Computer Fraud & Security
ISSN 1361-3723 | May 2019 | www.computerfraudandsecurity.com

Featured in this issue:

How readable are data breach notifications?
Data breaches – where protected data that is considered sensitive and confidential has been accessed in an unauthorised manner – present a growing threat to society and organisations. While much of the focus to date has been on technical countermeasures, we also need greater insights into the readability of the notification response used by firms to alert affected consumers after a suspected incident has taken place. Stephen Jackson of the University of London examines ways in which we can judge how comprehensible breach notifications are and how we can go about improving them. Full story on page 6…

Gamification as a winning cyber security strategy
Just like in some video games, consumers and business leaders find themselves battling the consequences of interconnectivity and are trying to keep opponents from exploiting their information and damaging their reputation. In this ‘game of protection’ to balance defensive and offensive security techniques, now is the time for CISOs and business leaders to reach for a new cyber security manual – one that leverages gamification. This is the process of exploiting game-like elements to improve information retention and the application of skills, explains Brad Wolfenden of Circadence. Full story on page 9…

IoT security: could careless talk cost livelihoods?
The rise of the Internet of Things (IoT) promises exciting capabilities for business but could it usher in risks that are difficult to assess, let alone deal with? Unsecured IoT systems could be the equivalent of careless talk giving away company secrets and endangering livelihoods. IoT-enabled devices behind cutting-edge consumer and business products must talk securely to the company’s core IT and business systems. Without this secure conversation, IoT’s learning capabilities could simply enable hackers to carry out wider-scale attacks, explains Marc Sollars of Teneo. Full story on page 12…

Church scammed as FBI warns of major rise in BEC fraud
A US church has lost $1.75m after being targeted in a business email compromise (BEC) scam. Meanwhile, the FBI has warned we can expect more of the same, with BEC losses having surged to $1.2bn last year.
The Saint Ambrose Catholic Parish in Brunswick, Ohio was defrauded by scammers who were apparently aware the church was making regular payments to a local construction business for renovation work. The first the church knew of a problem was when the construction firm, Marous Brothers, called to ask why the previous two months’ payments, Continued on page 3...

Contents

NEWS
Church scammed as FBI warns of major rise in BEC fraud 1
Dark markets busted 3

FEATURES
How readable are data breach notifications? 6
Data breaches present a growing threat to society and organisations. While much of the focus to date has been on technical countermeasures, we also need greater insights into the readability of the notification response used by firms to alert affected consumers after a suspected incident has taken place. Stephen Jackson of the University of London examines how to judge the readability of breach notifications and improve them.

Gamification as a winning cyber security strategy 9
Just as in video games, organisations are battling the consequences of interconnectivity and trying to keep the opponent from exploiting their information. Now is the time for CISOs and business leaders to reach for a new cyber security manual – one that leverages gamification. This is the process of exploiting game-like elements to improve information retention and the application of skills, explains Brad Wolfenden of Circadence.

IoT security: could careless talk cost livelihoods? 12
Could the Internet of Things (IoT) usher in risks that are difficult to assess, let alone deal with? In a world where companies can use Alexa to help set up new office IT, unsecured IoT systems might be the equivalent of careless talk, giving away company secrets and endangering livelihoods. IoT-enabled devices must talk securely to the company’s core IT. Without this ‘secure conversation’, IoT’s learning capabilities could simply enable hackers to carry out wider-scale attacks, explains Marc Sollars of Teneo.

How ethical hacking can protect organisations from a greater threat 15
Cyber attacks pose serious risks to critical data, infrastructure and processes. Identifying where these attacks could come from should form part of any risk-management process and every organisation connected to the Internet must assume that it will be a victim sooner or later. Penetration testing and red teaming combine to help organisations identify gaps and vulnerabilities in networks, devices and infrastructure, with the end result of mitigating an attack, says Scott Nicholson of Bridewell Consulting.

Editorial 2
Report analysis 4
News in brief 5
The Sandbox 20
Calendar 20

ISSN 1361-3723/19 © 2019 Elsevier Ltd. All rights reserved. This journal and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use:

Photocopying
Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use.

EDITORIAL

Rape victims in the UK are being told that they must surrender access to their phones and social media accounts or risk having their cases withdrawn.

According to the Crown Prosecution Service (CPS), new consent forms that have been introduced do not represent a new policy but an attempt to standardise an approach across all police forces. But they have drawn widespread criticism – not least because there is little information on how personal, and sometimes very intimate, information will be treated, other than bland assurances that the data will only be used as part of “reasonable lines of enquiry”. Unfortunately, ‘reasonable’ is a dangerously vague term.

On the one hand, the arguments for the ‘national disclosure improvement plan’ might seem logical. The move was prompted by the collapse of a number of high-profile rape cases in 2017 when evidence, based on the victims’ communications via text, email and social media, cast doubt on their allegations. One can understand that prosecutors don’t want to waste time and public money on cases where the alleged victim is being less than completely open.

The CPS has emphasised that providing access to accounts is at the discretion of the complainant, who can not only refuse but also submit reasons for doing so. Or the complainant can specify what data or time periods she believes to be relevant and limit the search to those. The CPS has said: “We recognise that only the reasonable lines of enquiry should be pursued to avoid unnecessary intrusion into the personal lives of individuals. Police officers fill in what information they will look for before obtaining a signature.”

The problem is that this is all one-sided and there is still much that is vague. Worse, this process carries an implicit assumption that the accuser may be lying.

One would hope that searches of social media and communications would be limited to concrete facts pertinent to the case – for example, friendly exchanges between accuser and accused after the assault is said to have taken place, or evidence that the two people could not have been in the same place at the same time.

But who’s to say that prosecutors won’t amass ‘evidence’ of the complainant’s character, attitudes and behaviour to provide an excuse not to proceed with a prosecution? Because the sad fact is that only 1.7% of reported rapes were prosecuted in 2018 and 40% of cases were abandoned with the comment “evidential difficulties”. There is no epidemic of false rape claims. Victims must already fight hard to get their cases taken seriously and now a handful of failed cases make prosecution even more difficult.

The phrase ‘you have nothing to fear if you have nothing to hide’ has never been true. The problem with private data is that it’s slippery stuff, open to interpretation. Victims will be disinclined to report attacks if they think their private lives are going to be trawled for evidence against them.

There are also questions about how this data will be stored and used. How long will it be retained? Will complainants be told what personal data has been retrieved and how it has been interpreted? Will decisions based on this private data be fully transparent? And will the accused face similar treatment – not just having to provide access to private communications but face consequences if this is denied?

Women claiming to have been victims of rape are being made to feel that they are acting in an unreasonable and suspicious manner – one that could undermine their entire case – if they don’t allow access by the authorities to communications they might rightly regard as intimate and private. That is a dangerous precedent.

– Steve Mansfield-Devine

Editorial Office: Elsevier Ltd, The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom
Tel: +44 1865 843239
Fax: +44 (0)1865 843973
E-mail: [email protected]
Web: www.computerfraudandsecurity.com

Publishing Director: Sarah Jenkins
Publisher: Greg Valero
E-mail: [email protected]
Editor: Steve Mansfield-Devine
E-mail: [email protected]

Editorial Advisors: Silvano Ongetta, Italy; Chris Amery, UK; Jan Eloff, South Africa; Hans Gliss, Germany; David Herson, UK; P. Kraaibeek, Germany; Wayne Madsen, Virginia, USA; Belden Menkus, Tennessee, USA; Bill Murray, Connecticut, USA; Donn B. Parker, California, USA; Peter Sommer, UK; Mark Tantam, UK; Peter Thingsted, Denmark; Hank Wolfe, New Zealand; Charles Cresson Wood, USA; Bill J. Caelli, Australia

Columnists: Simon Cuthbert, Roger Grimes, Kai Grunwitz, Tom Parsons

Production Support Manager: Lin Lucas
E-mail: [email protected]

Subscription Information
An annual subscription to Computer Fraud & Security includes 12 issues and online access for up to 5 users.
Prices:
€1139 for all European countries & Iran
US$1237 for all countries except Europe and Japan
¥151 620 for Japan
(Prices valid until 31 December 2011)
More information: www.elsevier.com/journals/institutional/computer-fraud-and-security/1361-3723
To subscribe send payment to the address above. Tel: +44 (0)1865 843687/Fax: +44 (0)1865 834971
Email: [email protected], or via www.computerfraudandsecurity.com.
Subscriptions run for 12 months, from the date payment is received. Periodicals postage is paid at Rahway, NJ 07065, USA. Postmaster send all USA address corrections to: Computer Fraud & Security, 365 Blair Road, Avenel, NJ 07001, USA

Permissions may be sought directly from Elsevier Global Rights Department, PO Box 800, Oxford OX5 1DX, UK; phone: +44 1865 843830, fax: +44 1865 853333, email: [email protected]. You may also contact Global Rights directly through Elsevier’s home page (www.elsevier.com), selecting first ‘Support & contact’, then ‘Copyright & permission’. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: +1 978 750 8400, fax: +1 978 750 4744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; phone: +44 (0)20 7631 5555; fax: +44 (0)20 7631 5500. Other countries may have a local reprographic rights agency for payments.

Derivative Works
Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal circulation within their institutions. Permission of the Publisher is required for resale or distribution outside the institution. Permission of the Publisher is required for all other derivative works, including compilations and translations.

Electronic Storage or Usage
Permission of the Publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the Publisher. Address permissions requests to: Elsevier Science Global Rights Department, at the mail, fax and email addresses noted above.

Notice
No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made. Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer.

Digitally Produced by Mayfield Press (Oxford) Limited
Pre-press/Printed by Mayfield Press (Oxford) Limited

2 Computer Fraud & Security May 2019

NEWS

...Continued from front page

totalling $1.75m, had not been paid. The surprise was all the greater because the church had been receiving its regular, standard notifications from its bank that payments were going out as normal.

An investigation by the FBI found that someone at the church had been duped into believing that Marous Brothers had changed its banking details and wiring instructions – a classic BEC tactic. It’s unclear how this was done, but it seems that two email accounts were compromised, possibly via or keylogging malware. The church has submitted an insurance claim, but at the time of writing there was no confirmation that it would be reimbursed.

The recent ‘2018 Internet Crime Report’ from the FBI’s Internet Crime Complaint Centre (IC3) says that the agency dealt with more than 350,000 fraud and incidents that resulted in losses of over $2.7bn, around half of which were BEC scams. Just over 20,000 people made complaints to IC3 about BEC or email account compromise (EAC) scams that totalled $1.2bn – well ahead of the next-biggest categories, confidence fraud and romance scams ($362m) and investment fraud ($253m). Tech support scams, extortion (including ) and payroll diversion also featured significantly in the centre’s figures.

The IC3 report is based on data from complaints made by the general public, mostly via the centre’s website. Given that many people are too embarrassed to report being the victim of fraud, or feel that there is little point, the real scale of the problem is certain to be much larger.

According to the report: “BEC and EAC are constantly evolving as scammers become more sophisticated. In 2013, BEC/EAC scams routinely began with the hacking or spoofing of the email accounts of chief executive officers or chief financial officers and fraudulent emails were sent requesting wire payments be sent to fraudulent locations. Through the years, the scam has seen personal emails compromised, vendor emails compromised, spoofed lawyer email accounts, requests for W-2 [tax] information, and the targeting of the real estate sector.” The FBI report is here: http://bit.ly/2H5Yt8f.

Meanwhile, Proofpoint has published a study looking at BEC in the financial services sector – an increasingly popular target for scammers. Its ‘2019 Email Fraud in Financial Services’ report analysed more than 160 billion emails sent in the two years 2017-2018 and reveals a relatively high level of sophistication among the attackers in terms of tailoring their emails for this sector.

“Wire-transfer scams are a large component of email fraud in the financial services industry,” the report says. “Over the past two years, the top subject categories used to target financial services firms have included ‘payment’, ‘request’ and ‘urgent’. Payment-related subject lines such as ‘payment status’, ‘payment request’ and ‘swift transfer’ were twice as common among financial services firms. They accounted for 10% of total messages vs just 5% across all industries.”

Domain spoofing, in which the scammers’ emails are made to look as though they are coming from legitimate sources – often from within the target organisation itself – was also very common. Nearly two-fifths (39%) of emails sent from financial services domains in Q4 2018 were categorised by Proofpoint as suspicious or unverified. A significant proportion of BEC emails are sent on Monday mornings – partly to avoid the suspicion that might attach to messages sent outside office hours but also, perhaps, to take advantage of people’s more relaxed attitudes immediately following the weekend. The report is here: http://bit.ly/2vKFucW.

Finally, nine men were arrested in the US on charges related to BEC and romance scams plus fraud involving a Russian oil deal, all of which are said to have netted them $3.5m. “The common denominator in all three schemes was the defendants’ alleged fleecing of their victims through fictitious online identities,” said US Attorney Geoffrey Berman in a statement.

Dark markets busted

Two more dark markets – underground marketplaces operating via the dark web – have been taken down by law enforcement agencies.

Investigators in Germany, the Netherlands and the US collaborated to take down the Wall Street Market (WSM), with arrests of three German nationals and a Brazilian man, all of whom are in custody in Germany. The WSM was one of the world’s largest dark markets, trading in illegal drugs, counterfeit goods and . The market, which operated in six languages, had an estimated 5,400 vendors selling to 1.15 million customers worldwide.

The WSM was run for three years, but it’s alleged that the three German operators were in the throes of executing an ‘exit scam’. This is where they abandon the site while stealing all crypto-currency funds held in escrow and accounts. According to prosecutors, these three men diverted $11m worth of virtual currency into their own accounts. The defendants are facing charges in both Germany and the US. A further two people, accused of selling narcotics via WSM, have been arrested in Los Angeles.

As the takedown operation was in progress, one of the site’s moderators, going by the handle Med3l1n, began contacting vendors and customers, threatening to reveal details of their illicit activities unless they paid a ransom – typically 0.05 bitcoins (around $280). The US Justice Department alleges that Med3l1n is Marcos Paulo De Oliveira-Annibale of Sao Paulo, Brazil, who has been indicted in the US District Court in Sacramento, California. He’s also facing federal drug distribution and money laundering charges.

Meanwhile, in Finland, the country’s Customs authority said it had shut down the servers of Silkkitie, also known as the Valhalla Marketplace, which had been operating since 2013. There are no reports of arrests although the Finnish authorities said that the takeover of the servers had resulted in the seizure of a significant amount of Bitcoin crypto-currency. They also commented that the operators of the site had been seen moving to other dark websites, including WSM.

“These two investigations show the importance of law enforcement co-operation at an international level and demonstrate that illegal activity on the dark web is not as anonymous as criminals may think,” said Europol executive director, Catherine De Bolle.


Report Analysis

Malwarebytes Labs: Q1 2019 Cybercrime Tactics and Techniques

Cybercrime is a plague that affects all parts of society – businesses and individuals alike. Yet there are distinctions to be made in the nature of the threat facing different elements of society.

Common criminals, looking to make a fast, illicit buck have historically gone after individuals – via spam, phishing, ransomware and the other tricks of the digital con-man. Businesses have more typically been the target of more sophisticated attacks.

These distinctions have always been blurred somewhat: phishing, for example, is often the first stage of an advanced persistent threat attack or a business email compromise (BEC) scam aimed at a business. And the threat landscape constantly morphs. Over the past couple of years, for instance, we witnessed the focus of ransomware attacks shift from individuals to businesses, as criminals realised the latter have deeper pockets. Then we saw ransomware attacks fall off entirely as other forms of attack, notably BEC, came into vogue.

Malwarebytes’ latest report, with figures drawn largely from telemetry from its business and consumer security products, shows how this evolution is continuing, with cyber criminals leaning more towards setting their sights on businesses and with two threats being particularly prevalent – the widespread use of the Emotet trojan and a return of the ransomware menace.

“Threat actors are continuing to eye businesses for high returns on investment,” says the report in its introduction, “breaching infrastructure, exfiltrating or holding data hostage and abusing weak credentials for continued, targeted monitoring. From a steadfast increase of pervasive trojans, such as Emotet, to a resurgence of ransomware lodged against corporate targets, cyber criminals are going after organisations with a vengeance.”

The figures from Malwarebytes show a 195% increase in ransomware detections – that is, attempted attacks – caught by enterprise defensive systems. On the other hand, ransomware targeted at individuals remains at a low level, malware aimed at consumers has dropped by 40% and crypto-mining has all but disappeared. The latter, says the report, is in no small part due to the demise of Coinhive. This was a crypto-mining operation that was employed in a (more or less) legal fashion by websites to use their visitors’ CPU cycles to generate crypto-currency. But it was also heavily abused. When Coinhive shut its doors, much illicit crypto-mining went with it.

“There’s been a definite shift in the cyber landscape in recent years,” says Marie Clutterbuck, CMO at Tectrade. “Cyber criminals have changed their focus from consumers to businesses. Zero-day attacks are on the rise and estimated to be a daily occurrence by 2021. This is largely down to digitisation within organisations and there’s more pressure on developers to deliver software faster, leaving systems vulnerable. This problem is exacerbated by hackers becoming more sophisticated, enabling them to bypass defences more easily.”

The shift in focus towards business should not come as a surprise, comments Andy Baldwin, VP EMEA at Ivanti. “When it comes to an enterprise business, a threat actor is able to steal a larger quantity of data, such as credit card information or health records, or ransom a large number of systems in order to get a higher pay-out,” he says. “A consumer would not be willing to pay much to unransom their system, but a business can easily be convinced to pay £50,000 to recover a large number of systems.”

As cyber criminals change their tactics, so too must enterprises. “IT teams often prioritise stopping a breach occurring at all, but in today’s cyber climate a successful breach is inevitable,” says Tectrade’s Clutterbuck. “The most important aspect of cyber security is that businesses prepare for the worst and have effective data recovery and back-up systems in place. Zero-day recovery makes sure critical systems are down for as little time as possible. It’s often true that real damage from these breaches doesn’t come from the attack itself, but the resultant downtime after a breach.”

Individuals have always presented criminals with an easy target because of a general lack of knowledge about, or investment in, protective measures. Your average computer user probably knows enough about the threat to pay for an anti-malware package, but not enough to keep it, and other software, fully patched. You might think that enterprises would be better protected but that’s not always the case.

“The expectation is that large organisations have the resources to implement strong security controls,” says Baldwin. “Having the resources, and applying the right priorities for investment in security, unfortunately, are two different things. Project priorities tend to focus on supporting business strategies rather than preventing attacks. And yet a successful cyber attack does a lot more damage than a delayed business SAP implementation, for example. As a result, the cyber criminals are seeing greater potential for success – both in hacking business systems, as well as the rewards associated with this – so they are investing more of their time and efforts into this strategy.”

The report is available here: https://go.malwarebytes.com/q1-2019-ctnt-report-lp.html.

[Figure: Top 10 countries for malware detections. Source: Malwarebytes Labs.]


In brief

Israel bombs alleged Hamas hackers
In the first known example of a nation mounting a ‘kinetic’ response to alleged hacking attacks, aircraft of the Israel Defence Forces (IDF) bombed a building in the Gaza Strip which, it said, housed a Hamas cyber operation. No details were offered about the activities of the Hamas group, but an IDF statement claimed that its own cyber unit, in co-operation with Israel’s Shin Bet security service, had successfully repelled a cyber attack from hackers which it said it had traced to the building in the Gaza Strip. Even though the alleged cyber attack was not successful, Israel took the decision to respond with an air strike rather than ‘hacking back’. This has raised questions in the international community over the proportionality and legality of the military action. “The scarce official announcement suggests that the potential cyber attack has been thwarted using technical means. That will make analysts wonder what was the point, and justification grounds for using kinetic force,” commented Dr Lukasz Olejnik, an independent cyber security, privacy advisor and research associate at the Centre for Technology and Global Affairs, Oxford University.

TA505 targets financial firms
Security firm Cybereason has uncovered a major hacking campaign by a group known as TA505. Believed to be responsible for the information-stealing malware Dridex and the Locky ransomware, TA505 is now engaged in a highly targeted spear-phishing campaign aimed at financial services companies. The attacks are notable for their advanced techniques, which include the use of signed executables and ‘living off the land’ binaries (LOLBins), which exploit existing, legitimate software present on the target’s computer, partly to achieve persistence. The attackers focus on just a few targets within each company, using careful timing to maximise their chance of success. They are also careful to clean up after an attack, including using self-destruct mechanisms to prevent analysis of the malware. The malware is signed and verified by the Sectigo RSA Certificate Authority, with this happening just hours before an attack in some cases. There is more information here: http://bit.ly/2DUKMr3.

IoT risks
Research by the Ponemon Institute, sponsored by risk management firm the Santa Fe Group, shows a dramatic increase in data breaches arising from unsecured Internet of Things (IoT) devices. Since 2017, such attacks have increased 26%. A quarter of firms reported a data breach and 24% reported a cyber attack due to an unsecured IoT device or application in the last year, up from 15% and 16% … experienced a cyber attack caused by a third party’s unsecured IoT devices in the last year. And things are not likely to get better any time soon – 87% of respondents said it’s likely their own organisations will experience a cyber attack such as a denial of service caused by unsecured IoT devices or applications in the next 24 months, and 84% expect their organisations to experience a data breach for the same reason.

Quick response for US agencies
The US Department of Homeland Security has issued Binding Operational Directive 19-02 which now requires all federal agencies and departments to fix critical vulnerabilities in Internet-exposed systems within 15 days of detection and high-severity flaws within 30 days. This effectively halves the time permitted to fix Internet-facing issues. Actions will be monitored by the Cybersecurity and Infrastructure Security Agency (CISA). Full details are here: https://cyber.dhs.gov/bod/19-02/.

Trump issues executive order
US President Donald Trump has issued an executive order aimed at improving cyber security co-ordination and training within government and the military. The order directs the Secretary of Homeland Security to create a scheme providing for the rotation of cyber security staff between organisations to help build broader experience and share insights. It also calls for the use of the National Initiative for Cybersecurity Education (NICE) and NIST’s Cybersecurity Workforce Framework to gauge the skills of industry practitioners and instructs the Director of the Office of Personnel Management (OPM) to compile a list of cyber security aptitude tests that agencies can use to evaluate practitioners. There will also be an annual competition among agencies. This move comes a year after Trump suddenly, and without explanation, eliminated the position of cyber security co-ordinator, a role established by the Obama administration. The order is here: http://bit.ly/2vHKRcW.

Office 365 takeovers
Account takeovers (ATOs) of Office 365 accounts have been used to mount major attacks, according to research by Barracuda. The firm found that around 4,000 accounts that had been compromised within a single month were exploited to launch attacks such as spear-phishing, business email compromise (BEC) and malvertising. Gaining control of accounts involved a combination of “brand impersonation, social engineering and phishing,” according to Barracuda’s report. The attackers would often impersonate high-profile companies such as Microsoft to convince account owners to … special mail rules to mask their activity. Around a quarter of the IP addresses used during suspicious logins were based in China, with others located in Brazil (9%), Russia (7%), the Netherlands (5%), and Vietnam (5%). There’s more information here: http://bit.ly/2Y7w7jC.

Police warn schools
Police forces in Scotland have written to every secondary school in the country warning them that children are increasingly being targeted for recruitment as ‘money mules’ for cyber criminals. Mules are people used by criminal gangs to ‘cash out’ – for example, by using cloned payment cards at ATMs to withdraw funds, cashing in gift cards and so on. Cyber criminals have long recruited mules via spam campaigns, social media and – increasingly – WhatsApp messages. They offer easy money for ‘working at home’, with the mules sometimes not realising they are part of a cybercrime operation. “The fraudsters involved in orchestrating mule accounts are often from serious organised crime groups and any involvement with them can be dangerous,” said Detective Inspector Graeme Everest of the Organised Crime and Counter Terrorism Unit (OCCTU). “There are victims affected by fraud across Scotland and this can have a devastating effect on people financially and emotionally. It isn’t a victimless crime and by laundering money gained from these victims, you are playing a part in this.” Money mules have received sentences of as much as 14 years.

Ethereum brute forcing
Researchers at Independent Security Evaluators (ISE) have discovered that it’s possible to brute force private keys being used for the Ethereum blockchain, and that this is facilitating theft of the crypto-currency. ISE was able to identify 732 actively used private keys as a result of poor key generation practices by Ethereum users. It also noted that 13,319 Ether (ETH) was transferred to invalid destination addresses (and thus lost forever) as well as to wallets derived from weak private keys which were targeted for theft. This represents a loss of $18.9m at peak prices for the crypto-currency. There’s more information here: http://bit.ly/2V2HLKU.

People cause cloud breaches
Nine out of 10 data breaches involving cloud services are caused by people, not issues with the platform or technology, according to new research by Kaspersky Lab. While organisations place a lot of attention on ensuring that cloud services assume responsibility for the security of data on their services, data breaches mostly occur as a result of social engineering attacks against the organisations’ own staff.
This is true in 88% respectively in 2017. And more IoT exploits are visit web pages where they had set up fake of cases with smaller firms and 91% of cases being reported at the third-party level: 18% of login pages. Once they were able to access an involving enterprises. The report is here: http:// companies experienced a data breach and 23% account, the hackers would then establish spe- bit.ly/2VmGALm.

Computer Fraud & Security, May 2019

FEATURE

How readable are data breach notifications?

Stephen Jackson, University of London

Data breaches – broadly defined as incidents where protected data that is considered sensitive and confidential has been disclosed, accessed and/or altered in an unauthorised manner – present a growing threat to society and organisations. While much of the focus to date has been on technical countermeasures, particularly the ways to prevent and detect security threats associated with data breach incidents, we also need greater insights into the readability of the notification response used by firms to alert affected consumers after a suspected incident has taken place.

The proliferation of data breaches has led to the creation of mandatory data breach notification laws. The need for mandatory data breach notification was first introduced by the state of California back in 2002 (enacted 2003). This was largely in response to the growing number of data breaches putting consumers’ personal and sensitive information at risk from hackers, accidental loss or misplacement.

Since 2018, all US states have endorsed legislation requiring private and government entities to notify individuals who may be victims of a data breach involving their personal information.1 Emerging from the US, mandatory data breach notification laws have spread worldwide, including, for example, Australia, Canada, South Korea, Philippines and European countries, among others. Interestingly, as a result of strict notification regulations, as well as being enforced across all states, US firms amass the highest data breach notification costs at £740,000.2

While laws can differ between and even within countries, companies are typically required to notify consumers, usually in writing, if they have been subjected to a data breach. Often the purpose of these laws is to ensure that firms provide consumers with accurate and timely information concerning the incident, with much advice recommending that notifications should be written in a clear manner which, one would expect, are easy for consumers to read. This raises an interesting question: how readable are data breach notifications? Before attempting to answer this question, let’s briefly examine the concept of readability.

Readability

Readability is concerned with how difficult it is for one to understand a message in relation to the writing style.3,4 In order for a message to be comprehensible, it must be written (encoded) in a way which is easy for individuals to understand at the moment of decoding.5,6 If the message is offered in a manner that is overly convoluted and exceeds the capacity of the reader to grasp, the consequences can be a restriction in the decision-making capabilities of the intended readers or poor knowledge absorption.7

In assessing reading difficulty, a common approach is to use a readability formula. For this study, the Flesch Reading Ease test was used. The Flesch test is among the most common methods for assessing the readability of a passage in English.

Figure 1: Data breach notification costs, in US$ millions. The Middle East includes the UAE and Saudi Arabia. ASEAN includes Singapore, Indonesia, Philippines and Malaysia. Source: Ponemon Institute.

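As an added illustration of the Flesch Reading Ease test introduced above (example code, not part of the original article or of the UsingEnglish.com tool the author used), the following scores two constructed drafts of the same breach notification. The formula constants are those published by Flesch (1948, reference 8) and the Flesch-Kincaid grade formula is the standard one; the syllable counter is a simple vowel-group heuristic assumed for this example, the interpretation bands are the standard Flesch table, and the grade 8 target follows the guidance quoted in the article.

```python
"""Flesch Reading Ease for a data breach notification (added example)."""
import re

# Standard interpretation bands for the Flesch Reading Ease score:
# (lower bound, label). Anything below 30 is "very difficult".
FLESCH_BANDS = [
    (90.0, "very easy"),
    (80.0, "easy"),
    (70.0, "fairly easy"),
    (60.0, "standard"),
    (50.0, "fairly difficult"),
    (30.0, "difficult"),
]

# Guidance quoted in the article: aim for grade 8 so that the letter can
# be read by most of the US population.
TARGET_GRADE = 8.0


def count_syllables(word: str) -> int:
    """Rough syllable count: vowel groups, minus one trailing silent 'e'.

    This heuristic is an assumption of the example, not the method of the
    analyser cited in the article; it is good enough to show how word
    length drives the score.
    """
    w = word.lower()
    n = len(re.findall(r"[aeiouy]+", w))
    if n > 1 and w.endswith("e") and not w.endswith(("le", "ee")):
        n -= 1
    return max(n, 1)


def text_stats(text: str) -> dict:
    """Count sentences, words and syllables in a passage of English."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z']+", text)
    return {
        "sentences": max(len(sentences), 1),
        "words": max(len(words), 1),
        "syllables": sum(count_syllables(w) for w in words),
    }


def flesch_reading_ease(text: str) -> float:
    """Flesch (1948): 206.835 - 1.015*(words/sentences) - 84.6*(syllables/words)."""
    s = text_stats(text)
    asl = s["words"] / s["sentences"]   # average sentence length
    asw = s["syllables"] / s["words"]   # average syllables per word
    return 206.835 - 1.015 * asl - 84.6 * asw


def flesch_kincaid_grade(text: str) -> float:
    """US school grade needed to read the text (Kincaid et al., 1975)."""
    s = text_stats(text)
    asl = s["words"] / s["sentences"]
    asw = s["syllables"] / s["words"]
    return 0.39 * asl + 11.8 * asw - 15.59


def flesch_band(score: float) -> str:
    """Map a reading ease score to its interpretation band."""
    for floor, label in FLESCH_BANDS:
        if score >= floor:
            return label
    return "very difficult"


def assess_notification(text: str) -> dict:
    """Score a draft letter and flag it if it misses the grade 8 target."""
    score = flesch_reading_ease(text)
    grade = flesch_kincaid_grade(text)
    return {
        **text_stats(text),
        "reading_ease": round(score, 1),
        "band": flesch_band(score),
        "grade": round(grade, 1),
        "needs_rewrite": grade > TARGET_GRADE,
    }


# Two constructed drafts of the same notification (not real letters).
LEGALESE_DRAFT = (
    "Pursuant to applicable statutory notification requirements, we are "
    "writing to inform you that an unauthorised third party potentially "
    "accessed certain personally identifiable information maintained "
    "within our systems."
)
PLAIN_DRAFT = (
    "We had a data breach. Your name and email were taken. "
    "Please change your password today."
)

if __name__ == "__main__":
    for label, draft in (("legalese", LEGALESE_DRAFT), ("plain", PLAIN_DRAFT)):
        print(label, assess_notification(draft))
```

The one-sentence legalese draft scores well below 30 (very difficult), while the plain draft lands in the very easy band; the article's reported mean of 45 falls in the "difficult" band.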

Drawing on two core measures (word length and sentence length), Flesch assesses how difficult a passage in English is to read.8 To calculate the Flesch score, the Advanced Text Analyser tool from the website UsingEnglish.com (which provides advanced readability resources and tools for researchers) was utilised. The use of a computerised tool to calculate the Flesch score was chosen as this method is deemed to be more precise and consistent than by manual calculation.9

The formula to calculate the Flesch Reading Ease is:

Figure 2: Flesch Reading Ease interpretation.

For the Flesch Reading Ease test, the higher the reading ease score, the easier it is to read the text. Alternatively, the lower the reading ease score, the more difficult it is to read the text.

Analysing results

As part of an investigation examining the readability of data breach notifications to consumers following a data breach incident, 521 US notification letters across various sectors, including education, finance, healthcare, retail, service, technology and travel/hospitality, were analysed. Since US firms encounter the highest notification costs and data breach notifications can be easily accessed from Attorney General websites, it was decided to focus on that country.

Thirty-four out of 521 data breaches were associated with public firms and the average firm size consisted of 200-1,000 employees. The results reveal the mean Flesch Reading Ease score to be 45, with results falling within the range 30 (very difficult/difficult) to 71 (fairly easy). Although much guidance advises that notification should be written in a manner that is clear and straightforward, these results indicate that the majority of firms use a writing style that is difficult to read.

To put the results into perspective, the recommended readability in terms of typical education level is grades 7-8, with guidance advising that businesses should strive for grade 8 to enable the message to be read by 80% of the US population.10,11 In a separate study, which examined the readability of data breach notifications in conjunction with firm characteristics and the severity of the data breach incident, the findings revealed that the greater the data breach severity, the higher the reading complexity of the breach notification becomes.12 More severe data breach incidents were associated with higher financial, reputational and legal costs, as well as long-term organisational impact. In addition, the results revealed that privately owned firms were more inclined to craft less-complex data breach notification responses, and there was a tendency for larger firms to produce letters that consist of fewer words, fewer unique words, and slightly longer words.

Interpreting the results

This raises an important question: why do business managers write in more complex ways when crafting data breach notification responses? As a way of addressing this question and interpreting the results, three possible explanations drawn from the readability literature are considered: a) bad writing; b) information assumption; and c) impression management.

Rather than assuming that complex writing practices are a product of deliberate manipulation whereby managers intentionally set out to write in a convoluted manner, reading difficulty can be the product of bad writing practices through the use of overly complex words. While there can be many explanations for bad writing in the workplace, in the context of data breach incidents, some of the key reasons may be lack of knowledge about the causes and/or outcomes of the data breach incident, inadequate resource provision or dearth of experience in communicating data security issues.

A second possible explanation, referred to here as the information assumption, is that data breach incidents may be difficult to describe, thus requiring more complex words – or those crafting the response believe that those affected by the incident will require (and demand) more complex writing and terminology. Managers may deliberately increase the complexity of their vocabulary so as to reassure consumers that the business managers know what they are talking about.

A third explanation for the results relates to impression management. As data breaches can be a form of negative news for organisations, it is important that those disclosing the data breach attempt to frame the communication in a way that makes the firm look as good as possible.13 Consequently, it may be the case that firms are deliberately manipulating the information by making the writing more difficult as a way of masking the implications of the situation, distracting the reader from the significance of the event and discouraging them from reading further.14

If impression management is at play, why would organisational managers, in the case of data breaches, want to engage in these types of behaviours or tactics? In the US, for example, unlike other types of security vulnerabilities – which, from a regulatory perspective, do not always have

to be reported – companies have a legal obligation to follow specific actions when responding to and reporting data breaches.15 Since data breach incidents are in the public eye, it may be the case that managers are more inclined to engage in impression management compared to other IT security incidents. As a firm’s performance can be associated with financial incentives (eg, cash bonuses, remuneration packages, tenure, salary), managers may have a financial incentive to make the reading difficult as a way to protect their reputation, prospects and compensation and/or maximise material outcomes.

Implications

If mandatory data breach notification letters are being drafted in ways that are too complex, this runs the risk of undermining the quality and purpose of such notifications. More specifically, consumers, as members of society, may not be effectively informed of the facts pertaining to the data breach incident, as well as the inability to take appropriate and effective remedial measures. Furthermore, consumers may need to take more time to read and fully understand the data breach notification, particularly the impact that the breach will have on their personal data and the actions they may need to take. It may be useful for business managers and regulators to develop better policies and clearer incident response mechanisms by promoting educational programs re what data breach notifications should be comprised of.

The Flesch readability test, among other readability measures, is a useful starting point for gauging the reading complexity of a piece of text. What might be surprising is that readability measures, including the Flesch test, are often part of common word processing packages. Readability scores can provide writers with useful information regarding how complex the message is for the intended audience, and if necessary, allow them to redraft the response in a more straightforward manner.

Merely providing additional information relating to the disclosure will not improve the overall communication. Instead, improvements to the readability are needed to increase the clarity and transparency of the disclosure communication.

About the author

Stephen Jackson is a senior lecturer in technology and information management at Royal Holloway, University of London. Prior to joining academia, he worked in the area of computer forensics for a ‘big four’ accounting firm on a variety of assignments across various sectors in Europe and Asia. His current research interests include data breaches and the management of IT projects. He can be reached at [email protected].

References

1. ‘Brown Rudnick alert: All US states now require breach notification and more mandate cyber security measures’. Mondovisione, 10 Apr 2018. Accessed Feb 2019. www.mondovisione.com/media-and-resources/news/brown-rudnick-alert-all-us-states-now-require-breach-notification-and-more-ma/.
2. ‘2018 Cost of a data breach study: Global overview’. Ponemon Institute, Jul 2018. Accessed Feb 2019. https://databreachcalculator.mybluemix.net/assets/2018_Global_Cost_of_a_Data_Breach_Report.pdf.
3. Klare, G. ‘The measurement of readability’. The Iowa State University Press, Ames, Iowa, 1963.
4. Pound, GD. ‘A note on audit report readability’. Accounting and Finance, Vol.21, Issue 1, 1981, pp.45-55.
5. Bayerlein, L; Davidson, P. ‘The influence of connotation on readability and obfuscation in Australian chairman addresses’. Managerial Auditing Journal, Vol.27, Issue 2, 2011, pp.175-198.
6. Hall, S. ‘Encoding/decoding’. In Hall, Hobson, Lowe & Willis, ‘Culture, media and language: Working papers in cultural studies, 1972-1979’ (pp.128-138). Hutchinson, 1980.
7. Courtis, J. ‘Readability of annual reports: Western versus Asian evidence’. Accounting, Auditing and Accountability Journal, Vol.8, Issue 2, 1995, pp.4-17.
8. Flesch, R. ‘A new readability yardstick’. Journal of Applied Psychology, Vol.23, 1948, pp.221-233.
9. Bakar, AS; Ameer, A. ‘Readability of Corporate Social Responsibility Communication in Malaysia’. Corporate Social Responsibility and Environmental Management, Vol.18, Issue 1, 2011, pp.50-60.
10. Casola, C. ‘Content, readability, and understandability of dense breast notifications by state’. The Journal of the American Medical Association, Vol.315, Issue 16, pp.1786-1788.
11. Colmer, R. ‘The Flesch reading ease and Flesch-Kincaid grade level’. Readable. Accessed Feb 2019. https://readable.com/blog/the-flesch-reading-ease-and-flesch-kincaid-grade-level/.
12. Jackson, S; Vanteeva, N; Fearon, C. ‘An investigation of the impact of data breach severity on the readability of mandatory data breach notification letters: Evidence from US firms’. Journal of the Association for Information Science and Technology. In press.
13. Veltsos, J. ‘An analysis of data breach notifications as negative news’. Business and Professional Communication Quarterly, Vol.75, Issue 2, 2012, pp.192-207.
14. Courtis, J. ‘Annual report readability variability: Tests of the obfuscation hypothesis’. Accounting, Auditing & Accountability Journal, Vol.11, Issue 4, 1998, pp.459-472.
15. Brew, K. ‘What’s the difference between a data breach and a security incident?’ AlienVault, 30 Dec 2014. Accessed Feb 2019. www.alienvault.com/blogs/security-essentials/whats-the-difference-between-a-data-breach-and-a-security-incident.

FEATURE

Gamification as a winning cyber security strategy

Brad Wolfenden, Circadence

We are more connected than ever before. Our smart TVs and refrigerators, phones and drones, online bank accounts and electronic health records, and so much more, are on the web and in the cloud – connected and ‘talking’ to each other. While creating convenience for the end user, this growing interconnected digital footprint creates a ripe surface for a cyber criminal to attack.

Why? The more devices we connect to each other, the more difficult it becomes to attribute where a threat is coming from, not to mention the increased number of entry points for exploitation.1 And that means the bad guys are more likely to get away with their attack before defenders even know what’s happening. Just like in some video games, consumers and business leaders find themselves battling the consequences of interconnectivity and are trying to keep the opponent from exploiting their information and damaging their reputation. In this ‘game of protection’ to balance defensive and offensive security techniques, now is the time for CISOs and business leaders to reach for a new cyber security manual – one that leverages gamification.

Gamification, a popular buzzword in the technology sphere, is now gaining momentum as a learning strategy both in academia and across the enterprise for professional development. It’s commonly defined as a process of adding game-like elements to something. In short, gamification integrates aspects of gaming – eg, chat boxes, leaderboards, levelling up, unlocking badges, etc – into real-world, virtual environments.

The term was originally coined in 2002 by British computer programmer Nick Pelling and hit the mainstream when a location-sharing service called Foursquare emerged in 2009 (at Austin, Texas’ SXSW, no less), offering gamification elements such as points, badges and ‘mayorships’ to motivate people to use their mobile app to ‘check in’ to places they visited. The term hit buzzword fame in 2011 when Gartner officially added it to its Hype Cycle list.2

Hands-on activity

But gamification is more than just adding gaming elements to an environment or scenario. It is adding those elements in ways that prompt our human desires to socialise, achieve, and master and build skills and status. Think about your favourite game. Maybe it is a board or card game, sport or even a computer or video game. Why can’t you stop playing it? Because you are rewarded in some way for ‘good’ actions and that makes you feel notable. This kind of positive reinforcement motivates humans and offers tangible – often immediate – evidence of our progress.

New learning methods are now more important than ever. The 21st Century has introduced five generations (ie, Gen Z, Millennials, Gen X, Baby Boomers, the Greatest Generation) into the workforce, with shifts being experienced in the employer-employee dynamic. Gamified activity is hands-on activity and it taps into the ‘learn by doing’ approach that is the natural way humans learn even the most basic of skills, such as walking, using a keyboard, driving a car, cooking etc.

The next generation of cyber professionals is also the first digitally native generation. Beyond video games, these people have been raised with educational smart apps, classroom smart boards and shared Google Docs. It is second nature for them to socialise as they play and as they learn, and to broadcast their achievements on social platforms, gathering informal ‘likes’ and sharing formal ‘certs’ to validate their efforts.

These activities allow employers to create ways to make learning, team building and skill-proving cyber security fun. Cyber challenges, code sprints and other gamified activities and competitions hold enormous promise in both the public and private sectors and can be used in all phases of the employment lifecycle. This includes supporting organisational needs for candidate supply, assessing skills with a more engaging candidate experience, as well as from a career development strategy to upskill existing talent.

It isn’t all about Gen Z though; learn-by-doing models are advantageous to professionals of all generations, from millennials to mid-career workers because gamification is more than the new, shiny object on the heels of artificial intelligence and machine learning. As a learning strategy, gamification is proving its effectiveness both for knowledge retention and for encouraging

re-engagement of perishable skills, making them more ‘sticky’ – two critical necessities for cyber teams in the wake of imminent and evolving cyberthreats.

Cyber ranges

In cyber security, gamification can manifest within cyber ranges – that is, virtual environments that provide simulations of real-world networks, systems and tools for professionals to safely test and train in a closed environment that does not compromise the stability and security of production networks.3 The National Initiative for Cyber Security Education reports that ranges provide:
• Performance-based learning and assessment.
• A simulated environment where teams can work together to improve teamwork and capabilities.
• Real-time feedback.
• Simulated on-the-job experience.
• An environment where new ideas can be tested and teams work to solve complex cyber problems.

Cyber ranges were initially developed for government entities looking to better train their workforce with new skills and techniques. Today, cyber ranges are known to effectively train the cyber workforce across industries from healthcare to government or financial institutions. Individuals and teams can participate in a virtual environment at any time, creating comfortable social settings that allow them to practise and master skills, collaborate in team-based challenges and compete for leaderboard status in friendly situations. Users can apply what they know within the simulated environments or ‘worlds’, creating a natural flow that keeps them engaged and focused. The outcome is highly skilled and educated professionals who have better understandings of cyber best practices and can effectively apply learned knowledge to real-world situations.

As technology advances, ranges gain in their training scope and potential. Today, ranges are still primarily used as a ‘train as you would fight’ tool but businesses are finding other complementary uses for them as well, including hiring and retaining talent and promoting general security awareness.

Skills gap

Gamified cyber ranges can be used to recruit and assess incoming and prospective talent. This is important given the widening cyber skills gap the industry faces today. Currently there are over 300,000 open cyber positions across the US, according to CyberSeek.4 Recruiters can start filling these positions using gamification to compare prospective employees’ listed credentials on their resumé to what they actually know and apply in a real-life situation. This method can help hiring managers hire new talent with confidence and better evaluate their contributions to the workplace.

In addition, gamified cyber ranges can be used to raise general security awareness among staff. One does not need to have a technical certification or extensive background in cyber to engage on a range. Non-technical professionals are using ranges to educate themselves on security best practices and policies such as what a suspicious email looks like, how to tell if you are receiving a phishing email, or unintentionally installing malware, etc.

Humans are the weakest point in any security strategy. According to the ‘2018 Cost of Data Breach’ study by the Ponemon Institute, 25% of data breaches in the US were triggered by human error, including failure to properly delete data from devices.5 This is why gamification in cyber security is not only necessary but is an exciting way to engage all types of professionals in an important issue that impacts us all, from back-end tech developers to end-users.

Figure: The Cyber Seek heat map shows cyber security job availability across the US.


Cyber learning outcomes

The use of gamification in cyber learning is breaking ground as research and real-time results demonstrate its usefulness in hardening company cyber preparedness efforts. Hands-on activity puts learned knowledge to the test so that instructors and managers can identify gaps in performance and find ways to continuously improve – helping professionals do their jobs better and more efficiently. Additionally, the learn-by-doing approach helps users apply concepts to real-world exercises and scenarios, improving information retention rates to 75% compared to 5% through more lecture-based, passive-learning methods.6

Increasing information retention is critical for cyber security departments because there is a monetary cost associated with training professionals as well as the related potential costs associated with attacks that get past ill-equipped security teams. The cost of traditional offsite cyber training courses can carry a high price tag when you factor in travel and course materials as well as the impact of time away from the defensive frontlines. PowerPoint and ‘click-fest’ learning models often fail to truly engage students – they hear the concepts, retain a subset of the learning, but struggle to put the material into practice once back in the office.

Figure: Knowledge retention rates for different teaching methods. Source: Play to Teach.

In short, management are not truly getting the most ROI bang for their buck. These applied learning limitations are critical because according to an ESG/ISSA study, 70% of cyber security professionals claim their organisation is impacted by the industry skills shortage.7 Ramifications include an increasing staff workload, hiring and training junior personnel rather than experienced professionals, employee retention, and situations where teams spend most of their time dealing with the emergency du jour, rather than proactive planning.

When you think about the next evolution of cyber security readiness, gamification makes perfect sense.
• Game-like environments are more engaging than sitting and watching a lecture-based presentation.
• Completing realistic exercises on emulated networks with teammates promotes strategic problem-solving.
• Continuous learning hones skills in ways traditional courses cannot offer.

Gamification brings more to the table. Gamified learning environments also provide a safe space for trial and error, enabling cyber professionals to explore new techniques and think outside the box. Both outcomes are extremely important to professionals’ ability to think on their feet and react quickly but strategically to new threats and attacks.

In conclusion

What we need now are open minds: minds that embrace the power of people to drive better security solutions; that understand today’s cyber skills shortage demands automated and augmented approaches to job efficiency; and that know how to beat the hackers at their own game. With gamification and through gamified learning we can evolve the industry for the better. A workforce that is dedicated to continuous learning demonstrates a spirit of problem-solving, exploration and discovery vital to cyber security work.

In today’s interconnected business world, made more vulnerable with every new connection and sync, we have a lot to be fearful about – but we also have a lot to be excited about. Unique innovations, advances in artificial intelligence and machine learning and gamification are paving new pathways for security professionals to win the cyber security ‘game’. It is a pathway, a playbook, an approach that is sustainable, persistent

Computer Fraud & Security, May 2019

and proactive. When it comes to playing the game of protection, every second of increased information retention, skills application, badge rewards and problem-solving matters.

About the author

Brad Wolfenden is the director of cyber academic partnerships for Circadence and a technology leader in cyber security education, learning and assessment. He has built a successful portfolio of academic partners using a gamified cyber learning platform to drive increased awareness, engagement opportunities and dynamic, virtual learning environments for computer science and cyber security students at all proficiency levels. Ranging from K-12 to post-graduate programming, Wolfenden has designed, delivered and managed industry-academic-government partnerships focused on computer science and cyber security. He is a member of the NICE Working Group, the NICE Collegiate, Competitions, and K12 Subgroups, and a member of the Microsoft Education Partnership Advisory Council.

IoT security: could careless talk cost livelihoods?

Marc Sollars, Teneo

The rise of the Internet of Things (IoT) promises exciting capabilities for business but could it usher in risks that are difficult to assess, let alone deal with? In a world where companies can use Alexa to help set up new office IT, could unsecured IoT systems be the equivalent of careless talk giving away company secrets – and endangering livelihoods?

IoT-based advances such as real-time control of utilities' supervisory control and data acquisition (SCADA) systems, brands boosting customer service with machine learning and property firms providing personalised climates for offices show the exciting, innovation-shaping capabilities of these technologies. But if IoT systems – and the teams developing them – aren't brought into an overarching data and security strategy, these technologies could become a weak link in big companies' defences.

Demand for IoT is skyrocketing: Gartner forecasts that worldwide spending on IoT security will hit $1.5bn in 2018, up 28% on 2017. But risks are growing too: Symantec reported a 600% increase in attacks on IoT devices in 2017, while the US Family Online Safety Institute's research found that three in 10 parents had children potentially using Internet-enabled toys that share data. The potential for privacy breaches from poorly-secured IoT products is huge.1,2

The nub of these problems is that the IoT-enabled devices behind cutting-edge consumer and business products must talk securely to the company's core IT and business systems. Without this 'secure conversation', IoT's learning capabilities could simply enable hackers to carry out wider-scale attacks. The problem is only exacerbated by companies' complex network infrastructures and surging data volumes in our online world.

Planning IoT security

Given this bewildering picture, how should in-house operational, network infrastructure and data security teams mitigate IoT risks? Can in-house personnel realistically run expanded security and

network monitoring models? For all these reasons, IoT security presents a formidable challenge.

Addressing IoT system risks and dealing with them depends on companies developing regular risk analysis; bringing internal and external teams into IoT security planning; operating company-wide security policies; protecting network endpoints and segmenting networks; generally achieving far better awareness of what is going on in their corporate IT networks; and engineering enhanced network control and automation in the future.

Assessing the risk

Next-generation security begins with IT and security teams modelling 'what if' risk scenarios. These need to assess whether the IT or IoT development team has put the latest protection on systems and IoT devices and whether the various networks are segmented. How, and how quickly, can internal teams identify potential issues from different categories of traffic on their networks? Securing IoT means making a step change in understanding how individual components communicate with back-end IT systems and getting sufficient network visibility to plan better risk mitigation and security policies.

[Figure] The types of Internet of Things (IoT) devices seen performing attacks against Symantec's honeypot systems. Source: Symantec.

The risks from failing to bring IoT into corporate security strategy are becoming clear. In a recent test, a children's toy could be hacked and used to track children's movements and listen remotely. Incidents like this could potentially sink a brand's reputation or lead to consequential losses from lawsuits.

With business data increasingly moving to the cloud, innovative companies will need fresh network insights if they are to fully grasp how their IoT systems communicate across the cloud and see how their security can be hardened.

In-depth security

Organising network security, especially analysing the data generated to help evolve security policies, is a big task given the explosion in networks and cloud services. Company WANs not only reach from enterprises to the cloud but also across cloud regions and different vendors. Increased mobile working also means more branch office and individual endpoint connections. And ever-wider connectivity options – such as MPLS, public Internet and 4G – also have to be managed for optimum performance and security.

Another factor is commercial pressure on companies to cut process costs and speed up time to market. It's likely that under-pressure in-house IT and security teams have quietly tried to fix security after a product's launch. Organisations must stay one step ahead of consumers and potential attackers to safely develop next-stage products and services – without their products or reputation being compromised.

IoT security and the advanced analytics required have to be embedded in a company's new product development (NPD) – and be robust enough to withstand commercial pressures and potential threats – from the start. These solutions must also be integrated with that under-realised challenge – getting a grip on today's complex global networking infrastructures. The overall task for global companies running global networks and cloud operations is naturally to defend in depth – based on network segmentation, employee access controls, reducing or controlling the level of remote access, strong password policies, use of encryption and separating sensitive networks, and using trusted and audited third-party contractors.

[Figure] Responses from parents of children aged 12 and younger. Source: Family Online Safety Institute.

But the real difference in effective security is being made in the crucial second part of the security task. This is when all that data arrives at the back end and IT teams try to understand whether hackers or criminals are piggybacking on that traffic – using logs, packet capture and traffic metadata – to access core business or IoT systems. But this second stage inevitably creates monitoring and analytics workloads that are often beyond the capabilities – and the budgets – of many internal IT and networking teams.

And as savvy enterprise IT teams demand more visibility of data and network traffic to assist this task, it's third-party networking and analytics experts that are giving corporate customers the extra resources and new insights to cope with this workload. Specialists will find gaps in the customer's networks and IoT set-up and identify solutions to harden the security all the way to the datacentre or the cloud: they give in-house teams the tools to get the IoT security job done.

As a result, we are already seeing global companies partnering with security vendors to protect IoT developments in their industrial platforms. There are readily available tools such as open source network traffic analysers being used for live event monitoring or as flexible analytical platforms for network performance measurement and trouble-shooting. These innovations give hard-pressed internal teams new options such as smarter post-processing or the use of alternative back-ends such as external databases for making added security checks.

As levels of incoming system and security data only increase, IT and security teams can bring in the people and systems to segment traffic and the corporate network fabric to ensure that the right data goes to the right place. As a result, corporate IT and security gain fuller visibility of traffic, events and suspicious behaviour on core and IoT networks and devices to feed into their security plans.

Enforcing policies

Companies are highly motivated with regards to security following high-profile hacks and the arrival of the General Data Protection Regulation (GDPR). But a lasting barrier to locking down IoT is the lack of understanding and co-operation between internal NPD, IT and security teams. As IoT is widely adopted, organisations need closer co-operation between operational technology professionals (dealing with IoT devices as part of NPD), IT and infrastructure teams (handling network infrastructure monitoring and optimisation) and security teams driving overall strategy and enforcement. Ad hoc thinking, such as NPD plugging gaps revealed by penetration tests, has to give way to co-ordinated company-wide policies.

While internal collaboration is improving, companies need to organise wider education and training on responsibilities for all internal teams, taking account of business goals, corporate and IoT security needs, desired solutions and analytics resourcing plans. IoT security demands that everyone pulls in the same direction.

Network segmentation

It's fundamental to securing IoT that enterprise networks and devices should not meet, since this creates many opportunities for unauthorised access to core networks via sensors and devices. Working with outside experts in network traffic segmentation, IT teams can define relevant controls, so that only desired traffic passes between systems or traffic takes only defined paths between zones.

In-house teams that enlist external specialists can better assess their networking landscapes and desired traffic flows and draw up enhanced segmentation policies. As well as supporting IoT security planning, this joint approach also reduces companies' industry and legal compliance workloads.
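The zone-policy check described above, as an added example written for this page (it is not Teneo's or any vendor's tooling). It applies a segmentation policy to connection records: zones are address ranges, the policy lists the inter-zone flows that are desired, and anything else crossing a zone boundary is reported as a violation. The zone ranges, the allowed flows and the log lines are all constructed for the example, and the tab-separated log format is assumed rather than taken from any product; the same evaluation is what the back-end analytics described under 'In-depth security' would run over real flow logs.

```python
import ipaddress
from collections import namedtuple

# Constructed zones: address ranges assumed for the example.
ZONES = {
    "iot": ipaddress.ip_network("10.20.0.0/16"),
    "corp": ipaddress.ip_network("10.10.0.0/16"),
    "mgmt": ipaddress.ip_network("10.99.0.0/24"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),  # catch-all
}

# Allowed inter-zone flows: (src_zone, dst_zone) -> set of "proto/port".
# Anything not listed is denied, so IoT devices get no direct Internet path.
POLICY = {
    ("iot", "corp"): {"tcp/8883"},            # MQTT over TLS to the broker only
    ("corp", "iot"): {"tcp/443"},             # device web UI from the office network
    ("mgmt", "iot"): {"tcp/22", "tcp/443"},   # management jump hosts
    ("corp", "internet"): {"tcp/80", "tcp/443"},
}

Flow = namedtuple("Flow", "ts src dst proto dport")


def zone_of(ip):
    """Most specific matching zone wins; 0.0.0.0/0 catches everything else."""
    addr = ipaddress.ip_address(ip)
    matches = [z for z, net in ZONES.items() if addr in net]
    return max(matches, key=lambda z: ZONES[z].prefixlen)


def parse_conn_log(lines):
    """Parse tab-separated 'ts src dst proto dport' records (constructed format)."""
    flows = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.rstrip("\n").split("\t")
        flows.append(Flow(ts, src, dst, proto.lower(), int(dport)))
    return flows


def evaluate(flow):
    """Classify one flow as intra-zone, allowed or violation."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return "intra-zone"  # the segmentation policy says nothing about these
    allowed = POLICY.get((src_zone, dst_zone), set())
    return "allowed" if f"{flow.proto}/{flow.dport}" in allowed else "violation"


def find_violations(lines):
    """Return (flow, src_zone, dst_zone) for every record the policy rejects."""
    return [(f, zone_of(f.src), zone_of(f.dst))
            for f in parse_conn_log(lines) if evaluate(f) == "violation"]


# Constructed sample log, not real traffic. The second record is an IoT
# sensor reaching a corporate SQL Server port; the third is an IoT device
# calling out to the Internet directly. Both should be flagged.
SAMPLE_LOG = """\
# ts\tsrc\tdst\tproto\tdport
1557000001\t10.20.4.7\t10.10.0.5\ttcp\t8883
1557000002\t10.20.4.7\t10.10.0.9\ttcp\t1433
1557000003\t10.20.4.8\t203.0.113.10\ttcp\t443
1557000004\t10.10.3.2\t10.20.4.7\ttcp\t443
1557000005\t10.99.0.3\t10.20.4.7\ttcp\t22
""".splitlines()

if __name__ == "__main__":
    for flow, src_zone, dst_zone in find_violations(SAMPLE_LOG):
        print(f"{flow.ts} {src_zone}->{dst_zone} "
              f"{flow.src}->{flow.dst}:{flow.dport}/{flow.proto} VIOLATION")
```

The policy is deliberately a whitelist: a flow that nobody wrote down is a violation until someone adds it, which is how the 'only defined paths between zones' rule stays enforceable as devices are added.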

Anticipating risks

Global businesses will always need to continually review their security posture and policies and drive enforcement. Can any IT or security team ever say that they have done enough without asking for outside help or more budget? For example, a business services company that has implemented firewalls and enabled endpoint security may struggle with the details of segmentation before it can take steps to achieving better IoT protection. There is a broad comparison with GDPR here: companies cannot develop perfect solutions but they can take practical steps and selectively use outside specialists to help ensure workable security systems.

And looking ahead, how do enterprises investing heavily in NPD and IoT strategies simplify their security planning? An important opportunity is coming with the growing use of software-defined wide area networks (SD-WAN) to put control layers over companies' different networks and components. This advance will bring benefits like IT teams better controlling WANs from a central point, clearer pictures of network issues and intelligent routing of traffic across networks. SD-WAN could enable companies to re-architect legacy networks and potentially gain greater insights into business applications and potential threats to them as the backdrop to long-term IoT development.

Companies excited by IoT's real-time capabilities need to ensure that their security is 'next generation' too. While investing in IoT innovations, enterprises need to enlist external analytics and security expertise to mitigate risks and realise their exciting commercial opportunity.

About the author

Marc Sollars is CTO of Teneo, a specialist integrator of next-generation technology. He is chief evangelist and plays a key role in identifying technologies that are early to market and can be integrated into the company's services portfolio. Sollars is on Twitter at @MarcatTeneo.

References

1. 'Internet Security Threat Report: Volume 23'. Symantec. Accessed Apr 2019. www.symantec.com/content/dam/symantec/docs/reports/istr-23-2018-en.pdf.
2. 'Connected Families: how parents think & feel about wearables, toys, and the Internet of Things'. Family Online Safety Institute. Accessed Apr 2019. www.fosi.org/policy-research/connected-families/.

How ethical hacking can protect organisations from a greater threat

By Scott Nicholson, director, Bridewell Consulting

As digital technologies become embedded in all aspects of life, cyber attacks can come from many directions. A significant proportion of these attacks pose serious risks to critical data, infrastructure and processes within all manner of organisations, both large and small.

The World Economic Forum (WEF) now regards cybercrime as one of the biggest threats to businesses and the economy, as noted in its Global Risks Report 2019.1 And it's no longer just large enterprises that are at risk. Hiscox estimates that small businesses alone are the target of 65,000 cyber attacks every day, which leads to a successful hack every 19 seconds and an average clean-up cost of £25,700 per year.2

Identifying where these attacks could come from should form part of any risk management process, and every organisation connected to the Internet must assume that it will be a victim sooner or later. Understanding this is the first step to assessing an organisation's vulnerabilities – but predicting how it could be compromised is not so easy.

Shifting landscape

The threat landscape is constantly shifting and businesses need to do all that they can to keep up to date. For instance, Symantec's latest report observes a decrease in ransomware activity for the first time since 2013.3 This shift is probably due to a decline in exploit kit activity and a move to email campaigns as the chief ransom-

ware distribution method. However, this exposes those organisations that are heavily dependent on email traffic – leading to enterprise infections increasing by 12%. Symantec also noted an increase in formjacking attacks, with an average of 4,800 websites compromised with formjacking code each month. It's often small and medium-sized retailers that have code injected into their sites, which can then spread globally to any business that accepts payments online.

[Figure] Of the top 10 short-term risks that respondents to a World Economic Forum survey expect to increase in 2019, cyber attacks appear at positions four and five. Other cyber-related risks in the top 10 include fake news and personal identity theft. Source: World Economic Forum.

Organisations also have to adapt their defence strategies as breaches can occur through the cloud, from vulnerabilities in hardware chips, through open source DevOps and by infecting Internet of Things (IoT) devices. And this adaptation is not an easy process for organisations to achieve, especially at a time when it is increasingly difficult to recruit and retain technically adept cyber security professionals.4

As a result, all organisations need to adopt a cyber security-aware culture that is supported at all levels, from board members to office juniors, and is embedded in all decision making. Having the right policies and procedures in place is critical and this should also include any employee-owned devices. Cyber security should certainly be part of any organisation's key values. Penetration testing is one way to make sure this happens.

White hat hacking

Hacking is often carried out for political purposes, criminal intent or sometimes just for notoriety or fun. However, all of these seek to exploit an organisation's vulnerabilities and are illegal. On the other hand, hacking for research – for example, the use of honeypots or authorised white-hat hacking – is legal.

[Figure] Ransomware attacks by market by month in 2018, showing a drop over the course of the year. Source: Symantec.

Penetration testing is a form of ethical hacking but, for clarity, in order for hacking to be classified as ethical there needs to be an agreement between the

ethical hacker and the organisation – with written approval from the organisation. Otherwise, according to the letter of the law – the UK's Computer Misuse Act 1990, for example – it's just hacking. More than that, any chosen security company should have the right credentials and qualifications, aligned with independent industry bodies such as CREST.

In essence, the ethical hacker's assessment of a system's security needs to answer key questions: what information can intruders see? What can they do with it, and does this all go unnoticed? There are also practical considerations such as how often the tests should be performed and which testing strategy should be deployed. Should the test be carried out internally or externally, in a targeted way, or as a blind or double-blind test? Each organisation will have a preference but, essentially, the penetration test will take one of four forms: web application; infrastructure; mobile device and mobile application; and red teaming.

[Figure] The average cost of a data breach, per record. Source: Ponemon Institute/IBM.

Web application penetration testing

This can be approached in several ways. It can be performed from the angle of an attacker who would initially know nothing about the configuration of the application (black-box testing). Or a full review of the external aspects and internal configuration of the application can be carried out, including such elements as APIs, databases and user configuration (white-box testing).

A typical test would consist of:
• Information gathering: outdated framework versions, hidden content, user enumeration.
• Configuration: HTTP methods and headers, old back-up references, sensitive information within client-side code.
• Secure communications: login and cryptography methods in use (SSL/TLS versions and certificates).
• Session management: cookie flags, scope and duration, session management.
• Authorisation: path traversal, privilege escalation.
• Data validation: testing for security vulnerabilities such as SQL injection (SQLi), cross-site scripting (XSS) and XML external entity (XXE) injection.

Infrastructure penetration testing

This method sees ethical hackers testing all elements of the infrastructure, from servers and routers to switches, firewalls and endpoints such as PCs and laptops. It should enable organisations to understand the security of their network from an internal and external perspective, and involves multiple manual and automated enumeration techniques to systematically compromise systems in scope to establish the current threat landscape.

A typical infrastructure penetration test will consist of the following activities:
• Planning and preparation: scoping.
• Discovery: host discovery; port scanning.
• Enumeration: service enumeration and fingerprinting; vulnerability assessment.
• Exploitation: compromise; privilege escalation.
• Clean up: removal of any files or tools that the penetration tester may have used.
• Report generation.
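How the 'configuration' and 'session management' items in the web application checklist above are checked in practice, as an added example written for this page (it is not Bridewell's tooling or anything from the article). It audits a captured HTTP response for dangerous methods admitted by the Allow header, session cookies missing the Secure, HttpOnly and SameSite flags, missing security headers, and version disclosure in Server and X-Powered-By. The weak response and its hardened counterpart are constructed for the example, and the required-header list is one reasonable baseline rather than a standard.

```python
from email import message_from_string

# Constructed sample: an OPTIONS response from a hypothetical application
# with a weak session cookie, risky methods and version-disclosing headers.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.15 (CentOS)\r\n"
    "X-Powered-By: PHP/5.4.16\r\n"
    "Allow: GET,POST,PUT,DELETE,TRACE,OPTIONS\r\n"
    "Set-Cookie: JSESSIONID=0A1B2C3D; Path=/\r\n"
    "Set-Cookie: csrftoken=abc; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# The same response after hardening: methods trimmed, flags set, headers added,
# version strings removed.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Allow: GET,POST,OPTIONS\r\n"
    "Set-Cookie: JSESSIONID=0A1B2C3D; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

DANGEROUS_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT", "PATCH"}
REQUIRED_HEADERS = {
    "Strict-Transport-Security": "HSTS missing: connections can be downgraded to plain HTTP",
    "Content-Security-Policy": "CSP missing: XSS impact is not contained",
    "X-Frame-Options": "X-Frame-Options missing: clickjacking possible",
    "X-Content-Type-Options": "X-Content-Type-Options missing: MIME sniffing possible",
}
COOKIE_FLAGS = ("secure", "httponly", "samesite")


def parse_response(raw):
    """Split a raw HTTP response into status line, header object and body."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    return status_line, message_from_string(header_block), body


def check_methods(headers):
    """Configuration: which dangerous methods does the Allow header admit?"""
    enabled = {m.strip().upper() for m in headers.get("Allow", "").split(",") if m.strip()}
    return sorted(enabled & DANGEROUS_METHODS)


def check_cookies(headers):
    """Session management: every cookie should carry Secure, HttpOnly and SameSite."""
    findings = []
    for cookie in headers.get_all("Set-Cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        findings.extend(f"{name}: missing {flag}" for flag in COOKIE_FLAGS if flag not in attrs)
    return findings


def check_headers(headers):
    """Configuration: required security headers present, no version disclosure."""
    findings = [why for name, why in REQUIRED_HEADERS.items() if name not in headers]
    for leak in ("Server", "X-Powered-By"):
        if leak in headers and any(ch.isdigit() for ch in headers[leak]):
            findings.append(f"{leak} discloses a version: {headers[leak]}")
    return findings


def audit(raw):
    """Run all checks over one response; empty lists mean nothing was found."""
    _, headers, _ = parse_response(raw)
    return {
        "dangerous_methods": check_methods(headers),
        "cookie_findings": check_cookies(headers),
        "header_findings": check_headers(headers),
    }


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(raw))
```

Each finding maps back to a checklist item, which is what the report needs: the tester records the evidence (the raw response) next to the control that failed, and the same script re-run against the fixed application gives the retest result.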

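The discovery, enumeration and vulnerability-assessment steps of the infrastructure test above, as an added example written for this page (not the article's or Bridewell's code). It starts two throw-away services on localhost so it can run offline, then connect-scans a port list, grabs banners, fingerprints them and checks the result against a tiny constructed 'known weak' table. The product name in that table is hypothetical and the SSH-1 rule is the only genuine check; a real engagement would scan the agreed scope with a tool such as Nmap and use a real vulnerability feed, but the pipeline is the same.

```python
import socket
import threading


def start_banner_listener(banner):
    """Start a throw-away TCP service on an ephemeral localhost port that sends
    `banner` to each client and hangs up. Returns the port. It stands in for a
    real host so the example runs offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass  # the scanner closed without reading; that is fine

    threading.Thread(target=serve, daemon=True).start()
    return port


def scan_ports(host, ports, timeout=0.3):
    """Discovery: a TCP connect scan. Returns the ports that accepted."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host, port, timeout=1.0):
    """Enumeration: read whatever the service volunteers on connect."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256).decode(errors="replace").strip()
        except socket.timeout:
            return ""


def fingerprint(banner):
    """Map a banner to service/protocol/version with simple rules."""
    if banner.startswith("SSH-"):
        proto, _, software = banner[4:].partition("-")
        return {"service": "ssh", "protocol": proto, "version": software}
    if banner.startswith("220 "):
        return {"service": "ftp", "protocol": "", "version": banner[4:]}
    return {"service": "unknown", "protocol": "", "version": banner}


# Vulnerability assessment. A constructed stand-in for a real feed: the SSH
# rule is genuine (a 1.x protocol string means the server still offers SSH-1),
# the FTP entry names a hypothetical product.
KNOWN_WEAK = {
    "ssh": lambda fp: fp["protocol"].startswith("1"),
    "ftp": lambda fp: fp["version"].startswith("ExampleFTPd 1.0"),
}


def assess(host, ports):
    """Discovery -> enumeration -> assessment for every open port in `ports`."""
    findings = []
    for port in scan_ports(host, ports):
        fp = fingerprint(grab_banner(host, port))
        weak = KNOWN_WEAK.get(fp["service"], lambda _: False)(fp)
        findings.append({"port": port, **fp, "weak": weak})
    return findings


if __name__ == "__main__":
    ssh_port = start_banner_listener(b"SSH-1.99-OpenSSH_4.3\r\n")
    ftp_port = start_banner_listener(b"220 ExampleFTPd 1.0 ready\r\n")
    # Scan a small window around the two ephemeral ports; closed ports in the
    # window are simply not reported.
    low, high = min(ssh_port, ftp_port) - 2, max(ssh_port, ftp_port) + 2
    for finding in assess("127.0.0.1", range(low, high + 1)):
        print(finding)
```

Note what the example does not do: it stops at assessment and never exploits anything, and it opens one connection per port, which is the footprint to agree in the scoping step before any scan of production systems.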

Mobile devices and applications

Mobile device penetration testing is the act of performing a security assessment against devices that access or hold sensitive information. It includes their physical security as well as performing penetration tests against applications created specifically for mobile devices, such as applications on the iOS and Android platforms – this type of testing is similar to a web application test.

Red teaming

Whereas ethical hacking focuses on testing one specific element of an organisation's infrastructure and has a particular goal – for example, gaining access rights to a system – red teaming takes things further. A red team engagement is a full-attack simulation that focuses on all areas of a business, from breaching networks and systems to using social engineering tactics and gaining physical access to premises and devices. It helps identify critical issues that need remediation. The simulation also takes a lot longer than traditional penetration testing, with engagements lasting from a few weeks to a few months.

Typically, at the end of the exercise, the findings are presented back to the organisation with steps and suggestions to remediate the gaps and vulnerabilities. If, however, a critical issue is identified early on, this is flagged immediately to the business so that it can be fixed.

As an example, red teaming was used recently to assess a large financial services organisation. The approach was agreed with the client beforehand and it involved multiple attack vectors and a team with various skill sets. Key to the approach was a reconnaissance phase that allowed the team to build a detailed picture of the client, understand any potential weaknesses and then plan a credible attack strategy. These attacks consisted of gaining physical access to the building and connecting to the client network and, later, the client's main customer database. Social engineering tactics were used to create fake LinkedIn profiles, deploy malware onto the client's laptops and gain access to a large set of personal data files.

When presented back to the board there were no arguments – the company retained the team to help improve the organisation's internal security architecture to identify and prevent similar attack scenarios in the future.

Assurance, accountability and commitment

Ethical hacking is gaining traction within organisations across different industries as a significant way to improve their security posture and demonstrate accountability. Sometimes it's even mandated by risk and compliance frameworks, such as the Payment Card Industry Data Security Standard (PCI DSS) and the UK Government's IT Health Check that enables public sector organisations to join the Public Services Network (PSN).

Most recently, penetration testing has been highlighted as a key part of the General Data Protection Regulation (GDPR). Article 32 of the GDPR includes the requirement that there needs to be "a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing".5

In the instance of the GDPR, it's easy to see why penetration testing is held in high regard. All organisations know that the associated fines following a breach are significant – as much as €20m or 4% of global annual turnover, whichever is higher. In the event of a breach, organisations need to demonstrate accountability, that they have put the right practices and processes in place to mitigate risk. Penetration testing is one of the ways they can show this accountability.

The value of ethical hacking

With the WEF confirming that cybercrime is one of the biggest threats to businesses, it does seem surprising that in a recent report only 38% of business leaders said that improving cyber security was a priority for their IT investment.6

These threats are not going to go away, so the key question for many businesses is: do we really need penetration testing? In today's environment, the answer will always be yes. Of course, penetration testing is seen as a costly exercise. However, as with most things, organisations need to balance the cost with the risk of an attack. For some, the cost of an attack is more tangible – for example, is the business heavily reliant on an online application to process personal data that can be stolen? Or is its network and infrastructure critical to the business? This makes

penetration testing an easier sell to the C-level executives or financial director. For others who don't process sensitive data, the impact of an attack or breach could include reputational damage or irate customers as the result of downtime on a website.

Conclusion

The Ponemon Institute calculates the average total cost of a data breach to be $3.86m in its 2018 report.7 This includes the costs associated with lost revenues, regulatory fines, damaged reputations and costs to recover from an attack. This translates to an average cost of $148 for every compromised employee or customer record (and more in certain countries, such as the US), so it is easy for organisations to work out the potential costs of compromise.

Data breaches may not account for all hacking attempts, but if the hackers are doing it for monetary reasons, then your data assets will be what they want. Organisations may not have an unlimited budget to spend on cyber security, but a penetration test can help to prioritise spending in key areas and prevent unnecessary spend in others.

There are tools available for carrying out penetration testing in-house, but those that place their faith in a third party, one with the appropriate experience and accreditations, reap the most rewards. Penetration testing and red teaming combine to help organisations identify gaps and vulnerabilities in networks, devices and infrastructure, with the end result of mitigating an attack. In addition, these measures may be required for certain compliance frameworks and can be used to demonstrate a commitment, both to customers and employees, as well as securing more buy-in from the board.

The threats are not going to go away. Attackers are becoming more sophisticated – so the longer an organisation waits to act, the greater the risks. Penetration testing should play a key role in identifying and mitigating these risks, now and on a regular basis moving forward.

About the author

Scott Nicholson is technical delivery leader for Bridewell Consulting (www.bridewellconsulting.com). He has delivered security and privacy solutions on a global scale within a number of sectors such as central government, police, financial services, retail, and oil and gas, and has also worked with a number of software development companies, cloud service providers and some of the largest hosting companies in the world. Before joining Bridewell, Nicholson operated across a number of industries; his most recent roles were director of security and head of security and compliance. Working with companies ranging from SMEs to organisations such as IBM, he has provided a mixture of security leadership and technical delivery of programmes such as ISO 27001:2013, PCI DSS, NIST, the Cyber Essentials Scheme, PSN, PSNP and CESG (now NCSC) guidance.

References

1. 'The Global Risks Report 2019'. World Economic Forum. Accessed Apr 2019. www.weforum.org/reports/the-global-risks-report-2019.
2. 'UK small businesses targeted with 65,000 attempted cyber attacks per day'. Hiscox. Accessed Apr 2019. www.hiscoxgroup.com/news/press-releases/2018/18-10-18.
3. '2019 Internet Security Threat Report'. Symantec. Accessed Apr 2019. www.symantec.com/security-centre/threat-report.
4. Touhill, Gregory. 'Challenges on Cyber security Landscape Demand Strong Leadership'. ISACA, 20 Mar 2019. Accessed Apr 2019. www.isaca.org/Knowledge-Centre/Blog/Lists/Posts/Post.aspx?ID=1154.
5. 'Article 32, EU GDPR, Security of processing'. PrivazyPlan. Accessed Apr 2019. www.privacy-regulation.eu/en/article-32-security-of-processing-GDPR.htm.
6. Johansson, Grace. 'Cyber attacks one of the biggest threats to the world in 2018 says WEF'. SC Media, 18 Jan 2018. Accessed Apr 2019. www.scmagazineuk.com/cyber attacks-one-biggest-threats-world-2018-says-wef/article/1473450.
7. '2018 Cost of a Data Breach Study: Global Overview'. Ponemon Institute and IBM. Accessed Apr 2019. www.ibm.com/downloads/cas/861MNWN2.


The Sandbox

Fighting fraud

Ryan Wilk, NuData Security

With security awareness on the rise, along with the introduction of new regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act, it's clear that the digital landscape is changing. The problem is that, despite new rules, regulations and a higher level of awareness, fraudulent activity remains a growing challenge. The issue is so pervasive that out of 400 billion events monitored worldwide over the course of a year, 28% were high-risk fraudulent activity (http://bit.ly/2LwOJZh).

The same data showed that fraudulent activity is increasingly emulating the way that consumers interact with an organisation's pages. To put it simply, bad actors mask themselves alongside a company's good traffic, making a potential threat harder to identify. Given these findings, it's more important than ever before that companies of all sizes and across all industries not only embrace better security awareness but also put it into action with improved policies and tools.

As companies scramble to get up to speed with bad actors' ever-evolving tactics, it's important to note that not all fraud is created equal. The distribution between mobile and desktop is vastly askew, with mobile seeing 78% of traffic while desktop had just 22%. This is important to mention because mobile malware is a major threat to businesses across various industries, especially those in e-commerce and banking. Kaspersky Lab indicated that the number of attacks using malicious mobile software nearly doubled in 2018 over the previous year (http://bit.ly/2PISxEV). Web-based threats matter too: Magecart, for example, has already wreaked havoc on several notable e-commerce companies, including British Airways, Newegg and Feedify, among others, and is still going strong in 2019 (http://bit.ly/2ISUpdX).

There's a lot of abuse in the merchant world, but one of the things that's high on that list involves trial fraud (think free trials or coupons for signing up or being a loyal member). Bad actors will use credentials to create new accounts and will sell these free trials for a minor payout. Over time, however, these 'free' sales can add up to hefty amounts. New credit lines with instant approval are also a major target that quickly adds up to unbearable losses. According to a recent report, in 2018 alone it took more than 53 million hours to clean up the mess of new account fraud.

This might seem like a no-brainer, but having great tools is an absolute must. Even the most skilled security teams need equally smart equipment. The bottom line here is that every business needs functionality that allows its security protocols to evolve with the bad actors' techniques. Behavioural biometrics plays a key role in this area by allowing organisations to better understand where threats are coming from. This reinforces real-time risk mitigation behind the scenes. By continually monitoring activity with these tools, security teams can actually see where threats are coming from and be prepared for an attack when it does happen.

Rules and policies are also vital. Security leaders need to ensure that all local laws and regulations are accounted for. Because there is no one-size-fits-all approach when it comes to running a secure business, it's essential that these policies are tailored to meet the organisation's specific needs.

Events

3 June 2019: European Data Protection Summit, London, UK. https://summit.dataprotectionworldforum.com/
3–4 June 2019: International Conference on Cyber Security and Protection of Digital Services (Cyber Security), Oxford, UK. www.c-mric.com/cs2019/
3–4 June 2019: Cyber Incident, Oxford, UK. www.c-mric.org/ci2019
4–6 June 2019: InfoSecurity Europe, London, UK. www.infosecurityeurope.com
10–12 June 2019: International Symposium on Digital Forensic and Security (ISDFS), Barcelos, Portugal. http://isdfs.org
16–21 June 2019: FIRST Conference, Edinburgh, UK. www.first.org/conference/2019/
16–20 June 2019: Hack in Paris, Paris, France. www.hackinparis.com
17–20 June 2019: National Homeland Security Conference, Phoenix, AZ, US. www.nationalhomelandsecurity.org
18–20 June 2019: Infosec in the City, Singapore. www.infosec-city.com
