Volume 5 (2021-22)

Each volume of Cyber Security: A Peer-Reviewed Journal consists of four 100-page issues published in both print and online. Articles scheduled for Volume 5 are available to view on the 'Forthcoming content' page.

Volume 5 Number 3

  • Editorial
    Simon Beckett, Publisher
  • Tackling cybercrime and ransomware head-on: Disrupting criminal networks and protecting organisations
    Marja Laitinen, Digital Crimes Unit Lead, Microsoft EMEA and Sarah Armstrong-Smith, Chief Security Advisor, Microsoft EMEA

    This paper provides a look into the current cybercrime trends, fuelled by the ongoing digital transformation and global pandemic, proliferating across organisations of all sizes and posing high socio-economic risk to critical infrastructure and supply chains. Attackers are capitalising on the technological advances, cloud adoption and hybrid working environments through launching targeted and persistent, human-operated ransomware campaigns. A coordinated and sustained effort is required between governments and the private sector to disrupt criminal infrastructures and global networks that cybercriminals rely on to launch and profit from their attacks. Collaboration and partnerships are also required to support organisations with building necessary cybersecurity capability to prevent, detect and respond to ransomware threats, through adopting zero trust principles and architectures by design and default.
    Keywords: cybercrime, ransomware, law enforcement, organised crime, cyberattacks, cyber security protection, zero trust

  • Paradigm of cyber security transformation in Lithuanian Railways during a pandemic
    Antanas Kedys, Head of Cyber Security, Žaneta Navickienė, Head of Business Safety and Rolandas Šlepetys, Head of Safety and Risk Management, JSC Lithuanian Railways

    Cyber security is not a complete process, so businesses cannot fully ensure cyber resilience in their activities. Every business can be vulnerable, no matter how it is able to respond to the need for security, create a secure cyber environment and apply modern cyber security measures. Therefore, in a changing operating environment, it is very important to find the right balance to meet the needs of business through targeted cyber security measures, as well as to anticipate potential risks and prepare for preventive action. The study described in this paper focuses on the cyber security challenges, threats and adequate mechanisms for managing them during the COVID-19 pandemic. The main aim of the research was to measure the current cyber security state of JSC Lithuanian Railways (also known as LTG) with the following two objectives: 1) to evaluate LTG cyber security practices impacted by COVID-19; 2) to reveal LTG’s cyber security transformation. This paper analyses LTG’s experience in managing cyber security risks during a pandemic. The results of the analysis showed that it is important to identify the peculiarities of emerging risks and their impact on the business environment. Also, it is necessary to assess the possibilities of integrated application of organisational and technical measures aimed at eliminating or minimising the emerging risks.
    Keywords: cyberspace, cyber awareness, cyber security, cyber risks, COVID-19

  • Application security automation in development
    Mike Kennedy, Senior Manager, Medtronic Global Security Office, et al.

    Automated security services can provide on-demand resources that are easily adopted by development teams. To save time and money, application security should be incorporated as early as possible in the application development process. Security requirements are the earliest opportunity to build a secure foundation. Using automation, security requirements can be aligned to system and project attributes and used as a foundation for additional security activities such as secure coding examples and security testing. Later in the development process, automated testing services provide development teams with vulnerability scanning options, depending on whether legacy or modern development practices are used. Legacy development projects can benefit from on-demand source code scanning that does not require tool set-up or configuration. Modern development processes are a better fit for incorporating security testing in automated build-and-test pipelines using working example scripts. When created with development team needs in mind, automated application security services can be valuable resources for development teams that drive better security outcomes. This paper will discuss an approach to building and delivering consumable development security services to drive better security.
    Keywords: application security-as-a-service, automation, best practices, security pipeline, security requirements, security testing

  • Achieving least privilege at cloud scale with cloud infrastructure entitlements management
    Maya Neelakandhan, Head of Customer Success and Support, Guruprasad Ramprakash, Software Engineer and Mrudula Gaidhani, Customer Success and Support, CloudKnox Security

    Managing identities and permissions for enterprises at cloud scale is a major problem today. Cloud infrastructure entitlement management (CIEM) focuses on cloud access risk by providing enterprises with a robust platform for governance and entitlement controls and managing risk. Scaling out an enterprise’s infrastructure using public cloud comes with its own set of risks, including knowing all the identities that have access to your infrastructure and the permissions that they have once access is permitted. Ignoring the proliferation of identities and their associated permissions increases the potential attack surface for hackers who get access to cloud infrastructure. Implementing the principle of least privilege with CIEM helps enterprises manage their growing cloud infrastructure while keeping security in mind. This paper provides an overview of the problems that enterprises face with managing identities and permissions and how CIEM solutions can be effective for these issues.
    Keywords: multi-cloud, CIEM, entitlements management, zero trust, least privilege

  • Enabling cyber incident collaboration in UK local government through fast-time communication
    Mark Brett, Visiting Fellow, London Metropolitan University

    This paper brings together concepts and ideas to support organisations in implementing cyber incident response and coordination, especially focusing on the need for fast-time communications. Normal business operations are slow-time communication, with the shift to fast-time communication occurring during an operational incident. A good example of fast-time communication is instant messaging as opposed to slow-time e-mail. We are proposing a number of strands to formulate an approach. We realised the standard Playstation 3 theme (P3T) approach applies to fast-time communications and can be augmented to provide a novel application of the P3T. We propose to add governance to ensure that the scope, application and use is appropriate, within the scope of a threat profile. We also propose to make use of the consequence, relevance, acceleration, severity and harm (CRASH) gate framework, which facilitates the definition of trigger points for escalation in cyber incident response planning and response. We will present some use cases and explain how to integrate them into existing operating processes and procedures. The temporal activities matrix is discussed, which explains the different slow-time/fast-time activities in a cyber response team/security operations centre (SOC). This paper comes at the end of a three-year work programme for local government in England led by MHCLG which focused on cyber resilience from the ICT side and started to build an approach and capacity within the Local Resilience Forums (LRFs). The work delivered a wide range of workshops and cyber exercises for the English LRFs. There was also a similar programme run by the Welsh Government for the wider public sector in Wales. Finally, we explore future research considering an additional application around smart cities, incorporating zero trust architecture.
    Keywords: trigger points, fast-time communications, cyber templates, cyber incident response, cyber collaboration, incident message taxonomy, CUON, CCCG, smart cities, smart places, zero trust architecture

  • How national CSIRTs leverage public data, OSINT and free tools in operational practices: An empirical study
    Sharifah Roziah Binti Mohd Kassim, PhD Student, Shujun Li, Professor of Cyber Security and Budi Arief, Senior Lecturer, University of Kent

    Computer security incident response teams (CSIRTs) have been established at national and organisational levels to coordinate responses to computer security incidents. It is known that many CSIRTs, including national CSIRTs, routinely use public data, open-source intelligence (OSINT) and free tools in their work. The current literature, however, lacks research on how such data and tools are used and perceived by the staff of national CSIRTs in their operational practices. To fill such a research gap, an online survey and 12 follow-up semi-structured interviews with staff of 13 national CSIRTs from Asia, Europe, the Caribbean and North America were carried out. The aim was to gain detailed insights on how such data and tools are used and perceived by staff in national CSIRTs. The study was conducted in two stages: first with MyCERT (Malaysia’s national CSIRT) to gain some initial results, and then with 12 other national CSIRTs to expand the results from the first stage. Thirteen participants from MyCERT completed the survey and seven of them took part in a semi-structured interview; 12 participants from 11 other national CSIRTs took the survey and five participants from five national CSIRTs were interviewed. Results from the survey and the interviews led to three main findings. First, the active use of public data, OSINT and free tools by national CSIRT staff was confirmed, eg all 25 participants had used public data for incident investigation. Second, all except two (ie 23 out of 25, 92 per cent) participants perceived public data, OSINT and free tools to be useful in their operational practices. Third, there are a number of operational challenges regarding the use of public data, OSINT and free tools. In particular, there is a lack of standard and systematic approaches on how such data and tools are used across different national CSIRTs. There is also a lack of standard and systematic processes for validating such data and tools. These findings call for further research and development of guidelines to help CSIRTs to use such data and tools more effectively and more efficiently.
    Keywords: CSIRT, computer security incident response team, national CSIRT, CERT, computer emergency response team, staff, perception, cyber incident, public data, OSINT, open-source intelligence, free tool

Volume 5 Number 2

  • Editorial
    Simon Beckett, Publisher
  • Digital contact tracing: Privacy versus efficiency
    Ieva Ilves, Adviser to the President of Latvia, Chancery of the President of Latvia

    This paper discusses recently introduced digital technology to limit the spread of COVID-19 by tracing patients’ contacts backwards and sending warnings of potential exposure to the virus. While the spread of COVID-19 had devastating consequences and certain technology was made available to limit it, quick and broad application was impeded by privacy and security concerns. The paper explores how the current digital contact tracing technology was designed to operate globally and address these concerns. Digital contact tracing has not reached the expected user rates in democratic societies, which limits its impact on public health. The author analyses the connection between privacy, trust and efficiency of the COVID tracing apps and illustrates the conflict whereby privacy-preserving technology denies access to any data and thus lessens the application of the tool for the benefit of public health. The author argues that with additional layers of privacy protection such as rule of law, transparency and democratic oversight, the minimum data necessary for public health would not compromise privacy yet would contribute to improving the technology and lead to better use in crisis situations such as a pandemic, environmental disaster or war. The research paper is a work in progress, as it is based on one year of experience since the outbreak of the COVID-19 virus, when the crisis is not yet over and partial data limits in-depth studies.
    Keywords: digital contact tracing, privacy, security, COVID-19, democracy, pandemic

  • Improving threat detection with a detection development life cycle
    Augusto Barros, VP Cyber Security Evangelist, Securonix

    Threat detection is one of the main activities of an information security programme. Performing threat detection goes beyond deploying threat detection technologies. These technologies can be highly effective in their job of detecting threats, but their effectiveness is dependent on what detection specialists usually call detection content. Detection content is usually detached from the data analytics capabilities of the tool and needs to be constantly updated to ensure the most recent threats can be detected. These updates are generally developed by the detection technology provider as part of a subscription service, or by the organisation deploying and operating the technology, as part of activities commonly described as detection engineering. This paper describes the implementation and operation of a detection development life cycle (DDLC) process, which can be used to control the selection, creation and management of threat detection content.
    Keywords: security information and event management (SIEM), detection engineering, detection use cases, detection content, detection development life cycle (DDLC)

  • Maturing operational security with an automation-first approach to IAM
    Bryan Christ, IT Specialist

    Over the last few decades, organisations have adhered to a number of security practices that are showing their age. With the explosion of remote work and software as a service (SaaS) adoption, this has become more pronounced. In pursuit of greater operational maturity, initiatives such as Zero Trust have placed these practices under scrutiny and the evidence suggests they are wanting. The rise of new technologies like adaptive authentication, enterprise federation and next-gen IAM offers new options and techniques — options that were once considered hypothetical. Among those worthy of consideration are an automation-first approach to identity and access management (IAM). In organisations where Zero Trust initiatives are being scoped, intelligent IAM can play a foundational role. Notwithstanding, IAM deployments should be regarded as multi-phase projects accompanied by unique obstacles that stakeholders would do well to avoid.
    Keywords: deperimeterisation, Zero Trust, identity and access management, operational maturity, identity and access management (IAM), identity governance, authentication, access requests, systems of record (SoR), joiner-mover-leaver (JML)

  • Optimising cyber threat intelligence for your organisation
    Christina Girtz, Senior Manager, General Mills

    As the sophistication and capabilities of cyber threat actors increase, so does the need for cyber threat intelligence (CTI). Most organisations, however, do not have the resources for a large CTI team. Organisations can offset this disparity by optimising resources and focusing on what really matters. Even one CTI analyst can make a significant difference for an organisation by identifying business assets, aligning those assets to potential threats, and then working with cyber security components to prioritise detection and mitigation efforts. Getting to know the organisation and working with key stakeholders to build priority intelligence requirements will help a CTI team identify where to effectively focus its efforts. A small CTI team must also find force multipliers internal and external to the organisation, tailor deliverables and manage expectations. By following these guidelines, a CTI function will help move the cyber security posture of an organisation from reactive to proactive and gain an advantage over the adversary.
    Keywords: cyber threat intelligence (CTI), priority intelligence requirements (PIR), threat

  • Cyber security and data protection: Learning from your own mistakes is good, learning from somebody else’s mistakes is better — the reasons underpinning fines and what regulators expect of cyber security
    Peter Craddock, Partner and Eline Van Bogget, Associate, NautaDutilh

    Cyber security legislation goes far beyond data protection rules. Data protection, however, offers a very useful point of reference for both information security professionals and lawyers, with important lessons for non-personal data. This paper describes recent decisions that give an indication of how authorities assess potential risks, and thus indirectly help to highlight best practices.
    Keywords: cyber security, data protection, liability, data breaches, cybercrime, ethical hacking

  • The high-performing low-risk mainframe: Reassess security in the context of changing operations to extinguish risk before it bursts out of control
    Mary Ann Furno, Offering Manager, Mainframe Security

    Re-evaluation of ‘low-risk’, data-rich, mission-critical mainframes is a security essential. Solutions against modern-day threats have been implemented on distributed platforms, but implementation of solutions for these threats on the mainframe lags implementation on other platforms due to a perception of ‘low-risk’ operations on the mainframe. This may leave an exposure in the environment that can quickly get out of control. This paper analyses how assessment of the environment against the security plan and changing context of mainframe operations will expose gaps and enable an action plan to mitigate risk.
    Keywords: mainframe, modernise, privileged account management, zero trust, hybrid IT

  • Securing the public cloud estate of a digital-native bank
    Avi Shua, CEO and Co-founder, Orca Security and Thomas Hill, CISO, Live Oak Bank

    Fifteen years ago, the idea of a completely digital-native bank would have been seen as too risky and speculative. Many large institutions built internal IT and development groups solely to digitise their processes as a competitive edge. Where cloud computing was employed, it was private cloud, on-prem and specific to the institution. In this paper, the authors will explore how one financial institution, Live Oak Bank, launched its business as a cloud-first pioneer, leveraging the cloud to disrupt traditional banking competitors while offering improved services and customer engagement with a laser focus on top-tier security. The authors will explore how Live Oak met its goals to build a new bank while also creating technology spin-offs to power new entrants in the financial services industry, with the help of technology partners such as Orca Security and others.
    Keywords: cloud security, financial services, digital transformation, compliance, risk reduction

  • Security and safety incidents and standards
    Robert Kemp, Security and Risk Manager and Richard Smith, Associate Head of School and Head, Cyber Technology Institute, De Montfort University

    Safety and security incidents continue to take place within the critical infrastructure industry. Often the organisations involved in the incidents are following safety and security standards, yet the incidents still take place. This paper analyses safety and security incidents for critical infrastructure and non-critical infrastructure organisations and examines why the standards fail to prevent the incident taking place and whether cyber security and safety standards should be merged. It also investigates what standards were being followed and what requirements of the standards would have helped with the incident in question.
    Keywords: security, safety, incident, critical infrastructure, standards, breach

Volume 5 Number 1

  • Editorial
    Simon Beckett, Publisher
  • The human variable: Designing a security strategy for a future in flux
    Gary Sorrentino, Global Deputy CIO, Zoom Video Communications

    The hybrid workforce is no longer a concept, it is a reality. But as employees embrace new working environments and flow in and out of the office, this hybrid approach poses a unique challenge for security leaders. This paper explores how organisations will need to create a security strategy rooted in the variability of the hybrid workforce — one that meets employees where they are and helps them learn the role they play in securing this new model. This strategy is rooted in three key principles: adopt a zero-trust approach, personalise data protection and bolster hands-on, robust training. Readers can expect to learn what it really takes to put this approach into practice — and what threats and roadblocks they should anticipate along the way.
    Keywords: hybrid workforce, security strategy, zero-trust approach, data protection, security training

  • Staying one step ahead of your adversaries: How to build a cyber threat intelligence team capable of delivering business value
    Keith Nicholson, Head of Cyber Threat Operations, Her Majesty’s Revenue and Customs

    From enabling security teams to effectively respond to incidents to ensuring security investments are targeted on real-world risk, when effectively implemented, a cyber threat intelligence (CTI) team can deliver value against a broad range of operational and strategic requirements. While many organisations recognise the value CTI can provide, delivering on that value proposition is often more difficult. CTI is a data-driven process; however, building an effective CTI capability requires far more than effective data collection and exploitation. This paper contends that for many organisations the challenge in realising value from their CTI team is not a data problem, it is a communication problem. To address this challenge, security leaders need to look beyond the traditional intelligence life cycle and consider a number of organisational factors which, taken together, provide a firm foundation to enable a CTI team to effectively communicate and influence stakeholders across the organisation. Specifically, security leaders should position the team strategically, populate that team with a diverse blend of skills, provide a clear direction and purpose, and implement a robust communication and influencing strategy. Together these measures improve the ability of the organisation to realise business value from CTI.
    Keywords: cyber security, cyber threat intelligence, strategy, influencing stakeholders, communication

  • Discovering CovidLock
    Chad Anderson, Senior Security Researcher, Tarik Saleh, Senior Malware Researcher and Sean M. McNee, Director of Research, DomainTools

    In this paper the authors show the breadth of Coronavirus-themed maliciousness and how they prioritised their hunting across such a large influx of malicious infrastructure to discover CovidLock, a novel Android-based screen locker malware. A full technical analysis of CovidLock and its functions provides a basis for analysing other Android malware. This full-depth paper will show everything from hunting automation and prioritisation techniques to the reversing of the malicious application.
    Keywords: malware, mobile malware, mobile threat research, COVID-19, ransomware

  • Scaling cyber physical systems throughout the organisation
    Matt Leipnik, Lead Industrial Cyber Security Specialist, Nexus Controls

    This paper outlines a realistic and practical examination regarding the considerations and factors in scaling complex cyber physical systems alongside modern digital transformation: a guide for how businesses can strategically and operationally navigate (both proactively and reactively) the ‘unknown unknowns’ not just simply to survive but to be resilient and adaptive, leveraging their own internal processes, structures and constraints without significant disruption or radical changes. It is designed to equip the reader with a blend of strategic, operational, technical and human business thinking paired with a concept of ‘visibility’ beyond just situational business awareness. It aims to guide businesses through management of new business trends, ever -standards and compliance requirements, including larger and more complex developments such as 5G operationalisation, geostrategic challenges and political factors that are increasingly important to and unavoidable for businesses. The paper touches on a variety of disciplines and their convergence within business considerations and their integration and scaling within an organisation.
    Keywords: framework, scale, design, Industrial Internet of Things (IIoT), cyber, physical, maturity model, life cycle

  • Is ransomware winning?
    Chris Goettl, Senior Director of Product Management, Ivanti

    This paper evaluates the performance of ransomware attacks and looks at the tactics and successes to determine effective counterstrategies. By analysing lagging indicators of the successes of ransomware, we can reverse-engineer an effective counterstrategy to fight back and significantly reduce the effectiveness of ransomware. This paper argues that the biggest challenge in countering modern ransomware is that the approach most companies are taking is too narrow. There is no single solution to this challenge. The most effective counter to modern ransomware is a balanced security strategy of prevention, detection and response, layered in such a way as to disrupt, reduce and eliminate the tools and tactics that make modern ransomware effective. This also includes activities that happen well in advance of the ransomware attack and devices that may not even be part of the actual attack itself. This paper will also propose an effective strategy to counter modern ransomware and provide organisations with key technologies to remove critical capabilities from our adversary’s arsenal and disrupt the tactics that have made modern ransomware so successful.
    Keywords: zero trust, cyber security, ransomware, risk-based prioritisation, cyberattacks, phishing

  • Home-grown machine learning implementation for a SIRT: A use case — detecting domain-generating algorithms
    Brennan Lodge

    There is a flurry of discussion, press and vendors explaining how helpful data science techniques can assist in cyber security defence; however, there is little information available about how to effectively leverage and implement data science techniques within a company’s cyber security defence team. The goal of this paper is to empower security incident response teams (SIRTs) to seamlessly build, deploy and operate ML solutions at scale. Our proposed solution is designed to cover the end-to-end ML workflows. Take-aways include managing and deploying a prediction pipeline, training data, prediction model evaluations and continuously monitoring these deployments to assist in SIRTs’ ability to defend and thwart cyber security attacks. An additional use case of implementing a machine learning (ML) application to predict domain-generating algorithms with the integrated data science pipeline and platform is also discussed and used as a reference.
    Keywords: data science, machine learning (ML), blue team, domain-generating algorithms (DGAs)

  • Zero trust computing through the application of information asset registers
    Mark Brett, Visiting Fellow, Cyber Security Centre, London Metropolitan University

    It is proposed that information asset registers are a key enabler towards the implementation of zero trust computing (ZTC), which requires a detailed knowledge of the information being processed and especially a detailed, well-documented knowledge of the network and technical infrastructure in order to support a zero-trust environment. ZTC also requires detailed documentation to facilitate operational cyber resilience. Asset registers are a key resource to speed up incident response and recovery. Information asset registers are part of the information management, assurance and governance (IMAG) approach. It is proposed the information asset database is at the heart of the information assurance and ZTC ecosystem. This fact has been partially recognised through the Information Technology Infrastructure Library (ITIL) configuration management database (CMDB). We also explore issues related to hybrid infrastructures.
    Keywords: zero trust computing (ZTC), information asset registers, information governance, information assurance risk management, cyber incident response, information taxonomies, hybrid zero trust environments/operational resilience