do not currently see encryption as a priority,"
states Apricorn. "The stakes are getting higher for those organisations that don't
give the approach sufficient attention."
Some 16% of those surveyed admitted a lack of encryption had been the main
cause of a data breach within their company, up from 12% in 2021. When asked
the main reason their organisation has increased the implementation of encryption
over the past year, 24% of respondents said this was due to the increase in remote
working, with 16% citing the rise in ransomware attacks.
CAUTIOUS WELCOME FOR DIGITAL STRATEGY
Having security at the heart of the government's latest UK Digital Strategy has been
welcomed by Verona Hulse, senior public affairs manager at NCC Group, with the
focus on secure infrastructure and environments, data and 'pro-innovation'
regulatory frameworks, seen as particularly pleasing.
"Considering these within the geopolitical landscape, given the ever-evolving,
global digital environment we operate in, will be key to truly realising this
strategy's ambitions," she adds. "The focus on education and skills is also
encouraging, with nods to Ofsted's review of computing education and the need to
retrain adults for roles in the cyber sector. However, there's definitely scope to go
further, so that we have a clear approach to education, recruitment and retention
across the sector."
8
computing security July/August 2022 @CSMagAndAwards www.computingsecurity.co.uk

ADISA ICT Asset Recovery Standard 8.0
is formally approved by the UK ICO
(Approval ICO – CSC/003 and ICO – CSC/004)
Use an ADISA Certified company to be assured of UK GDPR compliance
when disposing of your IT assets.
Visit adisa.global to find out more
Want to know how to retire assets
so you can promote reuse AND meet
data protection legislation?
ADISA offers a range of training courses all presented by
leaders in the field, including a brand-new course which helps
data controllers write an asset retirement program to achieve
the objective of meeting sustainability and security targets.
Visit adisa.global/training to find out more

phishing
PHISHING IN THE DARK
PHISHING IS NO NEW PHENOMENON - BUT IT IS BEING USED MORE AND MORE AS A FORMIDABLE
WEAPON TO ATTACK VICTIMS WITH. WHAT CAN BE DONE TO NEGATE ITS IMPACT?
Anew phishing assault unleashed
on the NHS has been described
as a "timely reminder" to all
organisations, both in the public and
private sector, that they need to cover
both the technology and human aspects
of cybersecurity to develop an adequate
level of protection. What should such
a strategy look like? How does it differ
from what most organisations are doing
right now? And what are the likely
consequences, if they fail to take those
steps?
"In the new hybrid working world,
organisations have been left seriously
exposed to cyberattacks," points out
Richard Watson, EY Global & Asia-Pacific
cybersecurity leader. "In fact, 77% of
security leaders have witnessed an
increase in the number of disruptive
attacks over the last year [according to
the latest EY Global Information Security
Survey]. In addition, phishing tactics
used by cyber criminals have become
increasingly sophisticated and difficult to
detect, compounding the problem even
further.
"Leaders need to put in place a comprehensive
cybersecurity strategy that
incorporates both technology and human
elements, especially since phishing attacks
take advantage of human vulnerabilities
and weaknesses," adds Watson, who
suggests the following approach:
Know the signs of a phishing attack -
"Despite years of sitting through
computer-based training modules, too
many employees are still not aware of the
signs of a phishing attack, often falling
victim to them. Leaders should make
cybersecurity training mandatory for all
employees, so they can identify a phishing
attack immediately and that training
should be experienced based (for example
simulated phishing exercises) as this is
considered to be a very effective way to
really get the message home," he states.
Foster greater communication and
collaboration between the CISO and
C-Suite - "Cybersecurity is too often
a technical conversation causing many
executives and boards to shy away from
it. To help manage this, CISOs should
use business language with the C-suite,
articulating the risks, not reams of
technical operational data, to ensure
they're properly educated about the
realities of cyber-incidents and how to
mitigate them. This will also help with
10
computing security July/August 2022 @CSMagAndAwards www.computingsecurity.co.uk

phishing
the conversation about funding - which
many CISOs consider to be the hardest
part of their job."
Security by design approach - "All teams
should follow this approach when
creating systems, products and services
within their businesses and, to do it
properly, cyber experts should be involved
in the planning process of any new
initiative from the very start. This is a term
that has become known as 'left shifting
security in the plan'. This means that cyber
protection is built into everything from
the outset and is maintained through
consistent monitoring, testing and
implementation of safeguarding
procedures. Worryingly, today just 19% of
cybersecurity professionals feel like they
are consulted in the planning stages of
new business initiatives - so it's clear there
is significant room for improvement."
If leaders fail to take these steps, says
Watson, the consequences for their
organisations could be catastrophic
and lead to significant financial and
reputational damage, especially for those
who hold sensitive customer data or
operate critical infrastructure.
STAYING IN CONTROL
Phishing is a threat that cannot be
avoided, but it can be controlled, argues
Lee Schor, chief revenue officer of VIPRE,
outlining crucial technology tools and
training needed to reduce the threat
of such attacks and ultimately for
organisations to create a phishing
prevention toolkit. "Technology solutions
can support businesses by acting as
a layer of security protection to help
identify, stop and block potential phishing
threats from entering the network.
Email is the leading attack vector used
by cybercriminals to deliver phishing,
ransomware and malware attacks. The
first step in preventing phishing via email,
is to ensure that businesses have the right
protection in place at the time of
receiving and handling emails, such
as email attachment sandboxing; antiphishing
protection; data loss prevention
tools (DLP); and outbound email
protection."
Innovative technologies such as machine
learning can be used to scan emails for
possible phishing scams by comparing
links to known phishing data, he adds.
"Additionally, DLP tools help to stop
sensitive information from leaving the
organisation at the time an employee
sends an email by offering a crucial
double-check."
Digital tools can help to identify and stop
potential phishing emails - but these
technologies are not the complete
solution. "No phishing prevention plan is
effective without users understanding the
threat landscape," says Schor. "Therefore,
it is crucial that businesses implement a
security and phishing awareness training
programme that educates users on the
different types of phishing and potential
threats. It is vital that this training
includes phishing simulations and
penetration testing, so that employees
can face real-life scenarios. This type of
education will help identify areas of
weakness where organisations need to
provide support to employees through
additional training, for example, and
will help businesses to continuously assess
the success of a phishing awareness
programme."
Investing in a phishing toolbox is
essential to fully protect your organisation
against ever-changing attacks and zeroday
threats delivered via SMS, phone and
email, he concludes. "By implementing
the right technology, combined with user
education and security awareness training
to give all-around protection, businesses
can carefully manage and avoid phishing
threats. As the growth of the cyber
Richard Watson, EY: phishing tactics
used by cyber-criminals have become
increasingly sophisticated and difficult
to detect.
security threat landscape shows no signs
of slowing down, organisations can be
reassured that they have the necessary
protective layers in place to combat the
modern threat landscape by using the
right tools and training."
TWO-FOLD APPROACH
Tackling the threat of phishing requires
a two-fold approach, says Jamie Akhtar,
CEO & co-founder of CyberSmart. "On
the one hand, organisations must deploy
technologies that can help filter through
incoming communications for any
suspicious language, links and
attachments; quarantining these until
they have been inspected by the security
team. In conjunction, measures must be
implemented to educate employees on
the threats that exist and how they can
best manage them. The latter is trickier to
do, and requires a good understanding of
cyber psychology and human behaviour to
be effective."
www.computingsecurity.co.uk @CSMagAndAwards July/August 2022 computing security
11

phishing
Most employees, generally, prioritise their
efforts on direct work tasks and deliverables,
employing slow and deliberate (or 'system 2')
thinking to do so, he points out. "Cybersecurity
concerns, however, usually come secondary to
these tasks and may not receive the same
amount of attention. Instead, the majority of
individuals will use system 1, or automatic
thinking, when assessing threats. We use
cognitive shortcuts, like identifying familiar
logos, images and names, when making a
judgement on the safety of clicking a link or
downloading an attachment. There is also an
element of learned helplessness when it comes
to cybersecurity, because it is often made out
to be a complex and intimidating matter.
Therefore, it is critical that organisations foster
good cybersecurity habits as early as possible
and embed them into the company culture."
There are a couple of ways to make this work
in practice, suggests Akhtar. "The first is to
leverage security tools and other awareness
training technologies that are user friendly to
improve overall security posture. For instance,
introducing regular, bite-sized training videos
that address specific knowledge gaps in the
organisation. The second important step is to
build an empowering and encouraging
culture where it is okay to ask questions, make
mistakes and learn from them. If your
employees are scared or uncomfortable
reporting an issue to your security team, that is
when you should be worried."
In the past, employees have been vilified for
being the 'weakest link' and fear was used to
instil best practices, he adds. "Yet research has
shown that relying on fear to enact change is
not sustainable, so we need to take steps to
bolster employee confidence in handling
threats. We should also place greater
emphasis on the benefits of being cyber
secure and compliant, such as keeping their
data safe, as opposed to the dangers that
exist."
INSIDER THREATS
"Phishing is not a new phenomenon,"
comments Joseph Carson, chief security
scientist and advisory CISO at Delinea, "so
strategies need not drastically change, but
organisations need to adopt basic best
practice, educate users and reinforce through
repetition. Whether made by a public or
private organisation, security processes should
ultimately be the same and user access should
be a top priority, given insider threats are the
predominant cause of phishing and other
breaches."
Carson points to the proliferation of NHS
email, SMS and web-based phishing attacks
over the past year, adding that so far we've
seen cyberattack campaigns lure thousands of
victims into leaking sensitive information, such
as log-in credentials and payment details. "In
fact, these phishing campaigns have been so
sophisticated and widespread that business
leaders can only reasonably assume that a
colleague or employee has already fallen victim
to one - especially if they have been working
remotely for the first time in their career."
Cybersecurity and awareness training for all
employees should be a top priority, adds
Carson. "The earlier you identify attacks, the
quicker you can implement detection and
response controls to mitigate any impact.
However, training alone is not enough and we
shouldn't expect employees to all become
cybersecurity professionals. While they should
be made aware of common phishing
techniques and how to identify and report
such attacks, it is imperative for companies to
adopt a zero-trust approach enforced by least
privilege access.
"This way, a user will only get access to
specific applications and data once their
identity has been verified and only for the time
needed to complete the task, thus ensuring
that leaked log-in credentials do not
necessarily translate to a breach of data. Every
organisation will likely have at least one
employee who will click on something bad, so
let's adopt a zero-trust approach to reduce the
impact of when that happens."
TUNNEL VISION
According to recent research from OpenText,
there was a 1,122% increase in phishing
attacks in the first quarter of 2022,
compared to Q1 in 2021. To ensure cyber
resilience, it states, organisations must
deploy strong, multi-layered security and
data protection policies to prevent, respond
to and quickly recover from threats. With this
in mind, OpenText Security Solutions has
unveiled new patent-pending technology
that, it says, "stops rogue DNS requests and
identifies and blocks vulnerabilities exposed
through DNS, including tunnelling and data
exfiltration attacks".
Real-time threat intelligence is an essential
component of a business's cyber resilience
strategy, advises Open Text, citing the
following findings in a 2022 BrightCloud
Threat Intelligence report:
1,122% increase in phishing in the first
quarter of 2022, compared to 2021 Q1
phishing numbers, indicating a buck in
the trend of hackers taking holiday in Q1
For the first time, Instagram broke into
the top five most impersonated brands
for phishing, demonstrating increased
targeting of younger users
36.1% reduction in malware encounters
for customers using both endpoint and
DNS protection versus only endpoint
protection, reinforcing the added efficacy
benefit of securing DNS and using layered
security.
"With security risks escalating worldwide
and a persistent state of evolving threats,
compromises are inevitable, so security
remains job number one," says Mark J.
Barrenechea, OpenText CEO and CTO.
"Through our breadth of OpenText Security
Cloud, we make it easier for businesses to
increase their cyber resilience posture and
protect themselves against threats. And if a
vulnerability unfortunately leads to a breach,
our solutions enable quick detection,
response and recovery to minimise
disruption."
12
computing security July/August 2022 @CSMagAndAwards www.computingsecurity.co.uk

compliance
IS COMPLIANCE ENOUGH WHEN
IT COMES TO YOUR INFORMATION
SECURITY?
PAUL HARRIS, MANAGING DIRECTOR AT PENTEST LIMITED, LOOKS
AT THE ISSUE OF INFORMATION SECURITY WITHIN COMPLIANCE
As a penetration testing company,
we often get approached by
organisations looking to conduct
security testing as part of their compliance
obligations, whether that's to comply with
industry specific regul-ations, such as PCI DSS,
more general regulations such as GDPR,
government-backed schemes, such as Cyber
Essentials Plus, or as part of international
quality standards, such as ISO 27001.
Whatever the compliance need, information
security has quickly become a core
requirement within both regulatory and
voluntary compliance standards across
the globe.
In many ways, compliance requirements have
been a fantastic driver for information security
improvement, bringing much needed
attention to the issues and ensuring that
necessary security measures are being put in
place, even if this has been slightly forced
upon them.
For many organisations, however, achieving
compliance has now become the end goal
when it comes to their information security
efforts, with many believing that compliance
shows they've done enough. Box ticked; job
done. For this year at least.
Whilst any information security improve-ment
effort is to be commended, achieving
compliance doesn't necessarily mean your
organisation is secure. Far from it. In fact,
many information security requirements are
designed as a minimum, baseline standard,
rather than an end goal.
Yes, having a certificate or accreditation is
an important achievement and it's something
that can be shouted about. But is a baseline
truly enough for your organisation, and
your clients, when it comes to information
security? For many, the answer should be no,
but that's not to say it isn't a good starting
point. So, how do you take your information
security efforts further, using your compliance
requirements as a starting point?
EXPAND YOUR FOCUS
The first thing to mention is that compliance
can often have a limited scope, whether it's
your Card Data Environment (PCI DSS) or your
information security systems (ISO 27001).
Whilst these critical areas certainly require
attention, purely focusing your security efforts
on satisfying compliance requirements could
mean that other, potentially less secure, areas
of your business are being overlooked, if not
completely ignored.
Security efforts therefore need to take a much
broader view than your compliance
obligations, looking at your business as a
whole, rather than specific areas in isolation.
MAKE SURE SECURITY EFFORTS
ARE ONGOING, NOT ONE-OFFS
When it comes to compliance, it's easy to think
that once certification is achieved its
job done. However, compliance is only truly
effective when efforts are made continuously.
The same can be said for your wider security.
What is considered 'safe' today could be
vulnerable tomorrow and there are no set
standards to aim for; it's about employing
an ongoing improvement mindset, rather than
looking to reach a one-off goal.
HOLD YOURSELF TO HIGHER
STANDARDS; YOUR CUSTOMERS
OFTEN WILL
Compliance isn't an issue for many
organisations, why? Because their own
internal standards far surpass the requirements
set out by the necessary regulations. When
you set yourself these higher standards,
compliance is achieved almost by default.
This mindset can be driven by the
organisation itself, though it can also be driven
by security-aware customers, many of whom
will require more robust assurances than basic
compliance standards can offer.
www.computingsecurity.co.uk @CSMagAndAwards July/August 2022 computing security
13

events & exhibitions
Infosec 2022 at the ExCeL was a showcase for much of the latest technologies and solutions.
INFOSEC EUROPE MAKES WELCOME RETURN
AFTER ALL THE TRIALS AND TRIBULATIONS OF THE COVID LOCKDOWNS, THE CYBERSECURITY COMMUNITY
WAS FINALLY ABLE TO COME BACK TOGETHER IN PERSON FOR INFOSECURITY EUROPE 2022
In the spirit of Infosecurity Europe
2022's theme, 'Stronger Together',
more than 370 exhibitors, 249
speakers and many thousands of visitors
came through the doors at London's
ExCeL.
On the exhibition floor, numerous
companies used Infosecurity Europe as
a platform for launching new products,
demoing their solutions and announcing
their news.
Visitors were able to explore specialist
zones and showcases dedicated to new
technologies, innovative companies and
the security leaders of tomorrow. These
included the Discovery Zone, the Start-Up
Zone, and the Technology Showcase -
where they could discover the latest
products, services and solutions, as well
as learn about solving technical problems.
Infosecurity Europe 2022 offered plenty
of chances for people to get together
and network, including the sixth annual
Women in Cybersecurity Networking
Event, and the Leaders Lounge, an
exclusive 'home' for CISOs and heads
of information security.
Cyber professionals also took full
advantage of the opportunities to develop
their knowledge, expertise and skills.
These included immersive learning
activities and in-depth roundtable
discussions on Geek Street, and a series
of Security Workshops delivered by
experts from organisations including
Cisco, Google Cloud, the Chartered
Institute of Information Security and
Cloud Security Alliance.
TALKING HEADS
Meanwhile, the conference programme
opened with a keynote presentation from
Lieutenant General Tom Copinger-Symes
of UK Strategic Command, responsible for
accelerating the digital transformation
of UK Defence. His talk focused on how
to tackle the uncertain future of security
threats, adapting to the changing
landscape to anticipate, prevent, prepare
for, respond to and recover from risks.
14
computing security July/August 2022 @CSMagAndAwards www.computingsecurity.co.uk

events & exhibitions
The TryHackMe team, with (on the left) Erika Lewis,
director, Cyber Security and Digital Identity, DCMS.
Topping the bill on the second day
was former Head of MI5 Baroness Eliza
Manningham-Buller, who has led
organisations through remarkable and
pressurised times, from counter terrorism
to pandemics. Through this lens, she
explored the topic of how to lead an
organisation when things have turned
decidedly unpredictable.
Day Two also saw TryHackMe ‘crowned’
as the winner of the UK's Most Innovative
Cyber SME competition, run by the
Department for Digital, Culture, Media
& Sport (DCMS), Infosecurity Europe and
techUK. The company provides hands-on,
immersive security training through realworld
scenarios, via a platform anyone
can access through their browser.
The main keynote presentation on the
final day was delivered by International
Hostage and Kidnap Negotiation Expert
Suzanne Williams, who shared the lessons
learned from her experiences of remaining
resilient in difficult situations, decisionmaking
under pressure and calculated risktaking.
Also on Day Three, renowned 'People
Hacker' Jenny Radcliffe became the latest
industry luminary to be inducted into
the Infosecurity Hall of Fame. Radcliffe
is celebrated for her work exploring,
identifying and addressing human-centred
information security vulnerabilities.
Following her induction, she delivered the
Infosecurity Hall of Fame Annual Lecture,
in which she reflected on her lifetime of
social engineering and physical infiltration
work.
THREAT INSIGHTS
Also attracting large audiences on the
Keynote Stage were investigative journalist
Geoff White, author of 'The Lazarus Heist',
who gave an account of how governmentsponsored
cyber attackers are increasingly
interacting with organised crime gangs,
and Misha Glenny - author, journalist
and specialist in organised crime and
cybersecurity - who offered unique
insights into the challenges geo-political
tensions are creating across the tech
sector. There were a number of other
confer-ence theatres open during the
event, many of which enjoyed full houses,
with speakers exploring various topics,
from ransomware response, threat
detection and battling endpoint
cybercrime, to back-up strategies, IoT
security and DevSecOps.
The Tech & Strategy Talks stage, for
example, featured bite-size presentations
sharing cybersecurity insight, knowledge
and expertise from organisations including
Trend Micro, Canonic Security, Microsoft,
Osirium, Varonis and CrowdStrike.
Infosecurity Europe 2023 will run from 20-
22 June at ExCeL London.
www.computingsecurity.co.uk @CSMagAndAwards July/August 2022 computing security
15

autonomous vehicles & threats
STEERING ON THE SAFE SIDE OF AUTONOMY
AUTONOMOUS VEHICLES ARE INCREASINGLY MAKING HEADLINES AND NOT ALWAYS FOR THE RIGHT REASONS.
HERE, PETER LANE, INFORMATION SECURITY CONSULTANT, XCINA CONSULTING, LOOKS AT HOW NETWORKS
AND SYSTEMS CAN BE PROTECTED FROM ATTACKS OR VULNERABILITIES
There was once a time when travel was
far more simple. To board a vehicle
and save your personal energy was
an achievement, even when the 'vehicle'
was a bicycle. The same may be said for
communication, when a message would
be delivered by hand and then, eventually,
by a miraculous feat, flown through the
waves in invisible data packets and taking
several minutes to upload and then receive.
However, the exponential growth in technology
have brought us to our present day.
Advances in technology continue on a
near daily basis. A strong example of this is
Autonomous Vehicles (AVs) and the rate in
which they are experiencing rapid growth
and acceptance throughout the world.
There are several levels of AVs, depending
on their degree of autonomy. The levels
shown in the table on page 17 have been
created by the Society of Automotive
Engineers (SAE) and adopted by the US
Department of Transportation.
THREATS TO AVS
As we commonly see in security, the threats
may broadly be segregated by the CIA
triad. Confidentiality of information in
the vehicle or pertaining to the driver.
Integrity of information that the vehicle
or organisation rely on. This may be the
vehicle sending false data or even receiving
false data during what it believes is an
'over the air' software update. Availability,
perhaps of the communication systems or
worse, the vehicle controls themselves.
Modern vehicles contain tools to aid in
the efficiency and overall experience of
driving. Unfortunately, they also create
a number of vulnerabilities by relying on
Electronic Computing Units (ECUs) to
conduct the complex processes required
for your driver assist and infotainment
functions.
This results in up to 100 million lines
of code programmed into the ECUs, a
significant number when compared to
the approximately 25 million lines of code
written into the ECUs of a passenger
aeroplane. Vehicles contain a myriad
of sensors, cameras, radars and Light
Detection and Ranging (LIDAR) systems, all
of which contain their own vulnerabilities.
Common attack vectors are not unique to
vehicles: they are shared throughout the
wider cybersecurity industry with all
connected systems. From unauthorised
software modifications to Denial of Service
(DoS) attacks, compromising user privacy
and vehicle safety is achievable and has
16
computing security July/August 2022 @CSMagAndAwards www.computingsecurity.co.uk

autonomous vehicles & threats
been proven on several occasions - see the
graphic on page 16.
Another target may be the occupants
or owner's information. From a private
owner's perspective, owning a vehicle and
using its technology paints a map of your
life and lifestyle. The information you rely
on your vehicle for is growing with each
new technological development. Owners
and organisations need to consider the
safety of people in the vehicle and around
them but also need to consider the private
data that is at risk. The vehicle itself
contains data such as the locations visited
and as most drivers now use some level
of mobile phone connectivity within the
vehicle, their personal data is also
vulnerable.
COMBAT THE THREAT
Considering the modern vehicle as a form
of computer is actually a good first step.
How do we protect our networks and
systems from attacks or vulnerabilities?
The answer is 'Deter', 'Prevent' and 'Detect'
the attacks. Unfortunately, the ability to
prevent and deter are hampered somewhat
by the logistical difficulties in vehicle
manufacturing, but progress is being
made. Due to the myriad of third parties
involved in vehicle manufacture, a holistic
approach to security is very difficult to
achieve. Components found within
a vehicle may come from different
companies or even different countries,
each with their own approach to security.
In June 2020 the World Forum for
Harmonization of Vehicle Regulations
under the United Nations Economic
Commission for Europe (UNECE)
announced the adoption of frameworks to
address the increase and significance of
software and connectivity in vehicles. This
has provided a basis for new regulations
that have enacted cybersecurity
requirements for future vehicle in more
than 60 countries. To help combat the
threat, new companies and services
are developed. Large automotive
manufacturers are now seeking their
guidance or use of the products during
design and production stages. Porsche,
for example, enlisted GuardKnox
(an Israel-based cybersecurity and
technology company) to improve the
cybersecurity of vehicles produced.
This leaves 'Detect'. Fortunately, the
reliance on computing plays to our favour
here. The Controller Area Network (CAN) is
a communication protocol found in most
modern AVs and is responsible for relaying
information between sensors in the vehicle.
Whilst this has been seen in the past as
a vulnerability with weak security, many
companies are now working to rely on
the CAN to feed an interior Intrusion
Detection System (IDS). Paired with
network behavioural analysis or machine
learning, the IDS will alert a driver or
designated entity when malicious activity
is suspected.
Unfortunately, this will not stop malicious
actors finding new vulnerabilities in the
system throughout the vehicle's lifespan,
but it does address the previously mixed
approach to security by design. Owners and
organisations can implement small security
procedures through their own practice to
lower certain risks:
Adopt strict password procedures
(complex and changed regularly)
Organisations may use network
segmentation for connected vehicles
in their fleets
Limit the use of GPS services, use
them only when needed
Educate users on security implications
and risks to personal or company data.
If all else fails, Ferrari announced in June
2022 that they will limit autonomy in their
vehicles to Level 2. Whilst their intention
is to preserve 'emotion' for the driver, less
autonomy will aid in less security vulnerabilities
that we have discussed in this article.
However, one might argue that not everyone
can afford that choice.
ADVICE & SUPPORT
If your firm would benefit from our advice and
support, visit us at www.xcinaconsulting.com.
We provide our clients with pragmatic advice
and guidance to ensure the protection of
connected devices.
For more information, contact us at:
info@xcinaconsulting.com
LEVEL
DESCRIPTION
0 No automation; all major systems are human-controlled
1 Includes automated systems, such as cruise control or automatic braking
2 Partial driving automation, but human intervention is still needed
3 Conditional automation and environmental detection; human override still necessary
4 Officially driverless vehicles. Can operate in self-driving mode in limited areas and speeds, but legislative and
infrastructure limitations restrict full adoption of these vehicles
5 Full vehicle autonomy; no legislative or infrastructure restrictions limitations and no human interaction required.
Testing of fully autonomous vehicles is currently ongoing in several markets globally; however, none are currently
available for the public yet
www.computingsecurity.co.uk @CSMagAndAwards July/August 2022 computing security
17

encryption
'TWO-THIRDS OF MALWARE ENCRYPTED'
REPORT HIGHLIGHTS DANGERS THAT THREATEN WITHOUT
HTTPS INSPECTION AND FINDS THE UK IS A TOP TARGET
Amassive 67% of all malware in Q1
2020 was delivered via encrypted
HTTPS (Hypertext Transfer Protocol
Secure) connections, with 72% of encrypted
malware classified as zero day - and so would
have evaded signature-based antivirus
protection.
These findings - in WatchGuard
Technologies' latest Internet Security Report* -
suggest that, without HTTPS inspection of
encrypted traffic and advanced behaviourbased
threat detection and response,
organisations are missing up to two-thirds of
incoming threats. The report also highlights
that the UK was a top target for cyber
criminals in Q1, earning a spot in the top
three countries for the five most widespread
network attacks.
"Some organisations are reluctant to set up
HTTPS inspection due to the extra work
involved, but our threat data clearly shows
that a majority of malware is delivered
through encrypted connections and that
letting traffic go uninspected is simply no
longer an option," says Corey Nachreiner,
chief technology officer at WatchGuard.
"As malware continues to become more
advanced and evasive, the only reliable
approach to defence is implementing a set of
layered security services, including advanced
threat detection methods and HTTPS
inspection." Other key findings from
WatchGuard's report includethe following:
Monero cryptominers surge in popularity. Five
of the top ten domains distributing malware
in Q1 (identified by WatchGuard's DNS
filtering service DNSWatch) either hosted or
controlled Monero cryptominers. This sudden
jump in cryptominer popularity could simply
be due to its utility; adding a cryptomining
module to malware is an easy way for online
criminals to generate passive income.
Flawed-Ammyy and Cryxos malware variants
join top lists. The Cryxos trojan was third on
WatchGuard's top-five encrypted malware
list and also third on its top-five most
widespread malware detections list, primarily
targeting Hong Kong. It is delivered as an
email attachment disguised as an invoice
and will ask the user to enter their email and
password, which it then stores. Flawed-
Ammyy is a support scam where the attacker
uses the Ammyy Admin support software to
gain remote access to the victim's computer.
Three-year-old Adobe vulnerability appears
in top network attacks. An Adobe Acrobat
Reader exploit that was patched in August
2017 appeared in WatchGuard's top network
attacks list for the first time in Q1. This
vulnerability resurfacing several years after
being discovered and resolved illustrates the
importance of regularly patching and
updating systems.
Mapp Engage, AT&T and Bet365 targeted
with spear phishing campaigns. Three new
domains hosting phishing campaigns
appeared on WatchGuard's top-ten list in Q1
2020. They impersonated digital marketing
and analytics product Mapp Engage, online
betting platform Bet365 (this campaign was
in Chinese) and an AT&T login page (this
campaign is no longer active at the time of
the report's publication).
MASSIVE ATTACK SURGE
COVID-19 Impact. Q1 2020 was only the
start of the massive changes to the cyber
threat landscape brought on by the COVID-
19 pandemic. Even in these first three
months of 2020, we still saw a massive rise
in remote workers and attacks targeting
individuals.
Malware hits and network attacks decline.
Overall, there were 6.9% fewer malware hits
and 11.6% fewer network attacks in Q1,
despite a 9% increase in the number of
Fireboxes contributing data. This could be
attributed to fewer potential targets
operating within the traditional network
perimeter with worldwide work-from-home
policies in full force during the COVID-19
pandemic.
SEEKING GREATER CONTROL
Organisations reporting having a consistent,
enterprise-wide encryption strategy leapt
from 50% to 62%, as they seek greater
control of the data they have distributed
across multiple cloud environments. This
is according to the Entrust 2022 Global
Encryption Trends Study, the 17th annual
18
computing security July/August 2022 @CSMagAndAwards www.computingsecurity.co.uk

encryption
multinational survey of security and IT
professionals conducted by the Ponemon
Institute.
The latest findings suggest companies are
taking data protection more seriously, but
there's still a way to go, it is stated. While the
Ponemon research has shown a steady
increase in enterprise-wide encryption
adoption over the years, this year's study
revealed a dramatic jump from 50% to
62% in those respondents saying that their
organisations have an encryption policy
that is consistently applied. Similarly, 61%
of respondents rated the level of their
senior leaders' support for enterprise-wide
encryption strategy as significant or very
significant.
This year's report also revealed significant
decreases since 2021 in the top two biggest
challenges in planning and executing a data
encryption strategy, namely finding the data
(55% down from 65%) and classifying it
(27% down from 34%).
"The large jump in respondents reporting
consistently applied encryption policies across
their organisations, together with high
support from senior leadership, points to
a real enterprise awakening to the need for
proactive data security," says John Metzger,
vice president of product marketing for
digital security solutions at Entrust. "While
this year's study also reveals that there are still
gaps in the implementation of encryption for
several categories of data, it's nonetheless
a big step forward."
an important part of an encryption and key
management strategy, half said they were
still lacking HSMs. These results highlight
the accelerating digital transformation
underpinned by the movement to the cloud,
as well as the increased focus on data
protection.
UNPROTECTED DATA TRANSFERS
This year's study also reveals how the flow
of sensitive data into multiple cloud
environments is forcing enterprises to
increase their security in this space. Notably,
this includes containerised applications,
where the use of HSMs reached an all-time
high of 40%.
More than half of respondents (55%)
admitted that their organisations transfer
sensitive or confidential data to the cloud
whether or not it is encrypted or made
unreadable via some other mechanism, such
as tokenisation or data masking. However,
another 27% said they expect to do so in the
next one to two years.
"The rising adoption of multi-cloud
environments, containers and serverless
deployments, as well as IoT platforms, is
creating a new kind of IT security headache
for many organisations," adds Metzger. "This
is compounded by the growth in
ransomware and other cybersecurity attacks.
This year's Global Encryption Trends study
shows that organisations are responding by
looking to maintain control over encrypted
data, rather than leaving it to platform
providers to secure."
Corey Nachreiner, WatchGuard: the only
reliable approach to defence is
implementing a set of layered security
services.
John Metzger, Entrust: organisations are
looking to maintain control over encrypted
data, rather than leaving it to platform
providers to secure.
While the results indicate that companies
have gone from assessing the problem to
acting on it, they also reveal encryption
implementation gaps across many sensitive
data categories. For example, just 34% of
respondents say that encryption is extensively
deployed across containers, 31% for big data
repositories and 34% across IoT platforms.
Similarly, while 63% of global respondents
rate hardware security modules (HSMs) as
* The findings in WatchGuard's Internet Security
Reports are drawn from anonymised Firebox Feed
data from active WatchGuard appliances whose
owners have opted in to share data to support the
Threat Lab's research efforts. Today, over 44,000
appliances worldwide contribute threat intelligence
data to the report. In Q1 2020, they blocked over
32,148,519 malware variants in total (730 samples
per device) and more than 1,660,000 network
attacks (38 attacks per device).
www.computingsecurity.co.uk @CSMagAndAwards July/August 2022 computing security
19

ansomware
RANSOMWARE DEVASTATION
DESPITE SPENDING BILLIONS ON CYBERSECURITY TOOLS, BUSINESSES ARE ALLEGED
STILL TO BE POORLY PREPARED FOR RANSOMWARE ATTACKS. WHAT’S THE SOLUTION?
Ransomware attacks continue to impact
organisations worldwide - and the costs
are staggering, says Florian Malecki,
executive vice president marketing, Arcserve.
"A new global survey of over 1,100 IT decision
makers at small and midsize companies found
that 50% had been targeted by a ransomware
attack, with 35% asked to pay over
$100,000 in ransom, and 20% asked to pay
between $1 million and $10 million. In the
UK, 50% of respondents said they had no
choice but to pay the ransom."
And he adds. "The sad truth is that, despite
spending billions on cybersecurity tools,
businesses are still poorly prepared for
ransomware attacks. For this reason,
companies must take a new approach to data
resilience. They must strengthen their disasterrecovery
strategies, backup systems and
immutable storage solutions to prevent the
loss of mission-critical data." He offers five
steps that organisations can take to reduce
their exposure to ransomware and "avoid
staggering losses":
Educate employees. "It's essential to invest in
training for staff, so that they're aware of how
ransomware works. From there, employees
will be better prepared to recognise and
prevent it."
Focus on cures, as well as prevention. "It's time
for companies to stop focusing entirely on
prevention. They should also invest in curative
measures like backup & recovery and
immutable storage that allow them to quickly
restore their data and avoid paying the
ransom when attackers break in."
Place a premium on data resilience. "Your data
resilience is only as strong as your weakest
link. Monitor your weaknesses, fix them when
you find them, and you can bounce back
quickly from disruption and return to normal
operation. To do this, you must have the
technologies required to back up your data
and recover it, if necessary, along with the
proper mindset."
Know what data is most critical. "Data varies
in value. If you're concerned about costs, as
most organisations are these days, you don't
have to store or back up all your data in the
same place. Look into storage solutions that
provide options like data tiering. These enable
you to place less-important data in lessexpensive
levels of storage or 'tiers'."
Put a disaster-recovery plan in place. "A good
disaster-recovery solution will back up your
data to a location of your choice and on a
schedule that suits you. It will also be easy to
test, which is crucial because testing is the
only way you can validate that your recoverytime
goals can be met."
SOPHISTICATED AND BOLDER
Year on year, threat actors have ramped up
ransomware activities. But, in the past two
years, they have become more sophisticated
and bolder, with devastating consequences,
points out Brett Raybould, EMEA solutions
architect, Menlo Security. "Critical
infrastructure attacks are on the rise, with
the Colonial Pipeline attack perhaps the
most well-known example. Sadly in 2021,
one ransomware attack on a hospital in
Duesseldorf led to the death of a woman after
she was diverted to another city to be treated.
The year also saw a record $70m ransom
demand from Kaseya, the company affected
by a zero-day exploitation that went on to
affect 1,500 businesses - a supply chain attack
rivalling that of the SolarWinds incident of
2020."
Since the pandemic, and the transition
to remote and hybrid working models,
companies continue to expand their digital
footprint and reliance on web-based
applications, leading to a greater volume of
ransomware attacks exploiting vulnerabilities
in cloud applications and tools. "For
ransomware to be curbed effectively, there
needs to be a greater focus on business
continuity and disaster recovery strategies, so
firms can limit the damages inflicted by a
potential attack," he adds. "Greater attention
must be placed on the threat of supply chain
20
computing security July/August 2022 @CSMagAndAwards www.computingsecurity.co.uk

ansomware
attacks and third-party connectivity. This
involves a mindset shift to prepare for the risks
presented by third parties to reduce what is a
growing attack surface among organisations."
Right now, this largely requires a proactive
initiative from companies, states Raybould.
"But we could see a change in regulations and
government guidance in the future."
According to a Menlo Security poll, over half
(55%) of respondents felt that responsibility
for protection should fall to government.
"For more organisations to pay attention,
governments may need to take greater action
in the fight against ransomware. We're
already seeing mandatory reporting
procedures on ransomware in APAC, so I
wouldn't be surprised to see this elsewhere.
"We also anticipate greater collaboration
between governments and large corporations
like Google and Microsoft - initiatives that are
beginning to gather momentum already,
as demonstrated by DMARC email
authentication. Such initiatives provide the
building blocks for something greater.
Without question, open collaboration and
the sharing of tools across the industry could
really help to address the ransomware
challenges businesses and governments
currently face."
EASY ACCESS FOR CYBERCRIMINALS
The explanation for the exponential growth
of ransomware attacks, which sometimes
doubles or even quadruples, year-on-year, can
be attributed to the highly agile nature of the
market, states James Tamblin, president,
BlueVoyant UK. "The cyber-criminal economy
presents a cybercrime-as-a-service (CaaS)
model that provides ready-made tools and
services, lowering the barriers to entry for
newcomers and groups alike. It allows less
'tech savvy' cyber criminals easy access to
the market which ensures even more
organisations fall victim. Not to mention, the
increased digitalisation over the last two years
where organisations and services rapidly
shifted online and, in parallel, rapidly
increased their attack vectors, leaving their
digital front door open to threat."
Another explanation for the increase is new
tactics, including double extortion, where
criminals exfiltrate data in addition to
encrypting it. "Double extortion has now
escalated to triple extortion with tactics such
as leak sites, a hugely successful method used
in ransomware attacks. Triple extortion often
leads to associated media publicity, ensuring
companies 'pay the piper'."
This public extortion method has reduced
the ability to contain an attack, adds Tamblin.
"Ransomware attacks have a huge knock-on
effect, not only fiscally, but it is also almost
impossible to quantify the final impact of the
attack after reputation is damaged, customer
relationships sullied and operations affected.
The burden of compliance fines further
increases the secrecy shrouding ransomware,
as companies may choose to pay the
ransomware in secret. Companies can expect
this cost to rise as regulations tighten and
future government policy may increasingly
need to address this burden."
In this climate, companies and organisations
must increase their awareness and risk
tolerance toward cyber threats, he continues.
"There are a range of ways organisations
can reduce this risk and contain the threat,
starting with implementing multi-factor
authentication (MFA) across all accounts.
BlueVoyant has observed that cyber attackers
will often move on to easier targets when
MFA is used effectively. Other important
methods include implementing both a Zero-
Trust approach and the 'principle of least
privilege', a security concept wherein
employees only hold access they need."
BEYOND THE DISCONNECT
While newfound awareness of the existing
cyber threat landscape is a critical first step
towards building a robust defence, this has
yet to be paired with the necessary security
measures and strategies, argues Mike Varley,
threat consultant at Adarma. "For the most
part, there appears to be a disconnect
between how prepared businesses believe
themselves to be and where they truly stand.
Despite 96% of respondents stating that they
were confident in their existing deterrents and
preventive measures, a staggering 58% of
businesses surveyed have already been hit
with ransomware," he comments. "Moreover,
more than one in every five companies does
not have an incident plan in place, suggesting
that cybersecurity is not as much of a priority
as they claim. To put it simply, many are failing
to walk the talk."
Organisations must also take a proactive
approach to mitigating ransomware attacks,
Varley says - "that is, prevent, prepare, detect
and eliminate" - while recommending the
following actions:
Keep software updated - "Keeping systems
up to date should be a priority. Organisations
must ensure effective management of their
technology infrastructure, systems and
services, including the adequate patching of
devices and systems, ensure sufficient network
security and replace unsupported software."
Adopt a proactive mindset - "Organisations
need to adopt a proactive approach to
cybersecurity to ensure that essential functions
and operations can continue even after
a cyber-criminal has penetrated defences
and compromised digital assets."
Utilise better threat detection - "When
ransomware worms its way past your
defences, damage is measured by the time
taken to detect, investigate, contain and
resolve the threat. The longer your exposure,
the greater the incident impact. It's more
efficient to stop a ransomware attack before
it has a chance to do any damage."
Regularly back up data - "To prevent
ransomware disrupting business operations,
it's vital that organisations regularly back up
company data. If a cyber incident occurs, the
www.computingsecurity.co.uk @CSMagAndAwards July/August 2022 computing security
21

ansomware
Brett Raybould, Menlo Security: in the
past two years, threat actors have
become more sophisticated and bolder,
with devastating consequences.
Nigel Thorpe, SecureAge: cybercriminals
continually use new techniques to prevent
their malware from being identified.
organisation will be able to quickly fall back
on a recent backup version."
Improve employee cyber awareness -
"Ransomware attacks can be the result of
poor employee cyber awareness or bad
habits. For example, employees may use easily
guessable passwords or the same password
for multiple accounts. Organisations can
mitigate this risk by providing employee
training and running regular attack
simulations/digital health check-ups to see
if their employees are practising good cyber
hygiene."
ONE STEP AHEAD
The traditional way to prevent ransomware is
to identify and then block malicious activities,
points out Nigel Thorpe, technical director at
SecureAge. "But cybercriminals have a habit of
being one step ahead and continually use
new techniques to prevent their malware
from being identified."
In a business environment, there is generally
no reason for a previously unknown
executable or script to run, he says. "The
software for a typical business PC is built to
a standard design that includes all the tools
that its user will require. A better way is to
block all unauthorised processes which are
not on the 'allow list' from executing. So, if
a malicious executable or script attempts to
run, it is simply blocked.
"The other mainstream approach to
protecting data is to encrypt it using tools
such as database and full disk encryption,
such as BitLocker. But while full disk
encryption is fine, if you lose your laptop;
on a running system, it will simply hand over
decrypted data to every process that asks for
it - legitimate or malicious. As cybercriminals
can only steal data from running systems, full
disk encryption cannot prevent this theft."
As you can't demand a ransom for data that
is already encrypted, the answer is to encrypt
all of your data, all of the time, at rest, in
transit and in use and no matter where it gets
copied - including when it is stolen, Thorpe
states. "This way, stolen data remains
worthless - reverse ransomware you might
say. We must stop believing that it's possible
to block all data exfiltration and accept that,
at some time, someone will gain access to the
network with the aim to steal data and that
they will succeed."
Only by encrypting data at source, and by
maintaining data encryption throughout its
lifecycle can ransomware be truly defeated,
he adds. "File-level encryption works silently
in the background so that neither the user
nor the administrator needs to make any
decisions about what should or should not
be encrypted. Data-centric security goes to
the heart of the whole ransomware attack
problem by securing data against both theft
and crypto attacks."
CRITICAL NATIONAL INFRASTRUCTURE
Cyber-attacks on Critical National
Infrastructure (CNI), which largely comprise
of industrial entities are usually politically
motivated and carried out by 'cyber terrorists'
from adversarial nation states; where the
hacker's goal is to disrupt operations or steal
confidential information which does not
necessarily have a direct financial reward.
Ransomware in the context of CNI brings
a different threat-actor to the forefront -
financial cyber-criminals. "Financial cyber-crime
has found a sweet spot in banking and retail
sectors, but the shift in focus to the industrial
sector/CNI is enabled firstly by a general lack
of cyber-awareness and cyber-investment in
these areas, which makes hacking a CNI
or process industry easier in comparison
to banking infrastructure," says Sashank
Tadimeti, a manager in Protiviti's Technology
Consulting Group.
"Secondly, evolution of 'Ransomware as
a Service' [RaaS] has enabled non-skilled
malicious actors to hire cyber-criminals to
target CNI entities, increasing the number
of ransomware incidents. Thirdly, and most
22
computing security July/August 2022 @CSMagAndAwards www.computingsecurity.co.uk

ansomware
importantly, the anonymity of cryptocurrency
transactions makes it easier for these
malicious actors to extort money, with a
reduced threat of being identified. All these
factors make ransomware a huge success,
leading to the manifestation of a new threat
in the CNI cyber-space."
The compounded risk arising from these
factors concerns even the most cyber matured
organisations; testimony to which are well
known CNI attacks such as Stuxnet, Shamoon
and more recently the Colonial Pipeline
incident, he adds.
"Whilst there is a limited role individual
organisations can play in combating the risk
arising from RaaS and anonymity of cryptotransactions;
'Cyber-Awareness' must be a key
focus for CNI organisations and government
entities. CNI organisations historically have
placed a lot of importance on 'safety' and
often have well-structured and effective safety
awareness programs. CNI Organisations
should consider leveraging these models in
internally advocating cyber awareness and
must ensure the training material stays at
pace with the ever-evolving digital space."
Tadimeti also advises that organisations
should not limit cybersecurity to a compliance
exercise, but aspire to adopt cybersecurity
in its essence. Adopting new technology/
digital solutions without understanding its
ramifications to security or spending heavily
on cyber tools without properly configuring
them result in half-baked solutions, leaving
organisations vulnerable to ransomware and
other cyber threats.
"Whilst we are just getting started on our
'CNI - Security journey', the threat actors
and their methodologies are evolving. The
emergence of 'RaaS' and 'Double-Extortion
Ransomware'; where hackers demand
a ransom payment from the attacked
organisation and simultaneously seek buyers
for the attacked organisation's confidential
data to optimise their profits, are testimony
to this evolution. Awareness, vigilance and
intelligence are key to combating this
growing epidemic."
MONEY SPEAKS LOUDEST
Ransomware is a variation on the old data
breach, points out Tim Mackey, who is
principal security strategist at the Synopsys
Cybersecurity Research Centre. "In effect, the
cyber criminals have discovered a new way
to monetise their investment in both attack
techniques and processes. If my comments
make it sound like cyber criminals are
behaving like businesses, that's because they
are. If you consider the lifecycle of an attack,
the entry point might be a phishing attack or
the exploitation of a vulnerability.
"The team discovering that entry point might
then install some command-and-control
software, at which point they can sell access
to the system. A buyer of that access then
uses the compromised systems for their
purposes, which might include exfiltration
of data or a combination of ransomware and
data exfiltration.
"Defending against these attacks starts with
first principles. If an attacker is unable to
readily exploit a weakness in people, process
or technology, then they can't execute their
attack and move on an easier target.
Identifying weaknesses is the province of
threat models, and such models recognise
that no security is perfect. Instead, they
focus on identifying the threat, then defining
reasonable protections to mitigate the threat,
and lastly monitoring for indications that
someone has successfully used the threat
in an attack.
"Avoiding being targeted is easy - resist
the urge to pay the ransom. There is no
guarantee that decryption keys provided
by an attacker will completely restore
a system and, once you pay, your identity
and willingness to pay ransoms is data
that can be sold as part of a post-attack
monetisation plan," he concludes.
James Tamblin, BlueVoyant UK: "The
cyber-criminal economy presents a
cybercrime-as-a-service (CaaS) model that
provides ready-made tools and services.
Sashank Tadimeti, Protiviti: evolution of
'Ransomware as a Service' [RaaS] has enabled
non-skilled malicious actors to hire cybercriminals
to target CNI entities.
www.computingsecurity.co.uk @CSMagAndAwards July/August 2022 computing security
23

cyber power
POWER VACUUM
CYBER POWER MAY WELL BE A VITAL COMPONENT IN PROTECTING NATIONAL
INTERESTS, BUT HOW EFFECTIVELY WILL IT PLAY OUT IN REALITY?
Cyber Power - the ability to protect and
promote national interests in and
through cyberspace - is, according to
the UK government, becoming an ever more
vital lever of national power and a source of
strategic advantage. But it comes at a price -
the mounting cyber threats that are associated
with it. The government's National Cyber
Strategy 2022 sets out to exploit
opportunities, and tackle evolving threats and
risks. We asked some of the industry's key
players whether that strategy is up to the task
and what else needs to be done to make the
UK more resilient to cyber-attacks.
"A lot of noise from some geopolitical
pundits and think tanks - potentially backed
by cyber security and defence lobbyists -
continues to be generated against the
backdrop of the war in the Ukraine," says
Ian Thornton-Trump, CISO, Cyjax. With the
conflict now running well over the 100 days'
mark, many assumptions about the strength
of the Russian military and cyber capabilities
appear to have been greatly exaggerated. "The
evidence of Russian military incompetence is
littered across the battlefield and the idea
that a Russian 'Battalion Tactical Group' could
perform as a near peer adversary to the
integrated NATO Battle Group was
aspirational at best and farcical at worst."
So, too, it appears with Russian cyber forces,
which also seem to have failed to achieve any
sort of impactful, substantial or persistent
cyber-attack on Ukraine during the conflict, he
adds. "In fact, western technology firms were
geared up and ready for a potential Russian
onslaught of global cyber war, which has
completely failed (so far) to materialise. These
revelations about the iron and cyber curtain of
the Russian 'Great Oz' should spark a NATO
and G-20 rethink."
The idea of 'Cyber Power' as this vital lever
of national power and a source of strategic
advantage is questionable, states Thornton-
Trump. "This does not seem to be the case and
is being oversold as a solution to complex
geopolitical relationships. China, for instance,
is not going to cease being a protagonist
against Taiwan's move towards independence
because of a DDoS attack."
And as he points out: "Although some NATO
cyber capabilities have greatly assisted the
Ukraine defensive efforts, especially when it
comes to Intelligence, Surveillance, Tracking
& Reconnaissance (ISTAR) of Russian army
leadership, Ukraine is not crying out for more
cyber capabilities: it is requesting heavier
weapons, such as more rocket artillery,
howitzers and main battle tanks to defeat the
enemy occupiers. Equal to the heavy weapons
request, and perhaps even more effective, has
been the extraordinary economic sanctions
brought against Russia, which appear to be
degrading and directly disrupting the ability of
the Kremlin to wage the war with the bonus
of undermining Putin's regime."
Setting aside the thoughts of the military
industrial complex's lobbying efforts, what
does he believe 'Cyber Power' can actually
achieve, in real terms? "Not very much, it
seems, other than espionage and surveillance
of persons and groups of interest. Of course,
there have been covert and overt cyber-attacks
conducted by nation state actors against
nation state defenders - by both sides - but
the question to ask is whether any of those
attacks have curtailed a nation state's
behaviour or achieved any substantial geopolitical
outcomes? Without access to
classified analysis reports on 'this top-secret
cyber-attack or espionage campaign altered
the course of history', Chinese, Russian, Iranian
and North Korean leaders all seem eager to
continue to pursue their own aggressive
foreign policy objectives.
"'Cyber power' - if we even want to accept it
as a term - is just another tool of implementing
foreign policy and, like others, it cannot
24
computing security July/August 2022 @CSMagAndAwards www.computingsecurity.co.uk

cyber power
stand alone or achieve any objectives without
diplomatic, coalition building, economic aid
(or sanctions) or overt or covert action, all of
which require investment and support. When
it comes to nation state objectives there is no
'cyber easy button': it remains a difficult and
messy business."
BASIC SECURITY NEED
"In the National Cyber Strategy 2022, the
UK government details its commitment to
establishing a future where the nation is more
resilient to cyberattack, cyber is a national
economic and strategic asset, and the UK
effectively defends its position as a 'cyber
power'," states Phil Lewis, CEO at Titania. "One
of the key areas the strategy rightly focuses on
is the increasing need for basic cyber security
across all sectors and highlights what more
businesses should be doing to prevent cyber
security breaches and close the gaps in
national resilience. Because, without the
basics in place, the nation is exposed."
The research used in the strategy indicates
that 39% of businesses and 26% of charities
have reported a security breach in the last
year. But perhaps more worrying, says Lewis,
is the line from Part 1 of the strategy that
reads: 'Industry tells us that many businesses
do not understand the cyber risks they face...
and that there is often little motivation to
report breaches and attacks.'
Understanding the potentially catastrophic
risk that exploitable vulnerabilities can pose
to an organisation's operations - or indeed
an entire supply chain - is key to prioritising
remediation and mitigation strategies in order
to develop better resilience, he insists. "It's as
important as threat detection and response,
and arguably a more basic requirement for
every organisation. There are world-leading
UK solutions designed to automate the
detection and remediation of complex
network vulnerabilities, as well as endpoint
vulnerabilities. And some of these tools can
even help prioritise remediation, based on the
criticality of the risk the vulnerability poses to
businesses. So, understanding the true extent
of risks is now within reach of businesses of all
shapes and sizes within the UK economy and
the supply chain."
Perhaps it's not surprising then that
understanding and prioritising cyber risks to
better defend networks appears to underpin
all five of the pillars outlined in the strategy,
he comments, "as this has never been a
more achievable goal with the right risk
management frameworks and automation
technology in place. And it's great to see that
the Government continue to lead by example,
significantly reducing its own cyber risks
across the public sector by 2025, in order to
advance the UK's global position as a cyber
power."
Does the strategy and its implementation
go far enough to ensure all critical national
infrastructure (both commercial and
governmental) and their supply chains
establish defendable networks? "Time will tell,"
responds Lewis. "But its commitment to
investing in cyber people, skills, partnerships,
technologies and trusted risk management
frameworks is clearly in the nation's best
interest."
SIGNIFICANT CHANGE
Working over the last 15 years in the
Government sector cyber security industry,
Martin Walsham, director of Cyber Security,
AMR CyberSecurity, has witnessed significant
change in the level of cross-connectivity,
dependency on the ICT systems to operate
and deliver core business functions, and the
evolving threat level. This period has also seen
a lot of stimulus to the digital cyber economy,
with the development and growth of a large
number of SMEs.
"This has resulted in the maturing of the UK
market, the creation of new jobs and export
opportunities; examples of these include
Digital Shadows and Nettitude, which have
grown, been acquired or received significant
investment," he says. "This is something that
Ian Thornton-Trump, Cyjax: a lot of noise
from some geopolitical pundits and think
tanks continues to be generated against the
backdrop of the war in the Ukraine.
Martin Walsham, AMR CyberSecurity:
what has been put forward is a balanced
comprehensive strategy, so it is important
to focus on implementing what has been
proposed.
www.computingsecurity.co.uk @CSMagAndAwards July/August 2022 computing security
25

cyber power
Phil Lewis, Titania: one key area the strategy
rightly focuses on is the increasing need for
basic cyber security across all sectors.
Scott McAvoy, Kyndryl: cybersecurity is very
much a shared responsibility and businesses
need to play their part.
I experienced first-hand with my first cyber
start-up organisation, Info-Assure, which was
acquired in 2016." The Government's current
cyber strategy clearly sets out the main and
evolving challenges, adds Walsham.
"It is based on an honest appraisal of the
shortfalls in current posture relating to
legacy systems and the presence of known
vulnerabilities within aspects of the
Government systems, as well as reflecting
on NCSC involvement - in 777 incidents
managed by the National Cyber Security
Centre between September 2020 and August
2021, around 40% were aimed at the public
sector. This upward trend shows no signs of
abating." As with all strategies, it could be
argued that more could be done and quicker,
he says. "However, what has been put forward
is a balanced comprehensive strategy, so it is
important to focus on implementing what
has been proposed. Most of the strategy
detail is focused on resilience, detection and
response. Very little detail is included outlining
the Government strategy to deter and disrupt
the root causes of cyber threats."
This is alluded to within the strategy, he
adds, but very little detail has been provided:
"Such capabilities will include advanced
protection and detection techniques, as well
as targeted use of government's offensive
cyber capability and broader international and
diplomatic efforts to disrupt and deter such
threats."
If the strategy is to be effective, Walsham
concludes, "then resilience, detection and
response mechanisms need to be supported
with robust measures to deter and disrupt,
such as breaking up criminal networks and
applying sanctions and other measures to
aggressive nation states harming the UK
sovereign cyber interests."
FIVE KEY PILLARS
With cyber-attacks posing an increasingly
dangerous threat to society, Government
initiatives such as the National Cyber Strategy
are more essential than ever, says Scott
McAvoy, UKI associate partner A & IS Security
Practice, Kyndryl. "This latest strategy rests
on five key pillars, ultimately aiming to
strengthen the UK cyber ecosystem and build
a more resilient digital UK. While it addresses
some of the chinks in the current UK
cybersecurity armour, the very nature of
cybersecurity suggests it cannot protect
entirely. Cyberthreats are an ever-moving and
changing entity, and we need to reflect this
in our approach to combatting them."
According to McAvoy, we're at the point
where nothing and no-one is immune to
the nefarious charms of cyber-attackers. "As
such, cybersecurity is very much a shared
responsibility and businesses need to play
their part. As well as following the guidelines
set out in the National Cyber Strategy,
organisations need to adopt a 'resilience by
design' mindset. Over the past 30 years, the
IT industry has compartmentalised itself into
neat towers and silos, which have eventually
evolved into dedicated disciplines.
Mainframe, server, network, cloud,
applications, security etc, each is a dedicated
discipline and often professionals managing
these are only interested in their own
performance, handing over responsibility
whenever a problem falls outside their direct
remit. This siloed approach is particularly
unhelpful in the event of a cyberattack. The
towers create responsibility gaps, which
make it impossible to mount an effective
recovery and response. Preparing for
resilience means redefining the structure."
To break down silos, CIOs need to
understand what the viable business function
requirements are and ask how the whole IT
estate, together, can work to support them,
he concludes. "At a high level, it comes down
to making sure that there is a generalist,
holistic view of resilience in place. It needs
to address what will actually matter to the
business, not just in terms of resilience as an
abstract ideal."
26
computing security July/August 2022 @CSMagAndAwards www.computingsecurity.co.uk

Strengthen your data resilience with
Immutable Backup from Arcserve
Buy an Arcserve Appliance secured by Sophos,
and get OneXafe immutable storage!
Arm your business with a multi-layer protection approach to strengthen your overall data resilience. Arcserve
brings you data backup, recovery, and immutable storage solutions with integrated cybersecurity to defeat
ransomware and provide the best-in-class data management and data protection solution in the market.
Arcserve UDP Data
Protection Software
Unified data and ransomware
protection to neutralize
ransomware attacks,
restore data, and perform
orchestrated recovery.
Arcserve Appliances
All-in-one enterprise backup,
cybersecurity, and disaster
recovery, with multipetabyte
scalability.
StorageCraft OneXafe
Immutable Storage
Scale-out object-based NAS
storage with immutable
snapshots to safeguard data.
Get multi-layer protection!
SCAN HERE

metaverse
A WORLD APART
INTEREST IN THE METAVERSE IS ON THE UP, BUT IS IT AN ILLUSORY
WORLD FRAUGHT WITH DANGERS OR ONE WITH REAL PROMISE?
The word 'metaverse' has yet
to be fully defined, as it is
not yet fully understood,
states Dr Lydia Kostopoulos, SVP
of emerging tech insights at
KnowBe4. "However," she
points out, "a high-level way
to interpret it is an interactive
digital space that can be
experienced through
virtual reality,
augmented
reality or
on a
traditional screen. Whether it is a digital
environment on a screen, inside a VR
headset or an augmented digital overlay
on the physical environment, there are
countless new business models, customer
journeys and security needs that will
arise."
It is too early to know what will be
successful and generate long-term value,
but there are many things we do know,
she adds. "We do know that there will be
business models around the transactions
of digital goods, advertising native
to those environments and digital
experiences. All of these models and
experiences in these digital environments
will create a multitude of data, from what
was clicked to how long someone spent
in a digital place or interacting with
others. We know there will be artificial
intelligence in the back-end, facilitating
personalised ads, and also in the form of
avatars or customer service chatbots."
While development of these digital
environments is still in the early stages,
the benefits they bring are starting to
show. "Musicians have been able to
perform concerts for their fans in fully
digital environments, fitness companies
have created immersive worlds for people
who want to exercise while feeling like
they are flying over mountains or doing
yoga on top of a mountain, artists have
been able to digitally place their art in
physical spaces to be seen only through
special augmented reality apps, and there
are many new use cases being developed
today for immersive learning, medical
28
computing security July/August 2022 @CSMagAndAwards www.computingsecurity.co.uk

metaverse
visualisation of disease and also digital
twins of factories."
However, some challenges and risks will
need to be mitigated, she states. "If these
spaces are meant to be safe, welcoming
to everyone and promote commerce, then
there need to be rules; just as we have
rules on how we interact in the physical
world. The digital streets in the metaverse
should also have rules and those rules
need to be enforced, and there need to
be ways for grievances to be heard and
a transparent process for how they will
be addressed." Besides rules, there should
also be transparency on how data is
collected and ways in which people can
opt out or control the data they are
generating with their activity.
"Ask a dozen different people in digital
what the metaverse is and you are likely
to hear a dozen different answers," says
Thomas Bedenk, VP Extended Reality at
Endava. "However, as it is most commonly
understood, the metaverse will enable
users to interact with a digital continuous
3D space, rather than operating as an
outsider through an abstract interface.
"This offers companies a unique
opportunity to gain much more insight
into their customers' behaviours and
intentions than ever before, which is
hugely valuable data for a business to
have access to."
This will all be possible through the next
generation of AR and VR devices, which
will offer more advanced sensors for the
likes of gesture, eye and face tracking,
skin response and heart rate, he adds.
"By monitoring these stats continuously
and holistically, alongside AI voice
interaction, it will allow for completely
new insights into customer behaviour,
such as being able to measure attention
and emotion, while interacting with a
brand or application."
Having access to that much data brings
with it a whole level of security and
privacy challenges that companies should
be aware of, he cautions. "Users have an
increased sensitivity to this kind of data,
because it is so close to who they are in
the real world and makes them easily
identifiable," states Bedenk. "You can
already see different approaches to this,
with one stream of thought pushing
towards decentralisation and data
sovereignty, while big platform owners
like Microsoft, Apple, Google and
Facebook try to improve their branding
and positioning around data privacy.
"Accelerating digital strategies towards
the metaverse will require a lot of
understanding of the trends that have
led to this so-called 'metaverse moment',
such as 3D data, powerful use cases and
excellent user experience -which many
digital strategies may well already reflect.
However, getting data security and privacy
right, along with ethics, is another key
ingredient for positioning an organisation
well for growing successfully through the
metaverse."
IMPACT ON WELLBEING
Anna Collard, SVP of content strategy and
evangelist at KnowBe4, points to the
immersive nature of the metaverse where
negative experiences such as trolling,
groping or harassment can have more
impactful effects on people's psychological
wellbeing. "Currently, platforms
make users responsible for setting up
'safe zones', which limit others coming
into their space, but we feel there needs
to be more moderation and rules
enforced by default," she continues.
"There are already companies developing
AI-based 'bouncers' for the metaverse.
Like anywhere in society, wherever many
people come together, we have to protect
the vulnerable from the non-desirable
behaviour that comes with human
nature."
Anna Collard, KnowBe4: we have to protect
the vulnerable from the non-desirable
behaviour that comes with human nature.
Lydia Kostopoulos, KnowBe4: some
challenges and risks around the metaverse
will need to be mitigated.
www.computingsecurity.co.uk @CSMagAndAwards July/August 2022 computing security
29

cyber resilience
CYBER WOES
MANY ORGANISATIONS FEEL NO MORE CONFIDENT IN THEIR ABILITY TO RESPOND TO
CYBER RISKS NOW THAN THEY DID IN 2019. WHAT HAS TAKEN ITS TOLL ON THEM?
"
Sarah Stephens, Marsh: no surprise many
organisations do not feel any more confident
in their ability to respond to cyber risks.
The toll of almost three years of
unrelenting workplace disruption,
digital transformation and
ransomware attacks means that most
leaders are no more confident in their
ability to manage cyber risk than they
were two years ago. This is according to
a report published recently by insurance
broker and risk advisor Marsh, along
with Microsoft.
The report, The State of Cyber Resilience,
questioned over 660 cyber risk decision
makers globally and analysed how cyber
risk is viewed by various functions and
executives in leading organisations,
including cybersecurity and IT, risk
management and insurance, finance,
and executive leadership.
One thing holding back confidence is
that most companies have not adopted an
enterprise-wide approach
to cyber
risk: one that at its core is about broadbased
communication and fosters
collaboration and alignment between
stakeholders during key decision-making
moments of truth on their cyber resilience
journey. "For example, all departments
that touch cyber risk should be involved
in cyber incident management and cyber
insights should be shared across the
enterprise to appropriately address
organisational cybersecurity weak spots,"
states Marsh.
"This year, our report looks at how cyber
risk is viewed by various functions and
leaders in the company, specifically
cybersecurity and IT, risk management
and insurance, finance, and executive
leadership. While all of these functions
have common interests around cyber risks,
we found they often act independently,
missing the potential benefits that an
enterprise-wide approach offers. Their
different views and separate ways of
managing cyber risks are reflected in our
finding that only 41% of
30
computing security July/August 2022 @CSMagAndAwards www.computingsecurity.co.uk

cyber resilience
organisations engage legal, corporate
planning, finance, operations, or supply
chain management in making cyber risk
plans."
According to the report, leadership
confidence in their organisation's core
cyber risk management capabilities -
including the ability to understand/assess
cyber threats, mitigate/prevent cyberattacks,
and manage/respond to cyberattacks
- is largely unchanged since 2019,
when 19.7% of respondents stated they
were highly confident, compared to 19%
in 2022.
"As we analysed the responses from the
2022 Marsh and Microsoft Cyber Risk
Survey, eight trends stood out, say the
authors of the report:
1
. Cyber-specific enterprise-wide goals -
including cybersecurity measures,
insurance, data and analytics, and
incident response plans - should be
aligned to building cyber resilience versus
simply preventing incidents, as every
organisation can expect a cyberattack.
73% of companies said they had
experienced a cyberattack.
2
. Ransomware is considered the top
cyber threat faced by companies,
but not the only one. Other prevalent
threats include phishing/social
engineering, privacy breaches, and
business interruption, due to an external
supplier being attacked.
3
. Insurance is an important part of
cyber risk management strategy, and
influences the adoption of best practices
and controls. 61% said their company
buys some type of cyber insurance
coverage.
4
. Adoption of more cybersecurity
controls leads to higher cyber hygiene
ratings. Just 3% of respondents rated
their company's cyber hygiene as being
excellent.
5
. Organisations lag in measuring cyber
risk in financial terms, which hurts their
ability to effectively communicate cyber
threats across the enterprise. Just 26% of
respondents said their organisation uses
financial measures for cyber risk.
6
. Increased investment in cyber risk
mitigation continues, though spending
priorities vary across the enterprise. 64%
said the spur to increasing cyber risk
investments was having experienced an
attack.
7
. New technologies need to be assessed
and monitored on a continuous basis,
not just during exploration and testing prior
to adoption. 54% of companies said they
do not extend risk assessments of new
technologies beyond implementation.
8
. Firms take many cybersecurity actions,
but widely overlook their vendors/digital
supply chains. Only 43% have conducted
a risk assessment of their vendor/supply
chain.
"Many conversations about cyber risk
today begin with a discussion of the
pervasiveness of ransomware," states the
report. "Survey respondents ranked
ransomware at the top of cyber risks facing
their organisations, with more than onethird
saying it is the number one threat,
and nearly three-quarters placing it in the
top three." Organisations also feel that
the infinite number of vulnerabilities
makes ransomware nearly impossible to
safeguard against. "This hammers home
the importance of developing a cyber
resilient organisation."
Professionals in risk management and
insurance roles are more likely to point
to ransomware as a key driver of attacks;
board and CEO-level leaders are less likely
to hold that view. "Given the continued rise
of ransomware and the current tumultuous
threat landscape, it is not surprising that
many organisations do not feel any more
confident in their ability to respond to cyber
risks now than they were in 2019" is the
view of Sarah Stephens, head of cyber,
International, Marsh.
Further, many organisations are still
struggling to understand the risks posed by
their vendors and digital supply chains as
part of their cybersecurity strategies. Only
43% of respondents stated that they have
conducted a risk assessment of their
vendors or supply chains.
FURTHER INSIGHTS
Other findings from the report include:
Only 41% of organisations look beyond
cybersecurity and insurance to engage
their legal, corporate planning, finance,
operations or supply chain management
functions in making cyber risk plans
Nearly four in ten respondents (38%)
said their organisation uses quantitative
methods to measure their cyber risk
exposure, which is a critical step in
understanding how cyberattacks and
other events can create volatility. This is
an improvement from the 2019 survey,
when three in ten respondents (30%)
stated that their organisation uses
quantitative methods.
Tom Reagan, cyber risk practice leader,
US & Canada, Marsh, adds: "Cyber risks
are pervasive across most organisations.
Successfully countering cyber threats needs
to be an enterprise-wide goal, aimed at
building cyber resilience across the firm,
rather than singular investments in incident
prevention or cyber defence. Greater
cross-enterprise communication can help
organisations bridge the gaps that currently
exist, boost confidence and better inform
overall strategic decision-making around
cyber threats."
www.computingsecurity.co.uk @CSMagAndAwards July/August 2022 computing security
31

quantum on trial
STEAL NOW - PROTECT NOW
GLOBAL CYBER SECURITY EXPERTS NORMAN WILLOX AND TOM PATTERSON DEFEND
THE CHANGE OF QUANTUM COMPUTING FROM SCIENCE FICTION TO SCIENCE FACT
When it comes to the imminent and
tremendous advances in quantum
computing, do you wonder
what position the world will be in, in just
a few years' time? Do you wonder what
government, industry and our adversaries
are doing, and what you should be doing?
The truth is that no one knows exactly what
the state of quantum computing will be in
the future, but there are already great strides
being made by governments, academics
and industry around the world in the race
for 'quantum advantage.' When quantum
advantage is achieved, bad actors won't need
a sub-zero lab of their own, but will most
probably be accessing it via a cloud service,
much like the advanced technology of
ransomware that has been made available to
every crook with a computer and a credit
card today.
Defensively, key components of quantum
resistance and encryption are now a reality,
while quantum communication is underway
and quantum clouds are beginning to
become available for sensitive operations. The
time for governments and companies to get
ready is now. Our adversaries already are.
The threat to governments, critical
infrastructure and businesses, large and
small, is most certainly real…it's just maths
at this point. And these threats have already
begun, with a new era of adversarial
behaviour called 'steal now, decrypt later.'
In these SNDL scenarios, adversaries are
stealing large volumes of critical encrypted
data that they cannot yet decrypt, but
are confident that their coming quantum
computers will soon be able to. We also
know that quantum computer supported
encryption hacking will come online years
before the more mature quantum systems
evolve; again highlighting that the most
valuable information be protected now.
PRESIDENT STEPS IN
This matter is so significant, the President of
the United States issued a National Security
Memorandum and an Executive Order
(EO) on 4 May 2022 aimed at securing the
nation's competitive advantage in quantum
information science (QIS), while mitigating
the risks of quantum computers to the
nation's cyber, economic and national
security. This is the fourth such action just
this year.
Current public key encryption schemes rely
on the outdated premise that it would take
the fastest computers too many millions
of years to be able to factor large prime
numbers. So, as computers got incrementally
faster, we just added extra bits to the key
length to keep that premise alive. As the
rapid advances of quantum computers over
this past decade have gone from science
fiction to science fact, we are getting
closer and closer to 'Y2Q', when a quantum
computer can run Shor's algorithm and read
everything we've ever encrypted, regardless of
key length. We need to not only have come
up with better encryption by then, but we
will need to have it be adopted, distributed,
installed and maintained worldwide in
advance. That takes years, so the time to
begin that process is now.
A bipartisan bill, the Quantum Computing
Cyber Preparedness Act, was introduced into
the House of Representatives in April, which
seeks to speed, strengthen and provide
regulation of quantum cyber security. The
authors of this article both support this bill.
While the bill helps to highlight the
tremendous risks that are associated with
the adversarial use of a quantum computer
to decrypt government files and communications,
it does not address the same need in
the 16 critical infrastructure areas of our
private sector. While this bill is a welcome
step, Congress could go even further in
protecting private corporations and business
from this emerging and potentially imminent
threat.
The private sector owns approximately 85%
of our critical infrastructure. Imagine if all our
health records were laid bare, our banking
information zeroed out, our transportation
shut down or our energy turned off. All these
critical infrastructure sectors rely on trusted
encryption to provide even the most basic
of operations. Additionally, the Federal
Government is supported by a very large
defence and security industrial base that has
extensive sensitive government and industry
32
computing security July/August 2022 @CSMagAndAwards www.computingsecurity.co.uk

quantum on trial
information. Protecting these critical supply
chains is as important as protecting the
agencies themselves.
FOUR-STEP PROCESS
In order to protect against bad actors using
quantum computing in criminal, terroristic or
intelligence activities, we believe that every
component of government and the critical
infrastructure sectors should be implementing
a four-step process immediately:
Conduct a complete inventory of where
your organisation uses encryption;
document the specific encryption details
including algorithm, key distribution,
provider, and partner(s)
Begin to make your encryption 'agile' in
a way that will allow for easier changes
in the future
Leverage the latest encryption available
today, like the Messaging Layer Security
(MLS) that is already designed to resist
aggressive collection methods for
communications and collaboration,
and quantum-generated shared keys
for symmetric algorithms
Research and test the NIST candidate
'quantum resistance' algorithms (available
via the providers you've just inventoried),
AND the newer 'quantum encryption'
systems that rely on currently available
use of quantum physics with random
numbers, keys and more to provide
provably secure encryption today with
some existing algorithms.
KEY TO SUCCESS
We believe the above four steps are the
key to success for today and tomorrow.
A quantum-proofing strategy today is both
needed and required. Finding the right talent,
experts, partners, products, and tools to do
such and keep on delivering it into the future
will be paramount. There is an understandable
misconception that the threat of adversarial
use of quantum computing is just for
governments to worry about. But it has
the potential to affect everyone and every
business. Everyone has secrets, intellectual
property and sensitive information that is the
cornerstone of their business or life, and
everyone is vulnerable when it gets out.
Today's ransomware has shown that the
most sophisticated of cyber weapons quickly
finds its way into criminal hands. So, what
secret data do you have that you rely on
systems to keep safe? Will you favour a
product that can protect your information
into the future or doesn't it matter to you?
AND DON'T FORGET ALL THE VIRTUES!
While we are sounding the warning bells
to get ready for quantum computing, we
certainly can't end this piece by not also
extolling all the virtues it will bring. Quantum
computing promises not just faster
computing, but computing in completely
new ways. Entirely new problems can be
crafted and addressed, communications can
become instantons, universal, and secure,
remote sensing will be a reality, and so very
much more. Beyond code-breaking, sectors
including fintech, pharma, logistics,
communications, space, climate and data
analytics are all actively working to leverage
the quantum computing on the horizon.
In the 1960s, Albert Einstein famously called
quantum computing 'spooky.' Today, with
everything we now know, we find quantum
computing exhilarating!
It will take us to intellectual places we have
never even imagined and solve problems we
never thought solvable.
Norman Willox.
Tom Patterson.
www.computingsecurity.co.uk @CSMagAndAwards July/August 2022 computing security
33

threat report
AT WAR WITH CYBER-ATTACKS
THE ONGOING CONFLICT IN UKRAINE HAS SEEN THE RESURRECTION
OF THE INFAMOUS INDUSTROYER MALWARE AND OTHER THREATS
ESET has released its T1 2022 Threat
Report, summarising key statistics
from ESET detection systems and
highlighting notable examples of the
company’s cybersecurity research.
The latest issue of the ESET Threat Report
recounts the various cyberattacks connected
to the ongoing war in Ukraine that ESET
Roman Kovác, ESET : Ukrainians fighting
for their lives and sovereignty.
researchers analysed or helped to mitigate.
This includes the resurrection of the now
infamous Industroyer malware, attempting
to target high-voltage electrical substations.
ESET telemetry also recorded other changes
in the cyberthreat realm that might have
a connection to the situation in Ukraine.
Roman Kovác, chief research officer at ESET,
clarifies why this report is so focused on
cyberthreats related to this war. "Several
conflicts are raging in different parts of the
world, but for us, this one is different. Right
across Slovakia's eastern borders, where ESET
has its HQ and several offices, Ukrainians are
fighting for their lives and sovereignty."
Shortly before the Russian invasion, ESET
telemetry recorded a sharp drop in Remote
Desktop Protocol (RDP) attacks. The decline
in these attacks comes after two years of
constant growth - and as explained in the
Exploits section of the latest ESET Threat
Report, this turn of events might be related
to the war in Ukraine. But even with this fall,
almost 60% of incoming RDP attacks seen in
T1 2022 originated in Russia.
Another side effect of the war: while in
the past, ransomware threats tended to
avoid targets located in Russia, during
this period, according to ESET
telemetry, Russia was the most
targeted country. Researchers at
ESET even detected lock-screen
variants using the Ukrainian
national salute 'Slava Ukraini!'
(Glory to Ukraine!). Since the
Russian invasion of Ukraine,
there has been an increase in
the number of amateurish
ransomware and wipers. Their
authors often pledge support for
one of the fighting sides and position the
attacks as personal vendettas.
Unsurprisingly, the war has also been
noticeably exploited by spam and phishing
threats, adds ESET. Immediately after the
invasion on February 24, scammers started
to take advantage of people trying to
support Ukraine, using fictitious charities
and fundraisers as lures. On that day, ESET
telemetry detected a large spike in spam
detections.
ESET telemetry has also seen many other
threats unrelated to the Russia/Ukraine war.
"We can confirm that Emotet - the infamous
malware, spread primarily through spam
email - is back after last year's takedown
attempts, and has shot back up in our
telemetry," explains Ková?. Emotet operators
spewed spam campaign after spam
campaign in T1, with Emotet detections
growing by more than a hundredfold.
However, as the Threat Report notes, the
campaigns relying on malicious macros
might well have been the last, given
Microsoft's recent move to disable macros
from the internet by default in Office
programs. Following the change, Emotet
operators started testing other compromise
vectors on much smaller samples of victims.
The ESET T1 2022 Threat Report also
reviews the most important research
findings, with ESET Research uncovering: the
abuse of kernel driver vulnerabilities; high
impact UEFI vulnerabilities; cryptocurrency
malware targeting Android and iOS devices;
a yet-unattributed campaign deploying
the DazzleSpy macOS malware; and the
campaigns of Mustang Panda, Donot Team,
Winnti Group, and the TA410 APT group.
34
computing security July/August 2022 @CSMagAndAwards www.computingsecurity.co.uk

Computing
Security
Secure systems, secure data, secure people, secure business
e-newsletter
Are you receiving the Computing Security
monthly e-newsletter?
Computing Security always aims to help its readers as much as possible to do
their increasingly demanding jobs. With this in mind, we've now launched a
Computing Security e-newsletter which is produced every month and is available
free of charge. This will enable us to provide you with more content, more
frequently than ever before.
If you are not already receiving this please send your request to
christina.willis@btc.co.uk and advise her of the best email address for the
newsletter to be sent to.

Nobody likes feeling
vulnerable.
It’s the same when it comes
to information security.
That’s why our information security services have
been designed to provide you with the robust security
assurances you require.
Penetration Testing
Red Teaming
Information Security Consultancy
www.pentest.co.uk
0161 233 0100
pentest
INFORMATION SECURITY ASSURANCE