Robin’s Newsletter #192

20 February 2022. Volume 5, Issue 8
DDoS attacks on Ukraine MoD and banks. French signal jamming. New version of 27002 security control framework.
Join hundreds of subscribers who get this first, every Sunday. Subscribe

Fancy a new job? I’m hiring for two roles at Cydea! Both are UK-based remote positions, with some occasional domestic travel. More info on the roles and benefits at the links below:

If you like the idea of positive security and want to work for an innovative, growing cyber consultancy, I’d love to receive your application!

And if you know anyone who you think would be a good fit please send them over to our careers page for more info on the roles and what it’s like to work for Cydea :-)

This week

New version of ISO 27002 security controls

Perhaps not the most exciting news, but hopefully useful for you…

The ISO 27002 standard provides a reference “for determining and implementing controls for information security risk treatment”. Many organisations use it as part of risk management processes to identify and report on security controls present within their environments.

The main changes are in the structure and taxonomy of controls under four main categories:

  • people, if they concern individual people
  • physical, if they concern physical objects
  • technological, if they concern technology
  • organisational, for everything else

Controls also have five attributes that will make cross-reference much easier:

  • Type (Preventive, Detective and Corrective)
  • Properties (Confidentiality, Integrity and Availability)
  • Concepts (Identify, Protect, Detect, Respond and Recover — ie. The NIST Cybersecurity Framework categories)
  • Operational capabilities (15 ‘practitioners’ perspectives’ of infosec capabilities)
  • Security domains (Governance_and_Ecosystem, Protection, Defence and Resilience)

The controls themselves have been updated, some merged or deleted and some new ones to reflect the greater focus on response, resilience and cloud in 2022, versus the previous version that was published almost a decade ago in 2013.

My initial reaction is that it will make the standard much more useful for users. The attributes, in particular, will help practitioners to quickly check if they have a balance, or over-reliance on any one type of control (for example preventive, rather than detective).

The first parts of the document, and its headings, are available on the ISO website, though you’ll have to fork out CHF 198 to licence the full thing.

PS, if you’re looking to map between the old and new versions, Annex B at the back of the document has a ‘correspondence table’ mapping the old 2013 identifiers to new 2022 ones.

Interesting stats

130% growth in price cyber insurance cover in the US, and 92% growth in the UK, in the fourth quarter of 2021, according to Marsh

$4,600 average asking price by Initial Access Brokers (IAB) for unauthorised access to company networks, according to KELA

1,483 companies are active in the UK providing cyber security services (+21% over 2020 figures), with  46,683 ‘full time equivalents’ (FTEs) being employed by these companies, and generating  £8.9 billion estimated revenue in 2021, up 7% on 2020, according to UK government figures (PDF)

Other newsy bits 

Ukraine’s Ministry of Defense and two banks were taken offline by DDoS attacks

The website of Ukraine’s defence ministry was taken offline by a significant distributed denial of service (DDoS) attack on Thursday. Two banks were also knocked offline, with some ATM services being unavailable and a website being defaced to say ‘WAF is watching you’.

DDoS attacks are often used as a cover and diversionary tactic away from more covert attempts to compromise systems and gain access to networks. The Kremlin has denied it was behind the attacks, which Ukraine’s deputy prime minister said were ‘the largest’ seen by the country.

As the number of attacks in the region increases, concerns remain about fallout and collateral damage, with former NCSC chief Ciaran Martin reminding The Guardian that NotPetya is widely attributed to a previous Russian cyberattack on Ukraine that spiralled out of control.

“If Russia escalates against Ukraine, there’s the risk of another NotPetya-style accident. After all, NotPetya, perhaps the most economically damaging cyber-attack of all time, was the accidental fallout against the west of the Russians hacking Ukraine.” — Ciaran Martin

They serve as an example of ‘hybrid warfare’ tactics, where such attacks and disruption can just be part of broader efforts to destabilise and distract. Damage doesn’t have to be physical, as Esther Naylor from Chatham House points out: “[The goal of these attacks] is to cause panic, and to make people think what might come next.”

“Fraud is the new dope”

Thomas Brewster has a write up on Forbes about the shift of street gangs in Miami away from the ‘risky’ narcotics business to identity theft and fraud to support lavish lifestyles.

”How many ounces of cocaine would you have to sell, bought at a wholesale price and then sold at retail, to make that profit, when you can put a [fake] business together and the government is going to send you $3 million to $4 million?” — Dan Lipskey, Kroll

In brief

Threat intel

  • Proofpoint says a group, dubbed TA2541, has been relentlessly targeting employees in the aviation, aerospace and transportation sectors with phishing emails leading to remote access trojans
  • Google Threat Horizons report says Google Cloud are counting to see 400,000 scans a day for Log4J systems vulnerable to Log4Shell (PDF)
  • US CISA advisory on preventing Russian state-sponsored attacks against defence contractors recommends enabling multi-factor authentication, in addition to strong passwords, and enabling Microsoft 365 ‘Unified Audit Logs’ and rolling out an EDR solution
  • The FBI says business email compromise (BEC) scammers are increasingly using video call and virtual meeting platforms to impersonate CEOs and CFOs, as part of their attacks, to direct employees to transfer funds, in the same vein…
  • MS Teams accounts are being compromised and used to distribute trojan documents to compromise organisations


  • WordPress force-updated millions of websites running the UpdraftPlus plugin this week to address a vulnerability in the plugin

Cyber defence

  • Kali Linux 2022.1 released
  • CISA has released a list of free cyber security services and tools to help critical infrastructure providers protect their organisations. This is a really useful, consolidated list

Security engineering

  • AWS’ CodeGuru code scanner now has detectors for Log4Shell vulnerabilities in Java and Python code
  • Microsoft has a blog post on ‘ice phishing’ on the blockchain, and what can be done to improve Web3 smart contracts

Internet of Things

  • The US National Institute of Standards and Technology (NIST) is considering what ‘security labels’ for Internet of Things (IoT) devices might need to look like


  • California to introduce ‘age-appropriate design code’ to restrict the data big tech companies can collect on children and regulate the use of behavioural nudges to get them to weaken privacy safeguards
  • Clearview AI is seeking $50 million funding to collect 100 billion images by the end of the year and lobby for ‘favourable regulation’, which it says will be enough to identify almost anyone on the planet

Public policy

  • India to issue outsourcing guidelines to its financial services sector after concerns that this “[exposes] them to significant financial, operational and repetitional risks”
  • US Open App Markets Act presents an opportunity to introduce choice, while also requiring app stores to implement appropriate security and vetting processes


  • The European Data Protection Supervisor (EDPS) has called for a “ban on the development and deployment of spyware with the capability of [NSO Group’s] Pegasus in the EU”

Law enforcement

  • In a victory for common sense, the journalist that reported a flaw exposing teacher’s social security numbers in the source code of a Missouri state website (vol. 4, iss. 42) will not face charges, though Governor Mike Parson’s office insists that the law was broken  The FBI is launching the Virtual Asset Exploitation Team (VAXU) that will be dedicated to tracking cryptocurrency crimes and ransomware profits

Mergers, acquisitions and investments

Probably more threat intel, but seeing as the criminal ecosystem is maturing, perhaps this is M&A news?

 - Conti ransomware gang has ‘acquired’ the team behind TrickBot malware and is focusing development on a new, stealthier alternative BazarBackdoor, to provide a stream of compromised organisations to exploit, according to AdvIntel

And finally

Messanges jammed

A father in the southwestern French town of Messanges faces up to six months in jail and a fine of up to €30,000 for using a signal jammer to keep his teenage children from accessing the internet.

His solution was a little too effective, with him inadvertently blocking mobile phone signals to the rest of the town between midnight and 3:00 am every day, leading to an investigation by Agence Nationale des Fréquences (ANFR).


  Robin's Newsletter - Volume 5

  ISO 27002 Control framework Russia Ukraine Distributed Denial of Service (DDoS) Signal jamming Security labels Organised crime Identity theft Fraud