Is AI the antidote to the cybersecurity minefield?

Artificial Intelligence (AI) isn’t going anywhere anytime soon. With 20% of the C-suite already using machine learning and 41% of consumers believing that AI will improve their lives, wide scale adoption is imminent across every industry – and cybersecurity is no exception. A lot has changed in the cyber landscape over the past few years and AI is being pushed to the forefront of conversations. It’s becoming more than a buzzword and delivering true business value. Its ability to aid the cybersecurity industry is increasingly being debated; some argue it has the potential to revolutionise cybersecurity, whilst others insist that the drawbacks outweigh the benefits.

With several issues facing the current cybersecurity landscape such as a disappearing IT perimeter, a widening skills gap, increasingly sophisticated cyber attacks and data breaches continuing to hit headlines, a remedy is needed. The nature of stolen data has also changed – CVV and passport numbers are becoming compromised, so coupled with regulations such as GDPR, organisations are facing a minefield.

Research shows that 60% think AI has the ability to find attacks before they do damage. But is AI the answer to the never-ending cybersecurity problems facing organisations today?

The cost-benefit conundrum

On one hand, AI could provide an extremely large benefit to the overall framework of cybersecurity defences. On the other, the reality that it equally has the potential to be a danger under certain conditions cannot be ignored. Hackers are fast gaining the ability to foil security algorithms by targeting the data AI technology is training on. Inevitably, this could have devastating consequences.

AI can be deployed by both sides – by the attackers and the defenders. It does have a number of benefits such as the ability to learn and adapt to its current learning environment and the threat landscape. If it was deployed correctly, AI could consistently collect intelligence about new threats, attempted attacks, successful data breaches, blocked or failed attacks and learn from it all, fulfilling its purpose of defending the digital assets of an organisation. By immediately reacting to attempted breaches, mitigating and addressing the threat, cybersecurity could truly reach the next level as the technology would be constantly learning to detect and protect.

Additionally, AI technology has the ability to pick up abnormalities within an organisation’s network and flag it quicker than a member of the cybersecurity or IT team could; AI’s ability to understand ‘normal’ behaviour would allow it to bring attention to potentially malicious behaviour of suspicious or abnormal user or device activity.

As with most new technologies, for each positive there is an equal negative. AI could be configured by hackers to learn the specific defences and tools that it runs up against which would give way to larger and more successful data breaches. Viruses could be created to host this type of AI, producing more malware that can bypass even more advanced security implementations. This approach would likely be favoured by hackers as they don’t even need to tamper with the data itself – they could work out the features of the code a model is using and mirror it with their own. In this particular care, the tables would be turned and organisations could find themselves in sticky situations if they can’t keep up with hackers.

Organisations must be wary that they don’t adopt AI technology in cybersecurity ‘just because.’ As attack surfaces expand and hackers become more sophisticated, cybersecurity strategies must evolve to keep up. AI contributes to this expanding attack surface so when it comes down to deployment, the benefits must be weighed up against the potential negatives. A robust, defence-in-depth Information Assurance strategy is still needed to form the basis of any defence strategy to keep data safe.

Dan Panesar, VP EMEA, Certes Networks



BitSight responds to third-party healthcare breach exposing 31,000 records

The healthcare industry continues to be target of cyberattacks, with Managed Health Services (MHS) of Indiana Health Plan reporting that a third-party data breach of its vendor, LCP Transportation, exposed up to 31k patients’ information.

Jake Olcott, VP Communications and Government Affairs at BitSight, comments below:

“With medical data and personal patient information migrating to the digital world, and cyberattacks growing in complexity, the regulatory landscape is evolving. Third-party breaches, like the recent incident involving Managed Health Services (MHS), demonstrate companies should be more concerned about the security posture of their business associates—and the maturity of their vendor risk management (VRM) program—than ever before.

Simple contractual provisions are not enough to manage this risk: healthcare organisations must perform robust diligence assessments and continuously monitor third party business relationships to prevent catastrophic failure.

The issues and complexities that today’s healthcare organisations face aren’t waning. Vendor ecosystems are expanding, the number of patients is increasing, and business demands are growing. Organisations need to create scalable programs to manage the risk.”



Security researcher comment: Iran blamed for Global DNS Hijacking campaign

Mandiant Incident Response and Intelligence teams have identified a wave of DNS hijacking that has affected dozens of domains belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America.

Initial research suggests the actor or actors responsible have a nexus to Iran. This campaign has targeted victims across the globe on an almost unprecedented scale, with a high degree of success.

Commenting on the news are the following security researchers:

Craig Young, computer security researcher with Tripwire’s Vulnerability and Exposures Research Team (VERT):

“From what I know of this wave of attacks, most of the hijackings have involved compromised credentials being used to directly manipulate DNS records. This is very easy to guard against by limiting access to DNS server management portals and using FIDO based multi-factor authentication.

Organizations should also be taking advantage of certificate transparency logs to actively recognize if an illegitimate HTTPS certificate has been issued. Certificate transparency logging is required for all certification authorities in the CA/Browser Forum. For added security, organizations can even use HSTS preloading with certificate pinning to make sure browsers will not trust a certificate created through DNS hijacking.


In general, it is very important to closely monitor DNS configuration and promptly remove any stale records. This is especially true when stopping a cloud campaign, where the service required DNS records pointing to the cloud provider’s network. Frans Rosén with Detectify labs has demonstrated repeatedly that this situation can be used to take control of many high-value domains.


Compromised domains can be used to distribute malware, harvest credentials, and even spy on email.”


Chris Doman, security researcher at AlienVault:


“This is continuing activity that was earlier reported on by Cisco back in November. The main intention behind these attacks seems to be able to bypass the encryption on traffic to certain websites, by issuing attacker controlled security certificates.
It’s interesting that attackers in Iran are pointed to as a possible source of these attacks. Attackers in Iran were linked to somewhat similar attacks back in 2011 that involved compromising a certificate authority to issue their own certificates. US-CERT has provided some advice on how to respond to these attacks, with the primary recommendation being to ensure you have two-factor authentication enabled on your domain name setting panels.”



OXO International discloses data breach that occurred over two year period – Magecart likely suspect

United States based kitchen utensil manufacturer OXO International disclosed a data breach that spans numerous periods over two years. This breach notification states that customer and payment information may have been exposed and further research indicates this was most likely a MageCart attack.

Commenting on the news is Felix Rosbach, Product Manager at comforte:

“This is yet another example of what we’ve been seeing for years now. If you have to manage an enterprise with a complex network, complex web pages and an ever-expanding attack surface, it’s becoming exceedingly difficult to protect yourself against targeted attacks. This is especially true for online retailers, which not only process a huge amount of data but also need very sensitive data to process orders and online payments. Unfortunately, this makes online retailers a very attractive target for threat groups and hackers.

The famous quote, “know your enemy and know yourself, then you will not once be defeated in a hundred battles” sounds good in theory, but in practice, it seems to be impossible to know your enemy at all. Hackers always seem to be one step ahead. In addition, most companies are shocked when they find out that the average time it takes to detect a breach is 170 days. Nowadays it seems to take even longer when looking at the most recent breaches – meaning OXO is not alone – stating that the breach may have exposed customer information over the course of two years.


Bearing that in mind we have to conclude that cybersecurity is not only about preventing breaches. More importantly, you must protect the data & privacy of your customers by protecting their data at the earliest possible stage. Furthermore, it is important to have a well-trained incident response team that is prepared to react whenever a breach happens.”



Unsecured MongoDB database containing over 200 million CVs exposed

A huge MongoDB database containing over 200 million records with resumes from job seekers in China was left unprotected for at least one week with anyone able to locate it. The size of the cache weighed 854GB. The information exposed this way, 202,730,434 records in total, includes all the details one would expect to see in a resume: personal information (full name, date of birth, phone number, email address, civil status), professional experience and job expectations.

Commenting on the news is Jonathan Deveaux, head of enterprise data protection for comforte:

“In the case of this data breach, or data exposure, the unprotected data was open and available for about a week, according to the report.  Forensics from past data breaches have revealed that outside access to data was typically available for months, and sometimes years.  Therefore, one might say that the owners of this database were ‘lucky’ that the data was only exposed for a week.


Another interesting detail about this data exposure incident is that the personal information resided in a MongoDB database.  A quick view of the MongoDB website states that it is a document database that is highly scalable and flexible.  And it’s free and open source. Does technology that is free and open source mean its unsecured?  NO, but often data protection and privacy are applied *after* the initial objectives are met. This could mean that data is exposed and is unprotected for a while.


It is the responsibility of the administrator of the database, and ultimately the organisation collecting and storing the data, to enact effective data protection and privacy methods.  An 854GB cache of data with 200 million records initially doesn’t seem to be small, however, in the daily workload of an organisation, it is possible that securing this database may have been missed.


No matter what the reason is behind this data exposure, this incident surely points out that any kind of data could be at risk at any given time.  More must be done to consider data protection and privacy at the earliest point of entry into databases, files, and other stored areas, as to minimise exposures of all sizes.”




Hiscox stages ‘real world’ cyber attack on iconic bike manufacturer Brompton

Members of the public watched in astonishment recently as staff at a retailer of the iconic bike manufacturer Brompton arrived to find their store had been ‘hacked’.

In its latest cyber initiative, global insurer Hiscox, a specialist in small business and cyber insurance, collaborated with Brompton Bicycle to stage a ‘real world’ hack – simulating the effects of a cyber attack by constructing a complete clone of their east-London store overnight, hiring look-a-like staff and even stocking the shelves with counterfeit merchandise.

Reactions of staff and passers-by(watch the video) were captured as the fake store – ‘3rompton’ – opened its doors to the public on the opposite side of the road and subsequently launched a series of cyber attack simulations on the genuine Brompton store in Shoreditch.

Common hacking techniques such as ransomware and phishing were brought to life through a series of simulated offline attacks; the real store was boarded up, displaying a ransom note demanding Bitcoin in exchange for re-entry; genuine stock deliveries were diverted to the fake ‘3rompton’ store, highlighting the potential effects of a phishing scam; finally the real Brompton store was flooded with imitation customers overwhelming staff, simulating a denial-of-service (DDoS) attack.

According to the insurer, one in three (33%) UK small businesses have suffered a cyber breach and this simulation is the latest initiative in its cyber awareness campaign, set-up to highlight this risk.

James Brady, Head of Cyber at Hiscox, commented: “The frequency and severity of cyber attacks on UK businesses is alarming. Cyber criminals are swift, sophisticated and consider businesses of all shapes and sizes worthy targets so it’s vital that organisations are both aware of these risks and prepared to manage them.

“Businesses need to take ownership of their cyber security and put solid preventative measures in place. Unfortunately attacks will still get through and being prepared for those attacks is critical.”

Robert Hannigan, former Director of GCHQ and Special Advisor to Hiscox, commented: “Cyber crime is one of the biggest security risks facing businesses today but many aren’t taking it seriously and many more are underprepared. It’s a less tangible risk than burglary or a fire which can make it hard for businesses to grasp, so bringing cyber crime to life with an exercise like this is a useful way of conveying an important message.

“The hacking techniques being simulated such as ransomware and phishing are extremely commonplace and have been for many years. At the same time, new types of cyber crime continue to emerge, which makes staying on top of cyber security an ever-evolving challenge.”

 Will Butler-Adams, CEO Brompton Bicycle, added: “Our business is about our bike; the design, function and support we give to our customers over the life of the product. We have spent forty years developing the Brompton brand and continue to take risks to innovate and improve the design. When people copy us, with little understanding of the engineering and care behind the design, they are trying to fool our customers who may go on to buy a potentially dangerous product. We wanted to work with Hiscox to highlight these risks, as it is a serious issue and is not limited to the product but also to online cyber fraud, spam emails and viruses, that hurt businesses and their customers alike.”

Cyber security incidents cost the average small business £25,700, a year in direct costs (e.g. the costs of IT experts in response to the incident, lost revenue and replacement systems) but this is just the beginning. Indirect costs such as damage to reputation, the impact of losing customers and difficulty attracting future customers, means the true figure can be significantly higher.



What can be learnt about the approach to Forensic Science in other jurisdictions? Lords to hear evidence

On Tuesday 15th January the House of Lords Science and Technology Select Committee will continue to hear evidence about the use of forensic science in courts in England and Wales and its contribution to the delivery of justice.

The Committee will question Dr Sheila Willis, former Director-General of Forensic Science Ireland, the national forensic laboratory of the Republic of Ireland. Dr Willis is currently a guest researcher at the  United States of America’s National Institute of Standards Technology.

The Committee will ask what structures are in place in the Republic of Ireland, the U.S. and other countries that enable the most needed research in forensic science. The Committee will also explore approaches that successfully provide a current source of responsive, independent, balanced and accessible analysis of emerging science and technology to those involved in criminal investigations.

The Session will begin at 3:25pm in Committee Room 4A of the House of Lords. Giving evidence will be:

  • Dr Sheila Willis, Guest Researcher, National Institute of Standards and Technology

Questions the Committee are likely to ask include:

  • Where are the gaps in forensic science research and in the understanding of forensic science evidence given your experiences in various jurisdictions?
  • The Committee has heard in written and oral evidence about the value of a ‘sterile corridor’ between investigators and the delivery of forensic science. To what degree is this achieved in other jurisdictions and in your view what challenges does having a separation of this nature create, and address?
  • Are they any lessons from the way the forensic science market operates in other jurisdictions that can learned for England and Wales?



€1bn in Cyber Security Research Funding Evaluated, Revealing Academic Trends and Threats for 2019 and Beyond

Crossword Cybersecurity plc (AIM:CCS), the cyber security technology commercialisation company, has released insights from its global review of academic cyber security research.  The new database looked at nearly 1,200 current and past research projects from academic institutions in the United Kingdom, United States, Europe, Australia, and Africa.  It reaffirmed the value of the cyber security research market, with reported funding of EU projects at over €1 billion.

The database identified several global trends by comparing the periods January 2008 to June 2013 with July 2013 to December 2018.

  •   Cyber Physical Systems (CPS) – Over 100 projects were found in this area alone, a significant figure. The United States appears to be the most active in CPS research, with a    focus on securing critical infrastructure.
  •   Privacy – Projects related to privacy have increased by 183% in recent years.
  •   Internet of Things (IoT) – Projects with an IoT element have increased by 123% lately, with around 14% of current projects having this characteristic.
  •   Cryptography – With the promise of quantum computing on the horizon, there has been an influx of new projects that apply the technology to the future of cryptography, with a 227% increase in this area of research (albeit this was from a low base).

Significant differences can also be seen between regions. For instance, the EU appears distinctly focused on minimising Small & Medium Enterprises’ (SME) exposure to cyber security risk. Conversely, when compared with other regions, the US has a greater focus on the human component of cyber security. Other US top project funding areas include Cyber Physical Systems (as applied to smart cities and power grids), securing the cloud, cybercrime, and the privacy of Big Data sets (as applied to the scientific research community).

UK invests in securing the physical world

In the UK, the leading research verticals are critical infrastructure and securing the health sector (with 11 current projects each). Current funding across UK projects exceeds £70m, with quantum and IoT-related projects both more than doubling over five years.  There are currently nine new UK projects with a focus on Cyber Physical Systems.

The four UK projects with the greatest funding are in the fields of Safe and Trustworthy Robotics, Big Data Security, Cybercrime in the Cloud and Quantum Technology for Secure Communications.

The most notable UK decline was in big data projects, which have dropped by 85%.

Cryptography remains strong

There are currently 52 global projects with a cryptographic focus, and at least 39 current live EU projects featuring a cryptographic element. In the UK, this area has been consistently strong over the last ten years, with 18 projects starting between 2008 and mid 2013, and 19 projects from mid 2013 to now.

Tom Ilube, CEO at Crossword Cybersecurity plc said of the analysis, “The need to protect critical infrastructure has never been stronger as technology becomes more deeply embedded in every aspect of our daily lives.  However, one apparent omission is research solely focused on the application of AI techniques to complex cyber security problems. We hope to see more of that in the future, as the industry works to stay ahead of the constantly evolving cyber security landscape.”

The Crossword Cybersecurity database will be periodically updated, to deliver ongoing insight into the most prevalent cyber security research trends and investment areas. If you are interested in further details, please contact the Scientific Advisory Team at Crossword Cybersecurity on




GCHQ challenges girls to save the UK from cyber-attacks and seeks new generation of female codebreakers- Comment

GCHQ has created a new competition for girls aged 12 – 13 in codebreaking, in a bid to create the next generation of female cybersecurity professionals.

Because of the massive shortage of cybersecurity professionals today, it is more critical than ever for historically underrepresented demographics to help fill the need. There will be up to 3.5 million job openings by 2021 but in the meantime, women make up only 20% of the cybersecurity workforce. While that is up from a mere 11% in 2013, there is still a lot of opportunity to be seized in cybersecurity careers. What’s more, the UK needs people with disparate backgrounds because the people cybersecurity vendors are pursuing, (threat actors, hackers, ‘bad guys’) also have a wide variety of backgrounds and experiences. The wider variety of people and experience the UK has defending networks nationwide, the better our chances of success.

Thales eSecurity’s global CISO, Bridget Kenyon, comment: “It is great to see GCHQ launch its CyberFirst Girls Competition, which specifically targets girls aged 12 to 13. I’d like to see more of these initiatives targeted at harnessing the interest of female students in STEM subjects, and nurturing it to create cybersecurity practitioners for our future.

“Though the number of women in our industry is rising, women still represent only 20 percent of the overall cyber security community. Given the waves of data breaches hitting British organisations throughout 2018, and the ongoing skills shortage, it’s vital that we work to make cyber security an exciting and accessible career choice for all.”