CS May-Jun 2024
Computing Security
Secure systems, secure data, secure people, secure business
Computing Security May/June 2024

NEWS
OPINION
INDUSTRY COMMENT
CASE STUDIES
PRODUCT REVIEWS

Claws into ransomware: What it's like to be held hostage
A world in turmoil: Growing rift between well protected and vulnerable leaves no one safe
Threatening times: New hazards looming over the industry
Getting the evil eyes: Cybercriminals' levels of access and control are now off the scale
comment

EC STEPS IN TO DRIVE SUPPORT FOR AI INNOVATION

European start-ups and SMEs need all the help they can get to develop AI models, with more established and resource-rich organisations forging ahead. So, it is timely and encouraging to see that the European Commission has recently set up an AI office to enforce new rules on artificial intelligence systems and support innovation in AI, as part of a package of broader measures to assist those most in need of support.

Equally importantly, the establishment of the AI Office signifies a clear commitment to ensuring that AI advances closely align with ethical principles, says Dr Ellison Anne Williams, pictured right, CEO and founder of cyber security and data privacy company Enveil.

"The EU's initiative represents the decisive action needed to drive this technological advancement. Similar to the White House Executive Order on AI and recent actions by the G7, these efforts will help address risks, uphold privacy, and prioritise security in the development and utilisation of AI technologies.

"This leadership includes promoting Privacy Enhancing Technologies (PETs), a family of technologies that exemplify a proactive approach to safeguarding data privacy and security, while leveraging the benefits of AI. The global recognition of the importance of PETs, and its support for entrepreneurs and startups in driving innovation forward, is commendable."

Brian Wall
Editor
Computing Security
brian.wall@btc.co.uk
EDITOR: Brian Wall (brian.wall@btc.co.uk)
LAYOUT/DESIGN: Ian Collis (ian.collis@btc.co.uk)
SALES: Edward O'Connor (edward.oconnor@btc.co.uk), Daniella St Mart (daniella.stmart@btc.co.uk), Stuart Leigh (stuart.leigh@btc.co.uk), all on +44 (0)1689 616 000
PUBLISHER: John Jageurs (john.jageurs@btc.co.uk)
Published by Barrow & Thompkins Connexions Ltd (BTC), 35 Station Square, Petts Wood, Kent, BR5 1LZ. Tel: +44 (0)1689 616 000. Fax: +44 (0)1689 82 66 22
SUBSCRIPTIONS: UK: £35/year, £60/two years, £80/three years; Europe: £48/year, £85/two years, £127/three years; R.O.W: £62/year, £115/two years, £168/three years. Single copies can be bought for £8.50 (includes postage & packaging). Published 6 times a year.
© 2024 Barrow & Thompkins Connexions Ltd. All rights reserved. No part of the magazine may be reproduced without prior consent, in writing, from the publisher.
www.computingsecurity.co.uk @CSMagAndAwards May/June 2024 computing security
3
inside this issue

CONTENTS

COMMENT 3
EC support for AI innovation

NEWS 6
Fraudulent websites spreading malware
New cybersecurity best practice advice
Confidential data shared online
Government taking 'ostrich strategy'

ARTICLES

A WORLD IN TURMOIL 10
In an interconnected world, the growing rift between those who are well protected against attacks and those most vulnerable suggests that no organisation is entirely safe

THE EVIL EYE 14
The vast amounts of personal details now freely available is giving cybercriminals untold levels of access and control

VIRTUOSO TO TAKE CENTRE STAGE 16
Generative AI presenter and deepfake expert Henry Ajder will be a keynote speaker at this year's Infosec

THREAT OR TREAT? 18
Artificial intelligence is on course to increase the volume and heighten the impact of cyberattacks over the next two years, warns the National Cyber Security Centre, with AI almost certainly making cyberattacks against the UK more impactful

FACE OFF! 21
When it comes to device-based and server-based facial authentication, which, if either, is the more secure?

INSIDE OUT 22
Embracing digital transformation to gain access to the cloud's many benefits means computing environments must face evolving into borderless IT ecosystems

THREATENING TIMES 26
Computing Security zooms in on some of the latest hazards that the industry is coming up against

THE IMPERATIVE FOR ZERO TRUST 29
66% of organisations questioned believed that attacks from the inside were more likely than attacks from the outside, according to the latest research. What are the workable, effective solutions for mitigating these threats?

BIRD'S EYE VIEW OF ATTACK 30
What is it like to be held to ransom? We asked several experts to talk us through what typically happens when an attack is carried out

DEMOCRACY UNDER SIEGE 34
Electoral disinformation is expected to create muddied political landscapes throughout this year, which will be prime for exploitation

BOOK REVIEW

TEN DAYS… SEVEN DEADLY SINS... ZERO RI$K 13
What's not to celebrate when your bank account gains an extra zero or two over the festive period?
news

FRAUDULENT WEBSITES BEING USED TO SPREAD MALWARE

Zscaler's ThreatLabz discovered a threat actor creating fraudulent Skype, Google Meet and Zoom websites to spread malware, beginning in December 2023. The threat actor spreads SpyNote RAT to Android users and NjRAT and DCRat to Windows users.

"Our research demonstrates that businesses may be subject to threats that impersonate online meeting applications," says Himanshu Sharma, senior security researcher at Zscaler. "In this example, a threat actor is using these lures to distribute RATs for Android and Windows, which can steal confidential information, log keystrokes and steal files.

"Our findings highlight the need for robust security measures to protect against advanced and evolving malware threats, and the importance of regular updates and security patches."

Photo: Himanshu Sharma, Zscaler.

CONFIDENTIAL PERSONAL DATA SHARED ONLINE

Leicester City Council has revealed confidential personal data was shared online following a criminal investigation when it was forced to disable its phone and computer systems.

"In the last two weeks, it's become evident that INC ransom [a multi-extortion operation] have clear intent when it comes to targeting local services, with Leicester Council joining the victim list alongside NHS Dumfries and Galloway," comments Darren Williams, CEO and founder of Blackfog. "The intent of a group like this is clear: to cause maximum distress and disruption, with maximum rewards, at minimal effort. To prevent such attacks from happening again, councils and organisations alike must invest in the latest anti-data exfiltration tools to secure their data and prevent ransomware and extortion."

Photo: Darren Williams, Blackfog.

NEW CYBERSECURITY BEST PRACTICE ADVICE RELEASED

CISA and the National Security Agency (NSA) have released five joint Cybersecurity Information Sheets (CSIs) to provide organisations with recommended best practices and/or mitigations to improve the security of their cloud environment(s).

Following the advice, Matt Muir, threat research lead, Cado Security, comments: "It's reassuring to see these agencies highlight the differences between cloud and on-premise security practices, along with providing tailored advice for securing the cloud in particular.

"Hopefully, the advice will give organisations the nudge they need to recognise the wider threats and implications of cloud adoption. By taking heed of this advice and implementing appropriate controls, organisations can mitigate the pervasive threat of cloud attacks."

Photo: Matt Muir, Cado Security.

THREATLOCKER UNVEILS MDR SERVICE

ThreatLocker has launched a Managed Detection & Response (MDR) service designed to alert customers to suspicious or potentially malicious activity occurring in their environment - shutting down threats within seconds, the company claims.

Danny Jenkins, CEO & co-founder of ThreatLocker, comments: "Not only will this provide customers with a faster response when they don't have 24-hour operation centres, but it also means that we are improving our product in a way that allows us to be responsible for so many customers and the management of their environments."

Photo: Danny Jenkins, ThreatLocker.
news

MICROSOFT RECENT EMAIL BREACH LABELLED "A STRATEGIC BLOW"

Microsoft have admitted publicly that the recent email breach the company suffered at the hands of Russian-backed Midnight Blizzard (the same group that was responsible for the SolarWinds breach) compromised certain unnamed source code, as well as customer "secrets" that were communicated via email with key executives.

Amit Yoran, chairman and CEO, Tenable, has described the breach as a strategic blow. "By its own admission, Microsoft's source code and 'other secrets' have been compromised. Midnight Blizzard isn't some small-time criminal gang. They are a highly professional Russian-backed outfit that fully understands the value of the data they've exposed and how to best use it to inflict maximum harm. Given Russia's relationship with China and other strategic adversaries, the consequences get very troubling, very quickly."

Photo: Amit Yoran, Tenable.

GOVERNMENT IS ACCUSED OF RANSOMWARE 'OSTRICH STRATEGY'

A parliamentary committee has accused the government of taking an "ostrich strategy" by burying its head in the sand over the national cyber threat posed by ransomware. The criticism follows the government publishing its formal response to a report from the Joint Committee on the National Security Strategy (JCNSS) that warned the government's failures meant there was a "high risk" the country faces a "catastrophic ransomware attack at any moment".

States Trevor Dearing, director of critical infrastructure at Illumio: "While there is an obvious need to identify and remove ransomware, organisations need to focus on containing an attack to maintain services. Just as recommended by the NSA, the UK should promote a Zero Trust strategy and apply segmentation to prevent an attack becoming a catastrophe."

Photo: Trevor Dearing, Illumio.

63% OF KNOWN VULNERABILITIES ON HEALTHCARE ORGANISATION NETWORKS

A new report from Claroty has uncovered what it says is concerning data about the security of medical devices connected to healthcare organisation networks, such as hospitals and clinics. 'The State of CPS Security Report: Healthcare 2023' discovered 63% of CISA-tracked Known Exploited Vulnerabilities (KEVs) on these networks, reports the company, and that 23% of medical devices - including imaging devices, clinical IoT devices, and surgery devices - have at least one KEV.

LACK OF TECHNOLOGY INVESTMENT RESTRICTING BUSINESS GROWTH

Almost half (48%) of UK mid-sized enterprises feel that not having access to the most advanced technology is limiting their business growth, according to new data from UK technology company ANS.

Company CEO Richard Thompson comments on the report's findings: "All too often, mid-sized enterprises are left playing catch-up when it comes to accessing the best tech, while big corporations with greater financial resources continue to keep the advantage. Lacking budget, tech recruitment challenges and the need to keep prices competitive are just some of the barriers holding UK enterprises back.

"Our mission is to level the playing field, so that all businesses, regardless of their size, can embrace the latest technology and take their business to the next level."

Photo: Richard Thompson, ANS.
global risks

A WORLD IN TURMOIL

IN AN INTERCONNECTED WORLD, THE GROWING RIFT BETWEEN THOSE WHO ARE WELL PROTECTED AGAINST ATTACKS AND THOSE MOST VULNERABLE SUGGESTS THAT NO ORGANISATION IS ENTIRELY SAFE

A new World Economic Forum report has provided a snapshot of the multifaceted challenges facing the global cybersecurity landscape - and it is alarming, to say the least. While increased geopolitical tensions and economic instability continue to concern industry experts, the report, released in January, spotlights widening cyber inequity and emerging technologies, such as artificial intelligence (see feature on pages ??), as key rising risks for the year ahead in the fast-growing cybersecurity sector.

The Global Cybersecurity Outlook 2024 report, developed in collaboration with Accenture, distils insights of industry experts and global executives about key cyber trends that leaders will need to navigate in 2024, based on a series of surveys carried out between June and November 2023. Given the increasingly complex cyber threat landscape, the report also calls for concerted collaboration, across borders and industries, to counter these interrelated threats and build a more resilient environment.

"As the cyber realm evolves in response to emerging technologies and shifting geopolitical and economic trends, so do the challenges that threaten our digital world," says Jeremy Jurgens, managing director, World Economic Forum, Switzerland. "We urgently need coordinated action by key public-private stakeholders, if we are to collectively address these complex, ever-evolving threats and build a secure digital future for all."

The increasingly stark divide between cyber-resilient organisations and those that are struggling has emerged as a key risk for 2024. The number of organisations that maintain minimum viable cyber resilience is down 30%, compared to last year. While large organisations have demonstrated notable gains in cyber resilience, small and medium-sized companies showed significant decline.

This growing inequity is being fuelled by macroeconomic trends, industry regulation and, crucially, early adoption of paradigm-shifting technology by some organisations. In addition, the cyber skills and talent shortage continues to widen at an alarming rate. Only 15% of all organisations are optimistic about cyber skills and education significantly improving in the next two years.

In an interconnected world, this growing rift means no organisations are completely safe. According to the report, external partners are both the greatest asset and the biggest hindrance to the cybersecurity of any organisation. In fact, 41% of the organisations surveyed that suffered a material incident in the past 12 months say it was caused by a third party.

In 2023, the world faced a polarised geopolitical order, multiple armed conflicts, both scepticism and fervour about the implications of future technologies, and global economic uncertainty, points out the report. "Amid this complex landscape, the cybersecurity economy grew exponentially faster than the overall global economy, and outpaced growth in the tech sector. However, many organisations and countries experienced that growth in exceptionally different ways. A stark divide between cyber-resilient organisations and those that are struggling has emerged.

"This clear divergence in cyber equity is exacerbated by the contours of the threat landscape, macroeconomic trends, industry regulation and early adoption of paradigm-shifting technology by some organisations. Other clear barriers, including the rising cost of access to innovative cyber services, tools, skills and expertise, continue to influence the ability of the global ecosystem to build a more secure cyberspace in the face of myriad transitions."

These factors are also ever-present in the accelerated disappearance of a healthy 'middle grouping' of organisations, adds the report [ie, those that maintain minimum standards of cyber resilience only]. "Despite this divide, many organisations indicate clear progress in certain aspects of their cyber capability. This year's outlook also finds cause for optimism, especially when considering the relationship between cyber and business executives. These are the major findings from this year's Global Cybersecurity Outlook and the key cyber trends that executives will need to navigate in 2024."
global risks

In parallel, the population of organisations that maintain a minimum level of cyber resilience is disappearing. Small and medium enterprises (SMEs), despite making up the majority of many countries' ecosystems, are being disproportionately affected by this disparity:

• The number of organisations that maintain minimum viable cyber resilience is down by 30%. While many large organisations demonstrated remarkable gains in cyber resilience, SMEs showed a significant decline
• More than twice as many SMEs as the largest organisations say they lack the cyber resilience to meet their critical operational requirements
• 90% of the 120 executives surveyed at the World Economic Forum's Annual Meeting on Cybersecurity said that urgent action is required to address this growing cyber inequity.

Emerging technology will exacerbate long-standing challenges related to cyber resilience, the report also points out. "This will, in turn, accelerate the divide between the most capable and the least capable organisations."

• As organisations race to adopt new technologies, such as generative AI, a basic understanding is needed of the immediate, mid-term and long-term implications of these technologies for their cyber-resilience posture
• Fewer than one in 10 respondents believe that, in the next two years, generative AI will give the advantage to defenders over attackers
• Around half of executives, according to the report, say advances in adversarial capabilities (phishing, malware, deepfakes) present the most concerning impact of generative AI on cyber.

CYBERWARFARE 'A RECURRING THEME'

Bernard Montel, EMEA technical director and cybersecurity strategist at Tenable, comments that the fact this year's WEF Global Risks Report ranks 'cyber insecurity' in its top five of the most severe risks over the next two years isn't surprising, with the threat of cyberwarfare a recurring theme throughout the report, as well as the 'rapid integration of advanced technologies' that are exposing more organisations and individuals to exploitation.

He also points out that the widespread adoption of cloud computing introduces new levels of vulnerability and management complexity that can be targeted by bad actors.

"Particular concern surrounds the use of Artificial Intelligence (AI) technologies to boost cyber warfare capabilities, with good reason," adds Montel. "While AI has made astronomical technological advancements in the last 12-24 months, allowing an autonomous device to make the final judgement is incomprehensible today.

"While AI is capable of quickly identifying and automating some actions that need to be taken, it's imperative that humans are the ones making critical decisions on where and when to act from the intelligence AI provides.

"It's also worth noting that AI has a major role to play in cyber defence. It can be used by cybersecurity professionals to search for patterns, explain what they're finding in the simplest language possible, and help them decide what actions to take to reduce cyber risk.

"AI can and is being harnessed by defenders to power preventive security solutions that cut through complexity to provide the concise guidance defenders need to stay ahead of attackers and prevent successful attacks," he states. "Harnessing the power of AI enables security teams to work faster, search faster, analyse faster and ultimately make decisions faster.

"As the report highlights, the threat of cyber insecurity is heightened with the evolving motivations driving these attacks - from monetised criminality all the way to geopolitical unrest. However, the manifestation of these threats remains unchanged. Threat actors are probing for the right combination of vulnerabilities, cloud misconfigurations and identity privileges that allow them to infiltrate and traverse cyber infrastructure. As defenders, we need to pre-empt this: to identify what attack paths exist and take steps to shut them down before they can be exploited. Organisations that can anticipate cyber-attacks and communicate those risks for decision support will be the ones best positioned to defend against emerging threats," he concludes.

Photo: Bernard Montel, Tenable: allowing an autonomous device to make the final judgment is incomprehensible today.
Photo: Jeremy Jurgens, World Economic Forum: as the cyber realm evolves, so do the challenges that threaten our digital world.
Photo: Jürgen Stock, third from left.

NO ONE IS SPARED

"No country or organisation is spared from cybercrime, yet many are direly underequipped to effectively face the threats, and we cannot have effective global response mechanisms without closing the capacity gap," says Jürgen Stock, secretary-general of INTERPOL. "It is crucial that key stakeholders work collaboratively towards immediate, strategic actions that can help ensure a more secure and resilient global cyberspace."

Emerging technologies, such as artificial intelligence (AI), are another key trend to watch in this year's outlook. Fewer than one in 10 respondents believe that in the next two years generative AI will give the advantage to defenders over attackers, and approximately half of experts surveyed agree that generative AI will have the most significant impact on cybersecurity in the next two years. Its rise is stoking fears among experts about the exacerbation of long-standing challenges, with around half of executives saying that AI-driven advances in adversarial capabilities of cybercriminals (phishing, malware, deepfakes) present the most concerning impact of generative AI on cybersecurity.

Despite these concerns, experts also highlighted an encouraging increase in focus on the importance of cybersecurity globally, particularly at the executive and CEO levels. The incorporation of cyber resilience into organisational risk management is also becoming more common, as per the report.

"Cyber resilience is increasingly dependent on a C-suite team that closely collaborates and communicates security priorities across the business and the industry," says Paolo Dal Cin, global lead, Accenture Security. "This approach provides a clear view of cyber risks and allows security to be embedded from the start in all strategic business priorities as well as across third parties, vendors and suppliers."

A stark divide between cyber-resilient organisations and those that are struggling has emerged. This clear divergence in cyber equity is exacerbated by the contours of the threat landscape, macroeconomic trends, industry regulation and early adoption of paradigm-shifting technology by some organisations. Other clear barriers, including the rising cost of access to innovative cyber services, tools, skills and expertise, continue to influence the ability of the global ecosystem to build a more secure cyberspace in the face of myriad transitions.

Meanwhile, the population of organisations that maintain a minimum level of cyber resilience is disappearing. Small and medium enterprises (SMEs), despite making up the majority of many countries' ecosystems, are being disproportionately affected by this disparity.

KEY TRENDS TO NAVIGATE

Key cyber trends identified in the report that executives will need to navigate in 2024 include:

• The number of organisations that maintain minimum viable cyber resilience has fallen by 30%. While large organisations demonstrated remarkable gains in cyber resilience, SMEs showed a significant decline.
• More than twice as many SMEs as the largest organisations say they lack the cyber resilience to meet their critical operational requirements.
• 90% of the 120 executives surveyed at the World Economic Forum's Annual Meeting on Cybersecurity said that urgent action is required to address this growing cyber inequity.

Ultimately, the WEF concludes, "raising systemic resilience - all organisations closing the inequities that divide and improving the resilience of what connects - is not only the most pressing requirement; it is the greatest responsibility".
ook review<br />
TEN DAYS… SEVEN DEADLY SINS... ZERO RI$K<br />
WHAT'S NOT TO LIKE WHEN YOUR BANK ACCOUNT GAINS AN EXTRA ZERO OR TWO AT CHRISTMAS?<br />
When customer complaints on<br />
Christmas Eve herald not a<br />
botched system upgrade, but<br />
the most sophisticated cyber-attack<br />
in history, new National Bank CEO<br />
Rob Tanner finds himself in the eye<br />
of a 'Black Swan' storm that no one<br />
predicted, but anyone could have<br />
anticipated.<br />
Tanner enlists the help of brilliant<br />
American computer security expert<br />
Ashley Markham, but the attacks only<br />
worsen: bank balances rise remorselessly<br />
and spread to all the nation's banks.<br />
The only clue to the hacker's intentions<br />
are cryptic emails that continually taunt<br />
Tanner and newly incumbent Prime<br />
Minister James Allen.<br />
With financial markets - and the very<br />
world as he knows it - on the brink of<br />
collapse, Tanner races against the clock<br />
to decode not just the bizarre emails,<br />
but also their deeper meaning, and the<br />
implications for whom he can really<br />
trust. All the while, his former boss,<br />
'The Toad', is seeking revenge... and<br />
answers of his own.<br />
This intriguing, multi-layered debut<br />
thriller follows the story of a disillusioned<br />
banker facing the unthinkable -<br />
where money no longer has any value,<br />
financial markets are meaningless and<br />
the economy is destroyed. Tanner must<br />
unravel the mystery of the hacker's<br />
obsession with Hieronymus Bosch's<br />
medieval representation of the seven<br />
deadly sins before modern society<br />
returns to the dark ages. This is<br />
definitely a page turner and perfect<br />
for fans of Dan Brown, Sam Bourne,<br />
Christopher Reich and Robert Harris,<br />
addressing many of the key issues that<br />
we are all now facing:<br />
Our dependence on technology in<br />
daily life<br />
The risks of cyber-terrorism<br />
Speaking truth to power<br />
A modern take on the seven deadly<br />
sins.<br />
The book moves between various locations,<br />
including London, Tanzania and Switzerland.<br />
ABOUT THE AUTHOR<br />
Simon Hayes is a seasoned professional,<br />
with a diverse background spanning<br />
financial services, executive search and<br />
consultancy. With more than three<br />
decades of international experience,<br />
he has lived in the US, Tokyo and Hong<br />
Kong. He began his career with Bank of<br />
Boston, Morgan Grenfell and James<br />
Capel, before spending much of the 90s<br />
in Asia, serving as head of equity<br />
research for Warburg in Japan and later<br />
as managing director for Salomon Bros<br />
and UBS in Hong Kong.<br />
A law graduate of Trinity Hall,<br />
Cambridge, Hayes is recognised as<br />
a top-ranked securities analyst by<br />
Extel and II, and later as the 'Best<br />
Headhunting Executive' in Japan by<br />
Asiamoney. He has also been an<br />
executive coach, mentor and financial<br />
consultant, spending much of 2023 in<br />
Zimbabwe on a major fraud case.<br />
PRINT FACTS<br />
Publisher: The Rubriqs Press<br />
ISBN: 9781738462407<br />
Price: HB: 16.99; EB: £4.99<br />
on-line exposure<br />
THE EVIL EYE<br />
THE VAST AMOUNTS OF PERSONAL<br />
DETAILS NOW FREELY AVAILABLE<br />
ON SOCIAL PLATFORMS - BACKED<br />
UP BY AI TOOLS - IS GIVING<br />
CYBERCRIMINALS LEVELS OF<br />
ACCESS AND CONTROL THAT NOT<br />
LONG AGO WOULD HAVE BEEN<br />
THOUGHT UNIMAGINABLE<br />
James Dyer, Egress: threat actors are now<br />
rubbing their hands with glee.<br />
New research warns that, in <strong>2024</strong>, QR<br />
code hacks or 'quishing' will increase;<br />
use of AI to create content for spam<br />
emails including deepfakes will rise; highly<br />
personalised social media mining will grow<br />
further; and a wide array of file types and<br />
formats - especially EML - will be used to<br />
propagate phishing and malware attacks.<br />
Such is the warning from James Dyer, threat<br />
intelligence lead at Egress. How can we guard<br />
against such attacks?<br />
"As we share our lives on the internet, threat<br />
actors are rubbing their hands with glee," he<br />
says. "Concerns continue to grow about the<br />
volume of personal details readily available on<br />
social platforms, as well as how cybercriminals<br />
can use generative AI tools to exploit this<br />
data. Cybergangs have increasingly turned to<br />
open-source intelligence (OSINT) for cyber<br />
surveillance, using social media sources to<br />
deep dive [with very little time and cost] into<br />
an individual's job role, social connections and<br />
personal interests, with the intention of<br />
creating hyper-personalised phishing emails<br />
that persuade recipients to reveal sensitive<br />
information or transfer funds."<br />
Unequivocally, AI tools and chatbots have<br />
sped up the process between reconnaissance<br />
and attack, he adds. "Threat actors have<br />
been able to automate the analysis of data<br />
collected through OSINT and social media to<br />
quickly tailor phishing emails with convincing<br />
personalisation. Our recent research reinforces<br />
the concerns cybersecurity teams have,<br />
as 61% of cybersecurity leaders are losing<br />
sleep over AI chatbots being used to create<br />
phishing campaigns, plus 63% are specifically<br />
concerned about deepfakes."<br />
To safeguard data, a clear first step is to<br />
conduct a self-assessment through basic<br />
OSINT techniques. "Search your<br />
name, usernames and images<br />
online to gauge the extent of your<br />
digital footprint," advises Dyer.<br />
"Depending on your findings, consider<br />
adjusting your social media privacy<br />
settings to limit attackers' access to personal<br />
information. With the growing threat of<br />
deepfakes, it is also good to be cautious<br />
about sharing videos online to prevent<br />
potential exploitation of your voice.<br />
"When taking practical steps to minimise<br />
possible attack routes, it is sensible to reduce<br />
the number of email newsletters you sign<br />
up for and make sure unused social media<br />
accounts are deactivated. Ultimately, attackers<br />
can't use your data if there is less of it readily<br />
available to steal."<br />
ON THE DEFENCE<br />
John Scott, lead cyber security researcher at<br />
CultureAI, is in agreement that the rise of<br />
generative AI, deepfakes and QR phishing<br />
has undeniably diversified and evolved the<br />
threat landscape. "While the volume and<br />
sophistication of the attacks may increase,<br />
the underlying principles of these attacks<br />
remain unchanged. This means that defensive<br />
strategies can also equally stay largely the<br />
same. While it sometimes may feel like we are<br />
under siege, it's important to remember that<br />
this is the new normal.<br />
"The immense benefits the internet provides<br />
are not without cost. As new technologies<br />
appear, cybercriminals will seek to exploit<br />
them for their benefit. We are now all<br />
navigating a complex world where caution<br />
and vigilance are essential. As technical<br />
defences strengthen and are switched on by<br />
default, cybercriminals attack by exploiting<br />
our sense of urgency, pushing people for<br />
hasty responses, which may lead to errors and<br />
security breaches."<br />
For individuals, the most effective defence<br />
strategy is to slow down, states Scott. "Taking<br />
a moment to question the logic behind a<br />
request and double-checking can confirm its<br />
legitimacy. It's almost always better to act<br />
safely, rather than swiftly to reduce the<br />
chances of being pushed into making an<br />
error. That said, we must also accept that<br />
mistakes are inevitable. We're only human,<br />
after all."<br />
Our human response needs to be one part<br />
of a comprehensive, multi-layered approach<br />
to cyber security, he argues. "Each layer of<br />
defence might have vulnerabilities, but, when<br />
combined, they cover each other's gaps and<br />
form an effective barrier. For organisations,<br />
processes are vital. They provide structure and<br />
clarity, defining what each employee can and<br />
cannot do. While these processes might<br />
introduce some friction, it's a necessary<br />
inconvenience and a small price to pay<br />
for enhanced security."<br />
The 'security by design' concept is integral<br />
in this context. "It encapsulates the idea<br />
of building robust and failsafe systems,<br />
acknowledging that human errors are<br />
inevitable. This is where an effective human<br />
risk management platform becomes invaluable,<br />
integrating with your tech stacks<br />
and flagging workplace risks, such as<br />
sharing personal information in public chat<br />
channels or reusing passwords across SaaS<br />
applications. With these insights, security<br />
teams can deliver targeted education in the<br />
moment and either automatically fix risks or<br />
nudge employees to do so themselves with<br />
one click."<br />
Remember, people alone cannot be the<br />
sole line of defence, he concludes. "While<br />
their awareness and actions matter, it's the<br />
combination of people, processes and<br />
technology that forms the most effective<br />
defence against all cyber threats."<br />
CODE ALERT<br />
"How often do you scan a QR code without<br />
a second thought? They're now so integrated<br />
into our everyday lives for uses such as<br />
checking menus, parking our cars or getting<br />
into events," comments Edgar Zayas, director<br />
global advisory, BioCatch. "However, there's<br />
a dark side to QR codes becoming more<br />
commonplace - they're being exploited by<br />
fraudsters. The BBC recently found that there's<br />
been a nearly 50% increase in QR code scams<br />
in just three years."<br />
Scammers are creating fake QR codes and<br />
sneaking them into public spaces, he says,<br />
hoping that someone takes the bait. "Once<br />
scanned, webpages can look identical to<br />
the real thing, opening the door to phishing<br />
attacks, malware downloads, payment scams,<br />
or even data interception.<br />
"Over 80% of UK consumers buy products<br />
and services online, so it's safest to always<br />
approach scanning QR codes with caution.<br />
Confirm they're legit, check for alterations<br />
and scrutinise the URL. If you do fall foul<br />
to quishing, banks should have the right<br />
technology in place, such as behavioural<br />
biometric intelligence, to know when it's not<br />
you and protect your accounts. However,<br />
ultimately, prevention is better than cure."<br />
John Scott, CultureAI: defensive strategies<br />
can also equally stay largely the same.<br />
Edgar Zayas, BioCatch: how often do you<br />
scan a QR code without a second thought?<br />
events<br />
VIRTUOSO TO TAKE CENTRE STAGE<br />
GENERATIVE AI PRESENTER AND DEEPFAKE EXPERT HENRY AJDER<br />
WILL BE A KEYNOTE SPEAKER AT THIS YEAR'S INFOSEC SHOW<br />
Henry Ajder, a leading generative AI<br />
presenter and deepfake expert, will<br />
be a keynote speaker at this year's<br />
Infosec. His opening presentation, which<br />
takes place on Tuesday, 4 <strong>Jun</strong>e, will cover<br />
generative AI and the impact on the cyber<br />
security industry.<br />
Ajder will then be joined by Tope<br />
Olufon, senior analyst, Forrester, in a chat<br />
session, 'Wading through AI overload -<br />
where are we going and what are you<br />
doing?'. This will be seeking to address<br />
the sensationalism and speculation within<br />
the industry. They will discuss where the<br />
business needs lie for AI, how AI is being<br />
adopted and how to ensure AI-generated<br />
information is trustworthy.<br />
"I'm very much looking forward to<br />
sharing insights with leading cybersecurity<br />
professionals on the fast-evolving<br />
deepfakes and GenAI landscape,"<br />
says Ajder, "helping them to<br />
understand the potential opportunities<br />
and challenges that arise with the<br />
integration of AI into cyber. AI's role is<br />
no longer theoretical or a small segment,<br />
but a critical part of the threat and<br />
defence innovation landscape. Learning<br />
how to navigate the GenAI paradigm<br />
shift is essential to excelling in the<br />
cybersecurity industry both now and<br />
for an increasingly AI-centred future."<br />
AI HOPES AND FEARS<br />
Meanwhile, Infosecurity Europe has<br />
launched its '<strong>2024</strong> Cybersecurity Trends'<br />
report, which has uncovered findings<br />
into the current use of AI within<br />
organisations, expectations for future<br />
use and the risks that it presents. The<br />
research found that 50% of surveyed<br />
IT security decision makers admitted<br />
fearing that AI will lead to more<br />
attacks, a testament to the<br />
widespread impact of the<br />
technology for both security<br />
professionals and threat<br />
actors alike. Generative AI,<br />
ransomware and social<br />
engineering are the<br />
threats most likely to<br />
keep CISOs up at night,<br />
with over a third of<br />
survey respondents<br />
saying these issues were<br />
driving investment in cybersecurity.<br />
Despite the threat of attack, more than<br />
half (54%) responded that their organisations<br />
planned to integrate AI as part of<br />
their cybersecurity strategy in the next 12<br />
months. There was clear optimism that<br />
AI would have a positive impact on cyber<br />
professionals, with 42% agreeing that the<br />
technology would result in faster training,<br />
broader awareness and better education.<br />
With this in mind, generative AI could play<br />
a significant role in helping to bridge the<br />
skills gap in cybersecurity.<br />
According to the report, some 44% of<br />
respondents believe that AI will give their<br />
workforce the bandwidth to focus on<br />
future planning and business growth,<br />
which may be as a direct consequence<br />
of AI increasing automation within<br />
organisations. However, regulatory and<br />
ethical concerns could squeeze the brakes<br />
on some of this enthusiasm, with almost<br />
half of respondents stating that legislative<br />
challenges and moral dilemmas will slow<br />
their adoption of AI.<br />
Nicole Mills, exhibition director at Infosecurity<br />
Group, adds: "AI is completely<br />
transforming the way we do things in the<br />
workplace, but cybercriminals are also<br />
taking advantage of this evolving tech. Our<br />
survey highlights the AI risks to business,<br />
but it's great to see so many looking to<br />
integrate AI into their cybersecurity<br />
strategies over the coming year."<br />
You can register here to attend<br />
Infosecurity Europe <strong>2024</strong>.<br />
For more information about the event<br />
itself, visit here.<br />
Simplify work,<br />
protect devices<br />
and data<br />
with Jamf’s award-winning solution<br />
Trusted Access is Jamf’s vision for<br />
a zero trust experience that users<br />
love and organisations trust. Only<br />
authorised users, on enrolled devices<br />
that are secure and compliant,<br />
can access sensitive data.<br />
Visiting Black Hat Europe<br />
on 6–7 December?<br />
Join us at stand 513.<br />
www.jamf.com<br />
REQUEST YOUR FREE TRIAL TODAY
artificial intelligence<br />
THREAT OR TREAT?<br />
HOW ACCURATE MIGHT ELON MUSK, OWNER OF X AND TESLA, BE<br />
WHEN HE SAYS AI IS ONE OF THE "BIGGEST THREATS" TO HUMANITY?<br />
Artificial intelligence is on course to<br />
increase the volume and heighten the<br />
impact of cyberattacks over the next<br />
two years. That is the assessment of the<br />
National Cyber Security Centre (N<strong>CS</strong>C), which<br />
also concludes: "AI will almost certainly make<br />
cyberattacks against the UK more impactful,<br />
because threat actors will be able to analyse<br />
exfiltrated data faster and more effectively,<br />
and use it to train AI models."<br />
In the face of such dire predictions, are there<br />
any positives to be found that can rebalance<br />
the AI equation? Can the technology itself be<br />
used effectively to outsmart these dangers? If<br />
so, how is that likely to take shape and who<br />
will drive it? Might it even be an existential<br />
threat?<br />
FOCUS ON CYBERSECURITY<br />
What governments and organisations really<br />
need to engage with, rather than the<br />
existential question, is the many opportunities<br />
that AI presents to industry, comments Keiron<br />
Holyome, VP UKI & emerging markets,<br />
BlackBerry Cybersecurity. "We need to focus<br />
on the more immediate issues at hand. What<br />
are those immediate threats? Copyright<br />
infringement and spread of disinformation,<br />
yes, but - arguably - cybersecurity is the<br />
greater priority."<br />
Numerous examples show how AI-powered<br />
cybersecurity breaches can threaten national<br />
security, cripple national infrastructure, cause<br />
widespread panic and spread disinformation,<br />
as well as costing millions in recovery, he says.<br />
"We know that adversaries are deploying AI<br />
to make cyberattacks more sophisticated and<br />
successful, ramping up their volume, reach<br />
and efficacy. The latest BlackBerry Threat<br />
Report cited 3.7 new malicious samples<br />
of novel malware detected every minute.<br />
"The data indicates the use of AI by threat<br />
actors, meaning that, for effective defence,<br />
organisations now have no choice but to look<br />
well beyond human-only capabilities. In use<br />
against governments, businesses and citizens<br />
on a daily basis, AI is making cybercriminals<br />
more dangerous - and arguably more deadly -<br />
than ever before."<br />
But, as well as posing a significant threat,<br />
AI is also cybersecurity's greatest leveller, he<br />
believes. "It's a necessary technology for<br />
modern cyber protection and essential in<br />
the fight against malicious use - and it's<br />
critical that policy supports innovation and<br />
opportunity. AI protection takes cybersecurity<br />
to another level; enabling predictive, preventative<br />
action that stops would-be attacks at the<br />
door. It saves time and money, reducing the<br />
load on IT resources and helping to counter<br />
the growing shortage of cyber skills around<br />
the world."<br />
EMAIL ATTACKS<br />
"With social engineering attacks, like business<br />
email compromise (BEC), having already<br />
exposed losses of more than $50 billion<br />
over the past decade, it is clear that email<br />
continues to be a major threat vector in<br />
organisations today," states Mike Britton,<br />
CISO, Abnormal Security. "The proliferation<br />
of generative AI tools like ChatGPT have only<br />
catalysed modern phishing attacks, enabling<br />
threat actors to create personalised and<br />
seemingly authentic content that is often<br />
hard to distinguish from human-generated<br />
content."<br />
Not only are AI-generated email attacks<br />
more likely to deceive their recipients, they<br />
are also likely to bypass traditional security<br />
measures that rely on detecting known threat<br />
signatures. "To combat the threat of AI-generated<br />
email attacks, organisations will<br />
need to amp up their own defensive AI<br />
capabilities," he adds. "We need to evolve<br />
beyond legacy systems like secure email<br />
gateways, which look for known-bad<br />
behaviours like malicious links, blocked<br />
senders or bad IP addresses, and instead use<br />
behavioural models to learn the known-good<br />
behaviours in an organisation's email<br />
environment - things like each user's typical<br />
communication patterns or sign-in activity."<br />
AI then acts as a key line of defence by<br />
detecting anomalous behaviour that may<br />
indicate a potential attack, automatically<br />
remediating those suspicious emails before<br />
they reach end users. "This means that<br />
security teams could block sophisticated email<br />
attacks, even if they are AI-generated, appear<br />
highly realistic and omit traditional indicators<br />
of compromise. Measures like password<br />
management, multi-factor authentication,<br />
and privilege and permissions management<br />
can provide a final safety net, helping to<br />
reduce the attack surface and prevent further<br />
havoc, if attackers are able to infiltrate the<br />
network."<br />
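The behavioural-baseline approach Britton describes, as an added example that is not Abnormal Security's code: learn each user's known-good sign-in geography, working hours and email recipients from history, then score new events by how far they depart from that baseline rather than by matching known-bad links, senders or IP addresses. All users, domains and events below are constructed sample data.<br />

```python
"""Behavioural baseline scoring for sign-in and email events.

Added example, not Abnormal Security's code. Known-bad indicator matching
needs a malicious link, sender or IP to exist; this instead learns each
user's known-good patterns and flags departures from them, so an
AI-written email with no traditional IoC can still be caught.
All events are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Event:
    user: str
    kind: str                       # "signin" or "email"
    hour: int                       # hour of day, 0-23
    country: str = ""               # sign-in geography
    recipient_domain: str = ""      # outbound email recipient domain
    payment_request: bool = False   # asks for funds or bank-detail change


@dataclass
class Profile:
    """Known-good behaviour learned for one user from history."""
    countries: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)
    recipient_domains: Counter = field(default_factory=Counter)
    total: int = 0


def build_profiles(history):
    """Aggregate historical events into one Profile per user."""
    profiles = {}
    for ev in history:
        p = profiles.setdefault(ev.user, Profile())
        p.total += 1
        p.hours[ev.hour] += 1
        if ev.kind == "signin":
            p.countries[ev.country] += 1
        elif ev.kind == "email":
            p.recipient_domains[ev.recipient_domain] += 1
    return profiles


def score_event(profile, ev, rare_hour_share=0.05):
    """Return (score, reasons); a higher score is further from known-good."""
    if profile is None:
        # New user with no baseline: we cannot confirm known-good, so the
        # event gets a low, explicit uncertainty score rather than a pass.
        return 1, ["no baseline for user; cannot confirm known-good"]
    score, reasons = 0, []
    if profile.hours[ev.hour] / profile.total < rare_hour_share:
        score += 1
        reasons.append(f"unusual hour {ev.hour:02d}:00 for this user")
    if ev.kind == "signin" and ev.country not in profile.countries:
        score += 2
        reasons.append(f"first sign-in from {ev.country}")
    if ev.kind == "email":
        new_domain = ev.recipient_domain not in profile.recipient_domains
        if new_domain:
            score += 1
            reasons.append(f"first email to {ev.recipient_domain}")
        if ev.payment_request:
            # A payment request is riskier when paired with a first contact.
            score += 2 if new_domain else 1
            reasons.append("payment or bank-detail request")
    return score, reasons


def triage(history, new_events, threshold=2):
    """Return [(event, score, reasons)] for events at or above threshold."""
    profiles = build_profiles(history)
    flagged = []
    for ev in new_events:
        s, why = score_event(profiles.get(ev.user), ev)
        if s >= threshold:
            flagged.append((ev, s, why))
    return flagged


# Constructed baseline: a finance user signing in from GB in office hours
# and emailing two established counterparties.
HISTORY = [Event("finance.alice", "signin", h, country="GB")
           for h in (8, 9, 9, 10, 13, 14, 17)] + [
    Event("finance.alice", "email", h, recipient_domain=d)
    for h, d in ((9, "supplier.example"), (10, "supplier.example"),
                 (11, "bank.example"), (15, "supplier.example"),
                 (16, "bank.example"))]

# Constructed new events to score against that baseline.
NEW_EVENTS = [
    Event("finance.alice", "signin", 3, country="US"),
    Event("finance.alice", "email", 9, recipient_domain="supplier.example",
          payment_request=True),
    Event("finance.alice", "email", 9, recipient_domain="new-vendor.example",
          payment_request=True),
    Event("finance.alice", "email", 10, recipient_domain="supplier.example"),
    Event("bob.new", "signin", 9, country="GB"),
]

if __name__ == "__main__":
    for ev, s, why in triage(HISTORY, NEW_EVENTS):
        print(f"{ev.user} {ev.kind} score={s}: {'; '.join(why)}")
```

The first and third new events are flagged (a 03:00 sign-in from a never-seen country, and a payment request to a first-time recipient); the payment request to an established supplier scores below the threshold and is left for the normal flow.<br />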
ALTERED LANDSCAPE<br />
In 2023 alone, half of UK businesses reported<br />
suffering some form of cybersecurity breach,<br />
including the high-profile ransomware attack<br />
on the British Library, states Matt Frye, head<br />
of pre-sales and education at Hornetsecurity.<br />
"The recent research from the N<strong>CS</strong>C [National<br />
Cyber Security Centre], that Generative AI tools<br />
will aid amateur cybercriminals to launch more<br />
sophisticated attacks, is alarming - but not at<br />
all surprising for professionals in the sector.<br />
The rise of Generative AI has permanently<br />
changed the cybersecurity threat landscape<br />
for businesses in the UK. We've seen a rise in<br />
sophisticated attacks, such as phishing, which<br />
currently account for 43.3% of attacks.<br />
"The rise is partially due to the development<br />
of malicious kinds of widely used large<br />
language models (LLMs) such as DarkBERT<br />
and WormGPT. These programs automate<br />
processes, which means that amateur<br />
cybercriminals can now execute sophisticated<br />
cyber-attacks more easily, faster and with more<br />
precision. They can create far more compelling<br />
and targeted attacks, based on social engineering,<br />
for instance," adds Frye.<br />
THE RACE IS ON<br />
He also says a race has emerged between<br />
malicious actors and cybersecurity specialists,<br />
who are both using AI for different reasons.<br />
"Cybercriminals, armed with sophisticated<br />
AI tools, aim to target organisations at an<br />
unprecedented pace by automating attacks<br />
and adapting new strategies to bypass<br />
traditional defences. On the flip side, cybersecurity<br />
specialists are using AI to enhance<br />
threat detection, response, and mitigation.<br />
"AI can be used as a force for good and it's<br />
essential for cybersecurity professionals to<br />
continue rebalancing the AI equation by<br />
utilising this technology within protection<br />
packages to bolster defences for organisations.<br />
This is something we have been doing<br />
for some years at Hornetsecurity for Advanced<br />
Threat Protection; and solutions like our<br />
Security Awareness Service, for instance, use<br />
machine learning to adapt and evolve per<br />
individual user. AI is valuable for cybersecurity<br />
providers like Hornetsecurity for threat<br />
detection and pattern recognition, which in<br />
turn helps keep organisations safe from cyberattacks."<br />
AI EXPLOITATION<br />
While Frank Catucci, CTO and head of security<br />
research, Invicti Security, doesn't believe AI<br />
poses an existential threat, relative to its<br />
opportunities for good, he recognises that it<br />
is a tool that will be - and already is - used by<br />
threat actors to increase the speed, volume<br />
and methods of attack in a number of ways.<br />
"Using AI tools to aid attacks and attacking AI<br />
tools themselves to poison code or otherwise<br />
inject harmful/malicious elements are both<br />
ways that AI poses a threat to organisations.<br />
Alternatively, AI also holds an unrealised<br />
promise to improve vulnerability detection,<br />
risk assessment, correlation and remediation<br />
of said vulnerabilities.<br />
"Just in the way criminal attackers can use AI,<br />
so can organisations, security vendors and<br />
practitioners use these tools to improve their<br />
defences. For example, using AI to prioritise<br />
vulnerability or risk data and direct teams to fix<br />
issues accordingly, or leveraging AI-enhanced<br />
security tools to speed detection."<br />
The primary issue in fully realising the<br />
opportunities will be in processes or rather<br />
the human element within companies to use<br />
these tools effectively to keep pace with bad<br />
actors. "Where organisations have policies,<br />
protocols and often siloed operations that<br />
can slow innovation," further comments<br />
Catucci, "hackers usually don't follow those<br />
rules, so until organisations can break down<br />
barriers-to-speed safely, they may always be<br />
a step behind."<br />
Keiron Holyome, BlackBerry Cybersecurity:<br />
we need to focus on the more immediate<br />
issues at hand - cybersecurity is the<br />
greater priority.<br />
Mike Britton, Abnormal Security: to combat<br />
the threat of AI-generated email attacks,<br />
organisations will need to amp up their own<br />
defensive AI capabilities.<br />
Frank Catucci, Invicti Security: just as<br />
criminal attackers can use AI, so can<br />
organisations, security vendors and<br />
practitioners use these tools to improve<br />
their defences.<br />
Matt Frye, Hornetsecurity: the rise of<br />
Generative AI has permanently changed<br />
the cybersecurity threat landscape for<br />
businesses in the UK.<br />
DEEP TROUBLE<br />
AI-generated deep fakes are also fast causing<br />
havoc, says Jordan Avnaim, Entrust. "From<br />
allegedly doctored footage of Ukrainian<br />
President Zelenskyy urging soldiers to<br />
surrender, to falsified videos of Donald Trump<br />
being arrested and forged robocalls attributed<br />
to President Biden, the quality of deep fakes<br />
continues to advance.<br />
"As new, more powerful models like Sora<br />
from OpenAI hit the market, this content will<br />
become increasingly convincing. However,<br />
these techniques are being used for more than<br />
just misinformation. In Hong Kong, scammers<br />
recently orchestrated a video conference call,<br />
using deepfakes to impersonate executives of<br />
a multinational firm, convincing a finance<br />
worker to transfer approximately $25 million."<br />
Amidst these challenges lies hope, though,<br />
he adds. "Enhancing identity security is a key<br />
step in fighting AI threats. Decentralised<br />
identity systems can empower individuals by<br />
granting them sole ownership over encrypted<br />
personal data verified via digital keys, without<br />
exposing details to external parties. This type<br />
of set-up enables individuals to store sensitive<br />
attributes in a hardware-protected digital<br />
wallet, rather than databases vulnerable to<br />
breaches.<br />
FIGHTING OFF DEEP FAKES<br />
"Additionally, robust authentication of digital<br />
content is essential to combat deep fakes,"<br />
urges Avnaim. "Creators and publishers will<br />
need more sophisticated authentication<br />
methods to prove content is genuine. Using<br />
automated PKI certificates to digitally sign<br />
media, enabling audiences to verify<br />
authenticity through encryption, could<br />
facilitate this process.<br />
There are several advanced verification<br />
methods available to facilitate this transition.<br />
Today's facial biometrics can reliably match<br />
people to IDs and confirm liveness, ensuring<br />
authenticity while delivering smooth user<br />
experiences. Already seeing rapid growth in<br />
industries like banking and travel, biometrics<br />
can secure transactions and customer<br />
identification with minimal friction."<br />
ATTACK VERSUS DEFENCE<br />
Andrew Bolster, senior manager, research and<br />
development, at the Synopsys Software<br />
Integrity Group, sees cybersecurity, like every<br />
other form of crime, as fundamentally a game<br />
of economics: where the cost of attacking a<br />
valuable asset is less than the cost of<br />
defending it.<br />
"The explosion of Generative AI onto the<br />
security threat landscape has, so far, been an<br />
easier economic 'force-multiplier' for the<br />
attackers, but, as the technology matures, the<br />
pendulum is turning back to the side of the<br />
defender. Attackers are using GenAI to<br />
generate human-like content on a huge scale,<br />
flooding defenders; and they can either get<br />
'lucky' or use this smoke screen to slip in<br />
sophisticated attacks against critical<br />
infrastructure.<br />
"These technologies also apply in later phases<br />
of an attack profile, with attackers able to<br />
rapidly explore and horizontally spread within<br />
a compromised environment, leveraging the<br />
increasingly large context sizes of new LLMs<br />
to learn more, faster," he adds.<br />
"But those same technologies are being<br />
deployed to counter this new scale and speed<br />
of threat, much like the arms race between<br />
ticket-bots and CAPTCHAs that precipitated<br />
this same generative AI wave; identifying<br />
'suspicious behaviours' at scale, using the same<br />
wide input space as the attackers."<br />
And, as Bolster points out: "Cybersecurity has<br />
always been an ever-escalating technological<br />
cat-and-mouse game, with the attackers<br />
rapidly adopting new technologies with<br />
abandon and the defenders taking some time<br />
to get off the starting block with a new tool.<br />
"Occasionally, the mouse has the upper hand,<br />
but not for long."<br />
facial authentication<br />
FACE OFF!<br />
WHEN IT COMES TO DEVICE-BASED AND SERVER-BASED FACIAL<br />
AUTHENTICATION, WHICH, IF EITHER, IS THE MORE SECURE?<br />
Device-based facial authentication<br />
and server-based facial authentication<br />
are two methods that are<br />
commonly used for authenticating users<br />
on mobile devices. While both methods<br />
serve the same purpose of verifying<br />
a user's identity, they differ in their<br />
approach and functionality.<br />
"Device-based facial authentication is a<br />
method that relies on the device's built-in<br />
hardware and software to capture<br />
and analyse the user's facial features,"<br />
says Majid Munir, senior cybersecurity<br />
consultant of Celestix Networks, the<br />
digital identity and secure access<br />
company. "When a user sets up facial<br />
authentication on their device, the<br />
device creates a unique facial template<br />
of the user, which is stored locally on<br />
the device. This template is then used<br />
for subsequent authentication attempts.<br />
With device-based facial authentication,<br />
the entire authentication process takes<br />
place on the device itself, without<br />
needing external servers or networks."<br />
One of the main advantages of device-based<br />
facial authentication is its exclusivity<br />
to the device, he adds. "Since the<br />
facial template is stored locally on the<br />
device, external parties cannot access<br />
or tamper with it. This enhances the<br />
security of the authentication process,<br />
as there is no reliance on external<br />
servers or networks that may be<br />
vulnerable to cyberattacks."<br />
However, device-based facial authentication<br />
also has its limitations. "First,<br />
since the authentication process is<br />
exclusive to the device, users may face<br />
difficulties, if they need to authenticate<br />
using a different device. For example,<br />
if a user loses their device or upgrades<br />
to a new one, they will need to go<br />
through the registration process again<br />
to set up facial authentication on the<br />
new device. This can be inconvenient<br />
and time-consuming for users.<br />
"Another limitation of device-based<br />
facial authentication is that servers<br />
would not know the user's true identity.<br />
Since the authentication process occurs<br />
solely on the device, the server does not<br />
receive any information about the user's<br />
facial features or identity. This can pose<br />
challenges in scenarios where server-side<br />
authentication is required, such<br />
as accessing certain online services or<br />
platforms."<br />
On the other hand, adds Munir, server-based<br />
facial authentication addresses<br />
these limitations by relying on external<br />
servers to store and process facial<br />
data. With this method, the facial data<br />
captured by the device is transformed<br />
into a private key, encrypted and<br />
securely stored on the server side.<br />
The server then uses this private key<br />
to authenticate the user in subsequent<br />
authentication attempts.<br />
"One of the standout features of<br />
server-based facial authentication, such<br />
as the V-Key Smart authenticator, is its<br />
enhanced security and user experience.<br />
With V-Key facial authentication, the<br />
facial data is securely encrypted and<br />
stored in the V-Key cloud. This ensures<br />
the user's facial biometric information is<br />
protected from unauthorised access or<br />
tampering. Furthermore, users do not<br />
need to go through the registration<br />
process again, if they change their<br />
devices or lose their device. The<br />
encrypted facial data is already stored<br />
in the V-Key cloud, allowing users to<br />
authenticate with their face again to<br />
regain access simply."<br />
Majid Munir, Celestix Networks: both<br />
device-based and server-based facial<br />
authentication have pros and cons.<br />
Ultimately, both device-based and<br />
server-based facial authentication have<br />
pros and cons. "Device-based facial<br />
authentication provides a secure and<br />
exclusive authentication process, while<br />
server-based facial authentication offers<br />
enhanced security and a seamless user<br />
experience. The choice between the<br />
two methods finally depends on the<br />
specific needs and requirements of<br />
the users, and the applications they<br />
are accessing."<br />
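The device-based flow described above, as an added example in Python (not code from the article, from Celestix or from V-Key): the facial template and a per-device secret stay on the handset, the server issues a single-use challenge and receives only a keyed proof, so it never sees biometric data but can still tie a login to an enrolled device, and a replacement handset has to enrol again. The feature-vector matcher, its threshold and the HMAC stand-in for a signature are assumptions; a FIDO2 platform authenticator registers a public key and signs the challenge with the private one, which is the asymmetric version of the same exchange.

```python
import hashlib
import hmac
import secrets
import time

# Toy facial "template": a fixed-length tuple of feature values in [0, 1].
# Constructed for this example; a real system uses a vendor-specific embedding.
MATCH_THRESHOLD = 0.15   # largest mean absolute distance still accepted as the same face


def face_distance(a, b):
    """Mean absolute difference between two equal-length feature vectors."""
    if len(a) != len(b):
        raise ValueError("feature vectors differ in length")
    return sum(abs(x - y) for x, y in zip(a, b)) / len(a)


class Device:
    """Device-based authenticator: the template and the device key never leave it."""

    def __init__(self, device_id):
        self.device_id = device_id
        self.template = None      # facial template, stored only on the device
        self.device_key = None    # per-device secret, stored only on the device

    def enrol(self, face_sample):
        """Create the local template and a device key and return the registration
        record for the server.  Simplification: a FIDO2 authenticator would hand
        over a public key and keep the private half."""
        self.template = tuple(face_sample)
        self.device_key = secrets.token_bytes(32)
        return self.device_id, self.device_key

    def authenticate(self, face_sample, challenge):
        """Match locally; only on success, prove possession of the device key over
        the server's fresh challenge.  No biometric data is ever transmitted."""
        if self.template is None:
            raise RuntimeError("device not enrolled: registration required")
        if face_distance(self.template, face_sample) > MATCH_THRESHOLD:
            return None   # local match failed: nothing is sent to the server
        mac = hmac.new(self.device_key, self.device_id.encode() + challenge, hashlib.sha256)
        return {"device_id": self.device_id, "challenge": challenge, "proof": mac.digest()}


class Server:
    """Holds no biometric data: only registered device keys and live challenges."""

    def __init__(self):
        self.registered = {}     # device_id -> device_key
        self.outstanding = {}    # challenge -> expiry (epoch seconds)

    def register(self, device_id, device_key):
        self.registered[device_id] = device_key

    def new_challenge(self, ttl_seconds=60):
        challenge = secrets.token_bytes(16)
        self.outstanding[challenge] = time.time() + ttl_seconds
        return challenge

    def verify(self, assertion):
        """Accept only a fresh, unused challenge answered with the key registered
        for the claimed device; a replayed assertion fails on its second use."""
        if assertion is None:
            return False
        expiry = self.outstanding.pop(assertion["challenge"], None)
        if expiry is None or time.time() > expiry:
            return False
        key = self.registered.get(assertion["device_id"])
        if key is None:
            return False
        expected = hmac.new(key, assertion["device_id"].encode() + assertion["challenge"],
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["proof"])


def run_scenario():
    """Enrolment, a genuine login, a replay, an impostor, and a device upgrade."""
    server = Server()
    phone = Device("phone-1")
    enrolled_face = (0.10, 0.80, 0.35, 0.60)   # constructed sample
    server.register(*phone.enrol(enrolled_face))

    same_face = (0.12, 0.78, 0.36, 0.62)       # same person, sensor noise
    other_face = (0.90, 0.10, 0.70, 0.20)      # someone else
    results = {}

    assertion = phone.authenticate(same_face, server.new_challenge())
    results["genuine"] = server.verify(assertion)
    results["replay"] = server.verify(assertion)     # same assertion presented again
    results["impostor"] = server.verify(phone.authenticate(other_face, server.new_challenge()))

    new_phone = Device("phone-2")                    # user upgrades: no template here
    try:
        new_phone.authenticate(same_face, server.new_challenge())
        results["new_device_needs_enrolment"] = False
    except RuntimeError:
        results["new_device_needs_enrolment"] = True
    results["server_knows"] = sorted(server.registered)   # device ids only, no faces
    return results


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

Running it shows a genuine login accepted, the same assertion rejected on replay, an impostor face rejected on the device before anything is sent, and the new handset refusing to authenticate until it is enrolled.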
www.computingsecurity.co.uk @CSMagAndAwards May/June 2024 computing security<br />
insider threats<br />
INSIDE OUT<br />
INSIDER THREATS HIT MORE THAN 34% OF COMPANIES WORLDWIDE EVERY YEAR. UNLESS ORGANISATIONS<br />
COME UP WITH A CLEAR AND FEASIBLE ACTION PLAN THAT FIGURE LOOKS AS IF IT WILL ONLY GET WORSE<br />
It is estimated that, every day, around 2,500<br />
internal security holes are found in US<br />
businesses, while insider threats hit more<br />
than 34% of companies worldwide every year.<br />
Worryingly, 66% of organisations questioned<br />
believed that attacks from the inside were<br />
more likely than attacks from the outside,<br />
according to the latest research. With the<br />
big losses that are likely to result from such<br />
incidents when it comes to a company's<br />
finances - and reputation - what are the<br />
workable, effective solutions for mitigating<br />
these threats?<br />
RISK MITIGATION<br />
"Insiders don't act maliciously most of the<br />
time," points out Ian Robinson, chief architect,<br />
Titania. "That's why it's often harder to detect<br />
harmful insider activities than it is to detect<br />
external attacks. Insiders know the weaknesses<br />
of an organisation's cybersecurity, and the<br />
location and nature of sensitive data they can<br />
exploit. The statistics show that insider threats<br />
pose a significant challenge to businesses<br />
worldwide, highlighting the need for proactive<br />
and robust risk mitigation strategies. There is<br />
no one solution that can address all these<br />
threats; rather a combination of people,<br />
processes and technology working together."<br />
As part of this, adopting a Zero Trust model -<br />
which requires all internal and external users to<br />
be continuously authenticated and authorised<br />
before being granted access to applications and<br />
data - and implementing effective network<br />
segmentation is a proven way to reduce the risk<br />
associated with insider attacks, he argues. "By<br />
segmenting the networks, either physically or<br />
logically, and reducing the number of people<br />
who have access to the more critical segments,<br />
organisations can significantly reduce their<br />
attack surface. And by constructing a micro<br />
perimeter around the protect surface - critical<br />
segments that require special permissions to<br />
access - network architects can ensure only<br />
authorised users can access assets within, while<br />
all others are blocked."<br />
Then, vigilance is crucial to detect and<br />
address potential risks originating from within<br />
the organisation, states Robinson. "For<br />
example, an attacker might focus on non-repudiation<br />
by disabling audit logging to<br />
conceal the next phase of their attack, which<br />
might be to manipulate firewall rules or create<br />
a new route to allow the attacker to move<br />
laterally across the network to access a critical<br />
segment - such as the Cardholder Data<br />
Environment, for example. They are likely to<br />
start with the first phase and then wait to see<br />
how effective an organisation's incident<br />
response is before proceeding." This is where<br />
proactive security comes in, seeking out and<br />
remediating network vulnerabilities to mitigate<br />
threats and threat conditions before they pose<br />
a risk to the organisation.<br />
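As an added example (not Titania's code and not from the article), a Python correlation rule for the two-phase sequence Robinson describes: over constructed command-accounting lines, a command that switches off audit logging raises a warning on its own and escalates to critical when the same device then receives a firewall-rule or route change within a window. The line format, the command patterns and the 24-hour window are assumptions to adapt to your own device export; the point is to alert on the first phase rather than wait for the second.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed command-accounting lines (assumption: a simplified syslog/AAA shape;
# real exports differ, so adapt LINE_RE to your device's format).
SAMPLE_LOG = """\
2024-05-02T09:12:03Z fw-edge-1 user=jsmith cmd="show running-config"
2024-05-02T09:14:41Z fw-edge-1 user=jsmith cmd="no logging host 10.0.5.20"
2024-05-02T13:02:10Z fw-edge-1 user=jsmith cmd="access-list 110 permit tcp any 10.10.0.0 0.0.255.255 eq 1433"
2024-05-02T13:05:55Z fw-edge-1 user=jsmith cmd="ip route 10.10.0.0 255.255.0.0 10.0.9.1"
2024-05-03T08:00:00Z fw-edge-2 user=ops-bot cmd="ip route 192.168.40.0 255.255.255.0 10.0.9.1"
2024-05-03T08:30:00Z fw-edge-2 user=ops-bot cmd="no logging buffered"
this line is not in the expected format and is skipped
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<device>\S+) user=(?P<user>\S+) cmd="(?P<cmd>[^"]*)"$')
# Phase one: commands that switch off audit trails (assumed patterns; extend per platform).
LOGGING_OFF_RE = re.compile(r'^(no logging\b|logging .*\b(off|disable)\b|no (aaa accounting|audit)\b)')
# Phase two: commands that change policy or reachability.
RULE_CHANGE_RE = re.compile(r'^(no )?(access-list\b|ip route\b|route add\b|iptables\b|nft\b)')

WINDOW = timedelta(hours=24)   # assumed dwell time between the two phases


def parse(log_text):
    """Turn accounting lines into time-ordered event dicts, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "device": m["device"], "user": m["user"], "cmd": m["cmd"]})
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events, window=WINDOW):
    """Critical: a logging-disable followed within `window` by a rule or route change
    on the same device.  Warning: a logging-disable with no follow-up seen (yet)."""
    alerts = []
    pending = []         # logging-disable events awaiting a follow-up change
    matched = set()      # indexes into `pending` that produced a critical alert
    for e in events:
        if LOGGING_OFF_RE.match(e["cmd"]):
            pending.append(e)
            continue
        if not RULE_CHANGE_RE.match(e["cmd"]):
            continue
        for i, p in enumerate(pending):
            if p["device"] == e["device"] and e["ts"] - p["ts"] <= window:
                alerts.append({"severity": "critical", "device": e["device"], "user": e["user"],
                               "logging_off": p["cmd"], "change": e["cmd"],
                               "gap_minutes": int((e["ts"] - p["ts"]).total_seconds() // 60)})
                matched.add(i)
    for i, p in enumerate(pending):
        if i not in matched:
            alerts.append({"severity": "warning", "device": p["device"], "user": p["user"],
                           "logging_off": p["cmd"], "change": None, "gap_minutes": None})
    return alerts


if __name__ == "__main__":
    for a in correlate(parse(SAMPLE_LOG)):
        print(a)
```

On the sample, fw-edge-1 produces two critical alerts (the access-list and the static route, both a few hours after logging was turned off) and fw-edge-2 a warning, because its route change happened before logging was disabled and nothing has followed yet.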
UNWITTING BAD ACTORS<br />
While insider threats are a valid concern for<br />
companies, the number of intentional internal<br />
bad actors is relatively small; the real threat<br />
lies with unwitting bad actors who have been<br />
subjected to phishing attacks or dormant<br />
accounts that provide access to the<br />
organisation, states Dave McGrail, head of<br />
business consultancy at Xalient. "As such,<br />
companies cannot ignore the risk associated<br />
with this threat and should implement a zero-trust<br />
approach to reducing the attack surface<br />
and mitigating risk - with robust identity and<br />
access management being a key starting<br />
point."<br />
Over the years, many companies have<br />
neglected good housekeeping practices<br />
around effective identity and access<br />
management, which leads to poor identity<br />
hygiene within the environment, he adds.<br />
"This has a knock-on effect on security, as too<br />
many domain administrators, administrator<br />
accounts, service accounts and more are<br />
allowed untracked and uncontrolled logins,<br />
without the knowledge of who is using them,<br />
for what and why. This lack of knowledge and<br />
management results in the accounts<br />
remaining active as IT departments are too<br />
scared to delete them for fear of breaking<br />
something and yet these are exactly what<br />
threat actors are looking to attack. Through<br />
these attacks, outsiders can masquerade as<br />
insiders by attacking the identity of those from<br />
within the organisation."<br />
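A starting point for the identity hygiene McGrail describes, as an added example in Python (not Xalient's code and not from the article): over a constructed directory export, flag enabled accounts that are dormant, have stale credentials or have no recorded owner, rank the privileged ones first, and recommend disabling before deleting so that nothing breaks irrecoverably. Column names, thresholds and the privileged-group list are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

AS_OF = datetime(2024, 5, 1)                 # assumed review date
DORMANT_AFTER = timedelta(days=90)           # assumed thresholds; set to your policy
PASSWORD_STALE_AFTER = timedelta(days=365)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Backup Operators", "Account Operators"}

# Constructed directory export (assumption: the column names are illustrative).
ACCOUNT_EXPORT = """\
name,enabled,last_logon,pwd_last_set,member_of,owner,kind
jsmith,true,2024-04-29,2024-02-01,Domain Users,jsmith,user
svc-backup,true,2023-11-02,2021-06-15,Backup Operators;Domain Users,,service
old-admin,true,2023-09-10,2023-01-05,Domain Admins;Domain Users,,user
contractor7,false,2023-12-01,2023-06-01,Domain Users,pmoore,user
mlee,true,2024-01-15,2024-01-10,Domain Users,mlee,user
svc-sql,true,2024-04-30,2024-03-12,Domain Users,dba-team,service
"""


def parse_export(text):
    """Read the export into typed records; an empty owner means nobody is on record."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "name": r["name"],
            "enabled": r["enabled"].strip().lower() == "true",
            "last_logon": datetime.strptime(r["last_logon"], "%Y-%m-%d"),
            "pwd_last_set": datetime.strptime(r["pwd_last_set"], "%Y-%m-%d"),
            "groups": {g for g in r["member_of"].split(";") if g},
            "owner": r["owner"].strip() or None,
            "kind": r["kind"],
        })
    return rows


def assess(accounts, as_of=AS_OF):
    """Flag enabled accounts that are dormant, have stale credentials or no owner,
    ranking privileged ones first and recommending disable-before-delete."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue                    # already disabled; nothing to action here
        issues = []
        if as_of - a["last_logon"] > DORMANT_AFTER:
            issues.append("dormant")
        if as_of - a["pwd_last_set"] > PASSWORD_STALE_AFTER:
            issues.append("stale password")
        if a["owner"] is None:
            issues.append("no owner")
        if not issues:
            continue
        privileged = bool(a["groups"] & PRIVILEGED_GROUPS)
        if privileged:
            severity = "high"
            action = "disable now; privileged-access review within 30 days"
        elif "dormant" in issues:
            severity = "medium"
            action = "disable (do not delete) and notify owner"
        else:
            severity = "low"
            action = "assign an owner and rotate the credential"
        findings.append({"name": a["name"], "kind": a["kind"], "privileged": privileged,
                         "issues": issues, "severity": severity, "action": action})
    findings.sort(key=lambda f: ("high", "medium", "low").index(f["severity"]))
    return findings


if __name__ == "__main__":
    for f in assess(parse_export(ACCOUNT_EXPORT)):
        print(f"{f['severity']:6} {f['name']:12} {', '.join(f['issues'])}  ->  {f['action']}")
```

Disabling rather than deleting is deliberate: a disabled account that something still depended on can be re-enabled in minutes, which removes the fear of breakage McGrail describes while closing the login.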
As well as implementing a zero-trust<br />
strategy, organisations must also balance<br />
prevention effort and investment with detection<br />
and response capability, doubling down on<br />
identity, he argues, by using Identity Threat<br />
Detection and Response (ITDR) to detect and respond to<br />
identity-based attacks. "This approach involves<br />
improving the visibility of events from identity<br />
platforms, incorporating Identity and Access<br />
Management (IAM), Privileged Account<br />
Management (PAM) and Identity Governance<br />
and Administration (IGA).<br />
"Combining ITDR with Zero Trust principles,<br />
companies benefit from the added value of<br />
driving access based on identity, along with<br />
the additional benefit of the added context<br />
around identity [device posture, location, time-of-day],<br />
measured against normal behaviour<br />
for that user," says McGrail. "There is huge<br />
value in understanding what is being accessed,<br />
when and by whom. This understanding<br />
forms the basis for anomaly detection, alerting<br />
the team to potential threats, and enabling<br />
them to respond to threats in a timely and<br />
effective way."<br />
PROTECTIVE SOLUTIONS<br />
To adequately address insider threats,<br />
organisations need solutions that protect the<br />
core identity system itself - for example, by<br />
highlighting vulnerabilities and attack paths<br />
that insiders can abuse, detecting and<br />
automatically remediating risky changes,<br />
and providing post-breach forensics to close<br />
backdoors left by malicious insiders.<br />
"In particular, organisations that are in the<br />
midst of major transitions, such as consolidating<br />
business offices or reducing the overall<br />
workforce, need the ability to take action on<br />
suspicious activity from high-risk users," advises<br />
Semperis chief scientist Igor Baikalov. "This<br />
could include employees who are flagged as<br />
a flight risk or who are slated for upcoming<br />
termination. An insider with malicious intent<br />
could use their privileged access to compromise<br />
the organisation's system for a variety<br />
of reasons, from monetary gain to revenge.<br />
"It's important to bear in mind that anyone<br />
who has permission to access critical business<br />
assets can potentially abuse that privilege,<br />
whether that's through malicious intent or<br />
through carelessness. Employees, contractors,<br />
vendors and partners can all inflict devastating<br />
damage on organisations. Negligence can lead<br />
to system compromise in several ways, but<br />
the result is the same: because of a mistake<br />
someone made - for example, an end user who<br />
left their laptop unlocked or an Active Directory<br />
admin who failed to follow defined employee<br />
off-boarding policies - privileged credentials<br />
become easy pickings for bad actors."<br />
Defending against insider threats requires<br />
a concerted effort, adds Baikalov: a comprehensive<br />
strategy that addresses every phase<br />
of the attack lifecycle, including prevention,<br />
remediation and recovery.<br />
CLOUDY OUTCOMES<br />
Chris Doman, CTO and co-founder, Cado<br />
Security, points to how insider threats can<br />
be even more difficult to detect and prevent<br />
in the cloud. "Business practices including<br />
employee training, clear policies and procedures,<br />
fostering a culture of trust and transparency<br />
and collaboration with security teams<br />
can help to reduce the risk of insider threats.<br />
"For security teams, fast investigations are key.<br />
The issue is that best practices for managing<br />
and detecting insider threats that work well in<br />
on-prem environments don't translate across<br />
into cloud environments.<br />
"The proliferation of cloud resources across a<br />
multitude of cloud providers and the addition<br />
of container and serverless capabilities create<br />
complexities around detecting suspicious<br />
activity such as excessive privilege use. The<br />
basics such as implemented and reviewed<br />
access controls, encryption, and monitoring<br />
for suspicious activity in general are key.<br />
"A proactive approach to breaches enables<br />
security teams to understand whether they are<br />
prepared to quickly investigate and respond to<br />
insider threats before an incident occurs. This<br />
ensures that when an incident is detected, the<br />
security team will have the ability to quickly<br />
identify the root cause and remediate the<br />
threat," adds Doman.<br />
MALICIOUS VERSUS ACCIDENTAL<br />
Neil Langridge, marketing & alliances director,<br />
e92plus, draws a clear distinction between<br />
various insider threats - and first comes the<br />
malicious insider. "This can be a dangerous<br />
threat, as the user can leverage their<br />
understanding of a business and where their<br />
security posture may have weaknesses.<br />
A good place to start is often joiners, movers<br />
and leavers - a change of role can be the ideal<br />
point at which users can find the opportunity<br />
to exfiltrate data or compromise the defences<br />
of a business. Just as layers of defence are an<br />
established cybersecurity principle, layers of<br />
authorisation or authentication are also key,<br />
especially where confidential data is involved,<br />
or access to critical systems."<br />
Ian Robinson, Titania: adopting a Zero<br />
Trust model is a proven way to reduce<br />
the risk associated with insider attacks.<br />
Chris Doman, Cado Security: a proactive<br />
approach enables security teams to quickly<br />
identify the root cause of a breach and<br />
remediate the threat.<br />
Jon Fielding, Apricorn: The 3-2-1 rule is<br />
an effective means to facilitate recovery.<br />
Neil Langridge, e92plus: behaviour profiling<br />
can be essential, as the attacker won't fully<br />
know processes or the business culture.<br />
Then there's the second type: the accidental<br />
or compromised insider threat. "This can be<br />
where a user has been unwittingly profiled<br />
and their user credentials have been obtained<br />
by an attacker - whether that's through social<br />
engineering [such as the MGM Casino attack,<br />
which leveraged a help desk engineer] or from<br />
a data breach [and the credentials hadn't been<br />
changed post-breach]. This is still a form of<br />
insider threat, as there's no attack as such -<br />
and it's increasingly common," cautions<br />
Langridge.<br />
"Such attacks allow bad actors to hide<br />
perfectly, understand an organisation and<br />
operate as an insider, so without drawing any<br />
unwanted attention. This is where behaviour<br />
profiling can be essential, as the attacker won't<br />
fully know processes or the business culture,<br />
and tools like UEBA [User and Entity Behaviour<br />
Analytics] can therefore highlight potential<br />
incidents that form a pattern of non-standard<br />
behaviour."<br />
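One way to put McGrail's "context around identity, measured against normal behaviour for that user" and Langridge's UEBA point into code, as an added example rather than anything from Xalient, e92plus or the article: build a per-user baseline of devices, countries and sign-in hours from constructed identity-platform records, then score each new sign-in by how many of those it departs from, with device posture added on top. The field names, the one-hour tolerance and the severity scale are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sign-in records from an identity platform (assumption: field names are
# illustrative; map them from your IdP's sign-in log).  Each record is
# (user, local timestamp, device id, country, device passes posture check).
HISTORY = [
    ("alice", "2024-04-01T08:55:00", "LT-0142", "GB", True),
    ("alice", "2024-04-02T09:10:00", "LT-0142", "GB", True),
    ("alice", "2024-04-03T08:40:00", "LT-0142", "GB", True),
    ("alice", "2024-04-04T17:30:00", "LT-0142", "GB", True),
    ("alice", "2024-04-05T09:05:00", "LT-0142", "GB", True),
    ("bob",   "2024-04-01T22:00:00", "LT-0877", "US", True),   # bob works nights
    ("bob",   "2024-04-02T23:15:00", "LT-0877", "US", True),
    ("bob",   "2024-04-03T21:45:00", "MOB-31",  "US", True),
]

NEW_EVENTS = [
    ("alice", "2024-04-08T09:00:00", "LT-0142", "GB", True),    # routine
    ("alice", "2024-04-08T03:12:00", "VM-9b1f", "RO", False),   # credential likely in someone else's hands
    ("bob",   "2024-04-08T22:30:00", "MOB-31",  "US", True),    # routine for bob, odd for most
    ("carol", "2024-04-08T10:00:00", "LT-0005", "GB", True),    # never seen before: nothing to compare
]

HOUR_TOLERANCE = 1   # hours either side of a previously seen sign-in hour count as usual


def build_baseline(history):
    """Per-user sets of devices, countries and sign-in hours seen in the history window."""
    baseline = defaultdict(lambda: {"devices": set(), "countries": set(), "hours": set()})
    for user, ts, device, country, _compliant in history:
        b = baseline[user]
        b["devices"].add(device)
        b["countries"].add(country)
        b["hours"].add(datetime.fromisoformat(ts).hour)
    return dict(baseline)


def _hour_is_usual(hour, seen_hours):
    # circular distance so that 23:00 and 00:00 are one hour apart
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= HOUR_TOLERANCE for h in seen_hours)


def score_event(baseline, event):
    """Return the list of reasons this sign-in departs from the user's own normal."""
    user, ts, device, country, compliant = event
    reasons = []
    b = baseline.get(user)
    if b is None:
        reasons.append("no baseline for user")
    else:
        if device not in b["devices"]:
            reasons.append(f"new device {device}")
        if country not in b["countries"]:
            reasons.append(f"new country {country}")
        hour = datetime.fromisoformat(ts).hour
        if not _hour_is_usual(hour, b["hours"]):
            reasons.append(f"unusual hour {hour:02d}:00")
    if not compliant:
        reasons.append("device posture non-compliant")
    return reasons


SEVERITY = {0: "none", 1: "low", 2: "medium"}   # three or more reasons: high


def triage(history, new_events):
    baseline = build_baseline(history)
    out = []
    for ev in new_events:
        reasons = score_event(baseline, ev)
        out.append({"user": ev[0], "severity": SEVERITY.get(len(reasons), "high"), "reasons": reasons})
    return out


if __name__ == "__main__":
    for r in triage(HISTORY, NEW_EVENTS):
        print(r["user"], r["severity"], "; ".join(r["reasons"]) or "-")
```

Bob's 22:30 sign-in scores nothing because the baseline is his own, not the organisation's, while the same hour on Alice's account would count against it; that per-user comparison is what lets the tooling notice an outsider operating under a stolen identity without drowning the team in shift-pattern noise.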
For both forms of threat, as ever the first<br />
step before technology is process: just as<br />
authentication should be multi-factor with<br />
layers of approval, so should any business<br />
process (to avoid business email compromise<br />
or payment fraud) or access to critical data or<br />
infrastructure. "The next step is to review how<br />
their cybersecurity strategy can move towards<br />
a Zero Trust approach; this assumes trust must<br />
be earned, regardless of their status, and can<br />
help address the challenge of insider threat."<br />
ENFORCING THE '3-2-1 RULE'<br />
The insider threat has increased significantly,<br />
due to economic pressures and the way we<br />
work, with criminal groups now brazenly<br />
recruiting insiders. A recent study by Apricorn<br />
found that malicious leakage has doubled:<br />
a fifth of respondents suffered a breach<br />
attributable to a malicious employee during<br />
2023. Remote and hybrid working practices<br />
have almost certainly played a role, with 48%<br />
saying these workers had knowingly exposed<br />
data to a breach, up from 29% in 2022.<br />
"Both factors have made it harder to<br />
counter the insider threat, requiring the<br />
business to reinforce the security culture<br />
through staff awareness training and the<br />
application of technical controls to protect<br />
data," says Jon Fielding, managing director<br />
EMEA at Apricorn.<br />
"Acceptable Use Policies (AUP) are well<br />
established, but these policies must be<br />
reinforced through regular staff training.<br />
Crucially, the AUP should extend beyond just<br />
seeking approval for a device, with controls<br />
implemented on sanctioned devices." The<br />
survey found that policy enforcement is either<br />
non-existent or weak.<br />
In cases of neglect or error, rather than<br />
malicious intent, encryption can be used to<br />
boost defences. "However, encryption of<br />
physical devices has nose-dived," adds Fielding.<br />
"Only 12% encrypt data on laptops today,<br />
compared with 68% in 2022 and only 17%<br />
desktop computers, down from 65%.<br />
Similarly, only 13% encrypt mobile devices<br />
versus 55% in 2022; 17% USB sticks, down<br />
from 54%; and 4% portable hard drives,<br />
down from 57%."<br />
If data is compromised or stolen, the business<br />
must be able to recover and so it needs a<br />
watertight backup strategy, he adds. "The 3-2-1<br />
rule, which advocates at least three copies of<br />
data should be held on at least two different<br />
media with at least one held offsite (and<br />
preferably offline and encrypted), is an<br />
effective means to facilitate recovery, if the<br />
worst happens."<br />
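A check for the rule Fielding states, as an added example (not Apricorn's code and not from the article): given a constructed catalogue of every copy of a dataset, including the live one, report whether it meets 3-2-1 and warn when no offsite copy is both offline and encrypted, since an online copy reachable with the same administrative credentials is exactly what a malicious insider can wipe along with the original. The catalogue fields are assumptions.

```python
# Constructed backup catalogues for two datasets (assumption: a real catalogue exposes
# these attributes under different names).  Each entry is one copy of the data,
# including the live production copy.
INVENTORIES = {
    "finance-db": [
        {"location": "prod-san",   "media": "disk", "offsite": False, "offline": False, "encrypted": False},
        {"location": "dc2-nas",    "media": "disk", "offsite": True,  "offline": False, "encrypted": True},
        {"location": "tape-vault", "media": "tape", "offsite": True,  "offline": True,  "encrypted": True},
    ],
    "hr-share": [
        {"location": "prod-nas",   "media": "disk", "offsite": False, "offline": False, "encrypted": False},
        {"location": "snapshot",   "media": "disk", "offsite": False, "offline": False, "encrypted": False},
    ],
}


def check_321(copies):
    """Evaluate the 3-2-1 rule: at least three copies, on at least two media types,
    at least one of them offsite.  The 'preferably offline and encrypted' qualifier
    is reported as a warning rather than a failure."""
    media = {c["media"] for c in copies}
    offsite = [c for c in copies if c["offsite"]]
    resilient = [c for c in offsite if c["offline"] and c["encrypted"]]
    failures = []
    if len(copies) < 3:
        failures.append(f"only {len(copies)} copies (need 3)")
    if len(media) < 2:
        failures.append(f"only {len(media)} media type (need 2)")
    if not offsite:
        failures.append("no offsite copy")
    warnings = []
    if not resilient:
        warnings.append("no offsite copy that is both offline and encrypted")
    return {"passes": not failures, "failures": failures, "warnings": warnings}


def audit(inventories):
    """Run the check over every dataset in the catalogue."""
    return {name: check_321(copies) for name, copies in inventories.items()}


if __name__ == "__main__":
    for name, result in audit(INVENTORIES).items():
        status = "PASS" if result["passes"] else "FAIL"
        print(name, status, result["failures"] + result["warnings"])
```

A snapshot on the same array as the live data counts as a copy but not as a second medium, which is why hr-share fails on all three counts despite having two copies.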
INSIDER RISK MANAGEMENT<br />
Having an efficient and effective insider risk<br />
management (IRM) program can be challenging,<br />
due to several circumstances, states Kyle<br />
Kurdziolek, BigID's senior manager of cloud<br />
security. "IRM programs can be complex, due<br />
to the wide range of security technologies,<br />
monitoring solutions and behavioural analytics<br />
tools available. In a perfect world, all three of<br />
these solutions would mesh together and<br />
become the trifecta of an IRM solution. These<br />
all come together to deliver higher fidelity risks<br />
associated with insider threats and introduce<br />
capabilities to proactively eliminate known<br />
insider threats."<br />
From a technology perspective, data loss<br />
prevention (DLP) and data security posture<br />
management (DSPM) will aid and assist<br />
organisations in classifying their sensitive data<br />
and preventing unwanted exposure, he says.<br />
"Analysts spend a lot of unnecessary time trying<br />
to identify if a document was shared or<br />
whether said document contains confidential<br />
company information. A good starting point,<br />
if organisations are trying to mature IRM, is<br />
to establish DLP alongside DSPM to gain full<br />
visibility of what sensitive data is within the<br />
organisation and where it is at.<br />
"The next iteration would be combining<br />
this with user activity monitoring, which can<br />
provide additional telemetry to alerts captured<br />
by DLP or DSPM solutions. These tools can<br />
range from dedicated activity monitoring<br />
tools to applications embedded in security<br />
technologies or data from endpoints."<br />
However, as companies grow, the scale can<br />
become uncontrollable and requires higher-level<br />
technologies, like behaviour analytics,<br />
to further drill down into true insider threats.<br />
"This would be the final iteration of your IRM,<br />
as this introduces machine learning capabilities<br />
to understand what is indeed normal and<br />
what are the anomalies that should be<br />
investigated," says Kurdziolek.<br />
Monitoring employee activity does not come<br />
without a degree of risk. "Before pursuing<br />
an IRM program, consider investigating the<br />
approved use of insider threat tools and<br />
services. Organisations can and should speak<br />
with legal counsel and human resources<br />
members to establish guardrails for the<br />
collection, storage, sharing and analysis related<br />
to employee activity. These guardrails are what<br />
can help enable an organisation to have a<br />
successful prosecution of insider threats."<br />
LIMITED SYSTEM ACCESS<br />
One pivotal aspect of mitigating insider threats<br />
means limiting system access, comments Tim<br />
Freestone, chief strategy and marketing officer<br />
at Kiteworks. "By ensuring that administrators<br />
do not have unnecessary access to the operating<br />
system, organisations can significantly<br />
reduce the potential for these insiders to<br />
manipulate or compromise sensitive information<br />
and its metadata. This approach includes<br />
the implementation of hardened environments<br />
where the separation of duties is strictly<br />
enforced. Such measures prevent a single<br />
individual from having excessive control over<br />
sensitive data, thereby limiting access to critical<br />
settings exclusively to those directly accountable."<br />
It's also crucial to adopt policies that restrict<br />
end-user access to sensitive data, he adds,<br />
adhering to the principle of least privilege.<br />
"Users should only have access to the data<br />
necessary for their specific roles, with automatic<br />
expirations on content access based on organisational<br />
policies to further curb unauthorised<br />
access. Advancements in digital rights management<br />
(DRM) technology offer further protections<br />
against insider threats.<br />
"Features that allow users to access and edit<br />
content in real-time, without the ability to<br />
download, retain or forward the content, are<br />
essential. Such capabilities ensure that sensitive<br />
documents are not stored on local devices,<br />
significantly reducing the risk of data leakage."<br />
Supporting these technological measures,<br />
organisations should also deploy<br />
comprehensive monitoring and auditing<br />
systems. "These systems provide real-time logs<br />
and reports that can be integrated with<br />
security information and event management<br />
(SIEM) systems," adds Freestone.<br />
"By monitoring user actions and access to<br />
files, organisations can quickly identify and<br />
investigate suspicious behaviour, gathering<br />
the necessary details for potential HR or legal<br />
actions." The implementation of an insider<br />
threat compliance report can further enhance<br />
an organisation's ability to track and analyse<br />
insider activities.<br />
Kyle Kurdziolek, BigID: monitoring<br />
employee activity does not come without<br />
risk.<br />
Tim Freestone, Kiteworks: limiting system<br />
access can prevent a single individual from<br />
having excessive control over sensitive data.<br />
threats landscape<br />
THREATENING TIMES<br />
COMPUTING SECURITY ZOOMS IN ON SOME OF THE LATEST<br />
HAZARDS THAT ARE THREATENING THE INDUSTRY<br />
VIPRE Security Group, the cybersecurity,<br />
privacy and data protection company,<br />
has released its report 'Email Security<br />
in 2024: An Expert Look at Email-Based<br />
Threats'. The 2024 predictions for email<br />
security in this report are based on an analysis<br />
of over 7 billion emails processed by VIPRE<br />
worldwide during 2023. This equates to<br />
almost one email for everyone on the planet.<br />
Of those, roughly 1 billion (or 15%) were<br />
malicious.<br />
This research warns that, in 2024, QR code<br />
hacks or quishing will increase; use of AI to<br />
create content for spam emails, including<br />
deepfakes, will rise; highly personalised social<br />
media mining will grow further; and a wide<br />
array of file types and formats - especially EML<br />
- will be used to propagate phishing and<br />
malware attacks. There will also be a marked<br />
uptick in state-sponsored attacks.<br />
"When you take a look at the kinds of [email]<br />
threats we're seeing today, a lot of them are<br />
preventable," says Usman Choudhary, general<br />
manager, VIPRE Security Group. "It just takes<br />
the right tools, but most companies don't<br />
know they exist, because email doesn't always<br />
get the same kind of security attention as the<br />
rest of the network. Unfortunately, threat<br />
actors know this."<br />
ALPHV/BLACKCAT RANSOMWARE<br />
The ALPHV/BlackCat ransomware group<br />
recently claimed responsibility for major<br />
attacks on both Prudential Financial and<br />
LoanDepot, making a series of follow-on<br />
allegations against them both. Neither<br />
company seems to have had any of their<br />
stolen data leaked, although, if negotiations<br />
continued to stall, as ALPHV said they had,<br />
then a data dump could be the longer-term<br />
outcome.<br />
The advice from both CISA and the FBI is<br />
that victims should not pay ransom demands<br />
to cybercriminals, something that is frequently<br />
adhered to. However, when ransom demands<br />
aren't paid, victims can end up having their<br />
attacks made public knowledge, before<br />
continued non-compliance with the criminals'<br />
demands leads to data disclosure. That can<br />
have a serious impact on clients, as it is often<br />
their personal data that is affected.<br />
Stephen Robinson, senior threat intelligence<br />
analyst at WithSecure, says that ALPHV was<br />
ranked as one of the largest and most active<br />
ransomware groups in 2023. "Our research<br />
showed that ALPHV was responsible for<br />
8.82% of total leaks in 2023. Prudential<br />
Financial are a Fortune 500 company in the<br />
financial sector, so it's not surprising they were<br />
a target for ALPHV. Multiple organisations<br />
in the financial sector have been victims of<br />
ransomware attacks by ransomware gangs<br />
in recent months, probably at least in part,<br />
because the ideal victim for a ransomware<br />
attack is an entity with a high turnover, which<br />
holds sensitive data."<br />
ALPHV have been known to take part in<br />
what is known as 'big game hunting', striking<br />
well-known, high-valued targets, including<br />
several attacks against critical national<br />
infrastructure, such as the Canadian Trans<br />
Northern Pipeline. "So great is the threat of<br />
ALPHV's activities, and the disruption they<br />
have caused," adds Robinson, "that the US<br />
State Department has offered a reward for<br />
information leading to the arrest of members<br />
of the group."<br />
DIGITAL SAFETY GAMBLE<br />
A survey across the UK by Bitdefender has<br />
uncovered a stark reality: more than half of<br />
smartphone users are gambling with their<br />
digital safety. The alarming findings reveal<br />
that a staggering 50% of respondents are<br />
navigating the digital world without any<br />
form of mobile security, leaving them wide<br />
open to cyber-attacks. The survey paints a<br />
disturbing picture of complacency in the<br />
face of escalating cyber threats and found<br />
the following:<br />
• Despite 76% of respondents relying on<br />
smartphones for critical transactions,<br />
including banking and accessing sensitive<br />
accounts, 50.1% are neglecting basic<br />
security measures<br />
• Reasons for this negligence range from<br />
blind faith in the assumed invincibility<br />
of iOS (Apple) or Android systems (23%)<br />
to an alarming lack of awareness about<br />
available mobile security solutions (21%)<br />
• Additionally, 49% expressed genuine<br />
fears about being doxxed, a chilling<br />
practice in which hackers unearth and<br />
expose private information online, an<br />
issue made scarier by the unprecedented<br />
access that hackers now have to the most<br />
personal information that billions of people<br />
store on their smartphones<br />
• Consequently, 17% of respondents<br />
have experienced one or more security<br />
incidents in the last 12 months.<br />
These revelations underscore an urgent need<br />
for action as smartphones become prime<br />
targets for cybercriminals. With the proliferation<br />
of mobile devices and their central<br />
role in our lives, the risk of devastating cyberattacks<br />
has never been greater.<br />
GOING FOR BROKE<br />
CYJAX's latest research, 'Broken China', has<br />
some disturbing warnings, as it analyses the<br />
turbulent socio-economic situation in China<br />
and how this will likely lead to an increase in<br />
cyber espionage activities by the PRC to give<br />
Chinese businesses a competitive edge.<br />
The report finds that China is facing major<br />
economic pressures from all sides. Its economy<br />
is still suffering from the effect of COVID,<br />
its manufacturing industry is shrinking and its<br />
property sector is overleveraged, due to an<br />
aggressive borrowing strategy. There are also<br />
signs of growing dissent among its youth,<br />
driven by rising unemployment.<br />
Although there are remedies that could aid<br />
in China's economic recovery, its culture of<br />
nationalism and conservatism is inclined to<br />
make implementing them unlikely. There is<br />
also the threat of chillier US-China relations,<br />
if Donald Trump returns to the White House,<br />
which could mean even higher trade tariffs<br />
than today.<br />
With a bleak economic future looming,<br />
Cyjax predicts that the PRC will opt for more<br />
short-term solutions to grow its economy<br />
fast, and this will include more aggressive<br />
cyber espionage campaigns designed to steal<br />
foreign intellectual property (IP) and boost<br />
Chinese industry.<br />
The PRC employs various threat groups to<br />
conduct espionage campaigns and, over the<br />
next year, Cyjax expects to see a major uplift<br />
in activity from the following:<br />
• The Gallium group: active since at least<br />
2012, the group is well known for being<br />
part of Operation Soft Cell, which targets<br />
global telecoms and Microsoft Exchange<br />
servers. The group targets and steals IP<br />
from telecommunication, financial and<br />
government entities in Southeast Asia,<br />
Europe, Africa and the Middle East<br />
• Sandman: the group targets<br />
telecommunication providers in the Middle<br />
East, Western Europe and South Asia. It<br />
uses a novel backdoor that abuses the<br />
LuaJIT platform to deliver malware<br />
• Mustang Panda: the group has been<br />
observed targeting Beijing's nearer<br />
adversaries, mainly Southeast Asian<br />
governments<br />
• Volt Typhoon: believed to have been<br />
operating since 2021, the group targets<br />
critical US infrastructure for intelligence<br />
gathering purposes, in alignment with the<br />
requirements of the PRC.<br />
"China is a far more complex and nuanced<br />
territory than generally portrayed," states Ian<br />
Thornton-Trump, CISO at Cyjax. "Its internal<br />
pressures are likely to lead to increased cyber<br />
espionage activity, rather than slowing it<br />
down. The PRC's approach to cyberspace has<br />
always been to use it to advance its business<br />
interests, extracting technologies from<br />
Western companies and creating a protected<br />
domestic market for these industries, giving<br />
them an advantage in the global market.<br />
With a better understanding of the country's<br />
internal forces, and how these relate to its<br />
cyber strategy, we can plan better defences<br />
against PRC cyber espionage."<br />
THE EMAIL THREAT FACTOR<br />
"With social engineering attacks like business<br />
email compromise (BEC) having exposed<br />
losses of more than $50 billion over the past<br />
decade, it is clear that email continues to be<br />
a major threat vector in organisations today."<br />
That is the warning from Mike Britton, CISO,<br />
Abnormal Security.<br />
"The proliferation of generative AI tools like<br />
ChatGPT has only catalysed modern phishing<br />
attacks, enabling threat actors to create personalised<br />
and seemingly authentic content<br />
that is often hard to distinguish from<br />
human-generated content. Not only are AI-generated<br />
email attacks more likely to deceive their<br />
recipients, they are also likely to bypass<br />
traditional security measures that rely on<br />
detecting known threat signatures.<br />
Ian Thornton-Trump, Cyjax: China's<br />
internal pressures are likely to lead to<br />
increased cyber espionage activity.<br />
Usman Choudhary, VIPRE Security: email<br />
doesn't always get the same kind of security<br />
attention as the rest of the network.<br />
Stephen Robinson, WithSecure: research<br />
showed that ALPHV was responsible for<br />
8.82% of total leaks in 2023.<br />
Ilia Kolochenko, ImmuniWeb: LLMs have<br />
a fairly narrow application in cybercrime.<br />
"To combat the threat of AI-generated email<br />
attacks, organisations will need to amp up<br />
their own defensive AI capabilities. We need<br />
to evolve beyond legacy systems like secure<br />
email gateways, which look for known-bad<br />
behaviours, like malicious links, blocked<br />
senders or bad IP addresses, and instead use<br />
behavioural models to learn the known-good<br />
behaviours in an organisation's email<br />
environment, things like each user's typical<br />
communication patterns or sign-in activity."<br />
AI then acts as a key line of defence by<br />
detecting anomalous behaviour that may<br />
indicate a potential attack, automatically<br />
remediating those suspicious emails before<br />
they reach end users. This means that security<br />
teams could block sophisticated email attacks<br />
even if they are AI-generated, appear highly<br />
realistic, and omit traditional indicators of<br />
compromise.<br />
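An added example, not Abnormal Security's product logic or code from the article: a Python sketch of the known-good baselining Britton describes, which learns each user's usual senders and hours from constructed mail metadata and scores a new message on how far it departs from that baseline rather than on a blocklist of senders or IP addresses. All addresses, messages and thresholds are constructed for the example.

```python
"""Score inbound mail against per-user known-good baselines instead of a
blocklist. Added example with constructed data; not a product's logic."""
from collections import defaultdict
from email.utils import parseaddr

# Constructed history of delivered mail: (recipient, From header, hour sent).
HISTORY = [
    ("alice@example.com", "Dana Chen <dana.chen@example.com>", 9),
    ("alice@example.com", "Dana Chen <dana.chen@example.com>", 14),
    ("alice@example.com", "Bob Lee <bob@supplier-co.example>", 11),
    ("alice@example.com", "Dana Chen <dana.chen@example.com>", 10),
    ("alice@example.com", "Bob Lee <bob@supplier-co.example>", 16),
]

# Phrases typical of payment-fraud lures; a signal, not a verdict on its own.
URGENT_TERMS = ("wire", "urgent", "payment", "gift card", "bank details")


def build_baseline(history):
    """Per recipient: known sender addresses, display-name to address map,
    and the hours at which they normally receive mail."""
    baseline = defaultdict(lambda: {"senders": set(), "names": {}, "hours": set()})
    for rcpt, from_hdr, hour in history:
        name, addr = parseaddr(from_hdr)
        b = baseline[rcpt]
        b["senders"].add(addr.lower())
        b["names"][name.lower()] = addr.lower()
        b["hours"].add(hour)
    return baseline


def score_message(baseline, msg):
    """Return (score, reasons); a higher score is more anomalous for this user."""
    b = baseline.get(msg["to"])
    if b is None:
        return 0, ["no baseline for recipient"]
    name, addr = parseaddr(msg["from"])
    addr, name = addr.lower(), name.lower()
    score, reasons = 0, []
    if addr not in b["senders"]:
        score += 2
        reasons.append("sender never seen for this user")
        # A known colleague's display name arriving from a new address is the
        # classic BEC impersonation pattern the text describes.
        if name in b["names"] and b["names"][name] != addr:
            score += 3
            reasons.append("display name matches a known sender but address differs")
    _, reply_to = parseaddr(msg.get("reply_to", ""))
    if reply_to and reply_to.lower() != addr:
        score += 2
        reasons.append("reply-to differs from sender")
    if msg["hour"] not in b["hours"]:
        score += 1
        reasons.append("outside the hours this user normally receives mail")
    body = msg["body"].lower()
    hits = [t for t in URGENT_TERMS if t in body]
    if hits:
        score += len(hits)
        reasons.append("urgency/payment language: " + ", ".join(hits))
    return score, reasons


def triage(baseline, msg, threshold=5):
    """Quarantine before delivery when the anomaly score crosses the threshold."""
    score, reasons = score_message(baseline, msg)
    action = "quarantine" if score >= threshold else "deliver"
    return {"action": action, "score": score, "reasons": reasons}


# Constructed inbound messages: a BEC-style lure and a routine colleague mail.
BEC_SAMPLE = {
    "to": "alice@example.com",
    "from": "Dana Chen <dana.chen@example-mail.invalid>",
    "reply_to": "Dana Chen <dana.ceo@freemail.invalid>",
    "hour": 6,
    "body": "Urgent: please process a wire payment today",
}
LEGIT_SAMPLE = {
    "to": "alice@example.com",
    "from": "Dana Chen <dana.chen@example.com>",
    "hour": 9,
    "body": "Notes from this morning's meeting attached",
}

if __name__ == "__main__":
    bl = build_baseline(HISTORY)
    for sample in (BEC_SAMPLE, LEGIT_SAMPLE):
        print(triage(bl, sample))
```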
"The AI arms race is on as organisations<br />
must realise that 'good' AI is necessary to<br />
detect and block 'bad' AI. Additionally,<br />
measures like password management,<br />
multi-factor authentication, and privilege<br />
and permissions management can provide<br />
a final safety net, helping to reduce the<br />
attack surface and prevent further havoc if<br />
attackers are able to infiltrate the network."<br />
Britton also recommends that security<br />
awareness training should not be neglected.<br />
"Employees need to know how to spot risky<br />
emails so they don't click on malicious links<br />
or rush to make suspicious transactions. Of<br />
course, phishing clues are harder than ever for<br />
people to identify, especially as generative AI<br />
enables threat actors to create hyper-realistic<br />
attacks. That's why it's critical to supplement<br />
security awareness training with sophisticated<br />
technology that reduces the number of email<br />
attacks that ever reach employee inboxes."<br />
PREDICTIONS EXAGGERATED<br />
Dr Ilia Kolochenko, CEO at ImmuniWeb, is of<br />
the opinion that the predictions about the<br />
unprecedented cybercrime surge, fuelled by<br />
GenAI and fine-tuned malicious LLMs (large<br />
language model-based tools), are somewhat<br />
exaggerated.<br />
"First, LLMs have a fairly narrow application<br />
in cybercrime, namely in phishing, smishing<br />
and vishing, BEC and whaling attacks - all of<br />
which rely on social engineering and human<br />
deception. GenAI provides little to no help<br />
with nationwide ransomware campaigns,<br />
disruptive attacks against critical national<br />
infrastructure (NCI) or advanced persistent<br />
threats (APTs) aiming at stealing classified<br />
information from the government or<br />
intellectual property from businesses.<br />
"Organised cybercrime groups already have<br />
all the requisite skills, such as spear-phishing<br />
email creation or state-of-the-art malware<br />
development, producing substantially superior<br />
quality of cyber warfare, compared to any<br />
LLM.<br />
"Secondly, cyberattacks that exploit human<br />
deception have been already quite efficient in<br />
the past," he points out. "Cyber gangs behind<br />
this will unlikely boost their success rate by<br />
a better-written email impersonating a CEO<br />
in a whaling attack. Moreover, an impeccably<br />
written email can rather trigger some doubts,<br />
as in business, people frequently make typos<br />
or use jargon when communicating with their<br />
colleagues.<br />
"Having said that, any authentication<br />
systems - for example, in financial institutions<br />
- that are based on a client's voice or<br />
appearance are to be urgently tested for<br />
bypassability with fake AI-generated content.<br />
Employees who are susceptible to this kind of<br />
cyberattacks should also be regularly trained<br />
to spot red flags and require additional proof<br />
of identity to prevent fraud."<br />
zero trust<br />
THE IMPERATIVE FOR ZERO TRUST<br />
AS ORGANISATIONS EMBRACE DIGITAL TRANSFORMATION TO GAIN ACCESS TO THE CLOUD'S MANY BENEFITS,<br />
COMPUTING ENVIRONMENTS ARE FACED WITH EVOLVING INTO BORDERLESS IT ECOSYSTEMS<br />
As we continue to digitally<br />
transform organisations, so<br />
the importance of secure and<br />
reliable digital identities has grown.<br />
According to Scott Silver, CEO, Integral<br />
Partners, part of the Xalient Group,<br />
<strong>2024</strong> is poised to usher in a multitude<br />
of innovations and trends in this area,<br />
ranging from advanced biometrics to<br />
the integration of artificial intelligence<br />
and machine learning to meet the<br />
changing needs of businesses,<br />
individuals and governments.<br />
"As organisations embrace digital<br />
transformation, computing environments<br />
are evolving into borderless IT<br />
ecosystems," he warns. "Digital identities<br />
are also evolving at pace and identity<br />
security is now a crucial aspect of<br />
cybersecurity. <strong>2024</strong> will usher in a<br />
multitude of identity innovations,<br />
ranging from advanced biometrics<br />
to artificial intelligence integration<br />
to meet the needs of businesses,<br />
individuals and governments.<br />
"Increasingly, cybercriminals are<br />
creating synthetic identities by combining<br />
stolen personal information from<br />
several people into a new false identity<br />
that doesn't rely on real personal data.<br />
"They use these identities to build a<br />
shallow history that passes identity<br />
checks with banks and retailers.<br />
To counter these tactics, biometrics,<br />
such as facial recognition, fingerprint<br />
scanning and voice recognition, are<br />
becoming popular as a stronger means<br />
of identity verification."<br />
Despite these countermeasures,<br />
however, the threat is large and<br />
growing, driven by Cybercrime-as-a-<br />
Service (CaaS) that allows criminals to<br />
procure tools enabling them to easily<br />
carry out identity-based attacks.<br />
"This makes it even more important for<br />
businesses to prioritise identity security,<br />
employing policies and tools that also<br />
monitor employees and prevent insider<br />
incidents."<br />
AI and machine learning are important<br />
tools for organisations seeking to combat<br />
identity risk. "AI-powered pattern and<br />
behaviour recognition capabilities can<br />
identify anomalies and detect fraudulent<br />
attempts in real-time. Machine<br />
learning algorithms act as adaptive<br />
detectives, continuously evolving to<br />
recognise new identity fraud tactics,<br />
enhancing the overall accuracy of the<br />
verification process.<br />
"Zero trust architecture is the<br />
foundation of modern cybersecurity,<br />
with secure networking and identity<br />
security as cornerstones. Zero Trust<br />
involves the application of identity and<br />
access management capabilities to<br />
perform continuous risk assessment<br />
every time resources are accessed. It<br />
uses contextual identity information to<br />
optimise access policies, while enforcing<br />
the principle of least privilege."<br />
Zero Trust controls reduce insiders'<br />
ability to access systems and data that<br />
aren't part of their job, adds Silver.<br />
"Now, organisations are seeking<br />
AI-powered identity and access<br />
management in a single solution that<br />
integrates seamlessly with zero trust<br />
architecture, combined with professional<br />
support. These solutions enable<br />
fast, effective responses to potential<br />
breaches and, alongside identity, will<br />
play a pivotal role in the evolution of<br />
zero trust models."<br />
Scott Silver, CEO, Integral Partners.<br />
Identity is seen as the new enterprise<br />
perimeter, and managing interdependencies<br />
between identity, security and<br />
networking to adhere to true zero trust<br />
principles is a considerable challenge -<br />
one that the Xalient Group is addressing,<br />
he says, as a provider of IAM<br />
services and solutions through its recent<br />
acquisitions of Grabowsky and Integral<br />
Partners. "Together, we can develop the<br />
advanced, AI-powered identity management<br />
solutions that companies need in<br />
today's complex security environment."<br />
ransomware<br />
BIRD'S EYE VIEW OF RANSOMWARE ATTACK<br />
WHAT IS IT LIKE TO BE HELD TO RANSOM? WE ASKED SEVERAL EXPERTS TO TALK<br />
US THROUGH WHAT TYPICALLY HAPPENS WHEN AN ATTACK IS CARRIED OUT<br />
How do the criminals who unleash<br />
ransomware demands set about<br />
targeting an organisation - right<br />
through from identification of a suitable<br />
target, the planning phase of the attack,<br />
the attack launch and finally capture of the<br />
victim's data? And what about the burning<br />
question that no one wants to grapple with:<br />
to pay or not to pay?<br />
"Ransomware attacks are well orchestrated<br />
acts that come in different forms to infiltrate<br />
IT systems and often are not random<br />
incidents," points out Justin Giardina, CTO<br />
of 11:11 Systems. "Ransomware groups<br />
carefully select high-value organisations and<br />
infrastructure to cripple until substantial<br />
ransoms are paid. Ransomware attacks<br />
use techniques that reflect a chilling<br />
professionalisation of tactics and leverage<br />
military-grade encryption, identity-hiding<br />
cryptocurrencies, data-stealing side efforts,<br />
and penetration testing of victims before<br />
attacks to determine maximum tolerances."<br />
They also often gain initial entry by purchasing<br />
access to systems from underground<br />
brokers (RaaS - Ransomware as a Service),<br />
then deploy multipart extortion schemes,<br />
including encrypting files, stealing data, he<br />
adds, threatening distributed denial-of-service<br />
(DDoS) attacks or releasing the data, where<br />
demands are not promptly met.<br />
"Adding to this, ransomware perpetrators tap<br />
into advancements like artificial intelligence<br />
[AI] to accelerate attacks through malicious<br />
code generation and underground dark web<br />
communities to coordinate schemes. Once an<br />
attacker breaches the system, the ransomware<br />
can lie undetected for days, weeks or even for<br />
months before it is revealed through a ransom<br />
demand."<br />
With ransomware attacks showing no signs<br />
at all of slowing down, companies must take<br />
proactive steps to protect their organisations<br />
and minimise the impact of a potential<br />
breach. "Protecting against ransomware<br />
requires a multi-layered, holistic approach<br />
encompassing people, processes, and<br />
technology," says Giardina. "To start,<br />
companies must focus on resilience and<br />
recovery. Cybersecurity infrastructure is the<br />
cornerstone of resilience, serving as the<br />
foundation for all other measures. This is<br />
followed by a well-rehearsed incident response<br />
plan that outlines clear procedures for dealing<br />
with an attack, including isolating infected<br />
systems, notifying stakeholders and restoring<br />
from backups.<br />
"Frequently test the backup and restore<br />
processes to ensure they work when needed.<br />
Regular immutable or tamper-proof data<br />
backups are a key part of the recovery process.<br />
Ensuring a recent and clean copy of vital data<br />
is always available can significantly improve<br />
the chances of a successful cyber recovery.<br />
But don't forget your business continuity<br />
plans! They need to be updated to allow your<br />
departments to continue to operate, using<br />
manual procedures, for as long as the<br />
ransomware event requires."<br />
The debate over ransom payments clearly<br />
highlights the complexities of cybersecurity<br />
policy, he acknowledges. "It underscores the<br />
need for a multifaceted approach to combatting<br />
ransomware; one that includes not only<br />
policy interventions, but also organisational<br />
practices. However, it makes one thing clear:<br />
there are no easy answers in the fight against<br />
ransomware, only informed choices." Such<br />
choices, whether they involve investing in<br />
employee training, implementing robust and<br />
modern backup systems, and developing a<br />
comprehensive disaster recovery (DR) plan,<br />
can significantly influence a company's ability<br />
to respond to, and recover from, ransomware<br />
attacks, he concludes.<br />
ALTERED LANDSCAPE<br />
Ten years ago, a ransomware attack was<br />
really obvious, states Bernard Montel, EMEA<br />
technical director and security strategist,<br />
Tenable. "The computer [PC] was bricked,<br />
with a ransomware demand displayed on<br />
the screen. Today, attacks are less obvious<br />
and can go undetected for a few weeks,<br />
as threat actors look to obfuscate their<br />
presence, allowing them to creep around<br />
infrastructure for nefarious purposes."<br />
The most popular way attackers infect<br />
organisations is through spam and phishing<br />
emails, he adds. "In the majority of cases,<br />
these messages include a malicious<br />
attachment, such as a Microsoft Word<br />
document or PDF file containing malware.<br />
Others, however, may contain a link to a<br />
webpage controlled by the attackers. The goal<br />
is to get the target to open the attachment<br />
and trick the victim to enable macros or click<br />
the link, which can then deliver a malicious<br />
downloader, leading to the final payload,<br />
which is ransomware.<br />
"Software vulnerabilities play a key role in<br />
facilitating ransomware attacks through<br />
several avenues. These include vulnerabilities<br />
used as part of malicious documents, vulnerabilities<br />
found in perimeter devices like Secure<br />
Socket Layer Virtual Private Networks (VPNs),<br />
as well as a plethora of flaws designed to<br />
elevate privileges, once inside an organisation's<br />
network."<br />
Prolific ransomware groups such as LockBit,<br />
Rhysida, Play and ALPHV/BlackCat make use of<br />
multiple exploits in their efforts to compromise<br />
organisations. "For illustration, throughout the<br />
last quarter of 2023, threat actors exploited<br />
CitrixBleed in attacks against a variety of organisations.<br />
Some notable examples include<br />
attacks against Boeing and Comcast."<br />
While initial access is how ransomware<br />
groups gain access to an organisation's<br />
network, once inside they will set their sights<br />
on Active Directory, says Montel. "Gaining<br />
domain privileges provides attackers with<br />
the necessary capabilities to distribute their<br />
ransomware payloads across the entire<br />
network. Once threat actors are inside,<br />
the game is fundamentally over. Today's<br />
ransomware gangs will look to extrapolate<br />
data silently and, once that's achieved, they'll<br />
prepare to encrypt systems and cripple the<br />
organisation's ability to function.<br />
"A further trend that has been seen is threat<br />
actors wiping data at rest. This is even more<br />
insidious and can be undetected, compared<br />
to encryption. Often, the first the organisation<br />
knows anything about the attack is a communication<br />
from the gang threatening to<br />
encrypt systems or publish the data on the<br />
dark web, if demands are not met. The added<br />
pressure from this type of extortion is what<br />
has helped make ransomware so successful."<br />
The question of whether to meet ransomware<br />
demands is complicated, he adds. "Only<br />
the organisation impacted will be able to<br />
determine the best course of action. Given the<br />
financial impact from ransomware attacks,<br />
be it the inability to function from crippled<br />
systems or sensitive data exposed, prevention<br />
has to be better than cure. Gaining visibility<br />
into where the biggest areas of risk are -<br />
exposure management - is absolutely critical<br />
to knowing which doors and windows are<br />
wide open and need to be closed to stop<br />
ransomware in its tracks."<br />
14-STAGE ASSAULT<br />
A ransomware attack typically involves 14<br />
stages, according to Kennet Harpsoe, senior<br />
cyber analyst at Logpoint. "The first stage is<br />
reconnaissance, where the threat actor<br />
gathers information about the victim. The<br />
second stage is resource development to<br />
support targeting, followed by initial access,<br />
in which the attacker tries getting into the<br />
network. The fourth phase is execution,<br />
where the attacker tries executing malware."<br />
The next stage is persistence, he says, in<br />
which the attacker attempts to maintain a<br />
foothold in the victim's network, even if the<br />
system terminates the payload process or<br />
reboots. "Afterwards, attackers use privilege<br />
escalation to gain access to accounts with<br />
higher-level access and defence evasion by<br />
disabling security, clearing logs or obfuscating<br />
the payload. At the privilege escalation stage,<br />
attackers then retrieve logins.<br />
"The discovery phase allows attackers to<br />
identify other weaknesses within the network<br />
and plan and execute more advanced attacks,"<br />
continues Harpsoe. "Using lateral movement,<br />
the attacker moves to other hosts to establish<br />
a presence and access information. The collection<br />
stage is when attackers collate data<br />
from systems and the Command and Control<br />
(C&C) phase is where the attacker establishes<br />
control over the victim's systems."<br />
Justin Giardina, 11:11 Systems:<br />
ransomware attacks reflect a chilling<br />
professionalisation of tactics and leverage<br />
military-grade encryption.<br />
Exfiltration is where attackers extract data using<br />
various methods. The last stage is impact,<br />
where the attackers use techniques at a later<br />
stage to disrupt availability, compromise<br />
integrity or manipulate business and operational<br />
processes. Knowing these tactics is<br />
essential to detect an ongoing attack before<br />
the attackers deploy the ransomware.<br />
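As an added example (not code from Logpoint or the article), here is a small Python tracker that maps constructed host telemetry onto the 14 stages Harpsoe lists (the stage names are the same as the MITRE ATT&CK Enterprise tactics) and flags a host once it reaches the collection or exfiltration stage, the point at which the text says an attack must be caught before the ransomware payload is deployed. The detection-rule names, hosts and events are hypothetical.

```python
"""Track how far an intrusion has progressed through the 14 ransomware stages
described in the article. Added example with constructed telemetry."""
from collections import defaultdict

# The 14 stages in the order the article gives them; these names also match
# the MITRE ATT&CK Enterprise tactic names.
STAGES = [
    "reconnaissance", "resource_development", "initial_access", "execution",
    "persistence", "privilege_escalation", "defense_evasion",
    "credential_access", "discovery", "lateral_movement", "collection",
    "command_and_control", "exfiltration", "impact",
]
STAGE_INDEX = {name: i for i, name in enumerate(STAGES)}

# Hypothetical mapping from a detection rule name to the stage it evidences.
RULE_TO_STAGE = {
    "phishing_attachment_opened": "initial_access",
    "office_spawns_powershell": "execution",
    "new_scheduled_task": "persistence",
    "uac_bypass_detected": "privilege_escalation",
    "defender_disabled": "defense_evasion",
    "eventlog_cleared": "defense_evasion",
    "lsass_memory_read": "credential_access",
    "ad_enumeration": "discovery",
    "psexec_remote_service": "lateral_movement",
    "mass_file_read_share": "collection",
    "beacon_to_rare_domain": "command_and_control",
    "large_upload_cloud_storage": "exfiltration",
    "mass_file_rename_encrypted": "impact",
    "shadow_copies_deleted": "impact",
}

# Evidence of these stages means data theft is under way or imminent, which
# the article identifies as the window to act before encryption.
PRE_IMPACT_ALERT_STAGES = {"collection", "exfiltration"}


def parse_event(line):
    """Parse one constructed telemetry line: '<ts> host=<h> rule=<r>'."""
    parts = line.split()
    fields = dict(part.split("=", 1) for part in parts[1:])
    return parts[0], fields["host"], fields["rule"]


def track_progress(lines):
    """Return {host: {"stages": [...], "furthest": stage, "alert": bool}}."""
    seen = defaultdict(set)
    for line in lines:
        _, host, rule = parse_event(line)
        stage = RULE_TO_STAGE.get(rule)
        if stage:
            seen[host].add(stage)
    report = {}
    for host, stages in seen.items():
        ordered = sorted(stages, key=STAGE_INDEX.__getitem__)
        furthest = ordered[-1]
        # Alert when the intrusion has reached collection/exfiltration, or has
        # already crossed into impact (encryption or wiping).
        alert = bool(stages & PRE_IMPACT_ALERT_STAGES) or furthest == "impact"
        report[host] = {"stages": ordered, "furthest": furthest, "alert": alert}
    return report


def hosts_needing_isolation(report):
    """Hosts whose progression warrants isolation before impact."""
    return sorted(h for h, r in report.items() if r["alert"])


# Constructed sample telemetry, not real data: one workstation compromised
# by phishing, a file server reached by lateral movement, and a noisy host.
SAMPLE_EVENTS = [
    "2024-05-01T09:12:03Z host=ws-042 rule=phishing_attachment_opened",
    "2024-05-01T09:12:09Z host=ws-042 rule=office_spawns_powershell",
    "2024-05-01T09:15:44Z host=ws-042 rule=new_scheduled_task",
    "2024-05-03T22:01:10Z host=ws-042 rule=lsass_memory_read",
    "2024-05-03T22:05:31Z host=ws-042 rule=ad_enumeration",
    "2024-05-04T01:30:00Z host=fs-01 rule=psexec_remote_service",
    "2024-05-04T01:41:12Z host=fs-01 rule=mass_file_read_share",
    "2024-05-04T02:10:45Z host=fs-01 rule=large_upload_cloud_storage",
    "2024-05-02T10:00:00Z host=ws-107 rule=new_scheduled_task",
]

if __name__ == "__main__":
    report = track_progress(SAMPLE_EVENTS)
    for host, r in sorted(report.items()):
        state = "ALERT" if r["alert"] else "watch"
        print(host, r["furthest"], state, r["stages"])
    print("isolate:", hosts_needing_isolation(report))
```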
"Ransomware can result in downtime, data<br />
loss and ransom payments, but now the fines<br />
for non-compliance are an additional concern,<br />
as we saw in the case of BlackCat," he states.<br />
"It filed a complaint with the SEC over Meridian-<br />
Link's failure to disclose a cybersecurity incident<br />
to punish the company for not paying the<br />
ransom. This new extortion tactic will likely<br />
be used going forward, especially with the<br />
introduction of NIS2.<br />
"Compliance-driven extortion could diminish<br />
the incentive to pay ransoms, with victims<br />
more likely to hesitate, if there's a risk of being<br />
reported to authorities, post-payment. We've<br />
seen a rise in double extortion attacks and<br />
pure extortion-based attacks. Now we see<br />
the commoditisation of Ransomware-as-a-<br />
Service, which offers individuals with minimal<br />
technical expertise the means to execute<br />
ransomware attacks and skip the first stages<br />
of the attack.<br />
"Automation is enabling initial access brokers<br />
to identify and offer more breach-ready environments.<br />
Consequently, expect a surge in<br />
attack frequency, driving the adoption of<br />
Managed Detection and Response (MDR)<br />
services to avert attacks."<br />
Bernard Montel, Tenable: a further trend<br />
that has been seen is threat actors wiping<br />
data at rest.<br />
Iraklis Mathiopoulos, Obrela: the<br />
cybersecurity experts' consensus is that<br />
ransoms shouldn't be paid.<br />
ROBUST PLAN ESSENTIAL<br />
When it comes to ransomware, we must stay<br />
ahead of the curve and know what to look<br />
out for, advises Iraklis Mathiopoulos, chief<br />
services delivery officer at Obrela. "Organisations<br />
without a robust security plan in place<br />
are more likely to suffer an attack. You need<br />
'always on' around-the-clock monitoring to<br />
identify, analyse and predict security threats,<br />
and prevent them from happening. At the<br />
very least, any system you have in place<br />
should be able to mitigate the consequences<br />
of attack - or attack attempt - quickly and<br />
effectively, limiting the damage to your critical<br />
operational processes and reputation, while<br />
also preventing successful ransomware<br />
attacks.<br />
"We have witnessed attacks evolve from<br />
single extortion [encryption] to double<br />
extortion [data exfiltration] to triple extortion<br />
[attacking customers directly] to quadruple<br />
extortion [DDoS]. Today, ransomware gangs<br />
have added destructive wiper attacks to<br />
their arsenal and in <strong>2024</strong> we expect to see<br />
evermore creative attack methods emerging,<br />
including more cloud, AI and IoT-related<br />
attacks."<br />
Prevention is better than cure, of course,<br />
he cautions, and ensuring you have the best<br />
possible threat intelligence and protection<br />
in place will help avoid attack, rather than<br />
dealing with the response, remediation and<br />
ransomware issues. "We advise immutable<br />
backups, but even this sensible precaution<br />
is not without its problems. It does not, for<br />
instance, guarantee the immutability of<br />
data held in the past where attackers have<br />
penetrated the network weeks or months<br />
ago.<br />
"Virtually all ransomware attacks start with<br />
a compromised endpoint, typically a PC or<br />
server. Protecting these is vital, with the<br />
traditional defence being a security agent.<br />
Unfortunately, these will occasionally fail,<br />
which leaves most organisations relying on<br />
network security tools to spot anomalous<br />
traffic," states Mathiopoulos.<br />
One of the reasons ransomware attacks have<br />
become so severe is that attackers can lurk<br />
inside infrastructure for a long time. "With<br />
Managed Detection and Response, (MDR),<br />
though, incursions are detected sooner, rather<br />
than later. MDR integrates endpoint and<br />
network tools under one platform, allowing<br />
better detection and automated remediation,<br />
alert prioritisation and response."<br />
As for whether a ransom demand should<br />
be paid, he is quite clear. "The cybersecurity<br />
experts' consensus is that ransoms shouldn't<br />
be paid. Depending on jurisdiction, paying<br />
for ransomware is potentially illegal, because<br />
it might be a) funding criminal activity, b)<br />
transferring funds to sanctioned entities, c)<br />
supporting terrorist organisations.<br />
"We understand the potential reputational<br />
damage forces many decision makers to pay<br />
the ransom, but, as an industry, we must<br />
highlight that payment does not guarantee<br />
the return of data, may fund further cybercrime<br />
activities and could even make the<br />
organisation a 'softer' target for future attacks.<br />
The advice is simple enough: focus on<br />
prevention, backup strategies and incident<br />
response plans instead."<br />
election threats<br />
DEMOCRACY UNDER SIEGE<br />
ELECTORAL MISINFORMATION AND DISINFORMATION ARE EXPECTED TO CREATE DISTORTED<br />
AND MUDDIED POLITICAL LANDSCAPES THROUGHOUT THIS YEAR, PRIME FOR EXPLOITATION<br />
More than two billion people<br />
across 50 countries will be<br />
going to the polls to elect<br />
representatives at local, national and<br />
intra-continental levels in <strong>2024</strong>. This<br />
includes elections in some of the world's<br />
most populous countries, such as India,<br />
Brazil, Indonesia and the US.<br />
"While this election year will certainly<br />
be a milestone in the long evolution of<br />
democracy, many of these elections take<br />
place amid a backdrop of increasing<br />
divisions in international relations, an<br />
uptick in illiberal democratic practices<br />
masked as free and fair elections, and<br />
a widespread disenchantment with<br />
political representation in some of the<br />
world's most developed democracies,"<br />
cautions Beth Hepworth, director,<br />
Protection Group International. "All of<br />
these issues transcend real-world and<br />
online spaces, creating distorted and<br />
muddied political landscapes, prime<br />
for exploitation."<br />
Electoral misinformation and<br />
disinformation will likely remain highly<br />
prevalent. "Online threat actors, such<br />
as pseudomedia entities, will likely<br />
continue sharing content designed to<br />
sow distrust in the electoral process for<br />
both ideological and commercial gain,"<br />
Hepworth continues. "Right across<br />
geographies, false narratives are likely<br />
to target voting systems and the<br />
integrity of electoral institutions,<br />
particularly in closely contested<br />
elections. Far-right organisations<br />
and political parties, who often share<br />
egregious content in online spaces, will<br />
likely pose a significant risk."<br />
Foreign state-backed influence<br />
operations (IOs) targeting elections are<br />
also highly likely to be a persistent and<br />
significant threat, while "AI-generated<br />
content will likely play a greater role in<br />
elections in <strong>2024</strong> as threat actors and<br />
political campaigns continue to embed<br />
AI techniques within their content-producing<br />
toolkits". However, the use of<br />
sophisticated AI-generated content and<br />
technically manipulated media aimed<br />
at sowing distrust in candidates and<br />
electoral processes will likely be limited,<br />
with the majority of AI-generated media<br />
being low-quality in nature and easily<br />
discernible by ordinary online users.<br />
As a result, the risk of AI to elections<br />
in the medium term is often overstated.<br />
Threat actors certainly have the ability<br />
to weaponise AI effectively, as shown<br />
over the past year in America where<br />
the Republican Party released an ad<br />
with AI-generated images visualising<br />
a 'dystopian world' with a re-elected<br />
President Joe Biden, and in Moldova<br />
where President Maia Sandu was forced<br />
to refute claims in a Russia-made<br />
deepfake video of herself.<br />
However, adds Hepworth: "AI-generated<br />
content has yet to play<br />
a significant role in an election, and<br />
current disinformation campaigns are<br />
currently succeeding organically by<br />
exploiting societal rifts. At present,<br />
the risk of AI to elections is centred<br />
more on the intrinsic uncertainty of<br />
its potential, rather than on its current<br />
impact. Heightened levels of targeted<br />
harassment and 'doxxing' [revealing<br />
identifying information about someone<br />
online, without their permission] are<br />
likely in <strong>2024</strong>, following a spike in<br />
threats against election workers and<br />
politicians over the past year in<br />
countries including New Zealand,<br />
Sweden, the US and Japan."<br />
Beth Hepworth, Protection Group<br />
International.<br />
These threats will likely entail the<br />
dissemination of Personally Identifiable<br />
Information online - such as targets'<br />
home addresses, family members and<br />
phone numbers - as well as online<br />
harassment campaigns designed to<br />
undermine their legitimacy. "In the year<br />
ahead, vigilance and critical thinking<br />
will be vital in democracies being able<br />
to navigate the nuances of these digital<br />
threats and knowing what these threats<br />
are is just the first step."<br />
Computing<br />
Security<br />
Secure systems, secure data, secure people, secure business<br />
e-newsletter<br />
Are you receiving the Computing Security<br />
monthly e-newsletter?<br />
Computing Security always aims to help its readers as much as possible to do<br />
their increasingly demanding jobs. With this in mind, we've now launched a<br />
Computing Security e-newsletter which is produced every month and is available<br />
free of charge. This will enable us to provide you with more content, more<br />
frequently than ever before.<br />
If you are not already receiving this please send your request to<br />
christina.willis@btc.co.uk and advise her of the best email address for the<br />
newsletter to be sent to.