CS Mar-Apr 2024
Computing<br />
Security<br />
Secure systems, secure data, secure people, secure business<br />
CUTTING EDGE<br />
Can AI overcome all<br />
the doomsayers and<br />
be a force for good?<br />
NEWS<br />
OPINION<br />
INDUSTRY<br />
COMMENT<br />
CASE STUDIES<br />
PRODUCT REVIEWS<br />
SHAPING UP<br />
More insights on what may<br />
lie in wait for security during<br />
the rest of 2024<br />
EMBRACE YOUR ‘FOE’<br />
AI and humanity can<br />
partner up, but there<br />
will be a price to pay<br />
GETTING TO THE (END) POINT<br />
How to identify the<br />
system that’s right<br />
for your organisation<br />
Computing Security March/April 2024
comment<br />
GEARING UP TO THE TASK<br />
EDITOR: Brian Wall<br />
(brian.wall@btc.co.uk)<br />
LAYOUT/DESIGN: Ian Collis<br />
(ian.collis@btc.co.uk)<br />
SALES:<br />
Edward O’Connor<br />
(edward.oconnor@btc.co.uk)<br />
+ 44 (0)1689 616 000<br />
Daniella St Mart<br />
(daniella.stmart@btc.co.uk)<br />
+ 44 (0)1689 616 000<br />
Stuart Leigh<br />
(stuart.leigh@btc.co.uk)<br />
+ 44 (0)1689 616 000<br />
It's interesting to see that a new taskforce is being set up by a number of leading<br />
accounting and security organisations in the UK, as cybersecurity threats hit<br />
unprecedented levels.<br />
The idea is that businesses can be supported and helped in their efforts to effect a<br />
stronger security stance that serves to protect their corporate financial transactions. At<br />
the heart of this enterprise is the Institute of Chartered Accountants in England and<br />
Wales (ICAEW), operating in partnership with the National Cyber Security Centre<br />
(NCSC).<br />
It's a move that has been welcomed by Sylvain Cortes, VP Strategy, Hackuity. "It's<br />
reassuring to see the ICAEW working with the NCSC to establish a cyber taskforce and<br />
improve the security of their deals," he comments.<br />
"The attack surface of these corporations is enormous, so any guidance will be<br />
invaluable to companies striving to reduce their cyber risk," adds Cortes. "The finance<br />
sector has become a prime target for attackers globally, due to the huge amounts of PII<br />
and financial data they hold. Any type of breach, particularly in this sector, shatters both<br />
the victim organisation's reputation and customer trust. The more help and guidance<br />
for maximum defence, the better."<br />
Brian Wall<br />
Editor<br />
Computing Security<br />
brian.wall@btc.co.uk<br />
PUBLISHER: John Jageurs<br />
(john.jageurs@btc.co.uk)<br />
Published by Barrow & Thompkins<br />
Connexions Ltd (BTC)<br />
35 Station Square,<br />
Petts Wood, Kent, BR5 1LZ<br />
Tel: +44 (0)1689 616 000<br />
Fax: +44 (0)1689 82 66 22<br />
SUBSCRIPTIONS:<br />
UK: £35/year, £60/two years,<br />
£80/three years;<br />
Europe: £48/year, £85/two years,<br />
£127/three years<br />
R.O.W: £62/year, £115/two years,<br />
£168/three years<br />
Single copies can be bought for<br />
£8.50 (includes postage & packaging).<br />
Published 6 times a year.<br />
© 2024 Barrow & Thompkins<br />
Connexions Ltd. All rights reserved.<br />
No part of the magazine may be<br />
reproduced without prior consent,<br />
in writing, from the publisher.<br />
www.computingsecurity.co.uk March/April 2024 computing security<br />
@CSMagAndAwards
inside this issue<br />
CONTENTS<br />
COMMENT<br />
Gearing up to the task<br />
NEWS<br />
Legacy IT systems at critical risk level<br />
Data protection falling way short<br />
Action call to solve skills shortages<br />
ARTICLES<br />
GETTING YOUR ACT TOGETHER<br />
Core obligations of the upcoming Digital Operational Resilience Act explained<br />
AI: PARTNER, NOT PREDATOR?<br />
AI and humanity are partners, not adversaries, argues one observer, signalling a future where the technology empowers, rather than endangers, our species. This isn't to say that AI won't pose threats and safeguards will need to be put in place.<br />
REMOTE ACCESS SCAM PANDEMIC<br />
Cursor Insight's Tamas Zelczer discusses how biometric cybersecurity can help prevent fraud<br />
UNCERTAINTY THE ONLY CERTAINTY<br />
Part 2 of Computing Security's delve into how the 'darker forces' of cyber security might impact the industry in the months ahead: at minimum, the volume and sophistication of attacks will continue to rise, it is predicted, as GenAI gets smarter and bad actors learn how to wield its power.<br />
INFOSEC EUROPE 2024 BECKONS<br />
Showtime is approaching, with three days of learning, discovery and insights lined up<br />
DATA STATS ARE 'WAKE-UP CALL'<br />
Emails soar from just over 2 million sent per minute in 2013 to hit 241 million a minute 10 years later<br />
RANSOMWARE ATTACKS ROCKET<br />
Sophisticated attack methods surface, with healthcare a prominent target<br />
GONE NUCLEAR<br />
The number of formal reports that serve to document security issues at the UK's civil nuclear facilities has hit its highest level in at least 12 years, amidst a decline in inspections, according to The Guardian newspaper.<br />
TIME TO SAY 'PASS' TO PASSWORDS?<br />
With Google moving towards a passwordless future, others may follow<br />
GETTING RIGHT TO THE (END)POINT<br />
Why endpoint protection is seen by many as a 'must have'<br />
PUT TO THE TEST<br />
With penetration testing used to identify the level of technical risk emanating from software and hardware vulnerabilities, might this be something that every organisation should be implementing?<br />
BOOK REVIEW<br />
AI - WEAPON OF WAR?<br />
A new book tackles the implications for this controversial technology head on<br />
news<br />
TORSION ANNOUNCES FILING OF PATENT-PENDING TECHNOLOGY<br />
Solution 'automatically controls' access to digital resources<br />
Torsion has had its patent application filed at the United<br />
States Patent and Trademark Office for the core technology<br />
underlying its data access security solution. The technology<br />
provides a layer of intelligent automation of 'who has access<br />
to what' within cloud-based collaboration systems, such as<br />
Microsoft 365. It automatically controls access to digital<br />
resources, based on understanding the business reasons why<br />
a person needs access and their ever-changing professional<br />
circumstances.<br />
"Torsion's patent-pending technology is a breakthrough for<br />
businesses wanting to automate the process of understanding<br />
and controlling who has access to what data, to keep data<br />
secure, and to prove that control under audit, to simplify<br />
compliance," states Peter Bradley, company CEO and founder.<br />
WIDENING THE 360 VISION<br />
Integrity360 continues international<br />
growth trajectory.<br />
Integrity360 is expanding its portfolio<br />
of Microsoft security services. The rollout<br />
is scheduled to embrace the UK,<br />
Ireland, Bulgaria, Italy, Spain and the<br />
Nordic region.<br />
As well as the expansion of services and<br />
associated tools and processes, the<br />
company states that it has invested in<br />
the training and development of many<br />
employees. It has also rolled out<br />
product and platform development<br />
and integration, as well as proprietary<br />
threat detection content for the<br />
Microsoft ecosystem and threat<br />
response playbook production.<br />
Integrity360's director of product<br />
management, Brian Martin - pictured<br />
above with Martina Naughton, global<br />
partner sales director, Microsoft Ireland<br />
- says that Integrity360's new partner<br />
designations "will help us fulfil our<br />
Microsoft services vision and cement<br />
our position in the security marketplace,<br />
while further growing our business".<br />
And Martin then goes on to say: "We<br />
expect great demand for Microsoft<br />
Threat Protection services, as it is an<br />
area in which many organisations lack<br />
the required skills and capabilities".<br />
STOLEN CREDENTIALS LIST HITS THE ONE BILLION MARK<br />
'Have I Been Pwned' confirms almost 71 million more<br />
seized email addresses<br />
'Have I Been Pwned' recently confirmed it had added almost<br />
71 million email addresses associated with stolen accounts in<br />
the Naz.API dataset to its data breach notification service.<br />
The dataset is home to a collection of one billion credentials<br />
compiled using credential-stuffing lists and data appropriated<br />
by information-stealing malware.<br />
Comments John Stringer, head of product, Next DLP: "A single<br />
credential can give threat actors access to multiple accounts<br />
when used for various logins. This situation highlights the<br />
urgent need for organisations to enhance their cybersecurity<br />
strategies. It's imperative to emphasise employee training and<br />
awareness programs to mitigate the risks of undetected,<br />
malicious activity in organisational devices."<br />
LEGACY IT SYSTEMS AT CRITICAL RISK LEVEL<br />
Dozens of systems vulnerable across public sector<br />
The Central Digital and Data Office IT Risk Assessment has<br />
found that over 43 legacy IT systems in the UK public sector are<br />
at a critical risk level. Mark Jow, technical evangelist EMEA at<br />
Gigamon, says the Central Digital and Data Office's recent data<br />
findings have highlighted the gap between where government<br />
cyber-resilience is now and where it needs to be. "Government<br />
CISOs are still contending with siloed systems, ranging from<br />
complex legacy platforms to new digital hybrid environments,<br />
struggling with scarce resources. These environments will remain<br />
the prime candidates for bad actors to exploit until these CISOs<br />
have the opportunity to get their house in order."<br />
Mark Jow, Gigamon.<br />
news<br />
Greg Wetmore,<br />
Entrust.<br />
TIME TO MIND YOUR PS AND QS?<br />
Entrust launches Post-Quantum Ready<br />
PKI-as-a-Service platform<br />
Entrust has recently announced the general<br />
availability of its Post-Quantum Ready PKI-as-a-Service<br />
(PKIaaS PQ) platform.<br />
With this launch, the company's cloud-based<br />
PKI-as-a-Service offering can now<br />
provide both composite and pure quantum-safe<br />
certificate authority hierarchies, it<br />
states, enabling customers to test or<br />
implement quantum-safe scenarios and<br />
infrastructure. This makes it "the first<br />
commercially available platform of its<br />
type", it further claims.<br />
"Although the quantum threat is up to<br />
a decade away, we know the transition<br />
to quantum-safe algorithms won't be just<br />
another crypto refresh cycle," says Greg<br />
Wetmore, vice president, Software<br />
Development at Entrust. "To prepare, we<br />
need to move today's public key cryptographic<br />
systems from their current state<br />
to new quantum-safe cryptographic<br />
algorithms.<br />
"This transition will be more complex than<br />
anything we've done in the past, and will<br />
touch just about every piece of digital<br />
infrastructure and data we rely on today.<br />
Organisations should be looking at their<br />
Post Quantum (PQ) migration strategy<br />
now, and implementing the tools and<br />
technology needed to test and migrate to<br />
quantum-safe security," he states.<br />
PROTECTING DATA FALLING WAY SHORT<br />
Companies and authorities still taking breach<br />
threats too lightly<br />
Companies need to stop treating regulations as a tick-box<br />
exercise and realise that the point of them is to<br />
protect data, warns AJ Thompson, CCO, Northdoor.<br />
"Equally, the ICO [Information Commissioner's Office]<br />
also needs to up its efforts in implementing 'proper'<br />
sanctions against those organisations that are failing<br />
customers and partners."<br />
The high-profile introduction of GDPR in 2018 was<br />
meant to prove that the authorities were taking the<br />
threat from cyber-criminals and the misuse of data<br />
seriously, Thompson further points out. "There were<br />
promises of major consequences for every business<br />
that failed to adhere to the regulation, but, as the years<br />
have gone by, we have seen that those organisations suffering data breaches have<br />
been, frankly, rapped on the knuckles, with no further consequences."<br />
RAPID ACTION NEEDED TO SOLVE CRIPPLING SKILLS SHORTAGES<br />
Traditional university education in cybersecurity is not sufficient<br />
New research in the UK and US reveals that over three-quarters (78%) of<br />
cybersecurity and IT professionals believe a traditional university education in<br />
cybersecurity is not doing enough to prepare graduates for the modern workforce.<br />
Meanwhile, nearly two-thirds (64%) of cyber industry professionals say current<br />
recruitment processes inadequately assess candidates' practical skills.<br />
This is according to a study called 'Securing the future of cybersecurity: From<br />
classroom to every career stage' from Hack The Box, a leading cybersecurity<br />
upskilling, certification and talent assessment platform.<br />
The research highlights what it says is a gap between the essential practical skills<br />
required to combat modern cyber-criminals in the workplace and the expertise<br />
cultivated within university education.<br />
An overwhelming 90% emphasise the need for cybersecurity and computer science<br />
graduates to be prepared with hands-on, practical experience before their first role.<br />
LOGPOINT AND SECURVALUE PARTNER UP TO SHARE THEIR EXPERTISE<br />
Alliance aims to help customers detect and respond to cyber threats.<br />
Armed with Logpoint's modern SIEM+SOAR solution, SecurValue can offer<br />
more robust threat detection and response, real-time data analysis, early detection<br />
of data breaches and easy implementation of compliance requirements, it is<br />
claimed. "We're happy to partner with SecurValue to help organisations strengthen<br />
security posture and cyber resilience. They share our vision for conducting long-term<br />
business in Southern Europe," says Christian Pijoulat, regional director SEMEA at<br />
Logpoint. "SecurValue has a tailored approach to their customers, based on skilled<br />
cybersecurity professionals and trusted technologies, and we're proud that<br />
Logpoint's solution is now a part of that."<br />
book review<br />
AI - WEAPON OF WAR?<br />
AI HAS BECOME A VAST TOPIC OF DEBATE: WILL IT HELP US THRIVE OR PROVE OUR NEMESIS?<br />
A NEW BOOK TACKLES THE IMPLICATIONS FOR THIS CONTROVERSIAL TECHNOLOGY HEAD ON<br />
When your subject matter is artificial<br />
intelligence - and your mission is<br />
to confront how this controversial<br />
technology has already been armed and<br />
equipped for malicious and adversarial<br />
purposes, and will be even more so in the<br />
days ahead - you know you are likely to<br />
have an audience out there that will sit up<br />
and take notice.<br />
With his book, 'The Language of Deception:<br />
Weaponizing Next Generation AI', author<br />
Justin Hutchens will undoubtedly secure such<br />
a reaction, not just because AI has arguably<br />
become the most talked about topic on the<br />
planet - yes, even more so than Taylor Swift -<br />
but because the artificial intelligence and<br />
cybersecurity veteran guides the reader<br />
expertly along the path that has spawned<br />
this technology.<br />
In his hands, there is an inevitability about<br />
all of this. We are at the crossroads we have<br />
reached, Hutchens argues, because of our<br />
past, a history he revisits with admirable<br />
exactitude and in fine detail: from artificial<br />
social intelligence to psychological exploitation;<br />
from consciousness, sentience and<br />
understanding to weaponising technical<br />
intelligence; his wide-ranging powers of<br />
observation and analysis are fully brought<br />
to bear.<br />
There is a grim irony in the fact that, with AI<br />
now commanding masses of column inches<br />
and often apocalyptic headlines in the media<br />
every day, and with every politician, entrepreneur<br />
and 'expert' seemingly having an opinion<br />
about the technology and the dark places it<br />
may take us, Hutchens recalls a time - way<br />
back in June 2022 - when he presented<br />
research at the world's largest annual hacking<br />
convention, DEF CON, which itself enjoyed a<br />
massive turnout. Not so the AI Village where<br />
he was speaking. Only a small group of<br />
doughty enthusiasts showed up. As he recalls<br />
in his book, "most people were not paying<br />
attention" - well, they certainly are now.<br />
As Hutchens states, AI "is already poised to<br />
transform every part of our lives. The world is<br />
going to radically change in the coming years,<br />
and emerging AI technology is going to be<br />
at the center of it all. It is critical that people<br />
understand the risks that come along with<br />
these new capabilities, and how we can<br />
safeguard ourselves against those risks".<br />
Certainly, there is much to cause alarm in<br />
what he imparts, but equally the book is a call<br />
to action. "Unfortunately, there is no turning<br />
back the sands of time, and there is no way<br />
to universally unlearn this knowledge that<br />
we now collectively possess. We are going to<br />
have to find a way to live with this technology.<br />
We are going to need to identify ways to<br />
come together, establish global partnerships,<br />
and address these problems on a unified<br />
front. The consequences of next generation<br />
AI will inevitably impact far more than one<br />
culture or organization. If there has ever been<br />
a time for the many factions of humanity to<br />
set aside their differences and act on behalf<br />
of the common good, that time is now."<br />
ALL THE ESSENTIALS...<br />
'The Language of Deception: Weaponizing Next Generation AI'<br />
Author: Justin Hutchens (ISBN: 9781394222544)<br />
Published January 2024 by Wiley<br />
Paperback and ebook, priced £26.99<br />
legal focus<br />
GETTING YOUR ACT TOGETHER!<br />
EDWARD MACHIN, OF ROPES & GRAY, SETS OUT THE CORE OBLIGATIONS<br />
OF THE UPCOMING DIGITAL OPERATIONAL RESILIENCE ACT<br />
The EU Digital Operational Resilience Act<br />
(DORA), which comes into effect in<br />
January next year, is designed to strengthen<br />
IT security in the financial sector. It sets<br />
requirements for the security of network and<br />
information systems, and applies to financial<br />
institutions and their third-party providers.<br />
"In practice, this means harmonising and<br />
strengthening existing obligations around ICT<br />
governance, risk management and incident<br />
reporting - with responsibility for compliance<br />
going to the board level," says Edward Machin,<br />
a counsel in the Ropes & Gray data, privacy &<br />
cybersecurity team.<br />
DORA applies to a wide range of financial<br />
and financial-adjacent institutions and entities,<br />
he adds. "Although most of these organisations<br />
are already subject to some form of<br />
cybersecurity regulation in the EU, DORA<br />
significantly expands the scope of these laws<br />
and will apply to most of an in-scope entity's<br />
business activities in the EU - including on<br />
an extra-territorial basis."<br />
DORA has four core obligations:<br />
1. Governance and controls. "Management<br />
must approve and oversee the implementation<br />
of an IT risk management compliance<br />
programme that aligns with and reflects<br />
the entity's risk profile and tolerance," states<br />
Machin. "In other words, the board must<br />
maintain an active role in understanding and<br />
directing the company's approach to ICT risk -<br />
including through regular training to keep<br />
their knowledge up to date. Given the speed<br />
at which the cybersecurity world is developing,<br />
this won't always be an easy task."<br />
2. ICT risk management. "In-scope entities<br />
must have in place an appropriate and documented<br />
IT risk management framework that<br />
helps them address risks quickly and comprehensively.<br />
As a minimum it will include (i)<br />
implementing policies, procedures and tools,<br />
including reporting lines, and (ii) adopting<br />
robust security systems and advanced resilience<br />
testing at least once every three years.<br />
Helpfully, these measures can be applied on a<br />
proportionate and risk-based basis… However,<br />
DORA takes a prescriptive approach to certain<br />
of its obligations, such as making in-scope<br />
entities (i) conduct business impact analyses of<br />
their exposure to severe business disruptions,<br />
and (ii) establish a crisis management function<br />
for handling internal and external<br />
communications."<br />
3. Incident reporting. "In-scope entities must<br />
have processes in place to identify, manage<br />
and notify ICT security incidents." Reporting<br />
timelines are among the most involved in<br />
the EU, including initial and secondary notifications<br />
and a final report to competent<br />
authorities, he points out.<br />
4. Third parties. In-scope entities must ensure<br />
that their (new and existing) contractual<br />
arrangements with third-party ICT service<br />
providers meet the prescriptive requirements<br />
set out in DORA. These requirements are<br />
similar to the EBA's guidelines on outsourcing<br />
arrangements; the GDPR mandatory provisions<br />
will also be required if the services<br />
involve personal data (which is likely…).<br />
"Although the requirements are different,"<br />
says Machin, "you should leverage your GDPR<br />
compliance programme - and the experience<br />
gained through putting that in place - to<br />
inform your DORA strategy. Given the impact<br />
that DORA will have on in-scope entities, it<br />
should be treated as seriously as the GDPR."<br />
For the full text of Edward Machin's blog on<br />
DORA and its likely significance, see here.<br />
Edward Machin, Ropes & Gray.<br />
artificial intelligence<br />
THE WORDS 'GRIM' AND 'REAPER' ARE ALREADY BEING TOUTED AS APT DESCRIPTIONS FOR AI.<br />
WE TURN TO CONSULTANCY AND IMPLEMENTATION AGENCY WEAREBRAIN FOR ITS TAKE ON<br />
THE LIKELY FUTURE OF THIS CONTROVERSIAL TECHNOLOGY<br />
IS AI ALREADY BEYOND CONTROL?<br />
There is no denying that AI has<br />
"revolutionised every major industry on<br />
the planet, transforming the way we<br />
live and work", as WeAreBrain states on its<br />
website. Indeed, AI is continually pushing<br />
the boundaries of conventional thinking.<br />
"However, as it becomes more powerful and<br />
autonomous, there is a growing concern<br />
regarding AI control and the potential risks it<br />
poses to humanity," states the consultancy<br />
and implementation agency. "So, are we<br />
really 'summoning the demon', as Elon Musk<br />
eerily predicted? Or should we all just keep<br />
scrolling and let the algorithms do their<br />
thing?"<br />
Here is our comprehensive coverage<br />
on what WeAreBrain has to say:<br />
As artificial intelligence (AI) continues to be<br />
the lifeblood of innovation in our digital<br />
society, global spending is expected to surge<br />
by 120% and hit $110 billion by 2024. This<br />
surge in investment and adoption is largely<br />
a result of the recent GenAI boom, where<br />
everyday netizens are given access to<br />
amazing AI-powered tools designed to push<br />
the boundaries of content creation and<br />
creativity.<br />
With a few simple prompts, anyone can<br />
now write engaging copy, code a website<br />
or application, make music, design art and<br />
images, make videos and create original<br />
content. The possibilities for innovation,<br />
collaboration and creation are seemingly<br />
endless. Let's take a look at the leading AI<br />
trends to supercharge your business in 2024.<br />
LOW-CODE AND NO-CODE AI<br />
By 2024, over 65% of application development<br />
activity is expected to be driven by low-code<br />
application development. Similar to<br />
low-code/no-code development for websites<br />
or applications, low-code and no-code AI<br />
systems allow users to drag and drop their<br />
way to create smart programs and systems.<br />
By combining pre-built templates and<br />
modules, users simply need to feed the<br />
system with their own domain data to create<br />
a customised AI system tailored to their<br />
needs. This democratisation of AI and IT<br />
helps businesses create AI systems quickly<br />
and affordably, with a faster time to market<br />
and little risk/ROI ratio.<br />
THE PAUSE OF CREATIVE AI<br />
Although AI has been able to produce<br />
creative content like music, art and literature<br />
for a few years now, it has recently levelled<br />
up its ability to mimic human creativity and<br />
expression through art. With Chat-GPT and<br />
GenAI propelling content creation into the<br />
stratosphere in recent times, 2024 might see<br />
a pause.<br />
GenAI faces a sobering reality check, as<br />
the actual costs, risks and complexities<br />
overshadow the hype of 2023. The immense<br />
enthusiasm surrounding generative AI might<br />
have been overstated and significant hurdles<br />
must be overcome to successfully bring it to<br />
market. Added to this, there is a growing<br />
anti-AI movement raising concerns about<br />
the technology's pervasive implementation<br />
that is raising societal and ethical questions.<br />
CHATBOTS AND LLM MODELS<br />
As ChatGPT-5 approaches, we anticipate<br />
swift advancements in AI-driven chatbots.<br />
There is a surge of software companies<br />
actively developing their own Large Language<br />
Model (LLM), with the aim of enabling<br />
computers to emulate human language and<br />
provide solutions to queries in a more<br />
'human-like' manner. For example, Google's<br />
Bard is another popular and free-to-use AI<br />
chatbot relying on Google's search engine<br />
data. Also, Microsoft's Bing Chat is free to use<br />
and relies on the latest GPT 4 model. Be on<br />
the lookout for the launch of Grok, X's (ex-<br />
Twitter) latest AI product set to release in<br />
2024.<br />
Moreover, with Meta's beta release of a new<br />
AI experience integrated into their suite of<br />
apps (WhatsApp, Instagram and Facebook),<br />
users can engage in conversations with AI<br />
versions of celebrities like Snoop Dogg and<br />
Kendall Jenner.<br />
DEMAND FOR AI SPECIALISTS<br />
As AI continues to impact various industries,<br />
the need for skilled professionals who can<br />
develop, maintain and advance AI technologies<br />
becomes increasingly evident. Prompt<br />
engineers and technicians play a vital role in<br />
getting the algorithms to do what they are<br />
required to do, ensuring their functionality<br />
and efficiency. It takes skill to be able to<br />
specify what you precisely require of AI tools<br />
to enjoy the far-reaching benefits of this<br />
technology. Trainers contribute by refining<br />
AI models and teaching them to recognise<br />
patterns or respond to specific inputs.<br />
Additionally, ethicists play a crucial role in<br />
navigating the ethical considerations associated<br />
with AI development and deployment,<br />
ensuring that these technologies align with<br />
societal values and standards.<br />
VOICE- AND LANGUAGE-<br />
DRIVEN INTELLIGENCE<br />
The voice and speech recognition market is<br />
expected to hit $49.7 billion by 2029. The<br />
remote working revolution created a surge<br />
in smart speaker usage in homes and voice<br />
solutions aimed at improving business<br />
processes (ie, voice in meetings and voice<br />
for business intelligence) will take centre<br />
stage in 2023.<br />
Voice assistants will increasingly be tailored<br />
to specific business challenges and integrated<br />
with internal systems, such as CRM and<br />
business processes.<br />
AI ETHICS AND LEGISLATION<br />
As private companies power AI's advancements,<br />
the lack of governmental oversight<br />
has pushed the debate over the ethics of<br />
responsible AI to the fore. In 2024, we will<br />
likely see continued initiatives from global AI<br />
partnerships on how to leverage AI to battle<br />
against major global issues, such as climate<br />
change, and inclusion and diversity.<br />
Ethics will continue to play a major part in<br />
the stimulation of innovation and economic<br />
growth as more organisations realise the<br />
need for responsible tech. Fairness of<br />
algorithms and data transparency are issues<br />
that will need to be addressed this year as<br />
AI adoption is more widespread than ever.<br />
In 2024, we will continue to see the<br />
evolution of AI regulation and legislation<br />
across the globe. From China's recent laws<br />
regarding non-consensual deepfakes and<br />
the UK's explosive proposed bill in 2024 to<br />
the EU's proactive steps towards settling on<br />
an AI act by 2025, it seems that governing<br />
bodies aim to make 2024 a year to get<br />
a handle on AI regulation.<br />
GENERATIVE VIDEO TO<br />
SET THE SCENE IN 2024<br />
While the hype around GenAI might drop in<br />
the coming months, the reality is that this<br />
technology will continue to usher in a new<br />
era of content generation and creativity. The<br />
use of generative videos by content creators,<br />
businesses and the general public will become<br />
more evident - simply because it has never<br />
been easier to create videos.<br />
With generative video tools such as<br />
Runway's Gen-2, Zeroscope, Midjourney<br />
and others, anyone will be able to produce<br />
professional-looking video content for a<br />
fraction of the price in 2024.<br />
Adobe Firefly's new video editing feature,<br />
generative fill, allows you to generate pretty<br />
much anything from nothing, from turning<br />
a frown into a smile to changing the item<br />
someone is holding. The capabilities of<br />
video generation software will continue to<br />
amaze us in 2024.<br />
AI-POWERED CYBERSECURITY<br />
As AI technology evolves, so do the tools<br />
cybercriminals use to conduct nefarious<br />
activity, leading businesses to level up their<br />
cybersecurity game. In a world where data<br />
is more valuable than oil and compliance is<br />
the gateway to digital growth and customer<br />
trust, 2024 will be the year where AI-powered<br />
cybersecurity will be tested the<br />
most. Unfortunately, cybercriminals are using<br />
AI technology to bypass conventional IT<br />
security systems to infiltrate systems housing<br />
sensitive company and personal data.<br />
But AI also helps in the fight against cyber<br />
threats and this year we predict more<br />
organisations placing more money into<br />
securing their data through the use of<br />
sophisticated cybersecurity technologies.<br />
artificial intelligence<br />
WHY AI DOESN’T HAVE TO BE THE ENEMY<br />
AI AND HUMANITY ARE PARTNERS, NOT ADVERSARIES, ARGUES ONE OBSERVER. RECOGNISING<br />
THIS CAN BRING A FUTURE WHERE AI EMPOWERS, RATHER THAN ENDANGERS, OUR SPECIES<br />
The question of whether AI has slipped<br />
from our grasp, careening towards an<br />
apocalyptic singularity, ignites a primal<br />
fear within us, points out LiveAction founder<br />
John Smith. "While Hollywood depictions<br />
of sentient robots wreaking havoc paint<br />
a chilling picture, the reality, for now, is far<br />
less dramatic," he suggests. "True, we haven't<br />
achieved the mythical 'general intelligence' in<br />
AI. Today's systems, despite their impressive<br />
feats, remain confined to narrow tasks and<br />
often stumble with issues like accuracy,<br />
bias and even hallucinatory outputs. It's like<br />
handing a toddler a paintbrush: the results,<br />
while undeniably creative, can be messy and<br />
unpredictable."<br />
However, dismissing AI as harmless would<br />
be a dangerous oversight, warns Smith.<br />
Despite its limitations, it's already deeply<br />
woven into our lives, powering algorithms<br />
that influence news feeds, filter financial<br />
transactions and even diagnose diseases. This<br />
raises a crucial question: who holds the reins?<br />
"Thankfully, the answer isn't some renegade<br />
Skynet. Companies and governments, for<br />
all their flaws, are still the ones pulling the<br />
strings. AI regulations, though nascent,<br />
are evolving, striving to ensure ethical<br />
deployment and safeguard against misuse.<br />
This isn't foolproof, but it's a vital line of<br />
defence."<br />
Perhaps a more pressing concern lies not<br />
in AI itself, but in the hands wielding it.<br />
"Malicious actors, armed with AI tools, pose<br />
a genuine threat. But let's not forget the<br />
destructive track record of our own species.<br />
Wars, social divisions, environmental devastation<br />
- humanity, armed with primitive tools,<br />
has already inflicted immense harm on itself<br />
and the planet. This begs a critical question:<br />
are we projecting our own flaws onto AI,<br />
fearing the monster we ourselves created?<br />
The truth is, AI isn't some external bogeyman.<br />
It's a reflection of ourselves, a tool shaped by<br />
our values and intentions."<br />
Instead of succumbing to dystopian<br />
fantasies, he advises, perhaps we should turn<br />
the lens inward. "If we truly fear AI becoming<br />
'out of control', then perhaps the question we<br />
should be asking isn't 'can we control it?' but<br />
'can we control ourselves?' Ultimately, AI can<br />
be a powerful force for good or ill. The choice<br />
lies not in some hypothetical singularity, but<br />
in the present decisions we make, the values<br />
we instil in both our technology and ourselves.<br />
It's time to move beyond the 'AI vs. humanity'<br />
narrative and recognise that, in this technological<br />
dance, we’re partners, not adversaries.<br />
Only then can we truly orchestrate a future<br />
where AI empowers, rather than endangers,<br />
our species."<br />
FEAR OF EXPOSURE<br />
As technology advances at an accelerated<br />
rate, many organisations - particularly those<br />
handling sensitive data or under public or<br />
regulatory scrutiny - may feel a heightened<br />
sense of exposure with the advancement<br />
of AI, concurs Keiron Holyome, VP UKI<br />
& Emerging Markets, BlackBerry.<br />
"These concerns are valid. Our latest research<br />
identified a 50% uptick in targeted cyberattacks<br />
against national infrastructure. We<br />
also saw a 70% increase in new malware<br />
identified. These indicators suggest that<br />
adversarial entities are taking advantage of<br />
technological innovation - including AI -<br />
against critical industries and organisations.<br />
"Although it's difficult to tell if a hack has<br />
come from a human or AI source, we'd be<br />
naïve to deny that malicious actors are<br />
employing AI in increasing efforts to broaden<br />
their scope, increase effectiveness and amplify<br />
the frequency of attacks to circumvent defensive<br />
measures. For instance, threat actors can<br />
abuse ChatGPT and other Large-Language<br />
Models (LLMs) to generate potentially<br />
malicious code or to create more authentic<br />
and persuasive phishing content."<br />
AI HAS ITS SAY<br />
So, what might AI itself have to say about all<br />
this? Well, here follow some thoughts along<br />
that very line, partially rendered by AI and<br />
partly by human input, namely Gareth Owen,<br />
director, Redkey USB:<br />
"The rapid advancement of artificial<br />
intelligence (AI) has brought us to a critical<br />
juncture in its evolution. AI's profound impact<br />
on industries and our daily lives raises a vital<br />
question: Is AI already beyond control? As we<br />
integrate AI more deeply into our systems, the<br />
echoes of cautionary tales like those depicted<br />
in the film 'I, Robot' become increasingly<br />
relevant. This classic film foresaw the need<br />
for stringent rules to govern AI behaviour,<br />
famously encapsulated in its 'Three Laws of<br />
Robotics.'<br />
"Today, as AI evolves and becomes more<br />
autonomous, it's clear that the concerns and<br />
considerations portrayed in 'I, Robot' years<br />
ago are more than just science fiction; they<br />
are rapidly becoming our reality. The film's<br />
foresight underscores the urgency for the<br />
industry to implement similar foundational<br />
rules and ethical guidelines in AI development<br />
to safeguard our future.<br />
"In an intriguing plot twist, much like many<br />
other contemporary writings, this article was<br />
created with assistance from AI. And, in<br />
alignment with its insights, one must ponder<br />
the potential enhancements AI brings to<br />
human capabilities. Are we on the cusp of<br />
a new era of coexistence or are we approaching<br />
a risky precedent?<br />
"The 'black box' nature of AI makes its<br />
decision-making process often inscrutable,<br />
even to its creators. As AI systems grow in<br />
complexity, the chances of unintended biases<br />
and errors increase. This uncertainty raises<br />
crucial questions about responsibility and<br />
control in AI-driven decisions. Harnessing<br />
AI's power responsibly is imperative. We must<br />
not let AI run without oversight. The future<br />
of AI should be a collaborative journey,<br />
with humanity at the helm, guiding it with<br />
wisdom and foresight. Only time will tell if<br />
we are now already, in a sense, AI-enhanced.<br />
"As we reflect on AI's role in our lives and its<br />
creation of this article, we are reminded of<br />
the need for thoughtful, proactive measures<br />
in AI governance. Implementing robust,<br />
ethical frameworks akin to the 'Three Laws'<br />
envisioned in 'I, Robot' is no longer a futuristic<br />
concept, but a present-day necessity."<br />
That’s some collaboration, certainly. But<br />
does it leave you more reassured about the<br />
technology - or simply more queasy?<br />
HIGHLY TRAINED ASSAILANTS<br />
As of January 2024, the UK National Cyber<br />
Security Centre (NCSC) has warned that AI<br />
tools will increase the volume and impact of<br />
cyberattacks, including ransomware, in the<br />
next two years. It will allow unskilled threat<br />
actors to conduct more sophisticated attacks.<br />
Jovana Macakanja, intelligence analyst with<br />
Cyjax, points out that threat actors are already<br />
using AI tools based on ChatGPT, which itself<br />
has had a profound influence on modern<br />
society and is entering common parlance. "In<br />
mid-July 2023, the generative AI cybercrime<br />
tool WormGPT was advertised on underground<br />
forums as a tool for launching<br />
phishing and business email compromise<br />
(BEC) attacks," she says. "Allegedly trained<br />
on several undisclosed data sources<br />
concentrating on malware-related data, it<br />
can produce phishing emails which are<br />
persuasive and sophisticated."<br />
People have always been sceptical of AI<br />
technology and its effect on humanity, she<br />
continues. "These fears often play out in<br />
popular fiction as evil robots taking over the<br />
world. While that eventuality is far-off at<br />
present, AI's continued maturation is resulting<br />
in people losing jobs, which could gravely<br />
impact the economy, and is making it difficult<br />
to discern between AI-generated and human-created<br />
content. Students use ChatGPT to<br />
write assignments, medical tools identify<br />
various disorders or cancers, with diagnostic<br />
capabilities rivalling those of specialists, and<br />
a popular publishing house has used AI to<br />
replace a range of editorial roles. AI also<br />
poses significant ethical implications, as it<br />
lacks real, logical human-thinking, and is<br />
susceptible to inaccuracies and biases from<br />
the data sources it has been fed."<br />
While the technology is still developing<br />
and may not yet be out of control itself,<br />
Macakanja accepts, the use of it by humans<br />
for nefarious ends is already uncontrollable.<br />
"Its future technological applications could<br />
easily spiral and get out of hand, as machine<br />
learning advances. Due to the rapid growth<br />
in AI capabilities, legislation surrounding the<br />
technology will quickly become outdated and<br />
need to be freshly examined."<br />
UNPREDICTABLE AI<br />
The baseline danger around AI springs from<br />
the fact that we cannot predict what it will<br />
do, says Aleksi Helakari, head of technical<br />
office, EMEA - Spirent. "Traditional tools and<br />
software were clearly defined and we could<br />
accurately predict outcomes. AI, however,<br />
learns and changes autonomously, and a<br />
great deal of speculation around the future of<br />
it is attempting to look into a black box<br />
and imagining what could emerge out of it.<br />
Getting to that future will be an iterative<br />
process and crucial to ensuring the best<br />
possible version of it is the careful development<br />
of these technologies.<br />
Continuous testing and validation will be<br />
crucial to evaluate how these nascent<br />
technologies learn and change and most<br />
importantly, that they stay within the<br />
boundaries that we set for it."<br />
He accepts that this will be a very difficult<br />
and complicated task to achieve, one that<br />
contains multiple layers of complexity. "That<br />
process of testing and validating AIs will start<br />
with the data that those AIs train on. These<br />
huge datasets will need to be finely evaluated<br />
and validated for accuracy. In turn, that will<br />
require some measure of automation, due<br />
to the sheer size of these datasets."<br />
From that point, the AI can start to be<br />
tested with some kind of deterministic<br />
prompts to know what kind of responses<br />
to expect, Helakari states. "On top of that,<br />
testers will need to throw some unexpected<br />
curve balls - which sit outside the scope of<br />
the training data - to see how the AI<br />
responds. That's just the beginning. The<br />
peculiarities of AI mean that it can have a<br />
different response to the same input every<br />
time it's presented. Continual testing will<br />
help anticipate those continual changes and<br />
ensure the AI is staying within the bounds<br />
that have been set for it."<br />
The test parameters will also need to<br />
constantly change to validate how the AI<br />
learns and evolves, he adds. "If you test your<br />
AI on one day with one dataset, you will need<br />
to test it with a similar data set on other days<br />
to track the changes that have been made.<br />
"This is critical for establishing whether<br />
biases have developed within the AI and<br />
especially important when the AI has been<br />
deployed, and it's integrating data from<br />
sources outside of its original training data."<br />
This isn't to say that AI won't pose threats,<br />
and safeguards will need to be in place to<br />
protect against this kind of outcome, he<br />
emphasises. "That means keeping thinking<br />
about how we can stop AI code from leaking<br />
or getting into the grips of malicious parties<br />
and developing triggers, kill switches and<br />
failsafes, which can alert us to these situations<br />
and shut down malicious use, if need be."<br />
CYBERCRIME ALREADY FLOURISHING<br />
For Dr Ilia Kolochenko, CEO and chief architect at ImmuniWeb<br />
and adjunct professor of cybersecurity and cyber law at<br />
Capital Technology University (pictured right), the impact of<br />
generative AI on cybercrime growth seems overestimated.<br />
"First, most cybercrime groups have been successfully using<br />
various forms of AI for years, including pre-LLM forms of<br />
generative AI, and the introduction of LLMs will unlikely<br />
revolutionise their operations.<br />
"Secondly, while LLMs can help with a variety of simple tasks, such as writing<br />
attractive phishing emails or even generating primitive malware, they cannot do all<br />
the foundational tasks, such as deploying abuse-resistant infrastructure to host<br />
C&C servers or laundering the money received from the victims.<br />
"Thirdly, the ransomware 'business' already works very well; it is a mature, highly<br />
efficient and effective industry with its own players, economy, laws and hierarchy."<br />
2024 predictions<br />
UNCERTAINTY THE ONLY CERTAINTY<br />
PART 2 OF COMPUTING SECURITY'S DELVE INTO HOW THE 'DARKER FORCES'<br />
OF CYBER SECURITY MIGHT IMPACT THE INDUSTRY IN THE MONTHS AHEAD<br />
With 2024 well underway, how it is<br />
likely to pan out for the security<br />
industry is a matter of certainty,<br />
conjecture, opinion and guesswork. What is<br />
certain is that it won't be any easier a ride than<br />
previous years when it comes to warding off<br />
the hackers and attackers, the ransomware<br />
demands, the less appealing aspects of AI or<br />
the many other threats that have to be faced<br />
up to and resisted. With those caveats in mind,<br />
here are the thoughts on what lies ahead,<br />
delivered by several of those in the know.<br />
JEFF WILLIAMS, CTO AND CO-FOUNDER,<br />
CONTRAST SECURITY:<br />
"Now that many people are working from<br />
home, due to coronavirus, businesses up and<br />
down the land are facing unprecedented<br />
cybersecurity challenges. Unfortunately, one of<br />
those challenges is that hackers are already<br />
attempting to capitalise on the crisis by<br />
attacking with viruses of their own. In fact,<br />
thousands of COVID-19-related websites are<br />
being launched by<br />
cybercriminals.<br />
"As organisations and workers navigate this<br />
new work-from-home world and the threats<br />
that come with it, the World Economic Forum<br />
has provided a checklist of ways that individual<br />
users and businesses can protect from cyberattacks<br />
during COVID-19 that are helpful:<br />
"Better understand threats to the organisation.<br />
Since more employees are working<br />
from home, security teams need to identify<br />
likely attack vectors and prioritise the protection<br />
of their most sensitive information<br />
and business-critical applications<br />
"Provide clear guidance and encourage<br />
communication. Companies need to<br />
ensure that security policies for workers<br />
are clear and easy to follow. This includes<br />
instructing employees to communicate<br />
with internal security teams about any<br />
suspicious activities<br />
"Ensure the right security capabilities.<br />
Organisations need to ensure that all<br />
corporate-owned or managed devices are<br />
equipped with the best security capabilities,<br />
extending the same network security best<br />
practices that exist within the enterprise<br />
to all remote environments."<br />
PHILIP BRIDGE, PRESIDENT, ONTRACK:<br />
"Changes in our work habits can cause us<br />
to make mistakes that we might not have<br />
ordinarily made. Remote working has added<br />
a huge number of endpoints to organisations<br />
that may not have been there previously.<br />
Systems that are now being used to connect<br />
to a company's infrastructure may not have<br />
been vetted or provided by the employer.<br />
These new endpoints may be lacking in the<br />
security controls that corporate machines<br />
would have.<br />
"Remote working also gives corporations less<br />
control over their employees - what they are<br />
doing and when. More distractions at home<br />
can lead to increased engagement in risky<br />
behaviour such as clicking on links they<br />
wouldn't usually click on if they were in the<br />
office.<br />
"We have to remember that cybersecurity is<br />
mostly a human issue; the employee<br />
controlling the computer will always be the<br />
weakest point of any system. For example,<br />
ransomware through a phishing email only<br />
has legs if an employee clicks on the link in<br />
the email. Employees need to be extra vigilant<br />
when remote working to ensure they are<br />
keeping optimal security practices."<br />
COREY NACHREINER, CHIEF SECURITY<br />
OFFICER, WATCHGUARD TECHNOLOGIES<br />
"The most prominent attacks and information<br />
security trends the WatchGuard Threat Lab<br />
believes will emerge in 2024 include: malicious<br />
prompt engineering tricks targeting large<br />
language models (LLMs); managed service<br />
providers (MSPs) doubling down on unified<br />
security platforms with heavy automation;<br />
'Vishers' scaling their malicious operations with<br />
AI-based voice chatbots; and hacks on modern<br />
VR/MR headsets… to name a few.<br />
"Every new technology trend opens up new<br />
attack vectors for cybercriminals. In 2024,<br />
we believe that emerging threats targeting<br />
companies and individuals will be even more<br />
intense, complicated and difficult to manage.<br />
With an ongoing cybersecurity skills shortage,<br />
the need for MSPs [managed service<br />
providers], unified security, and automated<br />
platforms to bolster cybersecurity and protect<br />
organisations from the ever-evolving threat<br />
landscape has never been greater.<br />
"While people are experimenting with LLMs<br />
to increase operational efficiency, threat actors<br />
are learning how to maliciously exploit LLMs,"<br />
states Nachreiner. "Using techniques like<br />
prompt injection or prompt extraction, threat<br />
actors can sometimes bypass an LLM's<br />
designer-imposed limits and access data they<br />
shouldn't. During 2024, WatchGuard Threat<br />
Lab predicts that a smart prompt engineer,<br />
whether a criminal attacker or researcher, will<br />
crack the code and manipulate an LLM into<br />
leaking private data.<br />
"With around 3.4 million open cybersecurity<br />
jobs and fierce competition for available talent,<br />
more SMEs will turn to trusted managed<br />
service and security service providers (MSPs<br />
and MSSPs) to protect them in 2024. To<br />
accommodate growing demand and scarce<br />
staffing resources, MSPs and MSSPs will<br />
double down on unified security platforms<br />
with heavy automation, using artificial<br />
intelligence and machine learning.<br />
"Cybercriminals can buy dark web tools to<br />
send spam email, automatically craft convincing<br />
texts and scrape the Internet for a target's<br />
information, but a lot of these tasks are still<br />
manual and require attackers to target one<br />
user at a time. Well-formatted tasks like these<br />
are perfect for AI automation - making it likely<br />
that AI-powered tools will emerge as 2024's<br />
dark web best sellers.<br />
"Finally, while QR codes have been around for<br />
decades, we expect a major headline-stealing<br />
hack in 2024, caused by an employee following<br />
a QR code to a malicious destination."<br />
DAVID MAHDI, CHIEF IDENTITY OFFICER,<br />
TRANSMIT SECURITY<br />
"Generative AI is enabling fraudsters to create<br />
more deceptive phishing campaigns,<br />
deepfakes and cyberthreats that evade<br />
standard detection methods. While ChatGPT<br />
can be used for malicious intent, it has some<br />
security guardrails. So bad actors quickly<br />
recognised they could build their own services<br />
to create and proliferate fraud campaigns.<br />
"Enter: FraudGPT, a service (among others) on<br />
the dark web giving cybercriminals the power<br />
of generative AI, with no security limitations.<br />
Want malicious code? Just ask. Need language<br />
translation and images for a phishing<br />
campaign? Done to perfection. Phishing<br />
attacks have increased over 1,200% in 2023 -<br />
a meteoric rise since the release of GenAI.<br />
"So, what can security leaders expect? At<br />
minimum, the volume and sophistication of<br />
attacks will continue to rise as GenAI gets<br />
smarter and bad actors learn how to wield<br />
its power. And it's not just phishing attacks.<br />
Fraudsters are now able to create polished,<br />
eye-catching ads for fake goods or services,<br />
collecting payments for goods that are never<br />
sent or leading victims to download remote<br />
access trojans (RATs) or banking trojans. Once<br />
installed, they log keystrokes or overlay fake<br />
login forms to steal credentials, even one-time<br />
passcodes.<br />
"Perhaps more unsettling, scammers are<br />
starting to use conversational bots on social<br />
media to mimic local dialects, professional<br />
language or gamer lingo, for example.<br />
They can even respond to DMs to build<br />
relationships and create positive, but fake,<br />
reviews. We expect this type of manipulation<br />
to grow and facilitate new types of fraudulent<br />
schemes."<br />
What can security leaders do? asks Mahdi.<br />
"To protect against the expected increase in<br />
volume and velocity of attacks, security leaders<br />
need to prepare their teams, process and<br />
technology. From a technology perspective,<br />
it's crucial to implement identity and security<br />
solutions that use equally powerful AI and ML.<br />
Advanced cybersecurity and anti-fraud must<br />
be fused with customer identity and access<br />
management (CIAM). For accurate detection<br />
of evasive threats, it's essential to leverage<br />
hundreds of detection methods and analyse<br />
anomalies within the full context of all that's<br />
happening in real time. Orchestration is a<br />
key component necessary for consolidating<br />
capabilities and correlating data - for context-aware<br />
risk and trust decisioning. From a<br />
process perspective, fraud teams should<br />
conduct table-top exercises and threat simulations<br />
to ensure they're ready."<br />
IRVIN SHILLINGFORD, REGIONAL<br />
MANAGER, NORTHERN EUROPE,<br />
HORNETSECURITY<br />
"In 2024, businesses are faced with an ever-expanding<br />
landscape of options, configurations<br />
and integrations to leverage the full<br />
potential of cloud computing. However, this<br />
rising complexity also amplifies the potential<br />
scope for cybersecurity attacks. Intricate<br />
systems may harbour vulnerabilities that, if<br />
exploited, could compromise sensitive data<br />
and pose significant threats to organisational<br />
security.<br />
"There's no doubt that the proliferation of<br />
generative AI has ushered in a new era of<br />
cyber-attacks, with sophisticated and adaptive<br />
algorithms being employed to execute<br />
unpredictable malicious activities.<br />
"The growing prominence of AI, coupled<br />
with the increasing complexity of cloud<br />
systems, has heightened the potential for<br />
cyber-attacks, as AI-driven threats ultimately<br />
look to exploit intricate vulnerabilities within<br />
cloud infrastructures.<br />
"With the launch of ChatGPT, the most widely<br />
known large language model (LLM), we've<br />
seen some evidence of threat actors using<br />
generative AI tools to prepare attacks and help<br />
write malware. Whilst the media have largely<br />
covered this malicious side of AI, the power<br />
of LLMs will also be used increasingly to help<br />
defenders. Two clear examples are log analysis<br />
and report writing, but it'll be exciting to see<br />
how it will help security analysts deal with<br />
workload and better protect their businesses.<br />
"There were countless examples of cloud-related<br />
cyber-attacks throughout 2023, from<br />
Amazon S3 buckets being left unsecured, or<br />
even the breach of 38TBs worth of data stolen<br />
from Microsoft, due to a misconfigured Azure<br />
storage account. These are just examples<br />
involving cloud storage and don't include the<br />
massive adoption of cloud APIs or increasingly<br />
complex network configurations.<br />
"The rise of AI has also played a role in enabling<br />
cyber attackers to devise sophisticated<br />
strategies to bypass Multi-Factor Authentication<br />
(MFA) measures in businesses and<br />
compromise security defences. This includes<br />
fatigue attacks, which overwhelm users with<br />
numerous prompts and cause them to<br />
ultimately click 'accept' to prevent more<br />
notifications.<br />
"As businesses continue to adopt cloud<br />
technologies at a rapid scale, and with the<br />
increase in cloud-related innovation in the<br />
industry, security sometimes seems like an<br />
afterthought. Becoming cyber-resilient takes<br />
time, effort and persistence. Organisations<br />
must implement robust security measures,<br />
understand the technology they use, and<br />
ensure that employees are trained to recognise<br />
potential attacks and know the escalation<br />
process. By adopting a comprehensive<br />
approach that combines technology, education<br />
and proactive measures, businesses can<br />
significantly enhance their cybersecurity<br />
strategy."<br />
IAN ROBINSON, CHIEF ARCHITECT,<br />
TITANIA<br />
"Following a record-breaking number of cyberattacks<br />
in 2023, organisations are expecting<br />
more of the same in <strong>2024</strong>. And with 220,975<br />
published CVEs (taken from https://www.cve.org/<br />
5 Jan 24), it's not surprising that organisations<br />
are looking for more effective ways to<br />
analyse, understand and improve their risk<br />
posture at any given time - to stay off the<br />
'breached list'.<br />
"No small feat when tasked with tens of<br />
thousands of vulnerabilities, due to out-of-date<br />
software and misconfigurations across<br />
the attack surface. Risk-based vulnerability<br />
management (RBVM) therefore has to be the<br />
priority, to understand, device-by-device, how<br />
best to deploy resources to remediate the<br />
most critical risks first. RBVM, coupled with a<br />
focus on regularly assessing critical segments.<br />
Not just at the perimeter (firewalls), but from<br />
the interior, too, because router and switch<br />
security is the key to maintaining effective zero<br />
trust network segmentation that stops ransomware<br />
in its tracks. And keeping critical applications<br />
and data segmented, isolated and<br />
protected from automated attacks.<br />
"As any changes to device configurations -<br />
planned or unplanned - can expose networks<br />
and enable lateral movement through<br />
privilege escalation, organisations have woken<br />
up to the fact that it's no longer enough to<br />
assess devices once a quarter. Particularly as<br />
changes are potential indicators of compromise<br />
(IOCs) and should be assessed immediately.<br />
But achieving continuous network assurance<br />
in a practical way has previously been a<br />
challenge. <strong>2024</strong> should see organisations<br />
investing in solutions that change all this.<br />
"Proactively assessing network changes, as<br />
they occur, to determine when changes result<br />
in deviation away from a secure state - and<br />
then overlaying this risk data with ATT&CK<br />
vectors and adversary tactics, techniques and<br />
procedures (TTPs) - takes RBVM to the next<br />
level. Especially when we consider that less<br />
than 4% of known exploited vulnerabilities,<br />
according to CISA, have ever been used by<br />
attackers in the wild."<br />
And Robinson concludes: "Looking at<br />
vulnerabilities through an attacker's lens<br />
enables organisations to determine where they<br />
need to deploy resources to harden their<br />
networks to the best effect. Through this risk<br />
lens, organisations can view both their current<br />
posture to techniques being used in the wild<br />
and inform threat hunting with historic<br />
network posture analysis. Closing the loop,<br />
channelling remediation efforts on known<br />
exploited vulnerabilities that are most likely to<br />
be exploited right now, will help prevent any<br />
nasty surprises in <strong>2024</strong>."<br />
TIM FREESTONE, CHIEF STRATEGY AND<br />
MARKETING OFFICER, KITEWORKS<br />
Despite bans and restrictions, the number<br />
of businesses using generative artificial<br />
intelligence (GenAI) large language models<br />
(LLMs) is increasing as the competitive<br />
advantages become too significant to<br />
ignore, insists Tim Freestone, chief strategy<br />
and marketing officer, Kiteworks.<br />
"Even with advances in security controls,<br />
data breaches stemming from GenAI LLM<br />
misuse will rise in <strong>2024</strong>. This will force data<br />
security to be a central part of GenAI LLM<br />
strategies," he states.<br />
"Managed file transfer (MFT) tools are<br />
useful for the digital transfer of data.<br />
However, many are based on decades-old<br />
technology that has inherent security<br />
deficiencies. Two major MFT tools experienced<br />
zero-day exploits in 2023. It is likely<br />
that rogue nation-states and cybercriminals<br />
will continue to exploit such vulnerabilities<br />
in legacy MFT solutions in <strong>2024</strong>, too."<br />
Email remains the number one attack<br />
vector, he adds. "However, like legacy MFT<br />
solutions, legacy email systems lack modern<br />
security capabilities. Until organisations<br />
embrace an email protection gateway<br />
where email is sent, received and stored<br />
using zero-trust policy management with<br />
single-tenant hosting, email security will<br />
remain a serious risk factor."<br />
Data privacy is a global concern. "Gartner<br />
predicts that personal data for three-quarters<br />
of the world's population will be<br />
covered by data privacy regulations by the<br />
end of <strong>2024</strong> and the average annual<br />
budget for privacy in a company exceed<br />
$2.5 million."<br />
In <strong>2024</strong>, businesses will be under<br />
heightened strain to protect confidential<br />
data, Freestone adds. "It is time for<br />
organisations to hit the reset button.<br />
"Only by adopting zero-trust architectures,<br />
detailed security models based on content,<br />
strong access management, integrated<br />
DRM, DLP and the like, can organisations<br />
mitigate the risks and uphold compliance."<br />
Irvin Shillingford, Hornetsecurity: the<br />
proliferation of generative AI has ushered<br />
in a new era of cyber-attacks.<br />
Tim Freestone, Kiteworks: data breaches<br />
stemming from GenAI LLM misuse will<br />
rise in <strong>2024</strong>.<br />
biometric cybersecurity<br />
STOPPING THE REMOTE<br />
ACCESS SCAM PANDEMIC<br />
SCAMMERS ARE STRIPPING<br />
UNTOLD SUMS OF MONEY FROM<br />
VICTIMS' BANK ACCOUNTS.<br />
TAMAS ZELCZER, CEO AND<br />
CO-FOUNDER OF CURSOR<br />
INSIGHT, PICTURED BELOW,<br />
DISCUSSES HOW BIOMETRIC<br />
CYBERSECURITY CAN<br />
PREVENT SUCH FRAUD<br />
'Hello? I'm calling from your<br />
bank's tech support. Your<br />
account has been<br />
hacked. I need your urgent help<br />
to stop criminals stealing your<br />
money.' This is one of the typical<br />
dreaded opening lines actual<br />
cybercriminals use on unsuspecting<br />
victims before tricking them into handing<br />
over control of their online banking session<br />
and inflicting damages equal to, or even<br />
surpassing, all the assets on the account.<br />
The professional fraudsters dismantle the<br />
victims' instinctive defences by exploiting the<br />
strong fear of financial loss and a sense of<br />
urgency. They also quickly build some level<br />
of trust over the phone, usually by quoting<br />
personal details like the victim's name,<br />
address and contact details that were<br />
perhaps gathered from hacked databases or<br />
even public sources. What happens next is<br />
that the hacker asks the victim to download<br />
and install a remote desktop tool, such as<br />
Anydesk, log into their own account and<br />
then hand over the control to the criminal<br />
impersonating a helpful tech support<br />
agent.<br />
This scam might sound<br />
like something few<br />
people would fall for,<br />
but, in fact, this is<br />
one of the fastest-growing<br />
and most<br />
effective types of<br />
financial cyber<br />
fraud. It's being<br />
referred to as a<br />
'remote access<br />
scam', 'tech<br />
support<br />
scam' or<br />
'Anydesk scam' after<br />
the name of the most widely used remote<br />
desktop application and, according to<br />
ScamWatch research, is just as widespread as<br />
Phishing Scams, where fraudsters coerce or<br />
dupe victims into sharing online banking<br />
login credentials and 2FA codes.<br />
Approved push payment (APP) fraud -<br />
where victims are tricked into executing,<br />
thus 'approving', a fraudulent transaction<br />
themselves - and classic online credit card<br />
scams are still the most common types of<br />
digital fraud by the number of cases.<br />
However, remote access scams may represent<br />
up to a staggering 80% of the financial<br />
damages sustained by victims in some<br />
markets or financial institutions. In many<br />
cases, the ruthless remote access hackers,<br />
exploiting a lengthy remote access session,<br />
liquidate the victim's investments, even<br />
apply for a personal loan in the name of<br />
the victim, then pool all the money together<br />
and transfer everything to the fraudster's<br />
account, where the money typically instantly<br />
disappears in an untraceable crypto wallet.<br />
LOSSES SOAR 130%<br />
The spreading of remote access scams seems<br />
to be unstoppable for now. Statista reported<br />
total losses of $806 million in 2022 in the<br />
USA, a soaring 130% increase, compared to<br />
the previous year, making it the<br />
fastest-growing fraud category.<br />
How can banks effectively protect their<br />
clients from these kinds of financial losses<br />
and minimise losses for themselves, as<br />
obligatory fraud reimbursement regulations<br />
are being introduced in the UK and around<br />
the world? Traditional user authentication<br />
and fraud detection tools, deployed by<br />
many banks, typically use various device<br />
fingerprinting techniques that are quite<br />
effective against scams where the fraudster is<br />
in an unusual location or accesses the online<br />
banking application from a browser or device<br />
that is not recognised as the standard for a<br />
specific user. The problem is that when the<br />
user hands over the cursor and keyboard<br />
control to someone else who is remotely<br />
transacting in the victim's account on the<br />
victim's own device, through the usual<br />
browser, and from the usual IP address,<br />
device fingerprinting becomes completely<br />
useless in spotting the fraud.<br />
During a remote desktop session, the cursor<br />
movements and typing of the remote agent<br />
are instantly mirrored on the user's screen,<br />
and these cannot be differentiated by a<br />
human observer from the interactions of<br />
the user working locally on their own<br />
computer. A few years ago, there used to be<br />
a slight time lag and some skipping cursor<br />
movements, but the latest versions of the<br />
common remote desktop tools are free from<br />
these<br />
issues.<br />
Luckily, there are<br />
still some very subtle<br />
data patterns that can be<br />
detected by the most sophisticated AI<br />
systems, such as Cursor Insight's patent-pending<br />
Remote Access Detection solution,<br />
which is part of the Graboxy Cybersecurity<br />
Platform.<br />
SUSPICIOUS ACTIVITY FLAGGED<br />
Cursor Insight has for years been at the<br />
forefront of innovation in the field of<br />
biometric cybersecurity, with the Graboxy<br />
Continuous Authentication tool winning<br />
prestigious awards, including the 'Cyber<br />
Product of the Year' at the National Cyber<br />
Awards and the 'Remote Monitoring Security<br />
Solution of the Year' at the Computing<br />
Security Awards in 2023. A fundamental<br />
feature of Graboxy is the continuous<br />
monitoring of user interactions and the<br />
use of AI to analyse data transmitted through<br />
the user's web browser.<br />
The data is only monitored and analysed on<br />
the server side, so nothing has to be installed<br />
by the client. The technology is capable of<br />
building accurate biometric profiles by<br />
finding behavioural patterns that can be<br />
associated with individual users.<br />
Graboxy can passively authenticate users<br />
in the background by comparing real-time<br />
interactions, including mouse movements,<br />
to the biometric profile belonging to the<br />
user. Suspicious sessions with a high<br />
likelihood of an ongoing account takeover<br />
or other types of unauthorised access can be<br />
quickly flagged for further security checks or<br />
additional re-authentication. This solution<br />
can be effectively used to detect a fraudster<br />
controlling the user account through a<br />
remote desktop session.<br />
The Graboxy Remote Access Detection<br />
Solution adds an additional security layer on<br />
top of passive continuous authentication. It is<br />
able, within a few seconds and in real time,<br />
to identify any remote access session, which is<br />
almost always a sign of a scam attempt in<br />
online banking and payment applications.<br />
The unique advantage of this solution is that<br />
it uses predefined machine learning models<br />
trained specifically to differentiate between<br />
local and remote users. It means that no<br />
individual profiles need to be built over time,<br />
and no rule or algorithm calibration is<br />
required, unlike most AI-based solutions. It<br />
works straight out of the box and can easily<br />
be combined with already deployed fraud<br />
detection solutions through its API.<br />
WINNING THE BATTLE<br />
Fighting against cybercrime and online<br />
financial fraud is a dynamic race where both<br />
the attackers and the defenders tirelessly<br />
innovate and try to outsmart the other side.<br />
The stakes are high, especially with remote<br />
access scams, where, unlike with the most<br />
common types of scams, the hackers could<br />
potentially steal complete life savings in a<br />
matter of minutes. Educating banking clients<br />
not to hand over the control of their devices<br />
to strangers who are offering unwanted help<br />
during a phone call is, of course, essential;<br />
awareness can and should be raised to help<br />
people protect themselves.<br />
But, just like many customers still often<br />
voluntarily share their login credentials,<br />
PINs and SMS one-time passwords with<br />
scammers, the human factor remains<br />
the weakest link that fraudsters exploit in<br />
the case of remote access scams as well.<br />
Investing in technologies that offer protection<br />
from the latest forms of cyber fraud<br />
remains a necessary tool to win the fight.<br />
show preview<br />
COUNTDOWN TO INFOSECURITY EUROPE <strong>2024</strong><br />
SHOWTIME IS APPROACHING, WITH THREE DAYS OF LEARNING, DISCOVERY AND INSIGHTS LINED UP<br />
Infosecurity Europe <strong>2024</strong> takes place<br />
from 4-6 June at the ExCeL London.<br />
Exhibitors, industry bodies and cybersecurity<br />
peers will once again unite at<br />
Infosecurity Europe - taking place from<br />
the 4th-6th of June at the ExCeL London - to<br />
share their technological arsenal and extensive<br />
industry knowledge, all under one roof.<br />
Infosecurity Europe is widely regarded as<br />
the premier platform to explore cutting-edge<br />
cybersecurity technologies, forge invaluable<br />
connections, hone skills, and benefit from<br />
exclusive insights and know-how from<br />
experts immersed in the industry's latest<br />
developments.<br />
This year's Conference programme will<br />
feature nine theatres, giving visitors access to<br />
three days of learning, discovery and insights.<br />
The range of theatres will offer information to<br />
suit all levels of experience, from strategy talks<br />
to tactical sessions, round tables and keynote<br />
sessions, with an impressive line-up of<br />
speakers soon to be announced.<br />
The event is geared up to deliver the learning<br />
opportunities and also to further professional<br />
development in a practical setting. It also<br />
provides a valuable means for registered<br />
members to earn CPE credits. Working in<br />
partnership with leading industry associations<br />
(ISC)2 and ISACA, attending the varying<br />
theatre sessions, enables attendees to earn<br />
credits automatically.<br />
New for <strong>2024</strong> is the 'Tomorrow's Topics'<br />
theatre, which will address future industry<br />
developments and how to be prepared to<br />
seize these openings. Discussions will cover<br />
everything from channel, diversity and access<br />
to the industry, through to professional<br />
development.<br />
Infosecurity Europe is also committed to<br />
supporting cutting-edge companies embarking<br />
on growth, with the 'Start-up Showcase'<br />
providing a launchpad to hear from them.<br />
Exclusively for companies that are three years<br />
in maturity, the dedicated stage gives voice to<br />
industry newcomers. Attendees will be able<br />
to hear about the latest innovations and<br />
understand where collaboration can help<br />
to build solid foundations for the future<br />
success of companies.<br />
For those looking for a fun way to unwind,<br />
a stroll down to 'Arcade Alley' will offer some<br />
retro competitive gaming and the chance to<br />
relive classic nostalgic gaming moments.<br />
Away from the show floor, the South<br />
Gallery Rooms will feature more than 25<br />
Security Workshops where vendors will<br />
showcase and demonstrate their product<br />
offerings, providing access to industry<br />
experts.<br />
The 90-minute tactical training sessions<br />
allow visitors to the show to benefit from in-depth,<br />
practical sessions, offering advice on<br />
strengthening information security posture.<br />
Security workshop expert speakers will<br />
provide learning-orientated sessions to help<br />
to take skills to a higher level.<br />
For the CISOs and heads of information<br />
security in attendance, the 'Leaders'<br />
Programme' offers an access-all-areas pass,<br />
granting entry to the Leaders' Lounge in the<br />
South Gallery Rooms, as well as exclusive<br />
participation in Leaders' Roundtable discussions,<br />
shaping security strategies and<br />
exploring cutting-edge industry technology<br />
and solutions.<br />
Meanwhile, this year's 'Women in Cybersecurity'<br />
event will provide the opportunity<br />
to hear from senior female leaders, as they<br />
share their insights and expertise. The event<br />
is registration only and is now open here.<br />
The <strong>2024</strong> conference programme aims to<br />
share best practices, case studies and real-life<br />
insight. There will also be presentations<br />
from end users, policymakers, government,<br />
law enforcement and industry leaders<br />
including interviews, panel discussions and<br />
debates.<br />
You can register now for Infosecurity<br />
Europe and secure your spot at the forefront<br />
of cyber resilience.<br />
data management<br />
NEW DATA STATS ARE A WAKE-UP CALL<br />
REPORT REVEALS SURGE FROM JUST OVER 2 MILLION EMAILS SENT PER<br />
MINUTE IN 2013 TO A STAGGERING 241 MILLION A MINUTE A DECADE LATER<br />
Over the past decade, Domo has<br />
tracked the world's data usage,<br />
revealing remarkable increases in<br />
activity across various online platforms,<br />
from Instagram and X to Amazon,<br />
Venmo and many others. The annual<br />
'Data Never Sleeps' infographic offers<br />
a big-picture glimpse into the immense<br />
volume of data generated on the internet<br />
every minute, showcasing how data<br />
is constantly evolving and changing<br />
as more people interact with digital<br />
platforms and services. "This year's<br />
findings reflect the ever-changing and<br />
fast-paced digital landscape, which<br />
has only been heightened by the<br />
rapid popularity of AI models such<br />
as ChatGPT," said Josh James, founder<br />
and CEO, Domo.<br />
"Data drives everything we do, from a<br />
quick search online or sending an email,<br />
to checking the latest headlines on our<br />
way to work. Data Never Sleeps, now in<br />
its eleventh year, depicts just how much<br />
we rely on data and its impact on our<br />
daily lives in one of the 525,600 minutes<br />
in a year."<br />
Some key highlights from this year's<br />
'Data Never Sleeps 11.0' report include:<br />
The AI Boom: Artificial Intelligence (AI)<br />
is making big waves in the digital world.<br />
AI-driven platforms such as ChatGPT<br />
are reshaping the ways we work,<br />
communicate and create, with users<br />
submitting 6,944 prompts every minute.<br />
However, users haven't forsaken their<br />
search engine habits, as searches on<br />
Google total more than 6.3 million<br />
every minute (this is a substantial<br />
increase from 5.9 million a year ago).<br />
Entertainment Dominance: After a dip in<br />
engagement last year, X (formerly Twitter)<br />
now sees 360,000 posts from users every<br />
minute, up from 347,000 in Data Never<br />
Sleeps 10.0. Spotify users stream 24,000<br />
hours of music, including 69,444 Taylor<br />
Swift songs. Instagram users are sending<br />
over 694,000 reels via direct message every<br />
sixty seconds. And the world of streaming<br />
continues to dominate, as collective<br />
viewers watch more than 40 years of<br />
streaming content every single minute.<br />
As online platforms gain more activity and<br />
engagement, the entertainment industry<br />
promises to never be the same.<br />
Transactions on a Tear: Digital spending<br />
continues its vast expansion. E-commerce<br />
giant Amazon sees more than £362k<br />
in sales every minute and on digital<br />
transaction app Venmo, users send<br />
£369k worth of payments every minute,<br />
up 6% year over year. In the food sector,<br />
DoorDash diners place orders totaling<br />
£97.7k, up 60% from last year, reflecting<br />
the increased reliance (and potentially,<br />
inflation) on food and food delivery<br />
services in this digital age.<br />
Cybersecurity Challenges: However,<br />
as digital activities intensify, so do<br />
cybersecurity threats. Cybercriminals<br />
launch 30 DDoS attacks every minute,<br />
highlighting the need for robust online<br />
security measures to protect individuals<br />
and businesses. Adds Domo's James: "Data<br />
weaves the fabric of our digital lives, and<br />
our annual Data Never Sleeps report<br />
highlights some of the most meaningful<br />
data for businesses and consumers alike."<br />
energy industry<br />
GONE NUCLEAR<br />
SECURITY ISSUES AT UK CIVIL NUCLEAR FACILITIES HAVE BEEN ON THE UP, WHILE INSPECTION<br />
LEVELS FALL AWAY. HOW VULNERABLE IS THAT LEAVING THE UK TO ACCIDENTS OR WORSE?<br />
The number of formal reports that<br />
document security issues at the<br />
UK's civil nuclear facilities has hit its<br />
highest level in at least 12 years amidst<br />
a decline in inspections, according to<br />
The Guardian newspaper.<br />
Experts say that the worrying news<br />
raises concerns about the regulator's<br />
capacity to cope with planned expansion<br />
in the sector.<br />
How serious might the problem be?<br />
Very, it would appear, considering a total<br />
of 456 incident notification forms<br />
documenting security issues at UK<br />
nuclear facilities were<br />
submitted to the<br />
Office for Nuclear<br />
Regulation (ONR)<br />
during 2021<br />
alone. That is<br />
according to information obtained by The<br />
Guardian and investigative journalism<br />
organisation Point Source. This is 30%<br />
higher than the 320 reports filed during<br />
the whole of 2020 and more than double<br />
the 213 reports that were filed in 2018.<br />
Incidents include physical security issues,<br />
such as unauthorised people gaining<br />
unsupervised access to secure areas,<br />
as well as cybersecurity issues such as<br />
attacks by malicious software.<br />
Dr Paul Dorfman, the chair of the Nuclear<br />
Consulting Group and a former secretary<br />
of the government's committee examining<br />
radiation risks of internal emitters (Cerrie),<br />
says operators and the regulator needed<br />
to take action to address the rise in<br />
reported incidents. "The higher number<br />
of security issues that we are seeing<br />
documented at nuclear facilities is<br />
extremely concerning. These figures seem<br />
to show a relaxation in security standards<br />
when it comes to the operation and<br />
regulation of sites that have the potential<br />
to cause great human and environmental<br />
harm. When the stakes are so high, it<br />
is important that ONR takes all these<br />
security incidents seriously, looks at why<br />
they happened, tries to address the<br />
relevant issues, and reduces the number<br />
of incidents that are occurring."<br />
He adds: "The broader picture raises<br />
significant concerns about ONR's<br />
technical and human capacity to<br />
regulate and monitor what is<br />
potentially a very risky industry.<br />
This is especially concerning in<br />
the context of the UK's<br />
ageing nuclear fleet as<br />
well as the new-build<br />
plans the government<br />
is currently pushing."<br />
During 2021, there<br />
was an increase in the<br />
number of "moderate"<br />
security incidents<br />
reported, according to<br />
the data obtained from the<br />
ONR using freedom of information<br />
legislation. Over the year, 42 security<br />
incidents documented were rated as<br />
"moderate", up from the 24 moderate<br />
incidents in 2020 - the highest number<br />
recorded in at least 12 years. Moderate is<br />
the second-most severe category and is<br />
described by the ONR as an incident<br />
where there has been "a significant<br />
departure from expected standards".<br />
The rising number of reported incidents<br />
comes amid a fall in security inspections<br />
carried out by the regulator. There are<br />
concerns that during 2021 the frequency<br />
of nuclear security inspections carried out<br />
by the ONR may have fallen to its lowest<br />
level in at least four years. Data obtained<br />
in a separate freedom of information<br />
request shows that in 2021, up to 17<br />
December, just 136 security inspections<br />
had been carried out by the ONR, down<br />
from the full-year figure of 144 in 2020<br />
and 169 in 2019. Information security<br />
inspections are among the types to have<br />
seen the biggest decline, with only 40<br />
carried out in 2021 up to 17 December,<br />
down from 74 over the whole of 2020.<br />
Dorfman said this was particularly<br />
worrying, given the growing risk of cyberattacks<br />
on nuclear infrastructure. "There<br />
is no question that nuclear is operating<br />
in an increasingly dangerous and unstable<br />
world where the threat of state-sponsored<br />
or non-state cyber-attacks is<br />
increasing."<br />
In a statement, the ONR commented:<br />
"We welcome the increase in reported<br />
events, as our analysis indicates that<br />
this reflects improvements in security<br />
awareness and culture across the<br />
industry. The vast majority of reported<br />
events (80-90%) are minor breaches of<br />
security arrangements, which have been<br />
proactively reported to us." The regulator<br />
also said it believed its engagement with<br />
nuclear operators had increased over<br />
recent years, despite the decline in official<br />
inspections. It added: "The data we<br />
provided under freedom of information<br />
law relates only to on-site compliance<br />
inspections and does not include other<br />
assessment work. This separate regulatory<br />
scrutiny, which is not represented in the<br />
data, is essential to ensure site security<br />
arrangements comply with the law and<br />
includes site visits to reinforce regulatory<br />
judgments."<br />
COMPLEXITY OF CRITICAL<br />
INFRASTRUCTURE<br />
According to Allianz, critical infrastructure<br />
systems like those driving power<br />
generation, water treatment, electricity<br />
production and other platforms are<br />
interconnected to form the energy 'grid'.<br />
Although beneficial to the public, this<br />
grid is vulnerable to cyber-attack by<br />
'hacktivists' or terrorists.<br />
Imagine, during a particularly harsh<br />
winter, a group of hacktivists spreading<br />
panic by bringing down the US power<br />
grid, millions of homes and businesses<br />
plunged into darkness, communications<br />
cut, banks going offline, hospitals closing<br />
and air traffic grounded. While such<br />
a scenario sounds apocalyptic, it is a<br />
realistic threat, according to Idan Udi<br />
Edry, chief executive officer at Nation-E,<br />
a provider of cyber security solutions that<br />
safely allow customers to connect their<br />
infrastructure to the internet, thereby<br />
enabling them to connect and control<br />
critical assets remotely and safely.<br />
Critical infrastructure, like power<br />
generation and distribution, is becoming<br />
more complex and reliant on networks<br />
of connected devices. Just decades ago,<br />
power grids and other critical infrastructure<br />
operated in isolation. Now they<br />
are far more interconnected, both in<br />
terms of geography and across sectors.<br />
As the US power grid scenario highlights,<br />
the failure of one critical infrastructure<br />
could result in a devastating chain<br />
reaction, says Edry. Unsurprisingly, the<br />
vulnerability of critical infrastructure to<br />
cyber-attacks and technical failures has<br />
become a big concern. And fears have<br />
been given credence by recent events.<br />
In December 2015, the world witnessed<br />
the first-known power outage caused by<br />
a malicious cyber-attack. Three utilities<br />
companies in Ukraine were hit by<br />
BlackEnergy malware, leaving hundreds<br />
of thousands of homes without electricity<br />
for six hours. Cyber security firm Trend<br />
Micro says the malware targeted the<br />
utility firms' SCADA (supervisory control<br />
and data acquisition) systems and<br />
probably began with a phishing attack.<br />
The blackout was followed two months<br />
later by the news that the Israel National<br />
Electricity Authority had suffered a major<br />
cyber-attack, although damage was<br />
mitigated after the Israel Electricity<br />
Corporation shut down systems to<br />
prevent the spread of a virus.<br />
The energy sector is one of the main<br />
targets of cyber-attacks against critical<br />
infrastructure, but it is far from being<br />
the only one, of course. Transport, public<br />
sector services, telecommunications and<br />
critical manufacturing industries are also<br />
vulnerable. In 2013, Iranian hackers<br />
breached the Bowman Avenue Dam<br />
in New York and gained control of the<br />
floodgates. Oil rigs, ships, satellites,<br />
airliners, airport and port systems are<br />
all thought to be vulnerable, and media<br />
reports suggest that breaches have<br />
occurred.<br />
SOARING CYBER-ATTACKS<br />
Cyber-attacks against critical<br />
infrastructure and key manufacturing<br />
industries have soared, according to US<br />
cyber-security officials at Industrial<br />
Control Systems Cyber Emergency<br />
Response Team (ICS-CERT), the US<br />
government body that helps companies<br />
investigate attacks against ICS and<br />
corporate networks. It reported a 20%<br />
increase in cyber investigations in 2015<br />
and a doubling of attacks against US<br />
energy industry<br />
critical<br />
manufacturing.<br />
Over the years, a wide range<br />
of sectors have become more reliant<br />
on industrial control systems - such as<br />
SCADA, Programmable Logic Controllers<br />
(PLC) and Distributed Control Systems -<br />
for monitoring processes and controlling<br />
physical devices, such as pumps, valves,<br />
motors, sensors etc.<br />
The most high-profile example of a<br />
cyber-attack against critical infrastructure<br />
is the Stuxnet computer virus. The worm,<br />
which targeted PLCs, disrupted the<br />
Iranian nuclear program by damaging<br />
centrifuges used to separate nuclear<br />
material. The incident caused concern,<br />
because Stuxnet could be adapted to<br />
attack the SCADA systems used by many<br />
critical infrastructure and manufacturing<br />
industries in Europe and the US.<br />
In one of the only public examples of<br />
a SCADA attack, a German steel mill<br />
suffered major damage after a cyber-attack<br />
forced the shutdown of a furnace,<br />
the German Federal Office for Information<br />
Security reported in 2014. The<br />
attackers used various social engineering<br />
techniques to gain control of the blast<br />
furnace systems.<br />
CONTROL SYSTEMS TARGETED<br />
Cyber-attacks against critical infrastructure<br />
and manufacturing are much<br />
more likely to target industrial control<br />
systems than steal data, according to the<br />
Organization<br />
of American States<br />
and Trend Micro. Its research<br />
found that 54% of the 500 US critical<br />
infrastructure suppliers surveyed had<br />
reported attempts to control systems,<br />
while 40% had experienced attempts to<br />
shut down systems. Over half said that<br />
they had noticed an increase in attacks,<br />
while three-quarters believed that those<br />
attacks were becoming more<br />
sophisticated.<br />
HACKERS’ EYES ON WEAK SPOTS<br />
According to Nation-E's Edry, hackers<br />
are becoming much more interested<br />
in operational technology: the physical<br />
connected devices that support industrial<br />
processes. "The vulnerability and lack of<br />
knowledge of operational technology is<br />
the most dangerous thing today," he says.<br />
As an example, he cites a cyber-attack<br />
against a New York City office block in<br />
which a hacker accessed the building<br />
management systems - which can control<br />
power, communications, security and<br />
environmental systems - via a connected<br />
vending machine. The building shutdown<br />
resulted in estimated damage of $350m<br />
from lost business.<br />
However, the security of industrial<br />
control systems and connected devices<br />
has fallen behind that of IT systems.<br />
Many of the connected devices used by<br />
industry are based on serial communication<br />
technology - which Edry likens to<br />
the beeps and squeals associated with the<br />
old-style internet dial-up. He believes that<br />
operational technology is a vulnerable<br />
and poorly protected element of cyber<br />
security. While IT infrastructure has given<br />
rise<br />
to an army of<br />
cyber security<br />
consultants, products and<br />
services, industrial control systems by<br />
comparison are not well served.<br />
On top of that, he states, growing<br />
digitalisation and the 'IoT' could create a<br />
perfect cyber security storm. He notes<br />
that, where a company would once have<br />
control over its systems, physical<br />
networks and servers, the trend has been<br />
to run devices, software and data<br />
through virtual networks, such as cloud<br />
computing. "Even the network is now off<br />
the network."<br />
Confidence in data and systems security<br />
is key, if society is to benefit from the<br />
potential efficiencies that the IoT can<br />
bring. "The digital age is here. We can't<br />
prevent it. It is becoming part of us. But<br />
we see news headlines of breach after<br />
breach. We are losing our confidence in<br />
the digital age."<br />
Edry believes that more needs to be<br />
done to deter cyber criminals and to<br />
protect operational technology. The cost<br />
of creating a successful attack is small for<br />
cyber criminals, which is why there are<br />
now so many attacks.<br />
"We have seen that, as the cost of<br />
launching a successful attack has gone<br />
down, the number of attacks has risen,"<br />
he comments. "So, we need to develop<br />
technology to increase the cost of<br />
successful attacks. We can't stop 100%<br />
of attacks, but we can create technology<br />
to increase the cost, so that the hacker<br />
says: 'I don't want to deal with this<br />
organisation, as it will cost me a lot of<br />
time and computer resource'. If we can<br />
prevent the damage, it will incentivise<br />
insurers to offer higher limits and give<br />
customers more incentive to buy."<br />
ransomware<br />
NEW THREAT ACTORS SEND RANSOMWARE ATTACKS SOARING<br />
SOPHISTICATED ATTACK METHODS SURFACE, WITH HEALTHCARE BECOMING A PROMINENT TARGET<br />
In December last year, global levels of<br />
ransomware attacks fell by 12% from<br />
November, with a total of 391 cases,<br />
compared to 442 in the previous month,<br />
according to NCC Group's December Threat<br />
Pulse. Good news? Not really. The figure<br />
for December took the total number of<br />
ransomware attacks in 2023 to 4,667 -<br />
far beyond NCC Group's initial expectations<br />
that cases would hit 4,000. The annual total<br />
marks an 84% increase from all recorded<br />
ransomware attacks in 2022.<br />
Despite the usual threat groups responsible<br />
for ransomware attacks, December 2023<br />
saw three new groups enter the top ten most<br />
active. Data reveals that newcomer Hunters<br />
ranked in fifth place with 22 cases (6% of<br />
total). The group is believed to be a rebrand of<br />
Hive, dismantled by Europol and the FBI earlier<br />
in 2023. DragonForce ranked in sixth spot,<br />
responsible for 21 cases (5%), and has been<br />
active since Summer 2022. WereWolves also<br />
joined the ranking in tenth spot, with<br />
speculation that they are a LockBit affiliate.<br />
North America and Europe remained the<br />
two most targeted regions in December, with<br />
80% of global attacks between them. North<br />
America experienced 51% (199) of all attacks,<br />
down from 219 in November, with 114<br />
attacks in Europe marking a 29% regional<br />
reduction in cases. Claiming third place,<br />
Asia witnessed 37 attacks, also representing<br />
a decrease of 20%.<br />
Most notably, the data also reveals that<br />
attacks in Russia rose in December to 12<br />
cases, accounting for 11% of all attacks levied<br />
against targets in Europe, compared to the<br />
whole of 2023.<br />
Despite healthcare not placing in the top<br />
three most targeted sectors, it is now regarded<br />
as frequently at risk of ransomware attacks.<br />
Following October and November, where it<br />
was in the top three most targeted sectors,<br />
the total volume of ransomware attacks on<br />
healthcare in 2023 has resulted in it being<br />
considered at similar risk to other sectors.<br />
INCREASED ACTIVITY<br />
OF MALWARE FAMILIES<br />
In December, malware families (a group of<br />
applications with similar attack techniques)<br />
were more active than previous months. Two<br />
malware families, Hydra mobile malware and<br />
the unexpected activity of Qakbot, following<br />
the malware family's infrastructure take-down<br />
at the end of August, were notable.<br />
The infostealer Meduza Stealer also<br />
resurfaced in December, with a new version<br />
to help cybercriminals make their attacks<br />
more sophisticated through methods such<br />
as account takeover (ATO), online-banking<br />
theft and financial fraud. The re-emergence<br />
of significant malware families helps attackers<br />
to develop their own methods of gathering<br />
intelligence and understanding vulnerabilities,<br />
to prepare for the delivery of ransomware to<br />
their victims.<br />
Matt Hull, global head of threat intelligence<br />
at NCC Group, comments: "Closing 2023<br />
with over 4,000 global ransomware attacks is<br />
reflective of the sharp rise of cyber-criminal<br />
activity, compared with 2022. Over the year<br />
we've seen the development of sophisticated<br />
attack methods, allowing both new and old<br />
threat groups to exploit vulnerabilities of<br />
victims across a range of sectors and, in particular,<br />
present threats to healthcare where we've<br />
seen notable successful attacks over the last<br />
12 months, with vast volumes of data being<br />
compromised."<br />
Matt Hull, NCC Group: sharp rise seen<br />
in cyber-criminal activity in 2023.<br />
penetration testing<br />
PUT TO THE TEST<br />
WITH PENETRATION TESTING USED TO IDENTIFY THE LEVEL OF TECHNICAL RISK<br />
EMANATING FROM SOFTWARE AND HARDWARE VULNERABILITIES, MIGHT THIS BE<br />
SOMETHING THAT EVERY ORGANISATION SHOULD BE IMPLEMENTING?<br />
Typically, penetration tests are<br />
widely employed to identify the<br />
level of technical risk emanating<br />
from software and hardware vulnerabilities.<br />
Exactly what techniques are used,<br />
what targets are allowed, how much<br />
knowledge of the system is given to<br />
the testers beforehand and how much<br />
knowledge of the test is given to system<br />
administrators can vary within the same<br />
test regime.<br />
However, according to the National<br />
Cyber Security Council (NCSC), such<br />
testing can deliver a multitude of<br />
paybacks. "A well-scoped penetration test<br />
can give confidence that the products<br />
and security controls tested have been<br />
configured in accordance with good<br />
practice," points out the council, "and<br />
that there are no common or publicly<br />
known vulnerabilities in the tested<br />
components, at the time of the test."<br />
PRIOR KNOWLEDGE<br />
In an ideal world, you should know what<br />
the penetration testers are going to find,<br />
before they find it, adds the NCSC. "Armed<br />
with a good understanding of the vulnerabilities<br />
present in your system, you<br />
can use third-party tests to verify your<br />
own expectations.<br />
"Highly experienced penetration testers<br />
may find subtle issues, which your internal<br />
processes have not picked up, but this<br />
should be the exception, not the rule.<br />
The aim should always be to use the<br />
findings of a penetration test report<br />
to improve your organisation's internal<br />
vulnerability assessment and management<br />
processes."<br />
WHAT SHOULD A TESTING<br />
REGIME LOOK LIKE?<br />
"It's critically important to note that a<br />
planned penetration test doesn't mean<br />
your normal testing regime should cease<br />
to include security tests on the target<br />
system," cautions the NCSC. "Functional<br />
testing of security controls should still<br />
occur. Assessing whether defined security<br />
controls are functioning is not a valuable<br />
use of penetration testing resources."<br />
A functional testing plan should always<br />
include positive tests (such as 'The logon<br />
box comes up every time that you attempt<br />
to log in and you aren't just allowed in').<br />
"Negative testing may be included in your<br />
functional testing plan where the skills<br />
to perform it are available within your<br />
organisation (for example, verifying that<br />
'You can't log in without the correct<br />
password')."<br />
A typical penetration test, according to<br />
the NCSC, will follow this pattern: Initial<br />
engagement, scoping, testing, reporting<br />
and follow-up. There should be a severity<br />
rating for any issues found. For this<br />
model, it is assumed that:<br />
• You wish to know what the impact of<br />
an attacker exploiting a vulnerability<br />
would be and how likely it is to occur<br />
• You have an internal vulnerability<br />
assessment and management process.<br />
"You should ensure the external team has<br />
the relevant qualifications and skills to<br />
perform testing on your IT estate. If you<br />
have any unusual systems (mainframes,<br />
uncommon networking protocols, bespoke<br />
hardware etc), these should be highlighted<br />
in the bid process, so the external teams<br />
know what skill sets will be required."<br />
I.T. SYSTEMS RELIANCE<br />
Today, virtually all organisations have come<br />
to rely on their IT systems to carry out day-to-day<br />
business operations and support<br />
customers, points out Martin Walsham,<br />
director of cyber security, AMR CyberSecurity,<br />
so they are also dependent upon the<br />
confidentiality, integrity and availability<br />
of their systems to protect their brand<br />
reputation, avoid business disruption, and<br />
protect customer information and trade<br />
secrets.<br />
"Equally, all organisations are at risk of<br />
cyberattack," he points out, "including<br />
hacktivists, disgruntled employees, hostile<br />
foreign intelligence and cyber criminals<br />
seeking financial gain, for example."<br />
So, how does an organisation check<br />
that its security posture is up to scratch?<br />
"Penetration testing is a good start," he<br />
confirms. "A penetration test is a systematic<br />
security test of a hardware or software<br />
component or IT system that tests the<br />
current security posture and identifies<br />
security vulnerabilities. Penetration testing<br />
is becoming widely recognised as an effective<br />
security tool and something many<br />
organisations now regularly carry out."<br />
When a penetration test should be carried<br />
out, the type of testing carried out and the<br />
frequency of testing is influenced by several<br />
factors, such as the organisation's size,<br />
maturity and the industry in which they<br />
operate.<br />
"We are seeing increased uptake in penetration<br />
testing, especially in more regulated<br />
sectors, such as finance and healthcare -<br />
and areas where there is a higher need for<br />
greater security, such as those concerned<br />
with critical national infrastructure," adds<br />
Walsham.<br />
CONTRACTUAL OBLIGATIONS<br />
"Nowadays, many large organisations and<br />
government departments have specific<br />
contractual requirements for security<br />
penetration testing as part of their supply<br />
chain assurance. The UK healthcare industry<br />
requires supplier organisations to<br />
carry out penetration testing to meet the<br />
DTAC standard."<br />
The Digital Technology Assessment<br />
Criteria (DTAC) for health and social care<br />
gives staff, patients and citizens confidence<br />
that the digital health tools they use meet<br />
its clinical safety, data protection, technical<br />
security, interoperability and usability and<br />
accessibility standards. The DTAC brings<br />
together legislation and good practice<br />
in these areas and serves as the national<br />
baseline criteria for digital health technologies<br />
entering and already used in the<br />
NHS and social care.<br />
Another example that Walsham offers is<br />
the payment card industry, which requires<br />
organisations that take payment card<br />
transactions to comply with the PCI DSS<br />
(Data Security Standard), which has a<br />
specific requirement for security penetration<br />
testing.<br />
BENEFITS OF REGULAR TESTING<br />
There are a wide range of benefits to be<br />
enjoyed by organisations that carry out<br />
regular penetration tests, he says.<br />
"Fundamentally, a penetration test reveals<br />
gaps in organisational security posture,<br />
which can then be improved. By testing<br />
whether a security architecture is operating<br />
as expected, free from known vulnerabilities<br />
and security configuration errors,<br />
an organisation will improve its security<br />
posture, reduce risk and as a result<br />
likely reduce the number and<br />
severity of IT security<br />
incidents.<br />
"By building security<br />
testing into the<br />
development lifecycle,<br />
organisations can<br />
identify and address<br />
security issues early on - leading to fewer<br />
project delays and requirements for<br />
rework, while reducing product<br />
vulnerabilities."<br />
BETTER PAYOFF<br />
Moreover, states Walsham, IT services and<br />
IT system providers are likely to achieve<br />
better responses on bids and RFP<br />
responses, if they can demonstrate that<br />
they have carried out regular penetration<br />
testing of the service or system to be<br />
provided. "When clients, investors and<br />
regulators are aware of an organisation's<br />
regular pen testing schedule, this leads to<br />
an improved reputation. And who doesn't<br />
want that?"<br />
Martin Walsham, AMR CyberSecurity:<br />
penetration testing is a good way<br />
for an organisation to check if its<br />
security posture is up to scratch.<br />
passwords<br />
SHOULD YOU SAY ‘PASS’ TO PASSWORDS?<br />
WITH GOOGLE MOVING TOWARDS A FUTURE WITHOUT PASSWORDS,<br />
THE PATH HAS BEEN THROWN OPEN FOR OTHERS TO FOLLOW<br />
Alex Laurie, Ping Identity: broken system<br />
that needs to change.<br />
Peter Barker, chief product officer at Ping<br />
Identity, has been quick to identify why<br />
he feels passwords are way past their<br />
'best-before date' and how he hopes Google's<br />
move to a passwordless future will prove to<br />
be an inspirational force for change.<br />
"Passwords have been a persistent security<br />
challenge for the past seven decades, leaving<br />
us susceptible to phishing attacks and the<br />
looming threats of fraud and identity theft.<br />
Consumers increasingly crave greater<br />
convenience, without compromising on<br />
security. The path we must embark on leads<br />
us toward a passwordless future, though<br />
this transition will undoubtedly require time<br />
to be embraced on a grand scale.<br />
"Notably, we have already witnessed the<br />
widespread integration of biometric<br />
authentication methods, such as facial<br />
recognition and fingerprint scans, into our<br />
daily lives. These technologies serve as<br />
stepping stones towards the ultimate goal<br />
of a world where the arduous task of logging<br />
in becomes a thing of the past. However,<br />
to truly reach this passwordless utopia,<br />
the general public needs a better grasp of<br />
the underlying technology.<br />
"In light of these developments," continues<br />
Barker, "Google's decision to champion<br />
passkeys as the default login option couldn't<br />
have come at a better time. Sometimes, it<br />
takes industry giants to take the lead, pushing<br />
for change more assertively."<br />
Meanwhile, Alex Laurie, SVP EMEA at Ping<br />
Identity, points to how passwords also act<br />
as a barrier to achieving a smoother user<br />
experience. "Think back to the number of<br />
times you've been locked out of a site or<br />
app and had to go through the painstaking<br />
process of resetting your password. It's a<br />
broken system that needs to change."<br />
Given such challenges, the most logical path<br />
access management organisations could take<br />
would be towards a passwordless future, he<br />
continues. "While this transition will undoubtedly<br />
require time to be embraced at scale on<br />
both the B2B and B2C side, our research<br />
shows that consumers welcome passwordless<br />
authentication. In the UK, 59% said they'd be<br />
happy to switch website/app/service, if a<br />
passwordless authentication method was<br />
offered."<br />
Laurie feels that the move away from<br />
passwords, led by major technology firms like<br />
Google and Amazon, is the path that others<br />
now need to follow. "Passkeys signify a significant<br />
leap forward, sparing users from the hassle<br />
of remembering passwords and the constant<br />
worry of someone stealing them. This proactive<br />
move promises to reduce fraud, and<br />
usher in a simpler, faster and more secure user<br />
experience that we can all benefit from."<br />
endpoint protection<br />
GETTING STRAIGHT TO THE (END)POINT<br />
ENDPOINT PROTECTION IS REGARDED AS A 'MUST HAVE' WHERE CYBER THREATS ARE CONCERNED.<br />
BUT HOW DO YOU SET ABOUT IDENTIFYING THE SYSTEM THAT IS RIGHT FOR YOUR ORGANISATION?<br />
An endpoint protection platform (EPP)<br />
is a solution deployed on endpoint<br />
devices to prevent file-based malware<br />
attacks, detect malicious activity, and provide<br />
the investigation and remediation capabilities<br />
needed to respond to dynamic security<br />
incidents and alerts.<br />
Expanding on this EPP take, Gartner<br />
continues: "Detection capabilities will vary,<br />
but advanced solutions will use multiple<br />
detection techniques, ranging from static<br />
IOCs to behavioural analysis. Desirable EPP<br />
solutions are primarily cloud-managed,<br />
allowing the continuous monitoring and<br />
collection of activity data, along with the<br />
ability to take remote remediation actions,<br />
whether the endpoint is on the corporate<br />
network or outside of the office. In addition,<br />
these solutions are cloud-data-assisted,<br />
meaning the endpoint agent does not have<br />
to maintain a local database of all known<br />
IOCs, but can check a cloud resource to<br />
find the latest verdicts on objects that it is<br />
unable to classify."<br />
In the company's 'Hype Cycle for Endpoint<br />
Security, 2023' report (Franz Hinner, Satarupa<br />
Patnaik, Eric Grenier, Nikul Patel), Gartner<br />
offers several key insights into endpoint<br />
protection and why it matters.<br />
"Endpoint security innovations focus on<br />
faster, automated detection and prevention,<br />
and remediation of threats powering<br />
integrated, extended detection and response<br />
(XDR) to correlate data points and telemetry<br />
from solutions such as endpoint, network,<br />
web, email and identity. Methods to provide<br />
lightweight, secure remote access remain in<br />
demand driving desktop as a service (DaaS)<br />
and endpoint and browser isolation for<br />
increased control and security posture.<br />
"We see continued adoption of zero-trust<br />
network access (ZTNA), increasingly as a part<br />
of security service edge (SSE) or a wider<br />
secure access service edge (SASE). This<br />
enables application access from any device<br />
over any network, with minimal impact on<br />
user experience."<br />
The Hype Cycle for Endpoint Security tracks<br />
developments that help security executives<br />
defend their companies. Two tendencies<br />
occur when technology evolves, says Gartner:<br />
• New endpoint technologies include endpoint<br />
access isolation, endpoint-agnostic<br />
workspace security, along with endpoint<br />
protection toolset integrations and<br />
upgrades<br />
• Net new security investments may focus<br />
on new technologies and suppliers since<br />
most purchasers consolidate vendors.<br />
"The operational burden of deploying<br />
internal people for threat hunting demands<br />
greater signal correlation and automation of<br />
reaction to counter sophisticated, targeted<br />
attacks. This Hype Cycle shows XDR spreading<br />
again. Unified endpoint security (UES), which<br />
integrates endpoint protection platform (EPP)<br />
and MTD security assets, is rising in this Hype<br />
Cycle. While usage is limited, endpoint<br />
operations solutions that configure devices<br />
for consistency of control and speedy<br />
remedial activities are anticipated to grow.<br />
"Endpoint detection and response (EDR)<br />
adoption continues as EPP matures. This year,<br />
business email compromise (BEC) security<br />
will detect compromised accounts to prevent<br />
phishing. Network-based secure web gateways<br />
(SWGs) also prevent endpoint attacks,<br />
especially cloud-based ones. SSE is absorbing<br />
SWG capabilities," states Gartner.<br />
NEW SKILLS MATURE AND SPREAD<br />
"Bring your own PC (BYOPC), unified endpoint<br />
management (UEM) and DaaS are mature in<br />
tackling access and endpoint isolation issues,<br />
but they are rigid, encouraging technologies<br />
like enterprise application integration (EAI)<br />
to ascend the hill. SSE empowers ZTNA to let<br />
any device access any app over any network.<br />
ZTNA alone exposes endpoints to online<br />
attacks and loses control of SaaS programs.<br />
ZTNA, SASE and new zero-trust philosophy<br />
implementations, like automated moving<br />
target defence (AMTD), are being embraced<br />
at different paces. Edge security services are<br />
touted. Buyers want platform-wide security<br />
tools. UES products encompass phones,<br />
tablets and PCs. Attack surface management<br />
(ASM) and breach simulation<br />
provide unique adversary engagement<br />
and understanding. XDR uses several<br />
domains and data to identify threats<br />
faster."<br />
Transformational Technology: Gartner<br />
has seen SASE defend any application,<br />
network and endpoint, it reports. "Security<br />
executives should use SASE to combine<br />
network security point solutions like SWG,<br />
cloud access security broker (CASB) and<br />
ZTNA with SD-WAN transformations and<br />
couple with other endpoint security to<br />
secure endpoints, regardless of location."<br />
Key Technologies: As XDR grows, Gartner<br />
expects commercial and technological<br />
application cases. "These applications<br />
simulate bogus assaults to identify<br />
hazards quickly. Endpoint detection and<br />
response, UEM, and DaaS solutions will<br />
become essential for BYOPC security, UES<br />
and XDR. Endpoint malware protection<br />
needs improvement. As generative AI<br />
advances, corporations will prioritise BEC.<br />
Attack surface assessment (ASA) and<br />
breach attack simulation (BAS) are part<br />
of a complete endpoint strategy. Attack<br />
surface management (ASM) uses XDR<br />
telemetry to catalogue attack surfaces<br />
without using ASA or BAS, or creating<br />
new deceptive technological use cases.<br />
These technologies and exposure management<br />
(EM) let defenders cross-correlate<br />
detection and attack behaviour, and teach<br />
machine learning and deep learning<br />
algorithms new methods through<br />
behaviour pattern improvement."<br />
OFF THE HYPE CYCLE<br />
Secure Corporate Data Transmissions: "Virtual<br />
private network (VPN) architecture has<br />
matured into a well-understood and reliable<br />
solution for remote access problems. The<br />
growing importance of ZTNA ideas and SASE<br />
tools means that VPN-based secure business<br />
data transfers are exiting the Hype Cycle.<br />
Contextual, dynamic access restrictions for a<br />
wide range of remote employees, enabled by<br />
deploying these solutions in addition to, or in<br />
substitute of, current VPN infrastructure."<br />
Business Impact: "Existing security products<br />
will continue to provide enterprises with<br />
increasingly sophisticated levels of protection,<br />
access control and reporting analytics," advises<br />
the research. However, many of these products<br />
will extend functionality to support browsers<br />
via strategic partnerships, integrations or<br />
browser extensions. Enterprise browsers are<br />
not likely to replace existing security controls<br />
throughout the enterprise, but rather extend<br />
the reach of these tools for additional use-case<br />
coverage.<br />
Drivers:<br />
• Enterprise browsers are embracing the<br />
new remote-work paradigm to consolidate<br />
secure remote access for contractors,<br />
suppliers and branch locations relying<br />
on non-standardised equipment<br />
• Existing security solutions often struggle<br />
to support unmanaged devices. This is an<br />
area where enterprise browsers have found<br />
early traction in the market, by providing<br />
an acceptable level of secure remote access<br />
that is able to maintain a mostly familiar<br />
end-user experience<br />
• Small and midsize organisations are also<br />
expected to be early adopters of this<br />
technology. Organisations with simpler<br />
environments and requirements may see<br />
early opportunities to displace existing or<br />
add new security controls with an enterprise<br />
browser as a cheaper, centrally<br />
managed option that immediately raises<br />
their maturity level<br />
• Many security vendors already offer<br />
integration with browsers via extensions,<br />
while others have sought strategic partnerships<br />
and integrations with browser manufacturers.<br />
Enterprise browsers represent<br />
a new way of delivering security services to<br />
an organisation, which extend the edge of<br />
traditional network security solutions.<br />
OBSTACLES:<br />
Free browsers are ubiquitous, to the point<br />
that organisations must have specific use<br />
cases to justify the purchase of a separate<br />
browser. These justifications will become<br />
easier to identify as enterprises begin to realise<br />
the extensible and flexible enterprise security<br />
and management potential of the browser.<br />
However, it is unlikely most companies will<br />
dedicate budget to an enterprise browser<br />
without the ability to offset that spend<br />
elsewhere.<br />
Larger organisations with mature<br />
cybersecurity and infrastructure operations<br />
are advised that they may find it impractical<br />
to reduce the complexity of their existing<br />
environments with enterprise browsers,<br />
though specific use cases may exist to justify<br />
a relatively small purchase (such as providing<br />
Day 1 access for new organisations gained<br />
through mergers and acquisitions, contractor<br />
access management, or as layered security<br />
controls on top of fragile critical<br />
infrastructure).<br />