Volume 7 (2023-24)

Each volume of Cyber Security: A Peer-Reviewed Journal consists of four 100-page issues published both in print and online.

Volume 7 Number 3

  • Editorial
    Simon Beckett, Publisher
  • Practice papers
    Consequence is not enough: The role of cyber intelligence in improving cyberattack estimates
    Sarah Freeman Chief Engineer for Intelligence, Modeling and Simulation, MITRE and Mark Bristow, Director of MITRE’s Cyber Infrastructure Protection Innovation Center

    Intelligence assessments continue to emphasise adversary ability and desire to hold critical infrastructure at risk. At the same time, the field of cyber threat intelligence is predominantly focused on a review of past cyberattacks to yield insights into future risk. Few researchers focus on methods to improve assessments of adversary capability and intent or address the need for more proactive, predictive analysis. This paper identifies some of the existing weaknesses in cyber threat intelligence analysis and provides some recommendations for how organisations can more comprehensively consider their cyber risk.
    Keywords: risk management; threat intelligence; critical infrastructure; impact-driven analysis

  • Improving likelihood calculation by mapping MITRE ATT&CK to existing controls
    Gerald Beuchelt, Chief Information Security Officer and Sonal Agrawal, Director of Governance, Risk and Compliance, Sprinklr

    Assessing the likelihood of threats is notoriously difficult for assessors. This paper will demonstrate a new, evidence-based approach to leverage existing security control assessments in determining likelihood of specific MITRE ATT&CK adversarial tactics, techniques and procedures (TTPs). Through automation, we can develop organisation-specific threat profiles for known adversaries and assist in strategic security programme management.
    Keywords: risk management; likelihood; cyber security; NIST; MITRE ATT&CK; strategy; threats; vulnerabilities; security controls
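The abstract above describes deriving the likelihood of specific ATT&CK techniques from existing control assessments and rolling those up into per-adversary threat profiles. The following is an added illustration of that idea, not the authors' method or data: the technique-to-control mapping, the assessment scores, the adversary technique lists and the scoring rule (each mapped control is an independent chance to stop the technique) are constructed assumptions. The ATT&CK technique IDs and NIST SP 800-53 control IDs are real identifiers, but the pairing between them here is illustrative, not an authoritative mapping.

```python
"""Likelihood of ATT&CK techniques derived from control assessment results.

Added example: the mapping, assessment values, adversary profiles and the
scoring rule are constructed for illustration and are not the method or data
of the Beuchelt/Agrawal paper.
"""
from collections import defaultdict

# Assumed (illustrative) mapping of ATT&CK technique IDs to NIST SP 800-53
# control IDs that mitigate or detect them. IDs are real; the pairing is
# a constructed example, not an authoritative mapping.
TECHNIQUE_CONTROLS = {
    "T1566": {"AT-2", "SI-8", "SI-3"},   # Phishing
    "T1078": {"IA-2", "AC-2", "AC-6"},   # Valid Accounts
    "T1059": {"CM-7", "SI-4", "SI-7"},   # Command and Scripting Interpreter
    "T1486": {"CP-9", "SI-3", "SI-4"},   # Data Encrypted for Impact
}

# Constructed control-assessment output: 0.0 = not implemented,
# 1.0 = fully effective; values in between stand for partial implementation.
ASSESSMENT = {
    "AT-2": 0.9, "SI-8": 0.5, "SI-3": 0.8,
    "IA-2": 0.3, "AC-2": 0.6, "AC-6": 0.2,
    "CM-7": 0.4, "SI-4": 0.7, "SI-7": 0.0,
    "CP-9": 1.0,
}

# Constructed adversary profiles: techniques each actor is known to use
# (in practice sourced from ATT&CK group data or internal intelligence).
ADVERSARIES = {
    "actor-A": ["T1566", "T1078", "T1486"],
    "actor-B": ["T1078", "T1059"],
}


def technique_likelihood(technique, assessment=ASSESSMENT,
                         mapping=TECHNIQUE_CONTROLS):
    """Probability that a technique succeeds against the current controls.

    Scoring rule (an assumption of this example): each mapped control is an
    independent chance to stop the technique, so the technique gets through
    only if every control fails: P(success) = prod(1 - effectiveness_i).
    A control with no assessment result is treated as absent (effectiveness 0).
    """
    controls = mapping.get(technique, set())
    if not controls:
        return 1.0  # nothing mapped, so nothing is assumed to stop it
    p = 1.0
    for c in sorted(controls):
        p *= 1.0 - assessment.get(c, 0.0)
    return round(p, 4)


def threat_profile(adversary, adversaries=ADVERSARIES, **kw):
    """Per-adversary ranking of techniques by residual likelihood."""
    scores = {t: technique_likelihood(t, **kw) for t in adversaries[adversary]}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def weakest_controls(adversary, adversaries=ADVERSARIES, assessment=ASSESSMENT,
                     mapping=TECHNIQUE_CONTROLS, top=3):
    """Controls whose improvement would cut likelihood across the most of this
    adversary's techniques: sum the effectiveness gap over every technique
    the control is mapped to, then rank."""
    impact = defaultdict(float)
    for t in adversaries[adversary]:
        for c in mapping.get(t, set()):
            impact[c] += 1.0 - assessment.get(c, 0.0)
    return sorted(impact.items(), key=lambda kv: kv[1], reverse=True)[:top]


if __name__ == "__main__":
    for actor in ADVERSARIES:
        print(actor, threat_profile(actor), weakest_controls(actor))
```

With the constructed numbers, T1078 (Valid Accounts) comes out as the most likely technique for both actors because its mapped controls are the weakest, and AC-6 and IA-2 top the remediation list for actor-A. The independence assumption is the part to challenge in a real programme: controls that share a failure mode (the same EDR agent, the same identity provider) should not be multiplied as if independent.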

  • Purple Teaming: A comprehensive and collaborative approach to cyber security
    Erik Van Buggenhout, Head of Managed Services, NVISO

    This paper introduces Purple Teaming as a comprehensive and collaborative approach to cyber security, emphasising the need for organisations to adapt their cyber security testing methodologies in response to evolving cyber threats. Traditionally, cyber security efforts were divided into offensive (Red Team) and defensive (Blue Team) units; however, the concept of Purple Teaming has gained prominence, advocating for the integration of these units to create a dynamic and cooperative cyber security environment. The paper covers various topics including the significance of adversary emulation, the role of the MITRE ATT&CK framework in standardising communication, the value of traditional Red Team exercises and how Purple Teaming activities can complement these exercises. It differentiates between types of Purple Teaming activities and proposes an approach and architecture to support continuous Purple Teaming efforts. Adversary emulation, a key aspect of Purple Teaming, involves replicating the tactics, techniques and procedures (TTPs) of real-world threat actors to evaluate an organisation’s defences. The paper outlines how, when properly combined, Red and Purple Team efforts can significantly enhance an organisation’s capability to proactively improve its preventative, detection and response mechanisms against adversary tactics. Through its comprehensive coverage, the paper underscores the vital role of Purple Teaming in modern cyber security, highlighting its potential to foster a more resilient and proactive security posture for organisations.
    Keywords: Red Teaming; Purple Teaming; adversary emulation; BAS; security operations

  • Issues to consider relating to information governance and artificial intelligence
    Mark Brett, Visiting Fellow, Cyber Security Centre, London Metropolitan University

    Information governance and policy guidance will be essential for effectively deploying artificial intelligence (AI) in the business world. This paper considers some of the aspects relating to AI which need to be considered. The paper highlights some of the current work being conducted in UK local government. It will look at the UK government strategy for AI and consider some of the issues relating to AI policy and governance. The paper offers an approach for organisations and other researchers to develop their own AI assurance and governance framework. The future work section explores some of the areas in which there is a need for future work and research.
    Keywords: UK Local government; AI policy; AI governance; AI supply chain; Purple Team approaches

  • How can national policies support the development and implementation of coordinated vulnerability disclosure?
    Valéry Vander Geeten, Head of Legal, DPO, Centre for Cybersecurity Belgium

    Every computer system or network may contain vulnerabilities. Therefore, vulnerability handling and disclosure are key elements of the cyber security technical, operational and organisational risk management measures of every organisation that develops or administers network and information systems. Coordinated vulnerability disclosure (CVD) policy or bug bounty can enable organisations to work together with well-intentioned people (ethical hackers) who look for and report vulnerabilities. The fear of being sued or the limited scope of the CVD can prevent such a collaboration. In the context of the implementation of the NIS2 directive, member states of the European Union will have to address the challenges posed by CVD processes. As a first attempt, Belgium has already adopted a national policy which includes a legal framework protecting vulnerability reporters and a coordinator role for its national computer security incident response team (CSIRT).
    Keywords: cyber security; coordinated vulnerability disclosure; ethical hacking; vulnerability management

  • Online Potemkin villages: Discovering a Russian influence operation on social media
    Patricia Bailey, Senior Intelligence Analyst, Orbis Operations

    State-sponsored influence operations are a significant and ongoing problem on social media platforms, which are constantly playing whack-a-mole with an ever-evolving adversary. When distinguishing an influence operation from real users, the key principle is to look for signs of ‘coordinated inauthentic behaviour’ (CIB), which are anomalous behaviours that set a group of accounts apart from authentic users. When numerous CIB indicators are present in a network or account, and when the messaging fits certain patterns and parameters, we can more confidently assess it to be part of an influence operation. These detection principles were applied to unmask a multilingual Russian influence operation, sponsored by the Russian state-sponsored media outlet RT (formerly Russia Today). The network began on Telegram in April 2022 and then migrated to X (formerly Twitter), promoting multilingual video content to legitimise the invasion of Ukraine and to justify the annexation of four Ukrainian oblasts in September 2022. This paper offers analysis on the network’s strategic geopolitical messaging, the specific CIB indicators we observed, its connections to Russian embassies on various levels, the languages it boosted the most, and an update on the network’s current ongoing activity on X.
    Keywords: influence operation; disinformation; propaganda; social media; Russia; RT; Telegram; Twitter
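The abstract above rests on the principle that several coordinated-inauthentic-behaviour (CIB) indicators together, rather than any one alone, justify assessing a set of accounts as an influence network. The block below is an added example of that principle, not the paper's analysis or its data: the posts are constructed, and the two indicators used (identical text posted within a short window, and account creation dates clustered together) plus the scoring weights and threshold are assumptions chosen to show how weak signals combine.

```python
"""Scoring accounts for coordinated inauthentic behaviour (CIB) indicators.

Added example, not the analysis or data from Bailey's paper. The posts are
constructed; the indicators, weights and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (account, created, posted, text). Accounts a1-a4 were
# created within a day of each other and post identical text within seconds;
# u1 and u2 are ordinary users for contrast (u2 shares the text hours later).
POSTS = [
    ("a1", "2022-04-02", "2022-04-10T09:00:01", "Watch: the truth about Donbas"),
    ("a2", "2022-04-02", "2022-04-10T09:00:04", "Watch: the truth about Donbas"),
    ("a3", "2022-04-03", "2022-04-10T09:00:06", "Watch: the truth about Donbas"),
    ("a4", "2022-04-03", "2022-04-10T09:00:09", "Watch: the truth about Donbas"),
    ("a1", "2022-04-02", "2022-04-11T09:00:02", "New video out now"),
    ("a2", "2022-04-02", "2022-04-11T09:00:05", "New video out now"),
    ("u1", "2019-06-14", "2022-04-10T12:31:00", "lunch was great today"),
    ("u2", "2020-11-02", "2022-04-10T18:05:00", "Watch: the truth about Donbas"),
]

WINDOW = timedelta(seconds=30)        # assumed "near-simultaneous" window
CREATION_CLUSTER = timedelta(days=2)  # assumed account-age cluster width


def _ts(s):
    return datetime.fromisoformat(s)


def duplicate_post_groups(posts=POSTS, window=WINDOW):
    """Group posts with identical text published within `window` of the
    first post in the group. Returns {text: [set(accounts), ...]} with one
    account set per time cluster; singleton clusters are dropped."""
    by_text = defaultdict(list)
    for acct, _, posted, text in posts:
        by_text[text].append((_ts(posted), acct))
    groups = {}
    for text, items in by_text.items():
        items.sort()
        clusters, current, start = [], set(), None
        for t, acct in items:
            if start is None or t - start > window:
                if len(current) > 1:
                    clusters.append(current)
                current, start = set(), t
            current.add(acct)
        if len(current) > 1:
            clusters.append(current)
        if clusters:
            groups[text] = clusters
    return groups


def cib_scores(posts=POSTS, window=WINDOW, cluster=CREATION_CLUSTER):
    """Per-account CIB score: +1 for each coordinated duplicate-post event the
    account took part in, +1 if at least three accounts (itself included)
    were created within `cluster` of its own creation date."""
    score = defaultdict(int)
    for clusters in duplicate_post_groups(posts, window).values():
        for accts in clusters:
            for a in accts:
                score[a] += 1
    created = {acct: _ts(c) for acct, c, _, _ in posts}
    for a, ca in created.items():
        near = [b for b, cb in created.items() if abs(ca - cb) <= cluster]
        if len(near) >= 3:
            score[a] += 1
    return dict(score)


def flag_network(posts=POSTS, threshold=2):
    """Accounts whose combined indicators reach `threshold` (an assumption)."""
    return sorted(a for a, s in cib_scores(posts).items() if s >= threshold)


if __name__ == "__main__":
    print(cib_scores())
    print(flag_network())
```

Note how u2, who reposted the same slogan hours later, never enters the score table: a single shared message is not coordination, whereas a1 and a2 accumulate three indicators. Real analysis adds many more signals (shared profile imagery, follower overlap, posting-hour distributions), but the combination logic stays the same.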

  • Caught in the web: Pitfalls of electronic communications
    E. J. Yerzak, Managing Director, Salus GRC

    This paper explores the regulatory interest in and examination focus on electronic messaging at financial institutions. The regulatory landscape for recordkeeping at broker-dealers and registered investment advisers is discussed in the context of enforcement actions for alleged recordkeeping failures. Practical considerations are offered to enable compliance professionals to monitor and supervise electronic messaging.
    Keywords: electronic communications; recordkeeping; off-channel communications; monitoring; cybersecurity; messaging

  • Case study
    The EU cyber security skills academy: A silver bullet to address the cyber security skills gap in the European Union?
    Despina Spanou, Head of Cabinet of European Commission Vice-President Margaritis Schinas, European Commission

    The economic, social and security imperative of addressing the cyber security skills gap, further exacerbated by recent crises and the evolving nature of cyber threats, is now widely acknowledged as a key priority to ensure the resilience of our digital economies and societies. This paper explores the potential of the proposed EU Cybersecurity Skills Academy, introduced by the European Commission (EC) as a flagship of the European Year of Skills in April 2023, to address this challenge in the European Union (EU). With an increasing shortage of cyber security professionals, the paper highlights the expected upsurge in demand for cyber security experts in the face of new EU cyber security legislation. The diversity of the expertise required, especially in non-technical fields, poses a unique challenge. At the same time, existing initiatives at both national and EU levels lack coordination and synergy, hindering their impact on the EU job market. This paper outlines how the EU Cybersecurity Skills Academy can offer a comprehensive solution to this challenge by providing a one-stop shop for cyber security training and funding offers across Europe and addressing the mismatch between available skills and market needs. The Academy’s pillars, which cover knowledge generation and training, stakeholder involvement, funding and progress measurement, are further detailed. The paper concludes with a set of recommendations for the EU cyber security ecosystem in order to help make this initiative a success and a potential model for replication in other parts of the world.
    Keywords: European Union; Cybersecurity Skills Academy; cyber security skills; education and training; funding; stakeholder involvement

Volume 7 Number 2

  • Editorial
    Simon Beckett, Publisher
  • Reducing complexity in cyber security architecture: A practical model for security classifications
    Eleni Richter, Chief Architect IDM, Energie Baden-Württemberg

    Building and running cyber security in both worlds, modern cloud security in combination with legacy on premises, introduces extra complexity. Some of the well-known security patterns and models are not applicable in cloud systems, while modern security models like zero trust (ZT) barely fit into legacy systems. Security technologies and tools are the subject of constant enhancements and adaptations to their environment. They can make security decisions on a very fine-grained basis. The corresponding rule sets and policies are becoming more and more decentralised, detailed and complex. Introducing modern security models such as ZT or micro-perimeters reinforces this effect. The overall situation makes it hard for the responsible person to control the cyber security situation and the staff operating cyber security systems and technologies. Both are overwhelmed by the mass of fine-grained, fragmented and distributed security workloads. This paper introduces a practical model for security classifications in cyber security environments. The main goal of the model is to reduce complexity and keep cyber environments manageable. The model delivers not only a cyber risk classification regarding a single business application but works as an integrated view over risks for complete cyber environments.
    Keywords: cyber security classification; complexity reduction; cloud; legacy systems; OT systems

  • How processes affect IT systems and business complexity, and what correlations are present
    Reidar J. Boldevin, Senior Manager – Cyber and Privacy, PwC Norway

    This paper is a deep dive into the subject of the current author’s presentation, ‘De-cluttering your identity space’, delivered at Identity Day Norway in March 2023, and at the KuppingerCole European Identity and Cloud conference in May 2023, respectively. The paper focuses on identity and access management/identity governance and administration (IAM/IGA) and approaches the subject of IT systems in a broader context.
    Keywords: complexity; cost; architecture; security; rationalisation; governance; automation; culture

  • Cyber security culture as a strategic asset
    Glendon Schmitz, Chief Information Security Officer, Virginia Dept of Behavioral Health and Developmental Services

    Governments and companies rely heavily on information technology (IT) to perform even the most basic functions of the business. The technology is, however, only a piece of an overall strategy that must be considered for success. The need for a strong cyber security culture is an equally vital part. So how does the modern cyber security professional create, nurture and sustain such a culture across the organisation? With over 69 per cent of cyber-aware trained employees knowingly bypassing security controls to conduct their critical business functions and achieve their objectives quicker, the answer to a more secure environment is not just the addition of more security technology, but cultivating a culture of cyber judgment to empower and enable the business to fulfil its mission in the most secure way possible without hindering outcomes. This paper delves into the importance of cyber security in today’s digital landscape, and suggests ways to overcome the challenges and develop a successful cyber security culture as a strategic asset.
    Keywords: cyber security culture; AI; talent; security friction

  • The vital importance of a successful threat intelligence programme
    Yochai Corem, CEO, Cyberint

    Many organisations are currently wide open to cyber attacks. Effective intelligence is the only direct tool organisations have to significantly reduce cyber risk, as it involves taking the fight direct to the cybercriminals. This paper first describes the three layers of threat intelligence: data collection, analysis of collected intelligence and, most crucially, negating the impact of incoming threats. The paper describes how any threat intelligence that does not result in immediate remedial action is irrelevant to an organisation’s needs. The paper describes how a combination of human and machine forms effective intelligence gathering. Few organisations have the resources needed to build a truly successful threat intelligence platform. The paper outlines a few basic criteria that organisations must look for in a cyber security provider. The paper concludes that taking the fight directly to the cybercriminals, and being able to predict incoming attacks with maximum accuracy, is a crucial first line of defence against cyber attacks, and that it is vital that the new threat intelligence platform enables truly impactful intelligence in order to control and reduce the organisation’s overall business risk — the aim of any cyber security strategy. The paper concludes it is essential that new threat intelligence platforms are designed to deliver accurate and actionable information that is relevant to the organisation concerned.
    Keywords: cyber attacks; cyber risk; threat intelligence; AI; HumInt; threat intelligence platform; cyber security strategy

  • Why policy-based authorisation is critical for identity-first security
    Gal Helemski, Co-Founder & CPO, PlainID

    The enterprise perimeter is changing; it is now about data objects, application programming interfaces (APIs), microservices and applications. In this evolving, decentralised and highly segmented world, security and identity access management (IAM) leaders find themselves struggling with a security methodology to address their concerns — specifically to answer the very basic question: Who has access to what and when? Identity-first security is emerging as the most effective way to answer these concerns, by placing identity at the centre of the security design. This paper will cover the ‘why’ of identity-first security, what is important to know and consider, and then the ‘how’ it can be achieved. The paper argues for this methodology and presents a detailed flow of why modernised policy-based authorisation is crucial for identity-first security. The paper is directed to security and IAM professionals and leaders who want to learn more about how security and identity are tightly coupled and the way to get there with policy-based authorisations.
    Keywords: identity-first security; PBAC; policy-based authorisation; authorisation; identity-aware security

  • A case for public support for vulnerability disclosure policies
    Francesco Bordone, Manager for Cybersecurity Policies, European Cyber Security Organisation

    This paper makes a case for public administrations to give fiscal incentives to companies that have internal processes in place to manage vulnerabilities in their digital environments. It presents an exploration of the importance of implementing a vulnerability disclosure policy (VDP) and the potential benefits of government fiscal contributions to companies adopting such policies. It emphasises the significance of fostering a culture of transparency, collaboration and enhanced cyber security through responsible vulnerability disclosure practices. By incentivising organisations to adopt a VDP, governments will strengthen threat detection and response capabilities, foster public-private partnerships, promote national and international cyber resilience and ultimately achieve economic and societal benefits. By providing financial support, governments could transform cyber security departments from cost centres to profit centres that would attract the interest of the management and lead to more resource allocation. In some cases, governments use legislation to push top-down the adoption of VDPs. This approach is normally adopted for sectors that are considered critical for society, but it seems impractical to replicate for all businesses and organisations that are not critical, simply because the government would not have the resources to enforce such a measure. Thousands of companies and organisations that are not critical could still benefit from adopting a VDP, making society as a whole more resilient. This paper argues that the right approach towards VDP consists of combining the ‘stick’ of legislative obligations with the ‘carrot’ of fiscal and financial support to companies and organisations to generate large-scale bottom-up support for VDP adoption.
    Fiscal or financial support from public institutions to private organisations that have procedures in place to manage vulnerabilities could be a game changer and transform cyber security departments into profit centres able to attract more private resources internal to the company. Another element that could help wider adoption of VDP would be a legal shield for both companies that adopt a VDP and cyber security researchers that report vulnerabilities through this system. To strengthen the resilience of a digital society, it is important that laws on computer crime distinguish between someone that hacks into a computer system with malicious intent and someone that does it to identify weaknesses and report them to the owner of the system. Cyber security researchers that act in good faith provide an invaluable positive contribution to cyber security and must not feel discouraged or intimidated by legislation or prosecutors.
    Keywords: vulnerability disclosure; public policies; fiscal support; VDP; CVD; bug bounty; investments in cyber security; resilience

  • The post-breach threat landscape and the need for an ‘effective’ compliance programme
    Brian Mitchell Warshawsky, Director, University of California

    In today’s rapidly evolving cyber security landscape, organisations face a multitude of threats beyond traditional hackers and state actors. The aftermath of a data breach involves not only the immediate response and recovery efforts on the part of the breached organisation but also a complex web of regulatory and legal consequences. This paper delves into the often-overlooked challenges posed by regulatory enforcement and the potential collateral damage that organisations may face following a breach. By understanding these aspects, organisations can develop effective compliance programmes that mitigate risks and protect against legal repercussions.
    Keywords: data breach; GRC; governance; risk and compliance; enforcement; cyber risk

  • How to get your board and executive team cyber-ready and achieve a culture of cyber security from the board down: The CEO Method for breach prevention: Part 1
    Andrzej Cetnarski, Chairman, CEO, Founder, Cyber Nation Central

    Most boards and executive teams do not know how to achieve a culture of cyber security in their organisations, which puts company assets and ROI at risk. Many also do not know how to behave securely in all areas of their lives, much less what their role in driving the cyber security strategy of their organisation is or should be, which further drives up the risk. Given that culture always starts at the top, this paper, published in two parts across consecutive Journal issues, teaches CEOs, board chairs, their CISOs, as well as other board directors, C-suite executives and their investors, the CEO-driven yet decentralised, board-down method for breach prevention, getting all board directors and C-suite executives cyber-ready to execute their part and creating a culture of cyber security from the board down, thus also helping organisations alleviate the pressure on CISOs as the focal point of creating and sustaining cultures of cyber security and serving as an indispensable complement to CISOs’ work of cyber-securing the IT and OT infrastructure of organisations. This method, called The CEO Method™, was invented by global tech and defence investment banker, entrepreneur, US Congressional adviser, Wharton and Harvard alum Andrzej Cetnarski, Chairman, CEO and Founder of Cyber Nation Central®, a global cyber security protocol education, insights and advisory company dedicated to creating cyber-secure-by-design boards, executive teams and organisations.
    Cetnarski invented The CEO Method™ and its protocol process in response to a fatal breach of his first venture, where even the most cyber-secure technology and best-performing CTO were not able to prevent a breach caused by lack of understanding by the board, C-suite and blue-chip investors of what a true culture of cyber security entailed, allowing the threat actors to take advantage of the still-very-typical-of-boards-and-investors-today gap in cyber security knowledge and awareness, further exacerbated by a still-CISO-centric approach to cyber security. In so doing, this paper also teaches its readers the process for bridging the widening gap between CISO, regulatory compliance and technology as ‘the answer’ versus actual hacker-deterrent cultures of decentralised cyber security, individual ownership of cyber-specific fiduciary roles and tactical responsibilities, ‘partnership with’ instead of ‘over-reliance on’ the CISO and mastery of individual risk and response, individual cyber security and organisational cyber-strategy and each board director’s and executive’s role in it. Part 1 of the paper (this issue) covers the answers to ‘Why and how should CEOs, board chairs and CISOs treat breach prevention readiness differently than they are now?’, ‘Why and how is the core concept of cyber security different than what most boards and C-suites think it is?’ and ‘What do boards and C-suites need to be doing differently to close the gap between the 37.5 per cent chance of breach and US$10mm average cost of breach and actual breach deterrence?’ Part 2 of the paper (next issue) covers the three-part, six-step Process for Creating a Culture of Cyber Security from the Board Down, including a comparison between the market’s current CISO-centric approach versus The CEO Method™, as well as results to be expected from both approaches.
    By the end of Part 2, readers will have learned what ingredients CEOs, board chairs, directors and non-CISO executives need to be deploying in their own cyber roles to build a culture of cyber security from the board down, and do so in a way that critically complements (but does not replace) what the CISO is doing, thus providing organisations with an actual chance of preventing a breach.
    Keywords: breach prevention; cyber acuity; North Star; culture of cyber security; CISO-centric approach; hacker-deterrent cultures; decentralised cyber security

Volume 7 Number 1

  • Editorial
    Simon Beckett, Publisher
  • European cyber security law in 2023: A review of the advances in the Network and Information Security 2 Directive 2022/2555
    Charanjit Singh, Assistant Head, Principal Lecturer in Financial Law, Barrister-at-Law, University of Westminster

    Cyber security capabilities must be designed to mitigate attacks and threats to key network and information systems and ensure continuity in service provision, contribute to the security and effective functioning of economies and societies, and the Network and Information Security 2 Directive (NIS2) seeks to strengthen the European Union (EU) approach to this. Advances in artificial intelligence (AI) have revolutionised industries including banking (FinTech), law (RegTech), insurance (InsureTech), charities (CharityTech) and health (HealthTech). The EU understands this and has therefore introduced the requirement for member states to embrace AI, as a cyber security tool used to protect against and prevent cyber security attacks/threats. The purpose of this paper is to review the NIS2 and the changes it makes to the European approach to cyber security including the use of AI, and the implications for businesses subject to the new rules. The subject is explored through an analysis of literature, EU law and policy documentation. This paper critically reviews a significant advent in European cyber security and technology law: the advances created by the NIS2 Directive, which are considered alongside other key legislation that came into force in January 2023. In addition, the UK’s contrasting evolving position is also critically reviewed. The paper concludes with several practical suggestions on the steps, if any, that businesses should take as at April 2023. The NIS2 makes some significant inroads to close security gaps that existed in the EU cyber security-related legislative framework; importantly, it creates a requirement for the use of AI in the EU’s cyber security defence armoury. Businesses need to undertake several steps in preparation for full implementation of the NIS2. This research is among the first to review key advances made in EU cyber security and technology law, and to contrast that with the UK position as at April 2023. It is also the first to discuss the likely powers of competent authorities, and the potential results of breaching other EU legislation such as the General Data Protection Regulation (GDPR).
    Keywords: cyber security; artificial intelligence; EU law; NIS2; cyberthreat; UK law

  • From stress to success: Neuroscience-informed training for cyber security first responders
    Carol Barkes, Conflict & Communication Advisor, Boise State University and Colby Jones, Litigation Attorney, Cordell Law

    This paper proposes a neuroscience-informed approach to training cyber security first responders for disaster preparedness. By incorporating insights from neuroscience research, organisations can develop training strategies that promote stress resilience and enhance decision-making under pressure. The training programmes and techniques proposed herein are not exclusive to a certain personnel role within the response team but are generalisable to all within an organisation facing stressors from large scale disasters requiring timely emergency response. As each organisation has its own particular response team protocols for various types of cyber security emergencies, the authors have suggested approaches to training, particularly as it relates to stress resilience, that are more easily scalable, generalisable and adaptable.
    Keywords: neuroscience; training; disaster; stress; cyber security; preparedness

  • CIO and CISO collaboration for a shared vision that enables a cyber-resilient future
    Nastassja van den Heever, Chief Information Security Officer, First National Bank South Africa

    This paper provides an alternative perspective on how to manage cyber resiliency within an organisation, utilising common customer relationship management principles and techniques. Arguably two of the most important principles would be to ‘listen and understand’ one’s customer (‘understand all stakeholders within a process’, ‘understand the implementation cycles’, ‘understand the business challenges’, ‘understand the true requirements and outcomes a customer hopes to achieve’, ‘understand importance of requirements in relation to existing priorities’, ‘understand the strategy’, and many more examples). Organisations utilise sales management processes to drive profits, and CISOs could benefit from following similar processes or utilise common metrics in achieving the same success with information technology and, more importantly, security operational outcomes. This does require a degree of cultural open-mindedness and does not take away from the knowledge, training, experience and understanding required as a cyber security professional. Rather it focuses direction to reigniting the passion for the job, while trying to navigate the many challenges cyber security professionals face today.
    Keywords: resiliency; strategy; alignment; context; data; structure

  • Cryptography works — but needs a system-wide view
    Keith Martin, Professor, Information Security Group

    Cryptography lies at the heart of most cyber security technologies, providing the core security services that enable notions of security to be constructed in cyberspace. Cryptographic algorithms are based on mathematics and increasingly subjected to such demanding levels of scrutiny that established cryptographic algorithms rarely fail from a theoretical perspective. Cryptography exists, however, to support practical information systems. It is thus necessary to take a system-wide view when assessing the effectiveness of cryptography in delivering security in cyberspace. This paper considers the wider system within which cryptography is deployed, identifying the most common points of failure, where even use of strong cryptographic algorithms may fail to deliver intended security. The paper also discusses the possible impacts of some future developments. The core message is that cryptography works, but only if the wider system in which it is deployed is given full consideration.
    Keywords: cryptography; cryptographic algorithms; key management; Snowden revelations
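The abstract above argues that established algorithms rarely fail in theory and that the failures lie in the surrounding system, key management included. The block below is an added example of one such system-level failure and is not from Martin's paper: it builds a stream cipher from HMAC-SHA256 in counter mode (a standard PRF-in-CTR construction, chosen so the example needs only the Python standard library; the same failure applies unchanged to AES-CTR or AES-GCM), then reuses a (key, nonce) pair for two messages. The primitive is sound; the reuse is the mistake, and the code shows exactly what an attacker holding one plaintext recovers. Messages, key sizes and nonce sizes are constructed for the example.

```python
"""Strong primitive, broken system: keystream reuse.

Added example, not from Martin's paper. The stream cipher is HMAC-SHA256 in
counter mode (standard PRF-in-CTR); the same nonce-reuse failure applies to
AES-CTR or AES-GCM. Messages and sizes are constructed for illustration.
"""
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block_i = HMAC-SHA256(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream. No authentication tag: a real
    deployment needs a MAC as well, a second system-level point of failure."""
    return bytes(p ^ k for p, k in zip(plaintext,
                                        keystream(key, nonce, len(plaintext))))


decrypt = encrypt  # XOR is its own inverse


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_with_crib(ct1: bytes, ct2: bytes, known_plaintext2: bytes) -> bytes:
    """Attacker knows (or guesses) message 2. With the nonce reused both
    ciphertexts share a keystream, so ct1 XOR ct2 == pt1 XOR pt2 and the
    unknown pt1 falls out without touching the key."""
    return xor(xor(ct1, ct2), known_plaintext2)


def demo():
    key = os.urandom(32)
    nonce = os.urandom(12)
    pt1 = b"transfer 100 EUR to account 42"   # secret
    pt2 = b"transfer 100 EUR to account 17"   # attacker-known crib

    # The mistake: the same key AND the same nonce for two messages.
    ct1 = encrypt(key, nonce, pt1)
    ct2 = encrypt(key, nonce, pt2)
    leaked = recover_with_crib(ct1, ct2, pt2)

    # Correct use: a fresh nonce per message; the crib now yields only noise.
    ct1_ok = encrypt(key, os.urandom(12), pt1)
    ct2_ok = encrypt(key, os.urandom(12), pt2)
    not_leaked = recover_with_crib(ct1_ok, ct2_ok, pt2)
    return leaked, not_leaked, pt1


if __name__ == "__main__":
    leaked, not_leaked, pt1 = demo()
    print("nonce reused, recovered:", leaked == pt1)
    print("fresh nonces, recovered:", not_leaked == pt1)
```

Nothing about HMAC-SHA256 (or AES) is weakened here; the nonce-management rule that the system around the cipher must enforce was simply not enforced. Counter-based or random nonces drawn from a managed source, and a key rotation policy that keeps the number of messages per key far below the birthday bound of the nonce size, are the system-wide controls that decide whether the algorithm delivers its security.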

  • Legacy apps to cloud: A risk-based approach
    Naresh Sharma, Head of IT Risk and Security, Cathay Pacific Airways

    Legacy systems or applications constitute a certain portion of the IT systems running in an organisation. The percentage of these legacy systems varies depending on the IT maturity, IT vision, roadmap, business needs and compliance or legal requirements faced by organisations. In some cases, organisations run key operations on legacy systems because of the nature of their business or the upstream/downstream requirements of that application. Managing legacy applications puts a heavy burden on IT budgets and, with organisations moving their applications to the cloud, legacy applications will need to be considered to meet these long-term goals. Legacy systems come with their own challenges and moving them to the cloud does alleviate some of them, but it needs thorough planning along with comprehensive risk management. This paper provides insights on the challenges coming from legacy systems, planning their migration to supported systems on-premise or embarking on a cloud journey, and how to run an effective risk management programme that will enable enterprises to take risk-based decisions.
    Keywords: legacy systems; risk management; EOL/EOS; migration; application rationalisation; migration patterns; culture; regulatory/compliance

  • Exploring the practicalities and quality of pentesting at scale: Globally, pentest coverage is increasing but remains insufficient
    Jay Paz, Senior Director Pentester Advocacy & Research and Caroline Wong, Chief Strategy Officer, Cobalt

    Over the course of the last two years, we have seen cybercrime increase during the COVID-19 pandemic and beyond. But despite this increase, most organisations do not do enough pentesting to combat cyberattacks. This paper explores the practicalities and quality of pentesting at scale to help organisations understand the importance of implementing a pentesting programme. Too often, development, security and operations work in silos. Organisations must work together to create a cohesive partnership. As an industry, we must decide that we want to fix things, and then we have to do it. It is not going to be easy, but it is simple. We need to work together — security practitioners and engineers — to collaboratively decide that it is important enough to get asset inventory right. Organisations must decide that it is important enough to update their software, install patches when software is vulnerable and implement a pentest programme. Security leaders must decide to look for the vulnerabilities that are exploitable and find them and fix them.
    Keywords: cyber breaches; security testing; pentest; pentest program; pentesting-as-a-service; PtaaS

  • Approaches to cyber security in small and medium-sized businesses (SMBs): Why it needs to change
    Simon Newman, Chief Executive Officer, Cyber Resilience Centre for London

    Over the last decade, the growth in technology has created numerous opportunities for businesses to improve efficiency, develop new products and services and reach new customers. But it has also provided an opportunity for the criminal fraternity to find new, and incredibly lucrative, ways of targeting victims from anywhere in the world. This has led to cybercrime becoming one of the fastest-growing types of crime affecting individuals, businesses and third-sector organisations alike. For example, in England and Wales, official government statistics show the number of cybercrime incidents has risen by 89 per cent in the past year alone. This paper describes the effect cybercrime has on small and medium-sized enterprises (SMEs), in particular those at the smaller end of the spectrum. The paper explains why SMEs are among the most vulnerable to a breach or an attack and what challenges they face against this growing threat. The paper also describes what the UK government is doing to support SMEs specifically.
    Keywords: SME; cyber security; phishing; cyber breach; cyberattack; supply chains; cyber resilience

  • Beyond detection: Uncovering unknown threats
    George Chen, Head of Threat Hunting, PayPal

    Threat management is essential for ensuring an organisation’s security, but traditional strategies often only address known threats, leaving the organisation vulnerable to unknown threats. To be well equipped against advanced cyberattacks, a proactive approach beyond detection that uncovers unknown and emerging threats is necessary. This paper proposes a comprehensive approach to threat management involving the partnership between the threat detection, threat hunting, threat intelligence and threat exposure teams. Various approaches for hunting unknown threats are explored, including simulation, forensics, threat modelling, incident pivoting, deception, and a process to hunt once and automate. Insights detailed in this paper will also help organisations make informed decisions on resources and practices around threat hunting. The proposed strategy emphasises the need for a proactive and iterative approach to threat management, allowing organisations to stay ahead of adversaries and be prepared for unknown threats.
    Keywords: threat hunting; threat detection; unknown threats; data breach; threat management