Spring seems to be all around us. But the feeling of optimism and happiness that spring generally produces hasn’t rubbed off on the cyber-criminal brotherhood (yes, most of them are men). We are still seeing ransomware causing enormous damage and the pandemic adding its own level of difficulty to manage. If only there were cyber vaccines we could employ!
To be more effective the cyber security profession needs to be far more diverse. So it is good to see tech experts talking gender bias. Unfortunately according to some women with experience of working in cyber security: “Equality will take a decade”.
The “story of the week” this week is how Chinese hackers have exploited a Microsoft Exchange flaw to target European Banking Authority servers. While European organisations are by no means the worst at defending their IT infrastructure, it’s worrying that such critical organisations are coming under attack.
Supply chain attacks seem to be on the rise again. Unfortunately it is extremely hard to guard against all of them, so once systems and processes have been hardened there is also a need to ensure resilience is increased. Another major vulnerability in most organisations is email, and the way that cyber-criminals attack email is going to change in 2021. We give you some tips on how to keep safe.
Plenty of thoughts on improving cyber security teams this week. We have five tips for leading teams through pandemic fatigue. And an article on how to supercharge the SOC with a joined-up approach to incident response.
From a strategic perspective, we discuss the need to balance attackers and defenders in the security team. And we discuss how CISOs need to be more effective at quantifying risk.
Always on trend, we also take a look at Secure Access Service Edge, an increasingly popular architecture that combines software-defined wide area networking with security functions to support the dynamic nature of today’s modern workforce.
Cyber insurance: The lockdown in the UK has led to a spike in cyber insurance uptake. Have you claimed against a cyber insurance policy recently? What was the outcome? We would love to know.
West Ham United fans: West Ham United’s website has leaked the personal data of fans. Given the losses the club has suffered recently, it is to be hoped that the ICO is sympathetic.
From supply chain attacks to single-use domains, Darktrace tells us what we can expect this year.
In 2020, we saw cyber-criminals take advantage of collective uncertainty with “fearware” phishing attacks, and continue to shrink the lifespan of their attack campaigns by purchasing cheap domains in their thousands and regularly updating their attack infrastructure. As organisations began to rely heavily on SaaS collaboration tools, we saw a marked increase in account compromise and phishing from the inside.
This article looks at the tactics and techniques we can expect email attackers to deliver this year – and how companies can react.
Supply chain fraud will overtake CEO fraud
Targeting the C-suite is a well-known tactic that has brought attackers success, due to both the sensitive and valuable data these executives are exposed to and the authority they hold within a company. But with special protections increasingly put in place, it can be hard for an attacker to get to these individuals. The alternative for attackers? Go after whoever an organisation trusts.
When an attacker can take over the legitimate email account of a trusted third-party supplier, they can net a big return without ever interacting with a C-level executive. Because of the implicit trust between established contacts, it’s likely that suppliers and contractors with large client bases will become ever more tempting targets. Why work hard to compromise 500 companies separately when you can compromise just one and send fraudulent invoices to 1,000?
There are signs already hinting at this direction. Research earlier this year found that spoofing attacks that target the C-suite were decreasing. Meanwhile, the high-profile SolarWinds hack has shown just how effective cyber-attacks that come through the supply chain can be.
The email attack cycle will continue to shorten
Once upon a time, attack infrastructure lasted for weeks or months. Darktrace research found that the average lifespan of fraudulent email dropped from 2.1 days in March 2018 to just 12 hours in 2020. Attackers can easily purchase new email domains with just a few pennies, and a brand-new domain, with no malicious activity on its record, will pass most email security reputation checks with ease.
It’s a worrying trend for legacy security tools reliant on signatures and blacklisting. And this lifespan will continue to trend towards zero. In the near future, we can expect attackers to reach a stage where a new domain is created, a single targeted email is sent, and the attack infrastructure is then retired before the cycle repeats.
Phishing will become even more targeted
The overwhelming, rapid proliferation of “fearware” this year has shown how effective targeted and topical phishing lures can be. The sheer availability of information online and across a plethora of social media platforms allows attackers to move from a spray-and-pray approach to sending well-researched, tailored emails that have a considerably higher chance of succeeding. And as the technology becomes available to automate much of this reconnaissance, it is natural to assume attackers will take advantage of these tools.
Hackers will target identities rather than devices
For attackers going after businesses that have expanded remote working, targeting cloud services may be preferable to going after centralised, on-premises infrastructure. Email-borne fraudulent invoices could prove a quieter and more lucrative alternative for the money-minded cyber-criminal than ransomware. Successful impersonations of trusted suppliers frequently enable successful wire fraud attacks. And since these attacks involve “clean” emails, containing no links or attachments, they usually skip past legacy security tools with ease.
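To make the two points above concrete (a freshly registered domain has no reputation to check, and a link-free, attachment-free invoice lure gives a gateway nothing to detonate), here is an added scoring example. It is not Darktrace’s code or any product’s logic. The registration dates in DOMAIN_CREATED stand in for a WHOIS/RDAP lookup, the known-contact list and both sample messages are constructed for the example, and the weights and the hold threshold are arbitrary choices.

```python
"""Heuristic scoring of inbound mail, showing why signature and reputation
checks miss the trends above: a domain registered this week has no bad
reputation yet, and an invoice-fraud email with no link or attachment gives
a gateway nothing to detonate. Added example; not Darktrace's code."""
from datetime import date
from email import message_from_string
from email.utils import parseaddr

TODAY = date(2021, 3, 12)        # fixed so the example is deterministic
NEW_DOMAIN_DAYS = 30             # treat anything younger than this as untested

# Constructed stand-in for a WHOIS/RDAP lookup: domain -> registration date.
DOMAIN_CREATED = {
    "acme-supplies.example": date(2015, 4, 2),
    "acme-supplies-ltd.example": date(2021, 3, 8),   # lookalike, four days old
}

# People the organisation has corresponded with before, and the address used.
KNOWN_CONTACTS = {"Sam Taylor": "sam.taylor@acme-supplies.example"}

# Phrases typical of a wire-fraud lure; none of them is a link or a file.
PAYMENT_WORDS = ("invoice", "bank details", "remittance", "account number", "wire")


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def score_message(raw, today=TODAY):
    """Return (score, reasons) for one RFC 822 message; higher is more suspicious."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)
    score, reasons = 0, []

    # 1. Domain age. A blocklist cannot contain a domain that did not exist last week.
    created = DOMAIN_CREATED.get(sender_domain)
    if created is None:
        score += 2
        reasons.append("sender domain has no registration record")
    elif (today - created).days <= NEW_DOMAIN_DAYS:
        score += 3
        reasons.append("sender domain registered %d days ago" % (today - created).days)

    # 2. Display-name impersonation: a familiar name arriving from a different address.
    expected = KNOWN_CONTACTS.get(display)
    if expected and expected.lower() != addr.lower():
        score += 3
        reasons.append("'%s' normally writes from %s" % (display, expected))

    # 3. A 'clean' payment lure: money talk with nothing for a sandbox to open.
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in PAYMENT_WORDS if w in text]
    has_link = "http://" in text or "https://" in text
    if hits and not has_link and not msg.is_multipart():
        score += 2
        reasons.append("payment request with no link or attachment: %s" % ", ".join(hits))

    return score, reasons


def triage(raw, hold_at=5):
    """Hold a message for review once the combined score crosses the threshold."""
    score, _ = score_message(raw)
    return "hold" if score >= hold_at else "deliver"


# Constructed sample messages.
FRAUD = """From: Sam Taylor <sam.taylor@acme-supplies-ltd.example>
To: accounts@victim.example
Subject: Updated bank details for invoice 4471

Hi, our remittance account number has changed with immediate effect.
Please settle invoice 4471 to the new account. Thanks, Sam
"""

LEGIT = """From: Sam Taylor <sam.taylor@acme-supplies.example>
To: accounts@victim.example
Subject: March catalogue

Hi, the new catalogue is on our site: https://acme-supplies.example/catalogue
"""

if __name__ == "__main__":
    for name, raw in (("FRAUD", FRAUD), ("LEGIT", LEGIT)):
        print(name, triage(raw), score_message(raw))
```

The fraudulent message trips all three checks and is held; the genuine one from the same supplier scores zero. None of the three signals is a signature: each compares the message with what the organisation already knows about its own correspondents, which is the property a lookalike domain bought yesterday cannot fake.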
Cyber-criminals continue to find new ways to skirt by the traditional, legacy-based email security tools commonly relied on today. Organisations must prepare now for the next wave of email attacks by turning to a new approach to email security capable of neutralising novel and sophisticated attacks that gateways miss.
Hundreds of organisations have adopted a self-learning approach that doesn’t rely on hard-coded rules and signatures, but uses AI to spot unusual patterns in email communications indicative of a threat. As attackers continue to innovate, having an adaptive email security technology that continuously reassesses emails in light of new evidence will be crucial for security teams.
Originally Aired: Tuesday 9th March 2021, 16:00
This episode is now available to view on-demand.
One technique is to promote awareness of the consequences of being an insider threat. This won’t necessarily stop people who are bent on major revenge for something, but it should help deter people who are being careless or who want to pay someone back. Tell them what could go badly for them!
Think about what systems are linked together and whether sensitive information is accessible from less important systems. A central identity provider is useful for managing people, and this is often not difficult to implement. And always have secondary checks.
You need to get the underlying processes – the policies and education etc – right. Once that is sorted you can think about using automation to manage the processes, but you need to get the basics right first. Automation is a valuable strategy: with manual operations there is room for human error, while automation can provide a single source of truth that is always accurate. That isn’t to say that a hybrid solution won’t work – often there is a need for a human approach, one where people feel they are valued as humans and not treated like machines.
One way to think about this is that the automation does the heavy lifting. It makes sure the simple things happen, like accounts being cancelled when people leave. But a machine will never detect whether people are likely to be a risk because they are angry or disappointed. That’s when you need people who can spot a potential problem with an employee, especially one who is leaving, and do something about it.
Remember that most internal incidents come from carelessness rather than malice. And it’s even easier to be negligent when you are working remotely. So you need strong processes. You can’t be sure that the person responsible for managing IT access will know that someone is leaving unless you have strong systems. That’s where automation can help – it makes sure the basics are done properly.
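As an added illustration of the split the panel describes (the machine does the basics, a person handles the judgement calls, and there is always a secondary check), here is a leaver-reconciliation script. It is example code written for this page, not anything from the webinar. HR_RECORDS and DIRECTORY are constructed inline; in practice they would come from the HR system and the identity provider, and the “review” list would become tickets for a manager.

```python
"""Leaver reconciliation: HR is the source of truth for who should still
have access, the identity provider is what actually exists, and the script
closes the gap. Routine cases are disabled automatically; anything that
needs judgement goes to a person. Added example, not from the webinar.
HR_RECORDS and DIRECTORY are constructed; a real run would pull them from
the HR system and the identity provider's API."""
from datetime import date

TODAY = date(2021, 3, 10)   # fixed so the example is deterministic

# Constructed HR feed: leave_date is None for current staff.
HR_RECORDS = [
    {"email": "ana@corp.example",  "leave_date": None},
    {"email": "ben@corp.example",  "leave_date": date(2021, 3, 5)},   # left last week
    {"email": "cara@corp.example", "leave_date": date(2021, 3, 31)},  # working notice
    {"email": "dan@corp.example",  "leave_date": date(2021, 2, 1)},   # left, already handled
]

# Constructed directory state: what the identity provider currently holds.
DIRECTORY = {
    "ana@corp.example":        {"enabled": True,  "privileged": False},
    "ben@corp.example":        {"enabled": True,  "privileged": False},  # nobody told IT
    "cara@corp.example":       {"enabled": True,  "privileged": True},
    "dan@corp.example":        {"enabled": False, "privileged": False},
    "svc-backup@corp.example": {"enabled": True,  "privileged": True},   # no owner in HR
}


def reconcile(hr_records, directory, today=TODAY):
    """Return {'disable': [emails], 'review': [(email, reason)]}."""
    actions = {"disable": [], "review": []}
    hr_emails = {r["email"] for r in hr_records}

    for rec in hr_records:
        acct = directory.get(rec["email"])
        if acct is None:
            continue                        # joiner with no account yet; out of scope here
        leave = rec["leave_date"]
        if leave is not None and leave <= today and acct["enabled"]:
            # The basics, done by the machine: past the leave date, still enabled.
            actions["disable"].append(rec["email"])
        elif leave is not None and leave > today and acct["privileged"]:
            # Notice period plus elevated access is a judgement call for a manager.
            actions["review"].append((rec["email"], "privileged account during notice period"))

    # The secondary check: accounts the source of truth knows nothing about.
    for email, acct in directory.items():
        if acct["enabled"] and email not in hr_emails:
            actions["review"].append((email, "enabled account with no HR record"))
    return actions


def apply_disables(actions, directory):
    """Return a copy of the directory with the routine disables applied."""
    updated = {k: dict(v) for k, v in directory.items()}
    for email in actions["disable"]:
        updated[email]["enabled"] = False
    return updated


if __name__ == "__main__":
    result = reconcile(HR_RECORDS, DIRECTORY)
    print("disable:", result["disable"])
    for email, reason in result["review"]:
        print("review :", email, "-", reason)
```

Run against the sample data it disables the account HR says left last week, and puts two things in front of a human: a privileged user working their notice, and an enabled service account that no HR record owns. Running it daily is what makes “the person managing IT access didn’t know” stop being a failure mode.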
It’s hard to get the right “etiquette” when you aren’t inducting people face to face. You need to think about complementing e-learning with other assets such as online talks and information put in places where people can’t miss it – such as when they first switch on their office computer. Look at the online material that has been published by the organisation that gets accessed the most regularly – and then add the important information that you want to disseminate to it – even if it doesn’t really fit well.
However, you can’t control everything. At best you can hope to be given notice of when people are joining and leaving the organisation!
The pandemic has put pressures on organisations to improve security. These changes need to be reviewed regularly of course, so that if change continues the processes will adapt to them. You also need usable systems and processes. New people may find it difficult to understand processes if they are not being shown face to face. So the processes need to be intuitive and easy to learn. There is also a need to avoid being heavy handed with security, just because the risk has increased. People need to feel trusted if they are to engage with their organisation.
There needs to be flexibility as well. If people have become used to printing documents at home then when they come back into the office they will probably expect the same ability and convenience. Processes may need to change as a result, and if not there will be a need for persuasion and education.
It’s easy when you are dealing with people you know and who know the organisation. But when new people join and there is no longer a proper onboarding process you still need to deliver the same information. The new member of staff won’t want a time-consuming process when they are being set up as a new IT system user. Sometimes you have to trust that new people won’t go rogue. But you also have to imagine what might go wrong – for instance, what damage people who have been made redundant or furloughed still have the power to cause.
Ultimately, remote working is becoming standard. That’s unlikely to change, even if the amount of remote working alters. So businesses need to accept that they need to identify the risks associated with remote working and then identify the risks where they apply to people, processes and technology. If security teams can do this, while allowing a flexible workforce to work effectively, this will then be a great advertisement for them. This is an opportunity for cyber security that must not be missed!
With pessimism about gender equality in cyber security, it's clear that better support and career progression will have the most positive impact.
Research from the Chartered Institute of Information Security (CIISec) sheds light on the worrying state of diversity within the cyber security industry. 57% of women working in the industry believe it will take at least a decade for them to be treated as equals to men, with 20% believing it will ‘never happen’. However, women are clear on what is needed to address the issues; 56% say better support and career progression, 49% say the industry needs to be less of a “boys only club” and 47% say more women in the industry would make a positive impact.
The research also shows women are struggling to progress both due to the status quo of the industry and also not getting the required support. Almost half (47%) have experienced or observed blatant sexism that was not disciplined. Meanwhile, half (50%) say they feel they lack the necessary skills to progress to a new role and 61% say a lack of confidence in their own abilities is holding them back.
“There’s no question that the cyber security industry must become more diverse. This isn’t only a matter of creating a more inclusive and fairer world. Without greater diversity and inclusion, the industry risks stagnating,” said Amanda Finch, CEO of CIISec. “Organisations need to work together to eradicate the “boys only club” culture cyber security has built up over the years. As an industry facing a skills shortage, it can’t afford to drive away valuable new blood that could bring fresh new ideas. We need to encourage a new generation of talent into the industry and give women better support; both to help them progress, and so they want to stay in their careers.”
The survey shows there are some perennial issues that must be addressed:
To encourage women to join the industry and support those already in it, organisations need to understand what women want in their careers. When asked what was most important to them when considering a role in cyber security:
“Addressing the diversity issue isn’t a quick overnight fix,” continued Amanda Finch. “We need to dig deep into the underlying issues and address them from the ground up to really put this right. Understanding exactly what women are experiencing and need are just the first steps to help make a change. We need to offer clear paths to progression through frameworks and ongoing training. We need to break down barriers and demonstrate the varied roles and career paths within the industry. Doing this will help make a real difference in encouraging women into the industry, bringing with them the new skills we so desperately need to fight against the changing threat landscape.”
The Chartered Institute of Information Security, formerly the IISP, was established in 2006 to act as a focal point for the setting of standards in the information security profession and to promote the availability and growth of talent for government and businesses alike. Unlike many other certifications, the institute does not accredit on knowledge alone but requires professionals to provide evidence that they have successfully performed the required skills in the real world and have a track record of delivering to the highest standards. The institute works with academia to help develop new courses and entry routes into the profession, as well as corporate and government organisations to promote the growth of talent in the workplace. For this research, CIISec surveyed women working in the cyber security industry. The results are based on the 90 women who positively identified themselves as working in the UK.
Originally Aired: Thursday 11th March 2021, 10:00
Why wouldn’t you patch? However it’s not always a good idea to patch everything in the event of an emergency. This might get in the way of doing other more important things. Instead focus on what needs attention first.
First see if you are affected by the issue. Then, if you are, look for where the critical vulnerabilities are. Then apply best practice to your infrastructure.
With this problem, some organisations have felt that they weren’t really at risk because they have a direct relationship with Microsoft. That might be the case but even so you may still be at risk of internal abuse with a vulnerability like this enabling bad internal actors to steal data.
And furthermore, ultimately a problem like this will affect everyone: because it will affect your suppliers even if it doesn’t affect you. For example, if people can see the emails your suppliers or lawyers are sending you they can use that to insert fake emails and perhaps steal money. So you will need to reinforce your processes around the most vulnerable areas of your organisation, such as the finance department’s email accounts.
It’s possible to write software that helps deal with breaches such as the MS Exchange breach: scripts can be used to collect data and automate reactions. And automated tools are essential; most SOCs have them. The issue is what do you automate? Automation won’t take care of everything. Perhaps you wouldn’t want to automate tasks like closing off ports if the SOC isn’t very sophisticated. Instead automation should take care of the volume, taking the load away from analysts.
Another use of automation is to get rid of the noise. Phishing simulations create a huge amount of noise for SOCs – and automation can help take care of that. But you need really strong processes before you start automating. It’s “rubbish in rubbish out” really so you need the right processes and policies to be in place before you start to automate their management.
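An added example of the noise-removal idea above, written for this page rather than taken from the webinar: auto-closing user-reported phishing that is really the organisation’s own simulation. The assumptions are mine: the simulation platform stamps its mail with a header called X-Sim-Campaign (a name chosen for the example), sends only from the domains in SIM_DOMAINS, and the gateway records DKIM results in an Authentication-Results header. Opening a ticket is represented by returning a decision record, and the three reports are constructed.

```python
"""Auto-triage of user-reported phishing, so that the organisation's own
simulation campaigns never reach an analyst. Added example, not from the
webinar. Assumptions: the simulation platform stamps its mail with a header
called X-Sim-Campaign (name chosen for this example), sends from a domain in
SIM_DOMAINS, and the gateway records DKIM results in Authentication-Results.
Opening a ticket is represented by returning a decision dict."""
from email import message_from_string
from email.utils import parseaddr

SIM_HEADER = "X-Sim-Campaign"              # assumed header name
SIM_DOMAINS = {"training.sim.example"}     # assumed; owned by the awareness team


def triage_report(raw):
    """Decide what to do with one user-reported message."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    campaign = msg.get(SIM_HEADER)
    auth = msg.get("Authentication-Results", "")
    authenticated = domain in SIM_DOMAINS and "dkim=pass" in auth and domain in auth

    if campaign and authenticated:
        # Genuine simulation: hand the click to the awareness team, close the alert.
        return {"action": "auto-close", "reason": "phishing simulation", "campaign": campaign}
    if campaign and not authenticated:
        # Someone copied the simulation header to get waved through: that is a real phish.
        return {"action": "open-ticket", "reason": "simulation header on unauthenticated mail", "sender": addr}
    return {"action": "open-ticket", "reason": "needs analyst review", "sender": addr}


def triage_queue(reports):
    """Return (number auto-closed, list of tickets) for a batch of reported messages."""
    closed, tickets = 0, []
    for raw in reports:
        decision = triage_report(raw)
        if decision["action"] == "auto-close":
            closed += 1
        else:
            tickets.append(decision)
    return closed, tickets


# Constructed reports, as they would arrive from a 'report phishing' button.
SIM = """From: IT Helpdesk <helpdesk@training.sim.example>
Authentication-Results: mx.corp.example; dkim=pass header.d=training.sim.example
X-Sim-Campaign: Q1-password-reset
Subject: Your password expires today

Click to keep your account active.
"""

PHISH = """From: IT Helpdesk <helpdesk@corp-support.example>
Authentication-Results: mx.corp.example; dkim=none
Subject: Your password expires today

Click to keep your account active.
"""

FORGED = """From: IT Helpdesk <helpdesk@corp-support.example>
Authentication-Results: mx.corp.example; dkim=none
X-Sim-Campaign: Q1-password-reset
Subject: Your password expires today

Click to keep your account active.
"""

if __name__ == "__main__":
    closed, tickets = triage_queue([SIM, PHISH, FORGED])
    print("auto-closed:", closed)
    for t in tickets:
        print("ticket:", t["sender"], "-", t["reason"])
```

The point of the second branch is the “rubbish in, rubbish out” warning: if the rule were simply “header present, close it”, an attacker who had seen one simulation email could add the same header and have their real phish auto-closed. Tying the shortcut to the authenticated sender domain keeps the noise filter from becoming a bypass, and it only works if the allowlist of simulation domains is actually maintained.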
The maturity of the security operation is important as well. Many mid-sized organisations have generalised security teams and they may be less skilled at certain areas. Perhaps they are good at vulnerabilities and risk management but less good at incident response etc. Even good generalists can only do one thing at a time. So there comes a time when security teams need to start to specialise.
The SolarWinds attack was delivered through the latest patches and versions of the software. This raises a big question: how can we trust the latest patch? It’s not always simple to get the latest version of software installed, and the SolarWinds attack makes it tempting to delay running the latest software version.
Instead, perhaps you might think that waiting until everyone else has updated their software is a smart move so you can see if there are any issues. But the reality is that isn’t a great move. It’s always best practice to patch. But you also need to have good patch management and testing protocols. For example it’s important to be able to test patches in a controlled environment to ensure that they won’t impact other areas of the organisation.
Air Date: Thursday 18th March 2021, 10:00 (GMT)
Adrian Searle - Head of Security Risk, Royal Bank of Scotland
Mike Seeney - Head of Supply Chain Information Risk, Pinsent Masons
Jean Carlos - Group Head of Information Security, Nomad Foods
Andrew Rose - Resident CISO (EMEA), Proofpoint
Air Date: Tuesday 23rd March 2021, 16:00 (GMT)
Dr Dave Chatterjee - Associate Professor, The University of Georgia
Garry Scobie - Deputy Chief Information Security Officer, The University of Edinburgh
Enis Sahin - Head of Information Security, Federated Hermes – International
Air Date: Thursday 25th March 2021, 16:00 (GMT)
Roland Cloutier - Global CSO, TikTok
Mudassar Ulhaq - Chief Information Officer, Waverton Investment Management
Andrew Tsonchev - Director of Technology, Darktrace
Air Date: Tuesday 30th March 2021, 16:00 (GMT)
Gaynor Rich - Global Director Cyber Security Strategy, Unilever
Gary Sorrentino - Global Deputy CIO, Zoom
Jitender Arora - Chief Information Security Officer, Deloitte
Sudeep Venkatesh - Chief Product Officer, Egress