CS May-Jun 2024

Computing
Security
Secure systems, secure data, secure people, secure business
Claws into ransomware
What it's like to
be held hostage
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
A world in turmoil
Growing rift between well
protected and vulnerable
leaves no one safe
Threatening times
New hazards looming
over the industry
Getting the evil eyes
Cybercriminals' levels of access
and control are now off the scale
Computing Security May/June 2024

Unlock a
More Secure
Future with
V-Key MFA
• As secure as hard tokens
• Single Sign-On
• Strong protection of crypto keys
• Instant Backup and Restore
• Seamless integration with IDM &
PAM and migration
• Digital Trust Platform
• Jailbreak & Root Detection
• Detection of malware
• Brute Force Attack Protection
• Threat Intelligence
• Meets FIDO2 Standard
• FIPS 140-2, CC EAL3+, SOC 2, OATH
Featuring V-Key
Enhanced Facial
Authentication
Test Drive
V-Key Today
sales@celestix.com
+44 (0)203 900 3737

comment
EC STEPS IN TO DRIVE SUPPORT FOR AI INNOVATION
European start-ups and SMEs
need all the help they can get
to develop AI models, with
more established and resource-rich
organisations forging ahead.
So, it is timely and encouraging to
see that the European Commission
has recently set up an AI office to
enforce new rules on artificial
intelligence systems and support
innovation in AI, as part of a
package of broader measures to
assist those most in need of
support.
Equally importantly, the establishment
of the AI Office signifies a
clear commitment to ensuring that
AI advances closely align with ethical
principles, says Dr Ellison Anne
Williams, pictured right, CEO and
founder of cyber security and data
privacy company Enveil.
"The EU's initiative represents the decisive action needed to drive this technological
advancement. Similar to the White House Executive Order on AI and recent actions by
the G7, these efforts will help address risks, uphold privacy, and prioritise security in the
development and utilisation of AI technologies.
"This leadership includes promoting Privacy Enhancing Technologies (PETs), a family
of technologies that exemplify a proactive approach to safeguarding data privacy and
security, while leveraging the benefits of AI. The global recognition of the importance
of PETs, and its support for entrepreneurs and startups in driving innovation forward, is
commendable."
Brian Wall
Editor
Computing Security
brian.wall@btc.co.uk
EDITOR: Brian Wall
(brian.wall@btc.co.uk)
LAYOUT/DESIGN: Ian Collis
(ian.collis@btc.co.uk)
SALES:
Edward O’Connor
(edward.oconnor@btc.co.uk)
+ 44 (0)1689 616 000
Daniella St Mart
(daniella.stmart@btc.co.uk)
+ 44 (0)1689 616 000
Stuart Leigh
(stuart.leigh@btc.co.uk)
+ 44 (0)1689 616 000
PUBLISHER: John Jageurs
(john.jageurs@btc.co.uk)
Published by Barrow & Thompkins
Connexions Ltd (BTC)
35 Station Square,
Petts Wood, Kent, BR5 1LZ
Tel: +44 (0)1689 616 000
Fax: +44 (0)1689 82 66 22
SUBSCRIPTIONS:
UK: £35/year, £60/two years,
£80/three years;
Europe: £48/year, £85/two years,
£127/three years
R.O.W:£62/year, £115/two years,
£168/three years
Single copies can be bought for
£8.50 (includes postage & packaging).
Published 6 times a year.
© 2024 Barrow & Thompkins
Connexions Ltd. All rights reserved.
No part of the magazine may be
reproduced without prior consent,
in writing, from the publisher.
www.computingsecurity.co.uk May/June 2024 computing security
@CSMagAndAwards
3

Secure systems, secure data, secure people, secure business
Computing Security May/June 2024
inside this issue
CONTENTS
Computing
Security
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
Claws into ransomware
A world in turmoil
Growing rift between well
What it's like to
protected and vulnerable
be held hostage
leaves no one safe
Threatening times
New hazards looming
over the industry
Getting the evil eyes
COMMENT 3
EC support for AI innovation
Cybercriminals' levels of access
and control are now off the scale
NEWS 6
Fraudulent websites spreading malware
New cybersecurity best practice advice
Confidential data shared online
Government taking 'ostrich strategy'
ARTICLES
THE EVIL EYE 14
The vast amounts of personal details now
freely available is giving cybercriminals
untold levels of access and control
A WORLD IN TURMOIL 10
In an interconnected world, the growing
rift between those who are well protected
against attacks and those most vulnerable
suggests that no organisation is entirely
safe
VIRTUOSO TO TAKE CENTRE STAGE 16
Generative AI presenter and deepfake
expert Henry Ajder will be a keynote
THREAT OR TREAT? 18
speaker at this year's Infosec
Artificial intelligence is on course to increase
the volume and heighten the impact of
FACE OFF! 21
cyberattacks over the next two years, warns
When it comes to device-based and
the National Cyber Security Centre, with AI
server-based facial authentication, which,
almost certainly making cyberattacks against
if either, is the more secure?
the UK more impactful
THREATENING TIMES 26
Computing Security zooms in on some
of the latest hazards that the industry is
coming up againsr
INSIDE OUT 22
THE IMPERATIVE FOR ZERO TRUST 29
Embracing digital transformation to gain
66% of organisations questioned believed
access to the cloud's many benefits means
that attacks from the inside were more
computing environments must face
likely than attacks from the outside,
evolving into borderless IT ecosystems
according to the latest research. What are
the workable, effective solutions for
DEMOCRACY UNDER SIEGE 34
mitigating these threats?
Electoral disinformation is expected to
create muddied political landscapes
throughout this year, which will be prime
for exploitation
BIRD'S EYE VIEW OF ATTACK 30
What is it like to be held to ransom? We
BOOK REVIEW
asked several experts to talk us through
TEN DAYS… SEVEN DEADLY SINS...
what typically happens when an attack is
ZERO RI$K 13
carried out
What's not to celebrate when your bank
account gains an extra zero or two over
the festive period?
computing security May/June 2024 @CSMagAndAwards www.computingsecurity.co.uk
4

Layers aren’t just for cakes; they’re
essential in cybersecurity’s secret
recipe for protection!
Bake it happen with VIPRE Security Group. Secure your
bytes before you take a bite with Email Security, Endpoint
Security and User Protection
www.vipre.com

news
FRAUDULENT WEBSITES BEING USED TO SPREAD MALWARE
Zscaler's ThreatLabz discovered a threat actor creating
Himanshu Sharma,
fraudulent Skype, Google Meet and Zoom websites to Zscaler.
spread malware, beginning in December 2023. The threat
actor spreads SpyNote RAT to Android users and NjRAT and
DCRat to Windows users.
"Our research demonstrates that businesses may be subject
to threats that impersonate online meeting applications,"
says Himanshu Sharma, senior security researcher at Zscaler.
"In this example, a threat actor is using these lures to distribute
RATs for Android and Windows, which can steal confidential
information, log keystrokes and steal files.
"Our findings highlight the need for robust security measures
to protect against advanced and evolving malware threats,
and the importance of regular updates and security patches."
Darren Williams, Blackfog.
CONFIDENTIAL PERSONAL
DATA SHARED ONLINE
Leicester City Council has revealed
confidential personal data was
shared online following a criminal
investigation when it was forced to
disable its phone and computer
systems.
"In the last two weeks, it's become
evident that INC ransom [a multiextortion
operation] have clear intent
when it comes to targeting local
services, with Leicester Council joining
the victim list alongside NHS Dumfries
and Galloway," comments Darren
Williams, CEO and founder of Blackfog.
"The intent of a group like this is
clear: to cause maximum distress and
disruption, with maximum rewards, at
minimal effort. To prevent such attacks
from happening again, councils and
organisations alike must invest in
the latest anti-data exfiltration tools
to secure their data and prevent
ransomware and extortion."
NEW CYBERSECURITY BEST PRACTICE ADVICE RELEASED
CISA and the National Security Agency (NSA) have
Matt Muir, Cado Security.
released five joint Cybersecurity Information Sheets
(CSIs) to provide organisations with recommended best
practices and/or mitigations to improve the security of
their cloud environment(s).
Following the advice, Matt Muir, threat research lead,
Cado Security comments: "It's reassuring to see these
agencies highlight the differences between cloud and onpremise
security practices, along with providing tailored
advice for securing the cloud in particular.
"Hopefully, the advice will give organisations the nudge
they need to recognise the wider threats and implications
of cloud adoption. By taking heed of this advice and
implementing appropriate controls, organisations can
mitigate the pervasive threat of cloud attacks."
THREATLOCKER UNVEILS MDR SERVICE
ThreatLocker has launched a Managed Detection &
Response (MDR) service designed to alert customers
to suspicious or potentially malicious activity occurring
in their environment - shutting down threats within
seconds, the company claims.
Danny Jenkins, CEO & co-founder of ThreatLocker,
comments: "Not only will this provide customers with a
faster response when they don't have 24-hour operation
centres, but it also means that we are improving our
product in a way that allows us to be responsible for
so many customers and the management of their
environments."
Danny Jenkins,
ThreatLocker.
6
computing security May/June 2024 @CSMagAndAwards www.computingsecurity.co.uk

DON’T
SaaSSS
GET YOUR
KICKED! !
TAKE CONTROL NOW AND
PROTECT YOUR SaaS DATA
Global SaaS vendors like Microsoft, Google and Salesforce
don’t assume any responsibility for your data hosted
in their applications. So, it’s up to you to take control
and fully protect your SaaS data from cyber threats or
accidental loss. Arcserve SaaS Backup offers complete
protection for your SaaS data, eliminating business
interruptions due to unrecoverable data loss.
Arcserve SaaS Backup
Complete protection for all your SaaS data.
arcserve.com
The unified data resilience platform

news
MICROSOFT RECENT EMAIL BREACH LABELLED "A STRATEGIC BLOW"
Microsoft have admitted publicly that the recent
Amit Yoran, Tenable.
email breach the company suffered at the hands
of Russian-backed Midnight Blizzard (the same group
that was responsible for the SolarWinds breach)
compromised certain unnamed source code, as well as
customer "secrets" that were communicated via email
with key executives.
Amit Yoran, chairman and CEO, Tenable, has described
the breach as a strategic blow. "By its own admission,
Microsoft's source code and 'other secrets' have been
compromised. Midnight Blizzard isn't some small-time
criminal gang. They are a highly professional Russianbacked
outfit that fully understands the value of the
data they've exposed and how to best use it to inflict
maximum harm. Given Russia's relationship with China
and other strategic adversaries, the consequences get very troubling, very quickly."
Trevor Dearing, Illumio.
GOVERNMENT IS ACCUSED OF
RANSOMWARE 'OSTRICH STRATEGY'
Aparliamentary committee has
accused the government of taking
an "ostrich strategy" by burying its head
in the sand over the national cyber
threat posed by ransomware. The
criticism follows the government
publishing its formal response to a
report from the Joint Committee on the
National Security Strategy (JCNSS) that
warned the government's failures
meant there was a "high risk" the
country faces a "catastrophic
ransomware attack at any moment".
States Trevor Dearing, director of
critical infrastructure at Illumio: "While
there is an obvious need to identify and
remove ransomware, organisations
need to focus on containing an attack
to maintain services. Just as recommended
by the NSA, the UK should
promote a Zero Trust strategy and
apply segmentation to prevent an
attack becoming a catastrophe."
63% OF KNOWN VULNERABILITIES ON HEALTHCARE ORGANISATION NETWORKS
Anew report from Claroty has uncovered what it says is concerning data about
the security of medical devices connected to healthcare organisation networks,
such as hospitals and clinics. 'The State of CPS Security Report: Healthcare 2023'
discovered 63% of CISA-tracked Known Exploited Vulnerabilities (KEVs) on these
networks, reports the company, and that 23% of medical devices - including
imaging devices, clinical IoT devices, and surgery devices - have at least one KEV.
LACK OF TECHNOLOGY INVESTMENT RESTRICTING BUSINESS GROWTH
Almost half (48%) of UK mid-sized enterprises feel
Richard Thompson, ANS.
that not having access to the most advanced
technology is limiting their business growth, according
to new data from UK technology company ANS.
Company CEO Richard Thompson comments on the
report's findings: "All too often, mid-sized enterprises
are left playing catch-up when it comes to accessing
the best tech, while big corporations with greater
financial resources continue to keep the advantage.
Lacking budget, tech recruitment challenges and the
need to keep prices competitive are just some of the
barriers holding UK enterprises back.
"Our mission is to level the playing field, so that all
businesses, regardless of their size, can embrace the
latest technology and take their business to the
next level."
8
computing security May/June 2024 @CSMagAndAwards www.computingsecurity.co.uk

global risks
A WORLD IN TURMOIL
IN AN INTERCONNECTED WORLD, THE GROWING RIFT BETWEEN THOSE WHO ARE WELL PROTECTED
AGAINST ATTACKS AND THOSE MOST VULNERABLE SUGGESTS THAT NO ORGANISATION IS ENTIRELY SAFE
Anew World Economic Forum report
has provided a snapshot of the multifaceted
challenges facing the global
cybersecurity landscape - and it is alarming,
to say the least. While increased geopolitical
tensions and economic instability continue to
concern industry experts, the report, released
in January, spotlights widening cyber inequity
and emerging technologies, such as artificial
intelligence (see feature on pages ??), as key
rising risks for the year ahead in the fastgrowing
cybersecurity sector.
The Global Cybersecurity Outlook 2024
report, developed in collaboration with
Accenture, distils insights of industry experts
and global executives about key cyber trends
that leaders will need to navigate in 2024,
based on a series of surveys carried out
between June and November 2023. Given
the increasingly complex cyber threat
landscape, the report also calls for concerted
collaboration, across borders and industries,
to counter these interrelated threats and
build a more resilient environment.
"As the cyber realm evolves in response
to emerging technologies and shifting
geopolitical and economic trends, so do the
challenges that threaten our digital world,"
says Jeremy Jurgens, managing director,
World Economic Forum, Switzerland. "We
urgently need coordinated action by key
public-private stakeholders, if we are to
collectively address these complex, everevolving
threats and build a secure digital
future for all." The increasingly stark divide
between cyber-resilient organisations and
those that are struggling has emerged as a
key risk for 2024. The number of organisations
that maintain minimum viable cyber
resilience is down 30%, compared to last year.
While large organisations have demonstrated
notable gains in cyber resilience, small and
medium-sized companies showed significant
decline.
This growing inequity is being fuelled by
macroeconomic trends, industry regulation
and, crucially, early adoption of paradigmshifting
technology by some organisations. In
addition, the cyber skills and talent shortage
continues to widen at an alarming rate. Only
15% of all organisations are optimistic about
cyber skills and education significantly improving
in the next two years.
In an interconnected world, this growing
rift means no organisations are completely
safe. According to the report, external
partners are both the greatest asset and
the biggest hindrance to the cybersecurity
of any organisation. In fact, 41% of the
organisations surveyed that suffered a
material incident in the past 12 months
say it was caused by a third party.
In 2023, the world faced a polarised
geopolitical order, multiple armed conflicts,
both scepticism and fervour about the
implications of future technologies, and
global economic uncertainty, points out the
report. "Amid this complex landscape, the
cybersecurity economy1 grew exponentially
faster than the overall global economy, and
outpaced growth in the tech sector. However,
many organisations and countries experienced
that growth in exceptionally different ways.
A stark divide between cyber-resilient
organisations and those that are struggling
has emerged.
"This clear divergence in cyber equity is
exacerbated by the contours of the threat
landscape, macroeconomic trends, industry
regulation and early adoption of paradigmshifting
technology by some organisations.
Other clear barriers, including the rising cost
of access to innovative cyber services, tools,
skills and expertise, continue to influence the
ability of the global ecosystem to build a more
secure cyberspace in the face of myriad
transitions."
These factors are also ever-present in the
accelerated disappearance of a healthy
'middle grouping' of organisations, adds the
report [ie, those that maintain minimum
standards of cyber resilience only]. "Despite
this divide, many organisations indicate clear
progress in certain aspects of their cyber
capability. This year's outlook also finds cause
for optimism, especially when considering the
relationship between cyber and business
executives. These are the major findings from
this year's Global Cybersecurity Outlook and
the key cyber trends that executives will need
to navigate in 2024."
10
computing security May/June 2024 @CSMagAndAwards www.computingsecurity.co.uk

global risks
In parallel, the population of organisations
that maintain a minimum level of cyber
resilience is disappearing. Small and medium
enterprises (SMEs), despite making up the
majority of many country's ecosystems, are
being disproportionately affected by this
disparity:
The number of organisations that maintain
minimum viable cyber resilience is down
by 30%. While many large organisations
demonstrated remarkable gains in cyber
resilience, SMEs showed a significant
decline
More than twice as many SMEs as the
largest organisations say they lack the
cyber resilience to meet their critical
operational requirements
90% of the 120 executives surveyed at the
World Economic Forum's Annual Meeting
on Cybersecurity said that urgent action is
required to address this growing cyber
inequity.
Emerging technology will exacerbate longstanding
challenges related to cyber resilience,
the report also points out. "This will, in turn,
accelerate the divide between the most
capable and the least capable organisations."
As organisations race to adopt new
technologies, such as generative AI,
a basic understanding is needed of the
immediate, mid-term and long-term
implications of these technologies for
their cyber-resilience posture
Fewer than one in 10 respondents believe
that, in the next two years, generative AI
will give the advantage to defenders over
attackers
Around half of executives, according to
the report, say advances in adversarial
capabilities (phishing, malware, deepfakes)
present the most concerning impact of
generative AI on cyber.
CYBERWARFARE 'A RECURRING THEME'
Bernard Montel, EMEA technical director and
cybersecurity strategist at Tenable, comments
that the fact this year's WEF Global Risks
Report, ranking 'cyber insecurity' in its top five
of the most severe risks over the next two
years, isn't surprising, with the threat of
cyberwarfare a recurring theme throughout
the report, as well as the 'rapid integration
of advanced technologies' that are exposing
more organisations and individuals to
exploitation.
He also points out that the widespread
adoption of cloud computing introduces
new levels of vulnerability and management
complexity that can be targeted by bad
actors.
"Particular concern surrounds the use of
Artificial Intelligence (AI) technologies to
boost cyber warfare capabilities, with good
reason," adds Montel. "While AI has made
astronomical technological advancements
in the last 12-24 months, allowing an
autonomous device to make the final
judgement is incomprehensible today.
"While AI is capable of quickly identifying
and automating some actions that need to be
taken, it's imperative that humans are the
ones making critical decisions on where and
when to act from the intelligence AI provides.
"It's also worth noting that AI has a major
role to play in cyber defence. It can be used by
cybersecurity professionals to search for
patterns, explain what they're finding in the
simplest language possible, and help them
decide what actions to take to reduce cyber
risk.
"AI can and is being harnessed by defenders
to power preventive security solutions that cut
through complexity to provide the concise
guidance defenders need to stay ahead of
attackers and prevent successful attacks," he
states. "Harnessing the power of AI enables
security teams to work faster, search faster,
Bernard Montel, Tenable: allowing an
autonomous device to make the final
judgment is incomprehensible today.
Jeremy Jurgens, World Economic Forum: as
the cyber realm evolves, so do the challenges
that threaten our digital world.
www.computingsecurity.co.uk @CSMagAndAwards May/June 2024 computing security
11

global risks
Jurgen Stock, third from left.
analyse faster and ultimately make decisions
faster. "As the report highlights, the threat
of cyber insecurity is heightened with the
evolving motivations driving these attacks -
from monetised criminality all the way to
geopolitical unrest. However, the manifestation
of these threats remains unchanged.
Threat actors are probing for the right
combination of vulnerabilities, cloud
misconfigurations and identity privileges that
allow them to infiltrate and traverse cyber
infrastructure. As defenders, we need to preempt
this: to identify what attack paths exist
and take steps to shut them down before
they can be exploited. Organisations that can
anticipate cyber-attacks and communicate
those risks for decision support will be the
ones best positioned to defend against
emerging threats," he concludes.
NO ONE IS SPARED
"No country or organisation is spared from
cybercrime, yet many are direly underequipped
to effectively face the threats, and
we cannot have effective global response
mechanisms without closing the capacity
gap," says Jürgen Stock, secretary-general of
INTERPOL. "It is crucial that key stakeholders
work collaboratively towards immediate,
strategic actions that can help ensure a more
secure and resilient global cyberspace.
Emerging technologies, such as artificial
intelligence (AI), are another key trend to
watch in this year's outlook. Fewer than one in
10 respondents believe that in the next two
years generative AI will give the advantage to
defenders over attackers and approximately
half of experts surveyed agree that generative
AI will have the most significant impact on
cybersecurity in the next two years. Its rise
is stoking fears among experts about the
exacerbation of long-standing challenges,
with around half of executives saying that AIdriven
advances in adversarial capabilities of
cybercriminals (phishing, malware, deepfakes)
present the most concerning impact of
generative AI on cybersecurity.
Despite these concerns, experts also
highlighted an encouraging increase in focus
on the importance of cybersecurity globally,
particularly at the executive and CEO levels.
The incorporation of cyber resilience into
organisational risk management is also
becoming more common, as per the report.
"Cyber resilience is increasingly dependent on
a C-suite team that closely collaborates and
communicates security priorities across the
business and the industry," Paolo Dal Cin,
global lead, Accenture Security. "This approach
provides a clear view of cyber risks and allows
security to be embedded from the start in all
strategic business priorities as well as across
third parties, vendors and suppliers."
A stark divide between cyber-resilient
organisations and those that are struggling
has emerged. This clear divergence in cyber
equity is exacerbated by the contours of the
threat landscape, macroeconomic trends,
industry regulation and early adoption of
paradigm-shifting technology by some
organisations. Other clear barriers, including
the rising cost of access to innovative cyber
services, tools, skills and expertise, continue to
influence the ability of the global ecosystem to
build a more secure cyberspace in the face of
myriad transitions.
Meanwhile, the population of organisations
that maintain a minimum level of cyber
resilience is disappearing. Small and medium
enterprises (SMEs), despite making up the
majority of many country's ecosystems, are
being disproportionately affected by this
disparity.
KEY TRENDS TO NAVIGATE
Key cyber trends identified in the report that
executives will need to navigate in 2024
include:
The number of organisations that maintain
minimum viable cyber resilience has fallen
by 30%. While large organisations
demonstrated remarkable gains in cyber
resilience, SMEs showed a significant
decline.
More than twice as many SMEs as the
largest organisations say they lack the
cyber resilience to meet their critical
operational requirements.
90% of the 120 executives surveyed at the
World Economic Forum's Annual Meeting
on Cybersecurity said that urgent action is
required to address this growing cyber
inequity.
Ultimately, the WEF concludes, "raising
systemic resilience - all organisations closing
the inequities that divide and improving the
resilience of what connects - is not only the
most pressing requirement; it is the greatest
responsibility".
12
computing security May/June 2024 @CSMagAndAwards www.computingsecurity.co.uk

ook review
TEN DAYS… SEVEN DEADLY SINS... ZERO RI$K
WHAT'S NOT TO LIKE WHEN YOUR BANK ACCOUNT GAINS AN EXTRA ZERO OR TWO AT CHRISTMAS?
When customer complaints on
Christmas Eve herald not a
botched system upgrade, but
the most sophisticated cyber-attack
in history, new National Bank CEO
Rob Tanner finds himself in the eye
of a 'Black Swan' storm that no one
predicted, but anyone could have
anticipated.
Tanner enlists the help of brilliant
American computer security expert
Ashley Markham, but the attacks only
worsen: bank balances rise remorselessly
and spread to all the nation's banks.
The only clue to the hacker's intentions
are cryptic emails that continually taunt
Tanner and newly incumbent Prime
Minister James Allen.
With financial markets - and the very
world as he knows it - on the brink of
collapse, Tanner races against the clock
to decode not just the bizarre emails,
but also their deeper meaning, and the
implications for whom he can really
trust. All the while, his former boss,
'The Toad', is seeking revenge... and
answers of his own.
This intriguing, multi-layered debut
thriller follows the story of a disillusioned
banker facing the unthinkable -
where money no longer has any value,
financial markets are meaningless and
the economy is destroyed. Tanner must
unravel the mystery of the hacker's
obsession with Hieronymus Bosch's
medieval representation of the seven
deadly sins before modern society
returns to the dark ages. This is
definitely a page turner and perfect
for fans of Dan Brown, Sam Bourne,
Christopher Reich and Robert Harris,
addressing many of the key issues that
we are all now facing:
Our dependence on technology in
daily life
The risks of cyber-terrorism
Speaking truth to power
A modern take on the seven deadly
sins.
The book moves between various locations
from London, Tanzania and Switzerland.
ABOUT THE AUTHOR
Simon Hayes is a seasoned professional,
with a diverse background spanning
financial services, executive search and
consultancy. With more than three
decades of international experience,
he has lived in the US, Tokyo and Hong
Kong. He began his career with Bank of
Boston, Morgan Grenfell and James
Capel, before spending much of the 90s
in Asia, serving as head of equity
research for Warburg in Japan and later
as managing director for Salomon Bros
and UBS in Hong Kong.
A law graduate of Trinity Hall,
Cambridge, Hayes is recognised as
a top-ranked securities analyst by
Extel and II, and later as the 'Best
Headhunting Executive' in Japan by
Asiamoney. He has also been an
executive coach, mentor and financial
consultant, spending much of 2023 in
Zimbabwe on a major fraud case.
PRINT FACTS
Publisher: The Rubriqs Press
ISBN: 9781738462407
Price: HB: 16.99; EB: £4.99
www.computingsecurity.co.uk @CSMagAndAwards May/June 2024 computing security
13

on-line exposure
THE EVIL EYE
THE VAST AMOUNTS OF PERSONAL
DETAILS NOW FREELY AVAILABLE
ON SOCIAL PLATFORMS - BACKED
UP BY AI TOOLS - IS GIVING
CYBERCRIMINALS LEVELS OF
ACCESS AND CONTROL THAT NOT
LONG AGO WOULD HAVE BEEN
THOUGHT UNIMAGINABLE
James Dyer, Egress: threat actors are now
rubbing their hands with glee.
New research warns that, in 2024, QR
code hacks or 'quishing' will increase;
use of AI to create content for spam
emails including deepfakes will rise; highly
personalised social media mining will grow
further; and a wide array of file types and
formats - especially EML - will be used to
propagate phishing and malware attacks.
Such is the warning from James Dyer, threat
intelligence lead at Egress. How can we guard
against such attacks?
"As we share our lives on the internet, threat
actors are rubbing their hands with glee," he
says. "Concerns continue to grow about the
volume of personal details readily available on
social platforms, as well as how cybercriminals
can use generative AI tools to exploit this
data. Cybergangs have increasingly turned to
open-source intelligence (OSINT) for cyber
surveillance, using social media sources to
deep dive [with very little time and cost] into
an individual's job role, social connections and
personal interests, with the intention of
creating hyper-personalised phishing emails
that persuade recipients to reveal sensitive
information or transfer funds."
Unequivocally, AI tools and chatbots have
sped up the process between reconnaissance
and attack, he adds. "Threat actors have
been able to automate the analysis of data
collected through OSINT and social media to
quickly tailor phishing emails with convincing
personalisation. Our recent research reinforces
the concerns cybersecurity teams have,
as 61% of cybersecurity leaders are losing
sleep over AI chatbots being used to create
phishing campaigns, plus 63% are specifically
concerned about deepfakes."
To safeguard data, a clear first step is to
conduct a self-assessment through basic
OSINT techniques. "Search your
name, usernames and images
online to gauge the extent of your
digital footprint," advise Dyer.
"Depending on your findings, consider
adjusting your social media privacy
settings to limit attackers' access to personal
information. With the growing threat of
deepfakes, it is also good to be cautious
about sharing videos online to prevent
potential exploitation of your voice.
"When taking practical steps to minimise
possible attack routes, it is sensible to reduce
the number of email newsletters you sign
up for and make sure unused social media
accounts are deactivated. Ultimately, attackers
can't use your data if there is less of it readily
available to steal."
ON THE DEFENCE
John Scott, lead cyber security researcher at
CultureAI, is in agreement that the rise of
generative AI, deepfakes and QR phishing
has undeniably diversified and evolved the
threat landscape. "While the volume and
sophistication of the attacks may increase,
the underlying principles of these attacks
remain unchanged. This means that defensive
strategies can also equally stay largely the
same. While it sometimes may feel like we are
under siege, it's important to remember that
this is the new normal.
"The immense benefits the internet provides
are not without cost. As new technologies
appear, cybercriminals will seek to exploit
them for their benefit. We are now all
navigating a complex world where caution
and vigilance are essential. As technical
defences strengthen and are switched on by
default, cybercriminals attack by exploiting
our sense of urgency, pushing people for
14
computing security May/June 2024 @CSMagAndAwards www.computingsecurity.co.uk

on-line exposure
risk management platform becomes invaluable,
integrating with your tech stacks
and flagging workplace risks, such as
sharing personal information in public chat
channels or reusing passwords across SaaS
applications. With these insights, security
teams can deliver targeted education in the
moment and either automatically fix risks or
nudge employees to do so themselves with
one click."
hasty responses, which may lead to errors and
security breaches."
For individuals, the most effective defence
strategy is to slow down, states Scott. "Taking
a moment to question the logic behind a
request and double-checking can confirm its
legitimacy. It's almost always better to act
safely, rather than swiftly to reduce the
chances of being pushed into making an
error. That said, we must also accept that
mistakes are inevitable. We're only human,
after all. "
Our human response needs to be one part
of a comprehensive, multi-layered approach
to cyber security, he argues. "Each layer of
defence might have vulnerabilities, but, when
combined, they cover each other's gaps and
form an effective barrier. For organisations,
processes are vital. They provide structure and
clarity, defining what each employee can and
cannot do. While these processes might
introduce some friction, it's a necessary
inconvenience and a small price to pay
for enhanced security."
The 'security by design' concept is integral
in this context. "It encapsulates the idea
of building robust and failsafe systems,
acknowledging that human errors are
inevitable. This is where an effective human
Remember, people alone cannot be the
sole line of defence, he concludes. "While
their awareness and actions matter, it's the
combination of people, processes and
technology that forms the most effective
defence against all cyber threats."
CODE ALERT
"How often do you scan a QR code without
a second thought? "They're now so integrated
into our everyday lives for uses such as
checking menus, parking our cars or getting
into events," comments Edgar Zayas, director
global advisory, BioCatch. "However, there's
a dark side to QR codes becoming more
commonplace - they're being exploited by
fraudsters. The BBC recently found that there's
been a nearly 50% increase in QR code scams
in just three years."
Scammers are creating fake QR codes and
sneaking them into public spaces, he says,
hoping that someone takes the bait. "Once
scanned, webpages can look identical to
the real thing, opening the door to phishing
attacks, malware downloads, payment scams,
or even data interception.
"Over 80% of UK consumers buy products
and services online, so it's safest to always
approach scanning QR codes with caution.
Confirm they're legit, check for alterations
and scrutinise the URL. If you do fall foul
to quishing, banks should have the right
technology in place, such as behavioural
biometric intelligence, to know when it's not
you and protect your accounts. However,
ultimately, prevention is better than cure."
John Scott, defensive strategies can also
equally stay largely the same.
Edgar Zayas, BioCatch: how often do you
scan a QR code without a second thought?
www.computingsecurity.co.uk @CSMagAndAwards May/June 2024 computing security
15

events
VIRTUOSO TO TAKE CENTRE STAGE
GENERATIVE AI PRESENTER AND DEEPFAKE EXPERT HENRY AJDER
WILL BE A KEYNOTE SPEAKER AT THIS YEAR'S INFOSEC SHOW
Henry Ajder, a leading generative AI
presenter and deepfake expert, will
be a keynote speaker at this year's
Infosec. His opening presentation, which
takes place on Tuesday, 4 June, will cover
generative AI and the impact on the cyber
security industry.
Ajder will then be joined by Tope
Olufon, senior analyst, Forrester, in a chat
session, 'Wading through AI overload -
where are we going and what are you
doing?'. This will be seeking to address
the sensationalism and speculation within
the industry. They will discuss where the
business needs lie for AI, how AI is being
adopted and how to ensure AI-generated
information is trustworthy.
"I'm very much looking forward to
sharing insights with leading cybersecurity
professionals on the fastevolving
deepfakes and GenAI landscape,"
says Ajder, "helping them to
understand the potential opportunities
and challenges that arise with the
integration of AI into cyber. AI's role is
no longer theoretical or a small segment,
but a critical part of the threat and
defence innovation landscape. Learning
how to navigate the GenAI paradigm
shift is essential to excelling in the
cybersecurity industry both now and
for an increasing AI centred future."
AI HOPES AND FEARS
Meanwhile, Infosecurity Europe has
launched its '2024 Cybersecurity Trends'
report, which has uncovered findings
into the current use of AI within
organisations, expectations for future
use and the risks that it presents. The
research found that 50% of surveyed
IT security decision makers admitted
fearing that AI will lead to more
attacks, a testament to the
widespread impact of the
technology for both security
professionals and threat
actors alike. Generative AI,
ransomware and social
engineering are the
threats most likely to
keep CISOs up at night,
with over a third of
survey respondents
saying these issues were
driving investment in cybersecurity.
Despite the threat of attack, more than
half (54%) responded that their organisations
planned to integrate AI as part of
their cybersecurity strategy in the next 12
months. There was clear optimism that
AI would have a positive impact on cyber
professionals, with 42% agreeing that the
technology would result in faster training,
broader awareness and better education.
With this in mind, generative AI could play
a significant role in helping to bridge the
skills gap in cybersecurity.
According to the report, some 44% of
respondents believe that AI will give their
workforce the bandwidth to focus on
future planning and business growth,
which may be as a direct consequence
of AI increasing automation within
organisations. However, regulatory and
ethical concerns could squeeze the brakes
on some of this enthusiasm, with almost
half of respondents stating that legislative
challenges and moral dilemmas will slow
their adoption of AI.
Nicole Mills, exhibition director at Infosecurity
Group, adds: "AI is completely
transforming the way we do things in the
workplace, but cybercriminals are also
taking advantage of this evolving tech. Our
survey highlights the AI risks to business,
but it's great to see so many looking to
integrate AI into their cybersecurity
strategies over the coming year."
You can Register here to attend
Infosecurity Europe 2024.
For more information about the event
itself, visit here.
16
computing security May/June 2024 @CSMagAndAwards www.computingsecurity.co.uk

Simplify work,
protect devices
and data
with Jamf’s award-winning solution
Trusted Access is Jamf’s vision for
a zero trust experience that users
love and organisations trust. Only
authorised users, on enrolled devices
that are secure and compliant,
can access sensitive data.
Visiting Black Hat Europe
on 6–7 December?
Join us at stand 513.
www.jamf.com
REQUEST
Y O U R
F R E E
TRIAL
TODAY

artificial intelligence
THREAT OR TREAT?
HOW ACCURATE MIGHT ELON MUSK, OWNER OF X AND TESLA, BE
WHEN HE SAYS AI IS ONE OF THE "BIGGEST THREATS" TO HUMANITY?
Artificial intelligence is on course to
increase the volume and heighten the
impact of cyberattacks over the next
two years. That is the assessment of the
National Cyber Security Centre (NCSC), which
also concludes: "AI will almost certainly make
cyberattacks against the UK more impactful,
because threat actors will be able to analyse
exfiltrated data faster and more effectively,
and use it to train AI models."
In the face of such dire predictions, are there
any positives to be found that can rebalance
the AI equation? Can the technology itself be
used effectively to outsmart these dangers? If
so, how is that likely to take shape and who
will drive it? Might it even be an existential
threat?
FOCUS ON CYBERSECURITY
What governments and organisations really
need to engage with, rather than the
existential question, is the many opportunities
that AI presents to industry, comments Keiron
Holyome, VP UKI & emerging markets,
BlackBerry Cybersecurity. "We need to focus
on the more immediate issues at hand. What
are those immediate threats? Copyright
infringement and spread of disinformation,
yes, but - arguably - cybersecurity is the
greater priority."
Numerous examples show how AI-powered
cybersecurity breaches can threaten national
security, cripple national infrastructure, cause
widespread panic and spread disinformation,
as well as costing millions in recovery, he says.
"We know that adversaries are deploying AI
to make cyberattacks more sophisticated and
successful, ramping up their volume, reach
and efficacy. The latest BlackBerry Threat
Report cited 3.7 new malicious samples
of novel malware detected every minute.
"The data indicates the use of AI by threat
actors, meaning that, for effective defence,
organisations now have no choice but to look
well beyond human-only capabilities. In use
against governments, businesses and citizens
on a daily basis, AI is making cybercriminals
more dangerous - and arguably more deadly -
than ever before."
But, as well as posing a significant threat,
AI is also cybersecurity's greatest leveller, he
believes. "It's a necessary technology for
modern cyber protection and essential in
the fight against malicious use - and it's
critical that policy supports innovation and
opportunity. AI protection takes cybersecurity
to another level; enabling predictive, preventative
action that stops would-be attacks at the
door. It saves time and money, reducing the
load on IT resources and helping to counter
the growing shortage of cyber skills around
the world."
EMAIL ATTACKS
"With social engineering attacks, like business
email compromise (BEC), having already
exposed losses of more than $50 billion
over the past decade, it is clear that email
continues to be a major threat vector in
organisations today," states Mike Britton,
CISO, Abnormal Security. "The proliferation
of generative AI tools like ChatGPT have only
catalysed modern phishing attacks, enabling
threat actors to create personalised and
seemingly authentic content that is often
hard to distinguish from human-generated
content."
Not only are AI-generated email attacks
more likely to deceive their recipients, they
are also likely to bypass traditional security
measures that rely on detecting known threat
signatures. "To combat the threat of AIgenerated
email attacks, organisations will
need to amp up their own defensive AI
capabilities," he adds. "We need to evolve
beyond legacy systems like secure email
gateways, which look for known-bad
behaviours like malicious links, blocked
senders or bad IP addresses, and instead use
behavioural models to learn the known-good
behaviours in an organisation's email
environment-things like each user's typical
communication patterns or sign-in activity."
AI then acts as a key line of defence by
detecting anomalous behaviour that may
indicate a potential attack, automatically
remediating those suspicious emails before
they reach end users. "This means that
security teams could block sophisticated email
attacks, even if they are AI-generated, appear
highly realistic and omit traditional indicators
of compromise. Measures like password
management, multi-factor authentication,
and privilege and permissions management
can provide a final safety net, helping to
18
computing security May/June 2024 @CSMagAndAwards www.computingsecurity.co.uk

artificial intelligence
reduce the attack surface and prevent further
havoc, if attackers are able to infiltrate the
network."
ALTERED LANDSCAPE
In 2023 alone, half of UK businesses reported
suffering some form of cybersecurity breach,
including the high-profile ransomware attack
on the British Library, states Matt Frye, head
of pre-sales and education at Hornetsecurity.
"The recent research from the NCSC [National
Cyber Security Centre], that Generative AI tools
will aid amateur cybercriminals to launch more
sophisticated attacks, is alarming - but not at
all surprising for professionals in the sector.
The rise of Generative AI has permanently
changed the cybersecurity threat landscape
for businesses in the UK. We've seen a rise in
sophisticated attacks, such as phishing, which
currently account for 43.3% of attacks.
"The rise is partially due to the development
of malicious kinds of widely used large
language models (LLMs) such as DarkBERT
and WormGPT. "These programs automate
processes, which means that amateur
cybercriminals can now execute sophisticated
cyber-attacks more easily, faster and with more
precision. They can create far more compelling
and targeted attacks, based on social engineering,
for instance," adds Frye.
THE RACE IS ON
He also says a race has emerged between
malicious actors and cybersecurity specialists,
who are both using AI for different reasons.
"Cybercriminals, armed with sophisticated
AI tools, aim to target organisations at an
unprecedented pace by automating attacks
and adapting new strategies to bypass
traditional defences. On the flip side, cybersecurity
specialists are using AI to enhance
threat detection, response, and mitigation.
"AI can be used as a force for good and it's
essential for cybersecurity professionals to
continue rebalancing the AI equation by
utilising this technology within protection
packages to bolster defences for organisations.
This is something we have been doing
for some years at Hornetsecurity for Advanced
Threat Protection; and solutions like our
Security Awareness Service, for instance, use
machine learning to adapt and evolve per
individual user. AI is valuable for cybersecurity
providers like Hornetsecurity for threat
detection and pattern recognition, which in
turn helps keep organisations safe from cyberattacks."
AI EXPLOITATION
While Frank Catucci, CTO and head of security
research, Invicti Security, doesn't believe AI
poses an existential threat, relative to its
opportunities for good, he recognises that it
is a tool that will be - and already is - used by
threat actors to increase the speed, volume
and methods of attack in a number of ways.
"Using AI tools to aid attacks and attacking AI
tools themselves to poison code or otherwise
inject harmful/malicious elements are both
ways that AI poses a threat to organisations.
Alternatively, AI also holds an unrealised
promise to improve vulnerability detection,
risk assessment, correlation and remediation
of said vulnerabilities.
"Just in the way criminal attackers can use AI,
so can organisations, security vendors and
practitioners use these tools to improve their
defences. For example, using AI to prioritise
vulnerability or risk data and direct teams to fix
issues accordingly, or leveraging AI-enhanced
security tools to speed detection."
The primary issue in fully realising the
opportunities will be in processes or rather
the human element within companies to use
these tools effectively to keep pace with bad
actors. "Where organisations have policies,
protocols and often siloed operations that
can slow innovation," further comments
Catucci, "hackers usually don't follow those
rules, so until organisations can break down
barriers-to-speed safely, they may always be
a step behind."
Keiron Holyome, BlackBerry Cybersecurity:
we need to focus on the more immediate
issues at hand - cybersecurity is the
greater priority.
Mike-Britton, Abnormal Security: to combat
the threat of AI-generated email attacks,
organisations will need to amp up their own
defensive AI capabilities.
www.computingsecurity.co.uk @CSMagAndAwards May/June 2024 computing security
19

artificial intelligence
Frank Catucci, Invicti Security: just as
criminal attackers can use AI, so can
organisations, security vendors and
practitioners use these tools to improve
their defences.
Matt Frye, Hornetsecurity: the rise of
Generative AI has permanently changed
the cybersecurity threat landscape for
businesses in the UK.
DEEP TROUBLE
AI-generated deep fakes are also fast causing
havoc, says Jordan Avnaim, Entrust. "From
allegedly doctored footage of Ukrainian
President Zelenskyy urging soldiers to
surrender, to falsified videos of Donald Trump
being arrested and forged robocalls attributed
to President Biden, the quality of deep fakes
continues to advance.
"As new, more powerful models like Sora
from OpenAI hit the market, this content will
become increasingly convincing. However,
these techniques are being used for more than
just misinformation. In Hong Kong, scammers
recently orchestrated a video conference call,
using deepfakes to impersonate executives of
a multinational firm, convincing a finance
worker to transfer approximately $25 million."
Amidst these challenges lies hope, though,
he adds. "Enhancing identity security is a key
step in fighting AI threats. Decentralised
identity systems can empower individuals by
granting them sole ownership over encrypted
personal data verified via digital keys, without
exposing details to external parties. This type
of set-up enables individuals to store sensitive
attributes in a hardware-protected digital
wallet, rather than databases vulnerable to
breaches.
FIGHTING OFF DEEP FAKES
"Additionally, robust authentication of digital
content is essential to combat deep fakes,"
urges Avnaim. "Creators and publishers will
need more sophisticated authentication
methods to prove content is genuine. Using
automated PKI certificates to digitally sign
media, enabling audiences to verify
authenticity through encryption, could
facilitate this process.
There are several advanced verification
methods available to facilitate this transition.
Today's facial biometrics can reliably match
people to IDs and confirm liveness, ensuring
authenticity while delivering smooth user
experiences. Already seeing rapid growth in
industries like banking and travel, biometrics
can secure transactions and customer
identification with minimal friction.
ATTACK VERSUS DEFENCE
Andrew Bolster, senior manager, research and
development, at the Synopsys Software
Integrity Group, sees cybersecurity, like every
other form of crime, as fundamentally a game
of economics: where the cost of attacking a
valuable asset is less than the cost of
defending it.
"The explosion of Generative AI onto the
security threat landscape has, so far, been an
easier economic 'force-multiplier' for the
attackers, but, as the technology matures, the
pendulum is turning back to the side of the
defender. Attackers are using GenAI to
generate human-like content on a huge scale,
flooding defenders; and they can either get
'lucky' or use this smoke screen to slip in
sophisticated attacks against critical
infrastructure.
"These technologies also apply in later phases
of an attack profile, with attackers able to
rapidly explore and horizontally spread within
a compromised environment, leveraging the
increasingly large context sized of new LLMs
to learn more, faster," he adds.
"But those same technologies are being
deployed to counter this new scale and speed
of threat, much like the arms race between
ticket-bots and CAPTCHAs that precipitated
this same generative AI wave; identifying
'suspicious behaviours' at scale, using the same
wide input space as the attackers."
And, as Bolster points out: "Cybersecurity has
always been an ever-escalating technological
cat-and-mouse game, with the attackers
rapidly adopting new technologies with
abandon and the defenders taking some time
to get off the starting block with a new tool.
"Occasionally, the mouse has the upper hand,
but not for long."
20
computing security May/June 2024 @CSMagAndAwards www.computingsecurity.co.uk

facial authentication
FACE OFF!
WHEN IT COMES TO DEVICE-BASED AND SERVER-BASED FACIAL
AUTHENTICATION, WHICH, IF EITHER, IS THE MORE SECURE?
Device-based facial authentication
and server-based facial authentication
are two methods that are
commonly used for authenticating users
on mobile devices. While both methods
serve the same purpose of verifying
a user's identity, they differ in their
approach and functionality.
"Device-based facial authentication is a
method that relies on the device's builtin
hardware and software to capture
and analyse the user's facial features,"
says Majid Munir, senior cybersecurity
consultant of Celestix Networks, the
digital identity and secure access
company. "When a user sets up facial
authentication on their device, the
device creates a unique facial template
of the user, which is stored locally on
the device. This template is then used
for subsequent authentication attempts.
With device-based facial authentication,
the entire authentication process takes
place on the device itself, without
needing external servers or networks."
One of the main advantages of devicebased
facial authentication is its exclusivity
to the device, he adds. "Since the
facial template is stored locally on the
device, external parties cannot access
or tamper with it. This enhances the
security of the authentication process,
as there is no reliance on external
servers or networks that may be
vulnerable to cyberattacks."
However, device-based facial authentication
also has its limitations. "First,
since the authentication process is
exclusive to the device, users may face
difficulties, if they need to authenticate
using a different device. For example,
if a user loses their device or upgrades
to a new one, they will need to go
through the registration process again
to set up facial authentication on the
new device. This can be inconvenient
and time-consuming for users.
"Another limitation of device-based
facial authentication is that servers
would not know the user's true identity.
Since the authentication process occurs
solely on the device, the server does not
receive any information about the user's
facial features or identity. This can pose
challenges in scenarios where serverside
authentication is required, such
as accessing certain online services or
platforms."
On the other hand, adds Munir, serverbased
facial authentication addresses
these limitations by relying on external
servers to store and process facial
data. With this method, the facial data
captured by the device is transformed
into a Private Key, encrypted and
securely stored on the server-side.
The server then uses this Private Key
to authenticate the user in subsequent
authentication attempts.
"One of the standout features of
server-based facial authentication, such
as the V-Key Smart authenticator, is its
enhanced security and user experience.
With V-Key facial authentication, the
facial data is securely encrypted and
stored in the V-Key cloud. This ensures
the user's facial biometric information is
protected from unauthorised access or
tampering. Furthermore, users do not
need to go through the registration
Majid Munir, Celestix Networks: both
device-based and server-based facial
authentication have pros and cons.
process again, if they change their
devices or lose their device. The
encrypted facial data is already stored
in the V-Key cloud, allowing users to
authenticate with their face again to
regain access simply."
Ultimately, both device-based and
server-based facial authentication have
pros and cons. "Device-based facial
authentication provides a secure and
exclusive authentication process, while
server-based facial authentication offers
enhanced security and a seamless user
experience. The choice between the
two methods finally depends on the
specific needs and requirements of
the users, and the applications they
are accessing."
www.computingsecurity.co.uk @CSMagAndAwards May/June 2024 computing security
21

insider threats
INSIDE OUT
INSIDER THREATS HIT MORE THAN 34% OF COMPANIES WORLDWIDE EVERY YEAR. UNLESS ORGANISATIONS
COME UP WITH A CLEAR AND FEASIBLE ACTION PLAN THAT FIGURE LOOKS AS IF IT WILL ONLY GET WORSE
It is estimated that, every day, around 2,500
internal security holes are found in US
businesses, while insider threats hit more
than 34% of companies worldwide every year.
Worryingly, 66% of organisations questioned
believed that attacks from the inside were
more likely than attacks from the outside,
according to the latest research. With the
big losses that are likely to result from such
incidents when it comes to a company's
finances - and reputation - what are the
workable, effective solutions for mitigating
these threats?
RISK MITIGATION
"Insiders don't act maliciously most of the
time," points out Ian Robinson, chief architect,
Titania "That's why it's often harder to detect
harmful insider activities than it is to detect
external attacks. Insiders know the weaknesses
of an organisation's cybersecurity, and the
location and nature of sensitive data they can
exploit. The statistics show that insider threats
pose a significant challenge to businesses
worldwide, highlighting the need for proactive
and robust risk mitigation strategies. There is
no one solution that can address all these
threats; rather a combination of people,
processes and technology working together."
As part of this, adopting a Zero Trust model -
which requires all internal and external users to
be continuously authenticated and authorised
before being granted access to applications and
data - and implementing effective network
segmentation is a proven way to reduce the risk
associated with insider attacks, he argues. "By
segmenting the networks, either physically or
logically, and reducing the number of people
who have access to the more critical segments,
organisations can significantly reduce their
attack surface. And by constructing a micro
perimeter around the protect surface - critical
segments that require special permissions to
access - network architects can ensure only
authorised users can access assets within, while
all others are blocked."
Then, vigilance is crucial to detect and
address potential risks originating from within
the organisation, states Robinson. "For
example, an attacker might focus on nonrepudiation
by disabling audit logging to
conceal the next phase of their attack, which
might be to manipulate firewall rules or create
a new route to allow the attacker to move
laterally across the network to access a critical
segment - such as the Cardholder Data
Environment, for example. They are likely to
start with the first phase and then wait to see
how effective an organisation's incident
response is before proceeding." This is where
proactive security comes in, seeking out and
remediating network vulnerabilities to mitigate
threats and threat conditions before they pose
a risk to the organisation.
UNWITTING BAD ACTORS
While insider threats are a valid concern for
companies, the number of intentional internal
bad actors is relatively small; the real threat
lies with unwitting bad actors who have been
subjected to phishing attacks or dormant
accounts that provide access to the
organisation, states Dave McGrail, head of
business consultancy at Xalient. "As such,
companies cannot ignore the risk associated
with this threat and should implement a zerotrust
approach to reducing the attack surface
and mitigating risk - with robust identity and
access management being a key starting
point."
Over the years, many companies have
neglected good housekeeping practices
around effective identity and access
management, which leads to poor identity
hygiene within the environment, he adds.
"This has a knock-on effect on security, as too
many domain administrators, administrator
accounts, service accounts and more are
allowed untracked and uncontrolled logins,
without the knowledge of who is using them,
for what and why. This lack of knowledge and
management results in the accounts
remaining active as IT departments are too
scared to delete them for fear of breaking
something and yet these are exactly what
threat actors are looking to attack. Through
these attacks, outsiders can masquerade as
insiders by attacking the identity of those from
within the organisation."
Apart from organisations implementing a
zero-trust strategy, they must also balance
prevention efforts/investment with detection
and response capability - doubling down on
identity, he argues, using Threat Detection and
Response (ITDR) to detect and respond to
identity-based attacks. "This approach involves
improving the visibility of events from identity
platforms, incorporating Identity and Access
Management (IAM), Privileged Account
Management (PAM) and Identity Governance
and Administration (IGA).
"Combining ITDR with Zero Trust principles,
companies benefit from the added value of
driving access based on identity, along with
the additional benefit of the added context
around identity [device posture, location, timeof-day],
measured against normal behaviour
for that user," says McGrail. "There is huge
value in understanding what is being accessed,
when and by whom. This understanding
forms the basis for anomaly detection, alerting
the team to potential threats, and enabling
them to respond to threats in a timely and
effective way."
22
computing security May/June 2024 @CSMagAndAwards www.computingsecurity.co.uk

insider threats
PROTECTIVE SOLUTIONS
To adequately address insider threats,
organisations need solutions that protect the
core identity system itself - for example, by
highlighting vulnerabilities and attack paths
that insiders can abuse, detecting and
automatically remediating risky changes,
and providing post-breach forensics to close
backdoors left by malicious insiders.
"In particular, organisations that are in the
midst of major transitions, such as consolidating
business offices or reducing the overall
workforce, need the ability to take action on
suspicious activity from high-risk users," advises
Semperis chief scientist Igor Baikalov. "This
could include employees who are flagged as
a flight risk or who are slated for upcoming
termination. An insider with malicious intent
could use their privileged access to compromise
the organisation's system for a variety
of reasons, from monetary gain to revenge.
"It's important to bear in mind that anyone
who has permission to access critical business
assets can potentially abuse that privilege,
whether that's through malicious intent or
through carelessness. Employees, contractors,
vendors and partners can all inflict devastating
damage on organisations. Negligence can lead
to system compromise in several ways, but
the result is the same: because of a mistake
someone made - for example, an end user who
left their laptop unlocked or an Active Directory
admin who failed to follow defined employee
off-boarding policies - privileged credentials
become easy picking for bad actors."
Defending against insider threats requires
a concerted effort, adds Baikalov: a comprehensive
strategy that addresses every phase
of the attack lifecycle, including prevention,
remediation and recovery.
CLOUDY OUTCOMES
Chris Doman, CTO and co-founder, Cado
Security, points to how insider threats can
be even more difficult to detect and prevent
in the cloud. "Business practices including
employee training, clear policies and procedures,
fostering a culture of trust and transparency
and collaboration with security teams
can help to reduce the risk of insider threats.
"For security teams, fast investigations are key.
The issue is that best practices for managing
and detecting insider threats that work well in
on-prem environments don't translate across
into cloud environments.
"The proliferation of cloud resources across a
multitude of cloud providers and the addition
of container and serverless capabilities create
complexities around detecting suspicious
activity such as excessive privilege use. The
basics such as implemented and reviewed
access controls, encryption, and monitoring
for suspicious activity in general are key.
"A proactive approach to breaches enables
security teams to understand whether they are
prepared to quickly investigate and respond to
insider threats before an incident occurs. This
ensures that when an incident is detected, the
security team will have the ability to quickly
identify the root cause and remediate the
threat, " adds Doman.
MALICIOUS VERSUS ACCIDENTAL
Neil Langridge, marketing & alliances director,
e92plus, draws a clear distinction between
various insider threats - and first comes the
malicious insider. "This can be a dangerous
threat, as the user can leverage their
understanding of a business and where their
security posture may have weaknesses.
A good place to start is often joiners, movers
and leavers - a change of role can be the ideal
point at which users can find the opportunity
to exfiltrate data or compromise the defences
of a business. Just like layers of defence is an
established cybersecurity principle, layers of
authorisation or authentication is also key,
especially where confidential data is involved,
or access to critical systems."
Then there's the second type: the accidental
or compromised insider threat. "This can be
Ian Robinson, Titania: adopting a Zero
Trust model is a proven way to reduce
the risk associated with insider attacks.
Chris Doman, Cado Security: a proactive
approach enables security teams to quickly
identify the root cause of a breach and
remediate the threat.
www.computingsecurity.co.uk @CSMagAndAwards May/June 2024 computing security
23

insider threats
Jon Fielding, Apricorn: The 3-2-1 rule is
an effective means to facilitate recovery.
Neil Langridge, e92plus: behaviour profiling
can be essential, as the attacker won't fully
know processes or the business culture.
where a user has been unwittingly profiled
and their user credentials have been obtained
by an attacker - whether that's through social
engineering [such as the MGM Casino attack,
which leveraged a help desk engineer] or from
a data breach [and the credentials hadn't been
changed post-breach]. This is still a form of
insider threat, as there's no attack as such -
and it's increasingly common," cautions
Langridge.
"Such attacks allow bad actors to hide
perfectly, understand an organisation and
operate as an insider, so without drawing any
unwanted attention. This is where behaviour
profiling can be essential, as the attacker won't
fully know processes or the business culture,
and tools like UEBA [User and Entity Behaviour
Analytics] can therefore highlight potential
incidents that form a pattern of non-standard
behaviour."
For both forms of threat, as ever the first
step before technology is process: just as
authentication should be multi-factor with
layers of approval, so should any business
process (to avoid business email compromise
or payment fraud) or access to critical data or
infrastructure. "The next step is to review how
their cybersecurity strategy can move towards
a Zero Trust approach; this assumes trust must
be earned, regardless of their status, and can
help address the challenge of insider threat."
ENFORCING THE '3-2-1 RULE'
The insider threat has increased significantly,
due to economic pressures and the way we
work, with criminal groups now brazenly
recruiting insiders. A recent study by Apricorn
revealed that malicious leakage has doubled,
with a fifth having suffered a breach
attributable to a malicious employee during
2023, and remote and hybrid working
practices have almost certainly played a role,
with 48% saying these workers had knowingly
exposed data to a breach, up from 29% in
2022. "Both factors have made it harder to
counter the insider threat, requiring the
business to reinforce the security culture
through staff awareness training and the
application of technical controls to protect
data," says Jon Fielding, managing director
EMEA at Apricorn.
"Acceptable Use Policies (AUP) are well
established, but these policies must be
reinforced through regular staff training.
Crucially, the AUP should extend beyond just
seeking approval for a device, with controls
implemented on sanctioned devices." The
survey found that policy enforcement is either
non-existent or weak.
In cases of neglect or error, rather than
malicious intent, encryption can be used to
boost defences. "However, encryption of
physical devices has nose-dived," adds Fielding.
"Only 12% encrypt data on laptops today,
compared with 68% in 2022 and only 17%
desktop computers, down from 65%.
Similarly, only 13% encrypt mobile devices
versus 55% in 2022; 17% USB sticks, down
from 54%; and 4% portable hard drives,
down from 57%."
If data is compromised or stolen, the business
must be able to recover and so it needs a
watertight backup strategy, he adds. "The 3-2-
1 rule, which advocates at least three copies of
data should be held on at least two different
media with at least one held offsite (and
preferably offline and encrypted), is an
effective means to facilitate recovery, if the
worst happens."
INSIDER RISK MANAGEMENT
Having an efficient and effective insider risk
management (IRM) program can be challenging,
due to several circumstances, states Kyle
Kurdziolek, BigID's senior manager of cloud
security. "IRM programs can be complex, due
to the wide range of security technologies,
monitoring solutions and behavioural analytics
tools available. In a perfect world, all three of
these solutions would mesh together and
become the trifecta of an IRM solution. These
all come together to deliver higher fidelity risks
associated with insider threats and introduce
24
computing security May/June 2024 @CSMagAndAwards www.computingsecurity.co.uk

insider threats
capabilities to proactively eliminate known
insider threats."
From a technology perspective, data loss
prevention (DLP) and data security posture
management (DSPM) will aid and assist
organisations in classifying their sensitive data
and preventing unwanted exposure, he says.
"Analysts spend a lot of unnecessary time trying
to identify if a document was shared or
whether said document contains confidential
company information. A good starting point,
if organisations are trying to mature IRM, is
to establish DLP alongside DSPM to gain full
visibility of what sensitive data is within the
organisation and where it is at.
"The next iteration would be combining
this with user activity monitoring, which can
provide additional telemetry to alerts captured
by DLP or DSPM solutions. These tools can
range from dedicated activity monitoring
tools to applications embedded in security
technologies or data from endpoints."
However, as companies grow, the scale can
become uncontrollable and requires higherlevel
technologies, like behaviour analytics,
to further drill down into true insider threats.
"This would be the final iteration of your IRM,
as this introduces machine learning capabilities
to understand what is indeed normal and
what are the anomalies that should be
investigated," says Kurdziolek.
Monitoring employee activity does not come
without a degree of risk. "Before pursuing
an IRM program, consider investigating the
approved use of insider threat tools and
services. Organisations can and should speak
with legal counsel and human resources
members to establish guardrails for the
collection, storage, sharing and analysis related
to employee activity. These guardrails are what
can help enable an organisation to have a
successful prosecution of insider threats."
LIMITED SYSTEM ACCESS
One pivotal aspect of mitigating insider threats
means limiting system access, comments Tim
Freestone, chief strategy and marketing officer
at Kiteworks. "By ensuring that administrators
do not have unnecessary access to the operating
system, organisations can significantly
reduce the potential for these insiders to
manipulate or compromise sensitive information
and its metadata. This approach includes
the implementation of hardened environments
where the separation of duties is strictly
enforced. Such measures prevent a single
individual from having excessive control over
sensitive data, thereby limiting access to critical
settings exclusively to those directly accountable."
It's also crucial to adopt policies that restrict
end-user access to sensitive data, he adds,
adhering to the principle of least privilege.
"Users should only have access to the data
necessary for their specific roles, with automatic
expirations on content access based on organisational
policies to further curb unauthorised
access. Advancements in digital rights management
(DRM) technology offer further protections
against insider threats.
"Features that allow users to access and edit
content in real-time, without the ability to
download, retain or forward the content, are
essential. Such capabilities ensure that sensitive
documents are not stored on local devices,
significantly reducing the risk of data leakage."
Supporting these technological measures,
organisations should also deploy
comprehensive monitoring and auditing
systems. "These systems provide real-time logs
and reports that can be integrated with
security information and event management
(SIEM) systems," adds Freestone.
"By monitoring user actions and access to
files, organisations can quickly identify and
investigate suspicious behaviour, gathering
the necessary details for potential HR or legal
actions." The implementation of an insider
threat compliance report can further enhance
an organisation's ability to track and analyse
insider activities.
Kyle Kurdziolek, BigID: monitoring
employee activity does not come without
risk.
Tim Freestone, Kiteworks: limiting system
access can prevent a single individual from
having excessive control over sensitive data.
www.computingsecurity.co.uk @CSMagAndAwards May/June 2024 computing security
25

threats landscape
THREATENING TIMES
COMPUTING SECURITY ZOOMS IN ON SOME OF THE LATEST
HAZARDS THAT ARE THREATENING THE INDUSTRY
VIPRE Security Group, a global leader
and award-winning cybersecurity,
privacy and data protection company,
today released its report titled 'Email Security
in 2024: An Expert Look at Email-Based
Threats'. The 2024 predictions for email
security in this report are based on an analysis
of over 7 billion emails processed by VIPRE
worldwide during 2023. This equates to
almost one email for everyone on the planet.
Of those, roughly 1 billion (or 15%) were
malicious.
This research warns that, in 2024, QR code
hacks or quishing will increase; use of AI to
create content for spam emails, including
deepfakes, will rise; highly personalised social
media mining will grow further; and a wide
array of file types and formats - especially EML
- will be used to propagate phishing and
malware attacks. There will also be a marked
uptick in state-sponsored attacks.
"When you take a look at the kinds of [email]
threats we're seeing today, a lot of them are
preventable," says Usman Choudhary, general
manager, VIPRE Security Group. "It just takes
the right tools, but most companies don't
know they exist, because email doesn't always
get the same kind of security attention as the
rest of the network. Unfortunately, threat
actors know this."
ALPHV/BLACKCAT RANSOMWARE
The ALPHV/BlackCat ransomware group
recently claimed responsibility for major
attacks on both Prudential Financial and
LoanDepot, making a series of follow-on
allegations against them both. Neither
company seems to have had any of their
stolen data leaked, although, if negotiations
continued to stall, as ALPHV said they had,
then a data dump could be the longer-term
outcome.
The advice from both CISA and the FBI is
that victims should not pay ransom demands
to cybercriminals, something that is frequently
adhered to. However, when ransom demands
aren't paid, victims can end up having their
attacks made public knowledge, before
continued non-compliance with the criminals'
demands leads to data disclosure. That can
have a serious impact on clients, as it is often
their personal data that is affected.
Stephen Robinson, senior threat intelligence
analyst at WithSecure, says that ALPHV was
ranked as one of the largest and most active
ransomware groups in 2023. "Our research
showed that ALPHV was responsible for
8.82% of total leaks in 2023. Prudential
Financial are a Fortune 500 company in the
financial sector, so it's not surprising they were
a target for ALPHV. Multiple organisations
in the financial sector have been victims of
ransomware attacks by ransomware gangs
in recent months, probably at least in part,
because the ideal victim for a ransomware
attack is an entity with a high turnover, which
holds sensitive data."
ALPHV have been known to take part in
what is known as 'big game hunting', striking
well-known, high-valued targets, including
several attacks against critical national
infrastructure, such as the Canadian Trans
Northern Pipeline. "So great is the threat of
ALPHV's activities, and the disruption they
have caused," adds Robinson, "that the US
State department has offered a reward for
information leading to the arrest of members
of the group."
DIGITAL SAFETY GAMBLE
A survey across the UK by Bitdefender has
uncovered a stark reality: more than half of
smartphone users are gambling with their
digital safety. The alarming findings reveal
that a staggering 50% of respondents are
navigating the digital world without any
form of mobile security, leaving them wide
open to cyber-attacks. The survey paints a
disturbing picture of complacency in the
face of escalating cyber threats and found
the following:
Despite 76% of respondents relying on
smartphones for critical transactions,
including banking and accessing sensitive
accounts, 50.10% are neglecting basic
security measures
Reasons for this negligence range from
blind faith in the assumed invincibility
of iOS (Apple) or Android systems (23%)
to an alarming lack of awareness about
available mobile security solutions (21%)
Additionally, 49% expressed genuine
fears about being doxxed, a chilling
practice in which hackers unearth and
expose private information online. An
issue made scarier by the unprecedented
access that hackers now have to your
most personal information stored on
smartphones for billions of people
Consequently, 17% of respondents
have experienced one or more security
incidents in the last 12 months.
26
computing security May/June 2024 @CSMagAndAwards www.computingsecurity.co.uk

threats landscape
These revelations underscore an urgent need
for action as smartphones become prime
targets for cybercriminals. With the proliferation
of mobile devices and their central
role in our lives, the risk of devastating cyberattacks
has never been greater.
GOING FOR BROKE
CYJAX's latest research, 'Broken China', has
some disturbing warnings, as it analyses the
turbulent socio-economic situation in China
and how this will likely lead to an increase in
cyber espionage activities by the PRC to give
Chinese businesses a competitive edge.
The report finds that China is facing major
economic pressures from all sides. Its economy
is still suffering from the effect of COVID,
its manufacturing industry is shrinking and its
property sector is overleveraged, due to an
aggressive borrowing strategy. There are also
signs of growing dissent among its youth,
driven by rising unemployment.
Although there are remedies that could aid
in China's economic recovery, its culture of
nationalism and conservatism is inclined to
make implementing them unlikely. There is
also the threat of chillier US-China relations,
if Donald Trump returns to the White House,
which could mean even higher trade tariffs
than today.
With a bleak economic future looming,
Cyjax predicts that the PRC will opt for more
short-term solutions to grow its economy
fast-and this will include more aggressive
cyber espionage campaigns designed to steal
foreign intellectual property (IP) and boost
Chinese industry.
The PRC employs various threat groups to
conduct espionage campaigns and, over the
next year, Cyjax expects to see a major uplift
in activity from the following:
The Gallium group: active since at least
2012, the group is well known for being
part of Operation Soft Shell which targets
global telecoms and Microsoft Exchange
servers. The group targets and steals IP
from telecommunication, financial, and
government entities in Southeast Asia,
Europe, Africa, and the Middle East
Sandman: the group targets
telecommunication providers in the Middle
East, Western Europe and South Asia. It
uses a novel backdoor that abuses the
LuaJIT platform to deliver malware
MustangPanda: the group had been
observed to be targeting Beijing's more
local advisories mainly including Southeast
Asian governments
VoltTyphoon: believed to have been
operating since 2021, the group targets
critical US infrastructure for intelligence
gathering purposes in alignment with the
requirements of the PRC.
"China is a far more complex and nuanced
territory than generally portrayed," states Ian
Thornton-Trump, CISO at Cyjax. "Its internal
pressures are likely to lead to increased cyber
espionage activity, rather than slowing it
down. The PRC's approach to cyberspace has
always been to use it to advance its business
interests, extracting technologies from
Western companies and creating a protected
domestic market for these industries, giving
them an advantage in the global market.
With a better understanding of the country's
internal forces, and how these relate to its
cyber strategy, we can plan better defences
against PRC cyber espionage."
THE EMAIL THREAT FACTOR
"With social engineering attacks like business
email compromise (BEC) having exposed
losses of more than $50 billion over the past
decade, it is clear that email continues to be
a major threat vector in organisations today.
That is the warning from Mike Britton, CISO,
Abnormal Security.
"The proliferation of generative AI tools like
ChatGPT has only catalysed modern phishing
attacks, enabling threat actors to create personalised
and seemingly authentic content
that is often hard to distinguish from human-
Ian Thornton-Trump, Cyjax: China's
internal pressures are likely to lead to
increased cyber espionage activity.
Usman Choudhary, VIPRE Security: email
doesn't always get the same kind of security
attention as the rest of the network.
www.computingsecurity.co.uk @CSMagAndAwards May/June 2024 computing security
27

threats landscape
Stephen Robinson, WithSecure: research
showed that ALPHV was responsible for
8.82% of total leaks in 2023.
Ilia Kolochenko, ImmuniWeb: LLMs have
a fairly narrow application in cybercrime.
generated content. Not only are AI-generated
email attacks more likely to deceive their
recipients, they are also likely to bypass
traditional security measures that rely on
detecting known threat signatures.
"To combat the threat of AI-generated email
attacks, organisations will need to amp up
their own defensive AI capabilities. We need
to evolve beyond legacy systems like secure
email gateways, which look for known-bad
behaviours, like malicious links, blocked
senders or bad IP addresses, and instead use
to behavioural models to learn the knowngood
behaviours in an organisation's email
environment-things like each user's typical
communication patterns or sign-in activity."
AI then acts as a key line of defence by
detecting anomalous behaviour that may
indicate a potential attack, automatically
remediating those suspicious emails before
they reach end users. This means that security
teams could block sophisticated email attacks
even if they are AI-generated, appear highly
realistic, and omit traditional indicators of
compromise.
"The AI arms race is on as organisations
must realise that 'good' AI is necessary to
detect and block 'bad' AI. Additionally,
measures like password management,
multi-factor authentication, and privilege
and permissions management can provide
a final safety net, helping to reduce the
attack surface and prevent further havoc if
attackers are able to infiltrate the network."
Britton also recommend that security
awareness training should not be neglected.
"Employees need to know how to spot risky
emails so they don't click on malicious links
or rush to make suspicious transactions. Of
course, phishing clues are harder than ever for
people to identify, especially as generative AI
enables threat actors to create hyper-realistic
attacks. That's why it's critical to supplement
security awareness training with sophisticated
technology that reduces the number of email
attacks that ever reach employee inboxes."
PREDICTIONS EXAGGERATED
Dr Ilia Kolochenko, CEO at ImmuniWeb, is of
the opiion that the predictions about the
unprecedented cybercrime surge, fuelled by
GenAI and fine-tuned malicious LLMs (large
language model-based tools), are somewhat
exaggerated.
"First, LLMs have a fairly narrow application
in cybercrime, namely in phishing, smishing
and vishing, BEC and whaling attacks - all of
which rely on social engineering and human
deception. GenAI provides little to no help
with nationwide ransomware campaigns,
disruptive attacks against critical national
infrastructure (NCI) or advanced persistent
threats (APTs) aiming at stealing classified
information from the government or
intellectual property from businesses.
"Organised cybercrime groups already have
all the requisite skills, such as spear-phishing
email creation or state-of-the-art malware
development, producing substantially superior
quality of cyber warfare, compared to any
LLM.
"Secondly, cyberattacks that exploit human
deception have been already quite efficient in
the past," he points out. "Cyber gangs behind
this will unlikely boost their success rate by
a better-written email impersonating a CEO
in a whaling attack. Moreover, an impeccably
written email can rather trigger some doubts,
as in business people frequently make typos
or use jargon when communicating with their
colleagues.
"Having said that, any authentication
systems - for example, in financial institutions
- that are based on a client's voice or
appearance are to be urgently tested for
bypassability with fake AI-generated content.
Employees who are susceptible to this kind of
cyberattacks should also be regularly trained
to spot red flags and require additional proof
of identity to prevent fraud."
28
computing security May/June 2024 @CSMagAndAwards www.computingsecurity.co.uk

zero trust
THE IMPERATIVE FOR ZERO TRUST
AS ORGANISATIONS EMBRACE DIGITAL TRANSFORMATION TO GAIN ACCESS TO THE CLOUD'S MANY BENEFITS,
COMPUTING ENVIRONMENTS ARE FACED WITH EVOLVING INTO BORDERLESS IT ECOSYSTEMS
As we continue to digitally
transform organisations, so
the importance of secure and
reliable digital identities has grown.
According to Scott Silver, CEO, Integral
Partners, part of the Xalient Group,
2024 is poised to usher in a multitude
of innovations and trends in this area,
ranging from advanced biometrics to
the integration of artificial intelligence
and machine learning to meet the
changing needs of businesses,
individuals and governments.
"As organisations embrace digital
transformation, computing environments
are evolving into borderless IT
ecosystems," he warns. "Digital identities
are also evolving at pace and identity
security is now a crucial aspect of
cybersecurity. 2024 will usher in a
multitude of identity innovations,
ranging from advanced biometrics
to artificial intelligence integration
to meet the needs of businesses,
individuals and governments.
"Increasingly, cybercriminals are
creating synthetic identities by combining
stolen personal information from
several people into a new false identity
that doesn't rely on real person-al data.
"They use these identities to build a
shallow history that passes identity
checks with banks and retailers.
To counter these tactics, biometrics,
such as facial recognition, fingerprint
scanning and voice recognition, are
becoming popular as a stronger means
of identity verification."
Despite these countermeasures,
however, the threat is large and
growing, driven by Cybercrime-as-a-
Service (CaaS) that allows criminals to
procure tools enabling them to easily
carry out identity-based attacks.
"This makes it even more important for
businesses to prioritise identity security,
employing policies and tools that also
monitor employees and prevent insider
incidents."
AI and machine learning are important
tools for organisations seeking to combat
identity risk. "AI-powered pattern and
behaviour recognition capabilities can
identify anomalies and detect fraudulent
attempts in real-time. Machine
learning algorithms act as adaptive
detectives, continuously evolving to
recognise new identity fraud tactics,
enhancing the overall accuracy of the
verification process.
"Zero trust architecture is the
foundation of modern cybersecurity,
with secure networking and identity
security as cornerstones. Zero Trust
involves the application of identity and
access management capabilities to
perform continuous risk assessment
every time resources are accessed. It
uses contextual identity information to
optimise access policies, while enforcing
the principle of least privilege."
Zero Trust controls reduce insiders'
ability to access systems and data that
aren't part of their job, adds Silver.
"Now, organisations are seeking
AI-powered identity and access
management in a single solution that
Scott Silver, CEO, Integral Partners.
integrates seamlessly with zero trust
architecture, combined with professional
support. These solutions enable
fast, effective responses to potential
breaches and, alongside identity, will
play a pivotal role in the evolution of
zero trust models."
Identity is seen as the new enterprise
perimeter, and managing interdependencies
between identity, security and
networking to adhere to true zero trust
principles is a considerable challenge -
one that the Xalient Group is addressing,
he says, as a provider of IAM
services and solutions through its recent
acquisitions of Grabowsky and Integral
Partners. "Together, we can develop the
advanced, AI-powered identity management
solutions that companies need in
today's complex security environment."
www.computingsecurity.co.uk @CSMagAndAwards May/June 2024 computing security
29

ansomware
BIRD'S EYE VIEW OF RANSOMWARE ATTACK
WHAT IS IT LIKE TO BE HELD TO RANSOM? WE ASKED SEVERAL EXPERTS TO TALK
US THROUGH WHAT TYPICALLY HAPPENS WHEN AN ATTACK IS CARRIED OUT
How do the criminals who unleash
ransomware demands set about
targeting an organisation - right
through from identification of a suitable
target, the planning phase of the attack,
the attack launch and finally capture of the
victim's data? And what about the burning
question that no one wants to grapple with:
to pay or not to pay?
"Ransomware attacks are well orchestrated
acts that come in different forms to infiltrate
IT systems and often are not random
incidents," points out Justin Giardina, CTO
of 11:11 Systems. "Ransomware groups
carefully select high-value organisations and
infrastructure to cripple until substantial
ransoms are paid. Ransomware attacks
use techniques that reflect a chilling
professionalisation of tactics and leverage
military-grade encryption, identity-hiding
cryptocurrencies, data-stealing side efforts,
and penetration testing of victims before
attacks to determine maximum tolerances."
They also often gain initial entry by purchasing
access to systems from underground
brokers (RaaS - Ransomware as a Service),
then deploy multipart extortion schemes,
including encrypting files, stealing data, he
adds, threatening distributed denial-of-service
(DDoS) attacks or releasing the data, where
demands are not promptly met.
"Adding to this, ransomware perpetrators tap
into advancements like artificial intelligence
[AI] to accelerate attacks through malicious
code generation and underground dark web
communities to coordinate schemes. Once an
attacker breaches the system, the ransomware
can lie undetected for days, weeks or even for
months before it is revealed through a ransom
demand."
With ransomware attacks showing no signs
at all of slowing down, companies must take
proactive steps to protect their organisations
and minimise the impact of a potential
breach. "Protecting against ransomware
requires a multi-layered, holistic approach
encompassing people, processes, and
technology," says Giardina. "To start,
companies must focus on resilience and
recovery. Cybersecurity infrastructure is the
cornerstone of resilience, serving as the
foundation for all other measures. This is
followed by a well-rehearsed incident response
plan that outlines clear procedures for dealing
with an attack, including isolating infected
systems, notifying stakeholders and restoring
from backups.
"Frequently test the backup and restore
processes to ensure they work when needed.
Regular immutable or tamper-proof data
backups are a key part of the recovery process.
Ensuring a recent and clean copy of vital data
is always available can significantly improve
the chances of a successful cyber recovery.
But don't forget your business continuity
plans! They need to be updated to allow your
departments to continue to operate, using
manual procedures, for as long as the
ransomware event requires."
The debate over ransom payments clearly
highlights the complexities of cybersecurity
policy, he acknowledges. "It underscores the
need for a multifaceted approach to combatting
ransomware; one that includes not only
policy interventions, but also organisational
practices. However, it makes one thing clear:
there are no easy answers in the fight against
ransomware, only informed choices." Such
choices, whether they involve investing in
employee training, implementing robust and
modern backup systems, and developing a
comprehensive disaster recovery (DR) plan,
can significantly influence a company's ability
to respond to, and recover from, ransomware
attacks, he concludes.
ALTERED LANDSCAPE
Ten years ago, a ransomware attack was
really obvious, states Bernard Montel, EMEA
technical director and security strategist,
Tenable. "The computer [PC] was bricked,
with a ransomware demand displayed on
the screen. Today, attacks are less obvious
and can go undetected for a few weeks,
as threat actors look to obfuscate their
presence, allowing them to creep around
infrastructure for nefarious purposes."
The most popular way attackers infect
organisations is through spam and phishing
emails, he adds. "In the majority of cases,
these messages include a malicious
30
computing security May/June 2024 @CSMagAndAwards www.computingsecurity.co.uk

ansomware
attachment, such as a Microsoft Word
document or PDF file containing malware.
Others, however, may contain a link to a
webpage controlled by the attackers. The goal
is to get the target to open the attachment
and trick the victim to enable macros or click
the link, which can then deliver a malicious
downloader, leading to the final payload,
which is ransomware.
"Software vulnerabilities play a key role in
facilitating ransomware attacks through
several avenues. These include vulnerabilities
used as part of malicious documents, vulnerabilities
found in perimeter devices like Secure
Socket Layer Virtual Private Networks (VPNs),
as well as a plethora of flaws designed to
elevate privileges, once inside an organisation's
network."
Prolific ransomware groups such as LockBit,
Rhysida, Play and ALPHV/BlackCat make use of
multiple exploits in their efforts to compromise
organisations. "For illustration, throughout the
last quarter of 2023, threat actors exploited
CitrixBleed in attacks against a variety of organisations.
Some notable examples include
attacks against Boeing and Comcast."
While initial access is how ransomware
groups gain access to an organisation's
network, once inside they will set their sights
on Active Directory, says Montel. "Gaining
domain privileges provides attackers with
the necessary capabilities to distribute their
ransomware payloads across the entire
network. Once threat actors are inside,
the game is fundamentally over. Today's
ransomware gangs will look to extrapolate
data silently and, once that's achieved, they'll
prepare to encrypt systems and cripple the
organisation's ability to function.
"A further trend that has been seen is threat
actors wiping data at rest. This is even more
insidious and can be undetected, compared
to encryption. Often, the first the organisation
knows anything about the attack is a communication
from the gang threatening to
encrypt systems or publish the data on the
dark web, if demands are not met. The added
pressure from this type of extortion is what
has helped make ransomware so successful."
The question of whether to meet ransomware
demands is complicated, he adds. "Only
the organisation impacted will be able to
determine the best cause of action. Given the
financial impact from ransomware attacks,
be it the inability to function from crippled
systems or sensitive data exposed, prevention
has to be better than cure. Gaining visibility
into where the biggest areas of risk are -
exposure management - is absolutely critical
to knowing which doors and windows are
wide open and need to be closed to stop
ransomware in its tracks."
14-STAGE ASSAULT
A ransomware attack typically involves 14
stages, according to Kennet Harpsoe, senior
cyber analyst at Logpoint. "The first stage is
reconnaissance, where the threat actor
gathers information about the victim. The
second stage is resource development to
support targeting, followed by initial access,
in which the attacker tries getting into the
network. The fourth phase is execution,
where the attacker tries executing malware."
The next stage is persistence, he says, in
which the attacker attempts to maintain a
foothold in the victim's network, even if the
system terminates the payload process or
reboots. "Afterwards, attackers use privilege
escalation to gain access to accounts with
higher-level access and defence evasion by
disabling security, clearing logs or obfuscating
the payload. At the privilege escalation stage,
attackers then retrieve logins.
"The discovery phase allows attackers to
identify other weaknesses within the network
and plan and execute more advanced attacks,"
continues Harpsoe. "Using lateral movement,
the attacker moves to other hosts to establish
a presence and access information. The collection
stage is when attackers collate data
Justin Giardina, 11:11 Systems:
ransomware attacks reflect a chilling
professionalisation of tactics and leverage
military-grade encryption.
from systems and the Command and Control
(C&C) phase is where the attacker establishes
control over the victim's systems."
Exfiltration is where attacks extract data using
various methods. The last stage is impact,
where the attackers use techniques at a later
stage to disrupt availability, compromise
integrity or manipulate business and operational
processes. Knowing these tactics is
essential to detect an ongoing attack before
the attackers deploy the ransomware.
"Ransomware can result in downtime, data
loss and ransom payments, but now the fines
for non-compliance are an additional concern,
as we saw in the case of BlackCat," he states.
"It filed a complaint with the SEC over Meridian-
Link's failure to disclose a cybersecurity incident
to punish the company for not paying the
ransom. This new extortion tactic will likely
be used going forward, especially with the
introduction of NIS2.
"Compliance-driven extortion could diminish
www.computingsecurity.co.uk @CSMagAndAwards May/June 2024 computing security
31

ansomware
Bernard Montel, Tenable: a further trend
that has been seen is threat actors wiping
data at rest.
Iraklis Mathiopoulos, Obrela: the
cybersecurity experts' consensus is that
ransoms shouldn't be paid.
the incentive to pay ransoms, with victims
more likely to hesitate, if there's a risk of being
reported to authorities, post-payment. We've
seen a rise in double extortion attacks and
pure extortion-based attacks. Now we see
the commoditisation of Ransomware-as-a-
Service, which offers individuals with minimal
technical expertise the means to execute
ransomware attacks and skip the first stages
of the attack.
"Automation is enabling initial access brokers
to identify and offer more breach-ready environments.
Consequently, expect a surge in
attack frequency, driving the adoption of
Managed Detection and Response (MDR)
services to avert attacks."
ROBUST PLAN ESSENTIAL
When it comes to ransomware, we must stay
ahead of the curve and know what to look
out for, advises Iraklis Mathiopoulos, chief
services delivery officer at Obrela. "Organisations
without a robust security plan in place
are more likely to suffer an attack. You need
'always on' around-the-clock monitoring to
identify, analyse and predict security threats,
and prevent them from happening. At the
very least, any system you have in place
should be able to mitigate the consequences
of attack - or attack attempt - quickly and
effectively, limiting the damage to your critical
operational processes and reputation, while
also preventing successful ransomware
attacks.
"We have witnessed attacks evolve from
single extortion [encryption]) to double
extortion [data exfiltration] to triple extortion
[attacking customers directly] to quadruple
extortion [DDoS]. Today, ransomware gangs
have added destructive wiper attacks to
their arsenal and in 2024 we expect to see
evermore creative attack methods emerging,
including more cloud, AI and IoT-related
attacks."
Prevention is better than cure, of course,
he cautions, and ensuring you have the best
possible threat intelligence and protection
in place will help avoid attack, rather than
dealing with the response, remediation and
ransomware issues. "We advise immutable
backups, but even this sensible precaution
is not without its problems. It does not, for
instance, guarantee the immutability of
data held in the past where attackers have
penetrated the network weeks or months
ago.
"Virtually all ransomware attacks start with
a compromised endpoint, typically a PC or
server. Protecting these is vital, with the
traditional defence being a security agent.
Unfortunately, these will occasionally fail,
which leaves most organisations relying on
network security tools to spot anomalous
traffic," states Mathiopoulos.
One of the reasons ransomware attacks have
become so severe is that attackers can lurk
inside infrastructure for a long time. "With
Managed Detection and Response, (MDR),
though, incursions are detected sooner, rather
than later. MDR integrates endpoint and
network tools under one platform, allowing
better detection and automated remediation,
alert prioritisation and response."
As for whether a ransom demand should
be paid, he is quite clear. "The cybersecurity
experts' consensus is that ransoms shouldn't
be paid. Depending on jurisdiction, paying
for ransomware is potentially illegal, because
it might be a) funding criminal activity, b)
transferring funds to sanctioned entities, c)
supporting terrorist organisations.
"We understand the potential reputational
damage forces many decision makers to pay
the ransom, but, as an industry, we must
highlight that payment does not guarantee
the return of data, may fund further cybercrime
activities and could even make the
organisation a 'softer' target for future attacks.
The advice is simple enough: focus on
prevention, backup strategies and incident
response plans instead."
32
computing security May/June 2024 @CSMagAndAwards www.computingsecurity.co.uk

election threats
DEMOCRACY UNDER SIEGE
ELECTORAL MISINFORMATION AND DISINFORMATION ARE EXPECTED TO CREATE DISTORTED
AND MUDDIED POLITICAL LANDSCAPES THROUGHOUT THIS YEAR, PRIME FOR EXPLOITATION
More than two billion people
across 50 countries will be
going to the polls to elect
representatives at local, national and
intra-continental levels in 2024. This
includes elections in some of the world's
most populous countries, such as India,
Brazil, Indonesia and the US.
"While this election year will certainly
be a milestone in the long evolution of
democracy, many of these elections take
place amid a backdrop of increasing
divisions in international relations, an
uptick in illiberal democratic practices
masked as free and fair elections, and
a widespread disenchantment with
political representation in some of the
world's most developed democracies,"
cautions Beth Hepworth, director,
Protection Group International. "All of
these issues transcend real-world and
online spaces, creating distorted and
muddied political landscapes, prime
for exploitation."
Electoral misinformation and
disinformation will likely remain highly
prevalent. "Online threat actors, such
as pseudomedia entities, will likely
continue sharing content designed to
sow distrust in the electoral process for
both ideological and commercial gain,"
Hepworth continues. "Right across
geographies, false narratives are likely
to target voting systems and the
integrity of electoral institutions,
particularly in closely contested
elections. Far-right organ-isations
and political parties-who often share
egregious content in online spaceswill
likely pose a significant risk."
Foreign state-backed influence
operations (IOs) targeting elections are
also highly likely to be a persistent and
significant threat, while "AI-generated
content will likely play a greater role in
elections in 2024 as threat actors and
political campaigns continue to embed
AI techniques within their contentproducing
toolkits". However, the use of
sophisticated AI-generated content and
technically manipulated media aimed
at sowing distrust in candidates and
electoral processes will likely be limited,
with the majority of AI-generated media
being low-quality in nature and easily
discernible by ordinary online users.
As a result, the risk of AI to elections
in the medium term is often overstated.
Threat actors certainly have the ability
to weaponise AI effectively, as shown
over the past year in America where
the Republican Party released an ad
with AI-generated images visualising
a 'dystopian world' with a re-elected
President Joe Biden, and in Moldova
where President Maia Sandu was forced
to refute claims in a Russia-made
deepfake video of herself.
However, adds Hepworth: "AIgenerated
content has yet to play
a significant role in an election, and
current disinformation campaigns are
currently succeeding organically by
exploiting societal rifts. At present,
the risk of AI to elections is centred
more on the intrinsic uncertainty of
its potential, rather than on its current
impact. Heightened levels of targeted
harassment and 'doxxing' [revealing
identifying information about someone
Beth Hepworth, Protection Group
International.
online, without their permission] are
likely in 2024, following a spike in
threats against election workers and
politicians over the past year in
countries including New Zealand,
Sweden, the US and Japan."
These threats will likely entail the
dissemination of Personally Identifiable
Information online -such as targets'
home addresses, family members and
phone numbers-as well as online
harassment campaigns designed to
undermine their legitimacy. "In the year
ahead, vigilance and critical thinking
will be vital in democracies being able
to navigate the nuances of these digital
threats and knowing what these threats
are is just the first step."
www.computingsecurity.co.uk @CSMagAndAwards May/June 2024 computing security
34

Computing
Security
Secure systems, secure data, secure people, secure business
e-newsletter
Are you receiving the Computing Security
monthly e-newsletter?
Computing Security always aims to help its readers as much as possible to do
their increasingly demanding jobs. With this in mind, we've now launched a
Computing Security e-newsletter which is produced every month and is available
free of charge. This will enable us to provide you with more content, more
frequently than ever before.
If you are not already receiving this please send your request to
christina.willis@btc.co.uk and advise her of the best email address for the
newsletter to be sent to.