CS Jul-Aug 2024
Computing<br />
Security<br />
Secure systems, secure data, secure people, secure business<br />
PRIMED FOR A FIGHTBACK<br />
New EU directive out to<br />
redress attack imbalance<br />
NEWS<br />
OPINION<br />
INDUSTRY<br />
COMMENT<br />
CASE STUDIES<br />
PRODUCT REVIEWS<br />
WHAT’S AFOOT?<br />
Resilience level of<br />
IT infrastructure<br />
comes under scrutiny<br />
AT THE AI CROSSROADS<br />
Who will succeed in the<br />
battle of good and evil?<br />
BATTERED AND BREACHED<br />
Bruising new stats on cyber attacks<br />
are a punch to the gut<br />
for UK businesses<br />
Computing Security July/August 2024
comment<br />
WORRYING TRAIN OF THOUGHT<br />
EDITOR: Brian Wall<br />
(brian.wall@btc.co.uk)<br />
LAYOUT/DESIGN: Ian Collis<br />
(ian.collis@btc.co.uk)<br />
SALES:<br />
Edward O’Connor<br />
(edward.oconnor@btc.co.uk)<br />
+ 44 (0)1689 616 000<br />
David Bonner<br />
(david.bonner@btc.co.uk)<br />
+ 44 (0)1689 616 000<br />
PUBLISHER: John Jageurs<br />
(john.jageurs@btc.co.uk)<br />
It is widely accepted that continuous security training within any organisation forms a vital part of anyone's long-term development and that to neglect it is almost certain to prove detrimental to the well-being of that individual and the organisation that employs them.<br />
Indeed, ask most businesses if training really matters and they will say 'yes'. Ask if they are fully committed to training within their own organisations and they will likely say 'yes' again, although possibly not as wholeheartedly. Because hard times have provoked harsh cutbacks - and training is often one area that takes the hit.<br />
A new survey by cybersecurity provider Hornetsecurity has uncovered significant gaps in IT security training, with 26% of organisations still providing no form of training to their end users. Compiled from industry professionals around the world, the survey feedback also reveals that fewer than 8% of organisations offer adaptive training that evolves based on the results of regular security tests.<br />
"In a rapidly evolving cybersecurity landscape, where malicious threat actors are constantly devising new ways to infiltrate and harm, this is a significant business concern," comments Hornetsecurity. I would have to agree. Of course, many businesses are struggling and investment is often spread thinly. But neglect training and the likelihood is that the prospects of being hit by an attack can surely only increase.<br />
Published by Barrow & Thompkins<br />
Connexions Ltd (BTC)<br />
35 Station Square,<br />
Petts Wood, Kent, BR5 1LZ<br />
Tel: +44 (0)1689 616 000<br />
Fax: +44 (0)1689 82 66 22<br />
SUBSCRIPTIONS:<br />
UK: £35/year, £60/two years,<br />
£80/three years;<br />
Europe: £48/year, £85/two years,<br />
£127/three years<br />
R.O.W:£62/year, £115/two years,<br />
£168/three years<br />
Single copies can be bought for<br />
£8.50 (includes postage & packaging).<br />
Published 6 times a year.<br />
© <strong>2024</strong> Barrow & Thompkins<br />
Connexions Ltd. All rights reserved.<br />
No part of the magazine may be<br />
reproduced without prior consent,<br />
in writing, from the publisher.<br />
Brian Wall<br />
Editor<br />
Computing Security<br />
brian.wall@btc.co.uk<br />
www.computingsecurity.co.uk July/August 2024 computing security<br />
@CSMagAndAwards<br />
3
inside this issue<br />
CONTENTS<br />
COMMENT 3<br />
Worrying train of thought<br />
NEWS 6<br />
Powering up vulnerability detection<br />
Integrity360 partners up with Armis<br />
Semperis secures financing injection<br />
Education and training are 'must haves'<br />
Breach risk drives Zero Trust strategies<br />
Disconnect fuels attack fears<br />
ARTICLES<br />
A DIRECTIVE IN THE RIGHT DIRECTION? 10<br />
EU-wide legislation, the NIS2 Directive, is focused on stepping up cybersecurity attack compliance. It will mean operators of essential services in key sectors will now be required to take appropriate security measures and notify the relevant national authorities of serious incidents<br />
AT THE AI CROSSROADS 14<br />
Are the criminals on the front foot in the ongoing battle to use AI for good or bad? Two prominent voices believe that the time is now right for policymakers, security professionals and civil society finally to tilt the cybersecurity balance away from attackers and over to the cyber defenders.<br />
BATTERED AND BREACHED 18<br />
A disturbing picture has emerged of the scale of cyber-attacks perpetrated against UK businesses over the last 12 months<br />
ARE PASSWORDS PASSÉ? 20<br />
With Google moving towards a future without passwords, rolling out passkeys as a 'safer and easier alternative', the path has been thrown open for others now to follow their lead<br />
PUT TO THE TEST 22<br />
Red Team exercises can help organisations to identify any existing weaknesses in their IT defences and thus provide a playbook to rectify those frailties going forward<br />
HEALTHCARE TRUCE IS OVER! 24<br />
An 'honour amongst thieves' agreement during Covid, where healthcare providers were spared cyber-attacks, has given way to all-out assaults, with large corporations such as Ticketmaster, the BBC and even the NHS reporting record-breaking hacks and data breaches<br />
FATIGUE RED ALERT 27<br />
The explosion of digital accounts has led to a big increase in 'account fatigue,' impacting how consumers interact with businesses online, states new research<br />
INFOSEC HITS THE HOT SPOTS! 28<br />
It was showtime at the ExCeL - and that meant Infosecurity Europe was back in the swing again for three full-on days!<br />
RANSOMWARE GOES RAMPANT 30<br />
Widespread cyber insecurity ranks amongst the most severe threats that the world will be facing over the next 10 years, according to a new report, even overtaking interstate armed conflict, inflation and economic downturn by 2026.<br />
SIX OF THE BEST? 34<br />
The General Data Protection Regulation flagged up its 6th anniversary in May this year. We asked some industry observers to tell us how they felt GDPR has fared so far
news<br />
BORDERING ON THE UNACCEPTABLE<br />
Recent UK airport chaos, due to Border Force IT failures, has exposed a critical vulnerability: the lack of robust IT contingency plans within border control infrastructure. That is the view of Jamil Ahmed, distinguished engineer at Solace. "The recent e-gate outages at UK airports underscore a critical deficiency in the operational resilience of border control infrastructure. While e-gates represent advancements in border technology, this incident exposes the need for robust contingency plans to mitigate disruptions and ensure continuous service.<br />
"Stringent IT regulations exist in other sectors, such as banking, that mandate high availability and demonstrably robust disaster recovery plans. It is essential that border control infrastructure looks to adhere to similarly rigorous standards."<br />
Jamil Ahmed, Solace.<br />
INTEGRITY360 PARTNERS UP WITH ARMIS TO ENHANCE ITS OFFERING<br />
Pan-European cyber security specialist Integrity360 has entered into a new partnership with asset intelligence cybersecurity company Armis in a drive to enhance its cyber security offering and also expand its customer base across Ireland, the UK and Continental Europe.<br />
Brian Martin, director of product management, Integrity360, comments: "We live in an increasingly connected world, underpinned by the exponential expansion of the attack surface due to cloud, IoT, OT, mobile, identity and the work-from-anywhere era."<br />
This is only set to continue in the years to come, states Martin, which means the attack surface will be forever expanding. "With more devices and more threats, companies need solutions, services and partners that bolster cyber security, and - more importantly - resilience."<br />
Brian Martin, Integrity360.<br />
POWERING UP VULNERABILITY DETECTION<br />
West Burton Energy is using Tenable OT Security to deliver operational technology (OT) asset visibility, OT vulnerability management and threat detection - use cases that have proven challenging for so many companies in the power industry. This has enabled West Burton Energy to reduce threat-detection alerts by 98% and improve efficiency by 87%, it is stated.<br />
As part of the UK's critical infrastructure, West Burton Energy is an advanced and efficient Combined Cycle Gas Turbine (CCGT) plant and 49 MW battery energy storage facility that delivers 1,333 MW of power to the National Grid: enough electricity to power 1.5 million homes and businesses.<br />
Since deploying Tenable OT Security, West Burton Energy has reportedly reduced the time and resources needed to manually manage its asset inventory, saving more than 200 hours per year. Additionally, it has been able to create efficiencies<br />
SEMPERIS SECURES FINANCING INJECTION<br />
Semperis has secured $125 million in growth financing from JP Morgan and Hercules Capital. The new money will enable the company to further invest in product innovation and support an expanding customer base.<br />
"Semperis is a clear leader in the urgently-needed area of identity system defense, with machine-learning-based attack prevention, detection, and response," says Scott Bluestein, CEO and CIO at Hercules Capital. "Leading organisations around the world depend on Semperis to safeguard their hybrid Active Directory environment, which is foundational to the IT infrastructure and heavily targeted by attackers."<br />
Scott Bluestein, Hercules Capital.<br />
news<br />
CYBER BREACH RISK DRIVES ZERO TRUST STRATEGIES<br />
Survey findings on the state of Zero Trust adoption and encryption in 2024 reveal that the risk of a cyber breach is the number one global driver for Zero Trust strategy implementation. The results are included in Entrust Cybersecurity Institute's annual study, which was conducted by the Ponemon Institute.<br />
"With the rise of costly breaches and AI-generated deepfakes, synthetic identity fraud, ransomware gangs and cyber warfare, the threat landscape is intensifying at an alarming rate," says Samantha Mabey, director solutions marketing at Entrust. "This means that implementing a Zero Trust security practice is an urgent business imperative - and the security of organisations' and their customers' data, networks and identities depends on it."<br />
Samantha Mabey, Entrust.<br />
EDUCATION AND TRAINING: WHY THESE ARE 'MUST HAVES'<br />
Research from Kaspersky has found that over 50% of acting cyber security professionals have admitted to making mistakes early in their careers, due to a lack of technical knowledge. Also, over the past two years, every organisation has fallen victim to "at least one" cyber security incident as a result of underqualified or undertrained staff.<br />
Chris Denbigh-White, chief security officer at Next DLP, puts these errors down, in large part, to education and training. While this isn't a surefire way to eradicate each and every mistake, he accepts, "educating employees - particularly at the point of risk - is a powerful strategy to help build knowledge and awareness to identify and act on cyber threats effectively. From simulated phishing exercises and role-based training, creating a human firewall can fortify an organisation's defence, without falling into the trap of scapegoating users".<br />
Chris Denbigh-White, Next DLP.<br />
DISCONNECT FUELS ATTACK FEARS<br />
A new survey carried out by cybersecurity provider Hornetsecurity has uncovered significant gaps in IT security training, with 26% of organisations still providing no form of training to their end users. The survey, which compiled feedback from industry professionals around the world, also reveals that fewer than 1 in 13 organisations offer adaptive training that evolves based on the results of regular security tests.<br />
Daniel Blank, COO of Hornetsecurity, comments: "Our latest research shows a clear disconnect between the perceived effectiveness of security training, and its actual relevance and responsiveness to modern cyber threats, especially the recent boom in AI-driven attacks. Employees must be equipped with ongoing training to bolster any technical defences and serve as a human firewall.<br />
"The ongoing aspect is essential for the training to have the most impact. It's important to invest in the latest cybersecurity technology, but a sustainable security culture means investing in people as well."<br />
Daniel Blank, Hornetsecurity.<br />
GETTING ENTERPRISES BACK UP AND RUNNING<br />
Commvault has acquired cloud cyber resilience company Appranix. Commvault says it has made the move to help enterprises get up and running even faster after an outage or cyberattack.<br />
"We are taking resilience to the next level by marrying Commvault's extensive risk, readiness and recovery capabilities with Appranix's next-generation cloud-native rebuild capabilities," states Sanjay Mirchandani, president & CEO, Commvault.<br />
legal focus<br />
IS THIS DIRECTIVE IN THE RIGHT DIRECTION?<br />
NEW EU-WIDE LEGISLATION IS FOCUSED ON STEPPING UP CYBERSECURITY ATTACK COMPLIANCE<br />
The NIS2 Directive - the EU-wide legislation on cybersecurity - provides legal measures to boost the overall level of cybersecurity across the EU. Businesses identified as operators of essential services in key sectors will have to take appropriate security measures and notify relevant national authorities of serious incidents. Also, key digital service providers, such as search engines, cloud computing services and online marketplaces, will have to comply with the security and notification requirements under the directive (https://digital-strategy.ec.europa.eu/en/policies/nis2-directive).<br />
Is this a big advance in the quest to keep organisations safe from harm? Or is it simply more bureaucracy and 'interference', as some have branded it? If so, what should the alternative be?<br />
Karl Mattson, CISO at Noname Security, believes the NIS2 Directive is a big step forward for EU cyber resilience. "The directive has stricter requirements for risk management and incident reporting, covers a wider remit of industries and features increasingly hard-hitting financial penalties for non-compliance. These requirements have significant implications for the security and management of organisations."<br />
Instead of viewing regulation as an onerous task, he adds, achieving compliance with NIS2 can enable organisations to gain a competitive advantage. "Indeed, as new regulations come into force over time, organisations are likely to find that many of their partners will require proof of compliance before doing business with them. While it does not specifically mention APIs, NIS2's requirements for enhanced cybersecurity, risk management, incident reporting and supply chain security have significant implications for the security and management of APIs in organisations subject to the directive. APIs are critical to business transformation and lie at the heart of corporate strategies for growth and innovation."<br />
"With escalating regulation requirements, organisations need to know what they need to implement through the lens of API security," he states. "This should be a priority for every in-scope organisation, if they are going to remain compliant with NIS2."<br />
BLIND SPOTS TACKLED<br />
EU regulators have become the global tip of the spear when it comes to data protection for nation states, argues Matthew Sciberras, CISO - VP of information security & information technology, Invicti. "First, there was GDPR, which set an international standard for the protection and handling of personal data," he points out. "Now, NIS2 is just about to come into enforcement and addresses some really important blind spots that businesses often ignore."<br />
The software supply chain is a considerably important factor here. "Under NIS2, compliant entities will have to account for the potential risk within their partners, vendors, third parties and overall supply chain." This is significant, because - like the GDPR before it - it gives NIS2 a potentially global reach. "While NIS2 will only apply to organisations that operate within the EU, their compliance status is dependent on the security of the international partners.<br />
"That means that EU entities will have to make partnering decisions based on the security risk of those partners. It's safe to say that there are few companies - wherever in the world - who would want to isolate themselves from the world's largest market."<br />
Aside from that, the software supply chain really does deserve serious consideration, he points out. "The software that undergirds so many basic functions in the modern world is delivered through complex and multi-faceted supply chains, along which there are multiple points of failure. Furthermore, the mounting demand for new tools and services has put an incredible amount of pressure on the development process… considering the complex, interwoven nature of software supply chains this isn't just a problem for one product or group of customers, but a larger security issue for society in general."<br />
UNIFIED APPROACH<br />
Jon Leather, European head of supply chain defence at BlueVoyant, says NIS2 unifies the approach to collaborative security across the entire supply chain, encompassing more than 160,000 midsize and large companies - and those businesses within their supply chains - in a cross-section of critical industries, such as energy, transportation, healthcare, and banking and financial services. "A unified approach to securing supply chain relationships between companies, direct suppliers, and business partners is sorely needed."<br />
BlueVoyant global research reveals that organisations suffered negative impacts on average from 4.16 supply chain breaches last year. With organisations responsible for their own security under NIS2, they must:<br />
- Review how they comply with stricter reporting obligations, with 'essential' businesses needing to report cyber incidents within 24 hours<br />
- Conduct regular risk assessments to identify and address cyber threats<br />
- Invest in cyber security awareness and training at all management levels - even the board, if needs be.<br />
However, the big question mark over the implementation of NIS2 is the fragmentation of global compliance and how it's adhered to from one country to the next, he continues. "With each EU member state likely to introduce nuanced legislation to suit individual needs - in addition to the UK - the question of NIS2's global impact remains unanswered.<br />
"Regardless, all businesses within NIS2's scope need to undertake a comprehensive analysis of their supply chains to determine their standing and readiness, with a view to using full compliance as a competitive advantage. Those without the resources to analyse external vulnerabilities and cyber risks will struggle to reach compliance by October 2024, which could lead to fines of up to 10 million euros or 2% of their annual revenue, whichever is higher."<br />
WIDER SCOPE<br />
Chris Doman, CTO and co-founder, Cado Security, also regards the NIS2 Directive as a significant update to the European Union's cybersecurity framework, identifying it as particularly relevant to cloud security incident response.<br />
"First, NIS2 broadens the scope of sectors that must adhere to its requirements, including cloud computing services, and requires improved security controls," Doman states. "One of the directive's core elements is the establishment of policies for incident handling. Entities must report significant cybersecurity incidents to the national competent authorities or computer security incident response teams [CSIRTs] within 24 hours of becoming aware of the incident.<br />
"That early warning should be followed by an incident notification within 72 hours of becoming aware of the significant incident."<br />
The dynamic nature of cloud environments requires haste, he continues. "Therefore, mandating rapid response in this way is crucial for mitigating the impact of security breaches in the cloud."<br />
While Sam Peters, chief product officer, ISMS.Online, acknowledges the NIS2 Directive as "a significant stride in the European Union's cybersecurity efforts", he also states that whether this is actually an advancement or an imposition of bureaucracy "depends mainly on perspective and execution".<br />
NECESSARY SAFEGUARDS<br />
"For some," he states, "these regulations will be considered necessary safeguards that enhance security protocols and ensure a uniform level of cyber defence across Europe. For others, particularly smaller businesses and startups, the increased compliance costs and operational hurdles could be considered excessive and stifling innovation."<br />
In an ideal scenario, argues Peters, the alternative to a directive like NIS2 would still involve a structured approach to cybersecurity, but could offer a more adaptable framework. "This might include scaled requirements, based on the size and impact of the business, increased support for smaller companies in meeting these requirements or incentives for voluntarily adopting advanced cybersecurity measures.<br />
"Another approach could be industry-led standards that allow for more flexibility and innovation, while still providing a framework for essential security measures and incident reporting." Ultimately, he says, the effectiveness of the NIS2 Directive "will depend on its implementation, including the support provided to businesses to comply and the adaptiveness of the framework to evolving cyber threats".<br />
MINDSET SWITCH<br />
Tim Freestone, chief strategy and marketing officer, Kiteworks, says adhering to the NIS2 Directive necessitates a fundamental alteration in corporate mindset, backed by investments in advanced technologies and robust procedural frameworks. "We contend that such investments are crucial to fostering innovation and securing our digital infrastructures. Central to the directive is the adoption of both technical and organisational safeguards to ensure data confidentiality, integrity and availability. This involves deploying cutting-edge encryption technologies, stringent access controls and secure communication protocols. Equally important is the cultivation of a security-conscious culture among employees, positioning them as vital defenders against cyber threats."<br />
"The directive also emphasises the importance of risk management and incident response strategies," he continues. "Proactive identification and mitigation of vulnerabilities enable companies to stay ahead of cyber adversaries. Effective incident response measures, meanwhile, help to mitigate the impact of data breaches, swiftly restoring confidence among customers and stakeholders."<br />
Compliance with NIS2 is an ongoing process, he points out, demanding continuous documentation of security practices, risk assessments, and incident response actions. "This transparency is critical in fostering trust within the digital landscape. This directive is not just about achieving compliance, but about inspiring a transformative movement in data protection, leveraging technological advancements and human creativity to protect the vital assets of our digital economy. It encourages companies to view data protection not as a statutory obligation, but as a cornerstone of their business ethos, thereby shaping a secure, reliable and boundless digital future."<br />
Chris Doman, Cado Security: a proactive approach enables security teams to quickly identify the root cause of a breach and remediate the threat.<br />
Tim Freestone, Kiteworks: limiting system access can prevent a single individual from having excessive control over sensitive data.<br />
Jamie Beckland, APIContext: API validation remains an immature practice.<br />
Matthew Sciberras, Invicti: NIS2 seeks to protect the free movement of business across borders.<br />
VITAL ROLE<br />
Cyrille Badeau, vice president of international sales, ThreatQuotient, regards the directive as a positive regulation, because "cybersecurity inequity is a real and growing problem at national and international level. Digital infrastructure is only as strong as its weakest link and when less-secure entities are connected to critical supplier networks, they introduce significant risk".<br />
The EU needs overarching mechanisms, processes and response plans to deal with cybersecurity risk, just like any single entity does. "Effective risk management is at the heart of the directive, requiring entities to assess organisational and industry-specific cyber risk. We see a vital role here for threat intelligence collection and analysis from multiple sources to inform companies' risk management strategy. This is best practice and puts organisations in a stronger position to proactively manage risk, but it is not always consistently achieved on a sector-wide basis."<br />
The directive also mandates timely and complete incident reporting. "This is another area where threat intelligence management is crucial," says Badeau, "allowing entities to obtain and share relevant information relating to incidents and their possible impact in near-real time. The directive's focus on information-sharing is also very positive. The more we can learn about TTPs, incidents and impacts, the better placed we are to respond."<br />
Effectively, he adds, this directive is the EU's bid to map good cybersecurity practice onto a digital continent. "This certainly isn't easy, but it is necessary, especially given the geopolitical uncertainty and the aforementioned cybersecurity inequity within and between countries. Many individual organisations and sectors already adhere to the risk management best practices prescribed in the directive, but cybersecurity has to be a collective effort across communities, even one as large as the EU. NIS2 is a step in the right direction."<br />
API PERTINENCE<br />
Jamie Beckland, APIContext’s chief product<br />
officer, sees the directive's wide approach to<br />
securing supply chains as especially pertinent<br />
to the API sector. "APIs, as the building blocks<br />
of modern software, often form extensive and<br />
intricate networks that many businesses<br />
depend on. Modern digital applications are<br />
built with multiple components, including<br />
cloud compute vendors, authentication<br />
providers, data feeds, and other digital<br />
infrastructure. Application developers use<br />
the APIs of these vendors to lash up to 100<br />
individual services together to create the final<br />
customer-facing application. Every online<br />
banking transaction, every video stream, every<br />
mobile app and every e-commerce sale is<br />
powered by APIs."<br />
However, he states, API validation remains<br />
an immature practice. "Many organisations are<br />
not aware of their API dependencies, which<br />
first manifest in vendor APIs impacting application<br />
reliability. This opacity can lead to<br />
significant vulnerabilities, exposing entire<br />
systems to data leaks." API supply chains are<br />
poorly understood, but can have serious<br />
consequences.<br />
TOTAL COMPROMISE<br />
"If an authentication API has a security<br />
vulnerability, it can be leveraged to compromise<br />
every account in the application,"<br />
says Beckland. "If a cloud compute API is<br />
misconfigured, it can leak all the data that<br />
traverses that API. It's critical to comprehensively<br />
inventory application APIs, and<br />
the supplier APIs that they rely on. And,<br />
since over 80% of API vulnerabilities are<br />
misconfigurations [and not fundamental<br />
security design flaws], they are often<br />
straightforward to remediate."<br />
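As an added illustration of the two points Beckland makes, inventorying application and supplier APIs and catching misconfigurations early, the script below is example code written for this page, not APIContext's tooling. It walks a constructed OpenAPI 3 document, lists every operation with the authentication schemes that actually apply to it and the upstream supplier hosts it calls, and flags the plain misconfigurations such an inventory exposes: a server URL without HTTPS, an operation that has switched authentication off without being on an explicit public allowlist, and a reference to a security scheme that is never defined. The `x-upstream` extension used to record supplier dependencies, the `PUBLIC_ALLOWLIST`, the sample spec and its `example.test` hostnames are all assumptions made for the example.

```python
from urllib.parse import urlparse

# Constructed OpenAPI 3 document standing in for an application's own API
# description. The "x-upstream" extension (an assumption for this example)
# records which supplier APIs each operation calls.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Example payments API", "version": "1.0.0"},
    "servers": [
        {"url": "https://api.example.test"},
        {"url": "http://staging.example.test"},  # plaintext transport
    ],
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}
    },
    # Document-level default: every operation needs a bearer token unless
    # it overrides this list.
    "security": [{"bearerAuth": []}],
    "paths": {
        "/health": {"get": {"security": []}},  # deliberately public
        "/accounts/{id}": {"get": {}},          # inherits bearerAuth
        "/auth/token": {"post": {"security": [],
                                 "x-upstream": ["https://idp.example.test/oauth2"]}},
        "/admin/export": {"post": {"security": [],
                                   "x-upstream": ["https://vendor-cloud.example.test/v1/blobs"]}},
        "/reports": {"get": {"security": [{"apiKeyAuth": []}]}},  # scheme never defined
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head", "trace"}
# Operations that are intentionally unauthenticated (assumption for the example).
PUBLIC_ALLOWLIST = {"/health", "/auth/token"}


def effective_security(spec, operation):
    """OpenAPI rule: an operation-level 'security' list replaces the document-level one."""
    return operation.get("security", spec.get("security", []))


def inventory(spec):
    """One row per operation: method, path, applicable schemes, upstream supplier hosts."""
    rows = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            schemes = sorted({name for req in effective_security(spec, op) for name in req})
            upstreams = sorted({urlparse(u).hostname for u in op.get("x-upstream", [])})
            rows.append({"method": method.upper(), "path": path,
                         "schemes": schemes, "upstreams": upstreams})
    return rows


def upstream_hosts(spec):
    """The supplier APIs the application depends on, across all operations."""
    return sorted({host for row in inventory(spec) for host in row["upstreams"]})


def find_misconfigurations(spec):
    """Simple, mechanically checkable misconfigurations the inventory reveals."""
    findings = []
    for server in spec.get("servers", []):
        url = server.get("url", "")
        if urlparse(url).scheme != "https":
            findings.append(f"server {url} does not use HTTPS")
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    for row in inventory(spec):
        label = f"{row['method']} {row['path']}"
        if not row["schemes"] and row["path"] not in PUBLIC_ALLOWLIST:
            findings.append(f"{label} requires no authentication and is not allowlisted")
        for scheme in row["schemes"]:
            if scheme not in defined:
                findings.append(f"{label} references undefined security scheme '{scheme}'")
    return findings


if __name__ == "__main__":
    for row in inventory(SAMPLE_SPEC):
        print(f"{row['method']:6} {row['path']:16} auth={row['schemes'] or 'none'} "
              f"upstream={row['upstreams']}")
    print("supplier hosts:", upstream_hosts(SAMPLE_SPEC))
    for finding in find_misconfigurations(SAMPLE_SPEC):
        print("FINDING:", finding)
```

The check relies on the OpenAPI rule that an operation-level `security` list overrides the document-level one, so an empty `[]` on an operation deliberately switches authentication off; that override, applied to an administrative endpoint, is exactly the kind of drift a regularly run inventory surfaces before it becomes a data leak.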
NIS2 provides a clear driver for businesses<br />
to prioritise the work of understanding their<br />
API supply chain dependencies, he adds.<br />
"It compels organisations to adopt a more<br />
disciplined and transparent approach to API<br />
management and security, which is crucial<br />
for protecting sensitive data and maintaining<br />
trust in digital services."<br />
BUREAUCRATIC BURDEN?<br />
Kennet Harpsoe, senior cyber analyst, Logpoint,<br />
flags up how the directive, for all its virtues,<br />
has faced criticism for potentially imposing a<br />
significant bureaucratic burden. "Compliance<br />
costs and administrative overheads could<br />
be particularly challenging for smaller organisations,"<br />
he says. "The NIS2 directive is formulated<br />
in very general terms that can be hard to<br />
translate into a practical implementation. And,<br />
while it might generate a lot of business for<br />
large accounting firms and their consultants,<br />
it's unlikely to generate cost-efficient cyber<br />
security."<br />
Some businesses view the directive as an<br />
intrusion that limits their flexibility and autonomy<br />
in managing cybersecurity and there<br />
are concerns that stringent regulations might<br />
stifle innovation, especially for start-ups, he<br />
adds. "And will the reporting requirements<br />
be useful? If the reports are written in a hurry,<br />
and there is no explicit purpose, so no explicit<br />
reason why anyone should read them, will<br />
they have any practical effect?"<br />
Alternative approaches could be considered,<br />
Harpsoe suggests. "Regulations could be<br />
tailored, based on the specific risk profiles of<br />
different sectors and organisations, balancing<br />
the need for security with flexibility. Another<br />
approach could be to make the recommendations<br />
more specific; years of cyber security<br />
experience have been codified into best<br />
practices, like the CIS 18 Critical controls.<br />
Referring directly to more specific recommendations<br />
could make implementation of NIS2<br />
much more cost effective."<br />
Also, providing financial assistance, such as<br />
subsidies or grants, and technical support can<br />
help organisations, particularly SMEs, manage<br />
compliance costs. "Additionally, the directive<br />
could include mechanisms for regular updates<br />
based on evolving cyber threats and technological<br />
advancements, ensuring it remains<br />
relevant and effective without imposing<br />
unnecessary burdens. Regular consultations<br />
with industry stakeholders could further<br />
enhance its impact, particularly as the cyber<br />
security space evolves fast."<br />
Tailored approaches, supportive measures<br />
and continuous legislative adaptation can help<br />
mitigate the directive's potential administrative<br />
and financial burdens, he concludes, and<br />
enhance the directive's effectiveness.<br />
Kennet Harpsoe, Logpoint: compliance<br />
costs and administrative overheads could<br />
be particularly challenging for smaller<br />
organisations.<br />
Karl Mattson, Noname Security: NIS2<br />
Directive is a big step forward for EU<br />
cyber resilience.<br />
artificial intelligence<br />
AT THE AI CROSSROADS<br />
ARE THE CRIMINALS ON THE FRONT FOOT IN THE BATTLE<br />
TO USE AI FOR GOOD OR BAD? EDITOR BRIAN WALL REPORTS<br />
It would appear that AI is at a definitive<br />
crossroads - one where policymakers,<br />
security professionals and civil society have<br />
the chance to finally tilt the cybersecurity<br />
balance from attackers to cyber defenders.<br />
That is the view of Google's Phil Venables,<br />
vice president, chief information security<br />
officer (CISO), Google Cloud, and Royal<br />
Hansen, vice president, Privacy, Safety and<br />
Security Engineering.<br />
"At a moment when malicious actors are<br />
experimenting with AI, we need bold and<br />
timely action to shape the direction of this<br />
technology," the two argue. To support this<br />
work, Google has launched a new AI Cyber<br />
Defense Initiative, including a proposed policy<br />
and technology agenda contained in its new<br />
report: Secure, Empower, Advance: How AI<br />
Can Reverse the Defender's Dilemma.<br />
"Today, and for decades, the main challenge<br />
in cybersecurity has been that attackers need<br />
just one successful, novel threat to break<br />
through the best defences. Defenders,<br />
meanwhile, need to deploy the best defences<br />
at all times, across increasingly complex digital<br />
terrain - and there's no margin for error. This<br />
is the 'Defender's Dilemma' and there's never<br />
been a reliable way to tip that balance. Our<br />
experience deploying AI at scale informs<br />
our belief that AI can actually reverse this<br />
dynamic. AI allows security professionals<br />
and defenders to scale their work in threat<br />
detection, malware analysis, vulnerability<br />
detection, vulnerability fixing and incident<br />
response."<br />
SLOWER ADOPTION<br />
Alasdair Anderson, VP at Protegrity, also<br />
believes AI has the potential to be an effective<br />
tool for whoever wields it. "However, for<br />
businesses, AI adoption will be slower than<br />
the cybercrime industry, as there will be new<br />
regulations to adhere to and ensuring the<br />
safe use of AI is a lengthy process. As such,<br />
through <strong>2024</strong> there will be an increase in AI-based<br />
attacks before businesses and<br />
government bodies can put in place robust<br />
and ethical AI cyber-security measures. The<br />
importance at this time will be in employing<br />
safe data practices so private information is<br />
always protected."<br />
While AI's ability to streamline processes<br />
and present speedy outcomes is offering<br />
breakthroughs to businesses, he adds, it is<br />
at the same time attracting attention from<br />
threat actors who are realising that it could<br />
be a weakness in a company's security, if<br />
not used correctly. "However, if used to its<br />
full potential, AI could be a tool that helps<br />
businesses identify weaknesses and address<br />
them. During the race to attack and defend in<br />
the age of AI, businesses should be focusing<br />
on protecting the prize: data. When a threat<br />
actor utilises AI to find an innovative way<br />
to break through the latest cybersecurity<br />
defence, all the data at the centre will be<br />
at risk - and can be used to enhance larger<br />
attacks. If training an LLM with data, or if an<br />
employee elects to streamline a task and use<br />
an LLM on a public platform - that data is<br />
too at risk."<br />
Protegrity advocates for a data-centric<br />
approach, states Anderson. "If all data used is<br />
subjected to privacy-preserving measures to<br />
comply with data protection laws, it ensures<br />
that, if the data is breached at any point, it is<br />
anonymous and worthless to hackers."<br />
GENIE ‘OUT OF THE BOTTLE’<br />
For Aron Brand, CTO, CTERA, attempting to<br />
contain the emerging AI-based cyber threats<br />
with regulation is "as futile as trying to contain<br />
a wildfire with a garden hose". With powerful<br />
open-source models on the GPT-4 level being<br />
freely proliferated, the genie is out of the<br />
bottle, he says. "Today, even individuals with<br />
moderate resources can create powerful AI<br />
systems without ethical safeguards, rendering<br />
proposed AI rules ineffective against malicious<br />
actors, not to mention state actors who are<br />
actively developing AI cyber weapons.<br />
"In fact, it is very reasonable to assume that<br />
AI scientists from major world superpowers<br />
are already engaged in a high-stakes race to<br />
develop the ultimate AI weapon, which could<br />
be likened to an 'Internet nuke'. The regulators<br />
can only influence the 'good guys', and do<br />
nothing to stop nefarious actors from<br />
creating malicious AI."<br />
The way forward, says Brand, lies in embracing<br />
AI-based defences as countermeasures.<br />
"It is time for more software vendors to step<br />
up and incorporate behavioural AI into their<br />
products. By leveraging AI's ability to distinguish<br />
between malicious and normal user<br />
behaviour, next-generation security solutions<br />
can quickly detect and neutralise AI-powered<br />
attacks. Unfortunately, the rapid surge in the<br />
offensive capabilities of attackers means we<br />
face an uphill battle in this AI arms race."<br />
10.5 TRILLION DOLLAR PRICE TAG<br />
According to Louis Blackburn, operations<br />
director at CovertSwarm, global cybercrime<br />
is expected to cost the world $10.5<br />
trillion annually by 2025, up 15% on the<br />
cost five years ago, while the average<br />
global cost of a single data breach<br />
is around $3.62 million, with<br />
customer trust taking a huge hit. "It's essential<br />
that organisations of all sizes learn about<br />
the security risks that AI can have to their<br />
business and establish a plan to deal with<br />
any threats," he cautions.<br />
"Voice synthesis tools are being used to<br />
mimic employees in organisations, such<br />
as service desk workers, to gain people's<br />
trust. Businesses are at threat of simple<br />
transactions, like a password reset taking<br />
place over the phone and getting into the<br />
hands of somebody who, unbeknown to<br />
them, is not the actual colleague a person<br />
thinks they're speaking to."<br />
AI can be used to perform reconnaissance<br />
against organisations in the future. "Collating<br />
information about a target business at the<br />
moment is a very manual process, but in the<br />
near future attackers will be able to use AI<br />
to quickly find out the relevant information<br />
about an organisation like the IP address,<br />
open ports, security software and hardware<br />
in use and vulnerabilities in these systems,"<br />
Blackburn states.<br />
"In the future, this will develop into hackers<br />
being able to use AI and OpenSource to<br />
look into a company's computer vulnerabilities<br />
and other areas that may be insecure.<br />
Organisations need to be proactive with<br />
regard to all digital security and perform<br />
continuous testing to find the problems<br />
before AI does."<br />
OPERATING AT SCALE<br />
Curtis Wilson, staff data scientist at the<br />
Synopsys Software Integrity Group, argues<br />
that the potential of AI lies not in full autonomy,<br />
but in allowing experts to operate at<br />
scale. "The problem faced by cyber security<br />
experts is that they must find and patch every<br />
single vulnerability in the systems they are<br />
responsible for - a threat actor, however, only<br />
needs to find and exploit one vulnerability to<br />
launch a successful attack. AI-based tools can<br />
help cyber security experts identify potentially<br />
vulnerable areas of an application, search<br />
through large codebases, automate routine<br />
inspections, see patterns or unusual behaviour<br />
in network traffic and even suggest easy<br />
fixes for common problems."<br />
However, he adds, AI alone can struggle<br />
to understand the complex interactions<br />
between different parts of a large system,<br />
the underlying business logic (and how that<br />
factors into the system) or the potential for<br />
completely novel exploits. Keeping human<br />
experts in the loop is thus essential. "Whilst<br />
this ability to scale expertise is a boon to cyber<br />
security experts when patching vulnerabilities,<br />
it can also be a boon to threat actors in a<br />
different domain: social engineering. Currently,<br />
social engineering tends to be either quality<br />
or quantity based. Either you send an unsophisticated<br />
email to hundreds of thousands<br />
("enter your details for information about<br />
a package"), or you send a highly-tailored<br />
email to a small group ('This is [CFO's name],<br />
CFO of [Your Company], and I need your<br />
help…')."<br />
The question of 'Will AI help or hinder cyber<br />
security experts?' is a false dichotomy, says<br />
Wilson. "I think instead we will see the entire<br />
landscape of cybersecurity threats continue<br />
to change and evolve in response to advances<br />
in AI technologies; just as it has to every other<br />
change in technology over the last few<br />
decades."<br />
Alasdair Anderson, Protegrity: businesses<br />
should be focusing on protecting the<br />
prize: data.<br />
Louis Blackburn, CovertSwarm: hackers will<br />
be able to use AI and OpenSource to look<br />
into a company's computer vulnerabilities.<br />
Aron Brand, CTERA: rapid surge in the<br />
offensive capabilities of attackers means<br />
we face an uphill battle in this AI arms<br />
race.<br />
Dan Wiseman, Transmit Security: While AI<br />
is increasingly being adopted by cyber<br />
attackers, it holds equal, if not greater,<br />
potential as a defensive mechanism.<br />
OPINION DIVIDED<br />
Matt Frye, who is the head of education at<br />
Hornetsecurity, says the company's latest<br />
research shows that 45% of UK businesses<br />
have been victims of a cyberattack and 85%<br />
are concerned about the increasing sophistication<br />
of attack methods, thanks to AI.<br />
THE RACE IS UNDERWAY<br />
"Cybersecurity professionals need to amplify<br />
their efforts and enhance their technology<br />
to safeguard businesses from evolving attack<br />
methods," he advises, as the race is underway<br />
between cyber criminals, vendors and policymakers,<br />
with all parties leveraging the power<br />
of AI for differing reasons. Hornetsecurity<br />
research shows that opinions amongst British<br />
business leaders are split, with 45% finding AI<br />
helpful and 45% thinking it has worsened the<br />
threat landscape.<br />
"Next-gen defenders like Hornetsecurity<br />
are continually investing to maintain the<br />
upper hand over attackers and they have<br />
been ably using AI as part of their efforts to<br />
do so. However, the dynamic nature of cyber<br />
threats means that this is an ongoing battle,<br />
requiring constant vigilance, adaptation and<br />
education to build users' knowledge of the<br />
threat landscape and the methods cybercriminals<br />
are using. Business leaders must act<br />
now, investing in comprehensive AI-enhanced<br />
protection packages, which include both<br />
technical defences and training packages."<br />
DEFENSIVE MECHANISM<br />
Dan Wiseman, senior solutions advisor,<br />
Transmit Security, emphasises how AI is not<br />
a silver bullet, but a tool and, like any tool,<br />
its effectiveness hinges on how it's utilised.<br />
"While AI is increasingly being adopted by<br />
cyber attackers, it holds equal, if not greater,<br />
potential as a defensive mechanism. Yet,<br />
many organisations are still in the early stages<br />
of harnessing its full potential and therefore<br />
risk falling behind the curve," he warns.<br />
The unpredictable nature of AI, often seen<br />
as a challenge, can actually be its strength.<br />
"With the right safeguards and ethical<br />
guidelines in place, this unpredictability can<br />
be harnessed to stay one step ahead of cyber<br />
threats. AI's predictive capabilities enable us to<br />
identify and mitigate potential threats before<br />
they materialise, effectively shifting the<br />
balance in favour of cyber defenders."<br />
Achieving this requires a multi-faceted<br />
approach, says Wiseman. "From a security<br />
perspective, it involves constantly improving<br />
AI algorithms, investing in AI training and<br />
research, and fostering collaboration between<br />
AI developers, cybersecurity professionals and<br />
policymakers. At Transmit Security, we're<br />
actively embedding AI-driven capabilities<br />
across our entire platform, making it easier<br />
for our customers to leverage AI as a core<br />
component of their cybersecurity strategy."<br />
ROBUST FRAMEWORKS<br />
"To truly outrun cybercriminals and maintain a<br />
defensive advantage, robust frameworks for<br />
AI governance and ethical standards must be<br />
established, ensuring responsible use and<br />
mitigating risks," comments Keiron Holyome,<br />
VP UKI & Emerging Markets, BlackBerry.<br />
"As a response to the Chinese cyberattack<br />
on the Ministry of Defence earlier this year,<br />
we are already seeing progress in such<br />
recommendations for both AI caution and<br />
applications for good, demonstrated by May's<br />
collection of UK government research reports<br />
on the cyber security of AI. Collaboration<br />
between governments, industry leaders and<br />
academia will be increasingly essential for<br />
sharing knowledge, developing best practices<br />
and responding to emerging threats<br />
collectively."<br />
Holyome says that AI's potential for both<br />
defenders and attackers is still in the early<br />
stages of its journey, something that can<br />
be overlooked. "The security industry must<br />
remain vigilant and adaptive. It must be<br />
prepared to address evolving vulnerabilities<br />
that AI may introduce and meet challenges<br />
head-on, with an innovative, yet responsible<br />
approach. If effectively harnessed, AI can<br />
maintain cybersecurity balance against<br />
defenders, but this requires ongoing research,<br />
innovation and collaboration."<br />
cyber breaches<br />
BATTERED AND BREACHED<br />
A <strong>2024</strong> GOVERNMENT SURVEY PAINTS A DISTURBING PICTURE OF THE SCALE OF<br />
CYBER-ATTACKS PERPETRATED AGAINST UK BUSINESSES OVER THE LAST 12 MONTHS<br />
Organisations of all sizes and<br />
persuasions are prey to the attackers<br />
and a large percentage have suffered<br />
at their hands - that is the main takeaway<br />
from the government's Cyber Security<br />
Breaches Survey for <strong>2024</strong>.<br />
"Half of businesses [50%] and around a third<br />
of charities [32%] report having experienced<br />
some form of cyber security breach or attack<br />
in the last 12 months," states the government.<br />
"This is much higher for medium businesses<br />
[70%], large businesses [74%] and high-income<br />
charities with £500,000 or more in<br />
annual income [66%]."<br />
By far the most common type of breach or<br />
attack is phishing (84% of businesses and<br />
83% of charities). "This is followed, to a much<br />
lesser extent, by others impersonating<br />
organisations in emails or online [35% of<br />
businesses and 37% of charities] and then<br />
viruses or other malware [17% of businesses<br />
and 14% of charities]. Among those<br />
identifying any breaches or attacks, we<br />
estimate the single most disruptive breach<br />
from the last 12 months cost each business,<br />
of any size, an average of approximately<br />
£1,205. For medium and large businesses, this<br />
was approximately £10,830. For charities, it<br />
was approximately £460." There were some<br />
changes this year to the question that seeks to<br />
capture the overall incidence of cyber-attacks<br />
and breaches. Due to these changes, it was<br />
not possible to make direct comparisons<br />
between 2023 and <strong>2024</strong>, states the survey<br />
report.<br />
CYBER HYGIENE<br />
Interestingly, and perhaps against general<br />
expectation, the most common cyber threats<br />
are relatively unsophisticated, so government<br />
guidance advises businesses and charities to<br />
protect themselves using a set of "cyber<br />
hygiene" measures. A majority of businesses<br />
and charities have a broad range of these<br />
measures already in place. The most common<br />
are updated malware protection, password<br />
policies, cloud back-ups, restricted admin<br />
rights and network firewalls - each<br />
administered by at least seven in 10<br />
businesses and around half of charities or<br />
more, according to the report.<br />
Compared to 2023, the deployment of<br />
various controls and procedures has risen<br />
slightly among businesses:<br />
Using up-to-date malware protection<br />
(up from 76% to 83%)<br />
Restricting admin rights (67% to 73%)<br />
Network firewalls (66% to 75%)<br />
Agreed processes for phishing emails<br />
(up from 48% to 54%).<br />
These trends represent a partial reversal of<br />
the pattern seen in the previous three years<br />
of the survey, where some areas had seen<br />
consistent declines among businesses. The<br />
changes mainly reflect shifts in the micro<br />
business population and, to a lesser extent,<br />
small and medium businesses.<br />
RISK MANAGEMENT & SUPPLY CHAINS<br />
Businesses are more likely than charities to<br />
take actions to identify cyber risks. Larger<br />
businesses (defined as medium and large<br />
businesses, as opposed to smaller businesses,<br />
which cover micro and small businesses) are the<br />
most advanced in this regard.<br />
Some 31% of businesses and 26% of<br />
charities have undertaken cyber security risk<br />
assessments in the last year - rising to 63%<br />
of medium businesses and 72% of large<br />
businesses. A third of businesses (33%)<br />
deployed security monitoring tools, rising to<br />
63% of medium businesses and 71% of large<br />
businesses. The proportion was lower among<br />
charities (23%). Around four in ten businesses<br />
(43%) and a third of charities (34%) report<br />
being insured against cyber security risks rising<br />
to 62% of medium businesses and 54% of<br />
large businesses (ie, cyber insurance is more<br />
common in medium businesses than large<br />
ones). Compared to the 2023 survey, the<br />
proportion of businesses with some form of<br />
insurance has increased from 37% to 43%,<br />
while the proportion has remained stable<br />
amongst charities.<br />
Just over one in 10 businesses say they<br />
review the risks posed by their immediate<br />
suppliers (11% vs 9% of charities). More<br />
medium businesses (28%) and large<br />
businesses (48%) review immediate supplier<br />
risks.<br />
The qualitative interviews suggest that<br />
organisations have an increasing awareness of<br />
the cyber security risks posed by supply chains.<br />
Despite this, organisations, particularly at the<br />
smaller end, tend to have limited formal<br />
procedures in place to manage cyber risks<br />
from wider supply chains.<br />
Meanwhile, board engagement and<br />
corporate governance approaches towards<br />
cyber security tend to be more sophisticated<br />
in larger organisations. Levels of activity have<br />
remained stable, compared with 2023.<br />
GOING LARGE<br />
Three-quarters of businesses (75%) and more<br />
than six in 10 charities (63%) report that cyber<br />
security is a high priority for their senior<br />
management. This proportion is higher<br />
among larger businesses (93% of medium<br />
businesses and 98% of large businesses vs<br />
75% overall). The same is true for high-income<br />
charities (93% of those with income<br />
of £500,000 or more vs 63% overall).<br />
The proportion that says cyber security is a<br />
high priority has remained stable since 2023,<br />
following an apparent decrease in<br />
prioritisation in 2023. The qualitative<br />
interviews suggest that, despite economic<br />
conditions, many organisations have<br />
continued to invest either the same amount<br />
or more in cyber security over the last 12<br />
months. This is in part a response to the<br />
perceived increase in the number of cyberattacks<br />
and their sophistication.<br />
UPTICK IN PROTECTION<br />
"With half of businesses encountering cyber<br />
breaches and attacks in the last 12 months,<br />
this report exposes the scale of the cyber<br />
threat landscape that we face today," says<br />
Matt Thomas, head of UK markets at NCC<br />
Group. "An estimated 7.78 million<br />
cybercrimes is not a figure that should be<br />
taken lightly.<br />
"Businesses and charities are at risk of<br />
phishing scams, viruses and malware, so it is<br />
heartening to see an uptick in the adoption of<br />
cyber hygiene practices, with those using up-to-date<br />
malware protection up from 76% to<br />
83%. Improvement in cyber hygiene among<br />
micro businesses in particular, and qualitative<br />
reports that businesses are investing in<br />
cybersecurity, should be celebrated. Despite<br />
the economic challenges that all businesses<br />
face, there is long-term value in investing in<br />
cyber hygiene now and prioritising prevention<br />
before an incident occurs."<br />
The government breach report is a reminder,<br />
says Thomas, that, despite progress,<br />
challenges still remain. "With global supply<br />
chain instability continuing, formal procedures<br />
are more important than ever before. This<br />
report has also highlighted a lacking approach<br />
to incident response across the board, with<br />
only the minority of businesses [22%] having<br />
agreed formal processes in place to support<br />
following a cyber incident."<br />
He also highlights how 75% of all businesses<br />
have reported cyber security as a high priority<br />
among senior management. "However, the<br />
findings show discrepancies between the size<br />
of businesses adopting appropriate cyber<br />
security measures. Some 98% of large<br />
businesses and 93% of medium businesses<br />
have cyber security at the top of their agenda,<br />
yet small businesses are yet to prioritise<br />
mitigating cyber threats in the same way<br />
despite being vulnerable."<br />
He adds that there has not been significant<br />
improvement in board or senior management<br />
engagement on cybersecurity since 2017. "The<br />
disconnect between IT or cyber teams and<br />
wider staff is being keenly felt within large<br />
businesses, suggesting greater collaboration is<br />
required across businesses to effectively and<br />
holistically combat cyber threats.<br />
"Further education is still needed to support<br />
smaller businesses and charities towards a<br />
safer cyber future, and this data also<br />
demonstrates sectoral differences when it<br />
comes to cybersecurity. Businesses within<br />
finance and health, for example, are more<br />
likely to make cyber security a higher priority<br />
than other businesses, but all businesses must<br />
invest budget into protecting themselves from<br />
cyber threats, too."<br />
Matt Thomas, NCC Group: this report<br />
exposes the scale of the cyber threat<br />
landscape that we face today.<br />
passwords<br />
ARE PASSWORDS PASSÉ?<br />
WITH GOOGLE MOVING TOWARDS A FUTURE WITHOUT PASSWORDS,<br />
THE PATH HAS BEEN THROWN OPEN FOR OTHERS TO FOLLOW<br />
"When your password is stolen,<br />
cybercriminals may sell your<br />
information on the dark web<br />
to other hackers or use it themselves to<br />
commit more cybercrimes," says Aranza<br />
Trevino, senior SEO content specialist at<br />
Keeper Security. "Your stolen credentials<br />
may give hackers access to important<br />
accounts, such as your bank account,<br />
and allow them to steal other Personally<br />
Identifiable Information (PII). This can result<br />
in serious consequences, such as stolen<br />
money and stolen identities. Recovering<br />
from a stolen identity is time consuming<br />
and expensive, and the consequences can<br />
follow victims for years."<br />
Data breaches are one of the most<br />
common ways credentials are stolen. "In<br />
2022, over 422 million people in the US<br />
were affected by 1,802 data breaches,"<br />
she confirms. "These breaches, often at<br />
major companies with millions of users,<br />
can expose usernames and passwords,<br />
health information, credit card numbers,<br />
social security numbers and more."<br />
Brute force, meanwhile, is a method<br />
of password cracking that uses a bot to<br />
repeatedly guess random passwords until<br />
it finds the right one. "These bots can try<br />
hundreds of passwords a second - but they<br />
are more likely to guess passwords that<br />
include dictionary words [also known as<br />
a dictionary attack] or passwords that are<br />
short," states Trevino. "A random, eight-character<br />
password can be hacked within<br />
eight hours. A password shorter than that<br />
can be cracked almost instantly. A random<br />
eighteen-character password with a mix<br />
of numbers, letters and special characters<br />
would take trillions of years to crack."<br />
Other attack methods that Trevino also<br />
singles out include the following:<br />
Guessing: gathering information by<br />
researching your digital footprint and<br />
attempting to guess your password using<br />
what they learn<br />
Shoulder surfing: stealing information,<br />
including passwords, by physically<br />
viewing the victim entering in the<br />
information<br />
Malware: malicious links and files can<br />
contain malware, which users might<br />
accidentally download when they are<br />
victims of online scams, like phishing<br />
attacks<br />
Man-in-the-middle attacks: these occur<br />
when cybercriminals intercept data sent<br />
between two entities<br />
Social engineering: which can be used<br />
in tandem with other methods, such as<br />
phishing<br />
Password spraying: where hackers use<br />
a few common passwords to attack<br />
multiple accounts on a single website<br />
or application.<br />
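The spraying pattern Trevino describes (a few guesses spread across many accounts from one source) looks different in authentication logs from a brute-force run against one account, and that difference is what a defender can alert on. The following detector is an added example, not code from the article or from Keeper Security; its log format, sample lines and thresholds are constructed for the illustration.<br />

```javascript
// Added example (not from the article or any vendor): a small detector that separates
// password spraying (a few guesses against many accounts from one source) from
// brute force (many guesses against one account).  The log format and sample lines
// are constructed for this illustration; addresses are RFC 5737 documentation ranges.
const LINE = /^(\S+) auth (ok|fail) user=(\S+) src=(\S+)$/;

function parseLine(line) {
  const m = LINE.exec(line.trim());
  if (!m) return null; // tolerate lines that do not match the expected format
  return { ts: Date.parse(m[1]), outcome: m[2], user: m[3], src: m[4] };
}

// For each source address, slides a window of `windowMs` over its failed logins and
// reports a spray when the failures touch >= minUsers distinct accounts, or brute
// force when one account alone takes >= minPerUser failures.  Successful logins from
// a flagged source are listed so responders know which accounts to check first.
function detect(lines, { windowMs = 10 * 60 * 1000, minUsers = 5, minPerUser = 6 } = {}) {
  const fails = new Map(), oks = new Map(); // src -> events
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    const bucket = ev.outcome === 'fail' ? fails : oks;
    if (!bucket.has(ev.src)) bucket.set(ev.src, []);
    bucket.get(ev.src).push(ev);
  }
  const findings = [];
  for (const [src, events] of fails) {
    events.sort((a, b) => a.ts - b.ts);
    let best = null, start = 0;
    for (let end = 0; end < events.length; end++) {
      while (events[end].ts - events[start].ts > windowMs) start++; // drop old events
      const span = events.slice(start, end + 1);
      const perUser = new Map();
      for (const e of span) perUser.set(e.user, (perUser.get(e.user) || 0) + 1);
      const kind = perUser.size >= minUsers ? 'password-spray'
                 : Math.max(...perUser.values()) >= minPerUser ? 'brute-force' : null;
      if (kind && (!best || span.length > best.failures)) {
        best = { src, kind, failures: span.length, users: [...perUser.keys()],
                 succeeded: [...new Set((oks.get(src) || []).map(e => e.user))] };
      }
    }
    if (best) findings.push(best);
  }
  return findings;
}

// Constructed sample: one spraying source that lands a guess on 'frank', one
// brute-forcing source aimed at 'bob', and a user who mistypes once and then signs in.
const SAMPLE_LOG = [
  '2024-06-03T08:00:01Z auth fail user=alice src=203.0.113.5',
  '2024-06-03T08:00:04Z auth fail user=bob src=203.0.113.5',
  '2024-06-03T08:00:07Z auth fail user=carol src=203.0.113.5',
  '2024-06-03T08:00:10Z auth fail user=dave src=203.0.113.5',
  '2024-06-03T08:00:13Z auth fail user=erin src=203.0.113.5',
  '2024-06-03T08:00:16Z auth ok user=frank src=203.0.113.5',
  '2024-06-03T08:05:00Z auth fail user=bob src=198.51.100.7',
  '2024-06-03T08:05:10Z auth fail user=bob src=198.51.100.7',
  '2024-06-03T08:05:20Z auth fail user=bob src=198.51.100.7',
  '2024-06-03T08:05:30Z auth fail user=bob src=198.51.100.7',
  '2024-06-03T08:05:40Z auth fail user=bob src=198.51.100.7',
  '2024-06-03T08:05:50Z auth fail user=bob src=198.51.100.7',
  '2024-06-03T08:10:00Z auth fail user=carol src=192.0.2.44',
  '2024-06-03T08:10:30Z auth ok user=carol src=192.0.2.44',
  'this line is malformed and is skipped',
];

console.log(detect(SAMPLE_LOG)); // one 'password-spray' and one 'brute-force' finding
```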
THE PASSWORDLESS FUTURE<br />
Enter Google, which has begun rolling out<br />
passkeys - something it describes as "the<br />
easiest and most secure way to sign in to<br />
apps and websites and a major step toward<br />
a passwordless future".<br />
Passkeys are a safer and easier alternative<br />
to passwords, it states. "With passkeys,<br />
users can sign in to apps and websites with<br />
a biometric sensor [such as a fingerprint or<br />
facial recognition], PIN or pattern, freeing<br />
them from having to remember and<br />
manage passwords."<br />
Developers and users both hate<br />
passwords, insists Google: "They give a poor<br />
user experience, they add conversion<br />
friction, and they create security liability for<br />
both users and developers. Google<br />
Password Manager in Android and Chrome<br />
reduces the friction through autofill;<br />
for developers looking for even further<br />
improvements in conversion and security,<br />
passkeys and identity federation are the<br />
industry's modern approaches."<br />
A passkey can meet multifactor<br />
authentication requirements in a single<br />
step, adds Google, replacing both<br />
a password and OTP (eg, 6-digit SMS code)<br />
to deliver robust protection against<br />
phishing attacks and avoid the UX pain<br />
of SMS or app-based one-time passwords.<br />
"Since passkeys are standardised, a single<br />
implementation enables a passwordless<br />
experience across all of a user's devices,<br />
across different browsers and operating<br />
systems."<br />
Passkeys are easier, it says, because:<br />
Users can select an account to sign<br />
in with. Typing the username is not<br />
required<br />
Users can authenticate using the device's<br />
screen lock such as a fingerprint sensor,<br />
facial recognition or PIN<br />
Once a passkey is created and registered,<br />
the user can seamlessly switch to a new<br />
device and immediately use it without<br />
needing to re-enrol (unlike traditional<br />
biometric auth, which requires setup<br />
on each device).<br />
Google also identifies passkeys as safer for<br />
several reasons:<br />
Developers only save a public key to the<br />
server, instead of a password, meaning<br />
there's far less value for a bad actor to<br />
hack into servers and far less cleanup<br />
to do, in the event of a breach<br />
Passkeys protect users from phishing<br />
attacks. Passkeys work only on their<br />
registered websites and apps; a user<br />
cannot be tricked into authenticating<br />
on a deceptive site, because the browser<br />
or OS handles verification<br />
Passkeys reduce costs for sending SMS,<br />
making them a safer and more cost-effective<br />
means for two-factor<br />
authentication.<br />
PERSISTENT CHALLENGE<br />
Clearly, password protection is a fraught<br />
and challenging enterprise that has<br />
provoked new thinking. Peter Barker, chief<br />
product officer at Ping Identity, is one<br />
concerned party who has been quick to<br />
identify why he feels passwords are way<br />
past their 'best-before date' and how<br />
he hopes that Google's move towards<br />
a passwordless future will prove to be<br />
an inspirational force for change.<br />
"Passwords have been a persistent security<br />
challenge for the past seven decades,<br />
leaving us susceptible to phishing attacks<br />
and the looming threats of fraud and<br />
identity theft," says Barker.<br />
"Consumers increasingly crave greater<br />
convenience, without compromising on<br />
security. The path we must embark on leads<br />
us toward a passwordless future, though<br />
this transition will undoubtedly require time<br />
to be embraced on a grand scale.<br />
"Notably, we have already witnessed the<br />
widespread integration of biometric<br />
authentication methods, such as facial<br />
recognition and fingerprint scans, into<br />
our daily lives. These technologies serve as<br />
stepping stones towards the ultimate goal<br />
of a world where the arduous task of<br />
logging in becomes a thing of the past.<br />
However, to truly reach this passwordless<br />
utopia, the general public needs a better<br />
grasp of the underlying technology.<br />
"In light of these developments," adds<br />
Barker, "Google's decision to champion<br />
passkeys as the default login option<br />
couldn't have come at a better time.<br />
Sometimes, it takes industry giants to<br />
take the lead, pushing for change more<br />
assertively."<br />
BROKEN SYSTEM<br />
Meanwhile, Alex Laurie, Ping Identity's SVP<br />
EMEA, points to how passwords also act<br />
as a barrier to achieving a smoother user<br />
experience. "Think back to the number of<br />
times you've been locked out of a site or<br />
app and had to go through the painstaking<br />
process of resetting your password. It's<br />
a broken system that needs to change."<br />
Alex Laurie, Ping Identity: most logical<br />
path that access management<br />
organisations could take would be<br />
towards a passwordless future.<br />
Given such challenges, the most logical<br />
path that access management<br />
organisations could take would be towards<br />
a passwordless future, Laurie points out.<br />
"While this transition will undoubtedly<br />
require time to be embraced at scale on<br />
both the B2B and B2C side, our research<br />
shows that consumers welcome passwordless<br />
authentication. In the UK, 59% said<br />
they'd be happy to switch website/app/<br />
service, if a passwordless authentication<br />
method was offered."<br />
He feels that the clear shift away from<br />
passwords by major technology firms<br />
like Google and Amazon is the way that<br />
others now need to go. "Passkeys signify<br />
a significant leap forward, sparing users<br />
from the hassle of remembering passwords<br />
and the constant worry of someone<br />
stealing them. This proactive move<br />
promises to reduce fraud, and usher in<br />
a simpler, faster and more secure user<br />
experience that we can all benefit from."<br />
pen testing<br />
PUT TO THE TEST<br />
MOST COMPANIES HAVE INVESTED<br />
IN SECURE I.T. INFRASTRUCTURE,<br />
BUT DO THEY KNOW HOW WELL<br />
IT WORKS UNDER PRESSURE?<br />
How many organisations have policies<br />
and procedures ready for real-world<br />
cyber threats? With so many attacks<br />
launched, they need to find out exactly<br />
how robust their defences are - before they<br />
become a victim. Testing cyber resilience<br />
with a Red Team exercise will identify the<br />
weaknesses in an IT defence and provide<br />
a playbook to rectify those frailties going<br />
forward.<br />
The majority of organisations already have<br />
a good understanding of penetration tests,<br />
and operate a mature security-assessment<br />
programme that employs both vulnerability<br />
assessment and periodic penetration tests,<br />
says Shinoj Joni, senior security consultant<br />
at Prism Infosec. "During a typical pentest,<br />
a vulnerability assessment is conducted,<br />
in which potential weaknesses within the<br />
system are discovered and listed. A good<br />
penetration test will then attempt to<br />
exploit the observations made in the<br />
vulnerability assessment, so that the<br />
technical risk of each observation can be<br />
measured and the findings of the<br />
assessment prioritised, enabling the<br />
assessed organisation to understand their<br />
specific risk profile. This activity typically<br />
has very strict parameters, agreed in<br />
advance, governing what can be assessed<br />
and which techniques can be employed."<br />
One of the key distinguishing features of<br />
a red team assessment, by contrast, is that the<br />
type of attack performed is less important<br />
than the type of threat actor being simulated.<br />
"While red teaming draws on elements of<br />
the pentest methodology, the scope is nearly<br />
always wider," he points out. "This allows the<br />
exercise to explore the real-world risks that the<br />
organisation is exposed to from a threat actor,<br />
who is only interested in achieving their goal."<br />
As red team exercises emulate real-world<br />
attackers, it is often the case that the<br />
methodologies employed are much stealthier<br />
than the traditional combination of a<br />
penetration test, with activities such as open-source<br />
intelligence gathering. "This is not<br />
always the case, depending on the assessment<br />
being conducted, but in general red team<br />
exercises do not commence with the<br />
deployment of 'noisy' vulnerability assessment<br />
tools," explains Joni. "Instead, intelligence is<br />
gathered about the organisation and the<br />
vector with the greatest likelihood of success<br />
with the least risk of detection is deployed.<br />
The methodologies and tools available to the<br />
red team provider are limited only by<br />
the capabilities of their team and the<br />
understanding of the threat actor being<br />
modelled."<br />
The obvious answer, he suggests, is that<br />
every organisation would benefit from a red<br />
team exercise, in that it will provide a list<br />
of security-related findings that, when<br />
addressed, will improve the security posture of<br />
the organisation. "However, the most benefit<br />
will be found by organisations that have a<br />
mature penetration testing strategy, coupled<br />
with robust protective monitoring capabilities,<br />
or who are about to embark on a significant<br />
security upgrade programme. This is not to say<br />
that there is no benefit to an organisation that<br />
is currently struggling to apply system patches<br />
consistently across the enterprise or trying to<br />
stay on top of corrective actions arising from<br />
the output of automated vulnerability<br />
assessment tools. A red team exercise can<br />
help these organisations prioritise the order<br />
in which elements of the enterprise receive<br />
penetration tests and track progress as the<br />
security programme matures."<br />
TEST…TEST… AND TEST<br />
To be effective, cyber resilience strategies and<br />
recovery plans need to be tested regularly,<br />
points out Sam Woodcock, director of cloud<br />
strategy and enablement, 11:11 Systems.<br />
"Unfortunately, many organisations lack focus<br />
on testing, both in terms of their planning<br />
and their process during simulation. However,<br />
tabletop exercises are key, because they get<br />
to the heart of the metrics and unpack how<br />
long it will take to get the organisation back<br />
up and running. It clarifies the company's<br />
response and highlights where teams need to<br />
improve their planning. In doing this, the<br />
company will know how to operate through<br />
an incident. The insight that security teams<br />
can get from proper testing cannot be gained<br />
any other way and is the best way to prepare<br />
for actual cyber incidents."<br />
"If the strategy for undoing the damage from<br />
a ransomware attack is to recover copies of<br />
locked data, regularly testing how to do so<br />
is a good idea - particularly as more clever<br />
examples of ransomware also target backups.<br />
Disaster recovery-as-a-service offerings<br />
are great for making sure data is backed up<br />
in multiple ways; however, it is still vital that<br />
this solution is tested with as close to a real-life<br />
scenario as possible."<br />
Red Team assessments and penetration<br />
testing are the two key ways in which teams<br />
can accurately gauge the strength of their<br />
security systems, adds Woodcock. "These are<br />
especially effective as, particularly in the case<br />
of Red Team assessments, they mimic how<br />
threat actors would try to gain access to<br />
a system. This is done through a combination<br />
of real-world tactics, including intelligence-gathering,<br />
technical vulnerability identification<br />
and exploitation, and social<br />
engineering. However, penetration testing,<br />
while effective, necessary and time consuming,<br />
does not always uncover all of a system's<br />
weaknesses, yet it does provide a benchmark<br />
to test from and identify areas for improvement,<br />
ahead of a ransomware attack."<br />
BACKDOOR INVASION<br />
Meanwhile, it's been reported that a principal<br />
software engineer at Microsoft and one of<br />
the developers of PostgreSQL discovered a<br />
backdoor in liblzma, which is part of the<br />
widely used open-source compression library<br />
XZ. This has been described as "one of the<br />
best executed supply chain attacks" and<br />
would have been a security disaster, had it<br />
not been discovered.<br />
The XZ software is used in many Linux<br />
distributions and in macOS for tasks such as<br />
compressing release tarballs and kernel<br />
images. According to industry experts, this<br />
episode could have been far worse, had it<br />
not been caught early, as the malicious<br />
backdoor code enabled full remote code<br />
execution.<br />
HUGE, COMPLEX CHAINS<br />
Shakeel Ahmed, principal penetration tester<br />
at Protection Group International, comments:<br />
"Open source's use of other projects creates<br />
huge and complex supply chains that are<br />
rarely well understood and even more rarely<br />
audited. Buying software doesn't really avoid<br />
the problem anymore. However, open-source<br />
software development is robust and, even<br />
though there have been concerns over the<br />
years around software maintenance and<br />
support, the fact that it was picked up does<br />
highlight the fact there is an element of<br />
vigilance and best security practices within<br />
the open-source software supply chain.<br />
"Community oversight on open-source<br />
projects is crucial to prevent APT and backdoors,"<br />
he states. "This is in comparison to<br />
proprietary software, which may contain<br />
vulnerabilities intentionally or unintentionally.<br />
Going forward, I think there should be a<br />
requirement for more enhanced monitoring<br />
and fuzzing of core open-source libraries<br />
and dependencies.<br />
"Software vendors should assess their<br />
dependencies and perform secure source<br />
code reviews, in order to protect their<br />
supply chains. Sticking to stable software,<br />
in comparison to running the latest, alpha,<br />
beta or bleeding edge packages, will also<br />
maintain a robust cybersecurity stance."<br />
Shinoj Joni, Prism Infosec: most benefit<br />
will be found by organisations with a<br />
mature penetration testing strategy,<br />
coupled with robust protective<br />
monitoring capabilities.<br />
Sam Woodcock, 11:11 Systems: tabletop<br />
exercises get to the heart of the metrics<br />
and unpack how long it will take to get<br />
the organisation back up and running.<br />
threats latest<br />
HEALTHCARE<br />
IS OVER!<br />
AN 'HONOUR AMONGST THIEVES' AGREEMENT DURING COVID WHERE HEALTHCARE PROVIDERS WERE<br />
SPARED CYBER-ATTACKS HAS GIVEN WAY TO ALL-OUT ATTACKS<br />
Cyberattacks are on the rise, with large<br />
corporations such as Ticketmaster,<br />
the BBC and even the NHS reporting<br />
record-breaking hacks and data breaches.<br />
With more data than ever being shared by<br />
both consumers and businesses online, can<br />
information ever be safe from the threat of<br />
cyber leaks again? And how exactly, in the<br />
face of such attacks, can cybersecurity stay<br />
agile and updated to protect the privacy of<br />
organisations?<br />
Spencer Starkey, VP of EMEA at SonicWall,<br />
says that cybersecurity arrangements must be<br />
agile and constantly updated to keep up with<br />
the evolving threat landscape. "Cybercriminals<br />
are constantly developing new tactics,<br />
techniques and procedures (TTPs) to exploit<br />
vulnerabilities and bypass security controls,<br />
and companies must be able to quickly<br />
adapt and respond to these threats. This<br />
requires a proactive and flexible approach to<br />
cybersecurity, which includes regular security<br />
assessments, threat intelligence, vulnerability<br />
management and incident response planning.<br />
"It also requires ongoing training and<br />
awareness programmes to ensure that<br />
employees are aware of the latest threats<br />
and best practices for cybersecurity," he adds.<br />
"By maintaining agile and up-to-date<br />
cybersecurity arrangements, companies<br />
can minimise their risk exposure, detect<br />
and respond to threats more effectively, and<br />
maintain the trust and confidence of their<br />
customers and stakeholders."<br />
UPTICK IN ATTACKS<br />
Another worrying trend is the regularity with<br />
which the health care system is being targeted<br />
of late. "The recent attack on NHS hospitals by<br />
the Qilin ransomware group is part of a wider<br />
trend of threat actors attacking the healthcare<br />
sector," points out James Tytler, associate, Cyber<br />
Incident Response, at S-RM. "While there was<br />
an 'honour among thieves' agreement during<br />
Covid where healthcare providers were spared<br />
cyber-attacks [with some threat actors even<br />
issuing apologies], this moratorium has been<br />
lifted, with global data showing a significant<br />
uptick in attacks since March 2023. The<br />
healthcare sector is unfortunately a good<br />
target, as providers hold critical data, are<br />
critical infrastructure and more likely to pay<br />
to keep operations going."<br />
While there have been proportionally more<br />
attacks on healthcare organisations in recent<br />
years, fundamentally these groups are<br />
opportunistic and breaches are often the result<br />
of software vulnerabilities or poor password<br />
management, he says. "These groups tend<br />
to go after the easiest targets, so healthcare<br />
and other critical infrastructure should urgently<br />
invest in their cybersecurity defences to avoid<br />
falling victim. S-RM has responded to attacks<br />
launched by the Qilin ransomware group<br />
in the UK and supported clients in the<br />
healthcare sector."<br />
EXTORTION AND DOWNTIME<br />
The cyber incident affecting London hospitals<br />
was extremely serious and impactful, concurs<br />
Mark Jow, technical evangelist at Gigamon.<br />
"Unfortunately, all too often bad actors know<br />
the potential for disruption and use this as an<br />
opportunity to extort more money from their<br />
victims and downtime can be devastating<br />
in the healthcare sector. It's fair to say in<br />
situations like this it has the potential to be<br />
a 'life-or-death' matter for those patients<br />
affected.<br />
"We can only hope that the NHS has<br />
safeguards in place to limit the level of<br />
disruption and protect their day-to-day<br />
operations. It is vital that healthcare<br />
organisations and any security leaders<br />
operating within our critical national<br />
infrastructure take note of this incident."<br />
There are a few proactive steps for organisations<br />
looking to protect themselves against<br />
cyber threats and improve detection and<br />
remediation of any intruders, he points out.<br />
INSECURE SUPPLY CHAIN<br />
"First, it is critical to understand the risk<br />
brought about by an insecure supply chain. In<br />
this threat environment, all organisations must<br />
have confidence in not only their own security<br />
posture, but those of all their suppliers, with<br />
evidence of the security of their entire supply<br />
chain. When selecting suppliers and vetting<br />
third parties, it's important that organisations<br />
assess not just the quality and price of services<br />
offered, but also the IT maturity of the supplier.<br />
This incident really does reinforce the<br />
importance of vetting suppliers to critical<br />
infrastructure organisations like the NHS,<br />
ensuring they have implemented best practices<br />
in securing themselves, and holding them to<br />
account when these situations arise."<br />
Secondly, says Jow, you have to be aware<br />
where attackers could gain a 'foothold' in<br />
your organisation. "The number of connected<br />
medical devices within the Internet of Medical<br />
Things (IoMT) is rising, but IoMT is often highly<br />
vulnerable to cyber-attacks. This is mainly<br />
because 5G technology increases the 'attack<br />
surface' for malicious actors by introducing<br />
a whole new class of targets to the internet-connected<br />
ecosystem, many of which cannot<br />
be protected by traditional EDR solutions."<br />
With this additional risk, all healthcare<br />
security leaders should implement defence-in-depth<br />
solutions with robust infrastructure<br />
monitoring, he adds. "End-point detection is<br />
not enough; seeking visibility into east-west<br />
traffic [information that travels internally and<br />
between servers and hosts] and north-south<br />
[data from external sources] is crucial to<br />
detecting and remediating laterally moving<br />
threats before they can cause more damage.<br />
This includes analysing all encrypted traffic,<br />
which today is used to mask 93% of malware<br />
attacks."<br />
ENHANCED VIGILANCE<br />
For Matt Aldridge, principal solutions<br />
consultant at OpenText Cybersecurity, the<br />
recent attack on security organisation MITRE<br />
is a stark reminder of the pervasive threat<br />
landscape that has to be navigated daily.<br />
"MITRE's recognition of the breach demonstrates<br />
both the need for enhanced vigilance<br />
across all sectors and the benefits of transparent<br />
incident disclosure. It has further<br />
demonstrated why cybersecurity has to be an<br />
immediate priority, and a cornerstone of risk<br />
mitigation and prevention strategies for any<br />
business. Without it, businesses will not be<br />
able to survive the current climate of rapidly<br />
rising ransomware attacks.<br />
"Almost every organisation needs to have at<br />
least some systems providing services to the<br />
internet and, in the face of zero-day attacks,<br />
there are no security controls which can block<br />
attacks 100% of the time, even when patches<br />
are installed in a timely fashion. For this<br />
reason, it is essential to be monitoring for<br />
unexpected changes in your environments,<br />
collating and correlating log data, and looking<br />
for anomalies. Solutions that are built with<br />
unsupervised machine learning can help<br />
greatly with this," says Aldridge.<br />
Organisations should learn from this latest<br />
breach by ensuring they're doing everything<br />
they can to protect themselves and their data<br />
in a world where new cyber risks and dangers<br />
are evolving at compute speed, he continues.<br />
"We've seen that increased employee flexibility<br />
around remote working practices often means<br />
increased cybersecurity risks. As a result,<br />
organisations must work with their employees<br />
to create strong cybersecurity habits so best practice<br />
becomes second nature.<br />
"To mitigate against cyber threats, regular<br />
education and phishing simulations are<br />
a must, and all employees and companies<br />
must stay updated with current trends.<br />
Rather than viewing data protection as a<br />
box-ticking exercise, it should be a key priority<br />
and integrated into every aspect of an organisation.<br />
Employee awareness and vigilance is<br />
the most powerful tool in the cyber resilience<br />
kit-bag - to boost prevention, detection and<br />
reporting of breaches."<br />
NETWORK INFRASTRUCTURE AT RISK<br />
Claud Bilbao, regional vice president for the<br />
UK, underwriting & distribution, Cowbell, the<br />
adaptive cyber insurance specialists, says the<br />
recent attacks on the health service remind us<br />
that it is not only the personal data that needs<br />
to be protected within the healthcare space,<br />
but the whole network infrastructure.<br />
"With our increased reliance on technology,<br />
we can see the devastating impact a cyber<br />
event can have on major and crucial healthcare<br />
facilities like the St Thomas' Hospital,<br />
which had to shut down whole systems and<br />
equipment, resulting in interrupted business<br />
operations and patients' health put at<br />
immense risk. To better protect businesses in<br />
healthcare, cyber resilience must be built and<br />
nurtured."<br />
This, he states, entails the following:<br />
Assessing one's cyber risk posture to better<br />
understand how well protected your<br />
business is and should be, compared to<br />
the industry standard<br />
Implementing cybersecurity best practices,<br />
like firewalls, regular data backups,<br />
multi-factor authentication (MFA), good<br />
password hygiene, cybersecurity awareness<br />
training for employees and a regularly<br />
tested incident response plan<br />
Obtaining a standalone cyber insurance<br />
policy, which can be a safety net to fall<br />
on in the case of an incident. Businesses<br />
should ask their brokers about cyber<br />
insurance providers that offer risk<br />
assessment and management support<br />
as well, helping to facilitate the process.<br />
Spencer Starkey, SonicWall: cybersecurity<br />
arrangements must be agile and updated<br />
constantly to keep up with the evolving<br />
threat landscape.<br />
Mark Jow, Gigamon: all healthcare security<br />
leaders should implement defence-in-depth<br />
solutions, with robust infrastructure<br />
monitoring.<br />
Claud Bilbao, Cowbell: the whole<br />
network infrastructure needs to be<br />
protected.<br />
Ian Thornton-Trump, Cyjax: a major<br />
reorganisation of the cybercriminal<br />
underground is taking place as a direct<br />
response to law enforcement success.<br />
"It is crucial to raise the standard of<br />
cybersecurity awareness and defences in this<br />
new, digital age," adds Bilbao. "Any business<br />
of any size, in any industry, can fall victim to<br />
an attack. Luckily, there are steps you can take<br />
to drastically improve your business's cyber<br />
posture and they are not as difficult as you<br />
may expect." Among the steps he suggests is<br />
talking to your CFO, risk manager, IT professional<br />
or cyber insurance broker about<br />
your cyber hygiene.<br />
ARMS RACE<br />
Ransomware attackers are in an arms race<br />
with defenders, says CYJAX. While law<br />
enforcement disrupts existing groups, the<br />
attacker side is experiencing a boom, with<br />
the total number of new groups reaching<br />
an all-time high. In 2023, a total of 22 new<br />
ransomware groups emerged, compared<br />
to the total of 22 groups that emerged<br />
between 2018 and 2020.<br />
CYJAX has just published a new report on<br />
this trend, with the main takeaways as follows:<br />
Unprecedented growth: the number of<br />
ransomware groups is exploding, with an<br />
average of 5.5 new groups emerging per<br />
month in <strong>2024</strong> - a dramatic increase,<br />
compared to previous years<br />
Shifting targets: ransomware attackers are<br />
increasingly targeting smaller businesses<br />
with weaker security postures, posing<br />
a new threat to a wider victim pool<br />
Spike following group disbandment: an<br />
anomalous rise in new groups, following<br />
the dismantling of prominent groups like<br />
Conti and ALPHV. This suggests a potential<br />
recruitment pool from disbanded groups or<br />
a temporary dip in activity before new groups<br />
solidify<br />
Short-term wins, but long-term struggle:<br />
While law enforcement actions disrupt existing<br />
groups, they often lead to rebranding or the<br />
creation of entirely new groups<br />
Geopolitical influence: The Russia-Ukraine<br />
war is hampering international cooperation,<br />
allowing Russia-based groups to operate with<br />
impunity.<br />
Comments CYJAX CISO Ian Thornton-Trump:<br />
"One of the big trends I sense is a major reorganisation<br />
of the cybercriminal underground<br />
as a direct response to law enforcement<br />
success. It's likely that criminal actors are<br />
starting fresh and building more operational<br />
resiliency into their organisations, and focusing<br />
on OPSEC to avoid discovery and compromise.<br />
It's far better to be a new crew and remain<br />
under the radar than an old crew with a big<br />
OSINT footprint."<br />
MILITARY HACKED<br />
Another recent target saw the personal<br />
information of military personnel hacked.<br />
Comments Dr Ilia Kolochenko, CEO at<br />
ImmuniWeb and adjunct professor of<br />
cybersecurity at Capital Technology University:<br />
"Financial and personal data of UK military<br />
personnel is a desired target for organized<br />
cybercrime groups that run large-scale fraud,<br />
scam and blackmailing campaigns over the<br />
Internet, being motivated by profits.<br />
"Having said this, the attackers can, of course,<br />
try to re-sell information to more powerful<br />
hacking groups, backed by foreign states,<br />
to run laser-focused social engineering or<br />
extortion schemes against high-ranking<br />
officers of the British army. Thus, the risks<br />
should not be downplayed and urgent<br />
investigation is needed," adds Thornton-Trump.<br />
26 Computing Security July/August 2024 @CSMagAndAwards www.computingsecurity.co.uk
digital accounts

FATIGUE RED ALERT

THE EXPLOSION OF DIGITAL ACCOUNTS HAS LED TO A SIGNIFICANT INCREASE IN 'ACCOUNT FATIGUE', IMPACTING THE WAY CONSUMERS INTERACT WITH BUSINESSES ONLINE, STATES NEW RESEARCH

Recently released research reveals that digital 'account fatigue' is hindering consumers' ability to adequately protect their online accounts and thus weakening businesses' cybersecurity practices. The research, from Beyond Encryption, highlights the fact that, on average, a UK consumer has 119 accounts to manage, while 1 in 5 requests a new password weekly, as they struggle to manage their online accounts and security.

This overload not only greatly hampers the adoption of new services, but also contributes to a decline in customer portal engagement and satisfaction, warns the company.

Other findings include 50% of consumers saying that the number of separate logins they have to remember and manage makes them feel overwhelmed and confused. This can lead to poor password management (typically the same password reused across many sites, so a single breach exposes the rest), which leaves the door open for threat actors. Additionally, respondents with a higher number of accounts are nearly three times more likely to reset their password daily, at 14% compared with the average of 5%.

However, consumers have shown an inclination to adopt solutions that streamline their experience and ease the burden of password management, while still maintaining security. With 44% of consumers saying that they prefer single sign-on services for this exact reason, and over half of respondents stating they are comfortable using biometric authentication (57%) and password managers (54%), there are clear alternatives that businesses should consider to resolve this issue, states Beyond Encryption.

EXTRA BURDEN

The company's CEO Paul Holland comments: "Login management is essential for security. However, we must acknowledge that we're putting an additional burden on our customers when we give them an account. Credential management can be a huge source of frustration, if not made seamless.

"It is crucial for businesses to quickly resolve this issue and bridge the gap between consumer expectations and current digital offerings. To achieve this, businesses must adopt a multifaceted approach that focuses on simplifying portal navigation, catering to consumer preference on login methods to streamline portal access, and supplying secure, multichannel communications that offer targeted value and meet evolving consumer needs."

Beyond Encryption's new report has shone a harsh light on the impact of password and account fatigue on password security, and offers a range of insights on wider consumer behaviour. "The burden businesses are putting on consumers with an overwhelming number of accounts to manage is not only damaging to cybersecurity, but also to customer engagement and the adoption of new digital services, with almost half of consumers (43%) not engaging with or using digital services, due to a sense of 'digital overwhelm' and weariness," adds Beyond Encryption.
events & exhibitions

Stephanie Hare: urged women to continue breaking down barriers in cybersecurity.

INFOSEC HITS THE HOT SPOTS!

IT WAS SHOWTIME AT THE EXCEL AND THAT MEANT INFOSECURITY EUROPE WAS BACK IN THE SWING AGAIN FOR THREE FULL-ON DAYS!

This year's Infosecurity Europe event - which was held at the ExCeL in London - was packed with infosec knowledge and expertise, offering attendees a raft of insights into how to navigate the present and protect the future of the sector.

Infosecurity Europe 2024 was certainly a powerful testament to the dynamic and evolving nature of the cyber-security industry. From the insights shared by keynote speakers to the celebration of innovative solutions and community initiatives, the event offered invaluable experiences for all those who were there.

The big focus, of course, was on the array of technology and solutions on display from so many of the security industry's top names. With security increasingly top of mind for businesses and organisations, attendance was high across the three days, as visitors sought out the answers to their individual challenges.
Away from the exhibition floor, there was plenty more to catch the eye of those attending, such as a keynote session delivered by Henry Ajder, a leading authority in generative AI. His insights into the future of AI and its implications for cybersecurity were both enlightening and thought-provoking.

Henry Ajder: a leading authority in generative AI.

Claire Williams: brought a fresh perspective on leadership dynamics and high-pressure decision-making.

Ajder's ability to break down complex AI concepts into understandable terms helped professionals grasp both the risks and rewards of this rapidly evolving technology. "AI's role is no longer theoretical or a small segment," he pointed out, "but a critical part of the threat and defence innovation landscape. Learning how to navigate the GenAI paradigm shift is essential to excelling in the cybersecurity industry, both now and for an increasingly AI-centred future."
Meanwhile, Claire Williams, celebrated for her leadership in Formula 1, brought a fresh perspective on leadership dynamics and high-pressure decision-making. Her talk resonated strongly with her audience, emphasising the importance of building a stable team when maintaining a robust cybersecurity posture.

Williams shared her insights on how to engage a vast workforce, embed key values and motivate others to have conviction in operating to the best of their ability. "There are so many parallels between the F1 and cybersecurity worlds - not least teams having to constantly operate in highly pressurised and fast-paced environments, while having to make logical, sound and quick decisions," she said. She also revealed how she has personally approached managing a team of 1,000 people in the challenging world of Formula One for close to a decade, as well as cultural and business transformation and gender diversity.

The 'Women in Cybersecurity' event was an equally great success, highlighting the contributions that have been made by so many women in the industry. Keynote speaker Stephanie Hare urged women to continue breaking down barriers in cybersecurity. Alongside a panel of leading women in cybersecurity, she shared their stories, covering topics from imposter syndrome and mentorship, through to negotiation skills and how to build your brand.

Next year, Infosecurity Europe will take place from 3-5 June.
ransomware

RANSOMWARE RAMPANT

RANSOMWARE IS EVOLVING ALL THE TIME - AND ARTIFICIAL INTELLIGENCE IS ONLY LIKELY TO ENHANCE ITS DAMAGING IMPACT

Bernard Montel, Tenable: wiping data at rest is even more insidious and can be undetected, compared to encryption.

Ten years ago, a ransomware attack was really obvious, says Bernard Montel, EMEA technical director and security strategist, Tenable. "The computer [PC] was bricked with a ransomware demand displayed on the screen. Today, attacks are less obvious and can go undetected for a few weeks, as threat actors look to obfuscate their presence, allowing them to creep around infrastructure for nefarious purposes."

The most popular way attackers infect organisations is through spam and phishing emails, he continues. "In the majority of cases, these messages include a malicious attachment, such as a Microsoft Word document or PDF file containing malware. Others, however, may contain a link to a webpage controlled by the attackers. The goal is to get the target to open the attachment and trick the victim to enable macros or click the link, which can then deliver a malicious downloader, leading to the final payload, which is ransomware."
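The phishing chain Montel describes hinges on a macro-bearing Office attachment reaching a user who can be talked into enabling macros. As an added illustration (not code from the article, Montel or Tenable), the following Python script shows the check a mail gateway or triage analyst would apply: open the attachment as an OOXML package and flag any VBA project part, regardless of what the file extension claims. The sample documents are constructed in memory, and `build_docx`, `has_vba_project` and `triage` are hypothetical helper names.

```python
"""Flag Office attachments that carry a VBA macro project.

Added example for this article, not Tenable or Montel code. OOXML files
(.docx/.docm/.xlsx/.xlsm/...) are ZIP packages; Office will only run VBA
from a document that carries a vbaProject.bin part, so that part, rather
than the file extension, is the signal to look for.
"""
import io
import zipfile

# Minimal [Content_Types].xml; the {vba} slot takes the macro override when present.
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.'
    'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '{vba}</Types>'
)
VBA_OVERRIDE = ('<Override PartName="/word/vbaProject.bin" '
                'ContentType="application/vnd.ms-office.vbaProject"/>')
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container header


def build_docx(with_macro: bool) -> bytes:
    """Construct a sample OOXML package in memory (test fixture, not a real attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   CONTENT_TYPES.format(vba=VBA_OVERRIDE if with_macro else ""))
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is an OLE2 stream; a header stub is enough for the fixture.
            z.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 24)
    return buf.getvalue()


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML package contains a VBA part or declares one in its content types."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
                return "vnd.ms-office.vbaProject" in content_types
    except zipfile.BadZipFile:
        return False
    return False


def triage(filename: str, data: bytes) -> str:
    """Decide what a gateway rule should do with one attachment."""
    if has_vba_project(data):
        return "QUARANTINE: VBA project present in " + filename
    if data.startswith(OLE2_MAGIC):
        # Legacy binary format can embed macros too; hand it to an OLE parser (e.g. oletools' olevba).
        return "REVIEW: legacy OLE2 document " + filename
    if filename.lower().endswith((".docm", ".xlsm", ".pptm")):
        return "REVIEW: macro-enabled extension but no VBA part in " + filename
    return "ALLOW: " + filename


if __name__ == "__main__":
    for name, blob in [("invoice.docm", build_docx(True)),
                       ("invoice.docx", build_docx(False)),
                       ("old.doc", OLE2_MAGIC + b"\x00" * 512)]:
        print(triage(name, blob))
```

The check deliberately keys on the package contents rather than the extension: a `.docx` that has been renamed from a `.docm` still carries its `vbaProject.bin`, and a `.docm` with no VBA part is merely odd rather than dangerous.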
Software vulnerabilities play a key role in facilitating ransomware attacks through several avenues. "These include vulnerabilities used as part of malicious documents, vulnerabilities found in perimeter devices like Secure Socket Layer Virtual Private Networks (VPNs), as well as a plethora of flaws designed to elevate privileges once inside an organisation's network. Prolific ransomware groups, such as LockBit, Rhysida, Play and ALPHV/BlackCat, make use of multiple exploits in their efforts to compromise organisations. For illustration, throughout the last quarter of 2023, threat actors exploited CitrixBleed in attacks against a variety of organisations. Some notable examples include attacks against Boeing and Comcast."

While initial access is how ransomware groups get into an organisation's network, once inside they will set their sights on Active Directory. Gaining domain privileges gives attackers the capability to distribute their ransomware payloads across the entire network (for example, by pushing the payload to every domain-joined host via Group Policy or administrative shares). "Once threat actors are inside, the game is fundamentally over," warns Montel. "Today's ransomware gangs will look to extrapolate data silently and, once that's achieved, they'll prepare to encrypt systems and cripple the organisation's ability to function.

INSIDIOUS AND UNDETECTED

"A further trend that has been seen is threat actors wiping data at rest. This is even more insidious and can be undetected, compared to encryption. Often the first that the organisation knows anything about the attack is a communication from the gang threatening to encrypt systems or publish the data on the dark web, if demands are not met. The added pressure from this type of extortion is what has helped make ransomware so successful."
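Montel's point that domain privileges are the hinge of a ransomware deployment suggests the matching detection: any change to a Tier-0 group in Active Directory should page someone, and a burst of such changes by one account is the escalation pattern that precedes mass deployment. The following Python is an added example (not from the article, Tenable or Montel) that runs that rule over a handful of constructed Windows Security event lines. The JSON field names, the collector format and the `privileged_group_alerts` helper are assumptions; event IDs 4728, 4732 and 4756 are the standard "member added to security-enabled global/local/universal group" events.

```python
"""Detect additions to Tier-0 Active Directory groups in Windows Security events.

Added example for this article, not Tenable or Montel code. It assumes the
collector emits one JSON object per line with the fields shown in the
constructed sample; real field names vary by agent and are an assumption here.
"""
import json
from collections import defaultdict
from datetime import datetime

# 'A member was added to a security-enabled ... group': 4728 global, 4732 local, 4756 universal.
GROUP_ADD_EVENTS = {4728, 4732, 4756}
# Built-in groups that hand out domain-wide control (Tier 0); membership changes should be rare.
TIER0_GROUPS = {"domain admins", "enterprise admins", "schema admins",
                "administrators", "account operators"}

# Constructed sample log lines (hypothetical collector output, not from any real estate).
SAMPLE_EVENTS = """
{"ts": "2024-06-03T02:14:07Z", "EventID": 4728, "TargetUserName": "Domain Admins", "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example", "SubjectUserName": "jsmith", "Computer": "DC01"}
{"ts": "2024-06-03T02:14:09Z", "EventID": 4756, "TargetUserName": "Enterprise Admins", "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example", "SubjectUserName": "jsmith", "Computer": "DC01"}
{"ts": "2024-06-03T09:30:11Z", "EventID": 4728, "TargetUserName": "Marketing", "MemberName": "CN=a.jones,OU=Staff,DC=corp,DC=example", "SubjectUserName": "helpdesk1", "Computer": "DC01"}
{"ts": "2024-06-03T09:31:45Z", "EventID": 4624, "TargetUserName": "a.jones", "Computer": "WS042"}
"""


def parse_events(text: str) -> list:
    """Parse JSON-lines input, skipping blank or malformed lines rather than aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def _epoch(ts: str) -> float:
    # fromisoformat() only accepts a trailing 'Z' from Python 3.11; normalise it first.
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()


def _common_name(dn: str) -> str:
    """Pull the CN out of an LDAP distinguished name for readable alerts."""
    first = dn.split(",")[0]
    return first[3:] if first.upper().startswith("CN=") else first


def privileged_group_alerts(events: list, burst_window_s: int = 300) -> list:
    """Return one alert per Tier-0 group addition.

    Severity is 'high' for a single change and 'critical' when the same actor
    makes more than one Tier-0 change inside burst_window_s, the pattern seen
    when an intruder escalates a freshly owned account before mass deployment.
    """
    alerts = []
    recent = defaultdict(list)      # actor -> timestamps of their recent Tier-0 changes
    for e in events:
        if e.get("EventID") not in GROUP_ADD_EVENTS:
            continue
        group = e.get("TargetUserName", "")
        if group.lower() not in TIER0_GROUPS:
            continue
        actor = e.get("SubjectUserName", "?")
        now = _epoch(e["ts"])
        recent[actor] = [t for t in recent[actor] if now - t <= burst_window_s] + [now]
        alerts.append({
            "ts": e["ts"],
            "event_id": e["EventID"],
            "group": group,
            "member": _common_name(e.get("MemberName", "")),
            "actor": actor,
            "dc": e.get("Computer", "?"),
            "severity": "critical" if len(recent[actor]) > 1 else "high",
        })
    return alerts


if __name__ == "__main__":
    for a in privileged_group_alerts(parse_events(SAMPLE_EVENTS)):
        print(f"[{a['severity'].upper()}] {a['ts']} {a['actor']} added {a['member']} "
              f"to '{a['group']}' on {a['dc']} (event {a['event_id']})")
```

On the sample, the Marketing change and the logon event are ignored, the first Domain Admins addition raises a high-severity alert, and the Enterprise Admins addition two seconds later by the same account is escalated to critical. In production the same rule belongs in the SIEM with the group list extended to any custom group that holds Tier-0 rights.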
The question of whether to meet ransomware demands is complicated, he states. "Only the organisation impacted will be able to determine the best course of action. Given the financial impact from ransomware attacks, be it the inability to function from crippled systems or sensitive data exposed, prevention has to be better than cure. Gaining visibility into where the biggest areas of risk are - exposure management - is absolutely critical to knowing which doors and windows are wide open and need to be closed to stop ransomware in its tracks."

What about those ransomware groups that Montel names - LockBit, Rhysida, Play and ALPHV/BlackCat? Who exactly are they, and what are their objectives and attack methodologies?
CYBER INSECURITY

As ransomware and other forms of attack proliferate (see pages 24-26 in this issue), the World Economic Forum's 'Global Risks Report 2024' is worth returning to as a weathervane for what is happening. The report shows that widespread cyber insecurity ranks among the most severe threats facing the world over the next 10 years, even overtaking interstate armed conflict, inflation and economic downturn by 2026.

These simmering geopolitical tensions, combined with rapidly advancing technology and AI escalation, mean it is now more crucial than ever that companies locate and repair their cyber vulnerabilities. Cyber insecurity is a foreseeable and dangerous threat for many organisations, which is why businesses must improve their cyber resilience or risk becoming victims of cyber hackers, putting sensitive data, bottom lines, and shareholder, investor and customer trust at stake.

It's something that Tenable's Bernard Montel is equally occupied by: "That this year's WEF Global Risks Report ranks 'cyber insecurity' in its top five of the most severe risks over the next two years isn't surprising, with the threat of cyberwarfare a recurring theme throughout the report, as well as the 'rapid integration of advanced technologies' that are exposing more organisations and individuals to exploitation. The widespread adoption of cloud computing introduces new levels of vulnerability and management complexity that can be targeted by bad actors.

"Particular concern surrounds the use of Artificial Intelligence (AI) technologies to boost cyber warfare capabilities, with good reason. While AI has made astronomical technological advancements in the last 12-24 months, allowing an autonomous device to make the final judgement is incomprehensible today. While AI is capable of quickly identifying and automating some actions that need to be taken, it's imperative that humans are the ones making critical decisions on where and when to act from the intelligence AI provides.

IN DEFENCE

"It's also worth noting that AI has a major role to play in cyber defence. It can be used by cybersecurity professionals to search for patterns, explain what they're finding in the simplest language possible, and help them decide what actions to take to reduce cyber risk.

"AI can and is being harnessed by defenders to power preventive security solutions that cut through complexity to provide the concise guidance defenders need to stay ahead of attackers and prevent successful attacks. Harnessing the power of AI enables security teams to work faster, search faster, analyse faster and ultimately make decisions faster."

As the report highlights, the threat of cyber insecurity is heightened by the evolving motivations driving these attacks - from monetised criminality all the way to geopolitical unrest. However, the manifestation of these threats remains unchanged. "Threat actors are probing for the right combination of vulnerabilities, cloud misconfigurations and identity privileges that allow them to infiltrate and traverse cyber infrastructure. As defenders we need to pre-empt this: to identify what attack paths exist and take steps to shut them down before they can be exploited. Organisations that can anticipate cyberattacks and communicate those risks for decision support will be the ones best positioned to defend against emerging threats."
BIG GAME HUNTING

CrowdStrike's '2024 Global Threat Report' confirms that ransomware remains the tool of choice for many Big Game Hunting (BGH) adversaries. At the same time, it states, data-theft extortion continues to be an attractive - and often easier - monetisation route, "as evidenced by the 76% increase in the number of victims named on BGH dedicated leak sites (DLSs) between 2022 and 2023. Access brokers continued to profit by providing initial access to eCrime threat actors throughout the year, with the number of advertised accesses increasing by 20% from 2022".

The number of victims named on BGH dedicated leak sites increased significantly in 2023, with 4,615 victim posts made to DLSs - a 76% increase over 2022. "Several factors contributed to this growth, including newly emerged BGH adversaries, growth of existing adversary operations and select high-volume campaigns, such as multiple GRACEFUL SPIDER zero-day exploitations."
Collectively, BITWISE SPIDER, ALPHA SPIDER, GRACEFUL SPIDER, RECESS SPIDER and BRAIN SPIDER accounted for 77% of posts across all tracked adversary DLSs. "BITWISE SPIDER and ALPHA SPIDER have historically posted numerous new DLS posts and were ranked in first and second place respectively for the highest number of DLS posts in 2022 and 2023," reveals CrowdStrike. "They have since grown in prominence to account for the fourth [RECESS SPIDER] and fifth-highest [BRAIN SPIDER] number of DLS posts in 2023. GRACEFUL SPIDER - which has operated since 2016 and has typically conducted low-volume campaigns - exploited three zero-day vulnerabilities in 2023 to exfiltrate data from hundreds of victims across the globe. This adversary ultimately published the third-highest number of DLS posts in 2023."

SCATTERED SPIDER began using ALPHA SPIDER's Alphv ransomware in April 2023, it is reported. "The adversary had previously monetized intrusions by selling victim data and SIM swaps, as well as stealing cryptocurrency. Adopting ransomware as its primary means of extortion has shifted the scope of the adversary's target profile: Most SCATTERED SPIDER victims in 2023 can be categorized as either reconnaissance targets or monetization targets. Reconnaissance targets are typically organizations in the business process outsourcing, customer relationship management, customer experience, technology and telecom sectors."

SCATTERED SPIDER uses intrusions into these entities' networks to identify data that may prove useful in downstream, third-party monetisation targeting. The adversary's monetisation target profile is considerably broader. Most directly observed targets include high-revenue - often Fortune 500 - US-based private sector entities. A notable uptick in North American financial services victims occurred in the second half of 2023, adds CrowdStrike.

There have been considerable successes in hitting back against these aggressors, states CrowdStrike. "In January 2023, a coordinated international law enforcement operation resulted in the seizure of HIVE SPIDER infrastructure and acquisition of the Hive ransomware decryption key. The US Department of Justice (DOJ) has reportedly maintained access to HIVE SPIDER's internal infrastructure since July 2022 and has since provided decryption keys to more than 300 worldwide victims, preventing ransom payments totalling 130 million USD."

At the time of its report, the company said that no HIVE SPIDER activity had been observed since January 2023. "However, Hive affiliates have since migrated to other ransomware as a service (RaaS) operations. In February and September 2023, law enforcement issued sanctions against WIZARD SPIDER members, aiming to restrict the named individuals' finances, travel and assets, and disrupt the adversary's operations as it worked to circumvent the restrictions."

Today's sophisticated cyberattacks only take minutes to succeed, says CrowdStrike. "Adversaries use techniques such as interactive hands-on-keyboard attacks and legitimate tools to attempt to hide from detection. To further accelerate attack tempo, adversaries can access credentials in multiple ways, including purchasing them from access brokers for a few hundred dollars. Organizations must prioritize protecting identities in 2024."

Also, throughout 2023, targeted intrusion actors consistently attempted to exploit trusted relationships to gain initial access to organisations across multiple verticals and regions. "This type of attack takes advantage of vendor-client relationships to deploy malicious tooling via two key techniques: 1) compromising the software supply chain using trusted software to spread malicious tooling and 2) leveraging access to vendors supplying IT services.

"Threat actors targeting third-party relationships are motivated by the potential return on investment [ROI]: one compromised organisation can lead to hundreds or thousands of follow-on targets. These stealthy attacks can also more effectively provide an opportunity for attackers seeking to exploit a hardened end target."

What of the future? Of great concern now is the probability that the rise of artificial intelligence (AI) will enhance the threat posed by ransomware over the coming years, something that the National Cyber Security Centre (NCSC), part of GCHQ, has warned about. The centre believes the technology is lowering the barrier of entry to novice cyber criminals. "As a result, AI is enabling unskilled online actors to carry out more effective cyber-attacks," it says.
Computing Security
Secure systems, secure data, secure people, secure business

Product Review Service

VENDORS – HAS YOUR SOLUTION BEEN REVIEWED BY COMPUTING SECURITY YET?

The Computing Security review service has been praised by vendors and readers alike. Each solution is tested by an independent expert whose findings are published in the magazine along with a photo or screenshot. Hardware, software and services can all be reviewed.

Many vendors organise a review to coincide with a new launch. However, please don't feel that the service is reserved exclusively for new solutions. A review can also be a good way of introducing an established solution to a new audience. Are the readers of Computing Security as familiar with your solution(s) as you would like them to be?

All products or services reviewed in Computing Security Magazine in the 12 months leading up to the Awards ceremony will automatically be entered as a finalist into this year's awards. And it's not too late. You can book a review now by contacting us below:

Contact Edward O'Connor on 01689 616000 or email edward.oconnor@btc.co.uk to make it happen.
GDPR

SIX OF THE BEST?

WITH SIX YEARS TO ITS NAME, HOW HAS GDPR FARED SO FAR?

Matt Cooper, Vanta.

GDPR (General Data Protection Regulation) flagged up its 6th anniversary in May this year, which is hard to believe. It seems like only recently we were all waiting for it to kick in, wondering what the impact would be. We asked a few industry observers to give us their thoughts.

Matt Cooper, director of governance, risk and compliance, Vanta: "Another year older doesn't necessarily mean another year wiser - a lesson we're learning on GDPR's 6th anniversary. Many businesses across Europe are still struggling to adapt their data management practices to meet the regulation's strict requirements six years on. And, despite significant efforts, staying in compliance with GDPR remains a resource-heavy task that often demands continuous monitoring and regular audits.

"To complicate matters further, AI has become a must-have for many businesses to stay competitive, which is introducing new data privacy risks. This is spreading resources even thinner than before, as businesses are having to adopt robust AI governance frameworks to ensure said novel risks are mitigated, while still grappling with the relatively new GDPR rules. The impact of this is already being felt, with 57% of UK businesses reporting that secure data management has become more difficult with AI adoption [according to Vanta's 2023 State of Trust report].

"However, with risk also comes opportunity. AI has proven particularly effective at automating manual tasks - and streamlining compliance processes is no exception. Businesses can use the technology to automate evidence collection and continuously monitor compliance, reducing the burden on their security teams."

Eduardo Crespo, VP EMEA, PagerDuty, points to the major review of the GDPR framework being undertaken by the European Commission. "This review offers leaders a chance to interrogate data security policies, especially in the context of next generation technology. It is important that data protection isn't viewed as just another frustrating piece of bureaucratic red tape - it is designed to protect data privacy, reinforce consumer trust in companies and keep transparency of processes top of mind. Data protection, through measures like EU GDPR, relies on two pillars in an organisation: the right technology and the right skills to use it."

And he adds: "Organisations who fail to act or deploy enterprise operations solutions and AI do face the risk of falling behind early adopters. With the volume of data and content to store and secure, across retail, media, financial services and a host of other sectors, security and cloud investments need to remain both timeless and timely in the IT world, especially with the backdrop of the EU GDPR review."

Michel Isnard, VP of EMEA, GitLab: "The growing need for data to build and fine-tune AI applications, coupled with an ever-increasing number of data breaches, indicates that adherence to GDPR has never been more important. With software delivery, in particular, the need for developers to invoke secure-by-design principles becomes even more critical. Secure-by-design principles ensure the entire development lifecycle has the necessary controls to address vulnerabilities specific to each phase of the software delivery process.

"It also requires tighter collaboration between developers - with clear functional knowledge of how software should work - and teams with a better understanding of the legislative, regulatory and security requirements impacting the business."
Unlock a More Secure Future with V-Key MFA

• As secure as hard tokens
• Single Sign-On
• Strong protection of crypto keys
• Instant Backup and Restore
• Seamless integration with IDM & PAM and migration
• Digital Trust Platform
• Jailbreak & Root Detection
• Detection of malware
• Brute Force Attack Protection
• Threat Intelligence
• Meets FIDO2 Standard
• FIPS 140-2, CC EAL3+, SOC 2, OATH

Featuring V-Key Enhanced Facial Authentication

Test Drive V-Key Today
sales@celestix.com
+44 (0)203 900 3737
Computing Security
Secure systems, secure data, secure people, secure business

e-newsletter

Are you receiving the Computing Security monthly e-newsletter?

Computing Security always aims to help its readers as much as possible to do their increasingly demanding jobs. With this in mind, we've now launched a Computing Security e-newsletter which is produced every month and is available free of charge. This will enable us to provide you with more content, more frequently than ever before.

If you are not already receiving this, please send your request to christina.willis@btc.co.uk and advise her of the best email address for the newsletter to be sent to.