Cybersecurity training for the Board of Directors in the healthcare industry



Overview

The Board and the CEO of legal entities in the healthcare industry must have the knowledge and skills necessary to assess cybersecurity risks, challenge security plans, discuss activities, formulate opinions, and evaluate policies and solutions that protect the assets of their organization. The failure to maintain adequate risk oversight can expose companies, officers, and directors to liability.

Directors owe fiduciary duties to their shareholders and have a significant role in overseeing the risk management of their entities. The failure to exercise appropriate oversight constitutes a breach of the duty of loyalty. A decision about cybersecurity that is negligent constitutes a breach of the duty of care.

The Board and the CEO must also assess whether and how to disclose a cyberattack internally and externally to customers and stakeholders. After a successful cyberattack, healthcare providers must provide evidence that they have an adequate and tested cybersecurity program in place that meets international standards, and that they had the knowledge, policies and procedures to prevent and detect a security breach.

We provide short, comprehensive briefings on key issues the board needs to be informed about in order to exercise professional judgment and adequate risk oversight.


Our Briefings for the Board:

We offer custom briefings for the Board of Directors and executive management, tailored to the specific needs of each legal entity. Our briefings can be short and comprehensive (60 minutes), or longer, depending on the needs, the content of the program and the case studies.

Alternatively, you may choose one of our existing briefings:


A. Cybersecurity briefings specific to the healthcare industry.


A1. Understanding the cybersecurity challenges in the healthcare industry, for the Board of Directors and executive management of EU and non-EU legal entities.

A2. Understanding the European Health Data Space (EHDS), for the Board of Directors and executive management of EU and non-EU legal entities.

A3. The NIS 2 Directive as it applies in the healthcare industry, for the Board of Directors and executive management of EU legal entities.

A4. The NIS 2 Directive as it applies in the healthcare industry, for the Board of Directors and executive management of non-EU legal entities.

A5. Understanding the extraterritorial application of EU law and the equivalence decisions of the European Commission.


B. Cybersecurity briefings for Board development.


B1. An effective cybersecurity culture and the Board of Directors.

B2. Social engineering and the Board of Directors.

B3. Social engineering: the targeting and victimization of key people through weaponized psychology.

B4. State-sponsored but independent hacking groups. The long arm of countries that exploit legal pluralism and make the law a strategic instrument.

B5. Deception, disinformation, misinformation, propaganda, and the role of the Board.

B6. Cyber espionage, intellectual property theft, and the role of the Board.

B7. Steganography in business intelligence and intellectual property theft, and the role of the Board.

B8. Cyber Proxies and the role of the Board.


You can find all information below.


Delivery format of the training program

a. In-House Instructor-Led Training program - designed and tailored for persons working for a specific company or organization (Board members, executive management, risk managers and employees etc.). In all In-House Instructor-Led Training programs an instructor from Cyber Risk GmbH that is approved by the Client travels to the location chosen by the Client and leads the class according to the needs of the Client and the Contract.

b. Online Live Training program - synchronous (real time, not pre-recorded) training program that takes place in a live virtual meeting room using platforms like Zoom, Webex, Microsoft Teams etc. In all Online Live Training programs, instructors from Cyber Risk GmbH that are approved by the Client tailor the method of delivery (interactive, non-interactive, etc.) to the needs of the Client, lead the virtual class, and answer questions according to the needs of the Client and the Contract.

c. Video-Recorded Training program - professional, pre-recorded training program. Instructors from Cyber Risk GmbH that are approved by the Client tailor the training content according to the needs of the Client and the Contract, and they record the training content in a professional studio. The training material (including any subsequent updates) is licensed by Cyber Risk GmbH to the Client for training purposes. Clients can incorporate the recorded videos to their internal learning system. Video-Recorded Training programs include Orientation Video Training and Compliance Video Training programs.



A1. Understanding the cybersecurity challenges in the healthcare industry, for the Board of Directors and executive management of EU and non-EU legal entities.

Overview

In 2020, hospitals, healthcare providers and medical facilities were struggling to handle not only the influx of patients suffering from Covid-19, but also a surge of ransomware attacks, as criminals (including state-sponsored groups) exploited the crisis to hit the sector.

Month after month, there are many successful cyberattacks on the healthcare industry. Cybersecurity breaches that expose sensitive data from thousands of people are especially important, as the privacy rules have become a nightmare for healthcare providers.

Social engineering, malware attacks, computer theft, unauthorized access to sensitive information (medical history, treatment of patients etc.) and ransomware, are only some of the challenges. WannaCry ransomware, for example, crippled parts of the U.K.’s National Health Service for many days.

After a successful attack, the damage to brand reputation of the healthcare provider is very important.

Healthcare providers must have sufficient defense mechanisms in place, and must be able to provide evidence about that. Cybersecurity awareness and training for healthcare practitioners, doctors and personnel is an important step, as even the best systems cannot protect the industry, when the persons having authorized access do not understand the risks and the modus operandi of the attackers.

Cybersecurity was not historically a major component of healthcare management. Month after month the industry is evolving into an increasingly digital environment, and in today’s threat landscape, healthcare organizations have cybersecurity professionals on staff, establish security policies and procedures, follow corporate governance best practices, ensure C-suite support and board involvement in understanding risks and countermeasures, and train all persons that have access to sensitive data.

A very significant priority is to ensure that each user who has access to sensitive data is well-trained and able to use data efficiently for the appropriate purpose. Cybersecurity leads to inconvenience by design. Only when users understand the risks and the need for countermeasures, they do not cut corners and they follow the policies and the procedures.


Modules of the tailor-made training

Introduction.

- Important developments in the healthcare industry after the new privacy regulations, including the General Data Protection Regulation (GDPR).

- Understanding the challenges.

An overview of some of the attacks described below, that are suitable for the objectives of the training. At the end of the presentation we will cover one or more of these attacks in depth.

- March 2016, 21st Century Oncology reveals that 2.2 million patients’ personal information may have been stolen, including patient names, Social Security numbers, doctor names, diagnosis and treatment information, and insurance information.

- September 2020, a ransomware attack to Universal Health Systems caused affected hospitals to revert to manual backups, divert ambulances, and reschedule surgeries.

- May 2022, hackers targeted Greenland’s healthcare system, causing networks to crash throughout the island, affecting health services.

- January 2022, a hacking group breached several German pharma and tech firms. According to the German government, it was primarily an attempt to steal intellectual property.

- January 2022, hackers breached systems belonging to the International Committee of the Red Cross, gaining access to data on more than 500,000 people and disrupting their services around the world.

- March 2021, intelligence services targeted the European Medicines Agency, stealing documents relating to COVID-19 vaccines and medicines.

- December 2020, hackers accessed data related to the COVID-19 vaccine being developed by Pfizer during an attack on the European Medicines Agency.

- February 2021, attempts to break into the computer systems of Pfizer to gain information about vaccines and treatments for the COVID-19.

- November 2020, hackers targeted COVID-19 vaccine developer AstraZeneca by posing as recruiters and sending the company’s employees fake job offers that included malware.

- May 2018, attackers used Facebook Messenger to distribute spyware to targets in the Middle East, Afghanistan, and India in an attempt to compromise government officials, medical professionals, and others.

- April 2019, pharmaceutical company Bayer announced it had prevented an attack targeting sensitive intellectual property.

- How could all these attacks succeed? Can we prevent challenges like the above?


Who is the “attacker”?

- Countries, competitors, criminal organizations, small groups, individuals, employees, insiders, service providers.

- Hacktivists and the healthcare industry.

- Professional criminals and information warriors.

- Cyber attacks against doctors, nurses, assistants, therapists, laboratory technicians, and all persons having authorized access to systems and data.


How do the adversaries plan and execute the attack?

- Step 1 – Collecting information about persons and systems.

- Step 2 – Identifying possible targets and victims.

- Step 3 – Evaluation, recruitment, and testing.

- Step 4 - Privilege escalation.

- Step 5 – Identifying important clients and VIPs.

- Step 6 – Critical infrastructure.


Employees and their weaknesses and vulnerabilities.

- Employee collusion with external parties.

- Blackmailing employees: The art and the science.

- Romance fraudsters and webcam blackmail: Which is the risk for the healthcare industry?


What must be protected?

- Best practices for managers, employees, doctors, nurses, assistants, therapists, laboratory technicians, and all persons having authorized access to systems and data.

- What to do, what to avoid.

- From client satisfaction vs. cyber security, to client satisfaction as the result of cyber security.


Social Engineering.

- Reverse Social Engineering.

- Common social engineering techniques

- 1. Pretexting.

- 2. Baiting.

- 3. Something for something.

- 4. Tailgating.


Phishing attacks.

- Spear-phishing.

- Clone phishing.

- Whaling – phishing for executives.

- Smishing and Vishing Attacks.


Cyber Hygiene.

- The online analogue of personal hygiene.

- Personal devices.

- Untrusted storage devices.


Case studies.

We will discuss the mistakes and the consequences in one or more of the following case studies:

- March 2016, 21st Century Oncology attack.

- September 2020, Universal Health Systems attack.

- May 2022, Greenland’s healthcare system attack.

- January 2022, German pharma and tech firms attack.

- January 2022, International Committee of the Red Cross attack.

- March 2021, European Medicines Agency.

- December 2020, COVID-19 vaccine being developed by Pfizer during an attack on the European Medicines Agency.

- February 2021, attempts to break into the computer systems of Pfizer to gain information about vaccines and treatments for the COVID-19.

- November 2020, hackers targeted AstraZeneca by posing as recruiters.

- May 2018, Facebook Messenger to distribute spyware to medical professionals.

- April 2019, Bayer announced it had prevented an attack targeting sensitive intellectual property.

- What has happened? Why has it happened? Which were the consequences? How could it be avoided? What can we learn from that?


Closing remarks and questions.


Target Audience

The program is beneficial to the Board of Directors and the CEO of firms and organizations in the healthcare industry. We will tailor the program to meet specific requirements. You may contact us to discuss your needs.


Duration

1 hour to half day, depending on the needs, the content of the program and the case studies.


Delivery format of the training program

a. In-House Instructor-Led Training,
b. Online Live Training, or
c. Video-Recorded Training.


Instructor

Our instructors are working professionals that have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html



A2. Understanding the European Health Data Space (EHDS), for the Board of Directors and executive management of EU and non-EU legal entities.

Overview.

The European Health Data Space is a health specific ecosystem comprised of rules, common standards and practices, infrastructures and a governance framework that aims at:

1. Empowering individuals through increased digital access to and control of their electronic personal health data, at national level and EU-wide.

2. Fostering a single market for electronic health record systems, relevant medical devices and high risk AI systems.

3. Providing a trustworthy and efficient set-up for the use of health data for research, innovation, policy-making and regulatory activities (secondary use of data).

The European Health Data Space is a key pillar of the European Health Union. It builds further on the General Data Protection Regulation (GDPR), and the NIS 2 Directive.

The European Union is building a strong European Health Union, in which all EU countries prepare and respond to health crises, have available, affordable, innovative and adequate medical supplies, and member countries work together to improve prevention, treatment and aftercare for diseases.

The COVID-19 pandemic shows the importance of coordination among European countries to protect health, both during a crisis and in normal times. The European Health Union improves EU-level protection, prevention, preparedness and response against human health hazards.


Understanding the European Health Data Space (EHDS).

1. Thanks to the EHDS, people will have immediate, and easy access to the data in electronic form, free of charge. They can easily share these data with other health professionals in and across Member States to improve health care delivery. Citizens will be in full control of their data and will be able to add information, rectify wrong data, restrict access to others and obtain information on how their data are used and for which purpose.

2. Member States will ensure that patient summaries, ePrescriptions, images and image reports, laboratory results, discharge reports are issued and accepted in a common European format.

3. Interoperability and security will become mandatory requirements. Manufacturers of electronic health record systems will need to certify compliance with these standards.

4. To ensure that citizens' rights are safeguarded, all Member States have to appoint digital health authorities. These authorities will participate in the cross-border digital infrastructure (MyHealth@EU) that will support patients to share their data across borders.

5. The EHDS creates a strong legal framework for the use of health data for research, innovation, public health, policy-making and regulatory purposes. Under strict conditions, researchers, innovators, public institutions or industry will have access to large amounts of high-quality health data, crucial to develop life-saving treatments, vaccines or medical devices and ensuring better access to healthcare and more resilient health systems.

6. The access to such data by researchers, companies or institutions will require a permit from a health data access body, to be set up in all Member States. Access will only be granted if the requested data is used for specific purposes, in closed, secure environments and without revealing the identity of the individual. It is also strictly prohibited to use the data for decisions, which are detrimental to citizens such as designing harmful products or services or increasing an insurance premium.

7. The health data access bodies will be connected to the new decentralised EU-infrastructure for secondary use (HealthData@EU) which will be set up to support cross-border projects.


Modules of the tailor-made training program.

- Reasons, and objectives of the European Health Data Space (EHDS).

- The problems with the uneven implementation and interpretation of the GDPR Regulation, and the considerable legal uncertainties, resulting in barriers to secondary use of electronic health data.

- The EHDS as a domain-specific common European data space.

- Health-specific challenges to electronic health data access and sharing.

- The EHDS as part of the European Health Union.

- How the EHDS complements the Data Governance Act (that lays down conditions for secondary use of public sector data), and the Data Act (that enhances portability of certain user-generated data, that include health data), and provides more specific rules for the health sector.

- How the EHDS interacts with the NIS 2 Directive, that improves cybersecurity risk management and introduces reporting obligations across sectors such as energy, transport, health and digital infrastructure.

- Subject matter, scope and definitions of the EHDS regulation.

- The additional rights and mechanisms designed to complement the natural person’s rights provided under the GDPR in relation to their electronic health data.

- The obligations of health professionals in relation to electronic health data.

- The need for each Member State to have a digital health authority, responsible for monitoring the EHDS rights and mechanisms.

- The new common infrastructure "MyHealth@EU", that facilitates cross-border exchange of electronic health data.

- The mandatory self-certification scheme for EHR systems, and compliance with interoperability and security requirements.

- Compatibility of electronic health records for easy transmission of electronic health data between systems.

- The obligations of each economic operator of EHR systems.

- The labelling of wellness applications, interoperable with EHR systems.

- The EU database where certified EHR systems and labelled wellness applications will be registered.

- The secondary use of electronic health data, for research, innovation, policy making, patient safety or regulatory activities.

- Data types that can be used for defined purposes. Prohibited purposes.

- The implementation of "data altruism" in health.

- Duties and obligations of the health data access body, the data holders and the data users.

- Responsibilities for the health data access bodies and data users as joint controllers of the processed electronic health data.

- The secondary use of electronic health data, the costs, and the transparency of fees calculation.

- The secure processing environment, required to access and process electronic health data.

- The conditions and the information needed in the data request form for obtaining access to electronic health data.

- Conditions attached to the issuance of the data permit.

- Setting up and fostering cross-border access to electronic health data, so that a data user in one Member State can have access to electronic health data for secondary use from other Member States, without having to request a data permit from all these Member States.

- The cross-border infrastructure.

- The international access to non-personal data in the EHDS.

- The ‘European Health Data Space Board’ (EHDS Board) that facilitates the cooperation between digital health authorities and health data access bodies.

- The composition of the EHDS Board, and how it is organised and functioning.

- Joint controllership groups, tasked with taking decisions related to the cross-border digital infrastructure necessary, both for primary and secondary use of electronic health data.

- The European Health Data Space (EHDS) for non-EU healthcare providers.

- The other EU directives and regulations that affect healthcare providers.

- Closing remarks.


Target Audience

The program is beneficial to the Board of Directors and the CEO of firms and organizations in the healthcare industry. We will tailor the program to meet specific requirements. You may contact us to discuss your needs.


Duration

1 hour to half day, depending on the needs, the content of the program and the case studies.


Delivery format of the training program

a. In-House Instructor-Led Training,
b. Online Live Training, or
c. Video-Recorded Training.


Instructor

Our instructors are working professionals that have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html



A3. The NIS 2 Directive as it applies in the healthcare industry, for the Board of Directors and executive management of EU legal entities.

Overview

The NIS 2 Directive replaces and repeals the NIS Directive (Directive 2016/1148/EC). NIS 2 will improve cybersecurity risk management and will introduce reporting obligations across sectors such as energy, transport, health and digital infrastructure.

Important obligations: According to Article 20 (Governance), the management bodies of essential and important entities must approve the cybersecurity risk-management measures taken by those entities, oversee its implementation and "can be held liable for infringements."

According to Article 20, Member States shall ensure that the "members of the management bodies of essential and important entities are required to follow training," and shall encourage essential and important entities to offer similar training to their employees on a regular basis, in order that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.

According to Article 21 (Cybersecurity risk-management measures), essential and important entities must take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services.

Taking into account the "state-of-the-art" and, where applicable, relevant European and international standards, as well as the cost of implementation, the measures referred shall ensure a level of security of network and information systems appropriate to the risks posed. When assessing the proportionality of those measures, due account shall be taken of the degree of the entity’s exposure to risks, the entity’s size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact.

The measures shall be based on an "all-hazards approach" that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include "at least" the following:

(a) policies on risk analysis and information system security;

(b) incident handling;

(c) business continuity, such as backup management and disaster recovery, and crisis management;

(d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;

(e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;

(f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures;

(g) basic cyber hygiene practices and cybersecurity training;

(h) policies and procedures regarding the use of cryptography and, where appropriate, encryption;

(i) human resources security, access control policies and asset management;

(j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.


Course Synopsis

- Are you sure we must comply with the NIS 2 Directive? Where can we find this information?
- Are we an essential or important entity? Why?

- What is this "high common level of cybersecurity across the EU"?
- The new competent authorities - the Cooperation Group, the cyber crisis management authorities, the single points of contact on cybersecurity, and the Computer Security Incident Response Teams (CSIRTs).
- The European cyber crisis liaison organisation network (EU-CyCLONe) for large-scale cybersecurity incidents and crises.
- The new cybersecurity risk management measures and reporting obligations.
- The new cybersecurity information sharing obligations.

- Cybersecurity risk management measures and reporting obligations.
- Governance.
- The management bodies of essential and important entities must approve the cybersecurity risk-management measures.
- The management bodies of essential and important entities are required to follow training, and encourage essential and important entities to offer similar training to their employees.
- Cybersecurity risk-management measures.
- Reporting obligations.

- Jurisdiction and territoriality.
- Entities are considered to fall under the jurisdiction of the Member State in which they are established.
- Entities are considered to have their main establishment in the Union in the Member State where the decisions related to the cybersecurity risk-management measures are predominantly taken.
- Entities not established in the EU, but offer services within the EU, must designate a representative in the EU.
- The role and the tasks of the representative.

- Cybersecurity information-sharing arrangements.
- General aspects concerning supervision and enforcement.

- What is next: Delegated and Implementing Acts.
- Review.
- Transposition.

- Master plan and list of immediate actions, for firms established in the EU.

- Other new EU directives and regulations that introduce compliance challenges to EU firms: The European Cyber Resilience Act, the Digital Operational Resilience Act (DORA), the Critical Entities Resilience Directive (CER) etc.

- Closing remarks.


Target Audience

The program is beneficial to the Board of Directors and the CEO of firms and organizations in the healthcare industry. We will tailor the program to meet specific requirements. You may contact us to discuss your needs.


Duration

1 hour to half day, depending on the needs, the content of the program and the case studies.


Delivery format of the training program

a. In-House Instructor-Led Training,
b. Online Live Training, or
c. Video-Recorded Training.


Instructor

Our instructors are working professionals that have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html



A4. The NIS 2 Directive as it applies in the healthcare industry, for the Board of Directors and executive management of non-EU legal entities.

Overview

Under Article 26 of the NIS 2 Directive (Jurisdiction and territoriality), if an entity is not established in the EU, but offers services within the EU, it shall designate a representative in the EU. The representative shall be established in one of those Member States where the services are offered. Such an entity shall be considered to fall under the jurisdiction of the Member State where the representative is established. In the absence of a representative, any Member State in which the entity provides services may take legal actions against the entity for the infringement of this Directive.


Course Synopsis

- What is extraterritoriality?
- Extraterritorial application of EU law.
- Risk and compliance management challenges for firms established in non-EU countries.
- Are you sure we must comply with the NIS 2 Directive? Where can we find this information?
- Are we an essential or important entity in the EU? We are not established in the EU, and we are regulated in our country.

- Jurisdiction and territoriality.
- Entities are considered to fall under the jurisdiction of the Member State in which they are established.
- Entities are considered to have their main establishment in the Union in the Member State where the decisions related to the cybersecurity risk-management measures are predominantly taken.
- Entities not established in the EU, but offer services within the EU, must designate a representative in the EU.
- The tasks of the representative.

- The "high common level of cybersecurity across the Union".
- The new cybersecurity risk-management measures and reporting obligations.
- The new cybersecurity information sharing obligations.
- The new EU competent authorities and single points of contact.
- The new European cyber crisis liaison organisation network (EU-CyCLONe) for large-scale cybersecurity incidents and crises.
- International cooperation.

- Cybersecurity risk management measures and reporting obligations.
- Governance.
- The management bodies of essential and important entities approve the cybersecurity risk-management measures.
- The management bodies of essential and important entities are required to follow training, and encourage essential and important entities to offer similar training to their employees.
- Cybersecurity risk-management measures.
- Reporting obligations.

- General aspects concerning supervision and enforcement.
- Supervisory and enforcement measures in relation to essential entities.
- Supervisory and enforcement measures in relation to important entities.
- General conditions for imposing administrative fines on essential and important entities.
- Infringements entailing a personal data breach.
- Penalties.

- What is next - Delegated and Implementing Acts.
- Review.
- Transposition.

- Master plan and list of immediate actions, for firms established in non-EU countries.

- Other new EU directives and regulations that introduce compliance challenges to EU and non-EU firms: The European Cyber Resilience Act, the Digital Operational Resilience Act (DORA), the Critical Entities Resilience Directive (CER) etc.

- Closing remarks.


Target Audience

The program is beneficial to the Board of Directors and the CEO of firms and organizations.


Duration

1 hour to half day, depending on the needs, the content of the program and the case studies. We always tailor the program to the needs of each client.


Delivery format of the training program

a. In-House Instructor-Led Training,
b. Online Live Training, or
c. Video-Recorded Training.


Instructor

Our instructors are working professionals that have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html



A5. Understanding the extraterritorial application of EU law and the equivalence decisions of the European Commission.

Course Synopsis

The terms ‘extraterritoriality’ and ‘extraterritorial jurisdiction’ refer to the competence of a country to extend its legal powers beyond its territorial boundaries, and to make, apply and enforce rules of conduct in respect of persons, property or events beyond its territory.

The Sarbanes-Oxley Act of 2002, for example, applies to foreign auditors and foreign companies whose securities are listed in a US stock exchange.

Extraterritorial application of EU law is the application of EU provisions outside the territory of the EU, resulting from EU unilateral legislative and regulatory action.

For example, according to EU’s General Data Protection Regulation (GDPR), non-EU data controllers and processors in any country, must comply with the GDPR obligations, if they offer goods or services to individuals in the EU.

Anu Bradford, Professor of Law in Columbia Law School, is the author of the book “The Brussels Effect: How the European Union Rules the World” (2020), that was named one of the best books of 2020 by Foreign Affairs.

In 2012, she introduced the concept of the ‘Brussels Effect’, that describes Europe’s unilateral power to regulate global markets.

Anu Bradford explains why most global corporations choose to adopt the European laws, regulations and standards in the design and operation of their products and services.

The EU standards are generally stricter, and in most cases, when you comply with EU rules, you comply with laws and regulations around the world.

Even when this approach is more costly, global corporations prefer to have an enterprise-wide, single mode of production and operations, and to market their goods and services globally.

Following the doctrine "you comply with EU rules, you comply around the world", global corporations and service providers need professionals that understand the EU laws, regulations, standards and guidelines.

When the European Commission determines that the regulatory or supervisory regime of a non-EU country is equivalent to the corresponding EU framework:

- allows authorities in the EU to rely on supervised entities' compliance with equivalent rules in a non-EU country,

- reduces or eliminates overlaps in compliance requirements for both EU and non-EU entities,

- makes services and products of non-EU companies accepted in the EU,

- allows third-country firms to provide services without establishment in the EU single-market.

We will discuss what happens when the European Commission determines that the regulatory or supervisory regime of a non-EU country is not equivalent to the corresponding EU framework, or when the European Commission has not yet determined if the regulatory or supervisory regime of a non-EU country is equivalent.

We can understand better equivalence decisions from the experience we have with the Accounting Directive, the Audit Directive, the Capital Requirements Regulation (CRR), the Credit Rating Agencies Regulation, the European Market Infrastructure Regulation (EMIR), the Market Abuse Regulation (MAR), the Markets in Financial Instruments Directive (MiFID II), the Markets in Financial Instruments Regulation (MiFIR), the Prospectus Directive, the Solvency II Directive and the Transparency Directive.

After this presentation, the Board and executive management will have a clear understanding or what is mandatory and what is "nice to have", and the consequences of non-compliance.


Target Audience

The program is beneficial to the Board of Directors and the CEO of firms and organizations.


Duration

1 hour to half day, depending on the needs, the content of the program and the case studies. We always tailor the program to the needs of each client.


Delivery format of the training program

a. In-House Instructor-Led Training,
b. Online Live Training, or
c. Video-Recorded Training.


Instructor

Our instructors are working professionals that have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html



B1. An effective cybersecurity culture and the Board of Directors.

Overview

The Board of Directors, as the culture owner, must ensure that the beliefs, the perceptions, the attitudes, the assumptions, and the norms regarding cybersecurity are in line with the mission and the vision of their organization. They must also ensure that information security considerations are an integral part of every employee’s and manager’s job, habits, and conduct.

The majority of data breaches within organisations are the result of human actors. Cybersecurity is not only a technical challenge. As long as managers and employees can provide access to systems and data, cybersecurity depends on them too.

Employees that have access to critical assets of an organization, become targets. Those that have access to technology and organizational assets are also responsible for the protection of those assets. Are they fit and proper to handle this responsibility? Do they have the awareness and skills necessary to protect themselves and their organisation?

The economic costs of cyberattacks and breaches are more important than many directors and managers believe. There are direct and indirect costs, that include downtime of services, compromise of confidential information, fines, decreased profits through reputational damage, supervisory scrutiny etc.

We must tailor the program, to include the organization’s cybersecurity compliance obligations and their implications across all relevant jurisdictions, the specific threat actors the organization faces, and how is the organization more likely to be breached.


Target Audience

The program is beneficial to the Board of Directors and the CEO.


Duration

One hour to half day, depending on the needs, the content of the program and the case studies.


Instructor

Our instructors are working professionals that have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Delivery format of the training program

a. In-House Instructor-Led Training,
b. Online Live Training, or
c. Video-Recorded Training.


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html



B2. Social engineering and the Board of Directors

Overview

Cybersecurity is not only a technical challenge. It is also a behavioral challenge. As long as managers and employees can provide access to systems and data, cybersecurity depends on them too.

Employees that have access to critical assets of an organization, become targets. Those that have access to technology and organizational assets are also responsible for the protection of those assets. Are they fit and proper to handle this responsibility? Do they have the awareness and skills necessary to protect themselves and their organisation?

The Board and the CEO are high value targets, so they are high risk targets too. For them, standard security awareness programs are not going to suffice. The way they are being targeted is anything but standard. They are the recipients of the most sophisticated, tailored attacks, including state-sponsored attacks. These are attacks that are often well planned, well crafted, and employ advanced psychological techniques able to sway a target towards a desired (compromising) behavior without raising any alarms.

Are the Board members and the CEO equipped with the knowledge necessary to defend the organization and to protect themselves from well-funded, planned, and sophisticated attacks?


Course Synopsis

Board members and the CEO must understand better the social engineering modus operandi. We will cover:


The Social Engineering Kill-chain.

1. Reconnaissance: The research phase used to identify and select targets.

2. Targeting: Who is the most vulnerable person to attack? What is the biggest vulnerability of the target?

3. Pretexting: The attacker’s cover story.

4. Establishing trust with the target.

5. Manipulating, exploiting, and victimizing.

6. Case studies.


Typical Social Engineering Attacks from a Distance.

1. Phishing Emails.

2. Spear Phishing.

3. Vishing.

4. Smishing.

5. Watering Holes.

6. Spoofing.

7. Baiting.

8. Whaling phishing.

9. Emotional triggers that will make you want to respond - but you shouldn’t.

10. Case studies.

11. Defence.


Is your social media content making you a target?

1. Social media is a primary source of information for attackers.

2. How your social media content can be used against you.

3. Cybersecurity hygiene advice for social media.

4. Attacks through social media.

5. Examples.

6. Defense.


In- Person attacks and manipulation techniques.

1. USB traps.

2. Emotional elicitation & exploitation.

3. Time pressure.

4. Authority.

5. Likeability.

6. Intimidation.

7. Reciprocity.

8. Impersonation.

9. Pity & Helpfulness.

10. Commitment & Consistency.

11. Reverse Social Engineering.

12. Examples & Case Studies.

13. Defence.


Physical security.

1. Why social engineers will try to enter your establishment.

2. What assets can be stolen/ compromised?

3. Gaining unauthorized access to physical spaces.

4. Tailgating and bypassing physical security measures.

5. Locked does NOT mean secure - lockpicking capabilities.

6. Defence.


Identifying a social engineering attack.

1. Identifying manipulation and deceit.

2. Emotional triggers, emotional exploitation & what to do about it.

3. Verifying intentions - subtly.

4. Case studies.

5. Responding to and deterring a social engineering attack.


Target Audience

The program is beneficial to the Board of Directors and the CEO.


Duration

One hour to half day, depending on the needs, the content of the program and the case studies.


Delivery format of the training program

a. In-House Instructor-Led Training,
b. Online Live Training, or
c. Video-Recorded Training.


Instructor

Christina Lekati, psychologist, social engineering training expert. To learn about her you may visit: https://www.cyber-risk-gmbh.com/About_Christina_Lekati.html


Christina Lekati, Social Engineering Training Expert


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html



B3. Social engineering: the targeting and victimization of key people through weaponized psychology

Overview

Threat actors are not interested in attacking everyone and anyone in an organization. High value individuals are the ones with elevated access to information, assets, and systems. Board members and the C-Suite become by default high-risk targets for cyberattacks.

The most effective and frequent method to attack high value individuals is weaponized psychology. Board members and C-Level executives must learn the answers to the following questions:

- Which is the advanced psychological game that threat actors use to compromise their targets?

- How do they find their targets’ vulnerabilities?

- What can we do to avoid being exploited from a determined adversary with a carefully planned attack?

High-value individuals must understand the threat, to protect themselves and their organisation from cyber attacks, industrial espionage, competitors, and other threat actors lurking online and offline.


Target Audience

The program is beneficial to the Board of Directors and the CEO.


Duration

One hour to half day, depending on the needs, the content of the program and the case studies.


Delivery format of the training program

a. In-House Instructor-Led Training,
b. Online Live Training, or
c. Video-Recorded Training.


Instructor

Christina Lekati, psychologist, social engineering training expert. To learn about her you may visit: https://www.cyber-risk-gmbh.com/About_Christina_Lekati.html


Christina Lekati, Social Engineering Training Expert

Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html



B4. State-sponsored but independent hacking groups. The long arm of countries that exploit legal pluralism and make the law a strategic instrument


Overview

According to Article 51 of the U.N. Charter: “Nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security.”

But is a cyber-attack comparable to an armed attack?

There is no international consensus on a precise definition of a use of force, in or out of cyberspace. Nations assert different definitions and apply different thresholds for what constitutes a use of force.

For example, if cyber operations cause effects that, if caused by traditional physical means, would be regarded as a use of force under jus ad bellum, then such cyber operations would likely also be regarded as a use of force.

Important weaknesses of international law include the assumption that it is possible to isolate military and civilian targets with sufficient clarity, and to distinguish a tangible military objective to be attained from an attack.

More than 20 countries have announced their intent to use offensive cyber capabilities, in line with Article 2(4) and Article 51 of the United Nations (UN) Charter.

Unfortunately, these capabilities will not help when the attackers are State-sponsored groups, and the States supporting them, claim that not only they are not involved, but also that their adversaries (the victims) have fabricated evidence about it. This is a very effective disinformation operation.

Adversaries have already successfully exploited weakness of non-authoritarian societies, especially the political and legal interpretation of facts from different political parties. It is difficult to use offensive cyber capabilities in line with democratic principles and international law, as it is almost impossible to distinguish with absolute certainty between attacks from States and attacks from State-sponsored independent groups.

Even when intelligence services know that an attack comes from a State that uses a State-sponsored independent group, they cannot disclose the information and the evidence that supports their assessment, as disclosures about technical and physical intelligence capabilities and initiatives can undermine current and future operations. This is the “second attribution problem” – they know but they cannot disclose what they know.

As an example, we will discuss the data breach at the U.S. Office of Personnel Management (OPM). OPM systems had information related to the background investigations of current, former, and prospective federal government employees, U.S. military personnel, and those for whom a federal background investigation was conducted. The attackers now have access to information about federal employees, federal retirees, and former federal employees. They have access to military records, veterans' status information, addresses, dates of birth, job and pay history, health insurance and life insurance information, pension information, data on age, gender, race, even fingerprints.

But why?

Aldrich Ames, a former intelligence officer turned mole, has said: “Espionage, for the most part, involves finding a person who knows something or has something that you can induce them secretly to give to you. That almost always involves a betrayal of trust.”

Finding this person is much easier, if you have data easily converted to intelligence, like the data stolen from the U.S. Office of Personnel Management (OPM). This leak is a direct risk for the critical infrastructure.

There are questions to be answered, and decisions to be made, not only about tactic and strategy, but also political and legal interpretation.

We tailor the program to meet specific requirements. You may contact us to discuss your needs.


Target Audience

The program is beneficial to the Board of Directors and the CEO.


Duration

One hour to half day, depending on the needs, the content of the program and the case studies.


Delivery format of the training program

a. In-House Instructor-Led Training,
b. Online Live Training, or
c. Video-Recorded Training.


Instructor

Our instructors are working professionals that have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html



B5. Deception, disinformation, misinformation, propaganda, and the role of the Board.


Overview

Misinformation is incorrect or misleading information.

Disinformation is false information, deliberately and often covertly spread, in order to influence public opinion, or obscure the truth.

Propaganda is a broader and older term. Propaganda uses disinformation as a method. While the French philosopher Jacques Driencourt asserted that everything is propaganda, the term is most often associated with political persuasion and psychological warfare.

Psychological warfare is the use of propaganda against an enemy (or even a friend that could become an enemy in the future), with the intent to break his will to fight or resist, or to render him favorably disposed to one's position.

In deception (according to Bell and Whaley), someone is showing the false and hiding the real. Hiding the real is divided into masking, repackaging, and dazzling, while showing the fake is divided into mimicking, inventing, and decoying.

People are remarkably bad at detecting deception and disinformation.

They often trust what others say, and usually they are right to do so. This is called the “truth bias”. People also tend to believe something when it is repeated. They tend to believe something they learn for the first time, and subsequent rebuttals may reinforce the original information, rather than dissipate it.

Humans have an unconscious preference for things they associate with themselves, and they are more likely to believe messages from users they perceive as similar to themselves. They believe that sources are credible if other people consider them credible. They trust fake user profiles with images and background information they like.

Citizens must understand that millions of fake accounts follow thousands of real and fake users, creating the perception of a large following. This large following enhances perceived credibility, and attracts more human followers, creating a positive feedback cycle.

People are more likely to believe others who are in positions of power. Fake accounts have false credentials, like false affiliation with government agencies, corporations, activists, and political parties, to boost credibility.

Freedom of information and expression are of paramount importance in many cultures. The more freedom of information we have, the better. But the more information we have, the more difficult becomes to understand what is right and what is wrong. The right of expression and the freedom of information can be used against the citizens. We often have the weaponization of information.

The Internet and the social media are key game-changers in exploiting rights and freedoms. In the past, a secret service should work hard to get disinformation in the press. Today, the Internet and the social media give the opportunity for spreading limitless fake photos, reports, and "opinions". Many secret services wage online wars using Twitter, Facebook, LinkedIn, Google+, Instagram, Pinterest, Viber etc. Only imagination is the limit.

Social media platforms, autonomous agents, and big data are directed towards the manipulation of public opinion. Social media bots (computer programs mimicking human behaviour and conversations, using artificial intelligence) allow for massive amplification of political views, manufacture trends, game hashtags, add content, spam opposition, attack journalists and persons that tell the truth.

In the hands of State-sponsored groups these automated tools can be used to both boost and silence communication and organization among citizens.

Over 10 percent of content across social media websites, and 62 percent of all web traffic, is generated by bots, not humans. Over 45 million Twitter accounts are bots, according to researchers at the University of Southern California.

Machine-driven communications tools (MADCOMs) use cognitive psychology and artificial intelligence based persuasive techniques. These tools spread information, messages, and ideas online, for influence, propaganda, counter-messaging, disinformation, espionage, intimidation. They use human-like speech to dominate the information-space and capture the attention of citizens.

Artificial intelligence (AI) technologies enable computers to simulate cognitive processes, such as elements of human thinking. Machines can make decisions, perceive data or the environment, and act to satisfy objectives.

The rule of the people, by the people, and for the people, requires citizens that can make decisions in areas they do not always understand. When citizens understand the online environment, they will be way more prepared to protect their families, their working environment, and their country.


Target Audience

The program is beneficial to the Board of Directors and the CEO.


Duration

One hour to half day, depending on the needs, the content of the program and the case studies.


Delivery format of the training program

a. In-House Instructor-Led Training,
b. Online Live Training, or
c. Video-Recorded Training.


Instructor

Our instructors are working professionals that have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html



B6. Cyber espionage, intellectual property theft, and the role of the Board.


Overview

Intelligence is the collection of information that have military, political, or economic value.

Intelligence refers to both:

- information that is collected by clandestine means,

- information available through conventional means.

Espionage is a set of intelligence gathering methods.

The Oxford’s English Dictionary defines espionage as “the practice of spying or of using spies, typically by governments, to obtain political and military information.”

The Merriam-Webster's Dictionary has a slightly different opinion. Espionage is “the practice of spying or using spies, to obtain information about the plans and activities especially of a foreign government or a competing company.”

The U.S. Federal Bureau of Investigations (FBI) defines economic espionage as "the act of knowingly targeting or acquiring trade secrets to benefit any foreign government, foreign instrumentality, or foreign agent."

According to the 2019 Situation Report of the Swiss Federal Intelligence Service (FIS): "Espionage is driven by a variety of different motives and has more than one aim. For example, states strive, using information obtained by their intelligence services, to gain a fuller picture of the situation in order to improve the effectiveness of their actions.

It can furthermore be observed that information is increasingly being procured with the aim of influencing (in so-called influence operations) or damaging the actions of rivals. Both can be achieved through the selective publication of information. The aim of such activities is often to weaken the cohesion of international groups or institutions and thereby to restrict their ability to act."

Cyber is a prefix used to describe new things that are now possible as a result of the spread of computers, systems, and devices, that are interconnected. It relates to data processing, data transfer, or information stored in systems.

With the word cyber we also refer to anything relating to computers, systems, and devices, especially the internet.

The prefix cyber has been added to a wide range of words, to describe new flavors of existing concepts, or new approaches to existing procedures.

Intelligence gathering involves human intelligence (HUMINT - information collected and provided by human sources), signals intelligence (SIGINT - information collected by interception of signals), imagery intelligence (IMINT), measurement and signature intelligence (MASINT), geospatial intelligence (GEOINT), open-source intelligence (OSINT), financial intelligence (FININT), etc.

HUMINT is the oldest form of intelligence gathering. Cyber-HUMINT refers to the strategies and practices used in cyberspace, in order to collect intelligence while attacking the human factor.

Cyber-HUMINT starts with traditional human intelligence processes (recruitment, training, intelligence gathering, deception etc.), combined with social engineering strategies and practices.

Cyber espionage includes:

- unauthorized access to systems or devices to obtain information,

- social engineering to the persons that have authorized access to systems or devices, to obtain information.

Cyber espionage involves cyber attacks to obtain political, commercial, and military information.

Cyber espionage and traditional espionage have similar or the same end goals. Cyber espionage exploits the anonymity, global reach, scattered nature, the interconnectedness of information networks, the deception opportunities that offer plausible deniability.

Economic and industrial espionage, including cyber espionage, represents a significant threat to a country’s prosperity, security, and competitive advantage. Cyberspace is a preferred operational domain for many threat actors, including countries, state sponsored groups, the organized crime, and individuals. Artificial Intelligence (AI) and the Internet of Things (IoT) introduce new vulnerabilities.

Cyber economic espionage is the targeting and theft of trade secrets and intellectual property. It is usually much larger in scale and scope, and it is a major drain on competitive advantage and market share.

According to Burton (2015), cyber threats can be classified into four main categories: Cybercrime, cyber espionage, cyberterrorism, and cyber warfare.

Cybercrime is crime enabled by or that targets computers. Criminal activities can be carried out by individuals or groups who have diverse goals such as financial gain, identity theft, and damaging property. Usually cybercrime is financially motivated.

Cyber espionage activities are conducted by state-sponsored cyber attackers "for the purpose of providing knowledge to the states to obtain political, commercial, and military gain" (Burton, 2015).

According to Denning, cyberterrorism is “the convergence of cyberspace and terrorism" that covers politically motivated hacking and operations intended to cause grave harm such as loss of life or severe economic damage.

Cyber Warfare involves the use of computers and systems to target an enemy’s information systems. The use of cyber power in military operations is an important force multiplier. Since the armed forces are highly dependent on information technologies and computer networks, disruption of these systems would provide great advantages.

Cyberspace is regarded as the fifth domain of warfare after land, sea, air, and space. NATO Secretary General Jens Stoltenberg announced in June 2016 that “the 28-member alliance has agreed to declare cyber an operational domain, much as the sea, air and land are”.

According to the 2019 Situation Report of the Swiss Federal Intelligence Service (FIS): "Espionage operations which have come to light reveal that cyber tools and other communications reconnaissance instruments are being used in parallel and in interaction with human sources.

Depending on the objective, information is also being procured exclusively via cyberspace. The latter has gained in importance insofar as the use of cyber-based information-gathering tools has proven successful for many actors.

Cyber espionage is difficult to detect, the perpetrators can hardly be successfully prosecuted, as the purported country of origin does of course not help to elucidate the affair and determination by the means of intelligence of the origins of the cyber-attack (ʻattributionʼ) can simply be denied based on the lack of provability."

A major challenge today is the lack of awareness and training. Many organizations and companies continue to believe that cyber security is a technical, not a strategic discipline. They believe that cyber security involves the protection of systems from threats like unauthorized access, not the awareness and training of persons that have authorized access to systems and information.


Target Audience

The program is beneficial to the Board of Directors and the CEO.


Duration

One hour to half day, depending on the needs, the content of the program and the case studies.


Delivery format of the training program

a. In-House Instructor-Led Training,
b. Online Live Training, or
c. Video-Recorded Training.


Instructor

Our instructors are working professionals that have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html



B7. Steganography in business intelligence and intellectual property theft, and the role of the Board.


Overview

Steganography is the art and the science of concealing a message, image, or file within another message, image, or file, and communicating in a way that hides the existence of the message and the communication. For example, a message can be hidden inside a graphic image file, an audio file, or other file format, in a way that it is difficult for steganography experts and impossible for all the others to find it.

The word steganography comes from the Greek words στεγανός (covered or concealed) and γράφω (write). Payload is the data that has been hidden, and carrier is whatever (like a file) hides the payload.

Steganography is different from cryptography. Cryptography is the art of secret writing, it makes a message unreadable by a third party, but it does not hide the existence of the message. Steganography is about concealing the message.

It is relatively easy to identify an encrypted file, but it is usually not so easy to decrypt it. The analysts might be able to identify the encryption method by examining the file header, identifying encryption programs installed on the system, or finding encryption keys (which are often stored on other media).

With steganography, everything is more complex and difficult. The analysts must first find the file that hides another encrypted file (looking for multiple versions of the same image, identifying the presence of grayscale images, searching metadata and registries, using histograms, and using hash sets to search for known steganography software), then the analysts might be able to extract the embedded data, and they still have to find the encryption key (as the hidden file is usually encrypted too).

Steganography can be very useful. Using digital watermarking, an author can embed a hidden message in a file so that ownership of the intellectual property can be proved. Artists can post artwork on a website, and if others claim the ownership of the work, the artists can prove ownership as they can recover the watermark. Steganography has also a number of nefarious applications. Criminals can easier hide records of illegal activity and financial crimes, and terrorists can easier exchange messages.

Steganalysis is the analysis of steganography, and involves the detection of hidden data, the extraction of the hidden message, and sometimes the alteration of the hidden message so that the recipient cannot extract it, or receive a different message.

Many steganalysis tools are signature-based (similar to antivirus and intrusion detection systems). There are also anomaly-based steganalysis systems, more flexible and better for new steganography techniques.

New complex steganography methods continue to emerge. Spread-spectrum steganography methods are similar to spread-spectrum radio transmissions (where the signal is spread across a wide-frequency spectrum rather than focused on a single frequency, in an effort to make detection and jamming more difficult). In spread-spectrum steganography, small distortions to images are less detectable in bright colors, so the hidden message is stored in bright colors only, not each color. You can also check the Biosteganography link at the top of the webpage.


Case study, steganography used in espionage, organized crime, and terrorism.

Consider the following scenario. Every Friday afternoon (for the target's time zone) a member of a foreign state-sponsored group puts an item for sale on eBay, and posts a photograph of the item. The item for sale is real, and it will be sold according to the rules of eBay. Bids are accepted, money is collected, and items are delivered. The photograph of the item hides a message, but this is just one from so many millions of photos that can be found at eBay. Anybody in the world can download the photo, but only members of the same foreign state-sponsored group know how to extract the encrypted message and how to decrypt it.


What can we do?

Corporate security and acceptable use policies, that detail what employees are authorized to do within the corporate environment, can always help and must be in the first line of defense. Awareness training for all employees, that explains the reasons they have to respect policies and includes the modus operandi and risks of steganography attacks is of paramount importance.

User policies explain what is prohibited, and they provide an organization with the legal means to punish or prosecute violators.

We must clearly explain in policies that every line of code or piece of software that is not approved, is strictly prohibited. In this way, we will avoid most of the following:

- anti-forensics tools (used to thwart digital forensic investigations, like drive wiping tools, cache and history erasers, file property and time alternators, VPNs, e-mail, and chat log erasers),

- encryption or steganography tools (there are over 1,000 free steganography tools online, most of them very dangerous for everybody that downloads the "free" tool, or even visits these websites. In some websites we read: "This application does not require installation. You can copy the program files to an external data device, so as to run it on any computer you can get your hands on, with just a click of the button. It is not adding new items to the Windows registry or hard drive without your approval, as installers usually do, and it will not leave any traces behind"),

- exploit kits (programs designed to exploit a known vulnerability in a piece of software or online resource. They are often distributed as a package, which will enable attackers with limited knowledge to launch a sophisticated attacks),

- toolkits (that enable unsophisticated users to construct new malware applications, sometimes not detectable by standard signature-based virus scanning engines),

- keyloggers (designed to covertly monitor keystrokes on a device. Once a device has been compromised, all keystrokes, including passwords, can be monitored, and recorded),

- password cracking tools (designed to break password-protected files and accounts),

- sniffers (that capture and analyze network traffic. Many protocols, including FTP and chat, are not encrypted. These programs obtain cleartext information, and also collect packets that can be used to crack network passwords and find protected files, servers, and user accounts),

- spyware tools (for industrial espionage, unauthorized monitoring, and collection of proprietary data),

- piracy tools (that allow users to bypass copyright protection in various forms of media, making illegal copies, and saving to a storage medium).

There are unlimited methods of steganography, only imagination is the limit. We usually learn about encrypted messages hidden in large files (images, sound files, videos etc.), and nothing more. Although steganography is usually considered a technical problem, it is not. It is also a business intelligence (or just intelligence) problem. If we do not know where to look for hidden messages, it is very unlikely to find them. Only the cooperation of the public and the private sector can protect against these security threats.


Target Audience

The program is beneficial to the Board of Directors and the CEO.


Duration

One hour to half day, depending on the needs, the content of the program and the case studies.


Delivery format of the training program

a. In-House Instructor-Led Training,
b. Online Live Training, or
c. Video-Recorded Training.


Instructor

Our instructors are working professionals that have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html



B8. Cyber Proxies and the role of the Board.


Overview

The word proxy is interesting. In Latin, procuro means manage, administer - from pro (“on behalf of”) and curo (“I care for”).

Today a proxy is a person or entity who is authorized to act on behalf of another person or entity.

Countries expand their global intelligence footprint to better support their growing political, economic, and security interests around the world, increasingly challenging existing alliances and partnerships. They employ an array of tools, especially influence campaigns, to advance their interests or undermine the interests of other countries. They turn a power vacuum into an opportunity.

Countries use proxies (state-sponsored groups, organizations, organized crime, etc.) as a way to accomplish national objectives while limiting cost, reducing the risk of direct conflict, and maintaining plausible deniability.

With plausible deniability, even if the target country is able to attribute an attack to an actor, it is unable to provide evidence that a link exists between the actor and the country that sponsors the attack.

According to Tim Maurer, proxy is an intermediary that conducts or directly contributes to an offensive cyber operation that is enabled knowingly, actively or passively, by a beneficiary who gains advantage from its effect.

Cyber proxies are valuable actors in political warfare. This is the employment of military, intelligence, diplomatic, financial, and other means, short of conventional war, to achieve national objectives. It encompasses the exploitation of computer networks and platforms, electronic warfare, psychological operations, and information operations.

For some countries, the main battlespace is the mind. With information and psychological warfare, these countries can morally and psychologically depress the enemy’s armed forces personnel and civil population.

In 2019, the United States spent $732 billion on defense, compared to Russia’s $65.1 billion. It is obvious that Russia and other countries in similar position will try to find less expensive means to counter big, expensive U.S. weapons and systems. Cyber espionage is especially economical when countries conduct activities through proxies.

Countries actively create fertile grounds for malicious activities to occur. Cyber actors (which include cyber criminals, hacktivists, and political, economic and religious groups) are continually operating from within the sphere of influence of the sponsoring country with the understanding that their illegal activities will be tolerated, as soon as they will also support the objectives of the sponsoring country.

As John Carlin, former Assistant U.S. Attorney General for National Security has stated, what you’re seeing is the world’s most sophisticated intelligence operations when it comes to cyber espionage, using the criminal groups for their intelligence ends, and protecting them from law enforcement.

Cyber threats posed by cyber proxies must be managed, and the laws must be changed in this area. Publicly attributing malicious cyber activity to a country in a timely manner and holding that country accountable is difficult, but necessary. If international law is unable to solve these problems, national policies will ignore international law and confront cyber adversaries through rapid attribution and offensive countermeasures, to deter future aggression.


COVID-19 and cyber proxies

The COVID-19 pandemic has disrupted life worldwide, with far-reaching effects that extend well beyond global health to the economic, political, and security spheres. The economic and political implications of the pandemic will ripple through the world for years. It is raising geopolitical tensions, and many countries try to take advantage of the situation and increase their influence.

The economic fallout from the pandemic is likely to create or worsen instability in many countries, as people face challenges that include economic downturns, job losses, and disrupted supply chains. Some hard-hit developing countries are experiencing financial and humanitarian crises, increasing the risk of surges in migration, collapsed governments, or internal conflict.

The COVID-19 pandemic is prompting shifts in security priorities for countries around the world. As the public and the private sectors try to cut budgets, gaps are emerging in training and risk management. These gaps are likely to grow.

Cyber proxies consider the Covid-19 pandemic a major opportunity to spread a cyber pandemic and infodemics (disinformation campaigns that use the pandemic as a vector). They can influence citizens around the world to question the policies in many countries and divide the population. They can also attack the health care sector and the institutions involved in the management of the crisis, to make governments weaker in responding to the crisis.

Cyber proxies love the new "work from home" policies, and the exponential digitalization of our lives for work, education, communication and entertainment. Moving activities online creates new opportunities for malicious actors.


Target Audience

The program is beneficial to the Board of Directors and the CEO.


Duration

One hour to half day, depending on the needs, the content of the program and the case studies.


Delivery format of the training program

a. In-House Instructor-Led Training,
b. Online Live Training, or
c. Video-Recorded Training.


Instructor

Our instructors are working professionals that have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html


Cyber Risk GmbH, some of our clients