How a cyber-Richter scale could benefit CISOs
Posted: March 20, 2025 Filed under: cybersecurity | Tags: CISO, cyber monitoring centre, cyber security, cybersecurity, incident response, richter scale, security, technology
The phrase “world leading” is almost comically overused. The British government misapplied it with a frequency that bordered on the absurd in its post-Brexit press statements, for example. Many corporate minnows have done the same in a bid to punch above their weight in global markets. But a new British non-profit initiative could genuinely lay claim to such a title.
The Cyber Monitoring Centre (CMC) aims to do what has never been done before: to classify cyber events impacting UK organisations on a simple 1-5 scale. The hope is that, in so doing, it could help insurers price coverage more accurately and CISOs to improve cyber resilience and incident response plans.
Why we need one
Like their global peers, UK firms are increasingly reliant on IT and OT systems to function. Yet this also exposes them to a growing risk of digital extortion, service disruption and data theft. Such events can cause severe financial and reputational damage, as well as impacting customers and citizens. Over the past year alone, UK organisations and end users have suffered significantly from the global CrowdStrike outage and a ransomware attack on NHS supplier Synnovis.
Yet up to now, there has been no standardised way to categorise such events.
“Up until now the National Cyber Security Centre’s (NCSC) incident management (IM) team, which is responsible for triaging and categorising incidents, has been where people have traditionally turned to gauge the impact of an attack,” explains Trend Micro UK cybersecurity director, Jonathan Lee. “Its system works by considering the severity of the incident and its potential impact on the UK, which then informs its response. However, this approach is based around directing the NCSC’s own resources towards managing the most significant UK cyber incidents.”
There are several reasons why measuring cyber incident severity is a challenge, argues CyXcel CEO, Edward Lewis, who helped to lead the CMC as a director during its incubation year.
“Unlike physical disasters – where financial loss, casualties, and recovery times are well understood – cyber incidents affect organisations in wildly different ways. A ransomware attack that cripples one company might barely touch another,” he tells me.
“Additionally, many incidents never get disclosed – whether due to legal concerns, regulatory pressure, or reputational risk. Even when they are reported, organisations don’t always share the full extent of the damage. That makes building a reliable severity model tough.”
Lewis adds that traditional approaches have focused too much on direct costs rather than the wider consequences of a cyber incident.
“A cyber attack doesn’t just stop at the victim. Supply chains, financial markets and even critical infrastructure can all be impacted in ways that are hard to measure,” he says.
“The CMC cuts through this by establishing a common framework for measuring severity, aggregating data across sectors, and giving CISOs and policymakers a clearer, quantified picture of cyber risk.”
What the CMC will do
The CMC’s inspiration is the Saffir-Simpson hurricane wind scale, which was designed by a wind engineer (Herbert Saffir) and a meteorologist (Bob Simpson) as a simple way to describe the potential impact of hurricanes. The CMC calculates a score from 1-5 for each qualifying cyber event, based on its financial impact to the populace and the percentage of UK businesses affected to the tune of over £1,000.
The CMC says that losses due to business interruption, data restoration, incident response, extortion, and transfer of funds, as well as “downstream impacts of a cyber event”, will be included. However, costs due to “liability, any fines or regulatory costs, apology payments, loss adjustment costs, and impacts to individuals” will not be considered in the calculations, as these aren’t often available in the immediate aftermath of an event. In any case, these costs are often “a transfer of costs, rather than the true financial cost of an event”, it argues.
Although it’s still early days, the CMC has been operating in stealth mode for a year, honing and testing its methodology, and expanding the public and private data sources with which its Technical Committee makes its all-important final assessments.
These data sources include public data from the NHS and media reports, as well as impacted organisations, and partners across incident response, breach lawyers, cybersecurity vendors, insurance claims handlers, and industry associations. It also includes event polling and industry-specific panels from the British Chambers of Commerce, and ONS Business Insights Data & Analytics and Conditions Survey (BICS) respondents. Parametrix helps with cloud monitoring and outage data, while Cirium offers insight into the impact of an event on the UK aviation industry.
The CMC is also developing a database of historical events and their impact, which will help with benchmarking, stress testing and calibrating models going forward.
“When an event occurs, we analyse the event and group the impacted organisations into those that can be modelled in a similar manner (“Archetypes”). We then collect available event data and model the financial impact to each Archetype,” the CMC says. “Through 2024 we developed models for aviation, healthcare (Synnovis event), and for widespread events (CrowdStrike event).”
Better for insurers
Given its origins as a proposal by global insurer CFC, it’s perhaps unsurprising that the centre’s output could be a major boost for the sector. It has been argued that the CMC’s cyber-event ranking system could help the industry price its policies more accurately, and improve how insurers cover “systemic incidents” which impact large numbers of businesses simultaneously. It may, for example, lead to simpler language in policies.
Assured director, Ed Ventham, is concerned the move could lead to more exclusions based on the CMC Scale, although he admits this could be better than vaguer scenario-specific exclusions which are more common today.
“We’re obsessed as an industry with systemic risk, and it feels like the sector has had a couple of lucky escapes of late,” he tells me. “But we’re generally supportive of better data being collected. I’m excited by the prospect of what the CMC will bring to the industry. There’s a good team and a lot of experienced people behind it.”
Driving black box thinking
Trend Micro’s Lee is enthused by the potential benefits for CISOs.
“It boasts all the hallmarks of the concept of ‘black box thinking’, something which has really benefited the airline industry and it is a very welcome development. Every breach should be seen as an opportunity to learn to be more resilient in the future,” he tells me.
“This culture of openness and a robust methodology of breach impact analysis goes some way to making it easier for CISOs to understand the practical steps that they could take. Ultimately, as is the mantra in the public sector, our nation needs to continuously measure and understand risk, and take a proactive approach to cybersecurity.”
CMC CEO, Will Mayes, agrees that the initiative will be a boon for CISOs, in helping them to think through incident response strategies more clearly.
“For example, if a category 5 event were to occur, their incident response or other providers may have limited capacity to support them individually, given the number of organisations impacted. A CISO should consider alternative response plans in these scenarios,” he tells me.
“The CMC also creates a common language for talking about cyber risks that will help everyone within the cyber ecosystem to communicate about events to non-experts. It will provide greater clarity and could be used by a CISO to talk to executives about potential events, and get buy-in for security investment.”
It may also help security leaders demonstrate compliance to regulators and benchmark risk posture more effectively, Mayes argues.
However, there are limitations. For one, it doesn’t take into account the potential human impact of cyber incidents such as the Synnovis breach, which led to at least two NHS patients suffering long-term harm, according to Trend Micro’s Lee.
“Indeed, former NCSC CEO, Ciaran Martin, who chairs the CMC Technical Committee, acknowledged this at the launch event. He said that, although the CMC model categorised the Synnovis supply chain attack as a category 2 incident, in societal and human impact terms he would describe it as one of the most impactful cyber-attacks the UK has experienced lately,” he says.
“We should never forget the human impact that a cyber-attack can have in today’s digitally dependent world.”
CyXcel’s Lewis adds that the effectiveness of the modelling will depend on the quality of data fed in.
“The CMC’s success depends on getting enough organisations to share data. If participation is patchy, or companies hold back critical details, the output could be less reliable,” he says. “Cyber threats are also shifting constantly. The CMC will need to adapt and refine its models over time.”
Leading the way
Despite these challenges, Lewis describes the CMC as “a huge leap forward in cyber resilience”. So could the UK finally have a world-leading, world-first cyber initiative?
“Its success will depend on continued collaboration between government, industry, and cybersecurity professionals – ensuring its insights stay sharp and actionable,” Lewis concludes.
However, the CMC’s Mayes is less circumspect.
“We’ve already received interest and demand to replicate this approach in other countries,” he explains. “In response to demand from partners, we are actively exploring potential expansion to the US.”
Where the UK leads, others follow.
This article first appeared on Assured Intelligence.
What is PS21/3? Why time’s running out to comply with the UK’s DORA
Posted: March 11, 2025 Filed under: cybersecurity | Tags: business, compliance, cyber security, cybersecurity, DORA, FCA, financial services, ISO 27001, PS21/3, security, technology
Plenty has been written about the need for financial services firms to enhance operational resilience. But most of those column inches have until now focused on the EU’s Digital Operational Resilience Act (DORA), which came into force in January – even if many UK banks may not yet be compliant. Arguably more important for a larger number of British financial services companies is the Financial Conduct Authority (FCA)’s new Policy Statement: PS21/3.
Alongside the Prudential Regulation Authority (PRA)’s Supervisory Statement SS1/21, it forms a series of exacting new requirements for the sector that must be in place by 31 March 2025. For any organisations thinking of quietly deprioritising these efforts, a “Dear CEO” letter from the FCA in early February should focus minds.
The bottom line is that the regulator expects compliance. Fortunately, ISO 27001 can help in-scope organisations to create the culture of operational resilience that the FCA, PRA and DORA demand.
Digital change means digital risk
Like most sectors, financial services has grown steadily more dependent on digital infrastructure to stay competitive and provide the seamless online experiences that customers crave. As of 2024, some 86% of UK adults used online banking, and the figure for this and mobile banking is set to continue climbing upwards over the coming years – thanks partly to the disruptive impact of fintech firms. The UK market for these businesses is set to be worth over $24bn (£19bn) by 2029.
The challenge with the growing pace of this digital transformation is the extra risk that comes with it. An increasing reliance on technology exposes banks and other firms to a greater risk of digital extortion, primarily from ransomware, while at the same time expanding the attack surface so that breaches become almost inevitable. That’s a potentially serious reputational and financial risk. According to the International Monetary Fund (IMF)’s Global Financial Stability Report, more than 20,000 attacks on the banking sector have caused losses exceeding $12bn (£9.5bn) over the past 20 years. Additionally, “extreme losses” have more than quadrupled since 2017 to $2.5bn (£2bn).
However, cyber risk does not always stem from malicious third parties. At the end of January, a major Barclays IT outage left countless customers high and dry, unable to pay taxes, bills and mortgage payments, or even access correct information on their accounts. The fallout has been predictably torrid for the high street lender, which at the time of writing had still not explained the cause of the incident.
What the FCA wants
That’s why the FCA for one appears to be keen to increase regulatory requirements around digital operational resilience in the sector. PS21/3 demands that banks, building societies, insurers, payment providers and others get the following in order before the end of March:
- Identify the organisation’s most important business services and keep them regularly under review
- Set impact tolerances for each of these services and regularly review them
- Identify and document the people, processes, technology, facilities, and information needed to deliver key services. This includes any supplier relationships which could impact the organisation’s ability to remain within impact tolerance limits
- Develop testing plans which describe how the organisation can remain within impact tolerances for each “important business service” – identifying plausible scenarios aligned to risks and vulnerabilities. This will help senior managers ensure vulnerability remediation plans are appropriately funded
- Develop and test incident response plans
- Deliver a self-assessment in line with handbook guidance to the relevant governing body. This should highlight the organisation’s journey to operational resilience, including an overview of vulnerabilities found, scenarios tested (plus their outcome), remediation plans, and the overall strategy for remaining within impact tolerances for all important business services
- Carry out regular horizon scanning to help understand new and emerging risks, and ensure the right controls are in place to detect, respond to and recover from operational disruptions
The FCA has already published some observations on current compliance efforts, which it says should help to guide financial services companies as they assess readiness and finalise PS21/3 plans. The regulator is particularly keen to ensure that third-party risk is continuously and actively managed by in-scope companies, including through testing where appropriate, and that remediation plans are fully funded. It also demands that complying organisations do not treat PS21/3 as a “once and done activity”, but instead embed its requirements into corporate culture.
How ISO 27001 can help
This is where ISO 27001 comes into its own. According to ISMS.online chief product officer, Sam Peters, there’s alignment between the standard and PS21/3 in multiple key areas, including:
Governance and Accountability
Both emphasise leadership accountability in setting and overseeing resilience strategies.
Impact Tolerance and Risk Management
Both require risk-based decision-making and setting risk thresholds to maintain resilience.
Testing and Scenario Analysis
Both require regular testing to assess and improve operational resilience so that organisations can handle disruptions effectively.
Third-Party Risk Management
Both require due diligence on third parties, although ISO 27001 provides a structured approach for managing supplier security risks.
Incident Reporting and Response
Both require incident response planning, although “ISO 27001 goes further by ensuring incident handling is documented, monitored, and improved over time,” according to Peters.
Continuous Improvement and Learning from Disruptions
Both emphasise learning from disruptions to continuously enhance resilience.
“Firms using ISO 27001 already have a solid foundation for meeting FCA resilience requirements, especially in risk management, incident response and continuous improvement,” says Peters. “By leveraging ISO 27001, financial services firms can strengthen compliance with FCA rules while enhancing their overall security posture and resilience.”
As mentioned, the new FCA rules also share core principles around operational resilience with DORA. This includes greater leadership accountability, third-party resilience, improved incident response, and “mapping critical services, identifying vulnerabilities, and setting risk thresholds,” says Peters. Although the two regimes differ in terms of scope and enforcement, this offers an opportunity for UK financial firms operating in the EU to align FCA operational resilience strategies with DORA’s, using ISO 27001 as a foundation.
This will ultimately “help streamline compliance efforts and reduce regulatory risks”, Peters concludes.
This article was originally published on ISMS.online.
How much do words matter? Why Interpol wants to stop talking about ‘pig butchering’
Posted: March 10, 2025 Filed under: cybersecurity | Tags: crime, fraud, interpol, investment fraud, news, pig butchering, romance baiting, romance fraud, scam, scams
This article originally appeared on Assured Intelligence.
Cyber crime reporting is worryingly low. According to one estimate from the Crime Survey of England and Wales (CSEW), only 13% of fraud cases are reported to Action Fraud or the police by victims. National Trading Standards reckons the figure is more like 32%.
It means estimated victim losses of $652m (£801m) to romance and confidence fraud in 2023 are likely to be just the tip of the iceberg. That’s part of the reason why Interpol wants industry to do more to encourage victims to come forward. A good start, it argues, is to change the way we refer to victims of a particularly prevalent romance/investment scam hitherto known as “pig butchering”.
But can changing the way we refer to cyber crimes really have the desired effect? Or is the policing group overthinking things?
Romance baiting is the new pig butchering
Pig butchering derives its English moniker from the Chinese word “shazhupan”, which roughly equates to “killing pig game”. It refers to the way victims are often approached on dating sites by scammers, who then try to build a trusted relationship with them – “fattening them up” for the kill. Once the fraudster has won over hearts and minds, they will then suggest their victims invest in a fake crypto scheme or similar. By the time they realise it’s all a con, it’s too late for the victim. The animal has already been metaphorically slaughtered, and their hard-earned cash is gone.
Interpol’s argument is that using such language shames victims to the point where they may not be keen on coming forward. The policing group wants “romance baiting” to enter the cybersecurity lexicon instead.
“Words matter. We’ve seen this in the areas of violent sexual offences, domestic abuse, and online child exploitation. We need to recognise that our words also matter to the victims of fraud,” says Interpol acting executive director of police services, Cyril Gout.
“It’s time to change our language to prioritise respect and empathy for the victims, and to hold fraudsters accountable for their crimes.”
Is Interpol right?
This isn’t the first time that a call has gone out to change specific cyber crime terminology. Back in 2020, the National Cyber Security Centre (NCSC) led a largely successful push to change “black/whitelist” to the more racially neutral “denylist/allowlist”. The terms “black hat” and “white hat” are far less common today for similar reasons. And the maintainers of the Python programming language replaced the terms “slaves” with “workers” or “helpers” and “master process” with “parent process”.
But does Interpol have a point about “pig butchering”? There’s certainly a case for saying that some cyber crimes can have a particular emotional impact on the individual, especially those where the victim has been betrayed by someone they thought could be trusted. It can cause distress, shame and feelings of helplessness. One victim of a historic dating scam even told researchers she felt like the experience was akin to being “mentally raped”.
Elisabeth Carter is an associate professor of criminology and forensic linguist at Kingston University London. She agrees that language can have a “huge impact” on victims and societal narratives.
“The terminology ‘pig butchering’ is used by criminals intent on harm. It is pejorative, dehumanising and it does harm victim reporting, victim self-identification, self-esteem, recovery, and harms societal narratives around fraud victimhood which also in turn feeds into barriers to reporting,” she tells me.
“Language is the very way in which criminals engage with and attack victims, using this to create an alternate reality where victims believe they are making reasonable choices, but in fact are being exploited and harmed financially and psychologically. The terms we use when communicating with the public are therefore all the more important. Far from being a distraction or overthinking, language in relation to fraud should be considered and extremely carefully selected, and only done so with an evidence-based reasoning behind it.”
KnowBe4 lead security awareness advocate, Javvad Malik, agrees up to a point.
“Kudos to Interpol for recognising the power of words. They’re not wrong – language can indeed be a barrier to reporting crimes,” he tells me. “On one hand, changing terminology could potentially confuse the public. But if the current terminology is preventing victims from coming forward, then it’s worth solving the issue.”
The power (or not) of words
Kingston University’s Carter highlights other ways in which language can in subtle ways undermine the fight against cyber crime and fraud. Although the language, manipulation and silencing tactics used by fraudsters are similar to those of domestic abusers, many people still say victims “fell for fraud” – which implies they were in some way to blame for being tricked, she argues.
“We wouldn’t say ‘don’t fall for domestic abuse’”, Carter adds. “Similarly, ‘scam’ should be avoided, as it minimises the crime, which is fraud, and ‘money you lost’ should instead be ‘money that was stolen/taken from you.’”
However, others expressed scepticism over Interpol’s calls. Silvija Krupena has over two decades of experience in financial crime prevention and is currently director of the financial intelligence unit at RedCompass Labs. She tells me that Interpol should be focusing on policing crime, not language.
“These scams are bleeding hundreds of billions annually. Do we seriously believe terminology is what’s keeping victims from reporting?” she argues. “Changing the term now adds friction, inefficiency and confusion to an already overwhelmed industry. And for what? Victims aren’t holding back because of terminology – they’re devastated, afraid and focused on recovery, not word choice.”
Krupena adds that “romance baiting” is far from ideal as a replacement, as not all pig butchering fraud involves a romance element.
The bigger picture
It is, of course, difficult to calculate just how under-reported cyber crime is. But it’s not impossible. Victim support group The Cyber Helpline estimates that, while the reporting rate for all crime is 79%, it drops to just 36% for cyber-related incidents. That’s bad news not just for the victims, but also UK PLC, because it means the perpetrators are more likely to continue operating with impunity – and may turn their attention to business targets.
If the government can’t even get a proper picture of how widespread specific crime types are, and who is committing them, it will hamper both efforts to design effective public policy, and the ability of law enforcers to track down specific offenders. It’s one of the reasons why the new Labour government has made mandatory incident reporting a key part of its forthcoming Cyber Security and Resilience Bill.
Yet there’s more to encouraging incident reporting, especially among individual victims, than changing the way certain crimes are referred to. Krupena wants to see “bold transnational awareness campaigns” focused on breaking the stigma that fraud victims are caught out because they are “stupid” in some way.
“The campaigns should educate on red flags and warning signs, protecting both victims recruited by traffickers to run scams and those targeted by them,” she continues. “These efforts must start on social media, especially Meta platforms, and then telecommunication providers; the next biggest channel. Let’s go beyond wordplay and focus on what matters – education and prevention. That’s how we disrupt the cycle of cyber crime.”
According to Home Office research from over a decade ago, which The Cyber Helpline claims is still relevant today, cyber crimes are also under-reported because of a perception that the police can’t or won’t do anything to solve them. This in turn is influenced by a perception that digital offences are not ‘real’ crimes. Victims may also not consider themselves to be such if they’ve been refunded money stolen by fraudsters.
Yet here too language may have a part to play.
“We need to avoid saying ‘you will get your money back’, as it is not the victim’s money that is coming back; that money has gone to feed criminal enterprises,” Carter argues. “We need to instead say ‘you will be made financially whole’ or ‘you will be reimbursed’, because framing it as the victim getting their money back feeds into the wider misperception that once this is done there was no harm.”
In fact, fraud causes tremendous economic and societal harm. The proceeds of fraud are often reinvested into other nefarious activities, including cyber crime, drugs, gun running and even human trafficking. The challenge is so acute that one noted think tank has described fraud as a threat to national security. In this context, gaining a more accurate picture of the scale of the problem is the first step towards tackling it.
Why remote access software could be a backdoor into your network
Posted: March 10, 2025 Filed under: cybersecurity | Tags: CISA, cyber security, cybersecurity, hacking, lateral movement, RATs, remote access software, remote access tools, security, technology
This article first appeared on ISMS.online.
Remote access software has been a popular tool for IT administrators, managed service providers (MSPs), SaaS firms and others for many years. It offers an invaluable way to remotely manage and monitor multiple IT and OT endpoints from a single, centralised location. But by the same token, these tools provide a powerful way for threat actors to bypass corporate defences and remotely access victim networks.
Whether they’re remote access tools (RATs), remote monitoring and management (RMM) products or remote administration solutions, the risk is the same. It’s time to close down a potentially dangerous backdoor into corporate IT environments.
What are RATs?
Tools like Atera, AnyDesk, ConnectWise, and TeamViewer are well-known in the IT community. Although they’ve been used for years to help admins troubleshoot problems, set up and configure machines, patch endpoints, and more, RATs really came into their own during the pandemic. Yet just as attacks on remote desktop tools ramped up during that period, we also witnessed a growing interest in remote access software as a way to bypass security tools.
They’ve even been deployed in attacks targeting individuals, where the victim is socially engineered into downloading one to their PC or mobile device to provide a fraudster with access to their banking and other accounts. This happens frequently in tech support scams and, most recently, in a sophisticated government impersonation campaign designed to steal victims’ card details.
Why are RATs attractive?
It should come as no surprise that threat actors are targeting such tools in greater numbers. They offer a useful way to blend in with legitimate tooling and processes, in a similar way to living off the land (LOTL) attacks. Because remote access software is signed with trusted certificates, it won’t be blocked by anti-malware or endpoint detection and response (EDR) tooling. Other advantages for adversaries include the fact that remote access software:
- May have elevated privileges, making initial access, persistence, lateral movement, access to sensitive resources and data exfiltration easier
- Enables threat actors to carry out intrusions without needing to spend time and money developing malware like remote access Trojans (also abbreviated to “RATs”), which security tools may identify
- Enables adversaries to bypass software management control policies and potentially even execute unapproved software on the targeted machine
- Uses end-to-end encryption, enabling attackers to download files that corporate firewalls would otherwise stop
- Can support multiple simultaneous attacks, for example, via a compromised MSP
How adversaries are targeting remote access
According to the US Cybersecurity and Infrastructure Security Agency (CISA), threat actors may either exploit vulnerable versions of remote access software or use legitimate compromised accounts to hijack the use of the tools. Alternatively, they could socially engineer victims into downloading legitimate RMM software or similar. In more sophisticated attacks, they may target a remote access software vendor and manipulate its software with malicious updates. They may also use PowerShell or other legitimate command line tools to covertly deploy an RMM agent on the victim’s machine.
Sometimes, threat actors also use remote access software in concert with penetration testing tools like Cobalt Strike or even remote access malware to ensure persistence. Once they have access to a target network/machine, they can use remote access software to:
- Move laterally through the victim’s network
- Find lists of other systems for lateral movement
- Establish command and control (C2) channels
Such techniques are being used by both cybercrime groups and nation-state operatives for sophisticated data theft operations and ransomware attacks. They’ve been spotted targeting US government employees in financially motivated scams. One security vendor has also warned about the “excessive” use of non-enterprise grade RATs in OT environments, which ends up expanding organisations’ attack surface.
Its research reveals that 79% of firms have more than two such tools installed on OT network devices. Because these lack sufficient access controls and features such as multi-factor authentication (MFA), they’re exposed to hijacking by threat actors.
In the wild
There are numerous examples of RAT-based breaches with serious consequences over the past few years. They include:
- In February 2024, vulnerabilities in unpatched ScreenConnect software were exploited in multiple organisations to deploy malware on servers and workstations with the remote access software installed.
- In February 2022, CISA and the UK’s National Cyber Security Centre (NCSC) warned of a campaign by Iranian APT group MuddyWater which may have had both cyber-espionage and financial motives. The threat actors used ScreenConnect for initial access and lateral movement.
- In January 2023, CISA warned of a campaign using ScreenConnect and AnyDesk to carry out a “refund scam” on federal government employees. The campaign used phishing techniques to persuade the victims to download the software as self-contained, portable executables, enabling them to bypass security controls.
- In July 2024, a security vendor discovered a modified version of the open-source RMM tool PuTTY (renamed “KiTTY”) which could bypass security controls. The tactic enabled the threat actors to create reverse tunnels over port 443 to expose internal servers to an AWS EC2 box under their control to steal sensitive files.
How to mitigate remote access attacks
CISA lists a range of host and network-based controls and policy/architectural recommendations that could help build resilience against such attacks. These include:
- Phishing awareness training for employees
- Zero trust and least privilege approaches to identity and endpoint security
- SecOps monitoring for suspicious activity
- External attack surface management (EASM) for improved visibility into unknown and unmanaged assets
- Multi-factor authentication (MFA) for remote access software
- Auditing of remote access software and configurations
- Application controls, including zero-trust principles and segmentation, to manage and control software execution
- Continuous risk-based patching
- Network segmentation to limit lateral movement
- Blocking of inbound/outbound connections on common RMM ports and protocols
- Web app firewalls (WAFs) to protect remote access software
However, the security agency also recommends organisations “maintain a robust risk management strategy based on common standards, such as the NIST Cybersecurity Framework”. Javvad Malik, lead security awareness advocate at KnowBe4, agrees.
“The NIST framework’s core functions provide a comprehensive approach to managing RMM tool risks,” he tells me.
“This includes maintaining an inventory of systems with RMM software, enforcing strong authentication, implementing behavioural analytics for anomaly detection, developing specific incident response playbooks, and ensuring business continuity plans account for RMM tool dependencies.” Malik adds that ISO 27001 can also help mitigate the risks of using remote access software.
“ISO 27001’s controls on access management, cryptography, operations security, and supplier relationships provide a solid foundation,” he explains. “For example, organisations can implement formal RMM tool access management processes, ensure encrypted remote sessions, and set up automated alerts for unusual activities.”
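As an added example that is not part of this article, CISA’s guidance or Malik’s own tooling, the following Python script applies the inventory-and-alerting approach described above to constructed endpoint process-creation events. It flags the RMM products named in this article when they run on a host outside an approved inventory, from a user-writable location (the self-contained portable executable tactic mentioned earlier) or under a scripting host such as PowerShell. The log format, hostnames, install paths and approved inventory are all assumptions of the example.

```python
"""Audit endpoint process events for RMM tools not in the approved inventory."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Product names taken from the article. Matching them as substrings of the
# executable path is an assumption of this example, not a vendor signature.
RMM_PRODUCTS = ("anydesk", "teamviewer", "screenconnect", "connectwise", "atera")

# Constructed approved inventory: product -> hosts where it is sanctioned.
APPROVED_INVENTORY = {
    "teamviewer": {"ws-finance-01", "ws-finance-02"},
    "atera": {"srv-msp-mgmt"},
}

# Where a sanctioned installation is expected to live (assumption).
TRUSTED_INSTALL_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Scripting hosts the article notes are used to covertly deploy RMM agents.
SCRIPTING_PARENTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe")

# Assumed key=value line format for a process-creation event.
LOG_RE = re.compile(r'^host=(\S+) user=(\S+) image="([^"]+)" parent="([^"]+)"$')


@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str
    parent_image: str


@dataclass
class Finding:
    host: str
    product: str
    severity: str
    reason: str


def parse_event(line: str) -> ProcessEvent | None:
    """Parse one log line; malformed lines are skipped rather than guessed at."""
    match = LOG_RE.match(line.strip())
    return ProcessEvent(*match.groups()) if match else None


def identify_product(image: str) -> str | None:
    """Return the RMM product a process image belongs to, if any."""
    low = image.lower()
    return next((p for p in RMM_PRODUCTS if p in low), None)


def assess(ev: ProcessEvent) -> Finding | None:
    """Compare one event against inventory, install location and parent process."""
    product = identify_product(ev.image)
    if product is None:
        return None  # not remote access software; out of scope for this audit
    reasons = []
    if ev.host not in APPROVED_INVENTORY.get(product, set()):
        reasons.append("not in approved RMM inventory for this host")
    if not ev.image.lower().startswith(TRUSTED_INSTALL_DIRS):
        reasons.append("running outside trusted install directory (portable executable?)")
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
    if parent in SCRIPTING_PARENTS:
        reasons.append(f"launched by scripting host {parent}")
    if not reasons:
        return None  # sanctioned tool, sanctioned host, normal launch
    severity = "high" if len(reasons) >= 2 else "medium"
    return Finding(ev.host, product, severity, "; ".join(reasons))


def audit(lines: list[str]) -> list[Finding]:
    """Run the audit over a batch of log lines and return the alerts in order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None and (finding := assess(ev)) is not None:
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    r'host=ws-finance-01 user=alice image="C:\Program Files\TeamViewer\TeamViewer.exe" parent="C:\Windows\explorer.exe"',
    r'host=ws-hr-07 user=bob image="C:\Users\bob\Downloads\AnyDesk.exe" parent="C:\Windows\explorer.exe"',
    r'host=srv-msp-mgmt user=SYSTEM image="C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe" parent="C:\Windows\System32\services.exe"',
    r'host=ws-finance-01 user=alice image="C:\Users\alice\Downloads\TeamViewer.exe" parent="C:\Windows\explorer.exe"',
    r'host=ws-finance-02 user=carol image="C:\Users\carol\AppData\Local\Temp\ScreenConnect.ClientSetup.exe" parent="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"',
    "garbage line that does not parse",
    r'host=ws-hr-07 user=bob image="C:\Windows\System32\notepad.exe" parent="C:\Windows\explorer.exe"',
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.host}: {f.product} - {f.reason}")
```

The sample run produces three alerts: a portable AnyDesk on an unapproved host, a portable TeamViewer copy on an approved host (medium, since the host itself is sanctioned), and a ScreenConnect client dropped into a temp directory and started by PowerShell.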
Ian Stretton, director of EMEA at cybersecurity consultants Green Raven, agrees that “successful cybersecurity is based on firm foundations such as ISO 27001”.
He tells me that one key tenet of such approaches is to deploy continuous monitoring backed by threat intelligence.
“This is brought into sharper focus by the adoption of AI by threat actors as a challenge to AI-based defence tools,” Stretton concludes.
“The deployment of tools such as anomaly detection systems that specifically monitor for suspicious behaviours in AI processes – such as misclassification, sudden shifts in decision-making logic or other behaviour – can aid in combating this type of AI-based threat.”
