Volume 4 (2020-21)

Each volume of Cyber Security: A Peer-Reviewed Journal consists of four 100-page issues published in both print and online. Articles scheduled for Volume 4 are available to view on the 'Forthcoming content' page. The articles and case studies confirmed for Volume 4 are listed below: 

Volume 4 Number 2

  • Editorial
    Simon Beckett, Publisher
  • Industrial Internet of Things: From preventive to reactive systems — redefining your cyber security game plan for the changing world
    Lesley Kipling, Chief Cybersecurity Adviser, Microsoft

    Information technology (IT) and operational technology (OT) share a common set of technologies, but these platforms differ greatly in operational life cycle requirements, potential life/safety impact, and security assurance requirements for confidentiality versus availability. A new generation of OT platforms, called the Industrial Internet of Things (IIoT), offers both challenges and opportunities to forge new connections between the cyber and physical worlds. The urgency to connect these worlds from a security visibility perspective is high, as attackers can and will attack any connected platform; the classic OT security strategy of air-gapping devices does not adapt well to this new generation of connected devices. As a plethora of devices and systems are connected to allow for IIoT innovation, the increased number of endpoints makes protecting these devices ever more challenging even as they give ample opportunity for attackers. The vital importance of securing devices that run critical infrastructure or life-saving devices is paramount, and proactive and reactive elements must work together to protect, detect and automate response to threats using cloud scale and machine learning to amplify human intelligence.
    Keywords: zero trust, automated remediation, machine learning, anomaly detection, automated response, digital twins

  • The complexity of performing cyber audits in the space sector along the supply chain
    Jose Ramon Coz Fernandez, Cyber Internal Auditor, European Space Agency and Vicente José Pastor Pérez, Head of Cyberspace Situational Awareness, NATO Cyberspace Operations Centre

    Cyber audits are not at all easy to perform. The number of dependencies present in modern systems makes the process truly complicated, and the findings, when available, are difficult to interpret and understand. The increasing trend to subcontract large parts of a programme or project hides some of those dependencies and other details under a huge number of contracts and other legal documentation which, in some cases, obliges the auditor to become a real documentation archaeologist in search of the Holy Grail. The required security controls span across those documents, and the responsibility of one or the other party in the supply chain within a complex programme is not always obvious. The mission is clear, however, and the auditor needs to ensure that the processes, controls and safeguards are in place as originally designed, regardless of the added complexity. In this paper, the authors introduce the concept of cyber audits, explain some of the factors that contribute to the complexity of projects in the space sector along the supply chain, and describe tools that can assist in the audit process, before concluding with some recommendations to be taken into account to facilitate the process.
    Keywords: cyber audits, space, complexity, audit tools, supply chain

  • Cheetahs, COVID-19 and the demand for crypto-agility
    Michael Thelander, Director of Product Marketing, Venafi

    ‘Digital transformation’ means many things to the different stakeholders who drive today’s business and technical strategies. For the business manager it means creating hyper-responsive, always-on, multichannel paths to profitably engage with customers and partners. For the technologist it means leveraging the newest capabilities in cloud delivery, application development and DevOps tooling, and doing it faster and more economically than ever before. But in all of these cases, digital transformation relies on the underlying foundation of well-protected ‘machine identities’, as well as the technologies that create them, such as TLS certificates, SSH keys, API keys and code-signing certificates. These, in turn, all rely on cryptography: the process of ‘constructing and analysing protocols that prevent third parties or the public from reading private messages’ while also assuring safe machine-to-machine authentication. This paper focuses on the increasingly critical need for an organisation’s cryptographic processes to be agile. Readers will learn what ‘agile’ means to them, and how it leads to a kind of cryptographic flexibility they can leverage whether they deliver applications and services through new cloud architectures, traditional on-prem environments or hybrid models. They will learn how this agility can rapidly replace cryptographic algorithms, tools or providers that have been compromised, without affecting the availability or integrity of the applications or services they enable. They will also learn how organisations can control costs and limit their dependency on third-party services, all while maintaining a robust posture around their rapidly increasing population of machine identities.
    Keywords: cryptography, SSL/TLS, encryption, SSH, certificate authority, code signing

  • Cyber leadership across a business ecosystem
    Matthew Doan, Senior Manager, Boston Consulting Group

    This paper makes the case that cyber leaders need to take a proactive, ecosystem-based leadership approach to have the influence and impact that their organisation requires of them.
    Keywords: leadership, strategy, design, influence, value

  • A framework for fostering a dynamic information security culture
    Renay Carver, Operations and Technology Strategist, Veritable Associates

    This paper proposes how organisations may attend to key factors influencing organisational culture to facilitate and nurture a well-prepared information security culture. Organisational culture is the formative part of organisational behaviour, establishing the social interaction norms, best practices and processes required to achieve organisational objectives. In defining what organisational culture is, and by recognising what a worthy culture should entail, companies may increase opportunities to detect problems, design solutions and develop healthier environments. Employees have accord in decision making and experience a shared understanding of how to accomplish organisational goals. The organisation’s cultural orientation dictates the acceptable system and leadership behaviours expected to effectively achieve enterprise strategy; ultimately, employee behaviour and interaction become defined by such orientation. Attempts to change organisational culture are problematic, since organisational culture often lives on long after founders depart, leaders exit, and products and services cease. Hence, organisational culture may become static. Understanding the organisation’s culture is valuable in managing responses to security challenges, since awareness of the organisation’s cultural profile helps in recognising the organisation’s readiness in dealing with dynamic security hazards. Information security culture, a sub-culture of organisational culture, represents the employee’s behaviour and attitude toward information security. The Information Security Culture Framework offers a model to assess the status (resiliency and readiness) of the organisation’s information security culture and mitigate security issues heightened by human error. Adopting a dynamic information security culture fosters the beneficial change necessary to confront and diminish security threats. By promoting information security consciousness and focused security awareness to address dynamic information security threats, organisations may achieve a robust information security culture.
    Keywords: organisational culture, information security culture, information security awareness, training, change management, human behaviour

  • Vulnerabilities on the wire: Mitigations for insecure ICS device communication
    Michael Hoffman, Principal Industrial Consultant, Dragos

    Modbus transmission control protocol (TCP) and other legacy ICS protocols ported over from serial communications are widely used in many ICS verticals. Due to extended operational ICS component life, these protocols will be used for many years to come. Insecure ICS protocols allow attackers to potentially manipulate programmable logic controller (PLC) code and logic values that could lead to disrupted critical system operations. These protocols are susceptible to replay attacks and unauthenticated command execution. This paper examines the viability of deploying PLC configuration modifications, programming best practices and network security controls to demonstrate that it is possible to increase the difficulty for attackers to maliciously abuse ICS devices and mitigate the effects of attacks based on insecure ICS protocols. Student kits provided in SANS ICS515 and ICS612 courses form the backdrop for testing and evaluating ICS protocols and device configurations.
    Keywords: ICS, OT, protocols, PLC, automation, Modbus

  • The landscape from above: Continuous cloud monitoring for continuous assurance
    Fouad Khalil, Corporate Compliance Executive

    The concept of monitoring information system security has long been recognised as sound and valuable management practice. For additional consideration, a large portion of compliance requirements for information security and privacy are supported by such monitoring. Security programmes must be aligned with privacy and compliance programmes to ensure those areas of data protection compliance are appropriately met and monitored, and then actions based on maturity levels must be aligned with information assurance programmes. Some key areas to consider in information security programmes include: 1) Continuous assurance (full data life cycle, continuous monitoring, continuous awareness, continuous compliance, challenges, benefits); 2) continuous supply chain management (continuous vendor management and oversight, benefits, challenges); 3) continuous cloud assurance (private cloud, community cloud, public cloud, hybrid cloud); and 4) continuous improvement (what is involved and necessary, including actions, monitoring and metrics). This paper posits that organisations, building out their digital transformation strategies, must think strategically about the way in which they manage privacy compliance in the cloud, committing to a data-driven continuous assurance privacy programme which would provide a more robust compliance posture.
    Keywords: continuous, compliance, cloud, technology, assurance, cyber security

Volume 4 Number 1

  • Editorial
    Simon Beckett, Publisher
  • Taking risk to the edge of acceptable
    Steve Williamson, Director, GlaxoSmithKline

    This paper discusses evolving technology architectures, such as cloud and edge computing, which enable the development of smart systems that interact with their environment and make human-like decisions. These are Internet of Things (IoT) devices with embedded artificial intelligence (AI) functionality. Furthermore, these are relatively quick to build due to the availability of reusable software components and high-availability processing resources. AI simulates a broad range of human specialisations, such as medical diagnosis, driving and speech recognition. The benefits of AI are transformational, but the consequences of failure can be catastrophic. New technologies introduce new threats and the need for new safeguards. The paper analyses the challenge for our industry, which is to enable the benefits of AI, while ensuring risks are maintained at an acceptable level. This can be achieved by adopting a security by design approach to new product development. This is a discipline that helps identify threats and ensures appropriate safeguards are engineered into the product from the start. The paper discusses how, if we are to safely realise the game-changing benefits of AI, security by design will have to become normal practice in product engineering.
    Keywords: artificial intelligence (AI), data poisoning, edge computing, security by design, attack trees, Watson, DeepMind

  • Consider the consequences: Understanding and limiting physical impacts caused by an ICS cyberattack
    Richard Wyman, Professional Control Systems Engineer, CS 7 Consulting

    Industrial control systems have significantly improved the quality of life for most of the world’s population by controlling manufacturing processes that produce high-quality products at lower costs. Many products would be impossible to manufacture without the speed and accuracy provided by these computerised marvels. They are also crucial in transporting people (airlines, trains, public transport) and information (voice and data), as well as supporting essential utilities such as electricity, gas, water and sewage. Computerised control systems have also improved operating safety, resulting in fewer injuries, deaths, environmental impacts and equipment damage. Because of their potential to shut down critical infrastructure and cause physical damage, however, they have become high-value targets for cyberattacks. This paper explores the relationship between cyber exploit and physical impact and how engineers and IT specialists can use this understanding to build more robust control systems and processes. It also describes a recently patented controller architecture that prevents the malicious modification of control algorithms from a remote adversary.
    Keywords: ICS cyber security, cyberattacks, physical impacts, risk analysis

  • Effectively integrating physical security technology into the operational technology domain
    Matthew Wharton, President, Strategic Accounts Guidepost Solutions

    The operational technology (OT) domain has historically been an area of sensitivity primarily within the industrial (manufacturing, petrochemical, medical) and critical infrastructure (power, water, utility, data, telecommunication) markets. Recent compromises of OT have expanded the exposure to loss from this domain into more core corporate markets, including pharmaceutical, technology, logistics/supply chain, software, banking/finance, retail, warehouse/distribution and commercial office. This paper argues that a holistic countermeasure implementation programme must be put in place and managed as a core competency within the overall cyber security posture of an organisation in order to effectively mitigate threats to this domain. It advises how physical security controls must be a priority within this posture to effectively control access to the on-site assets that manage OT. The control strategy put forward in this paper introduces two key attributes. The first is to apply physical security controls to protect OT, which may require an expansion of the locations at a site where these controls are deployed. The second is to treat physical security assets as OT so they fall under the same level of network segmentation, threat management, version control and access management as core OT assets.
    Keywords: operational technology (OT), convergence, physical security, cyber security, process control, SCADA, robotics, manufacturing security

  • Users are an intelligence source: Are you leveraging them in your detection strategy?
    Tonia Dudley, Security Solutions Advisor, Cofense

    Users are a built-in army of cyber defenders — if they are properly educated and conditioned to do the right things. From entry-level clerks to C-level executives, employees whose jobs have little to do with IT or security nonetheless perform critical tasks, making them a target for phishing attacks. While over the years organisations have done a commendable job of making users ‘aware’ of phishing, too often security professionals blame people for security failures. In this paper, learn the many reasons why the blame game is not fair. Discover how phishing has evolved faster than most organisations have adapted. Learn the most common forms of phishing today and why it is imperative to train employees not only to recognise phish but to report them, quickly and easily. See the importance of reiteration and developing ‘muscle memory’ in training, along with the value of communicating back to employees who flag e-mails that seem suspicious. Frequency matters in phishing awareness — the stats bear this out. Organisations that run phishing simulations at least monthly are twice as resilient to phishing attacks as those simulating less often. Further, grasp the value of user-generated phishing intelligence to security operations. This paper examines how prompt notification by vigilant users enables security operations centre (SOC) teams to respond to phishing threats faster, reducing dwell time and protecting networks. Gain an understanding of how a human-centric phishing defence fills the gaps left by secure e-mail gateways, which cannot catch every phish, and by security orchestration, automation and response (SOAR) solutions. Threat actors are patient, methodical and smart. They use the most powerful machine ever — the human brain. Discover how honing users’ intuition flips the script, turning phishing targets into active defenders, whose success is easily measured, maintained and improved.
    Keywords: phishing, security awareness, threat intelligence, change behaviour, resiliency, data breach

  • Think like a hacker: Reducing cyber security risk by improving API design and protection
    Gerhard Giese, Senior Manager, Akamai Technologies

    Application programming interface (API) traffic now dominates the Internet. Unlike traditional web forms, APIs are faster and more powerful, but often do not get the correct protection — expanding the security risk for organisations. APIs connect people, places and things to create seamless integrations, richer experiences and new revenue models. This paper deals with what happens when an API is misused, and shows how significant the exposure to an organisation can be. The paper discusses why it is no longer safe to assume APIs will be used as intended or remain hidden to prevent unauthorised access or abuse. To stay ahead of the next cyber security exploit, API developers need to start thinking like a hacker. The paper promotes a proactive approach to identifying, designing, managing and protecting APIs which will minimise the attack surface and prevent damaging data breaches.
    Keywords: API, attack surface, apps, Internet of Things (IoT), pen testing, hacking, web security

  • The challenge of assessing strategic cyber security risk in organisations and critical infrastructure
    Charles Harry, Associate Research Professor, University of Maryland

    The increasing threat of cyberattacks against systemically important institutions and critical infrastructure continues to highlight the need to improve the defence and resilience of organisations. The US government focuses its defence strategy on applying a risk-based approach to optimise the allocation of scarce resources across federal networks and promotion of best practice for critical infrastructure. This paper discusses the framing national policy and the core methodological challenges facing practitioners who seek to implement such an approach. The paper defines three key areas of fundamental challenge: 1) defining tiers, categories, and severity measures of end effect; 2) linkage of devices to organisational processes; and 3) a mechanism for connecting organisations together to analyse emergent societal effects. This approach is broadly applied to an example of commercial airline operations identifying the interconnection between key functions in the production chain that, if disrupted, lead to strategic effects in the critical infrastructure sector.
    Keywords: risk, critical infrastructure, cyber strategy, interdependence

  • What the market is not telling you about the cyber security skills shortage
    Karla Reffold, Founder, BeecherMadden

    In this paper, we examine the common myths surrounding the reason for the skills gap within cyber security. Many common beliefs are repeated on social media, fuelling the belief that the market is not moving on or solving common problems. Issues such as low salaries and unachievable job descriptions are often quoted but are rarer than we would all believe. With research spanning the past six years, we examine what professionals in cyber security actually value in a job search. We also examine options to solve the skills gap quicker than we consider possible. Rather than focusing on attracting school or university leavers, it is possible to reduce the gap from other talent pools. Finally, we look at whether and why talent does leave the industry, questioning if the negative press about culture around security teams is actually contributing to the skills gap or if people are simply choosing a different way of working.
    Keywords: skills gap, talent, retention, recruitment, careers, jobs

  • Non-traditional cyber adversaries: Combatting human trafficking through data science
    Danielle Borrelli, Operations Coordinator, California Cybersecurity Institute and Program Lead, Trafficking Investigations Hub and Sherrie Caltagirone, Founder and Executive Director, Global Emancipation Network

    Human trafficking is a complex and challenging global crime exacerbated by the use of technology. This paper begins by discussing how traffickers utilise technology for scalability, anonymity and profitability, as the Internet, social media platforms and encrypted messaging make the recruitment, exploitation and profit of an individual a low-risk, high-reward enterprise. It goes on to describe how counter-trafficking efforts are often siloed approaches, resulting in decentralised information and analysis on the size and scope of trafficking in persons. It presents resources and tools, such as the human trafficking kill chain methodology and Artemis, a machine learning (ML) human trafficking risk classifier, that show promising disruption tactics which may also be applied to other asymmetrical threats. Recommendations for centralised data collection methods, interagency collaboration and cybersecurity-adjacent legislation are also made.
    Keywords: trafficking, sexual exploitation, cyber, adversaries, data