“Public GitHub is 54 often a blind spot in the security team’s perimeter”

Jérémy Thomas Co-founder and CEO GitGuardian

Volume 5 | Issue 06 | June 2021 Traceable enables security to manage their application and API risks given the continuous pace of change and modern threats to applications.

Know your application DNA

Download the practical guide to API Security

Learn how to secure your API's. This practical guide shares best practices and insights into API security. Scan or visit Traceable.ai/CISOMag EDITOR’S NOTE

DIGITAL FORENSICS EDUCATION MUST KEEP UP WITH EMERGING TECHNOLOGIES

“There is nothing like first-hand evidence.” Brian Pereira - Sherlock Holmes Volume 5 | Issue 06 Editor-in-Chief June 2021 f the brilliant detective Sherlock Holmes and his dependable and trustworthy assistant Dr. Watson were alive and practicing today, they would have to contend with crime in the digital world. They would be up against cybercriminals President & CEO Iworking across borders who use sophisticated obfuscation and stealth techniques. That would make their endeavor to Jay Bavisi collect artefacts and first-hand evidence so much more difficult!

As personal computers became popular in the 1980s, criminals started using PCs for crime. Records of their nefarious Editorial Management activities were stored on hard disks and floppy disks. Tech-savvy criminals used computers to perform forgery, money Editor-in-Chief Senior Vice President laundering, or data theft. Computer Forensics Science emerged as a practice to investigate and extract evidence from Brian Pereira* Karan Henrik personal computers and associated media like floppy disk, hard disk, and CD-ROM. This digital evidence could be used [email protected] [email protected] in court to support cases. Assistant Editor Director of Marketing Augustin Kurian Nandakishore Until then, forensics was straightforward. Investigators had to locate the media and extract the data. They ran into a wall [email protected] [email protected] if the files were password protected or encrypted, but experts soon found a way around that challenge. Sr. Feature Writer General Manager - Marketing Rudra Srinivas Seema Bhatia Then computers were connected to the networks, and eventually to the Internet. And the trail got longer and ran into a [email protected] [email protected] maze. So, we had a new branch, Network Forensics. Sr. Technical Writer Senior Director Mihir Bagwe Raj Kumar Vishwakarma As technology evolved through the years, cybercrime extended to the Web, the cloud, and mobile devices. Malware [email protected] [email protected] became more sophisticated, and today we have ransomware. Sub Editor Head - Research & Content Pooja Tikekar Jyoti Punjabi Smartphones with watertight encryption came along, and that posed a huge challenge to forensics investigators. Do pooja.v@eccouncil.org [email protected] you remember the Apple iPhone incident a few years ago, when the FBI asked Apple to unlock the iPhone of a criminal? Publishing Sales Manager Apple refused. The tussle between the FBI and Apple was holding up the investigation until a third-party finally figured Taruna Bose out how to unlock the iPhone. [email protected]

Manager - Digital Marketing Today, forensic experts travel to different countries to find digital evidence, as cybercrime is performed across borders. Rajashakher Intha These digital forensic experts are the modern-day version of Holmes investigating clues left by criminals. [email protected]

Asst. Manager Visualizer cum Graphic Designer Emerging technologies and borderless cybercrime have made Digital Forensics more challenging than ever. Jeevana Rao Jinaga [email protected] So how do we counter all this with a completely different strategy? Manager – Marketing and Operations Munazza Khan SURVEY & REPORT [email protected] To better understand the challenges and state of readiness in implementing Digital Forensics in emerging technologies, CISO MAG, in collaboration with EC-Council’s CHFI group (Computer Hacking and Forensic Investigation), launched a

Image credits: Shutterstock & Freepik Technology Trends Survey in April 2021. The resulting report included in this issue offers an in-depth analysis of how Illustrations, Survey Design, Cover & Layouts by: Jeevana Rao Jinaga important it is to incorporate the effects of digital forensics on emerging technologies into the curriculum of digital forensic education.

* Responsible for selection of news under PRB Act. Printed & Published by Brian Pereira, E-Commerce Consultants Pvt. Ltd., The key findings of the survey, as well as the insights provided by experts in our Focus on Forensics section, will be an The publishers regret that they cannot accept liability for errors & omissions contained in this publication, howsoever caused. The opinion & views contained in this eyeopener for those seeking training and a career in Digital Forensics. publication are not necessarily those of the publisher. Readers are advised to seek specialist advice before acting on the information contained in the publication which is provided for general use & may not be appropriate for the readers’ particular circumstances. The ownership of trade marks is acknowledged. No part of this publication or any part of the contents thereof may be reproduced, stored in a retrieval system, or transmitted in any form without the permission of the publishers in writing. And it surely is a career with a lot of opportunities! INDEX

SURVEY

Bringing Implementing Contents Forensics Education Digital Forensics FOCUS ON Up to Speed in Emerging DIGITAL FORENSICS Technologies

72 82

Is Forensics Possible in a 8 COVID-19 scenario? The Dark Side Beware of the Return to Office: of the Attack How Organizations Can Protect 22 How Digital Forensics on Colonial Complements Cybersecurity Against Pandemic Sleeper Threats Pipeline 32 Challenges and Applications of Digital Forensics 40 112

“Public GitHub is often a blind How to Know Mobile Side of spot in the Technology Adoption security team’s When it’s Time Still Continues to perimeter” to Break Up with Your Tech Present a Challenge Jérémy Thomas Provider Co-founder and CEO Ritesh Chopra Director Sales and Field Marketing, GitGuardian India & SAARC Countries NortonLifeLock

54 62 120 130 FOCUS ON DIGITAL FORENSICS

Is Forensics Possible in a COVID-19 scenario?

Narendra Sahoo Founder and Director VISTA InfoSec

he COVID-19 pandemic has created While the entire world is focusing on health, havoc not just in the lives of people the economy, and restoring normalcy, Tbut also rocked the business world criminals are constantly capitalizing on the globally. With countries going into lockdown, situation to stage a well-planned cyberattack. businesses are today forced to adapt Not only does the incident of cyberattack to the situation and operate remotely. have severe reputational, legal, operational, With this, businesses are confronted with and compliance implications, it also severely new challenges and threats. Although impacts the forensic investigation. Speaking organizations around the globe have adopted more on this, we have explained in the article the work-from-home operating model, this the challenges of remote working, pre- has opened doors to malicious cyberattacks. requisites to prevent incidents of the breach, With the new working norms and companies the protocols to be followed in case of a accelerating their digital transformation, data breach, and all the nitty-gritty of cyber cybersecurity is now a major concern. forensics. The article provides insight on the impact of remote working on Cybersecurity, and the process of cyber forensics in case of a breach.

8 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 9 FOCUS ON DIGITAL FORENSICS

What happens in Cyber Forensics? Cyber Forensics Investigation that organizations should follow in case of the exploited security vulnerabilities, identify a data breach. Once there is a breach, the immediate steps that can be taken to limit the Handling a data breach incident in a Before the pandemic, when a data breach organization should follow a few essential loss, and determine steps for resolution and normal scenario is very different from the incident occurred, organizations had to follow steps immediately to limit the impact of the improvements. If an attack is confirmed, it is current situation for both the organization a specific protocol to respond and contain breach. well advised to hire external professionals to and the cyber forensic team. Before the the incident. With that, a cyber forensic team investigate and take steps. pandemic, when businesses were running in investigates the situation at the location and Protocol to be followed in a Data a controlled environment, even in case of a helps the organization respond, recover and Breach Incident Step 2: Contain the Situation data breach, immediate response, measures resolve the incident. The process of handling to contain, and investigations helped lower the incident involves two primary steps Step 1: Survey the damage Once the organization determines the impact the impact. However, now in the pandemic which include: of the incident, security vulnerabilities, and situation, with the remote working model, Once the organization discovers the data the attackers they should take steps to the situation is completely different. Not only • Responding and Containing Incidents breach incident, the Information Security contain the damage. This should include has this increased the risk of a cyberattack, • Investigating the Incident and Collecting Officer along with the designated information steps like: but it has also hampered the process of Evidence security team should conduct an internal investigation and containing the situation in investigation. This is to first determine • Isolating the compromised network case of a data breach. But, before we get into While the approach taken by the organization whether an incident has happened and to • Filter or block traffic the details of the challenges faced in cyber may vary based on their priorities, severity of access the impact of the incident on critical • Re-route network traffic forensics during the pandemic, let us first the incident, and impact of the incident, there business functions. They further need to • Temporarily disable remote access understand the process of a cyber forensics are certain basic protocols organizations conduct an in-depth investigation to identify capability and wireless access points investigation. must follow. Given below is a list of protocols the attacker/source of the attack, discover (situation-based)

10 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 11 FOCUS ON DIGITAL FORENSICS

• Change Access Control credentials enforcement or regulators. The notifiable • Segregate all hardware devices from the breach should be reported at the earliest but infected system or network not later than 72 hours after being aware of • Isolate and quarantine identified malware the breach. The duration depends primarily rather than deleting it (for future analysis on the local regulatory framework, compliance and evidence) requirements, and client SLA. Reporting should • Preserve firewall settings, firewall logs, be done only by approved official channels system logs, and security logs for future and personnel. All other personnel should analysis and evidence be explicitly prevented from sharing any information with anyone, whether internal or Step 3: Record and file details external to the organization.

Once the survey is conducted and situations are When reporting the incident of the breach, the contained, the information security team must organization will have to provide the following maintain a written log of all the actions taken details to the regulator: to respond to the breach. The information that should be collected and filed must include: • Description of the nature of data breach • Approximate number of individuals affected • Details of the affected systems • Nature of the data which is breached • Compromised network and accounts • Name and contact details of the Data • Services disrupted due to the breach Protection Officer • Data and network affected by the breach • Severity of the data breach • Amount and type of damage done to the • Description of measures taken to contain systems the impact and handle the data breach

Other details that should be documented must In case the data breach involves a large number include details like how you learned about the of people affected, then the regulator may breach, the date, and time you were notified, contact the media. how were you notified, all actions taken between now and the end of the incident, Step 5: Inform those affected date and time you isolated systems infected, and disconnected from the Internet, disabled Individuals affected by the incident of breach remote access, changed credentials/passwords, must be informed and notified about the risk. and system hardening or any other remediation The individuals may be notified via phone, steps taken over time. email, or in person. However, the information provided to them will be restricted to avoid Step 4: Inform the Regulators unauthorized disclosure. When notifying the incident to individuals, the organization will In case of a breach, the organization should have to provide the following details in clear immediately report the incident to law and plain language:

12 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 13 FOCUS ON DIGITAL FORENSICS

• Nature of the data breached • Name and contact details of the Data Protection Officer • Description of the likely consequences of the data breach • Description of measures taken and actions that may be implemented to deal with the breach • Description of the measures taken to mitigate any possible adverse effects • Give specific and clear advice on steps to be taken to protect themselves • Mention the kind of assistance you may offer them to take any specific measures

Step 6: Analyze the Breach Incident

A data breach can greatly impact the organization in terms of reputational loss, monetary loss, and other legal implications. So, with such a bitter experience, the organization must analyze and take note of the incident to establish a strong cybersecurity defense and Incident Management Response. This will enable them to take preventive measures in the future and further enable them to handle the incident better. The organization must analyze the incident by:

• Documenting all the mistakes • Assess the mistakes and listing out preventive measures for the future • Design a training program and incorporate lessons learned in the program

COVID-19 and Cyber Forensics Challenges As we know, the COVID-19 pandemic has pushed companies to operate remotely and adapt to the new working style for most businesses.

14 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 15 FOCUS ON DIGITAL FORENSICS

This has severely affected the cybersecurity for which ensuring the preservation of measures and initiatives of organizations trails is essential. However, in situations that otherwise work as a strong defense like these, there is a high probability of against any cyberthreats. Moreover, in the evidence contamination or destruction, current scenario when the breach occurs, especially in an uncontrolled environment the cyber forensic team faces exasperating where it is difficult for the team to track challenges that severely hamper the down the trail of incidents. investigative process. Listed below are some • Actionable Measures - Taking decisive of the challenges that the forensic team and actionable measures can also be faces in the current scenario that makes the a task in this scenario. With no trail of investigation process extremely difficult: evidence, or identification of attacker, the exploited security vulnerabilities, or • Investigating the environment - Under the systems and networks compromised, normal circumstances, the investigation taking any decisions or implementing is a lot easier for it is performed in any action can be difficult. For instance, a controlled environment using well without identifying the exploited configured and company-approved security vulnerabilities or the systems hardware/software. However, in a and networks compromised, isolating remote working scenario, with systems the compromised network or filtering, and networks operating in a neutral and blocking or re-routing of network traffic publicly accessible environment, it makes can be a huge challenge. the investigation challenging. Moreover, identifying the attacker, discovering the With challenges like these, the organization exploited security vulnerabilities, and and the forensics team will be in no position to determining the systems and networks perform or close an investigation. However, compromised can be very difficult. if organizations come up with a process to • Containing situations – This can be deal with situations like these and train their very challenging during the pandemic staff accordingly, things can probably be a lot as the entire office is running remotely. easier. Ideally, organizations must conduct Taking preventive measures like training programs for staff to deal with such isolating the network, changing access situations. Moreover, conducting regular control credentials, dealing with service awareness programs on prevailing threats disruption, and ensuring Business will also alert the staff about the potential Continuity becomes a nightmare. threats they may encounter with time. We • Evidence Gathering – It is extremely also believe that having in place strong difficult for the organization and the security measures, designed for the work- forensics team to prevent contamination from-home model will give the organization of evidence. The isolation and collection of an edge in the prevailing situation. evidence is a crucial part of investigation

16 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 17 FOCUS ON DIGITAL FORENSICS

Here is a summary of pre-requisites that to avoid becoming victims of such scams. For instance, the cloud-based secure virtual organizations must follow and have in place to E-learning or web-based training programs desktop services provide IT professionals prevent incidents of a breach. can be a good solution. with remote access to employee’s systems, including files and networks. Further, Pre-requisites to prevent incidents Cloud Security deployment of Cloud-based data leakage prevention and threat-protection controls In this new environment and working model, Organizations should be swift with deploying can secure critical assets. Moreover, the the organization and its internal Cybersecurity technologies and solutions that are effective cloud-based managed detection and team must be proactive in implementing and quick to deploy. For instance, considering response technology can be extended to measures and monitoring crucial systems the adoption of a cloud-based solution. remote workplaces. and data. Constant vigilance and aggressive Further, implementing strong cloud-based confrontation of potential risks are the need security and platform services will ensure VPN Set-up of the hour. Having said that, here are some safe business operations. This initiative adds measures that can help businesses deal with additional layers of protection and enhances One way of ensuring good security is the prevailing situation: the layers of security. With cloud-based using a Virtual Private Network (VPN). VPN security, the internal IT security team can allows a secure connection by providing Work-from-home Policy also manage and monitor systems remotely. an alternative IP address to your network while bringing in traffic to your network. It Create a work-from-home policy that includes provides security by protecting the browsing all the guidelines that staff members working activity from hackers and scammers on remotely need to follow. It should outline public Wi-Fi. It also helps bypass geographic necessary steps that need to be taken on ways restrictions on websites or even streaming to access systems, data restricted from sharing, audio and video. The technology helps hide and other related details. Establishing a proper your private information and even prevents policy will eliminate more than half of your data-throttling. Moreover, VPN encrypts data cybersecurity problems. Moreover, remote transfer thus ensuring data protection. workers will know the guidelines and practice their work process accordingly, to meet the PAM requirements and working standards of remote cybersecurity. Organizations can also use Privileged Access Management (PAM) services to Awareness programs allow special remote access to their IT and application administrators. With multi-factor For starters, the organization should educate authentication including biometric and text- its staff members working from home about based methods, it can enable security on various scams, phishing techniques that are risk-based access to internal applications flooding the market and threatening the security that are accessed remotely. of IT infrastructure. They should be trained

18 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 19 FOCUS ON DIGITAL FORENSICS

Encrypted communication tools About the Author

When working remotely, employees must Narendra Sahoo (PCI use encrypted commination tools to prevent QSA, PCI QPA, CISSP, CISA, any security issues. Communication tools and CRISC) is the Founder include emails, video conferencing, and data and Director of VISTA InfoSec, a global transfer that may involve the use of sensitive Information Security Consulting firm, data. So, using encrypted tools for remote based in the U.S., Singapore & India. working can prevent data security issues. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with Conclusion expertise in Information Risk Consulting, Assessment, and Compliance services. In the prevailing pandemic situation, remote VISTA InfoSec specializes in Information working will now be the new norm for most Security audit, consulting, and certification organizations around the globe. With that services which include GDPR Compliance said, the cybersecurity program should be and Audit, HIPAA, CCPA, NESA, MAS-TRM, made the top focus point for all businesses. PCI DSS Compliance & Audit, PCI PIN, While cyber forensic investigation can still SOC2, PDPA, PDPB to name a few. The be a huge challenge, establishing strong company has for years (since 2004) worked cybersecurity measures should be the with organizations across the globe to top priority. Taking necessary preventive address the Regulatory and Information measures is essential for businesses to Security challenges in their industry. prevent any incidents of the breach. VISTA InfoSec has been instrumental in helping top multinational companies Although tackling the implications of remote achieve compliance and secure their IT working on cybersecurity can be complicated infrastructure. and will require legislative intervention, yet on the business level, it can be dealt with, by implementing necessary security measures. Businesses must consider allocating resources to IT Infrastructure and cybersecurity for improved cybersecurity, better-integrated, and well-encrypted communications, automation, and enhanced IT management. This is for building a stringent cybersecurity defense mechanism. Disclaimer Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.

20 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 21 FOCUS ON DIGITAL FORENSICS

How Digital Forensics Complements Cybersecurity

Anis Pankhania CISO Cloud Infrastructure Services, Capgemini India

nalyzing pieces of evidence found in a digital device is a laborious task. The challenges of which are Afurther augmented by the ever-changing methods and technologies adopted by threat actors. Cyber forensics applies scientific methods to analyze and recreate the sequence of events that occurred either during the security breach in a corporate firm or during a criminal investigation for the law and enforcement body. This process of procuring artifacts, analyzing, documenting, and reporting is accompanied by many challenges and aided by useful tools and technology that this article aims to describe in brief.

22 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 23 FOCUS ON DIGITAL FORENSICS

Trends in Cybercrime to the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), As stated earlier, the ever-changing threat there is very little probability of getting landscape and the development technology back the encrypted data. being used maliciously pose a variety of • Botnets: Botnets are compromised challenges for the digital forensic investigator. systems that are controlled by the Organizations are under constant threat threat actors through a remote network of attack as there is no shortage of factors of command and control without the that induce disruption, which range from knowledge of their owners/users. substantial information breaches to malware Botnets are generally used to conduct a and botnet assaults. Some of the current DDoS attack, cryptojacking, click fraud, trends in cyberattacks could be listed as: phishing, spam, and multiple other malicious operations. The threat actor • Malware: The spreading of malware could issue the command for the attack today has turned into a sort of to the bots at any moment through the continuous campaign, with the majority command-and-control network. A high- of recent incidents involving the use level of internet privacy and security of ransomware or some other form of knowledge is required on the part of malware. Spyware and ransomware are the network administrator and forensic the most dangerous malware that poses a analyst to identify and stop the botnet serious threat to information security, as attack. they tend to encrypt or exfiltrate sensitive • Cryptojacking: This is the advanced information. To make matters worse, this application of the botnet network, where malware is increasingly equipped with the bots are installed with crypto mining sophisticated anti-forensic techniques programs to mine cryptocurrency. This that tend to increase the amount of time cryptojacking malware is designed to required for the investigators to retrieve hijack the processor of the device to any artifact or evidence. Encryption of run crypto-mining programs effectively, data itself is an anti-forensic technique which will, in turn, overheat the power wherein if the threat actor gains a greater source, hence, damaging the device. privilege, then not only the sensitive Though crypto mining is not illegal, it is information (which is to be held for a legitimate method used by blockchain ransom) but also their digital footprints experts to mine and generate digital could be encrypted, never to be decrypted currency, but this process requires high again. Ransomware typically targets and fast performance on the part of the all types of file extensions without any systems, which is generally expensive. barriers, as such files that are of some Where legitimate miners use their importance to the victim. Even if the high-end systems and tools, malicious targeted organization pays the ransom, attackers use their botnet network to which by the way is now illegal, according mine digital currency.

24 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 25 FOCUS ON DIGITAL FORENSICS

Importance of Cyber Forensics recovers information using complex tools and techniques in business data breaches Though it may seem that cyber forensics exists or a civilian data breach. The recovered data due to the existence and implementation could either be used as evidence in a court of cybersecurity programs, and a failed of law or to help the victim restore business information security framework feeds the continuity. This aspect of cyber forensics digital forensics operations. But in reality, extends into the disaster recovery model of both are co-dependent and go hand-in-hand. the information security framework, where Digital forensics provides the information the plan involving a step-by-step strategic that feeds the developments in cybersecurity. approach is designed and implemented to The cumulative information about the state recover disrupted networks in case of both of security is obtained through numerous cyberattack or natural disaster. cases investigated through cyber forensics. Understanding this delicate balance between Digital Forensic Tools the two will help cybersecurity professionals to create a better security architecture. To state There exist several tools to aid the cyber this plainly, the two main uses of implementing forensic process, which are available in both cyber forensics are: open source and commercial modes. The wide scope of digital forensic investigation requires • Preventing attacks: Digital forensics a combination of different tools and suites analyzes the crime scene in the digital working together to find evidence and recover landscape and obtains information upon data. Some of the major tools and suites are which the cybersecurity industry could listed below as follows: build better security solutions to patch the vulnerabilities and prevent malicious • Autopsy: The most widely known tool hackers from accessing the information on for forensic investigation is a GUI-based a network, website, or device. Threat actors tool that analyzes hard drives and mobile are skilled at identifying and exploiting devices. Its prime feature involves timeline vulnerabilities of a system or application. analysis, hash filtering, keyword search, web Hence, digital forensics is important to study artifacts extraction (history, bookmarks, in detail the tactics used by the attacker and and cookies), data carving (PhotoRec), provide information to security personnel multimedia extractors, and IoC collection to develop countermeasures. (Indicators of Compromise - STIX). • Data recovery: The main aim of any cyber • CAINE: The Computer-Aided Investigative forensic investigation is recovering the Environment (CAINE) is a user-friendly deleted or damaged information. This is interface that has an optimized environment generally how digital forensics is understood to conduct a forensic analysis, which also in corporate and IT sectors. Digital forensics includes a semi-automatic report generator.

26 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 27 FOCUS ON DIGITAL FORENSICS

• Encrypted Disk Detector: MAGNET’s purposes. The multimedia-rich content Encrypted Disk Detector is a command- today has further augmented the issue About the Author line tool that can search for encrypted related to the explosion in the volume of data on the physical drives of a system. data and its storage. I began teaching and • Magnet RAM Capture: As the name • Data complexity: Today, data is found fulfillment from suggests, it is used to capture volatile no longer confined to a single host, data on the physical memory, allowing especially in the IoT network where the educating others in the field forensic investigators to recover data is scattered across different physical of Information Security. I also am important information. It captures and or virtual nodes. The location itself may passionate about the implementation of exports the memory information in Raw or may not be under the control of the student success, integrity, and academic (.DMP/.RAW/.BIN) format and works with jurisdiction of the group conducting the excellence. Driven by a quest for unique other Magnet AXIOM and Magnet IEF investigation. This issue is highlighted in accomplishments, although cautious tools to analyze it. cloud computing, where the task of data and calculating and with the ability to • The Sleuth Kit: It is a GUI-based suite that procurement is ladled with issues. has a collection of different command- • Development of standards: The think and act quickly when the situation line tools used to find data in the disk advances in technologies have compelled requires. As one who welcomes change, and recovers files. It also allows the the research community to agree upon I tend not to leave things in the same incorporation of additional modules for standards for file formats, schema, and manner they began. With a proven and the analysis of data and the building of ontologies. The investigation for crimes robust background in leadership and the automated systems. conducted using cutting-edge technology ability to operate at a fast and decisive requires collaboratively processing Challenges information. pace, I focus on productivity and results, • Privacy issues: The forensic all the while welcoming new challenges The growth and development in technology investigations related to online social and new opportunities. I have five years of have greatly affected the storage, transport, networks and media sites pose many experience in the education field and 19 and processing of data in the digital challenges related to privacy, as many years of experience in the security field. landscape. Emerging technologies such as people share personal aspects of their I hold a Master of Science in Information cloud and IoT have opened up a new front lives on such platforms. where the state of information security needs • Anti-forensics techniques: Hackers Security from the University of Phoenix. to be defended. Some of the corresponding today are increasingly using defensive challenges of these technologies onto the measures such as encryption, cyber forensic domain cloud could be listed obfuscation, and cloaking techniques, to as: hide their digital footprints.

• Data volume: The colossal amount of Best Practices data stored and processed by today’s information technology platforms has To overcome the existing security challenges created issues related to acquiring, and recover evidence/data effectively, some storing, and processing data for forensic digital forensics good practices need to be

28 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 29 FOCUS ON DIGITAL FORENSICS

followed whi`le conducting the investigation. Conclusion Some of these are: The state of cyber forensics in today’s • Establish a proper plan and guideline in digital landscape is continuously evolving preparation for incident response and due to developing technologies and their forensic practices. implementation into cybercrime by threat • Secure the compromised/affected device actors. Malware is being developed to along with its peripherals and removable increase exploitation while covering the media as part of incident response and attackers’ digital footprint to much possible forensic investigation. extent. Hence, the forensic must look at • Prepare for device and data quarantined these issues and develop its assets, scope, for forensics while simultaneously and policies to overcome these challenges. ensuring that business continuity is not Organizations should develop and train their affected. resources in the forensic domain and have • Have a thorough understanding of the this as a separate vertical. device and data types involved in the investigation. • Duplicate the data through memory About the Author drive cloning according to the norms and compliance. Anis Pankhania is a • Use forensic approved storage drives to technology leader, with avoid cross-contamination of evidence. thorough understanding of • Follow the established guidelines for adapting technology expertise to ethically identifying, collecting, analyzing, “business vision.” He is an award-winning and reporting the data. information security leader with 23 years • Document every activity related to of experience in leading the complete seizure, examination, storage, and information security, infrastructure management, digitalization, application transfer of digital evidence. development and management, program/ • Follow the guidelines for ethically project management, IT network and persevering the data for legal data center operations, telecom circle/ requirements. corporate/business operations, etc. • The digital forensic investigator must act Majority of his tenure has been spent with ethically and must conduct an accurate, large telecom and IT companies in India unbiased, and independent analysis (Bharti Airtel, Aircel, IBM and Vodafone). of the artifacts irrespective of their Pankhania established IT divisions from affiliation. scratch, involving design of strategy & Disclaimer execution roadmap, objectives, operating Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of procedures, multi-site facilities, end-user CISO MAG and CISO MAG does not assume any responsibility or liability for the same. workspace for 30k+ end users.

30 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 31 FOCUS ON DIGITAL FORENSICS

Challenges and Applications of Digital Forensics

Priyanka S. Joshi CISO - Risk and Control Specialist & Technical Advisory UBS

rimes committed within the electronic or digital domains, particularly within cyberspace, have become general. They Cuse technology as a footprint, commit offenses, and create new blueprints for law enforcement, attorneys and security professionals, and the legal departments. Digital Forensics has become an essential instrument in identifying and solving computer- based and assisted crime.

The digital age has undoubtedly revolutionized the life and work of many. On the flip side, the alarming rise in cybercrimes has become a major concern for cyber specialists as the continuous changes in the digital world attract more cybercrime. And experts use Digital Forensics to check this crime. Digital Forensics is the procedure of investigating computer crimes in the cyber world. The forensics process involves collecting, preserving, analyzing, and presenting the evidence from digital sources. Digital forensics experts have devised scientifically proven methods for identifying, collecting, preserving, validating, analyzing, interpreting, and presenting digital evidence derived from digital sources to facilitate the reconstruction of events that led to a breach.

32 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 33 FOCUS ON DIGITAL FORENSICS

Let’s discuss the major challenges of the In most cases, the cyber police force lacks and availability of e-documents are easily vulnerability, a major activity to prevent. digital world: the necessary information that qualifies, manipulated. In this, the WAN and the 3. Crime Analysis - The investigation agents and the ability to identify the possible internet support a vast hand, which can reconstruct the fragments of the data source of evidence is unavailable. Often, share the data beyond physical boundaries, (searched by investigation) and draw a the electronic evidence challenges the court and creates the difficulty of understanding conclusion based on the evidence found. due to its integrity, where the absence of the origin of the data. 4. Preservation of Crime - Protecting the Technical Challenges proper guidelines and the non-availability of crime scene and the digital evidence appropriate explanations of the details and Application in Digital Forensics or setup from further manipulation Legal Challenges acquisition gets dismissed. and photographing and videographing The diversity of digital media and devices the crime scene, for future reference. Other common challenges are: coupled with social media has led to the Also, this process involves stopping any Resource Challenges • Privacy issues emergence of various branches of digital ongoing command that may be linked to • Admissibility in the courts forensics such as Mobile Forensics, Network the crime. • The preservation of electronic digital Forensics, Database Forensics, and Email 5. Identification - This process involves evidence Forensics. identifying the digital media and devices Technical Challenges: Encryption, data • Analyzing a running computer that can serve as potential evidence. hiding in the storage space, covert The major applications of digital forensics 6. Extraction - This process involves the channel are the major technical challenges Resource Challenges: Change in are: imaging of the digital evidence, (to today. Digital forensics experts use forensic technology, volume and replication can maintain the authenticity of the original tools for collecting shreds of evidence against be found in the resources area (Indian 1. Crime Detection - Phishing, spoofing, evidence), for further analysis. criminals. And criminals themselves use such Evidence Act 1872). Due to rapid changes and ransomware are the major examples. 7. Documentation - This involves tools for hiding, altering, or removing the in the technology, operating system, and Also, various malware and malicious maintaining the chain of custody and traces of their crime; this process is known application software and hardware, reading activities that happen over digital media. documenting all the evidence collected as anti-forensic techniques. Another digital evidence from an older version 2. Crime Prevention - Crimes that happen from the crime scene. common challenge is operating in the to support a newer version is a growing due to the lack of security or existing 8. Interpretation - The digital forensic cloud, time to archive the data, skill gap, challenge. The confidentiality, integrity, unknown vulnerabilities such as zero-day expert prepares a report about the and steganography. analysis conducted on the digital evidence, using various tools such as FTK Legal Challenges: There is an absence of (for imaging and mounting of evidence), guidelines and standards, and limitations Sleuth Kit and Autopsy (analyses disk of the Indian Evidence Act 1872. For images and recover files from them), instance, consider the case of dealing with and presenting it in the court of law. the admissibility of an intercepted telephone The conclusion is based on the evidence call in a CDR (call data record). This was collected and reconstructing data done without a certificate under Section fragments. 65B of the Indian Evidence Act, 1872. The court observed that the secondary electronic evidence without a certificate under Section References 65B of the Indian Evidence Act, 1872 is not 1. Casey Eoghan. Handbook of Digital Forensics and Investigation. London. Elseveir Inc. 2010 admissible and cannot be investigated by the 2. Solomon G Michael, Rudolph K, Tittel Ed, Broom Neil, Barrett court for any purpose whatsoever. Daine. Computer Forensics Jumpstart. Canada. Wiley Publishing Inc. 2011.

34 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 35 FOCUS ON DIGITAL FORENSICS

Importance in Today’s Context • File Signature Verification: Compares that helps in a thorough examination of Latest Trends and Developments header and footer information of the data retrieved and gathered. and Legal Aspects and Legalities In the physical world, one tends to leave traces suspicious files with known files. • Copy: Evidence should always be copied of oneself, such as fingerprints, clothes, hair • Network Device Investigation: or captured according to local procedures. The modern world is driven by social strands, and DNA. Likewise, when we move Generally, involves network logs. The • Seizing evidence has limitations. networks. The evolution in digital technologies into the digital world, we move and interact probe includes routers, switches, and Hence, it is crucial to investigate with an has further evolved cybercrimes that with people, places, and objects – and we firewalls to investigate suspicious DNS officer who can provide the necessary significantly contributed to the development leave digital traces, echoes of the activities requests, connections to the unknown IPs equipment and prevent tampering of of new techniques, tools, and attacks that we perform online. These virtual or digital or unexpected spikes in network activity. evidence. A needle in a haystack can enable attackers to penetrate even in a traces include file fragments, activity logs, • Recovering Hidden Files: Decryption, easily be found when you know which well-controlled environment. With that timestamps, and metadata. Cryptanalysis and drive-in image analysis needle it is, and how it got lost in there. said, security experts, academics, and law to actively look for hidden data and files. enforcement agencies use digital forensics These shreds of digital evidence can help to tackle the increasing number of cyber establish the document’s origins or pieces Best Practices in Digital Forensics anomalies. of the software for legal purposes. This helps determine the activities of the parties These are fundamental practices used for involved in the criminal activities --- or even a working on crime investigations. resource for the criminals to plot or re-plot • Review your notes. Always review notes the information or to identify the data of for relevant information as this can ease their victims. the investigation. • Funnelling down information will help Robert Brown posted a quote on LinkedIn narrow leads to answers. The first that says: “For the cybersecurity team whose step of the investigation might have led role it is to protect the organization, or the the investigator to several IP addresses. investigators who are trying to establish Once an investigator finds a keyword that how the business was breached, these bits suspects a crime, for instance, a keyword of evidence are crucial. They will show how such as “child pornography,” the number an incident happened, who was responsible, of suspects owning the IP addresses can how to respond to it, and most importantly, be narrowed down. how to stop it happening again in the future.” • Eliminate or solidify evidence. Always look at the information you gathered Techniques for Investigating Under from a different perspective. Digital Forensics • Watch your time. The investigator needs • Preserving the evidence: This is done to avoid distracting information. They using common software tools that include need to consider the time wasted when Encase, Forensic Toolkit (FTK), SIFT, etc. they focus on the irrelevant. • Web Activity Reconstruction: Generally, • Always analyze: An investigator’s report becomes useless without proper analysis. the aim is to restore browsing history, Source: Market Intelligence temporary internet files, and accepted A computer forensic investigator is cookies. provided with high-technology software References Digital Forensics Market - Growth, Trends, COVID-19 Impact, and Forecasts (2021 - 2026) (mordorintelligence.com)

36 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 37 FOCUS ON DIGITAL FORENSICS

The digital forensics market was valued at fraudulent activities. Europe is witnessing Digital Forensic Market $4,490 million in 2020 and it is expected to an increase in cybersecurity measures reach $8,210.5 million by 2026, registering a with the outbreak of COVID-19. CAGR of 10.97% during the forecast period • Vendors in the market are also announcing of 2021-26. solutions for controlling the COVID-19 pandemic. For instance, in 2019, MSAB (a Most forensics is related to desktops, laptops, global leader in forensic technology for and associated media, including hard drives, mobile device investigations), announced removable media (USB external storage), and that its technology could be used to optical media. Form factors such as mobile assist first responders, law enforcement and other handheld devices are becoming officials, public health officials, and more detailed and popular. others involved in controlling the current coronavirus pandemic. The technology • The adoption of digital forensics is uses mobile phone data to identify where growing due to advancements in the individuals have been, whom they have traditional crime lab infrastructure, been in contact with, and their activity increasing corporate penetration to the timeline, along with other key information Internet Crime Complaint Centre (ICC) that might be needed. and Federal Bureau of Investigation (FBI). • However, factors, such as lack of In 2019, 16,503 cases of online identity specialized skills, usage of proprietary Conclusion About the theft were reported to the IC3. operating systems, and high level of Author • COVID-19 will boost the digital forensics encryption in new mobile applications, Digital forensics, sometimes known as digital forensic science, is fundamental to investigations market as it helps tackle increased may hinder the growth of the market. Priyanka Joshi is a Risk and performed in reality. Modern digital societies Control Specialist/Technical Advisory Key Market Trends are subject to cybercrime activities. There at UBS. As an infosec professional, she believes should updates for forensics tools that should knowledge and experience are pathfinders to be engineered to support the heterogenous success. Joshi also believes in maintaining the investigations, privacy data, and scalability --- to company’s legal and ethical integrity. Before preserve important data. The use of different joining UBS, Joshi was a Compliance Manager at a small firm for a health care company based tools and techniques poses new problems due in the U.S., where she was responsible for the to their differences in data storage, accessibility, HIPAA security enforcement on the business and investigative trade-offs. software and people working for it.

References: • Casey Eoghan. Handbook of Digital Forensics and Investigation. London. Elsevier Inc. 2010 • Solomon G Michael, Rudolph K, Tittel Ed, Broom Neil, Barrett Daine. Computer Forensics Jumpstart. Canada. Wiley Publishing Inc. 2011. • Digital Forensics Market - Growth, Trends, COVID-19 Impact, and Forecasts (2021 - 2026) (mordorintelligence.com)

Disclaimer Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.

38 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 39 t daybreak on May 7, an employee of Colonial Pipeline found a ransom note on a control-room computer. AThe signs were clear, a ransomware attack had just The Dark Side of the targeted one of the largest oil pipeline systems of the U.S. The engineers immediately locked the systems to contain the spread of the attack to its 260 delivery nodes across 13 states. It took them over an hour to successfully complete the Attack on Colonial shutdown procedure, eventually preventing its operational technology (OT) systems from getting infected. But, by then, the damage was done. Pipeline The scale of the attack was unprecedented, to say the least. The attack had compromised the billing system, eventually leading to a halt in pipeline operations. The company had Augustin Kurian to shut down the pipeline as a precaution due to concerns Assistant Editor that the attackers may have obtained information allowing CISO MAG them to carry out further attacks on vulnerable parts of the pipeline. Apparently, the attackers had also stolen nearly 100 gigabytes of data and threatened to release it on the internet if the ransom was not paid.

In the days that followed this incident, fuel shortages began to occur at filling stations, caused by panic buying, with states like Alabama, Georgia, Florida, North and South Carolina reporting gas shortages. In some cases, 71% of filling stations ran out of fuel. American Airlines changed flight schedules temporarily after the shortage hit Charlotte Douglas International Airport. Consequentially, several flights had fuel stops or plane changes added to their schedules for four days. Airports directly serviced by Colonial Pipeline had to look for alternatives.

Eventually, the government had to intervene, and President Joe Biden declared a state of emergency removing limits on the transport of fuels by road. Several states also waived taxes on diesel and gasoline. The situation was so dire in certain parts of the country due to panic buying that the U.S. Consumer Product Safety Commission had to issue an advisory asking people to “not fill plastic bags with gasoline” (an obvious fire hazard).

40 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 41 Colonial paid the DarkSide too

Within hours of the attack, Colonial’s team was not sure about the extent, time, and cost of getting back up and running. This led the CEO, Joseph Blount, to make a difficult decision – paying up. In an interview with the Wall Street The Risks of Paying Ransom Journal, Blount acknowledged that he authorized the ransom payment of 75 Bitcoins, which approximately accounts for $4.4 million. Charles Brook Threat Intelligence Specialist “I know that’s a highly controversial decision. Tessian I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this. But it was the right thing to do Paying the ransom is sometimes an However, some ransomwares may for the country,” Blount said. option but it is high risk. You should go for a “double dip” which means always work with a security consultant that once you pay the initial ransom Whether paying the ransom was the right thing to advise on the whole process and demand, they will continue to to do or not, as Blount said, it was indeed highly handle the negotiations - ideally have withhold the decryption key and ask controversial. one on retainer - and you should for more money. Sometimes, you may inform law enforcement. never receive a decryption key and Colonial engaged cybersecurity firms and attackers will just continue to ratchet third-party security experts to investigate the For most ransomware, it is in up the price to see how much they incident and informed law enforcement and the the attacker’s interest to provide can get from you. Department of Energy about the attack. In the decryption keys upon receiving early stages of the investigation, several industry payment. This means they maintain a Other ransomware only exists to experts opined that ransomware group DarkSide good reputation, which can promote disrupt or destroy. NotPetya is was likely behind the cyberattack. DarkSide further payouts by other victims and considered to have been a wiper ransomware group is known for encrypting lead to increased financial gain for the disguised as ransomware. Even when systems with ransomware and extorting victims attacker. payment was made the attackers did to pay the ransom. not provide decryption keys.

In the ensuing days, DarkSide released a statement stating that its “goal is to make money, and not creating problems for society.”

This was probably the second biggest ransomware attack only after Wannacry that had such a massive scale of real-world consequences.

42 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 43 The biggest implication of the demand, and civilian panic (well-founded just electricity. We have already seen the cyber attack or not). And because the global supply announcement of the President’s new chain is starting to wear thin (like too little executive order. My belief is this is just “The largest implication would be its butter on too much toast), events like this the beginning of what will be a significant impact on national security. Unfortunately, Ron Brash demonstrate the fragility of the system shift in private sector requirements today, but also demonstrate a massive and for those industries considered ‘critical our aging infrastructure is extremely Director of overdue investment opportunity. In the infrastructure’. If this turns out as we vulnerable to attacks like this, making it an Cyber Security past, such large investment projects have expect, this will have a massive impact on easy and lucrative target. Just because we Insights also brought about prosperity as they did the investment and focus on private sector only hear about these types of incidents Verve Industrial on our critical infrastructure once in a during the 1960s/1970s and this should be cybersecurity.” while, doesn’t mean that more advanced looked at similarly.” attackers from nation-states are unable Incidents such as this one have a to get in. It’s highly probable that they’re Another implication will likely be the drastic effect on the economics already present, which should be even increased focus of the U.S. government of society, futures trading, more concerning. Organizations in charge on private sector cybersecurity. According supply and demand, and civilian of critical infrastructure should be required to John Livingston, CEO, Verve Industrial, panic (well-founded or not). And to adhere to specific cybersecurity “Regulation is almost always the result of because the global supply chain standards, or even be required to obtain a major event. NERC CIP was in large part is starting to wear thin (like too certain compliance certifications, which get due to the Northeast blackout of 2003. To little butter on too much toast), audited yearly. We should be past the point date, TSA has been the regulator of pipeline events like this demonstrate the of recommending best practices to critical security and its focus has primarily been fragility of the system today, infrastructure given the increasing number on physical attacks. The biggest impact but also demonstrate a massive of sophisticated actors and the impact of Colonial will almost certainly be a shift and overdue investment these attacks can have,” said Tim Bandos, to a more robust compliance regime for opportunity. CISO and VP of Managed Security Services the whole energy value chain…beyond at Digital Guardian. such an important piece of infrastructure Several incidents also highlighted how seemingly had large failings that an ransomware gangs were indiscriminately opportunistic actor took advantage of. Tim Bandos targeting critical infrastructure. Many a Whether DarkSide is apolitical or not, their CISO and VP of Managed Security Services times, these infrastructures supported claim is moot because Colonial was the Digital Guardian important economic activities which may third critical infrastructure organization not be limited to the business itself. Ron they compromised. It’s all about the The largest implication would be its impact on national security. Unfortunately, Brash, Director of Cyber Security Insights, money/revenue generation from ransom, our aging infrastructure is extremely vulnerable to attacks like this, making it Verve Industrial, pointed out, “Many and that needs to be changed.” an easy and lucrative target. Just because we only hear about these types of organizations – even society – are generally incidents on our critical infrastructure once in a while, doesn’t mean that more unable to consider consequences that He continued, “Incidents such as this one advanced attackers from nation-states are unable to get in. It’s highly probable are beyond their own boundaries or at have a drastic effect on the economics that they’re already present, which should be even more concerning. scale, and this incident demonstrates that of society, futures trading, supply and

44 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 45 How did the government • The CISA Cyber Exercise Act (H.R. 3223) respond? establishes a National Cyber Exercise program within CISA to promote

In the wake of the attack, the U.S. House more regular testing and systemic Committee on Homeland Security passed assessments of preparedness and seven bipartisan security bills to bolster resilience to cyberattacks against critical defense capabilities, enhance pipeline infrastructure. The bill was introduced security, and defend supply-chain attacks by Congresswoman Elissa Slotkin. targeting U.S. organizations and critical • The DHS Blue Campaign Enhancement infrastructure. Act (H.R. 2795) strengthens the DHS Blue Campaign and enhances the availability

The Bills include: of human trafficking prevention training • The Pipeline Security Act (H.R. 3243), opportunities and the development of introduced by Congressman Emanuel such training and materials. The bill Cleaver, will enhance the ability of TSA — was introduced by Congressman Peter the principal Federal entity responsible Meijer. for pipeline security — to guard pipeline • The DHS Medical Countermeasures systems against cyberattacks, terrorist Act (H.R. 3263), introduced by attacks, and other threats. Congresswoman Mariannette • The State and Local Cybersecurity Miller-Meeks, establishes a medical Improvement Act (H.R. 3138), countermeasures program to support introduced by Congresswoman Yvette DHS mission continuity and facilitate D. Clarke, seeks to authorize a new the readiness and resilience in the event $500 million grant program to provide of a chemical, biological, radiological, State and local, Tribal, and Territorial nuclear, or explosives attack, naturally governments with dedicated funding to occurring disease outbreak, or secure their networks from ransomware pandemic. and other cyberattacks. • The Domains Critical to Homeland • The Cybersecurity Vulnerability Security Act (H.R. 3264), introduced Remediation Act (H.R. 2980), introduced by Ranking Member John Katko, by Congresswoman Sheila Jackson Lee, authorizes DHS to conduct research and will authorize CISA to assist critical development into supply chain risks for infrastructure owners and operators critical domains of the U.S. economy with mitigation strategies against the and transmit the results to Congress. most critical, known vulnerabilities.

46 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 47 The attack had also prompted the Biden discuss their unique technology needs. administration for an Executive Order (EO) In-house legal teams often handle some specifically aimed at improving the current of their company’s most sensitive and state of the nation’s cybersecurity. The EO confidential data, and law firms face an stated: even more daunting security challenge, having to manage the highly confidential • The IT service providers are now and privileged data of all their clients. mandatorily required to notify the In the last year alone, 29% of law firms government about cybersecurity reported a security breach, and we saw breaches that could impact U.S. federal this play out most recently when hackers and public networks. The EO states compromised the servers of a high- that any contractual barriers that profile law firm and leaked gigabytes of might stop providers from threat intel highly sensitive data. We’re going to keep sharing can now be bypassed as it is in seeing this play out until this gap between the best interest of the nation. formed which can give expert advice been a forcing function for security teams security and legal teams is bridged. We see • A standardized playbook and set and analyze the situation making embracing new workflows and partnering a great opportunity for both in-house legal of definitions that will help federal recommendations post a cyberattack more seamlessly with all teams within an teams and law firms to invest in domain- agencies to give a prompt response to or breach incident. organization. Corporate legal departments specific tools that offer much higher levels future cyber incidents. • The EO creates cybersecurity event log have an exciting opportunity to seize the of security and compliance than what they • Recommendation to the federal requirements for federal departments moment and partner with their CIO to might be using today.” government to upgrade their and agencies. Robust and consistent operations to secure cloud services logging practices solve latency issues and other cyber infrastructure. Apart of investigation and remediation from this, a mandatory deployment measures. of multifactor authentication and • An intra-governmental robust encryption for all data accessed, stored, information sharing will be established and communicated, is necessary. to provide Government-wide Endpoint AJ Shankar • Software service providers rendering Detection and Response (EDR) CEO deployment. services to the Federal Government Everlaw agencies are now required to improve the security of the software sold to Cybersecurity and legal teams have the government, which also includes historically been operating in silos but President Biden’s recent cybersecurity executive order has been a forcing its developers sharing certain security this needs to change. AJ Shankar, CEO of function for security teams embracing new workflows and partnering more data publicly. The EO also recommends Everlaw, spoke about how to go about seamlessly with all teams within an organization. Corporate legal departments employing a zero-trust model and eliminating these silos --– and the pitfalls have an exciting opportunity to seize the moment and partner with their CIO to security in all software modules in a that will continue if the departments discuss their unique technology needs. In-house legal teams often handle some ground-up manner. remain separate. of their company’s most sensitive and confidential data, and law firms face an • A new “Cybersecurity Safety Review even more daunting security challenge, having to manage the highly confidential Board” comprising public- and He said, “President Biden’s recent and privileged data of all their clients. private-sector officials will soon be cybersecurity executive order has

48 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 49 How much of the serve as a reminder to companies in responsibilities fall on all industries, but especially those in more “physical” industries such as Colonial Pipeline? supply chain, logistics, and shipping, that they are not immune from In short, quite a lot, even after negating cybersecurity incidents and should the entire fact that the company went incorporate those threats into their ahead and paid the ransom to the risk assessments,” said Tony Pelli, attackers, which is “illegal” according Security and Resilience Practice to an advisory by the U.S. Department Director at BSI. of the Treasury’s Office of Foreign Assets Control (OFAC). Concurring with Pelli, Bandos said, “Typically, ransomware attacks are “The hack of the Colonial Pipeline successful because organizations – which provides about 2.5 million neglect to implement even the most of the 8 million barrels of oil used basic security measures and are not in the U.S. each day – shows the being properly prepared. The types importance of preparation and proper of questions that need to be posed to risk assessment in avoiding and Colonial Pipeline are, ‘How prepared mitigating supply chain disruptions were they for an attack like this?’ and and how cybersecurity incidents can ‘What types of security gaps were taken have serious real-world impacts. As advantage of here that facilitated the far back as February 2020 (following success of this attack?’ If we learn that another pipeline-related cybersecurity Colonial Pipeline had major issues incident), the Department of with their security program, then there Homeland Security indicated that Tony Pelli should be a level of accountability owners of critical infrastructure should Security and Resilience Practice Director placed on them for being at least take specific measures to reduce BSI partially responsible. Ransomware or lessen the risk of ransomware attackers typically seek out targets attacks. The agency highlighted a As far back as February 2020 (following another pipeline-related cybersecurity with ‘low hanging fruit’ vulnerabilities. lack of cybersecurity knowledge and incident), the Department of Homeland Security indicated that owners of critical Identifying and removing these types the inordinate amount of attention infrastructure should take specific measures to reduce or lessen the risk of of vulnerabilities is imperative in paid to physical emergency and ransomware attacks. The agency highlighted a lack of cybersecurity knowledge addition to implementing appropriate incident scenarios in preparation and the inordinate amount of attention paid to physical emergency and incident security measures.” scenarios in preparation and planning. and planning. This incident should

50 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 51 John Livingston CEO Verve Industrial

Your absolute priority is to know your plan if you are hacked. What is the response plan if you see devices being ransomed? What can you stop? How do you reduce the spread? Secondly, practice the basics of cybersecurity. You want to make it harder to attack you than it is to attack your neighbor.

What should be learnt from of wins tomorrow, and lowered TCO while the attack? remaining efficient. “Critical infrastructure or industry is not off limits to ransomware. It’s opportunistic, so be ready, be prepared, Organizations should realize that nobody and be tested to recover at scale. It should is immune to these types of cyberattacks. be a part of every organization’s practiced Bandos added, “Simply hoping that it won’t end-to-end training curriculum!” said Ron happen to you puts your organization at Brash. risk of becoming the next victim on a news headline with significant business impact To conclude, “Your absolute first priority to match. All organizations in the critical is to know your plan if you are hacked,” infrastructure sector need to be prepared said John Livingston. According to him, and have a formal incident response it must begin from understanding, the process in place as well to ensure decisions response plan and your methods to stop, are being made quickly to recover as fast as and reduce the spread of an attack. He possible. This attack merely highlighted that continued, “Secondly, practice the basics of services like heat, light, and transportation cyber security. You want to make it harder can be threatened and stopped in an to attack you than it is to attack your instant by a small team of hackers halfway neighbor. So, “lock the doors,” and “put around the world.” up outside lights”. The cyber equivalent About the

is to patch your critical devices, ensure Cyber basics go a long way, and Author network protection devices like firewalls organizations need to invest in correcting and switches are properly configured to decades of security rot and build the segment critical assets, ensure no dormant Augustin Kurian the foundations of successful backbones to or inappropriate accounts or users on the their business for tomorrow. If you “do Assistant Editor of CISO MAG. He writes system.” security right,” generally, you can get a lot interviews and features.

With inputs from Rudra Srinivas and Mihir Bhagwe

52 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 53 “Public GitHub is often a blind spot in the security team’s perimeter”

itHub and the community surrounding it have changed the way the world uses and builds open source components and software. At present, there Gare more than 50 million developers using GitHub; 60 million repositories are created in a single year, with over two billion contributions. With such a vast resource of data publicly available, there is also an abundance of sensitive data that is unknowingly or accidentally pushed to the platform, namely secrets like API keys, credentials, and other digital authentication strings. These secrets can be used by attackers to gain access to infrastructure, systems, and PII.

It will still be a mammoth task to quantify the problem that arises due to the public GitHub. To evaluate that, Augustin Kurian, Assistant Editor of CISO MAG, has interviewed Jérémy Thomas, Co-founder and CEO of GitGuardian. Thomas is an engineer and an entrepreneur. A graduate from Ecole Centrale in Paris, he first worked in Finance and then began his entrepreneurial journey by first founding Quantiops, a consulting company specializing in the analysis of large amounts of data, then GitGuardian in 2017.

In this interview, Thomas talks about the exposure of secrets within public repositories on GitHub and how this threat is evolving year on year. He also talks about the responsibilities of CISOs to ensure their developers do not accidentally leak secrets, Intellectual Property, or PII, and the best practices that need to be established.

Jérémy Thomas Co-founder and CEO GitGuardian

54 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 55 UNDER THE SPOTLIGHT

Recently, an unknown actor compromised the official PHP Git repository and pushed backdoored code under the guise of a minor edit. And these are a common affair. With organizations oftentimes On one side, taking most of their codes from Git organizations don’t repositories, don’t you think this is a major cybersecurity issue? have to reinvent the

Indeed, leveraging open source wheel and can reduce dependencies comes with both risks and their time-to-market opportunities for organizations. On one side, organizations don’t have to reinvent by easily importing the wheel and can reduce their time-to- market by easily importing external open external open source source software in their codebase, in the software in their form of dependencies. If carefully chosen (not all open source codes are equal), codebase, in the form these dependencies are battle-tested at unprecedented scales, scales that only the of dependencies. open source can allow. There are 50 million developers on GitHub. These developers If carefully chosen collaborate publicly, write code, test code, (not all open source solve bugs, and deploy code in various environments. The more a code snippet codes are equal), is deployed in as many environments as possible, the more it is tested, the more these dependencies eyeballs are on it, the safer it is. However, it are battle-tested at happens that certain dependencies contain vulnerabilities (just like every software unprecedented scales, does). In such cases, the huge scale of the open source can become a downside, scales that only the because the vulnerable code is instantly open source can allow. deployed in so many environments. Hence the need for Software Composition Analysis tools to have visibility about components imported in the codebase, their version and vulnerability status, so that they can be patched quickly when a vulnerability is discovered.

56 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 57 PHP is thought to underpin almost 80% example, GitGuardian Internal Monitoring application programming interface public GitHub is often a blind spot in of websites. This includes all WordPress solution scans for sensitive data within (API) keys, private keys, certificates, their security perimeter. It is difficult for sites, which are built on PHP. With internal Version Control Systems and alerts usernames, and passwords – discovered organizations to identify developers’ public malicious actors pushing backdoors for users in real-time if any are discovered. This on a public repository. What measures activity on personal repositories without remote code execution (RCE) like the means that even if an attacker gains access must CISOs take to ensure that the data a proper solution. Our report indicates earlier incident mentioned, do you think to these internal systems via a backdoor of their organization must not be among that many corporate credentials are found these can result in a much larger-scale or any other method we can prevent them these secrets? on developers’ personal repositories, attack surface? How does GitGuardian from using secrets to move laterally into where CISOs have no visibility and no come into this picture? different systems. CISOs are starting to realize that even if authority to enforce any kind of preventive their company has limited official activities security measures. On top of this, most Backdoors are a particularly major According to a GitGuardian study, there on public GitHub, their developers most organizations underestimate the number cybersecurity issue especially if they has been a 20% year-on-year increase certainly use the platform regularly. of secrets that are exposed within their remain undetected for extended periods. in the number of secrets – such as The difficulty for security teams is that internal repositories. And this, even if they This is only compounded when these deployed secrets management solutions. As backdoors are added to technology which, code is a very leaky asset, widely accessible as you say, underpins many websites within the organization, it is critical that and web applications. Another example CISOs secure their Software Development backdoor recently discovered was for Lifecycle by implementing efficient secrets CodeCov’s continuous integration (CI) tool. detection. This backdoor was undetected for months and allowed the attackers to steal sensitive Sixty million repositories were information from users’ CI environments. created last year, representing a 35% increase over the previous year. On Many think of security as building a wall the flipside, cybercriminals are now around your assets and infrastructure, the actively scanning repositories looking core idea being to keep intruders out. While for secrets that would enable them to this wall is important, there are multiple compromise applications. What tips ways an attacker can penetrate past this should developers keep in mind while wall, a backdoor as we just discussed is pushing code to GitHub? one example. It may be a backdoor in your application, in the underpinning technology The best practices for developers include: of your application such as the PHP example or as part of your application environment 1. They should scan their code to verify as was the case with the CodeCov example. there are no secrets in their Git history. This means we need a shift in how we Git is an iceberg-like environment approach security that considers what and the current version, the tip of the happens when the walls are breached. iceberg, is not the only part of the code Solutions can help ensure sensitive that should not contain secrets. It is information is not exposed to attackers important to remember that this is not even in the event of an intrusion. For just the current version of the project

58 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 59 that is made public, but all changes and application. These make them a very high- About the iterations too. value target for attackers. From there they Interviewer 2. If any secret is found by the secrets were able to move laterally and breach detection solution, they must rotate more deeply, but this is a long story. their credentials and optionally remove Augustin Kurian the the secrets from Git history. Here is a You have mentioned the shift left testing Assistant Editor of CISO MAG. cheatsheet they can follow. approach. Can you give us an example? He writes interviews and features. 3. If they want to shift left their security, How does secret detection serve this they can even implement secret purpose? detection as a pre-commit hook. The earlier a vulnerability is uncovered, the Shifting left is about making security more less costly it is. This way the developer developer-centric, and giving developers can catch the secret locally and prevent security feedback where they are, when it from reaching the server. they are coding. A good example of shift left testing put into practice is the Can you give us an example of a recent implementation of automated vulnerability breach leveraging credentials? detection at each incremental change made by developers. This is exactly what I will illustrate this with a white hat attack you do when implementing an automated on the Indian Government. The white secrets detection system. The advantage hat group named Sakura Samurai did a of this early detection is dual: on the one huge breach that spans across multiple hand, you limit the cost of development as different state-owned entities. In total, a you can fix early and on the other hand, lot of information was found, including 35 you keep your developer in the loop. They separate sets of exposed credential pairs, are in context and can respond to alerts as three instances of a very sensitive file they code. Real-time is far better than days disclosure, five exposed private RSA keys, later at deployment or months later from a 13,000 PII records, dozens of sensitive penetration test report. And this is critical police reports, and forensic reports. They in terms of vulnerability exposure and cost also discovered remote code execution of remediation. on a financial server and then in the end, they hijacked an application running on that financial server. After establishing a perimeter and potential vulnerabilities, they searched for secrets to make their initial access, and they found 10 Git directories with hardcoded credentials. They were also able to find 23 exposed env files, which are environment variable files and regularly used to set up the environment of an

60 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 61 How to Know When it’s Time to Break Up with Your Tech Provider

Tim Bandos Chief Information Security Officer Digital Guardian

ven if your organization doesn’t want to address it, there comes a time when Eevery company needs to take a step back, take stock of their technology stack, and ask themselves if it’s time for a change.

It’s not your fault – let’s say your organization has grown, not just in size but in business maturity, since you first implemented your current vendor. It may be the case that the provider hasn’t had the capacity or means to scale along with you.

While not always easy to know when the time is right, there are three tell-tale signs that you’ve outgrown your provider.

62 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 63 Lack of innovation questions about the direction your vendor may be going. With an acquisition, corporate If your provider isn’t staying on top of reshuffles are commonplace. Could this the latest technology – solutions that can impact leadership, engineering, and budget add value to your business and empower at a vendor you use? Are you willing to trust employees to learn new skills and execute a company and its vision despite these their work at a high level – it may be time changes? to look elsewhere. Maybe your company has grown too comfortable with legacy In some instances, when a tech company technology. Its drawbacks may seem like is acquired, innovation is stifled, and the slight annoyances to you. Still, it could indicate acquiring company does little more than a larger problem or a missed opportunity to maintain the product. Acquisitions can also cut costs or add customer value with new result in cutbacks on support resources and alternative technology. Your vendor should failure to invest in new features that help be proactive in keeping you apprised of the ensure the security of their software. latest technology and solutions, especially if they can help your company become more That’s not to mention that old, depreciated economical and productive. technology can put your employee and customer data at risk. As more and Every organization wants to stay focused on more companies can attest these days, maintaining its competitive edge, especially experiencing a data breach can pose a risk in a market as volatile as the one today. If your to your company’s brand and have a serious vendor isn’t doing their part – investigating in effect on carrying out day-to-day business. interoperability, so your organization can get Your organization is part of a supply chain; a greater return from the sum of your tech it’s essential to ensure that every vendor you investments – it should set off a red flag. partner with is following best practices.

Does your vendor have a CISO? Do they use It’s not you, it’s me (your needs safe APIs? Are they using DevOps? Have they have changed) moved to the cloud for added speed and flexibility? If you answered “no” to any of As I hinted earlier, maybe your organization these questions, you might want to ask them has grown since you first implemented your – why not? current technology vendor, and they haven’t been able to keep up. Perhaps your business Maybe your provider was recently bought has grown so fast that your needs have and absorbed by another corporation. changed from what they once were. Whenever a company is acquired and a business changes hands, there’s a lot in flux. If your vendor isn’t keeping up by periodically With change, it’s not unusual to have some performing audits to ensure that policies and

64 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 65 procedures you have in place are effective in meeting those needs, you may have blind spots in your coverage. Your vendors’ IT Poor customer service is one of the services should be tailored to meet you. leading reasons why companies The old marketing slogan, “set it and forget entertain switching their technology it,” rarely applies to your technology stack. Staying with a vendor that isn’t constantly vendor these days evolving alongside your business could be hurting your company’s bottom line.

Perhaps your organization has elected to move away from the rigidness of the waterfall software development method and go the agile route to deliver products rapidly and to better respond to changes in your environment. If so, you know that creating a truly agile team requires a big cultural shift and reduced organizational resistance. If your vendor isn’t agile or does something to hold you back from fulfilling that cultural change, you may need one better suited to complement your needs.

Depending on your space, shifting regulatory compliance requirements can often dictate a company’s needs. Satisfying governance, risk management, and compliance (GRC) requirements demand a higher degree of attention. It’s one thing to tick checkboxes associated with regulations like HIPAA, GLBA, and SOX. All of them, in addition to state, federal, and global legislative requirements, require organizations to have the appropriate technical safeguards in place.

To keep up with evolving regulations, especially those slated to take effect soon, organizations need a higher level of

66 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 67 engagement, planning, and collaboration Having to deal with a seemingly endless line of from their vendors. Ensuring there’s visibility support tickets or a messy support workflow, across all your critical assets to identify data, where it’s challenging to get status updates, the organizational policies they’re governed could be a sign it’s time for a change, too. by, and whether it complies, is essential to navigating the risk landscape, too. Your Poor customer service is one of the leading provider should be aware of these changing reasons why companies entertain switching regulations and offer advice and guidance on their technology vendor these days. satisfying them if they’re not already. Remember: their technology is supposed to enable your business, not hold it back. If your The vendors you use are integral to your vendor is serious about their relationship company’s success – they help drive growth, with you, their customer service should revenue, and goals. If yours aren’t, it’s time to speak for itself. reevaluate those relationships. We’ve already discussed why vendors should The relationship is strained adopt new technologies to help them better respond to customer needs. Suppose your There’s a chance your vendor relationship vendor isn’t doing something to remedy has reached a stalemate or has run its negative support experiences, resolve course. Like any good partner, yours should churn, or address the lag between customer be keeping your best interests top of mind. support requests – in that case, you know firsthand how quickly the negatives outweigh Vendor lock-in, a situation when a customer the positives. becomes forcibly dependent on a vendor or product, can be a real problem for Transparency and visibility are also vital. Lack organizations. Sometimes it can get to a point of communication around known product where the costs and difficulties associated issues, bugs, product management road with switching seem almost insurmountable. maps, and scheduled maintenance dates can relationship via a customer success program with vendors. If your vendor doesn’t run If your provider is strong-arming your leave you in the dark. It often translates to is a strategic imperative. After all, how can a a customer success program and your organization and taking advantage of the downtime and lost revenue. business run smoothly if you, their customer, questions to support continue to fall on deaf high cost of switching from their product aren’t happy? ears, it can often feel like screaming into the to raise licensing continually, subscription, Vendors who proactively reach out to void. If you’re not happy with your current or support prices, it needs addressing. customers to make these issues known and Customer success programs often deliver relationship and your vendor isn’t working Becoming too dependent on a vendor and communicate other issues generally succeed value to both parties and can often be the to remediate your issues, why are you fearing the repercussions around switching at reducing churn. For some companies, reason customers renew their contracts continuing to stay in the relationship? is a textbook sign that you’re at an impasse. nurturing that company-customer

68 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 69 I’ve recently worked with several customers themselves due to a lack of resources and have existing solutions that offer additional About the who have come to us after experiencing time. We were able to fill this gap for them services, it will make managing your stack Author these three tell-tale signs with their current and provide a complete 24/7 managed a lot easier. Fewer vendors provide fewer vendors. Some were finally looking to service offering that fulfilled their needs. relationships to manage, and you’ll have a Tim Bandos was recently migrate their solution to the cloud and have higher purchasing power. announced as the Chief Information a more innovative experience. Others felt Organizations that incorporate these security like their relationship wasn’t going anywhere, stack evaluations as a part of their overall Changing, or even just beginning to think Security Officer (CISO) for Digital and their current vendor did not support the maturity program tend to have a greater about changing IT vendors, takes time. If Guardian. He has over 15 years of capabilities they needed today. It’s critical likelihood of success and ultimately reduce yours isn’t meeting your needs and some of experience to the position including to re-evaluate your security stack each year their level of risk to the company. these signs sound familiar, it may be time to his five years as VP of cybersecurity to ensure you’re receiving a return on your look for an alternative. While identifying the at Digital Guardian. Prior to joining investment and keeping up with the ever- It’s also essential to ensure that, during the right security stack that works for you and Digital Guardian, Bandos was Director evolving threat landscape. evaluation period, your team can continue your organization may require a significant of Cybersecurity for Dupont where he to support the stack you’ve implemented. As amount of planning, the more you simplify, was responsible for overseeing internal In one case, we had a client who was no longer time goes on and responsibilities shift, it’s with quality tools and solutions over quantity, controls, incident response, and threat happy with their vendor, and they were possible that running these tools in-house is the better. intelligence. unable to run their data protection solution no longer viable. Consolidation is key. If you

Disclaimer Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.

70 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 71 Bringing Forensics Education Up to Speed

By EC-Council Cyber Research & Computer Hacking Forensic Investigator Teams

72 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 73 ovel criminal activities in the digital other attacks are being developed to increase landscape always accompany the exploitation while covering the attacker’s digital Ntrends and development in technology, footprint to the much possible extent. Hence, and consequentially, digital security lags. The forensics must look at these issues and develop same could be true for digital forensics (DF), its assets, scope, and policies to overcome these especially in its education curriculum, which challenges,” says Anis Pankhania, CISO – Cloud has encountered significant obstacles over the Infrastructure Services, Capgemini India. last decade, and now stands at the crossroads of development. It is entirely logical for organizations and businesses to think first about their technical Cyber/digital forensics, without a doubt, has and market performance. They readily tend become an integral part of the cybersecurity to incorporate the latest developments in domain. Due to increasing cyberattacks against information technology into their business individual users, corporate organizations, and operations. But these developments may even states, have taken the security of their Anis Pankhania increase the risk if information security isn’t digital assets more seriously. The role of digital CISO – Cloud adequately implemented. In some cases, forensics is to examine the attack and to detect Infrastructure security measures deployed for the protection the attacker’s digital footprint to identify the Services, of consumer privacy end up hindering the Capgemini India vulnerabilities that were missed by the multiple forensic process during its data acquisition layers of security deployed. stage, making it more difficult for the digital forensic analyst to ascertain the cause more Today, the world is largely dependent on global The state of cyber forensics accurately. Cloud computing technology is an data connectivity for its functioning, decimated in today’s digital landscape is apt example for such issues, where the artifacts across various networks, systems, mobile and continuously evolving due to required for forensics is in the custody of the smart devices. This complex environment has developing technologies and cloud service provider. given rise to multiple opportunities for threat their implementation into cybercrime by threat actors. actors to conduct e-crimes. The adoption In the CISO MAG “Implementing Digital Forensics Malware and other attacks are and widescale implementation of emerging in Emerging Technologies” survey included in being developed to increase technologies such as cloud computing, Internet this issue, more than 60% of the respondents exploitation while covering the of Things (IoT), and Blockchain, have further believe that organization factors (63.84%) and attacker’s digital footprint to the augmented the existing security issues, and the legal factors (76.01%) do have a significant much possible extent. Hence, influence over cloud forensics readiness of digital forensic is no exception. “The state of forensics must look at these cyber forensics in today’s digital landscape issues and develop its assets, any organization. Apart from technological is continuously evolving due to developing scope, and policies to overcome elements, the volume of data that these technologies and their implementation into these challenges. emerging technologies create and store has cybercrime by threat actors. Malware and also become a major hurdle. The amount of

74 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 75 data is directly proportional to the amount technology understanding of the analyst. of digital evidence and artifacts that need to Hence, it is imperative for digital forensic be analyzed in the given period. experts, universities, certification bodies, and the digital forensics community to come Impact on Digital Forensics Education together and understand where we are currently, where we need to go, and how we Digital forensics cannot be mastered by can get there. unifying skills and experience acquired by various practitioners. Aspirants could learn Where are we currently? and thoroughly understand the concepts and technology involved in digital forensics Today, most organizations mandate through course training and certifications. certification or a degree as a prerequisite, The underlying perspective for any DF with experience for the digital forensics education revolves around teaching the investigator/analyst role. The aim here is concepts of collecting, preserving, examining, to hire forensics-ready investigators, which analyzing, and presenting digital evidence in also complies with the goal of the forensics a form that would be admissible in a court readiness policies. of law. Certification and accreditation are essential Since digital forensics is about the aftermath to attach validity to the evidence while of any incident, the curriculum for many presenting it in a court of law. Without a DF education programs and certifications relevant degree or certificate, it has become revolves around the existing technologies difficult for an investigator to claim to be an and widely known genres of cases. expert in computer forensics to validate the evidence. New technology could be implemented without fully understanding the security Today, digital forensics has become a implications of each of its actions. That leads required approach for organizations to an unprecedented series of threats and to develop their information security cyberattacks due to misconfigurations. The infrastructure further. There are multiple digital forensics education domain is thus at courses for digital forensics education in a crossroads. The challenges posed by these both physical and online learning modes. emerging technologies have a significant These cater to the digital forensic education impact, and an analyst is expected to solve needs at undergraduate and master’s levels these challenges by default. So, there is of information technology curricula. These dependence on the personal experience and certification programs provide holistic and

76 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 77 specialized courses that include training to Where do we need to go? handle different software and toolkits and practice data sets to gain practical knowledge. Emerging technologies and trends have impacted digital forensics in a significant “Different courses and certifications have a Angelo G. way. The consensus in the community is that different focus. Some courses may involve Longo the current state of forensic readiness and incident response training for students to CISO, education is in chaos and flux. Considering understand threat mitigation better and BetMGM emerging technologies such as IoT, Blockchain, prepare for worst-case scenarios,” says Angelo and cloud, the fundamental concepts and G. Longo, CISO for BetMGM. “Whereas some abstract thinking techniques are not adequately focus is needed on establishing a security policy developed and introduced into curricula and framework and its management. Apart from Different courses and practice. this, supplementary teaching can elaborate certifications have a different on investigation techniques and methods to focus. Some courses may The limitation of current training programs is prepare the students for performing forensic involve incident response that they are not balanced with specializations investigation under diverse environments.” training for students to of new technologies, and those that do may or understand threat mitigation may not correspond to industry needs. Besides, better and prepare for worst- Longo recently published a whitepaper entitled the lack of coherence between the curriculum case scenarios. “Computer Forensic Education Guidance for and quality of training leads to program 2021,” and we quote from his paper. differences between certifications.

The general focus of any digital forensics The emerging technologies that need to be training program revolves around technical incorporated and further researched into digital content and the operational procedures forensics education include cloud forensics, involved in the investigation process, such as data recovery, IT forensics, Dark-web forensics, data recovery, artifact identification, extraction, and IoT forensics. and report writing. The concepts involved in technical training tend to discuss some of the Cloud forensics currently poses multiple most critical problems concerning the forensic challenges for investigation in the cloud investigation processes today. These concepts environment. As the nature of the cloud is could be categorized under several sections closely associated with multitenancy, multi- or modules: hard disks and file systems, data jurisdiction, data duplication, and a high degree acquisition and duplication, anti-forensics of virtualization, this adds to the multi-layer techniques, operating system forensics, complexity of forensics in a cloud environment. network forensics, web forensics, database forensics, malware forensics, email forensics, The data recovery program, especially the and mobile forensics. recovery of encrypted data, impacts the forensics capabilities of any organization

78 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 79 experience and improve learning efficiency for examining case studies, competitions, lifelong learning skills, research & development. Dark-web forensics could be categorized into browser forensics (TOR) and Bitcoin The crux of any research into trends in the towards information security. Forensics forensics. Whereas the former is similar market and technology lies in knowing what analysts need to understand decryption to that of regular browser forensics, i.e., to Apart from developing tools and techniques, the current challenges are and then working using open source or existing keys regarding obtain the information present within the the focus should be on creating a global upon them to develop a solution. With ransomware, as ransomware continuously browser. The latter aims to draw information consensus with regards to establishing regards to this, CISO MAG conducted a survey grows in scale and performance ability. related to the cryptocurrency, as most widely acceptable policies and frameworks. this year on “Implementing Digital Forensic malicious transactions in the darknet take Many of the technologies are affected by in Emerging Technologies.” IoT forensics involves more than what current place in the form of digital currency. the regional government’s compliances and cyber forensics covers. It is a vast network laws. Hence, there must be a common policy The study and the corresponding report of multiple devices linked together across How do we get there? framework that could be agreed upon by all examine the current and future challenges various networks, transmitting data across the governments and stakeholders across in digital forensics and how the latest multiple layers of connectivity. IoT involves To accommodate emerging technologies into the globe. developments in the existing forensic multiple devices, networks, applications, a security architecture, more research must technologies affect the community. The protocols, processing architectures, and be done into how these technologies interact A trend that is bound to incorporate itself report analyzes the impact and the current information dissemination layers. And this with existing platforms. Then one needs into the digital forensic education curriculum understanding of the forensic readiness expands the scope of digital forensics in to design and implement digital forensics is gamification and interactive learning. of organizations and how it is subjected to terms of artifact identification and extraction. techniques and protocols around it. These methods of learning provide hands-on digital forensics education.

80 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 81 SURVEY

Implementing Digital Forensics in Emerging Technologies

o better understand the challenges and state of readiness in implementing Digital Forensics (DF) in emerging technologies, TCISO MAG, in collaboration with EC-Council’s CHFI (Computer Hacking and Forensic Investigation), launched a Technology Trends Survey in April 2021. The report offers an in-depth analysis of how important it is to incorporate the effects of digital forensics on emerging technologies into the curriculum of digital forensic education.

This survey is oriented towards skills, training, and industry opportunities, specifically for digital forensics.

This exclusive report, based on the survey, showcases the viewpoints of industry experts and their perspectives from across the table.

82 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 83 SURVEY

Aim

The survey aims to better understand the forensic readiness and challenges of implementing digital forensics in emerging technologies. The widespread adoption of technologies such as the Internet of Things (IoT), cloud computing, mobile and web applications has changed the way data is being processed and stored. From the perspective of cybersecurity education in digital forensics, this survey attempts to gauge the upcoming challenges that will arise upon deeper integration of digital forensics with these technologies.

Methodology

This report is based on the results of an online survey conducted by CISO MAG for its readers. The survey was conducted using a system that is integrated with EC-Council’s enterprise systems.

Questions for the survey were vetted by CISOs, industry experts, and advocates in the field of digital forensics. On closure, CISO MAG editors further discussed the findings of the survey results with industry experts, which helped in deriving an expert commentary while analyzing and interpreting them.

Key Findings

94.83% of the respondents believe that cloud computing technology and its corresponding cloud forensics will have a greater impact on digital forensics education in the future.

60.51% of the respondents feel that gaining evidence files of around 50 GB for digital forensics study and research, will be extensively or quite helpful, as there is a general lack of high-volume data in forensics for study and practice.

52.40% of the respondents believe that smartphones connected to, or as an IoT device will be the most challenging task while performing IoT forensics.

39.11% of the respondents believe that performing forensics of a network is the most challenging task when conducting TOR forensics.

86.72% of the respondents believe that analyzing and decrypting will be the widely used methods for dealing with the anti-forensics technique of encryption.

84 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 85 SURVEY

Survey Respondent Profile (In alphabetical order)

• Analyst • Information Security • AppSec Manager Operation manager • Associate Manager • Information Technology • Auditor Manager • Business Analyst • Infrastructure Specialists • Business Applications • Integration Engineer Support Officer • IS Compliance Officer • CEO/Founder • IT Administrator • Chairman • IT Analyst • CIO • IT Auditor/Risk manager • CISO • IT Director /IT Development 72 Countries • Co-Founder & Director Manager The 271 validated respondents represent a cross-section of • Compliance Leader • IT Engineer organizations and institutes across 72 countries, as listed below. • Consultant • IT Head • CTO • IT Security Analyst 1. Afghanistan 19. Deutschland 39. Mexico 59. Sri Lanka • Cyber Investigations Head • Lead Investigator • Cyber Security Engineer • Network Admin 2. Australia 20. Egypt 40. Morocco 60. Tanzania • Cyber Security Researcher • Network Engineer 3. Bahamas 21. Estonia 41. Myanmar 61. Thailand • Data Analyst • Network Threat Analyst 4. Bangladesh 22. Ethiopia 42. Namibia 62. Togo • Detective • Pentester 5. Botswana 23. France 43. Netherlands 63. Trinidad and • Digital Forensics Analyst • Professor 6. Brazil 24. Germany 44. Nicaragua Tobago • Director Director of • Project Manager 7. Bulgaria 25. Ghana 45. Nigeria 64. Tunisia Operations • Security Administrator 8. Cambodia 26. Greece 46. Norway 65. Uganda • Director of R&D • Security analyst 9. Cameroon 27. Hong Kong 47. Oman 66. Ukraine • Graduates • SOC Analyst 10. Canada 28. Hungary 48. Pakistan 67. United Arab • GRC Manager • Software Engineer 11. Chile 29. India 49. Peru Emirates • Information Security • Student 12. China 30. Indonesia 50. Philippines 68. United Kingdom Analyst • Tech Lead 13. Colombia 31. Iraq 51. Poland 69. United States of • Information Security • Technical Manager 14. Cote d’Ivoire 32. Ireland 52. Portugal America Engineer • Threat Hunter 15. Croatia 33. Israel 53. Saudi Arabia 70. Vietnam • Information Security Head • VP 16. Cyprus 34. Italy 54. Sierra Leone 71. Zambia • Information Security • VP of Cloud and Manager Container Security 17. Czech Republic 35. Kenya 55. Singapore 72. Zimbabwe • Information Security • Web Developer 18. Democratic 36. Lebanon 56. Slovakia Officer Republic of the 37. Malawi 57. South Africa Congo 38. Mauritius 58. Spain

86 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 87 SURVEY

Makoma Toona Senior Consultant – Jenai Marinkovic IT Forensics CISO/CTO Control Risks, Tiro Security, USA South Africa

One of the most significant risks to the forensics Digital Forensics has become an integral field are breaches where threat actors leverage part of most forensic investigations. and exploit artificially intelligent systems. The process involves the use of multiple tools, techniques, and qualified experts Forensics professionals must become skilled in to uncover evidence residing in electronic digitally recreating a successful attack against a devices and networks. It is imperative to thinking system and attacks that leverage AI-based use experienced and qualified personnel digital weapons. to ensure that proper handling and examination of evidence is applied. We must also consider the legal implications, In recent times, there has been an especially around how we implement the principles urge for organizations to consider of forensically sound processes (meaning, errors, digital transformation following the transparency and trustworthiness, reproducibility, repercussions caused by the global and experience) when dealing with AI systems that pandemic. This has presented a need for use black-box models at their core. Digital Forensics investigators to consider using advances in artificial intelligence (AI), robotics, and the Internet of Things (IoT) to handle challenges such as large data volumes during investigations. These advances can be embedded in Digital Rakesh Sharma Forensics tools and the investigation VP – Cloud & Container Security workflow; to ensure efficient results Standard Chartered Bank during current and future investigations. Singapore Digital forensic experts have to keep Advanced data recovery techniques and tools abreast with the latest trends and upskill are required when performing data acquisitions themselves in order to stay relevant and from emerging technology platforms including to understand the incorporation of 4th ephemeral infrastructure. Emerging technologies industrial revolution into the expert work. will continue to shape digital forensics but the most powerful tool we have at our disposal is our brain. Critical thinking will continue to evolve and will be highly required in threat analysis and breach investigations.

88 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 89 SURVEY

What qualities and skills are important for a digital forensics (DF) analyst?

87.45% Analytical skills 77.12% Technical skills 57.20% Ethical and compliance knowledge

(More than one option was selected)

he present state of digital forensics knowledge (57.20%) were most favored. education is continuously changing Those who have the right combination of Tdue to the impact of emerging these three skills will excel in their careers technologies on information security. Hence, as DF specialists. Though other skills such along with the tools and technologies, those as case awareness (45.76%), patience and pursuing digital forensics must possess a perseverance (44.28%), and understanding certain set of skills. As to which skills are of your role in the entire process (33.58%) were prime importance, the survey results indicate deemed necessary but not as prominent as that analytical skills (87.45%), technical skills the former. Base: 271 respondents. (77.12%), and ethical skills and compliance

90 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 91 SURVEY igital forensics programs and has become important to advance one’s certifications have become too career in this domain. Nearly 55% of the Dspecialized to adapt to continuously respondents feel that the main reason these evolving technological advancements. Since certifications could be considered important Why are digital forensics many cybersecurity professionals transit from is that they validate and improve the forensic certifications important? IT, obtaining a digital forensics certification knowledge of an individual.

54.98% They improve and validate the forensic knowledge of an individual 24.72% They create confidence in an individual’s ability to meet forensic challenges

Base: 271 respondents.

92 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 93 SURVEY

Which emerging technologies do you agree/disagree with, will have a greater impact on digital forensics education in the future?

Cloud Forensics 94.83% Agree; 4.80% Neutral; 0.37% Disagree

Mobile Forensics 84.83% Agree; 14.76% Neutral; 0.37% Disagree

Internet of Things (IoT) Forensics 87.45% Agree; 11.81% Neutral; 0.74% Disagree

Web Application Forensics 80.07% Agree; 18.08% Neutral; 1.85% Disagree Agree Neutral Disagree

• Cloud Forensics: 94.83% Agree; 4.80% Neutral; 0.37% Disagree • Database Forensics: 67.90% Agree; 31.36% Neutral; 0.74% Disagree • Mobile Forensics: 84.87% Agree; 14.76% Neutral; 0.37% Disagree • Internet of Things (IoT) Forensics: 87.45% Agree; 11.81% Neutral; 0.74% Disagree merging technologies such as cloud malware that are evolving and developing • Dark Web Forensics: 74.91% Agree; 23.24% Neutral; 1.85% Disagree computing, mobile and IoT have continuously. Hence, all this is increasing • Malware Forensics: 78.60% Agree; 20.66% Neutral; 0.74% Disagree Echanged our current understanding their respective impacts on digital forensics. • Network Forensics: 73.06% Agree; 25.46% Neutral; 1.48% Disagree of data storage, processing, and transport Among the various technologies that may • Web Application Forensics: 80.07% Agree; 18.08% Neutral; 1.85% Disagree across the digital landscape. This has led greatly impact the future of digital forensics to the increase in risk posed to information education, the top three selected are Cloud security. The same is also true for the forensics (94.83%), IoT forensics (87.45%), (More than one option was selected) Base: 271 respondents. applications, browsers, networks, and and Mobile forensics (84.87%).

94 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 95 SURVEY he evolving threat landscape contains attacks, but it still has its challenges. Most of one of the most potent cybersecurity the respondents feel that understanding the Trisks known as fileless malware; it does malware infection chain (85.24%), its analysis Which areas do you believe not use the file system to carry out its attack, (80.81%), and understanding malware which helps it evade many security barriers attacks via memory exploits (78.60%) are the are challenging, or require such as signature-based detection systems. prime challenges faced during its forensic Thus, forensic measures are among the analysis. further research to understand limited solutions to detect these catastrophic the forensics of fileless malware?

1.11% 85.24% (More than one option was selected) Fileless malware infection chain 78.60% Understanding the malware attack via memory exploits 80.81% 1.11% Analysis of fileless malware

Base: 271 respondents.

96 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 97 SURVEY

Which IoT devices, do you believe, face the most challenges while performing digital forensics?

52.40% Smartphones

oT forensics tends to include more than is considered a challenge, and many of the what conventional cyber forensics covers respondents feel that smartphones are more Iand is not just a mere part of digital challenging (52.40%) to conduct forensics forensics as it includes multiple layers than other IoT devices such as smart speakers across the internet and the interconnected (21.40%), smartwatches (20.66%), and others device for data transmission and storage. (5.54%). Base: 271 respondents. Thus, conducting forensics for IoT devices

98 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 99 SURVEY loud forensics is a cross-discipline obtaining the data hosted with third-party application of digital forensics for the systems that also host data from other Cdata stored in the cloud environment. clients is quite troublesome. Even with the As a cloud user, which “cloud As cloud servers are expensive, most presence of service level agreements (SLA), organizations rely on cloud service providers many of the respondents feel that working service” model do you believe to provide different types of cloud services out digital forensics with SaaS (45.39%) is such as IaaS (Infrastructure as a Service), PaaS more challenging when compared to IaaS would present the most (Platform as a Service), SaaS (Software as a (35.42%) and PaaS (17.34%). challenges during cloud forensics? Service), etc. But, for forensic investigators,

35.42% IaaS (Infrastructure as a Service) 45.39% SaaS (Software as a Service)

Base: 271 respondents.

100 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 101 SURVEY

While performing TOR forensics, which of the following forensic techniques would you consider being the most challenging?

30.26% RAM forensics 39.11% Network forensics

hile conducting dark web RAM forensics is used to obtain volatile forensics, the primary element memory from the RAM that will mostly Wthat any digital forensics provide evidence related to file types and investigator deals with is a browser such as website browsing history. Both network TOR, Subgraph OS, Waterfox, ISP - Invisible and database forensics are conducted Internet Project, etc., of which TOR is the to get data on the traffic and content, most widely used browser. Many of the whereas the registry forensics will indicate respondents feel that, during analysis, while information related to TOR installation and collecting evidence from TOR, the most access. Bitcoin transaction forensics involves challenging part is network traffic forensics extracting artifacts from installed Bitcoin Base: 271 respondents. (39.11%). wallet applications on the user’s system.

102 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 103 SURVEY hile digital forensics is the means amongst the techniques available to counter to counter threats, threat actors such anti-forensics techniques, decrypting Ware developing and incorporating the encryptions, popularly known as Which techniques do you techniques such as steganography, Cryptanalysis (86.72%), will be widely used encryption, packing programs, damaging in the future. This also indicates that an believe will be widely used files, etc., to hide their digital footprint. increase in ransomware and data encryption in the future to counter Many of the respondents believe that attacks could also be seen. anti-forensics techniques?

1.11%

65.31% File carving 69.74% Steganalysis

(More than one option was selected) 86.72% Cryptanalysis 55.35% Unpacking program packers 1.11%

Base: 271 respondents.

104 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 105 SURVEY

Which infamous malware and its forensic investigation procedures should DF analysts be aware of as a part of forensic readiness?

34.69% WannaCry 37.27% Metasploit PHP/Exe exploits

alware is a cause of security suggested that Metasploit PHP/Exe exploits breaches in most incidents. Hence, are exploited by infamous malware that Mmalware forensics is essential for DF analysts should be aware of, including every digital forensic analyst to understand. forensic investigation procedures as part of Base: 271 respondents. A majority of the respondents have forensic readiness.

106 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 107 SURVEY igital forensics readiness is the skills are generally not taught during the ability of an organization to quickly DF programs and are said to be acquirable Drespond to an incident and carry through experience. But a majority of the Do you agree that out the forensics investigation. This involves survey respondents fully agree with the establishing protocols and quickly collecting suggestion that forensics readiness should incorporating knowledge digital evidence with minimal cost or be incorporated into DF certifications and be of forensics readiness into interruption of the business process. These mandated. digital forensics certifications should be mandated?

74.54% Fully agree

Base: 271 respondents.

108 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 109 SURVEY

Conclusion

he survey was designed to development required by an individual understand the state of digital pursuing digital forensics. Tforensics in emerging technologies and the challenges posed to it, both in Thus, to help a student in a more abstract existing and upcoming technologies. The way, digital forensics programs must survey was able to provide new insights build a relevant academic architecture into how all these aspects could impact around the current curriculum to and guide the current digital forensics include the impact of digital forensics on readiness and education to a direction emerging technologies and vice versa. of understanding the existing challenges and developing possible solutions (see Key Findings).

This survey not only highlights the challenges of incorporating digital forensics in emerging technologies such as IoT, cloud, etc., but also sheds light on the existing branches of digital forensics such as malware forensics, databases forensics, browser forensics, dark web forensics, etc., which are either seeing development in some of their aspects or the overall change due to their implementation into an evolving digital environment.

With new developments in technologies, it has become imperative that digital forensics education programs need to develop their curriculum to include a broader skill set, techniques, and technologies that allow for a much- needed exponential change and

Go to Index Page 110110CISOCISO MAG MAG - Vol - Vol5 5 Go to Index Page JuneJune 2021 2021 Issue Issue 06 06 111 111 KNOWLEDGE HUB

Beware of the Return to Office: How Organizations Can Protect Against Pandemic Sleeper Threats

Rick Vanover Senior Director of Product Strategy Veeam Software

Dave Russell Vice President of Enterprise Strategy Veeam Software

112 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 113 KNOWLEDGE HUB

s organizations get closer to The admins worry that, after a period of taken on a lower priority than it should have. working became standard practice, some implementing return-to-work plans, being lax about security, employees will bring Cybercriminals are well-aware of how were able to issue company standard devices Amost employees are excited about compromised devices back to the office and insecure employee environments have with regularly patched antivirus security. But getting back into an office routine. They miss expose the company to new threats. been. They struck with a round of phishing the majority found themselves scrambling to their colleagues, their favorite lunch spots, attacks during the spring 2020 lockdown enable quick and adequate work-from-home and the on-site corporate culture that cannot They may have a point. Work computers period. Now, administrators are concerned setups that didn’t require regular updates, be replicated over Zoom. have played many roles during the pandemic that hackers might implant vulnerabilities patches, and security checks. – hosting everything from social gatherings in unsecure laptops and unleash them once IT administrators have a slightly different to workouts, online learning sessions, employees reconnect with a wider array of A cybersecurity survey conducted in view. They miss all the in-office benefits, home shopping, and Netflix streams. Family resources inside the corporate network. February reflects just how unprepared too, but for them, the prospect of having members have borrowed Mom’s computer enterprises appear to be for the return-to- employees all get back on the network after to play online games, and passwords have Some companies did a good job getting work security threat. Of those surveyed, a year of remote working is a scary thought. been passed around. Cyber diligence has ahead of security threats. When remote 61% used their personal devices – not work-

114 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 115 KNOWLEDGE HUB

issued computers – at home. Only 9% used account? These checks need to be performed an employer-issued antivirus solution, and to minimize risk and make sure compliance only 51% received IT support services while standards like General Data Protection transitioning to remote workstations. Regulation (GDPR) are being maintained.

Administrators are bracing for trouble. Also, check to see if employees have given They’re bringing large numbers of potentially away passwords to family members using unsecured devices back into the fold at the work computers. Did employees change same time they’re preparing to accommodate their passwords? Did they use the same a new normal based on hybrid home/office passwords across work accounts and staffing. According toVeeam’s Data Protection personal accounts? Did they install any new Report, 89% of organizations increased their software or remove any during the remote cloud services usage significantly as a result work period? Administrators need to know of remote work, and the trend is expected before they let employees back on their to continue, meaning there will be more networks. endpoints to protect. Next, ensure you scan all relevant devices for So, how can organizations prepare for this unauthorized apps and software. Employees transition? Here are a few steps they can needed to get creative with work solutions, take: so they may have tapped resources that help them get through everyday tasks but aren’t Undergo rigorous return- up to security standards. Run endpoint detection scans on all returning devices to-work preparation to uncover any hidden vulnerabilities. Cybercriminals often target endpoints, so This is essentially the step where IT IT teams need to scan all corporate and administrators physically go through all the personal employee devices that will be affected resources and ensure they’re ready brought back to the network. to re-enter the game. Improve employees’ digital Start by carrying out risk assessments for each employee and each device. Which hygiene devices have been patched and regularly maintained? Computers used for remote While employees may have let their proverbial working are likely to have confidential hair down during remote work, they’ll company data on them; where has the need to rededicate themselves to proper company data been saved, and under which digital hygiene. Push them to use separate

116 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 117 KNOWLEDGE HUB

passwords for home and work devices. And employee makes a change in an application, programmed with practices that will ensure make sure they’re using conventions that you’ll want to know. It could be a bug altering that the data in question is protected and Conclusion are complex and hard-to-crack. Bring back a piece of code. Or it could be a change that fully available. Keeping the so-called “3-2-1 While IT administrators are looking regular training to ensure that they’ll be able you made – purposefully or inadvertently rule” in mind: Make sure to maintain at least forward to water-cooler talk and on-site to spot phishing emails and other threats. – that you’ll want to reset. Get in the habit three copies of business data, store critical collaboration as much as anybody else, Set up guidelines for using public Wi-Fi and of checking your monitoring tools at least a business data on at least two different types they’re understandably concerned about the for downloading materials. As employees couple of times a day. It takes a minute, but of storage media, and keep one copy of the cybersecurity implications of a more broad- return to work, it’s up to the administrators it allows you to continually reassess your backups in an off-site location. To that, in the based return to work. It could be a challenge. to refine IT practices, one by one, to protect cybersecurity footprint. ransomware era, we’d expand 3-2-1 to 3-2- But with proper planning and follow-through, against the top threats in the organization. 1-1-0: Adding another one to the rule where enterprises can manage the risk and solidify one of the media is offline and ensuring that Ensure cloud data their strategies for protection going forward. all recoverability solutions have zero errors. Monitor all activities management and backups

The best way to spot problems is to set up are sound a system to flag them as they happen. This About the Authors practice can be applied to workers’ tools – and This is a time for IT administrators to make Rick Vanover (Cisco Champion, VMware vExpert) is Senior Director of Product behaviors – as they reintegrate themselves sure all data management and backup Strategy for Veeam Software based in Columbus, Ohio. Vanover’s experience with all the company’s applications. Take services are in good order. If a rogue device includes system administration and IT management; with virtualization, cloud, and advantage of monitoring tools that track does put any data at risk, you’ll want to storage technologies being the central theme of his career recently. As a blogger, changes in usage and applications. If an make sure to have backups in service and podcaster, and active member of the IT community, Vanover builds relationships and spreads excitement about Veeam solutions. Before becoming the “go-to” guy for Veeam questions, Vanover was in system administration and IT management. His community designations include VMware vExpert and Cisco Champion.

Dave Russell recently joined Veeam as its new Vice President of Enterprise Strategy, responsible for driving strategic product and go-to-market programs, spearheading industry engagement, and evangelizing Veeam’s vision for the Hyper-Available Enterprise at key events across the globe, and working with the Executive Leadership team in accelerating the company’s growth in the enterprise. Russell most recently held the role of Vice President and Distinguished Analyst at Gartner. His research focus at Gartner was on storage strategies and technologies, with an emphasis on backup/recovery, snapshot and replication, software-defined storage (SDS), and storage management. He was the lead author of the Magic Quadrant for Data Center Backup & Disclaimer Recovery Solutions from 2006 to 2017. Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.

118 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 119 Mobile Side of Technology Adoption Still Continues to Present a Challenge

ndia has transformed into a drive the adoption of NortonLifelock mobile-first economy. The ease products among consumers in Iof accessibility and cheaper the sub-continent. He champions data make smartphone steaming NortonLifelock’s partner strategy content a primary source of in India and manages OEM/ISP and entertainment. Given the transition online channel relationships. Chopra to remote working, people are well also held the position of Country accustomed to new technologies Manager until June 2018 and has and discover different ways to stay been with the company since 2012. connected. Recent incidents have With over 20 years of extensive shown the vulnerabilities individuals experience in the technology sector, and business owners can witness if he is a sales and marketing strategist one is not cautious to protect their in India and Asia-Pacific regions. He data and identity in the digital world. has been recognized with Six Sigma qualification and has successfully In an interaction with Augustin conceptualized and implemented Kurian, Assistant Editor of CISO multi-tier channel loyalty programs MAG, Ritesh Chopra, Director in his previous role with Seagate, Sales and Field Marketing, Singapore. India & SAARC Countries, NortonLifeLock, discusses the In the interview, Chopra provides increasing cyberthreats given the insights on the growing usage of the current social apps scams that are dark web and critical findings from making consumers vulnerable. the NortonLifeLock Digital Wellness Report. Chopra is responsible for developing Ritesh Chopra and implementing strategies to Director Sales and Field Marketing, India & SAARC Countries NortonLifeLock

120 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 121 Email addresses were the most common workforce – regardless of geo-location or As far as PCs are concerned, people are piece of PII shared with apps and were platform. With myriad compliance and increasingly using paid software. They are even shared with 48% of the iOS apps and 44% regulations norms varying from country We often download free adopting security products for Mac machines. of the Android apps analyzed. With the to country, how should a company ensure apps and, often, without But the mobile side continues to present a rise of the dark web, do you think better that best practices are in place across thinking, permit them to challenge. We see people adopt VPN and mobile national cybersecurity regulation can their offices globally? security products; however, it still appears to be access different features make much difference? a bit further away from what we would want it The COVID-19 pandemic has changed and data on our device. If to be. Personally Identifiable Information (PII) such the way we work; the concept of “remote something like a weather as medical records, bank details, passwords, working” is gaining popularity. While people app asks us to grant India witnessed several state-sponsored phone numbers, and email IDs are most seek opportunities that allow remote work, attacks during vaccine development. Even targeted by cybercriminals. Cybersecurity they must also equip themselves with cyber access to our contact list, the vaccine makers are being targeted in regulations will certainly help in making a safety and data protection tools. There are it should give us pause nation-state attacks. What can the country difference in how data is handled on the some basic measures you can adopt to avoid for thought and its cybersecurity divisions do to combat dark web. But consumers also need to be falling prey to cyberattacks: these threat vectors? aware of the kind of data that is shared through apps. Certain apps can enable • Speak to your employer to understand Scammers and cybercriminals exploited the attackers to mine information from the the policies that help keep you, your co- COVID-19 pandemic and, more recently, the device in the background, even without the workers, and the business safe. ongoing vaccination drive, to create new user’s knowledge. Unlike desktop users, • Always use the company’s tech toolbox, hooks to lure victims. Although the authorities smartphone users cannot see the entire URL as it likely includes firewall and antivirus warned people, there has been an enormous of the site they are visiting, making them protection and security features like VPN increase in the number of phishing scams since vulnerable to phishing attacks. Such threats and two-factor authentication. the pandemic began. Cybercriminals send can be avoided, to an extent, by using strong • Beware of coronavirus-themed emails that appear to be sent by government passwords, avoiding public WiFi, watching phishing emails used by cybercriminals. agencies, employers, and other global health out for phishing emails, regularly backing Immediately report such phishing organizations, inviting users to click on what, in up important data, and keeping all apps attempts to your employer. reality, are malicious links. and operating systems up-to-date. Amidst • Keep your VPN turned on, as it provides Consumers can adopt some basic measures to the evolving cybersecurity landscape, it is a secure link between employees and falling prey to cyberattacks: imperative for individuals to invest in robust businesses by encrypting data. A VPN anti-theft device security to ensure digital helps keep information secure from • Beware of online requests for personal safety. cybercriminals and competitors. information. A coronavirus-themed email • While working remotely, it is important to that seeks your personal data is likely to be COVID-19 changed the cybersecurity understand that online safety is a shared a phishing scam. Legitimate government landscape. It is now even more critical for responsibility that begins at the individual agencies will not ask for such information. companies to support the security of their level. Do not respond to such emails.

122 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 123 • Check the email address or link. You can systems. Individuals often neglect to log out inspect a link by hovering the cursor over of their social media accounts and apps. This the URL to see where it leads. Sometimes, habit needs to change. We must bring some it is obvious that the web address is not good practices from the real world into the legitimate. Even otherwise, be careful virtual one. Akin to how we lock the main because phishers can create malicious door before going to sleep, we should log links that closely resemble legitimate out of emails and social media accounts, and addresses. online banking sessions once we are done • Phishing emails are unlikely to address using them. you by your name. Greetings like “Dear Sir or Madam” are an indication that We often download free apps and, usually, email might not be legitimate. without thinking, permit them to access • Avoid emails that urge you to take different features and data on our device. immediate action. Phishing emails often If something like a weather app asks us to try to create a false sense of urgency. The grant access to our contact list, we should goal is to get the user to click on a link pause for thought. We need to read the and divulge personal information. If you terms and conditions carefully too, rather receive a suspicious-looking email of this than accepting them blindly. It is advisable type, delete it. to install an application scanner to check for security vulnerabilities and a VPN to mask Millennials top the charts in online our identity. transactions compared to women and Data from our Digital Wellness Report reveals Gen X, who are most complacent about some interesting facts: security. Yet, trends indicate Gen X to be more susceptible to cyberattacks than • 81% of the respondents in the survey millennials. Do you think it is entirely were using parental control mechanisms around digital literacy, or is there more to on their devices, while 70% knew that this trend? connecting with strangers while playing online games could lead to problems like The lines between the virtual and the real cyberbullying. world have blurred today. Individuals, • The report found that female irrespective of their age or generation, are respondents (84%) were more aware vulnerable to cyberattacks when using public than men (74%) about security threats or private networks if they do not have any and had security software installed on cyber safety solutions installed on their their smartphones.

124 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 125 • 71% of female respondents (versus 63% of you feel there is a need for a standard set male respondents) concerned themselves of compliance and regulation for fintech with app privacy and permissions on their and cryptocurrency? phones. • Gen Z users (95%) were found to be You’ve probably heard of Bitcoin. But what more proactive than millennials (94%) about Ethereum? Or Tether and Polkadot? and Gen X users (90%) in adjusting the What are these? They’re all examples of privacy permissions on their phones. cryptocurrency – a digital currency that you can buy with real money and then spend on According to our 2019 NortonLifelock online transactions. It’s true that you probably Cyber Insight Report: can’t buy a meal at your favorite restaurant with Bitcoin or rely on Ethereum to fill your • 40% of millennials reported having car’s gas tank. But cryptocurrency is becoming experienced cybercrime in the past year. increasingly more popular and valuable. • Nearly 3 in 10 people said they could not Coindesk.com, which covers cryptocurrency, detect a phishing attack. Another 13% reported that, as of January 2021, the total said they have to guess between a real value of all cryptocurrencies topped $1 trillion message and a phishing email. Thus, 4 for the first time. in every 10 people were vulnerable to phishing. New cryptocurrencies emerge frequently. • 86% of respondents said they may have Coinmarketcap.com listed more than 4,100 experienced a phishing incident. types of them in an early 2021 price index • 7 in 10 respondents wished they could published on its site. But what do these digital make their home Wi-Fi network more currencies mean to you? Do you need to learn secure. how to purchase them and spend them? • 27% of respondents believed it was Probably not. But while digital money isn’t a likely their home Wi-Fi network could be necessity, it does have its uses. Users say that compromised. digital transactions closed with cryptocurrency are more secure than those using credit cards. At present, fintech is one of the most As cryptocurrencies become popular, so do the regulated industries in the world. But the scams associated with them. Some scammers critical challenge is the presence of too set up fake cryptocurrency exchanges. You many governing bodies but no universal might send real money to buy Bitcoins that standards – a singular regulatory policy or don’t exist. Once you send your funds, they are framework for the industry is lacking. Do gone, and your crypto wallet remains empty.

126 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 127 To avoid such scams, only buy cryptocurrency people’s perceptions about the company a mere hygiene exercise, but a business About the from reputed exchanges. Don’t do business and the company’s financial prospects. differentiator. with exchanges that seemingly pop up out of Customers might stop engaging with the Interviewer nowhere. brand entirely or engage at a significantly There are no set rules for building a security lower level than before. framework, and no system can guarantee Augustin Kurian the What kinds of changes should be made 100% protection against all threats. However, Assistant Editor of CISO MAG. during vendor sourcing and onboarding Data security has, for long, been viewed imbibing a culture of security within the He writes interviews and features. processes? And how much of the as a “hygiene” factor by many businesses organization and ensuring the independence responsibility must fall on the CISO? and consumers. However, in today’s and empowerment of the CISO indicates interconnected world, where data is that the organization is serious about cyber Data beaches have a direct negative impact more valuable than ever and a company’s safety and data security. It also ensures that on at least three fundamental aspects of a reputation is based on its ability to protect critical security-related changes within the brand: presence, affinity, and trust. In the customer data and establish digital trust, organization can be effectively taken care of age of social media, negative news can affect cyber safety, and data security are no longer by the CISO.

128 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 129 REWIND<

TOP CYBERSECURITY NEWS OF THE MONTH

130 CISO MAG - Vol 5 May 2021 - Issue 05 131 130 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 131 REWIND<

How to send a tip using Tip Jar? Security researcher Rachel Tobac THREATS Problem 1: found out that while sending someone Users can send or donate a tip using Tip Jar money via PayPal, it revealed her home Twitter’s Latest Feature “Tip Jar” Draws by: address to the receiver. • Click on the Tip Jar. Privacy Concerns • Select the payment service which you Problem 2: Former Federal Trade want to send money from (eg. Bandcamp, Commission chief technologist, Ashkan n May 6, Twitter added a new feature, • Select one or multiple services and add a Cash App, Patreon, PayPal, and Venmo. Soltani, also dug deeper and found that using the Tip Jar. The intent behind this $Cashtag. Additionally, on Android, tips can also be PayPal for the Tip Jar not revealed users’ Oinnovation, as Twitter says, “is to • Once done, the Tip Jar account for your sent using Spaces). addresses but even their email addresses, support voices of creators, journalists, experts, profile is successfully set up and a small • Once selected, a Tip Jar prompt appears although no transaction took place. and nonprofits.” However, within hours of the button appears on the profile next to the indicating that the tipper will be launch, security experts raised concerns over “Follow” button. redirected to a third-party service outside Following these discoveries, Twitter quickly the privacy of people sending the tips, which the platform. Click Continue. worked around the problem and noticed that according to Twitter’s policies seemed like a • Go to the platform and complete your the privacy issue was not at their end but the violation. payment. third-party i.e. at PayPal’s end. After working out the permutations, they decided that What is Twitter’s Tip Jar? Twitter’s Tip Jar Privacy Issue they cannot change PayPal’s functionality but update its notification process. Twitter’s Tip Jar allows the Twitterati to generate an Though Twitter seems to have nailed this support handle backed this by tweeting. additional income source directly via the function, some privacy advocates stated that social media platform. It is a new way of it was exposing the tipper’s identity under “We’re updating our tipping prompt and Help sending and receiving tips so that people certain scenarios. Center to make it clearer that other apps may can support each other not only in terms share info between people sending/receiving of Follows, Retweets, and Likes but even tips, per their terms.” monetarily. The Real Problem How to enable Twitter’s Tip Jar On the other hand, PayPal, in its terms and Setting up the Tip Jar feature is just a matter conditions, has already mentioned under of few clicks. Follow these simple steps: which scenarios will the receiver get the • Go to the Edit Profile address in the receipt. When people are • Switch On the “Tip Jar” setting. receiving payments through the platform, • Toggle and activate Allow Tips. This will they need to either select a “goods and display a list of all payment services and services” or “friends and family” payment. platforms available for setting up your tip In the case of the former, their address is receiving account. shared, and in the other case, it is not.

132 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 133 REWIND<

THREATS

Snip3: A New Crypter-as-a-Service that Deploys Multiple RATs

icrosoft discovered a spear-phishing compromised systems. Snip3 implements campaign in the wild targeting several advanced techniques to bypass Mairline, cargo, and travel industries detection, such as: with multiple Remote Access Trojans (RATs). The technology giant stated that attackers • Executing PowerShell code with the distributed malware payloads via phishing Remotesigned parameter emails imitating legitimate businesses with • Validating the existence of Windows malicious image and PDF attachments. Sandbox and VMWare virtualization • Using Pastebin and top4top for staging “The campaign uses emails that spoof • Compiling RunPE loaders on the endpoint legitimate organizations, with lures relevant in runtime to aviation, travel, or cargo. An image posing as a PDF file contains an embedded link Once the malicious attachment is (typically abusing legitimate web services) downloaded, the first-stage VBScript VBS files that downloads a malicious VBScript, which will be installed simultaneously executing drops the RAT payloads,” Microsoft said. the second-stage PowerShell script, which in turn executes the final RAT payload using Microsoft Fixes 55 Flaws Stealthy Malware Loader Process Hollowing. In a recent development, Microsoft’s May Threat actors leverage multiple RATs to “The Snip3 Crypter’s ability to identify Patch Tuesday security update addressed exfiltrate sensitive data from critical systems sandboxing and virtual environments make over 55 vulnerabilities including four critically by adding extra malware payloads. According it especially capable of bypassing detection- rated Zero-Day bugs. The now patched Zero- to cybersecurity firm Morphisec, RATs are centric solutions. As a result, organizations Day vulnerabilities include CVE-2021-31204 delivered via a new and stealthy malware with detection-focused stacks need to .NET and Visual Studio Elevation of Privilege loader Crypter-as-a-Service that spreads be wary of attacks like Snip3 and others. Vulnerability, CVE-2021-31207 Microsoft them onto targeted machines. Morphisec customers can rest easy that they Exchange Server Security Feature Bypass are protected against the evasive techniques Vulnerability, CVE-2021-31200 Common The Crypter-as-a-Service, dubbed “Snip3,” is Snip3 and other attacks like it employ,” Utilities Remote Code Execution Vulnerability, used to deploy Revenge RAT, Agent Tesla, Morphisec said. and Zero Day Initiative flagged CVE-2021- AsyncRAT, and NetWire RAT payloads on 31166.

134 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 135 REWIND<

CYBER ATTACKS

Irish Health Services Shut Down After Being Hit by Ransomware Attack

reland’s health care services were the most significant cybercrime attack on the temporarily disrupted after being hit by Irish State,” Smyth said. Ia ransomware attack. The Irish Health Service Executive (HSE) claimed that the Patients – The Primary Victims attack affected several diagnostic services, disrupted COVID-19 testing operations, and The attack primarily affected several patients forced hospitals to cancel many medical who needed medical attention as the majority emergencies. of the hospitals canceled all appointments.

Zero-Day Attack! No Ransom!

According to Ossian Smyth, Ireland’s minister While there was no sign of any ransom of e-government and head of the HSE, an demand from cybercriminal groups, the international cybercriminal gang is behind Prime Minister of Ireland Micheál Martin the attack. It was found that the attackers announced that they will not be going to pay exploited an unknown vulnerability in the any ransom. IT systems that led to a Zero-Day attack, affecting IT systems services at all local Besides, Ireland’s Health Minister Stephen and national health care facilities. While Donnelly stated the attack impacted most the attack may potentially affect sensitive health and social care services severely. information stored on central servers, health care officials stated that there was no sign Currently, the health care authorities in of misuse of any patient data or connected the country are working on restoring the IT medical equipment. systems to help patients who are in medical need. “We apologize for the inconvenience “These are cybercriminal gangs, looking for caused to patients and the public and will give money. What they’re attempting to do is to further information as it becomes available. encrypt and lock away our data, and then Vaccinations not affected are going ahead as to try to ransom it back to us for money. It’s planned,” HSE said. widespread. It is very significant, and possibly

136 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 137 REWIND<

DATA BREACH

Toshiba’s European Subsidiary Confirms Ransomware Attack; DarkSide’s Involvement Suspected

s the ransomware pandemic ongoing and only “some regions in Europe” ravages through the big and small were affected by the attack. It further added Asize industries alike, the Japanese that until now, there was no information tech giant joins the list of those affected available that could pinpoint the fact that by it. Toshiba’s European subsidiaries customer-related information was leaked have confirmed that it was targeted bya externally during the course of the attack. “cyberattack”. As per the initial investigation, However, it has not entirely ruled out the the involvement of the DarkSide possibility of the leak either. It said, “The ransomware gang is being suspected as the group recognizes that it is possible that some malware signatures of this attack are similar information and data may have been leaked to those used in the Colonial pipeline hack. by the criminal gang, we will continue to conduct further investigation in cooperation Toshiba Subsidiary Confirms with the external specialized organization to Ransomware Attack grasp the details.”

The European subsidiaries of Toshiba Tec DarkSide’s Involvement Group on May 14 disclosed information that a cyberattack on their network and systems Nowhere in its statement or on official had meant that the network connections channels did Toshiba Tec Group name the between their company assets in Japan and DarkSide ransomware gang’s hand in the Europe were taken offline to stop the spread attack. But in a report from CNBC, a Toshiba of the malware. A tweet from Toshiba’s French spokesperson said that the DarkSide criminal subsidiary, Tec France Imaging System (TFIS), group appeared to be responsible for the confirmed that it was indeed a ransomware security incident. However, the spokesperson attack and took place on the night of May 4. confirmed that it did not intend to pay the ransom and instead used its data backup The official statement made by the Toshiba procedures to get the systems and networks Tec Group said that the investigation was back online.

138 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 139 REWIND<

DATA BREACH

Personal Data of 4.5 Mn Passengers Exposed in Air India Data Breach hile most flight passengers want A Decade Worth of Passenger Data to make their air travel hassle-free Wduring the pandemic, the growing Air India stated the data breach affected cyberattacks on the aviation industry have passengers who had registered between become a challenge for several airlines. August 26, 2011 and February 3, 2021. It Travelers are skeptical and cautious about was found that the attackers managed to sharing their personal information with access a decade worth of passenger data airlines in the wake of heightened security including names, passport, credit card breaches. details, birth dates, contact information, passport information, ticket information, Recently, India’s national airline Air India and Air India’s frequent flyer data from SITA’s revealed that it sustained a sophisticated systems. However, the company clarified data breach in February 2021, which affected that CVV/CVC numbers were not exposed in over 4.5 million passengers globally, after the incident. its data management service provider SITA Passenger Service System (SITA PSS) was Measures Taken by Air India After hacked by unknown threat actors. SITA PSS the Data Breach: is responsible for storing and processing of personal information of Air India passengers. • Investigating the data security incident “While we had received the first notification • Securing the compromised servers in this regard from our data processor on • Engaging external specialists of data February 25, 2021, we would like to clarify security incidents that the identity of the affected data subjects • Notifying and liaising with the credit card was only provided to us by our data processor issuers on March 25 and April 05, 2021. The present • Resetting passwords of the Air India FFP communication is an effort to apprise of program accurate state of facts as on date and to supplement our general announcement While there is no sign of any misuse of users’ of March 19, 2021, initially made via our leaked data, Air India urged passengers to website,” Air India said. update their passwords at the earliest to avoid any security risks.

140 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 141 REWIND<

GOVERNANCE

Belgium’s National Security Council Approves Cybersecurity Strategy 2.0

t the beginning of the month, Belgium Resilience, which the government submitted faced a widespread internet outage to the European Commission at the end of Aacross the country. Reportedly, the April. country’s leading internet service provider (ISP), Belnet, was targeted with multiple Cyberthreats are dynamic and require waves of DDoS attacks that forced nearly evolving countermeasures. Thus, to take its 200 organizations, including government cyber defenses a notch higher, Belgium’s websites, to go offline. Incidentally, around National Security Council has approved the same time, Belgium’s National Security adding and adopting a new and more refined Council (NVR) was finalizing the country’s cybersecurity strategy based on six specific Cybersecurity Strategy 2.0, whose objectives: first version was introduced in 2012 and implemented in the preceding year. The • Strengthen the digital environment and original strategy, which contains 11 of the confidence in it. 15 strategic goals of the European Union • Protect the computers and networks of Agency for Cybersecurity (ENISA), has been both, end-users and service providers. renewed to add six more specific areas that • Protect critical organizations from it will concentrate on in the next five years. cyberthreats. • Raise awareness and educate all Cybersecurity Strategy 2.0: Six stakeholders to tackle all possible Strategic Areas of Focus cyberthreats. • Improve partnerships and sharing of Belgium’s various industrial sectors and even expertise between government, industry, SMEs are taking huge strides towards cutting- and academic institutions. edge technological adoptions. The country’s • Make a clear international commitment cyberspace is continuously evolving and thus concerning cybersecurity. the challenges that come with it have evolved too. However, the country has always paid The CCB will work closely with various attention to this and invested in securing its government services for which cybersecurity cyber front. Cybersecurity is one of the main is of central importance. pillars of their National Plan for Recovery and

142 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 143 REWIND<

GOVERNANCE

Japan to Impose Strict Regulations on Private Sector’s Adoption of Foreign Equipment and Technology

earing a situation like the Colonial However, the recent turn of events in Pipeline-like hack, the Japanese the U.S., where the privately run Colonial Fgovernment is set to impose restrictions Pipelines was hacked, probably pressured on the usage of foreign equipment and the Japanese government into extending technology in its private sector. It will this ban to the private sector too. The brutal introduce new security regulations for 14 ransomware attack on the Colonial Pipeline critical infrastructure sectors including, infrastructure saw a temporary halt in its telecommunications, electricity, finance, supplies affecting many major East Coast railroads, government services, and health cities including Washington, DC., Baltimore care. and Atlanta. Concerns over a fuel crunch and price hike saw frantic buying from citizens The Policy in Public Sector of these regions, which further escalated the fuel shortage. The situation was later Japan had reportedly stopped procuring brought under control as a partial recovery foreign equipment in government purchases of fuel supplies was attained soon. The chaos since 2018 “to avoid hacks and intelligence led to the POTUS signing an Executive Order leaks.” The move was specifically aimed at to bolster the nation’s fight against rising keeping China at bay, who at the time were cyberattacks. being blamed by the U.S. for carrying out spying and espionage campaigns through Present Private Sector Woes Huawei’s 5G equipment. Following these accusations, the U.S., the U.K., and Australia In the same week, another Japanese tech ordered an immediate ban on importing giant Toshiba’s subsidiary in Europe fell victim Huawei’s 5G equipment and ordered the to a ransomware attack, which was probably removal and replacement of the installed conducted by the same threat group involved equipment too. Japan being a close ally of the in the Colonial Pipeline hack. The attack led U.S., and the fact that it could cause economic to the suspension of all communication lines security risks to its homeland, followed suit. between Toshiba’s European and Japanese offices.

144 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 145 STAY VISIBLE!

reach out to the ever growing global infosec community

Advertise with us

for more info write to 230,000 30,000+ 90,000 [email protected] Readership Reach Registered Readership New Page Views EC-Council & CISO MAG Combined EC-Council & CISO MAG Combined

146 CISO MAG - Vol 5 Go to Index Page June 2021 Issue 06 147 cisomag.eccouncil.org

SCAN AND STAY UPDATED WITH REAL TIME CYBERSECURITY NEWS