Volume 6 (2022-23)

Each volume of Cyber Security: A Peer-Reviewed Journal consists of four 100-page issues published in both print and online. Articles scheduled for Volume 6 are available to view on the 'Forthcoming content' page.

Volume 6 Number 1

  • Editorial
    Simon Beckett, Publisher
  • Securing decentralised organisations
    Damir Rajnović, Cyber Security Manager, Panasonic Business Support Europe

    This paper compares efforts required to secure a centralised organisation and a conglomerate (holding structure). Achieving a uniform level of security across a conglomerate is more challenging due to the nature of the organisational structure — ie every subsidiary is independent, so each can define its own processes and select how to implement global security guidelines. Implementing security measures in a conglomerate is equivalent to managing a distributed project. Having a very strong governance function is the only way to make such an endeavour successful. The governance function, by itself, is not sufficient, but additional impetus must come from individual headquarters and the holding company itself. Security is different from other organisational functions (eg payroll, sales, etc.) because of the relationships between individuals from different subsidiaries, which can be used to more easily compromise the organisation.
    Keywords: cyber security, organisational structure, conglomerate, holding company, organisational governance

  • Anomaly-based threat detection: Behavioural fingerprinting versus self-learning AI
    Jeff Cornelius, EVP, Darktrace, et al.

    When a malicious actor has access to a digital estate, they control compromised devices and user accounts to achieve their objectives. Given that an attacker’s objectives are often at odds with devices’ normal patterns of life, identifying deviations from these patterns can be used to detect an ongoing attack. This paper outlines and compares two approaches to anomaly-based threat detection: behavioural fingerprinting and self-learning artificial intelligence (AI). It argues that the self-learning approach is significantly superior in several important ways due to the fact that it provides a more complex and accurate understanding of what is normal. The paper explains the motivation behind anomaly-based threat hunting, describes the fingerprinting approach and the self-learning approach to anomaly detection, and details real-world examples that demonstrate the advantages of the self-learning approach.
    Keywords: artificial intelligence, machine learning, anomaly detection, self-learning, behavioural fingerprinting

  • A security concept for a global factory network: Practical considerations in implementation
    Michael Voeth, Director for IT in Manufacturing, Robert Bosch GmbH, Clare Patterson, Advisory Board Member and Jannis Stemmann, CEO, Bosch CyberCompare

    On top of information technology (IT) security risks faced by almost all companies, manufacturers need to deal with additional challenges from operating their own factories. For example, typical difficulties arise from legacy systems, proprietary communication protocols and real-time requirements in highly automated production environments. At the same time, budget constraints need to be considered, as manufacturers often face strong competition (plants are usually unprofitable at low utilisation, and therefore each competitor has a strong incentive to lower prices down to the marginal cost of production). This paper explains the combined IT and operational technology (OT) security concept used by a corporation with a global manufacturing footprint operating in various industry sectors. Lessons learned from testing some security tools are included. In order to scale know-how and make security more affordable for companies in similar situations, the concept of a curated marketplace is introduced, and its implementation described.
    Keywords: OT, ICS, defence in depth, production

  • Financial services insider threat: Why a shift in mindset is required to combat this silent risk
    Dave Harvey, Managing Director, FTI Consulting

    The traditional mindset around insider threat is outdated and a shift is required to combat this silent risk. This paper describes the various types of insider threat, common cyberattack types that involve insiders and insider threat risks specific to mergers and acquisitions. From there, key elements of an effective insider threat programme are defined and resources involving existing guidelines and frameworks for how to get started building a proper programme are provided. This paper explains why insider threat must be taken seriously and why moving away from a network protection mindset is essential to improve cyber security protections.
    Keywords: insider threat, financial services, cyber security, cyber risk, cyberattack, M&A/mergers and acquisitions

  • Active Directory security: Why we fail and what auditors miss
    Sylvain Cortes, Security Strategist, Tenable

    The task of a security auditor is not an easy one. Organisations depend heavily on regular audits to analyse and evaluate the risks related to their IT assets. Unfortunately, traditional auditing methods do not adequately assess the latent risks present in Active Directory (AD). This paper will help readers understand the specific challenges and pitfalls associated with auditing AD and adapt their method to avoid a false sense of security. It concludes that it is critical to maximise auditing assignments to obtain a clear and precise view of the important remediation tasks to come.
    Keywords: audit, auditor, active directory, security, ransomware, malware, lateral movement, privilege escalation, domain dominance, backdoor

  • Integration versus convergence: A battle of the buzzwords?
    Rodman Ramezanian, Enterprise Cloud Security Advisor, Skyhigh Security Australia/New Zealand, Australia

    In cyber security, integration has been a near-obligatory requirement for organisations considering new products. They want assurance that new products will complement existing investments to collectively produce more effective and efficient solutions. But, as this paper discusses, the term convergence has recently emerged as another key capability and expectation of technology platforms. Convergence and integration are pathways to solving some of cyber security’s biggest challenges. They may sound like the same thing, but they are not. So, what is the difference? And how will those differences shape security considerations and investments in the future?
    Keywords: integration, convergence, platform, interoperability, workflow, efficiency

  • The PIVO process for identifying vulnerabilities impact for organisation risks: An automated solution
    Jean-Luc Simoni, Senior Cyber Security Consultant, Thales SIX GTS France, et al.

    Risk management (RM) and vulnerability management (VM) are both essential cyber security domains. They are often managed independently without a proper interface to provide context information to each other and share information. This paper proposes an approach to connect RM and VM processes based on data standardisation through referentials and automation to relate vulnerabilities to operational risk scenarios. The focus is mainly on the identification of the referentials and their added value to complement a method described in a previous paper.
    Keywords: vulnerability management, risk management, CMDB, automation, CVSS, cyber kill chain

  • Financial services security risks and remediations
    Lior Arbel, Chief Technical Officer, Performanta

    Cybercrime routinely targets financial services, which in kind spend lavishly to protect themselves — with notable success, as cyberattacks are often less successful against financial service industries (FSI) than other sectors. Yet the excessive costs of cyber security could be less, and not all FSIs have the resources to pursue an escalating cybercrime conflict. There are several areas that FSIs can focus on to improve their cyber security posture while keeping budgets in check. They can look beyond compliance checks as an acceptable level of protection. They can police access to their networks by supply chain providers with more nuance. They can use prevention to curtail successful attacks that can create astronomical remediation costs. Lastly yet perhaps most crucially, they can encourage board participation by articulating security issues as strategic business considerations. FSIs must look beyond the checks and balances of traditional compliance and governance, and risk questionnaires. They should avoid construing unknown risks due to a lack of IT visibility as acceptable risks, and they must consider creating space for technology and security experts at the highest levels of management, such as mandatory board seats. At a technical level, they should adopt the zero trust security framework of ‘Never Trust, Always Verify’, enhanced monitoring of all IT areas, and unplanned audits to encourage compliance as a continual project. This paper focuses on where FSIs face security risks and how to address them.
    Keywords: financial services, cyber security, compliance, security budget, remediation costs, supply chain security

  • Book review
    Cybercrime through social engineering: The new global crisis
    Reviewed by Lance Wantenaar