CS May-Jun 2023
Computing Security
Secure systems, secure data, secure people, secure business

NEWS, OPINION, INDUSTRY, COMMENT, CASE STUDIES, PRODUCT REVIEWS

ARE WE READY FOR...
Fears fuel calls for time-out

BALANCE OF POWER
US unveils National Cybersecurity plan

WALKING A VERY FINE LINE
Online Safety Bill: will it threaten privacy and lead to censorship?

‘EYE’, SPY, WITH MY....
Webcam hacking soars, stepping up the risk of being spied on

Computing Security May/June 2023
comment
CYBER SECURITY 'NOT THE HIGHEST PRIORITY'

While cyber security breaches and attacks remain a common threat, smaller organisations are identifying them less than last year, according to a recent government breach survey.

"This may reflect that senior managers in smaller organisations view cyber security as less of a priority in the current economic climate than in previous years, so are undertaking less monitoring and logging of breaches or attacks," it states, which is an extremely worrying proposition by any measure. The government also states that board engagement and corporate governance approaches towards cyber security tend to be more sophisticated in larger organisations, "although corporate reporting of cyber risks remains relatively uncommon, even among large businesses".

The proportion of organisations seeking external information or guidance on cyber security remains stable, at almost half. "However, this means that a sizeable proportion of organisations, including larger organisations, continue to be unaware of government guidance such as the 10 Steps to Cyber Security, and the government-endorsed Cyber Essentials standard. Linked to this, relatively few organisations at present are adhering to recognised standards or accreditations, such as Cyber Essentials or ISO 27001."

All in all, these are troubling findings. We are constantly being made aware of more and more attacks on organisations, so this apparent 'indifference' to being the next victim is hard to comprehend. In this issue of Computing Security, starting on page 20, we look at several of the latest reported breaches as a measure of the challenge the UK is up against - and all the signs are that the level of attacks will only get worse in the days to come.

Brian Wall
Editor
Computing Security
brian.wall@btc.co.uk
EDITOR: Brian Wall (brian.wall@btc.co.uk)
LAYOUT/DESIGN: Ian Collis (ian.collis@btc.co.uk)
SALES: Edward O’Connor (edward.oconnor@btc.co.uk), +44 (0)1689 616 000; Daniella St Mart (daniella.stmart@btc.co.uk), +44 (0)1689 616 000; Stuart Leigh (stuart.leigh@btc.co.uk), +44 (0)1689 616 000
PUBLISHER: John Jageurs (john.jageurs@btc.co.uk)
Published by Barrow & Thompkins Connexions Ltd (BTC), 35 Station Square, Petts Wood, Kent, BR5 1LZ. Tel: +44 (0)1689 616 000. Fax: +44 (0)1689 82 66 22
SUBSCRIPTIONS: UK: £35/year, £60/two years, £80/three years; Europe: £48/year, £85/two years, £127/three years; R.O.W: £62/year, £115/two years, £168/three years. Single copies can be bought for £8.50 (includes postage & packaging). Published 6 times a year.
© 2023 Barrow & Thompkins Connexions Ltd. All rights reserved. No part of the magazine may be reproduced without prior consent, in writing, from the publisher.
www.computingsecurity.co.uk @CSMagAndAwards
inside this issue
CONTENTS

COMMENT 3
Cyber security 'not the highest priority'

NEWS 6
Threat hunting proves tough for many
Cybersecurity training seen as a 'must'
Ransomware attacks: good and bad
Attackers step up pace of exploits

ARTICLES

RACING CERTAINTY 8
Legendary sprinter Michael Johnson has been confirmed as the opening keynote speaker at this year's Infosec show in June

MFA BEST PRACTICES YOU DIDN'T KNOW THAT YOU NEEDED 10
What are the MFA best practices that organisations need to consider? Chris Martin, Head of Solution Architecture, SecurEnvoy, offers his expert insights

HUMAN VOICE GROWS LOUDER 16
Burnout is now said to be rampant across the cybersecurity industry

LOST AND STOLEN 18
The number of devices somehow 'mislaid' by various government departments has prompted fears over data safety

WHY WE NEED A RETURN TO PREVENTION-FIRST CYBERSECURITY 19
Stopping zero days, ransomware and other never-before-seen malware is a race against the clock, warns Karen Crowley, Director of Product & Solutions Marketing at Deep Instinct

FEARS OVER AI - ARE WE EMBARKED ON A DANGEROUS JOURNEY? 12
Is Artificial Intelligence threatening to run out of control? More than 1,000 experts, researchers and backers are certainly concerned about its rapid take-off and have called for a pause in the creation of 'giant' AIs. Editor Brian Wall reports

SPOTTING THE BREACH FAULT LINES 20
More and more organisations are being accused of failing to take appropriate measures to protect themselves against data breaches. But is it right to put the blame on them - or are the odds they face simply too great?

CYBER STRATEGY CROSSROADS 26
Hard on the heels of the US publishing its national cybersecurity strategy, does the UK have any other option but to follow down the same avenue? And might it be a good thing to do so anyway?

'SAFETY' ON LINE: AT WHAT PRICE? 24
The Online Safety Bill has been labelled 'bloated and overreaching'. Here’s why

EYE SPY - WHO'S WATCHING YOU? 32
Webcam hacking has become a serious concern in recent years, with all of us potentially at risk of having our privacy invaded by cybercriminals. Just think how shocking it would be to discover that your connected camera had already been turned against you into a spying device

CLOUD GROWS DARKER 29
Public cloud adopters are 'no longer in full control of their own security'

THE CRACKS ARE WIDENING 30
Password mismanagement is under ever deeper scrutiny as hacks escalate
news

THREAT HUNTING PROVES TOUGH FOR MANY

A new survey report from Sophos, 'The State of Cybersecurity 2023: The Business Impact of Adversaries on Defenders', has revealed that 93% of organisations globally find the execution of some essential security operation tasks, such as threat hunting, challenging. These include understanding how an attack happened, with 75% of respondents stating they have challenges identifying the root cause of an incident.

"Only one fifth of respondents considered vulnerabilities and remote services a top cybersecurity risk for 2023, yet the ground truth is that these are routinely exploited by Active Adversaries," said John Shier, field CTO, commercial, Sophos. "This cascade of operational issues means that these organisations aren't seeing the full picture and are potentially acting on incorrect information. There's nothing worse than being confidently wrong. Having external audits and monitoring helps eliminate blind spots."

CYBERSECURITY TRAINING IS A 'MUST'

Following the government's 2023 Cyber Breaches survey (see Comment on page 3), Dr Simon Wiseman, chief technology officer for global governments and critical infrastructure, Forcepoint, had this to say in reply: "Business leaders in any organisation must take everyday cyber hygiene seriously. Employees are always the first line of defence - so regular cybersecurity training is a must to make sure a small chink in your armour isn't your downfall, particularly when it comes to post-pandemic hybrid working.

"The drop in adoption of password policies and firewalls in microbusinesses could reflect the move to the cloud, as password managers and 2FA take on the 'strong password' burden and SaaS apps make them easy to deploy." Wiseman added: "Leaders should be investing in the cloud as a mechanism to protect themselves. When times are tough and cash flow is tight, it's easy for capital expenditure and staff security costs to take second place - but moving to the cloud can provide better protection, while spreading implementation costs."

HPE ACQUIRES CLOUD SECURITY PROVIDER AXIS SECURITY

Hewlett Packard Enterprise (HPE) has acquired cloud security provider Axis Security to expand Aruba's unified Secure Access Services Edge (SASE) solutions by combining cloud security with SD-WAN in a single offering. "As we transition from a post-pandemic world and a hybrid work environment has become the new normal, a new approach is needed for network edge security to protect critical SaaS applications," said Phil Mottram, executive vice president and general manager, HPE Aruba Networking.

ATTACKERS DEVELOPING AND DEPLOYING EXPLOITS FASTER THAN EVER

Rapid7's latest Vulnerability Intelligence Report examines fifty of the most notable security vulnerabilities and high-impact cyberattacks in 2022. A significant finding is that attackers are developing and deploying exploits faster than ever; 56% of the vulnerabilities in this report were exploited within seven days of public disclosure - a 12% rise over 2021 and an 87% rise over 2020. "Rapid7's team of vulnerability researchers works around the clock to thoroughly investigate and provide critical context into emergent threats," said Caitlin Condon, Rapid7 vulnerability research manager and lead Vulnerability Intelligence Report author.

RANSOMWARE ATTACKS: GOOD AND THE BAD

Analysis from NCC Group's Global Threat Intelligence team has revealed there were 165 ransomware attacks in January, a 38% decrease from December 2022. Though a significant drop, the total is the highest volume of attacks recorded in January over the last three years. Matt Hull, global head of threat intelligence at NCC Group, commented: "In terms of the most prevalent threat actors, Lockbit 3.0 held onto first position as predicted, whilst Vice Society and Blackcat had an active start to 2023. It'll be interesting to see how that evolves over the coming months and whether Lockbit will remain ahead of the rest."
infosec 2023

RACING AHEAD
LEGENDARY SPRINTER MICHAEL JOHNSON HAS BEEN CONFIRMED AS BEING THE OPENING KEYNOTE SPEAKER AT THIS YEAR'S INFOSEC EVENT, TAKING PLACE IN JUNE

For those on the fast track to attending Infosecurity Europe in June, there's good news: four-times Olympic gold medallist and legendary sprinter Michael Johnson has been confirmed as the opening keynote. Johnson, now an entrepreneur, author, sports pundit and philanthropist, will share insights from his journey, both on and off the track. He will speak about the values of goal-setting, adversity, performing against competitors, perseverance and how these same principles can be applied in cybersecurity.

Johnson will be at the podium on the opening day of RX's information security event, which runs from 20-22 June at ExCeL London. The event is expected to host more than 400 exhibitors, 13,000 visitors and 200 speakers.

Nicole Mills, exhibition director at Infosecurity Group, comments: "We are honoured to have Michael Johnson join us at our conference and look forward to his inspiring and motivational message. In the infosec world, every second counts. It's a race against bad actors to secure your organisation; with speed, teamwork and drive making the difference between success and fatal attacks. Athletes must deal with multiple setbacks, whether it be injuries or defeats, and his talk will be a great opportunity to hear about these and how he relates this to the unexpected challenges and threats within cybersecurity."

Meanwhile, acclaimed security analyst, author and TED speaker Keren Elazari has been announced as the latest keynote speaker at the event. Former hacker turned cybersecurity expert, she is an internationally celebrated speaker and analyst. Her 2014 TED talk, the first by an Israeli woman at the official TED Conference and now viewed by millions, reimagined the perception of hackers and the role they play in the evolution of cybersecurity on a global scale.

Elazari aims to bring her experience and knowledge to Infosecurity Europe to share insights into national security and geopolitics, and how they are being radically changed by digital society.

"In 2023, cyber security is no longer about protecting secrets. It is about our way of life and about our trust in the digital ecosystem," she comments. "Cyber threats impact everyday people and we are all on the front lines, but this is not a political battle - it's a challenge that requires everyone coming together as a digital society to protect our future. So, how can we prepare for what comes next? I believe we can do that, by actually learning from hackers." Elazari will be presenting her keynote session at Infosecurity Europe at 10:00 on Thursday, 22 June.

States Nicole Mills: "We are thrilled to have Keren as one of our headline speakers for Infosecurity Europe 2023. She is not only demonstrating the need for collaboration and allegiance to defend our digital future, crossing the political boundaries to tackle cyber conflict, but she champions the careers of women in cyber and is an inspirational role model to others in the industry."

Visitor registration is now open for the 2023 event.
multi factor authentication

MFA BEST PRACTICES YOU DIDN'T KNOW YOU NEEDED
WHAT ARE THE MFA BEST PRACTICES THAT ORGANISATIONS NEED TO CONSIDER? CHRIS MARTIN, HEAD OF SOLUTION ARCHITECTURE, SECURENVOY, OFFERS HIS EXPERT INSIGHTS

It's fair to say that MFA and the reasons for it are understood by most people, except maybe for artistic people who would confuse Multi Factor Authentication with the Museum of Fine Arts. If you are looking for a guide on how to set up a museum, unfortunately this isn't the right article. The aim of this guide is to provide MFA best practices to help implement MFA and improve the effectiveness of the solution.

Multi Factor Authentication is easily understood. You really do have to have been living on a deserted island for the last 20 years not to know about the risks of using passwords. Technically, MFA is not difficult, often with simple solutions installed and configured in a matter of minutes. Enrolling MFA isn't difficult either. Users can enrol a token extremely quickly and easily, often in under a minute or two. It would appear the only difficulty is choosing which Authentication Factors to use.

The best practice is to adopt a simple three-step process: Identify, Protect and Control. If you have implemented MFA or are just embarking on the implementation of MFA, this process applies.

Identify is about understanding what you have and what you need. Sounds simple, but this is often where most companies go wrong.

Protect is the implementation of the MFA solution and the rollout to the users. There will be challenges around user adoption, but get the first stage correct and adopt a couple of free simple techniques and the chances of success are hugely increased.

Control is the final stage: acceptance that needs change and that, after implementation, further monitoring and adaption are required.
IDENTIFY

When someone mentions Identification, Discovery or Analysis, most organisations instantly adopt a defensive pose and assume they will need to go and buy an expensive Identity Governance or a Data Discovery tool. Whilst there is no denying these will help, this part of the process can be entirely manual. In fact, it's not even technical; it can be done by anyone with an enquiring, inquisitive mindset. Every organisation has that annoying person who asks: "Why?... But what about?" It's that person who is best suited to do this.

The key to success in this stage is to adopt a simple premise - not all users are equal. Users in your organisation may work in different locations, have different security needs, use different applications and use different types of devices etc.

This stage is about trying to group users based on their authentication needs, how they are going to authenticate and to what. The following needs to be considered.

TYPE OF EMPLOYMENT

Is the user a permanent employee, contractor, supplier, gig worker etc? This is important, because this will dictate what an organisation will provide to these users. You are more likely to use expensive hardware tokens or provide corporate mobile phones to a permanent employee than to a third-party supplier. Identifying these users will also help with the onboarding process. Not everyone is going to be onboarded with an AD account and corporate email address.
PLACE OF WORK

The global pandemic accelerated the acceptance of remote working. There is a lot of implied security with working in an office - the front door, the receptionist or security guard. If you are not recognised at any one of these steps, you are likely to get stopped. When not in the office, there is no visible check of who is logging in. To make matters more complicated, it's often not a case of either/or - hybrid working people will do both. Another aspect to consider is region of work. Different countries will have varying national regulations they must adhere to.
SECURITY LEVEL

The type and sensitivity of data that a user accesses is a vital component and does not always relate to job title. For example, a production worker may have access to personal data of a customer to check the details of a job. Often, when customer data is stolen, companies face huge reputational damage, as it often makes headline news. The best approach is to consider all data sacred, but your most sensitive data needs extra security.

TYPE OF DEVICES

You may need to consider reasons why users may not adopt MFA. Many users in an organisation may not be using a corporate-issued laptop or mobile phone. In this age of personal privacy, users may not be willing to put a corporate agent or authenticator onto their personal device. This is partly a consideration of where people work, but it can be a little more nuanced than that. If a user already has a large number of authenticators on their device, they could be prone to an attack known as authenticator fatigue. A necessary thing to think about is: can a mobile device be used in all places? Is having a mobile phone allowed in your production or research area?

APPLICATIONS

As mentioned under 'Security', what applications are used and where those applications are hosted is important. Most companies do have a cloud-first strategy, but will likely have a large number of on-premise applications. Consideration has to be given to how those applications will be protected. Not all cloud authentication services can handle on-premise applications.

If you do this investigation correctly, you will find you have around 20 different groups. These groups are known as Personas or UML Actors and will have different authentication needs or journeys.

The key now is to decide which MFA Factor is best for each persona. It is highly likely that one factor will not be suitable for everyone. There is no right or wrong answer to which is best in every situation. Some factors are more expensive than others; some are easier to set up, but may not be as secure. The biggest mistake companies make with MFA is assuming one size fits all. Understand your users' needs and address them accordingly.
PROTECT

Now that the users' personas and authentication journeys have been mapped out, the next stage is implementing a solution to protect those users. To keep your help desk from being overwhelmed with complaints once you have rolled out MFA to all users and applications, there are a couple of other things to consider.

TRAINING

Unfortunately, it is human nature to resist change or the adoption of anything new. Providing a simple video or guide will help show how easy it is. Explain that it helps to protect them. A useful trick, and one that highlights a common frailty with passwords, is to explain that, if their password is stolen at work, the hacker is likely to have access to their social media accounts. Ask them to imagine the reputational damage that it could cause.

CORPORATE PROCEDURES

Put a small paragraph or line item in your Computer Use or Company Security Policy document, mandating that MFA must be used. Also consider updating terms and conditions for external parties.

CONTROL

This final part is essentially a continuous rinse and repeat of the previous two parts. Accepting that small changes can impact the needs of users is important. Rolling out a new app: how is that going to fit into your implementation? Opening a new office: are the users in those locations adequately covered?

Another useful action is to ask users for their feedback. Take a select few from each persona group and periodically ask them about their experience. Make changes, if required.

The aim of this guide was to highlight that implementing MFA is not a technical challenge and doesn't require expensive complementary tools or an overly complicated and expensive solution.

Following a simple three-step process, which is largely manual, helps to ensure that MFA is successfully implemented across the whole of your organisation.
artificial intelligence

AI - ARE WE EMBARKED ON A DANGEROUS RACE?
MORE THAN 1,000 ARTIFICIAL INTELLIGENCE EXPERTS, RESEARCHERS AND BACKERS WANT AN IMMEDIATE PAUSE ON THE CREATION OF 'GIANT' AIS, SO SYSTEMS SUCH AS GPT-4 CAN BE PROPERLY STUDIED AND MITIGATED. EDITOR BRIAN WALL REPORTS

Artificial intelligence (AI) makes it possible for machines to learn from experience, adjust to new inputs and perform human-like tasks. "Most AI examples that you hear about today - from chess-playing computers to self-driving cars - rely heavily on deep learning and natural language processing," states AI and analytics company SAS. "Using these technologies, computers can be trained to accomplish specific tasks by processing large amounts of data and recognising patterns in the data."

In fact, AI has been hailed by many experts as the way forward. Yet this is a technology that will most likely alter fundamentally how we behave in relation to technological development - and there are many questions to be answered as to where AI may lead us, not all of it necessarily a force for good. Hence the emergence of the vast number of experts calling for an immediate short-term moratorium on the creation of giant AIs to allow for some degree of reflection and assessment.

The demand for a pause was made in an open letter signed by major AI players, including Elon Musk, who co-founded OpenAI, the research lab responsible for ChatGPT and GPT-4; Emad Mostaque, who founded London-based Stability AI; and Steve Wozniak, the co-founder of Apple. Its signatories also include engineers from Amazon, DeepMind, Google, Meta and Microsoft, as well as academics, including the cognitive scientist Gary Marcus.

"Recent months have seen AI labs locked in an out-of-control race to develop and deploy ever more powerful digital minds that no one - not even their creators - can understand, predict, or reliably control," the letter says, adding: "Powerful AI systems should be developed only once we are confident that their effects will be positive and their risks will be manageable."

The authors, coordinated by the 'long-termist' thinktank the Future of Life Institute, cite OpenAI's own co-founder Sam Altman in justifying their calls. In a post from February, Altman wrote: "At some point, it may be important to get independent review before starting to train future systems, and for the most advanced efforts to agree to limit the rate of growth of compute used for creating new models." The letter continues: "We agree. That point is now."

If researchers will not voluntarily pause their work on AI models more powerful than GPT-4, the letter's benchmark for "giant" models, then "governments should step in", insist the authors. "This does not mean a pause on AI development in general, merely a stepping back from the dangerous race to ever-larger unpredictable black-box models with emergent capabilities," they add.
HIDDEN POWERS<br />
Since the release of GPT-4, OpenAI has been<br />
adding capabilities to the AI system with<br />
'plugins', giving it the ability to look up data<br />
on the open web, plan holidays and even<br />
order groceries. But the company has to deal<br />
with "capability overhang": the issue that<br />
its own systems are more powerful than it<br />
knows at release. As researchers experiment<br />
with GPT-4 over the coming months, they are<br />
likely to uncover new ways of prompting the<br />
system that improve its ability to solve difficult<br />
problems. One recent discovery was that the<br />
AI is noticeably more accurate at answering<br />
questions, if it is first told to do so "in the style<br />
of a knowledgeable expert".<br />
The call for strict regulation stands in stark<br />
contrast to the UK government's flagship AI<br />
regulation white paper, published at the end<br />
of March, which contains no new powers at<br />
all. Instead, the government says, the focus is<br />
on coordinating existing regulators, such as<br />
the Competition and Markets Authority and<br />
Health and Safety Executive, offering five<br />
'principles' through which they should think<br />
about AI. "Our new approach is based on<br />
strong principles so that people can trust<br />
businesses to unleash this technology of<br />
tomorrow," says science, innovation and<br />
technology secretary Michelle Donelan.<br />
The Ada Lovelace Institute was amongst<br />
those that criticised the announcement.<br />
"The UK's approach has significant gaps,<br />
which could leave harms unaddressed, and<br />
is underpowered relative to the urgency and<br />
scale of the challenge," says Michael Birtwistle,<br />
who leads data and AI law and policy at the<br />
research institute. "The government's timeline<br />
of a year or more for implementation will<br />
leave risks unaddressed, just as AI systems<br />
are being integrated at pace into our daily<br />
lives, from search engines to office suite<br />
software."<br />
Labour has joined in the criticism, with<br />
shadow culture secretary Lucy Powell<br />
accusing the government of "letting down<br />
their side of the bargain". She added: "This<br />
regulation will take months, if not years,<br />
to come into effect. Meanwhile, ChatGPT,<br />
Google's Bard and many others are making<br />
AI a regular part of our everyday lives. The<br />
government risks re-enforcing gaps in our<br />
existing regulatory system, and making the<br />
system hugely complex for businesses and<br />
citizens to navigate, at the same time as<br />
they're weakening those foundations<br />
through their upcoming data bill."<br />
Comments Amit Yoran, CEO of NASDAQ-listed<br />
company Tenable: "As artificial intelligence<br />
captures mainstream imagination, a<br />
world of possibilities awakens. So does the<br />
realism that superintelligence is closer than<br />
we think and something we won't be able<br />
to control and/or manage."<br />
Yoran continues: "While a six-month<br />
moratorium is unrealistic, we have no<br />
guidelines, guardrails, regulations or even<br />
common frameworks for thinking about the<br />
future we are approaching at full throttle."<br />
MASSIVE CAPABILITY TO ABSORB<br />
So, what exactly is GPT-4 and how does it<br />
function? It's the latest version of what is<br />
widely regarded as the ground-breaking AI<br />
system that powers ChatGPT, which is said to<br />
be more creative, less likely to make up facts<br />
and less biased than its predecessor.<br />
Calling it "our most capable and aligned<br />
model yet", OpenAI cofounder Sam Altman<br />
said the new system is a "multimodal" model,<br />
which means it can accept images, as well<br />
as text as inputs, allowing users to ask<br />
questions about pictures. The new version<br />
can handle massive text inputs, and<br />
remember and act on more than 20,000<br />
words at once,<br />
letting it take an<br />
entire novella as a<br />
prompt.<br />
During a demo of<br />
GPT-4 on Tuesday,<br />
OpenAI president<br />
and co-founder<br />
Greg Brockman also<br />
gave users a sneak<br />
peek at the image-recognition<br />
capabilities<br />
of the newest version of<br />
the system, which is not yet<br />
publicly available and only<br />
being tested by a company called<br />
Be My Eyes. The function will allow<br />
GPT-4 to analyse and respond to images<br />
that are submitted alongside prompts and<br />
answer questions or perform tasks based on<br />
those images. "GPT-4 is not just a language<br />
model, it is also a vision model," Brockman<br />
insists. "It can flexibly accept inputs that<br />
intersperse images and text arbitrarily, kind<br />
of like a document."<br />
OpenAI claims that GPT-4 fixes or improves<br />
upon many of the criticisms that users had<br />
with the previous version of its system. As<br />
a "large language model", GPT-4 is trained<br />
on vast amounts of data scraped from the<br />
internet and attempts to provide responses to<br />
sentences and questions that are statistically<br />
similar to those that already exist in the real<br />
world. But that can mean that it makes up<br />
information when it doesn't know the exact<br />
answer - an issue known as 'hallucination' -<br />
or that it provides upsetting or abusive<br />
responses when given the wrong prompts.<br />
By building on conversations users had with<br />
ChatGPT, OpenAI says it managed to improve<br />
- but not eliminate - those weaknesses in<br />
GPT-4, responding sensitively to requests for<br />
content such as medical or self-harm advice<br />
"29% more often" and wrongly responding to<br />
requests for disallowed content 82% less<br />
often. GPT-4 will still "hallucinate" facts,<br />
however, and OpenAI warns users: "Great<br />
care should be taken when using language<br />
model outputs, particularly in high-stakes<br />
contexts, with the exact protocol (such as<br />
human review, grounding with additional<br />
context, or avoiding high-stakes uses<br />
altogether) matching the needs of a specific<br />
use-case." But it scores "40% higher" on tests<br />
intended to measure hallucination, according<br />
to OpenAI.<br />
POTENTIAL FOR GOOD<br />
Advocates of AI point to its phenomenal<br />
potential for good. AI and analytics company<br />
SAS, referenced at the start of this article,<br />
points to how advances in AI enable us to<br />
automate complicated tasks and find useful<br />
signals in data that was previously too large<br />
or complex to tackle. "From quality and<br />
equipment performance, to supply chain and<br />
spare parts optimisation, to service<br />
improvements and monetisation of IoT data,<br />
AI techniques can unlock new insights across<br />
the spectrum of manufacturing data," it<br />
states. These, according to SAS, can enable<br />
organisations to:<br />
Find early indicators of potential quality<br />
issues. AI capabilities go far beyond what<br />
simple rule-based systems can do, continuously<br />
learning to automatically detect<br />
patterns in data that a human would likely<br />
never see<br />
Avoid costly scrap and rework. Use image<br />
recognition to identify flaws during the<br />
manufacturing process so you can address<br />
them promptly<br />
Identify areas for improvement. Text analytics,<br />
including natural language processing,<br />
lets you link customer sentiment, service<br />
comments and other written records<br />
to quality and production variables to<br />
identify areas for improvement<br />
Improve yield. Apply deep learning in<br />
industrial operations to optimise product<br />
composition and production techniques,<br />
combining audio, video, text and other<br />
data "at efficiency levels previously<br />
unimaginable".<br />
Others with deep concerns and reservations<br />
about AI point to the in-built bias that they<br />
say fuels the very way in which artificial<br />
intelligence has been set up. UNESCO, for<br />
instance, says that typing 'greatest leaders of<br />
all time' in your favourite search engine will<br />
"probably bring up a list of the world's<br />
prominent male personalities. How many<br />
women do you count? An image search for<br />
'school girl' will most probably reveal a page<br />
filled with women and girls in all sorts of<br />
sexualised costumes. Surprisingly, if you type<br />
'schoolboy', results will mostly show ordinary<br />
young schoolboys. No men in sexualised<br />
costumes or very few."<br />
These, states UNESCO, are examples of<br />
gender bias in artificial intelligence, originating<br />
from stereotypical representations deeply<br />
rooted in our societies. "AI-systems deliver<br />
biased results. Search-engine technology<br />
is not neutral, as it processes big data and<br />
prioritises results with the most clicks relying<br />
both on user preferences and location.<br />
Thus, a search engine can become an echo<br />
chamber that upholds biases of the real world<br />
and further entrenches these prejudices and<br />
stereotypes online."<br />
Gender bias should be avoided or at the<br />
least minimised in the development of<br />
algorithms, in the large data sets used for<br />
their learning and in AI use for decision-making,<br />
it argues. That is why<br />
UNESCO has embarked, for the<br />
first time, on developing a legal,<br />
global document on the ethics<br />
of AI. "Everyone and every part<br />
of the world should be part<br />
of this debate. Artificial<br />
Intelligence is everyone's<br />
business," it insists.<br />
DOUBLE-EDGED SWORD<br />
When it comes to the role AI<br />
performs in cybersecurity, many<br />
sectors have mixed feelings towards<br />
the technology and machine learning,<br />
states Matt Aldridge, OpenText Cyber<br />
Security. "For cybersecurity, perhaps<br />
more than for any other industry, it is<br />
a genuine double-edged sword. For<br />
cybersecurity professionals, AI is a powerful<br />
instrument that expedites and improves many<br />
processes, such as automated security processing<br />
and threat detection. However, we<br />
must remember that bad actors have the very<br />
same toolsets available for their criminal<br />
activity. It is proving to be a constant cat-and-mouse<br />
game between these two parties, in<br />
the same way that it has been with cyber<br />
defenders and attackers since the earliest days<br />
of the internet."<br />
First things first, says Aldridge. AI can make<br />
cyberattacks much more sophisticated and<br />
therefore harder to stop. "An all-too-common<br />
example is phishing. With the help of AI,<br />
cybercriminals can write extremely believable<br />
phishing emails in any language, aimed at<br />
whatever type of person they wish to target.<br />
The same is true of voice phishing: AI bots<br />
only need a few seconds of audio material to<br />
credibly replicate a person's voice, making it<br />
simpler than ever to fake calls with the<br />
purpose of extortion."<br />
Faced with the dangers this poses, he adds,<br />
businesses must double down on their<br />
security awareness training efforts. "These<br />
must become regularly and systematically<br />
updated sessions, which every employee is<br />
mandated to take. Overall, businesses should<br />
be encouraging their staff to cultivate a<br />
critical mindset when it comes to internal<br />
and external communications, and not<br />
immediately trust any sender, whether<br />
unfamiliar or not. For cybersecurity<br />
organisations, using AI is no longer an<br />
optional improvement, but an absolute<br />
necessity. Considering the rise of AI-enhanced<br />
cyberattacks, the only way to maintain<br />
enterprise security is by incorporating AI into<br />
threat recognition systems, in order to cope<br />
with the increasing sophistication and<br />
intelligence of cybercriminal techniques. You<br />
must fight fire with fire - or risk being left<br />
behind."<br />
POISONING AND OBFUSCATION FEARS<br />
Meanwhile, Kiri Addison, threat detection<br />
and efficacy product manager, at Mimecast,<br />
points to the company's Mimecast State of<br />
Email Security report, which reveals that<br />
nearly every company suffered from a data<br />
breach (91%). However, she cautions, the<br />
corporate investment into AI will only fuel<br />
criminal organisations to upskill further into<br />
AI poisoning and obfuscation techniques.<br />
"This will lead to greater access to attack<br />
organisations without strong security only<br />
or those who rely solely on AI and forget to<br />
cover the basics. With economic pressures<br />
stretching everyone's budgets, there may be<br />
less focus on cybersecurity as the numbers<br />
get scrutinised, but this should not be the<br />
case! The latest developments in AI have<br />
the potential to enable cyber criminals to<br />
develop social engineering attacks more<br />
quickly and easily. Use tools like employee<br />
training, on top of regular updates and<br />
consolidated technology, to keep the impact<br />
of cyber-attacks to a minimum," advises<br />
Addison.<br />
As far as financial services are concerned,<br />
says Nigel Green, CEO and founder of deVere<br />
Group, AI is set to play an ever-increasing<br />
role and will "fundamentally reshape" the<br />
industry for firms, consumers and markets.<br />
His comments follow Microsoft announcing<br />
that its suite of productivity tools is being<br />
enhanced by artificial intelligence software<br />
as the company pushes onward in a race<br />
against tech giants such as Google, Baidu<br />
and Adobe to commercialise AI technology.<br />
"Despite the lack of familiarity for most<br />
people, AI is a technology that's transforming<br />
the way we do business,<br />
interact and, without<br />
exaggeration, how we live,"<br />
states Green. "It's a wide-ranging<br />
tech that enables<br />
people to rethink how we<br />
integrate information, analyse<br />
data and use the resulting insights<br />
to enhance our decision-making.<br />
AI is already changing the world and<br />
raising important issues for society, the<br />
economy, and governance. Whilst there are<br />
also concerns about the ethical and social<br />
implications of AI, such as privacy and bias, it<br />
has the potential to bring about considerable<br />
positive changes, not least in areas including<br />
healthcare, education, business and public<br />
services."<br />
The deVere CEO believes finance is one of<br />
the sectors that will become defined by AI<br />
in the coming years, with AI chatbots and<br />
virtual assistants helping financial institutions<br />
to offer personalised customer service 24/7<br />
and respond to client queries in real-time;<br />
and even discover fraudulent activities by<br />
analysing large amounts of data in real-time<br />
and identifying unusual behaviour trends. "As<br />
such, this will help financial institutions make<br />
better and faster decisions by analysing facts<br />
and figures, and providing insights into<br />
potential opportunities or risks. We expect<br />
that algorithms can help financial institutions<br />
make more informed trading decisions by<br />
more accurately assessing market reports<br />
and, therefore, predicting future trends and<br />
patterns," he continues.<br />
It's also hoped that AI will help finance<br />
companies adhere to "regulatory and<br />
reporting requirements by automating<br />
compliance processes" and identifying<br />
potential areas of non-compliance. Green<br />
concludes: "By pushing the boundaries,<br />
improving efficiency, reducing costs and<br />
providing better services to their clients, I'm<br />
confident that AI will change the financial<br />
sector for the better in more ways than in<br />
most sectors."<br />
Kiri Addison, Mimecast: the latest<br />
developments in AI could enable<br />
cybercriminals to develop social<br />
engineering attacks more quickly<br />
and easily.<br />
Matt Aldridge, OpenText Cyber Security:<br />
for cybersecurity, AI is a genuine double-edged<br />
sword.<br />
automation<br />
HUMAN VOICE GROWS LOUDER<br />
BURNOUT HAS MADE ITS WAY<br />
INTO THE CYBERSECURITY<br />
INDUSTRY, BUT LITTLE IS BEING<br />
DONE TO ADDRESS THE<br />
ATTRITION IT CAUSES, STATES<br />
GARTNER. WHAT CAN BE DONE<br />
TO COUNTERACT THIS ISSUE?<br />
Claire Clark, Titania.<br />
Organisations in the past have<br />
developed their cybersecurity<br />
program to address the ebbs and<br />
flows of regulatory changes, business<br />
decisions, and customer demands and<br />
threats, according to global analyst firm<br />
Gartner. "Modern cybersecurity leaders will<br />
use a human-centric design to strengthen<br />
their program and optimize human<br />
potential," it states.<br />
In recent Gartner research, these are the<br />
key findings:<br />
Burnout has made its way into the<br />
cybersecurity industry, but little is being<br />
done to address the attrition it causes<br />
Insider threat management is not a focus<br />
area for most organisations, unless they<br />
are highly regulated<br />
Digital risk protection services (DRPS) are<br />
becoming more relevant today as the<br />
human element continues to be an<br />
effective vector for malicious actors<br />
The cybersecurity industry has taken<br />
limited action to reduce cybersecurity<br />
process friction and improve user<br />
experience<br />
Poor strategic implementation of topics<br />
like Zero Trust stops organisations from<br />
developing a positive security culture.<br />
"Cyber threats are at an all-time high, so<br />
it's no surprise to read about Gartner's claim<br />
that burnout and attrition are prevalent in<br />
the cybersecurity industry," says Claire Clark,<br />
VP, Engineering and Operations, Titania.<br />
"As the fear of threats rises, security teams<br />
have more demands on them to ensure<br />
organisations and people are protected. The<br />
diversity and quantity of threats are on the<br />
rise, too. As a result, businesses demand<br />
more experts, but with constraints of<br />
budgets. Cyber teams are pushed to their<br />
limits and stretched thin. We need more<br />
tools, resources and time to fight the battle;<br />
for the most part, we don't get it."<br />
Here is where automation can play a<br />
valuable role, she argues, especially tools that<br />
can audit networks continuously and<br />
effectively at scale. "These tools provide the<br />
security coverage of multiple experts in one,<br />
and allow people to utilise their time more<br />
efficiently and effectively, thus helping to<br />
prevent burnout of key skilled security<br />
resource. Burnout also results in an unintentional<br />
risk to a business. Teams may need help<br />
to perform effectively. They can miss or forget<br />
something, or not do it properly. That is why<br />
effective business continuity planning needs<br />
to be in place to prevent, detect and manage<br />
resources for security compliance."<br />
When determining how to address cyber<br />
threats, most organisations do not focus on<br />
insider threat (intentional or unintentional)<br />
management, unless they are heavily<br />
regulated, adds Clark. "Human and insider<br />
threats are one of the most critical to prevent,<br />
detect and protect against. Adopting a zero-trust<br />
mindset is essential, but only some buy<br />
in on this approach. There's a misconception<br />
about perceived overhead or the need to<br />
make operational changes. The 'insider' user<br />
experience precedes preventive security<br />
measures and hinders organisations from<br />
achieving a positive security adoption.<br />
"We already face a skills shortage in cybersecurity,<br />
and the long-term consequences<br />
may increase burnout and attrition of skilled<br />
professionals, thus creating a greater risk to<br />
the cybersecurity industry itself. This, in turn,<br />
could lead to a lack of resilience to increasingly<br />
sophisticated cyber threats from the<br />
inside and the outside."<br />
Her parting advice: "Invest in solutions that<br />
cause the least friction to the user and improve<br />
the employee experience. Otherwise, you'll<br />
develop a culture sceptical and resistant of<br />
security, and an ineffective security strategy<br />
for your business."<br />
device disarray<br />
LOST AND STOLEN<br />
THE NUMBER OF LOST AND<br />
STOLEN DEVICES ACROSS<br />
SEVERAL GOVERNMENT<br />
DEPARTMENTS HAS SOARED IN<br />
RECENT TIMES, RAISING DEEP<br />
CONCERNS OVER DATA SAFETY<br />
Jon Fielding, Apricorn: robust, regularly<br />
reviewed and tested policy and practice<br />
is a must for optimum protection.<br />
The Home Office declared 469 lost and<br />
stolen devices between September<br />
2021 and September 2022, while<br />
the Ministry of Defence (MoD) was not far<br />
behind with 467 mobiles, tablets and USB<br />
devices unaccounted for. That is according<br />
to annual findings from Freedom of Information<br />
(FoI) requests submitted to 14<br />
government departments into the security<br />
of devices held by public sector employees.<br />
Additionally, His Majesty's Revenue and<br />
Customs (HMRC) declared 635 lost and<br />
stolen devices, including 387 mobiles, 244<br />
tablets and 4 USB drives - a 45% increase<br />
on the numbers shared for the same<br />
period in 2020-2021 (346) and 40% more<br />
than 2019-2020 (375). Further to that,<br />
the Department of Business, Energy and<br />
Industrial Strategy admitted to 204 lost<br />
and stolen devices, which is almost double<br />
the 107 declared in the previous year. The<br />
Prime Minister's Office also reported 203<br />
misplaced devices.<br />
"We have asked these same questions via<br />
these FoI requests for the last three years<br />
and, whilst it's not surprising to see devices<br />
unaccounted for, we would hope to see<br />
the numbers declining as cybersecurity<br />
becomes more established," says Jon<br />
Fielding, managing director, EMEA,<br />
Apricorn. "Robust, regularly reviewed<br />
and tested policy and practice," he argues,<br />
"with appropriate technology choices and<br />
implementation, supported by education<br />
and comprehensive backup and recovery<br />
strategy, is a must for optimum protection."<br />
Despite Apricorn's requests, The Ministry<br />
of Justice (MoJ) "declined to provide<br />
answers to the FoI questions posed,<br />
regardless of having provided information<br />
in previous years, which highlighted 345<br />
lost and stolen devices, and an alarming<br />
2,152 data breaches in that time (September<br />
2020 and September 2021)," states<br />
the company. However, research into the<br />
MoJ Annual Report, which covered April<br />
2021-March 2022, revealed a huge<br />
number of breaches declared to the ICO,<br />
most disturbing being the disclosure of a<br />
COVID status spreadsheet of 1,800 staff<br />
and offenders sent by email to all staff<br />
within a prison. This contained the<br />
confidential data for offenders and staff,<br />
including health data.<br />
There were also 5,782 security incidents<br />
that were not deemed necessary to report<br />
to the Information Commissioner's Office<br />
for 2021-22, including loss or theft of<br />
information assets from secured government<br />
premises and outside secure<br />
premises, as well as insecure disposal<br />
of inadequately protected electronic<br />
equipment, devices or paper documents.<br />
"It's worrying to think that a government<br />
entity that holds so much responsibility,<br />
and retains so much sensitive and personal<br />
information can pose this much risk," adds<br />
Fielding. "The number of recorded security<br />
incidents, whether reported to the ICO or<br />
not, should alarm security teams. A good<br />
place to start would be through education<br />
and awareness. It's not simply about putting<br />
critical policies in place, but equally ensuring<br />
that awareness is maximised among<br />
employees, so that the risks associated<br />
with applications, actions and devices are<br />
understood."<br />
The Department for Education (DfE)<br />
confirmed the loss and theft of 356<br />
devices, including 296 USB drives. With so<br />
many USB devices unaccounted for, it<br />
further highlights the importance of<br />
encryption on portable drives to keep data<br />
safe when moving beyond the confines of<br />
the government network.<br />
Despite the number of devices missing in<br />
action, when questioned on the security<br />
of these devices, each of the government<br />
departments that were asked confirmed<br />
the missing devices were all encrypted as<br />
standard.<br />
threat response<br />
WHY WE NEED A RETURN TO<br />
PREVENTION-FIRST CYBERSECURITY<br />
STOPPING ZERO DAYS, RANSOMWARE AND OTHER NEVER-BEFORE-SEEN MALWARE IS A RACE AGAINST THE<br />
CLOCK, WARNS KAREN CROWLEY, DIRECTOR OF PRODUCT & SOLUTIONS MARKETING AT DEEP INSTINCT<br />
As the volume and velocity of threats<br />
increase, due to generative AI,<br />
organisations won't keep up. The<br />
industry standard 'assume breach' mentality,<br />
which is a reactive approach that relies on<br />
detection and response, is too late. The<br />
threat actors are already inside. It's time to<br />
prevent threats before they land inside your<br />
environment.<br />
ASSUME BREACH IS TOO LATE<br />
For example, in just 15 seconds the fastest-known<br />
ransomware begins to encrypt.<br />
By contrast, the quickest detection and<br />
response solutions take at least a few<br />
minutes to detect a threat - with many<br />
taking hours or even longer.<br />
In a matter of minutes, extremely<br />
destructive ransomware has ample time to<br />
lock down patient zero, install backdoors,<br />
and move laterally through the network. It's<br />
highly likely that, by the time the security<br />
team is aware of a problem, data will have<br />
been exfiltrated and most of the network<br />
impacted.<br />
Most security tools begin their work only<br />
after malware has started executing - with<br />
behaviours then analysed to identify the<br />
type of attack. This approach not only<br />
provides the attackers with ample dwell<br />
time, but it also frequently leads to a high<br />
number of false-positive alerts, leaving SOC<br />
teams to determine what is a real threat<br />
versus a benign alert.<br />
Attackers are getting better at evading<br />
detection once they are inside. Once the<br />
incident is detected, the focus then turns to<br />
understanding what happened, conducting<br />
further investigation, remediation and<br />
clean-up - a time-intensive and expensive<br />
process. Deep Instinct's Voice of SecOps<br />
report found that it takes 20+ hours for an<br />
organisation to respond to a cyber incident.<br />
The challenge is, can you be sure you have<br />
completely eradicated the threat? Did the<br />
attacker leave droppers or artifacts behind,<br />
or a backdoor?<br />
REDUCING BUSINESS RISK THROUGH<br />
PREVENTION<br />
We have to fight AI with AI. With the application<br />
of Deep Learning to cybersecurity, a<br />
prevention-first approach is once again a<br />
viable solution. Prevention of the past and,<br />
let's face it, the present, relies on rules and<br />
signatures, as well as cloud lookups and<br />
threat intelligence feeds. This slows down<br />
decisions and is truly only effective against<br />
known threats.<br />
A prevention-first solution that has been<br />
natively built with deep learning models<br />
that are dedicated to cybersecurity (not for<br />
self-driving cars) is able to prevent unknown<br />
malware in less than 20ms, before it can<br />
execute. This can keep >99% of attacks<br />
out of your environment, lower alerts and<br />
reduce false-positives, and enable your<br />
team to focus on the threats that really<br />
matter.<br />
Deep Learning is different from Machine<br />
Learning in too many ways to explain in this<br />
short article. However, it is the future and<br />
the way organisations can take a more<br />
proactive stance against cyber-attacks.<br />
A prevention-first strategy will reduce overall<br />
risk by stopping threats before they land inside<br />
your environment, lowering events and false-positives.<br />
Ultimately, this means SOC teams<br />
can focus on tasks that improve productivity,<br />
and stop the most complex, sophisticated<br />
and aggressive attacks.<br />
breaches<br />
BREACHES: WHERE ARE THE FAULT LINES?<br />
MANY ORGANISATIONS ARE BEING ACCUSED OF FAILING TO TAKE APPROPRIATE MEASURES TO PROTECT<br />
THEMSELVES AGAINST DATA BREACHES - BUT ARE THE ODDS AGAINST THEM JUST TOO GREAT?<br />
Data breaches and cyber-attacks are<br />
accelerating at an alarming rate and<br />
yet the response of organisations<br />
when it comes to protecting themselves<br />
seems to be lagging behind. According to<br />
IT Governance, its research identified 106<br />
publicly disclosed incidents accounting for<br />
29.58 million breached records in February<br />
alone. "It follows a mammoth start to the<br />
year, with more than 277 million breached<br />
records in January, and brings the running<br />
total for the year to over 300 million pieces<br />
of compromised personal data," the<br />
company states.<br />
Detecting data breaches has always been<br />
a challenge, states IT Governance. "Even<br />
with staff working on-site, with everyone<br />
connected to the same network and<br />
with antivirus, anti-malware and other<br />
technological security solutions in place,<br />
organisations seldom know they've been<br />
breached until a third party informs them -<br />
usually because stolen data can be traced<br />
back to them. In fact, dwell time - the period<br />
between a security breach and its discovery -<br />
is more often measured in months than<br />
days. This isn't so much a failing on the part<br />
of the victims as efficiency on the part of the<br />
attackers. After all, they don't want to be<br />
detected." Ransomware, which is effective<br />
only when the victim knows of its existence,<br />
is the exception to this rule and inevitably<br />
has a much shorter dwell time.<br />
Of course, technical vulnerabilities aren't<br />
the only causes of data breaches, it adds.<br />
"Human error is regularly found to be the<br />
most common reason for security and data<br />
breaches. For instance, data can be sent to<br />
the wrong recipient by accidentally using cc<br />
instead of bcc when emailing groups of<br />
people, and staff can accidentally click<br />
malicious links and open dubious<br />
attachments in phishing emails or fall for<br />
other social engineering attacks. And, if the<br />
breached data is personal information, you<br />
risk substantial fines or regulatory action<br />
under the UK GDPR (General Data Protection<br />
Regulation) and DPA (Data Protection Act)<br />
2018."<br />
Those who argue that the tools to stop<br />
the assailants are readily available, but are<br />
often not taken up for various reasons - the<br />
organisation doesn't see cybersecurity as a<br />
priority or budgets are too constrained, for<br />
instance - may be taking too simplistic an<br />
approach. The truth is that the range and<br />
sophistication of ways an organisation can<br />
be breached has hit new heights - or maybe<br />
lows - of late. Here are just some of those<br />
means of cracking open a victim:<br />
Cloud vulnerability<br />
Data breaches<br />
Dangerous hybrid or remote work<br />
environments<br />
Phishing becoming more complex<br />
and evasive<br />
Ransomware strategies taking new<br />
directions<br />
Cryptojacking<br />
Cyber-physical attacks<br />
State-sponsored attacks.<br />
IN THE HEAT OF BATTLE<br />
Of course, NOT being breached can be an<br />
exercise in hindsight. In the heat of battle, it<br />
may be a different story. Saying not enough<br />
was done will always be true, in the wake of<br />
an attack, but what was done will always<br />
have to be measured by the power and<br />
capability of the enemy against the budget<br />
of the victim.<br />
Computing Security thought it might be<br />
instructive to look at some of the many<br />
breaches that have occurred recently, as<br />
reported by various sources, to get a picture<br />
of how these were executed, their impact<br />
and whether they might have been avoided.<br />
Let's start with …<br />
HIGHLY VULNERABLE<br />
Sophos's Active Adversary Report for<br />
Business Leaders, which looks at the<br />
changing behaviours and attack techniques<br />
that adversaries used in 2022. The data<br />
identified more than 500 unique tools and<br />
techniques, including 118 'Living off the<br />
Land' binaries (LOLBins). Unlike malware,<br />
LOLBins are executables naturally found<br />
on operating systems, making them much<br />
more difficult for defenders to block when<br />
attackers exploit them for malicious activity.<br />
Sophos also found that unpatched<br />
vulnerabilities were the most common<br />
root cause of attackers gaining initial<br />
access to targeted systems. In fact, in half<br />
of all investigations that were included in the<br />
report, attackers exploited ProxyShell and<br />
Log4Shell vulnerabilities - vulnerabilities from<br />
2021 - to infiltrate organisations. The second<br />
most common root cause of attacks was<br />
compromised credentials.<br />
"When today's attackers aren't breaking in,<br />
they're logging in," says John Shier, field CTO,<br />
commercial, Sophos. "The reality is that the<br />
threat environment has grown in volume<br />
and complexity to the point where there are<br />
no discernible gaps for defenders to exploit.<br />
For most organisations, the days of going<br />
at it alone are well behind them. It truly is<br />
everything, everywhere, all at once. However,<br />
there are tools and services available to businesses<br />
that can alleviate some of the defensive<br />
burden, allowing them to focus on their<br />
core business priorities."<br />
WORKFORCE MORALE SUFFERS<br />
A report by Bitdefender showed that, within<br />
the UK, 44% of cybersecurity professionals<br />
said they had been told to keep a breach<br />
confidential when they should have reported<br />
it. It's clear from the overall findings that<br />
morale has also taken a big hit, it adds:<br />
• 35% surveyed said they had knowingly<br />
kept a breach confidential and 51%<br />
worried about their company facing legal<br />
action, due to poor reporting of cyber<br />
incidents<br />
• 47% of UK professionals cited supply<br />
chain attacks and ransomware as the<br />
top concern (unlike the rest of the world,<br />
where software vulnerabilities are the<br />
biggest concern for 54%)<br />
• 64% said they had to work weekends,<br />
due to security concerns their company<br />
faced. This correlates to 45% stating they<br />
planned to look for a new job in the next<br />
12 months.<br />
SUPPLY CHAIN WEAKNESSES<br />
A recent report by cyber security business<br />
Risk Ledger reveals leading cyber security<br />
weaknesses in the supply chain. The report<br />
found that 40% of third-party suppliers do<br />
not conduct regular penetration tests of<br />
internal systems and 32% do not have a<br />
supplier security policy that outlines the<br />
security requirements that their suppliers<br />
should meet, putting their own and their<br />
customers' data at risk. Some of the major<br />
findings revealed in this report include:<br />
• 17% do not enforce multi-factor<br />
authentication (MFA) on all remotely<br />
accessible services<br />
• 23% do not use Privileged Access<br />
Management controls to securely<br />
manage the use of privileged accounts<br />
• 20% do not use a password manager.<br />
"Companies rarely run security assurance<br />
against more than 10% of their immediate<br />
third-party suppliers, while visibility into the<br />
risks existing further down the chain remains<br />
almost non-existent," says Risk Ledger CEO<br />
Haydn Brooks. "To improve this situation,<br />
better data and insights into the most<br />
prevalent weaknesses in the wider supplier<br />
ecosystem are needed, so that remedial<br />
efforts can become more focused."<br />
SMALLER ATTACK SURFACE<br />
Nick Denning of Policy Monitor has specific<br />
thoughts on what small and medium-sized<br />
enterprises (SMEs) can do to better defend<br />
themselves, starting with knowing their<br />
vulnerabilities. "It is true that larger organisations<br />
have more cybersecurity experts and<br />
resources to help protect them from attack<br />
than SMEs, but having in-house knowledge<br />
is only part of the story," he says. "Research<br />
can show 'what' the threat might be, but<br />
not 'where' your organisation could be<br />
vulnerable. The good news is that SMEs<br />
by their nature are likely to have a smaller<br />
attack surface. Therefore, it is potentially<br />
easier for an SME to assess risks and to take<br />
an inventory of the assets that need protecting<br />
and how they may be vulnerable.<br />
However, if a business does not have even<br />
the basic skills and deployed technologies to<br />
access this type of information, it can leave<br />
huge gaps in its defences or lead it to invest<br />
in the wrong kind of security. It is like leaving<br />
your house, locking all the doors and turning<br />
on the expensive burglar alarm you installed<br />
after a previous break-in, but forgetting to<br />
close the bedroom window or secure the<br />
shed where your expensive power tools are<br />
stored."<br />
Haydn Brooks, Risk Ledger: better data<br />
and insights into the most prevalent<br />
weaknesses in the wider supplier<br />
ecosystem are needed.<br />
Nick Denning, Policy Monitor: effective<br />
protection against cyber threats also requires<br />
an ongoing process of cybersecurity asset<br />
identification and management.<br />
Matt Hull, NCC Group: Lockbit 3.0<br />
leading the way as 2023's most prevalent<br />
threat actor by some margin.<br />
Jason Foster, Cynozure: good data<br />
management is at the heart of building<br />
trust, reducing the risk of breaches and<br />
enabling innovation.<br />
Just as it is important to have a register of<br />
your physical assets for accounting and<br />
maintenance purposes, an important<br />
element of effective protection against cyber<br />
threats also requires an ongoing process of<br />
cybersecurity asset identification and<br />
management. "This has two dimensions,"<br />
adds Denning. "Companies need a register<br />
of traditional physical IT assets, such as<br />
PCs, servers and the increasing number of<br />
devices used to access systems remotely.<br />
Increasingly, organisations have items<br />
connected as part of the Internet of Things,<br />
such as medical sensors, fire alarms and<br />
smart security devices. You need to have an<br />
inventory of all these assets, as they make up<br />
the attack surface of an organisation."<br />
The second dimension of IT asset<br />
management is that these assets can provide<br />
a vulnerable entry point and have great<br />
value in themselves. "They may also be<br />
the ultimate targets of cyber-attacks. For<br />
example, an inadequately protected public<br />
application might provide a way-in for cyber<br />
criminals to download or corrupt your data<br />
or a path to enter your systems then move<br />
on to other targets," continues Denning.<br />
"Customer data and employee records held<br />
in databases can help cyber criminals<br />
perpetuate identity theft and financial fraud.<br />
If there is a data breach, an organisation<br />
can be hit by direct financial fraud, an<br />
inability to perform daily business processes,<br />
reputational damage, and heavy data protection<br />
fines from regulators and the cost of<br />
forensic investigations."<br />
RANSOMWARE ON THE RAMPAGE<br />
Analysis from NCC Group's Global Threat<br />
Intelligence team revealed there were 240<br />
ransomware attacks in February, a 45%<br />
increase from January (see also News, Page<br />
6). The volume of activity is the highest<br />
recorded by NCC Group for this period,<br />
up 30% on February 2022 (185) and 2021<br />
(185). The considerable rise highlights the<br />
growing threat of ransomware attacks, it<br />
states, as the threat landscape continues<br />
to evolve. Matt Hull, global head of threat<br />
intelligence at NCC Group, comments:<br />
"In February, we observed a surge in ransomware<br />
activity, as expected when coming<br />
out of the typically quieter January period.<br />
However, the volume of ransomware attacks<br />
in January and February is the highest we<br />
have ever monitored for this period of the<br />
year. It is an indication of how the threat<br />
landscape is evolving and threat actors show<br />
no signs of reducing ransomware activities.<br />
"Looking at the most prevalent threat<br />
actors, Lockbit 3.0 looks set to carry on<br />
where it left off in 2022," he believes, "and<br />
is already leading the way as 2023's most<br />
prevalent threat actor by some margin.<br />
BlackCat also remains consistent, while the<br />
ever-sporadic BianLian returned to the top<br />
three. Finally, it'll be interesting to see how<br />
the takedown of Hive by the US Department<br />
of Justice plays out. While this means their<br />
digital operations have been taken down,<br />
it's unlikely Hive's members will disappear<br />
completely. Our threat intelligence team<br />
will continue to keep a close eye on how<br />
this impacts the threat landscape."<br />
POORLY MANAGED DATA<br />
Almost six in ten (57%) senior executives in<br />
the UK financial services sector said their<br />
organisations were at risk of a data breach,<br />
because data is so poorly managed, according<br />
to research from data and analytics<br />
strategy consultancy Cynozure. The findings<br />
were revealed just as the Bank of England's<br />
annual Systemic Risk Survey showed that<br />
cyber-attacks are the most cited risk to<br />
the UK financial system, ahead of inflation<br />
and geopolitical risks. And these concerns<br />
are well-founded, states the consultancy:<br />
"Financial services and insurance firms have<br />
been the target for over a quarter (28%)<br />
of all cyber-attacks in the UK in the last<br />
twelve months."<br />
The research also exposes a lack of<br />
understanding of data in many financial<br />
institutions that may make them more<br />
vulnerable to attack, including around how<br />
it's stored, managed and used. More than<br />
one in five (21%) respondents said they<br />
didn't know where data was held in the<br />
organisation, over a third (35%) said the<br />
data world is too complex to understand<br />
and more than three in ten (31%) said there<br />
is a lack of data literacy in the business.<br />
Jason Foster, CEO and founder of Cynozure,<br />
comments: "94% of organisations say that<br />
using data effectively is central to running<br />
a successful business, but we've seen many<br />
lack the strategy, literacy, controls and vision<br />
to generate that success. In the financial<br />
services sector, data has the power to create<br />
better products and services, speed up<br />
response rates, drive slicker operations and<br />
support better management of risk. Good<br />
data management is at the heart of building<br />
trust, reducing the risk of breaches and<br />
enabling innovation, so it's critical that steps<br />
are taken to ensure data is stored, managed,<br />
used and protected correctly."<br />
PHISHING FOR AN EASY CATCH<br />
In the wake of the government's 'Cyber<br />
security breaches survey 2023', where one<br />
statistic showed that, for medium businesses,<br />
there has been a drop since 2022 in<br />
the proportion of businesses saying they<br />
have security controls on their devices (from<br />
91% to 79%) and agreed processes for<br />
phishing emails (from 86% to 78%), Andy<br />
Robertson, head of enterprise and cybersecurity<br />
business at Fujitsu UK&I, had this<br />
to say: "A rise in phishing attacks always<br />
correlates with negative economic or social<br />
events and is targeted at those who stand to<br />
benefit the most from socially engineered<br />
messaging. So, as the cost-of-living crisis<br />
continues, don't expect cyber risks to go<br />
away."<br />
Cyber security experts face another hurdle,<br />
too. "With the big rise of artificial intelligence<br />
tools that we're seeing in the form of generative<br />
AI and platforms such as ChatGPT, this<br />
is creating a surge in phishing attacks," he<br />
adds. "For instance, ChatGPT has the ability<br />
to create cyber security attacks, and these<br />
attacks can be created by someone with very<br />
little cyber security and computing experience.<br />
On the flip side, it can be very<br />
powerful, performing a lot of the heavy<br />
lifting to understand what is happening."<br />
URGENT REVIEW NEEDED<br />
Going forward, organisations must identify<br />
equally sophisticated methods to protect<br />
themselves, warns Robertson. "Now, more<br />
than ever, organisations need to be reviewing<br />
their high-level accounts, who has access<br />
to them and when the passwords were last<br />
changed, having a strict approach to Multi-<br />
Factor Authentication (MFA) and Conditional<br />
Access (CA)."<br />
Meanwhile, at a time when IBM reports<br />
the average cost of a data breach is $9.44<br />
million in the US and $4.35 million globally,<br />
a survey carried out by Checkmarx of more<br />
than 1,500 CISOs, AppSec managers and<br />
software developers around the world<br />
uncovered some troubling statistics. The<br />
research showed 88% of AppSec managers<br />
surveyed have experienced at least one<br />
breach in the prior year as a direct result<br />
of vulnerable application code. "The shift<br />
toward modern development practices that<br />
incorporate microservices and serverless<br />
technologies, container security and<br />
infrastructure as code (IaC) are multiplying<br />
the potential attack surface, thereby<br />
identifying critical new priorities for application<br />
security," cautions the company.<br />
CLOUD COMPLEXITY<br />
Adds Sandeep Johri, CEO at Checkmarx:<br />
"Our research underscores how the complexity<br />
of cloud-native applications has ushered<br />
in a bevy of new risks at a time when digital<br />
transformation is a key enterprise goal. A<br />
comprehensive 'shift everywhere' approach<br />
to AppSec ensures that vulnerabilities can be<br />
addressed at any point during the software<br />
development lifecycle. This can become both<br />
an enabler of transformation and a strong<br />
differentiator for the enterprise that can<br />
prove its advanced AppSec posture, ultimately<br />
priming the business for success."<br />
Andy Robertson, Fujitsu UK&I: the big<br />
rise of artificial intelligence tools is<br />
creating a surge in phishing attacks.<br />
John Shier, Sophos: threat environment has<br />
grown in volume and complexity to point<br />
where there are no discernible gaps for<br />
defenders to exploit.<br />
encryption<br />
'SAFETY' ON LINE: AT WHAT PRICE?<br />
THE ONLINE SAFETY BILL HAS BEEN ACCUSED OF WEAKENING THE UK'S DIGITAL SECURITY,<br />
THREATENING BASIC PRIVACY AND OPENING UP THE PROSPECT OF EVER-CREEPING<br />
CENSORSHIP AND BLANKET SURVEILLANCE... OR CAN IT STILL BE A FORCE FOR GOOD?<br />
We all want to be able to address<br />
abuse on the internet, says<br />
Matthew Hodgson, CEO of<br />
Element, but he has grave concerns as to<br />
the UK government's Online Safety Bill (OSB)<br />
being the right way to achieve that in its<br />
present format. "Developing such a bill is<br />
difficult as technology evolves far faster than<br />
legislation," he comments. "But, even allowing<br />
for that challenge, and that the OSB has some<br />
genuinely good intentions, the proposed<br />
legislation is still remarkably poor. What could<br />
have been a constructive piece of legislation<br />
has ended up as a bloated and overreaching<br />
proposal, drafted with little technical prowess.<br />
As it currently stands, the bill weakens the<br />
UK's digital security, threatens basic privacy,<br />
stymies the UK tech industry, and introduces<br />
the prospect of ever-creeping censorship and<br />
blanket surveillance."<br />
Instead of setting a principled example to<br />
the rest of the world, the OSB sees the UK<br />
proposing state surveillance and censorship,<br />
Hodgson insists. "It's far closer to the approach<br />
seen from regimes in Russia and China than<br />
anything in Europe or the US. The bill takes a<br />
wrecking ball to the very fabric of encryption,<br />
by requiring encrypted messaging apps to<br />
scan for abusive content within the app [or<br />
the app's underlying operating system]. This<br />
fundamentally undermines encryption, by<br />
providing a mechanism that can be hijacked<br />
and abused to access arbitrary user data. It<br />
is the online equivalent of installing a CCTV<br />
camera into everyone's bedroom, hooked<br />
up to an artificial intelligence (AI) classifier,<br />
which sends footage back to the authorities<br />
whenever it thinks it sees something illegal<br />
happening."<br />
Today's built-in scanning AI from Apple can't<br />
even distinguish a cow from a horse, he adds<br />
- "so, even if blanket surveillance was a good<br />
idea in the first place, the chances of AI<br />
scanning causing your phone to upload any<br />
and all remotely questionable photos to the<br />
authorities [Ofcom, no less] would be<br />
enormous. The privacy implications are<br />
catastrophic. By forcing this 'backdoor' into<br />
end-to-end encryption (E2EE), the resulting<br />
surveillance mechanisms would be able<br />
to access anyone's messages, at any time,<br />
forwarding them to the authorities, if<br />
suspected as illegal. This weakens security<br />
for everyone; from the 99 percent of normal<br />
law-abiding people through to businesses<br />
and governments."<br />
And if you think that competing nation<br />
states, terrorists and criminals won't be able<br />
to make use of that same access, you're sorely<br />
mistaken, he continues. "It means that<br />
healthcare information, financial details,<br />
conversations regarding air traffic control,<br />
electricity grids, nuclear power stations,<br />
military manoeuvres…. none of it would be<br />
protected by end-to-end encryption. And all<br />
that loss of security will be for nothing,<br />
because - no surprise - bad actors don't play<br />
by the rules."<br />
Hodgson believes forcing third party access<br />
to end-to-end encrypted systems robs 'the<br />
good guys' of their security and leaves 'the<br />
bad guys' free to carry on doing what they've<br />
always done. "That the likes of Facebook have<br />
failed in their duty to moderate content is part<br />
of what has led to the OSB. Yet that model in<br />
itself - a centralised, hierarchical platform that<br />
ends up in the unenviable position of having<br />
to adjudicate what's 'acceptable' - is precisely<br />
what the OSB puts forward as its solution."<br />
UNITED PROTEST<br />
Meanwhile, as reported in The Guardian, rival<br />
chat apps WhatsApp and Signal are amongst<br />
those that have joined forces to protest<br />
against the bill, which they say could<br />
undermine the UK's privacy and safety.<br />
"The bill provides no explicit protection<br />
for encryption," they comment, "and, if<br />
implemented as written, could empower<br />
Ofcom to try to force the proactive scanning<br />
of private messages on end-to-end encrypted<br />
communication services, nullifying the<br />
purpose of end-to-end encryption as a result<br />
and compromising the privacy of all users.<br />
In short, the bill poses an unprecedented<br />
threat to the privacy, safety and security of<br />
every UK citizen and the people with whom<br />
they communicate around the world, while<br />
emboldening hostile governments who<br />
may seek to draft copycat laws."<br />
Recently, WhatsApp's chief Will Cathcart<br />
said that the app would leave the UK, rather<br />
than submit to a requirement to weaken<br />
encryption, The Guardian also reports:<br />
"Ninety-eight per cent of our users are outside<br />
the UK," he told the newspaper. "They do not<br />
want us to lower the security of the product,<br />
and just as a straightforward matter, it would<br />
be an odd choice for us to choose to lower<br />
the security of the product in a way that<br />
would affect those 98% of users."<br />
At the core of the dispute are clauses that<br />
allow Ofcom to compel communications<br />
providers to take action to prevent harm to<br />
users. Those clauses, privacy campaigners<br />
say, do not allow for the possibility that an<br />
encrypted messaging provider may be unable<br />
to take such action without fundamentally<br />
undercutting their users' security. "Proponents<br />
say they appreciate the importance of<br />
encryption and privacy, while also claiming<br />
that it's possible to surveil everyone's messages<br />
without undermining end-to-end encryption.<br />
The truth is that this is not possible," the letter<br />
reads.<br />
During previous clashes over encryption,<br />
opponents called for such services to be<br />
banned or for governments and law<br />
enforcement to be given 'back doors' into<br />
encrypted communications. Now, the focus<br />
is on a different set of technologies, called<br />
'client side' scanning, which proponents<br />
argue can be used to monitor encrypted<br />
communications, without breaching security -<br />
but critics liken it to installing a robot spy on<br />
every phone in the world.<br />
REDUCING RISK OF ATTACKS<br />
John Benkert, Cigent co-founder and CEO,<br />
states that no encryption method can offer<br />
total protection against determined attackers.<br />
"Nonetheless, businesses can take certain<br />
measures to reduce the risks of such attacks.<br />
These measures could include implementing<br />
regular security training for employees,<br />
network segmentation, proper access control<br />
mechanisms and multi-factor authentication<br />
(MFA)," which he singles out as "one way to<br />
help provide maximum data protection".<br />
Some of the benefits of MFA that he singles<br />
out include the following:<br />
• Increased security: "MFA provides an<br />
extra layer of security to protect against<br />
unauthorised access to online accounts. It<br />
requires users to provide more than one<br />
form of authentication, usually a password<br />
and a token, biometric information or<br />
other means of verification, making it<br />
much more difficult for attackers to gain<br />
access"<br />
• Reduced risk of identity theft: "MFA helps<br />
to reduce the risk of identity theft by<br />
requiring users to verify their identity<br />
through multiple means"<br />
• Improved compliance: "MFA is an essential<br />
factor in complying with regulatory<br />
requirements, such as GDPR, HIPAA<br />
and PCI-DSS, which mandate that<br />
organisations must take proactive<br />
measures to protect sensitive data."<br />
These, amongst other safeguards, can make<br />
it more difficult for potential hackers to gain<br />
unauthorised access to critical data, Benkert<br />
argues, adding: "It's essential for businesses<br />
to prioritise cybersecurity to help reduce the<br />
likelihood of data breaches and loss of<br />
customer trust."<br />
John Benkert, Cigent: essential to<br />
prioritise cybersecurity to help reduce<br />
possible data breaches and loss of<br />
customer trust.<br />
Matthew Hodgson, CEO, Element: Online<br />
Safety Bill takes a wrecking ball to the very<br />
fabric of encryption.<br />
cybersecurity<br />
SHIFTING THE BALANCE OF POWER<br />
HARD ON THE HEELS OF THE U.S. PUBLISHING ITS NATIONAL<br />
CYBERSECURITY STRATEGY, DOES THE UK HAVE ANY OTHER<br />
OPTION BUT TO FOLLOW DOWN THE SAME AVENUE? AND MIGHT<br />
IT BE A GOOD THING ANYWAY? BRIAN WALL REPORTS<br />
With the US having published its<br />
national cybersecurity strategy,<br />
which seeks to impose minimum<br />
security standards for critical infrastructure<br />
onto larger software makers and, equally, shift<br />
responsibility for maintaining the security of<br />
computer systems away from consumers and<br />
small businesses, what impact will this have on<br />
the security industry? And what implications in<br />
particular might this have for the UK? But first,<br />
here are some of the key points in the strategy<br />
and the US government's thinking behind it.<br />
"Our rapidly evolving world demands a more<br />
intentional, more coordinated, and more well-<br />
resourced approach to cyber defense," the<br />
strategy asserts. "We face a complex threat<br />
environment, with state and non-state actors<br />
developing and executing novel campaigns<br />
to threaten our interests. At the same time,<br />
next-generation technologies are reaching<br />
maturity at an accelerating pace, creating<br />
new pathways for innovation while increasing<br />
digital interdependencies."<br />
Together with its allies and partners, the<br />
United States will, it says, pursue the goal<br />
of making its digital ecosystem:<br />
• Defensible, where cyber defence is<br />
overwhelmingly easier, cheaper and more<br />
effective<br />
• Resilient, where cyber incidents and errors<br />
have little widespread or lasting impact<br />
• Values-aligned, where our most cherished<br />
values shape - and are in turn reinforced by -<br />
our digital world.<br />
This strategy seeks to build and enhance<br />
collaboration around five pillars:<br />
1. Defend Critical Infrastructure: "We will give<br />
the American people confidence in the<br />
availability and resilience of our critical<br />
infrastructure and the essential services it<br />
provides", including by:<br />
• Expanding the use of minimum<br />
cybersecurity requirements in critical<br />
sectors to ensure national security and<br />
public safety and harmonising regulations<br />
to reduce the burden of compliance<br />
• Enabling public-private collaboration at<br />
the speed and scale necessary to defend<br />
critical infrastructure and essential services<br />
• Defending and modernizing Federal<br />
networks and updating Federal incident<br />
response policy.<br />
2. Disrupt and Dismantle Threat Actors: "Using<br />
all instruments of national power, we will<br />
make malicious cyber actors incapable of<br />
threatening the national security or public<br />
safety of the United States", including by:<br />
• Strategically employing all tools of national<br />
power to disrupt adversaries<br />
• Engaging the private sector in disruption<br />
activities through scalable mechanisms<br />
• Addressing the ransomware threat through<br />
a comprehensive Federal approach and in<br />
lockstep with our international partners.<br />
3. Shape Market Forces to Drive Security and<br />
Resilience: "We will place responsibility on<br />
those within our digital ecosystem that are<br />
best positioned to reduce risk and shift the<br />
consequences of poor cybersecurity away<br />
from the most vulnerable in order to make<br />
our digital ecosystem more trustworthy",<br />
including by:<br />
• Promoting privacy and the security of<br />
personal data<br />
• Shifting liability for software products and<br />
services to promote secure development<br />
practices<br />
• Ensuring that Federal grant programs promote<br />
investments in new infrastructures<br />
that are secure and resilient.<br />
4. Invest in a Resilient Future: "Through<br />
strategic investments and coordinated,<br />
collaborative action, the United States will<br />
continue to lead the world in the innovation<br />
of secure and resilient next-generation<br />
technologies and infrastructure", including by:<br />
• Reducing systemic technical vulnerabilities<br />
in the foundation of the Internet and<br />
across the digital ecosystem while making it<br />
more resilient against transnational digital<br />
repression<br />
• Prioritizing cybersecurity R&D for next-<br />
generation technologies, such as<br />
post-quantum encryption, digital identity<br />
solutions and clean energy infrastructure<br />
• Developing a diverse and robust national<br />
cyber workforce.<br />
5. Forge International Partnerships to Pursue<br />
Shared Goals: "The United States seeks a world<br />
where responsible state behavior in cyberspace<br />
is expected and reinforced and where<br />
irresponsible behavior is isolating and costly",<br />
including by:<br />
• Leveraging international<br />
coalitions and partnerships among like-minded<br />
nations to counter threats to our<br />
digital ecosystem through joint preparedness,<br />
response and cost imposition<br />
• Increasing the capacity of our partners to<br />
defend themselves against cyber threats,<br />
both in peacetime and in crisis<br />
• Working with our allies and partners to<br />
make secure, reliable, and trustworthy<br />
global supply chains for information<br />
and communications technology and<br />
operational technology products and<br />
services.<br />
A LAUDABLE GOAL<br />
Jon Geater, CTO of RKVST, has been taking<br />
a close-up look at the US government's<br />
moves to introduce minimum security<br />
standards for larger software suppliers, the<br />
effect it may have on cyber security and the<br />
potential implications for the UK market.<br />
"Holding vendors liable for software insecurity<br />
is a laudable goal and very likely to motivate<br />
action: comparisons are often made between<br />
building software and building bridges, and<br />
we long ago found ways of holding<br />
engineering companies accountable for<br />
failings if the bridge they build turns out to be<br />
unsafe.<br />
"But the devil's in the details here," he states.<br />
"You can't assess liability without finding fault<br />
and, even if we can define what 'insecurity'<br />
means - which is an entire PhD category in<br />
itself - we still need to identify where the<br />
insecurity originated. And there are so many<br />
questions. Whose mistake led to hackers<br />
getting in? Whose negligence let that buggy<br />
software out into the world? Who authorised<br />
that particular open-source package to be<br />
used for this use case?"<br />
In the case of a software breach, there will be<br />
lots of moving parts with software, data and<br />
security operations all at play, he adds, and<br />
right now it's really hard to know where the<br />
critical failure originated, because people don't<br />
authenticate data, don't track software<br />
provenance and don't record the who-did-what-when<br />
of releasing today's complex<br />
software into the world.<br />
"In order to successfully move forward in<br />
holding software suppliers accountable, we<br />
need to ensure the whole software and data<br />
supply chain is traceable and provable, to<br />
efficiently demonstrate fault and quickly bring<br />
any issues to a conclusion," adds Geater.<br />
"Initiatives such as the IETF SCITT working<br />
group [which aims to define a set of interoperable<br />
building blocks to help implementers<br />
build integrity and accountability into software<br />
supply chain systems, helping assure<br />
trustworthy operations] are bringing this<br />
essential capability to the world."<br />
High-profile breaches such as the widely<br />
discussed SUNBURST attack (which famously<br />
affected SolarWinds, VMware and others) and<br />
discovery of the Log4j vulnerability show<br />
governments the widespread impact that<br />
insecure software can have, he also points out,<br />
and underline the need to do something<br />
about it.<br />
"The UK government currently has a<br />
consultation open to provide a better<br />
understanding of how to address software<br />
risks and help create a more resilient digital<br />
environment. As part of that, it is looking at<br />
measures it can take to improve enterprise<br />
software security. It is likely that the UK<br />
government, based on this consultation, will<br />
look to introduce similar standards. However,<br />
in this increasingly global marketplace, we<br />
need not only global standards, but also<br />
standards that can hold the right people<br />
accountable to actually fix the problem."<br />
VALUABLE ALLIES<br />
The US National Security Strategy is a<br />
significant development in the global<br />
competition for digital power, says Paul<br />
Brucciani, cyber security advisor at WithSecure.<br />
"It places a strong emphasis on the need for<br />
greater government and private sector<br />
cooperation. As seen by the role of companies<br />
such as Google and Microsoft in helping<br />
Ukraine defend against the Russian cyber<br />
assault, tech and security firms can be valuable<br />
allies against national cyber threats."<br />
The strategy recognises that cybersecurity is<br />
getting harder, he points out. "More complex<br />
software and systems, increasing global<br />
interconnectivity, exponential growth in the<br />
quantity and intimacy of personal data<br />
collection, and the collapsing boundary<br />
between the physical and digital worlds,<br />
increase cyber security risk. The strategy calls<br />
for new requirements to be enforced in critical<br />
economic sectors, such as electricity, oil and<br />
gas, pipelines, aviation, rail, and water<br />
systems. The aim is to improve security, while<br />
maintaining a level competitive playing field."<br />
EMPHASIS ON DETERRENCE<br />
The strategy recognises the need to use kinetic<br />
(military), cyber, diplomatic and other<br />
capabilities against threat actors and it places<br />
greater prominence on 'deterrence', making it<br />
more costly to attack systems than to defend<br />
them. "In addition," comments Brucciani,<br />
"cybersecurity responsibility will be shifted<br />
away from consumers and SMBs, and onto<br />
internet service providers, including<br />
technology providers that build and service<br />
these systems."<br />
Paul Brucciani, WithSecure: sees the US<br />
National Security Strategy as a significant<br />
development in the global competition<br />
for digital power.<br />
Jon Geater, RKVST: holding vendors liable<br />
for software insecurity is a laudable goal.<br />
CYBERSECURITY PUSH<br />
There is also a shift toward introducing<br />
regulations similar to the EU's NIS2 (CNI<br />
resilience) and GDPR (data privacy), and<br />
security incidents must be reported to CISA<br />
within hours. "This is designed to compel<br />
organisations and industries to improve their<br />
cybersecurity. The US government will also<br />
pursue cross-border regulatory harmonisation<br />
to secure global supply chains, and tax breaks<br />
will be provided to strengthen cybersecurity."<br />
The approach will impact the private sector,<br />
with cybersecurity providers held accountable<br />
for security, and software companies will be<br />
held liable if they fail to show a duty of care to<br />
their customers. "Software suppliers will also<br />
be required to supply a software bill of<br />
materials to their customers and IT supply<br />
chains will have to become more transparent.<br />
Machine-to-machine data sharing is also<br />
expected to increase, along with human-to-human<br />
interaction."<br />
The US strategy comes amidst a wave of<br />
similar efforts around the world, adds<br />
Brucciani. "European regulations such as the<br />
Network and Information Security Act (NIS2),<br />
the Digital Operational Resilience Act (DORA)<br />
and the Directive on the Resilience of Critical<br />
Entities (CER), approved in December 2022,<br />
propose similar measures to protect the<br />
privacy and maintain economic stability. The<br />
UK is likely to pursue similar strategies to<br />
remain in lockstep with its international allies<br />
against both physical and cyber threats to<br />
critical infrastructure."<br />
For David Carroll, MD of Nominet, the new<br />
national cybersecurity strategy marks a radical<br />
step-change in government policy. "Tighter<br />
security regulation, greater accountability for<br />
software manufacturers and a willingness to<br />
pursue threat actors have put industry,<br />
cybercriminals and nation states on notice<br />
that the US Government is no longer willing<br />
to accept the status quo.<br />
"There's a lot to unpack in the strategy: new<br />
responsibilities for critical infrastructure<br />
operators and cloud providers, a federal<br />
insurance backstop, steps to secure the<br />
technical foundations of the Internet,<br />
legislative requests and an expansion of<br />
international collaborative efforts.<br />
"There will be much ground to cover before<br />
many of these proposals become reality.<br />
Doubtless, a robust debate will now follow<br />
and it will be fascinating to witness the<br />
various proposals' progress towards<br />
legislation. We applaud the US government in<br />
its recognition that a more interventionist<br />
approach is required and expect to see other<br />
governments following suit," adds Carroll.<br />
NATIONAL CRITICAL FUNCTIONS<br />
"The choice to put critical infrastructure at the<br />
forefront in Pillar 1 is an important and<br />
deliberate one," agrees Joshua Corman, VP of<br />
Cyber Safety Strategy at Claroty, and former<br />
chief strategist at the Department of<br />
Homeland Security's Cybersecurity and<br />
Infrastructure Security Agency. "It's crucial, as<br />
the strategy is implemented, that we begin<br />
to finally stratify our critical infrastructure<br />
functions. I encourage Congress, the White<br />
House, CISA and other parts of government to<br />
focus on the most critical of the 55 National<br />
Critical Functions - the lifeline, latency-sensitive<br />
functions that, if disrupted for 24-48 hours,<br />
could contribute to losses of life or a crisis of<br />
confidence in the public.<br />
"These include: supply water, provide medical<br />
care, generate electricity, produce and provide<br />
food, etc. Many of the owners and operators<br />
of these lifeline functions happen to also be<br />
what I've called 'target rich, cyber poor',"<br />
points out Corman, "meaning they are among<br />
the most attractive targets for threat actors,<br />
with the least amount of resources to protect<br />
themselves."<br />
cloud<br />
CLOUD GETS DARKER<br />
CUSTOMERS ADOPTING PUBLIC CLOUDS ARE NO LONGER IN FULL CONTROL OF THEIR OWN SECURITY -<br />
WHICH IS ONE OF THE TOP BARRIERS TO CLOUD ADOPTION, STATES THE WORLD ECONOMIC FORUM<br />
According to the World Economic<br />
Forum, the growth in cloud-based<br />
platforms and apps has caused<br />
a shift in cybersecurity, with customers<br />
no longer in full charge of their own<br />
cybersecurity.<br />
"Software developers exert far more<br />
influence in cybersecurity decision-making<br />
in this new cloud world," it<br />
states. "… when customers adopt public<br />
cloud providers, security is a shared<br />
responsibility model between them and<br />
the cloud providers. For example, if<br />
a customer stores data in the AWS data<br />
centre, the customer has to configure<br />
and manage their own cybersecurity<br />
policies.<br />
"Despite not having full control of data<br />
in the AWS data centre, security breaches<br />
are still the customer's responsibility. In<br />
this regard, customers adopting public<br />
clouds are no longer in full control of<br />
their own security. Security concerns are<br />
often one of the top barriers to cloud<br />
adoption."<br />
Moreover, cloud environments are more<br />
complex to secure. Modern cloud<br />
customers often employ an architecture<br />
called microservices, in which each<br />
component of an application (such as<br />
search bar, recommendation page, billing<br />
page) is built independently of each<br />
other. There could be up to 10x more<br />
workloads (eg, virtual machines, servers,<br />
containers) and microservices in the<br />
cloud than on-premise. "This increased<br />
fragmentation and complexity leads to<br />
access control issues and increases the<br />
probability of errors - for example, if<br />
a developer leaves a sensitive password<br />
in an AWS database that can be exposed<br />
to the outside world. Simply put, the<br />
attack surface area is larger and more<br />
complex in the cloud," warns the WEF.<br />
SHARED RESPONSIBILITY<br />
Rob Pocock, technical director at Red<br />
Helix, says it is becoming more important<br />
now than ever that users and cloud<br />
security providers have a shared<br />
responsibility to ensure their cloud<br />
operations are safe and secure. "Typically,<br />
cloud services will offer some form of<br />
secure encryption, and audit logging<br />
[depending on the licensing of the<br />
service] at a basic level, but, in some<br />
cases, not all providers are operating<br />
at the most rigorous levels to protect<br />
the users' data. To strengthen security,<br />
reduce risk and prevent cybercriminals<br />
from bypassing internal policies, it is<br />
essential that only authorised users gain<br />
access to a company's system and that<br />
authentication is required before access<br />
is granted."<br />
As part of their responsibility, users can<br />
apply authentication that goes beyond<br />
username and password. "For example,<br />
multi-factor authentication requires the<br />
user to provide two or more verification<br />
factors to gain access to a resource such<br />
as an application, online account, or a<br />
VPN," states Pocock. "Quite often, the<br />
user's identity is authenticated by cross-referencing<br />
information stored on a<br />
database with information held by<br />
the user, such as biometric data<br />
or the use of personalised<br />
questions. Despite some<br />
form of control over the<br />
sensitive information in the cloud<br />
database, there is no guarantee that user<br />
data will not be shared with other<br />
organisations sharing the same cloud<br />
space.<br />
"Whether a data breach is malicious or<br />
accidental, the consequences of the<br />
associated downtime, lost revenue and<br />
brand harm can be hugely detrimental<br />
to the business affected," he points out.<br />
"Cloud services should consider the<br />
importance of placing tighter controls<br />
over accessing the physical rooms where<br />
data is stored."<br />
Rob Pocock, Red Helix.<br />
passwords<br />
THE CRACKS ARE WIDENING<br />
RESEARCH FROM US CYBERSECURITY COMPANY HIVE SYSTEMS SUGGESTS ANY 7-OR-8 CHARACTER<br />
PASSWORD MADE UP OF JUST NUMBERS OR LOWER CASE LETTERS CAN BE CRACKED INSTANTLY.<br />
WHEN IS 'SAFE' REALLY SAFE?<br />
Password cracking (also called password<br />
hacking) is an attack vector that involves<br />
hackers attempting to crack or<br />
determine a password - and it is something<br />
attackers have multiple ways of carrying<br />
out through a variety of programmatic<br />
techniques and automation, using<br />
specialised tools, says Matt Miller, director,<br />
content marketing at BeyondTrust. "These<br />
password cracking tools may be referred to<br />
as 'password crackers'. Credentials can also<br />
be stolen via other tactics, such as by<br />
memory-scraping malware, and tools like<br />
Redline password stealer, which has been<br />
part of the attack chain in the recent, high-profile<br />
Lapsus$ ransomware attacks."<br />
A password can refer to any string of<br />
characters or secret to authenticate an<br />
authorised user to a resource. Passwords<br />
are typically paired with a username or other<br />
mechanism to provide proof of identity.<br />
"Credentials are involved in most breaches<br />
today. Forrester Research has estimated that<br />
compromised privileged credentials are<br />
involved in about 80% of breaches. When<br />
a compromised account has privileges, the<br />
threat actor can easily circumvent other<br />
security controls, perform lateral movement<br />
and crack other passwords. This is why<br />
highly privileged credentials are the most<br />
important of all credentials to protect."<br />
Within an in-depth blog, Miller has<br />
highlighted password vulnerabilities and risks<br />
that give attackers an edge, and provided<br />
an overview of password cracking motives,<br />
techniques, tools and defences. Attackers<br />
typically hold at least two advantages over<br />
defenders, he points out:<br />
• Time on their hands, as they often take<br />
a scatter-gun approach to gaining access<br />
• Automated password cracking toolsets<br />
that will autonomously run the attack.<br />
"Password crackers can try passwords at<br />
a slow, measured pace to avoid triggering<br />
account lock-outs on individual accounts. If<br />
a password cracker only tries one password<br />
every 10 minutes per account, 100,000<br />
passwords will take a long time. Sensibly,<br />
they will try each password against every<br />
account they are aware of - few systems<br />
track password attempts across accounts.<br />
Even when Security Information and Event<br />
Monitoring (SIEM) or User and Entity<br />
Behavioral Analysis (UEBA) systems are<br />
active, there are limited defensive actions.<br />
You can't lock out every account. Blocking<br />
the source IP address will result in a new<br />
IP taking up the attack, if it hasn't already<br />
distributed across hundreds, or even<br />
thousands, of IP addresses."<br />
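Added example (not from the article or from BeyondTrust): the cross-account tracking that the quote says few systems perform, run over a constructed log beside the usual per-account and per-source thresholds. The log format, field positions, thresholds and window sizes are assumptions chosen for illustration.<br />

```python
from collections import deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed auth log: a slow spray plus one user fumbling their own password."""
    start = datetime(2023, 5, 2, 9, 0, 0)
    lines = []
    # Spray: 3 rounds, 10 minutes apart, one guess per account, a fresh source IP each time.
    for rnd in range(3):
        for i in range(12):
            ts = start + timedelta(minutes=10 * rnd, seconds=5 * i)
            ip = f"198.51.100.{rnd * 12 + i + 1}"
            lines.append(f"{ts.isoformat()} FAIL user=user{i:02d} src={ip}")
    # Noise: carol mistypes five times from her usual address, then gets in.
    for k in range(5):
        ts = start - timedelta(minutes=10) + timedelta(seconds=20 * k)
        lines.append(f"{ts.isoformat()} FAIL user=carol src=192.0.2.7")
    lines.append(f"{(start - timedelta(minutes=8)).isoformat()} OK user=carol src=192.0.2.7")
    return sorted(lines)  # identical ISO timestamp format, so text order is time order


def parse_line(line):
    """Return (timestamp, outcome, user, source) from one constructed log line."""
    ts, outcome, user, src = line.split()
    return datetime.fromisoformat(ts), outcome, user.split("=", 1)[1], src.split("=", 1)[1]


def threshold_hits(events, field, limit=5, window=timedelta(minutes=15)):
    """Classic control: flag a single account (field=2) or source IP (field=3)
    that collects `limit` failures inside `window`."""
    recent, flagged = {}, set()
    for ev in events:
        if ev[1] != "FAIL":
            continue
        q = recent.setdefault(ev[field], deque())
        q.append(ev[0])
        while ev[0] - q[0] > window:
            q.popleft()
        if len(q) >= limit:
            flagged.add(ev[field])
    return flagged


def cross_account_alerts(events, min_accounts=10, window=timedelta(minutes=5)):
    """Flag periods where failures touch many DISTINCT accounts, whatever the source."""
    q, alerts, active = deque(), [], None
    for ts, outcome, user, src in events:
        if outcome != "FAIL":
            continue
        q.append((ts, user, src))
        while ts - q[0][0] > window:
            q.popleft()
        accounts = {u for _, u, _ in q}
        if len(accounts) < min_accounts:
            active = None  # burst is over; the next one opens a new alert
            continue
        if active is None:
            active = {"start": q[0][0], "accounts": 0, "sources": 0}
            alerts.append(active)
        active["end"] = ts
        active["accounts"] = max(active["accounts"], len(accounts))
        active["sources"] = max(active["sources"], len({s for _, _, s in q}))
    return alerts


if __name__ == "__main__":
    events = [parse_line(line) for line in build_sample_log()]
    print("locked accounts :", threshold_hits(events, 2))
    print("blocked sources :", threshold_hits(events, 3))
    for alert in cross_account_alerts(events):
        print("spray suspected :", alert)
```

On this sample the per-account and per-source thresholds catch only the legitimate user who mistyped, while the distinct-account count flags each spray round.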
Miller argues that the optimal defence<br />
against this kind of attack is simply not<br />
to use a password on the list. "Frequent<br />
password changes trigger our laziness,<br />
so 'password' becomes 'password1' and<br />
'password2'. Every password cracker is aware<br />
of these poor password practices. Replacing<br />
letters with numbers and symbols is also a<br />
predictable practice. For example, 3 for E, 4<br />
for A and @ for a. Password cracking tools<br />
prepare for these common variations.<br />
Attackers seek to learn basic information<br />
about password complexity, such as<br />
minimum and maximum password length,<br />
as well as password complexity. For example,<br />
does the password have upper-case and<br />
lower-case letters, numbers, symbols or a<br />
combination of these? Attackers are also<br />
interested in learning about restrictions on<br />
the passwords."<br />
PHISHING, VISHING, SMISHING<br />
Phishing is traditionally email-based, points<br />
out Darren James, senior product manager<br />
at Specops Software, an Outpost24<br />
company, but now also encompasses Vishing<br />
(socially engineering a person to surrender<br />
their login details via the phone or a video<br />
call) and Smishing (using SMS messages to<br />
dupe a user into going to a fake website). "The<br />
email phishing scams can be protected by<br />
using spam filtering software, but they are<br />
always playing catch-up to the cyber<br />
criminals. Vishing and Smishing are harder to<br />
protect against and basically come down to<br />
user awareness training. Your service desks<br />
are also prime targets for these new attacks,<br />
when bad actors pretend to be legitimate<br />
users by faking a password reset request.<br />
Adding a step to the process to verify<br />
users that are calling in, and also using a self-service<br />
password reset solution with flexible<br />
multifactor authentication, can massively<br />
help here," he says, offering his thoughts on<br />
how to ward off certain forms of attack:<br />
Man-in-the-Middle Attacks are often used<br />
where there is a high demand for public Wi-Fi,<br />
as these systems steal credentials as they<br />
are on their way to the webserver. The best<br />
way to thwart these is by user training - tell<br />
them not to trust public Wi-Fi, and also to<br />
implement an Always On VPN (at least for<br />
business traffic) and block access to<br />
corporate resources from unmanaged<br />
devices.<br />
Brute Force is a very common attack vector,<br />
especially as so many users follow a<br />
standard format when choosing a password.<br />
"Users have been brainwashed into poor<br />
password habits - putting a capital letter at<br />
the beginning, lowercase characters in the<br />
middle, a number (or an exclamation mark)<br />
at the end of their passwords and finally<br />
using the minimum acceptable length for the<br />
password. Threat Actors know this and, even<br />
using a basic gaming computer today, can<br />
attack a leaked password hash database at<br />
millions of guesses per second using a mask<br />
that mimics that 'common behaviour'. The<br />
best way to combat these types of attacks is<br />
to change the user behaviour, by having<br />
better password policies - eg, ditch complex<br />
passwords and move to longer passphrases<br />
instead, such as three random words as<br />
recommended by the NCSC."<br />
Dictionary Attacks are a common attack<br />
vector, since threat actors take advantage of<br />
the fact that people reuse passwords across<br />
multiple work and personal accounts.<br />
"Most people have anywhere<br />
between 25-100 passwords to<br />
remember these days and this password<br />
fatigue leads people to reuse one or more of<br />
them. Implementing a password manager<br />
helps with this, but you tend to run into<br />
issues with users not trusting the password<br />
manager, so it's important for organisations<br />
to block known breached, weak passwords,<br />
as well as blocking words that relate to their<br />
business. When used alongside a strong<br />
password policy, you can mitigate these<br />
two major attack vectors very well; just make<br />
sure that the solution also includes detailed<br />
feedback to let the user know what they<br />
have done wrong, if they do try to choose<br />
a breached password."<br />
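Added example (not from the article, Specops or BeyondTrust) covering both the predictable variations Miller lists and the deny-list with user feedback that James recommends. The word lists, the 12-character minimum and all function names are assumptions; a real deployment would load a breached-password corpus in place of the constructed set.<br />

```python
import re

MIN_LENGTH = 12  # assumed policy value that favours passphrases over short "complex" passwords
# Constructed stand-in for a breached-password corpus.
BREACHED = frozenset({"password", "qwerty", "letmein", "summer", "welcome"})
BUSINESS_WORDS = ("acme", "widgets")  # hypothetical company-related terms
# Undo the symbol swaps cracking tools already expect: 3 for E, 4 for A, @ for a, and so on.
LEET = str.maketrans("0134@$57", "oleaasst")
# Capital first, lowercase middle, digits or "!" at the end.
COMMON_MASK = re.compile(r"[A-Z][a-z]+[0-9!]+")


def normalised_forms(candidate):
    """Return the base words a cracking tool would reduce this candidate to."""
    lowered = candidate.lower()
    # Drop trailing counters and punctuation such as "1", "2" or "2023!".
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    return {lowered.translate(LEET), stripped.translate(LEET)}


def check_password(candidate):
    """Return a list of (code, feedback) tuples; an empty list means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append((
            "too_short",
            f"Use at least {MIN_LENGTH} characters; three random words is an easy way to get there.",
        ))
    hits = sorted(normalised_forms(candidate) & BREACHED)
    if hits:
        problems.append((
            "breached_variant",
            f"This is a variation of the breached password '{hits[0]}'; "
            "added digits and symbol swaps do not make it safe.",
        ))
    full = candidate.lower().translate(LEET)
    words = [w for w in BUSINESS_WORDS if w in full]
    if words:
        problems.append((
            "business_word",
            "Avoid words tied to the organisation: " + ", ".join(words) + ".",
        ))
    if COMMON_MASK.fullmatch(candidate):
        problems.append((
            "common_mask",
            "Capital first, lowercase middle, digits or '!' last is a pattern attackers try early.",
        ))
    return problems


if __name__ == "__main__":
    for pw in ("Password1!", "P@ssw0rd2023", "Acme-Widgets-4ever", "velvet-harbour-pencil"):
        findings = check_password(pw)
        print(pw, "->", "accepted" if not findings else [code for code, _ in findings])
        for _, message in findings:
            print("   ", message)
```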
Keyloggers. These can come in software<br />
or hardware form and simply record all<br />
keystrokes entered into a computer.<br />
"Software Keyloggers are normally part of<br />
malware attacks that come from<br />
downloading copyrighted software or are<br />
installed, if systems are compromised… eg,<br />
a remote PC takeover scam attack. Hardware<br />
keyloggers physically plug into the PC/laptop<br />
where the keyboard is connected. For<br />
software-based keyloggers, having up-to-date<br />
antivirus, restrictions on who can install<br />
software and good endpoint management<br />
are vital. For physical keyloggers, you<br />
need secure premises and restrictions<br />
on what types of USB devices can be<br />
connected to your PCs."<br />
Darren James, Specops: bad actors often<br />
persuade a service desk they are legitimate<br />
users by faking a password reset request.<br />
webcam hacking<br />
EYE SPY - WHO'S WATCHING YOU?<br />
WEBCAM HACKING HAS BECOME<br />
A SERIOUS CONCERN IN RECENT<br />
YEARS, WITH ALL OF US<br />
POTENTIALLY AT RISK OF<br />
HAVING OUR PRIVACY INVADED<br />
BY CYBERCRIMINALS. BRIAN<br />
WALL REPORTS<br />
How many times did you have a<br />
webcam pointed at you today?<br />
That is the disquieting question<br />
raised by Norton. "The reality is that<br />
there's a camera focused on you every<br />
time you pick up your phone, work on<br />
a computer, or browse on a tablet," it<br />
says. "So, it's no surprise that webcam<br />
hacking has become a serious concern in<br />
recent years, with all of us potentially at<br />
risk of having our privacy invaded by<br />
cybercriminals. When the likes of Mark<br />
Zuckerberg and former FBI director James<br />
Comey cover their laptop camera with<br />
tape, it may be something you should<br />
consider."<br />
Along with poor password hygiene,<br />
a compromised camera can be one of<br />
the biggest risks to your online security.<br />
"Hackers can use your camera to spy on<br />
you in your most unguarded moments and<br />
use captured images or videos to blackmail<br />
you," adds Norton. "The malware used to<br />
take control of your camera can even give<br />
them access to other sensitive data on your<br />
device. Strangers could also be watching<br />
you on sites that livestream footage from<br />
unsecured webcams, so you don't necessarily<br />
have to have your webcam hacked to<br />
be at risk. If you have unsecured devices<br />
with cameras or independent webcams<br />
around your home, there's always a chance<br />
that prying eyes could be watching you."<br />
RAT IN THE PACK<br />
If you've ever had your work computer<br />
remotely accessed by an IT operative, you'll<br />
know how strange it is to see someone<br />
operating it from a distance. When hackers<br />
use a Remote Administration Tool (RAT) to<br />
take control of your computer, they're less<br />
likely to announce their presence.<br />
"It's easier than you think to download<br />
this type of Trojan horse malware, which<br />
can convert your connected camera into a spying<br />
device," points out Norton.<br />
"You may think you're<br />
downloading a legitimate update, but<br />
instead are inadvertently clicking on a<br />
malicious link. That can be all it takes to<br />
get infected. This type of malware can be<br />
easily deployed in an email or attachment,<br />
but it can also be uploaded on your device<br />
with a USB drive, if the hacker has access<br />
to your physical computer. Once this RAT<br />
malware infects your phone or computer,<br />
a hacker can use it to take control of your<br />
device and access your webcam remotely.<br />
This malware allows them to activate the<br />
camera, take pictures, record footage or<br />
listen to your conversations."<br />
Unfortunately, this type of Trojan virus<br />
can also give the hacker access to your<br />
messages, files, browsing history, images<br />
or other sensitive information. And, as<br />
these cases are so hard to detect, it may<br />
sometimes seem like it's not a major<br />
problem. However, some high-profile<br />
sextortion cases show how hackers can<br />
prey on their victims' fears for financial<br />
gain.<br />
"One of the most infamous webcam<br />
hacking cases involved Miss Teen USA<br />
2013, Cassidy Wolf, who was blackmailed by a<br />
former classmate who had hacked into her webcam.<br />
The 19-year-old perpetrator had hacked into the<br />
computers of at least two dozen women and then<br />
threatened to release naked pictures of his victims to social<br />
media, unless they were willing to pay a ransom. Webcam<br />
hacking can go entirely undetected for years, with<br />
hackers capable of accessing their victims' devices over long<br />
periods of time. In 2018, a man in Ohio<br />
was charged with spying on thousands of<br />
people through their devices' cameras over<br />
the course of 14 years."<br />
It's not just hackers that have access to<br />
this type of malware, adds Norton, with<br />
some forms of Trojan malware available for<br />
free on the dark web. "When criminals with<br />
limited computer skills can source RAT kits<br />
like NanoCore RAT at no expense, it's no<br />
surprise that this type of cybercrime is on<br />
the rise."<br />
Using a RAT may be one of the most<br />
common forms of webcam hacking, but<br />
it's not the only one. "Cybercriminals<br />
have also taken advantage of the rising<br />
popularity of Internet of Things (IoT)<br />
devices and the move to remote working<br />
during lockdown saw hackers target video<br />
conferencing software. The proliferation<br />
of Internet of Things [IoT] devices has<br />
increased their owners' risk, with everything<br />
from doorbells to home security<br />
systems now open to webcam hacking.<br />
The FBI has previously warned people<br />
buying smart TVs to put black tape over<br />
the television's camera to avoid being<br />
watched by bad actors."<br />
SPOTTING THE WARNING SIGNS<br />
The experts at Proxyrack have revealed their<br />
five warning signs of a hacked webcam<br />
and what to do, if you find yourself in this<br />
position:<br />
1 - Webcam Indicator Light<br />
If your webcam light is on when you aren't<br />
using the camera, this could be a sign that<br />
someone is accessing it externally. The light<br />
isn't always the indicator, as it can be<br />
turned off via settings, so check your<br />
settings to make sure the light is set to<br />
come on when the camera is in use.<br />
2 - Unfamiliar Programs<br />
If you notice unfamiliar programs on your<br />
desktop or in your files, this could be a<br />
sign that your webcam has been hacked<br />
and someone is externally installing<br />
software onto your device to access the<br />
camera.<br />
3 - Unusual Activity<br />
If your computer is working slower than<br />
usual or you are seeing unexpected pop-ups<br />
and documents in your files, this could<br />
be a sign of a hacked webcam. The hacker<br />
may also be sending and receiving data<br />
from your webcam, so check for any<br />
unexpected activity.<br />
4 - Battery Draining Faster Than Usual<br />
If your battery is draining unexpectedly<br />
fast, this could be a sign of external<br />
activity. Check your battery usage in your<br />
task manager to see which applications are<br />
consuming the most power - this can<br />
indicate whether your camera is being<br />
used unexpectedly.<br />
5 - Unrecognised Browser Extensions<br />
Hackers can use browser extensions to<br />
access your webcam; one indicator of this<br />
can be that, when opening your browser,<br />
your webcam light turns on. You should<br />
also check for any extensions that you haven't<br />
installed yourself, as this could be a sign that<br />
someone is gaining access to your computer<br />
externally.<br />
WARNING SIGNALS<br />
Evan Fitzroy, technical specialist at Proxyrack,<br />
has also shared the following advice, if you<br />
think that your webcam has been hacked:<br />
"As the tech industry continues to grow, the<br />
dangers increase, so knowing how to spot the<br />
warning signs of being hacked becomes more<br />
important. One feature of your device that can<br />
be slightly more difficult to identify when<br />
hacked is your camera or webcam.<br />
"One indication that your webcam has been<br />
hacked is the camera light," he cautions. "If this<br />
comes on when you start your computer or an<br />
application that wouldn't usually require the<br />
camera, this could be a sign that someone is<br />
externally accessing your webcam. However, it<br />
is important to note that the light can be set to<br />
not come on when the camera is in use so be<br />
sure to check your settings to ensure that it is<br />
set to come on so you know when it is in use."<br />
Hackers can also infiltrate your webcam via<br />
browser extensions, he warns, so it is vital to<br />
check these regularly to see if any appear that<br />
you did not download yourself and might<br />
have been installed by a hacker. "If you are<br />
worried that one of these extensions is<br />
responsible for a possible hacking, open each<br />
one until anything unexpected appears, such<br />
as the camera light or a pop-up. These could<br />
indicate that your camera is being hacked<br />
through that particular extension and you will<br />
want to uninstall it immediately."<br />
The most important thing to monitor is any<br />
unusual activity that has begun appearing on<br />
your computer: for example, new programs or<br />
documents appearing unexpectedly and also<br />
any persistent pop-ups or warnings that might<br />
indicate external use of your device.<br />
"To help reduce the risks of being hacked,<br />
installing a proxy can be a great option, as it<br />
can create a safety net between your system<br />
and the internet, making it harder for hackers<br />
to access your software. Anti-viral software<br />
is also a good option for protecting your<br />
computer and data from hackers and<br />
computer viruses," adds Fitzroy.<br />
PRYING EYES INSIDE YOUR DEVICE<br />
Cloudwards also offers a number of cautionary<br />
measures that should be taken to keep out<br />
prying eyes. "Malware is the primary vehicle<br />
of compromise that allows hackers to peer<br />
through the lens of your device, so the issue is<br />
fundamentally a matter of shoring up your<br />
device's security defences against malware<br />
threats, vulnerabilities, phishing emails and<br />
other common dangers of the web," it<br />
comments. "As always, your personal<br />
cybersecurity habits make up the first line of<br />
defence. A good starting place would be to<br />
avoid clicking links in suspicious emails, as<br />
webcam hackers commonly rely on phishing<br />
emails to infiltrate your system."<br />
Here are its own top tips for staying safe:<br />
1. Physically cover up the camera<br />
"The first thing you should do to prevent spying<br />
is to cover up the camera itself. There is no<br />
way to bypass a covering placed over the lens<br />
itself, no matter how sophisticated the hacker's<br />
malware might be. Placing a piece of electrical<br />
tape over the lens is an inexpensive solution<br />
commonly used to thwart webcam spies, but<br />
it could leave adhesive residue on the lens that<br />
could get in the way when you do want to use<br />
the webcam." It costs very little to get a plastic<br />
webcam cover that slides over your webcam<br />
while not in use, it adds.<br />
2. Don't trust the indicator light<br />
An LED light will turn on beside your webcam's<br />
lens whenever the video recording begins. If<br />
you didn't click 'record' and yet the light turns<br />
on anyway, someone may be watching you.<br />
However, don't get too comfortable, even if<br />
the light stays off when you stop recording.<br />
Webcam hackers are usually clever enough to<br />
turn the light off while capturing your private<br />
activities. If someone takes control of your<br />
webcam, then they will probably have just as<br />
much power over the webcam's ancillary<br />
functions as the camera itself, such as the<br />
indicator light and the audio recording.<br />
3. Beware your microphone<br />
Keep in mind that a webcam hacker could still<br />
record audio, even if they can't lay eyes on you.<br />
Preventing unauthorised audio recording is less<br />
straightforward than covering your webcam,<br />
so you will have to disable the microphone in<br />
your device's settings. If you use Windows 10,<br />
navigate to the Device Manager to locate and<br />
disable the webcam and microphone<br />
manually.<br />
4. Check your app permissions<br />
Sometimes the webcam's settings can be<br />
altered by apps and browser extensions that<br />
have permission to access the webcam, and<br />
may lead to the indicator light turning on<br />
when you're not recording. Most operating<br />
systems will let you deny all apps' permission<br />
to access your webcam. Be aware that some<br />
apps may not work after revoking permission.<br />
5. Install updates automatically and regularly<br />
Practising good cybersecurity habits is the first<br />
thing you need to do to secure your privacy.<br />
Automatically installing regular updates will<br />
keep your system fortified against the new<br />
vulnerabilities and malware threats that pop<br />
up every day.<br />
6. Install security software<br />
Regular system updates come hand in hand<br />
with installing reliable security software. There<br />
is plenty of security software available online<br />
for free, but free solutions usually can't keep<br />
up with threats emerging on a daily basis as<br />
well as a good subscription service.<br />
7. Use a VPN<br />
Ideally, it's better to prevent the security breach<br />
from happening in the first place. Keeping<br />
your internet connection private with a VPN<br />
is one way to prevent your internet service<br />
provider and malicious hackers from spying on<br />
everything you do.<br />
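Tips 2 and 4 above note that the indicator light cannot be relied on and that app permissions should be checked. This added example (not from the article or from Cloudwards) lists which apps last opened the camera and whether a session is still open, assuming a recent Windows 10 build that records per-app `LastUsedTimeStart` and `LastUsedTimeStop` values under the `ConsentStore\webcam` registry key; the sample entries and app names are constructed.

```python
import sys
from datetime import datetime, timedelta, timezone

# Per-user camera consent store on recent Windows 10/11 builds (assumption).
KEY = (r"Software\Microsoft\Windows\CurrentVersion"
       r"\CapabilityAccessManager\ConsentStore\webcam")
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
# Constructed sample entries (app, start, stop), not from a real machine.
SAMPLE = [
    ("Microsoft.WindowsCamera_8wekyb3d8bbwe", 133300000000000000, 133300000600000000),
    ("C:#Users#demo#AppData#Local#Temp#updater.exe", 133300900000000000, 0),
    ("Contoso.Notes_abc123", 0, 0),
]

def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601) to UTC datetime; 0 means unset."""
    return EPOCH + timedelta(microseconds=ft // 10) if ft else None

def audit(entries):
    """Return camera users, newest first; flag sessions that are still open."""
    rows = []
    for app, start, stop in entries:
        if start:  # skip apps that hold permission but never opened the camera
            rows.append({"app": app.replace("#", "\\"), "in_use": stop < start,
                         "start": filetime_to_dt(start), "stop": filetime_to_dt(stop)})
    return sorted(rows, key=lambda r: r["start"], reverse=True)

def read_consent_store():
    """Live read (Windows only): packaged apps, then desktop apps in NonPackaged."""
    import winreg
    out = []
    for sub in (KEY, KEY + r"\NonPackaged"):
        try:
            key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, sub)
        except OSError:
            continue
        for i in range(winreg.QueryInfoKey(key)[0]):
            name = winreg.EnumKey(key, i)
            try:
                with winreg.OpenKey(key, name) as app:
                    out.append((name, winreg.QueryValueEx(app, "LastUsedTimeStart")[0],
                                winreg.QueryValueEx(app, "LastUsedTimeStop")[0]))
            except OSError:
                pass  # e.g. the NonPackaged container, which has no timestamps
    return out

if __name__ == "__main__":
    for r in audit(read_consent_store() if sys.platform == "win32" else SAMPLE):
        print(f"{r['start']:%Y-%m-%d %H:%M}Z", "IN USE" if r["in_use"] else "closed", r["app"])
```

An entry whose stop time is older than its start time means the camera is open now, whatever the LED shows; an unfamiliar executable path in the list is a reason to revoke its permission and scan the machine.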