CS1705
Computing Security<br />
Secure systems, secure data, secure people, secure business<br />
NEWS<br />
OPINION<br />
INDUSTRY<br />
COMMENT<br />
CASE STUDIES<br />
PRODUCT REVIEWS<br />
New encryption in use technology ELIMINATES MASS DATA BREACHES<br />
Panoptex Technologies releases its groundbreaking Olfactex Solution<br />
Computing Security May/June 2017<br />
PANOPTEX CTO INTERVIEW PG 12<br />
comment<br />
CYBER ATTACKS DENT BUSINESS GROWTH<br />
Should we be surprised by the news that one in five businesses have fallen victim to cyber attacks in the past year - or is this now almost a given? Either way, it is of deep concern as attacks are ramped up in intensity and sophistication.<br />
A survey carried out of more than 1,200 businesses across the UK by the British Chambers of Commerce (BCC) has come up with the findings, at the same time reporting that big businesses are far more likely than their smaller counterparts to be victims of attacks (a total of 42% of companies with more than 100 staff, compared to 18% of companies with fewer than 99 employees).<br />
The results of the survey indicate that businesses are most reliant on IT providers (63%) to resolve issues after an attack, compared to banks and financial institutions (12%) or police and law enforcement (2%).<br />
Particularly worrying is the finding that 21% of businesses believe the threat of cybercrime is preventing their company from growing. The survey also shows:<br />
• Only a quarter (24%) of businesses have cyber security accreditations in place<br />
• Smaller businesses are far less likely to have accreditation (10% of sole traders and 15% of those with 1-4 employees) than big businesses (47% with more than 100 employees)<br />
• Of the businesses that do have accreditations, 49% believe it gives their business a competitive advantage over rival companies, and 33% consider it important in creating a more secure environment when trading with other businesses<br />
• From May 2018, all businesses who use personal data will have to ensure they are compliant with the new General Data Protection Regulation (GDPR) legislation (see page 22)<br />
Reacting to the findings, Dr Adam Marshall, director general of the British Chambers of Commerce, had this to say: "Firms need to be proactive about protecting themselves from cyber attacks. Accreditations can help businesses assess their own IT infrastructure, defend against cyber security breaches and mitigate the damage caused by an attack. It can also increase confidence among the businesses and clients who they engage with online. Companies are reporting a reliance on IT support providers to resolve cyber-attacks. More guidance from government and police about where and how to report attacks would provide businesses with a clear path to follow in the event of a cyber-security breach, and increase clarity around the response options available to victims, which would help minimise the occurrence of cybercrime."<br />
GDPR will, hopefully, concentrate people's minds, although protecting your business and all who engage with it should surely be a given, without the strictures of compliance.<br />
EDITOR: Brian Wall<br />
(brian.wall@btc.co.uk)<br />
PRODUCTION: Abby Penn<br />
(abby.penn@btc.co.uk)<br />
LAYOUT/DESIGN: Ian Collis<br />
(ian.collis@btc.co.uk)<br />
SALES:<br />
Edward O’Connor<br />
(edward.oconnor@btc.co.uk)<br />
+ 44 (0)1689 616 000<br />
PUBLISHER: John Jageurs<br />
(john.jageurs@btc.co.uk)<br />
Published by Barrow & Thompkins<br />
Connexions Ltd (BTC)<br />
35 Station Square,<br />
Petts Wood, Kent, BR5 1LZ<br />
Tel: +44 (0)1689 616 000<br />
Fax: +44 (0)1689 82 66 22<br />
SUBSCRIPTIONS:<br />
UK: £35/year, £60/two years,<br />
£80/three years;<br />
Europe: £48/year, £85/two years,<br />
£127/three years<br />
R.O.W: £62/year, £115/two years,<br />
£168/three years<br />
Single copies can be bought for<br />
£8.50 (includes postage & packaging).<br />
Published 6 times a year.<br />
© 2017 Barrow & Thompkins<br />
Connexions Ltd. All rights reserved.<br />
No part of the magazine may be<br />
reproduced without prior consent,<br />
in writing, from the publisher.<br />
Brian Wall<br />
Editor<br />
Computing Security<br />
brian.wall@btc.co.uk<br />
www.computingsecurity.co.uk May/June 2017 computing security<br />
@CSMagAndAwards<br />
3
CONTENTS<br />
COMMENT 3<br />
Cyber attacks soar across the UK<br />
EDITOR'S FOCUS 5<br />
The massive cyber attack that crippled the NHS could have been readily avoided<br />
ARTICLES<br />
CAN PRIVACY BE PROTECTED? 6<br />
The NHS breach, plus revelations over CIA hacking methods, have cast a long shadow over how to keep data safe and secure<br />
NOWHERE TO HIDE 8<br />
With email under constant attack, what is the best way to protect your organisation's communications? How do you keep your data vital and easily accessible to you and yours, yet useless to anyone out to access/steal it?<br />
DATA BREACHES ELIMINATED 12<br />
Panoptex Technologies is making waves by providing a powerful industry first<br />
THE DOUBLE-EDGED SWORD 14<br />
Encryption plays a vital role in protecting valuable information from being stolen or altered. But it can be used by your enemies just as readily<br />
SHOW TIME ONCE AGAIN 18<br />
Infosecurity Europe 2017 is not far off now - and it's the right place to be!<br />
THE CLOCK IS TICKING 22<br />
With the new European General Data Protection Regulations soon due to become law, many businesses will need to look closely at how they protect their data throughout the course of its lifecycle<br />
AFTER THE FLOOD 26<br />
With mobile devices now in their multibillions globally, and more and more applications flooding the market, the need for mobile monitoring and device management has never been greater or more urgent<br />
REAL PRICE OF SECURITY 29<br />
Making purchasing decisions for security solutions that are based on quality is vital<br />
PRESSURE MOUNTS ON ISPS 30<br />
More and more security professionals are demanding additional help from their ISPs to block DDoS traffic before it hurts them<br />
MANY HAPPY RETURNS! 31<br />
Recalls happen, but handled right they can be turned into a positive experience<br />
HEAVEN SCENT? 32<br />
Two new 'fragrances' have been released by Kaspersky that have that certain whiff of danger about them<br />
REVIEWS<br />
• Acunetix 11 20<br />
• Aegis Secure Key 3z 34<br />
NHS breach<br />
OBSOLETE SOFTWARE LEFT NHS TRUSTS WIDE OPEN<br />
THE MASSIVE CYBER ATTACK THAT CRIPPLED THE NHS COULD - AND SHOULD - HAVE BEEN AVOIDED<br />
Almost all NHS trusts were using an obsolete version of Windows for which Microsoft had stopped providing security updates in 2014. This left them at the mercy of the kind of attack that crippled a swathe of hospitals across the UK. The perilous state to which the trusts were exposed was revealed less than six months ago, but there was a widespread failure to act on that warning.<br />
A statement from Microsoft president and chief legal officer Brad Smith has criticised the way governments store up information about security flaws in computer systems. "We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world," he commented. The global ransomware attack used hacking tools widely believed to have been developed by the US National Security Agency, causing chaos across the NHS, but also infecting computers in what is thought to have been nearly 100 countries. "The governments of the world should treat this attack as a wake-up call," he warned.<br />
Microsoft also pointed out that many organisations had failed to keep their systems up to date, allowing the virus to spread. The software giant had released a Windows security update in March to tackle the problem that lay at the core of the latest attack, but many users were yet to run it. "As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats, unless they update their systems," added Smith.<br />
According to IS Decisions, which recently conducted research into the poor state of IT security in healthcare:<br />
• 39% of healthcare workers do not receive IT training<br />
• 37% do not have unique logins<br />
• Only 38% of healthcare organisations enforce the use of secure passwords<br />
• 29% of healthcare workers are not required to log in to a network to access files and folders<br />
• Only 63% of healthcare organisations have a documented security policy<br />
• Less than half (48%) of healthcare organisations offer ongoing security training to employees<br />
• Only 27% of healthcare workers believe senior management takes enough responsibility for IT security<br />
• 75% of healthcare workers have access to patient data (quite a wide window of opportunity for hackers to exploit).<br />
The stats are from the company's healthcare compliance report, based on a survey of 500 healthcare professionals.<br />
Significantly, Christopher Graham, the information commissioner at The Information Commissioner's Office, said in 2015: "The Health Service holds some of the most sensitive personal information available, but instead of leading the way in how it looks after that information, the NHS is one of the worst performers. This is a major cause for concern." Indeed it is. But will the lesson be grasped and the NHS made secure in the future?<br />
privacy under siege<br />
CAN PRIVACY STILL BE PROTECTED?<br />
THE LATEST DEVASTATING NHS BREACH, PLUS THE WIKILEAKS REVELATIONS ON THE CIA'S HACKING METHODS, HAVE CAST A LONG SHADOW OVER THE RIGHT TO KEEP DATA SAFE AND SECURE<br />
In the largest leak of CIA documents, WikiLeaks recently disclosed the tools that the agency allegedly uses to hack computers, phones and smart TVs around the world.<br />
The agency's apparent ability to compromise Apple and Android smartphones with ease is especially troubling, since spies can access private information through these devices, including photos, emails, texts and videos. Further, a program called Weeping Angel even uses Samsung smart TVs as secret listening devices that operate even when the TV is turned off, recording conversations and sending them over the Internet to a covert CIA server.<br />
While it's understandable that governments take advantage of new technologies in their operations, it's also possible that the CIA's newly disclosed hacking methods will cause more harm than benefit. The cyberweapons described include programs that crash a targeted computer or steal passwords, or malware that can record keystrokes on a mobile device without breaking encryption.<br />
VULNERABLE TO ATTACK<br />
"Since it seems that the government deliberately targets smart devices, it is possible their techniques might be exploited by criminals, hackers and also other governments," says Marty P. Kamden, CMO of NordVPN, a Virtual Private Network provider. "Our devices should be made safer, not more vulnerable."<br />
Unfortunately, the decline of digital freedom and the rise of government surveillance is not an isolated incident, but a rising trend. According to Freedom House, Internet freedom has been in decline for six straight years, and there's no sign of it stopping.<br />
Recently, there have been huge Internet liberty crackdowns around the world - such as the introduction of strict data retention laws (e.g. in the UK, Poland etc) and laws attacking communications apps such as WhatsApp and Viber, as well as blocking certain social media sites. "These crackdowns on communications apps and social media sites go hand-in-hand with attempts to limit citizen privacy and increase mass surveillance. For example, Americans fear that the new administration might 'erode cyber privacy', and the UK now has an unprecedented surveillance law that allows for mass hacking, among other things - which could lead to massive data breaches," according to NordVPN.<br />
The good news is that, even though the CIA can access and tinker with people's devices, encryption is out of reach even for government spies. It is highly recommended to use secure privacy tools, such as VPNs, which help hide the user's true location (IP address) and encrypt all the information that is being transferred through the Internet. Such a user becomes impossible to track. NordVPN points to how it helps anonymise browsing the Internet with its modern security protocols and no logs policy. WhatsApp, Signal and Telegram still remain encrypted communication apps, and, for safe emailing, there are such encrypted email service providers as ProtonMail.<br />
It is likely that the CIA will not change its hacking policies and that everyone's privacy will be even more challenged in the future, the company comments. "The only solution for private citizens seems to be taking their online privacy into their own hands."<br />
NordVPN believes that, by taking the right precautions, people can still guard their privacy online. "In addition to using encryption and safe communication apps, Internet users need to be careful not to click on strange emailed links, not to download from unofficial app marketplaces, to always have strong passwords and to be generally cautious when sharing information online."<br />
HEALTH WARNING<br />
All of which would have been excellent advice for the many NHS Trusts across the UK whose systems were so badly hacked recently (see also page 5).<br />
In light of the WannaCry ransomware cyber-attack - which hit more than 150 countries in total - a new report from SolarWinds MSP highlights what it describes as businesses' over-confidence in their cybersecurity defences. The report reveals that 87% of UK and US businesses consider their cybersecurity readiness as robust, despite 71% having reported breaches within the last 12 months. Some 77% of UK and US businesses also revealed that they had suffered a tangible loss as a result, such as monetary impact, operational downtime, legal actions or the loss of a customer or partner.<br />
While Microsoft was quick to announce a new software update to overcome the WannaCry attack, the SolarWinds MSP report shows that, by contrast, businesses are somewhat complacent when it comes to cybersecurity procedures, including in their response to a breach. In fact, for UK businesses, states the company:<br />
• Only 43% of businesses implemented new security technology following a breach<br />
• Only 29% enforce and audit security policies. The rest either only do so occasionally or without controls - or not at all<br />
• Only 13% consider user training as a priority, with the rest reinforcing this at best once a year<br />
• 23% have no mechanism in place for reporting vulnerabilities.<br />
SolarWinds MSP has also calculated that, based on the amount of personally identifiable information typically held by SMBs and enterprises, the typical cost of a single data breach is £59,000 to a UK SMB and £724,000 to an enterprise.<br />
PATCHING SYSTEMS<br />
While it's been universally acknowledged that there's very little hospitals can really do to prevent ransomware and other cyberattacks outright - due to user error and susceptibility to phishing attacks - there's been much conversation around mitigating these types of attacks by patching systems. "Patch early and patch often is good advice," comments Imprivata, "and should always be observed." But it adds the caveat that, when it comes to these types of cyberattacks, patching alone doesn't stop the problem. "It only stops the propagation of the malware."<br />
Why? Because the real source of the problem isn't the systems; it's the users who initially downloaded the malware onto their computers, it states. So, if you have to make the assumption that your systems are going to get compromised, how do you build resiliency around your users? How, as a healthcare industry, do we focus beyond keeping the bad guys out, to keeping our systems running?<br />
"First, and as part of a best-practices systems hardening approach, we've got to manage user-system privileges," advises Imprivata. "The majority of users in clinical settings have full admin rights to their systems. In many cases, admin access is necessary in order for users to access legacy applications. But, if a user can't control software or run software that's not vetted by IT, why should they have admin level privileges? It's too easy for a user in a rush to click on a link and download malware hidden in an attachment."<br />
The company says that it has learned from interaction with its customers that anywhere from 8-28% of users will click on a malicious link in their email. "Phishing exercises and other methods of user education can be helpful tools to prevent user error, but to truly manage user vulnerability, hospital IT teams should adhere to the principle of least privilege," Imprivata cautions. "Take steps to limit admin rights or, at the very least, ensure that machines with admin access can be locked down or quarantined immediately, in the event of a cyber incident."<br />
email security<br />
NOWHERE TO HIDE<br />
WITH EMAIL UNDER CONSTANT ATTACK, WHAT IS THE BEST WAY TO PROTECT YOUR ORGANISATION'S COMMUNICATIONS? HOW DO YOU KEEP YOUR DATA VITAL AND EASILY ACCESSIBLE TO YOU AND YOURS, YET USELESS TO ANYONE OUT TO ACCESS/STEAL IT?<br />
Email is built into almost everything - from phones and tablets to traditional computers to gaming devices, to your car. And yet email was not designed with any privacy or security in mind, making it highly vulnerable to attackers out to infiltrate your systems.<br />
Keeping business email and data secure is none too simple a matter. The security of data depends on its importance, where it is stored, and who can access it. As we learn more about public data breaches, often the case proves to be that attackers have had access to sensitive information for weeks, months or even years. "Over the years, many organisations have failed to protect data and intellectual property," comments Jason Steer, solutions architect, EMEA at Menlo Security. "The struggle to keep track of where it all is, and who does and doesn't have access to it, results in difficulties in ensuring that it is adequately monitored and protected. Email further complicates this, as a lot of sensitive data is stored in inboxes and other folders, perhaps on a laptop, which may not make it into the office for weeks at a time."<br />
SAFETY STEPS<br />
Securing email is not for the fainthearted, he adds. "If you want to go the whole hog, there are a few things that could be done to keep your information safe, including:<br />
• Use of email encryption end to end for important communications (TLS, PGP or S/MIME)<br />
• Use of Data Loss Prevention features to monitor emails with sensitive data that should not be left anyway (this goes back to knowing who has access to what and where)<br />
• End-user training and awareness to ensure employees are aware of things to do and not do. For example, clicking on attachments that emanate from unknown senders, etc.<br />
• Regular backup of devices (ransomware, flavour du jour with attackers, encrypts all data on a device and this can be painful for several months to restore, if you have no backup)."<br />
However, the challenge remains that, despite all these guidelines, most of which are already followed by large organisations, employees will continue to be compromised via email. Why? Because phishing emails both look and seem so authentic.<br />
"Phishers and spammers no longer send tens of millions of the same message anymore, which makes it much harder to detect at the network and ISP level. Indeed, even top level anti-phishing gateway solutions cannot detect them accurately every time," says Steer. "Many of the low-level and professional phish mails are truly unique, like snowflakes, called 'patient 0' in the industry. This means that it is impossible to create a rule to each unique version of every phish mail without slowing down email to such an extent that employees are no longer able to do their job via email."<br />
Anti-phish vendors have to balance being able to detect enough of the bad stuff without blocking too much of the good. This leaves a grey area within which well-targeted phishing mails can safely 'play'. "Herein lies the problem - if my solution catches the majority of bad stuff, then it blocks too much of the good. But if I turn the detection down, then employees get inundated with junk and spam.<br />
"The net result is that bad mails end up in the inbox of an employee. Many employees have been told that their mail has been filtered for potentially unsafe content and assume that they can click on most things. Without thinking or questioning, they assume that security is doing its job. If we layer user education into this, then the employee will remember their training, hopefully."<br />
As Steer points out, attackers will always outsmart defensive layers. "Assume this. Be prepared for bad things to happen via email, because they will. With GDPR & NIS EU legislation being enacted in 2018, the time to start preparing is now."<br />
FIGHTING BACK<br />
According to David Peters, technical director for ANSecurity, the more insidious threats can be readily countered with advanced anti-malware, sandboxing and URL analysis features on most modern email security platforms.<br />
"Correct configuration and deployment of email and messaging security tools is as important as always," he states. "A default 'out of the box' configuration will likely still leave users frustrated with a reasonable amount of spam and CISOs sleepless with the quantity of malicious content still arriving in corporate mailboxes.<br />
"Authenticity can still be a real headache, as in how to stop email spoofing and security of messages during transport. Thankfully, many additions to SMTP have been made, such as the ability to use SSL/TLS for transport security between mail relays and many additional features for verifying authenticity like SPF, DKIM and DMARC."<br />
However, these standards cannot be deployed in isolation, he warns. "Unfortunately, they require correct deployment at both sender and recipient email systems. Rarely are signed SSL certificates deployed on gateways; relying on self-signed or out of the box certs means a recipient cannot verify the authenticity of the sender. Likewise, if a sender email domain has not configured records for SPF or DKIM, a recipient cannot use them to verify the sender."<br />
An equally bad, but common, occurrence is that many organisations do not maintain these records after infrastructure changes, leading to emails becoming incorrectly blocked or quarantined. "In my experience, it's not uncommon to see organisations with SPF or DKIM records that are badly misconfigured."<br />
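As an added example (not code from the article or from ANSecurity), the following Python lints the SPF and DMARC TXT records a sending domain publishes for the misconfigurations described above: duplicated or missing SPF records, a permissive `+all`, more than ten DNS-lookup mechanisms, and a missing or monitor-only DMARC policy. The zone data and domain names are constructed placeholders standing in for live DNS.

```python
"""Lint the SPF and DMARC TXT records a sending domain publishes.

Added example: checks for the record mistakes a recipient gateway will
reject or ignore, using a constructed offline zone instead of live DNS.
"""
from __future__ import annotations

# Constructed sample zone data standing in for DNS TXT lookups.
# Domain names are placeholders, not real organisations.
SAMPLE_TXT = {
    "good.example": [
        "v=spf1 mx include:_spf.mailhost.example -all",
    ],
    "_dmarc.good.example": [
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@good.example",
    ],
    "sloppy.example": [
        "v=spf1 a mx include:_spf.old-host.example ptr +all",
        "v=spf1 include:_spf.new-host.example ~all",   # second record: invalid
    ],
    # no _dmarc.sloppy.example record at all
    "monitor.example": [
        "v=spf1 include:a.example include:b.example include:c.example "
        "include:d.example include:e.example include:f.example "
        "include:g.example include:h.example include:i.example "
        "include:j.example include:k.example -all",
    ],
    "_dmarc.monitor.example": ["v=DMARC1; p=none"],
}

MAX_LOOKUPS = 10   # RFC 7208 section 4.6.4 limit on DNS-lookup terms


def lookup_txt(name: str, zone=SAMPLE_TXT) -> list[str]:
    """Stand-in for a DNS TXT query; returns [] when the name has no records."""
    return zone.get(name.lower(), [])


def counts_as_lookup(term: str) -> bool:
    """True for SPF terms that trigger a DNS lookup during evaluation."""
    body = term.lstrip("+-~?")                       # drop the qualifier
    name = body.split(":")[0].split("/")[0].split("=")[0]
    return name in ("a", "mx", "ptr", "exists", "include", "redirect")


def lint_spf(domain: str, zone=SAMPLE_TXT) -> list[str]:
    findings = []
    spf = [r for r in lookup_txt(domain, zone) if r.lower().startswith("v=spf1")]
    if not spf:
        return [f"{domain}: no SPF record; recipients cannot verify the sender"]
    if len(spf) > 1:
        findings.append(f"{domain}: {len(spf)} SPF records published; "
                        "RFC 7208 requires exactly one, evaluation yields permerror")
    for record in spf:
        terms = record.split()[1:]
        lookups = sum(1 for t in terms if counts_as_lookup(t))
        if lookups > MAX_LOOKUPS:
            findings.append(f"{domain}: {lookups} lookup terms (limit {MAX_LOOKUPS}); "
                            "evaluation yields permerror")
        all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
        if not all_terms:
            findings.append(f"{domain}: no 'all' term; unknown senders are neutral")
        elif all_terms[-1] in ("all", "+all"):
            findings.append(f"{domain}: '+all' authorises every host on the Internet")
        if any(t.lstrip("+-~?").startswith("ptr") for t in terms):
            findings.append(f"{domain}: 'ptr' mechanism is deprecated and slow")
    return findings


def lint_dmarc(domain: str, zone=SAMPLE_TXT) -> list[str]:
    records = [r for r in lookup_txt(f"_dmarc.{domain}", zone)
               if r.lower().startswith("v=dmarc1")]
    if not records:
        return [f"{domain}: no DMARC record; spoofed mail is not rejected"]
    tags = {}
    for part in records[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append(f"{domain}: DMARC p=none only monitors; no enforcement")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"{domain}: DMARC policy missing or invalid: {policy!r}")
    if "rua" not in tags:
        findings.append(f"{domain}: no rua= address; aggregate reports are lost")
    return findings


def lint_domain(domain: str, zone=SAMPLE_TXT) -> list[str]:
    """All SPF and DMARC findings for one domain; [] means nothing to fix."""
    return lint_spf(domain, zone) + lint_dmarc(domain, zone)


if __name__ == "__main__":
    for d in ("good.example", "sloppy.example", "monitor.example"):
        for finding in lint_domain(d) or [f"{d}: OK"]:
            print(finding)
```

Swapping `lookup_txt` for a real resolver turns this into a check that can run against partner domains before a DMARC enforcement policy is switched on.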
There is light at the end of the tunnel, he adds, but email administrators need to collaborate with their security counterparts at their own organisations and with partner companies to ensure all the right boxes are ticked. "Finally, security and access to email is no different to any other private resource, and strong encryption and authentication access methods should be deployed. Administrators should ideally be required to go further with such controls as multifactor authentication, along with the ability to remotely wipe corporate content from mobile devices, should they be stolen or misplaced."<br />
Jason Steer, Menlo Security: securing email is not for the fainthearted.<br />
Sam Elsharif, Echoworx: nothing beats the application of common sense.<br />
LOGICAL SOLUTION<br />
Without protections in place, "email is a postcard, not a sealed letter", cautions Jacob Ginsberg, senior director of products for email encryption software company Echoworx. He says people often don't understand the permanence of data and how it can exist on servers long after they've forgotten about it.<br />
Sam Elsharif, the company's vice president of software development, reiterates how email is one of the most common ways for hackers to infiltrate a company's systems. He also cites the ruse of using phishing scams, sending out emails that appear to come from a legitimate source, asking recipients to click on a link that then directs them to provide credit card or password information.<br />
How do they both believe organisations can protect their email communications? Ginsberg points to how encryption is a logical solution and provides effective protection. And even small and medium size businesses should consider encryption, he says, especially if they deal with data such as intellectual property and customer credit card information.<br />
"There are old holdover misconceptions about encryption - it must be difficult to use, only IT experts can understand it, it slows things down - but those are no longer valid," states Ginsberg. "The tools are simple to use and I encourage encryption."<br />
With encryption, only users and intended recipients can see the data. For added security - and a tool that addresses phishing - users might want to add a digital signature (a coded message associated with a specific person).<br />
Educating staff about email use is critical. Hold regular training, in order to make employees aware of the rules and practices surrounding email, suggests Elsharif. Do your due diligence: research threats and solutions, and review how your organisation stores data, how you email data and how you deal with credit card information. Ensure your company is complying with current regulations.<br />
He also advises organisations to consult more than one vendor, depending on their needs. "Everyone needs firewalls and antivirus software. Do you allow employees to access your network from the outside? You may have to look at a VPN (Virtual Private Network). Don't be afraid to check with multiple providers. No one company can do it all."<br />
The final message is that technology can be effective in mitigating email threats, but it is important not to rely solely on it. "Nothing beats human common sense," cautions Elsharif. "As a user, try to follow best practices and don't be sloppy when dealing with your data."<br />
OUTSIDE IN: BEWARE THOSE SNEAKING BENEATH THE RADAR<br />
Clearly, users are highly susceptible to emails that purport to be from 'inside the<br />
business' - ie, from the IT team, HR etc - as these seem to come from a recognised<br />
user. So, although phishing is now recognised as a well-known technique, time and<br />
again users are executing content and disclosing credentials.<br />
"One way to solve this issue is to add a simple 'EXT' tag to the subject line of emails,<br />
so that those from an outside source can be easily identified," advises Chris Pickering,<br />
security consultant at Pen Test Partners, the ethical hacking company. "That way, even<br />
if an attacker registers a similar domain name to the organisation's and then tries to<br />
impersonate an employee or internal group, the end user will be able to quickly<br />
identify that it is not from an internal source and report it."<br />
This, he says, can be easily implemented with transport rules and rule actions.<br />
"However, bear in mind that unauthenticated emails sent by equipment and software<br />
on your network will be classified as external email and will also have their subjects<br />
prefixed with EXT. Examples include routers, firewalls, UTM, printers, networking<br />
monitoring software and backup software.<br />
"To prevent messages from those services and devices being classified as EXT, you<br />
need to configure those services and devices to send their messages authenticated. In<br />
most cases, this is straightforward, but you may experience issues configuring some<br />
Linux software."<br />
Chris Pickering, Pen Test Partners:<br />
emails from an outside source can be<br />
easily identified.<br />
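The transport rule Pickering describes, as an added example that is not code from the article or from Pen Test Partners: an Exchange PowerShell mail flow rule that prepends EXT to the subject of mail arriving from outside the organisation, assuming an Exchange Management Shell or Exchange Online session with rights to manage transport rules; the rule name, the tag text and the regex exception that stops the tag stacking on replies are assumptions of mine.<br />

```powershell
# Added example, not code from the article or from Pen Test Partners.
# Creates the "EXT" subject-tagging rule Chris Pickering describes.
# Assumes an Exchange Management Shell or Exchange Online PowerShell
# session with permission to manage transport (mail flow) rules.

$ruleName = 'Tag mail from outside the organisation'   # name is my choice

# FromScope NotInOrganization matches every sender that is not an
# authenticated member of the organisation. That includes a lookalike
# domain impersonating a colleague, which is the point of the rule, but
# also routers, printers, UTMs and backup jobs that relay anonymously,
# which is the side effect the article warns about: those devices must
# submit mail authenticated to stop being tagged.
New-TransportRule -Name $ruleName `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -PrependSubject 'EXT: ' `
    -ExceptIfSubjectMatchesPatterns '^EXT: ' `
    -Comments 'External mail is tagged so spoofed internal senders stand out'

# The ExceptIfSubjectMatchesPatterns exception keeps the tag from stacking
# ("EXT: EXT: ...") when an already-tagged thread comes back from outside.

# Confirm the rule exists, is enabled and has the intended scope.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Priority, FromScope, SentToScope, PrependSubject, ExceptIfSubjectMatchesPatterns
```

After the rule is live, review a day of tagged mail for internal devices that now carry the prefix; each one is a system still sending unauthenticated, exactly the case Pickering says to fix at the device rather than by exempting it.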
10<br />
computing security May/June 2017 @CSMagAndAwards www.computingsecurity.co.uk
We leverage innovative technology, automation and applications to deliver real time cyber<br />
threat intelligence to our customers worldwide.<br />
We combine the intelligent use of our technology and the industry's finest analytical minds<br />
to provide a platform that allows you to easily and quickly build a meaningful cyber threat<br />
intelligence capability identifying the digital risks to your organisation.<br />
REQUEST A FREE DEMONSTRATION AND TRIAL OF THE CYJAX<br />
CYBER THREAT INTELLIGENCE PLATFORM NOW.<br />
www.cyjax.com +44 (0)20 7096 0668<br />
trial@cyjax.com
encryption in transit<br />
MASS DATA BREACHES ELIMINATED<br />
PANOPTEX TECHNOLOGIES IS A SOFTWARE COMPANY OUT OF THE U.S. THAT'S MAKING WAVES BY<br />
PROVIDING AN INDUSTRY FIRST: A MASSIVE SCALE NOSQL DATABASE THAT ACTS AS THE LAST LINE OF<br />
DEFENCE AGAINST MASS DATA BREACHES BY PROVIDING ENCRYPTION IN TRANSIT, AT REST AND IN USE.<br />
WE INTERVIEWED PANOPTEX'S CHIEF TECHNOLOGY OFFICER JOSEPH YANNACCONE TO GET A BETTER<br />
UNDERSTANDING ON OLFACTEX AND WHY IT'S A GAME-CHANGER. HERE'S WHAT HE HAD TO SAY<br />
Q. Computing Security: We've heard<br />
a great deal about your Olfactex<br />
solution. How exactly does it work?<br />
Joseph Yannaccone: Olfactex is a massively<br />
scalable NoSQL hybrid DBaaS that provides<br />
unprecedented protection against mass<br />
data breaches and privacy violations,<br />
while delivering the ability to perform<br />
sophisticated in-cloud queries and analytics.<br />
Olfactex encrypts all data using an<br />
enterprise gateway before sending it to<br />
the cloud for storage and data remains<br />
encrypted while it is in the cloud, even<br />
during query and analysis. Data is only<br />
decrypted after being returned to the<br />
enterprise gateway as results for a query<br />
operation or analysis routine. Olfactex<br />
achieves this powerful capability by<br />
combining a unique transformation process<br />
with strong industry-accepted encryption<br />
algorithms.<br />
Q. Can you tell us more about how<br />
you prevent mass data breaches?<br />
Olfactex employs a variety of safeguards to<br />
protect against internal and external threats,<br />
regardless of whether they originate<br />
accidentally or intentionally. This includes<br />
division of data and key information into<br />
separate administrative domains, fine-grained<br />
policy-based data access rules,<br />
integrated non-repudiated audit reporting<br />
to an administratively separate security team<br />
and, of course, always-on data encryption<br />
while data is in the cloud, even while it is<br />
being queried or analysed. This combination<br />
of security, privacy, auditing and advanced<br />
query capabilities is absolutely<br />
unprecedented for database solutions.<br />
Q. Aren't there already encrypted<br />
databases available on the market?<br />
Existing database solutions employ a variety<br />
of encryption technologies, but they all<br />
suffer from the same fundamental<br />
weakness: they must decrypt the data,<br />
in order to perform query operations or<br />
return results. This provides database<br />
administrators with direct access to<br />
unencrypted data and the unrestricted<br />
ability to manipulate or exfiltrate data.<br />
While a variety of add-on solutions exist to<br />
help detect or prevent such activity, none of<br />
them is integral to the database system itself<br />
and therefore has the risk of being<br />
circumvented.<br />
Q. How can organisations use Olfactex<br />
to protect their sensitive data?<br />
We are currently working with organisations<br />
that are investigating it for a variety of<br />
applications, including as a backend for new<br />
applications that house sensitive data, as a<br />
means to migrate data and applications to<br />
the cloud that would otherwise have to be<br />
kept in-house for compliance reasons and<br />
even as a secure online disaster recovery<br />
solution to protect against everything from<br />
catastrophic failures to ransomware events.<br />
Q. What about emerging solutions that<br />
use homomorphic encryption?<br />
Most security and privacy standards exclude<br />
the loss or leakage of encrypted data from<br />
the definition of a breach, as long as the<br />
encryption is an accepted standard. This<br />
means that, if a hacker obtained full<br />
administrative access to an Olfactex<br />
persistence engine, it would still not be<br />
considered a breach and, in most cases,<br />
would not need to even be reported,<br />
because Olfactex employs only proven<br />
and accepted strong encryption algorithms.<br />
Unfortunately, there is no accepted standard<br />
for homomorphic encryption. In fact, there<br />
isn't even one in progress. This means<br />
it would be years before homomorphic<br />
encryption could be accepted as a<br />
compliant means of securing sensitive data.<br />
Q. Does Olfactex support SQL?<br />
Not directly. Olfactex is a NoSQL database<br />
that employs its own rich query language to<br />
deliver its advanced analytical capabilities on<br />
encrypted data. However, many applications<br />
can be mapped from SQL to the Olfactex<br />
query language and we have a Panoptex<br />
team that can perform that translation<br />
work for solution integration projects.<br />
Q. You mentioned that Olfactex<br />
can secure sensitive data for new<br />
applications. What type of applications<br />
do you have in mind?<br />
Olfactex could support a wide range of<br />
possible applications, including IoT (Internet<br />
of Things) and mobile applications, as many<br />
of them collect large volumes of private data<br />
regarding users. We are also seeing very<br />
positive responses regarding upcoming<br />
applications in the health and financial<br />
industries, as Olfactex is the only database<br />
solution that can secure their data in the<br />
cloud using compliant encryption algorithms<br />
while retaining the ability to query and<br />
analyse that data.<br />
Q. How can you prevent ransomware<br />
attacks?<br />
Ransomware depends on the ability for an<br />
attacker to directly access an organisation's<br />
data, encrypt it and then threaten to destroy<br />
the key, if a ransom is not paid. Olfactex<br />
distributes data across many systems with<br />
multiple replicas of every data object. Further,<br />
data from many companies is distributed<br />
across the same infrastructure. Only the<br />
owner of the data is able to generate the<br />
index values necessary to identify their<br />
information from among the masses.<br />
Q. If companies are storing their sensitive<br />
data in Olfactex, reliability will be an<br />
important requirement. How does Olfactex<br />
ensure that data is stored reliably?<br />
Olfactex stores data in a distributed manner<br />
by spreading it across hundreds or even<br />
thousands of systems with multiple replicas<br />
of every data object. Further, these systems<br />
may be distributed across geographically<br />
diverse data centres to provide protection<br />
against localised disasters.<br />
Q. Explain why Olfactex is more secure<br />
than in-house data storage.<br />
Olfactex divides system functionality into two<br />
distinct administrative domains to ensure that<br />
no single breach can yield any unencrypted<br />
data. In-house database systems are often<br />
wide open to DBAs, even with significant<br />
security measures in place. The root problem<br />
with these systems is that they were not<br />
designed from inception to address today's<br />
threat landscape. Every additional layer<br />
of security introduces more cost and<br />
complexity, restricts capability and<br />
introduces new opportunity for human<br />
error. This is analogous to putting a band-aid<br />
over a deep wound; it simply hides it<br />
from view and it doesn't address the actual<br />
problem. Additionally, this often results in<br />
the secret keys and bulk data being present<br />
in the same security domain. This presents<br />
an opportunity for an attacker to obtain the<br />
keys and bulk data from a single infiltration.<br />
Q. You mentioned privacy - how do you<br />
protect this?<br />
Fine grained access control policies define<br />
rules for what data a user can access and<br />
how it may be presented. Each user can<br />
have different rules for queries and results.<br />
This makes it possible to define rule sets that<br />
allow a user to include restricted data in a<br />
secure analysis pipeline without granting<br />
them the ability to actually view any<br />
restricted data. This could have significant<br />
benefits for industries where fraud detection<br />
and prevention are presently hampered by<br />
privacy regulations.<br />
Q. How is the Olfactex system being<br />
made commercially available in the UK?<br />
We are launching our service in the UK and<br />
throughout the EU with our Cloud partner<br />
SURE from the Channel Islands. We will<br />
be commercialising the software via the<br />
Panoptex and Sure direct sales teams,<br />
as well as via key industry agents and<br />
consultants.<br />
Q. This all sounds really interesting and<br />
engaging. Where can our readers<br />
go to get more information?<br />
They can go online to our web site at<br />
www.panoptex.com either to schedule a<br />
meeting with a sales representative or<br />
schedule a demo.<br />
encryption<br />
BEWARE THE DOUBLE-EDGED SWORD<br />
ENCRYPTION PLAYS A VITAL ROLE IN PROTECTING VALUABLE INFORMATION FROM BEING STOLEN<br />
OR ALTERED. BUT IT CAN BE USED BY YOUR ENEMIES JUST AS READILY<br />
How do you stay one step ahead of the<br />
attackers, when it comes to employing<br />
the latest encryption technology?<br />
What is the right solution for your<br />
organisation? How do you make sure your<br />
systems aren't breached? In the wake of<br />
constant breaches, the time to focus on<br />
encryption has never been more urgent.<br />
As Mark Hickman, chief operating officer,<br />
WinMagic, points out, encryption is the last<br />
line of defence against any data breach, such<br />
as an external hacker. "But it is often forgotten<br />
that the role of security is to protect against<br />
problems on the inside, as much as the<br />
outside, whether an accidental breach of data<br />
or a rogue employee. Sensitive data, whatever<br />
it is, should always be encrypted and be kept<br />
in that state. A simple rule is that, if you don't<br />
want just anyone to see it, then it should be<br />
encrypted. That way, encryption becomes<br />
embedded in the organisation from a<br />
technology and process perspective."<br />
QUESTION TIME<br />
Starting from that premise, we can then ask<br />
the following, he says: “What do I need to<br />
encrypt? How will that data be used and<br />
shared? Where will it be stored? Who needs<br />
access to it? These questions help you identify<br />
the scope of your encryption needs - for<br />
example, whether you need to be able to<br />
encrypt in the cloud.”<br />
Any data that you would fear losing, or that<br />
is sensitive in any way, should always be<br />
encrypted at the end point in the<br />
organisation, he adds. "This can also be used<br />
to ensure that, when data leaves the<br />
organisation, it remains encrypted wherever<br />
it goes by enforcing a security policy that<br />
requires it. The only way to make this work<br />
over modern infrastructures, which are<br />
diverse and multi-layered, is through<br />
centralised key management."<br />
Since you own and control the encryption<br />
keys on a centrally controlled key server,<br />
access to the files remains completely under<br />
your control - wherever it goes, on any device.<br />
With centrally controlled encryption, it is also<br />
possible to ensure that files are only readable<br />
by certain individuals, thus helping a<br />
company enforce both regulatory and<br />
governance requirements.<br />
But there are other examples where it is<br />
helpful, Hickman points out. "If an employee<br />
leaves the company, or you stop working with<br />
a specific partner organisation, access can be<br />
instantly terminated. Without encryption,<br />
users would retain access to those files and<br />
the practice would have no way of removing<br />
them from devices. Using centrally managed<br />
encryption, access can be removed in the<br />
policy engine; the user instantly loses the<br />
ability to decrypt and read the files."<br />
If your company wants to use third party<br />
cloud storage services, it is critical to use<br />
solutions where encryption keys are always in<br />
the control of the organisation, rather than<br />
the cloud service, he says. "This adds yet<br />
another level of protection, should a breach<br />
of usernames/passwords occur at a third-party<br />
cloud service provider. A hacker will not<br />
be able to read the files they can see."<br />
This type of cloud-based approach to<br />
encryption does not just protect from<br />
hackers, he continues, but equally it protects<br />
against anyone, accidentally or otherwise,<br />
sharing data with those that should not have<br />
access to it.<br />
RANSOMWARE ATTACKS<br />
Although encryption forms one layer of<br />
a cyber security policy by providing a<br />
mechanism to protect access to data by<br />
unauthorised individuals, whether at rest or<br />
in-transit, that is far from the whole picture.<br />
"Unfortunately, we also see encryption used<br />
as a tool against us in Ransomware attacks,<br />
where our data is encrypted by a third-party<br />
preventing our access to it," says Brian<br />
Chappell, senior director, Enterprise &<br />
Solutions Architecture from BeyondTrust.<br />
"Given that Ransomware will encrypt any data<br />
a user has access to write to, it makes it very<br />
hard to protect against. The rapid evolution<br />
of Ransomware means that signatures,<br />
hashes etc are quickly out of date and it's<br />
difficult to uniquely identify the activity of<br />
Ransomware before it's already too late."<br />
It should be clear that the key here is the<br />
data that users have access to and how that<br />
access is provided. "Administrative access<br />
should be limited to accounts that are only<br />
used for that purpose; no-one should be<br />
using an account with super-user rights for<br />
daily work," adds Chappell. "The risk is too<br />
high to allow that; clicking on the wrong<br />
attachment or file could be catastrophic,<br />
as the super-user has access to everything.<br />
Make sure that users have limited access<br />
to file shares: if they only need to view files,<br />
then make the access read-only and<br />
Ransomware is rendered impotent. If users<br />
do need to update and/or write to files, then<br />
ensure it's only the files they absolutely need<br />
access to."<br />
Wherever possible, move data into more<br />
structured repositories, such as document<br />
management systems, databases etc, he<br />
further advises. "This may seem like a lot of<br />
effort and cost for a small to medium<br />
business, but losing access to all your data<br />
will make a £5,000 extortion payment seem<br />
like a reasonable option. By ensuring that<br />
users aren't directly accessing your data<br />
stores, even for administrative work, you<br />
present Ransomware with the least<br />
opportunity to impact your business and<br />
keep encryption as a tool that gives you<br />
benefits, rather than pain," he says.<br />
LAST LINE OF DEFENCE<br />
In itself, data encryption isn't a silver bullet.<br />
However, when properly embedded within<br />
an holistic information security plan, it will<br />
provide the most effective last line of defence.<br />
"If bad actors manage to break through<br />
gateway defences to access internal servers,<br />
or data is intercepted whilst being transferred<br />
electronically or, for that matter, physically on<br />
removable media, as long as the bits and<br />
bytes recovered are unintelligible to an<br />
unauthorised recipient, the last line of<br />
defence has held firm," states Jon Fielding,<br />
managing director, EMEA Apricorn.<br />
"Granted, the encryption must be correctly<br />
implemented with sufficiently strong<br />
encryption keys, ideally protected in<br />
hardware, so that the only method of attack<br />
is brute force. If you can also manage the<br />
number of unsuccessful brute force attempts<br />
before determining the device holding the<br />
data is being attacked and act, you build in<br />
another layer of protection."<br />
Encryption is necessarily complicated with<br />
tales of Bob and Alice, prime numbers,<br />
multiple algorithms, symmetric and<br />
asymmetric keys and a plethora of three-letter<br />
acronyms, he concedes. "However, to the<br />
average user, there is no need to understand<br />
this. Encryption should be automatic and<br />
invisible. The user shouldn't be left with a<br />
decision to encrypt or not. The organisation's<br />
information security policy should be<br />
enforced through technology, where possible,<br />
by locking USB ports to only accept<br />
corporately approved hardware encrypted<br />
USB devices, for example."<br />
Encrypting valuable or sensitive data enables<br />
organisations to manage their risk. In a<br />
commercial world where mobile working is<br />
increasingly becoming the norm against a<br />
back drop of stronger regulatory powers,<br />
encryption is a critical piece of the armoury.<br />
"For example, let's look at the General Data<br />
Protection Regulation (GDPR), which serves to<br />
harmonise a common legal framework in<br />
support of protecting EU citizen data and<br />
comes into effect in May of next year,"<br />
suggests Fielding. "There are various articles<br />
that cover consent and EU citizen rights<br />
amongst others, but there are clear mandates<br />
for data encryption: first, for compliance<br />
(Article 32); secondly, to mitigate the impact<br />
on any organisation that suffers a breach.<br />
Article 34 also removes the obligation to<br />
individually inform each citizen affected, if<br />
the data remains unintelligible. Article 83<br />
suggests that fines (which can be as high as<br />
4% of global turnover or 20 million euros)<br />
will be moderated where the company has<br />
been responsible and mitigated any damage<br />
suffered by data subjects."<br />
Worryingly, a recent survey by Apricorn<br />
found that 24% of surveyed companies<br />
are not even aware of the GDPR and its<br />
implications, he adds. "On top of this, 17%<br />
are aware of the regulations, but don't have a<br />
plan for ensuring compliance. Organisations<br />
should analyse their data, identify everything<br />
that should be protected, understand where<br />
it exists and how it is transported, and ensure<br />
that it is encrypted at all stages of its lifecycle."<br />
Ed Kidson, Wick Hill: many organisations<br />
are left clueless as to which of their data is<br />
encrypted and which isn't.<br />
Jacob Ginsberg, Echoworx: always<br />
monitor your network and follow best<br />
practices.<br />
Mark Hickman, WinMagic: sensitive data<br />
should always be encrypted at the end<br />
point in the organisation.<br />
Brian Chappell, BeyondTrust: wherever<br />
possible, move data into more structured<br />
repositories.<br />
GAPING HOLES<br />
With high-profile malware breaches<br />
continuing to make headlines, organisations<br />
are acutely aware of the dangers of leaving<br />
themselves vulnerable to attack. Against that<br />
backdrop, encryption technology can and<br />
should play a pivotal role in any organisation's<br />
IT security strategy, points out Ed Kidson,<br />
product manager at Wick Hill (part of the<br />
Nuvias Group).<br />
"However, a problem exists when companies<br />
believe they are shielded from attack by<br />
encryption software, but without realising it<br />
are susceptible to attack. Encryption isn't a<br />
new thing, which is part of the difficulty. It's<br />
likely that different, disparate encryption<br />
policies may have been implemented over<br />
several years with numerous vendors, leaving<br />
organisations clueless as to which of their<br />
data is encrypted, and which isn't - creating<br />
gaping holes in their defences in 2017."<br />
So how do you stay one step ahead of the<br />
attackers, when it comes to employing the<br />
latest encryption technology? "It usually isn't<br />
practically or financially viable to encrypt<br />
everything, so the first step is to conduct an<br />
audit of your data and decide what is<br />
sensitive," he says. "Look at where you need<br />
encryption - on endpoints such as mobile<br />
phones, laptops or tablets; or for data<br />
that's stored on servers or in datacentres.<br />
Regardless of which solution you choose<br />
thereafter, it is just as important to keep your<br />
encryption key secured and managed<br />
properly. Some companies will encrypt their<br />
database, for example, but their encryption<br />
key might be sat on the same server as the<br />
database - it is comparable to locking your<br />
car and leaving your keys on the bonnet!"<br />
Best practice involves implementing a key<br />
management policy, putting the keys into<br />
a Hardware Security Module (HSM) and<br />
recycling the key regularly. If all these<br />
safeguards are in place and you are breached,<br />
the chances of your data leaking are vastly<br />
reduced.<br />
"Most hackers will discover encrypted files<br />
and move on - they tend to go for the 'open<br />
window' approach to theft," adds Kidson.<br />
"As such, encryption should form part of<br />
a traditional layered security approach,<br />
alongside endpoint and gateway defences."<br />
With ransomware attacks on the rise and<br />
forthcoming regulations like GDPR meaning<br />
any data breach is financially ruinous for a<br />
business, it has never been more important to<br />
make sure you have a watertight encryption<br />
policy in place, he concludes.<br />
TOP PROTECTION<br />
"If you're a system administrator, make sure<br />
you're using the best tools to protect your<br />
system, including the latest patches and fixes<br />
given by your service providers," comments<br />
Jacob Ginsberg, senior director of products<br />
for email encryption software company<br />
Echoworx. "Always make sure your systems<br />
are up to date and run scans, monitor your<br />
network and follow your best practices."<br />
Best practices include following compliance<br />
rules, knowing how to properly dispose of<br />
and store data, determining who can have<br />
access to the network and learning how to<br />
detect breaches. Ginsberg advises consulting<br />
with vendors, to be aware of the latest<br />
advances in encryption software, keeping<br />
updated about networking and security, and<br />
reading the news to learn about what new<br />
areas hackers are targeting.<br />
Recalls happen and you need to be<br />
prepared if you’re faced with one.<br />
The Sims Asset Return Management Portal makes product recalls and returns<br />
quick and easy to administer. Online, efficient and straightforward, the portal<br />
ensures products are returned to your store or our processing facility with<br />
minimal hassle for your customers. Let Sims help you prepare to protect your<br />
bottom line and brand reputation at a critical time.<br />
ASSET RETURN MANAGEMENT PORTAL<br />
+44 (0)800 6526 100<br />
srsuk.info@simsmm.com<br />
www.simsrecycling.com
Infosecurity Europe<br />
IT'S SHOW TIME ONCE AGAIN!<br />
INFOSECURITY EUROPE 2017 IS NOT FAR OFF NOW, WHERE YOU CAN SEE THE LATEST TECHNOLOGIES<br />
AND SOLUTIONS TO TAKE YOUR BUSINESS FORWARD. THE SHOW PLACES THE EMPHASIS FIRMLY ON<br />
INTERACTIVITY, BRINGING PRODUCTS TO LIFE THROUGH A SERIES OF AREAS, ZONES AND PRESENTATIONS<br />
The theme of this year's Infosecurity<br />
Europe is ‘Cybersecurity at the<br />
Speed of Business’. Against a<br />
backdrop of global economic and<br />
political uncertainty, organisations<br />
are rapidly transforming and taking<br />
advantage of new technologies and<br />
working practices. Featuring a host of<br />
inspirational thought-leaders and expert<br />
practitioners, Infosecurity Europe's<br />
Keynote Stage seminars will focus on the<br />
challenges of developing an agile security<br />
strategy that can keep pace with both<br />
business transformation and the<br />
evolution of the cyber threat landscape.<br />
Speakers will include representatives from<br />
companies and organisations including<br />
Camelot, Centrica, Costa Coffee,<br />
Department of Work &amp; Pensions (DWP),<br />
Hargreaves Lansdown, HSBC, KPN<br />
Telecom, Metropolitan Police Service,<br />
Network Rail, Skyscanner, Telefónica UK,<br />
The Economist Group and UCL.<br />
Also within the Conference Programme<br />
will be a series of 25-minute long<br />
vendor-led presentations in Tech Talks<br />
and Strategy Talks addressing the latest<br />
challenges in information security and<br />
cyber security, and the latest infosecurity<br />
business challenges respectively. Both<br />
theatres are located on the ground floor.<br />
The Technology Showcase, also located<br />
on the ground floor, will see exhibitors<br />
take to the stage to demonstrate the<br />
capabilities of their products and<br />
technologies, and take questions.<br />
Intelligent Defence, a one-day technical<br />
conference stream, takes place within<br />
Infosecurity Europe on Tuesday, 6 June.<br />
The sessions will focus on the latest<br />
research, including insights into key<br />
vulnerabilities and exploits, and how<br />
to defend against them. Presentations<br />
include: Barbarians in the Throne Room;<br />
The IP Address Black Market - A Primer;<br />
Adversarial Machine Learning: The Pitfalls<br />
of Artificial Intelligence-based Security<br />
and Behavioural Analysis Using DNS &amp;<br />
Network Traffic.<br />
VENUE, DATES AND OPENING TIMES<br />
Olympia London, Hammersmith Road, London, W14 8UX<br />
Tuesday 6 June 2017: 09:30-17:30<br />
Wednesday 7 June 2017: 09:30-17:30<br />
Thursday 8 June 2017: 09:30-16:00<br />
Registration is free until midday, Monday 5 June. After this, onsite registration costs £35.<br />
To register, visit www.infosecurityeurope.com<br />
NEW EXHIBITORS<br />
New exhibitors to Infosecurity Europe will<br />
be located in the upstairs Gallery in the<br />
Discovery Zone and the Cyber Innovation<br />
Zone, featuring over 100 companies with<br />
something new to show. In the Discovery<br />
Zone, you can tune in to a series of<br />
presentations throughout the day on the<br />
Cyber Innovation Showcase theatre.<br />
HALL OF FAME<br />
This year, Professor Mary Aiken will be<br />
inducted into Infosecurity Europe's Hall<br />
of Fame, recognising her long-term<br />
contribution to the information security<br />
sector as the world's leading expert in<br />
forensic cyberpsychology, her work as an<br />
advocate and educator in information<br />
security, and her role in raising the profile<br />
of the information security sector.<br />
She has written and spoken extensively<br />
on issues relating to the intersection<br />
between people and technology - or, as<br />
she describes it, "where humans and<br />
technology collide". An adjunct associate<br />
professor at University College Dublin,<br />
Geary Institute for Public Policy, and<br />
Academic Advisor (Psychology) to the<br />
European Cyber Crime Centre (EC3) at<br />
Europol, she has conducted research and<br />
training workshops with multiple global<br />
agencies, from INTERPOL to the FBI and<br />
the White House.<br />
Aiken will be officially inducted into the<br />
Infosecurity Europe Hall of Fame on the<br />
Keynote Stage on Thursday, 8 June,<br />
13.45-14.30. During the session, she<br />
will discuss her career as a forensic<br />
cyberpsychologist, her current research<br />
projects and will share insights on future<br />
threats, and the importance of human<br />
factors in information security.<br />
INFOSECURITY WEEK<br />
New for 2017 is Infosecurity Week,<br />
sponsored by the Security Serious Unsung<br />
Heroes Awards - a seven-day, city-wide<br />
landmark event bringing Infosecurity<br />
professionals together to learn, explore<br />
and have fun in and around London<br />
during the week of 5-11 June 2017.<br />
Planned around Infosecurity Europe,<br />
Infosecurity Week will be providing a<br />
central portal listing all the many events,<br />
parties, conferences, training and other<br />
activities which have been organised for<br />
all of the Infosecurity professionals in<br />
London that week. Events taking place<br />
during Infosecurity Week, include:<br />
Monday, 5 June, 09:00-17:30:<br />
Securing the Converged Cloud,<br />
Olympia Conference Centre, London<br />
This year's Cloud Security Alliance Summit<br />
welcomes world leading security experts<br />
and cloud providers to discuss global<br />
governance, the latest trends in<br />
technology, the threat landscape,<br />
security innovations, best practices and<br />
global governance in order to help<br />
organisations address the new frontiers<br />
in cloud security.<br />
Wednesday, 7 June, 08:30-11:00,<br />
Women in Cybersecurity Networking<br />
Event, Olympia Conference Centre<br />
A Keynote speech will be followed by a<br />
panel discussion on ‘How to Sell Your<br />
Professional Self in a Male-Dominated<br />
Industry’. The session will consider (and<br />
dispel) gender stereotypes, offer tips and<br />
advice on how to gain credibility and<br />
change employers' perceptions, while the<br />
panel of speakers will share their<br />
experiences overcoming challenges and<br />
driving their career forwards. The event<br />
will end with a 45-minute networking<br />
session. To book tickets, browse the lineup<br />
of events at the show and much<br />
more, just go to the following:<br />
www.infosecurityeurope.com/en/Infosecurity<br />
Computing Security will have a strong<br />
presence at InfoSec and we look forward<br />
to seeing you there.<br />
INFOSECURITY EUROPE IN NUMBERS<br />
The show offers a great experience in so many ways:<br />
2 Networking Bars - on both the ground floor and gallery levels<br />
8 theatres<br />
140 hours of free accredited education<br />
240 speakers<br />
360 global vendors<br />
18,000 infosecurity professionals, showcasing and debating the latest innovations and<br />
challenges in cybersecurity<br />
DOWNLOAD THE EVENT APP<br />
Make the most of your visit and download the Mobile App before you arrive to connect with<br />
peers and set up meetings. It will provide all the key information you need to make the most<br />
of your time at the event, including speaker, exhibitor and sponsor profiles; activity feed<br />
that features onsite polls and discussions; plus an interactive floorplan - and much more:<br />
http://www.infosecurityeurope.com/visit/whats-on/mobile-app<br />
www.computingsecurity.co.uk @CSMagAndAwards May/June 2017 computing security<br />
19
product review<br />
ACUNETIX 11<br />
With web sites now under a daily<br />
onslaught of attacks, businesses<br />
can't afford to be lax about<br />
security. Their very survival may depend on it<br />
when the EU GDPR (General Data Protection<br />
Regulations) come into force in May 2018, as<br />
any business that falls foul of these will be hit<br />
with punishing fines.<br />
Acunetix specialises in automated web<br />
application security and its latest web<br />
vulnerability scanner Acunetix 11 seems to be<br />
the perfect solution, as it offers some of the<br />
industry's highest detection rates. Available as<br />
both an on-premises and an online edition, it<br />
subjects your web sites and webapps to its<br />
advanced scanning techniques, tests for over<br />
3,000 web vulnerabilities and prioritises them<br />
for simplified resolution.<br />
Along with a slick new web interface, the<br />
Enterprise edition introduces role-based users<br />
for enhanced vulnerability management.<br />
Multiple users can be assigned one of three<br />
roles, allowing security assessments and<br />
report generation tasks to be delegated<br />
across different divisions.<br />
We found the new web console very easy to<br />
use, with its dashboard presenting a clear<br />
overview of high, medium and low severity<br />
vulnerabilities. Beneath is a table showing<br />
your five most vulnerable targets, a listing<br />
alongside for the most common detected<br />
vulnerabilities and yearly trending views<br />
below.<br />
Basic web site scans took seconds to start:<br />
we entered the target URL, assigned one of<br />
four business criticality levels, chose from<br />
four scan speeds, picked a report type and let<br />
it go. We could also set the scan to run<br />
continuously, schedule it for regular daily,<br />
weekly, monthly or yearly intervals and add<br />
login credentials, if the web site required<br />
them.<br />
During the scan process, Acunetix'<br />
DeepScan technology crawls the web site,<br />
analyses all discovered links and builds a<br />
complete map of its structure. We used our<br />
own live sites for testing and found it<br />
returned a perfect view of our site structures.<br />
The scanner tests the web site by emulating<br />
a series of hacker attacks, and Acunetix'<br />
AcuSensor technology offers deeper<br />
scanning techniques for ASP .NET and PHP.<br />
When it is enabled on selected scan jobs, the console<br />
provides links for downloading the<br />
appropriate AcuSensor agent and installing it<br />
on the web site host.<br />
Once loaded, it retrieves a list of web sites<br />
on the target and, from its local Manager<br />
interface, you select which ones to use it on.<br />
Security is tight, as the agent is uniquely<br />
generated for the target host and password<br />
protected so it can only communicate with<br />
your console.<br />
The console's Target view lists all scanned<br />
web sites, along with a colour-coded grading<br />
system, so we could see at a glance which<br />
were safe or had low, medium or high risks<br />
associated with them. Clicking on the<br />
relevant colour block took us straight to the<br />
vulnerabilities page where Acunetix provided<br />
an in-depth explanation of the problem.<br />
It included a full impact assessment that<br />
highlighted precisely where the vulnerabilities<br />
were found. More importantly, it offered<br />
sage advice on how to close the security<br />
hole, with links to helpful tutorials and<br />
videos.<br />
Reporting is another key feature as, along<br />
with developer and executive summary<br />
options, you can configure the scan to<br />
produce detailed compliance reports for ISO<br />
27001, HIPAA, SOX and many more.<br />
Selected targets can also be linked to the<br />
GitHub, Microsoft TFS and Atlassian JIRA<br />
issue trackers, allowing vulnerability alerts to<br />
be passed directly to development teams for<br />
swift resolution. Acunetix can also integrate<br />
into new and existing Jenkins Continuous<br />
Integration (CI) and Continuous Delivery<br />
workflows via its Jenkins plugin.<br />
With data protection regulations getting<br />
ever stricter, Acunetix' Web Vulnerability<br />
Scanner could be all that stands between<br />
business success and disaster. It delivers the<br />
toughest vulnerability scan technologies on<br />
the market, amalgamates them neatly into a<br />
single management console and delivers<br />
them all at a very affordable price. CS<br />
Product: Acunetix 11<br />
Supplier: Acunetix UK<br />
Web site: www.acunetix.com<br />
Telephone: +44 (0)330 202 0190<br />
Price: Pro Edition, 1-year subscription, €2,995 (euros)<br />
VISIT THE WEBSITE TO<br />
DOWNLOAD THE AGENDA<br />
11-12 July 2017, Hilton Syon Park Hotel, London<br />
THE CYBER SECURITY EXCHANGE WILL BRING TOGETHER SENIOR INFORMATION SECURITY LEADERS FROM<br />
A NUMBER OF INDUSTRIES, SUCH AS FINANCIAL SERVICES, PHARMACEUTICALS, HEALTHCARE,<br />
AUTOMOTIVE AND RETAIL, TO SEE WHAT BUSINESS CONTINUITY STRATEGIES ARE IN PLACE AND HOW<br />
SECURITY AWARENESS IS BEING PROMOTED ACROSS THEIR ORGANISATIONS.<br />
CHECK OUT SOME OF THE SPEAKERS:<br />
HEAD OF INFORMATION SECURITY CONSULTANCY<br />
DEPUTY DIRECTOR, CYBER & GOVERNMENT SECURITY<br />
GROUP DATA PRIVACY & INFORMATION SECURITY OFFICER<br />
WE'VE SURVEYED OUR NETWORK OF CISOS AND HEADS OF INFORMATION SECURITY TO DISCOVER WHAT<br />
THEIR KEY CHALLENGES AND PROJECTS ARE FOR THE UPCOMING 6 TO 12 MONTHS, PLUS WHAT SOLUTIONS<br />
AND SERVICES THEY ARE PLANNING TO INVEST IN TO HELP THEM OVERCOME THEIR CHALLENGES AND MEET<br />
THEIR GOALS.<br />
HERE ARE SOME OF THEIR PRIORITIES:<br />
IF YOUR CHALLENGES AND PRIORITIES ALIGN WITH ANY MENTIONED ABOVE, YOU'RE IN LUCK!<br />
COMPUTING SECURITY MAGAZINE READERS QUALIFY FOR A 20% DISCOUNT BY QUOTING<br />
CSCYBER17 CONTACT EXCHANGEINFO@IQPC.COM TO SECURE YOUR PLACE TODAY!<br />
*20% DISCOUNT ONLY APPLICABLE TO QUALIFYING DELEGATES AND YOU MUST BE A READER OF COMPUTING SECURITY MAGAZINE<br />
WWW.CYBERSECURITYEXCHANGEEUROPE.IQPC.CO.UK
IT asset management<br />
THE CLOCK IS TICKING…<br />
WITH THE NEW EUROPEAN GENERAL DATA PROTECTION REGULATIONS<br />
SOON DUE TO BECOME LAW, MANY BUSINESSES WILL NEED TO LOOK<br />
CLOSELY AT HOW THEY PROTECT THEIR DATA THROUGHOUT THE<br />
COURSE OF ITS LIFECYCLE<br />
Any business that stores data on EU<br />
citizens will become subject to the<br />
new European General Data Protection<br />
Regulations (GDPR), to take effect by early<br />
2018. Even the UK, post-Brexit (voting-wise, at<br />
least), must comply. This has the potential to<br />
impact a broad spectrum of both EU and<br />
international companies. With the potential<br />
for huge fines (up to 4% of global turnover),<br />
will this see companies becoming more<br />
mature in their attitudes towards data<br />
protection and, if so, what methods will<br />
they need to adopt to achieve regulatory<br />
compliance?<br />
Richard Brown, director EMEA Channels<br />
& Alliances at Arbor Networks, says that the<br />
main barrier with the EU GDPR lies in the<br />
understanding of this new legislation.<br />
"Changes to the definition of what is and<br />
is not personal data, the need for 'explicit'<br />
consent for data collection and different<br />
documentation requirements all need to be<br />
interpreted and any relevant changes made.<br />
It will also require process documentation to<br />
be regularly audited and updated, as in many<br />
cases documentation is created, 'put on the<br />
shelf' and then forgotten about. Finally, there<br />
will need to be a process put in place for the<br />
notification of any breach to the relevant<br />
authorities and customers."<br />
Some of these changes, he points out,<br />
may incur additional costs to business, while<br />
others may reduce overall costs, such as the<br />
unification of regulation, but getting a good<br />
understanding of this is still a work-in-progress<br />
for many organisations. "For<br />
providers outside of the EU who currently<br />
handle personal data on EU citizens, this<br />
will be more complex, as they will have to<br />
ascertain whether their local data-protection<br />
legislation is compatible with the GDPR. With<br />
appropriate assistance from national<br />
governments, organisations should be able<br />
to comply with the legislation.<br />
"As with all regulations, it is important that<br />
organisations maintain their focus on the<br />
'goal', rather than purely on compliance,"<br />
Brown adds. "The impact of data breaches<br />
to both business and the end user can be<br />
significant, and businesses need to invest<br />
appropriately to protect themselves and their<br />
customers, not just comply with the<br />
legislation."<br />
MANY UNPREPARED<br />
According to Rob Norris, director of enterprise<br />
and cyber security in EMEIA at Fujitsu,<br />
the majority of organisations are not yet<br />
preparing for the new legislation. "GDPR<br />
readiness will oblige organisations to carry<br />
out thorough preparation, to set up the<br />
processes necessary for compliance, as well as<br />
supporting alignment of their systems and<br />
services with GDPR's requirements. That's why<br />
we recently announced a comprehensive<br />
portfolio of services to help organisations<br />
comply with the new legislation. This includes<br />
implementing contingency measures, as well<br />
as establishing both GDPR-related strategies<br />
and clearly defined processes in how to detect<br />
and react to data breaches," he says.<br />
"GDPR will apply to organisations of all sizes<br />
and in all industry sectors, and not just those<br />
within the EU, so it's important companies<br />
take the first step and conduct data inventory<br />
scans to help discover the relevant data held<br />
today and where it resides.<br />
"As well as this, organisations must take<br />
responsibility, whether they are private or<br />
public sector, and take the fight to cyber<br />
criminals before they can act," Norris advises.<br />
"This should be done through real-time threat<br />
reporting, a clear and well-rehearsed incident<br />
management plan, and addressing internal<br />
and external communication, in addition to<br />
containment and recovery activities. This will<br />
allow businesses to identify threats as soon as<br />
they hit the network and rectify them<br />
immediately."<br />
"Now is the time for businesses to stop being<br />
hunted and instead become the hunter when<br />
it comes to cyber security," he adds. "Ensuring<br />
a compliant business environment, that will<br />
help protect the company and its employees,<br />
needs to be the number one priority."<br />
MAJOR CULTURE SHIFT<br />
GDPR is forcing a culture shift in the industry<br />
as it puts the responsibility firmly on the<br />
businesses that hold customer data,<br />
comments Alex Guillen, go-to-market<br />
manager at Insight. "There are two sides<br />
to what will engineer this shift - the first is<br />
prevention, which will be shaped in the<br />
preparation phase before the regulations<br />
come into play. For most organisations of all<br />
sizes, this will mean establishing the critical<br />
data they need to protect and identifying<br />
where it resides and the value it holds. Once<br />
established, we'll see organisations creating<br />
security strategies and policies for the end-to-end<br />
management of this data, with a<br />
particular focus on governance.<br />
"When it comes to securing the data<br />
itself, we expect organisations to lean on<br />
consultancy services to help them navigate<br />
the best provider in what we know is a<br />
crowded market. A priority for businesses<br />
should be to look for holistic solutions that<br />
can ensure the integrity of the data, rather<br />
than throwing money at the problem and<br />
creating a patchwork of ineffective tools, as<br />
has been done in the past."<br />
There are a number of hurdles that<br />
organisations will need to overcome,<br />
including the significant problem of dark<br />
data. According to Veritas' 2016 Databerg<br />
Report, dark data will prove the biggest<br />
challenge for most businesses preparing for<br />
the new GDPR. Why? "On average, 54% of<br />
the data held by organisations in Europe is<br />
considered 'dark data' - that is, operational<br />
data that isn't being used by an organisation,"<br />
explains Guillen. "It's a tough one to prepare<br />
for, because organisations don't tend to<br />
understand the nature of their data and we<br />
expect, or hope, to see businesses using the<br />
time before 2018 to get to grips with it."<br />
RISK APPETITE<br />
Once the regulations are in force, it will take<br />
a few cases to build up case law and assess<br />
how various aspects are interpreted before<br />
there is a full understanding of the<br />
implications, suggests Graham Mann,<br />
managing director, Encode Group UK.<br />
"Depending on the severity of the fines,<br />
organisations will be better positioned to<br />
assess their 'risk appetite'; but, given the<br />
potential fines, it could be a risky strategy.<br />
Punitive fines are only one of the powers<br />
wielded by the supervisory authorities: they<br />
can undertake audits, issue warnings or<br />
demand myriad corrective action. In short,<br />
they have the power to seriously disrupt your<br />
business and leave you with a rap sheet."<br />
'It wasn't me, guv' is no defence, he adds.<br />
"Data controllers and processors have dual<br />
liability under GDPR and so there's nowhere to<br />
hide. Therefore, it's vital that data controllers<br />
vet their processors carefully. Corporations will<br />
now have to define and implement a data<br />
strategy throughout the organisation. More<br />
importantly, they must think carefully about<br />
whether they need to store certain data,<br />
because there is now a defined cost. This will<br />
avoid consumer data being held unnecessarily<br />
with all the accompanying security risks.<br />
GDPR has been a long time coming," he<br />
continues. "Its implications are far from being<br />
known, but self-governance simply isn't<br />
working, as evidenced by the millions of<br />
people globally who have been impacted<br />
through no fault of their own."<br />
Graham Mann, Encode Group UK:<br />
Punitive fines are only one of the powers<br />
wielded by the supervisory authorities.<br />
Michael Hack, Ipswitch: two areas to<br />
focus on are technology and training.<br />
DATA ERASURE<br />
Clearly, with the advent of GDPR, it's critical<br />
and urgent for organisations to understand<br />
data lifecycle management and the processes<br />
and systems required at each stage - from<br />
creation of data to when it reaches end-of-life<br />
- before it becomes unmanageable.<br />
"In particular, it's important to factor in data<br />
erasure, which is one small piece of the puzzle<br />
that is frequently overlooked," cautions<br />
Richard Stiennon, chief strategy officer at<br />
Blancco Technology Group. "What companies<br />
really need is an enterprise-class, certified data<br />
erasure solution that employs legally required<br />
overwriting standards, is approved by<br />
governing bodies and provides physical proof<br />
that all data is permanently gone. If a solution<br />
doesn't meet all three of these criteria,<br />
then companies might find themselves in a<br />
situation where they are unable to verify that<br />
data has been removed - and could face<br />
serious legal action and fines from governing<br />
bodies such as the FCC, FTC and EU GDPR<br />
Supervisory Authorities.<br />
"I also think companies need to stop<br />
compartmentalising data management and<br />
customer experience into separate categories,"<br />
he says. "It's not the best strategy and the two<br />
can't flourish without each other.<br />
Organisations will need to change their way<br />
of thinking about data management across<br />
the entire lifecycle so that this kind of<br />
compartmentalisation doesn't keep<br />
happening. They need to proactively plan for<br />
the secure removal of data at the same time<br />
as they're collecting, storing and analysing<br />
data."<br />
STARK FINDINGS<br />
Meanwhile, Ipswitch conducted a survey of IT<br />
professionals from the UK, France and<br />
Germany and found that one in three<br />
businesses reported not knowing how the<br />
GDPR will apply to them, while 55% claimed<br />
they were not ready as they recognised a need<br />
to invest in new technologies. In the UK, that<br />
picture is even starker - less than one in five<br />
say they are ready for the GDPR.<br />
FOCUS AREAS<br />
There are two areas that need to be focused<br />
on ahead of the implementation of the GDPR<br />
- technology and training - with 55% of those<br />
surveyed by Ipswitch saying they would need<br />
to invest in new technologies or services,<br />
according to Michael Hack, head of the<br />
company’s EMEA Field Operations. "The key<br />
technologies that businesses said they needed<br />
to invest in are encryption, analytics and<br />
reporting, perimeter security, file sharing and<br />
mobile device management, with encryption<br />
being mentioned by the most (50%)."<br />
Transferring data in motion, in use and at<br />
rest needs special consideration with GDPR,<br />
Hack adds. "Companies should allow for<br />
flexibility when deciding on the right solutions<br />
for their needs. Risk assessment is a key<br />
strategy and covers all areas of the business."<br />
One important technology for mitigating risk<br />
and ensuring compliance is managed file<br />
transfer, which manages the entire process<br />
both within and outside the business.<br />
"A comprehensive managed file transfer<br />
solution not only provides secure routes for<br />
assets, it also adds value with tools for the end<br />
users for tasks such as managing attachments<br />
and working in local folders," states Hack.<br />
"A managed file transfer solution also<br />
streamlines processes by automating<br />
workflows, managing performance and<br />
security, and providing reporting and<br />
analytics, so that the business is always on<br />
top of data and documents as they move<br />
through, out of and back into the business."<br />
NOT AN OPTION<br />
One of the biggest misconceptions is that<br />
non-EU based companies do not have to<br />
comply with the GDPR. "I hate to break it to<br />
them, but, if they're a global organisation<br />
that collects EU citizen data, then they must<br />
comply," says Matt Lock, director of sales<br />
engineers, Varonis. "If a US company collects<br />
data from EU citizens, it would be under<br />
the same legal obligations as though the<br />
company had headquarters in, say, France,<br />
the UK or Germany - even though they don't<br />
have any servers or offices there! This may be<br />
hard for the EU regulators to enforce, but,<br />
if you're large enough or a high-profile<br />
multinational organisation, our guesstimate<br />
is that the EU authorities will likely go after<br />
any violations. In order to meet these new<br />
regulations or even determine if they have to<br />
be met, every organisation, regardless of<br />
location, should create an asset register of<br />
sensitive files, understand who has access and<br />
who is accessing them, and determine when<br />
data can and should be deleted."<br />
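Norris's advice above to "conduct data inventory scans" and Lock's call for "an asset register of sensitive files" with a record of "who has access" describe the same first step. The following is an added example of that step, not code from the article or from any vendor named in it: it walks a directory tree, flags files that contain markers of personal data (e-mail addresses and card-style numbers that pass the Luhn check), and records each file's owner and permission bits so the register shows which local accounts can read it. The directory layout, file names and sample records are constructed for the demo; the marker patterns are deliberately minimal and a real scan would add many more.

```python
"""Data-inventory scan: walk a directory tree, flag files that appear to hold
personal data and record who owns them and who can read them.

Added example, not code from the article or from any vendor named in it.
The directory layout, file names and sample records are constructed for
the demo; the marker patterns are deliberately minimal.
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass, field

# Simple markers for personal data: e-mail addresses and card-style numbers.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
DIGIT_RUN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
MAX_BYTES = 5 * 1024 * 1024   # skip anything larger than this


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def count_markers(text: str) -> dict:
    """Return {marker_name: count} for the markers found in text."""
    found = {}
    emails = EMAIL_RE.findall(text)
    if emails:
        found["email"] = len(emails)
    cards = [m for m in DIGIT_RUN_RE.findall(text)
             if luhn_ok(re.sub(r"\D", "", m))]
    if cards:
        found["card_number"] = len(cards)
    return found


@dataclass
class AssetRecord:
    path: str
    owner_uid: int
    mode: str             # symbolic permissions, e.g. -rw-r--r--
    world_readable: bool  # readable by any local account
    markers: dict = field(default_factory=dict)


def scan_tree(root: str) -> list:
    """Build the register: one AssetRecord per file that contains a marker."""
    register = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            if st.st_size > MAX_BYTES:
                continue
            # Binary content is read with errors ignored; it simply yields no hits.
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                markers = count_markers(fh.read())
            if not markers:
                continue
            register.append(AssetRecord(
                path=path,
                owner_uid=st.st_uid,
                mode=stat.filemode(st.st_mode),
                world_readable=bool(st.st_mode & stat.S_IROTH),
                markers=markers,
            ))
    return sorted(register, key=lambda r: r.path)


def build_demo_tree() -> str:
    """Create a constructed sample tree and return its root path."""
    root = tempfile.mkdtemp(prefix="inventory-demo-")
    samples = {
        # world-readable HR export holding two e-mail addresses
        ("hr", "staff.csv", 0o644):
            "name,email\nAlice Example,alice@example.com\nBob Example,bob@example.com\n",
        # owner-only finance note: one card number that passes Luhn, one
        # order number that looks like a card but fails the check
        ("finance", "payments.txt", 0o600):
            "card 4111 1111 1111 1111 charged\norder 1234 5678 9012 3456 shipped\n",
        # nothing personal here, so it must not appear in the register
        ("docs", "readme.txt", 0o644): "Build notes for the intranet portal.\n",
    }
    for (sub, name, mode), body in samples.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        path = os.path.join(root, sub, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for rec in scan_tree(build_demo_tree()):
        exposure = "WORLD-READABLE" if rec.world_readable else "restricted"
        print(f"{rec.path}: {rec.markers} owner={rec.owner_uid} "
              f"mode={rec.mode} {exposure}")
```

The register answers the "where does it reside" and "who has access" questions from file metadata alone; the "who is accessing them" part of Lock's list needs access logging or file auditing on the host, which a walk like this cannot see.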
ADAPTING PRACTICES<br />
Clearly, companies must look to adapt their<br />
practices ahead of schedule, given the<br />
complexity and scope of the new regulation.<br />
"While it is billed as European legislation, the<br />
nature of networks and the digital economy<br />
imply that it will be far more wide-reaching<br />
than that," comments John Madelin, CEO at<br />
Reliance acsn.<br />
"Organisations must take a holistic approach<br />
to privacy and security, with their most<br />
sensitive information at the heart of it, in<br />
order to adhere to the stringent guidelines<br />
more easily, as well as manage its downfalls.<br />
"Businesses haven't taken privacy and cyber<br />
security seriously enough until now, and these<br />
higher levels of 'parental controls' will help<br />
security experts hold business leaders up to<br />
board level more accountable. Perhaps the<br />
most significant change is in notification.<br />
"In the past, a company only had a problem<br />
if there was a breach," says Madelin. "The<br />
new legislation will require companies to<br />
demonstrate that they will detect and report<br />
a breach. Companies will have to invest in<br />
creating 24/7 alarming and reporting<br />
capabilities, integrated with their security<br />
infrastructure, which will allow them to<br />
adequately understand where the data is and<br />
protect it. At the moment, the majority of<br />
systems deployed are not fit for purpose."<br />
MASSIVE UNDERTAKING<br />
Preparing for GDPR is likely to be a cross-functional<br />
exercise, as legal, risk and<br />
compliance, IT and security all have a part to<br />
play in its implementation. "As it is not a small<br />
amount of regulation to comprehend, with<br />
99 Articles and 173 Recitals to trawl through,<br />
there will be numerous processes, procedures,<br />
and training required, in addition to the need<br />
for technology and services, in order to<br />
demonstrate compliance," states Samantha<br />
Humphries, international solutions marketing<br />
manager at Rapid7.<br />
"For some organisations, changes to roles<br />
and responsibilities will be required, too, such<br />
as appointing a data protection officer and<br />
nominating representatives within the EU to<br />
be necessary points of contact. Completing<br />
Privacy Impact Assessments and<br />
implementing processes for access control,<br />
incident detection and response, and breach<br />
notification will all be crucial in ensuring<br />
compliance. By introducing such processes,<br />
businesses can show that they understand<br />
where personal data physically resides, the<br />
categories of personal data they control<br />
and/or process, how and by whom it is<br />
accessed, and how it is secured," she adds.<br />
Disaster recovery should also be high on any<br />
organisation's list. "Being able to detect<br />
attackers early can ease this process. User<br />
Behaviour Analytics can provide businesses<br />
with the capabilities to detect anomalous user<br />
account activity within their environment, so<br />
they can investigate and remediate quickly."<br />
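Humphries describes User Behaviour Analytics as detecting "anomalous user account activity". What follows is an added example of the idea in its simplest form, not code from the article or from Rapid7: it learns, from a week of constructed login records, which countries each account normally signs in from, then runs three rules over later activity (a login from a country never seen for that account, two countries within an hour, and a burst of failed logins). The log format, the account names and every log line are constructed for the demo; the thresholds are assumptions to tune per environment.

```python
"""User Behaviour Analytics, minimal form: learn where each account normally
logs in from, then flag later logins that break that pattern.

Added example, not code from the article or from any vendor named in it.
The log format and every log line below are constructed for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                     # failures that count as a burst...
FAIL_WINDOW = timedelta(minutes=10)    # ...within this window (assumed values)
TRAVEL_WINDOW = timedelta(hours=1)     # two countries inside this = suspect


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    country: str
    result: str   # "success" or "failure"


@dataclass
class Alert:
    user: str
    rule: str
    ts: datetime
    detail: str


def parse_line(line: str) -> Event:
    """Parse one 'timestamp key=value ...' line of the constructed format."""
    ts_text, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, kv["user"], kv["src"], kv["geo"], kv["result"])


def build_baseline(events) -> dict:
    """Per account, the set of countries seen in successful logins."""
    seen = defaultdict(set)
    for e in events:
        if e.result == "success":
            seen[e.user].add(e.country)
    return dict(seen)


def detect(baseline: dict, events) -> list:
    """Run the three rules over events in time order and return the alerts."""
    alerts = []
    recent_fail = defaultdict(list)   # user -> timestamps of recent failures
    last_success = {}                 # user -> (ts, country)
    for e in sorted(events, key=lambda x: x.ts):
        if e.result == "failure":
            fails = recent_fail[e.user]
            fails.append(e.ts)
            fails[:] = [t for t in fails if e.ts - t <= FAIL_WINDOW]
            if len(fails) == FAIL_THRESHOLD:   # alert once, when the burst forms
                alerts.append(Alert(e.user, "failure_burst", e.ts,
                                    f"{FAIL_THRESHOLD} failures from {e.src}"))
            continue
        recent_fail[e.user].clear()
        # Rule: success from a country never seen for this account
        if e.user in baseline and e.country not in baseline[e.user]:
            alerts.append(Alert(e.user, "new_country", e.ts,
                                f"{e.country} not in {sorted(baseline[e.user])}"))
        # Rule: two different countries within the travel window
        prev = last_success.get(e.user)
        if prev and prev[1] != e.country and e.ts - prev[0] <= TRAVEL_WINDOW:
            alerts.append(Alert(e.user, "impossible_travel", e.ts,
                                f"{prev[1]} then {e.country} in {e.ts - prev[0]}"))
        last_success[e.user] = (e.ts, e.country)
    return alerts


# Constructed history used to learn the baseline (one normal week).
BASELINE_LINES = [
    "2017-05-08T09:02:11Z user=alice src=10.0.0.5 geo=GB result=success",
    "2017-05-09T08:58:40Z user=alice src=10.0.0.5 geo=GB result=success",
    "2017-05-08T09:15:02Z user=bob src=10.0.0.9 geo=DE result=success",
    "2017-05-08T10:01:45Z user=carol src=10.0.0.12 geo=GB result=success",
]

# Constructed later activity to analyse against that baseline.
NEW_LINES = [
    "2017-05-16T03:12:09Z user=alice src=203.0.113.4 geo=RU result=success",
    "2017-05-16T07:00:01Z user=bob src=198.51.100.7 geo=DE result=failure",
    "2017-05-16T07:00:30Z user=bob src=198.51.100.7 geo=DE result=failure",
    "2017-05-16T07:01:02Z user=bob src=198.51.100.7 geo=DE result=failure",
    "2017-05-16T07:01:40Z user=bob src=198.51.100.7 geo=DE result=failure",
    "2017-05-16T07:02:15Z user=bob src=198.51.100.7 geo=DE result=failure",
    "2017-05-16T07:03:00Z user=bob src=198.51.100.7 geo=DE result=success",
    "2017-05-16T10:00:00Z user=carol src=10.0.0.12 geo=GB result=success",
    "2017-05-16T10:40:00Z user=carol src=192.0.2.77 geo=US result=success",
]


def run_demo() -> list:
    """Learn the baseline from history and return alerts for the new lines."""
    baseline = build_baseline(parse_line(l) for l in BASELINE_LINES)
    return detect(baseline, [parse_line(l) for l in NEW_LINES])


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.ts:%Y-%m-%d %H:%M} {a.user:6} {a.rule:18} {a.detail}")
```

On the constructed data this raises four alerts: alice from a new country, one failure burst for bob, and both a new-country and an impossible-travel alert for carol's second login. The baseline here is only a set of countries; a production system would also learn typical hours, devices and volumes, and would age the baseline so that a genuine relocation stops alerting.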
Recognising weak spots in systems and<br />
networks can also help businesses find focus.<br />
"By attacking their own systems through pen<br />
tests to demonstrate real-world scenarios,<br />
businesses can highlight potential failures and<br />
weaknesses that can be rectified to avoid the<br />
threat of a real attack," Humphries concludes.<br />
"This will aid compliance with Article 32,<br />
which states the need to have a process for<br />
regularly testing, assessing and evaluating the<br />
effectiveness of security measures."<br />
Richard Brown, Arbor Networks:<br />
documentation is often created, 'put on<br />
the shelf' and then forgotten about.<br />
Rob Norris, Fujitsu: now is the time to<br />
stop being hunted and instead become<br />
the hunter.<br />
mobile management<br />
AFTER THE FLOOD<br />
WITH MOBILE DEVICES NOW IN THEIR MULTI-BILLIONS GLOBALLY,<br />
AND MORE AND MORE APPLICATIONS FLOODING THE MARKET, THE<br />
NEED FOR MOBILE MONITORING AND DEVICE MANAGEMENT HAS<br />
NEVER BEEN GREATER OR MORE URGENT<br />
A new report, 'On the Radar', from<br />
leading research company Ovum<br />
shines a light on the extent of<br />
the mobile security problem affecting<br />
businesses of every size around the globe.<br />
It exposes "the inadequate level of mobile<br />
device protection offered by most<br />
mainstream endpoint security providers<br />
who have failed to keep pace with market<br />
requirements and the subsequent threat<br />
this has created for businesses who are<br />
unwittingly exposed to cybercriminals".<br />
The report has turned the spotlight on<br />
an area of great concern - and one that<br />
needs to be addressed urgently.<br />
"Corporate mobile devices are inherently<br />
personal," states Michael Covington,<br />
VP Product Strategy, Wandera. "When it<br />
comes to BYOD, it should be understood<br />
that the end user has more control over<br />
the day-to-day running of the device.<br />
Unfortunately, this means more risk is<br />
introduced to the platform. There is a<br />
general notion amongst businesses and<br />
end users that mobile platforms are<br />
secure. For example, there are few<br />
security tools out there for Apple devices<br />
and not many news headlines around iOS<br />
vulnerabilities. The first thing people need<br />
to understand is these devices are not<br />
secure and, with the rise of mobile<br />
devices, hackers will only continue to<br />
attack them."<br />
Not only do people believe device<br />
platforms are secure, but also the apps<br />
themselves, he adds. "In reality, app<br />
developers are rushing to deliver their<br />
apps to the market and security is often<br />
an afterthought in the process. From<br />
a regulatory perspective, companies<br />
are obligated to protect credit card<br />
information. However, sometimes their<br />
apps haven't gone through secure<br />
development processes." Mobility has not<br />
been treated the same way that classic<br />
end-point has within the enterprise, says<br />
Covington. "Laptops and desktops have<br />
layers of defences, with a variety of<br />
different tools. On the mobile platform,<br />
enterprises are unlikely to have invested<br />
in even one tool, let alone multiple, to<br />
control multiple threat factors."<br />
One threat vector which is often<br />
ignored is the users themselves.<br />
"Investing in educating an individual is<br />
not normally something a business would<br />
do. However, if the individual is putting<br />
themselves or their data at risk on a<br />
device that holds company data, they<br />
become the weak link in the chain.<br />
Employees often go around existing<br />
security policies using mobile devices.<br />
There have been instances of staff<br />
tethering their mobile device when<br />
they're in the office, because they want<br />
to go to websites that are blocked on<br />
the corporate gateway." This is once<br />
again opening up security issues for<br />
businesses, he warns.<br />
"Both the enterprise and the end user<br />
have an interest in making sure their<br />
sensitive mobile data is secure. But end<br />
users also don't want to feel like a 'Big<br />
Brother' is watching their every move<br />
on their BYOD devices; which is why a<br />
solution that simultaneously protects end<br />
user privacy, without compromising<br />
business-critical reporting, traffic control<br />
or device management, is so important,"<br />
adds Covington.<br />
KEY ATTACK POINTS<br />
Michael Shaulov, head of mobility<br />
solutions, Check Point, believes there<br />
are five major categories of attack and<br />
vulnerabilities that organisations need to<br />
protect their mobile fleets against, which<br />
demand multiple mobile security<br />
capabilities.<br />
The first is system vulnerabilities. "Each<br />
version of a mobile operating system will<br />
contain vulnerabilities that criminals can<br />
use to launch attacks. Devices need<br />
to be continually analysed to uncover<br />
vulnerabilities and the behaviours that<br />
cyber criminals use to attack them. When<br />
a threat is identified, the solution must<br />
automatically mitigate any risk until the<br />
threat is eliminated," he states.<br />
Next comes root access and<br />
configuration channels. "Root access<br />
enables a wide range of customisations<br />
and configurations, and gives criminals<br />
greater access, which exposes devices<br />
and data to risk," Shaulov points out.<br />
"Criminals can even bypass MDMs using<br />
relatively simple techniques, so it's<br />
necessary to monitor all configuration<br />
changes and use behavioural analysis to<br />
detect unexpected system behaviour."<br />
Then there are repackaged and fake<br />
apps. "Malicious apps can take complete<br />
control of mobile devices. It is remarkably<br />
easy for criminals to reverse-engineer<br />
popular apps or to create seemingly<br />
authentic copies of existing ones. In turn,<br />
these apps can be used to gain remote<br />
access to the device or download<br />
malicious payloads. Apps' installation<br />
processes should be monitored and run<br />
in a quarantined 'sandbox' environment<br />
to analyse their behaviour."<br />
Fourth on his list are Trojans and<br />
malware. "An app's code is huge and<br />
complex, making it difficult to identify<br />
a Trojan's malicious activity. A security<br />
solution should capture apps and<br />
automatically reverse-engineer them,<br />
enabling analysis that identifies<br />
suspicious patterns and behaviours."<br />
Fifth, man-in-the-middle attacks. "Man-in-the-middle<br />
attacks can eavesdrop,<br />
intercept and alter traffic between two<br />
devices," he says. "Enterprises need<br />
behavioural analysis that can detect<br />
rogue hotspots and malicious network<br />
behaviour and conditions, and<br />
automatically disable suspicious networks<br />
to keep devices and data safe."<br />
Finally, he advises that this system of<br />
mobile security components must work<br />
together cohesively to identify a wide<br />
variety of threats, protect data and<br />
address employee privacy concerns,<br />
rather than being a loosely-integrated<br />
mix of point products. "The solutions<br />
have to be able to analyse behaviour<br />
across all possible vectors for indicators<br />
of attack, to keep mobile devices safe."<br />
SECURITY HEADACHE<br />
According to Mark Noctor, VP EMEA at<br />
Arxan Technologies, "a mobile-ready<br />
workforce can deliver some powerful<br />
advantages, in terms of flexibility and<br />
responsiveness, but can also be a major<br />
security headache without strict<br />
management. The network's attack<br />
surface is increased with each new<br />
mobile device, and many organisations<br />
quickly lose track of what devices are<br />
connected and how they are being used".<br />
Dave Williams, 3M: another factor to<br />
consider is the 'low tech' one of prying<br />
eyes.<br />
Michael Covington, Wandera: both the<br />
enterprise and the end user have an<br />
interest in making sure their sensitive<br />
mobile data is secure.<br />
www.computingsecurity.co.uk @CSMagAndAwards May/June 2017 computing security<br />
27
mobile management<br />
The BYOD approach, in particular, can<br />
expose companies to a much greater level<br />
of risk, as a mobile that is also used as<br />
personal device will be more likely to be<br />
hit by threats such as mobile malware<br />
and fake or corrupted apps.<br />
A compromised device can then be used<br />
to infect the rest of the corporate<br />
network or access confidential emails and<br />
other data. "Any company with a mobile-centric<br />
workforce should ensure it has a<br />
strict Mobile Device Management (MDM)<br />
strategy to secure emails and corporate<br />
documents, segregate corporate data,<br />
and enforce security policies," states<br />
Noctor. "However, MDM is not always<br />
applicable and can be difficult to<br />
combine with BYOD or apply to<br />
individuals such as contractors and others<br />
who have access to corporate resources,<br />
but are not full employees."<br />
Mobile Application Management (MAM)<br />
is a more flexible and secure approach for<br />
this more diverse workforce, he suggests.<br />
"This approach places security and app<br />
management policies around the<br />
individual business applications, so they<br />
are protected without the need to enrol<br />
the device in MDM. Workers are provided<br />
access to officially sanctioned and<br />
secured mobile apps via a private<br />
enterprise app store. This ensures that<br />
employees are able to easily access the<br />
best apps for the job, while also enabling<br />
the organisation to keep track of what<br />
applications are being used." Managing<br />
mobile apps in this way can also help<br />
enterprises ensure the highest levels of<br />
security even without requiring MDM.<br />
"Powerful app-level policies can be used<br />
to enforce security policies, such as<br />
detecting jailbroken devices and applying<br />
run-time integrity checks, as well as<br />
ensuring that all apps are kept updated,"<br />
he adds.<br />
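One concrete form of the integrity check that both the repackaged-app discussion above and Noctor's "run-time integrity checks" point at, written here as an added example and not code from Arxan or any other vendor named on this page: an Android APK signed with the v1 (JAR) scheme carries a META-INF/MANIFEST.MF that records a SHA-256 digest for every file in the archive, so a copy whose classes.dex has been swapped without the manifest being regenerated fails the check. The APK, its file names and their contents are constructed in memory for the example; the helper and function names are the example's own.

```python
import base64
import hashlib
import io
import zipfile


def _is_metadata(name):
    # Files under META-INF/ are the signing metadata and are not themselves
    # covered by MANIFEST.MF digests.
    return name.startswith("META-INF/")


def parse_manifest(text):
    """Parse MANIFEST.MF into {entry name: base64 SHA-256 digest}.

    The main section (Manifest-Version and friends) has no Name: line and is
    skipped; per-file sections are separated by blank lines, and a line that
    starts with a single space continues the previous one (the JAR format
    wraps long lines at 72 bytes)."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries = {}
    name = digest = None
    for line in unfolded + [""]:            # trailing "" flushes the last section
        if line == "":
            if name is not None and digest is not None:
                entries[name] = digest
            name = digest = None
            continue
        key, _, value = line.partition(": ")
        if key == "Name":
            name = value
        elif key == "SHA-256-Digest":
            digest = value
    return entries


def verify_apk_v1(apk_bytes):
    """Check every non-metadata entry of the archive against the digest the
    manifest records for it. Returns (ok, list of problems)."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        try:
            manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        except KeyError:
            return False, ["META-INF/MANIFEST.MF missing"]
        for info in zf.infolist():
            if info.is_dir() or _is_metadata(info.filename):
                continue
            expected = manifest.get(info.filename)
            if expected is None:
                problems.append(f"{info.filename}: not listed in manifest")
                continue
            actual = base64.b64encode(hashlib.sha256(zf.read(info)).digest()).decode()
            if actual != expected:
                problems.append(f"{info.filename}: digest mismatch")
        for name in manifest:               # listed but absent is suspicious too
            if name not in zf.namelist():
                problems.append(f"{name}: listed in manifest but missing")
    return (not problems), problems


def build_apk(files):
    """Construct a minimal v1-style APK (test data, not a real app): the given
    files plus a MANIFEST.MF carrying their SHA-256 digests."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in files.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "\n".join(lines) + "\n")
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def tamper(apk_bytes, name, new_data):
    """Replace one entry's content without touching the manifest, the state a
    naive repackaging tool leaves the archive in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, \
            zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            dst.writestr(info.filename, new_data if info.filename == name else src.read(info))
    return buf.getvalue()


# Constructed sample app: a code file and a resource.
SAMPLE_FILES = {"classes.dex": b"dex\n035\x00original bytecode",
                "res/layout/main.xml": b"<layout/>"}

if __name__ == "__main__":
    genuine = build_apk(SAMPLE_FILES)
    print("genuine:", verify_apk_v1(genuine))
    repack = tamper(genuine, "classes.dex", b"dex\n035\x00trojanised bytecode")
    print("repackaged:", verify_apk_v1(repack))
```

A careful repackager regenerates the manifest and re-signs with a key of their own, so this layer only catches sloppy tampering; what separates a genuine build from a re-signed copy is the signing certificate, which the app or its MAM wrapper should pin by fingerprint and compare at start-up, alongside a jailbreak/root check.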
INADEQUATE PROTECTION<br />
Despite the publicity around mobile<br />
security, research seems to suggest that<br />
many organisations are not adequately<br />
protecting workers and devices when on<br />
the move or in public spaces, comments<br />
Dave Williams, business manager - UK<br />
Electronics Market, 3M. "As well as more<br />
robust software-based measures, another<br />
factor to consider is the 'low tech' one of<br />
prying eyes." Just looking over someone's<br />
shoulder, he cautions, is "one way to<br />
obtain confidential information. Security<br />
breaches are not confined to savvy<br />
hackers".<br />
In the recent Public Spaces Survey<br />
commissioned by 3M and conducted by<br />
the Ponemon Institute, nine out of 10<br />
people questioned had noticed someone<br />
looking at data on their laptops in public,<br />
according to Williams. "Seventy-six per<br />
cent had also inadvertently seen<br />
something on someone's screen that they<br />
should not have done. However, just over<br />
50% confirmed they had not taken any<br />
preventive steps to protect their own<br />
screens from onlookers in public."<br />
VISUAL HACKING<br />
"Other research also demonstrates just<br />
how easy it is to carry out a 'visual hack',<br />
whether inside or outside the office," he<br />
continues. "In the Global Visual Hacking<br />
Experiment, also carried out by the<br />
Ponemon Institute on behalf of 3M,<br />
involving a 'white hat' hacker, more than<br />
90% of visual hacking attempts were<br />
successful, with 49% of breaches taking<br />
less than 15 minutes and an average of<br />
3.9 pieces of sensitive data obtained per<br />
attempt.<br />
"The reality is that, while visual hacking<br />
is fast and easy to achieve, it is also fast<br />
and easy to prevent, using techniques<br />
such as installation of privacy filters,<br />
which stop on-screen information from<br />
being viewed, unless straight-on and<br />
close-up; angling screens, so they cannot<br />
easily be seen; plus educating employees<br />
about their responsibility to prevent<br />
sensitive data being visible to others,<br />
particularly when they are working in<br />
public spaces."<br />
purchasing strategies<br />
REAL PRICE OF SECURITY SOLUTIONS<br />
THE IMPORTANCE OF MAKING PURCHASING DECISIONS FOR SECURITY SOLUTIONS BASED ON QUALITY,<br />
RATHER THAN INITIAL PURCHASE PRICE ALONE, IS NOW BEING HAMMERED HOME<br />
A stark warning has been laid down in<br />
a new white paper concerning the<br />
challenges involved in buying and<br />
selling high-quality security solutions.<br />
The paper aims to explore the price versus<br />
quality debate from the perspectives of both<br />
buyers and sellers of security solutions, in<br />
order to identify the relative advantages and<br />
disadvantages between low-priced and high-quality<br />
solutions. The main findings of the<br />
paper clearly suggest that end users would<br />
find it far more beneficial to consider and<br />
deploy high-quality security solutions. The<br />
findings also reveal that there are many<br />
advantages for security providers who offer<br />
high-quality solutions to their customers,<br />
rather than merely competing with each<br />
other on the basis of price. Security providers<br />
would be much better off collaborating with<br />
their customers and developing a good<br />
understanding of buyers' needs in order to<br />
provide suitable solutions that meet those<br />
requirements and perform well over time.<br />
Commissioned by the British Security<br />
Industry Association, the white paper, which<br />
is titled 'The (Real) Price of Security Solutions',<br />
has been authored by Dr Terence Tse,<br />
an Associate Professor of Finance at ESCP<br />
Europe Business School, and sponsored by<br />
BSIA member companies Securitas and<br />
ATEC Fire and Security.<br />
The research was driven by immediate past<br />
chairman of the association, Pauline<br />
Norstrom, during her time as chairman.<br />
"I have been in the industry some 16 years,<br />
before that in tech marketing across a broad<br />
spectrum of industries," she commented.<br />
"During that time, I have watched and<br />
experienced the manufacturers within<br />
our industry race to the lowest price,<br />
compromising on materials and functionality<br />
in order to do so and often at the expense of<br />
UK jobs in the process.<br />
"I have seen the industry rush to the cheapest<br />
price to win the bid, with companies offering<br />
solutions at very low margins being left with<br />
substantial additional costs they cannot cover.<br />
In addition, end users are often provided with<br />
an inferior solution which does not solve their<br />
problems," she added.<br />
"Essentially, I hope that the paper will<br />
educate the security buyer as to the art of<br />
buying a specialised security solution, rather<br />
than a bunch of part numbers or just cost per<br />
hour; and instead to consider the value of the<br />
sum of the parts bringing a larger benefit<br />
than those parts working in isolation."<br />
The paper sets out recommendations for<br />
both security providers and security buyers<br />
through checklists that aim to help security<br />
buyers make better informed purchase<br />
decisions and security providers to better<br />
demonstrate the value of their offering,<br />
rather than compete on price alone.<br />
Pauline Norstrom: "I have seen the<br />
industry rush to the cheapest price<br />
to win the bid."<br />
DDoS attacks<br />
PRESSURE MOUNTS ON ISPS<br />
MORE AND MORE SECURITY PROFESSIONALS ARE DEMANDING ADDITIONAL HELP FROM THEIR ISPS TO<br />
BLOCK DDOS TRAFFIC BEFORE IT REACHES THEM<br />
Ashley Stephenson, Corero Network<br />
Security: important crossroads ahead.<br />
DDoS attacks are a greater security<br />
threat to businesses in 2017 than ever<br />
before and Internet service providers<br />
(ISPs) need to do something about it now.<br />
That is one of the findings in a new survey<br />
of IT security professionals and network<br />
operators from Corero Network Security.<br />
The 'Corero DDoS Impact Survey 2017',<br />
polled top technology decision makers and<br />
security experts and found that the majority<br />
(56%) view DDoS attacks as a greater and<br />
graver concern than in previous years.<br />
This elevation of risk comes at a time<br />
when DDoS attacks continue to increase in<br />
frequency, scale and sophistication over<br />
the last year. Some 31% of IT security<br />
professionals and network operators in the<br />
survey experienced more DDoS attacks than<br />
usual in recent months, with 40% suffering<br />
attacks on a monthly, weekly or even daily<br />
basis. To alleviate this problem, 85% are<br />
demanding additional help from their ISPs<br />
to block DDoS traffic before it reaches them.<br />
The findings follow reports in the UK that<br />
Britain's National Cyber Security Centre<br />
(NCSC) is putting pressure on ISPs to rewrite<br />
Internet standards around spoofing, in order<br />
to reduce the volume of DDoS attack traffic<br />
on their networks. Dr Ian Levy, technical<br />
director at NCSC, has called for ISPs to make<br />
changes to the Border Gateway Protocol<br />
(BGP) and Signalling System 7 (SS7)<br />
standards to halt the rerouting of traffic<br />
used in simple, volumetric DDoS attacks.<br />
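The anti-spoofing measure that the NCSC pressure described above comes down to is source-address validation at the ISP's customer edge (BCP 38): a packet is only forwarded if its source address belongs to the prefixes assigned to the port it arrived on, which removes the spoofed packets that reflection and amplification DDoS depend on. The model below is an added example, not code from Corero, the NCSC or any ISP; the interface names, prefix assignments and flow records are constructed, and the record format is the example's own.

```python
import ipaddress


def parse_flow(line):
    """Parse one constructed flow record:
    '<ingress-iface> <src-ip> <dst-ip> <proto> <dst-port> <bytes>'.
    Raises ValueError on malformed input."""
    iface, src, dst, proto, dport, nbytes = line.split()
    return {"iface": iface, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "proto": proto,
            "dport": int(dport), "bytes": int(nbytes)}


def ingress_filter(assignments, lines):
    """BCP 38 style source-address validation at the customer edge.

    assignments maps a customer-facing interface to the prefixes assigned to
    that customer. A packet passes only if its source address lies within a
    prefix assigned to the interface it arrived on; anything else carries a
    spoofed source (the signature of reflection/amplification DDoS) and is
    dropped. Returns (accepted, dropped); dropped records carry a reason."""
    nets = {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in assignments.items()}
    accepted, dropped = [], []
    for line in lines:
        try:
            rec = parse_flow(line)
        except ValueError:
            dropped.append({"line": line, "reason": "unparseable record"})
            continue
        allowed = nets.get(rec["iface"])
        if allowed is None:
            rec["reason"] = "unknown ingress interface"
        elif not any(rec["src"] in net for net in allowed):
            # ip_address-in-ip_network is False across v4/v6, so a v6 source
            # is never matched against a v4 prefix by accident.
            rec["reason"] = "source outside assigned prefixes (spoofed)"
        else:
            accepted.append(rec)
            continue
        dropped.append(rec)
    return accepted, dropped


def spoofed_bytes_by_target(dropped):
    """Bytes of spoofed traffic per (spoofed source = the real victim that the
    reflected replies would hit, reflector address, reflector port)."""
    totals = {}
    for rec in dropped:
        if "src" in rec and rec["reason"].endswith("(spoofed)"):
            key = (str(rec["src"]), str(rec["dst"]), rec["dport"])
            totals[key] = totals.get(key, 0) + rec["bytes"]
    return totals


# Constructed sample data: one customer port with a v4 and a v6 prefix
# (documentation address ranges throughout).
ASSIGNMENTS = {"ge-0/0/1": ["203.0.113.0/24", "2001:db8:1::/48"]}
FLOWS = [
    "ge-0/0/1 203.0.113.10 198.51.100.5 tcp 443 1500",      # genuine customer traffic
    "ge-0/0/1 192.0.2.77 198.51.100.53 udp 53 64",          # spoofed: victim's address as source, DNS reflector
    "ge-0/0/1 192.0.2.77 198.51.100.123 udp 123 48",        # spoofed: same victim, NTP reflector
    "ge-0/0/1 2001:db8:1::5 2001:db8:ffff::1 tcp 22 200",   # genuine IPv6 customer traffic
    "ge-0/0/2 203.0.113.10 198.51.100.5 tcp 80 100",        # arrived on a port with no assignment
    "ge-0/0/1 not-an-ip 198.51.100.5 udp 53 64",            # malformed export line
]

if __name__ == "__main__":
    ok, bad = ingress_filter(ASSIGNMENTS, FLOWS)
    print(f"accepted {len(ok)}, dropped {len(bad)}")
    for rec in bad:
        shown = rec.get("line") or f"{rec['src']} -> {rec['dst']}"
        print(" drop:", shown, "|", rec["reason"])
    print("spoofed bytes by victim/reflector:", spoofed_bytes_by_target(bad))
```

The filter is only as good as the assignment table: a port whose prefixes are missing drops everything (fail closed), which is the safer default, and the per-victim byte totals give the operator the evidence to go back to the customer whose host is being used to reflect.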
"As new, large-scale attacks have come<br />
online, leveraging IoT devices, the DDoS<br />
threat has become top of mind for CISOs,"<br />
said Rob Ayoub, research director at IDC.<br />
"This shift in precedence puts increased<br />
pressure on Internet and cloud providers<br />
to enable this protection for their customers<br />
and also to eliminate DDoS threats closer to<br />
the source."<br />
Ashley Stephenson, CEO at Corero<br />
Network Security, added: "Providers will<br />
likely find themselves at an important<br />
crossroads during the next year, as pressure<br />
builds on them from both customers<br />
and governments to address the growing<br />
DDoS problem. By accepting a greater<br />
responsibility for defending their customers<br />
and networks against DDoS attacks, ISPs<br />
could modernise their security service<br />
offerings and increase customer satisfaction<br />
- in contrast, ignoring this call to action<br />
could open up the possibility of future<br />
regulatory controls related to DDoS<br />
protection."<br />
The Corero study found that a worrying<br />
58% of security professionals are still relying<br />
on 'home grown' open source solutions,<br />
or traditional security infrastructure like<br />
firewalls, to protect themselves against<br />
DDoS attacks. Just over a third<br />
(36%) are adopting cloud-based solutions,<br />
including scrubbing centres, and a further<br />
35% are employing on-premises DDoS<br />
mitigation products.<br />
While the vast majority (85%) believe their<br />
ISP should be dealing with the DDoS<br />
problem for them, as part of their service,<br />
almost half (46%) indicated they would be<br />
prepared to pay an additional fee to have<br />
DDoS traffic removed before it reaches their<br />
network. Of those who were willing to pay<br />
their ISP for such a premium service, almost<br />
three quarters (74%) said they would<br />
consider spending up to a quarter of their<br />
total ISP spend to eliminate this threat.<br />
sustainable solutions<br />
MANY HAPPY RETURNS!<br />
RECALLS HAPPEN AND, WHEN THEY DO, ORGANISATIONS COME UNDER PRESSURE TO PROTECT THEIR<br />
BRAND AND ENSURE THEIR CLIENTS HAVE A POSITIVE PRODUCT RETURNS EXPERIENCE<br />
With commerciality, brand<br />
reputation and data security at<br />
the forefront of everyone's<br />
minds, it's easy for sustainable solutions<br />
to slip down the priority list. But ignoring<br />
sustainability can further damage a<br />
brand's reputation. Some high-profile<br />
manufacturers have publicly come under<br />
pressure for not keeping sustainability<br />
front and centre when managing<br />
defective product recalls.<br />
Yet this is not an either/or situation, as<br />
Anand Narasimhan, managing director,<br />
Sims Recycling Solutions, EU, India,<br />
points out. "Simple solutions exist to help<br />
companies demonstrate their desire to<br />
protect the environment, conserve natural<br />
resources and participate in the circular<br />
economy, all at the same time as<br />
delivering a truly effective IT product<br />
recall," he says.<br />
"Corporate participation in the circular<br />
economy is becoming increasingly<br />
important, as the public and press<br />
continually scrutinise corporate ethics<br />
and social responsibility efforts. More<br />
than previous generations, millennials<br />
consistently rank a company's positive<br />
impact on the world as a key<br />
consideration when choosing an<br />
employer, according to research carried<br />
out by consultancy Global Tolerance.<br />
Corporations are regularly ranked on their<br />
environmental credentials, including the<br />
level of sustainability built into their<br />
supply chain and processes. At times<br />
when a company is under scrutiny, such<br />
as managing a global product recall,<br />
these standards come under pressure.<br />
"It is vital, therefore, that returned<br />
products are handled appropriately.<br />
Working with a certified, credible and<br />
auditable vendor to manage your<br />
returned IT product gives an organisation<br />
this peace of mind and reassurance.<br />
The 'Waste Hierarchy' developed by the<br />
European Union provides useful<br />
guidelines on the right way to approach<br />
sustainability - reuse, recycle and<br />
recovering energy to avoid landfill."<br />
These considerations do not just apply<br />
to recalls, he points out. "As products<br />
become more robust and long-lasting,<br />
many manufacturers are introducing<br />
trade-in and trade-up schemes to<br />
encourage the purchase of new products.<br />
These programmes necessitate returned<br />
products be recycled, thereby reducing<br />
the grey market for their products."<br />
Reuse might not seem like a viable<br />
option when dealing with defective IT<br />
product recalls, but that is not necessarily<br />
the case. "Even when reusing an entire<br />
asset isn't possible, circular economy<br />
practices can be followed and<br />
considerable value can still be recovered<br />
through parts harvesting," says<br />
Narasimhan. "IT assets likely still contain<br />
valuable component parts that can be<br />
used to refurbish or remanufacture other<br />
devices, or can be sold on their own.<br />
These efforts deliver value back to a<br />
business to help offset the cost of the<br />
recall, while increasing the lifecycle of a<br />
product and minimising harmful waste."<br />
Perhaps parts recovery is not feasible and<br />
recycling is the only option. "Vendor<br />
selection might not be at the forefront of<br />
your mind when managing priorities<br />
during your recall, but a recycling provider<br />
needs to be thoroughly vetted," he adds.<br />
"Many different services are marketed<br />
under the term 'recycling', so you need to<br />
carefully consider a vendor's capabilities<br />
and their sustainability credentials. Truly<br />
sustainable recycling providers have a few<br />
common characteristics. The best recyclers<br />
actively innovate to improve material<br />
recovery levels. They work closely with<br />
manufacturers to ensure they are fully<br />
capable of processing new products and<br />
materials. Best-in-class technology and<br />
processes allow many materials to be<br />
recovered and separated to a level<br />
suitable for remanufacturing back to<br />
usable products. This reduces the demand<br />
for scarce and limited raw materials.<br />
"Though not necessarily welcome, a<br />
thoughtfully managed global product<br />
recall offers businesses the opportunity<br />
to put their best sustainable foot<br />
forward," he concludes.<br />
Anand Narasimhan, managing director,<br />
Sims Recycling Solutions, EU, India<br />
online threats<br />
THE SMELL OF FEAR: THREAT DE TOILETTE<br />
GLOBAL CYBER-SECURITY COMPANY KASPERSKY LAB HAS LAUNCHED WHAT IT CLASSIFIES AS "TWO<br />
THREATENING, YET PROVOCATIVE, SCENTS". WILL THAT HAVE THE BIG FRAGRANCE AND PERFUME PLAYERS<br />
WORRIED, THOUGH?<br />
Kaspersky Lab has launched its Threat<br />
de Toilette pour femme and pour<br />
homme fragrances onto the market -<br />
but whether they will ever compete with<br />
the likes of Yves Saint Laurent, Versace and<br />
Chanel is most doubtful.<br />
Then again, the new perfumes have a<br />
somewhat different purpose to making<br />
you feel good in your own skin. In fact,<br />
quite the reverse. They are, instead, part of<br />
a campaign whose aim is to "educate<br />
today's modern man and woman about<br />
the virtual threats we face daily". Threat de<br />
Toilette contains all the perfectly coded<br />
base notes of cybercrime; hints of spam<br />
and drops of ransomware that, according<br />
to Kaspersky Lab, will "ensnare your love<br />
affair and cast a love virus".<br />
Says David Emm, Kaspersky Lab's principal<br />
security researcher and face of the new<br />
scent: "The men and women who wear<br />
Threat de Toilette understand today's<br />
online threats and protect themselves<br />
against them. Fear is no longer felt only in<br />
the physical world - it's all around us in our<br />
connected lives, too, and we need to make<br />
sure we're constantly protected."<br />
Scarlett London, the well-known UK<br />
beauty blogger, attending the event to<br />
illustrate how cybercrime poses a constant<br />
threat to her online livelihood, says, "I don't<br />
feel that we discuss cyber-security enough<br />
- or that enough attention is given to it,<br />
especially considering how much of our<br />
time and life is spent online. My business<br />
and livelihood is based online - so, if a<br />
hacker was to be able to get in and steal<br />
content or wipe files from my computer,<br />
channel or feeds, it would severely disrupt<br />
my business and my ability to grow my<br />
channel. My audience's experience would<br />
also be disrupted, because they wouldn't<br />
have any new content to watch."<br />
Kaspersky Lab is aware that there are<br />
many virtual threats facing consumers and,<br />
in order to address this, has additional<br />
scents in the Threat range:<br />
RANSOM<br />
Reassuringly expensive<br />
Ransomware locks you out of your own<br />
data by encrypting it and demands a<br />
payment (ransom) to regain access to the<br />
encrypted files. These could be priceless<br />
items, such as family photos, or financial<br />
details, such as banking documents.<br />
Imagine someone removing all your prized<br />
possessions from your bedroom and then<br />
requesting money for their safe return -<br />
this is the real-life equivalent of ransomware.<br />
MAL-WEAR<br />
The wicked way to pierce the heart<br />
Malware (malicious software) is any<br />
program that sneaks onto your computer<br />
without permission, with the intent to<br />
steal your personal data or capture your<br />
passwords and other sensitive information.<br />
The term covers all sorts of viruses, worms<br />
and Trojans, often delivered by spam. It's like<br />
somebody dipping into your bag unnoticed,<br />
stealing all your keys and using them to get<br />
access to all your stuff.<br />
SOCIAL ENGINOIR<br />
Lure them in<br />
One word to use when thinking of social<br />
engineering is manipulation. When using<br />
this attack method, a cybercriminal will<br />
often trick their victim into breaking their<br />
usual security procedures, for example<br />
giving away passwords, so they can gain<br />
access to the computer. It's as if you hand<br />
over your keys to someone you think is<br />
your best friend - but they're a thief<br />
masquerading as your best friend.<br />
PHISH<br />
Catch your deepest love<br />
Phishing emails are the electronic<br />
equivalent of the 'junk mail' that arrives on<br />
your doormat. These can be dangerous -<br />
posing as a tailored, credible email with<br />
the purpose being to steal financial<br />
information. These emails are designed to<br />
grab your attention, making you drop<br />
your guard, for example, they may include<br />
information on an event you've just<br />
attended. Trust us, it's not a coincidence.<br />
Meanwhile, Emm offers the following top<br />
tips to stay safe online:<br />
Get protected. This may seem obvious,<br />
but security software is the new 'black'.<br />
It helps you stay fully protected<br />
against malware, spyware, hackers and<br />
identity theft at all times.<br />
Keep up to date. Make sure all your<br />
devices are up to date with all the<br />
latest security and firmware updates.<br />
Practise safe online shopping and<br />
banking. Always shop and bank on a<br />
secure site. Look for a URL that starts<br />
with 'https' and has the lock symbol<br />
when entering your credit card details<br />
or other personal information.<br />
Privacy is key. Avoid using public Wi-Fi<br />
to access any web sites that need a<br />
login and password to access them or<br />
that involve typing in confidential<br />
information.<br />
Socialise safely. By now, we've all had a<br />
bad link or two sent to us over our<br />
favourite social network. Utilise your<br />
social network's security settings to<br />
their optimum level. Do you really<br />
need to display every detail about your<br />
life?<br />
Safe passwords. Use secure passwords<br />
- a different one for each Internet<br />
service. Set passwords to include 12 or<br />
more upper and lower case characters<br />
and numbers.<br />
Stomp out spam. Most Internet Service<br />
Providers and security software<br />
programs have anti-spam<br />
technologies. The spam blocker will<br />
help prevent fraudulent emails from<br />
showing up in your Inbox. Fake lottery<br />
wins or chances to win the latest<br />
gadget can be very tempting!<br />
And if all of this alerts you and your<br />
organisation to be better prepared against<br />
the threats that are escalating all around,<br />
then you would have to say the Kaspersky<br />
campaign could be heaven scent!<br />
BLACKOUT BLUES<br />
Meanwhile, Eugene Kaspersky, founder<br />
and CEO, Kaspersky Lab, has warned that<br />
a blackout such as the one recently<br />
experienced in Ukraine could have deep<br />
and worrying ramifications on a much<br />
wider scale. During a blackout, none of<br />
the devices connected to the lauded<br />
Internet of Things would be able to 'talk'<br />
to each other. "If a cyberattack on critical<br />
infrastructure took control of a country's<br />
power grid, simply nothing would work,"<br />
he warns. "No urban facilities, no water,<br />
no air conditioning, no elevators, no<br />
Internet, no mobile network."<br />
Far-fetched sci-fi? "Unfortunately, this<br />
scenario is very real," he adds. "The world<br />
we live in is based upon technologies and<br />
ideas which were made 50 years ago.<br />
Many of them rely upon an architecture<br />
that predates the era of cybercrime. The<br />
hackers simply didn't exist then. As we<br />
increasingly depend on technology as the<br />
backbone of our civilisation, we need to<br />
ensure our critical infrastructure is built<br />
upon a robust architecture that is not only<br />
secure, but immune. If we don't adopt a<br />
security-first approach, we will face a very<br />
uncertain future."<br />
Eugene Kaspersky: without a security-first<br />
approach, we will face a very uncertain<br />
future.<br />
David Emm: fear is all around us in our<br />
connected lives.<br />
product review<br />
THE AEGIS SECURE KEY 3Z FROM APRICORN<br />
With the EU GDPR (General Data<br />
Protection Regulation) active<br />
early in 2018, businesses of all<br />
sizes must start work on full compliance<br />
now. This legislation is very specific<br />
concerning loss of personal data and<br />
any business falling foul will be punished.<br />
All businesses have a legal duty to<br />
protect sensitive and personal data<br />
while it's in transit - and that means<br />
encryption. Apricorn has the perfect<br />
answer: its latest Aegis Secure Key 3z<br />
USB flash drive delivers 256-bit AES-XTS<br />
hardware encryption at a very tempting<br />
price. It's available in capacities from<br />
8GB up to 64GB and the 3z is FIPS 140-2<br />
Level 3 certified for added confidence.<br />
This means it meets stringent US<br />
government requirements covering<br />
physical security, cryptographic key<br />
management and authentication.<br />
Apricorn hasn't left anything to chance.<br />
Our 8GB model arrived in a tamper-evident<br />
package with a large security seal.<br />
Enclosed in a tough aluminium shell,<br />
the 3z provides a small, but easily<br />
accessible, keypad and is powered by<br />
a rechargeable Li-Ion battery.<br />
Setup was simple: press a couple of<br />
two-key combinations and enter an<br />
admin PIN of between 7 and 16 digits.<br />
Next, you can enter a user PIN yourself<br />
or activate the enforced enrolment state<br />
and let your staff select their own PIN.<br />
If they should forget their user PIN, an<br />
administrator can enter admin mode and<br />
reset it. To unlock the 3z, simply press<br />
the green padlock key, enter the PIN<br />
and insert it in the recipient device.<br />
Data on the 3z can be further<br />
protected from malware by setting it to<br />
read-only mode. The administrator can<br />
enforce read-only or it can be delegated<br />
to the user to decide when to apply this<br />
mode.<br />
For forgetful users, you can create up<br />
to four one-time recovery PINs that will<br />
set it back to the enrolment state. The<br />
entire drive can also be reset to factory<br />
defaults where it performs a crypto-erase<br />
and randomly generates new encryption<br />
keys.<br />
The 3z also protects itself from brute-force<br />
attacks: after three unsuccessful<br />
PIN entries it adds an extra delay after<br />
each subsequent attempt, up to a<br />
maximum of ten. You can unlock it and<br />
try again, but once that limit is reached,<br />
the 3z assumes it is under attack and<br />
destroys all of its data.<br />
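The two mechanisms the review describes here, the escalating PIN lockout ending in self-destruct and the crypto-erase on factory reset, fit together in one small state machine, which is written out below as an added model. It is not Apricorn's firmware and makes assumptions the review does not state: that a correct PIN resets the failure counter, that the post-third-failure delay starts at two seconds and doubles, and that PBKDF2 stands in for whatever key stretching the device applies. The "cipher" is a toy SHA-256 keystream standing in for AES-XTS, which is enough to show why replacing the data-encryption key makes every stored block unreadable without wiping the flash.

```python
import hashlib
import secrets


class SecureKeyModel:
    """Software model of a hardware-encrypted drive's unlock policy and
    crypto-erase (a constructed illustration of the behaviour described in
    the review, not Apricorn's firmware). Stored blocks are encrypted under
    a data-encryption key (DEK) that never leaves the device; a crypto-erase
    replaces the DEK, so every block already on the flash becomes unreadable
    without any of it being overwritten."""

    FREE_ATTEMPTS = 3   # failures tolerated before delays start
    MAX_ATTEMPTS = 10   # failures before the device self-destructs
    BASE_DELAY_S = 2    # first delay; doubles per further failure (assumption)

    def __init__(self, pin):
        self._pin_hash = self._hash_pin(pin)
        self._dek = secrets.token_bytes(32)
        self._failures = 0
        self.unlocked = False
        self.destroyed = False
        self.blocks = {}          # block number -> ciphertext

    @staticmethod
    def _hash_pin(pin):
        # Key stretching stands in for whatever the device does internally.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), b"per-device-salt", 50_000)

    def delay_before_attempt(self):
        """Seconds the device makes the user wait before the next PIN entry."""
        if self._failures < self.FREE_ATTEMPTS:
            return 0
        return self.BASE_DELAY_S * 2 ** (self._failures - self.FREE_ATTEMPTS)

    def unlock(self, pin):
        if self.destroyed:
            return "destroyed"
        if secrets.compare_digest(self._hash_pin(pin), self._pin_hash):
            self._failures = 0          # assumption: a good PIN resets the counter
            self.unlocked = True
            return "unlocked"
        self._failures += 1
        if self._failures >= self.MAX_ATTEMPTS:
            self.crypto_erase()         # data is gone even if the flash is dumped
            self.destroyed = True
            return "destroyed"
        delay = self.delay_before_attempt()
        return "locked" if delay == 0 else f"locked, wait {delay}s"

    def lock(self):
        """Pulling the key from the USB port locks it again."""
        self.unlocked = False

    def crypto_erase(self):
        self._dek = secrets.token_bytes(32)
        self._failures = 0
        self.unlocked = False

    def factory_reset(self, new_admin_pin):
        """Crypto-erase, generate new keys and accept a fresh admin PIN."""
        self.crypto_erase()
        self._pin_hash = self._hash_pin(new_admin_pin)
        self.destroyed = False

    def _keystream(self, block_no, length):
        # Toy counter-mode keystream derived from the DEK with SHA-256; a
        # stand-in for the device's AES-XTS, not a production cipher.
        out, counter = b"", 0
        while len(out) < length:
            out += hashlib.sha256(self._dek + block_no.to_bytes(8, "big")
                                  + counter.to_bytes(4, "big")).digest()
            counter += 1
        return out[:length]

    def write(self, block_no, plaintext):
        if not self.unlocked:
            raise PermissionError("drive is locked")
        ks = self._keystream(block_no, len(plaintext))
        self.blocks[block_no] = bytes(a ^ b for a, b in zip(plaintext, ks))

    def read(self, block_no):
        if not self.unlocked:
            raise PermissionError("drive is locked")
        ct = self.blocks[block_no]
        return bytes(a ^ b for a, b in zip(ct, self._keystream(block_no, len(ct))))


if __name__ == "__main__":
    drive = SecureKeyModel("1234567")
    drive.unlock("1234567")
    drive.write(0, b"payroll.xlsx")
    drive.lock()
    for attempt in range(1, 11):
        print(attempt, drive.unlock("0000000"))   # delays climb, then "destroyed"
```

The point of keeping the key separate from the data is that "destroys all of its data" need not mean a slow overwrite of every flash cell: discarding and regenerating a 32-byte key is instant and leaves nothing recoverable from the ciphertext, which is also why a factory reset can be quick.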
It comes pre-formatted as NTFS, but you<br />
can reformat it to FAT, FAT32 or Mac OS<br />
compatible. While unlocked, it functions<br />
no differently to any other USB flash<br />
device and we noted that, whenever the<br />
3z was removed from its USB port, it<br />
automatically locked itself for added<br />
safety.<br />
The 3z has a high-speed USB 3.1<br />
interface with Apricorn claiming top<br />
read and write speeds of 190MB/sec<br />
and 80MB/sec. The majority of users<br />
will probably have slower USB 3 ports,<br />
where our copy tests of a 5GB file<br />
returned read and write speeds of<br />
135MB/sec and 29MB/sec.<br />
Support staff managing large numbers<br />
of flash drives and PINs will<br />
love the Configurator. Costing around<br />
£80, it teams up a 10-port USB docking<br />
station with the Apricorn Aegis<br />
Configuration software.<br />
From the intuitive interface, we created<br />
a master profile with admin, user,<br />
recovery and self-destruct PINs, along<br />
with a permitted number of brute-force<br />
attempts and the auto-format file system.<br />
The profile could then be applied in<br />
seconds to all devices inserted in the<br />
docking station. Being software-free,<br />
there is nothing to install and the<br />
encryption and authentication<br />
functionality resides on the device.<br />
With Apricorn, businesses no longer<br />
have an excuse at all for failing to protect<br />
personal data in transit. The Aegis Secure<br />
Key 3z teams up the toughest encryption<br />
with plenty of security measures and is<br />
one of the best value solutions that we<br />
have yet seen.<br />
Product: Aegis Secure Key 3z<br />
Supplier: Apricorn Europe<br />
Web site: www.apricorn.com<br />
Tel: +44 (0)161 870 76369<br />
Price: 8GB - £65, excluding VAT<br />
MEET THE<br />
INFOSEC<br />
WORLD, ALL<br />
UNDER ONE<br />
ROOF<br />
REGISTER<br />
NOW<br />
CONNECT<br />
WITH PEERS,<br />
PARTNERS AND<br />
THOUGHT-<br />
LEADERS<br />
FIND<br />
SOLUTIONS<br />
AND PRE-EMPT<br />
PROBLEMS<br />
Everyone and everything you need<br />
to know about information security<br />
ENHANCE<br />
YOUR<br />
KNOWLEDGE<br />
& EARN CPE/CPD<br />
CREDITS<br />
FIND NEW<br />
OPPORTUNITIES<br />
TO FURTHER<br />
YOUR<br />
CAREER<br />
“InfoSecurity Europe<br />
is the highlight of<br />
the security event<br />
calendar, given the<br />
scale of the event,<br />
the vibrancy and buzz<br />
surrounding the show<br />
and the attendance<br />
of industry leading<br />
vendors and the world<br />
class speakers.”<br />
Mark Shutt<br />
IT Security and Assurance Manager,<br />
Secure Trust Bank<br />
Join the region’s premier information security event<br />
featuring 360+ of Europe’s most established players<br />
& newest cybersecurity talent. Learn from our most<br />
comprehensive conference programme yet with over<br />
160 hours of complimentary thought-leader seminars.<br />
In 2016 we opened our doors to more than 17,500<br />
professionals all under the beautiful domed roof of<br />
Olympia, London. Can you afford not to be<br />
there in 2017?<br />
@infosecurity<br />
REGISTER TO<br />
ATTEND AT<br />
www.infosecurityeurope.com