CS Jul-Aug 2024

Computing
Security
Secure systems, secure data, secure people, secure business
PRIMED FOR A FIGHTBACK
New EU directive out to
redress attack imbalance
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
WHAT’S AFOOT?
Resilience level of
IT infrastructure
comes under scrutiny
AT THE AI CROSSROADS
Who will succeed in the
battle of good and evil?
BATTERED AND BREACHED
Bruising new stats on cyber attacks
are a punch to the gut
for UK businesses
Computing Security July/August 2024

ACCORDING TO JAMF 2024:
Security
Trends Report
39 % of
organisations
had at least one device
with known vulnerabilities
40 % of
mobile users
were running a device
with known vulnerabilities
9 % of
users fell for
a phishing attack
Manage and Secure
Apple at work
With Jamf Trusted Access, you ensure
that only authorised users, on enrolled
devices that are secure and compliant,
can access sensitive data.
REQUEST
Y O U R
F R E E
T R I A L
TODAY
www.jamf.com

comment
WORRYING TRAIN OF THOUGHT
EDITOR: Brian Wall
(brian.wall@btc.co.uk)
LAYOUT/DESIGN: Ian Collis
(ian.collis@btc.co.uk)
SALES:
Edward O’Connor
(edward.oconnor@btc.co.uk)
+ 44 (0)1689 616 000
David Bonner
(david.bonner@btc.co.uk)
+ 44 (0)1689 616 000
PUBLISHER: John Jageurs
(john.jageurs@btc.co.uk)
It is widely accepted that continuous security training within any organisation forms a vital part
of anyone's long-term development and that to neglect it is almost certain to prove detrimental
to the well-being of that individual and the organisation that employs them.
Indeed, ask most businesses if training really matters and they will say 'yes'. Ask if they are fully
committed to training within their own organisations and they will likely say 'yes' again, although
possibly not as wholeheartedly. Because hard times have provoked harsh cutbacks - and training
is often one area that takes the hit.
A new survey by cybersecurity provider Hornetsecurity has uncovered significant gaps in IT
security training, with 26% of organisations still providing no form of training to their end users.
Compiled from industry professionals around the world, the survey feedback also reveals that
fewer than 8% of organisations offer adaptive training that evolves based on the results of regular
security tests.
"In a rapidly evolving cybersecurity landscape, where malicious threat actors are constantly
devising new ways to infiltrate and harm, this is a significant business concern," comments
Hornetsecurity. I would have to agree. Of course, many businesses are struggling and investment
is often spread thinly. But neglect training and the likelihood is that the prospects of
being hit by an attack can surely only increase.
Published by Barrow & Thompkins
Connexions Ltd (BTC)
35 Station Square,
Petts Wood, Kent, BR5 1LZ
Tel: +44 (0)1689 616 000
Fax: +44 (0)1689 82 66 22
SUBSCRIPTIONS:
UK: £35/year, £60/two years,
£80/three years;
Europe: £48/year, £85/two years,
£127/three years
R.O.W:£62/year, £115/two years,
£168/three years
Single copies can be bought for
£8.50 (includes postage & packaging).
Published 6 times a year.
© 2024 Barrow & Thompkins
Connexions Ltd. All rights reserved.
No part of the magazine may be
reproduced without prior consent,
in writing, from the publisher.
Brian Wall
Editor
Computing Security
brian.wall@btc.co.uk
www.computingsecurity.co.uk July/August 2024 computing security
@CSMagAndAwards
3

Secure systems, secure data, secure people, secure business
Computing Security July/August 2024
inside this issue
CONTENTS
Computing
Security
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
PRIMED FOR A FIGHTBACK
WHAT’S AFOOT?
Resilience level of
New EU directive out to
IT infrastructure
redress attack imbalance
comes under scrutiny
AT THE AI CROSSROADS
Who will succeed in the battle
of good and evil?
BATTERED AND BREACHED
COMMENT 3
Worrying train of thought
Bruising new stats on cyber attacks
are a punch to the gut
for UK businesses
NEWS 6
Powering up vulnerability detection
Integrity360 partners up with Armis
Semperis secures financing injection
Education and training are 'must haves'
Breach risk drives Zero Trust strategies
Disconnect fuels attack fears
ARTICLES
BATTERED AND BREACHED 18
A disturbing picture has emerged of the
scale of cyber-attacks perpetrated against
UK businesses over the last 12 months
AT THE AI CROSSROADS 14
Are the criminals on the front foot in the ongoing
battle to use AI for good or bad? Two
ARE PASSWORDS PASSÉ? 20
With Google moving towards a future
prominent voices believe that the time is now
without passwords, rolling out passkeys as
right for policymakers, security professionals
a 'safer and easier alternative', the path
and civil society finally to tilt the cybersecurity
has been thrown open for others now to
balance away from attackers and over to the
follow their lead
cyber defenders.
PUT TO THE TEST 22
Red Team exercises can help organisations
to identify any existing weaknesses in their
IT defences and thus provide a playbook
to rectify those frailties going forward
HEALTHCARE TRUCE IS OVER! 24
An 'honour amongst thieves' agreement
FATIGUE RED ALERT 27
during Covid, where healthcare providers
The explosion of digital accounts has led
were spared cyber-attacks, has given way
to a big increase in 'account fatigue,'
to all-out assaults, with large corporations
impacting how consumers interact with
such as Ticketmaster, the BBC and even the
businesses online, states new research
NHS reporting record-breaking hacks and
INFOSEC HITS THE HOT SPOTS! 28
data breaches
It was showtime at the ExCeL - and that
meant Infosecurity Europe was back in the
swing again for three full-on days!
RANSOMWARE GOES RAMPANT 30
Widespread cyber insecurity ranks amongst
SIX OF THE BEST? 34
the most severe threats that the world will
The General Data Protection Regulation
be facing over the next 10 years, according
flagged up its 6th anniversary in May this
to a new report, even overtaking interstate
year. We asked some industry observers to
tell us how they felt GDPR has fared so far
armed conflict, inflation and economic
downturn by 2026.
computing security July/August 2024 @CSMagAndAwards www.computingsecurity.co.uk
4
A DIRECTIVE IN THE RIGHT DIRECTION? 10
EU-wide legislation, the NIS2 Directive, is
focused on stepping up cybersecurity
attack compliance. It will mean operators
of essential services in key sectors will now
be required to take appropriate security
measures and notify the relevant national
authorities of serious incidents

Want to
understand
how to sanitise
media?
Learn more about the NEW international
media sanitisation standard IEEE 2883 from
one of the authors - Jonmichael Hands
conference
conference
2024
2024
17TH OCTOBER 2024 , LONDON
USE PROMO
CODE:
CSMAG FOR
50% OFF!
WWW.ADISA.GLOBAL/ADISACONFERENCE2024/

news
Brian Martin, Integrity360.
BORDERING ON THE UNACCEPTABLE
Recent UK airport chaos, due to Border Force IT failures,
has exposed a critical vulnerability: the lack of robust IT
contingency plans within border control infrastructure.
That is the view of Jamil Ahmed, distinguished engineer
at Solace. "The recent e-gate outages at UK airports
underscores a critical deficiency in the operational resilience
of border control infrastructure. While e-gates represent
advancements in border technology, this incident exposes
the need for robust contingency plans to mitigate
disruptions and ensure continuous service.
"Stringent IT regulations exist in other sectors, such as
banking, that mandate high availability and demonstrably
robust disaster recovery plans. It is essential that border
control infrastructure looks to adhere to similarly rigorous
standards."
Jamil Ahmed, Solace.
INTEGRITY360 PARTNERS UP WITH
ARMIS TO ENHANCE ITS OFFERING
Pan-European cyber security specialist
Integrity360 has entered into a new
partnership with asset intelligence cybersecurity
company Armis in a drive to
enhance its cyber security offering
and also expand its customer base
across Ireland, the UK and Continental
Europe.
Brian Martin, director of product
management, Integrity360, comments:
"We live in an increasingly connected
world, underpinned by the exponential
expansion of the attack surface due
to cloud, IoT, OT, mobile, identity and
the work-from-anywhere era.
This is only set to continue in the
years to come, states Martin, which
means the attack surface will be forever
expanding. "With more devices and
more threats, companies need solutions,
services and partners that bolster
cyber security, and - more importantly -
resilience."
POWERING UP VULNERABILITY DETECTION
West Burton Energy is using Tenable OT Security to deliver operational
technology (OT) asset visibility, OT vulnerability management and threat
detection - use cases that have proven challenging for so many companies in the
power industry. This has enabled West Burton Energy to reduce threat-detection
alerts by 98% and improve efficiency by 87%, it is stated.
As part of the UK's critical infrastructure, West Burton Energy is an advanced
and efficient Combined Cycle Gas Turbine (CCGT) plant and 49 MW battery
energy storage facility that delivers 1,333 MW of power to the National Grid:
enough electricity to power 1.5 million homes and businesses.
Since deploying Tenable OT Security, West Burton Energy has reportedly
reduced the time and resources needed to manually manage its asset inventory,
saving more than 200 hours per year. Additionally, it has been able to create
efficiencies
SEMPERIS SECURES FINANCING INJECTION
Semperis has secured $125 million in growth financing
from JP Morgan and Hercules Capital. The new money
will enable the company to further invest in product
innovation and support an expanding customer base.
"Semperis is a clear leader in the urgently-needed area
of identity system defense, with machine-learning-based
attack prevention, detection, and response," says Scott
Bluestein, CEO and CIO at Hercules Capital. "Leading
organisations around the world depend on Semperis
to safeguard their hybrid Active Directory environment,
which is foundational to the IT infrastructure and heavily
targeted by attackers."
Scott Bluestein,
Hercules Capital.
6
computing security July/August 2024 @CSMagAndAwards www.computingsecurity.co.uk

Building cyber security
awareness together.
Leading the way in personalised
cyber security awareness.
Keep your staff engaged, cyber-secure, and compliant with our award-winning,
personalised cyber security training.
Designed with real people and teams in mind, our expertly crafted content transforms
cyber security into an informative and captivating experience. By making learning
fun and impactful, we maximise engagement and enhance staff security behaviour,
ensuring constant vigilance against cyber threats.
Our staff fully engaged with our
security awareness program, with
completion rates over 85%
Best cyber security awareness
platform available

news
Chris Denbigh-White, Next DLP.
CYBER BREACH RISK DRIVES ZERO TRUST STRATEGIES
Survey findings on the state of Zero Trust adoption
and encryption in 2024 reveal that the risk of a cyber
breach is the number one global driver for Zero Trust
strategy implementation. The results are included in
Entrust Cybersecurity Institute's annual study, which
was conducted by the Ponemon Institute.
"With the rise of costly breaches and AI-generated
deepfakes, synthetic identity fraud, ransomware gangs
and cyber warfare, the threat landscape is intensifying
at an alarming rate," says Samantha Mabey, director
solutions marketing at Entrust.
"This means that implementing a Zero Trust security
practice is an urgent business imperative - and the
security of organisations' and their customers' data,
Samantha Mabey, Entrust.
networks and identities depends on it."
EDUCATION AND TRAINING:
WHY THESE ARE 'MUST HAVES'
Research from Kaspersky has found that
over 50% of acting cyber security
professionals have admitted to making
mistakes early in their careers, due to a
lack of technical knowledge. Also, over
the past two years, every organisation has
fallen victim to "at least one" cyber security
incident as a result of underqualified or
undertrained staff.
Chris Denbigh-White, chief security officer
at Next DLP, puts these errors down, in
large part, to education and training.
While this isn't a surefire way to eradicate
each and every mistake, he accepts,
"educating employees - particularly at the
point of risk - is a powerful strategy to
help build knowledge and awareness
to identify and act on cyber threats
effectively. From simulated phishing
exercises and role-based training, creating
a human firewall can fortify an organisation's
defence, without falling into
the trap of scapegoating users".
DISCONNECT FUELS ATTACK FEARS
Anew survey carried out by cybersecurity provider
Hornetsecurity has uncovered significant gaps in IT
security training, with 26% of organisations still providing
no form of training to their end users.
The survey, which compiled feedback from industry
professionals around the world, also reveals that fewer
than 1 in 13 organisations offer adaptive training that
evolves based on the results of regular security tests.
Daniel Blank, COO of Hornetsecurity, comments: "Our latest
research shows a clear disconnect between the perceived
effectiveness of security training, and its actual relevance
and responsiveness to modern cyber threats, especially the
recent boom in AI-driven attacks. Employees must be
equipped with ongoing training to bolster any technical
defences and serve as a human firewall.
GETTING ENTERPRISES BACK UP AND RUNNING
Daniel Blank,
Hornetsecurity.
"The ongoing aspect is essential for the training to have the most impact. It's important to
invest in the latest cybersecurity technology, but a sustainable security culture means investing in
people as well."
Commvault has acquired cloud cyber resilience company Appranix. Commvault says
it has made the move to help enterprises get up and running even faster after an
outage or cyberattack.
"We are taking resilience to the next level by marrying Commvault's extensive risk,
readiness and recovery capabilities with Appranix's next-generation cloud-native
rebuild capabilities," states Sanjay Mirchandani, president & CEO, Commvault.
8
computing security July/August 2024 @CSMagAndAwards www.computingsecurity.co.uk

DON’T
SaaSSS
GET YOUR
KICKED! !
TAKE CONTROL NOW AND
PROTECT YOUR SaaS DATA
Global SaaS vendors like Microsoft, Google and Salesforce
don’t assume any responsibility for your data hosted
in their applications. So, it’s up to you to take control
and fully protect your SaaS data from cyber threats or
accidental loss. Arcserve SaaS Backup offers complete
protection for your SaaS data, eliminating business
interruptions due to unrecoverable data loss.
Arcserve SaaS Backup
Complete protection for all your SaaS data.
arcserve.com
The unified data resilience platform

legal focus
IS THIS DIRECTIVE IN THE RIGHT DIRECTION?
NEW EU-WIDE LEGISLATION IS FOCUSED ON STEPPING UP CYBERSECURITY ATTACK COMPLIANCE
The NIS2 Directive - the EU-wide
legislation on cybersecurity - provides
legal measures to boost the overall level
of cybersecurity across the EU. Businesses
identified as operators of essential services
in key sectors will have to take appropriate
security measures and notify relevant national
authorities of serious incidents. Also, key digital
service providers, such as search engines, cloud
computing services and online marketplaces,
will have to comply with the security and
notification requirements under the directive
(https://digital-strategy.ec.europa.eu/en/
policies/nis2-directive)
Is this a big advance in the quest to keep
organisations safe from harm? Or is it simply
more bureaucracy and 'interference', as some
have branded it? If so, what should the
alternative be?
Karl Mattson, CISO at Noname Security,
believes the NIS2 Directive is a big step forward
for EU cyber resilience. "The directive has stricter
requirements for risk management and
incident reporting, covers a wider remit of
industries and features increasingly hard-hitting
financial penalties for non-compliance. These
requirements have significant implications for
the security and management of organisations."
Instead of viewing regulation as an onerous
task, he adds, achieving compliance with NIS2
can enable organisations to gain a competitive
advantage. "Indeed, as new regulations come
into force over time, organisations are likely to
find that many of their partners will require
proof of compliance before doing business
with them. While it does not specifically
mention APIs, NIS2's requirements for
enhanced cybersecurity, risk management,
incident reporting and supply chain security
have significant implications for the security
and management of APIs in organisations
subject to the directive. APIs are critical to
business transformation and lie at the heart
of corporate strategies for growth and
innovation."
"With escalating regulation requirements,
organisations need to know what they need to
implement through the lens of API security,"
he states. "This should be a priority for every inscope
organisation, if they are going to remain
compliant with NIS2."
BLIND SPOTS TACKLED
EU regulators have become the global tip of
the spear when it comes to data protection
for nation states, argues Matthew Sciberras,
CISO - VP of information security & information
technology, Invicti. "First, there was GDPR,
which set an international standard for the
protection and handling of personal data,
he points out. "Now, NIS2 is just about to
come into enforcement and addresses some
really important blind spots that businesses
often ignore."
The software supply chain is a considerably
important factor here. "Under NIS2, compliant
entities will have to account for the potential
risk within their partners, vendors, third parties
and overall supply chain." This is significant,
because - like the GDPR before it - it gives NIS2
a potentially global reach. "While NIS2 will only
apply to organisations that operate within
the EU, their compliance status is dependent
on the security of the international partners.
"That means that EU entities will have to
make partnering decisions based on the
security risk of those partners. It's safe to say
that there are few companies - wherever in the
world - who would want to isolate themselves
from the world's largest market."
Aside from that, the software supply chain
really does deserve serious consideration, he
points out. "The software that undergirds so
many basic functions in the modern world, are
delivered through complex and multi-faceted
supply chains, along which there are multiple
points of failure. Furthermore, the mounting
demand for new tools and services has put an
incredible amount of pressure on the development
process… considering the complex,
interwoven nature of software supply chains
this isn't just a problem for one product or
group of customers, but a larger security issue
for society in general."
UNIFIED APPROACH
Jon Leather, European head of supply chain
defence at BlueVoyant, says NIS2 unifies the
approach to collaborative security across the
entire supply chain, encompassing more than
160,000 midsize and large companies - and
those businesses within their supply chains -
in a cross-section of critical industries, such
as energy, transportation, healthcare, and
banking and financial services. "A unified
approach to securing supply chain relationships
between companies, direct suppliers,
and business partners is sorely needed."
BlueVoyant global research reveals that
organisations suffered negative impacts on
average from 4.16 supply chain breaches
last year. With organisations responsible for
their own security under NIS2, they must:
Review how they comply with stricter
reporting obligations, with 'essential'
businesses needing to report cyber
incidents within 24 hours
Conduct regular risk assessments to
identify and address cyber threats
IInvest in cyber security awareness
and training at all management levels -
even the board, if needs be.
HoHowever, the big question mark over the
10
computing security July/August 2024 @CSMagAndAwards www.computingsecurity.co.uk

legal focus
implementation of NIS2 is the fragmentation
of global compliance and how it's adhered to
from one country to the next, he continues.
"With each EU member state likely to introduce
nuanced legislation to suit individual needs -
in addition to the UK - the question of NIS2's
global impact remains unanswered.
"Regardless, all businesses within NIS2's scope
need to undertake a comprehensive analysis
of their supply chains to determine their
standing and readiness, with a view to using
full compliance as a competitive advantage.
Those without the resources to analyse
external vulnerabilities and cyber risks will
struggle to reach compliance by October
2024, which could lead to fines of up to
10 million euros or 2% of their annual
revenue, whichever is higher."
WIDER SCOPE
Chris Doman, CTO and co-founder, Cado
Security, also regards the NIS2 Directive
as a significant update to the European
Union's cybersecurity framework, identifying
it as particularly relevant to cloud security
incident response.
"First, NIS2 broadens the scope of sectors that
must adhere to its requirements, including
cloud computing services, and requires
improved security controls," Dorman states.
"One of the directive's core elements is the
establishment of policies for incident handling.
Entities must report significant cybersecurity
incidents to the national competent authorities
or computer security incident response teams
[CSIRTs] within 24 hours of becoming aware
of the incident.
"That early warning should be followed by
an incident notification within 72 hours of
becoming aware of the significant incident."
The dynamic nature of cloud environments
requires haste, he continues. "Therefore,
mandating rapid response in this way is crucial
for mitigating the impact of security breaches
in the cloud."
While Sam Peters, chief product officer,
ISMS.Online, acknowledges the NIS2 Directive
as "a significant stride in the European Union's
cybersecurity efforts",
he also states that, whether this is actualy
an advancement or an imposition of
bureaucracy, depends mainly on perspective
and execution."
NECESSARY SAFEGUARDS
"For some," he states, "these regulations
will be considered necessary safeguards
that enhance security protocols and ensure
a uniform level of cyber defence across
Europe. For others, particularly smaller
businesses and startups, the increased
compliance costs and operational hurdles
could be considered excessive and stifling
innovation."
In an ideal scenario, argues Peters, the
alternative to a directive like NIS2 would
still involve a structured approach to cybersecurity,
but could offer a more adaptable
framework. "This might include scaled
requirements, based on the size and impact
of the business, increased support for small-er
companies in meeting these requirements or
incentives for voluntarily adopting advanc-ed
cybersecurity measures.
"Another approach could be industry-led
standards that allow for more flexibility and
innovation, while still providing a framework
for essential security measures and incident
reporting. Ultimately, he says, the
effectiveness of the NIS2 Directive "will
depend on its implementation, including the
support provided to businesses to comply and
the adaptiveness of the framework to
evolving cyber threats".
MINDSET SWITCH
Tim Freestone, chief strategy and marketing
officer, Kiteworks, says adhering to the
NIS2 Directive necessitates a fundamental
alteration in corporate mindset, backed by
investments in advanced technologies and
robust procedural frameworks.
Chris Doman, Cado Security: a proactive
approach enables security teams to quickly
identify the root cause of a breach and
remediate the threat.
Tim Freestone, Kiteworks: limiting system
access can prevent a single individual from
having excessive control over sensitive data.
www.computingsecurity.co.uk @CSMagAndAwards July/August 2024 computing security
11

legal focus
Jamie Beckland, APIContext: API
validation remains an immature practice.
Matthew Sciberras, Invicti: NIS2 seeks to
protect the free movement of business
across borders.
"We contend that such investments are
crucial to fostering innovation and securing
our digital infrastructures. Central to the
directive is the adoption of both technical
and organisational safeguards to ensure data
confidentiality, integrity and availability. This
involves deploying cutting-edge encryption
technologies, stringent access controls and
secure communication protocols. Equally
important is the cultivation of a securityconscious
culture among employees,
positioning them as vital defenders against
cyber threats." The directive also emphasises
the importance of risk management and
incident response strategies," he continues.
"Proactive identification and mitigation of
vulnerabilities enable companies to stay
ahead of cyber adversaries. Effective incident
response measures, meanwhile, help to
mitigate the impact of data breaches, swiftly
restoring confidence among customers and
stakeholders."
Compliance with NIS2 is an ongoing process,
he points out, demanding continuous
documentation of security practices, risk
assessments, and incident response actions.
"This transparency is critical in fostering trust
within the digital landscape. This directive is
not just about achieving compliance, but
about inspiring a transformative movement
in data protection, leveraging technological
advancements and human creativity to protect
the vital assets of our digital economy. It encourages
companies to view data protection not as
a statutory obligation, but as a cornerstone of
their business ethos, thereby shaping a secure,
reliable and boundless digital future."
VITAL ROLE
Cyrille Badeau, vice president of international
sales ThreatQuotient, regards he directive as
a positive regulation, because "cybersecurity
inequity is a real and growing problem
at national and international level. Digital
infrastructure is only as strong as its weakest
link and when less-secure entities are connected
to critical supplier networks, they introduce
significant risk".
The EU needs overarching mechanisms,
processes and response plans to deal with
cybersecurity risk, just like any single entity
does. "Effective risk management is at the
heart of the directive, requiring entities to
assess organisational and industry-specific
cyber risk. We see a vital role here for threat
intelligence collection and analysis from
multiple sources to inform companies' risk
management strategy. This is best practice and
puts organisations in a stronger position to
proactively manage risk, but it is not always
consistently achieved on a sector-wide basis."
The directive also mandates timely and
complete incident reporting. "This is another
area where threat intelligence management
is crucial," says Badeau, "allowing entities to
obtain and share relevant information relating
to incidents and their possible impact in nearreal
time. The directive's focus on informationsharing
is also very positive. The more we can
learn about TTPs, incidents and impacts, the
better placed we are to respond."
Effectively, he adds, this directive is the EU's
bid to map good cybersecurity practice onto
a digital continent. "This certainly isn't easy, but
it is necessary, especially given the geopolitical
uncertainty and the aforementioned cybersecurity
inequity within and between countries.
Many individual organisations and sectors
already adhere to the risk management best
practices prescribed in the directive, but
cybersecurity has to be a collective effort
across communities, even one as large as the
EU. NIS2 is a step in the right direction."
API PERTINENCE
Jamie Beckland, APIContext’s chief product
officer, sees the directive's wide approach to
securing supply chains as especially pertinent
to the API sector. "APIs, as the building blocks
of modern software, often form extensive and
intricate networks that many businesses
depend on. Modern digital applications are
built with multiple compon-ents, including
cloud compute vendors, authentication
providers, data feeds, and other digital
12
computing security July/August 2024 @CSMagAndAwards www.computingsecurity.co.uk

legal focus
infrastructure. Application developers use
the APIs of these vendors to lash up to 100
individual services together to create the final
customer-facing application. Every online
banking transaction, every video stream, every
mobile app and every e-commerce sale is
powered by APIs."
However, he states, API validation remains
an immature practice. "Many organisations are
not aware of their API dependencies, which
first manifest in vendor APIs impacting application
reliability. This opacity can lead to
significant vulnerabilities, exposing entire
systems to data leaks." API supply chains are
poorly understood, but can have serious
consequences.
TOTAL COMPROMISE
"If an authentication API has a security
vulnerability, it can be leveraged to compromise
every account in the application,"
says Beckland. "If a cloud compute API is
misconfigured, it can leak all the data that
traverses that API. It's critical to comprehensively
inventory application APIs, and
the supplier APIs that they rely on. And,
since over 80% of API vulnerabilities are
misconfigurations [and not fundamental
security design flaws], they are often
straightforward to remediate."
NIS2 provides a clear driver for businesses
to prioritise the work of understanding their
API supply chain dependencies, he adds.
"It compels organisations to adopt a more
disciplined and transparent approach to API
management and security, which is crucial
for protecting sensitive data and maintaining
trust in digital services."
BUREAUCRATIC BURDEN?
Kennet Harpsoe, senior cyber analyst, Logpoint,
flags up how the directive, for all its virtues,
has faced criticism for potentially imposing a
significant bureaucratic burden. "Compliance
costs and administrative overheads could
be particularly challenging for smaller organisations,"
he says. "The NIS2 directive is formulated
in very general terms that can be hard to
translate into a practical implementation. And,
while it might generate a lot of business for
large accounting firms and their consultants,
it's unlikely to generate cost efficient cyber
security."
Some businesses view the directive as an
intrusion that limits their flexibility and autonomy
in managing cybersecurity and there
are concerns that stringent regulations might
stifle innovation, especially for start-ups, he
adds. "And will the reporting requirements
be useful? If the reports are written in a hurry,
and there is no explicit purpose, so no explicit
reason why anyone should read them, will
they have any practical effect?"
Alternative approaches could be considered,
Harpsoe suggests. "Regulations could be
tailored, based on the specific risk profiles of
different sectors and organisations, balancing
the need for security with flexibility. Another
approach could be to make the recommendations
more specific; years of cyber security
experience have been codified into best
practices, like the CIS 18 Critical controls.
Referring directly to more specific recommendations
could make implementation of NIS2
much more cost effective."
Also, providing financial assistance, such as
subsidies or grants, and technical support can
help organisations, particularly SMEs, manage
compliance costs. "Additionally, the directive
could include mechanisms for regular updates
based on evolving cyber threats and technological
advancements, ensuring it remains
relevant and effective without imposing
unnecessary burdens. Regular consultations
with industry stakeholders could further
enhance its impact, particularly as the cyber
security space evolves fast."
Tailored approaches, supportive measures
and continuous legislative adaptation can help
mitigate the directive's potential administrative
and financial burdens, he concludes, and
enhance the directive's effectiveness.
Kennet Harpsoe, Logpoint: compliance
costs and administrative overheads could
be particularly challenging for smaller
organisations.
Karl Mattson, Noname Security: NIS2
Directive is a big step forward for EU
cyber resilience.
www.computingsecurity.co.uk @CSMagAndAwards July/August 2024 computing security
13

artificial intelligence
AT THE AI CROSSROADS
ARE THE CRIMINALS ON THE FRONT FOOT IN THE BATTLE
TO USE AI FOR GOOD OR BAD? EDITOR BRIAN WALL REPORTS
It would appear that AI is at a definitive
crossroads - one where policymakers,
security professionals and civil society have
the chance to finally tilt the cybersecurity
balance from attackers to cyber defenders.
That is the view of Google's Phil Venables,
vice president, chief information security
officer (CISO), Google Cloud, and Royal
Hansen, vice president, Privacy, Safety and
Security Engineering.
"At a moment when malicious actors are
experimenting with AI, we need bold and
timely action to shape the direction of this
technology," the two argue. To support this
work, Google has launched a new AI Cyber
Defense Initiative, including a proposed policy
and technology agenda contained in its new
report: Secure, Empower, Advance: How AI
Can Reverse the Defender's Dilemma.
"Today, and for decades, the main challenge
in cybersecurity has been that attackers need
just one successful, novel threat to break
through the best defences. Defenders,
meanwhile, need to deploy the best defences
at all times, across increasingly complex digital
terrain - and there's no margin for error. This
is the 'Defender's Dilemma' and there's never
been a reliable way to tip that balance. Our
experience deploying AI at scale informs
our belief that AI can actually reverse this
dynamic. AI allows security professionals
and defenders to scale their work in threat
detection, malware analysis, vulnerability
detection, vulnerability fixing and incident
response."
SLOWER ADOPTION
Alasdair Anderson, VP at Protegrity, also
believes AI has the potential to be an effective
tool for whoever wields it. "However, for
businesses, AI adoption will be slower than
the cybercrime industry, as there will be new
regulations to adhere to and ensuring the
safe use of AI is a lengthy process. As such,
through 2024 there will be an increase in AIbased
attacks before businesses and
government bodies can put in place robust
and ethical AI cyber-security measures. The
importance at this time will be in employing
safe data practices so private information is
always protected."
While AI's ability to streamline processes
and present speedy outcomes is offering
breakthroughs to businesses, he adds, it is
at the same time attracting attention from
threat actors who are realising that it could
be a weakness in a company's security. if
not used correctly. "However, if used to its
full potential, AI could be a tool that helps
businesses identify weaknesses and address
them. During the race to attack and defend in
the age of AI, businesses should be focusing
on protecting the prize: data. When a threat
actor utilises AI to find an innovative way
to break through the latest cybersecurity
defence, all the data at the centre will be
at risk - and can be used to enhance larger
attacks. If training an LLM with data, or if an
employee elects to streamline a task and use
an LLM on a public platform - that data is
too at risk."
Protegrity advocates for a data-centric
approach, states Anderson. "If all data used is
subjected to privacy-preserving measures to
comply with data protection laws, it ensures
that, if the data is breached at any point, it is
anonymous and worthless to hackers."
GENIE ‘OUT OF THE BOTTLE’
For Aron Brand, CTO, CTERA, attempting to
contain the emerging AI-based cyber threats
with regulation is "as futile as trying to contain
a wildfire with a garden hose". With powerful
open-source models on the GPT-4 level being
freely proliferated, the genie is out of the
bottle, he says. "Today, even individuals with
moderate resources can create powerful AI
systems without ethical safeguards, rendering
proposed AI rules ineffective against malicious
actors, not to mention state actors who are
actively developing AI cyber weapons.
"In fact, it is very reasonable to assume that
AI scientists from major world superpowers
are already engaged in a high-stakes race to
develop the ultimate AI weapon, which could
be likened to an 'Internet nuke'. The regulators
can only influence the 'good guys', and do
nothing to stop nefarious actors from
creating malicious AI."
The way forward, says Brand, lies in embracing
AI-based defences as countermeasures.
"It is time for more software vendors to step
up and incorporate behavioural AI into their
products. By leveraging AI's ability to distinguish
between malicious and normal user
behaviour, next-generation security solutions
can quickly detect and neutralise AI-powered
attacks. Unfortunately, the rapid surge in the
offensive capabilities of attackers means we
14
computing security July/August 2024 @CSMagAndAwards www.computingsecurity.co.uk

artificial intelligence
face an uphill battle in this AI arms race."
10.5 TRILLION DOLLAR PRICE TAG
According to Louis Blackburn, operations
director at CovertSwarm, global cybersecurity
crime is expected to cost the world $10.5
trillion USD annually by 2025, up by 15%
from the cost five years ago, while the
average global cost of a single data breach
costs a business around $3.62 million, with
customer trust taking a huge hit. "It's essential
that organisations of all sizes learn about
the security risks that AI can have to their
business and establish a plan to deal with
any threats," he cautions.
"Voice synthesis tools are being used to
mimic employees in organisations, such
as service desk workers, to gain people's
trust. Businesses are at threat of simple
transactions, like a password reset taking
place over the phone and getting into the
hands of somebody who, unbeknown to
them, is not the actual colleague a person
thinks they're speaking to."
AI can be used to perform reconnaissance
against organisations in the future. "Collating
information about a target business at the
moment is a very manual process, but in the
near future attackers will be able to use AI
to quickly find out the relevant information
about an organisation like the IP address,
open ports, security software and hardware
in use and vulnerabilities in these systems,"
Blackburn states.
"In the future, this will develop into hackers
being able to use AI and OpenSource to
look into a company's computer vulnerabilities
and other areas that may be insecure.
Organisations need to be proactive with
regard to all digital security and perform
continuous testing to find the problems
before AI does."
OPERATING AT SCALE
Curtis Wilson, staff data scientist at the
Synopsys Software Integrity Group, argues
that the potential of AI lies not in full autonomy,
but in allowing experts to operate at
scale. "The problem faced by cyber security
experts is that they must find and patch every
single vulnerability in the systems they are
responsible for - a threat actor, however, only
needs to find and exploit one vulnerability to
launch a successful attack. AI-based tools can
help cyber security experts identify potentially
vulnerable areas of an application, search
through large codebases, automate routine
inspections, see patterns or unusual behaviour
in network traffic and even suggest easy
fixes for common problems."
However, he adds, AI alone can struggle
to understand the complex interactions
between different parts of a large system,
the underlying business logic (and how that
factors into the system) or the potential for
completely novel exploits. Keeping human
experts in the loop is thus essential. "Whilst
this ability to scale expertise is a boon to cyber
security experts when patching vulnerabilities,
it can also be a boon to threat actors in a
different domain: social engineering. Currently,
social engineering tends to be either quality
or quantity based. Either you send an unsophisticated
email to hundreds of thousands:
("enter your details for information about
a package"), or you send a highly-tailored
email to a small group: ('This is [CFO's name],
CFO of [Your Company], and I need your
help…')."
The question of 'Will AI help or hinder cyber
security experts?' is a false dichotomy, says
Wilson. "I think instead we will see the entire
landscape of cybersecurity threats continue
to change and evolve in response to advances
in AI technologies; just as it has to every other
change in technology over the last few
decades."
OPINION DIVIDED
Matt Frye, who is the head of education at
Hornetsecurity, says the company's latest
research shows that 45% of UK businesses
have been victims of a cyberattack and 85%
Alasdair Anderson, Protegrity: businesses
should be focusing on protecting the
prize: data.
Louis Blackburn, CovertSwarm: hackers will
be able to use AI and OpenSource to look
into a company's computer vulnerabilities.
www.computingsecurity.co.uk @CSMagAndAwards July/August 2024 computing security
15

artificial intelligence
Aron Brand, CTERA: rapid surge in the
offensive capabilities of attackers means
we face an uphill battle in this AI arms
race.
Dan Wiseman, Transmit Security: While AI
is increasingly being adopted by cyber
attackers, it holds equal, if not greater,
potential as a defensive mechanism.
are concerned about the increasing sophistication
of attack methods, thanks to AI.
THE RACE IS UNDERWAY
"Cybersecurity professionals need to amplify
their efforts and enhance their technology
to safeguard businesses from evolving attack
methods," he advises, as the race is underway
between cyber criminals, vendors and policymakers,
with all parties leveraging the power
of AI for differing reasons." Hornetsecurity
research shows that opinions amongst British
business leaders are split, with 45% finding AI
helpful and 45% thinking it has worsened the
threat landscape.
"Next-gen defenders like Hornetsecurity
are continually investing to maintain the
upper hand over attackers and they have
been ably using AI as part of their efforts to
do so. However, the dynamic nature of cyber
threats means that this is an ongoing battle,
requiring constant vigilance, adaptation and
education to build users' knowledge of the
threat landscape and the methods cybercriminals
are using. Business leaders must act
now, investing in comprehensive AI-enhanced
protection packages, which include both
technical defences and training packages."
DEFENSIVE MECHANISM
Dan Wiseman, senior solutions advisor,
Transmit Security, emphasises how AI is not
a silver bullet, but a tool and, like any tool,
its effectiveness hinges on how it's utilised.
"While AI is increasingly being adopted by
cyber attackers, it holds equal, if not greater,
potential as a defensive mechanism. Yet,
many organisations are still in the early stages
of harnessing its full potential and therefore
risk falling behind the curve," he warns.
The unpredictable nature of AI, often seen
as a challenge, can actually be its strength.
"With the right safeguards and ethical
guidelines in place, this unpredictability can
be harnessed to stay one step ahead of cyber
threats. AI's predictive capabilities enable us to
identify and mitigate potential threats before
they materialise, effectively shifting the
balance in favour of cyber defenders."
Achieving this requires a multi-faceted
approach, says Wiseman. "From a security
perspective, it involves constantly improving
AI algorithms, investing in AI training and
research, and fostering collaboration between
AI developers, cybersecurity professionals and
policymakers. At Transmit Security, we're
actively embedding AI-driven capabilities
across our entire platform, making it easier
for our customers to leverage AI as a core
component of their cybersecurity strategy."
ROBUST FRAMEWORKS
To truly outrun cybercriminals and maintain a
defensive advantage, robust frameworks for
AI governance and ethical standards must be
established, ensuring responsible use and
mitigating risks," comments Keiron Holyome,
VP UKI & Emerging Markets, BlackBerry.
"As a response to the Chinese cyberattack
on the Ministry of Defence earlier this year,
we are already seeing progress in such
recommendations for both AI caution and
applications for good, demonstrated by May's
collection of UK government research reports
on the cyber security of AI. Collaboration
between governments, industry leaders and
academia will be increasingly essential for
sharing knowledge, developing best practices
and responding to emerging threats
collectively."
Holyome says that AI's potential for both
defenders and attackers is still in the early
stages of its journey, something that can
be overlooked. "The security industry must
remain vigilant and adaptive. It must be
prepared to address evolving vulnerabilities
that AI may introduce and meet challenges
head-on, with an innovative, yet responsible
approach. If effectively harnessed, AI can
maintain cybersecurity balance against
defenders, but this requires ongoing research,
innovation and collaboration."
16
computing security July/August 2024 @CSMagAndAwards www.computingsecurity.co.uk

cyber breaches
BATTERED AND BREACHED
A 2024 GOVERNMENT SURVEY PAINTS A DISTURBING PICTURE OF THE SCALE OF
CYBER-ATTACKS PERPETRATED AGAINST UK BUSINESSES OVER THE LAST 12 MONTHS
Organisations of all sizes and
persuasions are prey to the attackers
and a large percentage have suffered
at their hands - that is the main takeaway
from the government's Cyber Security
Breaches Survey for 2024.
"Half of businesses [50%] and around a third
of charities [32%] report having experienced
some form of cyber security breach or attack
in the last 12 months," states the government.
"This is much higher for medium businesses
[70%], large businesses [74%] and highincome
charities with £500,000 or more in
annual income [66%]."
By far the most common type of breach or
attack is phishing (84% of businesses and
83% of charities). "This is followed, to a much
lesser extent, by others impersonating
organisations in emails or online [35% of
businesses and 37% of charities] and then
viruses or other malware [17% of businesses
and 14% of charities]. Among those
identifying any breaches or attacks, we
estimate the single most disruptive breach
from the last 12 months cost each business,
of any size, an average of approximately
£1,205. For medium and large businesses, this
was approximately £10,830. For charities, it
was approximately £460." There were some
changes this year to the question that seeks to
capture the overall incidence of cyber-attacks
and breaches. Due to these changes, it was
not possible to make direct comparisons
between 2023 and 2024, states the survey
report.
CYBER HYGIENE
Interestingly, and perhaps against general
expectation, the most common cyber threats
are relatively unsophisticated, so government
guidance advises businesses and charities to
protect themselves using a set of "cyber
hygiene" measures. A majority of businesses
and charities have a broad range of these
measures already in place. The most common
are updated malware protection, password
policies, cloud back-ups, restricted admin
rights and network firewalls - each
administered by at least seven in 10
businesses and around half of charities or
more, according to the report.
Compared to 2023, the deployment of
various controls and procedures has risen
slightly among businesses:
Using up-to-date malware protection
(up from 76% to 83%)
Restricting admin rights (67% to 73%)
Network firewalls (66% to 75%)
Agreed processes for phishing emails
(up from 48% to 54%).
These trends represent a partial reversal of
the pattern seen in the previous three years
of the survey, where some areas had seen
consistent declines among businesses. The
changes mainly reflect shifts in the micro
business population and, to a lesser extent,
small and medium businesses.
RISK MANAGEMENT & SUPPLY CHAINS
Businesses are more likely than charities to
take actions to identify cyber risks. Larger
businesses (defined as medium and large
businesses as opposed to smaller business
that cover micro and small business) are the
most advanced in this regard.
Some 31% of businesses and 26% of
charities have undertaken cyber security risk
assessments in the last year - rising to 63%
of medium businesses and 72% of large
businesses. A third of businesses (33%)
deployed security monitoring tools, rising to
63% of medium businesses and 71% of large
businesses. The proportion was lower among
charities (23%). Around four in ten businesses
(43%) and a third of charities (34%) report
18
computing security July/August 2024 @CSMagAndAwards www.computingsecurity.co.uk

cyber breaches
being insured against cyber security risks rising
to 62% of medium businesses and 54% of
large businesses (ie, cyber insurance is more
common in medium businesses than large
ones). Compared to the 2023 survey, the
proportion of businesses with some form of
insurance has increased from 37% to 43%,
while the proportion has remained stable
amongst charities.
Just over one in 10 businesses say they
review the risks posed by their immediate
suppliers (11% vs 9% of charities). More
medium businesses (28%) and large
businesses (48%) review immediate supplier
risks.
The qualitative interviews suggest that
organisations have an increasing awareness of
the cyber security risks posed by supply chains.
Despite this, organisations, particularly at the
smaller end, tend to have limited formal
procedures in place to manage cyber risks
from wider supply chains.
Meanwhile, board engagement and
corporate governance approaches towards
cyber security tend to be more sophisticated
in larger organisations. Levels of activity have
remained stable, compared with 2023.
GOING LARGE
Three-quarters of businesses (75%) and more
than six in 10 charities (63%) report that cyber
security is a high priority for their senior
management. This proportion is higher
among larger businesses (93% of medium
businesses and 98% of large businesses vs
75% overall). The same is true for highincome
charities (93% of those with income
of £500,000 or more vs 63% overall).
The proportion that says cyber security is a
high priority has remained stable since 2023,
following an apparent decrease in
prioritisation in 2023. The qualitative
interviews suggest that, despite economic
conditions, many organisations have
continued to invest either the same amount
or more in cyber security over the last 12
months. This is in part a response to the
perceived increase in the number of cyberattacks
and their sophistication.
UPTICK IN PROTECTION
"With half of businesses encountering cyber
breaches and attacks in the last 12 months,
this report exposes the scale of the cyber
threat landscape that we face today," says
Matt Thomas, head of UK markets at NCC
Group. "An estimated 7.78 million
cybercrimes is not a figure that should be
taken lightly.
"Businesses and charities are at risk of
phishing scams, viruses and malware, so it is
heartening to see an uptick in the adoption of
cyber hygiene practices, with those using upto-date
malware protection up from 76% to
83%. Improvement in cyber hygiene among
micro businesses in particular, and qualitative
reports that businesses are investing in
cybersecurity, should be celebrated. Despite
the economic challenges that all businesses
face, there is long-term value in investing in
cyber hygiene now and prioritising prevention
before an incident occurs.
The government breach report is a reminder,
says Thomas, that, despite progress,
challenges still remain. "With global supply
chain instability continuing, formal procedures
are more important than ever before. This
report has also highlighted a lacking approach
to incident response across the board, with
only the minority of businesses [22%] having
agreed formal processes in place to support
following a cyber incident."
He also highlights how 75% of all businesses
have reported cyber security as a high priority
among senior management. "However, the
findings show discrepancies between the size
of businesses adopting appropriate cyber
security measures. Some 98% of large
businesses and 93% of medium businesses
have cyber security at the top of their agenda,
yet small businesses are yet to prioritise
mitigating cyber threats in the same way
despite being vulnerable."
He adds that there has not been significant
improvement in board or senior management
engagement on cybersecurity since 2017. "The
disconnect between IT or cyber teams and
wider staff is being keenly felt within large
businesses, suggesting greater collaboration is
required across businesses to effectively and
holistically combat cyber threats.
"Further education is still needed to support
smaller businesses and charities towards a
safer cyber future, and this data also
demonstrates sectoral differences when it
comes to cybersecurity. Businesses within
finance and health, for example, are more
likely to make cyber security a higher priority
than other businesses, but all businesses must
invest budget into protecting themselves from
cyber threats, too."
Matt Thomas, NCC Group: this report
exposes the scale of the cyber threat
landscape that we face today.
www.computingsecurity.co.uk @CSMagAndAwards July/August 2024 computing security
19

passwords
ARE PASSWORDS PASSÉ?
WITH GOOGLE MOVING TOWARDS A FUTURE WITHOUT PASSWORDS,
THE PATH HAS BEEN THROWN OPEN FOR OTHERS TO FOLLOW
When your password is stolen,
cybercriminals may sell your
information on the dark web
to other hackers or use it themselves to
commit more cybercrimes," says Aranza
Trevino, senior SEO content specialist at
Keeper Security. "Your stolen credentials
may give hackers access to important
accounts, such as your bank account,
and allow them to steal other Personally
Identifiable Information (PII). This can result
in serious consequences, such as stolen
money and stolen identities. Recovering
from a stolen identity is time consuming
and expensive, and the consequences can
follow victims for years."
Data breaches are one of the most
common ways credentials are stolen. "In
2022, over 422 million people in the US
were affected by 1,802 data breaches,"
she confirms. "These breaches, often at
major companies with millions of users,
can expose usernames and passwords,
health information, credit card numbers,
social security numbers and more."
Brute force, meanwhile, is a method
of password cracking that uses a bot to
repeatedly guess random passwords until
it finds the right one. "These bots can try
hundreds of passwords a second - but they
are more likely to guess passwords that
include dictionary words [also known as
a dictionary attack] or passwords that are
short," states Trevino. "A random, eightcharacter
password can be hacked within
eight hours. A password shorter than that
can be cracked almost instantly. A random
eighteen-character password with a mix
of numbers, letters and special characters
would take trillions of years to crack."
Other attack methods that Trevino also
singles out include the following:
Guessing: gathering information by
researching your digital and attempt
to guess your password by using what
they learn
Shoulder surfing: stealing information,
including passwords, by physically
viewing the victim entering in the
information
Malware: malicious links and files can
contain malware, which users might
accidentally download when they are
victims of online scams, like phishing
attacks
Man-in-the-middle attacks: these occur
when cybercriminals intercept data sent
between two entities
Social engineering: which can be used
in tandem with other methods, such as
phishing
Password spraying: where hackers use
a few common passwords to attack
multiple accounts on a single website
or application.
THE PASSWORDLESS FUTURE
Enter Google, which has begun rolling out
passkeys - something it describes as "the
easiest and most secure way to sign in to
apps and websites and a major step toward
a passwordless future".
Passkeys are a safer and easier alternative
to passwords, it states. "With passkeys,
users can sign in to apps and websites with
a biometric sensor [such as a fingerprint or
facial recognition], PIN or pattern, freeing
them from having to remember and
manage passwords."
Developers and users both hate
passwords, insists Google: "They give a poor
user experience, they add conversion
friction, and they create security liability for
both users and developers. Google
Password Manager in Android and Chrome
reduces the friction through autofill;
for developers looking for even further
improvements in conversion and security,
passkeys and identity federation are the
industry's modern approaches."
A passkey can meet multifactor
20
computing security July/August 2024 @CSMagAndAwards www.computingsecurity.co.uk

passwords
authentication requirements in a single
step, adds Google, replacing both
a password and OTP (eg, 6-digit SMS code)
to deliver robust protection against
phishing attacks and avoids the UX pain
of SMS or app-based one-time passwords.
"Since passkeys are standardised, a single
implementation enables a passwordless
experience across all of a user's devices,
across different browsers and operating
systems."
Passkeys are easier, it says, because:
Users can select an account to sign
in with. Typing the username is not
required
Users can authenticate using device's
screen lock such as a fingerprint sensor,
facial recognition or PIN
Once a passkey is created and registered,
the user can seamlessly switch to a new
device and immediately use it without
needing to re-enrol (unlike traditional
biometric auth, which requires setup
on each device).
Google also identifies passkeys as safer for
several reasons:
Developers only save a public key to the
server, instead of a password, meaning
there's far less value for a bad actor to
hack into servers and far less cleanup
to do, in the event of a breach
Passkeys protect users from phishing
attacks. Passkeys work only on their
registered websites and apps; a user
cannot be tricked into authenticating
on a deceptive site, because the browser
or OS handles verification
Passkeys reduce costs for sending SMS,
making them a safer and more costeffective
means for two-factor
authentication.
PERSISTENT CHALLENGE
Clearly, password protection is a fraught
and challenging enterprise that has
provoked new thinking. Peter Barker, chief
product officer at Ping Identity, is one
concerned party who has been quick to
identify why he feels passwords are way
past their 'best-before date' and how
he hopes that Google's move towards
a passwordless future will prove to be
an inspirational force for change.
"Passwords have been a persistent security
challenge for the past seven decades,
leaving us susceptible to phishing attacks
and the looming threats of fraud and
identity theft," says Barker.
"Consumers increasingly crave greater
convenience, without compromising on
security. The path we must embark on leads
us toward a passwordless future, though
this transition will undoubtedly require time
to be embraced on a grand scale.
"Notably, we have already witnessed the
widespread integration of biometric
authentication methods, such as facial
recognition and fingerprint scans, into
our daily lives. These technologies serve as
stepping stones towards the ultimate goal
of a world where the arduous task of
logging in becomes a thing of the past.
However, to truly reach this passwordless
utopia, the general public needs a better
grasp of the underlying technology.
"In light of these developments," adds
Barker, "Google's decision to champion
passkeys as the default login option
couldn't have come at a better time.
Sometimes, it takes industry giants to
take the lead, pushing for change more
assertively."
BROKEN SYSTEM
Meanwhile, Alex Laurie, Ping Identity's SVP
EMEA, points to how passwords also act
as a barrier to achieving a smoother user
experience. "Think back to the number of
times you've been locked out of a site or
app and had to go through the painstaking
process of resetting your password. It's
a broken system that needs to change."
Alex Laurie, Ping Identity: most logical
path that access management
organisations could take would be
towards a passwordless future.
Given such challenges, the most logical
path that access management
organisations could take would be towards
a passwordless future, Laurie points out.
"While this transition will undoubtedly
require time to be embraced at scale on
both the B2B and B2C side, our research
shows that consumers welcome passwordless
authentication. In the UK, 59% said
they'd be happy to switch website/app/
service, if a passwordless authentication
method was offered."
He feels that the clear shift away from
passwords by major technology firms
like Google and Amazon is the way that
others now need to go. "Passkeys signify
a significant leap forward, sparing users
from the hassle of remembering passwords
and the constant worry of someone
stealing them. This proactive move
promises to reduce fraud, and usher in
a simpler, faster and more secure user
experience that we can all benefit from."
www.computingsecurity.co.uk @CSMagAndAwards July/August 2024 computing security
21

pen testing
PUT TO THE TEST
MOST COMPANIES HAVE INVESTED
IN SECURE I.T. INFRASTRUCTURE,
BUT DO THEY KNOW HOW WELL
IT WORKS UNDER PRESSURE?
How many organisation have policies
and procedures ready for real-world
cyber threats? With so many attacks
launched, they need to find out exactly
how robust their defences are - before they
become a victim. Testing cyber resilience
with a Red Team exercise will identify the
weaknesses in an IT defence and provide
a playbook to rectify those frailties going
forward.
The majority of organisations already have
a good understanding of penetration tests,
and operate a mature security-assessment
programme that employs both vulnerability
assessment and periodic penetration tests,
says Shinoj Joni, senior security consultant
at Prism Infosec. "During a typical pentest,
a vulnerability assessment is conducted,
in which potential weaknesses within the
system are discovered and listed. A good
penetration test will then attempt to
exploit the observations made in the
vulnerability assessment, so that the
technical risk of each observation can be
measured and the findings of the
assessment prioritised, enabling the
assessed organisation to understand their
specific risk profile. This activity typically
has very strict parameters, agreed in
advance, governing what can be assessed
and which techniques can be employed."
One of the key distinguishing features of
a red team assessment, by contrast, is that the
type of attack performed is less important
than the type of threat actor being simulated.
"While red teaming draws on elements of
the pentest methodology, the scope is nearly
always wider," he points out. "This allows the
exercise to explore the real-world risks that the
organisation is exposed to from a threat actor,
who is only interested in achieving their goal."
As red team exercises emulate real-world
attackers, it is often the case that the
methodologies employed are much stealthier
than the traditional combination of a
penetration test, with activities such as opensource
intelligence gathering. "This is not
always the case, depending on the assessment
being conducted, but in general red team
exercises do not commence with the
deployment of 'noisy' vulnerability assessment
tools," explains Joni. "Instead, intelligence is
gathered about the organisation and the
vector with the greatest likelihood of success
with the least risk of detection is deployed.
The methodologies and tools available to the
red team provider are limited only by
the capabilities of their team and the
understanding of the threat actor being
modelled."
The obvious answer, he suggests, is that
every organisation would benefit from a red
team exercise, in that it will provide a list
of security-related findings that, when
addressed, will improve the security posture of
the organisation. "However, the most benefit
will be found by organisations that have a
mature penetration testing strategy, coupled
with robust protective monitoring capabilities,
or who are about to embark on a significant
security upgrade programme. This not to say
that there is no benefit to an organisation that
is currently struggling to apply system patches
consistently across the enterprise or trying to
stay on top of corrective actions arising from
the output of automated vulnerability
assessment tools. A red team exercise can
help these organisations prioritise the order
in which elements of the enterprise receive
penetration tests and track progress as the
security programme matures."
TEST…TEST… AND TEST
To be effective, cyber resilience strategies and
recovery plans need to be tested regularly,
points out Sam Woodcock, director of cloud
strategy and enablement, 11:11 Systems.
"Unfortunately, many organisations lack focus
22
computing security July/August 2024 @CSMagAndAwards www.computingsecurity.co.uk

pen testing
on testing, both in terms of their planning
and their process during simulation. However,
tabletop exercises are key, because they get
to the heart of the metrics and unpack how
long it will take to get the organisation back
up and running. It clarifies the company's
response and highlights where teams need to
improve their planning. In doing this, the
company will know how to operate through
an incident. The insight that security teams
can get from proper testing cannot be gained
any other way and is the best way to prepare
for actual cyber incidents."
If the strategy for undoing the damage from
a ransomware attack is to recover copies of
locked data, regularly testing how to do so
is a good idea - particularly as more clever
examples of ransomware also target backups.
Disaster recovery-as-a-service offerings
are great for making sure data is backed up
in multiple ways; however, it is still vital that
this solution is tested with as close to a reallife
scenario as possible."
Red Team assessments and penetration
testing are the two key ways in which teams
can accurately gauge the strength of their
security systems, adds Woodcock. "These are
especially effective as, particularly in the case
of Red Team assessments, they mimic how
threat actors would try to gain access to
a system. This is done through a combination
of real-world tactics, including intelligencegathering,
technical vulnerability identification
and exploitation, and social
engineering. However, penetration testing,
while effective, necessary and time consuming,
does not always uncover all of a system's
weaknesses, yet it does provide a benchmark
to test from and identify areas for improvement,
ahead of a ransomware attack."
BACKDOOR INVASION
Meanwhile, it's been reported that a principal
software engineer at Microsoft and one of
the developers of PostgreSQL discovered a
backdoor in liblzma, which is part of the
widely used open-source compression library
XZ. This has been described as "one of the
best executed supply chain attacks" and
would have been a security disaster, had it
not been discovered.
The XZ software is used in many Linux
distributions and in macOS for tasks such as
compressing release tarballs and kernel
images. According to industry experts, this
episode could have been far worse, had it
not been caught early, as the malicious
backdoor code enabled full remote code
execution.
HUGE, COMPLEX CHAINS
Shakeel Ahmed, principal penetration tester,
Protection Group International Shakeel
Ahmed, principal penetration tester, of
Protection Group International, comments:
"Open source's use of other projects creates
huge and complex supply chains that are
rarely well understood and even more rarely
audited. Buying software doesn't really avoid
the problem anymore. However, open-source
software development is robust and, even
though there have been concerns over the
years around software maintenance and
support, the fact that it was picked up does
highlight the fact there is an element of
vigilance and best security practices within
the open-source software supply chain.
"Community oversight on open-source
projects is crucial to prevent APT and backdoors,"
he states. "This is in comparison to
proprietary software, which may contain
vulnerabilities intentionally or unintentionally.
Going forward, I think there should be a
requirement for more enhanced monitoring
and fuzzing of core open-source libraries
and dependencies.
"Software vendors should assess their
dependencies and perform secure source
code reviews, in order to protect their
supply chains. Sticking to stable software,
in comparison to running the latest, alpha,
beta or bleeding edge packages, will also
maintain a robust cybersecurity stance."
Shinoj Joni, Prism Infosec: most benefit
will be found by organisations with a
mature penetration testing strategy,
coupled with robust protective
monitoring capabilities.
Sam Woodcock, 11:11 Systems: tabletop
exercises get to the heart of the metrics
and unpack how long it will take to get
the organisation back up and running.
www.computingsecurity.co.uk @CSMagAndAwards July/August 2024 computing security
23

threats latest
HEALTHCARE
IS OVER!
AN 'HONOUR AMONGST THIEVES' AGREEMENT DURING COVID WHERE HEALTHCARE PROVIDERS WERE
SPARED CYBER-ATTACKS HAS GIVEN WAY TO ALL-OUT ATTACKS
Cyberattacks are on the rise, with large
corporations such as Ticketmaster,
the BBC and even the NHS reporting
record-breaking hacks and data breaches.
With more data than ever being shared by
both consumers and businesses online, can
information ever be safe from the threat of
cyber leaks again? And how exactly, in the
face of such attacks, can cybersecurity stay
agile and updated to protect the privacy of
organisations?
Spencer Starkey, VP of EMEA at SonicWall,
says that cybersecurity arrangements must be
agile and constantly updated to keep up with
the evolving threat landscape. "Cybercriminals
are constantly developing new tactics,
techniques and procedures (TTPs) to exploit
vulnerabilities and bypass security controls,
and companies must be able to quickly
adapt and respond to these threats. This
requires a proactive and flexible approach to
cybersecurity, which includes regular security
assessments, threat intelligence, vulnerability
management and incident response planning.
"It also requires ongoing training and
awareness programmes to ensure that
employees are aware of the latest threats
and best practices for cybersecurity," he adds.
"By maintaining agile and up-to-date
cybersecurity arrangements, companies
can minimise their risk exposure, detect
and respond to threats more effectively, and
maintain the trust and confidence of their
customers and stakeholders."
UPTICK IN ATTACKS
Another worrying trend is the regularity with
which the health care system is being targeted
of late. "The recent attack on NHS hospitals by
the Qilin ransomware group is part of a wider
trend of threat actors attacking the healthcare
sector," points out James Tytler, associate, Cyber
Incident Response, at S-RM. "While there was
an 'honour among thieves' agreement during
Covid where healthcare providers were spared
cyber-attacks [with some threat actors even
issuing apologies], this moratorium has been
lifted, with global data showing a significant
uptick in attacks since March 2023. The
healthcare sector is unfortunately a good
target, as providers hold critical data, are
critical infrastructure and more likely to pay
to keep operations going."
While there have been proportionally more
attacks on healthcare organisations in recent
years, fundamentally these groups are
opportunistic and breaches are often the result
of software vulnerabilities or poor password
management, he says. "These groups tend
to go after the easiest targets, so healthcare
and other critical infrastructure should urgently
invest in their cybersecurity defences to avoid
falling victim. S-RM has responded to attacks
launched by the Qilin ransomware group
in the UK and supported clients in the
healthcare sector."
EXTORTION AND DOWNTIME
The cyber incident affecting London hospitals
was extremely serious and impacting , concurs
Mark Jow, technical evangelist at Gigamon.
"Unfortunately, all too often bad actors know
the potential for disruption and use this as an
opportunity to extort more money from their
victims and downtime can be devastating
in the healthcare sector. It's fair to say in
situations like this it has the potential to be
a 'life-or-death' matter for those patients
affected.
"We can only hope that the NHS has
safeguards in place to limit the level of
disruption and protect their day-to-day
operations. It is vital that healthcare
organisations and any security leaders
operating within our critical national
infrastructure take note of this incident."
There are a few proactive steps for organisations
looking to protect themselves against
cyber threats and improve detection and
remediation of any intruders, he points out.
INSECURE SUPPLY CHAIN
"First, it is critical to understand the risk
brought about by an insecure supply chain. In
this threat environment, all organisations must
have confidence in not only their own security
posture, but those of all their suppliers, with
evidence of the security of their entire supply
chain. When selecting suppliers and vetting
third parties, it's important that organisations
assess not just the quality and price of services
offered, but also the IT maturity of the supplier.
This incident really does reinforce the
importance of vetting suppliers to critical
infrastructure organisations like the NHS,
ensuring they have implemented best practices
in securing themselves, and holding them to
account when these situations arise."
Secondly, says Jow, you have to be aware
where attackers could gain a 'foothold' in
your organisation. "The number of connected
medical devices within the Internet of Medical
Things (IoMT) is rising, but IoMT is often highly
vulnerable to cyber-attacks. This is mainly
because 5G technology increases the 'attack
surface' for malicious actors by introducing
a whole new class of targets to the internetconnected
ecosystem many of which cannot
24
computing security July/August 2024 @CSMagAndAwards www.computingsecurity.co.uk

threats latest
be protected by traditional EDR solutions."
With this additional risk, all healthcare
security leaders should implement defence-indepth
solutions with robust infrastructure
monitoring, he adds. "End-point detection is
not enough; seeking visibility into east-west
traffic [information that travels internally and
between servers and hosts] and north-south
[data from external sources] is crucial to
detecting and remediating laterally moving
threats before they can cause more damage.
This includes analysing all encrypted traffic,
which today is used to mask 93% of malware
attacks."
ENHANCED VIGILANCE
For Matt Aldridge, principal solutions
consultant at OpenText Cybersecurity, the
recent attack on security organisation MITRE
is a stark reminder of the pervasive threat
landscape that has to be navigated daily.
"MITRE's recognition of the breach demonstrates
both the need for enhanced vigilance
across all sectors and the benefits of transparent
incident disclosure. It has further
demonstrated why cybersecurity has to be an
immediate priority, and a cornerstone of risk
mitigation and prevention strategies for any
business. Without it, businesses will not be
able to survive the current climate of rapidly
rising ransomware attacks.
"Almost every organisation needs to have at
least some systems providing services to the
internet and, in the face of zero-day attacks,
there are no security controls which can block
attacks 100% of the time, even when patches
are installed in a timely fashion. For this
reason, it is essential to be monitoring for
unexpected changes in your environments,
collating and correlating log data, and looking
for anomalies. Solutions that are built with
unsupervised machine learning can help
greatly with this," says Aldridge.
Organisations should learn from this latest
breach by ensuring they're doing everything
they can to protect themselves and their data
in a world where new cyber risks and dangers
are evolving at compute speed, he continues.
"We've seen that increased employee flexibility
around remote working practices often means
increased cybersecurity risks. As a result,
organisations must work with their employees
to create strong cybersecurity habits so bestpractice
becomes second nature.
"To mitigate against cyber threats, regular
education and phishing simulations are
a must, and all employees and companies
must stay updated with current trends.
Rather than viewing data protection as a
box-ticking exercise, it should be a key priority
and integrated into every aspect of an organisation.
Employee awareness and vigilance is
the most powerful tool in the cyber resilience
kit-bag - to boost prevention, detection and
reporting of breaches."
NETWORK INFRASTRUCTURE AT RISK
Claud Bilbao, regional vice president for the
UK, underwriting & distribution, Cowbell, the
adaptive cyber insurance specialists, says the
recent attacks on the health service reminds us
that it is not only the personal data that needs
to be protected within the healthcare space,
but the whole network infrastructure.
"With our increased reliance on technology,
we can see the devastating impact a cyber
event can have on major and crucial healthcare
facilities like the St Thomas' Hospital,
which had to shut down whole systems and
equipment, resulting in interrupted business
operations and patients' health put at
immense risk. To better protect businesses in
healthcare, cyber resilience must be built and
nurtured."
This, he states, entails the following:
Assessing one's cyber risk posture to better
understand how well protected your
business is and should be, compared to
the industry standard
Implementing cybersecurity best practices,
like firewalls, regular data backups,
multi-factor authentication (MFA), good
password hygiene, cybersecurity awareness
Spencer Starkey, SonicWall: cybersecurity
arrangements must be agile and updated
constantly to keep up with the evolving
threat landscape.
Mark Jow, Gigamon: all healthcare security
leaders should implement defence-in-depth
solutions, with robust infrastructure
monitoring.
www.computingsecurity.co.uk @CSMagAndAwards July/August 2024 computing security
25

threats latest
Claud Bilbao, Cowbell: the whole
network infrastructure needs to be
protected.
Ian Thornton-Trump, Cyjax: a major
reorganisation of the cybercriminal
underground is taking place as a direct
response to law enforcement success.
training for employees and a regularly
tested incident response plan
Obtaining a standalone cyber insurance
policy, which can be a safety net to fall
on in the case of an incident. Businesses
should ask their brokers about cyber
insurance providers that offer risk
assessment and management support
as well, helping to facilitate the process.
"It is crucial to raise the standard of
cybersecurity awareness and defences in this
new, digital age," adds Bilbao. "Any business
of any size, in any industry, can fall victim to
an attack. Luckily, there are steps you can take
to drastically improve your business's cyber
posture and they are not as difficult as you
may expect." Some that he suggests are
talking to your CFO, risk manager, IT professional
or cyber insurance broker about
your cyber hygiene."
ARMS RACE
Ransomware attackers are in an arms race
with defenders, says CYJAX. While law
enforcement disrupts existing groups, the
attacker side is experiencing a boom, with
the total number of new groups reaching
an all-time high. In 2023, a total of 22 new
ransomware groups emerged, compared
to the total of 22 groups that emerged
between 2018 and 2020.
CYJAX has just published a new report on
this trend, with the main takeaways as follows:
Unprecedented growth: the number of
ransomware groups is exploding, with an
average of 5.5 new groups emerging per
month in 2024 - a dramatic increase,
compared to previous years
Shifting targets: ransomware attackers are
increasingly targeting smaller businesses
with weaker security postures, posing
a new threat to a wider victim pool
Spike following group disbandment: an
anomalous rise in new groups, following
the dismantling of prominent groups like
Conti and ALPHV. This suggests a potential
recruitment pool from disbanded groups or
a temporary dip in activity before new groups
solidify
Short-term wins, but long-term struggle:
While law enforcement actions disrupt existing
groups, they often lead to rebranding or the
creation of entirely new groups
Geopolitical influence: The Russia-Ukraine
war is hampering international cooperation,
allowing Russia-based groups to operate with
impunity.
Comments CYJAX CISO Ian Thornton-Trump:
"One of the big trends I sense is a major reorganisation
of the cybercriminal underground
as a direct response to law enforcement
success. It's likely that criminal actors are
starting fresh and building more operational
resiliency into their organisations, and focusing
on OPSEC to avoid discovery and compromise.
It's far better to be a new crew and remain
under the radar than an old crew with a big
OSINT footprint."
MILITARY HACKED
Another recent target saw the personal
information of military personnel hacked.
Comments Dr Ilia Kolochenko, CEO at
ImmuniWeb and adjunct professor of
cybersecurity at Capital Technology University:
"Financial and personal data of UK military
personnel is a desired target for organized
cybercrime groups that run large-scale fraud,
scam and blackmailing campaigns over the
Internet, being motivated by profits.
"Having said this, the attackers can, of course,
try to re-sell information to more powerful
hacking groups, backed by foreign states,
to run laser-focused social engineering or
extortion schemes against high-ranking
officers of the British army. Thus, the risks
should not be downplayed and urgent
investigation is needed," adds Thornton-Trump.
26
computing security July/August 2024 @CSMagAndAwards www.computingsecurity.co.uk

digital accounts
FATIGUE RED ALERT
THE EXPLOSION OF DIGITAL ACCOUNTS HAS LED TO A SIGNIFICANT INCREASE IN 'ACCOUNT FATIGUE,'
IMPACTING THE WAY CONSUMERS INTERACT WITH BUSINESSES ONLINE, STATES NEW RESEARCH
Recently released research reveals that
digital 'account fatigue' 'is hindering
consumers' ability to adequately protect
their online accounts and thus weakening
businesses' cybersecurity practices. The
research, from Beyond Encryption, highlights
the fact that, on average, a UK consumer
has 119 accounts to manage, while 1 in 5 is
requesting a new password weekly, as they
struggle to manage their online accounts and
security.
This overload not only greatly hampers the
adoption of new services, but also contributes
to a decline in customer portal engagement
and satisfaction, warns the company.
Other findings included 50% of consumers
saying that the number of separate logins
they have to remember and manage makes
them feel overwhelmed and confused. This
can lead to poor password management,
which leaves the door open for threat actors.
Additionally, respondents with a higher
number of accounts are nearly three times
more likely to reset their password daily at
14%, compared to the average of 5%.
However, consumers have shown an
inclination to adopt solutions that will
streamline their experience and ease the
burden of password management, while
still maintaining security. With 44% of
consumers saying that they prefer single
sign-on services for this exact reason and
over half of respondents stating they are
comfortable using biometric authentication
(57%) and password managers (54%), there
are clear alternatives that businesses should
consider to resolve this issue, states Beyond
Encryption.
EXTRA BURDEN
The company's CEO Paul Holland comments:
"Login management is essential for security.
However, we must acknowledge that we're
putting an additional burden on our customers
when we give them an account. Credential
management can be a huge source of
frustration, if not made seamless.
"It is crucial for businesses to quickly resolve
this issue and bridge the gap between
consumer expectations and current digital
offerings. To achieve this, businesses must
adopt a multifaceted approach that focuses
on simplifying portal navigation, catering to
consumer preference on login methods to
streamline portal access, and supplying
secure, multichannel communications that
offer targeted value and meet evolving
consumer needs."
Beyond Encryption's new report, has shone
a harsh light on the impact of password and
account fatigue on password security, and
offers a range of insights on wider consumer
behaviour. "The burden businesses are putting
on consumers with an overwhelming number
of accounts to manage is not only damaging
to cybersecurity, but also to customer engagement
and the adoption of new digital services,
with almost half of consumers (43%) not
engaging with or using digital services, due to
a sense of 'digital overwhelm' and weariness,"
adds Beyond Encryption.
www.computingsecurity.co.uk @CSMagAndAwards July/August 2024 computing security
27

events & exhibitions
Stephanie Hare: urged women to continue
breaking down barriers in cybersecurity.
INFOSEC HITS THE HOT SPOTS!
IT WAS SHOWTIME AT THE EXCEL AND THAT MEANT INFOSECURITY
EUROPE WAS BACK IN THE SWING AGAIN FOR THREE FULL-ON DAYS!
This year's Infosecurity Europe
event - which was held at the
ExCeL in London - was packed
with infosec knowledge and expertise,
offering attendees a raft of insights
into how to navigate the present and
protect the future of the sector.
Infosecurity Europe 2024 was
certainly a powerful testament to the
dynamic and evolving nature of the
cyber-security industry. From the
insights shared by keynote speakers to
the celebration of innovative solutions
and community initiatives, the event
offered invaluable experiences for all
those who were there.
The big focus, of course, was on the
array of technology and solutions on
display from so many of the security
industry's top names. With security
increasingly top of mind for business
and organisations, attendance was high
across the three days, as visitors sought
out the answers to their individual
challenges.
Away from the exhibition floor, there
was plenty more to catch the eye of
those attending, such as a keynote
session delivered by Henry Ajder, a
leading authority in generative AI. His
insights into the future of AI and its
implications for cybersecurity were both
28
computing security July/August 2024 @CSMagAndAwards www.computingsecurity.co.uk

events & exhibitions
Henry Ajder: a leading authority in generative AI.
Claire Williams: brought a fresh perspective on
leadership dynamics and high-pressure decisionmaking.
enlightening and thought-provoking.
Ajder's ability to break down complex
AI concepts into understandable terms
helped professionals grasp both the
risks and rewards of this rapidly
evolving technology. "AI's role is no
longer theoretical or a small segment,"
he pointed out, "but a critical part
of the threat and defence innovation
landscape. Learning how to navigate
the GenAI paradigm shift is essential
to excelling in the cybersecurity industry,
both now and for an increasing AI
centred future."
Meanwhile, Claire Williams, celebrated
for her leadership in Formula 1, brought
a fresh perspective on leadership
dynamics and high-pressure decisionmaking.
Her talk resonated strongly
with her audience, emphasising the
importance of building a stable team
when maintaining a robust cybersecurity
posture.
Williams shared her insights on how
to engage a vast workforce, embed key
values and motivate others to have
conviction in operating to the best of
their ability. "There are so many parallels
between the F1 and cybersecurity
worlds - not least teams having to
constantly operate in highly pressurised
and fast paced environments, while
having to make logical, sound and quick
decisions," she said. She also revealed
how she has personally approached
managing a team of 1,000 people in
the challenging world of Formula One
for close to a decade, as well as cultural
and business transformation and gender
diversity.
The 'Women in Cybersecurity' event
was an equally great success, highlighting
the contributions that have been
made by so many women in the industry.
Keynote speaker Stephanie Hare urged
women to continue breaking down
barriers in cybersecurity. Alongside
a panel of leading women in cybersecurity,
she shared their stories,
covering topics from imposter syndrome
and mentorship, through to negotiation
skills and how to build your brand.
Next year, Infosecurity Europe will take
place from 3-5 June.
www.computingsecurity.co.uk @CSMagAndAwards July/August 2024 computing security
29

ansomware
RANSOMWARE RAMPANT
RANSOMWARE IS EVOLVING ALL THE TIME - AND ARTIFICIAL
INTELLIGENCE IS ONLY LIKELY TO ENHANCE ITS DAMAGING IMPACT
Bernard Montel, Tenable: wiping data at
rest is even more insidious and can be
undetected, compared to encryption.
Ten years ago, a ransomware attack was
really obvious, says Bernard Montel,
EMEA technical director and security
strategist, Tenable. "The computer [PC] was
bricked with a ransomware demand
displayed on the screen. Today, attacks are
less obvious and can go undetected for a few
weeks, as threat actors look to obfuscate their
presence, allowing them to creep around
infrastructure for nefarious purposes."
The most popular way attackers infect
organisations is through spam and phishing
emails, he continues. "In the majority of
cases, these messages include a malicious
attachment, such as a Microsoft Word
document or PDF file containing malware.
Others, however, may contain a link to a
webpage controlled by the attackers. The
goal is to get the target to open the
attachment and trick the victim to enable
macros or click the link, which can then
deliver a malicious downloader, leading to
the final payload, which is ransomware."
Software vulnerabilities play a key role in
facilitating ransomware attacks through
several avenues. "These include vulnerabilities
used as part of malicious documents,
vulnerabilities found in perimeter devices
like Secure Socket Layer Virtual Private
Networks (VPNs), as well as a plethora of
flaws designed to elevate privileges once
inside an organisation's network. Prolific
ransomware groups, such as LockBit, Rhysida,
Play and ALPHV/BlackCat, make use of
multiple exploits in their efforts to
compromise organisations. For illustration,
throughout the last quarter of 2023, threat
actors exploited CitrixBleed in attacks
against a variety of organisations. Some
notable examples include attacks against
Boeing and Comcast."
While initial access is how ransomware
groups gain access to an organisation's
network, once inside they will set their
sights on Active Directory. Gaining domain
privileges provides attackers the necessary
capabilities to distribute their ransomware
payloads across the entire network. "Once
threat actors are inside, the game is fundamentally
over," warns Montel. "Today's
ransomware gangs will look to extrapolate
data silently and, once that's achieved, they'll
prepare to encrypt systems and cripple the
organisation's ability to function.
INSIDIOUS AND UNDETECTED
"A further trend that has been seen is threat
actors wiping data at rest. This is even more
insidious and can be undetected, compared
to encryption. Often the first that the
organisation knows anything about the
attack is a communication from the gang
threatening to encrypt systems or publish
the data on the dark web, if demands are
not met. The added pressure from this
type of extortion is what has helped make
ransomware so successful."
30
computing security July/August 2024 @CSMagAndAwards www.computingsecurity.co.uk

ansomware
The question of whether to meet
ransomware demands is complicated,
he states. "Only the organisation impacted
will be able to determine the best course of
action. Given the financial impact from
ransomware attacks, be it the inability to
function from crippled systems or sensitive
data exposed, prevention has to be better
than cure. Gaining visibility into where
the biggest areas of risk are - exposure
management - is absolutely critical to
knowing which doors and windows are
wide open and need to be closed to stop
ransomware in its tracks."
What about those ransomware groups
that Montel names: LockBit, Rhysida, Play
and ALPHV/BlackCat. Who exactly are they
and what are their objectives and attack
methodologies?
CYBER INSECURITY
As ransomware and other forms of attack
proliferate (see pages 24-26 in this issue), the
World Economic Forum's 'Global Risks Report
2024' is worth returning to as a weathervane
for what is happening. The report shows that
widespread cyber insecurity ranks among
the most severe threats facing the world over
the next 10 years, even overtaking interstate
armed conflict, inflation and economic
downturn by 2026.
These simmering geopolitical tensions,
combined with rapidly advancing technology
and AI escalation, mean it is now more crucial
than ever that companies locate and repair
their cyber vulnerabilities. Cyber insecurity
is a foreseeable and dangerous threat for
many organisations, which is why businesses
must improve their cyber resilience or risk
becoming victims of cyber hackers, putting
sensitive data, bottom lines, and shareholder,
investor and customer trust at stake.
It's something that Tenable's Bernard Montel
is equally occupied by: "That this year's WEF
Global Risks Report ranking 'cyber insecurity'
in its top five of the most severe risks over the
next two years isn't surprising, with the
threat of cyberwarfare a recurring theme
throughout the report, as well as the 'rapid
integration of advanced technologies' that are
exposing more organisations and individuals
to exploitation. The widespread adoption of
cloud computing introduces new levels of
vulnerability and management complexity
that can be targeted by bad actors.
"Particular concern surrounds the use of
Artificial Intelligence (AI) technologies to
boost cyber warfare capabilities, with good
reason. While AI has made astronomical
technological advancements in the last
12 - 24 months, allowing an autonomous
device to make the final judgement is
incomprehensible today. While AI is capable
of quickly identifying and automating some
actions that need to be taken, it's imperative
that humans are the ones making critical
decisions on where and when to act from
the intelligence AI provides.
IN DEFENCE
"It's also worth noting that AI has a major
role to play in cyber defence. It can be used
by cybersecurity professionals to search for
patterns, explain what they're finding in
the simplest language possible, and help
them decide what actions to take to reduce
cyber risk.
"AI can and is being harnessed by defenders
to power preventive security solutions that cut
through complexity to provide the concise
guidance defenders need to stay ahead of
attackers and prevent successful attacks.
Harnessing the power of AI enables security
teams to work faster, search faster, analyse
faster and ultimately make decisions faster.
As the report highlights, the threat of cyber
insecurity is heightened with the evolving
motivations driving these attacks - from
monetised criminality all the way to geopolitical
unrest. However, the manifestation
of these threats remains unchanged. "Threat
actors are probing for the right combination
of vulnerabilities, cloud misconfigurations and
identity privileges that allow them to infiltrate
and traverse cyber infrastructure. As defenders
we need to pre-empt this: to identify
what attack paths exist and take steps to shut
them down before they can be exploited.
Organisations that can anticipate cyberattacks
and communicate those risks for decision
support will be the ones best positioned to
defend against emerging threats."
BIG GAME HUNTING
CrowdStrike's '2024 Global Threat Report'
confirms that ransomware remains the tool
of choice for many Big Game Hunting (BGH)
adversaries. At the same time, it states, datatheft
extortion continues to be an attractive -
and often easier - monetisation route, "as
evidenced by the 76% increase in the number
of victims named on BGH dedicated leak sites
(DLSs) between 2022 and 2023. Access
brokers continued to profit by providing initial
access to eCrime threat actors throughout the
year, with the number of advertised accesses
increasing by 20% from 2022".
The number of victims named on BGH
dedicated leak sites increased significantly in
2023, with 4,615 victim posts made to DLSs -
a 76% increase over 2022. "Several factors
contributed to this growth, including newly
emerged BGH adversaries, growth of existing
adversary operations and select high-volume
campaigns, such as multiple GRACEFUL
SPIDER zero-day exploitations."
Collectively, BITWISE SPIDER, ALPHA SPIDER,
GRACEFUL SPIDER, RECESS SPIDER and BRAIN
SPIDER accounted for 77% of posts across all
tracked adversary DLSs. "BITWISE SPIDER and
ALPHA SPIDER have historically posted
numerous new DLS posts and were ranked
in first and second place respectively for the
highest number of DLS posts in 2022 and
2023," reveals CrowdStrike. "They have since
grown in prominence to account for the
fourth [RECESS SPIDER] and fifth-highest
BRAIN SPIDER] number of DLS posts in 2023.
GRACEFUL SPIDER - which has operated since
www.computingsecurity.co.uk @CSMagAndAwards July/August 2024 computing security
31

ansomware
Image courtesy of AdobeStock.
WIZARD SPIDER members, aiming to restrict
the named individuals' finances, travel and
assets, and disrupt the adversary's operations
as it worked to circumvent the restrictions."
Today's sophisticated cyberattacks only
take minutes to succeed, says CrowdStrike.
"Adversaries use techniques such as interactive
hands-on-keyboard attacks and legitimate
tools to attempt to hide from detection. To
further accelerate attack tempo, adversaries
can access credentials in multiple ways,
including purchasing them from access
brokers for a few hundred dollars. Organizations
must prioritize protecting identities
in 2024."
2016 and has typically conducted lowvolume
campaigns - exploited three zero-day
vulnerabilities in 2023 to exfiltrate data from
hundreds of victims across the globe. This
adversary ultimately published the thirdhighest
number of DLS posts in 2023."
SCATTERED SPIDER began using ALPHA
SPIDER's Alphv ransomware in April 2023,
it is reported. "The adversary had previously
monetized intrusions by selling victim data
and SIM swaps, as well as stealing
cryptocurrency. Adopting ransomware as its
primary means of extortion has shifted the
scope of the adversary's target profile: Most
SCATTERED SPIDER victims in 2023 can be
categorized as either reconnaissance targets
or monetization targets. Reconnaissance
targets are typically organizations in the
business process outsourcing, customer
relationship management, customer
experience, technology and telecom sectors."
SCATTERED SPIDER uses intrusions into
these entities' networks to identify data that
may prove useful in downstream, third-party
monetisation targeting. The adversary's
monetisation target profile is considerably
broader. Most directly observed targets
include high-revenue - often Fortune 500 -
US-based private sector entities. A notable
uptick in North American financial services
victims occurred in the second half of 2023,
adds CrowdStrike.
There have been considerable successes in
hitting back against these aggressors, states
CrowdStrike. "In January 2023, a coordinated
international law enforcement operation
resulted in the seizure of HIVE SPIDER
infrastructure and acquisition of the Hive
ransomware decryption key. The US Department
of Justice (DOJ) has reportedly maintained
access to HIVE SPIDER's internal
infrastructure since July 2022 and has since
provided decryption keys to more than 300
worldwide victims, preventing ransom
payments totalling 130 million USD.
At the time of its report, the company
said that no HIVE SPIDER activity has been
observed since January 2023. "However,
Hive affiliates have since migrated to other
ransomware as a service (RaaS) operations.
In February and September 2023, law
enforcement issued sanctions against
Also, throughout 2023, targeted intrusion
actors consistently attempted to exploit
trusted relationships to gain initial access to
organisations across multiple verticals and
regions. "This type of attack takes advantage
of vendor-client relationships to deploy
malicious tooling via two key techniques:
1) compromising the software supply chain
using trusted software to spread malicious
tooling and 2) leveraging access to vendors
supplying IT services.
"Threat actors targeting third-party
relationships are motivated by the
potential return on investment [ROI]:
one compromised organisation can lead to
hundreds or thousands of follow-on targets.
These stealthy attacks can also more effectively
provide an opportunity for attackers
seeking to exploit a hardened end target."
What of the future? Of great concern now
is the probability that the rise of artificial
intelligence (AI) will enhance the threat posed
by ransomware over the coming years,
something that the National Cyber Security
Centre (NCSC), part of GCHQ, has warned
about. The centre believes the technology is
lowering the barrier of entry to novice cyber
criminals. "As a result, AI is enabling unskilled
online actors to carry out more effective
cyber-attacks," it says.
32
computing security July/August 2024 @CSMagAndAwards www.computingsecurity.co.uk

Computing
Security
Secure systems, secure data, secure people, secure business
Product Review Service
VENDORS – HAS YOUR SOLUTION BEEN
REVIEWED BY COMPUTING SECURITY YET?
The Computing Security review service has been praised by vendors and
readers alike. Each solution is tested by an independent expert whose
findings are published in the magazine along with a photo or screenshot.
Hardware, software and services can all be reviewed.
Many vendors organise a review to coincide with a new launch. However,
please don’t feel that the service is reserved exclusively for new solutions.
A review can also be a good way of introducing an established solution to
a new audience. Are the readers of Computing Security as familiar with
your solution(s) as you would like them to be?
All products or services reviewed in Computing Security Magazine in the 12
months leading up to the Awards ceremony will automatically be entered
as a finalist into this year's awards. And it's not too late. You can book a
review now by contacting us below:
Contact Edward O’Connor on 01689 616000 or email
edward.oconnor@btc.co.uk to make it happen.

GDPR
SIX OF THE BEST?
WITH SIX YEARS TO ITS NAME,
HOW HAS GDPR FARED SO FAR?
Matt Cooper, Vanta.
GDPR (General Data Protection
Regulation) flagged up its 6th
anniversary in May this year,
which is hard to believe. It seems like
only recently we were all waiting for it
to kick in, wondering what the impact
would be. We asked a few industry
observers to give us their thoughts.
Matt Cooper, director of governance,
risk and compliance, Vanta: "Another
year older doesn't necessarily mean
another year wiser - a lesson we're
learning on GDPR's 6th anniversary.
Many businesses across Europe are
still struggling to adapt their data
management practices to meet the
regulations' strict requirements six years
on. And, despite significant efforts,
staying in compliance with GDPR
remains a resource-heavy task that
often demands continuous monitoring
and regular audits.
"To complicate matters further, AI
has become a must-have for many
businesses to stay competitive, which is
introducing new data privacy risks.
This is spreading resources even thinner
than before, as businesses are having to
adopt robust AI governance frameworks
to ensure said novel risks are mitigated,
while still grappling with the relatively
new GDPR rules. The impact of this is
already being felt, with 57% of UK
businesses reporting that secure data
management has become more difficult
with AI adoption [according to Vanta's
2023 State of Trust report].
"However, with risk also comes
opportunity. AI has proven particularly
effective at automating manual tasks -
and streamlining compliance processes
is no exception. Businesses can use the
technology to automate evidence
collection and continuously monitor
compliance, reducing the burden on
their security teams."
Eduardo Crespo, VP EMEA, PagerDuty,
points to the major review of the GDPR
framework being undertaken by the
European Commission. "This review offers
leaders a chance to interrogate data
security policies, especially in context of
next generation technology. It is important
that data protection isn't viewed as just
another frustrating piece of bureaucratic
red tape - it is designed to protect data
privacy, reinforce consumer trust in
companies and keep transparency of
processes top of mind. Data protection,
through measures like EU GDPR, relies on
two pillars in an organisation: the right
technology and the right skills to use it."
And he adds: "Organisations who fail
to act or deploy enterprise operations
solutions and AI do face the risk of falling
behind early adopters. With the volume of
data and content to store and secure,
across retail, media, financial services and
a host of other sectors, security and cloud
investments need to remain both timeless
and timely in the IT world, especially with
the backdrop of EU GDPR review."
Michel Isnard, VP of EMEA, GitLab
"The growing need for data to build and
fine-tune AI applications, coupled with
an ever-increasing number of data
breaches, indicates that adherence to
GDPR has never been more important.
With software delivery, in particular, the
need for developers to invoke secure-bydesign
principles becomes even more
critical. Secure-by-design principles ensure
the entire development lifecycle has the
necessary controls to address vulnerabilities
specific to each phase of the software
delivery process.
"It also requires tighter collaboration
between developers-with clear functional
knowledge of how software should workand
teams with a better understanding
of the legislative, regulatory and security
requirements impacting the business."
34
computing security July/August 2024 @CSMagAndAwards www.computingsecurity.co.uk

Unlock a
More Secure
Future with
V-Key MFA
• As secure as hard tokens
• Single Sign-On
• Strong protection of crypto keys
• Instant Backup and Restore
• Seamless integration with IDM &
PAM and migration
• Digital Trust Platform
• Jailbreak & Root Detection
• Detection of malware
• Brute Force Attack Protection
• Threat Intelligence
• Meets FIDO2 Standard
• FIPS 140-2, CC EAL3+, SOC 2, OATH
Featuring V-Key
Enhanced Facial
Authentication
Test Drive
V-Key Today
sales@celestix.com
+44 (0)203 900 3737

Layers aren’t just for cakes; they’re
essential in cybersecurity’s secret
recipe for protection!
Bake it happen with VIPRE Security Group. Secure your
bytes before you take a bite with Email Security, Endpoint
Security and User Protection
www.vipre.com