Volume 4 (2020-21)

Each volume of Cyber Security: A Peer-Reviewed Journal consists of four 100-page issues published in both print and online. The articles and case studies confirmed for Volume 4 are listed below:

Volume 4 Number 4

  • Editorial
    Simon Beckett, Publisher
  • Framework for quantifying cyber security risks
    Reinder Wolthuis, Senior Project Manager, Frank Phillipson, Senior Scientist, Hidde-Jan Jongsma, Cyber Security Researcher and Peter Langenkamp, Cyber Security Researcher, TNO

    Recent years have seen an increasing amount of information becoming available which is of benefit to the security risk process. Traditionally, security risk management is an asset-based, qualitative process based on expert opinion and information at hand; periodically a group of experts assesses applicable risks and determines correct risk levels and whether new risks should be added to the list. This paper proposes a threat-based, traceable quantitative risk management approach that uses current information to quantify risks. This leads to a near real-time risk process, where available information is processed, and the risks are automatically updated. The approach was tested in practice at the main banks in the Netherlands.
    Keywords: quantified cyber security, Bayesian belief network, real-time monitoring, model based

  • Open sesame: Lessons in password-based user authentication
    Bahman Rashidi, Cybersecurity Research Engineer and Vaibhav Garg, Senior Director of Cybersecurity Research & Public Policy, Comcast Cable

    The cost of unusable password policies in the wild is well documented. These costs impinge on both business and security. The alternative is to move to multi-factor and risk-based authentication, which include software authenticators, hardware tokens and biometrics. This paper provides an overview of the research in this area and concludes with guidance on how to best leverage password-based authentication. We recommend that designers should only implement efforts backed by empirical evidence, offer solutions to reduce user effort, and use compensating controls to address the underlying limitations of passwords.
    Keywords: passwords, biometrics, 2FA, MFA, authentication

  • An overview of current issues and practice relating to local government cyber security in England and Wales
    Mark Brett, Visiting Fellow, Cyber Security Centre, London Metropolitan University

    This paper explores some of the current issues around cyber security and resilience relating to local government in England and Wales, covering the period of the current National Cyber Security Programme from 2015 to 2020. The paper outlines the structure of cyber security and resilience and explains the linkages at a regional and devolved administration level in the case of Wales and at UK national level. The paper introduces the concept of a cyber asset taxonomy to quantify cyber artefacts, to aid the early warning of organisations with particular types of equipment, systems and services. There is also discussion around a volunteer-led CyberShare Node/Fusion Cell structure to aid incident response in a cost-effective way. Finally, there is a description of current research which will result in future papers.
    Keywords: local government, cyber security, cyber resilience, incident response, incident coordination, cyber asset taxonomy

  • Cyber security for microreactors in advanced energy systems
    Piyush Sabharwall, Senior Staff Nuclear Research Scientist, Idaho National Laboratory, et al.

    Demand for clean and resilient energy has led to new and advancing frontiers of energy development in nuclear technology, specifically in the development of microreactors. These miniaturised modular reactors are generally <20 megawatts thermal (MWt) or 10 megawatts electric (MWe) and offer new opportunities to meet energy needs in remote locations and mobile operations. As with the slightly larger small modular reactors (<300 MWe), microreactor development must demonstrate security and safety, as well as economic competitiveness, to be seen as potential opportunities for new applications. Current research focuses on passive safety features, capital costs, reliability, semi-autonomous or autonomous control, cyber informed design, digital twins and non-proliferation. This paper focuses specifically on microreactor cyber informed design and cyber risk. An overview of microreactor technology provides a basis for examining the cyber nuclear playing field, with an emphasis on the USA. Frameworks for evaluating cyber security threats, and thereby designing for them, are reviewed. Recommendations follow with ideas for future research.
    Keywords: microreactors, cyber digital twins, cyber informed design, cyber risk, nuclear power

  • The laws governing data breaches: An update
    Behnam Dayanim, Partner, Paul Hastings and Roya Butler, Georgetown University Law Center

    Working remotely has compounded vulnerabilities; cybercriminals have exploited the pandemic as an opportunity to target companies. Even before the pandemic, data breaches were increasing in both breadth and scope. According to data from Norton, the first half of 2019 saw 3,800 publicly disclosed breaches, exposing 4.1bn records. That reflected a rise of 54 per cent, compared with the same time period in 2018. States across the country have started to react, enacting privacy, data security, cyber security and data breach notification laws, and courts have continued — slowly and inconsistently — to embrace broader theories of potential recovery by victims of those breaches. The past two years have seen several noteworthy developments in the courts and in the legislatures. This paper examines those judicial developments, as well as state statutes and regulations such as the California Consumer Privacy Act of 2018 (CCPA), the 2019 amendment to the Massachusetts Data Breach Notification Act (MA-DBNA) and the New York Stop Hacks and Improve Electronic Data Security Act of 2020 (SHIELD Act). After examining those developments, this paper concludes with insights into best practices in light of the ever-shifting judicial, legislative and regulatory climate surrounding data breaches.
    Keywords: cyber security, information security, ransomware, data breach, standing, class action

  • Managing stakeholder communication during a cyber crisis
    Caroline Sapriel, Managing Partner, CS&A International

    The paper examines the impact on stakeholders during cyber crises and how failing to engage with them can quickly escalate a crisis into a reputation train wreck. While organisations must focus their efforts on preventing and mitigating cyberattacks, it is not always possible to fix the problems when they occur, and in some cases it may take weeks or months before the issue is resolved. If the affected organisation does not own up and communicate quickly with its stakeholders, this communication vacuum period can seriously erode stakeholder confidence and ultimately destroy the organisation’s reputation. Using the famous The Good, the Bad and the Ugly film metaphor, this paper delves into three recent cyber crisis examples to define what was done well, which was a badly handled case and which was a truly ugly one, in order to draw best-practice lessons. Recognising that stakeholders are at the core of our organisations’ ecosystem is a good place to start. By identifying and mapping them in order of importance, degree of influence and threat level, the organisation can develop engagement strategies that are designed to yield measurable results. Furthermore, the stakeholder mapping process helps uncover opportunities as well as worst-case scenarios that can be prepared for and help weather the storm. Ultimately, stakeholder outrage can drive crises into reputation meltdowns, and the ability to communicate swiftly, transparently and credibly is the cornerstone of any effective crisis response strategy, but especially cyber ones where there are seldom quick fixes. The ability to retain stakeholder trust in the midst of adversity and chaos underpins the organisation’s capacity to protect its reputation and possibly emerge stronger on the other side.
    Keywords: stakeholder mapping, scenario planning, stakeholder trust, credibility, reputation, crisis communication

Volume 4 Number 3

  • Editorial
    Simon Beckett, Publisher
  • Risk is a result of human behaviour: Leveraging behavioural analytics to strengthen internal controls
    Arvind Mehta, Vice President, EXL

    Behavioural analytics is an area of data analytics that focuses on providing insight into the actions of people (eg system configurations, data download, hiring, approvals) which, if collected and analysed, can help proactively identify the intentions of an insider who looks vulnerable and can pose a risk to the organisation. Behavioural analytics is used to identify opportunities that can manage risk and proactively identify and realise specific business outcomes.
    Keywords: fraud, audit analytics, insider threat, threat agent, audit issues, internal audit, cyber risk, behavioural analytics

  • Insider threat programmes: Time to hit restart
    Jadee Hanson, Chief Information Security Officer, Todd Thorsen, Director of Information Security and Nathan Hunstad, Principal Security Engineer and Researcher, Code42 Software

    Insider threat programmes exist to protect sensitive data and assets from internal threats. While most organisations are comfortable with setting up programmes and technologies to protect against external threats, insider threat programmes have historically been harder to implement due to difficulties with technologies and with creating the partnerships necessary to achieve success. Now that so many organisations face distributed working environments and increasing cloud-based collaboration tools, insider threat programmes are both more important than ever and more difficult to implement based on typical insider threat programme frameworks. To address this new reality, we propose a new insider threat programme framework that enables cross-organisational collaboration while protecting critical assets and information. This framework consists of 21 controls broken down into people, process and technology pillars. It allows an organisation to make decisions based on the risk appetite of the organisation, while staying away from strict technology requirements that hamper collaboration. By focusing on visibility of data movement instead of blocking data access, this new approach allows for appropriate levels of collaboration in a distributed environment. This paper outlines some of the challenges that exist in traditional insider threat maturity frameworks as well as in traditional prevention- and blocking-focused tools such as DLP.
    Keywords: insider threat, security, data exfiltration, data security, data loss protection (DLP), data leakage

  • The human problem behind credential theft and reuse
    Erich Kron, Security Awareness Advocate, KnowBe4

    Credentials are meant to keep accounts and information secure; unfortunately, they are failing to do this on a regular basis. The key reason for this is not the length or complexity of these credentials, but rather how people are using and protecting them. It has been estimated that within the next few years the average Internet user will have 207 accounts to keep track of. Because the human brain can only remember so many of these long, complex passwords, people have resorted to reusing them across different accounts. This means a breach at one website may expose credentials to many others. Cybercriminals know how we behave and use this behaviour against their victims. When they are unable to just use credentials from previous breaches, these attackers know that they can easily trick many people out of them by simply using fake login screens in credential phishing e-mails to collect them. This paper looks at the issues related to password hygiene and credential phishing and ways to mitigate these risks.
    Keywords: credentials, passwords, phishing, reuse, hygiene, multi-factor authentication, training, education

  • Know your suppliers: A review of ICT supply chain risk management efforts of US Government and its agencies
    Olatunji Osunji, Technical Lead for Security Analytic and Automation, World Bank Group and Doctoral Student, Marymount University

    Every government and enterprise relies on a network of suppliers spanning the globe. This ecosystem of suppliers has been made more complex by the reliance of organisational processes and services on information and communication technologies (ICT). With the awareness that the supply chain is serving as a medium in the cyberattack kill chain, it has become necessary to intensify efforts to mitigate the risks inherent in the supply chain of these technology products and services by striving to know who our suppliers really are. The aim of this paper is to review some of the efforts by the US Government and its agencies in reducing the occurrence and impact of supply chain risk on ICT products and services, and how organisations within the private sector can leverage these efforts to incorporate the ICT supply chain into their enterprise risk management strategy, with emphasis on knowing who their suppliers are.
    Keywords: supply chain risk management, cyber security, NIST, cybercrime, CISA, know your suppliers, threat, cyber security strategy

  • International principles for boards of directors and cyber security
    Larry Clinton, President and CEO, Internet Security Alliance

    As threats emanating from poor cyber security have grown, calls for boards of directors to become more involved have also grown. The exact role of the board, as opposed to management, in this new field has been murky, however, and effective steps at the board level have not previously been clearly defined. The Internet Security Alliance (ISA), in conjunction with organisations representing corporate board members and governments on four continents, conducted grounded research involving hundreds of directors, senior management, government and academic responders. The ISA research generated a series of open source cyber risk handbooks. The handbooks articulated a common set of five core principles and practical steps to implement them. This paper discusses these principles, which include items boards need to be aware of in their own operations, as well as delineating the board’s role in setting expectations for management. Although the core principles were supported by all participating organisations, adaptations were required to reflect differences in culture, board structure and law. The principles depart in significant ways from many commonly held assumptions about addressing cyber risk. For example, the very first principle is that boards need to conceptualise cyber security not as an ‘IT issue’ but as a broader risk management issue. Other principles urge boards to understand their unique legal obligations and access appropriate expertise. Boards are also urged to consider restructuring their cyber security management teams away from their current IT focus and to urge management to adopt new cyber risk assessment techniques conceptualising cyber risk in empirical and economic terms. Although not part of the ISA research, the paper reports on an independent assessment PwC conducted on use of the handbooks. PwC’s ‘Global Information Security Survey’ reported that use of the handbooks generated higher budgets, better risk management and closer alignment between cyber security and business goals, and helped generate a culture of security.
    Keywords: cyber security, effective, principles, boards, international

  • Cyber security for smart cities: End-to-end cyber security strategy for IoT connected services
    Moh Cissé, CEO, M6C Project and Senior GRC Consultant, Hydro-Quebec

    A smart city is an urban agglomeration which capitalises on information technologies (IT) and artificial intelligence (AI) facilities to offer special services to its community and visitors. These range from more complex services such as energy production, road traffic management, civil security and territorial administration, to simpler services such as household waste management or free Internet in parks, libraries, shopping centres and other public places. To achieve this integration of management, an important step is to install sensors that are essential for collecting data. The collection of information to manage sensitive infrastructure via IT services comes with security risks, however. The impact of cyber security breach risks linked to these data collection and storage activities can be dramatic, depending on the type of service: power plants, water management systems, automated or driverless trains, vehicle traffic management systems, etc. These types of service, due to IT and AI evolution, are increasingly the victims of attacks by cyber criminals, especially the industrial control system (ICS)/supervisory control and data acquisition (SCADA) and smart grid networks. These networks are nowadays prime targets for professional hackers, cybercriminal organisations, or even competitors who want access to inside privileged information. To illustrate the interest in this type of attack on these networks, we can cite malicious programs such as Stuxnet, Dragonfly and BlackEnergy3, which damaged the Ukraine SCADA network with major consequences for energy production and distribution. Ukrainian private energy companies were victims of the attack, which resulted in total blackouts in at least eight regions of the country. Stuxnet has also been used to destroy a large part of the centrifuge fleet used by Iran for its uranium enrichment programme, etc. The rise of electric vehicle (EV) smart cities is based on smart grid infrastructure and IT — a combination that can lead to increased cyber security risks to the electricity network as well as for fast-charging stations. The purpose of this paper is to identify the most sensitive systems in smart cities, describe potential risks associated with these systems, and propose mitigation mechanisms to reduce associated cyber security risks.
    Keywords: smart city, Internet of Things (IoT), smart grid, smart building, green city, autonomous city, smart electricity, security operations centre (SOC), cyber security, risk, audit, vulnerability, log, monitoring

  • Identifying cyber security risks in Spanish airports
    Lázaro Florido-Benítez, Lecturer, University of Malaga

    Spanish airports are exposed to a series of threats associated with the massive use of information and communications systems, which support the vast majority of their business processes. This study focused on cyberattacks that may occur from malicious actions in the future, as the incorporation of smart applications in airports introduces new vulnerabilities. With the motive of increasing cyber security awareness among all airports’ stakeholders, we have tried to expose in a simple and understandable way the key issues of cyber security at airports. This is a continuous and mutable battle that destabilises physical and digital security, privacy and data protection, cyberattacks and national operability. Two key factors are influencing the security of the airport environment and the tourist destination: the Internet of Things (IoT), and a deficit of interoperability and regulation when communicating a vulnerability. There are no 100 per cent safe spaces: the risks exist and we have to prevent them. The objective of this research project is to study the dangers and vulnerabilities of Spanish airports and to classify which enemies we face, in order to increase the levels of security and make better decisions in an environment where the control of logistics and passenger safety are vital.
    Keywords: airport, cyber security, interoperability, Internet of Things (IoT), vulnerabilities, risk

Volume 4 Number 2

  • Editorial
    Simon Beckett, Publisher
  • Industrial Internet of Things: From preventive to reactive systems — redefining your cyber security game plan for the changing world
    Lesley Kipling, Chief Cybersecurity Adviser, Microsoft

    Information technology (IT) and operational technology (OT) share a common set of technologies, but these platforms differ greatly in operational life cycle requirements, potential life/safety impact, and security assurance requirements for confidentiality versus availability. A new generation of OT platforms, called the Industrial Internet of Things (IIoT), offers both challenges and opportunities to forge new connections between the cyber and physical worlds. The urgency to connect these worlds from a security visibility perspective is high, as attackers can and will attack any connected platform; the classic OT security strategy of air-gapping devices does not adapt well to this new generation of connected devices. As a plethora of devices and systems are connected to allow for IIoT innovation, the increased number of endpoints makes protecting these devices ever more challenging even as they give ample opportunity for attackers. The vital importance of securing devices that run critical infrastructure or life-saving devices is paramount, and proactive and reactive elements must work together to protect, detect and automate response to threats using cloud scale and machine learning to amplify human intelligence.
    Keywords: zero trust, automated remediation, machine learning, anomaly detection, automated response, digital twins

  • The complexity of performing cyber audits in the space sector along the supply chain
    Jose Ramon Coz Fernandez, Cyber Internal Auditor, European Space Agency and Vicente José Pastor Pérez, Head of Cyberspace Situational Awareness, NATO Cyberspace Operations Centre

    Cyber audits are not at all easy to perform. The number of dependencies present in modern systems makes the process truly complicated, and the findings, when available, are difficult to interpret and understand. The increasing trend to subcontract large parts of a programme or project hides some of those dependencies and other details under a huge number of contracts and other legal documentation which, in some cases, obliges the auditor to become a real documentation archaeologist in search of the Holy Grail. The required security controls span across those documents, and the responsibility of one or the other party in the supply chain within a complex programme is not always obvious. The mission is clear, however, and the auditor needs to ensure that the processes, controls and safeguards are in place as originally designed, regardless of the added complexity. In this paper, the authors introduce the concept of cyber audits, explain some of the factors that contribute to the complexity of projects in the space sector along the supply chain, and describe tools that can assist in the audit process, before concluding with some recommendations to be taken into account to facilitate the process.
    Keywords: cyber audits, space, complexity, audit tools, supply chain

  • Cheetahs, COVID-19 and the demand for crypto-agility
    Michael Thelander, Director of Product Marketing, Venafi

    ‘Digital transformation’ means many things to the different stakeholders who drive today’s business and technical strategies. For the business manager it means creating hyper-responsive, always-on, multichannel paths to profitably engage with customers and partners. For the technologist it means leveraging the newest capabilities in cloud delivery, application development and DevOps tooling, and doing it faster and more economically than ever before. But in all of these cases, digital transformation relies on the underlying foundation of well-protected ‘machine identities’, as well as the technologies that create them, such as TLS certificates, SSH keys, API keys and code-signing certificates. These, in turn, all rely on cryptography: the process of ‘constructing and analysing protocols that prevent third parties or the public from reading private messages’ while also assuring safe machine-to-machine authentication. This paper focuses on the increasingly critical need for an organisation’s cryptographic processes to be agile. Readers will learn what ‘agile’ means to them, and how it leads to a kind of cryptographic flexibility they can leverage whether they deliver applications and services through new cloud architectures, traditional on-prem environments or hybrid models. They will learn how this agility can rapidly replace cryptographic algorithms, tools or providers that have been compromised, without affecting the availability or integrity of the applications or services they enable. They will also learn how organisations can control costs and limit their dependency on third-party services, all while maintaining a robust posture around their rapidly increasing population of machine identities.
    Keywords: cryptography, SSL/TLS, encryption, SSH, certificate authority, code signing

  • Cyber leadership across a business ecosystem
    Matthew Doan, Senior Manager, Boston Consulting Group

    This paper makes the case that cyber leaders need to take a proactive, ecosystem-based leadership approach to have the influence and impact that their organisation requires of them.
    Keywords: leadership, strategy, design, influence, value

  • A framework for fostering a dynamic information security culture
    Renay Carver, Operations and Technology Strategist, Veritable Associates

    This paper proposes how organisations may attend to key factors influencing organisational culture to facilitate and nurture a well-prepared information security culture. Organisational culture is the formative part of organisational behaviour, establishing the social interaction norms, best practices and processes required to achieve organisational objectives. In defining what organisational culture is, and by recognising what a worthy culture should entail, companies may increase opportunities to detect problems, design solutions and develop healthier environments. Employees have accord in decision making and experience a shared understanding of how to accomplish organisational goals. The organisation’s cultural orientation dictates the acceptable system and leadership behaviours expected to effectively achieve enterprise strategy; ultimately, employee behaviour and interaction become defined by such orientation. Attempts to change organisational culture are problematic, since organisational culture often lives on long after founders depart, leaders exit, and products and services cease. Hence, organisational culture may become static. Understanding the organisation’s culture is valuable in managing responses to security challenges, since awareness of the organisation’s cultural profile helps in recognising the organisation’s readiness in dealing with dynamic security hazards. Information security culture, a sub-culture of organisational culture, represents the employee’s behaviour and attitude toward information security. The Information Security Culture Framework offers a model to assess the status (resiliency and readiness) of the organisation’s information security culture and mitigate security issues heightened by human error. Adopting a dynamic information security culture fosters the beneficial change necessary to confront and diminish security threats. By promoting information security consciousness and focused security awareness to address dynamic information security threats, organisations may achieve a robust information security culture.
    Keywords: organisational culture, information security culture, information security awareness, training, change management, human behaviour

  • Vulnerabilities on the wire: Mitigations for insecure ICS device communication
    Michael Hoffman, Principal Industrial Consultant, Dragos

    Modbus transmission control protocol (TCP) and other legacy ICS protocols ported over from serial communications are widely used in many ICS verticals. Due to extended operational ICS component life, these protocols will be used for many years to come. Insecure ICS protocols allow attackers to potentially manipulate programmable logic controller (PLC) code and logic values that could lead to disrupted critical system operations. These protocols are susceptible to replay attacks and unauthenticated command execution. This paper examines the viability of deploying PLC configuration modifications, programming best practices and network security controls to demonstrate that it is possible to increase the difficulty for attackers to maliciously abuse ICS devices and mitigate the effects of attacks based on insecure ICS protocols. Student kits provided in SANS ICS515 and ICS612 courses form the backdrop for testing and evaluating ICS protocols and device configurations.
    Keywords: ICS, OT, Protocols, PLC, automation, Modbus

  • The landscape from above: Continuous cloud monitoring for continuous assurance
    Fouad Khalil, Corporate Compliance Executive

    The concept of monitoring information system security has long been recognised as sound and valuable management practice. For additional consideration, a large portion of compliance requirements for information security and privacy are supported by such monitoring. Security programmes must be aligned with privacy and compliance programmes to ensure those areas of data protection compliance are appropriately met and monitored, and then actions based on maturity levels must be aligned with information assurance programmes. Some key areas to consider in information security programmes include: 1) Continuous assurance (full data life cycle, continuous monitoring, continuous awareness, continuous compliance, challenges, benefits); 2) continuous supply chain management (continuous vendor management and oversight, benefits, challenges); 3) continuous cloud assurance (private cloud, community cloud, public cloud, hybrid cloud); and 4) continuous improvement (what is involved and necessary, including actions, monitoring and metrics). This paper posits that organisations, building out their digital transformation strategies, must think strategically about the way in which they manage privacy compliance in the cloud, committing to a data-driven continuous assurance privacy programme which would provide a more robust compliance posture.
    Keywords: continuous, compliance, cloud, technology, assurance, cyber security

Volume 4 Number 1

  • Editorial
    Simon Beckett, Publisher
  • Taking risk to the edge of acceptable
    Steve Williamson, Director, GlaxoSmithKline

    This paper discusses evolving technology architectures, such as cloud and edge computing, which enable the development of smart systems that interact with their environment and make human-like decisions. These are Internet of Things (IoT) devices with embedded artificial intelligence (AI) functionality. Furthermore, these are relatively quick to build due to the availability of reusable software components and high-availability processing resources. AI simulates a broad range of human specialisations, such as medical diagnosis, driving and speech recognition. The benefits of AI are transformational, but the consequences of failure can be catastrophic. New technologies introduce new threats and the need for new safeguards. The paper analyses the challenge for our industry, which is to enable the benefits of AI, while ensuring risks are maintained at an acceptable level. This can be achieved by adopting a security by design approach to new product development. This is a discipline that helps identify threats and ensures appropriate safeguards are engineered into the product from the start. The paper discusses how, if we are to safely realise the game-changing benefits of AI, security by design will have to become normal practice in product engineering.
    Keywords: artificial intelligence (AI), data poisoning, edge computing, security by design, attack trees, Watson, DeepMind

  • Consider the consequences: Understanding and limiting physical impacts caused by an ICS cyberattack
    Richard Wyman, Professional Control Systems Engineer, CS 7 Consulting

    Industrial control systems have significantly improved the quality of life for most of the world’s population by controlling manufacturing processes that produce high-quality products at lower costs. Many products would be impossible to manufacture without the speed and accuracy provided by these computerised marvels. They are also crucial in transporting people (airlines, trains, public transport) and information (voice and data), as well as supporting essential utilities such as electricity, gas, water and sewage. Computerised control systems have also improved operating safety, resulting in fewer injuries, deaths, environmental impacts and equipment damage. Because of their potential to shut down critical infrastructure and cause physical damage, however, they have become high-value targets for cyberattacks. This paper explores the relationship between cyber exploit and physical impact and how engineers and IT specialists can use this understanding to build more robust control systems and processes. It also describes a recently patented controller architecture that prevents the malicious modification of control algorithms from a remote adversary.
    Keywords: ICS cyber security, cyberattacks, physical impacts, risk analysis

  • Effectively integrating physical security technology into the operational technology domain
    Matthew Wharton, President, Strategic Accounts Guidepost Solutions

    The operational technology (OT) domain has historically been an area of sensitivity primarily within the industrial (manufacturing, petrochemical, medical) and critical infrastructure (power, water, utility, data, telecommunication) markets. Recent compromises of OT have expanded the exposure to loss from this domain into more core corporate markets, including pharmaceutical, technology, logistics/supply chain, software, banking/finance, retail, warehouse/distribution and commercial office. This paper argues that a holistic countermeasure implementation programme must be put in place and managed as a core competency within the overall cyber security posture of an organisation in order to effectively mitigate threats to this domain. It advises that physical security controls must be a priority within this posture to effectively control access to the on-site assets that manage OT. The control strategy put forward in this paper introduces two key attributes. The first is to apply physical security controls to protect OT, which may require an expansion of the locations at a site where these controls are deployed. The second is to treat physical security assets as OT so that they fall under the same level of network segmentation, threat management, version control and access management as core OT assets.
    Keywords: operational technology (OT), convergence, physical security, cyber security, process control, SCADA, robotics, manufacturing security

  • Users are an intelligence source: Are you leveraging them in your detection strategy?
    Tonia Dudley, Security Solutions Advisor, Cofense

    Users are a built-in army of cyber defenders — if they are properly educated and conditioned to do the right things. From entry-level clerks to C-level executives, employees whose jobs have little to do with IT or security nonetheless perform critical tasks, making them a target for phishing attacks. While over the years organisations have done a commendable job of making users ‘aware’ of phishing, too often security professionals blame people for security failures. In this paper, learn the many reasons why the blame game is not fair. Discover how phishing has evolved faster than most organisations have adapted. Learn the most common forms of phishing today and why it is imperative to train employees not only to recognise phish but to report them, quickly and easily. See the importance of reiteration and developing ‘muscle memory’ in training, along with the value of communicating back to employees who flag e-mails that seem suspicious. Frequency matters in phishing awareness — the stats bear this out. Organisations that run phishing simulations at least monthly are twice as resilient to phishing attacks as those that simulate less often. Further, grasp the value of user-generated phishing intelligence to security operations. This paper examines how prompt notification by vigilant users enables security operations centre (SOC) teams to respond to phishing threats faster, reducing dwell time and protecting networks. Gain an understanding of how a human-centric phishing defence fills the gaps left by secure e-mail gateways, which cannot catch every phish, and by security orchestration, automation and response (SOAR) solutions. Threat actors are patient, methodical and smart. They use the most powerful machine ever — the human brain. Discover how honing users’ intuition flips the script, turning phishing targets into active defenders, whose success is easily measured, maintained and improved.
    Keywords: phishing, security awareness, threat intelligence, change behaviour, resiliency, data breach

  • Think like a hacker: Reducing cyber security risk by improving API design and protection
    Gerhard Giese, Senior Manager, Akamai Technologies

    Application programming interface (API) traffic now dominates the Internet. Unlike traditional web forms, APIs are faster and more powerful, but often do not get the correct protection — expanding the security risk for organisations. APIs connect people, places and things to create seamless integrations, richer experiences and new revenue models. This paper shows that when an API is misused, the exposure to an organisation can be significant. The paper discusses why it is no longer safe to assume that APIs will be used as intended or will remain hidden enough to prevent unauthorised access or abuse. To stay ahead of the next cyber security exploit, API developers need to start thinking like a hacker. The paper promotes a proactive approach to identifying, designing, managing and protecting APIs that minimises the attack surface and prevents damaging data breaches.
    Keywords: API, attack surface, apps, Internet of Things (IoT), pen testing, hacking, web security

  • The challenge of assessing strategic cyber security risk in organisations and critical infrastructure
    Charles Harry, Associate Research Professor, University of Maryland

    The increasing threat of cyberattacks against systemically important institutions and critical infrastructure continues to highlight the need to improve the defence and resilience of organisations. The US government focuses its defence strategy on applying a risk-based approach to optimise the allocation of scarce resources across federal networks and promotion of best practice for critical infrastructure. This paper discusses the framing national policy and the core methodological challenges facing practitioners who seek to implement such an approach. The paper defines three key areas of fundamental challenge: 1) defining tiers, categories, and severity measures of end effect; 2) linkage of devices to organisational processes; and 3) a mechanism for connecting organisations together to analyse emergent societal effects. This approach is broadly applied to an example of commercial airline operations identifying the interconnection between key functions in the production chain that, if disrupted, lead to strategic effects in the critical infrastructure sector.
    Keywords: risk, critical infrastructure, cyber strategy, interdependence

  • What the market is not telling you about the cyber security skills shortage
    Karla Reffold, Founder, BeecherMadden

    In this paper, we examine the common myths surrounding the reasons for the skills gap within cyber security. Many common beliefs are repeated on social media, fuelling the belief that the market is not moving on or solving common problems. Issues such as low salaries and unachievable job descriptions are often quoted but are rarer than we would all believe. With research spanning the past six years, we examine what professionals in cyber security actually value in a job search. We also examine options to close the skills gap more quickly than is generally considered possible. Rather than focusing on attracting school or university leavers, it is possible to reduce the gap from other talent pools. Finally, we look at whether and why talent does leave the industry, questioning whether the negative press about the culture of security teams is actually contributing to the skills gap or whether people are simply choosing a different way of working.
    Keywords: skills gap, talent, retention, recruitment, careers, jobs

  • Non-traditional cyber adversaries: Combatting human trafficking through data science
    Danielle Borrelli, Operations Coordinator, California Cybersecurity Institute and Program Lead, Trafficking Investigations Hub and Sherrie Caltagirone, Founder and Executive Director, Global Emancipation Network

    Human trafficking is a complex and challenging global crime exacerbated by the use of technology. This paper begins by discussing how traffickers utilise technology for scalability, anonymity and profitability, as the Internet, social media platforms and encrypted messaging make the recruitment, exploitation and monetisation of an individual a low-risk, high-reward enterprise. It goes on to describe how counter-trafficking efforts are often siloed approaches, resulting in decentralised information and analysis on the size and scope of trafficking in persons. It presents resources and tools, such as the human trafficking kill chain methodology and Artemis, a machine learning (ML) human trafficking risk classifier, which show promising disruption tactics that may also be applied to other asymmetrical threats. Recommendations for centralised data collection methods, interagency collaboration and cybersecurity-adjacent legislation are also made.
    Keywords: trafficking, sexual exploitation, cyber, adversaries, data