Here comes mayhem: How The Com is rewriting the threat landscape

When it comes to the cyber-threat landscape, Russian actors are usually portrayed as the bogeymen. But over the past few months and years, a more disturbing picture has started to emerge. A different breed of hacker has stepped out of the shadows – technically proficient, native English-speaking and with an almost nihilistic penchant for violence and human misery.

Sometimes described as “The Com” or “Scattered Spider”, these loosely associated grassroots groups defy easy categorisation. The question is, with the likes of M&S, MGM Resorts, and Santander among their growing list of victims, how big a threat do they pose to CISOs?

Uncovering The Com

UK CISOs may have first heard the moniker “The Com” or “Com networks” following the publication of the latest annual report from the National Crime Agency (NCA) in March. In it, the agency warns of “sadistic and violent online gangs” comprised mainly of teenage boys engaging in acts of extremism, sexual violence and sadistic child abuse. Reports of this emerging threat increased six-fold between 2022 and 2024, with the NCA claiming that girls as young as 11 had been coerced by members into “seriously harming or sexually abusing themselves, siblings or pets”.

What has this got to do with enterprise cybersecurity? Curiously, Com network members are also blamed for data breaches, fraud, and malware/ransomware attacks. On paper, The Com seems far removed from the highly professionalised world of Russian cybercrime. Yet some of its supposed members use techniques that traditional threat actors would applaud and have been tied to some of the most damaging breaches on record.

Where does it all begin? According to Unit 221B researcher, Allison Nixon, the Com’s members were largely financially motivated until the early 2020s, when sextortion and high-value fraud also became popular. The “bottom-up social phenomenon” now venerates depravity, harm and misogyny – with youngsters recruited because of their naïvety, hunger for attention and money, and reduced exposure to legal jeopardy. However, although the worst acts of these networks are truly awful, they represent only a small percentage of total members, says Nixon.

High-profile arrests seem to be dampening down their worst excesses, she says. But the threat to enterprises remains undiminished, as recent attacks on UK retailers have shown.

The Com/Scattered Spider crossover

A detailed Brian Krebs investigation into the young men behind many of these attacks shows the strong links between Scattered Spider and Com networks. They include:

  • Connor Riley Moucka, a Canadian hacker blamed for the major breach of Snowflake accounts, who also goes by the monikers ‘Judische’ and ‘Waifu’. The latter corresponds to “one of the more accomplished SIM-swappers in The Com over the years”, according to Krebs
  • The ‘@Holy’ screen name, associated with a Telegram user who gave media interviews about the MGM hack. The same account was apparently active on a number of cybercrime channels focused on extorting young people into harming themselves or others, and recording it on video
  • Noah Michael Urban, a 19-year-old American indicted in January 2024 on a string of wire fraud and identity theft charges. His ‘King Bob’ and ‘Sosa’ monikers are linked to real-world violence-as-a-service offerings
  • Four other young men who, along with Urban, were indicted in November 2024 by US authorities for a string of attacks involving the phishing of IT helpdesks, data theft and crypto-based extortion
  • 22-year-old Tyler Buchanan, another member of the same group, who allegedly took part in a 2022 phishing campaign which resulted in the theft of 10,000 login credentials related to more than 130 companies
  • Conor Brian Fitzpatrick (aka Pompompurin), who pleaded guilty to operating the BreachForums criminal marketplace, and possessing child pornography back in 2023

A different way of doing things

According to a recent ReliaQuest report, Scattered Spider relies heavily on social engineering to achieve initial access, often using the off-the-shelf Evilginx tool to bypass multi-factor authentication (MFA). A recent analysis of over 600 publicly shared IOCs by the threat intelligence firm reveals that its phishing domains primarily target services such as single sign-on (SSO), identity providers (IdP), VPNs, and IT support systems.

The end goal is to harvest credentials from high-value users, including system administrators, CFOs, COOs, and CISOs. When Scattered Spider actors fail with initial phishing attempts, they double down, using vishing techniques to impersonate C-level executives. Typically, they make panicked helpdesk calls requesting password resets or enrollment of new MFA devices, ReliaQuest claims.

The report also warns MSPs in particular to be on their guard, as actors are keen on ‘one-to-many’ attacks. In a recent example, they breached an MSP and exploited vulnerabilities in the SimpleHelp remote management software to deploy ransomware across client networks, it claims.

SOCRadar CISO, Ensar Seker, tells Assured Intelligence that this new breed of threat actor presents new challenges to network defenders accustomed to facing more traditional adversaries.

“Scattered Spider and the Com network actors represent a distinct kind of threat compared to traditional Russian-speaking cyber criminal groups. What sets them apart isn’t necessarily technical sophistication, but their boldness, deep social engineering playbooks, and insider-like operational tempo,” he explains. “These groups frequently exploit identity and access mismanagement, leveraging SIM swapping, MFA fatigue attacks, and even targeting IT help desks to gain privileged access. Their tactics resemble those of APTs but are often executed with the agility and audacity of hacktivist crews, making attribution and defence more complex.”

ReliaQuest director of threat research, Brandon Tirado, agrees, explaining that Scattered Spider actors often cause significant damage within just eight hours of initial access – for example, by rapidly escalating privileges and abusing identity systems like Okta and Azure AD.

“In addition to their speed and expertise in social engineering, their potency lies in their fluency in English, which helps avoid tipping off the targeted organisation’s helpdesk, and their ‘scattered’ nature – operating as a loosely organised network rather than a centralised group,” he tells Assured Intelligence.

“This decentralised structure makes them more unpredictable and adaptable.”

Lessons for CISOs

The threat actor profile may be unusual, but ultimately, they are still focused on the same thing as any cyber criminal: making money. That’s why several notable Com attacks have seen actors work as affiliates for ransomware groups like ALPHV/BlackCat (MGM) and – more recently – DragonForce (M&S).

“CISOs should focus on proactive monitoring of third-party accounts, bolstering helpdesk defences with identity verification protocols, and enforcing adaptive MFA policies,” advises Tirado. “Compared to Russian cyber criminals, who often rely on longer dwell times, combating Scattered Spider requires faster detection, automated response playbooks, and real-time threat hunting to neutralise their rapid operations.”

SOCRadar’s Seker agrees that CISOs need to “double down on identity security” with phishing-resistant MFA, privileged access management and regular access audits, alongside specialised employee training.

“Defending against these threat actors demands a mindset shift. While traditional ransomware groups often follow a predictable path – initial access broker, lateral movement, exfiltration, and encryption – groups like Scattered Spider bypass many of these stages by targeting identity and session hijacking. This means the usual EDR, network segmentation, and backup combo isn’t enough,” he adds.

“These homegrown actors are loud, fast, and opportunistic. What they lack in stealth, they compensate for in adaptability. That makes real-time visibility into authentication events and faster incident response cycles non-negotiable.”
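The detection the experts above ask for, visibility into authentication events fast enough to catch a helpdesk-assisted takeover inside the eight-hour window, can be sketched as a correlation rule. The script below is an added example, not code from ReliaQuest, SOCRadar or any IdP vendor; the pipe-separated audit feed, the account names and the action labels are constructed, and real Okta or Entra ID log schemas would need their own parser.

```python
"""Correlate identity-provider audit events into helpdesk-assisted takeover chains.

Added illustration, not code from ReliaQuest, SOCRadar, Okta or Microsoft.
The feed format is a constructed, vendor-neutral pipe-separated audit log:
timestamp|actor|target_account|action|key=value details
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample feed. j.doe shows the pattern the article describes:
# helpdesk password reset, new MFA factor, login from a new device, admin role.
SAMPLE_LOG = """\
2025-05-01T09:02:11Z|helpdesk.agent7|j.doe|password_reset|channel=phone
2025-05-01T09:05:40Z|j.doe|j.doe|mfa_factor_enrolled|factor=sms
2025-05-01T09:41:03Z|j.doe|j.doe|login|ip=198.51.100.23 new_device=true
2025-05-01T10:12:55Z|j.doe|j.doe|role_granted|role=GlobalAdministrator
2025-05-01T11:00:00Z|helpdesk.agent2|a.smith|password_reset|channel=ticket
2025-05-01T13:30:00Z|a.smith|a.smith|login|ip=203.0.113.9 new_device=false
2025-05-02T08:00:00Z|b.lee|b.lee|login|ip=203.0.113.44 new_device=false
"""


@dataclass
class AuthEvent:
    ts: datetime
    actor: str    # who performed the action (user, helpdesk agent, system)
    target: str   # account affected
    action: str
    detail: dict


def parse_events(text):
    """Parse the pipe-separated feed into AuthEvent objects sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, target, action, detail = line.split("|", 4)
        kv = dict(item.split("=", 1) for item in detail.split())
        events.append(AuthEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                actor, target, action, kv))
    return sorted(events, key=lambda e: e.ts)


def is_trigger(e):
    """A reset performed by someone other than the user, or any new MFA factor."""
    return ((e.action == "password_reset" and e.actor != e.target)
            or e.action == "mfa_factor_enrolled")


def is_follow_on(e):
    """Events that turn a trigger into a suspicious chain."""
    return (e.action in ("role_granted", "mfa_factor_enrolled")
            or (e.action == "login" and e.detail.get("new_device") == "true"))


def detect_takeover_chains(events, window=timedelta(hours=8)):
    """Return one finding per user whose trigger is followed by follow-on events
    inside the window (8h by default, the damage window the article cites)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.target].append(e)
    findings = []
    for user, evs in by_user.items():
        covered_until = None
        for i, trig in enumerate(evs):
            if not is_trigger(trig):
                continue
            if covered_until is not None and trig.ts <= covered_until:
                continue  # already inside an earlier chain for this user
            chain = [e for e in evs[i + 1:]
                     if e.ts - trig.ts <= window and is_follow_on(e)]
            if not chain:
                continue
            covered_until = trig.ts + window
            priv = [e for e in chain if e.action == "role_granted"]
            findings.append({
                "user": user,
                "trigger": trig.action,
                "trigger_actor": trig.actor,
                "chain": [e.action for e in chain],
                "severity": "high" if priv else "medium",
                "minutes_to_privilege": (
                    int((priv[0].ts - trig.ts).total_seconds() // 60) if priv else None),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_takeover_chains(parse_events(SAMPLE_LOG)):
        print(finding)
```

A helpdesk reset followed only by a login from a known device (a.smith) produces no alert, which keeps the rule quiet on routine support work.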

Bridewell CTO, Martin Riley, adds that preparedness is vital. “If we compare recent attacks, one retailer has been far worse hit, because it wasn’t able to ‘pull the plug’ on non-essential services that prevented the spread of the attack,” he tells Assured Intelligence. “Do you know your organisation and technology enough to understand what is an operational and defendable cybersecurity position? What can you turn off, what impact will it have on the business, and what must you keep?”

Qodea CISO, Adam Casey, argues that security leaders must also go beyond the technical to drive cultural change through continuous awareness training and testing.

“Security is a shared responsibility and CISOs need to be reinforcing that vigilance is expected from everyone within the organisation. The M&S cyber attack demonstrated how conventional cybersecurity layers weren’t even a factor. They manipulated ‘outsourced’ IT staff through impersonation, then went straight for the jugular by targeting leadership,” he tells Assured Intelligence.

“CISOs are also going to need to put a focus on their outsourced operations. Recent attacks have shown that a third-party risk management programme is essential – and needs to be rock solid.”

Whatever freakish confluence of societal factors originally fomented The Com, it’s here now. This is the reality CISOs need to adapt to, and a new threat to consider in their risk planning.

This article first appeared on Assured Intelligence.


UK government security is foundering: here’s how to fix it

This article first appeared on Assured Intelligence.

We knew it was bad, but not as bad as this. On January 29 the National Audit Office (NAO) released a bombshell report revealing, in gory detail, the challenges facing central government cybersecurity leaders. Blaming skills gaps and funding shortages for much of the malaise, it warns that the cyber-threat to government is “severe and advancing quickly”, urging immediate action to protect vital public services.

The spending watchdog did not pull its punches. But the gaps in cyber resilience it identifies are so pronounced that fixing them will be extremely challenging, especially with a self-imposed deadline of 2030.

A giant target

There’s no doubting the massive target central government has painted on its back. The National Cyber Security Centre (NCSC) warns of a “diffuse and dangerous” threat from hostile states as well as cybercrime groups. Hacking tools and easy-to-use pre-packaged services are freely available online, as are breached credentials, including those linked to .gov email domains. The use of generative AI tools to upskill threat actors in penetration testing, and innovative new techniques like IT impersonation are already accelerating and improving outcomes for adversaries.

This matters for central government in particular, given the huge number of citizens that rely on public services. The NAO report cites NCSC figures claiming that 40% of incidents managed by the agency between 2020 and 2021 targeted the public sector. Breaches at NHS provider Synnovis and the British Library show the devastating impact and cost these can have.

Yet despite the ambition outlined in the Government Cyber Security Strategy: 2022–2030, plans appear to have languished under the previous administration.

What’s gone wrong?

The headline-grabbing part of the report is all about visibility and resilience, and the work of the Government Security Group (GSG) – the Cabinet Office body that oversees central government security. It claims that a 2023-24 assessment by the government’s new cyber assurance scheme, GovAssure, found that 58 critical departmental IT systems had “significant” gaps in cyber resilience, creating “extremely high” risk.

“The data highlighted multiple fundamental system controls that were at low levels of maturity across departments including asset management, protective monitoring, and response planning,” the report notes. “GSG reported to ministers the implication of these findings: the cyber-resilience risk to government was extremely high.”

Edwin Weijdema, EMEA field CTO at Veeam, argues that asset management, protective monitoring and incident response planning are three “interconnected pillars” vital to cybersecurity.

“If you don’t know about it, you can’t secure it – so a thorough asset inventory is the first step to knowing exactly what needs protection,” he tells Assured Intelligence.

“Once you have this visibility, protective monitoring of those assets provides real-time detection of suspicious activity, helping to prevent small issues from turning into major breaches. Finally, a robust response plan ensures you’re ready to recover quickly when incidents occur, turning potential chaos into controlled chaos with a smaller blast radius and much less damage tied to it.”

According to the NAO, the GSG also failed to include legacy IT systems in the GovAssure audit because many of its recommended controls were apparently not applicable to such technology. That has unwittingly created a significant visibility gap at the heart of government.

“In March 2024, departments reported using at least 228 legacy IT systems. Of these, 28% (63 of 228) were red-rated as there was a high likelihood and impact of operational and security risks occurring,” the NAO report notes.

Other critical cybersecurity challenges and failings highlighted by the NAO include:

  • Until April 2023, the government did not collect “detailed, reliable data” about the cyber resilience of individual departments
  • The government has not improved cyber resilience quickly enough to meet its aim to be “significantly hardened” to cyber-attack by 2025
  • Departments still find it difficult to understand the roles and responsibilities of the cyber-related bodies at the centre of government
  • GSG has no effective mechanisms in place to show whether its approach to government cybersecurity is effective, or even a plan to make government organisations cyber resilient by 2030

The NAO also slams individual departments for failing to meet their responsibilities to improve resilience. It claims that leaders “have not always recognised how cyber risk is relevant to their strategic goals” and that boards often don’t even include any members with cyber expertise.

James Morris, CEO of the non-profit Cybersecurity and Business Resilience Policy Centre (CSBR), argues that there’s plenty to be done.

“Cyber resilience needs to be hardwired into the processes of central government departments and made a priority for their core strategic and operational work,” he tells Assured Intelligence.

“It should also be identified as a core strategic priority for ministers and senior civil servants. Each department should identify where skill gaps are putting resilience at risk and plans should be put in place to improve cyber resilience skills among existing staff.”

Too few skills, not enough money

However, at the heart of the problem appear to be both money and talent. A cyber directorate set up by the GSG to lead cybersecurity improvement across government apparently had 32% of posts unfilled when first established. In 2023-24, a third of security roles in central government were either vacant or filled by temporary staff, with the share of vacancies in several departmental security teams over 50%.

“There are only two real options: increase the supply of cybersecurity skills, or recognise that market rates are what they are for cybersecurity skills, and pay them. Better still, do both,” says Ian Stretton, director at consulting firm Green Raven Limited. “But these are long-term fixes that will take years to effect.”

Attracting talent is made harder when departments must compete with deep-pocketed private sector organisations for a limited number of skilled professionals. The government announced in 2021 a £2.6bn funding boost for cyber, of which it apparently allocated £1.3bn to departments for cybersecurity and legacy IT remediation. However, since 2023, departments have “significantly reduced” the scope of improvement programmes, the NAO says. As of March 2024, departments did not have fully funded plans to remediate around half of the government’s legacy IT assets.

How to sort out this mess

In the absence of funding, it will be a tough ask to meet the recommendations set out by the NAO (see boxout). However, it is possible, according to the experts Assured Intelligence spoke to.

“Central government departments can boost cyber resilience – even in the face of legacy IT – by focusing on three core principles: speed, skills and accountability,” argues Veeam’s Weijdema.

“Speed in detection is crucial because the sooner you spot a breach, the less time attackers have to move laterally, exfiltrate data or disrupt critical services. Continuous log monitoring, threat intelligence feeds, and anomaly detection tools should be in place to catch potential intrusions in near real-time. Equally important is the ability to respond swiftly. Well-defined processes and empowered teams prevent small issues from escalating into large-scale crises.”

Government must also recognise the high demand for security professionals and pay competitive salaries, as well as offering clear career progression, and investing heavily in training to plug the skills gap, Weijdema adds. Security teams should be held accountable for the outcomes of the measures they take, he says.

“Finally, regular drills and exercises – like red-team attacks or simulated breaches – will help to instil a culture of digital emergency response,” Weijdema continues. “Just as physical first responders train constantly for disasters, a cyber workforce should practice containing threats under realistic conditions. Such exercises refine tactics, highlight weaknesses and foster collaboration.”

Green Raven’s Stretton agrees that government must find the money to compete with the private sector on salaries, but warns that this alone will not be enough.

“Even if there were enough cybersecurity professionals to go around, current cyber-defence strategies revolve around building higher and higher walls. But this isn’t a sustainable approach to cybersecurity, and cyber pros know it,” he tells Assured Intelligence.

“The problem is the world is still thinking about cybersecurity like medieval monarchs used to think about castles: just dig deeper ditches and build higher ramparts and it’ll be fine. Instead, we need to get smarter and focus defensive resources on where we know they are going to be needed.”

By making the most of AI-powered cyber-threat intelligence, government bodies can get back on the front foot against their adversaries, Stretton argues.

“Rather than constantly reacting to general threats, knowing who is coming after your organisation, and with what ‘weapons’, means you can remove the blindfold and react to what poses the greatest threat,” he says. “It’s analogous to how the security services work: there aren’t enough of them to keep us safe by sheer force of numbers, so they use sophisticated intelligence-gathering to pre-empt attacks and intercept attackers.”

The fact that the NAO report has been published at all is a positive sign. It signifies the new government’s recognition of the growing cyber-threat facing Whitehall, and its desire to achieve key parts of the 2022-2030 strategy by the end of the year. However, whether it can match this ambition with results remains to be seen.



Routers are in the firing line: here’s how to protect your organisation

This article first appeared on ISMS.online.

Modems and routers aren’t the most glamorous of connected technologies. In fact, their ubiquity means that most organisations forget they’re even there. However, they also perform a critical function in enabling networked devices and machines to reach the public internet. Without them, most businesses would struggle to operate.

Yet because of their location at the edge of the network, routers are also an increasingly popular target. It doesn’t help that many are riddled with vulnerabilities and may not be updated as frequently as other critical devices. A report from Forescout released in October warns of 14 new firmware flaws in DrayTek routers.

It’s time to get serious about protecting corporate routers.

What’s Wrong with DrayTek?

According to Forescout, two of the 14 new vulnerabilities it discovered in routers from the Taiwanese manufacturer are rated critical: CVE-2024-41592 has a maximum CVSS score of 10, while CVE-2024-41585 is given a 9.1.

The former is a buffer overflow in the GetCGI() function of the DrayTek VigorConnect Web UI. It could apparently be triggered by a specially crafted and excessively long query string to any of the 40 CGI pages of the Web UI. This, in turn, could be used to achieve denial of service or, if chained with OS command injection bug CVE-2024-41585, to gain remote root access to the underlying host operating system.

That’s potentially far more serious, as it would provide an attacker with the “keys to the kingdom” – enabling complete remote control of the targeted router and, by moving laterally, other devices on the same network, says Forescout.
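Because the trigger described above is an oversized query string aimed at management CGI pages, the router’s own Web UI access log is a practical place to look for attempts. The script below is an added example, not DrayTek or Forescout code: it assumes the UI writes Apache-style combined access logs, the log lines are constructed, and the CGI page names are placeholders rather than real DrayTek endpoints.

```python
"""Spot long-query-string probes against a router's CGI management pages.

Added illustration, not DrayTek or Forescout code. It assumes the Web UI
writes Apache-style combined access logs; all lines below are constructed and
the CGI page names are placeholders, not real DrayTek endpoints.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+')

MAX_QUERY_LEN = 512   # assumption: genuine UI requests stay well under this
SPRAY_THRESHOLD = 2   # distinct CGI pages hit with long queries by one source


def _line(ip, target, status):
    """Build a constructed combined-log line for the sample below."""
    return f'{ip} - - [10/Oct/2024:08:01:12 +0000] "GET {target} HTTP/1.1" {status} 0'


# Constructed sample: one normal login, one source hitting two CGI pages with
# oversized query strings, and a long but non-CGI request that must be ignored.
SAMPLE_LOG = "\n".join([
    _line("192.0.2.10", "/cgi-bin/login.cgi?user=admin", 200),
    _line("198.51.100.77", "/cgi-bin/login.cgi?a=" + "A" * 1500, 500),
    _line("198.51.100.77", "/cgi-bin/status.cgi?b=" + "A" * 2048, 500),
    _line("203.0.113.5", "/static/app.js?v=" + "1" * 600, 200),
])


def is_cgi(path):
    return "/cgi-bin/" in path or path.endswith(".cgi")


def parse_request(line):
    """Return ip, path, query length and status for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {"ip": m.group("ip"), "path": path,
            "query_len": len(query), "status": int(m.group("status"))}


def analyse(log_text, max_query_len=MAX_QUERY_LEN):
    """Aggregate oversized CGI requests per source and flag page spraying."""
    per_ip = defaultdict(lambda: {"long_cgi_requests": 0, "cgi_pages": set(),
                                  "max_query_len": 0, "server_errors": 0})
    for line in log_text.splitlines():
        req = parse_request(line)
        if req is None or not is_cgi(req["path"]) or req["query_len"] <= max_query_len:
            continue
        s = per_ip[req["ip"]]
        s["long_cgi_requests"] += 1
        s["cgi_pages"].add(req["path"])
        s["max_query_len"] = max(s["max_query_len"], req["query_len"])
        if req["status"] >= 500:   # 5xx after a huge query hints the handler choked
            s["server_errors"] += 1
    findings = [{
        "ip": ip,
        "long_cgi_requests": s["long_cgi_requests"],
        "distinct_cgi_pages": len(s["cgi_pages"]),
        "max_query_len": s["max_query_len"],
        "server_errors": s["server_errors"],
        "spraying": len(s["cgi_pages"]) >= SPRAY_THRESHOLD,
    } for ip, s in per_ip.items()]
    return sorted(findings, key=lambda f: f["long_cgi_requests"], reverse=True)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

A source that sprays several CGI pages with oversized queries and draws 5xx responses is worth blocking at the edge and checking against the vendor patch level of the device.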

The popularity of DrayTek routers globally highlights network defenders’ challenges and the opportunity for threat actors. According to Forescout, over 704,000 routers were exposed to the internet – and therefore open to exploitation – when the report was compiled, including 425,000 in the UK and EU. Most are apparently intended for business use.

DrayTek had patched all the firmware vulnerabilities by the time the report was published. Still, there is no guarantee that customers will apply the updates before potential attempts to exploit them. The vendor is also by no means the only manufacturer whose products are at risk of compromise. In September, a joint advisory from several Five Eyes security agencies revealed the existence of a massive botnet of 260,000 hijacked devices, including routers from MikroTik, Ubiquiti, Telesquare, Telstra, Cisco, and Netgear.

Why Routers?

Modems and routers are clearly a popular target for threat actors. This is because they:

  • Are often riddled with unpatched vulnerabilities that could be exploited
  • Are often used by SMEs with fewer security resources and know-how, which may leave routers exposed
  • Are easy for hackers to scan remotely
  • May only be protected by factory default credentials
  • Provide a gateway to other devices on the same network and could, therefore, be used as an initial access vector for ransomware and data theft
  • Can be hijacked and used as bots in a larger botnet to launch DDoS attacks on others or disguise more sophisticated threat campaigns
  • Could be repurposed as command-and-control servers (if they’re high-performance routers)

End-of-life (EoL) or end-of-sale (EoS) devices are particularly at risk as patches/updates may not be available from the vendor. Forescout claims that 11 of the 24 impacted DrayTek models listed in its research were either EoL or EoS. Even if patches can be applied, they often are not. Almost two-fifths (40%) of those in the report are still vulnerable to similar flaws identified two years previously, according to Forescout.

“Routers can yield access to, or even control of, assets inside an organisation’s network. As the skeletons of the networks and sub-networks they form, they are a great resource for an attacker to infect,” Black Duck Software managing security consultant Adam Brown tells ISMS.online.

“Furthermore, they are administrated by individuals with the highest levels of security credentials, which, if breached, give bad actors the keys to the kingdom.”

This is not a theoretical threat. As well as the massive Chinese threat campaign highlighted above, we can point to the following:

Volt Typhoon: A Chinese state-backed APT group that exploited zero-day vulnerabilities in internet-connected network appliances like routers to compromise strategically important critical infrastructure networks in the US. The end goal, says the Cybersecurity and Infrastructure Security Agency (CISA), was to be primed and ready to launch destructive attacks in the event of a military conflict.

BlackTech: Another Chinese state APT group which targeted various organisations in the US and Japan. It targeted poorly protected routers in branch offices, allowing attackers to blend in with regular traffic as they pivoted to other devices in corporate headquarters. In some cases, the adversaries gained admin rights, enabling them to replace the firmware on the routers and/or switch off logging to hide their tracks.

Cyclops Blink and VPNFilter: Two sophisticated multi-year campaigns from Russia’s Sandworm group, which targeted small office/home office (SOHO) routers and other network devices. Deployment of the eponymous malware was described as “indiscriminate and widespread”, leading observers to speculate that the purpose was to create botnets capable of launching threat campaigns on other targets.

APT28/Fancy Bear: A prolific Russian threat group targeted Ubiquiti EdgeRouters as part of a broader campaign to “facilitate malicious cyber operations worldwide” – including by hosting spear phishing pages and custom attack tools.

How to Mitigate the Threat

Some US lawmakers want to investigate Chinese-made routers in a bid to mitigate Beijing’s cyber espionage threat. But this will do nothing to tackle the problem of routers made elsewhere being hijacked through stolen/brute-forced credentials or vulnerability exploitation. So, how can organisations better protect their routers? Some best practices will help.

An excellent place to start is tried-and-tested cyber-hygiene such as:

  • Regular patching of firmware as soon as updates are available, using automated update channels where possible
  • Replacing default passwords with strong, unique credentials
  • Turning off unused services and ports like UPnP, remote management, file sharing, etc.
  • Promptly replacing EoL kit to ensure maximum protection from exploitation

Black Duck Software’s Brown adds that Zero Trust security approaches, such as network monitoring for unusual traffic volumes and segmentation alongside least privilege access policies, would also help organisations mitigate router security risks.

“Security architecture must be considered when deploying networks, and therefore routers, with care taken to ensure access to router consoles has appropriate security controls,” he adds. “Network trust zones must be considered, and a Zero Trust approach to architecture at all layers will help limit the blast radius should an incident occur.”

As the above examples highlight, powerful state-backed groups as well as sophisticated cybercrime entities are primed to take advantage of security gaps to hijack routers and the networks they straddle. With SMBs in the crosshairs, it’s time to close this critical security gap.


Factory 4.0 and beyond: the challenges of operational technology security

This article was first published on ISMS.online.

When a report revealed 56 new vulnerabilities in 10 operational technology (OT) vendors’ products last year, experts hailed it as a wake-up call for the industry. The study highlighted an endemic problem with OT equipment: a lack of basic security-by-design best practices. The fact that three-quarters of those products assessed to contain vulnerabilities had valid security certifications should cause further nervousness among IT/OT managers.

The bottom line is that the issues highlighted in the report run so deep they’re unlikely to be resolved industry-wide anytime soon. That puts the onus on enterprise security programmes to ensure OT risk is managed with the same attention to detail as IT.

The What and Why of OT

Whereas IT systems manage information and applications, OT covers the hardware and software used to monitor and control the physical world. It could be anything from an ATM to an industrial control system (ICS), a factory robot to a programmable logic controller (PLC). The technology can be found most obviously on the factory floor. But it spans a huge range of industries beyond manufacturing, including healthcare, oil & gas, utilities, and transportation.

Historically, OT systems were not internet-connected, and devices tended to be purpose-built, running specialised software. That meant security was treated as an afterthought. However, most equipment has connectivity today, meaning remote attackers can probe it for vulnerabilities. At the same time, it often runs Windows or other commercial software. That makes it an attractive target.

Because OT controls physical processes, security breaches could enable attackers to sabotage or disrupt critical operations. Vulnerable endpoints may even be used as a stepping stone into IT networks for sensitive data theft. One 2022 report claims 83% of organisations suffered an OT breach in the previous 36 months. According to figures cited by McKinsey, the cost per incident of severe attacks can be as much as $140m. It’s not just financial risk organisations must consider. OT is also regulated by the NIS 2 Directive and its UK equivalent.

What Are The Risks?

The specialised nature of OT means that systems are exposed to certain cyber risks that may not apply to IT environments. They include:

  • Use of legacy, insecure communications protocols
  • Vendors that don’t pay enough heed to vulnerability management
  • Hardware lifecycles of 10+ years, meaning admins are forced to run outdated OSes/software
  • Patching challenges, as equipment often can’t be taken offline to test updates (even if they are available)
  • Equipment that’s too old to deploy modern security solutions to
  • Security certifications which don’t recognise severe defects, giving admins a false sense of security
  • Security-by-design issues that aren’t reported/assigned CVEs, meaning they fly under the radar
  • Siloed IT/OT teams, which can create gaps in visibility, protection and detection
  • Insecure passwords and misconfigurations (although this is also common in IT environments)

From a technical perspective, the Forescout report cited earlier highlights several categories of vulnerability in many OT products:

  • Insecure engineering protocols
  • Weak cryptography or broken authentication schemes
  • Insecure firmware updates
  • Remote code execution (RCE) via native functionality

How To Mitigate Risk From OT Systems

As with IT security, defence in depth is the best way to mitigate OT cyber risk. According to Carlos Buenano, Principal Solutions Architect for Operational Technology (OT) at Armis, it starts with visibility of OT assets and then prompt patching.

“Since it is very common for OT environments to have vulnerable assets, organisations need to create a comprehensive asset inventory of their network and have additional intelligence on what those assets are and what they are actually doing,” he tells ISMS.online. “Contextual data enables teams to define what risk each device poses to the OT environment and assess their business impact so that they can prioritise remediation of critical and/or weaponised vulnerabilities to reduce the attack surface quickly.”

Here’s a quick checklist for organisations:

Asset discovery/management: You can’t protect what you can’t see. So, understand the full extent of OT in the enterprise.

Prompt patching and continuous scanning: OT assets should be continuously scanned for vulnerabilities once discovered. And a risk-based patching programme will ensure CVEs are prioritised effectively. Consider building a non-critical testing environment for patches. And if certain assets can’t be patched, consider alternatives, like virtual patching, network segmentation, SIEM and integrity monitoring.

Identity and access management: Deploy role-based access controls, follow the principle of least privilege and support multi-factor authentication (MFA).

Segmentation: Separate corporate from OT networks, and segment OT networks, to contain the spread of malware.

Threat prevention: Deploy controls such as intrusion detection (IDS), AV software and file integrity-checking tools to prevent and detect malware.

Encryption and backup: Protect OT data at rest and in transit and have backups to mitigate the impact of ransomware.

Breaking Down IT-OT Silos

As OT and IT systems converge in many organisations, threats once confined to IT, such as remote compromise, become more commonplace for industrial systems. Therefore, preventing, detecting and responding to such threats will require more interaction between IT and OT teams. OT teams can learn much from the experience IT has built up over the years regarding security controls, and both have a vested interest in business continuity.

“By working together, IT and OT teams can identify and mitigate cybersecurity risks that affect both IT and OT environments, thus protecting the organisation from cyber-attack,” Trend Micro UK & Ireland technical director, Bharat Mistry, tells ISMS.online. “Additionally, collaboration between the teams will improve the efficiency of security operations teams and ultimately help to reduce costs.”

From a compliance perspective, this may require the organisation to go beyond the limits of ISO 27001 and seek out complementary certifications in the OT space.

“We see frameworks like ISO 27001 used in enterprise IT and bespoke or tailored frameworks like IEC 62443 for OT,” Mistry explains. “On paper, there is some overlap between these, but in reality, these frameworks are start points and are often customised to suit the organisation’s environment.”

Ultimately, it’s in everyone’s best interests to work together, says Armis’s Buenano.

“From an organisational perspective, having a risk-based approach to vulnerability management must go hand in hand with OT and IT departments working together to help coordinate mitigation efforts,” he concludes. “Cross-departmental projects will help streamline process and resource management and achieve greater compliance and data security.”


The government’s new risk register is heavy on cyber. Is that a good or bad thing?

What are the chances of a catastrophic cyber incident occurring in the UK in the next two years? How many might die, or be maimed in such an incident? And how much might it cost the country? These are the kinds of unpleasant questions the government seeks to answer in its latest National Risk Register (NRR).

Since 2008, the report has been published to help businesses running critical national infrastructure (CNI), and other organisations, to enhance their resilience to potential risks. The big difference between now and then is that cyber is now one of nine key “themes” examined in the report.

I recently spoke to some experts to write an upcoming feature for Assured Intelligence.

What the NRR says

For the first time, the NRR was compiled from information in the National Security Risk Assessment (NSRA), a classified document written with help from government experts. It highlights potential cyber risk across multiple scenarios. These involve data theft and/or disruption to:

  • Gas infrastructure
  • Electricity infrastructure
  • Civil nuclear facilities
  • Fuel supply infrastructure
  • Government
  • The health and social care system
  • The transport sector
  • Telecommunications systems
  • UK financial infrastructure
  • A UK retail bank

The NRR ranks the likelihood of such attacks happening in the next two years as a “4” on a scale of 1–5, with 5 being the most likely (>25%). That equates to a “highly unlikely” risk with a “moderate” impact. However, as mild as this sounds, even a moderate incident could lead to up to 1000 fatalities and casualties of up to 2000, with losses in the billions of pounds. By contrast, the estimated economic damage from cyber incidents in 2000 was pegged at £10-100m.

That’s a reflection of the digital world we live in, as is the mention of AI as a potential chronic risk (as opposed to the acute risks highlighted above). Chronic risks, the NRR says, are manifest over a longer period of time and can make acute risks “more likely and serious”.

Should we be concerned?

Egress VP of threat intelligence, Jack Chapman, believes the government has it about right.

“I agree with the government’s risk assessment and its accuracy based on historic threats. Obviously this strongly depends on the geo-political landscape and how it evolves,” he told me.

“However, there’s been an increase in digitalisation in this space, meaning the risks and impact are increasing. There’s also a far higher level of uncertainty with the government’s assessment in comparison to previous reports.”

However, it’s not all doom and gloom, as steps are being taken to mitigate these acute cyber risks and build resilience into CNI, he added.

“It’s important to note that more active work is being done around cybersecurity than ever before; from putting security-by-design at the heart of new projects, to the impact the NCSC is having in the sector to help mitigate this risk,” Chapman said.

How can CNI hit back?

The big question is how exactly can CNI providers enhance resilience? Arun Kumar, regional director at ManageEngine, believes AI may hold the key, in helping to identify threats “faster and more accurately” than humans. But he goes further.

“Regulation will also play a vital role in carefully managing the negative impact of AI. It’s important to maintain strong security practices such as compliance with NIST and GDPR regulations,” he told me.

“Change needs to be foreseen and carefully managed—striking a balance between utilising the benefits of AI and limiting the negative side. To this end, collaboration is also paramount, both internally and externally within the cybersecurity community, encompassing researchers, professionals, enterprises and policymakers.”

Other best practices could include enhanced password management, vulnerability scanning and prompt patching, and user education to ward off the threat of phishing. To that we could add several other best practices, outlined by the National Cyber Security Centre (NCSC) here. It’s a tall job for CNI firms on an increasingly tight budget. But the alternative is undoubtedly worse.


Plugging the gaps to improve healthcare cybersecurity

The UK’s health service turned 75 recently, and its IT infrastructure is starting to show its age. The challenge for cybersecurity professionals working in the sector is one felt by those across many verticals. It’s about mitigating risk even as digital transformation expands the cyber-attack surface. And doing so in an industry where the stakes for failure couldn’t be higher.

I spoke to some experts for a recent ISMS.online feature to find out more.

Raising the stakes

Ransomware represents probably the biggest single cyber threat to healthcare organisations (HCOs) today, whatever country they operate in. A recent report from EU agency ENISA revealed that ransomware accounts for over half (54%) of all cyber-threats targeting the sector, with 46% of all incidents aimed at stealing or leaking data. HCOs don’t just store lucrative personal, medical and financial data in prodigious amounts, they also have a low tolerance for ransomware-related outages.

“When another critical industry is attacked, such as the electrical grid for example, power outages ensue, offices and factories shut down during the outage unless they have backup generators, and an hour or two, or a day or two later in most cases, power is restored, and business and daily life continues as normal,” Richard Staynings, Chief Security Strategist for UK healthcare security specialist Cylera, tells me.

“When healthcare is attacked, clinicians can no longer optimally care for the sick and dying. The industry has changed a lot since the days of Florence Nightingale and today our doctors and nurses are heavily reliant upon health IT and IoT systems such as medical devices to diagnose, monitor, and treat patients.”

In fact, a link between cyber-attacks and patient outcomes has already been established. Studies have shown a correlation between mortality rates and cyber-attacks, with one report claiming a link between data breaches and heart attack fatalities.

Where are the biggest gaps?

There are so many security gaps that it’s difficult knowing where to start, Staynings says.

“Hospital networks were never designed with cybersecurity in mind so are flat and open access to anyone with credentials. Compare that to a bank or the MoD which have highly compartmentalised access and segmented networks. We are essentially trying to retrofit cybersecurity into healthcare but with limited resources and many other competing projects,” he adds.

“Another area of concern is third party risk. Healthcare uses thousands of vendors, suppliers and outsourcers who provide a wide variety of services necessary for hospitals and clinics to function. Yet Trusts do not adequately vet the security of these vendors or require ISO27001 certification or a SOC2 type attestation of security effectiveness. We have seen the impacts of vendor lapses in security with the 111 attack last year and many others.”

Staynings also points to insufficient staff training on security awareness – unforgivable at a time when most attacks still begin with phishing.

“Insisting on a year-round security awareness programme makes immense sense and probably represents ‘the biggest bang for the buck’ as far as spending on cybersecurity is concerned,” he argues. “Every NHS employee, consultant, contractor, and vendor should be trained, armed and ready to defend against cyberattacks. Currently however, they are not.”

Mohammad Waqas, CTO for Healthcare at Armis, tells me that IoT medical devices (IoMT) represent a critical risk, especially as security teams often don’t have sufficient visibility. A recent survey conducted by the vendor found that a third of NHS Trusts have no method of tracking IoT devices and 10% use manual processes or spreadsheets to do so.

“It’s a common saying within the cybersecurity community that you cannot protect what you cannot see. Complete visibility allows hospital security teams to better understand what devices are connected to their network, when and how they are being used and what are the risks associated with said devices,” he tells me.

“Understanding that context will allow the healthcare organisation to take action and remediate any security need.”

While HCOs might have their PCs locked down, that’s not usually the case with IoMT, Waqas argues.

“The proliferation of IoMT is driving innovation and ultimately improving delivery of care, however its adoption has rapidly enlarged the attack surface. What increases the risk is that existing medical devices on networks are generally running legacy operating systems that no longer receive security patches. These are prime targets for attackers and can be impacted during ransomware attacks,” he explains.

“It’s important to appropriately segment these devices to limit communication as much as possible. Without this, medical devices can very well become non-functional and thereby greatly disrupt patient care—sometimes for weeks. Encouragingly, more than two-thirds of NHS trusts mentioned cybersecurity of medical devices is currently a project on their roadmaps for the upcoming year.”

What’s the government doing?

The good news is that the government’s strategy for a more cyber resilient healthcare sector appears well thought out and fairly comprehensive. The challenge, though, will be implementing all of its recommendations. Staynings argues that a greying population, above-inflation price rises for drugs and equipment, and employee wages will all stretch the budget like never before.

“I would like to believe that this policy document is different from all the others which have come before it, but I can’t help thinking it’s just another excuse to rearrange the deckchairs on the Titanic. It all comes down to funding and the NHS continues to be chronically underfunded, perhaps more so now than at any time in its history,” he concludes.

“So, while the government’s intent to build-up and expand the healthcare cybersecurity workforce is great in principle, in practice unless the NHS is prepared to adjust salary bands and pay market rates to attract and retain its cybersecurity staff, this initiative will likely fall flat on its face. It all comes down to funding and the will of the government to follow through and deliver on its promises—something that all British governments have a lousy record of.”


End-to-end encryption: What happens next?

The Online Safety Bill (OSB) is still winding its way through parliament. But while much of the analysis so far has been on its provisions to force social media companies to remove “harmful” content, there’s an elephant lurking in the corner of the room. Clause 110 compels not only social media firms but also messaging app providers to identify and take down child sexual exploitation and abuse (CSEA) content.

There’s one big problem here: end-to-end encryption (E2EE), which makes message content impenetrable to providers like WhatsApp. It appears as if the government might be looking at client-side scanning as a solution. Experts I spoke to for an upcoming feature are unconvinced.

What’s client-side scanning?

Put simply, this “accredited technology” would require individuals to download software to their devices. It would run locally, scanning potentially for suspicious keywords and image content that matches a CSEA database, before a message is encrypted and sent. On paper, this preserves E2EE while allowing the authorities to police child abusers. In reality, it will fail on both counts for several reasons.

  • Researchers have already worked out it could generate too many false positives to be useful, and could be hacked in other ways
  • If client-side scanning were targeted by foreign governments or cyber-criminals, it would put private data potentially at risk
  • The bosses of several big-name messaging apps say they’d rather exit the UK than comply with the OSB, which would also make UK firms and consumers less secure
  • If client-side scanning comes into force, child abusers will simply gravitate to unpoliced apps, as criminals have in the past with services like EncroChat
  • There’s a concern that the technology could be used in the future to police other content types – government mission creep

Matthew Hodgson, CEO of secure messaging app Element, argued that the new provisions directly contradict the GDPR in undermining encryption.

“It undermines privacy and security for everyone because every secure communication app which happens to have abusive users could be obligated to incorporate a third-party scanning solution, which then means every single user is at risk of that scanning solution being exploited by an attacker to break their privacy,” he told me.

“Any business depending on E2EE for privacy may find themselves at a loss, given encryption vendors would be forced to stop providing their services in the UK, as it is literally impossible to preserve privacy whilst also adding a mechanism to let third parties exfiltrate user data.”

Corelight cyber security specialist, Matt Ellison, cautioned against government putting its faith in a “magic technical solution” that doesn’t exist – adding that Apple abandoned similar plans for client-side scanning after a privacy uproar.

“Ultimately the government is proposing to significantly weaken the security of almost the entire nation, for the ability to perform a lawful intercept of an individual suspected of a crime,” he told me.

“Should all vehicles be fitted with a remote kill switch, in case you are deemed to be committing a crime in your vehicle? Should all houses have the same door key type, with authorities maintaining a master key that could get into everyone’s house to gather evidence without you knowing, again, if you are under suspicion?”

Ellison argued that smartphones are much more than just a technically advanced mobile phone.

“The reality is that they are an intimate and highly integrated aspect of our lives and mass surveillance approaches such as this are a gross invasion of privacy and civil liberties.”

What should happen?

According to Hodgson, there are plenty of ways law enforcers could hunt down child abusers.

“These include investigation/infiltration of forums where abusers recruit or advertise, or by analysing communication metadata, or by educating users within apps, and in general, to be mindful of abuse,” he added.

“Blanket surveillance which undermines the privacy of everybody is not the answer.”

Ross Anderson, who wrote a paper on this challenging the conclusions of the NCSC technical director Ian Levy, agreed that old-fashioned policing techniques are the answer, rather than technology solutions which promise much but deliver little. The debate between law enforcement/government on one side and encryption specialists/tech vendors on the other has been raging for years. Throughout, the former have argued that tech wizards simply need to apply themselves more diligently to the task in order to find an answer. The latter retort that E2EE can’t be broken without undermining security for everyone.

So where does that leave us? With Labour backing the bill, it will undoubtedly become law. But what of Clause 110? If it remains unchanged, it’s unlikely the government will enforce it. The best privacy and security advocates can hope for is that its most controversial provisions are never enforced. That’s what happened with the Investigatory Powers Act – which incidentally already gives the British government theoretical powers to force tech firms to break encryption. It will probably happen again.


Are we paying enough attention to API security?


Is API security on the radar of most IT teams? It’s arguably still not as high on the priority list as it should be. Consider this: an Imperva/Marsh McLennan study from 2022 claimed that vulnerable and unsecured APIs cause up to 7.5% of global “cyber events and losses”, and cost businesses an estimated $75bn annually.

The experts I spoke to for an upcoming feature highlighted complexity, visibility gaps and skills shortages as key barriers to enhanced API security. As digital transformation initiatives push on across the globe, the need to fill these gaps will only increase.

Out of control

APIs are essential to digital projects, connecting as they do applications to backend databases. But by the same token, if compromised, they could be used to provide a neat pathway to exfiltrate corporate and customer data.

“APIs that aren’t closely monitored can easily fall victim to high-volume attacks such as brute force login attempts and enumeration techniques. They are also often easily identified, are web accessible, and each of their methods documented,” Bridewell Consulting senior pen tester, Andy Tyler, told me.

“Once an attacker knows how to interact with your API they can quickly hunt for vulnerabilities; from authentication issues, to injection attacks, or access control misconfigurations. All of these can lead to sudden data theft on a large scale.”

In fact, that happened to T-Mobile USA last year. Although full details of the incident are yet to be released, the firm admitted in January that an attacker took data on 37 million customers via an API.

For Forrester analyst, Sandy Carielli, security teams and tools have been slow to catch up, even as the number of APIs has exploded.

“A lot of the traditional web app security tools didn’t support APIs, leaving holes in the protection – even as API security has evolved and more solutions are available, organisations struggle to understand what combination of tools and processes are needed,” she told me.

“The tools and processes exist to counter this threat, but many organizations struggle due to the newness of the technology and the number of APIs in their organization. It’s not uncommon for enterprises to have tens of thousands or even hundreds of thousands of customer and partner facing APIs – and they may not have a good grasp of what those APIs are and what they do.”

Bridewell’s Tyler agrees, but thinks things are improving.

“The tools and testing techniques needed for assessing APIs have only more recently reached maturity. Automated scanners in particular are still very poor at identifying API security issues, which can lead to false negative results for those organisations running their own checks,” he said.

“Many of us in this industry are working to demystify many of the API-specific issues for the organisations we work with and we have seen great improvements in their overall API security approaches.”

Out of the loop

As is so often the case, API risk seems to have been allowed to snowball because security isn’t brought in early enough in the software development lifecycle.

“Unfortunately, many organisations have little to no oversight over their APIs given the pace of application development and the lack of visibility security teams have into development practices,” Imperva director of technology, Peter Klimek, told me.

“For example, APIs are often released into production before security teams can review and catalogue them. Such inadequate security practices lead to both ‘shadow’ APIs – an API that isn’t cataloged and is therefore invisible to the security team – and ‘zombie’ APIs, which haven’t been properly disabled and are still accessible. Both of these can be a potential breeding ground for cyber-criminal activity.”

There’s no silver bullet to the challenge of escalating, API-driven cyber risk. But shifting security left, and protecting right through layered measures including encryption, API gateways, web app firewalls and zero trust approaches would seem like a good place to start.
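One way to surface the two categories Klimek describes, shadow APIs and zombie APIs, from an API gateway’s own access logs, as an added example that is not code from the original post or from Imperva. The catalogue layout, the log line format and every sample line are constructed for illustration.

```python
"""Reconcile an API catalogue against gateway access logs to surface shadow and zombie APIs.

Added example: not code from the original post or from Imperva. The catalogue format,
the log line format and all sample data below are constructed for illustration.
"""
import re
from collections import Counter

# Constructed catalogue maintained by the security team: route template -> lifecycle status.
CATALOGUE = {
    "GET /v2/accounts/{id}": "active",
    "POST /v2/payments": "active",
    "GET /v1/accounts/{id}": "retired",   # decommissioned; should no longer be served
    "GET /v2/reports": "active",
}

# Constructed gateway access log: timestamp, method, path, HTTP status.
SAMPLE_LOG = """\
2023-03-14T10:01:02Z GET /v2/accounts/1042 200
2023-03-14T10:01:05Z GET /v1/accounts/1042 200
2023-03-14T10:01:09Z POST /v2/payments 201
2023-03-14T10:02:11Z GET /internal/debug/users 200
2023-03-14T10:02:40Z GET /v2/accounts/2210 200
2023-03-14T10:03:03Z GET /v1/accounts/77 200
2023-03-14T10:03:30Z DELETE /v2/reports/9 404
"""

LOG_RE = re.compile(r"^\S+ (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def compile_route(template):
    """Turn 'METHOD /path/{param}' into (method, regex); {param} matches one path segment."""
    method, path = template.split(" ", 1)
    parts = [
        r"[^/]+" if seg.startswith("{") and seg.endswith("}") else re.escape(seg)
        for seg in path.strip("/").split("/")
    ]
    return method, re.compile("^/" + "/".join(parts) + "$")


ROUTES = [(tmpl, status, *compile_route(tmpl)) for tmpl, status in CATALOGUE.items()]


def match_route(method, path):
    """Return (template, lifecycle) for the first catalogued route that matches, else (None, None)."""
    for tmpl, lifecycle, route_method, route_re in ROUTES:
        if route_method == method and route_re.match(path):
            return tmpl, lifecycle
    return None, None


def reconcile(log_text):
    """Count served requests to uncatalogued routes (shadow) and to retired routes (zombie)."""
    shadow, zombie = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # skip lines in an unexpected format
        method, path, status = m["method"], m["path"], int(m["status"])
        if status >= 400:
            continue   # the backend did not serve it, so it is not evidence of a live API
        tmpl, lifecycle = match_route(method, path)
        if tmpl is None:
            shadow[(method, path)] += 1
        elif lifecycle == "retired":
            zombie[tmpl] += 1
    return {"shadow": dict(shadow), "zombie": dict(zombie)}


if __name__ == "__main__":
    findings = reconcile(SAMPLE_LOG)
    for (method, path), hits in findings["shadow"].items():
        print(f"SHADOW  {method} {path}: {hits} served request(s), not in catalogue")
    for tmpl, hits in findings["zombie"].items():
        print(f"ZOMBIE  {tmpl}: {hits} served request(s) to a retired route")
```

Feeding real gateway logs through `reconcile` gives the security team a list of routes to catalogue or to actually switch off, which is the oversight Klimek says most organisations lack.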


How scammers are capitalising on the SVB collapse

This piece was first published on ESET’s We Live Security site.


Big news events and major crises usually trigger an avalanche of follow-on phishing attempts. The COVID-19 pandemic and Russia’s invasion of Ukraine are perhaps the most obvious examples, but the most recent one is the collapse of Silicon Valley Bank (SVB). The mid-sized US lender and a key financer of tech start-ups held tens of billions of dollars’ worth of assets when it went bust last week after succumbing to a bank run.

Although the US government stepped in days later to guarantee customers would be able to access their money, the damage was done – and even if you or your business wasn’t affected by the bank’s meltdown, you could still be at risk of cybercrime that exploits such events for nefarious gains.

Ambulance-chasing phishing and business email compromise (BEC) attempts are already hitting inboxes across the globe. Once you’ve weathered the storm, there’s plenty of takeaways that can be used to build a more resilient security awareness program going forward.

The story so far

There’s nothing new in scammers piggy-backing on news events to improve their success rates. But the SVB case has several ingredients that make it arguably a more attractive lure than the norm. These include:

  • The fact that there’s lots of money at stake: SVB had an estimated US$200 billion in assets when it went bust.
  • Extreme anxiety from corporate customers worried about how to pay the bills if they can’t access their assets, and of individuals concerned about whether they’d get paid.
  • Confusion over exactly how customers can get in touch with the failed lender.
  • The fact that the collapse came after the fall of Signature Bank, sparking even more anxiety about the whereabouts of funds and the health of the financial system.
  • SVB’s global reach – including a UK arm and various affiliated businesses and offices across Europe. This expands the pool of potential scam victims.
  • The BEC angle: as many SVB corporate customers will be informing their partners of bank account changes, it offers the perfect opportunity for fraudsters to step in first with their own details.

When something like this happens, it’s not unusual to see multiple domains registered by firms looking to offer legitimate loans or legal services to the ailing bank’s customers. It can be difficult to discern the authentic from those registered for nefarious ends.

There’s a long list of newly-registered lookalike domains that may try to deceive people in the future.

SVB phishing attempts

As always, phishing attempts focus on classic social engineering techniques such as:

  • Using a breaking news story to lure the recipient in
  • Spoofing SVB or other brands to gain recipient trust
  • Creating a sense of urgency to force recipients to act without thinking – not hard given the circumstances surrounding the collapse
  • Including malicious links/attachments to harvest information or steal funds

Some phishing attempts have focused on stealing the details of SVB customers – possibly to either sell on the dark web or to create a phishing list of targets to hit with future scams. Others have embedded more sophisticated methods of stealing cash from victims.

One effort uses a fake reward program from SVB claiming all holders of stablecoin USDC will get their money back if they click through. However, the QR code the victim is taken to will compromise their cryptocurrency wallet account.

A separate lure with the same QR-related crypto-stealing end goal used an announcement by USDC issuer Circle as its starting point. The firm said USDC would be redeemable 1:1 with the dollar, prompting the creation of new phishing sites with a Circle USDC claims page.

SVB BEC threats

As mentioned, this news event is also slightly unusual in providing the perfect conditions for BEC attacks to flourish. Finance teams are going to be legitimately approached by suppliers that previously banked with SVB and that have now switched financial institutions. As a result, they’ll need to update their account details. Attackers could use this confusion to do the same, impersonating suppliers with modified account payee details.

Some of these attacks may be sent from spoofed domains, but others may be more convincing, with emails that have been sent from legitimate but hijacked supplier email accounts. Organizations without sufficient fraud checks in place could end up mistakenly sending money to scammers.

How to avoid SVB and similar scams

Phishing and BEC are increasingly common. The FBI Internet Crime Report 2022 details over 300,000 phishing victims last year, cementing its status as the most popular cybercrime type of all. And BEC made scammers over US$2.7bn in 2022, making it the second highest-grossing category. Consider the following to stay safe from the scammers:

  • Be cautious about unsolicited messages received by email, SMS, social media etc. Try to independently verify them with the sender before deciding whether to reply.
  • Don’t download anything from an unsolicited message, click on any links or hand over any sensitive personal information.
  • Look for grammatical mistakes, typos etc. that can indicate a spoofed message.
  • Hover over the email sender’s display name – does it look authentic?
  • Switch on two-factor authentication (2FA) for all online accounts.
  • Use strong and unique passwords for all accounts, ideally stored in a password manager.
  • Regularly patch or switch on automatic updates for all devices.
  • Report anything suspicious to the corporate security team.
  • Importantly, ensure you have up-to-date security software on all your devices from a reputable provider.
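The “hover over the sender’s display name” check above, together with the earlier point about newly-registered lookalike domains, can be automated on the mail gateway. The following is an added example, not code from the original article or from ESET; the TRUSTED_DOMAINS allow-list, the HOMOGLYPHS table and the sample From headers are all constructed, and the registrable-domain logic is a simplification that skips a public-suffix list.

```python
"""Flag e-mail senders whose domain or display name only looks like a trusted brand.

Added example: not code from the original article or from ESET. TRUSTED_DOMAINS,
HOMOGLYPHS and the sample From headers are constructed for illustration; a real
deployment would use the organisation's own allow-list and a public-suffix list.
"""
from email.utils import parseaddr

# Constructed allow-list: registrable domains of organisations the finance team really deals with.
TRUSTED_DOMAINS = {"svb.com", "circle.com"}

# Common character substitutions used to build lookalike names (constructed subset).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}


def fold_lookalikes(label: str) -> str:
    """Rewrite a domain label so common digit/letter tricks collapse onto the real letters."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> dict:
    """Return a verdict ('trusted', 'unknown' or 'suspicious') plus the reasons found."""
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    labels = domain.split(".")
    # Simplification: treat the last two labels as the registrable domain.
    registrable = ".".join(labels[-2:])
    subdomain_labels = labels[:-2]
    reasons = []

    if registrable in TRUSTED_DOMAINS:
        return {"address": address, "verdict": "trusted", "reasons": reasons}

    if not domain.isascii():
        reasons.append("non-ASCII characters in domain (possible IDN homograph)")

    folded_name = fold_lookalikes(labels[-2]) if len(labels) >= 2 else ""
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in subdomain_labels:
            reasons.append(f"'{brand}' used as a subdomain of untrusted {registrable}")
        elif folded_name == brand:
            reasons.append(f"looks like '{brand}' after lookalike folding, but domain is {registrable}")
        elif brand in folded_name:
            reasons.append(f"'{brand}' embedded in untrusted domain {registrable}")
        elif edit_distance(folded_name, brand) == 1:
            reasons.append(f"{registrable} is one edit away from '{brand}'")
        if brand in display.lower():
            reasons.append(f"display name claims '{brand}' but address is {address}")

    verdict = "suspicious" if reasons else "unknown"
    return {"address": address, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed From headers in the style of the lures described above.
    for header in [
        "Silicon Valley Bank <alerts@svb.com>",
        "SVB Support <claims@svb-claims-portal.com>",
        "Circle USDC Claims <noreply@circ1e.com>",
        "svb.com <login@svb.com.verify-account.net>",
        "IT Helpdesk <help@example.org>",
    ]:
        result = classify_sender(header)
        print(f"{result['verdict']:10s} {header}")
        for reason in result["reasons"]:
            print(f"           - {reason}")
```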

For BEC specifically:

  • Check with a colleague before changing account details/approving payments for new accounts
  • Double check any requests for account updates with the requesting organization: don’t reply to their email, verify independently from your records

From a corporate IT security perspective:

  • Run continuous, regular phishing training exercises for all staff, including simulations of currently trending attacks
  • Consider gamification techniques which may help reinforce good behaviors
  • Build BEC into staff security awareness training
  • Invest in advanced email security solutions that include anti-spam, anti-phishing and host server protection, and prevent threats from even reaching their targets
  • Update payment processes so that large wire transfers must be signed off by multiple employees

We all need to be on the lookout for unexpected emails or calls – mainly those coming from a bank and requiring urgent action. Never click a link and input your banking login credentials nor give them over the phone at any time. To access your banking information, use your bank’s official website.


How to repel cyber-attacks on the COVID-19 vaccine supply chain

With COVID-19 vaccines finally being rolled out to a relieved world, the focus for cybersecurity experts has evolved from attacks on pharma companies that make the stuff to the companies that distribute it. Already, IBM has observed a major nation state phishing campaign targeting various supply chain organisations.

I recently spoke to a few experts for an upcoming Infosecurity Magazine feature to better understand the threats facing these organisations, and what they can do about the situation.

It’s a sabotage

The main threats they highlighted revolved around potential sabotage of distribution pipelines and/or misinformation campaigns designed to discourage users from getting inoculated. Both could be the result of hostile nations like Russia calculating they could gain an economic and geopolitical advantage by getting back to “business as usual” and economic stability before their rivals. There are also opportunities here for more financially minded cyber-criminals.

“It is clear that cyber-criminals will stop at nothing. Whether the motivation is financial gain, disruption, or because they’re on the payroll of a nation-state; not even a pandemic is beyond cyber exploitation,” Nominet’s government cybersecurity expert, Steve Forbes, told me. “Now as the vaccine moves to the transportation phase, there have been more attacks on the vaccine cold chain, the temperature-controlled environment needed to transport and store the vaccine, and the manufacturers of cold chain equipment.”

Unfortunately, there are many points of weakness in supply chains which could be exploited to devastating effect, according to Lux Research senior research associate, Lewie Roberts.

“Attackers are going to look for the easiest way in to a network, which is typically some kind of human error. People are statistically bound to make mistakes sometimes, especially as you increase the number of targets,” he told me. “Stuff like confidential customer information or trade secrets are the types of items that get more focus in the IT world. But as you get closer to physical industries, you’re protecting different types of things. False data on cold chains can result in tons of spoiled products. Attacks on operational tech can pose real safety threats to workers.”

Spreading confusion

Two former UK intelligence experts had some interesting things to say about the threat of misinformation.

“The overwhelming majority of activity will be criminal attacks for money. However, we have also seen nation states spreading confusion and undermining confidence, as well as stealing vaccine IP,” former GCHQ boss, Robert Hannigan told me. “Hacktivists and hostile nation states will amplify anti-vax messages for the same reasons: to sow division and polarise societies in the West.”

Former British army electronic warfare operator, Martyn Gill, who is now global managing partner at Wembley Partners, had more.

“Political hacktivists look to spread disinformation and noise through such channels as social media, as per the state-sponsored aim of increasing the lack of confidence in what the broad message may be around the vaccine. In many cases these actors are driven by their ideological and political beliefs, however, there remains a subset of actors who seek to cause disruption primarily as a means of entertainment,” he told me.

“Since the UK announced it was rolling out a COVID-19 vaccine, we have seen an increase in related phishing domains set up looking to target this new opportunity, as the general populace looks to understand what this means for them.”

Taking action

So what happens next? For Gill, information sharing is crucial.

“Strong communication and agreed intelligence sharing around trusted eco-systems will support a broad range of businesses to help them understand new threats whilst being able to share indicators of ongoing campaigns,” he explained. “Micro, small and medium businesses who don’t have big security budgets or security teams to monitor networks, implement vulnerability management and threat intelligence programs can look to open source platforms like IBM X-Force, Alien Vault OTX but also trusted individuals who deliver awesome advice through social media.”

According to Lux Research’s Roberts, the right response should focus on people as much as technology.

“Mapping data flows and endpoints, evaluating vendors, and having plans for breaches are all important and deep topics,” he argued.

“But moving away from the technology and towards the organization side, businesses need to hire experts and give them the influence and resources necessary to do the job. Safety and security aren’t often glamorous, but winning players recognise their importance before a problem arises.”