Volume 4 (2020-21)

Each volume of Cyber Security: A Peer-Reviewed Journal consists of four 100-page issues published in both print and online. Articles scheduled for Volume 4 are available to view on the 'Forthcoming content' page. The articles and case studies confirmed for Volume 4 are listed below: 

Volume 4 Number 1

  • Editorial
    Simon Beckett, Publisher
  • Taking risk to the edge of acceptable
    Steve Williamson, Director, GlaxoSmithKline

    This paper discusses evolving technology architectures, such as cloud and edge computing, which enable the development of smart systems that interact with their environment and make human-like decisions. These are Internet of Things (IoT) devices with embedded artificial intelligence (AI) functionality. Furthermore, these are relatively quick to build due to the availability of reusable software components and high-availability processing resources. AI simulates a broad range of human specialisations, such as medical diagnosis, driving and speech recognition. The benefits of AI are transformational, but the consequences of failure can be catastrophic. New technologies introduce new threats and the need for new safeguards. The paper analyses the challenge for our industry, which is to enable the benefits of AI, while ensuring risks are maintained at an acceptable level. This can be achieved by adopting a security by design approach to new product development. This is a discipline that helps identify threats and ensures appropriate safeguards are engineered into the product from the start. The paper discusses how, if we are to safely realise the game-changing benefits of AI, security by design will have to become normal practice in product engineering.
    Keywords: artificial intelligence (AI), data poisoning, edge computing, security by design, attack trees, Watson, DeepMind

  • Consider the consequences: Understanding and limiting physical impacts caused by an ICS cyberattack
    Richard Wyman, Professional Control Systems Engineer, CS 7 Consulting

    Industrial control systems have significantly improved the quality of life for most of the world’s population by controlling manufacturing processes that produce high-quality products at lower costs. Many products would be impossible to manufacture without the speed and accuracy provided by these computerised marvels. They are also crucial in transporting people (airlines, trains, public transport) and information (voice and data), as well as supporting essential utilities such as electricity, gas, water and sewage. Computerised control systems have also improved operating safety, resulting in fewer injuries, deaths, environmental impacts and equipment damage. Because of their potential to shut down critical infrastructure and cause physical damage, however, they have become high-value targets for cyberattacks. This paper explores the relationship between cyber exploit and physical impact and how engineers and IT specialists can use this understanding to build more robust control systems and processes. It also describes a recently patented controller architecture that prevents the malicious modification of control algorithms from a remote adversary.
    Keywords: ICS cyber security, cyberattacks, physical impacts, risk analysis

  • Effectively integrating physical security technology into the operational technology domain
    Matthew Wharton, President, Strategic Accounts Guidepost Solutions

    The operational technology (OT) domain has historically been an area of sensitivity primarily within the industrial (manufacturing, petrochemical, medical) and critical infrastructure (power, water, utility, data, telecommunication) markets. Recent compromises of OT have expanded the exposure to loss from this domain into more core corporate markets, including pharmaceutical, technology, logistics/supply chain, software, banking/finance, retail, warehouse/distribution and commercial office. This paper argues that a holistic countermeasure implementation programme must be put in place and managed as a core competency within the overall cyber security posture of an organisation in order to effectively mitigate threats to this domain. It advises how physical security controls must be a priority within this posture to effectively control access to the on-site assets that manage OT. The control strategy put forward in this paper introduces two key attributes. The first is to apply physical security controls to protect OT, which may require an expansion of the locations at a site where these controls are deployed. The second is to treat physical security assets as OT so they fall under the same level of network segmentation, threat management, version control and access management as core OT assets.
    Keywords: operational technology (OT), convergence, physical security, cyber security, process control, SCADA, robotics, manufacturing security

  • Users are an intelligence source: Are you leveraging them in your detection strategy?
    Tonia Dudley, Security Solutions Advisor, Cofense

    Users are a built-in army of cyber defenders — if they are properly educated and conditioned to do the right things. From entry-level clerks to C-level executives, employees whose jobs have little to do with IT or security nonetheless perform critical tasks, making them a target for phishing attacks. While over the years organisations have done a commendable job of making users ‘aware’ of phishing, too often security professionals blame people for security failures. In this paper, learn the many reasons why the blame game is not fair. Discover how phishing has evolved faster than most organisations have adapted. Learn the most common forms of phishing today and why it is imperative to train employees not only to recognise phish but to report, quickly and easily. See the importance of reiteration and developing ‘muscle memory’ in training, along with the value of communicating back to employees who flag e-mails that seem suspicious. Frequency matters in phishing awareness — the stats bear this out. Organisations that run phishing simulations at least monthly are twice as resilient to phishing attacks as those simulating less often. Further, grasp the value of user-generated phishing intelligence to security operations. This paper examines how prompt notification by vigilant users enables security operations centre (SOC) teams to respond to phishing threats faster, reducing dwell time and protecting networks. Gain an understanding of how a human-centric phishing defence fills the gaps left by secure e-mail gateways, which cannot catch every phish, and by security orchestration, automation and response (SOAR) solutions as well. Threat actors are patient, methodical and smart. They use the most powerful machine ever — the human brain. Discover how honing users’ intuition flips the script, turning phishing targets into active defenders, whose success is easily measured, maintained and improved.
    Keywords: phishing, security awareness, threat intelligence, change behaviour, resiliency, data breach

  • Think like a hacker: Reducing cyber security risk by improving API design and protection
    Gerhard Giese, Senior Manager, Akamai Technologies

    Application programming interface (API) traffic now dominates the Internet. Unlike traditional web forms, APIs are faster and more powerful, but often do not get the correct protection — expanding the security risk for organisations. APIs connect people, places and things to create seamless integrations, richer experiences and new revenue models. This paper deals with what happens when an API is misused, and sets out how the exposure to an organisation can be significant. The paper discusses why it is no longer safe to assume APIs will be used as intended or remain hidden to prevent unauthorised access or abuse. To stay ahead of the next cyber security exploit, API developers need to start thinking like a hacker. The paper promotes a proactive approach to identifying, designing, managing and protecting APIs which will minimise the attack surface and prevent damaging data breaches.
    Keywords: API, attack surface, apps, Internet of Things (IoT), pen testing, hacking, web security

  • The challenge of assessing strategic cyber security risk in organisations and critical infrastructure
    Charles Harry, Associate Research Professor, University of Maryland

    The increasing threat of cyberattacks against systemically important institutions and critical infrastructure continues to highlight the need to improve the defence and resilience of organisations. The US government focuses its defence strategy on applying a risk-based approach to optimise the allocation of scarce resources across federal networks and promotion of best practice for critical infrastructure. This paper discusses the framing national policy and the core methodological challenges facing practitioners who seek to implement such an approach. The paper defines three key areas of fundamental challenge: 1) defining tiers, categories, and severity measures of end effect; 2) linkage of devices to organisational processes; and 3) a mechanism for connecting organisations together to analyse emergent societal effects. This approach is broadly applied to an example of commercial airline operations identifying the interconnection between key functions in the production chain that, if disrupted, lead to strategic effects in the critical infrastructure sector.
    Keywords: risk, critical infrastructure, cyber strategy, interdependence

  • What the market is not telling you about the cyber security skills shortage
    Karla Reffold, Founder, BeecherMadden

    In this paper, we examine the common myths surrounding the reason for the skills gap within cyber security. Many common beliefs are repeated on social media, fuelling the belief that the market is not moving on or solving common problems. Issues such as low salaries and unachievable job descriptions are often quoted but are rarer than we would all believe. With research spanning the past six years, we examine what professionals in cyber security actually value in a job search. We also examine options to solve the skills gap quicker than we consider possible. Rather than focusing on attracting school or university leavers, it is possible to reduce the gap from other talent pools. Finally, we look at whether and why talent does leave the industry, questioning if the negative press about culture around security teams is actually contributing to the skills gap or if people are simply choosing a different way of working.
    Keywords: skills gap, talent, retention, recruitment, careers, jobs

  • Non-traditional cyber adversaries: Combatting human trafficking through data science
    Danielle Borrelli, Operations Coordinator, California Cybersecurity Institute and Program Lead, Trafficking Investigations Hub and Sherrie Caltagirone, Founder and Executive Director, Global Emancipation Network

    Human trafficking is a complex and challenging global crime exacerbated by the use of technology. This paper begins by discussing how traffickers utilise technology for scalability, anonymity and profitability as the Internet, social media platforms and encrypted messaging make the recruitment, exploitation and profit of an individual a low-risk, high-reward enterprise. It goes on to describe how counter-trafficking efforts are often siloed approaches, resulting in decentralised information and analysis on the size and scope of trafficking in persons. It presents resources and tools, such as the human trafficking kill chain methodology and Artemis, a machine learning (ML) human trafficking risk classifier, which show promising disruption tactics that may also be applied to other asymmetrical threats. Recommendations for centralised data collection methods, interagency collaboration and cybersecurity-adjacent legislation are also made.
    Keywords: trafficking, sexual exploitation, cyber, adversaries, data