Volume 7 (2023-24)

Each volume of Cyber Security: A Peer-Reviewed Journal consists of four 100-page issues published in both print and online. 

Volume 7 Number 4

  • Editorial
    Simon Beckett, Publisher
  • Practice papers
    A guide to evaluating AI vendors: Key questions to mitigate security risks
    Davi Ottenheimer, Vice President of Trust and Digital Ethics, Inrupt

    The proliferation of Generative AI (GenAI) marketing claims has thrust businesses into high-stakes decisions amid evolving societal attitudes towards emerging technologies. Exercising caution is paramount, however, given the prevalence of forward-looking assertions by nascent artificial intelligence (AI) vendors regarding future capabilities. This paper advocates for a pragmatic approach, underscoring the significance of tackling immediate safety concerns while manoeuvring through the realm of AI solutions. With insights gleaned from over five decades of AI evolution, the paper highlights the cyclical nature of AI’s allure and underscores the importance of drawing lessons from past cycles. It champions a methodical assessment of risks associated with adopting generative AI solutions, stressing the imperatives of transparency and accountability. A pivotal suggestion is to demand tailored AI solutions from vendors, ensuring that AI frameworks prioritise the welfare of data proprietors. The paper cautions against vendors putting their own interests before those of their clientele, urging readers to pose probing inquiries before committing to AI deployments. Ultimately, the paper endeavours to arm readers with the acumen and tools necessary to navigate the intricacies of AI vendor relationships. By furnishing actionable guidance on recognising and mitigating AI vendor risks, it endeavours to embolden businesses to innovate judiciously in the ever-evolving AI landscape.
    Keywords: Generative AI; GPT chatbot; data ownership; ethics; risk assessment; governance

  • Understanding and prioritising cyberattack paths amid growing organisational complexity
    Elliott Went, Senior Security Systems Engineer, SentinelOne

    This paper explores the role of attack path modelling (APM) in modern cyber security, addressing the challenges posed by the rapidly evolving digital landscape. It provides a comprehensive overview of APM frameworks and their application in identifying and prioritising potential attack paths. The challenges associated with manual APM efforts, the need for standardisation and the potential for innovation in automated APM tools are examined throughout. Drawing from real-world examples, the paper demonstrates the practical implications of APM in dissecting attack components and mitigating risks. It emphasises the dual approach of human-led APM initiatives and the integration of APM functionality in technical solutions, advocating for improved hygiene with manual and periodic APM assessments that can be optimised with advanced SecOps APM tooling. The paper serves as a general resource for all cyber security practitioners, providing insights into the historical context, frameworks and practical challenges of APM. The paper describes the significance of human-led APM initiatives, using open frameworks to enhance cyber security posture. Furthermore, the paper explores the evolving landscape of APM tools, anticipating their integration with big data platforms and artificial intelligence (AI) for comprehensive security analyses. This paper presents insights into the current state of cyber security, the practical applications of APM frameworks, and the potential future developments in APM technology.
    Keywords: attack path modelling (APM); attack framework; consolidation; digital transformation; risk assessment

  • Red Team testing: Essential KPIs and metrics
    Richard Hollis, Chief Executive Officer, Risk Crew

    This paper first discusses the diverse types of Red Team engagements and established exercise and attack frameworks and the importance of documented rules of engagement, then details the difference between metrics and key performance indicators (KPIs), and finally identifies the essential data points to be captured and compared in your next Red Team Test.
    Keywords: Red Team testing; Blue Team testing; Purple Team testing; TTP; exercise framework; attack framework; rules of engagement; KPI; metric

  • Bridging the gap between IT and OT to improve industrial cyber security
    Dino Busalachi, Chief Technology Officer and Co-Founder, Velta Technology

    Understanding cyber security risks is important for everyone. In this paper you will gain perspective on the cyber security challenges facing organisations today that operate within manufacturing and critical infrastructure industries, across their information technology (IT) and operational technology (OT) teams. You will also gain insight into potential solutions. IT teams have evolved distinctly, prioritising data security, access controls and system hardening in networked computing environments. OT teams manage and operate industrial control system (ICS) equipment with specific requirements around reliability and uptime for the purpose of ensuring physical outcomes in manufacturing or critical infrastructure production environments. IT and OT have traditionally operated separately within organisations because they serve different functions. The lack of interaction and understanding between IT and OT has led to cyber security vulnerabilities and frustration between organisations. IT may want to patch OT systems but get pushback because downtime halts production. OT may distrust IT recommendations because they have historically caused operational disruptions. This tension has caused many organisations to avoid trying to connect these two worlds; however, as digital transformation and Industry 4.0 initiatives bring IT and OT systems together, new cyber risks emerge. Industrial Internet of Things (IIoT) devices, legacy equipment, unpatched programmable logic controllers (PLCs) and obscured asset inventories create vulnerabilities. Despite their differing perspectives and priorities, however, collaboration between IT and OT is essential to secure today’s converged environments. Discover proven steps that can be taken to bridge the gaps between organisations to provide greater security across the enterprise, while strengthening internal teams and improving business outcomes.
    Keywords: ICS OT cyber security; OT security; IT OT convergence; cyber security; critical infrastructure protection; NIST cyber security

  • Analysing and managing risk from third-party OAuth application access
    Jenko Hwong, Principal Threat Researcher, Netskope

    Modern cloud application architectures allow users to dynamically grant third-party apps access to their cloud resources. When looking at a large, anonymised dataset of over 600,000 users and their approvals of over 43,000 applications, we found that organisations often are unaware of the magnitude of the access problems: on average, an organisation will grant 440 unique third-party apps access to Google data and resources; one organisation’s users approved 12,330 unique applications; out of all the approved applications, over 44 per cent have been granted access to either sensitive data or all data on the user’s Google Drive. The use of OAuth 2.0 has resulted in users creating numerous, unknown access paths from external third-party apps to organisations’ data and resources, in a way that is often hidden and unmanaged by organisations’ IT or security departments. In addition, the credentials granted to access users’ cloud data and resources often can be refreshed indefinitely. Security operations face challenges such as minimal to no tracking or management of these paths or credentials, along with immature or incomplete technical controls. This paper discusses an approach to understanding, assessing, analysing and managing third-party OAuth application risk, using anonymised real-world data as relevant examples, to provide prescriptive guidance on reducing risk associated with third-party applications.
    Keywords: OAuth; identity; data access; third-party cloud applications

  • Security testing as part of a digital assurance toolkit
    Graeme Huddy, Director, Mobius Binary

    The role of IT audit and other digital assurance functions is to provide comfort to stakeholders regarding risks and the controls that have been implemented by management to safeguard an organisation. This paper discusses the misalignment between digital assurance activities and security testing. When performing security testing from an assurance perspective, it is common for the discussion with management to focus on the number of findings, not necessarily the impact. From a security testing perspective, a single finding could result in a business compromise, or multiple low findings could be chained together to result in a more significant business impact. Citing example findings across multiple sectors and geographic locations, the paper details what security testing results often look like, related challenges in an assurance context, the difference between security testing and other assurance activities, how to get management buy-in, and key recommendations on how best to use security testing as part of a digital assurance toolkit, with the caveat that scarce specialist skills are required.
    Keywords: penetration testing; information risk management; digital assurance; IT audit; cyber security

  • The challenge of securing electric vehicle charger infrastructure
    Thomas Caldwell, Chief Technology Officer, Techniche

    With the advent of clean energy and the transformation of internal combustion engines (ICE) to battery electrical vehicles (BEV), a new generation of electric vehicle (EV) charger infrastructure connected to the power grid has emerged. Along with any infrastructure comes the responsibility of cyber security. This paper explores the attack surface of EV charger infrastructure and the various dimensions of cyber protection. Large language models (LLMs) enable new technologies such as artificial intelligence (AI). It is the early days of cyberattacks on EV chargers; however, some early attacks have already occurred. Once a critical mass of EV chargers is achieved, cyberattacks pose a more significant potential threat to our power grid and our society.
    Keywords: cyber security; cyberattacks; EV; EV chargers; power grid; AI; LLM; ISO 15118; OCPP

Volume 7 Number 3

  • Editorial
    Simon Beckett, Publisher
  • Practice papers
    Consequence is not enough: The role of cyber intelligence in improving cyberattack estimates
    Sarah Freeman Chief Engineer for Intelligence, Modeling and Simulation, MITRE and Mark Bristow, Director of MITRE’s Cyber Infrastructure Protection Innovation Center

    Intelligence assessments continue to emphasise adversary ability and desire to hold critical infrastructure at risk. At the same time, the field of cyber threat intelligence is predominately focused on a review of past cyberattacks to yield insights into future risk. Few researchers focus on methods to improve assessments of adversary capability and intent or address the need for more proactive, predictive analysis. This paper identifies some of the existing weaknesses in cyber threat intelligence analysis and provides some recommendations for how organisations can more comprehensively consider their cyber risk.
    Keywords: risk management; threat intelligence; critical infrastructure; impact-driven analysis

  • Improving likelihood calculation by mapping MITRE ATT&CK to existing controls
    Gerald Beuchelt, Chief Information Security Officer and Sonal Agrawal, Director of Governance, Risk and Compliance, Sprinklr

    Assessing the likelihood of threats is notoriously difficult for assessors. This paper will demonstrate a new, evidence-based approach to leverage existing security control assessments in determining likelihood of specific MITRE ATT&CK adversarial tactics, techniques and procedures (TTPs). Through automation, we can develop organisation-specific threat profiles for known adversaries and assist in strategic security programme management.
    Keywords: risk management; likelihood; cyber security; NIST; MITRE ATT&CK; strategy; threats; vulnerabilities; security controls

  • Purple Teaming: A comprehensive and collaborative approach to cyber security
    Erik Van Buggenhout, Head of Managed Services, NVISO

    This paper introduces Purple Teaming as a comprehensive and collaborative approach to cyber security, emphasising the need for organisations to adapt their cyber security testing methodologies in response to evolving cyber threats. Traditionally, cyber security efforts were divided into offensive (Red Team) and defensive (Blue Team) units; however, the concept of Purple Teaming has gained prominence, advocating for the integration of these units to create a dynamic and cooperative cyber security environment. The paper covers various topics including the significance of adversary emulation, the role of the MITRE ATT&CK framework in standardising communication, the value of traditional Red Team exercises and how Purple Teaming activities can complement these exercises. It differentiates between types of Purple Teaming activities and proposes an approach and architecture to support continuous Purple Teaming efforts. Adversary emulation, a key aspect of Purple Teaming, involves replicating the tactics, techniques and procedures (TTPs) of real-world threat actors to evaluate an organisation’s defences. The paper outlines how, when properly combined, Red and Purple Team efforts can significantly enhance an organisation’s capability to proactively improve its preventative, detection and response mechanisms against adversary tactics. Through its comprehensive coverage, the paper underscores the vital role of Purple Teaming in modern cyber security, highlighting its potential to foster a more resilient and proactive security posture for organisations.
    Keywords: Red Teaming; Purple Teaming; adversary emulation; BAS; security operations

  • Issues to consider relating to information governance and artificial intelligence
    Mark Brett, Visiting Fellow, Cyber Security Centre London Metropolitan University

    Information governance and policy guidance will be essential for effectively deploying artificial intelligence (AI) in the business world. This paper considers some of the aspects relating to AI which need to be considered. The paper highlights some of the current work being conducted in UK local government. It will look at the UK government strategy for AI and consider some of the issues relating to AI policy and governance. The paper offers an approach for organisations and other researchers to develop their own AI assurance and governance framework. The future work section explores some of the areas in which there is a need for future work and research.
    Keywords: UK Local government; AI policy; AI governance; AI supply chain; Purple Team approaches

  • How can national policies support the development and implementation of coordinated vulnerability disclosure?
    Valéry Vander Geeten, Head of Legal, DPO, Centre for Cybersecurity Belgium

    Every computer system or network may contain vulnerabilities. Therefore, vulnerability handling and disclosure are key elements of the cyber security technical, operational and organisational risk management measures of every organisation that develops or administers network and information systems. Coordinated vulnerability disclosure (CVD) policy or bug bounty can enable organisations to work together with well-intentioned people (ethical hackers) who look for and report vulnerabilities. The fear of being sued or the limited scope of the CVD can prevent such a collaboration. In the context of the implementation of the NIS2 directive, member states of the European Union will have to address the challenges posed by CVD processes. As a first attempt, Belgium has already adopted a national policy which includes a legal framework protecting vulnerability reporters and a coordinator role for its national computer security incident response team (CSIRT).
    Keywords: cyber security; coordinated vulnerability disclosure; ethical hacking; vulnerability management

  • Online Potemkin villages: Discovering a Russian influence operation on social media
    Patricia Bailey, Senior Intelligence Analyst, Orbis Operations

    State-sponsored influence operations are a significant and ongoing problem on social media platforms, which are constantly playing whack-a-mole with an ever-evolving adversary. When distinguishing an influence operation from real users, the key principle is to look for signs of ‘coordinated inauthentic behaviour’ (CIB), which are anomalous behaviours that set a group of accounts apart from authentic users. When numerous CIB indicators are present in a network or account, and when the messaging fits certain patterns and parameters, we can more confidently assess it to be part of an influence operation. These detection principles were applied to unmask a multilingual Russian influence operation, sponsored by the Russian state-sponsored media outlet RT (formerly Russia Today). The network began on Telegram in April 2022 and then migrated to X (formerly Twitter), promoting multilingual video content to legitimise the invasion of Ukraine and to justify the annexation of four Ukrainian oblasts in September 2022. This paper offers analysis on the network’s strategic geopolitical messaging, the specific CIB indicators we observed, its connections to Russian embassies on various levels, the languages it boosted the most, and an update on the network’s current ongoing activity on X.
    Keywords: influence operation; disinformation; propaganda; social media; Russia; RT; Telegram; Twitter

  • Caught in the web: Pitfalls of electronic communications
    E. J. Yerzak, Managing Director, Salus GRC

    This paper explores the regulatory interest in and examination focus on electronic messaging at financial institutions. The regulatory landscape for recordkeeping at broker-dealers and registered investment advisers is discussed in the context of enforcement actions for alleged recordkeeping failures. Practical considerations are offered to enable compliance professionals to monitor and supervise electronic messaging.
    Keywords: electronic communications; recordkeeping; off-channel communications; monitoring; cybersecurity; messaging

  • Case study
    The EU cyber security skills academy : A silver bullet to address the cyber security skills gap in the European Union?
    Despina Spanou, Head of Cabinet of European Commission Vice-President Margaritis Schinas, European Commission

    The economic, social and security imperative of addressing the cyber security skills gap, further exacerbated by recent crises and the evolving nature of cyber threats, is now widely acknowledged as a key priority to ensure the resilience of our digital economies and societies. This paper explores the potential of the proposed EU Cybersecurity Skills Academy, introduced by the European Commission (EC) as a flagship of the European Year of Skills in April 2023, to address this challenge in the European Union (EU). With an increasing shortage of cyber security professionals, the paper highlights the expected upsurge in demand for cyber security experts in the face of new EU cyber security legislation. The diversity of the expertise required, especially in non-technical fields, poses a unique challenge. At the same time, existing initiatives at both national and EU levels lack coordination and synergy, hindering their impact on the EU job market. This paper outlines how the EU Cybersecurity Skills Academy can offer a comprehensive solution to this challenge by providing a one-stop shop for cyber security training and funding offers across Europe and addressing the mismatch between available skills and market needs. The Academy’s pillars, which cover knowledge generation and training, stakeholder involvement, funding and progress measurement, are further detailed. The paper concludes with a set of recommendations for the EU cyber security ecosystem in order to help make this initiative a success and a potential model for replication in other parts of the world.
    Keywords: European Union; Cybersecurity Skills Academy; cyber security skills; education and training; funding; stakeholder involvement

Volume 7 Number 2

  • Editorial
    Simon Beckett, Publisher
  • Reducing complexity in cyber security architecture: A practical model for security classifications
    Eleni Richter, Chief Architect IDM, Energie Baden-Württemberg

    Building and running cyber security in both worlds, modern cloud security in combination with legacy on premises, introduces extra complexity. Some of the well-known security patterns and models are not applicable in cloud systems, while modern security models like zero trust (ZT) barely fit into legacy systems. Security technologies and tools are the subject of constant enhancements and adaptions to their environment. They can make security decisions on a very fine-grained basis. The corresponding rule sets and policies are becoming more and more decentralised, detailed and complex. Introducing modern security models such as ZT or micro-perimeter enforces the effect. The overall situation makes it hard for the responsible person to control the cyber security situation and the staff operating cyber security systems and technologies. Both are overwhelmed by the mass of fine-grained, fragmented and distributed security workloads. This paper introduces a practical model for security classifications in cyber security environments. The main goal of the model is to reduce complexity and keep cyber environments manageable. The model delivers not only a cyber risk classification regarding a single business application but works as an integrated view over risks for complete cyber environments.
    Keywords: cyber security classification; complexity reduction; cloud; legacy systems; OT systems

  • How processes affect IT systems and business complexity, and what correlations are present
    Reidar J. Boldevin, Senior Manager – Cyber and Privacy, PwC Norway

    This paper is a deep dive into the subject of the current author’s presentation, ‘De-cluttering your identity space’, delivered at Identity Day Norway in March 2023, and at the KuppingerCole European Identity and Cloud conference in May 2023, respectively. The paper focuses on identity and access management/identity governance and administration (IAM/IGA) and approaches the subject of IT systems in a broader context.
    Keywords: complexity; cost; architecture; security; rationalisation; governance; automation; culture

  • Cyber security culture as a strategic asset
    Glendon Schmitz, Chief Information Security Officer, Virginia Dept of Behavioral Health and Developmental Services

    Governments and companies rely heavily on information technology (IT) to perform even the most basic functions of the business. The technology is, however, only a piece of an overall strategy that must be considered for success. The need for a strong cyber security culture is an equally vital part. So how does the modern cyber security professional create, nurture and sustain such a culture across the organisation? With over 69 per cent of cyber-aware trained employees knowingly bypassing security controls to conduct their critical business functions and achieve their objectives quicker, the answer to a more secure environment is not just the addition of more security technology, but cultivating a culture of cyber judgment to empower and enable the business to fulfil its mission in the most secure way possible without hindering outcomes. This paper delves into the importance of cyber security in today’s digital landscape, and suggests ways to overcome the challenges and develop a successful cyber security culture as a strategic asset.
    Keywords: cyber security culture; AI; talent; security friction

  • The vital importance of a successful threat intelligence programme
    Yochai Corem, CEO, Cyberint

    Many organisations are currently wide open to cyber attacks. Effective intelligence is the only direct tool organisations have to significantly reduce cyber risk, as it involves taking the fight direct to the cybercriminals. This paper first describes the three layers of threat intelligence: data collection, analysis of collected intelligence, and, most crucially negating the impact of incoming threats. The paper describes how any threat intelligence that does not result in immediate remedial action is irrelevant to an organisation’s needs. The paper describes how a combination of human and machine forms effective intelligence gathering. Few organisations have the resources needed to build a truly successful threat intelligence platform. The paper outlines a few basic criteria that organisations must look for a cyber security provider. The paper concludes that taking the fight directly to the cybercriminals, and being able to predict incoming attacks with maximum accuracy, is a crucial first line of defence against cyber attacks, and that it is vital that the new threat intelligence platform enables truly impactful intelligence in order to control and reduce the organisation’s overall business risk — the aim of any cyber security strategy. The paper concludes it is essential that new threat intelligence platforms are designed to deliver accurate and actionable information that is relevant to the organisation concerned.
    Keywords: cyber attacks; cyber risk; threat intelligence; AI; HumInt; threat intelligence platformm; cyber security strategy

  • Why policy-based authorisation is critical for identity-first security
    Gal Helemski, Co-Founder & CPO, PlainID

    The enterprise perimeter is changing; it is now about data objects, application programming interfaces (APIs), microservices and applications. In this evolving, decentralised and highly segmented world, security and identity access management (IAM) leaders find themselves struggling with a security methodology to address their concerns — specifically to answer the very basic question: Who has access to what and when? Identity-first security is emerging as the most effective way to answer these concerns, by placing identity at the centre of the security design. This paper will cover the ‘why’ of identity-first security, what is important to know and consider, and then the ‘how’ it can be achieved. The paper argues for this methodology and presents detailed flow of why modernised policy-based authorisation is crucial for identity-first security. The paper is directed to security and IAM professionals and leaders who want to learn more about how security and identity are tightly coupled and the way to get there with policy-based authorisations.
    Keywords: identity-first security; PBAC; policy-based authorisation; authorisation; identity-aware security

  • A case for public support for vulnerability disclosure policies
    Francesco Bordone, Manager for Cybersecurity Policies, European Cyber Security Organisation

    This paper makes a case for public administrations to give fiscal incentives to companies that have internal processes in place to manage vulnerabilities in their digital environments. It presents an exploration of the importance of implementing a vulnerability disclosure policy (VDP) and the potential benefits of government fiscal contributions to companies adopting such policies. It emphasises the significance of fostering a culture of transparency, collaboration and enhanced cyber security through responsible vulnerability disclosure practices. By incentivising organisations to adopt a VDP, governments will strengthen threat detection and response capabilities, foster public-private partnerships, promote national and international cyber resilience and ultimately achieve economic and societal benefits. By providing financial support, governments could transform cyber security departments from cost centres to profit centres that would attract the interest of the management and turn in more resource allocation. In some cases, governments use legislation to push top-down the adoption of VDPs. This approach is normally adopted for sectors that are considered critical for the society, but it seems impractical to replicate for all business and organisations that are not critical simply because the government would not have the resources to enforce such a measure. Thousands of companies and organisations that are not critical could still benefit from adopting a VDP, making society as a whole more resilient. This paper argues that the right approach towards VDP consists in combining the ‘stick’ of legislative obligations with the ‘carrot’ of fiscal and financial support to companies and organisations to generate a large-scale bottom-up support for VDP adoption. Fiscal or financial support from public institutions to private organisations that have procedures in place to manage vulnerabilities could be a game changer and transform cyber security departments into profit centres able to attract more private resources internal to the company. Another element that could help wider adoption of VDP would be a legal shield for both companies that adopt a VDP and cyber security researchers that report vulnerabilities through this system. To strengthen the resilience of a digital society, it is important that laws on computer crime distinguish between someone that hacks into a computer system with malicious intent and someone that does it to identify weaknesses and report them to the owner of the system. Cyber security researchers that act in good faith provide an invaluable positive contribution to cyber security and must not feel discouraged or intimidated by legislations or prosecutors.
    Keywords: vulnerability disclosure; public policies; fiscal support; VDP; CVD; bug bounty; investments in cyber security; resilience

  • The post-breach threat landscape and the need for an ‘effective’ compliance programme
    Brian Mitchell Warshawsky, Director, University of California

    In today’s rapidly evolving cyber security landscape, organisations face a multitude of threats beyond traditional hackers and state actors. The aftermath of a data breach involves not only the immediate response and recovery efforts on the part of the breached organisation but also a complex web of regulatory and legal consequences. This paper delves into the often-overlooked challenges posed by regulatory enforcement and the potential collateral damage that organisations may face following a breach. By understanding these aspects, organisations can develop effective compliance programmes that mitigate risks and protect against legal repercussions.
    Keywords: data breach; GRC; governance; risk and compliance; enforcement; cyber risk

  • How to get your board and executive team cyber-ready and achieve a culture of cyber security from the board down: The CEO Method for breach prevention: Part 1
    Andrzej Cetnarski, Chairman, CEO, Founder, Cyber Nation Central

    Most boards and executive teams do not know how to achieve a culture of cyber security in their organisations, which puts company assets and ROI at risk. Many also do not know how to behave securely in all areas of their lives, much less what their role in driving the cyber security strategy of their organisation is or should be, which further drives up the risk. Given that culture always starts at the top, this paper, published in two parts across consecutive Journal issues, teaches CEOs, board chairs, their CISOs, as well as other board directors, C-suite executives and their Investors, the CEO-driven yet decentralised, board-down method for breach prevention, getting all board directors and C-Suite executives cyber-ready to execute their part and creating a culture of cyber security from the board down, thus also helping organisations alleviate the pressure on CISOs as the focal point of creating and sustaining cultures of cyber security and serving as an indispensable complement to CISOs’ work of cyber-securing the IT and OT infrastructure of organisations. This method, called The CEO Method™, was invented by global tech and defence investment banker, entrepreneur, US Congressional adviser, Wharton and Harvard alum Andrzej Cetnarski, Chairman, CEO and Founder of Cyber Nation Central®, global cyber security protocol education, insights and advisory company dedicated to creating cyber-secure-by-design boards, executive teams and organisations. Cetnarski invented The CEO Method™ and its protocol process in response to a fatal breach of his first venture, where even the most cyber-secure technology and best-performing CTO were not able to prevent a breach caused by lack of understanding by the board, C-suite and blue-chip investors of what a true culture of cyber security entailed, allowing the threat actors to take advantage of the still-very-typical-of-boards-and-investors-today gap in cyber security knowledge and awareness, further exacerbated by a still-CISO-centric approach to cyber security. In so doing, this paper also teaches its readers the process for bridging the widening gap between CISO, regulatory compliance and technology as ‘the answer’ versus actual hacker-deterrent cultures of decentralised cyber security, individual ownership of cyber-specific fiduciary roles and tactical responsibilities, ‘partnership with’ instead of ‘over-reliance on’ the CISO and mastery of individual risk and response, individual cyber security and organisational cyber-strategy and each board director’s and executive’s role in it. Part I of the paper (this issue) covers the answers to ‘Why and how should CEOs, board chairs and CISOs treat breach prevention readiness differently than they are now?’, ‘Why and how is the core concept of cyber security different than what most boards and C-suites think it Is?’ and ‘What do boards and C-suites need to be doing differently to close the gap between the 37.5 per cent chance of breach and US$10mm average cost of breach and actual breach deterrence?’ Part 2 of the paper (next issue) covers the three-part, six-step Process for Creating a Culture of Cyber Security from the Board Down, including a comparison between the market’s current CISO-centric approach versus The CEO Method™, as well as results to be expected from both approaches. By the end of Part 2, readers will have learned what ingredients CEOs, Board Chairs, Directors and non-CISO Executives need to be deploying in their own cyber roles to build a culture of cyber security from the board down, and do so in a way that critically complements (but does not replace) what the CISO is doing, thus providing organisations with an actual chance of preventing a breach.
    Keywords: breach prevention; cyber acuity; North Star; culture of cyber security; CISO-centric approach; hacker-deterrent cultures; decentralised cyber security

Volume 7 Number 1

  • Editorial
    Simon Beckett, Publisher
  • European cyber security law in 2023: A review of the advances in the Network and Information Security 2 Directive 2022/2555
    Charanjit Singh, Assistant Head, Principal Lecturer in Financial Law, Barrister-at-Law, University of Westminster

    Cyber security capabilities must be designed to mitigate attacks and threats to key network and information systems and ensure continuity in service provision, contribute to the security and effective functioning of economies and societies, and the Network and Information Security 2 Directive (NIS2) seeks to strengthen the European Union (EU) approach to this. Advances in artificial intelligence (AI) have revolutionised industries including banking (FinTech), law (RegTech), insurance (InsureTech), charities (CharityTech) and health (HealthTech). The EU understands this and has therefore introduced the requirement for member states to embrace AI, as a cyber security tool used to protect against and prevent cyber security attacks/threats. The purpose of this paper is to review the NIS2 and the changes it makes to the European approach to cyber security including the use of AI, and the implications for businesses subject to the new rules. The subject is explored through an analysis of literature, EU law and policy documentation. This paper critically reviews a significant advent in European cyber security and technology law: the advances created by the NIS2 Directive, which are considered alongside other key legislation that came into force in January 2023. In addition, the UK’s contrasting evolving position is also critically reviewed. The paper concludes with several practical suggestions on the, if any, steps for businesses as at April 2023. The NIS2 makes some significant inroads to close security gaps that existed in the EU cyber security-related legislative framework; importantly, it creates a requirement for the use of AI in the EU’s cyber security defence armoury. Businesses need to undertake several steps in preparation for full implementation of the NIS2. This research is among the first to review key advances made in EU cyber security and technology law, and to contrast that with the UK position as at April 2023. It is also the first to discuss the likely powers of competent authorities, and the potential results of breaching other EU legislation such as the General Data Protection Regulation (GDPR).
    Keywords: cyber security; artificial intelligence; EU law; NIS2; cyberthreat; UK law

  • From stress to success: Neuroscience-informed training for cyber security first responders
    Carol Barkes, Conflict & Communication Advisor, Boise State University and Colby Jones. Litigation Attorney, Cordell Law

    This paper proposes a neuroscience-informed approach to training cyber security first responders for disaster preparedness. By incorporating insights from neuroscience research, organisations can develop training strategies that promote stress resilience and enhance decision-making under pressure. The training programmes and techniques proposed herein are not exclusive to a certain personnel role within the response team but are generalisable to all within an organisation facing stressors from large scale disasters requiring timely emergency response. As each organisation has its own particular response team protocols for various types of cyber security emergencies, the authors have suggested approaches to training, particularly as it relates to stress resilience, that are more easily scalable, generalisable and adaptable.
    Keywords: neuroscience; training; disaster; stress; cyber security; preparedness

  • CIO and CISO collaboration for a shared vision that enables a cyber-resilient future
    Nastassja van den Heever, Chief Information Security Officer, First National Bank South Africa

    This paper provides an alternative perspective on how to manage cyber resiliency within an organisation, utilising common customer relationship management principles and techniques. Arguably two of the most important principles would be to ‘listen and understand’ one’s customer (‘understand all stakeholders within a process’, ‘understand the implementation cycles’, ‘understand the business challenges’, ‘understand the true requirements and outcomes a customer hopes to achieve’, ‘understand importance of requirements in relation to existing priorities’, ‘understand the strategy’, and many more examples). Organisations utilise sales management processes to drive profits, and CISOs could benefit from following similar processes or utilise common metrics in achieving the same success with information technology and, more importantly, security operational outcomes. This does require a degree of cultural open-mindedness and does not take away from the knowledge, training, experience and understanding required as a cyber security professional. Rather it focuses direction to reigniting the passion for the job, while trying to navigate the many challenges cyber security professionals face today.
    Keywords: resiliency; strategy; alignment; context; data; structure

  • Cryptography works — but needs a system-wide view
    Keith Martin, Professor, Information Security Group

    Cryptography lies at the heart of most cyber security technologies, providing the core security services that enable notions of security to be constructed in cyberspace. Cryptographic algorithms are based on mathematics and increasingly subjected to such demanding levels of scrutiny that established cryptographic algorithms rarely fail from a theoretical perspective. Cryptography exists, however, to support practical information systems. It is thus necessary to take a system-wide view when assessing the effectiveness of cryptography in delivering security in cyberspace. This paper considers the wider system within which cryptography is deployed, identifying the most common points of failure, where even use of strong cryptographic algorithms may fail to deliver intended security. The paper also discusses the possible impacts of some future developments. The core message is that cryptography works, but only if the wider system in which it is deployed is given full consideration.
    Keywords: cryptography; cryptographic algorithms; key management; Snowden revelations

  • Legacy apps to cloud: A risk-based approach
    Naresh Sharma, Head of IT Risk and Security, Cathay Pacific Airways

    Legacy systems or applications constitute a certain portion of IT systems running in an organisation. The percentage of these legacy systems varies depending on the IT maturity, IT vision, roadmap, business needs and compliance or legal requirements faced by organisations. In some cases, the organisations run key operations on legacy systems because of the nature of their business or the upstream/downstream requirements of that application. Managing legacy applications puts a heavy burden on IT budgets and with organisations moving the applications on cloud, legacy applications will need to be considered to meet these long-term goals. Legacy systems come with their own challenges and moving them on cloud does alleviate some of them, but it needs thorough planning along with comprehensive risk management. This paper provides insights on challenges coming from legacy systems, planning their migration to supported systems on-premise or embarking to cloud journey, and how to run an effective risk management programme that will facilitate enterprises to take risk-based decisions.
    Keywords: legacy systems; risk management; EOL/EOS; migration; application rationalisation; migration patterns; culture; regulatory/compliance

  • Exploring the practicalities and quality of pentesting at scale : Globally, pentest coverage is increasing but remains insufficient
    Jay Paz, Senior Director Pentester Advocacy & Research and Caroline Wong, Chief Strategy Officer, Cobalt

    Over the course of the last two years, we have seen cybercrime increase during the COVID-19 pandemic and beyond. But despite this increase, most organisations do not do enough pentesting to combat cyberattacks. This paper explores the practicalities and quality of pentesting at scale to help organisations understand the importance of implementing a pentesting programme. Too often, development, security and operations work in silos. Organisations must work together to create a cohesive partnership. As an industry, we must decide that we want to fix things, and then we have to do it. It is not going to be easy, but it is simple. We need to work together — security practitioners and engineers — to collaboratively decide that it is important enough to get asset inventory right. Organisations must decide that it is important enough to update their software, install patches when software is vulnerable and implement a pentest programme. Security leaders must decide to look for the vulnerabilities that are exploitable and find them and fix them.
    Keywords: cyber breaches; security testing; pentest; pentest program; pentesting-as-a-service; PtaaS

  • Approaches to cyber security in small and medium-sized businesses (SMBs): Why it needs to change
    Simon Newman, Chief Executive Officer, Cyber Resilience Centre for London

    Over the last decade, the growth in technology has created numerous opportunities for businesses to improve efficiency, develop new products and services and reach new customers. But it has also provided an opportunity for the criminal fraternity to find new, and incredibly lucrative, ways of targeting victims from anywhere in the world. This has led to cybercrime becoming one of the fastest-growing types of crime affecting individuals, businesses and third-sector organisations alike. For example, in England and Wales, official government statistics show the number of cybercrime incidents has risen by 89 per cent in the past year alone. This paper describes the effect cybercrime has on small and medium-sized enterprises (SMEs), in particular those at the smaller end of the spectrum. The paper explains why SMEs are among the most vulnerable to a breach or an attack and what challenges they face against this growing threat. The paper also describes what the UK government is doing to support SMEs specifically.
    Keywords: SME; cyber security; phishing; cyber breach; cyberattack; supply chains; cyber resilience

  • Beyond detection: Uncovering unknown threats
    George Chen, Head of Threat Hunting, PayPal

    Threat management is essential for ensuring an organisation’s security, but traditional strategies often only address known threats, leaving the organisation vulnerable to unknown threats. To be well equipped against advanced cyberattacks, a proactive approach beyond detection that uncovers unknown and emerging threats is necessary. This paper proposes a comprehensive approach to threat management involving the partnership between the threat detection, threat hunting, threat intelligence and threat exposure teams. Various approaches for hunting unknown threats are explored, including simulation, forensics, threat modelling, incident pivoting, deception, and a process to hunt once and automate. Insights detailed in this paper will also help organisations make informed decisions on resources and practices around threat hunting. The proposed strategy emphasises the need for a proactive and iterative approach to threat management, allowing organisations to stay ahead of adversaries and be prepared for unknown threats.
    Keywords: threat hunting; threat detection; unknown threats; data breach; threat management