Volume 6 (2022-23)

Each volume of Cyber Security: A Peer-Reviewed Journal consists of four 100-page issues published in both print and online. 

Volume 6 Number 4

  • Editorial
    Simon Beckett, Publisher
  • How CISOs can truly align with the business
    Candy Alexander, CISO, NeuEon

    Over the last few years, there has been a growing movement within organisations to improve the alignment of cybersecurity efforts with business objectives. But what does this mean? And can this really be accomplished? If the answer is ‘yes’, how should this be done? And when will it be known that the alignment is right? To begin answering these important questions, it is essential first to answer a different question: ‘Why is alignment so important today’? And to effectively understand the ‘why’, there is a need to reflect on the past.
    Keywords: business, alignment, value, leadership, maturity

  • Machine learning or behaviour heuristics? The synergy of approaches to defeat advanced ransomware threats
    Vladimir Strogov, Director of Development, Kernel Team, Acronis and Sergey Ulasen, Senior Director of AI Development, Rolos

    This paper focuses on a successful and fruitful combination of a machine learning (ML)-based approach and a heuristics-based approach in the case of Advanced Ransomware Defence, where advanced ransomware is ransomware that maliciously exploits a trusted context of execution, i.e. the case of ransomware injection into well-known trusted processes and system services that are used to disguise the malicious encryption. ML is used for malicious-or-benign classification of call stacks that match injections into trusted processes. The heuristics-based technique is based in our case on just one of the examples of injection, using APIs such as CreateRemoteThread and WriteProcessMemory. This approach has been applied with good results to the case of Ryuk ransomware, one of the deadliest malware weapons. We show how the ML helps to find those call stacks which match malicious injections with high probability. Then we augment the results of the ML classifier with the special detection of threads created in the trusted process, using other sensors, including kernel drivers. This combination provides the maximum accuracy and the ability to remediate the attack. This paper also presents the architectural materials as well as the links and references to the hands-on demonstration of collecting suspicious stacks. We also show how to use ML decisions and pair these decisions with the thread creation events as the sensor examples. The links with demonstrations use the execution of the real-world Ryuk malware strain. The analysis of the event flow is also shown in the kernel debugger, coupled with the case analysis with the help of other tools like Process Monitor.
    Keywords: zero day, anti-ransomware, machine learning, call stack analysis, process injection, automatic remediation

  • The curse of knowledge can damage awareness programs: Here’s how to defeat it
    Kerry Tomlinson, Cyber News Reporter and Editor-in-Chief, Ampere News

    Now, more than ever, cybersecurity professionals need their messages of security to reach the people who work for their organisations. But a phenomenon known as the ‘curse of knowledge’ may be standing in their way. This ‘curse’ – knowing so much about a subject that explaining it to beginners is difficult – plagues many human risk programs, according to industry reports, and can actually damage programs and negatively affect the credibility of those who run them. This paper shows how cybersecurity practitioners can overcome the curse of knowledge by examining its destructive path and identifying key steps to manage it. Techniques like removing certain terminology from cybersecurity messaging and tools like the De-Jargonizer can bring practitioners in line with their audience and lead to successful programs and more security for organisations.
    Keywords: human risk, cybersecurity awareness, awareness program, terminology, cybersecurity messaging

  • Privacy threats and vulnerabilities: Reinvent your privacy engineering practices and win
    Smitha Sriharsha, Leader, Dell Technologies

    The ever-changing paradigm of data generation, storage and consumption has led to exponential growth in data incidents. The year 2021 saw the highest number of data breaches, exposing the personal information of millions of users. The root causes of these data breaches range from vulnerabilities in unprotected databases, misconfigurations in cloud systems, ransomware and malware to slips by marketing service providers. Most organisations have strong privacy organisational functions that are compliance-focused; however, they lack privacy engineering functions focused on embedding privacy into the engineering practices. This paper makes recommendations about privacy engineering best practices that can help prevent, detect and mitigate privacy threats and vulnerabilities and provides information about appropriate privacy and security controls to mitigate the privacy risks. It also provides a practice lab section which serves as a practical playground to apply the above concepts.
    Keywords: data privacy, privacy engineering, privacy threats, privacy controls, security controls

  • Analysis of software bill of materials tools
    Arushi Arora, Researcher, National and Homeland Security, Idaho National Laboratory and Christina Garman, Assistant Professor, Computer Science, Purdue University

    Modern software development has gradually become more complex, leveraging available open-source software and third-party components. This practice has raised questions about the provenance, licensing, versioning and compliance of reused code and its dependencies. Furthermore, it is particularly important to review such code fragments and third-party components for known vulnerabilities before they are included in a software product. A Software Bill of Materials (SBoM) is a mechanism to achieve such an analysis, providing transparency and visibility into a software product to both the software developer and its respective consumer. SBoM lists information and details about all the elements constituting a piece of software and can, therefore, be used to evaluate associated security risk. While the concept of SBoM is growing in popularity, it is still fairly new to many organisations, causing them to potentially struggle with producing and processing SBoM and limiting their widespread adoption. In this work, we delve into the area of SBoM and present state-of-the-art SBoM tools, creating a framework for analysis and categorising them based on a diverse set of features and functionalities. We are the first to provide a detailed analysis of 83 open-source SBoM tools along with a perspective on how potential SBoM users can select a tool based on their specific requirements. Our work aims to help promote understanding of this domain, thereby encouraging and furthering its overall adoption. We additionally seek to pave a path for future work in this area by providing recommendations to tool developers and users, researchers and standardising organisations.
    Keywords: software bill of materials (SBoM), software supply chain security, SBoM tools

  • The human side of cybercrime
    Kylie Watson, National Cybersecurity Partner, PwC and Tayla Payne, Cyber Security & Strategy Consultant, IBM

    An understanding of the human element in cybercrime can provide deeper insights into assessing the damage malicious attacks can cause and strengthen defence against such attacks. This paper outlines the few insights we do have on the human elements of cybercrime and the need to undertake more research into the psychological and behavioural aspects of cybercriminals, as well as those of their victims. This is in order to better detect, prevent and respond to cybercriminals and cybercrimes in the future.
    Keywords: cybercrime, cyber security, human element, cyberwarfare, psychology

  • A strong story to tell: Top ten mistakes by administrators
    Paula Januszkiewicz, CEO, CQURE

    The sudden shift to remote working has left businesses at a far higher risk of cyberattacks, largely due to their corporate infrastructure being exposed to new external attack vectors and threats. Although cybercriminals worldwide used the global COVID-19 crisis to spread their wings on an unprecedented scale, there are possibilities and ideas that administrators and regular users can come up with. This paper deep-dives into the top ten mistakes related to remote work security, different situations hackers can create to be able to access the company’s information by overusing the situation, and solutions and approaches companies can implement to create a safe workplace. This topic is crucial for all cloud/identity admins, as it showcases problems with identity that can be found in almost every organisation, which most probably will be a part of the IT reality for many years to come.
    Keywords: remote work, administrators, network segmentation, misconfigurations, password security, cyberattacks

  • Approach to establishing a multi-organisational public sector security operations centre
    Mark Brett, Visiting Fellow, Cyber Security Centre, London Metropolitan University

    This paper presents a conceptual approach towards a public sector security operations centre capability at a regional level. This study supports the concept of the Government Cyber Coordination Centre as detailed in the UK Government Cyber Security Strategy December 2022, supporting the ‘Defend as One’ approach. The paper further proposes that the approach should work with nodes at a peer sub-regional and local level with information being aggregated at a regional or national level, with central oversight. This paper also considers some of the open-source tools available to support a security operations centre (SOC) approach, offering a framework for local and distributed analysis to reduce traffic flows and improve the flow of useful information to the SOC.
    Keywords: security operations centre, open-source intelligence, microservices, risk management, information asset registers, local government, cyber security, cyber resilience

Volume 6 Number 3

  • Editorial
    Simon Beckett, Publisher
  • Building a high-performing data ethics programme from the ground up
    Alexandra Ross, Senior Director, Autodesk, Ilana Golbin, Director, PwC and Bret S. Cohen, Partner, Hogan Lovells

    Companies are presented with increasingly complex legal, ethical and operational challenges when implementing algorithmic data processing to detect security threats or generate business insights. In this paper we will share leading practices on how to navigate the compliance landscape, build and maintain an ethics-by-design programme for data and technology, leverage existing frameworks and manage stakeholders. We will also introduce emerging technical concepts from the privacy and security domains and provide a perspective of how these technical concepts may be introduced into the governance process for organisations.
    Keywords: governance; artificial intelligence; machine learning; data ethics; data protection

  • Dangers of succumbing to bias in cyber security: An evaluation of the impact of cognitive biases on threat assessments and cyber security strategies
    Hanah-Marie Darley, Cambridge Analyst Team Lead and Head of Threat Research, Darktrace

    The greatest cyber threat to an organisation may be opposite to what its own security team assesses, a challenge that commonly arises from the impact of cognitive biases. At every turn, cognitive biases can distract and derail cyber security teams and their strategies away from the key risks and threats likely to catastrophically damage their network environments, in favour of new headline-making attack techniques or vulnerabilities which may never be used against their organisation. Focusing on psychological analysis within cyber security contexts including macro and micro examples from the international cyber community and Darktrace’s own customer base, this paper explores the dramatic impact cognitive biases can have on cyber security professionals, cyber strategies and decision making if left unchecked. Statistically, persistent, widely available, lower-sophistication malware and run-of-the-mill phishing campaigns remain a greater global risk to corporations than the newest, most devious exploit kit or ransomware. This paper examines multiple contextual examples of how cognitive biases negatively affect and influence cyber security teams from their security stack, the greatest threats to their networks and digital estates, understanding an attacker’s mindset and selecting technical experts to guide their programmes. Understanding these biases and identifying their role in cyber decision making is the only way to protect organisations from succumbing to biases and likely misdirecting already stretched security resources.
    Keywords: cognitive biases; cyber security; AI; security stack; risk

  • The Zoom effect: A framework for security programme transformation
    Heather Ceylan, Head of Security Standards, Compliance and Customer Assurance and Ariel Chavan, Head of Security Product and Program Management, Zoom

    As companies grow from start-ups to global enterprises, their information security organisations often need to undergo rapid transformations to meet the needs and scale of each business and its customers. It can be challenging for information security teams to clearly define and communicate those needs and obtain necessary executive support, funding and resources for their programmes. Establishing a transformation framework can help security teams communicate effectively and gain executive support and buy-in for information security objectives, thereby facilitating the prioritisation of objectives based on risks and capabilities, and the measurement of the programme’s ongoing effectiveness on a regular basis.
    Keywords: security governance; security risk; security programme management; security programme measurement

  • Users are not stupid: Six cyber security pitfalls overturned
    Julie Haney, Usable Cybersecurity Program Lead, National Institute of Standards and Technology

    The skilled and dedicated professionals who strive to improve cyber security may unwittingly fall victim to misconceptions and pitfalls that hold other people back from reaching their full potential of being active partners in security. These pitfalls often reflect the cyber security community’s dependence on technology and failure to fully appreciate the human element. This paper offers cyber security professionals a primer so they can recognise and overcome six human element pitfalls in cyber security. In addition to gaining an awareness of these pitfalls, readers will learn about specific strategies on how to improve cyber security and empower users by addressing the human element in their organisations’ cyber security products, processes and policies.
    Keywords: cyber security; usability; usable security; human element; users

  • Improving your active directory security posture: AdminSDHolder to the rescue
    Guido Grillenmeier, Principal Technologist EMEA, Semperis

    This paper covers a key aspect of Active Directory (AD) security, which is often overlooked: the wealth of default read permissions that Microsoft has granted to any user and computer in the directory. The concept of an AD forest being a security boundary must now not only be understood as a protective feature; if you do not have an account in an AD forest, you cannot access any of its AD objects and connected resources. Instead, the security boundary must also be understood as the scope of reach for an intruder to access and assess the security of AD objects once they gain a foothold into an organisation’s network. Removing certain default read permissions in AD is a low-risk operation that pays off by making it much more difficult for intruders to perform reconnaissance that helps them in planning their next steps to domain dominance. Understanding the mechanism of the built-in logic that Microsoft has added to AD to protect the most privileged accounts in the directory (eg members of the domain admins group) is key to realising both the benefits and weaknesses of this mechanism. This paper discusses how this protection mechanism works behind the scenes and how it can be adjusted to remove risky default read permissions to make AD safer. Many AD infrastructures were implemented many years ago and operated by different teams of administrators over time, so most AD implementations today have incurred a solid ‘misconfiguration debt’. This paper covers one aspect of that debt: specifically, how to fix the permissions on objects that had once been added to a privileged group but are no longer a part of that group. Essentially, locking down the visibility of objects and general read permissions in AD is vital to reducing the AD attack surface and thus increasing its security posture.
    Keywords: identity security; default security; Active Directory (AD); privileged objects; AdminSDHolder; SDPROP; MITRE ATT&CK: reconnaissance; MITRE D3FEND: harden

  • The psychology of social engineering
    Barry Coatesworth, Director, Guidehouse

    Social engineering is an ever-growing threat to organisations and people. This paper discusses the psychology behind social engineering and why it is still an effective strategy for criminals, nation states and hacktivists. The tactics, techniques and procedures (TTPs) described in this paper may help you identify threat actors/groups and aid in identifying emerging threats and developing appropriate countermeasures and awareness.
    Keywords: social engineering; information security; cyber security; psychology; cognitive bias

  • OTP bots and crypto: A tactic to disrupt
    Kristen Spaeth, Senior Investigator, Coinbase

    One-time password (OTP) bots are a form of crimeware-as-a-service that is being used to bypass two-factor authentication (2FA) on victim accounts. The bots are operated through Telegram and are sold at various price points in exchange for cryptocurrency. The bot operators facilitate a false phone call to victims, impersonating their financial institution, to obtain their OTP to commit an account takeover. Account takeovers facilitated by this type of social engineering are an enormous threat to financial institutions due to the inability to identify the attack without secondary corroboration. This paper illustrates the typical workflow of an OTP bot, avenues of institutional platform investigation and detection, as well as potential mitigation options to combat OTP bot attacks.
    Keywords: otp bots; 2FA; fraud; account takeovers; cryptocurrency

Volume 6 Number 2

  • Editorial
    Simon Beckett, Publisher
  • Social engineering and the use of persuasion to commit cyber fraud
    Lance Wantenaar, Cyber Security Analyst

    The use of social engineering in cyberattacks has increased in recognition. The gap in understanding is how the various aspects of psychology influence the outcome of social engineering attacks. In this paper Cialdini’s principles of persuasion are discussed in conjunction with neuroscience. Additional insights are introduced, including how biases function within the structure of a business e-mail compromise (BEC) e-mail and what part the persuasion principles play in the structure of the e-mail and the requests. Additional context is provided with examples to clarify the concepts of the various topics discussed. Previous research has focused on isolated disciplines of psychology and its use in phishing attacks. This singular focus has failed to address the various nuances which take place with a social engineering attack. Referencing Cialdini’s extensive work in persuasion as well as social hierarchies and the role of physiology in decision making allows for additional insights to be explored. This unique perspective will offer a more holistic understanding of the aspects that influence decisions a person makes when targeted by a social engineering attack.
    Keywords: social engineering; BEC; cognitive biases; persuasion; psychology; neuroscience

  • Threat intelligence meets risk management for operational resilience
    Teresa T. Walsh, Global Head of Intelligence, FS-ISAC

    Threat intelligence, especially cyber threat intelligence, is often given limited value. Some treat it as mutually exclusive from resilience activities or decisions, while others may opine it is not valuable if it cannot be automated. In practice, applying a combination of threat data and intelligence analysis into a business risk management plan is an essential part of how cyber defence and risk management teams can effectively prioritise and focus their programmes. In order to manage cyber risks effectively, private sector companies need to branch out from intelligence-led security to intelligence-supported business resilience. This requires a holistic approach to establishing priority intelligence requirements (PIRs) and analytical products for specific stakeholders. Intelligence analysis is not created for other intelligence analysts but for those seeking to protect the company and its customers, such as risk and business continuity managers. Using the example of third-party and supply chain risks, this paper argues the merits of using advanced levels of intelligence analysis to support cyber defences, as well as risk management and operational resilience.
    Keywords: cyber threat intelligence; risk intelligence; cyber security; priority intelligence requirements; governance and compliance; organisational resilience; third-party risk; supply chain risk; cyber intelligence analysis

  • Think beyond IT security — cyber resilience to build future-ready world: OT and ICS, critical infrastructure and beyond
    Sanam Makadia, Cyber Security Architect, Interactive

    In the current scenario, cyber security professionals, along with industry leaders, are working hard to protect digital assets from current and emerging threats. Besides this, little thought has been given to securing the physical world consisting of vulnerable connected systems. Insecure operational technology (OT) and industrial control systems (ICS) have been installed within critical infrastructure and the manufacturing industry, making it vulnerable to cyberattack. Aside from that, satellites play a key role in communication, mobile phone networks, global positioning systems (GPS), weather prediction, ships, defence forces and much more, which are insecure and vulnerable to hacking. This paper provides insight into current issues, disintegrated workforces and their challenges, critical infrastructure security and how to think beyond information technology (IT) security to secure the digital and physical world. While providing an insight into the US Army in multi-domain operations 2028, it explains how taking a similar approach within the cyber security industry will help improve cyber maturity to defend against adversaries.
    Keywords: OT/ICS security; IIoT; OT and IT convergence; critical infrastructure; cyber resilience; zero trust

  • The how and why of cyber security policy: Create behavioural and technical rules to mitigate risk
    Jael Lewis, Risk Expert and Cara E. Turbyfill, Senior Manager II, Walmart

    This paper discusses the importance of a well-written cyber security policy. It examines the risks associated with not having policy or having weak policy, and the three ways policy seeks to address those risks: risk prevention, risk mitigation and result mitigation. It also describes how to create strong policy by identifying the audience and choosing a framework; establishing a process for drafting and publishing the policy; communicating and training on the policy; and finally, monitoring compliance with the policy’s requirements. Creating and maintaining a policy programme that follows this roadmap not only provides the tools for an organisation’s employees to work securely but can protect an organisation from negative financial impact — be that legal, reputational or regulatory.
    Keywords: policy; technical writing; governance; cyber security; information security; risk mitigation

  • Browser isolation as an enterprise security control
    Henry Harrison, Co-founder and Chief Scientist, Garrison

    Browser isolation is a category of security control that allows users of sensitive endpoint devices to access potentially risky web content without putting their devices at risk of compromise by malware. A key use case is to provide web access from the privileged access workstations that should be used by those with elevated system privileges such as systems administrators. If endpoints for such users are compromised, then the attacker may gain the ‘keys to the kingdom’, making the risk of direct access to unknown and untrusted websites too high. Browser isolation, however, may also be used as a control to protect endpoints for broader classes of users to prevent attacks such as phishing e-mails containing malicious uniform resource locators (URLs). In order to form a useful control, browser isolation must deliver a significant ‘step up’ in security compared to the extensive web security already typically deployed within the enterprise, both in third-party security products such as proxies and endpoint agents, and within existing browser software such as Google Chrome. The Browser Isolation security model depends critically on the data transfer format between an untrusted component responsible for processing risky web content and a trusted component responsible for transmitting information to the user’s endpoint. The gold standard in this area is a technique known as ‘pixel pushing’, whereby risky web content is transformed into raw pixels. Beyond today’s implementations, browser isolation may likely play a broader role in future, in keeping with the role that equivalent technologies already play within the military and intelligence sectors, as referenced by a recent White House memorandum.
    Keywords: browser isolation; web security; privileged access workstations; pixel pushing; phishing; ransomware; cross-domain solutions

  • Why deep learning holds the key to preventing cyberattacks before they can strike
    Karen Crowley, Director Solutions Marketing, Deep Instinct

    Cyber security has always been a game of cat and mouse, with both sides reacting and attempting to outflank each other. While the security industry continuously develops new solutions for identifying and preventing attacks, the threat actors are innovating and evolving their techniques to bypass these defences. In order to break away from a reactive approach, organisations must prevent and neutralise the threat before it can execute inside their network. This is where deep learning (DL) comes in.
    Keywords: cyber security; ransomware; AI; deep learning

  • Exploring phronesis in cyber security, management and resilience
    Mark Brett, Visiting Fellow, Cyber Security Centre, London Metropolitan University

    The aim of this paper is to introduce phronesis and fractal knowledge to present a practical approach that can help a local public service to contextually understand the information assurance (IA) and cyber journey in a holistic way, by considering the various components that integrate information governance strategy, policy and assurance. It goes on to present a case study and ideas for further research. The fields of cyber security, information security and governance have a number of overlapping domains and spheres of interest. Within a local authority (LA), resources are sparse, with one person often having to oversee the entire security process, which is often regarded as an integral part of the information and communications technology (ICT) function.
    Keywords: local authorities; phronesis; cyber security; information assurance; break glass policies; principles-led policy; cyber playbooks; cyber incident response; business continuity; knowledge systems; cyber resilience; emergency planning; business continuity management; fractal knowledge; practice-based research; reflective practice

  • Mitigating challenges in an evolving cyber threat landscape
    Benjamin Ang, Senior Fellow, Cyber Homeland Defence; Deputy Head, Centre of Excellence for National Security, S. Rajaratnam School of International Studies

    This paper gives a snapshot of the current state of cyber security and public awareness, using Singapore as an example of a well-connected economy. Public awareness focuses on sharing common cyber security best practices, which are essential in reducing the risk of cyber security breaches. The paper then explores how current cyber threats have responded to the spread of public awareness, by evolving in ways that can overcome the common cyber security best practices or can even exploit them in some cases. It goes on to describe how the countermeasures to these evolved cyber threats must also evolve in turn and suggests processes and technologies which can be developed to mitigate these evolved cyber threats.
    Keywords: cyber threats; Asia; best practices; phishing; multi-factor authentication

  • Malware development threats with modern technologies
    Lawrence Amer, Cybersecurity Manager, PwC

    Despite a significant increase in the level of defence strategies across the enterprise, cyberattacks continue to have a damaging impact on organisations. Due to insufficient threat intelligence capabilities established in many organisations, attackers use this weakness to port their attack procedure and plan future attacks. From highlighting the problem to solving it, this paper explores possible attack procedures and builds awareness to shortcut the risk and reduce the possibility of compromise. It describes a case study of cyberattacks to illustrate the pros and cons of advanced detection and prevention systems.
    Keywords: malware; red teaming; simulated attacks; threat actors; detection; prevention; emulation

Volume 6 Number 1

  • Editorial
    Simon Beckett, Publisher
  • Securing decentralised organisations
    Damir Rajnović, Cyber Security Manager, Panasonic Business Support Europe

    This paper compares the efforts required to secure a centralised organisation and a conglomerate (holding structure). Achieving a uniform level of security across a conglomerate is more challenging due to the nature of the organisational structure — ie every subsidiary is independent, so each can define its own processes and select how to implement global security guidelines. Implementing security measures in a conglomerate is equivalent to managing a distributed project. Having a very strong governance function is the only way to make such an endeavour successful. The governance function, by itself, is not sufficient; additional impetus must come from individual headquarters and the holding company itself. Security is different from other organisational functions (eg payroll, sales, etc.) because of the relationships between individuals from different subsidiaries, which can be used to more easily compromise the organisation.
    Keywords: cyber security, organisational structure, conglomerate, holding company, organisational governance

  • Anomaly-based threat detection: Behavioural fingerprinting versus self-learning AI
    Jeff Cornelius, EVP, Darktrace, et al.

    When a malicious actor has access to a digital estate, they control compromised devices and user accounts to achieve their objectives. Given that an attacker’s objectives are often at odds with devices’ normal patterns of life, identifying deviations from these patterns can be used to detect an ongoing attack. This paper outlines and compares two approaches to anomaly-based threat detection: behavioural fingerprinting and self-learning artificial intelligence (AI). It argues that the self-learning approach is significantly superior in several important ways due to the fact it provides a more complex and accurate understanding of what is normal. The paper explains the motivation behind anomaly-based threat hunting, describes the fingerprinting approach and the self-learning approach to anomaly detection, and details real-world examples that demonstrate the advantages of the self-learning approach.
    Keywords: artificial intelligence, machine learning, anomaly detection, self-learning, behavioural fingerprinting

  • A security concept for a global factory network: Practical considerations in implementation
    Michael Voeth, Director for IT in Manufacturing, Robert Bosch GmbH, Clare Patterson, Advisory Board Member and Jannis Stemmann, CEO, Bosch CyberCompare

    On top of information technology (IT) security risks faced by almost all companies, manufacturers need to deal with additional challenges from operating their own factories. For example, typical difficulties arise from legacy systems, proprietary communication protocols and real-time requirements in highly automated production environments. At the same time, budget constraints need to be considered, as manufacturers often face strong competition (plants are usually unprofitable at low utilisation, and therefore each competitor has a strong incentive to lower prices down to the marginal cost of production). This paper explains the combined IT and operational technology (OT) security concept used by a corporation with a global manufacturing footprint operating in various industry sectors. Lessons learned from testing some security tools are included. In order to scale know-how and make security more affordable for companies in similar situations, the concept of a curated marketplace is introduced, and its implementation described.
    Keywords: OT, ICS, defence in depth, production

  • Financial services insider threat: Why a shift in mindset is required to combat this silent risk
    Dave Harvey, Managing Director, FTI Consulting

    The traditional mindset around insider threat is outdated and a shift is required to combat this silent risk. This paper describes the various types of insider threat, common cyberattack types that involve insiders and insider threat risks specific to mergers and acquisitions. From there, key elements of an effective insider threat programme are defined and resources involving existing guidelines and frameworks for how to get started building a proper programme are provided. This paper explains why insider threat must be taken seriously and why moving away from a network protection mindset is essential to improve cyber security protections.
    Keywords: insider threat, financial services, cyber security, cyber risk, cyberattack, M&A/mergers and acquisitions

  • Active Directory security: Why we fail and what auditors miss
    Sylvain Cortes, Security Strategist, Tenable

    The task of a security auditor is not an easy one. Organisations depend heavily on regular audits to analyse and evaluate the risks related to their IT assets. Unfortunately, traditional auditing methods do not adequately assess the latent risks present in Active Directory (AD). This paper will help readers understand the specific challenges and pitfalls associated with auditing AD and adapt their method to avoid a false sense of security. It concludes that it is critical to make the most of auditing assignments in order to obtain a clear and precise view of the important remediation tasks to come.
    Keywords: audit, auditor, active directory, security, ransomware, malware, lateral movement, privilege escalation, domain dominance, backdoor

  • Integration versus convergence: A battle of the buzzwords?
    Rodman Ramezanian, Enterprise Cloud Security Advisor, Skyhigh Security Australia/New Zealand, Australia

    In cyber security, integration has been a near-obligatory requirement for organisations considering new products. They want assurance that new products will complement existing investments to collectively produce more effective and efficient solutions. But, as this paper discusses, the term convergence has recently emerged as another key capability and expectation of technology platforms. Convergence and integration are pathways to solving some of cyber security’s biggest challenges. They may sound like the same thing, but they are not. So, what is the difference? And how will those differences shape security considerations and investments in the future?
    Keywords: integration, convergence, platform, interoperability, workflow, efficiency

  • The PIVO process for identifying vulnerabilities impact for organisation risks: An automated solution
    Jean-Luc Simoni, Senior Cyber Security Consultant, Thales SIX GTS France, et al.

    Risk management (RM) and vulnerability management (VM) are both essential cyber security domains. They are often managed independently, without a proper interface through which to provide context to each other and share information. This paper proposes an approach to connecting RM and VM processes, based on data standardisation through referentials and on automation, in order to relate vulnerabilities to operational risk scenarios. The focus is mainly on the identification of the referentials and on their added value in complementing a method described in a previous paper.
    Keywords: vulnerability management, risk management, CMDB, automation, CVSS, cyber kill chain

  • Financial services security risks and remediations
    Lior Arbel, Chief Technical Officer, Performanta

    Cybercrime routinely targets financial services, which in kind spend lavishly to protect themselves — with notable success, as cyberattacks are often less successful against financial service industries (FSI) than other sectors. Yet the excessive costs of cyber security could be less, and not all FSIs have the resources to pursue an escalating cybercrime conflict. There are several areas that FSIs can focus on to improve their cyber security posture while keeping budgets in check. They can look beyond compliance checks as an acceptable level of protection. They can police access to their networks by supply chain providers with more nuance. They can use prevention to curtail successful attacks that can create astronomical remediation costs. Lastly yet perhaps most crucially, they can encourage board participation by articulating security issues as strategic business considerations. FSIs must look beyond the checks and balances of traditional compliance and governance, and risk questionnaires. They should avoid construing unknown risks due to a lack of IT visibility as acceptable risks, and they must consider creating space for technology and security experts at the highest levels of management, such as mandatory board seats. At a technical level, they should adopt the zero trust security framework of ‘Never Trust, Always Verify’, enhanced monitoring of all IT areas, and unplanned audits to encourage compliance as a continual project. This paper focuses on where FSIs face security risks and how to address them.
    Keywords: financial services, cyber security, compliance, security budget, remediation costs, supply chain security

  • Book review
    Cybercrime through social engineering: The new global crisis
    Reviewed by Lance Wantenaar