
Network Security ISSN 1353-4858 June 2020 www.networksecuritynewsletter.com

Featured in this issue:

How data can be the lingua franca for security and IT

Stakeholder engagement, expectation management and cross-team communications are among the most challenging aspects of business. And all of these come together in a unique confluence for security teams.

IT and security teams are both aiming for the same goal – secure and effective systems. But while they may be looking at the same raw information, their interpretations can be wildly different. Some form of automated data analysis can help get both teams on the same page, argues Dr Leila Powell of Panaseer.
Full story on page 6…

Keeping a secure hold on data through modern electronic content management

Companies are attempting to deal with a tidal wave of data. And a lack of integration inside a business can promote the dangerous phenomenon of content sprawl.

This occurs when different departments do not harmonise their processes and there is no plan to address outdated content or to ensure that data is stored in the right way. Companies need to gain a tight rein on their digital assets and institute a rigid content management system to keep up with the data explosion. But that can be easier said than done, explains Paul Hampton of Alfresco.
Full story on page 8…

Keeping critical assets safe when teleworking is the new norm

The Covid-19 pandemic has upended almost every aspect of our lives – and work is no exception. Remote working has suddenly become the norm for many. There are many advantages to remote working. Yet our new professional reality also comes with fresh challenges. Perhaps none of these is more important than the need to safeguard critical corporate assets within an information security landscape that has been profoundly altered, almost overnight, says Gus Evangelakos of XM Cyber.
Full story on page 11…

Contents

NEWS
Russian nation-state attackers target Exim mail servers 1
Network and web app attacks increase 2
Scammers exploit Covid-19 measures 3

FEATURES
How data can be the lingua franca for security and IT 6
IT and security teams are both aiming for the same goal – secure and effective systems. But their priorities often differ. While they may be looking at the same raw information, their interpretations can be wildly different. Some form of automated data analysis can help get both teams on the same page, argues Dr Leila Powell of Panaseer.

Keeping a secure hold on data through modern electronic content management 8
Companies are attempting to deal with a tidal wave of data. And a lack of integration inside a business can promote the dangerous phenomenon of content sprawl. Companies need to keep a tight rein on their digital assets and institute a rigid content management system to keep up with the data explosion. But that can be easier said than done, explains Paul Hampton of Alfresco.

Keeping critical assets safe when teleworking is the new norm 11
The Covid-19 pandemic has led to an explosion of remote working. And this brings with it some fresh challenges – not least the need to safeguard critical corporate assets within an information security landscape that has been profoundly altered, almost overnight, says Gus Evangelakos of XM Cyber.

Safeguarding against the insider threat 14
Data breaches are on the rise and a significant proportion of the threat comes from insiders. Some breaches are malicious but many are simply accidental. To manage the insider threat, organisations must ensure that identity is at the heart of cyber security and compliance risk assessment monitoring, says Ben Bulpett of SailPoint.

Keep security top of mind when moving into the cloud 17
Cloud adoption is soaring. However, as Thomas Deighton of Westcon and Michael Wakefield of Check Point warn, the defence of sensitive data and information is no less important when it is in the cloud than on premise. It is vital for businesses looking to make the move into the cloud to understand why and how it has become so popular and the importance of securing it.

ThreatWatch 3
Report Analysis 4
News in brief 5
The Firewall 20
Events 20

Russian nation-state attackers target Exim mail servers

The US National Security Agency (NSA) has issued a warning stating that Russian nation-state attackers belonging to a military intelligence agency are actively exploiting a weakness in Exim mail servers. The purpose of the attacks is unclear but many commentators have noted increased Russian activity as we approach another US presidential election.

Since at least August 2019, the so-called Sandworm Team has been launching attacks against Exim mail transfer agent (MTA) installations, taking advantage of a known flaw (CVE-2019-10149).
Continued on page 2...

ISSN 1353-4858/20 © 2020 Elsevier Ltd. All rights reserved.

NEWS

...Continued from front page

The vulnerability was patched last year, but many organisations are reluctant to patch mail servers because of the potential disruption.

The NSA said: “The Russian actors, part of the General Staff Main Intelligence Directorate’s (GRU) Main Centre for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings and execute additional scripts for further network exploitation.”

The exploit starts with nothing more than a specially crafted email being sent to the server. “The actors exploited victims using Exim software on their public-facing MTAs by sending a command in the ‘MAIL FROM’ field of an SMTP (Simple Mail Transfer Protocol) message,” the NSA explained. The attackers then download a shell to provide them with additional control, which can ultimately include full control over the server.

Bleeping Computer obtained a copy of the initial script and found it was subsequently able to: add a new ‘mysql_db’ user with root privileges on the hacked server; import an SSH key the attackers can later use to gain access to the compromised server via SSH; execute base64-encoded commands that connect to a remote site and download commands/executables to launch on the hacked machines; add a MySQL user named ‘mysqldb’ running MySQL instances, giving it full access to all the databases on the server; and restart the sshd and MySQL daemons.

In addition to the potential for intercepting or spoofing emails – which could be used in supporting fake news and propaganda operations – compromised servers could also be exploited as proxies for any number of other attack types.

Exim is widely deployed, as it’s often the default MTA used in a number of Linux distributions. Searches on the Shodan search engine suggest there may be more than a million unpatched Exim servers online, the vast majority of them being in the US.

The Sandworm Team – Unit 74455 of the GRU – has been blamed for the BlackEnergy attacks that led to electricity blackouts in Ukraine in 2015 and 2016, the NotPetya worm that caused an estimated $10bn in damage worldwide in 2017, campaigns against NATO members and European governments in 2019 and attacks on several US state election boards leading up to the 2016 presidential election.

The NSA has identified two IP addresses – 95.216.13.196 and 103.94.157.5 – and one domain, hostapp.be, that seem to be associated with the attacks. It encourages organisations to search their logs for these as possible indicators of compromise.

“The election is right around the corner and this is an actor that was involved in the 2016 incidents,” John Hultquist, director of intelligence at FireEye, told Wired. “We’re very concerned they’ll be involved again in this election. This is an actor that’s been involved in election-related hacking in the past and the most important, destructive attack in history. Any development involving them is worth watching.”

The NSA is urging all users of Exim to ensure that their systems are patched. There’s more information, including mitigations, here: https://bit.ly/2XIv5xn.

Editorial Office: Elsevier Ltd, The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom. Tel: +44 1865 843239. Web: www.networksecuritynewsletter.com
Publisher: Greg Valero
Publishing Director: Sarah Jenkins
Editor: Steve Mansfield-Devine
Senior Editor: Sarah Gordon
Columnists: Ian Goslin, Karen Renaud, Dave Spence, Colin Tankard
International Editorial Advisory Board: Dario Forte; Edward Amoroso, AT&T Bell Laboratories; Fred Cohen, Fred Cohen & Associates; Jon David, The Fortress; Bill Hancock, Exodus Communications; Ken Lindup, Consultant at Cylink; Dennis Longley, Queensland University of Technology; Tim Myers, Novell; Tom Mulhall; Padget Petterson, Martin Marietta; Eugene Schultz, Hightower; Eugene Spafford, Purdue University; Winn Schwartau, Inter.Pact
Production Support Manager: Lin Lucas

Network and web app attacks increase

Figures from a new report by Amazon Web Services (AWS) show that network and web application security events rose by nearly a quarter (23%) in the first quarter of 2020, compared to the same period in 2019.

The firm’s ‘Threat Landscape Report’ for Q1 2020 is based on monitoring data drawn from its AWS Shield system.

This rise in attack volume was driven largely by web application-layer events, reflecting other reports that web apps are becoming a favoured target.

AWS saw a total of 310,954 suspicious events in Q1 2020, with the largest bit rate being 2.3Tbps and the largest packet rate reaching 293Mpps. In terms of the largest volumes of malicious traffic, distributed denial of service (DDoS) attacks are the key culprits.

“DDoS attacks are the primary driver of larger network volumetric events,” says the report. “The most commonly observed network volumetric DDoS vectors are UDP reflection attacks. This includes attacks like DNS reflection, NTP reflection, SSDP reflection and


Threatwatch

Cycldek jumps air gaps

An advanced persistent threat (APT) group known as Cycldek (aka APT27) has added a new tool to its malware arsenal in an attempt to infect and steal information from air-gapped computers. The group, which has been targeting governments in Southeast Asia since 2013, has developed USBCulprit. This searches for certain kinds of files which it then infects and moves to any USB-attached devices. “This suggests the malware was designed to reach air-gapped machines, or those that are not directly connected to the Internet or any other computer connected to Internet,” said Kaspersky, which discovered the malware. The USBCulprit code seems to have been in development since 2014. “This malware consists of two variants with advanced data-stealing capabilities: BlueCore and RedCore,” according to Kaspersky. “BlueCore appears to have been deployed against diplomatic and government targets in Vietnam, while RedCore was first deployed in Vietnam before being found in Laos.” There’s more information here: https://bit.ly/2AcQEgI.

SMBGhost proof of concept

The release of proof of concept (PoC) exploit code for the SMBGhost (CVE-2020-0796) vulnerability (aka CoronaBlue) could spark a wave of attacks, according to a warning by the US Cybersecurity and Infrastructure Security Agency (CISA). The flaw makes possible a critical, wormable remote code-execution (RCE) attack via version 3.1.1 of the Microsoft Server Message Block (SMB) protocol used by Windows 10 and Windows Server 2019. Microsoft patched the vulnerability in March 2020, but many machines will remain prone to the attack due to inadequate patching processes. Some attackers are already probing unpatched machines, said CISA. Someone with the Twitter handle ‘Chompie’ announced the PoC code, which others have confirmed works. There’s more information here: https://bit.ly/2BNCBhL.

PonyFinal

Microsoft has released details of a new strain of Java-based, “human-operated” ransomware it has dubbed PonyFinal. Rather than infecting via software vulnerabilities, the malware first requires the attacker to gain access to a target machine, typically through brute force attacks against the systems management server. Once the attacker has a foothold on the system, a VBScript runs a PowerShell reverse shell that connects to a command and control (C&C) server on port 80. “In certain cases, the attackers deploy Java Runtime Environment (JRE), which the Java-based PonyFinal ransomware needs to run. However, evidence suggests that attackers use information stolen from the systems management server to target endpoints with JRE already installed,” said Microsoft. There’s more information in Microsoft’s Twitter thread here: https://bit.ly/3cPvOkD.

CrossTalk CPU bug

Researchers at Vrije University’s Systems and Network Security Group (VUSec) in the Netherlands have revealed yet another bug in Intel CPUs. Called CrossTalk, it allows attackers running their own code on one core to obtain sensitive information leaked from other cores. This is another example of a microarchitectural data sampling (MDS) attack. CrossTalk attacks data while it’s being processed by the CPU’s Line Fill Buffer (LFB) cache system. The research team has been working with Intel since September 2018 on mitigations and Intel said it has made appropriate changes to recent products. There’s more information here: www.vusec.net/projects/crosstalk/.

StrandHogg 2.0

Promon has released details of an update to an earlier Android bug which now has the ability to impersonate most legitimate apps while stealing information. StrandHogg 2.0 (CVE-2020-0096) affects all versions of Android up to 9.0. It uses overlays or abuses app permissions to effectively replace the interface of real apps. Possible exploits include stealing credentials, intercepting two-factor authentication codes, taking photographs, making or recording phone calls, obtaining location information and more. There’s full information here: https://promon.co/strandhogg-2-0/.

Network and web app attacks increase (continued from page 2)

many others. Each of these vectors is similar in that an attacker spoofs the source IP of the victim application and floods legitimate UDP services on the Internet. Many of these services will unwittingly respond with one or more larger packets, resulting in a larger flood of traffic to the victim application.”

Close behind UDP reflection attacks are SYN floods – a simple and old technique that remains surprisingly effective. SYN floods use small packets designed to overwhelm the resources of servers, load balancers and firewalls by tying up connections.

Web request floods and HTTP reflection attacks were also common. While these might also be attempts at DDoS attacks, they can also be the result of activities “that are incidental to web content scraping, account takeover bots, or other unauthorised, non-human traffic,” says the report.

Malware attacks also rose by 57% during the first quarter, with the unique number of sources rising by 33%, suggesting either that there are a lot of new players mounting malware campaigns or that attackers are using more dynamic detection evasion techniques.

The report is available here: https://go.aws/37avwn8.

Scammers exploit Covid-19 measures

While many scammers have simply used coronavirus-related themes in order to lure victims during the current pandemic, others are specifically targeting official government schemes.

In the UK, criminals are sending out SMS text messages that purport to be part of the government Test & Trace scheme. The messages allege that the receiver has been in contact with someone who has tested positive for Covid-19 and provide a link for more information. The link leads to a phishing page that attempts to capture personal data about the victim. The NHS has posted guidelines about how the genuine scheme will contact people, including the phone number from which any voice calls or text messages will be sent. The guidelines are here: https://bit.ly/2zlBntu.

Similar scams are rife in the US, with some downloading malware to the device rather than leading to phishing pages. The situation is complicated by the fact that nearly every state has a different tracking programme, and so even legitimate messages vary widely from one place to another. The US Treasury Department posted a warning about criminals making phone calls and sending emails purporting to relate to grants and stimulus payments. These scams seek to either harvest personal information or demand advance payments.

Another SMS phishing scam in the UK is targeting the Government’s Self-Employment Income Support Scheme (SEISS), which has been much-used by self-employed people during the lockdown. The phishing messages claim that the recipient is due a tax rebate and a link leads to a very convincing counterfeit of the official HMRC site.
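The NSA advice in the Exim story (page 2), to search mail logs for the two IP addresses and the domain it lists, is the kind of check worth scripting rather than doing by eye. The following is an added example written for this page, not code from the newsletter, the NSA or the Exim project: the log lines are constructed to resemble Exim mainlog entries, and the rule that flags Exim "${" expansion syntax in an envelope sender is an assumption of the example, not a rule from the advisory.

```python
"""Scan Exim mainlog-style lines for the indicators the NSA warning lists.

Added example for this page; not code from the newsletter, the NSA or
the Exim project. The two IP addresses and the domain are the ones
reported in the story; the log lines are constructed, and the envelope-
sender heuristic is an assumption of this example, not an NSA rule.
"""
import re
from dataclasses import dataclass, field

# Indicators of compromise quoted in the story.
IOC_IPS = {"95.216.13.196", "103.94.157.5"}
IOC_DOMAINS = {"hostapp.be"}

# Exim mainlog fragments: "H=name [ip]" for the connecting host and
# "F=<address>" for the envelope sender given in MAIL FROM.
HOST_RE = re.compile(r"H=(?:\S+ )?\[(?P<ip>[0-9a-fA-F.:]+)\]")
SENDER_RE = re.compile(r"F=<(?P<sender>[^>]*)>")
# Assumption: Exim's "${" string-expansion syntax never belongs in a
# legitimate envelope sender, so its presence in MAIL FROM is flagged.
EXPANSION_RE = re.compile(r"\$\{")


@dataclass
class Hit:
    line_no: int
    reasons: list = field(default_factory=list)


def check_line(line: str) -> list:
    """Return the list of reasons a single log line is suspicious."""
    reasons = []
    host = HOST_RE.search(line)
    if host and host.group("ip") in IOC_IPS:
        reasons.append("ioc-ip:" + host.group("ip"))
    for domain in IOC_DOMAINS:
        if domain in line:
            reasons.append("ioc-domain:" + domain)
    sender = SENDER_RE.search(line)
    if sender and EXPANSION_RE.search(sender.group("sender")):
        reasons.append("expansion-in-sender")
    return reasons


def scan(lines) -> list:
    """Scan an iterable of log lines and return one Hit per flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        reasons = check_line(line)
        if reasons:
            hits.append(Hit(number, reasons))
    return hits


# Constructed sample lines in the shape of Exim's mainlog (not real data).
SAMPLE_LOG = [
    "2020-06-01 10:02:11 1jf0o0-0001AB-CD <= alice@example.org "
    "H=mail.example.org [192.0.2.10] P=esmtps S=2048",
    "2020-06-01 10:05:43 H=(localhost) [95.216.13.196] "
    "F=<${PLACEHOLDER}@localhost> rejected RCPT <root@mail.example.org>",
    "2020-06-01 10:07:02 1jf0o1-0002XY-ZZ <= bob@hostapp.be "
    "H=[103.94.157.5] P=esmtp S=1337",
    "2020-06-01 10:09:55 1jf0o2-0003QQ-RR => carol@example.org "
    "R=dnslookup T=remote_smtp H=mx.example.org [198.51.100.7]",
]


def main() -> None:
    # Typical use would read /var/log/exim4/mainlog instead of SAMPLE_LOG.
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {', '.join(hit.reasons)}")


if __name__ == "__main__":
    main()
```

A hit on an indicator address only shows that the host connected; correlating it with the MAIL FROM rejections and with any unexpected user or SSH-key additions the story describes is what turns it into an incident.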


Report Analysis

Trend Micro: Shifts in Underground Markets

Malicious hacking and cybercrime have always been a more sociable activity than most people imagine. The popular image of a hoody-wearing teenager hunched alone over a keyboard in a darkened bedroom is a dangerously misleading cliché. Cybercrime is big business, often highly organised and revolves around communities.

Hackers have used forums to buy, sell, exchange information and offer support for decades – going back to the days of dial-up bulletin boards. The advent of onion routing and the dark web that has been built on top of it has added a layer of anonymity and security for those whose activities are illegal. And it has led to the formation of dark web marketplaces, acting much like an underground Ebay where, in place of knock-off luxury goods, kitchen appliances you never knew you needed and dubious clothing choices, you can instead indulge yourself in firearms, illegal drugs, malware, stolen payment card details and many more illicit goods and services.

At the same time that these marketplaces have developed (and have occasionally been dismantled by law enforcement actions) we have witnessed a ‘professionalisation’ of cybercrime. Groups now offer distributed denial of service (DDoS) attacks as a rentable service. Malware is sold with money-back guarantees and technical support services. And both buyers and sellers have shown themselves to be keen adopters of new technologies and platforms – for example, Discord channels have become a popular way to conduct business.

Trend Micro has noted a certain internationalisation of marketplaces. Although English-language ‘carder’ forums – where payment card details are traded – have been in existence for some time, the bigger and more popular cybercrime forums and marketplaces used to be pretty inaccessible to anyone who didn’t speak Russian. Now, multi-language sites are the norm.

According to one source quoted in Trend’s report, cybercrime generates around $1.5tr in annual revenue – outselling Apple or Amazon. But it would be wrong to think of this as being like any other kind of industry. While a few things remain stable – Trend found that the price of ransomware doesn’t change much – there is much about this business that is highly volatile. As mentioned, marketplaces are often disrupted by law enforcement and occasionally people even go to prison. It’s not unknown for marketplaces to disappear for no apparent reason, with the most likely explanation being that its operators have absconded, along with all the funds they were holding in escrow.

There are fashions in cybercrime, too. Ransomware is popular right now and it’s easy for people with limited technical skills and not much money to get in on the act by buying readymade exploits and services from marketplaces. Botnets available for hire are most likely to consist of Internet of Things (IoT) devices these days. And there has been a boom in ‘access as a service’ – the trade in stolen credentials. Where once these tended to focus on remote desktop protocol (RDP) logins, now this area has widened in scope.

According to the report: “Access to different organisations and companies was obtained through ransomware, credential-stealing malware and botnets. We found multiple levels of access sold: executive-level credentials, remote desktop access, administrative panels, cloud storage, email accounts and even full company network access. Many of these offerings are found on the Russian forum Exploit[.]in. One actor was selling access to an American insurance company for $1,999 and a European software company for $2,999. Prices for Fortune 500 companies can reach up to $10,000. Some offerings include access with read and write privileges.”

One burgeoning area is the availability of fake news services. You can buy fake comments, YouTube likes or even large-scale social media promotions. Prices start as low as $1 for 10,000 likes. Not surprisingly, the best prices are offered by operators based in Russia. These services often come with related offerings – Trend noted a Turkish voter database for $400, for example.

“One underground forum had over 300 database links containing 5 billion entries with information such as PII, credit card information, social security numbers, emails and passwords,” the report says. “All this information came from data breaches that occurred between 2015 and 2019. Compromised voter databases combined with other data available in underground forums can help malicious actors create very effective cyber propaganda campaigns.”

Another development is the use of deepfakes – AI-generated images and video in which individuals’ faces are realistically superimposed on other images, often pornographic. Trend believes these are likely to be used increasingly in blackmail – or so-called ‘sextortion’ – scams. But there’s bound to be a crossover into the fake news arena, with deepfakes being employed for political purposes. Similar things are being done with audio to impersonate people – for example, simulating the voice of a senior executive for use in business email compromise scams.

Given that the cybercrime underground is such an unstable environment, it’s hard to make predictions for how dark web marketplaces will develop. Trend believes that deepfake extortion is likely to be a growing threat. It also sees criminals focusing increasingly on Africa, as online banking and e-commerce continue to grow in that continent. And we’re likely to see cyber criminals moving away from escrow services towards blockchain-based systems as a way of building trust between buyers and sellers.

The report is available here: https://documents.trendmicro.com/assets/white_papers/wp-shifts-in-the-underground.pdf.

[Figure: As an indication of what dark web marketplaces are being used for, Trend Micro monitored the number of discussion threads on various topics across 600 forums.]


In brief

Black Lives Matter under attack

Human rights groups supporting the Black Lives Matter movement have found their websites coming under distributed denial of service (DDoS) attacks, according to Cloudflare. The firm compared overall attack traffic – for all websites – on May 25, the day that George Floyd was killed, against that of a month earlier and found it had blocked 135.5 billion such requests – a 17% increase. By the end of May, the increase in attack traffic had risen by 26%. However, when looking specifically at the advocacy groups associated with Black Lives Matter and the protests that have followed Floyd’s death, the attack traffic has risen 1,120 times. “In fact, those groups went from having almost no attacks at all in April, to attacks peaking at 20,000 requests per second on a single site,” wrote Cloudflare. “One particular attacker, likely using a hacked server, was especially persistent and kept up an attack continuously hitting an advocacy group for over a day.” Cloudflare’s Project Galileo, which helps to protect rights groups – many of them fighting racism – has also seen a dramatic increase in the number of attempted attacks. There’s more information here: https://bit.ly/2MKsJYn.

CREST calls for greater gender diversity

A report by CREST, the not-for-profit body that represents the technical security industry, has found that there has been insufficient progress in promoting gender diversity in the information security industry. Based on findings from a gender diversity workshop, most attendees (86%) thought that progress has been made, but not nearly enough to make a practical difference. Some 59% of participants classified their experience in the industry as mixed, having received support and enjoyed roles but pointing to obstacles and challenges that had to be overcome as a result of being female. The report suggests that the primary reason for the poor representation of women in the cyber security industry is down to a lack of interest in the subject from school age. It also points to issues with current recruitment practices, including the way job descriptions are written, the language used and arguably even candidate requirements. Female representatives at the workshops agreed that the inclusion of training options on the job advert would encourage more female applicants, as would flexible working hours, good maternity policies and back-to-work support. Another key finding is the demand for an industry-wide female mentoring and coaching scheme to create a stronger, closer female community.

…analysis by RiskSense. The total number of issues listed in the Common Vulnerabilities and Exposures (CVE) database reached 968 by the end of 2019, compared to 421 the year before. RiskSense also said there is a problem with the increasing time it takes such issues to make it into the National Vulnerability Database (NVD), which is often monitored by developers to judge risk exposure. The average time is now 54 days following public disclosure, which could leave organisations vulnerable for up to two months. The OSS projects with the most CVEs were the Jenkins automation server (646) and MySQL (624), for each of which 15 ‘weaponised’ vulnerabilities had been developed. OSS projects with vulnerabilities have been exploited in real-world attacks that included Apache Tomcat, Magento, Kubernetes, Elasticsearch and JBoss. The report is here: https://info.risksense.com/open-source-spotlight-report-pr.

PPE supplier attacked

IBM’s X-Force says it has uncovered a highly targeted attack campaign against an unnamed company in Germany that is tasked with supplying personal protective equipment (PPE) for the nation’s healthcare professionals. The attacks, mainly consisting of well-crafted spear-phishing attempts, began at the same time the company was appointed as part of Germany’s PPE task force in the fight against the Covid-19 pandemic. The purpose of the attacks is unclear. One possibility is that this is a nation-state campaign by a country looking to improve its own bargaining power in negotiations for PPE supplies. Another is that a group, or country, is seeking a way into key supply chains before pivoting the attack as a way of gaining sensitive information about other issues relating to the pandemic, such as the development of vaccines. There’s more information here: https://ibm.co/2XN85Nx.

Hacking for hire

Citizen Lab in Canada has identified a group that is masquerading as an IT security company but is actually offering hacking-for-hire services. A campaign, dubbed Dark Basin, has been attacking political activists, lawyers, CEOs and others, with more than 10,000 people targeted over the past seven years. Citizen Lab believes this campaign is being mounted by BellTroX InfoTech Services, which, it said, “likely conducted commercial espionage on behalf of their clients against opponents involved in high-profile public events, criminal cases, financial transactions, news…

…labelled TA410 was active between July and November 2019 using portable executable (PE) attachments and Microsoft Word documents with malicious macros in attempts to infect machines with the LookBack remote access trojan (RAT) and a variant called FlowCloud. According to Proofpoint: “The senders of the emails that delivered FlowCloud malware utilised threat actor-controlled domains for delivery which impersonated energy sector training services, as well as utilised subdomains which contained the word ‘engineer’.” When a successful infection occurs, this gives the attackers full control over the targeted machine, including the ability to exfiltrate data and possibly to pivot in order to attack servers from inside the network. The spear-phishing emails impersonated the American Society of Civil Engineers (ASCE). Proofpoint also saw similar activity by the TA429 hacking group, but it’s possible this was a ‘false flag’ operation with the TA410 group impersonating TA429. There’s more information here: https://bit.ly/2AYUb2c.

NASA attacks increase

Research by AtlasVPN, based on data gathered by the US Government’s Office of Management and Budget (OMB), shows that cyber attacks against NASA increased by 366% in 2019, compared to the previous year. This was the same period in which the agency’s cyber security budget was cut by $3.1m. For the purposes of the research, a cyber security incident was defined as “any attempted or actual unauthorised access, use, disclosure or destruction of information” as well as incidents involving “interfering with operations within the organisation and violations of NASA’s computing policies and regulations.” Incidents labelled as “improper usage” – where an authorised user violates an organisation’s acceptable usage policies – accounted for 90.5% of the increase. There’s more information here: https://bit.ly/3f2cn9M.

Vigilante hackers fight scammers

A hacking group, styling itself as ‘CyberWare’, claims to be targeting scammers it believes are engaged in loan scams. According to the group, the scammers offer loans but demand an up-front payment. The loan amount never materialises and victims never hear from the companies again. CyberWare says it is targeting these companies with phishing emails and malware disguised as PDF files, as well as mounting distributed denial of service (DDoS) attacks on their websites. The malware includes ransomware, which appears to…
The report is stories and advocacy.” The report is available be HiddenTear. Although it’s being deployed as a here: https://bit.ly/2YrldY6. here: https://bit.ly/2AUq5wI. file wiper – because no ransom is demanded and there’s no offer to recover encrypted files – this OSS vulnerabilities increase US energy providers targeted particular form of ransomware is actually fairly Vulnerabilities in open source software (OSS) Security firm Proofpoint says it has detected weak. The Decryptor is available packages and libraries more than doubled a major spear-phishing campaign targeting US for free and allows victims to easily recover their between 2018 and 2019, according to an analy- energy companies. A group that Proofpoint files. It’s available here: https://bit.ly/2Yi8Bm0.

Network Security, June 2020

FEATURE

How data can be the lingua franca for security and IT

Dr Leila Powell, Panaseer

Stakeholder engagement, expectation management and cross-team communications are some of the most challenging aspects of business to navigate. And all of these come together in a unique confluence for security teams.

The position of the security team is somewhat unique in a business – it often has a high level of scrutiny from the board, particularly in recent years, but often lacks a ‘direct line to the top’ or other advocates to represent its perspective and influence policies set at that level.

The team also has a relationship with teams of its peers – like IT and infrastructure – that can best be described as ‘it’s complicated’. Each of these teams will have its own priorities set by its leadership. The challenge for the security people is that they are not always able to directly impact their own objectives. They will often be accountable for security targets, but they are not responsible for the work required to meet them. More often than not, it is one of the other teams that will be responsible for an activity such as patching. So now the security team has to work with another team to understand its workload and communicate the priority of its request. And, of course, it needs to communicate what progress has been made back up to the board/risk committee. This high scrutiny but low control is a sure-fire recipe for high stress.

Points of friction

One of the main points of friction we’ve seen arise in this scenario is where both security and IT teams have direct access to the raw data for one of the areas where they need to collaborate, such as open vulnerabilities from the reporting interface of a vulnerability scanner. One would think this would improve clarity on both sides, but the issue here is that what’s done with that data can vary widely. Often, out-of-the-box reports from security tooling do not show enough context to be directly applicable to the organisation, so teams export data in order to do some custom analysis that suits their needs. The problem is, multiple teams export the data and then do different things to it.

There are many things you can do to a CSV file of vulnerability data. While they could all be equally mathematically ‘correct’, they may offer very different perspectives on the data and be suited to different use cases. If security teams and their colleagues don’t discuss this ahead of time, they are potentially trying to meet different use cases and it will result in everyone talking at cross-purposes, despite starting out with identical data. It’s like taking a list of events that make up a story outline and one person editing it into a horror movie and the other into a comedy – then wondering why you don’t share the same perspective on the outcome.

But surely all teams are pulling in the same direction, you may ask? Well, yes and no. At the highest level yes – both security and IT want secure, effective systems – but on a team level, security could be trying to speed up time to patch, whereas IT may have been set targets to increase data-transfer speeds across the network, so it needs to minimise other work (including patching) to make time for this. It can come down to a question of priorities – something that can’t be solved by good data practices alone. However, improving your awareness of the business context for certain tasks for teams can help make it clear why a team is analysing and using data in a particular way – and can help you discover if you can find common ground for your analysis – or whether you need to go back and find out more about how the business wants competing priorities to be balanced.

Potential pitfalls

There are other potential pitfalls of separate analysis streams, on top of just a fundamentally different objective. A lack of change tracking and process recording often goes hand in hand with manual data analysis – and manual data analysis is prevalent when teams don’t have access to a fit-for-purpose reporting tool but do have access to the raw data. To put manual analysis without standardised processes into context, think about when you get a report from another department – do you ever know how the final charts were arrived at? How would you find out if you needed to?

This can be problematic for multiple reasons:
• Without some form of standardised process, how can you ensure the process is repeatable and you’re looking at equivalent data from week to week?


• What if the person who analyses the data is off sick, or leaves?
• No-one can challenge the assumptions of the analysis if they don’t know what they are.
• People just don’t trust black boxes – buy-in for your analysis will likely be low even if it is high quality.

To follow data analysis ‘best practice’ you should look to all of these, but the second two bullet points are particularly relevant for the scenario we’re reviewing here. Both teams, security and IT, have access to raw data and both know enough to understand the data in detail – so it’s reasonable they should both want clarity about the analysis each team is undertaking.

Speaking the same language

So how can you make data the lingua franca for your security organisation? Data analysis should be automated, not manual. Ideally, we’re talking about an ETL pipeline that runs the same analysis at a scheduled frequency.

But there are degrees of automation. Even a spreadsheet with formulae is better than someone performing ad hoc spreadsheet manipulations on a daily basis. If you have to change your analysis every time you do it to get the ‘answer you want’ then this is a red flag. It suggests there is significant effort being put into ‘data curation’ over data analysis – you can make your data say anything if you change it in completely unconstrained ways.

To address this, the teams need to follow the following principles:
• Agree your data analysis process for a specific use case up front with all relevant stakeholders. Ensure that everyone buys in to what should be in the scope and how any exceptions should be managed. Look for measures and metrics that can help serve a purpose for multiple teams’ goals – if you can help showcase the good work that’s being done, people will be more positive about the use of data.
• Document the technical details of the analysis process. The appropriate location depends on what tooling you’re using but could range from comments in code to a post on your internal wiki. Think about what the scope is for this analysis. Are things being filtered out, such as low-severity vulnerabilities and test servers? Are you removing any exceptions, and if so where do you get these from? Do exceptions expire? The level of detail should be such that someone could reproduce your analysis from scratch if required.
• Review analysis outcomes with the stakeholders before any important meetings – never surprise anyone with stats that relate to their team!
• Consult relevant stakeholders before making a change to the process and ensure that everyone who uses the data downstream is informed of the change – update your docs.
• Document important assumptions in a way that the report audience can understand and always include them with your analysis. Someone consuming your report doesn’t need all the technical details up front – but people should be made aware of important assumptions that may impact the way they interpret your analysis and the decision they make based on it. Keep it brief or it won’t be read – something like ‘Analysis for production servers only’ is sufficient, or ‘patching team capacity at 50% due to vacation time’ can add critical context.

Working together

So, let’s revisit the security/IT dilemma with this in mind. If the security team wants to report on X% of all patches applied within 30 days, but the IT team only reasonably has 0.25 FTE to work on this, this could show it in a bad light. However, if both teams work together on what is an achievable scope – say focusing on critical patches for business-critical machines, and then reporting on X% of those patched within 30 days (providing full context as to what is being measured and why) – the security team can drive down patching time while IT can be rewarded for meeting the targets they helped negotiate.

Now, this example is, of course, simplifying what can be a very complex process of communication and negotiation. It’s worth keeping in mind that having high-quality data analysis doesn’t change what it’s humanly possible to accomplish in any given day, or remove any of the thorny issues around how businesses weigh up multiple priorities. But it can improve communication dramatically, which helps surface what the real challenges are, rather than keeping everyone arguing over a decimal place.

About the author

Dr Leila Powell is lead security data scientist at Panaseer (https://panaseer.com). She started out as an astrophysicist, using supercomputers to study the evolution of galaxies. Now she helps information security functions in global organisations understand and reduce their cyber security risk exposure. She’s an advocate for diversity and inclusion in tech and co-created the We Empower Diverse Startups (WEDS, https://medium.com/weds-network) Network with other women in cyber tech startups to champion inclusive practices beyond her own team.
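The principles above (agreed scope, exceptions that expire, assumptions shipped with the number) are far easier to hold to when the analysis is code that runs the same way every week rather than a hand-edited spreadsheet. What follows is an added example, not Panaseer's code and not from the article: a minimal, repeatable version of the 'X% of critical patches on business-critical machines fixed within 30 days' metric discussed in the Working together section. The scanner export, host names, CVE identifiers, exception register and SLA are all constructed for the example; a real pipeline would read the scanner's own export and the organisation's own exception register.

```python
"""
Added example (not from the article, not Panaseer's code): a repeatable
patch-SLA metric whose scope, exceptions and assumptions are data rather
than ad hoc spreadsheet edits. Every input below is constructed.
"""
import csv
import io
from datetime import date, timedelta

# Constructed vulnerability-scanner export: one finding per row, fixed_on
# left empty while the finding is still open. The CVE ids are placeholders.
SCAN_CSV = """\
host,environment,business_critical,severity,cve,first_seen,fixed_on
web01,production,yes,critical,CVE-0000-0001,2020-04-01,2020-04-20
web01,production,yes,high,CVE-0000-0002,2020-04-01,
db01,production,yes,critical,CVE-0000-0003,2020-04-05,2020-05-20
db01,production,yes,critical,CVE-0000-0004,2020-04-10,
app02,production,no,critical,CVE-0000-0005,2020-04-01,
test01,test,yes,critical,CVE-0000-0006,2020-04-01,
legacy01,production,yes,critical,CVE-0000-0007,2020-03-01,
"""

# Constructed exception register agreed with IT. Every exception expires.
EXCEPTIONS = [
    {"host": "legacy01", "cve": "CVE-0000-0007", "expires": date(2020, 12, 31),
     "reason": "vendor end-of-life; compensating control: network isolation"},
]

# The agreed scope, kept as data so a run is reproducible and changes are diffable.
SCOPE = {"environment": "production", "business_critical": "yes",
         "severity": "critical", "sla_days": 30}


def parse_findings(text):
    """Parse the CSV export into dicts with real dates (fixed_on None if open)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["first_seen"] = date.fromisoformat(row["first_seen"])
        row["fixed_on"] = date.fromisoformat(row["fixed_on"]) if row["fixed_on"] else None
        rows.append(row)
    return rows


def in_scope(row, scope):
    return (row["environment"] == scope["environment"]
            and row["business_critical"] == scope["business_critical"]
            and row["severity"] == scope["severity"])


def excepted(row, exceptions, as_of):
    """A finding is excepted only while its exception has not expired."""
    return any(e["host"] == row["host"] and e["cve"] == row["cve"] and e["expires"] >= as_of
               for e in exceptions)


def patch_sla_metric(findings, scope, exceptions, as_of):
    """Return (% fixed within SLA, assumptions) for scoped, non-excepted findings.

    Met: fixed within sla_days of first_seen. Missed: fixed later than that, or
    still open and already older than the SLA. Open findings younger than the
    SLA are in flight and excluded, so the ratio is None until something is
    measurable. A fix dated after as_of is treated as not yet applied.
    """
    sla = timedelta(days=scope["sla_days"])
    met = missed = in_flight = dropped = 0
    for f in findings:
        if not in_scope(f, scope):
            continue
        if excepted(f, exceptions, as_of):
            dropped += 1
            continue
        fixed = f["fixed_on"] if f["fixed_on"] and f["fixed_on"] <= as_of else None
        if fixed is not None:
            if fixed - f["first_seen"] <= sla:
                met += 1
            else:
                missed += 1
        elif as_of - f["first_seen"] > sla:
            missed += 1
        else:
            in_flight += 1
    measured = met + missed
    pct = round(100.0 * met / measured, 1) if measured else None
    assumptions = [
        f"Scope: {scope['severity']} findings on business-critical hosts in "
        f"{scope['environment']} only",
        f"SLA: fixed within {scope['sla_days']} days of first_seen; {in_flight} open "
        f"finding(s) younger than the SLA not yet counted",
        f"Exceptions applied (unexpired as of {as_of}): {dropped}",
    ]
    return pct, assumptions


def run_example(as_of_iso):
    """Metric for the constructed data as of an ISO date, e.g. '2020-06-01'."""
    pct, _ = patch_sla_metric(parse_findings(SCAN_CSV), SCOPE, EXCEPTIONS,
                              date.fromisoformat(as_of_iso))
    return pct


if __name__ == "__main__":
    pct, notes = patch_sla_metric(parse_findings(SCAN_CSV), SCOPE, EXCEPTIONS, date(2020, 6, 1))
    print(f"{pct}% of in-scope critical findings fixed within SLA")
    for note in notes:
        print(" -", note)
```

Re-running this against next week's export with the same SCOPE and EXCEPTIONS is the 'equivalent data from week to week' check; a change to either of those two structures is the change you document and tell downstream consumers about. Note that once an exception expires, its finding silently re-enters the metric, which is the intended behaviour but is exactly the kind of assumption that belongs in the notes shipped with the number.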

FEATURE

Keeping a secure hold on data through modern electronic content management

Paul Hampton, Alfresco

Proper storage of data is a security necessity. This is because data can often contain valuable company information, which is liable to fall into the wrong hands if not properly managed. The problem is growing in tandem with increased content creation – the world is full of data. It is estimated that the aggregate amount of data, which doubles in size every two years, measures 4.4 zettabytes (trillion gigabytes) and is likely to reach a massive 44 zettabytes by 2020.1

Companies are attempting to deal with this tidal wave of data, and emerging compliance guidelines and standards highlight that there need to be accompanying security guarantees. Companies need to keep a tight rein on their digital assets and institute a rigid content management system that utilises the latest technology to keep up with the data explosion. But that can be easier said than done.

Preventing sprawl

The lack of integration inside a business can promote the dangerous trend of content sprawl. This occurs when different departments do not harmonise their processes and there is no plan to address outdated content or to ensure that data is stored in the right way.

There are several other reasons why this happens. Organisations may have acquired other companies with existing technologies, or there may be groups of employees within an organisation who believe that the corporate systems do not work for them. They may feel like they have special technological needs and that they need different systems in place. They may start by using IT-sanctioned tools but then realise that they cannot give their colleagues access to files, so they create a public folder. If the person who originally created the folder leaves the company, then those files are still out there to be accessed by anyone. This leaves a gap in a company’s security safety net, making the rest of the company’s systems vulnerable to potential hacks or data breaches.

Even storing information on shared drives such as Microsoft OneDrive or Google Drive can be problematic. Most organisations need to manage multiple areas where files are being stored, but the problem with that is that there is no single source of information. Discovering the best modus operandi is difficult, and it is too easy to share information with too many people, including those outside of the organisation, with no traceability.

Mistakes often arise from employees using different versions of updated documents with file names such as ‘version x’ or ‘final version’. With multiple versions, possibly stored in multiple locations, this creates inefficiencies in the organisation, such as time wasted searching, decisions made using outdated information, or recreating information because it has been lost in cyberspace.

As soon as employees develop different preferences for systems, or do not have up-to-date content across the board, then companies have a problem on their hands. This does not just have an impact on productivity and the bottom line, it also impacts information security by leaving data vulnerable to being hacked or stolen. Checking network traffic to see what is being accessed provides information on what systems are being used. Assess all the ways that information is leaked, lost or placed in other areas. If an employee is using a tool that is not IT-sanctioned, then it may create an extra dimension of danger. Employees may also use insecure servers, which can lead to security issues.

Financial burden

Things can get particularly complicated for a company if litigation is involved. For example, if a company is taken to court and needs to provide all its evidence, and the necessary information is spread across many different systems, then it has to audit all those systems to find everything about a specific case, whether it is IP infringement, an HR disciplinary or any other equally serious matter. In these situations, auditors have to search through all the content systems to find everything on that topic and put it on hold. Because it is hard for companies to find the resources internally, this kind of work is often outsourced, which can come at considerable cost.

Having all files and servers controlled and secure is important to protect the company from added litigation issues as well as saving time and money. Rather than being retrospective, if an audit is designed to provide concrete opinions in relation to prospects and risks, auditors are likely to be more reliant than ever on

receiving extensive and reliable information from directors and management. An increased audit scope means an even greater risk of litigation, which may well increase the ‘audit burden’ and increase the costs involved.2

The dangers of dark data

Content sprawl also leads to large volumes of company data being hidden on non-conventional platforms. When a company cannot shed light on its data assets then this is known as ‘dark data’. Gartner defines dark data as “the information assets organisations collect, process and store during regular business activities, but generally fail to use for other purposes”.3 Dark data can present real problems around compliance, legal issues, productivity and costs of storage, so controlling it is integral to maintaining security in any business.

When reining in dark data, content control is the big focus that companies need to use to ensure they have a solid digital foundation. The issue is that employees rarely delete old content – storing documents such as old presentations and contracts in certain places when it is important, but neglecting to revisit these documents later to assess whether they are still useful. Documents can be left idle on non-secure platforms that do not have sufficient encryption and if they are forgotten about, then they are a potential hazard to the company. Many businesses are trying to migrate all their legal content away from Google Docs, for instance, due to fears around its security measures being lacking and susceptible to attack from hackers or viruses.

Figure 1: Obstacles to recovering dark data. Source: Splunk.

Dark corners of data

Any organisation looking at dark data should have several priorities on the list that require due attention. These priorities are necessary as part of any new organisational strategy in order to ensure optimum security. As an initial step, organisations should create retention schedules as part of an information governance capability that helps identify what needs to be kept, why and for how long. Putting information lifecycle procedures in place can also help to manage and secure data. Rather than keeping data on expensive hard drives, companies can migrate it to cheaper storage known as cold storage. This enables employees to still access it if necessary but can dramatically reduce the cost.

Additionally, creating an in-depth framework to organise and store content helps reduce the risk of content sprawl and security breaches. It also helps companies tackle the beast of dark data and lets employers and employees alike focus on their work. Removing the worry around data enables growth and can ultimately help businesses reach their goals. Is there a real need for this data or does it exist because someone has decided to set up their own system? It is critical to seek out ‘ROT’ – redundant, outdated or trivial content. This is content that companies can just dispose of and do not need to maintain.

Dark platforms are part of the great unknown and that is where IT and compliance teams lose control of valuable corporate information.4 Companies need to reinforce their security perimeters to make sure that all data and files are only accessible to employees as and when needed to do their job.

Information governance

To combat the dark data problem, companies need to utilise an up-to-date electronic content management (ECM) system. ECM systems are nothing new – they have been around in one shape or form since the genesis of electronic content, but many legacy systems are now often fundamentally insecure and potentially porous when it comes to leaking critical content. Outdated ECM systems also do not comply with tough new regulations and mandates. Furthermore, they are unlikely to offer the level of user experience that we have come to expect, which means that user adoption suffers.

As recently as a couple of years ago, over 50% of organisations noted that most content still lives outside the ECM system, in emails and file shares. This underscores the huge shift that organisations are trying to make and brings the

depth of the compliance and security issue to light. That content is all potentially susceptible to theft because it is not sufficiently encrypted, stored on safe servers or connected to accounts with security features like multi-factor authentication (MFA). However, having a controlled ECM system can ensure that content is housed in a centralised place featuring security measures and shielded from external forces.

Well-oiled machines

The biggest problem that prolongs security flaws in a company is the inertia that many decision-makers face when it comes to updating legacy ECM systems. Many organisations today hold off replacing a legacy ECM system until their current system is no longer sustainable. This process is incremental, with users perhaps first missing out on the capability to open newer file formats or sync for software updates. But the problem is exacerbated when security updates are not regular, or total vendor support lapses and no new updates are on the horizon. At best, employees will have to carry on with workarounds to perform daily tasks, increasing costs and wasting time. At worst, the entire system becomes a liability in the event of an exposed vulnerability, critical security breach, or an undiscovered bug that cripples a system and compromises the data. Any of these scenarios represents a huge operational problem, because ECM is one of the pillars of enterprise IT on which the business depends.

For instance, when users were asked to quantify how long before ECM downtime or malfunction would cause serious disruption, 30% said one hour or less; 47% would experience serious business disruption after 2 hours, and a total of 78% would struggle if their ECM capability was to be out of action for a whole day (see Figure 2).5

Figure 2: Answers to the question, ‘How long before a system outage or major slowdown of your most critical content application would cause serious disruption?’. Source: AIIM Industry Watch.

Fortifying digital defences

One of the most robust ways to safeguard data and ensure that software is constantly evolving to meet new challenges is to invest in open source technology. This is technology that can be viewed, edited and redistributed freely by the public, which means that it is often one step ahead of more restrictive software and it benefits from the hive mind.

This can be especially important as technology costs continue to increase, and compatibility with external products, new file formats and other technologies such as cloud and mobile may be an issue for proprietary software. Open source-based platforms offer night and day improvements when compared with proprietary software and may be a valuable alternative. Where proprietary software has been traditionally expensive and slow to change, open source platforms are agile and quick, often cost-effective and have the ability to be launched with less initial investment. Open source platforms are also often modular and customisable and therefore can be scaled up through cascading complexity. With ardent fans and a strong community following, open source could become the default in the future. Such platforms can accommodate the unique contours of any business and ensure that a customised and safe data infrastructure is in place.

When integration advantages are combined with new ECM systems, this also allows for better co-ordination of separate systems for enhanced communication. Unlike legacy ECM that does not easily connect with other core business systems, such as accounts receivable (AR), accounts payable (AP), ERP systems and business social platforms – causing data to be fragmented and therefore insecure – synchronising all the elements is a way to establish control.

Using up-to-date ECM systems is a new security prerequisite of the modern age. In nearly a quarter of organisations today, almost all staff require ECM to do their jobs. In a scenario where there is a productivity bottleneck, because proprietary ECM infrastructure cannot align with key applications, then unsustainable

Figure 3: Answers to the question, ‘Is your ECM/DM system integrated with the following enterprise applications?’. Source: AIIM Industry Watch.

costs of a workaround can develop. Staff or customers who require this compatibility can be left fumbling in the dark.

For these reasons, alignment and better integration for a legacy ECM is becoming a driver for migration. Over 25% of respondents found that their ECM system could not integrate with other enterprise applications (see Figure 3). Without integration a business can find itself having to deal with dark data, where departments do not share content and it gets lost in digital recesses, susceptible to cybercrime.

The road ahead

In the battle against dark data and content sprawl, content management solutions need to feature an updated ECM system as well as establish company-wide policies around data retention and disposal. In addition, utilising an open source ECM system with collaborative improvements will also help companies keep technologically up to date for security purposes.

Companies are keen to get everything they can out of data, but it is important to remember that not all data is necessarily good data. Old data can lose value and dark data can be a danger to the company. To truly thrive in the digital, data-driven age, organisations need to take a more rigorous approach to data control and content management to curb the possible negative impact of exponential data growth and maintain a competitive advantage.

About the author

Paul Hampton is the senior director of product marketing at Alfresco. He is currently the marketing director for Northern Europe (which includes the UK, Ireland, Benelux and Nordic regions) and has spent over 23 years in the IT industry. Hampton was at Ariba for four and a half years, carrying out a number of different marketing-related activities (product marketing, product management and field marketing). Prior to this, he spent over six years at Documentum and helped to launch EMEA operations, growing the company to over 200 strong within Europe. He also managed the pre-sales team at Interleaf, a desktop publishing vendor, for four years.

Resources

• ‘Protect critical assets: safeguarding data, apps and endpoints’. IBM. Accessed Jun 2020. https://ibm-security-solutions-protect-critical-assets-ebook.mybluemix.net.
• ‘Dark analytics: illuminating opportunities hidden within unstructured data’. Accessed Jun 2020. https://www2.deloitte.com/content/dam/Deloitte/is/Documents/technology/deloitte-uk-tech-trends-2017-dark-analytics.pdf.
• ‘Email Statistics Report, 2019-2023’. Radicati, Feb 2019. Accessed Jun 2020. www.radicati.com/wp/wp-content/uploads/2018/12/Email-Statistics-Report-2019-2023-Executive-Summary.pdf.
• Saxena, Sarang. ‘Dark Data and Its Future Prospects’. International Journal of Engineering Technology Science and Research, vol.5, issue 1, Jan 2018. Accessed Jun 2020. www.ijetsr.com/images/short_pdf/1516242268_510-515-.pdf.

References

1. EY, ‘Digital supply chain: it’s all about that data’. EY. Accessed Jun 2020. www.ey.com/Publication/vwLUAssets/Digital_supply_chain_-_its_all_about_the_data/$FILE/EY-digital-supply-chain-its-all-about-that-data-final.pdf.
2. ‘PwC Perspectives – The Future of Audit’. Lexology, 21 Oct 2019. Accessed Jun 2020. www.lexology.com/library/detail.aspx?g=cf002215-cc4e-46db-84fd-d50548117ef4.
3. ‘How to tackle dark data’. Gartner, 28 Sep 2017. Accessed Jun 2020. www.gartner.com/smarterwithgartner/how-to-tackle-dark-data/.
4. ‘The State of Dark Data’. Splunk. Accessed Jun 2020. www.splunk.com/pdfs/dark-data/the-state-of-dark-data-report.pdf.
5. ‘The Cost of Standing Still: Top 6 Reasons to Renovate Legacy ECM’. AIIM Industry Watch. Accessed Jun 2020. https://info.aiim.org/top-6-reasons-to-renovate-legacy-ecm.

FEATURE

Keeping critical assets safe when teleworking is the new norm

Gus Evangelakos, XM Cyber

The Covid-19 pandemic has upended almost every aspect of our lives – and work is no exception. With social distancing protocols in effect across the world, telecommuting (or remote work) has suddenly become the norm for many, rather than the exception. And the flexibility offered by remote work is a major benefit. The thought of pre-broadband and pre-cloud lockdowns and social distancing would have been enough to make any business owner or worker shudder, but now the infrastructure is in place to make this shift a viable prospect.

Yet our new professional reality also comes with some fresh challenges, made all the more acute by the unprecedented speed

11 June 2020 Network Security FEATURE

by which much of the world’s workforce has transitioned to telecommuting. Perhaps none of these challenges is more important than the need to safeguard critical corporate assets within an information security landscape that has been profoundly altered, almost overnight.

Hygiene problems

The adoption of telecommuting was surging long before Covid-19, however. According to Global Workplace Analytics, five million people in the US work at least 50% of their hours remotely, a number that has increased 173% over the past 15 years. Roughly 43% of Americans, meanwhile, telecommute “with some frequency”. While we lack strong data to represent the number of workers who became full-time telecommuters post-pandemic, we do have some figures that illustrate the magnitude of this shift. During the initial outbreak in Wuhan, China, Microsoft reported a 500% increase in Microsoft Teams meetings, calls and conferences. Videoconferencing software operator Zoom, meanwhile, added more users in the first six weeks of 2020 than it had in all of 2019, according to CNBC.

As remote work sees extraordinary growth, however, shadow IT concerns grow in tandem. Never in history have we seen a situation where the temptation to bring your own device, or use your preferred cloud-based consumer application, is so appealing to vast numbers of suddenly homebound workers. Even prior to Covid-19, shadow IT risks were underappreciated. Research from Gartner estimates that shadow IT represents up to 40% of overall IT spending in large enterprises, while also being responsible for nearly one-third of security vulnerabilities.

Workers at home – especially those who telecommute less frequently – are largely unprepared to manage these risks. It’s not merely a question of human error or adaptation, either. Working off-premises expands the attack surface by lessening protections. While in the office, firewalls, proxies, DNS filtering and so on mitigate threats when employees are web browsing. When these workers are home, those protections are often missing and employees are exposed, especially in the absence of a VPN.

New security gaps

Here’s a typical example of how basic remote work activities can create new vulnerabilities.

A worker has a new laptop and leaves the office. She connects to her home wifi and begins browsing personal email, social media and conducts web searches. This traffic may be unprotected without a DNS or proxy enforcement. The worker then opens an Excel document from her personal email, bypassing her office anti-spam solution. There is a macro that endpoint security doesn’t pick up – and the attacker now has command and control (C&C) communication back from that laptop. The worker then logs into the corporate network via VPN to connect to an on-premise server or other resources. The attacker now has access to the corporate network.

It’s a simple scenario – and one that could instantly jeopardise the ‘crown jewels’ of that worker’s organisation.

Covid-19 specific attacks

Attackers are also leveraging the public’s insatiable desire for news and advice related to Covid-19. Early research has already shown an alarming rise in hackers referencing Covid-19 for phishing and malware attacks.

According to the US Federal Trade Commission, email scammers are posing as representatives of the US Centres for Disease Control and Prevention. These attackers then send messages with malicious links and downloads, allowing them to penetrate IT systems and steal assets. The healthcare industry, in particular, has been targeted in this fashion.

With Covid-19 radically increasing the number of workers who operate outside the protective bubble of on-premises IT, scenarios like these become much more likely to occur, requiring some smart countermeasures to be taken by defenders.

Six critical security considerations

Now that we’ve outlined the pressures organisations are facing with expanded telecommuting, let’s take a closer look at some of the key security issues to consider as we move forward.
1. Rapidly deploying systems and images can leave your assets vulnerable. As you quickly expand your workforce, the need for speed sometimes forces security to take a backseat. To hedge against these risks, it’s important to carefully consider how the mandate for fast deployment creates new stresses on a security environment.
2. It may be necessary to make changes to firewall and VPN rules to allow communications to flow smoothly between remote and on-premises staff. These changes may open unanticipated doors or pathways. This means that it’s imperative to visualise how this communication flow should be optimised to protect critical assets and ensure business continuity.
3. When work laptops are at home, they are more vulnerable without DNS filtering and good next-generation antivirus. If your enterprise devices are borrowed by other family members, plugins, games and other software can greatly increase the risk factor.
4. IT admins working from home must still support users by installing software or making changes. Remote logins from these IT admins then cache credentials on user laptops, making it easier for an attacker to compromise elevated domain accounts. To avoid this, think about how you can identify where credentials can be harvested and how to remediate any issues.
5. Organisational cloud data access must also be thought through carefully. If you are creating new groups and policies for access to S3 and


Lambda, it is important to identify any misconfigurations that can open that data to an unintended audience. As we’ve seen countless times, one server misconfiguration can unleash a cascade of devastating security effects.
6. Finally, using a risk assessment solution that is continuous, comprehensive and consistent can help identify these risks as they happen in real time, helping protect the most important assets to your business. One such option is an advanced breach and attack simulation platform.

Let’s take a closer look at how these platforms work and the role they have to play in a world where remote work has suddenly become the norm.

Mitigating risks

In addition to remote workers expanding the attack surface, travel restrictions from Covid-19 can also hamstring an organisation’s ability to conduct regular penetration testing, red team exercises and security control tests. Given that these gaps can leave an organisation badly exposed to risk, it’s essential to address these changes with a solution that doesn’t require worker travel or physical proximity, yet still performs many of the same functions.

Breach and attack simulation (BAS) platforms fit that description. They work by launching continuous attacks that simulate the likely techniques and paths used by malicious actors to breach defences and exfiltrate key assets. By simulating attacks in a controlled environment, BAS platforms allow defenders to assume the mindset and tactics of an attacker, rather than taking a purely reactive posture. This allows organisations to stop attacks before they happen by seeing through the attackers’ eyes.

This approach is critical, as security is an asymmetrical game; hackers only have to succeed once, while defenders must be perfect. Attackers know this, and will patiently probe every opening, waiting for the one change or mistake that grants access.

Automated, continuous protection

After identifying vulnerabilities, BAS platforms then provide prioritised remediation recommendations to help eliminate any vulnerabilities uncovered by those simulations. In this sense, a BAS platform operates as an automated purple team – with one substantial distinction. Red and purple teams are highly manual and expensive to engage, which means such testing must be carried out episodically. Changes to a security environment that occur between testing periods may introduce new vulnerabilities that were previously unaccounted for, increasing the odds of a breach. The demands of social distancing will likely make testing exercises more difficult to stage with regularity, increasing these dark periods to a significantly greater degree.

To close these gaps, organisations need a solution that can test and help remediate on a continuous and automated basis – ideally with no on-premises implementation required. Only 24/7 testing in a production environment can offer a true understanding of evolving risk. BAS platforms fit this bill, and are uniquely positioned to solve the problem of testing gaps that are exacerbated by restrictions placed on travel or office-based work.

Security testing, however, is just one part of the picture. As mentioned above, today’s organisations must also contend with expanded attack surfaces, thanks to the extraordinary growth in remote work precipitated by Covid-19. An advanced BAS platform can help solve this by identifying all attack paths from any assumed breach point, including remote access, then modelling the likely consequences should an attacker gain access. Given that these platforms map an entire network, these products can play an important role in identifying and mitigating all shadow IT gaps.

For security and IT teams working remotely, a BAS platform can identify vulnerabilities arising from delayed system updates or patch management issues, ultimately providing a high degree of automated, continuous protection that can be executed and assessed remotely – the gold standard for asset protection in our current environment.

What to look for

When evaluating BAS platforms, there are a few attributes for interested organisations to consider. It’s a good idea to look for the following:
• The ability to safely simulate an advanced persistent threat (APT) against organisational assets. Given the elevated level of risk posed by APTs, and their ability to move laterally, steal assets, and remain undetected for months or even years, this is a key feature for any advanced BAS solution.
• Organisations should choose a platform that can identify every attack vector that can be exploited by attackers.
• An advanced BAS platform should also have the ability to protect critical assets within AWS environments – an even greater consideration in today’s world.
• Flexible architecture for cloud and on premises is critical.
• A good solution should have the ability to run with zero impact to a production network.
• Prioritised remediation recommendations to quickly close identified gaps are also key, along with validation of security controls.

By closely evaluating BAS platforms and looking for the features that ensure the most robust level of protection, organisations can make the best decision – and help protect their most closely held assets from dedicated attackers.

In conclusion

Remote working and the growth of cloud have long helped expand shadow IT challenges. The Covid-19 pandemic has acted as a radical accelerant for this trend, turning millions of formerly

office-bound workers into instant telecommuters. Many of these workers are not used to working outside the office. Many are also using new cloud collaboration and conferencing tools – or tools with which they may have only limited familiarity. To make matters more complicated, many of these same workers are now tasked with educating their children at home, ushering in an era of multitasking on an unprecedented scale.

Without firewalls, proxies, DNS filtering and VPNs to protect them, that’s a perfect storm for human error. The ambient stress of Covid-19 also makes workers more susceptible to phishing and malware, as bad actors prey on their fears with pandemic-related attacks. To help mitigate these risks, organisations should pay close attention to the six key security issues raised above.

Additionally, with penetration and security control testing likely to be disrupted to some degree, it makes sense to incorporate a risk assessment tool that is built around the principle of automated, continuous protection. The right BAS platform can protect critical assets by mapping a full network and pinpointing shadow IT gaps created by users attempting to solve new productivity challenges, such as file sharing.

In a new world where uncertainty is the norm and distance from the office is required, aggressive, 24/7 risk assessment and protection that can be deployed and operated remotely is the best available insurance policy for organisations that need to protect their crown jewels.

About the author

Gus Evangelakos is the director of North American field engineering at XM Cyber (https://xmcyber.com/). He has extensive experience in cyber security, having managed implementations and customer success for many major global brands such as Varonis, Bromium and Comodo. He has also spent a decade working on the client side, supporting IT infrastructure and cyber security projects. He has a strong background in micro virtualisation, machine learning, deep learning (AI), sandboxing, containment, HIPS, AV, behavioural analysis, IOCs and threat intelligence.

Safeguarding against the insider threat
Ben Bulpett, SailPoint

In 2019, data breaches were deemed the ‘worst on record’, up 26% from 2015 according to research from Forrester.1 But contrary to the popular image of hooded hackers hiding behind laptops, the survey also shows that 48% of these were actually down to workers.

Enter the ‘insider threat’ – revenge cyber attacks, hours of network downtime, and leaked payroll data all on the long list of consequences. In the past 18 months alone, malicious threats are reported to have led to seven billion exposed records globally. Examples of sensitive corporate information or even remuneration records leaked via social media have led to headlines around the world.

But while some instances might resemble a Hollywood movie plot, with recent leavers taking revenge on former employers, the insider threat can also be accidental, or unknowing. It might be the result of long-term employees breaking protocol, or more alarmingly, a hacker hijacking a user’s credentials without anyone realising.

Either way, protecting the identity of today’s digital workforce is vital. And this means ensuring that staff have access to corporate data on a timely, need-to-know basis, which is based on their identities and their identities alone.

A changing workforce

For many organisations, the insider threat is a tricky problem to keep under control. Job hopping, second careers and the ‘portfolio’ career are becoming all the rage, making digital access provisioning more complex than ever. The average tenure for a job position in the UK is about five years.2 In the US, it’s even shorter at four years, with those in the private sector moving around more on average compared to those in the public sector.3 Increasingly, a job is no longer for life.

You might say handling job leavers can be easy enough, provided the transition is smooth and without ill-feeling. However, sometimes the picture isn’t as simple. Employees might depart to join a competitor keen to hear their insights, or as a result of their position being eliminated altogether. It’s even more problematic if disgruntled employees with an axe to grind decide they’ve had enough. In fact, it’s believed that departing employees account for over half of all insider threats, with two out of three professionals admitting to taking data when they quit their job.4

All of this extends beyond business – politicians, for example, have been known to change allegiance as their affiliations change. With Brexit arguments intensifying, for example, more than 80 Members of Parliament (MPs) changed political parties in the past two years.

As staff come and go for different reasons, it’s crucial for companies to look into identity as the cornerstone of corporate security. Implementing a strong identity architecture provides increased visibility and control over data access in the organisation. This also helps bring

peace of mind to those responsible for corporate performance and compliance – especially important given that companies are responsible for safeguarding their own data, as well as being in line with privacy and compliance regulations related to customer data, such as the General Data Protection Regulation (GDPR).

How many times employees have put sensitive data at risk in the preceding 12 months. Source: ‘Insider Data Breach Survey 2020’, Egress.

Moreover, with the post-Brexit transition period upon us, businesses need to decide whether they need to open new offices, relocate staff or hire more people in particular locations. This potentially increases the attack perimeter and subsequently the risk of data breaches.

Remote working

Not only do we change jobs. Digital access provisioning is also being made more complex by more people working remotely from home. Over 60% of global companies now allow remote working, and we’re seeing an even greater shift towards this globally given the currently difficult circumstances which we’re facing.5 Moreover, many organisations boost their ranks with temporary workers, such as freelancers and contractors, to provide much-needed support during crunch times.

What organisations believe is the most likely cause resulting in intentional insider breaches. Source: ‘Insider Data Breach Survey 2020’, Egress.

A Deloitte report found that 87% of UK students with first- or second-class degrees said freelancing is ‘highly attractive’ and a ‘lucrative’ career option. Over 53 million people in the US freelanced last year, with 1.4 million pursuing such activities in the UK.6

With so many people working from a variety of locations, this can make it more difficult for IT teams to monitor the enterprise security perimeter, as hackers could be looking to take advantage of multiple user access points. With so much exposure, employees can therefore unwittingly become the ‘insider threat’, more vulnerable to being hijacked for illicit purposes. Staff could be accessing company data through an unprotected personal device, a public wifi hotspot from multiple locations, with company servers and databases slowing down for all as a result – all at the same time. All of these factors multiply each other, with visibility over access to data becoming more difficult to maintain. Even one identity being compromised can cost an organisation millions in damages.

Fortunately, this is where technology such as user identity platforms driven by artificial intelligence (AI) and machine learning (ML) come to the rescue. The latest identity solutions can provide geolocation alerts if a user who normally accesses the network in, say, Basingstoke, is suddenly accessing the network from Brazil, for example. These can help IT teams recognise abnormal access or behaviours that aren’t typical for the role or individual in question.
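The geolocation alerting described above, as an added example that is not SailPoint's product code or the author's: a small Python detector that keeps a per-user baseline of countries seen in recent accepted logins and raises an alert both for a login from a country outside that baseline and for ‘impossible travel’ between consecutive logins. The users, timestamps and locations below are constructed for the example, and the 900 km/h plausibility threshold and 30-day baseline window are assumptions.

```python
"""Geolocation-based anomalous access alerting (added example, not SailPoint code).

Two checks run over a stream of successful logins, per user:
  1. new_country      - the login country is not in the user's recent baseline
  2. impossible_travel - the distance from the previous accepted login could
                          not have been covered in the elapsed time
All events below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0            # assumption: roughly airliner speed; faster is implausible
MIN_DISTANCE_KM = 100.0          # ignore small jumps (home vs office, GeoIP noise)
BASELINE_WINDOW = timedelta(days=30)   # assumption: how far back the baseline looks

NEW_COUNTRY = "new_country"
IMPOSSIBLE_TRAVEL = "impossible_travel"


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime                # naive UTC timestamps in this example
    city: str
    country: str                  # ISO 3166 alpha-2 code
    lat: float
    lon: float


@dataclass(frozen=True)
class Alert:
    user: str
    kind: str
    detail: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two latitude/longitude points, in km."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def detect_anomalies(logins: list[Login]) -> list[Alert]:
    """Replay logins in time order and return the alerts raised.

    A login that raises an alert is NOT added to the user's baseline, so a
    hijacked session does not teach the detector that the new country is normal.
    """
    alerts: list[Alert] = []
    accepted: dict[str, list[Login]] = {}
    for event in sorted(logins, key=lambda e: (e.user, e.when)):
        history = accepted.setdefault(event.user, [])
        recent = [h for h in history if event.when - h.when <= BASELINE_WINDOW]
        known = {h.country for h in recent}
        flagged = False

        # Check 1: country not seen recently. A user with no baseline at all
        # (e.g. a new joiner) is not flagged here; there is nothing to compare.
        if known and event.country not in known:
            alerts.append(Alert(event.user, NEW_COUNTRY,
                f"{event.city}, {event.country} not in baseline {sorted(known)}"))
            flagged = True

        # Check 2: impossible travel relative to the previous accepted login.
        if history:
            prev = history[-1]
            dist = haversine_km(prev.lat, prev.lon, event.lat, event.lon)
            hours = (event.when - prev.when).total_seconds() / 3600.0
            if dist >= MIN_DISTANCE_KM and dist > hours * MAX_SPEED_KMH:
                alerts.append(Alert(event.user, IMPOSSIBLE_TRAVEL,
                    f"{dist:.0f} km from {prev.city} in {hours:.1f} h"))
                flagged = True

        if not flagged:
            history.append(event)
    return alerts


# Constructed sample: Alice normally works from Basingstoke, then a login
# appears from Sao Paulo two hours after her last Basingstoke login.
BASINGSTOKE = ("Basingstoke", "GB", 51.2667, -1.0876)
SAO_PAULO = ("Sao Paulo", "BR", -23.5505, -46.6333)
READING = ("Reading", "GB", 51.4543, -0.9781)

SAMPLE_LOGINS = [
    Login("alice", datetime(2020, 6, 1, 9, 0), *BASINGSTOKE),
    Login("alice", datetime(2020, 6, 3, 8, 45), *BASINGSTOKE),
    Login("alice", datetime(2020, 6, 5, 9, 0), *BASINGSTOKE),
    Login("alice", datetime(2020, 6, 5, 11, 0), *SAO_PAULO),
    Login("bob", datetime(2020, 6, 5, 8, 0), *BASINGSTOKE),
    Login("bob", datetime(2020, 6, 5, 10, 0), *READING),      # plausible short move
    Login("carol", datetime(2020, 6, 5, 9, 30), *SAO_PAULO),  # new joiner, no baseline
]

if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOGINS):
        print(f"[{alert.kind}] {alert.user}: {alert.detail}")
```

Running the sample raises exactly two alerts, both for Alice: the Brazil login is a new country for her and is 9,000-plus km from a login two hours earlier.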


Combatting the insider threat

Insider breaches continue to plague IT leaders – a recent survey across the UK, US and Benelux found that 97% of respondents listed insider data breaches as a major point of concern.7 Indeed, almost half (48%) of companies still have limited or no visibility into who is accessing their corporate data.8 Things must change, and fast.

The factors perceived as the biggest advantages in flexible or home working. Source: Merchant Savvy.

Identity has never been as strategically important to a company’s success before. However, it needs to be a board-level priority for any business to get its identity systems right. To manage the insider threat properly, organisations must invest in the right technology and ensure that identity is at the heart of cyber security and compliance risk assessment monitoring today and in the future.

Organisations must always aim to prevent – this is better than trying to cure. Next-generation compliance and corporate governance will include identity platforms that provide companies with risk-based alerting capabilities. This will enable IT leaders to detect suspicious or anomalous activities in real time, allowing them to stay informed and on top of any potential threats.

If businesses fail to adapt to the new employment landscape, they risk losing control of their cyber attack perimeter as well as their corporate data. Therefore, access must be granted with the goal of limiting this to only what is required by each user. This is critical in helping companies ensure that access privileges are appropriate and conform to policy.

Reducing access points

Another important issue to consider is how new technologies have multiplied usernames and passwords, increasing the number of access points for hackers to potentially take control of. While it’s not easy for businesses to stay three steps ahead, technology can help in many ways.

Governance-based identity and access management solutions, for example, can provide a single sign-on portal for users while minimising the exposure of shared passwords by enforcing strong and unique ones across an organisation. These solutions can also enable access to applications and data regardless of location, and then revoke access automatically when this is no longer required. These solutions can remove the legitimate access which hackers target most often, in turn freeing up organisations to focus on the areas of access that are most at risk.

Identity in the cloud

As remote working increases, more companies are moving their systems to the cloud. For organisations, it is paramount to ensure that the right users have access to the right information – when, where and how they need it.

Identity is the best way to do this – and this need not be restricted to just human employees. In addition to permanent staff, contractors, sub-contractors, or freelancers, it can include AI-led bots or even complex Internet of Things (IoT) systems. Identity platforms can govern any person, object or code that interacts with company information.

In particular, AI- and ML-led identity solutions will start playing a bigger role to support evolving business and individual employee needs. And, as the attack perimeter becomes more complex and fluid, AI and ML technologies will free IT directors from the burden of routine administrative identity tasks. These include access approvals and compliance reviews, which can and should be automated as a result of these technologies. Subsequently, this will allow them to focus on higher-risk security and business threats.

It’s important for organisations not to forget to continue to stress-test their systems and re-evaluate and update their security defences. Doing so will minimise the chances of vital business data getting into the wrong hands – whether the insider threat is unknowingly allowing this through insecure systems, or doing so with malicious intent.

For organisations small or large, fast-growing or maintaining their position in the market, identity must become a key component of their cyber security defence. Only then can they ensure they are an organisation which is being truly responsible in the modern working environment.

About the author

Ben Bulpett is EMEA identity platform director at SailPoint (www.sailpoint.com). He is responsible for supporting customers and partners across EMEA, enabling them to manage their identity and access governance platforms more effectively and protect against cyberthreats and data theft and fraud across all data types.


References

1. Bolden-Barrett, Valerie; Schwartz, Samantha. ‘Forrester: To stay secure, employers must balance insider threat protection and employee rights’. CIO Dive, 6 Jan 2020. Accessed March 2020. www.ciodive.com/news/forrester-to-stay-secure-employers-must-balance-insider-threat-protection/569851/.
2. Hope, Katie. ‘How long should you stay in one job?’. BBC News, 1 Feb 2017. Accessed March 2020. www.bbc.co.uk/news/business-38828581.
3. ‘Employee Tenure Summary’. US Bureau of Labor Statistics, 20 Sep 2018. Accessed March 2020. www.bls.gov/news.release/tenure.nr0.htm.
4. Gopalakrishnan, Chandu. ‘Black Hat Europe 2019: Did your employee leave with the data?’. SC Media, 5 Dec 2019. Accessed March 2020. www.scmagazineuk.com/black-hat-europe-2019-employee-leave-data/article/1667877.
5. ‘Global Remote Working Data & Statistics’. Merchant Savvy, 2020. Accessed March 2020. www.merchantsavvy.co.uk/remote-working-statistics/.
6. ‘Freelance Statistics: The Freelance Economy in Numbers’. Free Train, 29 Aug 2019. Accessed March 2020. https://freetrain.co/freelance-statistics/.
7. Gopalakrishnan, Chandu. ‘Insider data breaches continue to worry IT leaders’. SC Media, 19 Feb 2020. Accessed March 2020. www.scmagazineuk.com/insider-data-breaches-continue-worry-leaders/article/1674454.
8. ‘93% of IT Security Leaders to Maintain or Increase Identity and Access Management Spending – Study’. SailPoint. Accessed March 2020. www.sailpoint.com/news/93-per-cent-security-leaders-maintain-increase-identity-access-management-spending-study/.

Keep security top of mind when moving into the cloud
Thomas Deighton, Westcon and Michael Wakefield, Check Point

Anybody operating in the technology or IT space in recent years will be aware of the many benefits of moving to the cloud. Cloud adoption is soaring, with 88% of UK organisations already having adopted cloud services, and 67% of users expecting to increase their use of the cloud.1 The multitude of reasons includes, among others, the lower costs of infrastructure and maintenance, increased flexibility and the ability to streamline operations.

However, alongside all the advantages and reasons to use the cloud in one form or another, it is critical to keep in mind the importance of security when moving to cloud platforms. The defence of sensitive data and information is no less important when it is stored or used in the cloud than on premise.2,3 It is therefore vital for businesses looking to make the move into the cloud to understand why and how it has become so popular and the importance of securing it, as well as the steps that IT professionals can take to ensure that security.

Growing popularity

Among the many reasons for the growing popularity of the cloud are the financial benefits of relatively low upfront costs compared to local data storage, and low ongoing maintenance costs. Moving from capital expenditure (CAPEX) to operational expenditure (OPEX) is a significant advantage for many organisations.

As well as the low costs, there is the advantage of quick and easy deployment when using a managed cloud service, and clear advantages to using the cloud from an operational point of view. These include improved opportunities for collaboration and agility within the workforce, including the potential for more employees to work remotely and still benefit from the same user experience of being on the same system.

Furthermore, using the cloud can even allow IT teams to free up time and resources, stopping technical staff from having to spend so much time and effort maintaining physical infrastructure, instead allowing them to place more focus on innovation and product development, allowing businesses to expand and grow.

Dark clouds on the horizon?

However, there are some potential security issues that can arise when using cloud computing services. In fact, for many years, the biggest barrier stopping businesses from adopting cloud computing solutions was the perceived security risks that came with the transformation. The idea of relinquishing control of data and essential applications, putting potentially sensitive information and systems in the hands of a third party, was of extreme concern for IT professionals and business decision-makers. Organisations need to be reassured about the security


of their data before they undergo the transformation.

Companies are increasingly using the cloud to store files that contain sensitive data, and when data breaches are such a prevalent risk in cloud storage, it’s no wonder that users are sometimes mistrustful. There is also a potential risk associated with cloud computing services if the terms and conditions of the service claim ownership over the data that is uploaded to them.

Primary types of data stored in the cloud. Source: Gemalto/Ponemon Institute.

Transitional threat

One of the main reasons why moving into the cloud can pose a threat to an organisation’s cyber security is because it is a transition. As with any transitional period, there is an inherent element of risk. There is a greater potential for human error in setting up new systems or moving from one to another, rather than keeping things the same as they always have been.

Changing or transforming the way an organisation does more or less anything – especially when it comes to the storage or use of sensitive data and systems – does present potential vulnerabilities, but these can largely be combated through simple security measures. For example, ensuring that you know about the cloud that you are moving into and understand the security processes associated with it can help deal with many issues.

A study found that 21% of files that are uploaded to cloud-based file-sharing services contained sensitive information, including intellectual property, and that number is consistently on the rise.4 The fact that one in every five files uploaded into a cloud storage system contains sensitive – and therefore potentially monetisable – information makes cloud systems a real target for cyber criminals. It is critical that cloud security is sophisticated enough to stay ahead of new and innovative cyberthreats.

The weakest link

As with many security risks, the majority of vulnerabilities that are present within the cloud are human-initiated. For many, this will invoke thoughts of an external threat actor, hacking their way into the network. However, this typical image is not always accurate – contractors, employees, or in fact anybody with access to systems can present just as much of a threat. And they needn’t always be malicious insiders or disengaged employees. There are plenty of cases and issues where security flaws are down to a simple human error, such as misconfiguring a security platform, losing or accidentally sharing log-in details, or accessing a secure cloud over an insecure connection – for example, an employee logging in using the public wifi network in a cafe. However, the fact still remains that whether it be malicious or human error, most security risks come from people.

The types of data stored in the cloud that are considered to be most at risk. Source: Gemalto/Ponemon Institute.

This perspective and scale may make the issue seem insurmountable; if anybody and everybody is capable of making a decision or a mistake that could result in the security of the company’s data being compromised, then how can the potential threat be managed? The simplest way is making sure that

18 Network Security June 2020 FEATURE everybody within your organisation and targeted threats. The onus is on and cyber criminals finding ways around understands that they are responsible for the customer to ensure that there is suf- the current security measures. security. When everyone who has access ficient security at the data upload end, At the end of the day, your security to the cloud understands the implica- such as making sure their own network solution, however sophisticated and tions of being slack or negligent when and system is secure. Uploading files agile it may be, is only as good as its it comes to security, and is fully trained that are insecure or contain viruses can user. Having a prepared and well-trained and equipped with the necessary knowl- give cyber criminals access to the cloud team will not only help with your cloud edge and tools, the risk is significantly from the inside, but this is an area for security. Using training programmes and reduced. which the cloud provider cannot be held educating a team, or using a specialist accountable, so there is responsibility third-party operating team, will ensure Shared responsibility from a customer perspective in terms of that your cloud files are safe and secure keeping your account secure. from cyber criminals. The cloud provider is responsible for lots of areas of the service they pro- The silver lining About the authors vide to you, as well as many aspects of Thomas Deighton is a business unit direc- security when it comes to your data. The key to keeping your data and sys- tor at Westcon, an international distribu- However, there are some areas which tems secure lies in making sure that the tor of business technology. the user must take responsibility for. security really works for your organisa- Michael Wakefield is head of channel This is known as the shared responsibil- tion. Every cloud system is different and sales, UK & Ireland, at cyber security ity model. 
every client using the system is differ- solutions company Check Point. ent. You shouldn’t have to compromise “The onus is on the customer your security to find a cloud system or References to ensure that there is cloud security tool that works for your 1. Horton, Christine. ‘UK Cloud sufficient security at the strategy, and you shouldn’t have to com- Adoption Hits a High’. ChannelBiz, data upload end, such as promise your strategy either just to find 14 Mar 2017. Accessed May 2020. a system that will keep you safe. www.channelbiz.co.uk/2017/03/14/ making sure that their own Making sure that your cloud security uk-cloud-adoption-hits-high/. network and system is secure. solution is up to date as well is also key 2. Seals, Tara. ‘Ponemon: Cloud Uploading files that are in this day and age. There is no point Adoption Grows as Security Lags’. insecure or contain viruses can in putting time and effort into selecting InfoSecurity, 27 Jul 2016. Accessed give cyber criminals access to and sourcing the ideal security solution, May 2020. www.infosecurity-mag- the cloud from the inside” but letting it become outdated by fail- azine.com/news/ponemon-cloud- ing to update it. Just as cyberthreats and adoption-grows-as/. criminals are evolving, growing in speed 3. ‘Gemalto and Ponemon Institute Under this model, the cloud provider and sophistication, so should your secu- Study: Cloud data security still a chal- is responsible for the security of the rity adapt and evolve. lenge for many companies’. Gemalto/ cloud itself, and the customer is respon- Being secure is one thing, but staying Ponemon Institute, 26 Jul 2016. sible for security in the cloud. This secure is quite another. A cloud security Accessed May 2020. www.gemalto. 
means the provider will ensure that the system should adapt with the chang- com/press/pages/gemalto-ponemon- servers, network and wider infrastructure ing cyberthreat landscape and be able to institute-study-cloud-data-security-still- are secure, but the responsibility for con- tackle current issues, protecting your data a-challenge-for-many-companies.aspx. figuring the software properly lies with against new and unexpected threats as 4. Coles, Cameron. ‘9 Cloud the customer. they evolve. If there is a trend of cyber- Computing Security Risks Every While the provider will often also crime coming from a certain area or angle Company Faces’. McAfee. Accessed provide basic additional security tools, from within the cloud then the security May 2020. www.skyhighnetworks. the customer is responsible for sourcing system should be able to deal with the com/cloud-security-blog/9-cloud- and using more sophisticated security threat. However, it should also be capable computing-security-risks-every-com- systems, to defend against advanced of evolving to deal with changing threats pany-faces/.
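Under the shared responsibility model described above, configuring the storage service correctly is the customer's job, and a bucket policy that grants access to everyone is the classic way that job goes wrong. The check below is an added example, not the authors' or any provider's code: it reads a bucket policy in the AWS S3 policy JSON format and reports Allow statements that an anonymous caller could use. The two policies, the bucket name and the account id in them are constructed for illustration.

```python
import json

# Constructed sample (not a real organisation's policy): a bucket policy that
# leaves every object readable by anyone on the internet.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

# Constructed hardened counterpart: reads limited to one named role (placeholder
# account id) and an explicit deny of requests made without TLS.
RESTRICTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})


def _is_wildcard_principal(principal):
    """True when the Principal element grants access to anyone ("*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_statements(policy_json):
    """Return (public, needs_review) lists of Sids.

    public: Allow statements with a wildcard principal and no Condition, which
    any anonymous caller can use. needs_review: wildcard statements that carry
    a Condition; conditions are not evaluated here, because only some condition
    keys really restrict who can call, so a reviewer must inspect them.
    """
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    public, needs_review = [], []
    for s in statements:
        if s.get("Effect") != "Allow" or not _is_wildcard_principal(s.get("Principal")):
            continue
        (needs_review if s.get("Condition") else public).append(s.get("Sid", "<no Sid>"))
    return public, needs_review
```

Running the check over every bucket policy an account holds, as part of a scheduled review, turns the "who is responsible" question into a concrete list of statements to justify or remove.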



The Firewall
Trusting the CISO
Kate MacMillan, security consultant

Many of us can remember when the title of chief information security officer (CISO) was brand new and promised much. The elevation of information security to the C-level seemed to herald a new age where security was finally seen as a business-critical issue, and the concerns of specialists would finally be heard among the top echelons of the organisation.

And, indeed, some of that has come to pass. Driven more by damaging headlines than anything security practitioners might have said, CEOs and other top executives are being kept awake at night by the fear of a major, business-crippling breach. More money than ever (although never enough) is being spent on security systems and training. And more organisations than ever have an employee with that CISO job title.

However, all is not perfect and one of the biggest problems seems to be the persistent disconnect between the security function and the business as a whole. And this is being exacerbated by the move to the cloud, which is typically a business-driven process, leaving the security function to play catch-up.

A recent survey by Oracle and KPMG reveals a messy picture. More than three-quarters (78%) of organisations are using more than 50 separate cyber security products, and 37% have more than 100. While three-quarters of IT professionals think that cloud services have better security than their own datacentres, most (92%) do not trust their own organisation to secure public cloud services. And only 8% are confident that they understand the shared responsibility that comes with using cloud services.

Not knowing who is responsible for doing what (or even how you secure cloud-based implementations in the first place) leaves a lot of gaps that attackers can exploit. A common weakness is misconfiguration of cloud services – after all, how many times have we read of AWS buckets containing sensitive information being left publicly available with no password protections?

Some 90% of companies are using software as a service (SaaS) and 76% are using infrastructure as a service (IaaS). The IT department will be responsible for many of these implementations, but whether they fully involve security specialists in the process is another matter. And often it’s an individual team – even an individual person – who sees no harm in running up a quick server on Digital Ocean, storing some data in an AWS bucket or sharing files with colleagues over Dropbox as a matter of convenience. No wonder that three-quarters of IT professionals say their organisation has suffered data loss from a cloud service more than once.

It all comes back to responsibility and you would imagine that, somehow, the CISO would be at the centre of all this activity. But perhaps the most concerning result from this survey is that many organisations appear not to have a great deal of trust in their CISOs. It says that: “69% report their CISO reacts and responds to public cloud projects only after a cyber security incident has occurred”. More than half (53%) of organisations have created a new position – the business information security officer (BISO) – to work alongside the CISO in an attempt to improve the security culture throughout the organisation. Does this suggest a lack of engagement by CISOs with the business side of the organisation? Or are business units and executives failing to grasp that a ‘security first’ culture is the only way to reduce risk as much as possible? Either way, there’s still a dangerous disconnect, and adding a new job title feels an implausible way of fixing it.

The report is here: https://bit.ly/2MaGRtG.

EVENTS CALENDAR

Due to the Covid-19 pandemic, many conferences are being cancelled, postponed or converted into virtual events. The events listed here were still planned to proceed at the time of publication.

1–6 August
Black Hat USA
Virtual conference
www.blackhat.com/us-20/

6–9 August
DEF CON Safe Mode
Virtual conference
www.defcon.org

1 October 2020
ArcticCon
Anchorage, Alaska
https://arctic-con.com

6–8 October 2020
Critical Infrastructure Protection & Resilience Europe
Bucharest, Romania
www.cipre-expo.com

7–8 October 2020
International Cybersecurity & Intelligence Conference (ICSIC)
Toronto, Canada
https://www.icsicanada.org

8 October 2020
Florida Cyber Conference
Orlando, Florida, US
https://flcybercon.com

14–16 October 2020
International Conference on Digital Forensics & Cyber Crime (ICDF2C)
Boston, US
http://icdf2c.org

20–21 October 2020
600Minutes Information and Cyber Security
Stockholm, Sweden
https://bit.ly/3bNwTcr
