
8 Network Security April 2020

FEATURE

Are your IT staff ready for the pandemic-driven insider threat?

Phil Chapman, Firebrand Training

As this article is being written it’s mid-March. The situation likely will have changed significantly by the time you read this, as it does by the day and even the hour. The World Health Organisation (WHO) has declared Covid-19 to be a global pandemic and the UK Government has stepped up its response from the ‘contain’ to the ‘delay’ phase. Public spaces and transport are noticeably quieter and many workplaces are getting emptier as staff members work from home.

Obviously the threat to human life is the top concern for everyone at this moment. But businesses are also starting to suffer as productivity slips globally and the workforce itself is squeezed. The UK Government’s March budget did announce some measures, especially for small and medium-size enterprises (SMEs), that will make this period slightly less painful for organisations. However, as is apparent from the tanking stock market (the FTSE 100 has hit levels not seen since June 2012), the economy and pretty much all businesses in the country (unless you produce hand sanitiser) are going to suffer. There is no time like now for the UK to embrace its mantra of ‘keep calm and carry on’ because that is what we must do if we’re going to keep business flowing.

For the IT department at large there is lots of urgent work to do to ensure that the business is prepared to keep running smoothly even if people are having to work remotely. The task at hand for cyber security professionals is arguably even larger as Covid-19 is seeing cyber criminals capitalising on the fact that the insider threat is worse than ever, with more people working remotely from personal devices than many IT and cyber security teams have likely ever prepared for.

This article will argue that the cyber security workforce, which is already suffering a digital skills crisis, may also be lacking the adequate soft skills required to effectively tackle the insider threat that has been exacerbated by the pandemic. It will first examine the insider threat, and why this has become so much more insidious because of Covid-19. It will then look into the essential soft skills required to tackle this threat, before examining how organisations can effectively implement an apprenticeship strategy that generates professionals with both hard and soft skills, including advice from the CISO of globally respected law firm Pinsent Masons, who will provide insight into how he is making his strategy work. It will conclude that many of these issues could be solved if the industry didn’t rely so heavily on recruiting graduates and rather looked towards hiring apprentices.

The insider threat

In the best of times, every cyber-professional knows that the biggest threat to an organisation’s IT infrastructure is people, both malicious actors and – much more often – employees and partners making mistakes. The problem is that people lack cyber knowledge and so commit careless actions – for example, forwarding sensitive information to the wrong recipient over email or plugging rogue USBs into their device (yes, that still happens). Cyber criminals capitalise on this ignorance by utilising social engineering tactics ranging from the painfully simple, like fake emails from Amazon, to the very sophisticated, such as CEO fraud. A contact from the industry that works at one of the world’s largest consultancies recently relayed a case of CEO fraud where a cyber criminal hacked into a CEO’s email server to learn the syntax he used. The hacker then sent a carefully crafted redemption request to the CEO’s fund manager and was able to steal £5m.

Remote working adds a new layer of complexity to the problem. In 2018, CybSafe claimed that 32% of organisations surveyed had experienced a cyber attack as a direct result of an employee working outside of the business’s security perimeter.[1] This statistic is probably conservative in contrast to what the reality would be now, with The International Workplace Group reporting last year that 50% of employees globally work away from the office at least two and a half days a week, which seems high, and this is shifting closer to the 100% mark, albeit temporarily.[2]

Working remotely brings up the same problems as bring your own device (BYOD) – if your users are working on a personal device, is this device secured with a company-sanctioned level of anti-virus software and password protection technologies? Then, personal device or well-secured work device aside, what network are they connecting to? Are they relying on a virtual private network (VPN) or their home Internet service provider (ISP) capabilities, which could be more vulnerable to infiltration than your well-fortified internal network? In addition, being physically away from the organisation usually results in a slower response to regular health-checks such as patching, updates and upgrades, so it must be a priority for businesses to establish regular and planned activities to ensure that all of this is looked after.

Taking advantage

To make matters worse, hackers are producing scams taking advantage of the Covid-19 pandemic – with Check Point finding that coronavirus-related domains are 50% more likely to install malware onto your system.[3] Some attackers have even designed specific websites that encourage visitors to download an application that will keep them updated on the latest Covid-19 news. When you download the file, a map of how the disease is spreading pops up, but a malicious binary file (using software known as AZORult) has been installed in the background. AZORult is known to steal victims’ browsing history, cookies, ID, passwords and crypto-currencies.[4] The situation is so dire that even the WHO has provided a six-step guide as to what to look out for, which includes verifying email addresses, heightened awareness around providing personally identifiable information (PII), not feeling pressured to supply and respond in these times of urgency, and reporting anything that doesn’t feel right.[5]

Cyber security teams must make sure that strict measures and policies are in place to ensure the highest level of security when staff are working from home. And if this isn’t a common practice already, now is the time to implement it – and quickly. Top strategies include requiring multi-factor authentication to log into company portals, and requiring all personal devices to be equipped with employer-provided security software and the latest software updates prior to permitting any access to remote systems. But of equal importance is ensuring that staff are equipped with the essential cyber skills needed to avoid scams – and that they follow company policy because they understand why strict measures are in place. And, funnily enough, to deal with and teach people, you need people skills!

Hard and soft skills

Before discussing the importance of people skills, it must be acknowledged that something the cyber security workforce is missing is people. UK cyber security is now worth £8.3bn and is staffed by 43,000 full-time employees.[6] However, despite this, as we’re all aware, there are not enough people to fortify organisations against cybercrime, with the average data breach costing businesses £3m.[7] The International Information System Security Certification Consortium, or (ISC)² – a non-profit specialising in training and certifications for cyber security professionals – found the global skills gap grew by 33% in 2019. Some 65% of firms have a shortage of cyber staff and the UK needs to increase its workforce by 291,000 people to plug the gap.[8]

Many organisations will assume that, because the job is technical, cyber security professionals must have a university degree to qualify. However, this simply isn’t the case and is part of the reason why we are struggling to fill the cyber security skills gap – there aren’t enough cyber security graduates to defend against the UK’s cyberthreat. The solution lies with an incredibly underestimated group of people. Apprentices become fantastic cyber security professionals, who have the technical skills that graduates have, as well as arguably better soft skills because their learning process requires them to get real-world experience working with people.

Apprentices gain a deep understanding not just of the network, but also the business and its culture. This means that, when putting a cyber security policy together, they can develop something that is bespoke to their business. It also means education and general cyber security communications can take place in the company’s tone of voice, via the medium that employees are most likely to read. This sounds simple, but sadly many businesses view education, policy and communication as an afterthought. And, as discussed earlier, this is especially important at the moment when remote working and Covid-19-themed hacks are making the organisation especially vulnerable.

Figure: Weekly registrations of coronavirus-related domain names, mostly by spammers and other cyber criminals. Source: Check Point Software.

Figure: Cyber criminals have exploited copies of the genuine Johns Hopkins University Covid-19 map on sites designed to deliver malware. Source: Reason Security.

Of course, technical knowledge is critical. Professionals must understand systems architecture and be able to identify attacks and implement relevant defences (as well as mitigate against issues). But apprenticeships can still come out tops because they enable individuals to implement new skills immediately, allowing them to put into practice what they’ve learned. Apprenticeships must not be underestimated – they are arguably the best option out there to develop the truly rounded professionals that the modern workforce needs.

The cost of apprenticeship training

A business concern may be that the difference with an apprentice is that the organisation has to help train an individual from scratch as there is a chance they’ll have no cyber security knowledge whatsoever. This is a legitimate concern because apprenticeships do require investment in time and money, but arguably no more than a good graduate scheme would.


To expand on this, the average cost of an apprentice for a company amounts to £18,000 for a one-year programme. With that, each apprentice will study towards three to four vendor certifications, as well as getting a full year’s worth of mentoring while working and developing those all-important practical skills at the same time. This approach exposes them to every nook and cranny of your systems while at the same time equipping them with the skills they need to spot threats from within. Aside from this being far less than you’d pay for the average graduate, with salaries starting around the £28,000 a year mark, apprenticeships are valuable in another, less-obvious way – retention.

Paying for apprenticeship qualifications also doesn’t need to come from your precious HR budget. The Apprenticeship Levy is a compulsory UK tax on organisations whereby those with an annual pay bill in excess of £3m keep aside 0.5% of the bill minus an additional annual ‘levy allowance’ of £15,000 which they must spend on apprenticeships.[9] Basically, organisations have a pot of money which, for many, goes untouched when it could be used to bring in new apprentices or upskill existing employees.

Implementing an apprenticeship strategy

In terms of implementing these schemes so as to have a strategy that produces the most well-rounded cyber-professionals, Christian Toon, CISO at Pinsent Masons, believes that training apprenticeships are a key part of a wider, layered approach to cyber defence within the organisation.

With regard to bringing in apprentices for the first time, he says: “It’s important to broaden your recruitment approach. Your organisation may have a recruitment rule, such as only hiring from red brick universities, but to find apprentices from all walks of life you need to move away from traditional funnels. Look out for people showing a willingness to learn – some of the best apprentices I have found have been via online forums like Twitter. Put a post out via your organisation’s profile and see what sort of responses come back to you – you will soon find that people who aren’t necessarily qualified but have a real passion for technology will emerge.”

Once you’ve found apprentices and brought them into your organisation, Toon acknowledges that there can be challenges, but flexibility is key.

“Organisations must make allowances for the development of people and of course this takes time and resources,” he says. “Especially if you are hiring younger people who have never worked in an office before, patience is absolutely essential and setting aside time for your apprentices to spend time studying as well as learning practical skills is key. In terms of giving them real-world experience, there are two ways to do this efficiently.

“First, allow them to help on tasks where they will see a demonstrable change – for example, blacklisting domains. Second, give them projects to work on independently: even better if these projects allow them to break something. I recently challenged an apprentice to work on a vulnerability assessment because with the rise of the IoT we’ve seen some new wifi networks pop up on our network. The apprentice had to scan and identify the networks, profile them to see what data was beaconing from them to identify their owners and finally, if compliant with the Computer Misuse Act, they could try to break any networks that weren’t meant to be there.”

He concludes with a call out to the industry.

“I don’t come from a traditional university-educated background,” he says, “so may be more passionate than others about the importance of supporting young people who want to get into digital roles but may find university an inaccessible route. Training more people doesn’t just benefit them, it benefits the entire industry. As Jack Lemmon said: ‘No matter how successful you get, always send the elevator back down’.”

The cyber security industry must start valuing apprenticeships as equal to, if not better than, a university degree. This argument may be controversial, especially seeing as the majority of the cyber security populace at this stage probably do come from a university background. We most definitely should not stop hiring graduates but it is of critical importance that we widen the hiring pool to also include apprentices, and those from other departments that have upskilled via digital apprenticeships.

This unique way of learning the trade equips people with both the hard and soft skills needed to fight insider threat-centric cybercrime, which is especially important at the present when Covid-19 is pushing more people than ever to work remotely. We will get through this tricky period and the cyber-challenges it is throwing at us, as long as we don’t ignore the cyber security skills gap and keep educating fantastic professionals who can defend the UK and the world against mounting cybercrime.

About the author

Phil Chapman is a senior cyber security instructor for Firebrand Training (https://firebrand.training/uk) who predominantly helps train UK law enforcement. He has 13 years’ experience as a Microsoft Certified Trainer and security specialist and five years’ experience as a military instructor. Before becoming a trainer he spent 23 years in both the Ministry of Defence and the Royal Air Force.

References

1. Jones, Connor. ‘A third of cyber attacks exploit unsecure remote working’. ITPro, 20 Dec 2018. Accessed March 2020. www.itpro.co.uk/security/32617/a-third-of-cyber-attacks-exploit-unsecure-remote-working.

2. Murphy, Hannah. ‘How remote working increases cyber security risks’. Financial Times, 8 Dec 2019. Accessed March 2020. www.ft.com/content/f7127666-0c80-11ea-8fb7-8fcec0c3b0f9.

3. Mix. ‘Coronavirus domains 50% more likely to infect your system with malware’. The Next Web, 6 Mar 2020. Accessed March 2020. https://thenextweb.com/security/2020/03/05/coronavirus-domains-malware-infect/.

4. Mehta, Ivan. ‘Hackers are using coronavirus maps to infect your computer’. The Next Web, 11 Mar 2020. Accessed March 2020. https://thenextweb.com/security/2020/03/11/hackers-are-using-coronavirus-maps-to-infect-your-computer/.

5. ‘Beware of criminals pretending to be WHO’. The World Health Organisation, 2020. Accessed March 2020. www.who.int/about/communications/cyber-security.

6. Warman, Matt. ‘UK’s booming cyber security sector worth £8.3 billion’. UK Department for Digital, Culture, Media & Sport, 30 Jan 2020. Accessed March 2020. www.gov.uk/government/news/uks-booming-cyber-security-sector-worth-83-billion.

7. Caines, Jason. ‘Kaspersky reveals magnitude of British business cyber-complacency’. Software Testing News, 14 Feb 2020. Accessed March 2020. www.softwaretestingnews.co.uk/kaspersky-reveals-magnitude-of-british-business-cyber-complacency/.

8. Green, Chris. ‘Cyber security skills gap reaches all-time high’. Firebrand Training Blog, 18 Nov 2019. Accessed March 2020. https://blog.firebrand.training/2019/11/cyber-security-skills-gap-reaches-all-time-high.html.

9. ‘Guidance: Apprenticeship funding: how it works’. Education & Skills Funding Agency, 13 Mar 2020. Accessed March 2020. www.gov.uk/government/publications/apprenticeship-levy-how-it-will-work/apprenticeship-levy-how-it-will-work.

Essentials for selecting a network monitoring tool

Cary Wright, Endace

Enterprises are increasingly aware of how essential it is to have efficient tools in place to monitor for cyber security and performance issues. However, the selection process can be daunting and some organisations are not clear on the key features to look for in a network-monitoring tool.

In 2020, we’re already seeing threats morph more and more rapidly. Standardised attack methods are being automatically synthesised into multiple, even individually customised attack vectors based on results from prior attacks. Rapidly changing attacks customised to individuals are relegating standard signature-based threat detection to basic
