Infosecurity

Cyber-Insurance: Why It’s Not as Simple as Insuring Sheep

The Tangible World: Insuring What You Can Count

Picture a farmer in a rolling green field. Their assets—sheep—are countable, weighable, and have a clear market value. When they apply for insurance, the process is grounded in known quantities. The farmer declares 200 sheep, each valued at £150. The insurer calculates the risk of theft or loss based on local crime statistics and the farm’s security measures.

If disaster strikes, the claim is straightforward. The loss is verified against the policy’s terms. Compensation is a direct financial replacement for a tangible, quantifiable asset. This model works for homes, cars, and livestock. The risk is calculated on a foundation of knowns: the asset’s value and the probability of a finite set of bad events.

It’s a system of predictable economics. But what happens when the asset isn’t woolly and grazing, but digital and constantly evolving?

The Digital Quagmire: Insuring the Unknown

Cyber-insurance operates in a different universe. Here, the ‘sheep’ are data flows, network access points, and software vulnerabilities. Their number and value are nebulous. What’s the financial value of a customer database? How do you quantify the risk of a zero-day exploit that hasn’t been invented yet?

The application process can be surprisingly lax. One security professional recounts their shock when an insurer quickly approved a policy despite disclosures of past malware infections and even a network breach. The assessment felt like a superficial tick-box exercise, not a deep dive into real resilience.

This creates a dangerous illusion. A business might pay a premium believing it has ‘robust cover,’ but the policy is built on shaky assumptions. The insurer may have drastically underestimated the organization’s digital exposure. When a claim arises, that gap between perception and reality becomes painfully expensive.

When Coverage Falls Short: The Impact of a Breach

Consider high-profile breaches like Sony or Ashley Madison. These were catastrophic, sprawling events that affected millions. For some companies, the total costs—forensics, legal fees, regulatory fines, customer restitution, and reputational damage—exhausted their insurance limits.

The policy’s ‘deep pockets’ weren’t deep enough. The breach manifested in ways the original risk calculation never anticipated. This isn’t to say cyber-insurance is worthless. It’s a critical financial backstop. The warning is that it cannot be your first and only line of defence.

Relying solely on insurance for cyber-risk is like a farmer buying a policy but leaving the gate wide open every night. The financial remedy exists, but the preventable loss was never addressed.

A Pragmatic Path Forward

So, what’s a responsible approach? Don’t abandon cyber-insurance. Scrutinize it. Before you apply, conduct your own assessment. Look for a company of similar size and profile that suffered a breach. Research the total costs they incurred—not just the immediate tech fix, but the long-tail of legal and customer costs.

Use that figure as a baseline. Add a significant contingency, perhaps 20% or more, to account for the unpredictable nature of digital disasters. Present this semi-informed estimate to insurers and see what coverage they offer at what price.

The quote might be a wake-up call. That premium could be reinvested into stronger security controls—better ‘fences’ for your digital flock. The goal is to use insurance as part of a strategy, not as the strategy itself. Because in cyberspace, you can’t always count your sheep before they’re hacked.

OASIS Summer Event Highlights: Red Teaming, Scorecarding, and Endpoint Security Insights

This week, the Ham Yard Hotel in London became the hub for cybersecurity thought leaders as the OASIS summer event unfolded. Industry experts gathered to dissect pressing topics, with a particular focus on endpoint security, Red Teaming strategies, and the growing importance of cybersecurity scorecards. The discussions offered actionable insights for organizations striving to stay ahead of evolving threats.

Red Teaming: Beyond Technical Vulnerabilities

Mark Nicholls, principal security consultant at Context, kicked off the presentations by exploring the nuances of Red Team testing. He emphasized that this approach evaluates the entire organization, not just its technology. “Red Team testing can mean different things to different people,” Nicholls explained. “Ultimately, we’re testing the whole business and processes—attacking systems, people, and workflows to triage issues by severity.”

However, he noted that Red Teams often uncover non-technical problems, such as inadequate phishing training. “Our approach balances depth versus breadth,” he added. “We target people, processes, and technology, assessing an organization’s ability to detect and respond to an attack.” This holistic perspective helps companies strengthen their defenses from all angles.

Building a Cybersecurity Scorecard: A Proactive Approach

Next, Chris Strand, senior director of compliance and governance at Carbon Black, addressed the challenge of measuring security posture amid shifting regulations. With GDPR enforcement looming in 2018, Strand argued that a cybersecurity scorecard is essential. “No matter your role—board member, CISO, or analyst—regulations affect you,” he said. “Every security incident triggers new policies or stricter standards.”

Strand outlined nine steps for creating an effective scorecard, from defining business objectives to reporting critical controls. “Scorecarding reduces liability and provides security assurance, not insurance,” he stressed. “Assurance is proactive; insurance is reactive.” This framework helps organizations present complex security data in a clear, actionable format.

Key Components of a Risk Scorecard

Strand’s nine-step process includes identifying stakeholders, applying a framework like NIST, and enforcing policies. By collecting data based on these policies, companies can report on critical security controls. This structured approach ensures that security efforts align with business goals and regulatory demands.

Endpoint Security: The Persistent Weakness

Adam Bridge, senior intrusion analyst at Context, closed the event with a sobering look at how breaches occur. He highlighted that most companies learn of compromises through third parties—such as banks or ransomware messages—rather than internal detection. Phishing attacks remain the top vector, followed by drive-by downloads and malvertising.

Bridge lamented that organizations still neglect endpoint security. “Defenders are improving, but things remain pretty bad,” he said. “Companies invest heavily in network perimeter defenses but forget the endpoint.” Relying solely on firewalls and antivirus leaves organizations vulnerable. “Endpoint protection complements other technologies; it doesn’t replace them,” Bridge concluded. Without it, businesses lack a critical layer of defense.

Fansmitter: The Malware That Turns Cooling Fans into Data Leak Tools

Imagine a computer that is physically disconnected from the internet, with no Wi-Fi, no Bluetooth, and no speakers. It seems impenetrable, right? Not anymore. A new breed of malware called Fansmitter has proven that even air-gapped systems can be compromised—using something as mundane as cooling fans. Developed by researchers at Ben-Gurion University of the Negev in Israel, this malware exploits the vibrations of internal fans to leak sensitive data. This discovery challenges the long-held belief that air-gapping offers foolproof security.

How Fansmitter Malware Works on Air-Gapped Computers

Fansmitter does not rely on network connections or speakers. Instead, it manipulates the speed of a computer’s cooling fan to generate acoustic tones. These tones encode binary data—ones and zeros—by varying the fan’s revolutions per minute (RPM). A receiving device, such as a smartphone or another computer with a microphone, picks up these sounds and decodes the information.

In the researchers’ test, they installed Fansmitter on a desktop computer and a nearby Samsung Galaxy S4 smartphone. The malware successfully transmitted data from the air-gapped machine to the phone, which then relayed it via SMS. The channel is hard to close because cooling fans are essential to the hardware; removing them would cause overheating and system failure.

Why Fansmitter Undermines Traditional Air-Gap Security

Air-gapping has been a cornerstone of cybersecurity for decades, especially in government and military settings. The idea is simple: if a computer is not connected to any network, it cannot be hacked remotely. However, Fansmitter shows that physical isolation is not enough. Previous research demonstrated data leaks via ultrasonic signals from speakers, but removing speakers was an easy fix. Fans, on the other hand, are non-negotiable components.

This means that any device with a cooling fan—laptops, desktops, servers, embedded systems, and even IoT devices—is potentially vulnerable. The attack requires both the transmitter and receiver to be infected, but that is not as difficult as it sounds. Infection can occur via a compromised USB drive or other removable media, similar to how Stuxnet infiltrated Iranian nuclear facilities.

Limitations and Real-World Feasibility

Fansmitter is not a fast channel. Its transmission speed is a mere 900 bits per hour, or about 15 bits per minute. That is painfully slow for large files, but it is more than enough to steal small chunks of data like passwords, encryption keys, or login credentials. Once obtained, these can be used in follow-up attacks to access larger datasets.

Additionally, the acoustic tones are audible to the human ear, so an attack would likely occur after hours when offices are empty. However, the receiving device does not have to be a smartphone; any device with a microphone within zero to eight meters can serve as a receiver. This includes another computer in the same room, making the attack more versatile than initially thought.

Implications for Cybersecurity and Future Mitigations

The development of Fansmitter malware serves as a wake-up call for cybersecurity professionals. It highlights the need for layered defenses that go beyond air-gapping. Organizations that rely on isolated systems must consider additional measures, such as monitoring fan RPM for anomalies, using acoustic dampening materials, or implementing strict physical access controls.
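As an added example, not part of the article or of the Ben-Gurion researchers' work, the heuristic below illustrates the "monitor fan RPM for anomalies" mitigation: it flags a window in which fan speed toggles up and down repeatedly while CPU temperature stays flat, which a genuine thermal response would not do. The sensor log is constructed, and the 4-second toggle period is derived from the article's 15 bits per minute figure.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Sample:
    t: float        # seconds since the log started
    rpm: int        # fan speed reported by the board's sensor
    temp_c: float   # CPU temperature read at the same moment

def count_flips(samples: List[Sample], min_jump: int = 300) -> int:
    """Count RPM jumps of at least min_jump that reverse the previous direction.

    A thermal ramp moves one way; a bit stream keyed on fan speed toggles.
    """
    flips, last_dir = 0, 0
    for a, b in zip(samples, samples[1:]):
        delta = b.rpm - a.rpm
        if abs(delta) < min_jump:
            continue
        direction = 1 if delta > 0 else -1
        if last_dir and direction != last_dir:
            flips += 1
        last_dir = direction
    return flips

def flag_windows(samples: List[Sample], window_s: float = 60.0, min_flips: int = 6,
                 max_temp_drift: float = 2.0, min_jump: int = 300) -> List[float]:
    """Return start times of windows where the fan toggles while temperature is flat."""
    flagged: List[float] = []
    if not samples:
        return flagged
    t0, end = samples[0].t, samples[-1].t
    while t0 <= end:
        win = [s for s in samples if t0 <= s.t < t0 + window_s]
        if len(win) >= 2:
            drift = max(s.temp_c for s in win) - min(s.temp_c for s in win)
            if count_flips(win, min_jump) >= min_flips and drift <= max_temp_drift:
                flagged.append(t0)
        t0 += window_s
    return flagged

def constructed_trace() -> List[Sample]:
    """Constructed 1 Hz sensor log (not real data): idle, keyed fan, then real load."""
    trace: List[Sample] = []
    for t in range(60):            # 0-59 s: idle, fan steady at 1200 RPM
        trace.append(Sample(t, 1200, 45.0 + (t % 2) * 0.5))
    for t in range(60, 120):       # 60-119 s: fan keyed 1200/1800 every 4 s (15 bit/min)
        trace.append(Sample(t, 1800 if (t // 4) % 2 else 1200, 45.0 + (t % 2) * 0.5))
    for t in range(120, 180):      # 120-179 s: CPU heats up and the fan ramps with it
        trace.append(Sample(t, 1200 + (t - 120) * 20, 45.0 + (t - 120) * 0.4))
    return trace

if __name__ == "__main__":
    for start in flag_windows(constructed_trace()):
        print(f"suspicious fan modulation starting at t={start:.0f}s")
```

Only the keyed window is reported; the monotonic ramp under real load produces no direction reversals and a large temperature drift, so it passes.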

As the Internet of Things expands, the attack surface grows. IoT security best practices must now account for unconventional attack vectors like acoustic data leaks. Similarly, critical infrastructure protection strategies should evolve to address these emerging threats.

In conclusion, Fansmitter proves that air-gapping is not a silver bullet. While it remains a valuable security layer, it cannot stand alone. The research from Ben-Gurion University underscores the importance of continuous innovation in defensive strategies. As attackers find new ways to exploit hardware, defenders must stay one step ahead.

The Millennial Cybersecurity Paradox: Digital Natives, Security Risks

Millennials and Cybersecurity Risks: The Digital Native Dilemma

Every generation reshapes the workplace in its own image. Millennials, now the largest demographic in the workforce, bring extraordinary digital fluency. Yet this technological comfort zone comes with a hidden cost: a troubling disregard for cybersecurity risk that can leave organizations vulnerable. How did the generation that grew up with smartphones become such a significant security liability?

The Digital Native Paradox: Tech-Savvy Yet Security-Naive

Millennials have never known a world without the internet. They navigate apps, cloud services, and social media with instinctive ease. But this very familiarity breeds complacency. Unlike older generations who approached technology with caution, millennials often skip basic security precautions. They reuse passwords across multiple accounts, accept social media friend requests from strangers, and actively seek workarounds to security protocols.

Research underscores this pattern. A Software Advice survey found millennials are the worst offenders when it comes to password reuse and accepting unknown social media invitations. Another study by Equifax revealed that millennials are nearly twice as likely to store sensitive data like PINs and passwords on mobile devices compared to other age groups. These behaviors represent more than personal habits—they are organizational vulnerabilities waiting to be exploited.

BYOD Culture and the Laptop Cafe Phenomenon

One of the most visible manifestations of the cybersecurity risk millennials pose is the Bring Your Own Device (BYOD) culture. Millennials expect to connect their personal laptops, tablets, and smartphones to corporate networks without hesitation. They see nothing wrong with logging into work systems from an unsecured WiFi hotspot in a coffee shop. This “laptop cafe phenomenon” has become so widespread that sitting in a London cafe without a laptop now feels unusual.

The problem lies in the mindset. Millennials rarely question the security of public networks or consider the implications of connecting personal devices to corporate infrastructure. For them, technology is a seamless tool, not a potential threat vector. This trust-based approach clashes directly with enterprise security needs, creating gaps that cybercriminals can exploit.

The Culture of ‘Accept’: Terms and Conditions Ignored

Another troubling trend is the “culture of accept.” Most millennials download mobile apps and update software without reading the terms and conditions. They click ‘accept’ automatically, bypassing crucial security information. This behavior extends beyond apps. Recently, a digital contract arrived with a prominent ‘sign’ button that bypassed the document’s content entirely—assuming the user would not read the fine print. The contract came from a millennial.

This casual approach to consent and privacy reflects a deeper issue: millennials often lack awareness of the risks embedded in digital agreements. They prioritize convenience over caution, a habit that can lead to unintended data exposure or legal liabilities.

Why Education, Policy, and Technology Must Converge

Addressing the cybersecurity risks associated with millennials requires a multi-pronged strategy. Technology alone cannot solve the problem. Organizations must combine education, formal policies, and user-friendly technology to create a security-conscious culture.

Cybersecurity Education Programs

Ideally, digital security skills would be taught in schools. But the digital landscape has evolved faster than curricula. The responsibility now falls on employers. A robust cybersecurity education program is essential. Training should cover password hygiene, recognizing phishing attempts, and safe use of public WiFi. Interactive workshops and real-world scenarios can make the lessons stick.

Clear Security Policies and Enforcement

Formal policies must address BYOD, remote work, and software downloads. Employees should understand their obligations regarding data protection before they start work. Regular device reviews by the IT department can ensure compliance. Policies should be communicated clearly and reinforced periodically. A written handbook is not enough—millennials respond better to visual, engaging formats.

User-Friendly Security Technology

Technology must take the burden of trust away from users without compromising their experience or privacy. Solutions that deny access based on suspicious behavior, or that protect data in transit, can help maintain control. To prevent millennials from finding workarounds, security tools must be intuitive and seamless. Data loss prevention systems that separate personal and corporate data are particularly effective.

The Urgency of GDPR Compliance and Future Readiness

The millennial generation is now a dominant force in the workforce. With data breaches on the rise and the EU General Data Protection Regulation (GDPR) imposing fines of up to 4% of global annual turnover, organizations cannot afford to ignore the cybersecurity risks millennials pose. The clock is ticking. Companies must adapt quickly or face severe financial and reputational consequences.

Millennials are not inherently a threat—they are an engaged, motivated workforce that wants meaningful work. With the right education, policies, and technology, they can become your strongest security asset. The key is to transform their digital confidence into digital responsibility, turning a potential liability into a competitive advantage.
