CS May-Jun 2023

Computing
Security
Secure systems, secure data, secure people, secure business
ARE WE READY FOR...
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
BALANCE OF POWER
US unveils National
Cybersecurity plan
Fears fuel
calls for
time-out
WALKING A VERY FINE LINE
Online Safety Bill: will
it threaten privacy and
lead to censorship?
‘EYE’, SPY, WITH MY....
Webcam hacking soars,
stepping up the risk
of being spied on
Computing Security May/June 2023

comment
CYBER SECURITY 'NOT THE HIGHEST PRIORITY'
While cyber security breaches and attacks remain a common threat, smaller
organisations are identifying them less than last year, according to a recent
government breach survey.
"This may reflect that senior managers in smaller organisations view cyber security
as less of a priority in the current economic climate than in previous years, so are
undertaking less monitoring and logging of breaches or attacks," it states, which is an
extremely worrying proposition by any measure. The government also states that board
engagement and corporate governance approaches towards cyber security tend to be
more sophisticated in larger organisations, "although corporate reporting of cyber risks
remains relatively uncommon, even among large businesses".
The proportion of organisations seeking external information or guidance on cyber
security remains stable, at almost half. "However, this means that a sizeable proportion
of organisations, including larger organisations, continue to be unaware of government
guidance such as the 10 Steps to Cyber Security, and the government-endorsed Cyber
Essentials standard. Linked to this, relatively few organisations at present are adhering
to recognised standards or accreditations, such as Cyber Essentials or ISO 27001."
All in all, these are troubling findings. We are constantly being made aware of more
and more attacks on organisations, so this apparent 'indifference' to being the next
victim is hard to comprehend. In this issue of Computing Security, starting on page 20,
we look at several of the latest reported breaches as a measure of the challenge the UK
is up against - and all the signs are that the level of attacks will only get worse in the
days to come.
Brian Wall
Editor
Computing Security
brian.wall@btc.co.uk
EDITOR: Brian Wall
(brian.wall@btc.co.uk)
LAYOUT/DESIGN: Ian Collis
(ian.collis@btc.co.uk)
SALES:
Edward O’Connor
(edward.oconnor@btc.co.uk)
+ 44 (0)1689 616 000
Daniella St Mart
(daniella.stmart@btc.co.uk)
+ 44 (0)1689 616 000
Stuart Leigh
(stuart.leigh@btc.co.uk)
+ 44 (0)1689 616 000
PUBLISHER: John Jageurs
(john.jageurs@btc.co.uk)
Published by Barrow & Thompkins
Connexions Ltd (BTC)
35 Station Square,
Petts Wood, Kent, BR5 1LZ
Tel: +44 (0)1689 616 000
Fax: +44 (0)1689 82 66 22
SUBSCRIPTIONS:
UK: £35/year, £60/two years,
£80/three years;
Europe: £48/year, £85/two years,
£127/three years
R.O.W:£62/year, £115/two years,
£168/three years
Single copies can be bought for
£8.50 (includes postage & packaging).
Published 6 times a year.
© 2023 Barrow & Thompkins
Connexions Ltd. All rights reserved.
No part of the magazine may be
reproduced without prior consent,
in writing, from the publisher.
www.computingsecurity.co.uk May/June 2023 computing security
@CSMagAndAwards
3

Secure systems, secure data, secure people, secure business
Computing Security May/June 2023
inside this issue
CONTENTS
Computing
Security
ARE WE READY FOR...
Fears fuel
calls for
time-out
WALKING A VERY FINE LINE
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
BALANCE OF POWER
US unveils National
Cybersecurity plan
Online Safety Bill: will
it threaten privacy and
lead to censorship?
‘EYE’, SPY, WITH MY....
COMMENT 3
Cyber security 'not the highest priority'
Webcam hacking soars,
stepping up the risk
of being spied on
NEWS 6
Threat hunting proves tough for many
Cybersecurity training seen as a 'must'
Ransomware attacks: good and bad
Attackers step up pace of exploits
ARTICLES
RACING CERTAINTY 8
Legendary sprinter Michael Johnson has
been confirmed as the opening keynote
speaker at this year's Infosec show in June
MFA BEST PRACTICES YOU DIDN'T
KNOW THAT YOU NEEDED 10
What are the MFA best practices that
organisations need to consider? Chris
Martin, Head of Solution Architecture,
SecurEnvoy, offers his expert insights
HUMAN VOICE GROWS LOUDER 16
Burnout is now said to be rampant
across the cybersecurity industry
LOST AND STOLEN 18
The number of devices somehow 'mislaid'
by various government departments has
prompted fears over data safety
WHY WE NEED A RETURN TO
PREVENTION-FIRST CYBERSECURITY 19
Stopping zero days, ransomware and
other never-before-seen malware is a race
against the clock, warns Karen Crowley,
Director of Product & Solutions Marketing
at Deep Instinct
FEARS OVER AI - ARE WE EMBARKED
ON A DANGEROUS JOURNEY? 12
Is Artificial Intelligence threatening to run
out of control? More than 1,000 experts,
researchers and backers are certainly
concerned about its rapid take-off and
have called for a pause in the creation
of 'giant' AIs. Editor Brian Wall reports
SPOTTING THE BREACH FAULT LINES 20
More and more organisations are being
accused of failing to take appropriate
measures to protect themselves against
data breaches. But is it right to put the
blame on them - or are the odds they face
simply too great?
CYBER STRATEGY CROSSROADS 26
Hard on the heels of the US publishing its
national cybersecurity strategy, does the UK
have any other option but to follow down
the same avenue? And might it be a good
thing to do so anyway?
'SAFETY' ON LINE: AT WHAT PRICE? 24
The Online Safety Bill has been labelled
'bloated and overreaching'. Here’s why
EYE SPY - WHO'S WATCHING YOU? 32
CLOUD GROWS DARKER 29
Webcam hacking has become a serious
Public cloud adopters are 'no longer in
concern in recent years, with all of us
full control of their own security'
potentially at risk of having our privacy
invaded by cybercriminals. Just think how
THE CRACKS ARE WIDENING 30
shocking it would be to discover that your
Password mismanagement is under
connected camera had already been turned
ever deeper scrutiny as hacks escalate
against you into a spying device
computing security May/June 2023 @CSMagAndAwards www.computingsecurity.co.uk
4

news
THREAT HUNTING PROVES TOUGH FOR MANY
John Shier
Anew survey report from Sophos, 'The State of Cybersecurity 2023: The Business Impact of Adversaries on Defenders',
has revealed that 93% of organisations globally find the execution of some essential security operation tasks, such
as threat hunting, challenging. These include understanding how an attack happened, with 75% of respondents stating
they have challenges identifying the root cause of an incident.
"Only one fifth of respondents considered vulnerabilities and remote services a top cybersecurity risk for 2023, yet the
ground truth is that these are routinely exploited by Active Adversaries," said John Shier, field CTO, commercial, Sophos.
"This cascade of operational issues means that these organisations aren't seeing the full picture and are potentially acting
on incorrect information. "There's nothing worse than being confidently wrong. Having external audits and monitoring
helps eliminate blind spots."
CYBERSECURITY TRAINING IS A 'MUST'
F
Simon Wiseman ollowing the
government's
2023 Cyber
Breaches survey
(see Comment
on page 3), Dr
Simon Wiseman,
chief technology
officer for global
governments
and critical
infrastructure, Forcepoint, had this to
say in reply: "Business leaders in any
organisation must take everyday cyber
hygiene seriously. Employees are always
the first line of defence - so regular
cybersecurity training is a must to make
sure a small chink in your armour isn't
your downfall, particularly when it
comes to post-pandemic hybrid
working.
"The drop in adoption of password
policies and firewalls in microbusinesses
could reflect the move to
the cloud, as password managers and
2FA take on the 'strong password'
burden and SAAS apps make them easy
to deploy." Wiseman added: "Leaders
should be investing in the cloud as a
mechanism to protect themselves.
When times are tough and cash flow is
tight, it's easy for capital expenditure
and staff security costs to take second
place - but moving to the cloud can
provide better protection, while
spreading implementation costs."
HPE ACQUIRES CLOUD SECURITY PROVIDER AXIS SECURITY
Phil-Mottram
Hewlett Packard Enterprise (HPE) has acquired cloud
security provider Axis Security to expand Aruba's unified
Secure Access Services Edge (SASE) solutions by combining
cloud security with SD-WAN in a single offering. "As we
transition from a post-pandemic world and a hybrid work
environment has become the new normal, a new approach
is needed for network edge security to protect critical SaaS
applications," said Phil Mottram, executive vice president
and general manager, HPE Aruba Networking.
ATTACKERS DEVELOPING AND DEPLOYING EXPLOITS FASTER THAN EVER
Caitlin Condon
RANSOMWARE ATTACKS: GOOD AND THE BAD
Matt Hull
Rapid 7's latest Vulnerability Intelligence Report examines fifty
of the most notable security vulnerabilities and high-impact
cyberattacks in 2022. A significant finding is that attackers are
developing and deploying exploits faster than ever; 56% of the
vulnerabilities in this report were exploited within seven days of
public disclosure - a 12% rise over 2021 and an 87% rise over
2020. "Rapid7's team of vulnerability researchers works around
the clock to thoroughly investigate and provide critical context
into emergent threats," said Caitlin Condon, Rapid7 vulnerability
research manager and lead Vulnerability Intelligence Report author.
Analysis from NCC Group's Global Threat Intelligence team has
revealed there were 165 ransomware attacks in January, a
38% decrease from December 2022. Though a significant drop,
the total is the highest volume of attacks recorded in January over
the last three years. Matt Hull, global head of threat intelligence at
NCC Group, commented: "In terms of the most prevalent threat
actors, Lockbit 3.0 held onto first position as predicted, whilst Vice
Society and Blackcat had an active start to 2023. It'll be interesting
to see how that evolves over the coming months and whether
Lockbit will remain ahead of the rest."
6
computing security May/June 2023 @CSMagAndAwards www.computingsecurity.co.uk

infosec 2023
RACING AHEAD
LEGENDARY SPRINTER MICHAEL
JOHNSON HAS BEEN CONFIRMED
AS BEING THE OPENING KEYNOTE
SPEAKER AT THIS YEAR'S INFOSEC
EVENT, TAKING PLACE IN JUNE
For those on the fast track to
attending Infosecurity Europe in
June, there's good news: four-times
Olympic gold medallist and legendary
sprinter Michael Johnson has been
confirmed as the opening keynote.
Johnson, now an entrepreneur, author,
sports pundit and philanthropist, will
share insights from his journey, both on
and off the track. He will speak about
the values of goal-setting, adversity,
performing against competitors,
perseverance and how these same
principles can be applied in
cybersecurity.
Johnson will be at the podium on the
opening day of RX's information security
event, which runs from 20-22 June at
ExCeL London. The event is expected to
host more than 400 exhibitors, 13,000
visitors and 200 speakers.
Nicole Mills, exhibition director at
Infosecurity Group, comments: "We are
honoured to have Michael Johnson join
us at our conference and look forward
to his inspiring and motivational
message. In the infosec world, every
second counts. It's a race against
bad actors to secure your
organisation; with speed,
teamwork and drive making
the difference between
success and fatal attacks.
Athletes must deal with
multiple setbacks,
whether it be injuries or
defeats, and his talk
will be a great
opportunity to
hear about
these and
how he relates
this to the
unexpected
challenges
and threats
within
cybersecurity." Meanwhile, acclaimed
security analyst, author and TED speaker
Keren Elazari has been announced as the
latest keynote speaker at the event.
Former hacker turned cybersecurity
expert, she is an internationally
celebrated speaker and analyst. Her 2014
TED talk, the first by an Israeli woman
at the official TED Conference and now
viewed by millions, reimagined the
perception of hackers and the role they
play in the evolution of cybersecurity on
a global scale.
Elazari aims to bring her experience and
knowledge to Infosecurity Europe to
share insights into national security and
geopolitics, and how they are being
radically changed by digital society.
"In 2023, cyber security is no longer
about protecting secrets. It is about our
way of life and about our trust in the
digital ecosystem," she comments. "Cyber
threats impact everyday people and we
are all on the front lines, but this is not
a political battle - it's a challenge that
requires everyone coming together as
a digital society to protect our future.
So, how can we prepare for what comes
next? I believe we can do that, by
actually learning from hackers." Elazari
will be presenting her keynote session at
Infosecurity Europe at 10:00 on Thursday,
22 June,
States Nicole Mills: "We are thrilled to
have Keren as one of our headline
speakers for Infosecurity Europe 2023.
She is not only demonstrating the need
for collaboration and allegiance to
defend our digital future. crossing the
political boundaries to tackle cyber
conflict, but she champions the careers
of women in cyber and is an inspirational
role model to others in the industry."
Visitor registration is now open for the
2023 event.
08
computing security May/June 2023 @CSMagAndAwards www.computingsecurity.co.uk

DON’T
SaaSSS
GET YOUR
KICKED! !
TAKE CONTROL NOW AND
PROTECT YOUR SaaS DATA
Global SaaS vendors like Microsoft, Google and Salesforce
don’t assume any responsibility for your data hosted
in their applications. So, it’s up to you to take control
and fully protect your SaaS data from cyber threats or
accidental loss. Arcserve SaaS Backup offers complete
protection for your SaaS data, eliminating business
interruptions due to unrecoverable data loss.
Arcserve SaaS Backup
Complete protection for all your SaaS data.
arcserve.com
The unified data resilience platform

multi factor authentication
MFA BEST PRACTICES YOU DIDN'T KNOW YOU NEEDED
WHAT ARE THE MFA BEST PRACTICES THAT ORGANISATIONS NEED TO CONSIDER? CHRIS MARTIN,
HEAD OF SOLUTION ARCHITECTURE, SECURENVOY, OFFERS HIS EXPERT INSIGHTS
It's fair to say that MFA and the reasons for
it is understood by most people, except
maybe for artistic people who would
confuse Multi Factor Authentication for
Museum of Fine Arts. If you are looking for
a guide on how to set up a museum,
unfortunately this isn't the right article.
The aim of this guide is to provide MFA
best practices to help implement MFA and
improve the effectiveness of the solution.
Multi Factor Authentication is easily
understood. You really do have to have been
living on a deserted island for the last 20 years
not to know about the risks of using
passwords. Technically, MFA is not difficult,
often with simple solutions installed and
configured in a matter of minutes. Enrolling
MFA isn't difficult either. Users can enrol
a token extremely quickly and easily, often
in under a minute or two. It would appear
the only difficulty is choosing which
Authentication Factors to use.
The best practice is to adopt a simple threestep
process: Identify, Protect and Control.
If you have implemented MFA or are just
embarking on the implementation of MFA,
this process applies.
Identify is about understanding what you
have and what you need. Sounds simple, but
this is often where most companies go
wrong.
Protect is the implementation of the MFA
solution and the rollout to the users. There
will be challenges around user adoption, but
get the first stage correct and adopt a couple
of free simple techniques and the chances of
success are hugely increased.
Control is the final stage of acceptance that
needs change and that after implementation
further monitoring and adaption is required.
IDENTIFY
When someone mentions Identification,
Discovery or Analysis, most organisations
instantly adopt a defensive pose and assume
they will need to go and buy an expensive
Identity Governance or a Data Discovery tool.
Whilst there is no denying these will help, this
part of the process can be entirely manual. In
fact, it's not even technical; it can be done by
anyone with an enquiring, inquisitive mind
set. Every organisation has that annoying
person who asks: "Why?... But what about?"
It's that person who is best suited to do this.
The key to success in this stage is to adopt a
simple premise - not all users are equal. Users
in your organisation may work in different
locations, have different security needs, use
different applications and use different types
of devices etc.
This stage is about trying to group users
based on their authentication needs, how
they are going to authenticate and to what.
The following needs to be considered.
TYPE OF EMPLOYMENT
Is the user a permanent employee, contractor,
supplier, gig worker etc. This is important,
because this will dictate what an organisation
will provide to these users. You are more likely
to use expensive hardware tokens or provide
corporate mobile phones to a permanent
employee than to a third-party supplier.
Identifying these users will also help for the
onboarding process. Not everyone is going
to be onboarded with an AD account and
corporate email address.
PLACE OF WORK
The global pandemic accelerated the acceptance
of remote working. There is a lot of
10
computing security May/June 2023 @CSMagAndAwards www.computingsecurity.co.uk

multi factor authentication
implied security with working in an office - the
front door, the receptionist or security guard.
If you are not recognised at anyone of these
steps, you are likely to get stopped. When
not in the office, there is no visible check of
who is logging in. To make matters more
complicated, its often not a case of either or -
hybrid working people will do both. Another
aspect to consider is region of work. Different
countries will have varying national regulations
they must adhere to.
SECURITY LEVEL
The type and sensitivity of data that a user
accesses is a vital component and does
not always relate to job title. For example,
a production worker may have access to
personal data of a customer to check the
details of a job. Often, when customer data
is stolen, companies face huge reputational
damage, as it often makes headline news.
The best approach is to consider all data
sacred, but your most sensitive data needs
extra security.
TYPE OF DEVICES
You may need to consider reasons why users
may not adopt MFA. Many users in an
organisation may not be using a corporateissued
laptop or mobile phone. In this age
of personal privacy, users may not be willing
to put a corporate agent or authenticator
onto their personal device. This is partly the
consideration of dealing where people work.
It can be a little more nuanced than that.
If a user already has a large number of
authenticators on their device, they could be
prone to an attack known as authenticator
fatigue. A necessary thing to think about is:
can a mobile device be used in all places?
Is having a mobile phone allowed in your
production or research area?
APPLICATIONS
As mentioned under 'Security', what applications
and where those applications are
hosted is important. Most companies do
have a cloud first strategy, but will likely have
a large number of on-premise applications.
Consideration has to be given to how those
applications will be protected. Not all cloud
authentication services can handle on-premise
applications.
If you do this investigation correctly, you will
find you have around 20 different groups.
These groups are known as Personas or UML
Actors and will have different authentication
needs or journeys.
The key now is to decide which MFA Factor
is best for each persona. It is highly likely that
one factor will not be suitable for everyone.
There is no right or wrong answer to which is
best in every situation. Some factors are more
expensive than others; some are easier to set
up, but may not be as secure. The biggest
mistake companies make with MFA is assuming
one size fits all. Understand your users'
needs and address accordingly.
PROTECT
Now that the users' personas and authentication
journeys has been mapped out, the
next stage is implementing a solution to
protect those users. To avoid your help desk
from being overwhelmed with complaints
once you have rolled out MFA to all users and
applications, there are a couple of other
things to consider.
TRAINING
Unfortunately, it is human nature to resist
change or to adopt anything new. Providing
a simple video or guide will help show how
easy it is. Explain that it helps to protect them.
A useful trick, and one that highlights a
common frailty with passwords, is to explain
that, if their password is stolen at work, the
hacker is likely to have access to their social
media accounts. Ask them to imagine the
reputational damage that it could cause.
CORPORATE PROCEDURES
Put a small paragraph or line item in
your Computer Use or Company Security
Policy document, mandating that MFA must
be used. Also consider updating terms and
conditions for external parties.
CONTROL
This final part is essentially a continuous rinse
and repeat of the previous two parts.
Accepting that small changes can impact the
needs of users is important. Rolling out a new
app, how is that going to fit in to your
implementation? Opening a new office, are
those users in those locations adequately
covered?
Another useful action is to ask users for their
feedback. Take a select few from each persona
group and periodically ask them about their
experience. Make changes, if required.
The aim of this guide was to highlight that
implementing MFA is not a technical
challenge and doesn't require expensive
complimentary tools or an overtly complicated
and expensive solution.
Following a simple three-step process, which
is largely manual, helps to ensure that MFA is
successfully implemented across the whole of
your organisation.
Chris Martin,
SecurEnvoy: .
www.computingsecurity.co.uk @CSMagAndAwards May/June 2023 computing security
11

artificial intelligence
AI - ARE WE EMBARKED ON A DANGEROUS RACE?
MORE THAN 1,000 ARTIFICIAL INTELLIGENCE EXPERTS, RESEARCHERS AND BACKERS WANT AN IMMEDIATE
PAUSE ON THE CREATION OF 'GIANT' AIS, SO SYSTEMS SUCH AS GPT-4 CAN BE PROPERLY STUDIED AND
MITIGATED. EDITOR BRIAN WALL REPORTS
Artificial intelligence (AI) makes it
possible for machines to learn from
experience, adjust to new inputs and
perform human-like tasks. "Most AI examples
that you hear about today - from chessplaying
computers to self-driving cars -
rely heavily on deep learning and natural
language processing," states AI and analytics
company SAS. "Using these technologies,
computers can be trained to accomplish
specific tasks by processing large amounts
of data and recognising patterns in the data."
In fact, AI has been hailed by many experts
as the way forward. Yet this is a technology
that will most likely alter fundamentally
how we behave in relation to technological
development - and there are many questions
to be answered as to where AI may lead us
and not all of that necessarily a force for
good. Hence the emergence of the vast
number of experts calling for an immediate
short-term moratorium on the creation of
giant AIs to allow for some degree of
reflection and assessment.
The demand for a pause was made in
an open letter signed by major AI players,
including Elon Musk, who co-founded
OpenAI, the research lab responsible for
ChatGPT and GPT-4; Emad Mostaque, who
founded London-based Stability AI; and
Steve Wozniak, the co-founder of Apple.
Its signatories also include engineers from
Amazon, DeepMind, Google, Meta and
Microsoft, as well as academics, including
the cognitive scientist Gary Marcus.
"Recent months have seen AI labs locked in
an out-of-control race to develop and deploy
ever more powerful digital minds that no one
- not even their creators - can understand,
predict, or reliably control," the letter says,
adding. "Powerful AI systems should be
developed only once we are confident that
their effects will be positive and their risks
will be manageable."
The authors, coordinated by the 'longtermist'
thinktank the Future of Life Institute,
cite OpenAI's own co-founder Sam Altman in
justifying their calls. In a post from February,
Altman wrote: "At some point, it may be
important to get independent review before
starting to train future systems, and for the
most advanced efforts to agree to limit the
rate of growth of compute used for creating
new models." The letter continues: "We agree.
That point is now."
If researchers will not voluntarily pause their
work on AI models more powerful than GPT-
4, the letter's benchmark for "giant" models,
then "governments should step in", insist the
authors. "This does not mean a pause on AI
development in general, merely a stepping
back from the dangerous race to ever-larger
unpredictable black-box models with emergent
capabilities," they add.
HIDDEN POWERS
Since the release of GPT-4, OpenAI has been
adding capabilities to the AI system with
'plugins', giving it the ability to look up data
on the open web, plan holidays and even
order groceries. But the company has to deal
with "capability overhang": the issue that
its own systems are more powerful than it
knows at release. As researchers experiment
with GPT-4 over the coming months, they are
likely to uncover new ways of prompting the
system that improve its ability to solve difficult
problems. One recent discovery was that the
AI is noticeably more accurate at answering
questions, if it is first told to do so "in the style
of a knowledgeable expert".
The call for strict regulation stands in stark
contrast to the UK government's flagship AI
regulation white paper, published at the end
of March, which contains no new powers at
all. Instead, the government says, the focus is
on coordinating existing regulators, such as
the Competition and Markets Authority and
Health and Safety Executive, offering five
'principles' through which they should think
about AI. "Our new approach is based on
strong principles so that people can trust
businesses to unleash this technology of
tomorrow," says science, innovation and
technology secretary Michelle Donelan.
The Ada Lovelace Institute was amongst
those that criticised the announcement.
"The UK's approach has significant gaps,
which could leave harms unaddressed, and
is underpowered relative to the urgency and
scale of the challenge," says Michael Birtwistle,
who leads data and AI law and policy at the
research institute. "The government's timeline
of a year or more for implementation will
leave risks unaddressed, just as AI systems
12
computing security May/June 2023 @CSMagAndAwards www.computingsecurity.co.uk

artificial intelligence
are being integrated at pace into our daily
lives, from search engines to office suite
software."
Labour has joined in the criticism, with
shadow culture secretary Lucy Powell
accusing the government of "letting down
their side of the bargain". She added: "This
regulation will take months, if not years,
to come into effect. Meanwhile, ChatGPT,
Google's Bard and many others are making
AI a regular part of our everyday lives. The
government risks re-enforcing gaps in our
existing regulatory system, and making the
system hugely complex for businesses and
citizens to navigate, at the same time as
they're weakening those foundations
through their upcoming data bill."
Comments Amit Yoran, CEO of NASDAQlisted
company Tenable: "As artificial intelligence
captures mainstream imagination, a
world of possibilities awakens. So does the
realism that superintelligence is closer than
we think and something we won't be able
to control and/or manage.
Yoran continues: "While a six-month
moratorium is unrealistic, we have no
guidelines, guardrails, regulations or even
common frameworks for thinking about the
future we are approaching at full throttle."
MASSIVE CAPABILITY TO ABSORB
So, what exactly is GPT-4 and how does it
function? It's the latest version of what is
widely regarded as the ground-breaking AI
system that powers ChatGPT, which is said to
be more creative, less likely to make up facts
and less biased than its predecessor.
Calling it "our most capable and aligned
model yet", OpenAI cofounder Sam Altman
said the new system is a "multimodal" model,
which means it can accept images, as well
as text as inputs, allowing users to ask
questions about pictures. The new version
can handle massive text inputs, and
remember and act on more than 20,000
words at once,
letting it take an
entire novella as a
prompt.
During a demo of
GPT-4 on Tuesday,
Open AI president
and co-founder
Greg Brockman also
gave users a sneak
peek at the imagerecognition
capabilities
of the newest version of
the system, which is not yet
publicly available and only
being tested by a company called
Be My Eyes. The function will allow
GPT-4 to analyse and respond to images
that are submitted alongside prompts and
answer questions or perform tasks based on
those images. "GPT-4 is not just a language
model, it is also a vision model," Brockman
insists. "It can flexibly accept inputs that
intersperse images and text arbitrarily, kind
of like a document."
OpenAI claims that GPT-4 fixes or improves
upon many of the criticisms that users had
with the previous version of its system. As
a "large language model", GPT-4 is trained
on vast amounts of data scraped from the
internet and attempts to provide responses to
sentences and questions that are statistically
similar to those that already exist in the real
world. But that can mean that it makes up
information when it doesn't know the exact
answer - an issue known as 'hallucination' -
or that it provides upsetting or abusive
responses when given the wrong prompts.
By building on conversations users had with
ChatGPT, OpenAI says it managed to improve
- but not eliminate - those weaknesses in
GPT-4, responding sensitively to requests for
content such as medical or self-harm advice
"29% more often" and wrongly responding to
requests for disallowed content 82% less
often. GPT-4 will still "hallucinate" facts,
however, and OpenAI warns users: "Great
UNESCO
(Copyright author Shutterstock.com)
care should be taken when using language
model outputs, particularly in high-stakes
contexts, with the exact protocol (such as
human review, grounding with additional
context, or avoiding high-stakes uses
altogether) matching the needs of a specific
use-case." But it scores "40% higher" on tests
intended to measure hallucination, according
to OpenAI.
POTENTIAL FOR GOOD
Advocates of AI point to its phenomenal
potential for good. AI and analytics company
SAS, referenced at the start of this article,
point to how advances in AI enable us to
automate complicated tasks and find useful
signals in data that was previously too large
or complex to tackle. "From quality and
equipment performance, to supply chain and
spare parts optimisation, to service
improvements and monetisation of IoT data,
AI techniques can unlock new insights across
the spectrum of manufacturing data," it
states. These, according to SAS, can enable
organisations to:
Find early indicators of potential quality
issues. AI capabilities go far beyond what
simple rule-based systems can do, continuously
learning to automatically detect
www.computingsecurity.co.uk @CSMagAndAwards May/June 2023 computing security
13

artificial intelligence
patterns in data that a human would likely
never see
Avoid costly scrap and rework. Use image
recognition to identify flaws during the
manufacturing process so you can address
them promptly
Identify areas for improvement. Text analytics,
including natural language processing,
lets you link customer sentiment, service
comments and other written records
to quality and production variables to
identify areas for improvement
Improve yield. Apply deep learning in
industrial operations to optimise product
composition and production techniques,
combining audio, video, text and other
data "at efficiency levels previously
unimaginable".
Others with deep concerns and reservations
about AI point to the in-built bias that they
say fuels the very way in which artificial
intelligence has been set up. UNESCO, for
instance, says that typing 'greatest leaders of
all time' in your favourite search engine will
"probably bring up a list of the world's
UNESCO
(Copyright author Shutterstock.com)
prominent male personalities. How many
women do you count? An image search for
'school girl' will most probably reveal a page
filled with women and girls in all sorts of
sexualised costumes. Surprisingly, if you type
'schoolboy', results will mostly show ordinary
young schoolboys. No men in sexualised
costumes or very few."
These, states UNESCO, are examples of
gender bias in artificial intelligence, originating
from stereotypical representations deeply
rooted in our societies. "AI-systems deliver
biased results. Search-engine technology
is not neutral, as it processes big data and
prioritises results with the most clicks relying
both on user preferences and location.
Thus, a search engine can become an echo
chamber that upholds biases of the real world
and further entrenches these prejudices and
stereotypes online."
Gender bias should be avoided or at the
least minimised in the development of
algorithms, in the large data sets used for
their learning and in AI use for decisionmaking,
it argues. That is why
UNESCO has embarked for the
first time to develop a legal,
global document on the ethics
of AI. "Everyone and every part
of the world should be part
of this debate. Artificial
Intelligence is everyone's
business," it insists.
DOUBLE-EDGED SWORD
When it comes to the role AI
performs in cybersecurity, many
sectors have mixed feelings towards
the technology and machine learning,
states Matt Aldridge, OpenText Cyber
Security. "For cybersecurity, perhaps
more than for any other industry, it is
a genuine double-edged sword. For
cybersecurity professionals, AI is a powerful
instrument that expedites and improves many
processes, such as automated security processing
and threat detection. However, we
must remember that bad actors have the very
same toolsets available for their criminal
activity. It is proving to be a constant cat-andmouse
game between these two parties, in
the same way that it has been with cyber
defenders and attackers since the earliest days
of the internet."
First things first, says Aldridge. AI can make
cyberattacks much more sophisticated and
therefore harder to stop. "An all-too-common
example is phishing. With the help of AI,
cybercriminals can write extremely believable
phishing emails in any language, aimed at
whatever type of person they wish to target.
The same is true of voice phishing: AI bots
only need a few seconds of audio material to
credibly replicate a person's voice, making it
simpler than ever to fake calls with the
purpose of extortion."
Faced with the dangers this poses, he adds,
businesses must double down on their
security awareness training efforts. "These
must become regularly and systematically
updated sessions, which every employee is
mandated to take. Overall, businesses should
be encouraging their staff to cultivate a
critical mindset when it comes to internal
and external communications, and not
immediately trust any sender, whether
unfamiliar or not. For cybersecurity
organisations, using AI is no longer an
optional improvement, but an absolute
necessity. Considering the rise of AI-enhanced
cyberattacks, the only way to maintain
enterprise security is by incorporating AI into
threat recognition systems, in order to cope
with the increasing sophistication and
intelligence of cybercriminal techniques. You
must fight fire with fire - or risk being left
behind."
POISONING AND OBFUSCATION FEARS
Meanwhile, Kiri Addison, threat detection
and efficacy product manager, at Mimecast,
points to the company's Mimecast State of
Email Security report, which reveals that
nearly every company suffered from a data
14
computing security May/June 2023 @CSMagAndAwards www.computingsecurity.co.uk

artificial intelligence
UNESCO
(Copyright author Shutterstock.com)
breach (91%). However, she cautions, the
corporate investment into AI will only fuel
criminal organisations to upskill further into
AI poisoning and obfuscation techniques.
"This will lead to greater access to attack
organisations without strong security only
or those who rely solely on AI and forget to
cover the basics. With economic pressures
stretching everyone's budgets, there may be
less focus on cybersecurity as the numbers
get scrutinised, but this should not be the
case! The latest developments in AI have
the potential to enable cyber criminals to
develop social engineering attacks more
quickly and easily. Use tools like employee
training, on top of regular updates and
consolidated technology, to keep the impact
of cyber-attacks to a minimum," advises
Addision.
As far as financial services are concerned,
says Nigel Green, CEO and founder of deVere
Group, AI is set to play an ever-increasing
role and will "fundamentally reshape" the
industry for firms, consumers and markets.
His comments follow Microsoft announcing
that its suite of productivity tools is being
enhanced by artificial intelligence software
as the company pushes onward in a race
against tech giants such as Google, Baidu
and Adobe to commercialise AI technology.
"Despite the lack of familiarity for most
people, AI is a technology that's transforming
the way we do business,
interact and, without
exaggeration, how we live,"
states Green. "It's a wideranging
tech that enables
people to rethink how we
integrate information, analyse
data and use the resulting insights
to enhance our decision-making.
AI is already changing the world and
raising important issues for society, the
economy, and governance. Whilst there are
also concerns about the ethical and social
implications of AI, such as privacy and bias, it
has the potential to bring about considerable
positive changes, not least in areas including
healthcare, education, business and public
services."
The deVere CEO believes finance is one of
the sectors that will become defined by AI
in the coming years, with AI chatbots and
virtual assistants helping financial institutions
to offer personalised customer service 24/7
and respond to client queries in real-time;
and even discover fraudulent activities by
analysing large amounts of data in real-time
and identifying unusual behaviour trends. "As
such, this will help financial institutions make
better and faster decisions by analysing facts
and figures, and providing insights into
potential opportunities or risks. We expect
that algorithms can help financial institutions
make more informed trading decisions by
more accurately assessing market reports
and, therefore, predicting future trends and
patterns," he continues.
It's also hoped that AI will help finance
companies adhere to "regulatory and
reporting requirements by automating
compliance processes" and identifying
potential areas of non-compliance. Green
concludes: "By pushing the boundaries,
improving efficiency, reducing costs and
providing better services to their clients, I'm
confident that AI will change the financial
sector for the better in more ways than in
most sectors."
Kiri Addison, Mimecast: the latest
developments in AI could enable
cybercriminals to develop social
engineering attacks more quickly
and easily.
Matt Aldridge, OpenText Cyber Security:
for cybersecurity, AI is a genuine doubleedged
sword.
www.computingsecurity.co.uk @CSMagAndAwards May/June 2023 computing security
15

automation
HUMAN VOICE GROWS LOUDER
BURNOUT HAS MADE ITS WAY
INTO THE CYBERSECURITY
INDUSTRY, BUT LITTLE IS BEING
DONE TO ADDRESS THE
ATTRITION IT CAUSES, STATES
GARTNER. WHAT CAN BE DONE
TO COUNTERACT THIS ISSUE?
Claire Clark, Titania.
Organisations in the past have
developed their cybersecurity
program to address the ebbs and
flows of regulatory changes, business
decisions, and customer demands and
threats, according to global analyst firm
Gartner. "Modern cybersecurity leaders will
use a human-centric design to strengthen
their program and optimize human
potential," it states.
In recent Gartner research, these are the
key findings:
Burnout has made its way into the
cybersecurity industry, but little is being
done to address the attrition it causes
Insider threat management is not a focus
area for most organisations, unless they
are highly regulated
Digital risk protection services (DRPS) are
becoming more relevant today as the
human element continues to be an
effective vector for malicious actors
The cybersecurity industry has taken
limited action to reduce cybersecurity
process friction and improve user
experience
Poor strategic implementation of topics
like Zero Trust stops organisations from
developing a positive security culture.
"Cyber threats are at an all-time high, so
it's no surprise to read about Gartner's claim
that burnout and attrition are prevalent in
the cybersecurity industry," says Claire Clark,
VP, Engineering and Operations, Titania.
"As the fear of threats rise, security teams
have more demands on them to ensure
organisations and people are protected. The
diversity and quantity of threats are on the
rise, too. As a result, businesses demand
more experts, but with constraints of
budgets. Cyber teams are pushed to their
limits and stretched thin. We need more
tools, resources and time to fight the battle;
for the most part, we don't get it."
Here is where automation can play a
valuable role, she argues, especially tools that
can audit networks continuously and
effectively at scale. "These tools provide the
security coverage of multiple experts in one,
and allow people to utilise their time more
efficiently and effectively, thus helping to
prevent burnout of key skilled security
resource. Burnout also results in an unintentional
risk to a business. Teams may need help
to perform effectively. They can miss or forget
something, or not do it properly. That is why
effective business continuity planning needs
to be in place to prevent, detect and manage
resources for security compliance."
When determining how to address cyber
threats, most organisations do not focus on
insider threat (intentional or unintentional)
management, unless they are heavily
regulated, adds Clark. "Human and insider
threats are one of the most critical to prevent,
detect and protect against. Adopting a zerotrust
mindset is essential, but only some buy
in on this approach. There's a misconception
about perceived overhead or the need to
make operational changes. The 'insider' user
experience precedes preventive security
measures and hinders organisations from
achieving a positive security adoption.
"We already face a skills shortage in cybersecurity,
and the long-term consequences
may increase burnout and attrition of skilled
professionals, thus creating a greater risk to
the cybersecurity industry itself. This, in turn,
could lead to a lack of resilience to increasingly
sophisticated cyber threats from the
inside and the outside."
Her parting advice: "Invest in solutions that
cause the least friction to the user and improve
the employee experience. Otherwise, you'll
develop a culture sceptical and resistant of
security, and an ineffective security strategy
for your business."
16
computing security May/June 2023 @CSMagAndAwards www.computingsecurity.co.uk

Prevention-first.
Powered by Deep Learning.
PREVENT
ransomware, zero-day,
and other unknown threats
BEFORE
they land in your environment.
> 99%
PREVENTION
ACCURACY
< 0.1%
FALSE POSITIVE
PRECISION
40%
REDUCTION
IN EVENTS

device disarray
LOST AND STOLEN
THE NUMBER OF LOST AND
STOLEN DEVICES ACROSS
SEVERAL GOVERNMENT
DEPARTMENTS HAS SOARED IN
RECENT TIMES, RAISING DEEP
CONCERNS OVER DATA SAFETY
Jon Fielding, Apricorn: robust, regularly
reviewed and tested policy and practice
is a must for optimum protection.
The Home Office declared 469 lost and
stolen devices between September
2021 and September 2022, while
the Ministry of Defence (MoD) was not far
behind with 467 mobiles, tablets and USB
devices unaccounted for. That is according
to annual findings from Freedom of Information
(FoI) requests submitted to 14
government departments into the security
of devices held by public sector employees.
Additionally, His Majesty's Revenue and
Customs (HMRC) declared 635 lost and
stolen devices, including 387 mobiles, 244
tablets and 4 USB drives - a 45% increase
on the numbers shared for the same
period in 2020-2021 (346) and 40% more
than 2019-2020 (375). Further to that,
the Department of Business, Energy and
Industrial Strategy admitted to 204 lost
and stolen devices, which is almost double
the 107 declared in the previous year. The
Prime Minister's Office also reported 203
misplaced devices.
"We have asked these same questions via
these FoI requests for the last three years
and, whilst it's not surprising to see devices
unaccounted for, we would hope to see
the numbers declining as cybersecurity
becomes more established," says Jon
Fielding, managing director, EMEA
Apricorn. "Robust, regularly reviewed
and tested policy and practice," he argues,
"with appropriate technology choices and
implementation, supported by education
and comprehensive backup and recovery
strategy, is a must for optimum protection."
Despite Apricorn's requests, The Ministry
of Justice (MoJ) "declined to provide
answers to the FoI questions posed,
regardless of having provided information
in previous years, which highlighted 345
lost and stolen devices, and an alarming
2,152 data breaches in that time (September
2020 and September 2021)," states
the company. However, research into the
MoJ Annual Report, which covered April
2021-March 2022, revealed a huge
number of breaches declared to the ICO,
most disturbing being the disclosure of a
COVID status spreadsheet of 1,800 staff
and offenders sent by email to all staff
within a prison. This contained the
confidential data for offenders and staff,
including health data.
There were also 5,782 security incidents
that were not deemed necessary to report
to the Information Commissioner's Office
for 2021-22, including loss or theft of
information assets from secured government
premises and outside secure
premises, as well as insecure disposal
of inadequately protected electronic
equipment, devices or paper documents.
"It's worrying to think that a government
entity that holds so much responsibility,
and retains so much sensitive and personal
information can pose this much risk," adds
Fielding. "The number of recorded security
incidents, whether reported to the ICO or
not, should alarm security teams. A good
place to start would be through education
and awareness. It's not simply about putting
critical policies in place, but equally ensuring
that awareness is maximised among
employees, so that the risks associated
with applications, actions and devices are
understood."
The Department for Education (DfE)
confirmed the loss and theft of 356
devices, including 296 USB drives. With so
many USB devices unaccounted for, it
further highlights the importance of
encryption on portable drives to keep data
safe when moving beyond the confines of
the government network.
Despite the number of devices missing in
action, when questioned on the security
of these devices, each of the government
departments that were asked confirmed
the missing devices were all encrypted as
standard.
18
computing security May/June 2023 @CSMagAndAwards www.computingsecurity.co.uk

threat response
WHY WE NEED A RETURN TO
PREVENTION-FIRST CYBERSECURITY
STOPPING ZERO DAYS, RANSOMWARE AND OTHER NEVER-BEFORE-SEEN MALWARE IS A RACE AGAINST THE
CLOCK, WARNS KAREN CROWLEY, DIRECTOR OF PRODUCT & SOLUTIONS MARKETING AT DEEP INSTINCT
As the volume and velocity of threats
increase, due to generative AI,
organisations won't keep up. The
industry standard 'assume breach' mentality,
which is a reactive approach that relies on
detection and response, is too late. The
threat actors are already inside. It's time to
prevent threats before they land inside your
environment.
ASSUME BREACH IS TOO LATE
For example, in just 15 seconds the fastestknown
ransomware begins to encrypt.
By contrast, the quickest detection and
response solutions take at least a few
minutes to detect a threat - with many
taking hours or even longer.
In a matter of minutes, extremely
destructive ransomware has ample time to
lock down patient zero, install backdoors,
moving laterally through the network. It's
highly likely that, by the time the security
team is aware of a problem, data will have
been exfiltrated and most of the network
impacted.
Most security tools begin their work only
after malware has started executing - with
behaviours then analysed to identify the
type of attack. This approach not only
provides the attackers with ample dwell
time, but it also frequently leads to a high
number of false-positive alerts, leaving SOC
teams to determine what is a real threat
versus a benign alert.
Attackers are getting better at evading
detection once they are inside. Once the
incident is detected, the focus then turns to
understanding what happened, conducting
further investigation, remediation and
clean-up - a time-intensive and expensive
process. Deep Instinct's Voice of SecOps
report found that it takes 20+ hours for an
organisation to respond to a cyber incident.
The challenge is, can you be sure you have
completely eradicated the threat? Did the
attacker leave droppers or artifacts behind,
or a backdoor?
REDUCING BUSINESS RISK THOUGH
PREVENTION
We have to fight AI with AI. With the application
of Deep Learning to cybersecurity, a
prevention-first approach is once again a
viable solution. Prevention of the past and,
let's face it, the present, relies on rules and
signatures, as well as cloud lookups and
threat intelligence feeds. This slows down
decisions and is truly only effective against
unknown threats.
A prevention-first solution that has been
natively built with deep learning models
that are dedicated to cybersecurity (not for
self-driving cars) is able to prevent unknown
malware in less than 20ms, before it can
execute. This can keep >99% of attacks
out of your environment, lower alerts and
reduce false-positives, and enable your
team to focus on the threats that really
matter.
Deep Learning is different from Machine
Learning in too many ways to explain in this
short article. However, it is the future and
the way organisations can take a more
proactive stance against cyber-attacks.
A prevention-first strategy will reduce overall
risk by stopping threats before they land inside
your environment, lowering events and falsepositives.
Ultimately, this means SOC teams
can focus on tasks that improve productivity,
and stop the most complex, sophisticated
and aggressive attacks.
www.computingsecurity.co.uk @CSMagAndAwards May/June 2023 computing security
19

eaches
BREACHES: WHERE ARE THE FAULT LINES?
MANY ORGANISATIONS ARE BEING ACCUSED OF FAILING TO TAKE APPROPRIATE MEASURES TO PROTECT
THEMSELVES AGAINST DATA BREACHES - BUT ARE THE ODDS AGAINST THEM JUST TOO GREAT?
Data breaches and cyber-attacks are
accelerating at an alarming rate and
yet the response of organisations
when it comes to protecting themselves
seems to be lagging behind. According to
IT Governance, its research identified 106
publicly disclosed incidents accounting for
29,58 million breached records in February
alone. "It follows a mammoth start to the
year, with more than 277 million breached
records in January, and brings the running
total for the year to over 300 million pieces
of compromised personal data," the
company states.
Detecting data breaches has always been
a challenge, states IT Governance. "Even
with staff working on-site, with everyone
connected to the same network and
with antivirus, anti-malware and other
technological security solutions in place,
organisations seldom know they've been
breached until a third party informs them -
usually because stolen data can be traced
back to them. In fact, dwell time - the period
between a security breach and its discovery -
is more often measured in months than
days. This isn't so much a failing on the part
of the victims as efficiency on the part of the
attackers. After all, they don't want to be
detected." Ransomware, which is effective
only when the victim knows of its existence,
is the exception to this rule and inevitably
has a much shorter dwell time.
Of course, technical vulnerabilities aren't
the only causes of data breaches, it adds.
"Human error is regularly found to be the
most common reason for security and data
breaches. For instance, data can be sent to
the wrong recipient by accidentally using cc
instead of bcc when emailing groups of
people, and staff can accidentally click
malicious links and open dubious
attachments in phishing emails or fall for
other social engineering attacks. And, if the
breached data is personal information, you
risk substantial fines or regulatory action
under the UK GDPR (General Data Protection
Regulation) and DPA (Data Protection Act)
2018."
Those who argue that the tools to stop
the assailants are readily available, but are
often not taken up for various reasons - the
organisation doesn't see cybersecurity as a
priority or budgets are too constrained, for
instance - may be taking too simplistic an
approach. The truth is that the range and
sophistication of ways an organisation can
be breached has hit new heights - or maybe
lows - of late. Here are just some of those
means of cracking open a victim:
Cloud vulnerability
Data breaches
Dangerous hybrid or remote work
environments
Phishing becoming more complex
and evasive
Ransomware strategies taking new
directions
Cryptojacking
Cyber-physical attacks
State-sponsored attacks.
IN THE HEAT OF BATTLE
Of course, NOT being breached can be an
exercise in hindsight. In the heat of battle, it
may be a different story. Saying not enough
was done will always be true, in the wake of
an attack, but what was done will always
have to be measured by the power and
capability of the enemy against the budget
of the victim.
Computing Security thought it might be
instructive to look at some of the many
breaches that have occurred recently, as
reported by various sources, to get a picture
of how these were executed, their impact
and whether they might have been avoided.
Let's start with …
HIGHLY VULNERABLE
Sophos's Active Adversary Report for
Business Leaders, which looks at the
changing behaviours and attack techniques
that adversaries used in 2022. The data
identified more than 500 unique tools and
techniques, including 118 'Living off the
Land' binaries (LOLBins). Unlike malware,
LOLBins are executables naturally found
on operating systems, making them much
more difficult for defenders to block when
attackers exploit them for malicious activity.
Sophos also found that unpatched
vulnerabilities were the most common
root cause of attackers gaining initial
access to targeted systems. In fact, in half
of all investigations that were included in the
report, attackers exploited ProxyShell and
Log4Shell vulnerabilities - vulnerabilities from
2021 - to infiltrate organisations. The second
most common root cause of attacks was
compromised credentials.
"When today's attackers aren't breaking in,
they're logging in," says John Shier, field CTO,
commercial, Sophos. "The reality is that the
threat environment has grown in volume
and complexity to the point where there are
20
computing security May/June 2023 @CSMagAndAwards www.computingsecurity.co.uk

eaches
no discernible gaps for defenders to exploit.
For most organisations, the days of going
at it alone are well behind them. It truly is
everything, everywhere, all at once. However,
there are tools and services available to businesses
that can alleviate some of the defensive
burden, allowing them to focus on their
core business priorities."
WORKFORCE MORALE SUFFERS
A report by Bitdefender showed that, within
the UK, 44% of cybersecurity professionals
said they had been told to keep a breach
confidential when they should have reported
it. It's clear from the overall findings that
morale has also taken a big hit, it adds:
35% surveyed said they had knowingly
kept a breach confidential and 51%
worried about their company facing legal
action, due to poor reporting of cyber
incidents
47% of UK professionals cited supply
chain attacks and ransomware as the
top concern (unlike the rest of the world,
where software vulnerabilities are the
biggest concern for 54%)
64% said they had to work weekends,
due to security concerns their company
faced. This correlates to 45% stating they
planned to look for a new job in the next
12 months.
SUPPLY CHAIN WEAKNESSES
A recent report by cyber security business
Risk Ledger reveals leading cyber security
weaknesses in the supply chain. The report
found that 40% of third-party suppliers do
not conduct regular penetration tests of
internal systems and 32% do not have a
supplier security policy that outlines the
security requirements that their suppliers
should meet, putting their own and their
customer's data at risk. Some of the major
findings revealed in this report include:
17% do not enforce multi-factor
authentication (MFA) on all remotely
accessible services
23% do not use Privileged Access
Management controls to securely
manage the use of privileged accounts
20% do not use a password manager.
"Companies rarely run security assurance
against more than 10% of their immediate
third-party suppliers, while visibility into the
risks existing further down the chain remains
almost non-existent," says Risk Ledger CEO
Haydn Brooks. "To improve this situation,
better data and insights into the most
prevalent weaknesses in the wider supplier
ecosystem are needed, so that remedial
efforts can become more focused."
SMALLER ATTACK SURFACE
Nick Denning of Policy Monitor has specific
thoughts on what small and medium-sized
enterprises (SMEs) can do to better defend
themselves, starting with knowing their
vulnerabilities. "It is true that larger organisations
have more cybersecurity experts and
resources to help protect them from attack
than SMEs, but having in-house knowledge
is only part of the story," he says. "Research
can show 'what' the threat might be, but
not 'where' your organisation could be
vulnerable. The good news is that SMEs
by their nature are likely to have a smaller
attack surface. Therefore, it is potentially
easier for an SME to assess risks and to take
an inventory of the assets that need protecting
and how they may be vulnerable.
However, if a business does not have even
the basic skills and deployed technologies to
access this type of information, it can leave
huge gaps in its defences or lead it to invest
in the wrong kind of security. It is like leaving
your house, locking all the doors and turning
on the expensive burglar alarm you installed
after a previous break-in, but forgetting to
close the bedroom window or secure the
shed where your expensive power tools are
stored."
Just as it is important to have a register of
your physical assets for accounting and
maintenance purposes, an important
Haydn Brooks, Risk Ledger: better data
and insights into the most prevalent
weaknesses in the wider supplier
ecosystem are needed.
Nick Denning, Policy Monitor: effective
protection against cyber threats also requires
an ongoing process of cybersecurity asset
identification and management.
www.computingsecurity.co.uk @CSMagAndAwards May/June 2023 computing security
21

eaches
Matt Hull, NCC Group: Lockbit 3.0
leading the way as 2023's most prevalent
threat actor by some margin.
Jason Foster, Cynozure: good data
management is at the heart of building
trust, reducing the risk of breaches and
enabling innovation.
element of effective protection against cyber
threats also requires an ongoing process of
cybersecurity asset identification and
management. "This has two dimensions,"
adds Denning. "Companies need a register
of traditional physical IT assets. such as
PCs, servers and the increasing number of
devices used to access systems remotely.
Increasingly, organisations have items
connected as part of the Internet of Things.
such as medical sensors, fire alarms and
smart security devices. You need to have an
inventory of all these assets. as they make up
the attack surface of an organisation."
The second dimension of IT asset
management is that these assets can provide
a vulnerable entry point and have great
value in themselves. "They may also be
the ultimate targets of cyber-attacks. For
example, an inadequately protected public
application might provide a way-in for cyber
criminals to download or corrupt your data
or a path to enter your systems then move
on to other targets," continues Denning.
"Customer data and employee records held
in databases can help cyber criminals
perpetuate identity theft and financial fraud.
If there is a data breach, an organisation
can be hit by direct financial fraud, an
inability to perform daily business processes,
reputational damage, and heavy data protection
fines from regulators and the cost of
forensic investigations."
RANSOMWARE ON THE RAMPAGE
Analysis from NCC Group's Global Threat
Intelligence team revealed there were 240
ransomware attacks in February,?a 45%
increase from January (see also News, Page
6). The volume of activity is the highest
recorded by NCC Group for this period,
up 30% on February 2022 (185) and 2021
(185). The considerable rise?highlights the
growing threat of ransomware attacks, it
states, as the threat landscape continues
to evolve. Matt Hull, global head of threat
intelligence at NCC Group, comments:
"In February, we observed a surge in ransomware
activity, as expected when coming
out of the typically quieter January period.
However, the volume of ransomware attacks
in January and February is the highest we
have ever monitored for this period of the
year. It is an indication of how the threat
landscape is evolving and threat actors show
no signs of reducing ransomware activities.
"Looking at the most prevalent threat
actors, Lockbit 3.0 looks set to carry on
where it left off in 2022," he believes, "and
is already leading the way as 2023's most
prevalent threat actor by some margin.
BlackCat also remains consistent, while the
ever-sporadic BianLian returned to the top
three. Finally, it'll be interesting to see how
the takedown of Hive by the US Department
of Justice plays out. While this means their
digital operations have been taken down,
it's unlikely Hive's members will disappear
completely. Our threat intelligence team
will continue to keep a close eye on how
this impacts the threat landscape."
POORLY MANAGED DATA
Almost six in ten (57%) senior executives in
the UK financial services sector said their
organisations were at risk of a data breach,
because data is so poorly managed, according
to research from data and analytics
strategy consultancy Cynozure. The findings
were revealed just as the Bank of England's
annual Systemic Risk Survey showed that
cyber-attacks are the most cited risk to
the UK financial system, ahead of inflation
and geopolitical risks. And these concerns
are well-founded, states the consultancy:
"Financial services and insurance firms have
been the target for over a quarter (28%)
of all cyber-attacks in the UK in the last
twelve months."
The research also exposes a lack of
understanding of data in many financial
institutions that may make them more
vulnerable to attack, including around how
it's stored, managed and used. More than
one in five (21%) respondents said they
22
computing security May/June 2023 @CSMagAndAwards www.computingsecurity.co.uk

eaches
didn't know where data was held in the
organisation, over a third (35%) said the
data world is too complex to understand
and more than three in ten (31%) said there
is a lack of data literacy in the business.
Jason Foster, CEO and founder of Cynozure,
comments: "94% of organisations say that
using data effectively is central to running
a successful business, but we've seen many
lack the strategy, literacy, controls and vision
to generate that success. In the financial
services sector, data has the power to create
better products and services, speed up
response rates, drive slicker operations and
support better management of risk. Good
data management is at the heart of building
trust, reducing the risk of breaches and
enabling innovation, so it's critical that steps
are taken to ensure data is stored, managed,
used and protected correctly."
PHISHING FOR AN EASY CATCH
In the wake of the government's 'Cyber
security breaches survey 2023', where one
statistic showed that, for medium businesses,
there has been a drop since 2022 in
the proportion of businesses saying they
have security controls on their devices (from
91% to 79%) and agreed processes for
phishing emails (from 86% to 78%), Andy
Robertson, head of enterprise and cybersecurity
business at Fujitsu UK&I, had this
to say: "A rise in phishing attacks always
correlates with negative economic or social
events and is targeted at those who stand to
benefit the most from socially engineered
messaging. So, as the cost-of-living crisis
continues, don't expect cyber risks to go
away."
Cyber security experts face another hurdle,
too. "With the big rise of artificial intelligence
tools that we're seeing in the form of generative
AI and platforms such as ChatGPT, this
is creating a surge in phishing attacks," he
adds. "For instance, Chat GPT has the ability
to create cyber security attacks, and these
attacks can be created by someone with very
little cyber security and computing experience.
On the flip side, it can be very
powerful, performing a lot of the heavy
lifting to understand what is happening."
URGENT REVIEW NEEDED
Going forward, organisations must identify
equally sophisticated methods to protect
themselves, warns Robertson. "Now, more
than ever, organisations need to be reviewing
their high-level accounts, who has access
to them and when the passwords were last
changed, having a strict approach to Multi-
Factor Authentication (MFA) and Conditional
Access (CA)."
Meanwhile, at a time when IBM reports
the average cost of a data breach is $9.44
million in the US and $4.35 million globally,
a survey carried out by Checkmarx of more
than 1,500 CISOs, AppSec managers and
software developers around the world
uncovered some troubling statistics. The
research showed 88% of AppSec managers
surveyed have experienced at least one
breach in the prior year as a direct result
of vulnerable application code. "The shift
toward modern development practices that
incorporate microservices and serverless
technologies, container security and
infrastructure as code (IaC) are multiplying
the potential attack surface, thereby
identifying critical new priorities for application
security," cautions the company.
CLOUD COMPLEXITY
Adds Sandeep Johri, CEO at Checkmarx:
"Our research underscores how the complexity
of cloud-native applications has ushered
in a bevy of new risks at a time when digital
transformation is a key enterprise goal. A
comprehensive 'shift everywhere' approach
to AppSec ensures that vulnerabilities can be
addressed at any point during the software
development lifecycle. This can become both
an enabler of transformation and a strong
differentiator for the enterprise that can
prove its advanced AppSec posture, ultimately
priming the business for success."
Andy Robertson, Fujitsu UK&I: the big
rise of artificial intelligence tools is
creating a surge in phishing attacks.
John Shier, Sophos: threat environment has
grown in volume and complexity to point
where there are no discernible gaps for
defenders to exploit.
www.computingsecurity.co.uk @CSMagAndAwards May/June 2023 computing security
23

encryption
'SAFETY' ON LINE: AT WHAT PRICE?
THE ONLINE SAFETY BILL HAS BEEN ACCUSED OF WEAKENING THE UK'S DIGITAL SECURITY,
THREATENING BASIC PRIVACY AND OPENING UP THE PROSPECT OF EVER-CREEPING
CENSORSHIP AND BLANKET SURVEILLANCE... OR CAN IT STILL BE A FORCE FOR GOOD?
We all want to be able to address
abuse on the internet, says
Matthew Hodgson, CEO of
Element, but he has grave concerns as to
the UK government's Online Safety Bill (OSB)
being the right way to achieve that in its
present format. "Developing such a bill is
difficult as technology evolves far faster than
legislation," he comments. "But, even allowing
for that challenge, and that the OSB has some
genuinely good intentions, the proposed
legislation is still remarkably poor. What could
have been a constructive piece of legislation
has ended up as a bloated and overreaching
proposal, drafted with little technical prowess.
As it currently stands, the bill weakens the
UK's digital security, threatens basic privacy,
stymies the UK tech industry, and introduces
the prospect of ever-creeping censorship and
blanket surveillance."
Instead of setting a principled example to
the rest of the world, the OSB sees the UK
proposing state surveillance and censorship,
Hodgson insists. "It's far closer to the approach
seen from regimes in Russia and China than
anything in Europe or the US. The bill takes a
wrecking ball to the very fabric of encryption,
by requiring encrypted messaging apps to
scan for abusive content within the app [or
the app's underlying operating system]. This
fundamentally undermines encryption, by
providing a mechanism that can be hijacked
and abused to access arbitrary user data. It
is the online equivalent of installing a CCTV
camera into everyone's bedroom, hooked
up to an artificial intelligence (AI) classifier,
which sends footage back to the authorities
whenever it thinks it sees something illegal
happening."
Today's built-in scanning AI from Apple can't
even distinguish a cow from a horse, he adds
- "so, even if blanket surveillance was a good
idea in the first place, the chances of AI
scanning causing your phone to upload any
and all remotely questionable photos to the
authorities [Ofcom, no less] would be
enormous. The privacy implications are
catastrophic. By forcing this 'backdoor' into
end-to-end encryption (E2EE), the resulting
surveillance mechanisms would be able
to access anyone's messages, at any time,
forwarding them to the authorities, if
suspected as illegal. This weakens security
for everyone; from the 99 percent of normal
law-abiding people through to businesses
and governments."
And if you think that competing nation
states, terrorists and criminals won't be able
to make use of that same access you're sorely
mistaken, he continues. "It means that
healthcare information, financial details,
conversations regarding air traffic control,
electricity grids, nuclear power stations,
military manoeuvres…. none of it would be
protected by end-to-end encryption. And all
that loss of security will be for nothing,
because - no surprise - bad actors don't play
by the rules."
Hodgson believes forcing third party access
to end-to-end encrypted systems robs 'the
good guys' of their security and leaves 'the
bad guys' free to carry on doing what they've
always done. "That the likes of Facebook have
failed in their duty to moderate content is part
of what has led to the OSB. Yet that model in
itself - a centralised, hierarchical platform that
ends up in the unenviable position of having
to adjudicate what's 'acceptable' - is precisely
what the OSB puts forward as its solution."
UNITED PROTEST
Meanwhile, as reported in The Guardian, rival
chat apps WhatsApp and Signal are amongst
those that have joined forces to protest
24
computing security May/June 2023 @CSMagAndAwards www.computingsecurity.co.uk

encryption
against the bill, which they say could
undermine the UK's privacy and safety.
"The bill provides no explicit protection
for encryption," they comment, "and, if
implemented as written, could empower
Ofcom to try to force the proactive scanning
of private messages on end-to-end encrypted
communication services, nullifying the
purpose of end-to-end encryption as a result
and compromising the privacy of all users.
In short, the bill poses an unprecedented
threat to the privacy, safety and security of
every UK citizen and the people with whom
they communicate around the world, while
emboldening hostile governments who
may seek to draft copycat laws."
Recently, WhatsApp's chief Will Cathcart
said that the app would leave the UK, rather
than submit to a requirement to weaken
encryption, The Guardian also reports:
"Ninety-eight per cent of our users are outside
the UK," he told the newspaper. "They do not
want us to lower the security of the product,
and just as a straightforward matter, it would
be an odd choice for us to choose to lower
the security of the product in a way that
would affect those 98% of users."
At the core of the dispute are clauses that
allow Ofcom to compel communications
providers to take action to prevent harm to
users. Those clauses, privacy campaigners
say, do not allow for the possibility that an
encrypted messaging provider may be unable
to take such action without fundamentally
undercutting their users' security. "Proponents
say they appreciate the importance of
encryption and privacy, while also claiming
that it's possible to surveil everyone's messages
without undermining end-to-end encryption.
The truth is that this is not possible," the letter
reads.
During previous clashes over encryption,
opponents called for such services to be
banned or for governments and law
enforcement to be given 'back doors' into
encrypted communications. Now, the focus
is on a different set of technologies, called
'client side' scanning, which proponents
argue can be used to monitor encrypted
communications, without breaching security -
but critics liken it to installing a robot spy on
every phone in the world.
REDUCING RISK OF ATTACKS
John Benkert, Cigent co-founder and CEO,
states that no encryption method can offer
total protection against determined attackers.
"Nonetheless, businesses can take certain
measures to reduce the risks of such attacks.
These measures could include implementing
regular security training for employees,
network segmentation, proper access control
mechanisms and multi-factor authentication
(MFA)," which he singles out as "one way to
help provide maximum data protection".
Some of the benefits of MFA that he singles
out include the following:
Increased security: "MFA provides an
extra layer of security to protect against
unauthorised access to online accounts. It
requires users to provide more than one
form of authentication, usually a password
and a token, biometric information or
other means of verification, making it
much more difficult for attackers to gain
access"
Reduced risk of identity theft: "MFA helps
to reduce the risk of identity theft by
requiring users to verify their identity
through multiple means"
Improved compliance: "MFA is an essential
factor in complying with regulatory
requirements, such as GDPR, HIPAA
and PCI-DSS, which mandate that
organisations must take proactive
measures to protect sensitive data."
These, amongst other safeguards, can make
it more difficult for potential hackers to gain
unauthorised access to critical data, Benkert
argues, adding. "It's essential for businesses
to prioritise cybersecurity to help reduce the
likelihood of data breaches and loss of
customer trust."
John Benkert, Cigent: essential to
prioritise cybersecurity to help reduce
possible data breaches and loss of
customer trust.
Matthew Hodgson, CEO, Element: Online
Safety Bill takes a wrecking ball to the very
fabric of encryption.
www.computingsecurity.co.uk @CSMagAndAwards May/June 2023 computing security
25

cybersecurity
SHIFTING THE BALANCE OF POWER
HARD ON THE HEELS OF THE U.S. PUBLISHING ITS NATIONAL
CYBERSECURITY STRATEGY, DOES THE UK HAVE ANY OTHER
OPTION BUT TO FOLLOW DOWN THE SAME AVENUE? AND MIGHT
IT BE A GOOD THING ANYWAY? BRIAN WALL REPORTS
With the US having published its
national cybersecurity strategy,
which seeks to impose minimum
security standards for critical infrastructure
onto larger software makers and, equally, shift
responsibility for maintaining the security of
computer systems away from consumers and
small businesses, what impact will this have on
the security industry? And what implications in
particular might this have for the UK? But first,
here are some of the key points in the strategy
and the US government's thinking behind it.
"Our rapidly evolving world demands a more
intentional, more coordinated, and more wellresourced
approach to cyber defense," the
strategy asserts. "We face a complex threat
environ-ment, with state and non-state actors
developing and executing novel campaigns
to threaten our interests. At the same time,
next-generation technologies are reaching
maturity at an accelerating pace, creating
new pathways for innovation while increasing
digital interdependencies.
Together with its allies and partners, the
United States will, it says, pursue the goal
of making its digital ecosystem:
Defensible, where cyber defence is
overwhelmingly easier, cheaper and more
effective
Resilient, where cyber incidents and errors
have little widespread or lasting impact
Values-aligned, where our most cherished
values shape-and are in turn reinforced byour
digital world.
This strategy seeks to build and enhance
collaboration around five pillars:
1. Defend Critical Infrastructure: "We will give
the American people confidence in the
availability and resilience of our critical
infrastructure and the essential services it
provides", including by:
Expanding the use of minimum
cybersecurity requirements in critical
sectors to ensure national security and
public safety and harmonising regulations
to reduce the burden of compliance
Enabling public-private collaboration at
the speed and scale necessary to defend
critical infrastructure and essential services
Defending and modernizing Federal
networks and updating Federal incident
response policy.
2. Disrupt and Dismantle Threat Actors: "Using
all instruments of national power, we will
make malicious cyber actors incapable of
threatening the national security or public
safety of the United States", including by:
Strategically employing all tools of national
power to disrupt adversaries
Engaging the private sector in disruption
activities through scalable mechanisms
Addressing the ransomware threat through
a comprehensive Federal approach and in
lockstep with our international partners.
3. Shape Market Forces to Drive Security and
Resilience: "We will place responsibility on
those within our digital ecosystem that are
best positioned to reduce risk and shift the
consequences of poor cybersecurity away
from the most vulnerable in order to make
our digital ecosystem more trustworthy",
including by:
Promoting privacy and the security of
personal data
Shifting liability for software products and
services to promote secure development
practices
Ensuring that
Federal grant
programs promote
investments in new infrastructures
that are secure and resilient.
4. Invest in a Resilient Future: "Through
strategic investments and coordinated,
collaborative action, the United States will
continue to lead the world in the innovation
of secure and resilient next-generation
technologies and infrastructure", including by:
Reducing systemic technical vulnerabilities
in the foundation of the Internet and
across the digital ecosystem while making it
more resilient against transnational digital
repression
Prioritizing cybersecurity R&D for nextgeneration
technologies, such as
postquantum encryption, digital identity
solutions and clean energy infrastructure
Developing a diverse and robust national
cyber workforce.
5. Forge International Partnerships to Pursue
Shared Goals: "The United States seeks a world
where responsible state behavior in cyberspace
is expected and reinforced and where
26
computing security May/June 2023 @CSMagAndAwards www.computingsecurity.co.uk

cybersecurity
irresponsible
behavior is
isolating and costly",
including by:
Leveraging international
coalitions and partnerships among likeminded
nations to counter threats to our
digital ecosystem through joint preparedness,
response and cost imposition
Increasing the capacity of our partners to
defend themselves against cyber threats,
both in peacetime and in crisis
Working with our allies and partners to
make secure, reliable, and trustworthy
global supply chains for information
and communications technology and
operational technology products and
services.
A LAUDABLE GOAL
Jon Geater, CTO from RKVST, has been taking
a close-up look at the US's governments
moves to introduce minimum security
standards for larger software suppliers, the
effect it may have on cyber security and the
potential implications for the UK market.
"Holding vendors liable for software insecurity
is a laudable goal and very likely to motivate
action: comparisons are often made between
building software and building bridges, and
we long ago found ways of holding
engineering companies accountable for
failings if the bridge they build turns out to be
unsafe.
"But the devil's in the details here," he states.
"You can't assess liability without finding fault
and, even if we can define what 'insecurity'
means - which is an entire PhD category in
itself - we still need to identify where the
insecurity originated. And there are so many
questions. Whose mistake led to hackers
getting in? Whose negligence let that buggy
software out into the world? Who authorised
that particular open-source package to be
used for this use case?"
In the case of a software breach, there will be
lots of moving parts with software, data and
security operations all at play, he adds, and
right now it's really hard to know where the
critical failure originated, because people don't
authenticate data, don't track software
provenance and don't record the who-didwhat-when
of releasing today's complex
software into the world.
"In order to successfully move forward in
holding software suppliers accountable, we
need to ensure the whole software and data
supply chain is traceable and provable, to
efficiently demonstrate fault and quickly bring
any issues to a conclusion," adds Geater.
"Initiatives such as the IETF SCITT working
group [which aims to define a set of interoperable
building blocks to help implementers
build integrity and accountability into software
supply chain systems, helping assure
trustworthy operations] are bringing this
essential capability to the world."
High-profile breaches such as the widely
discussed SUNBURST attack (which famously
affected SolarWinds, VMware and others) and
discovery of the Log4j vulnerability show
governments the widespread impact that
insecure software can have, he also points out,
and underline the need to do something
about it.
"The UK government currently has a
consultation open to provide a better
understanding of how to address software
risks and help create a more resilient digital
environment. As part of that, it is looking at
measures it can take to improve enterprise
software security. It is likely that the UK
government, based on this consultation, will
look to introduce similar standards. However,
in this increasingly global marketplace, we
need not only global standards, but also
standards that can hold the right people
accountable to actually fix the problem."
VALUABLE ALLIES
The US National Security Strategy is a
significant development in the global
competition for digital power, says Paul
Brucciani, cyber security advisor at WithSecure.
"It places a strong emphasis on the need for
greater government and private sector
cooperation. As seen by the role of companies
such as Google and Microsoft in helping
Ukraine defend against the Russian cyber
assault, tech and security firms can be valuable
allies against national cyber threats."
The strategy recognises that cybersecurity is
getting harder, he points out. "More complex
software and systems, increasing global
interconnectivity, exponential growth in the
quantity and intimacy of personal data
collection, and the collapsing boundary
between the physical and digital worlds,
increase cyber security risk. The strategy calls
for new requirements to be enforced in critical
economic sectors, such as electricity, oil and
gas, pipelines, aviation, rail, and water
systems. The aim is to improve security, while
maintaining a level competitive playing field. "
EMPHASIS ON DETERRENCE
The strategy recognises the need to use kinetic
(military) cyber, diplomatic and other
capabilities against threat actors and it places
greater prominence on 'deterrence', making it
more costly to attack systems than to defend
them. "In addition," comments Brucciani,
"cybersecurity responsibility will be shifted
www.computingsecurity.co.uk @CSMagAndAwards May/June 2023 computing security
27

cybersecurity
Paul Brucciani, WithSecure: sees the US
National Security Strategy as a significant
development in the global competition
for digital power.
Jon Geater. RKVST: holding vendors liable
for software insecurity is a laudable goal.
away from consumers and SMBs, and onto
internet service providers, including
technology providers that build and service
these systems."
CYBERSECURITY PUSH
There is also a shift toward introducing
regulations similar to the EU's NIS2 (CNI
resilience) and GDPR (data privacy), and
security incidents must be reported to CISA
within hours. "This is designed to compel
organisations and industries to improve their
cybersecurity. The US government will also
pursue cross-border regulatory harmonisation
to secure global supply chains, and tax breaks
will be provided to strengthen cybersecurity."
The approach will impact the private sector,
with cybersecurity providers held accountable
for security, and software companies will be
held liable if they fail to show a duty of care to
their customers. "Software suppliers will also
be required to supply a software bill of
materials to their customers and IT supply
chains will have to become more transparent.
Machine-to-machine data sharing is also
expected to increase, along with human-tohuman
interaction."
The US strategy comes amidst a wave of
similar efforts around the world, adds
Brucciani. "European regulations such as the
Network and Information Security Act (NIS2),
the Digital Operational Resilience Act (DORA)
and the Directive on the Resilience of Critical
Entities (CER), approved in December 2022,
propose similar measures to protect the
privacy and maintain economic stability. The
UK is likely to pursue similar strategies to
remain in lockstep with its international allies
against both physical and cyber threats to
critical infrastructure. "
For David Carroll, MD of Nominet, the new
national cybersecurity strategy marks a radical
step-change in government policy. "Tighter
security regulation, greater accountability for
software manufacturers and a willingness to
pursue threat actors have put industry,
cybercriminals and nation states on notice
that the US Government is no longer willing
to accept the status quo.
"There's a lot to unpack in the strategy: new
responsibilities for critical infrastructure
operators and cloud providers, a federal
insurance backstop, steps to secure the
technical foundations of the Internet,
legislative requests and an expansion of
international collaborative efforts.
"There will be much ground to cover before
many of these proposals become reality.
Doubtless, a robust debate will now follow
and it will be fascinating to witness the
various proposals' progress towards
legislation. We applaud the US government in
its recognition that a more interventionist
approach is required and expect to see other
governments following suit," adds Carroll.
NATIONAL CRITICAL FUNCTIONS
"The choice to put critical infrastructure at the
forefront in Pillar 1 is an important and
deliberate one," agrees Joshua Corman, VP of
Cyber Safety Strategy at Claroty, and former
chief strategist at the Department of
Homeland Security's Cybersecurity and
Infrastructure Security Agency. "It's crucial, as
the strategy is implemented, that we begin
to finally stratify our critical infrastructure
functions. I encourage Congress, the White
House, CISA and other parts of government to
focus on the most critical of the 55 National
Critical Functions - the lifeline, latency-sensitive
functions that, if disrupted for 24-48 hours,
could contribute to losses of life or a crisis of
confidence in the public.
"These include: supply water, provide medical
care, generate electricity, produce and provide
food, etc. Many of the owners and operators
of these lifeline functions happen to also be
what I've called, "target rich, cyber poor",
points out Corman, "meaning they are among
the most attractive targets for threat actors,
with the least amount of resources to protect
themselves."
28
computing security May/June 2023 @CSMagAndAwards www.computingsecurity.co.uk

cloud
CLOUD GETS DARKER
CUSTOMERS ADOPTING PUBLIC CLOUDS ARE NO LONGER IN FULL CONTROL OF THEIR OWN SECURITY -
WHICH IS ONE OF THE TOP BARRIERS TO CLOUD ADOPTION, STATES THE WORLD ECONOMIC FORUM
According to the World Economic
Forum, the growth in cloud-based
platforms and apps has caused
a shift in cybersecurity, with customers
no longer in full charge of their own
cybersecurity.
"Software developers exert far more
influence in cybersecurity decisionmaking
in this new cloud world," it
states. "… when customers adopt public
cloud providers, security is a shared
responsibility model between them and
the cloud providers. For example, if
a customer stores data in the AWS data
centre, the customer has to configure
and manage their own cybersecurity
policies.
"Despite not having full control of data
in the AWS data centre, security breaches
are still the customer's responsibility. In
this regard, customers adopting public
clouds are no longer in full control of
their own security. Security concerns are
often one of the top barriers to cloud
adoption."
Moreover, cloud environments are more
complex to secure. Modern cloud
customers often employ an architecture
called microservices, in which each
component of an application (such as
search bar, recommendation page, billing
page) is built independently of each
other. There could be up to 10x more
workloads (eg, virtual machines, servers,
containers) and microservices in the
cloud than on-premise. "This increased
fragmentation and complexity leads to
access control issues and increases the
probability of errors - for example, if
a developer leaves a sensitive password
in an AWS database that can be exposed
to the outside world. Simply put, the
attack surface area is larger and more
complex in the cloud," warns the WEF.
SHARED RESPONSIBILITY
Rob Pocock, technical director at Red
Helix, says it is becoming more important
now than ever that users and cloud
security providers have a shared
responsibility to ensure their cloud
operations are safe and secure. "Typically,
cloud services will offer some form of
secure encryption, and audit logging
[depending on the licensing of the
service] at a basic level, but, in some
cases, not all providers are operating
at the most rigorous levels to protect
the users' data. To strengthen security,
reduce risk and prevent cybercriminals
from bypassing internal policies, it is
essential that only authorised users gain
access to a company's system and that
authentication is required before access
is granted."
As part of their responsibility, users can
apply authentication that goes beyond
username and password. "For example,
multi-factor authentication requires the
user to provide two or more verification
factors to gain access to a resource such
as an application, online account, or a
VPN," states Pocock. "Quite often, the
user's identity is authenticated by crossreferencing
information stored on a
database with information held by
the user, such as biometric data
or the use of personalised
questions. Despite some
form of control over the
sensitive information in the cloud
database, there is no guarantee that user
data will not be shared with other
organisations sharing the same cloud
space.
"Whether a data breach is malicious or
accidental, the consequences of the
associated downtime, lost revenue and
brand harm can be hugely detrimental
to the business affected," he points out.
"Cloud services should consider the
importance of placing tighter controls
over accessing the physical rooms where
data is stored."
Rob Pocock, Red Helix.
www.computingsecurity.co.uk @CSMagAndAwards May/June 2023 computing security
29

passwords
THE CRACKS ARE WIDENING
RESEARCH FROM US CYBERSECURITY COMPANY HIVE SYSTEMS SUGGESTS ANY 7-OR-8 CHARACTER
PASSWORD MADE UP OF JUST NUMBERS OR LOWER CASE LETTERS CAN BE CRACKED INSTANTLY.
WHEN IS 'SAFE' REALLY SAFE?
Password cracking (also called password
hacking) is an attack vector that involves
hackers attempting to crack or
determine a password - and it is something
attackers have multiple ways of carrying
out through a variety of programmatic
techniques and automation, using
specialised tools, says Matt Miller, director,
content marketing at BeyondTrust. "These
password cracking tools may be referred to
as 'password crackers'. Credentials can also
be stolen via other tactics, such as by
memory-scraping malware, and tools like
Redline password stealer, which has been
part of the attack chain in the recent, highprofile
Lapsus$ ransomware attacks."
A password can refer to any string of
characters or secret to authenticate an
authorised user to a resource. Passwords
are typically paired with a username or other
mechanism to provide proof of identity.
"Credentials are involved in most breaches
today. Forrester Research has estimated that
compromised privileged credentials are
involved in about 80% of breaches. When
a compromised account has privileges, the
threat actor can easily circumvent other
security controls, perform lateral movement
and crack other passwords. This is why
highly privileged credentials are the most
important of all credentials to protect."
Within an in-depth blog, Miller has
highlighted password vulnerabilities and risks
that give attackers an edge, and provided
an overview of password cracking motives,
techniques, tools and defences. Attackers
typically hold at least two advantages over
defenders, he points out:
Time on their hands, as they often take
a scatter-gun approach to gaining access
Automated password cracking toolsets
that will autonomously run the attack.
"Password crackers can try passwords at
a slow, measured pace to avoid triggering
account lock-outs on individual accounts. If
a password cracker only tries one password
every 10 minutes per account, 100,000
passwords will take a long time. Sensibly,
they will try each password against every
account they are aware of - few systems
track password attempts across accounts.
Even when Security Information and Event
Monitoring (SIEM) or User and Entity
Behavioral Analysis (UEBA) systems are
active, there are limited defensive actions.
You can't lock out every account. Blocking
the source IP address will result in a new
IP taking up the attack, if it hasn't already
distributed across hundreds, or even
thousands, of IP addresses."
Miller argues that the optimal defence
against this kind of attack is simply not
to use a password on the list. "Frequent
password changes trigger our laziness,
so 'password' becomes 'password1' and
'password2'. Every password cracker is aware
of these poor password practices. Replacing
letters with numbers and symbols is also a
predictable practice. For example, 3 for E, 4
for A and @ for a. Password cracking tools
prepare for these common variations.
Attackers seek to learn basic information
about password complexity, such as
minimum and maximum password length,
as well as password complexity. For example,
does the password have upper-case and
lower-case letters, numbers, symbols or a
combination of these? Attackers are also
interested in learning about restrictions on
the passwords."
PHISHING, VISHING, SMISHING
Phishing is traditionally email-based, points
out Darren James, senior product manager
at Specops Software, an Outpost24
company, but now also encompasses Vishing
(socially engineering a person to surrender
their login details via the phone or a video
call) and Smishing (using SMS messages to
dupe a user into going fake website). "The
email phishing scams can be protected by
using spam filtering software, but they are
always playing catch-up to the cyber
criminals. Vishing and Smishing are harder to
protect against and basically come down to
user awareness training. Your service desks
are also prime targets for these new attacks,
when bad actors pretend to be legitimate
users by faking a password reset request.
Adding a step to the process to verifying
30
computing security May/June 2023 @CSMagAndAwards www.computingsecurity.co.uk

passwords
users that
are calling in, and
also using a self-service
password reset solution with flexible
multifactor authentication, can massively
help here, he says, offering his thoughts on
how to ward off certain forms of attack:
Man-in-the-Middle Attacks are often used
where there is a high demand for public Wi-
Fi, as these systems steal credentials as they
are on their way to the webserver. The best
way to thwart these is by user training - tell
them not to trust public Wi-Fi, and also to
implement an Always On VPN (at least for
business traffic) and block access to
corporate resources from unmanaged
devices.
Brute Force is a very common attack vector,
especially as so many passwords follow a
standard format when choosing a password.
"Users have been brainwashed into poor
password habits - putting a capital letter at
the beginning, lowercase characters in the
middle, a number (or an exclamation mark)
at the end of their passwords and finally
using the minimum acceptable length for the
password. Threat Actors know this and, even
using a basic gaming computer today, can
attack a leaked password hash databases at
millions of guesses per second using a mask
that mimics that 'common behaviour'. The
best way to combat these types of attacks is
to change the user behaviour, by having
better password policies - eg, ditch complex
passwords and move to longer passphrases
instead, such as three random words as
recommended by the NCSC."
Dictionary Attacks are a common attack
vector, since threat actors take advantage of
the fact that people reuse passwords across
multiple work
and personal accounts.
"Most people have anywhere
between 25-100 passwords to
remember these days and this password
fatigue leads people to reuse one of more of
them. Implementing a password manager
helps with this, but you tend to run into
issues with users not trusting the password
manager, so it's important for organisations
to block known breached, weak passwords,
as well as blocking words that relate to their
business. When used alongside a strong
password policy, you can mitigate these
two major attack vectors very well; just make
sure that the solution also includes detailed
feedback to let the user know what they
have done wrong, if they do try to choose
a breached password."
Keyloggers. These can come in software
or hardware form and simply record all
keystrokes entered into a computer.
"Software Keyloggers are normally part of
malware attacks that come from
downloading copywritten software or are
installed, if systems are compromised… eg,
a remote PC takeover scam attack. Hardware
keyloggers physically plug into the PC/laptop
where the keyboard is connected. For
software based keyloggers having up-to-date
Antivirus, restrictions on who can install
software and good endpoint management
are vital. For physical keyloggers, you
need secure premises and restrictions
on what types of USB devices can be
connected to your PCs."
Darren James, Specops: bad actors often
persuade a service desk they are legitimate
users by faking a password reset request.
www.computingsecurity.co.uk @CSMagAndAwards May/June 2023 computing security
31

webcam hacking
EYE SPY - WHO'S WATCHING YOU?
WEBCAM HACKING HAS BECOME
A SERIOUS CONCERN IN RECENT
YEARS, WITH ALL OF US
POTENTIALLY AT RISK OF
HAVING OUR PRIVACY INVADED
BY CYBERCRIMINALS. BRIAN
WALL REPORTS
How many times did you have a
webcam pointed at you today?
That is the disquieting question
raised by Norton. "The reality is that
there's a camera focused on you every
time you pick up your phone, work on
a computer, or browse on a tablet," it
says. "So, it's no surprise that webcam
hacking has become a serious concern in
recent years, with all of us potentially at
risk of having our privacy invaded by
cybercriminals. When the likes of Mark
Zuckerberg and former FBI director James
Comey cover their laptop camera with
tape, it may be something you should
consider."
Along with poor password hygiene,
a compromised camera can be one of
the biggest risks to your online security.
"Hackers can use your camera to spy on
you in your most unguarded moments and
use captured images or videos to blackmail
you," adds Norton. "The malware used to
take control of your camera can even give
them access to other sensitive data on your
device. Strangers could also be watching
you on sites that livestream footage from
unsecured webcams, so you don't necessarily
have to have your webcam hacked to
be at risk. If you have unsecured devices
with cameras or independent webcams
around your home, there's always a chance
that prying eyes could be watching you."
RAT IN THE PACK
If you've ever had your work computer
remotely accessed by an IT operative, you'll
know how strange it is to see someone
operating it from a distance. When hackers
use a Remote Administration Tool (RAT) to
take control of your computer, they're less
likely to announce their presence.
"It's easier than you think to download
this type of Trojan horse malware, which
can
convert
your connected
camera into a spying
device," points out Norton.
"You may think you're
downloading a legitimate update, but
instead are inadvertently clicking on a
malicious link. That can be all it takes to
get infected. This type of malware can be
easily deployed in an email or attachment,
but it can also be uploaded on your device
with a USB drive, if the hacker has access
to your physical computer. Once this RAT
malware infects your phone or computer,
a hacker can use it to take control of your
device and access your webcam remotely.
This malware allows them to activate the
camera, take pictures, record footage or
listen to your conversations."
Unfortunately, this type of Trojan virus
can also give the hacker access to your
messages, files, browsing history, images
or other sensitive information. And. as
these cases are so hard to detect, it may
sometimes seem like it's not a major
problem. However, some high-profile
sextortion cases show how hackers can
prey on their victims' fears for financial
gain.
"One of the most infamous webcam
hacking cases involved Miss Teen USA
32
computing security May/June 2023 @CSMagAndAwards www.computingsecurity.co.uk

webcam hacking
2013, Cassidy Wolf, who was
blackmailed by a
former classmate
who had hacked
into her webcam.
The 19-year-old
perpetrator had
hacked into the
computers of at
least two dozen
women and then
threatened to release
naked pictures of
his victims to social
media, unless they
were willing to pay
a ransom. Webcam
hacking can go entirely
undetected for years, with
hackers capable of accessing
their victims' devices over long
periods of time. In 2018, a man in Ohio
was charged with spying on thousands of
people through their devices' cameras over
the course of 14 years."
It's not just hackers that have access to
this type of malware, adds Norton, with
some forms of Trojan malware available for
free on the dark web. "When criminals with
limited computer skills can source RAT kits
like NanoCore RAT at no expense, it's no
surprise that this type of cybercrime is on
the rise."
Using a RAT may be one of the most
common forms of webcam hacking, but
it's not the only one. "Cybercriminals
have also taken advantage of the rising
popularity of Internet of Things (IoT)
devices and the move to remote working
during lockdown saw hackers target video
conferencing software. The proliferation
of Internet of Things [IoT] devices has
increased their owners' risk, with everything
from doorbells to home security
systems now open to webcam hacking.
The FBI has previously warned people
buying smart TVs to put black tape over
the television's camera to avoid being
watched by bad actors."
SPOTTING THE WARNING SIGNS
The experts at Proxyrack have revealed its
five warning signs of a hacked webcam
and what to do, if you find yourself in this
position:
1 - Webcam Indicator Light
If your webcam light is on when you aren't
using the camera, this could be a sign that
someone is accessing it externally. The light
isn't always the indicator, as it can be
turned off via settings, so check your
settings to make sure the light is set to
come on when the camera is in use.
2 - Unfamiliar Programs
If you notice unfamiliar programs on your
desktop or in your files, this could be a
sign that your webcam has been hacked
and someone is externally installing
software onto your device to access the
camera.
3 - Unusual Activity
If your computer is working slower than
usual or you are seeing unexpected popups
and documents in your files, this could
be a sign of a hacked webcam. The hacker
may also be sending and receiving data
from your webcam so check for any
unexpected activity
4 - Battery Draining Faster Than Usual
If your battery is draining unexpectedly
fast, this could be a sign of external
activity. Check your battery usage in your
task manager to see which applications are
consuming the most power - this can
indicate whether your camera is being
used unexpectedly.
5 - Unrecognised Browser Extensions
Hackers can use browser extensions to
access your webcam; one indicator of this
can be that, when opening your browser,
your webcam light turns on. You should
www.computingsecurity.co.uk @CSMagAndAwards May/June 2023 computing security
33

webcam hacking
also check for any extensions that you haven't
installed yourself, as this could be a sign that
someone is gaining access to your computer
externally.
WARNING SIGNALS
Evan Fitzroy, technical specialist at Proxyrack,
has also shared the following advice, if you
think that your webcam has been hacked:
"As the tech industry continues to grow, the
dangers increase, so knowing how to spot the
warning signs of being hacked become more
important. One feature of your device that can
be slightly more difficult to identify when
hacked is your camera or webcam.
"One indication that your webcam has been
hacked is the camera light, he cautions. "If this
comes on when you start your computer or an
application that wouldn't usually require the
camera, this could be a sign that someone is
externally accessing your webcam. However, it
is important to note that the light can be set to
not come on when the camera is in use so be
sure to check your settings to ensure that it is
set to come on so you know when it is in use."
Hackers can also infiltrate your webcam via
browser extensions, he warns, so it is vital to
check these regularly to see if any appear that
you did not download yourself and might
have been installed by a hacker . "If you are
worried that one of these extensions is
responsible for a possible hacking, open each
one until anything unexpected appears, such
as the camera light or a pop-up. These could
indicate that your camera is being hacked
through that particular extension and you will
want to uninstall it immediately."
The most important thing to monitor is any
unusual activity that has begun appearing on
your computer: for example, new programs or
documents appearing unexpectedly and also
any persistent pop-ups or warnings that might
indicate external use of your device.
“To help reduce the risks of being hacked,
installing a proxy can be a great option, as it
can create a safety net between your system
and the internet, making it harder for hackers
to access your software. Anti-viral software
is also a good option for protecting your
computer and data from hackers and
computer viruses," adds Fitzroy.
PRYING EYES INSIDE YOUR DEVICE
Cloudwards also offers a number of cautionary
measures that should be taken to keep out
prying eyes. "Malware is the primary vehicle
of compromise that allows hackers to peer
through the lens of your device, so the issue is
fundamentally a matter of shoring up your
device's security defences against malware
threats, vulnerabilities, phishing emails and
other common dangers of the web," it
comments. "As always, your personal
cybersecurity habits make up the first line of
defence. A good starting place would be to
avoid clicking links in suspicious emails, as
webcam hackers commonly rely on phishing
emails to infiltrate your system."
Here are its own top tips for staying safe:
1. Physically cover up the camera
The first thing you should do to prevent spying
is to cover up the camera itself. There is no
way to bypass a covering placed over the lens
itself, no matter how sophisticated the hacker's
malware might be. Placing a piece of electrical
tape over the lens is an inexpensive solution
commonly used to thwart webcam spies, but
it could leave adhesive residue on the lens that
could get in the way when you do want to use
the webcam." It costs very little to get a plastic
webcam cover that slides over your webcam
while not in use, it adds.
2. Don't trust the indicator light
An LED light will turn on beside your webcam's
lens whenever the video recording begins. If
you didn't click 'record' and yet the light turns
on anyway, someone may be watching you.
However, don't get too comfortable, even if
the light stays off when you stop recording.
Webcam hackers are usually clever enough to
turn the light off while capturing your private
activities. If someone takes control of your
webcam, then they will probably have just as
much power over the webcam's ancillary
functions as the camera itself, such as the
indicator light and the audio recording.
3. Beware your microphone
Keep in mind that a webcam hacker could still
record audio, even if they can't lay eyes on you.
Preventing unauthorised audio recording is less
straightforward than covering your webcam,
so you will have to disable the microphone in
your device's settings. If you use Windows 10,
navigate to the Device Manager to locate and
disable the webcam and microphone
manually.
4. Check your app permissions
Sometimes the webcam's settings can be
altered by apps and browser extensions that
have permission to access the webcam, and
may lead to the indicator light turning on
when you're not recording. Most operating
systems will let you deny all apps' permission
to access your webcam. Be aware that some
apps may not work after revoking permission.
5. Install updates automatically and regularly
Practising good cybersecurity habits is the first
thing you need to do to secure your privacy.
Automatically installing regular updates will
keep your system fortified against the new
vulnerabilities and malware threats that pop
up every day.
6. Install security software
Regular system updates come hand in hand
with installing reliable security software. There
is plenty of security software available online
for free, but free solutions usually can't keep
up with threats emerging on a daily basis as
well as a good subscription service.
7. Use a VPN
Ideally, it's better to prevent the security breach
from happening in the first place. Keeping
your internet connection private with a VPN
is one way to prevent your internet service
provider and malicious hackers from spying on
everything you do.
34
computing security May/June 2023 @CSMagAndAwards www.computingsecurity.co.uk

Computing
Security
Secure systems, secure data, secure people, secure business
e-newsletter
Are you receiving the Computing Security
monthly e-newsletter?
Computing Security always aims to help its readers as much as possible to do
their increasingly demanding jobs. With this in mind, we've now launched a
Computing Security e-newsletter which is produced every month and is available
free of charge. This will enable us to provide you with more content, more
frequently than ever before.
If you are not already receiving this please send your request to
christina.willis@btc.co.uk and advise her of the best email address for the
newsletter to be sent to.