CS1705

Computing
Security
Secure systems, secure data, secure people, secure business
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
New encryption
in use technology
ELIMINATES MASS
DATA BREACHES
Panoptex Technologies
releases its groundbreaking
Olfactex Solution
Computing Security May/June 2017
PANOPTEX CTO INTERVIEW
PG
12

comment
CYBER ATTACKS DENT BUSINESS GROWTH
Should we be surprised by the news that one in five businesses have fallen victim to cyber
attacks in the past year - or is this now almost a given? Either way, it is of deep concern
as attacks are ramped up in intensity and sophistication.
A survey carried out of more than 1,200 businesses across the UK by the British Chambers
of Commerce (BCC) has come up with the findings, at the same time reporting that big businesses
are far more likely than their smaller counterparts to be victims of attacks ( a total of
42% of companies with more than 100 staff, compared to 18% of companies with fewer
than 99 employees).
The results of the survey indicate that businesses are most reliant on IT providers (63%) to
resolve issues after an attack, compared to banks and financial institutions (12%) or police
and law enforcement (2%).
Particularly worrying is the finding that 21% of businesses believe the threat of cybercrime is
preventing their company from growing. The survey also shows:
Only a quarter (24%) of businesses have cyber security accreditations in place
Smaller businesses are far less likely to have accreditation (10% of sole traders and 15% of
those with 1-4 employees) than big businesses (47% with more than 100 employees)
Of the businesses that do have accreditations, 49% believe it gives their business a competitive
advantage over rival companies, and 33% consider it important in creating a
more secure environment when trading with other businesses.
From May 2018, all businesses who use personal data will have to ensure they are compliant
with the new General Data Protection Regulation (GDPR) legislation (see page 22)
Reacting to the findings, Dr Adam Marshall, director general of the British Chambers of
Commerce, had this to say: "Firms need to be proactive about protecting themselves from
cyber attacks. Accreditations can help businesses assess their own IT infrastructure, defend
against cyber security breaches and mitigate the damage caused by an attack. It can also
increase confidence among the businesses and clients who they engage with online.
Companies are reporting a reliance on IT support providers to resolve cyber-attacks. More
guidance from government and police about where and how to report attacks would provide
businesses with a clear path to follow in the event of a cyber-security breach, and increase
clarity around the response options available to victims, which would help minimise the
occurrence of cybercrime."
GDPR will, hopefully, concentrate people’s minds, although protecting your business and all
who engage with it should surely be a given, without the strictures of compliance.
EDITOR: Brian Wall
(brian.wall@btc.co.uk)
PRODUCTION: Abby Penn
(abby.penn@btc.co.uk)
LAYOUT/DESIGN: Ian Collis
(ian.collis@btc.co.uk)
SALES:
Edward O’Connor
(edward.oconnor@btc.co.uk)
+ 44 (0)1689 616 000
PUBLISHER: John Jageurs
(john.jageurs@btc.co.uk)
Published by Barrow & Thompkins
Connexions Ltd (BTC)
35 Station Square,
Petts Wood, Kent, BR5 1LZ
Tel: +44 (0)1689 616 000
Fax: +44 (0)1689 82 66 22
SUBSCRIPTIONS:
UK: £35/year, £60/two years,
£80/three years;
Europe: £48/year, £85/two years,
£127/three years
R.O.W:£62/year, £115/two years,
£168/three years
Single copies can be bought for
£8.50 (includes postage & packaging).
Published 6 times a year.
© 2017 Barrow & Thompkins
Connexions Ltd. All rights reserved.
No part of the magazine may be
reproduced without prior consent,
in writing, from the publisher.
Brian Wall
Editor
Computing Security
brian.wall@btc.co.uk
www.computingsecurity.co.uk May/June 2017 computing security
@CSMagAndAwards
3

Secure systems, secure data, secure people, secure business
Computing Security May/June 2017
contents
CONTENTS
Computing
Security
New encryption
in use technology
ELIMINATES MASS
DATA BREACHES
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
Panoptex Technologies
releases its groundbreaking
Olfactex Solution
PANOPTEX CTO INTERVIEW
PG
12
COMMENT 3
Cyber attacks soar across the UK
EDITOR’S FOCUS 5
The massive cyber attack that crippled the
NHS could have been readily avoided
ARTICLES
CAN PRIVACY BE PROTECTED? 6
The NHS breach, plus revelations over CIA
hacking methods, have cast a long shadow
over how to keep data safe and secure
DATA BREACHES ELIMINATED 12
Panoptex Technologies is making waves by
providing a powerful industry first
SHOW TIME ONCE AGAIN 18
Infosecurity Europe 2017 is not far off
now - and it’s the right place to be!
REAL PRICE OF SECURITY 29
Making purchasing decisions for security
solutions that are based on quality is vital
PRESSURE MOUNTS ON ISPS 30
More and more security professionals are
demanding additional help from their ISPs
to block DDoS traffic before it hurts them
MANY HAPPY RETURNS! 31
Recalls happen, but handled right they
can be turned into a positive experience
HEAVEN SCENT? 32
Two new 'fragrances' have been released
by Kaspersky that have that certain whiff
of danger about them
REVIEWS
• Acunetix 11 20
• Aegis Secure Key 3z 34
NOWHERE TO HIDE 8
With email under constant attack, what is
the best way to protect your organisation's
communications? How do you keep your
data vital and easily accessible to you and
yours, yet useless to anyone out to
access/steal it?
THE DOUBLE-EDGED SWORD 14
Encryption plays a vital role in protecting
valuable information from being stolen or
altered. But it can be used by your enemies
just as readily
THE CLOCK IS TICKING 22
With the new European General Data
Protection Regulations soon due to
become law, many businesses will need to
look closely at how they protect their data
throughout the course of its lifecycle
AFTER THE FLOOD 26
With mobile devices now in their multibillions
globally, and more and more
applications flooding the market, the
need for mobile monitoring and device
management has never been greater or
more urgent
4
computing security May/June 2017 @CSMagAndAwards www.computingsecurity.co.uk

NHS breach
OBSOLETE SOFTWARE LEFT NHS TRUSTS WIDE OPEN
THE MASSIVE CYBER ATTACK THAT CRIPPLED THE NHS COULD - AND SHOULD - HAVE BEEN AVOIDED
Almost all NHS trusts were using
an obsolete version of Windows
for which Microsoft had stopped
providing security updates in 2014. This
left them at the mercy of the kind of
attack that crippled a swathe of hospitals
across the UK. The perilous state to which
the trusts were exposed was revealed less
than six months ago, but there was a
widespread failure to act on that warning.
A statement from Microsoft president
and chief legal officer Brad Smith has
criticised the way governments store
up information about security flaws in
computer systems. "We have seen
vulnerabilities stored by the CIA show up
on WikiLeaks, and now this vulnerability
stolen from the NSA has affected
customers around the world," he
commented. The global ransomware
attack used hacking tools widely believed
to have been developed by the US
National Security Agency, causing chaos
across the NHS, but also infecting
computers in what is thought to
have been nearly 100 countries. "The
governments of the world should treat this
attack as a wake-up call," he warned.
Microsoft also pointed out that many
organisations had failed to keep their
systems up to date, allowing the virus to
spread. The software giant had released
a Windows security update in March to
tackle the problem that lay at the core of
the latest attack, but many users were yet
to run it. "As cybercriminals become more
sophisticated, there is simply no way for
customers to protect themselves against
threats, unless they update their systems,"
added Smith.
According to IS Decisions, which recently
conducted research into the poor state of
IT security in healthcare:
39% of healthcare workers do not
receive IT training
37% do not have unique logins
Only 38% of healthcare organisations
enforce the use of secure passwords
29% of healthcare workers are not
required to log in to a network to
access files and folders
Only 63% of healthcare organisations
have a documented security policy
Less than half (48%) of healthcare
organisations offer ongoing security
training to employees
Only 27% of healthcare workers
believe senior management takes
enough responsibility for IT security
75% of healthcare workers have access
to patient data (quite a wide window
of opportunity for hackers to exploit).
The stats are from the company's
healthcare compliance report, based on
a survey of 500 healthcare professionals.
Significantly, Christopher Graham, the
information commissioner at The
Information Commissioner's Office, said in
2015: "The Health Service holds some of
the most sensitive personal information
available, but instead of leading the way
in how it looks after that information, the
NHS is one of the worst performers. This
is a major cause for concern." Indeed it is.
But will the lesson be grasped and the
NHS made secure in the future?
www.computingsecurity.co.uk @CSMagAndAwards May/June 2017 computing security
05

privacy under siege
CAN PRIVACY STILL BE PROTECTED?
THE LATEST DEVASTATING NHS BREACH, PLUS THE WIKILEAKS’
REVELATIONS ON THE CIA'S HACKING METHODS, HAVE CAST A LONG
SHADOW OVER THE RIGHT TO KEEP DATA SAFE AND SECURE
In the largest leak of CIA documents,
Wikileaks recently disclosed the tools
that the agency allegedly uses to hack
computers, phones and smart TVs around
the world.
The agency's apparent ability to
compromise Apple and Android
smartphones with ease is especially
troubling, since spies can access private
information through these devices,
including photos, emails, texts and videos.
Further, a program called Weeping Angel
even uses Samsung smart TVs as secret
listening devices that operate even when
TV is turned off, recording the
conversations and sending them on
Internet to a covert CIA server.
While it's understandable that
governments do take advantage of the
new technologies in their operations, it's
also possible that newly disclosed CIA's
hacking methods will cause more harm
than benefit. The cyberweapons described
include programs that crash a targeted
computer or steal passwords, or malware
that can record keystrokes on a mobile
device without breaking encryption.
VULNERABLE TO ATTACK
"Since it seems that the government
deliberately targets smart devices, it is
possible their techniques might be
exploited by criminals, hackers and also
other governments," says Marty P. Kamden,
CMO of NordVPN, a Virtual Private
Network. "Our devices should be made
safer, not more vulnerable."
Unfortunately, the decline of digital
freedom and government surveillance is
not an isolated incident, but a rising trend.
According to Freedom House, Internet
freedom has been on decline for six
straight years, and there's no sign of it
stopping.
Recently, there have been huge Internet
liberty crackdowns around the world -
such as the introduction of strict data
retention laws (ie, in the UK, Poland etc)
and laws attacking communications apps
such as WhatsApp and Viber, as well as
blocking certain social media sites. "These
crackdowns on communications apps and
social media sites goes hand-in-hand with
attempts to limit citizen privacy and
increase mass surveillance. For example,
Americans fear that the new
administration might 'erode cyber privacy',
and the UK now has an unprecedented
surveillance law that allows for mass
hacking, among other things - which could
lead to massive data breaches," according
to NordVPN.
The good news is that, even though the
CIA can access and tinker with people's
devices, encryption is out of reach even
for government spies. It is highly
recommended to use secure privacy tools,
such as VPNs, which help hide the user's
true location (IP address) and encrypt all
the information that is being transferred
through the Internet. Such a user becomes
impossible to track. NordVPN points to
how it helps anonymise browsing the
Internet with its modern security protocols
and no logs policy. WhatsApp, Signal
and Telegram still remain encrypted
communication apps, and, for safe
emailing, there are such encrypted email
service providers as ProtonMail.
It is likely that CIA will not change its
hacking policies and that everyone's privacy
will be even more challenged in the future,
the company comments. "The only solution
for private citizens seems to be taking their
online privacy into their own hands."
NordVPN believes that, by taking the right
precautions, people can still guard their
privacy online. "In addition to using
encryption and safe communication apps,
Internet users need to be careful not to
click on strange emailed links, not to
download from unofficial app
marketplaces, to always have strong
06
computing security May/June 2017 @CSMagAndAwards www.computingsecurity.co.uk

privacy under siege
passwords and to be generally cautious
when sharing information online."
HEATH WARNING
All of which would have been excellent
advice for the many NHS Trusts across the
UK whose systems were so badly hacked
recently (see also page 5).
In light of the WannaCry ransomware
cyber-attack - which hit more than 150
countries in total - a new report from
SolarWinds MSP highlights what it
describes as businesses' over-confidence in
their cybersecurity defences. The report
reveals that 87% of UK and US businesses
consider their cybersecurity readiness
as robust, despite 71% having reported
breaches within the last 12 months. Some
77% of UK and US businesses also revealed
that they had suffered a tangible loss
as a result, such as monetary impact,
operational downtime, legal actions or
the loss of a customer or partner.
While Microsoft was quick to announce
a new software update to overcome the
WannaCry attack, the SolarWinds MSP
report shows that, by contrast, businesses
are somewhat complacent when it comes
to cybersecurity procedures, including in
their response to a breach. In fact, for UK
businesses, states the company:
Only 43% of businesses implemented
new security technology following a
breach
Only 29% enforce and audit security
policies. The rest either only do so
occasionally or without controls - or
not at all
Only 13% consider user training as a
priority, with the rest reinforcing this
at best once a year
23% have no mechanism in place for
reporting vulnerabilities.
SolarWinds MSP has also calculated
that, based on the number of personally
identifiable information typically held by
SMBs and enterprises, the typical cost of a
single data breach to a UK SMB is £59,000
and £724,000 to enterprises.
PATCHING SYSTEMS
While it's been universally acknowledged
that there's very little hospitals can really
do to prevent ransomware and other
cyberattacks outright - due to user error
and susceptibility to phishing attacks -
there's been much conversation around
mitigating these types of attacks by
patching systems. "Patch early and patch
often is good advice," comments Imprivata,
"and should always be observed.” But adds
the caveat that, when it comes to these
types of cyberattacks, patching alone
doesn't stop the problem. “It only stops
the propagation of the malware."
Why? Because the real source of the
problem isn't the systems; it's the users
who initially downloaded them onto their
computers, it states. So, if you have to
make the assumption that your systems
are going to get compromised, how do
you build resiliency around your users?
How, as a healthcare industry, do we focus
beyond keeping the bad guys out, to
keeping our systems running?
"First, and as part of a best-practices
systems hardening approach, we've got to
manage user-system privileges," advises
Imprivata. "The majority of users in clinical
settings have full admin rights to their
systems. In many cases, admin access is
necessary in order for users to access
legacy applications. But, if a user can't
control software or run software that's not
vetted by IT, why should they have admin
level privileges? It's too easy for a user in
a rush to click on a link and download
malware hidden in an attachment."
The company says that it has learned
from interactuion with its customers that
anywhere from 8-28% of users will click on
a malicious link in their email. "Phishing
exercises and other methods of user
education can be helpful tools to prevent
user error, but to truly manage user
vulnerability, hospital IT teams should
adhere to the principle of least privilege,"
Imprivata cautions. "Take steps to limit
admin rights or, at the very least, ensure
that machines with admin access can be
locked down or quarantined immediately,
in the event of a cyber incident."
www.computingsecurity.co.uk @CSMagAndAwards May/June 2017 computing security
07

email security
NOWHERE TO HIDE
WITH EMAIL UNDER CONSTANT ATTACK, WHAT IS THE BEST WAY TO PROTECT YOUR ORGANISATION'S
COMMUNICATIONS? HOW DO YOU KEEP YOUR DATA VITAL AND EASILY ACCESSIBLE TO YOU AND YOURS,
YET USELESS TO ANYONE OUT TO ACCESS/STEAL IT?
on a laptop, which may not make it into
the office for weeks at a time."
SAFETY STEPS
Securing email is not for the fainthearted,
he adds. "If you want to go the whole hog,
there are a few things that could be done
to keep your information safe, including:
Use of email encryption end to end for
important communications (TLS, PGP
or S/MIME)
Use of Data Loss Prevention features to
monitor emails with sensitive data that
should not be left anyway (this goes
back to knowing whom has access to
what and where)
End-user training and awareness to
ensure employees are aware of things
to do and not do. For example, clicking
on attachments that emanate from
unknown senders, etc.
Regular backup of devices (ransomware,
flavour de jour with attackers, encrypts
all data on a device and this can be
painful for several months to restore, if
you have no backup).
Email is built into almost everything -
from phones and tables to traditional
computers to gaming devices, to your
car. And yet email was not designed with
any privacy or security in mind, making it
highly vulnerable to attackers out to
infiltrate your systems.
Keeping business email and data secure is
none too simple a matter. The security of
data depends on its importance, where it
is stored, and whom can access it. As we
learn more about public data breaches,
often the case proves to be that attackers
have had access to sensitive information for
weeks, months or even years. "Over the
years, many organisations have failed to
protect data and intellectual property,"
comments Jason Steer, solutions architect,
EMEA at Menlo Security. "The struggle to
keep track of where it all is, and who does
and doesn't have access to it, results in
difficulties in ensuring that it is adequately
monitored and protected. Email further
complicates this, as a lot of sensitive data is
stored in inboxes and other folders, perhaps
However, the challenge remains that,
despite all these guidelines, most of which
are already followed by large organisations,
employees will continue to be compromised
via email. Why? Because they both look and
seem so authentic.
"Phishers and spammers no longer send
tens of millions of the game message
anymore, which makes it much harder
to detect at the network and ISP level.
Indeed, even top level anti-phishing
gateway solutions cannot detect them
accurately every time," says Steer. "Many of
the low-level and professional phish mails
are truly unique, like snowflakes, called
08
computing security May/June 2017 @CSMagAndAwards www.computingsecurity.co.uk

email security
'patient 0' in the industry. This means that it
is impossible to create a rule to each unique
version of every phish mail without slowing
down email to such an extent that
employees are no longer able to do their
job via email."
Anti-phish vendors have to balance being
able to detect enough of the bad stuff
without blocking too much of the good.
This allows a grey area in which good
targeted phishing mails can safely 'play'
within. "Herein lies the problem - if my
solution catches the majority of bad stuff,
then it blocks too much of the good. But if
I turn the detection down, then employees
get inundated with junk and spam.
"The net result is that bad mails end up in
the inbox of an employee. Many employees
have been told that their mail has been
filtered for potentially unsafe content and
assume that they can click on most things.
Without thinking or questioning, they
assume that security is doing its job. If
we layer user education into this, then the
employee will remember their training,
hopefully."
As Steer points out, attackers will always
outsmart defensive layers. "Assume this.
Be prepared for bad things to happen via
email, because they will. With GDPR & NIS
EU legislation being enacted in 2018, the
time to start preparing is now."
FIGHTING BACK
According to David Peters, technical
director for ANSecurity, the more insidious
threats can be readily countered with
advanced anti malware, sandboxing and
URL analysis features on most modern
email security platforms.
"Correct configuration and deployment
of email and messaging security tools is as
important as always," he states. "A default
'out of the box' configuration will likely still
leave users frustrated with a reasonable
amount of spam and CISOs sleepless with
the quantity of malicious content still
arriving in corporate mailboxes.
"Authenticity can still be a real headache,
as in how to stop email spoofing and
security of messages during transport.
Thankfully, many additions to SMTP have
been made, such as the ability to use
SSL/TLS for transport security between
mail relays and many additional features
for verifying authenticity like SPF, DKIM
and DMARC."
However, these standards cannot be
deployed in isolation, he warns.
"Unfortunately, they require correct
deployment at both sender and recipient
email systems. Rarely are signed SSL
certificates deployed on gateways; relying
on self-signed or out of the box certs
means a recipient cannot verify the
authenticity of the sender. Likewise, if a
sender email domain has not configured
records for SPF or DKIM, a recipient cannot
use them to verify the sender."
An equally bad, but common, occurrence
is that many organisations do not maintain
these records after infrastructure changes,
leading to emails becoming incorrectly
blocked or quarantined. "In my experience,
it's not uncommon to see organisations
with SPF or DKIM records that are badly
misconfigured."
There is light at the end of the tunnel,
he adds, but email administrators need to
collaborate with their security counterparts
at their own organisations and with partner
companies to ensure all the right boxes are
ticked. "Finally, security and access to email
is no different to any other private resource,
and strong encryption and authentication
access methods should be deployed.
Administrators should ideally be required
to go further with such controls as multifactor
authentication, along with the ability
to remotely wipe corporate content from
mobile devices, should they be stolen or
misplaced."
Jason Steer, Menlo Security: securing
email is not for the fainthearted.
Sam Elsharif, Echoworx: nothing beats
the application of common sense.
www.computingsecurity.co.uk @CSMagAndAwards May/June 2017 computing security
09

email security
LOGICAL SOLUTION
Without protections in place, "email is
a postcard, not a sealed letter", cautions
Jacob Ginsberg, senior director of products
for email encryption software company
Echoworx. He says people often don't
understand the permanence of data and
how it can exist on servers long after
they've forgotten about it.
Sam Elsharif, the company's vice president
of software development, reiterates how
email is one of the most common ways for
hackers to infiltrate a company's systems.
He also cites the ruse of using phishing
scams, sending out emails that appear to
come from a legitimate source, asking
recipients to click on a link that then directs
them to provide credit card or password
information.
How do they both believe organisations
can protect their email communications?
Ginsberg points to how encryption is a
logical solution and provides effective
protection. And even small and medium
size businesses should consider encryption,
he says, especially if they deal with data
such as intellectual property and customer
credit card information.
"There are old holdover misconceptions
about encryption - it must be difficult to
use, only IT experts can understand it, it
slow things down - but those are no longer
valid," states Ginsberg. "The tools are simple
to use and I encourage encryption."
With encryption, only users and intended
recipients can see the data. For added
security - and a tool that addresses phishing
- users might want to add a digital
signature (a coded message associated
with a specific person).
Educating staff about email use is critical.
Hold regular training, in order to make
employees aware of the rules and practices
surrounding email, suggests Elsharif. Do
your due diligence: research threats and
solutions, and review how your
organisation stores data, how you email
data and how you deal with credit card
information. Ensure your company is
complying with current regulations.
He also advises organisations to consult
more than one vendor, depending on their
needs. "Everyone needs firewalls and antivirus
software. Do you allow employees to
access your network from the outside?
You may have to look at a VPN (Virtual
Private Network). Don't be afraid to check
with multiple providers. No one company
can do it all."
The final message is that technology can
be effective in mitigating email threats, but
it is important not to rely solely on it.
"Nothing beats human common sense,"
cautions Elsharif. "As a user, try to follow
best practices and don't be sloppy when
dealing with your data."
OUTSIDE IN: BEWARE THOSE SNEAKING BENEATH THE RADAR
Clearly, users are highly susceptible to emails that purport to be from 'inside the
business' - ie, from the IT team, HR etc - as these seem to come from a recognised
user. So, although phishing is now recognised as a well-known technique, time and
again users are executing content and disclosing credentials.
"One way to solve this issue is to add a simple 'EXT' tag to the subject line of emails,
so that those from an outside source can be easily identified," advises Chris Pickering,
security consultant at Pen Test Partners, the ethical hacking company. "That way, even
if an attacker registers a similar domain name to the organisation's and then tries to
impersonate an employee or internal group, the end user will be able to quickly
identify that it is not from an internal source and report it."
This, he says, can be easily implemented with transport rules and rule actions.
"However, bear in mind that unauthenticated emails sent by equipment and software
on your network will be classified as external email and will also have their subjects
prefixed with EXT. Examples include routers, firewalls, UTM, printers, networking
monitoring software and backup software.
"To prevent messages from those services and devices being classified as EXT, you
need to configure those services and devices to send their messages authenticated. In
most cases, this is straightforward, but you may experience issues configuring some
Linux software."
Chris Pickering, Pen Test Partners:
emails from an outside source can be
easily identified.
10
computing security May/June 2017 @CSMagAndAwards www.computingsecurity.co.uk

Weleverageinnovativetechnology,automationandapplicationstodeliverrealtimecyber
threatinteligencetoourcustomersworldwide.
Wecombinetheinteligentuseofourtechnologyandtheindustry'sfinestanalyticalminds
toprovideaplatform thatalowsyoutoeasilyandquicklybuildameaningfulcyberthreat
inteligencecapabilityidentifyingthedigitalriskstoyourorganisation.
REQUESTAFREEDEMONSTRATIONANDTRIALOFTHE CYAX J
CYBERTHREATINTELLIGENCEPLATFORM NOW.
www.cyjax.com +44(0)2070960668
trial@cyjax.com

encryption in transit
MASS DATA BREACHES ELIMINATED
PANOPTEX TECHNOLOGIES IS A SOFTWARE COMPANY OUT OF THE U.S. THAT'S MAKING WAVES BY
PROVIDING AN INDUSTRY FIRST: A MASSIVE SCALE NOSQL DATABASE THAT ACTS AS THE LAST LINE OF
DEFENCE AGAINST MASS DATA BREACHES BY PROVIDING ENCRYPTION IN TRANSIT, AT REST AND IN USE.
WE INTERVIEWED PANOPTEX'S CHIEF TECHNOLOGY OFFICER JOSEPH YANNACCONE TO GET A BETTER
UNDERSTANDING ON OLFACTEX AND WHY IT'S A GAME-CHANGER. HERE'S WHAT HE HAD TO SAY
Q. Computing Security: We've heard
a great deal about your Olfactex
solution. How exactly does it work?
Joseph Yannaccone: Olfactex is a massively
scalable NoSQL hybrid DBaaS that provides
unprecedented protection against mass
data breaches and privacy violations,
while delivering the ability to perform
sophisticated in-cloud queries and analytics.
Olfactex encrypts all data using an
enterprise gateway before sending it to
the cloud for storage and data remains
encrypted while it is in the cloud, even
during query and analysis. Data is only
decrypted after being returned to the
enterprise gateway as results for a query
operation or analysis routine. Olfactex
achieves this powerful capability by
combining a unique transformation process
with strong industry-accepted encryption
algorithms.
Q
. Can you tell us more about how
you prevent mass data breaches?
Olfactex employs a variety of safeguards to
protect against internal and external threats,
regardless of whether they originate
accidentally or intentionally. This includes
division of data and key information into
separate administrative domains, finegrained
policy-based data access rules,
integrated non-repudiated audit reporting
to an administratively separate security team
and, of course, always-on data encryption
while data is in the cloud, even while it is
being queried or analysed. This combination
of security, privacy, auditing and advanced
query capabilities is absolutely
unprecedented for database solutions.
Q
. Aren't there already encrypted
databases available on the market?
Existing database solutions employ a variety
of encryption technologies, but they all
suffer from the same fundamental
weakness: they must decrypt the data,
in order to perform query operations or
return results. This provides database
administrators with direct access to
unencrypted data and the unrestricted
ability to manipulate or exfiltrate data.
12
computing security May/June 2017 @CSMagAndAwards www.computingsecurity.co.uk

encryption in transit
While a variety of add-on solutions exist to
help detect or prevent such activity, none of
them is integral to the database system itself
and therefore has the risk of being
circumvented.
Q
. How can organisations use Olfactex
to protect their sensitive data?
We are currently working with organisations
that are investigating it for a variety of
applications, including as a backend for new
applications that house sensitive data, as a
means to migrate data and applications to
the cloud that would otherwise have to be
kept in-house for compliance reasons and
even as a secure online disaster recovery
solution to protect against everything from
catastrophic failures to ransomware events.
Q
. What about emerging solutions that
use homomorphic encryption?
Most security and privacy standards exclude
the loss or leakage of encrypted data from
the definition of a breach, as long as the
encryption is an accepted standard. This
means that, if a hacker obtained full
administrative access to an Olfactex
persistence engine, it would still not be
considered a breach and, in most cases,
would not need to even be reported,
because Olfactex employs only proven
and accepted strong encryption algorithms.
Unfortunately, there is no accepted standard
for homomorphic encryption. In fact, there
isn't even one in progress. This means
it would be years before homomorphic
encryption could be accepted as a
compliant means of securing sensitive data.
Q
. Does Olfactex support SQL?
Not directly. Olfactex is a NoSQL database
that employs its own rich query language to
deliver its advanced analytical capabilities on
encrypted data. However, many applications
can be mapped from SQL to the Olfactex
query language and we have a Panoptex
team that can perform that translation
work for solution integration projects.
Q
. You mentioned that Olfactex
can secure sensitive data for new
applications. What type of applications
do you have in mind?
Olfactex could support a wide range of
possible applications, including IoT (Internet
of Things) and mobile applications, as many
of them collect large volumes of private data
regarding users. We are also seeing very
positive responses regarding upcoming
applications in the health and financial
industries, as Olfactex is the only database
solution that can secure their data in the
cloud using compliant encryption algorithms
while retaining the ability to query and
analyse that data.
Q
. How can you prevent ransomware
attacks?
Ransomware depends on the ability for an
attacker to directly access an organisation's
data, encrypt it and then threaten to destroy
the key, if a ransom is not paid. Olfactex
distributes data across many systems with
multiple replicas of every data object. Further,
data from many companies is distributed
across the same infrastructure. Only the
owner of the data is able to generate the
index values necessary to identify their
information from among the masses.
Q
. If companies are storing their sensitive
data in Olfactex, reliability will be an
important requirement. How does Olfactex
ensure that data is stored reliably?
Olfactex stores data in a distributed manner
by spreading it across hundreds or even
thousands of systems with multiple replicas
of every data object. Further, these systems
may be distributed across geographically
diverse data centres to provide protection
against localised disasters.
Q
. Explain why Olfactex is more secure
than in-house data storage
Olfactex divides system functionality into two
distinct administrative domains to ensure that
no single breach can yield any unencrypted
data. In-house database systems are often
wide open to DBAs, even with significant
security measures in place. The root problem
with these systems is that they were not
designed from inception to address today's
threat landscape. Every additional layer
of security introduces more cost and
complexity, restricts capability and
introduces new opportunity for human
error. This is analogous to putting a bandaid
over a deep wound; it simply hides it
from view and it doesn't address the actual
problem. Additionally, this often results in
the secret keys and bulk data being present
in the same security domain. This presents
an opportunity for an attacker to obtain the
keys and bulk data from a single infiltration.
Q
. You mentioned privacy - how do you
protect this?
Fine grained access control policies define
rules for what data a user can access and
how it may be presented. Each user can
have different rules for queries and results.
This makes it possible to define rule sets that
allow a user to include restricted data in a
secure analysis pipeline without granting
them the ability to actually view any
restricted data. This could have significant
benefits for industries where fraud detection
and prevention are presently hampered by
privacy regulations.
Q
. How is the Olfactex system being
made commercially available in the UK?
We are launching our service in the UK and
throughout the EU with our Cloud partner
SURE from the Channel Islands. We will
be commercialising the software via the
Panoptex and Sure direct sales teams,
as well as via key industry agents and
consultants.
Q
. This all sounds really interesting and
engaging. Where can our readers can
go to get more information?
They can go online to our web site at
www.panoptex.com either to schedule a
meeting with a sales representative or
schedule a demo.
www.computingsecurity.co.uk @CSMagAndAwards May/June 2017 computing security
13

encryption
BEWARE THE DOUBLE-EDGED SWORD
ENCRYPTION PLAYS A VITAL ROLE IN PROTECTING VALUABLE INFORMATION FROM BEING STOLEN
OR ALTERED. BUT IT CAN BE USED BY YOUR ENEMIES JUST AS READILY
How do you stay one step ahead of the
attackers, when it comes to employing
the latest encryption technology?
What is the right solution for your
organisation? How do you make sure your
systems aren't breached? In the wake of
constant breaches, the time to focus on
encryption has never been more urgent.
As Mark Hickman, chief operating officer,
WinMagic, points out, encryption is the last
line of defence against any data breach, such
as an external hacker. "But it is often forgotten
that the role of security is to protect against
problems on the inside, as much as the
outside, whether an accidental breach of data
or a rogue employee. Sensitive data, whatever
it is, should always be encrypted and be kept
in that state. A simple rule is that, if you don't
want just anyone to see it, then it should be
encrypted. That way, encryption becomes
embedded in the organisation from a
technology and process perspective."
QUESTION TIME
Starting from that premise, we can then ask
the following, he says: “What do I need to
encrypt? How will that data be used and
shared? Where will it be stored? Who needs
access to it? These questions help you identify
the scope of your encryption needs - for
example, whether you need to be able to
encrypt in the cloud.
Any data that you would fear losing, or that
is sensitive in any way, should always be
encrypted at the end point in the
organisation, he adds. "This can also be used
to ensure that, when data leaves the
organisation, it remains encrypted wherever
it goes by enforcing a security policy that
requires it. The only way to make this work
over modern infrastructures, which are
diverse and multi-layered, is through
centralised key management."
Since you own and control the encryption
keys on a centrally controlled key server,
access to the files remains completely under
your control - wherever it goes, on any device.
With centrally controlled encryption, it is also
possible to ensure that files are only readable
by certain individuals, thus helping a
company enforce both regulatory and
governance requirements.
But there are other examples where it is
helpful, Hickman points out. "If an employee
leaves the company, or you stop working with
a specific partner organisation, access can be
instantly terminated. Without encryption,
users would retain access to those files and
the practice would have no way of removing
them from devices. Using centrally managed
encryption, access can be removed in the
policy engine; the user instantly loses the
ability to decrypt and read the files."
If your company wants to use third party
cloud storage services, it is critical to use
solutions where encryption keys are always in
the control of the organisation, rather than
the cloud service, he says. "This adds yet
another level of protection, should a breach
of usernames/passwords occur at a thirdparty
cloud service provider. A hacker will not
be able to read the files they can see."
This type of cloud-based approach to
encryption, does not just protect from
hackers, he continues, but equally it protects
against anyone, accidentally or otherwise,
sharing data with those that should not have
access to it.
RANSOMWARE ATTACKS
Although encryption forms one layer of
a cyber security policy by providing a
mechanism to protect access to data by
unauthorised individuals, whether at rest or
in-transit, that is far from the whole picture.
"Unfortunately, we also see encryption used
as a tool against us in Ransomware attacks,
where our data is encrypted by a third-party
preventing our access to it," says Brian
Chappell, senior director, Enterprise &
Solutions Architecture from BeyondTrust.
"Given that Ransomware will encrypt any data
a user has access to write to, it makes it very
hard to protect against. The rapid evolution
of Ransomware means that signatures,
14
computing security May/June 2017 @CSMagAndAwards www.computingsecurity.co.uk

encryption
hashes etc are quickly out of date and it's
difficult to uniquely identify the activity of
Ransomware before it's already too late."
It should be clear that the key here is the
data that users have access to and how that
access is provided. "Administrative access
should be limited to accounts that are only
used for that purpose; no-one should be
using an account with super-user rights for
daily work," adds Chappell. "The risk is too
high to allow that; clicking on the wrong
attachment or file could be catastrophic,
as the super-user has access to everything.
Making sure that users have limited access
to file shares, if they only need to view files,
then make the access read-only and
Ransomware is rendered impotent. If users
do need to update and/or write to files, then
ensure it's only the files they absolutely need
access to."
Wherever possible, move data into more
structured repositories, such as document
management systems, databases etc, he
further advises. "This may seem like a lot of
effort and cost for a small to medium
business, but losing access to all your data
will make a £5,000 extortion payment seem
like a reasonable option. By ensuring that
users aren't directly accessing your data
stores, even for administrative work, you
present Ransomware with the least
opportunity to impact your business and
keep encryption as a tool that gives you
benefits, rather than pain," he says.
LAST LINE OF DEFENCE
In itself, data encryption isn't a silver bullet.
However, when properly embedded within
an holistic information security plan, it will
provide the most effective last line of defence.
"If bad actors manage to break through
gateway defences to access internal servers,
or data is intercepted whilst being transferred
electronically or, for that matter, physically on
removable media, as long as the bits and
bytes recovered are unintelligible to an
unauthorised recipient, the last line of
defence has held firm," states Jon Fielding,
managing director, EMEA Apricorn.
"Granted, the encryption must be correctly
implemented with sufficiently strong
encryption keys, ideally protected in
hardware, so that the only method of attack
is brute force. If you can also manage the
number of unsuccessful brute force attempts
before determining the device holding the
data is being attacked and act, you build in
another layer of protection."
Encryption is necessarily complicated with
tales of Bob and Alice, primary numbers,
multiple algorithms, symmetric and
asymmetric keys and a plethora of three-letter
acronyms, he concedes. "However, to the
average user, there is no need to understand
this. Encryption should be automatic and
invisible. The user shouldn't be left with a
decision to encrypt or not. The organisation's
information security policy should be
enforced through technology, where possible,
by locking USB ports to only accept
corporately approved hardware encrypted
USB devices, for example."
Encrypting valuable or sensitive data enables
organisations to manage their risk. In a
commercial world where mobile working is
increasingly becoming the norm against a
back drop of stronger regulatory powers,
encryption is a critical piece of the armoury.
"For example, let's look at the General Data
Protection Regulation (GDPR), which serves to
harmonise a common legal framework in
support of protecting EU citizen data and
comes into effect in May of next year,"
suggests Fielding. "There are various articles
that cover consent and EU citizen rights
amongst others, but there are clear mandates
for data encryption: first, for compliance
(Article 32); secondly, to mitigate the impact
on any organisation that suffers a breach.
Article 34 also removes the obligation to
individually inform each citizen affected, if
the data remains unintelligible. Article 83
suggests that fines (which can be as high as
4% of global turnover or 20 million euros)
Ed Kidson, Wick Hill: many organisations
are left clueless as to which of their data is
encrypted and which isn't.
Jacob Ginsberg, Echoworx: always
monitor your network and follow best
practices.
www.computingsecurity.co.uk @CSMagAndAwards May/June 2017 computing security
15

encryption
Mark Hickman, WinMagic: sensitive data
should always be encrypted at the end
point in the organisation.
Brian Chappell, BeyondTrust: wherever
possible, move data into more structured
repositories.
will be moderated where the company has
been responsible and mitigated any damage
suffered by data subjects."
Worryingly, a recent survey by Apricorn
found that 24% of surveyed companies
are not even aware of the GDPR and its
implications, he adds. "On top of this, 17%
are aware of the regulations, but don't have a
plan for ensuring compliance. Organisations
should analyse their data, identify everything
that should be protected, understand where
it exists and how it is transported, and ensure
that it is encrypted at all stages of its lifecycle."
GAPING HOLES
With high-profile malware breaches
continuing to make headlines, organisations
are acutely aware of the dangers of leaving
themselves vulnerable to attack. Against that
backdrop, encryption technology can and
should play a pivotal role in any organisation's
IT security strategy, points out Ed Kidson,
product manager at Wick Hill (part of the
Nuvias Group).
"However, a problem exists when companies
believe they are shielded from attack by
encryption software, but without realising it
are susceptible to attack. Encryption isn't a
new thing, which is part of the difficulty. It's
likely that different, disparate encryption
policies may have been implemented over
several years with numerous vendors, leaving
organisations clueless as to which of their
data is encrypted, and which isn't - creating
gaping holes in their defences in 2017."
So how do you stay one step ahead of the
attackers, when it comes to employing the
latest encryption technology? "It usually isn't
practically or financially viable to encrypt
everything, so the first step is to conduct an
audit of your data and decide what is
sensitive," he says. "Look at where you need
encryption - on endpoints such as mobile
phones, laptops or tablets; or for data
that's stored on servers or in datacentres.
Regardless of which solution you choose
thereafter, it is just as important to keep your
encryption key secured and managed
properly. Some companies will encrypt their
database, for example, but their encryption
key might be sat on the same server as the
database - it is comparable to locking your
car and leaving your keys on the bonnet!"
Best practice involves implementing a key
management policy, putting the keys into
a Hardware Security Module (HSM) and
recycling the key regularly. If all these
safeguards are in place and you are breached,
the chances of your data leaking are vastly
reduced.
"Most hackers will discover encrypted files
and move on - they tend to go for the 'open
window' approach to theft," adds Kidson.
"As such, encryption should form part of
a traditional layered security approach,
alongside endpoint and gateway defences."
With ransomware attacks on the rise and
forthcoming regulations like GDPR meaning
any data breach is financially ruinous for a
business, it has never been more important to
make sure you have a watertight encryption
policy in place, he concludes.
TOP PROTECTION
"If you're a system administrator, make sure
you're using the best tools to protect your
system, including the latest patches and fixes
given by your service providers," comments
Jacob Ginsberg, senior director of products
for email encryption software company
Echoworx. "Always make sure your systems
are up to date and run scans, monitor your
network and follow your best practices."
Best practices include following compliance
rules, knowing how to properly dispose of
and store data, determining who can have
access to the network and learning how to
detect breeches. Ginsberg advises consulting
with vendors, to be aware of the latest
advances in encryption software, keeping
updated about networking and security, and
reading the news to learn about what new
areas hackers are targeting.
16
computing security May/June 2017 @CSMagAndAwards www.computingsecurity.co.uk

Recalls happen and you need to be
prepared if you’re faced with one.
The Sims Asset Return Management Portal makes product recalls and returns
quick and easy to administer. Online, efficient and straightforward, the portal
ensures products are returned to your store or our processing facility with
minimal hassle for your customers. Let Sims help you prepare to protect your
bottom line and brand reputation at a critical time.
ASSET
RETURN
MANAGEMENT
PORTAL
+44 (0)800 6526 100
srsuk.info@simsmm.com
www.simsrecycling.com

Infosecurity Europe
IT'S SHOW TIME ONCE AGAIN!
INFOSECURITY EUROPE 2017 IS NOT FAR OFF NOW, WHERE YOU CAN SEE THE LATEST TECHNOLOGIES
AND SOLUTIONS TO TAKE YOUR BUSINESS FORWARD. THE SHOW PLACES THE EMPHASIS FIRMLY ON
INTERACTIVITY, BRINGING PRODUCTS TO LIFE THROUGH A SERIES OF AREAS, ZONES AND PRESENTATIONS
The theme of this year's Infosecurity
Europe is ‘Cybersecurity at the
Speed of Business’. Against a
backdrop of global economic and
political uncertainty, organisations
are rapidly transforming and taking
advantage of new technologies and
working practices. Featuring a host of
inspirational thought-leaders and expert
practitioners, Infosecurity Europe's
Keynote Stage seminars will focus on the
challenges of developing an agile security
strategy that can keep pace with both
business transformation and the
evolution of the cyber threat landscape.
Speakers will include representatives from
companies and organisations including
Camelot, Centrica, Costa Coffee,
Department of Work & Pensions (DWP)
Hargreaves Lansdown, HSBC, KPN
Telecom, Metropolitan Police Service,
Network Rail, Skyscanner, Telefónica UK,
The Economist Group and UCL.
Also within the Conference Programme
will be a series of 25-minute long
vendor-led presentations in Tech Talks
and Strategy Talks addressing the latest
challenges in information security and
cyber security, and the latest infosecurity
VENUE, DATES AND OPENING TIMES
business challenges respectively. Both
theatres are located on the ground floor.
The Technology Showcase, also located
on the ground floor, will see exhibitors
take to the stage to demonstrate the
capabilities of their products and
technologies, and take questions.
Intelligent Defence, a one-day technical
conference stream, takes place within
Olympia London, Hammersmith Road, London, W14 8UX
Tuesday 6 June 2017: 09:30-17:30
Wednesday 7 June 2017: 09:30-17:30
Thursday 8 June 2017: 09:30-16:00
Registration is free until midday, Monday 5 June. After this, onsite registration costs £35.
To register, visit www.infosecurityeurope.com
18
computing security May/June 2017 @CSMagAndAwards www.computingsecurity.co.uk

Infosecurity Europe
Infosecurity Europe on Tuesday, 6 June.
The sessions will focus on the latest
research, including insights into key
vulnerabilities and exploits, and how
to defend against them. Presentations
include: Barbarians in the Throne Room;
The IP Address Black Market - A Primer;
Adversarial Machine Learning: The Pitfalls
of Artificial Intelligence-based Security
and Behavioural Analysis Using DNS &
Network Traffic.
NEW EXHIBITORS
New exhibitors to Infosecurity Europe will
be located in the upstairs Gallery in the
Discovery Zone and the Cyber Innovation
Zone, featuring over 100 companies with
something new to show. In the Discovery
Zone, you can tune in to a series of
presentations throughout the day on the
Cyber Innovation Showcase theatre.
HALL OF FAME
This year, Professor Mary Aiken will be
inducted into Infosecurity Europe's Hall
of Fame, recognising her long-term
contribution to the information security
sector as the world's leading expert in
forensic cyberpsychology, her work as an
advocate and educator in information
security, and her role in raising the profile
of the information security sector.
She has written and spoken extensively
on issues relating to the intersection
between people and technology - or, as
she describes it, "where humans and
technology collide". An adjunct associate
professor at University College Dublin,
Geary Institute for Public Policy, and
Academic Advisor (Psychology) to the
European Cyber Crime Centre (EC3) at
Europol, she has conducted research and
training workshops with multiple global
agencies, from INTERPOL to the FBI and
the White House.
Aiken will be officially inducted into the
Infosecurity Europe Hall of Fame on the
Keynote Stage on Thursday, 8 June,
13.45-14.30. During the session, she
will discuss her career as a forensic
cyberpsychologist, her current research
projects and will share insights on future
threats, and the importance of human
factors in information security.
INFOSECURITY WEEK
New for 2017 is Infosecurity Week,
sponsored by the Security Serious Unsung
Heroes Awards - a seven-day, city-wide
landmark event bringing Infosecurity
professionals together to learn, explore
and have fun in and around London
during the week of 5-11 June 2017.
Planned around Infosecurity Europe,
Infosecurity Week will be providing a
central portal listing all the many events,
parties, conferences, training and other
activities which have been organised for
all of the Infosecurity professionals in
London that week. Events taking place
during Infosecurity Week, include:
Monday, 5 June, 09:00-17:30:
Securing the Converged Cloud,
Olympia Conference Centre, London
This year's Cloud Security Alliance Summit
welcomes world leading security experts
INFOSECURITY EUROPE IN NUMBERS
and cloud providers to discuss global
governance, the latest trends in
technology, the threat landscape,
security innovations, best practices and
global governance in order to help
organisations address the new frontiers
in cloud security.
Wednesday, 7 June, 08:30-11:00,
Women in Cybersecurity Networking
Event, Olympia Conference Centre
A Keynote speech will be followed by a
panel discussion on ‘How to Sell Your
Professional Self in a Male-Dominated
Industry’. The session will consider (and
dispel) gender stereotypes, offer tips and
advice on how to gain credibility and
change employers perceptions, while the
panel of speakers will share their
experiences overcoming challenges and
driving their career forwards. The event
will end with a 45-minute networking
session. To book tickets, browse the lineup
of events at the show and much
more, just go to the following:
www.infosecurityeurope.com/en/Infosecurity
Computing Security will have a strong
presence at InfoSec and we look forward
to seeing you there.
The show offers a great experience in so many ways:
2 Networking Bars - on both the ground floor and gallery levels
8 theatres
140 hours of free accredited education
240 speakers
360 global vendors
18,000 infosecurity professionals, showcasing and debating the latest innovations and
challenges in cybersecurity
DOWNLOAD THE EVENT APP
Make the most of your visit and download the Mobile App before you arrive to connect with
peers and set up meetings. It will provide all the key information you need to make the most
of your time at the event, including speaker, exhibitor and sponsor profiles; activity feed
that features onsite polls and discussions; plus an interactive floorplan - and much more:
http://www.infosecurityeurope.com/visit/whats-on/mobile-app
www.computingsecurity.co.uk @CSMagAndAwards May/June 2017 computing security
19

product review
ACUNETIX 11
With web sites now under a daily
onslaught of attacks, businesses
can't afford to be lax about
security. Their very survival may depend on it
when the EU GDPR (General Data Protection
Regulations) come into force in May 2018, as
any business that falls foul of these will be hit
with punishing fines.
Acunetix specialises in automated web
application security and its latest web
vulnerability scanner Acunetix 11 seems to be
the perfect solution, as it offers some of the
industry's highest detection rates. Available as
both an on-premises and an online edition, it
subjects your web sites and webapps to its
advanced scanning techniques, tests for over
3,000 web vulnerabilities and prioritises them
for simplified resolution.
Along with a slick new web interface, the
Enterprise edition introduces role-based users
for enhanced vulnerability management.
Multiple users can be assigned one of three
roles, allowing security assessments and
report generation tasks to be delegated
across different divisions.
We found the new web console very easy to
use, with its dashboard presenting a clear
overview of high, medium and low severity
vulnerabilities. Beneath is a table showing
your five most vulnerable targets, a listing
alongside for the most common detected
vulnerabilities and yearly trending views
below.
Basic web site scans take seconds to start as
we entered the target URL, assigned one of
four business criticality levels, chose from
four scan speeds, picked a report type and let
it go. We could also set the scan to run
continuously, schedule it for regular daily,
weekly, monthly or yearly intervals and add
login credentials, if the web site required
them.
During the scan process, Acunetix'
DeepScan technology crawls the web site,
analyses all discovered links and builds a
complete map of its structure. We used our
own live sites for testing and found it
returned a perfect view of our site structures.
The scanner tests the web site by emulating
a series of hacker attacks, and Acunetix'
AcuSensor technology offers deeper
scanning techniques for ASP .NET and PHP.
Enabled on selected scan jobs, the console
provides links for downloading the
appropriate AcuSensor agent and installing it
on the web site host.
Once loaded, it retrieves a list of web sites
on the target and, from its local Manager
interface, you select which ones to use it on.
Security is tight, as the agent is uniquely
generated for the target host and password
protected so it can only communicate with
your console.
The console's Target view lists all scanned
web sites, along with a colour-coded grading
system, so we could see at a glance which
were safe or had low, medium or high risks
associated with them. Clicking on the
relevant colour block took us straight to the
vulnerabilities page where Acunetix provided
an in-depth explanation of the problem.
It included a full impact assessment that
highlighted precisely where the vulnerabilities
were found. More importantly, it offered
sage advice on how to close the security
hole, with links to helpful tutorials and
videos.
Reporting is another key feature as, along
with developer and executive summary
options, you can configure the scan to
produce detailed compliance reports for ISO
27001, HIPAA, SoX and many more.
Selected targets can also be linked to the
GitHub, Microsoft TFS and Atlassian JIRA
issue trackers, allowing vulnerability alerts to
be passed directly to development teams for
swift resolution. Acunetix can also integrate
into new and existing Jenkins Continuous
Integration (CI) and Continuous Delivery
workflows via its Jenkins plugin.
With data protection regulations getting
ever stricter, Acunetix' Web Vulnerability
Scanner could be all that stands between
business success and disaster. It delivers the
toughest vulnerability scan technologies on
the market, amalgamates them neatly into a
single management console and delivers
them all at a very affordable price. CS
Product: Acunetix 11
Supplier: Acunetix UK
Web site: www.acunetix.com
Telephone: +44 (0)330 202 0190
Price: Pro Edition, 1 year subscription, €2,995
(euros)
20
computing security May/June 2017 @CSMagAndAwards www.computingsecurity.co.uk

VISIT THE WEBSITE TO
DOWNLOAD THE AGENDA
11 -12 july, 2017 -
hilton syon park hotel,
london
THE CYBER SECURITY EXCHANGE WILL BRING TOGETHER SENIOR INFORMATION SECURITY LEADERS FROM
A NUMBER OF INDUSTRIES SUCH AS; FINANCIAL SERVICES, PHARMACEUTICALS, HEALTHCARE,
AUTOMOTIVE AND RETAIL TO SEE WHAT BUSINESS CONTINUITY STRATEGIES ARE IN PLACE AND HOW
SECURITY AWARENESS IS BEING PROMOTED ACROSS THEIR ORGANISATIONS.
CHECK OUT SOME OF THE SPEAKERS:
HEAD OF INFORMATION
DEPUTY DIRECTOR, CYBER &
GROUP DATA PRIVACY &
SECURITY CONSULTANCY
GOVERNMENT SECURITY
INFORMATION SECURITY OFFICER
WE'VE SURVEYED OUR NETWORK OF CISOS AND HEADS OF INFORMATION SECURITY TO DISCOVER WHAT
THEIR KEY CHALLENGES AND PROJECTS ARE FOR THE UPCOMING 6 TO 12 MONTHS, PLUS WHAT SOLUTIONS
AND SERVICES THEY ARE PLANNING TO INVEST IN TO HELP THEM OVERCOME THEIR CHALLENGES AND MEET
THEIR GOALS.
HERE ARE SOME OF THEIR PRIORITIES:
IF YOUR CHALLENGES AND PRIORITIES ALIGN WITH ANY MENTIONED ABOVE, YOU'RE IN LUCK!
COMPUTING SECURITY MAGAZINE READERS QUALIFY FOR A 20% DISCOUNT BY QUOTING
CSCYBER17 CONTACT EXCHANGEINFO@IQPC.COM TO SECURE YOUR PLACE TODAY!
*20% DISCOUNT ONLY APPLICABLE TO QUALIFYING DELEGATES AND YOU MUST BE A READER OF COMPUTING SECURITY MAGAZINE
WWW.CYBERSECURITYEXCHANGEEUROPE.IQPC.CO.UK

IT asset management
THE CLOCK IS TICKING…
WITH THE NEW EUROPEAN GENERAL DATA PROTECTION REGULATIONS
SOON DUE TO BECOME LAW, MANY BUSINESSES WILL NEED TO LOOK
CLOSELY AT HOW THEY PROTECT THEIR DATA THROUGHOUT THE
COURSE OF ITS LIFECYCLE
Any business that stores data on EU
citizens will become subject to the
new European General Data Protection
Regulations (GDPR), to take effect by early
2018. Even the UK, post-Brexit (voting wise, at
least), must comply. This has the potential to
impact a broad spectrum of both EU and
international companies. With the potential
for huge fines (up to 4% of global turnover)
will this see companies becoming more
mature in their attitudes towards data
protection and, if so, what methods will
they need to adopt to achieve regulatory
compliance?
Richard Brown, director EMEA Channels
& Alliances at Arbor Networks, says that the
main barrier with the EU GDPR lies in the
understanding of this new legislation.
"Changes to the definition of what is and
is not personal data, the need for 'explicit'
consent for data collection and different
documentation requirements all need to be
interpreted and any relevant changes made.
It will also require process documentation to
be regularly audited and updated, as in many
cases documentation is created, 'put on the
shelf' and then forgotten about. Finally, there
will need to be a process put in place for the
notification of any breach to the relevant
authorities and customers."
Some of these changes, he points out,
may incur additional costs to business, while
others may reduce overall costs, such as the
unification of regulation, but getting a good
understanding of this is still a work-inprogress
for many organisations. "For
providers outside of the EU who currently
handle personal data on EU citizens, this
will be more complex, as they will have to
ascertain whether their local data-protection
legislation is compatible with the GDPR. With
appropriate assistance from national
governments, organisations should be able
to comply with the legislation.
"As with all regulations, it is important that
organisations maintain their focus on the
'goal', rather than purely on compliance,"
Brown adds. "The impact of data breaches
to both business and the end user can be
significant, and businesses need to invest
appropriately to protect themselves and their
customers, not just comply with the
legislation."
MANY UNPREPARED
According to Rob Norris, director of enterprise
and cyber security in EMEIA at Fujitsu,
the majority of organisations are not yet
preparing for the new legislation. "GDPR
readiness will oblige organisations to carry
out thorough preparation, to set up the
processes necessary for compliance, as well as
supporting alignment of their systems and
services with GDPR's requirements. That's why
we recently announced a comprehensive
portfolio of services to help organisations
comply with the new legislation. This includes
implementing contingency measures, as well
as establishing both GDPR-related strategies
and clearly defined processes in how to detect
and react to data breaches, he says.
"GDPR will apply to organisations of all sizes
and in all industry sectors, and not just those
within the EU, so it's important companies
"Businesses need to invest appropriately to protect
themselves and their customers, not just comply
with the legislation."
22
computing security May/June 2017 @CSMagAndAwards www.computingsecurity.co.uk

IT asset management
take the first step and conduct data inventory
scans to help discover the relevant data held
today and where it resides.
"As well as this, organisations must take
responsibility, whether they are private or
public sector, and take the fight to cyber
criminals before they can act," Norris advises.
"This should be done through real-time threat
reporting, a clear and well-rehearsed incident
management plan, and addressing internal
and external communication, in addition to
containment and recovery activities. This will
allow businesses to identify threats as soon as
they hit the network and rectify them
immediately."
"Now is the time for businesses to stop being
hunted and instead become the hunter when
it comes to cyber security," he adds. "Ensuring
a compliant business environment, that will
help protect the company and its employees,
needs to be the number one priority."
MAJOR CULTURE SHIFT
GDPR is forcing a culture shift in the industry
as it puts the responsibility firmly on the
businesses that hold customer data,
comments Alex Guillen, go-to-market
manager at Insight. "There are two sides
to what will engineer this shift - the first is
prevention, which will be shaped in the
preparation phase before the regulations
come into play. For most organisations of all
sizes, this will mean establishing the critical
data they need to protect and identifying
where it resides and the value it holds. Once
established, we'll see organisations creating
security strategies and policies for the end-toend
management of this data, with a
particular focus on governance.
"When it comes to securing the data
itself, we expect organisations to lean on
consultancy services to help them navigate
the best provider in what we know is a
crowded market. A priority for businesses
should be to look for holistic solutions that
can ensure the integrity of the data, rather
than throwing money at the problem and
creating a patchwork of ineffective tools, as
has been done in the past."
There are a number of hurdles that
organisations will need to overcome,
including the significant problem of dark
data. According to Veritas' 2016 Databerg
Report, dark data will prove the biggest
challenge for most businesses preparing for
the new GDPR. Why? "On average, 54% of
the data held by organisations in Europe is
considered 'dark data' - that is, operational
data that isn't being used by an organisation,"
explains Guillen. "It's a tough one to prepare
for, because organisations don't tend to
understand the nature of their data and we
expect, or hope, to see businesses using the
time before 2018 to get to grips with it."
RISK APPETITE
Once the regulations are in force, it will take
a few cases to build up case law and assess
how various aspects are interpreted before
there is a full understanding of the
implications, suggests Graham Mann,
managing director, Encode Group UK.
"Depending on the severity of the fines,
organisations will be better positioned to
assess their 'risk appetite'; but, given the
potential fines, it could be a risky strategy.
Punitive fines are only one of the powers
wielded by the supervisory authorities: they
can undertake audits, issue warnings or
demand myriad corrective action. In short,
they have the power to seriously disrupt your
business and leave you with a rap sheet."
'It wasn't me, guv' is no defence, he adds.
"Data controllers and processors have dual
liability under GDPR and so there's nowhere to
hide. Therefore, it's vital that data controllers
vet their processors carefully. Corporations will
now have to define and implement a data
strategy throughout the organisation. More
importantly, they must think carefully about
whether they need to store certain data,
because there is now a defined cost. This will
avoid consumer data being held unnecessarily
Graham Mann, Encode Group UK:
Punitive fines are only one of the powers
wielded by the supervisory authorities.
Michael Hack, Ipswitch: two areas to
focus on are technology and training.
www.computingsecurity.co.uk @CSMagAndAwards May/June 2017 computing security
23

IT asset management
"Key technologies businesses said they needed to invest in are encryption,
analytics and reporting, perimeter security, file sharing and mobile device
management"
with all the accompanying security risks.
GDPR has been a long time coming," he
continues. "Its implications are far from being
known, but self-governance simply isn't
working, as evidenced by the millions of
people globally who have been impacted
through no fault of their own."
DATA ERASURE
Clearly, with the advent of GDPR, it's critical
and urgent for organisations to understand
data lifecycle management and the processes
and systems required at each stage - from
creation of data to when it reaches end-of-life
- before it becomes unmanageable.
"In particular, it's important to factor in data
erasure, which is one small piece of the puzzle
that is frequently overlooked," cautions
Richard Stiennon, chief strategy officer at
Blancco Technology Group. "What companies
really need is an enterprise-class, certified data
erasure solution that employs legally required
overwriting standards, is approved by
governing bodies and provides physical proof
that all data is permanently gone. If a solution
doesn't meet all three of these criteria,
then companies might find themselves in a
situation where they are unable to verify that
data has been removed - and could face
serious legal action and fines from governing
bodies such as the FCC, FTC and EU GDPR
Supervisory Authorities.
"I also think companies need to stop
compartmentalising data management and
customer experience into separate categories,"
he says. "It's not the best strategy and the two
can't flourish without each other.
Organisations will need to change their way
of thinking about data management across
the entire lifecycle so that this kind of
compartmentalisation doesn't keep
happening. They need to proactively plan for
the secure removal of data at the same time
as they're collecting, storing and analysing
data."
STARK FINDINGS
Meanwhile, Ipswitch conducted a survey of IT
professionals from the UK, France and
Germany and found that one in three
businesses reported not knowing how the
GDPR will apply to them, while 55% claimed
they were not ready as they recognised a need
"Self-governance simply isn't working, as evidenced
by the millions of people globally who have been
impacted through no fault of their own."
to invest in new technologies. In the UK, that
picture is even starker - less than one in five
say they are ready for the GDPR.
FOCUS AREAS
There are two areas that need to be focused
on ahead of the implementation of the GDPR
- technology and training - with 55% of those
surveyed by Ipswitch saying they would need
to invest in new technologies or services,
according to Michael Hack, head of the
company’s EMEA Field Operations. "The key
technologies that businesses said they needed
to invest in are encryption, analytics and
reporting, perimeter security, file sharing and
mobile device management, with encryption
being mentioned by the most (50%)."
Transferring data in motion, in use and at
rest needs special consideration with GDPR,
Hack adds. "Companies should allow for
flexibility when deciding on the right solutions
for their needs. Risk assessment is a key
strategy and covers all areas of the business."
One important technology for mitigating risk
and ensuring compliance is managed file
transfer, which manages the entire process
both within and outside the business.
“A comprehensive managed file transfer
solution not only provides secure routes for
assets, it also adds value with tools for the end
users for tasks such as managing attachments
and working in local folders,” states Hicks.
“A managed file transfer solution also
streamlines processes by automating
workflows, managing performance and
security, and providing reporting and
analytics, so that the business is always on
top of data and documents as they move
through, out of and back into the business."
NOT AN OPTION
One of the biggest misconceptions is that
non-EU based companies do not have to
comply with the GDPR. "I hate to break it to
them, but, if they're a global organisation
that collects EU citizen data, then they must
comply," says Matt Lock, director of sales
engineers, Varonis. "If a US company collects
data from EU citizens, it would be under
the same legal obligations as though the
company had headquarters in, say, France,
the UK or Germany - even though they don't
have any servers or offices there! This may be
hard for the EU regulators to enforce, but,
if you're large enough or a high-profile
multinational organisation, our guesstimate
is that the EU authorities will likely go after
any violations. In order to meet these new
regulations or even determine if they have to
24
computing security May/June 2017 @CSMagAndAwards www.computingsecurity.co.uk

IT asset management
"Organisations haven't taken privacy and cyber
security seriously enough until now."
be met, every organisation, regardless of
location, should create an asset register of
sensitive files, understand who has access and
who is accessing them, and determine when
data can and should be deleted."
ADAPTING PRACTICES
Clearly, companies must look to adapt their
practices ahead of schedule, given the
complexity and scope of the new regulation.
"While it is billed as European legislation, the
nature of networks and the digital economy
imply that it will be far more wide-reaching
than that," comments John Madelin, CEO at
Reliance acsn.
"Organisations must take a holistic approach
to privacy and security, with their most
sensitive information at the heart of it, in
order to adhere to the stringent guidelines
more easily, as well as manage its downfalls.
"Businesses haven't taken privacy and cyber
security seriously enough until now, and these
higher levels of 'parental controls' will help
security experts hold business leaders up to
board level more accountable. Perhaps the
most significant change is in notification.
"In the past, a company only had a problem,
if there was a breach," says Madelin. "The
new legislation will require companies to
demonstrate that they will detect and report
a breach. Companies will have to invest in
creating 24/7 alarming and reporting
capabilities, integrated with their security
infrastructure, which will allow them to
adequately understand where the data is and
protect it. At the moment, the majority of
systems deployed are not fit for purpose."
MASSIVE UNDERTAKING
Preparing for GDPR is likely to be a crossfunctional
exercise, as legal, risk and
compliance, IT and security all have a part to
play in its implementation. "As it is not a small
amount of regulation to comprehend, with
99 Articles and 173 Recitals to trawl through,
there will be numerous processes, procedures,
and training required, in addition to the need
for technology and services, in order to
demonstrate compliance," states Samantha
Humphries, international solutions marketing
manager at Rapid7.
"For some organisations, changes to roles
and responsibilities will be required, too, such
as appointing a data protection officer and
nominating representatives within the EU to
be necessary points of contact. Completing
Privacy Impact Assessments and
implementing processes for access control,
incident detection and response, and breach
notification will all be crucial in ensuring
compliance. By introducing such processes,
businesses can show that they understand
where personal data physically resides, the
categories of personal data they control
and/or process, how and by whom it is
accessed, and how it is secured," she adds.
Disaster recovery should also be high on any
organisation's list. "Being able to detect
attackers early can ease this process. User
Behaviour Analytics can provide businesses
with the capabilities to detect anomalous user
account activity within their environment, so
they can investigate and remediate quickly."
Recognising weak spots in systems and
networks can also help businesses find focus.
"By attacking their own systems through pen
tests to demonstrate real-world scenarios,
businesses can highlight potential failures and
weaknesses that can be rectified to avoid the
threat of a real attack," Humphries concludes.
"This will aid compliance with Article 32,
which states the need to have a process for
regularly testing, assessing and evaluating the
effectiveness of security measures."
Richard Brown, Arbor Networks:
documentation is often created, 'put on
the shelf' and then forgotten about.
Rob Norris, Fujitsu: now is the time to
stop being hunted and instead become
the hunter.
www.computingsecurity.co.uk @CSMagAndAwards May/June 2017 computing security
25

mobile management
AFTER THE FLOOD
WITH MOBILE DEVICES NOW IN THEIR MULTI-BILLIONS GLOBALLY,
AND MORE AND MORE APPLICATIONS FLOODING THE MARKET, THE
NEED FOR MOBILE MONITORING AND DEVICE MANAGEMENT HAS
NEVER BEEN GREATER OR MORE URGENT
Anew report, 'On the Radar', from
leading research company Ovum
shines a light on the extent of
the mobile security problem affecting
businesses of every size around the globe.
It exposes "the inadequate level of mobile
device protection offered by most
mainstream endpoint security providers
who have failed to keep pace with market
requirements and the subsequent threat
this has created for businesses who are
unwittingly exposed to cybercriminals".
The report has turned the spotlight on
an area of great concern - and one that
needs to be addressed urgently.
"Corporate mobile devices are inherently
personal," states Michael Covington,
VP Product Strategy, Wandera. "When it
comes to BYOD, it should be understood
that the end user has more control over
the day-to-day running of the device.
Unfortunately, this means more risk is
introduced to the platform. There is a
general notion amongst businesses and
end users that mobile platforms are
secure. For example, there are few
security tools out there for Apple devices
and not many news headlines around iOS
vulnerabilities. The first thing people need
to understand is these devices are not
secure and, with the rise of mobile
devices, hackers will only continue to
attack them."
Not only do people believe device
platforms are secure, but also the apps
themselves, he adds. "In reality, app
developers are rushing to deliver their
apps to the market and security is often
an afterthought in the process. From
a regulatory perspective, companies
are obligated to protect credit card
information. However, sometimes their
apps haven't gone through secure
development processes." Mobility has not
been treated the same way that classic
end-point has within the enterprise, says
Covington. "Laptops and desktops have
layers of defences, with a variety of
different tools. On the mobile platform,
enterprises are unlikely to have invested
in even one tool, let alone multiple, to
control multiple threat factors."
One threat vector which is often
ignored are the users themselves.
"Investing in educating an individual is
not normally something a business would
do. However, if the individual is putting
themselves or their data ta risk on a
device that holds company data, they
become the weak link in the chain.
Employees often go around existing
security policies using mobile devices.
There have been instances of staff
26
computing security May/June 2017 @CSMagAndAwards www.computingsecurity.co.uk

mobile management
tethering their mobile device when
they're in the office, because they want
to go to websites that are blocked on
the corporate gateway." This is once
again opening up security issues for
businesses, he warns.
"Both the enterprise and the end user
have an interest in making sure their
sensitive mobile data is secure. But end
users also don't want to feel like a 'Big
Brother' is watching their every move
on their BYOD devices; which is why a
solution that simultaneously protects end
user privacy, without compromising
business-critical reporting, traffic control
or device management, is so important,"
adds Covington.
KEY ATTACK POINTS
Michael Shaulov, head of mobility
solutions, Check Point, believes there
are five major categories of attack and
vulnerabilities that organisations need to
protect their mobile fleets against, which
demand multiple mobile security
capabilities.
The first is system vulnerabilities. "Each
version of a mobile operating system will
contain vulnerabilities that criminals can
use to launch attacks. Devices need
to be continually analysed to uncover
vulnerabilities and the behaviours that
cyber criminals use to attack them. When
a threat is identified, the solution must
automatically mitigate any risk until the
threat is eliminated," he states.
Next comes root access and
configuration channels. "Root access
enables a wide range of customisations
and configurations, and gives criminals
greater access, which exposes devices
and data to risk," Shaulov points out.
"Criminals can even bypass MDMs using
relatively simple techniques, so it's
necessary to monitor all configuration
changes and use behavioural analysis to
detect unexpected system behaviour."
Then there are repackaged and fake
apps. "Malicious apps can take complete
control of mobile devices. It is remarkably
easy for criminals to reverse-engineer
popular apps or to create seemingly
authentic copies of existing ones. In turn,
these apps can be used to gain remote
access to the device or download
malicious payloads. Apps' installation
processes should be monitored and run
in a quarantined 'sandbox' environment
to analyse their behaviour."
Fourth on his list are Trojans and
malware. "An app's code is huge and
complex, making it difficult to identify
a Trojan's malicious activity. A security
solution should capture apps and
automatically reverse-engineer them,
enabling analysis that identifies
suspicious patterns and behaviours."
Fifth, Man-in the-middle attacks. "Manin-the-middle
attacks can eavesdrop,
intercept and alter traffic between two
devices," he says. "Enterprises need
behavioural analysis that can detect
rogue hotspots and malicious network
behaviour and conditions, and
automatically disable suspicious networks
to keep devices and data safe."
Finally, he advises that this system of
mobile security components must work
together cohesively to identify a wide
variety of threats, protect data and
address employee privacy concerns,
rather than being a loosely-integrated
mix of point products. "The solutions
have to be able to analyse behaviour
across all possible vectors for indicators
of attack, to keep mobile devices safe."
SECURITY HEADACHE
According to Mark Noctor, VP EMEA at
Arxan Technologies, "a mobile-ready
workforce can deliver some powerful
advantages, in terms of flexibility and
Dave Williams, 3M: another factor to
consider is the 'low tech' one of prying
eyes.
Michael Covington, Wandera: both the
enterprise and the end user have an
interest in making sure their sensitive
mobile data is secure.
www.computingsecurity.co.uk @CSMagAndAwards May/June 2017 computing security
27

mobile management
responsiveness, but can also be a major
security headache without strict
management. The network's attack
surface is increased with each new
mobile device, and many organisations
quickly lose track of what devices are
connected and how they are being used".
The BYOD approach, in particular, can
expose companies to a much greater level
of risk, as a mobile that is also used as
personal device will be more likely to be
hit by threats such as mobile malware
and fake or corrupted apps.
A compromised device can then be used
to infect the rest of the corporate
network or access confidential emails and
other data. "Any company with a mobilecentric
workforce should ensure it has a
strict Mobile Device Management (MDM)
strategy to secure emails and corporate
documents, segregate corporate data,
and enforce security policies," states
Noctor. "However, MDM is not always
applicable and can be difficult to
combine with BYOD or apply to
individuals such as contractors and others
who have access to corporate resources,
but are not full employees."
Mobile Application Management (MAM)
is a more flexible and secure approach for
this more diverse workforce, he suggests.
"This approach places security and app
management policies around the
individual business applications, so they
are protected without the need to enrol
the device in MDM. Workers are provided
access to officially sanctioned and
secured mobile apps via a private
enterprise app store. This ensures that
employees are able to easily access the
best apps for the job, while also enabling
the organisation to keep track of what
applications are being used." Managing
mobile apps in this way can also help
enterprises ensure the highest levels of
security even without requiring MDM.
"Powerful app-level policies can be used
to enforce security policies, such as
detecting jailbroken devices and applying
run-time integrity checks, as well as
ensuring that all apps are kept updated,"
he adds.
INADEQUATE PROTECTION
Despite the publicity around mobile
security, research seems to suggest that
many organisations are not adequately
protecting workers and devices when on
the move or in public spaces, comments
Dave Williams, business manager - UK
Electronics Market, 3M. "As well as more
robust software-based measures, another
factor to consider is the 'low tech' one of
prying eyes. Just looking over someone's
shoulder, he cautions, is "one way to
obtain confidential information. Security
breaches are not confined to savyy
hackers".
In the recent Public Spaces Survey
commissioned by 3M and conducted by
the Ponemon Institute, nine out of 10
people questioned had noticed someone
looking at data on their laptops in public,
according to Williams. "Seventy-six per
cent had also inadvertently seen
something on someone's screen that they
should not have done. However, just over
50% confirmed they had not taken any
preventive steps to protect their own
screens from onlookers in public."
VISUAL HACKING
Other research also demonstrates just
how easy it is to carry out a 'visual hack',
whether inside or outside the office," he
continues. "In the Global Visual Hacking
Experiment, also carried out by the
Ponemon Institute on behalf of 3M,
involving a 'white hat' hacker, more than
90% of visual hacking attempts were
successful, with 49% of breaches taking
less than 15 minutes, with an average of
3.9 pieces of sensitive data obtained per
attempt.
"The reality is that, while visual hacking
is fast and easy to achieve, it is also fast
and easy to prevent, using techniques
such as installation of privacy filters,
which stop on-screen information from
being viewed, unless straight-on and
close-up; angling screens, so they cannot
easily be seen; plus educating employees
about their responsibility to prevent
sensitive data being visible to others,
particularly when they are working in
public spaces."
28
computing security May/June 2017 @CSMagAndAwards www.computingsecurity.co.uk

purchasing strategies
REAL PRICE OF SECURITY SOLUTIONS
THE IMPORTANCE OF MAKING PURCHASING DECISIONS FOR SECURITY SOLUTIONS BASED ON QUALITY,
RATHER THAN INITIAL PURCHASE PRICE ALONE, IS NOW BEING HAMMERED HOME
Astark warning has been laid down in
a new white paper concerning the
challenges involved in buying and
selling high-quality security solutions.
The paper aims to explore the price versus
quality debate from the perspectives of both
buyers and sellers of security solutions, in
order to identify the relative advantages and
disadvantages between low-priced and highquality
solutions. The main findings of the
paper clearly suggest that end users would
find it far more beneficial to consider and
deploy high-quality security solutions. The
findings also reveal that there are many
advantages for security providers who offer
high-quality solutions to their customers,
rather than merely competing with each
other on the basis of price. Security providers
would be much better off collaborating with
their customers and developing a good
understanding of buyers' needs in order to
provide suitable solutions that meet those
requirements and perform well over time.
Commissioned by the British Security
Industry Association, the white paper, which
is titled 'The (Real) Price of Security Solutions',
has been authored by Dr Terence Tse,
an Associate Professor of Finance at ESCP
Europe Business School, and sponsored by
BSIA member companies Securitas and
ATEC Fire and Security.
The research was driven by immediate past
chairman of the association, Pauline
Norstrom, during her time as chairman.
"I have been in the industry some 16 years,
before that in tech marketing across a broad
spectrum of industries," she commented.
"During that time, I have watched and
experienced the manufacturers within
our industry race to the lowest price,
compromising on materials and functionality
in order to do so and often at the expense of
UK jobs in the process.
"I have seen the industry rush to the cheapest
price to win the bid, with companies offering
solutions at very low margins being left with
substantial additional costs they cannot cover.
In addition, end users are often provided with
an inferior solution which does not solve their
problems," she added.
"Essentially, I hope that the paper will
educate the security buyer as to the art of
buying a specialised security solution, rather
than a bunch of part numbers or just cost per
hour; and instead to consider the value of the
sum of the parts bringing a larger benefit
than those parts working in isolation."
The paper sets out recommendations for
both security providers and security buyers
through checklists that aim to help security
buyers make better informed purchase
decisions and security providers to better
demonstrate the value of their offering,
rather than compete on price alone.
Pauline Norstrom: "I have seen the
industry rush to the cheapest price
to win the bid."
www.computingsecurity.co.uk @CSMagAndAwards May/June 2017 computing security
29

DDoS attacks
PRESSURE MOUNTS ON ISPS
MORE AND MORE SECURITY PROFESSIONALS ARE DEMANDING ADDITIONAL HELP FROM THEIR ISPS TO
BLOCK DDOS TRAFFIC BEFORE IT REACHES THEM
Ashley Stephenson, Corero Network
Security: important crossroads ahead.
DDoS attacks are a greater security
threat to businesses in 2017 than ever
before and Internet service providers
(ISPs) need to do something about it now.
That is one of the findings in a new survey
of IT security professionals and network
operators from Corero Network Security.
The 'Corero DDoS Impact Survey 2017',
polled top technology decision makers and
security experts and found that the majority
(56%) view DDoS attacks as a greater and
graver concern than in previous years.
This elevation of risk comes at a time
when DDoS attacks continue to increase in
frequency, scale and sophistication over
the last year. Some 31% of IT security
professional and network operators in the
survey experienced more DDoS attacks than
usual in recent months, with 40% suffering
attacks on a monthly, weekly or even daily
basis. To alleviate this problem, 85% are
demanding additional help from their ISPs
to block DDoS traffic before it reaches them.
The findings follow reports in the UK that
Britain's National Cyber Security Centre
(NCSC) is putting pressure on ISPs to rewrite
Internet standards around spoofing, in order
to reduce the volume of DDoS attack traffic
on their networks. Dr Ian Levy, technical
director at NCSC, has called for ISPs to make
changes to the Border Gateway Protocol
(BGP) and Signalling System 7 (SS7)
standards to halt the rerouting of traffic
used in simple, volumetric DDoS attacks.
"As new, large-scale attacks have come
online, leveraging IoT devices, the DDoS
threat has become top of mind for CISOs,"
said Rob Ayoub, research director at IDC.
"This shift in precedence puts increased
pressure on Internet and cloud providers
to enable this protection for their customers
and also to eliminate DDoS threats closer to
the source."
Ashley Stephenson, CEO at Corero
Network Security, added: "Providers will
likely find themselves at an important
crossroads during the next year, as pressure
builds on them from both customers
and governments to address the growing
DDoS problem. By accepting a greater
responsibility for defending their customers
and networks against DDoS attacks, ISPs
could modernise their security service
offerings and increase customer satisfaction
- in contrast, ignoring this call to action
could open up the possibility of future
regulatory controls related to DDoS
protection."
The Corero study found that a worrying
58% of security professionals are still relying
on 'home grown' open source solutions,
or traditional security infrastructure like
firewalls, to protect themselves against
DDoS attacks. Just more than a third
(36%) are adopting cloud-based solutions,
including scrubbing centres, and a further
35% are employing on-premises DDoS
mitigation products.
While the vast majority (85%) believe their
ISP should be dealing with the DDoS
problem for them, as part of their service,
almost half (46%) indicated they would be
prepared to pay an additional fee to have
DDoS traffic removed before it reaches their
network. Of those who were willing to pay
their ISP for such a premium service, almost
three quarters (74%) said they would
consider spending up to a quarter of their
total ISP spend to eliminate this threat.
30
computing security May/June 2017 @CSMagAndAwards www.computingsecurity.co.uk

sustainable solutions
MANY HAPPY RETURNS!
RECALLS HAPPEN AND, WHEN THEY DO, ORGANISATIONS COME UNDER PRESSURE TO PROTECT THEIR
BRAND AND ENSURE THEIR CLIENTS HAVE A POSITIVE PRODUCT RETURNS EXPERIENCE
With commerciality, brand
reputation and data security at
the forefront of everyone's
minds, it's easy for sustainable solutions
to slip down the priority list. But ignoring
sustainability can further damage a
brand's reputation. Some high-profile
manufacturers have publicly come under
pressure for not keeping sustainability
front and centre when managing
defective product recalls.
Yet this is not an either/or situation, as
Anand Narasimhan, managing director,
Sims Recycling Solutions, EU, India,
points out. "Simple solutions exist to help
companies demonstrate their desire to
protect the environment, conserve natural
resources and participate in the circular
economy, all at the same time as
delivering a truly effective IT product
recall," he says.
"Corporate participation in the circular
economy is becoming increasingly
important, as the public and press
continually scrutinise corporate ethics
and social responsibility efforts. More
than previous generations, millennials
consistently rank a company's positive
impact on the world as a key
consideration when choosing an
employer, according to research carried
out by consultancy Global Tolerance.
Corporations are regularly ranked on their
environmental credentials, including the
level of sustainability built into their
supply chain and processes. At times
when a company is under scrutiny, such
as managing a global product recall,
these standards come under pressure.
"It is vital, therefore, that returned
products are handled appropriately.
Working with a certified, credible and
auditable vendor to manage your
returned IT product gives an organisation
this peace of mind and reassurance.
The 'Waste Hierarchy' developed by the
European Union provides useful
guidelines on the right way to approach
sustainability - reuse, recycle and
recovering energy to avoid landfill."
These considerations do not just apply
to recalls, he points out. "As products
become more robust and long-lasting,
many manufacturers are introducing
trade-in and trade-up schemes to
encourage the purchase of new products.
These programmes necessitate returned
products be recycled, thereby reducing
the grey market for their products."
Reuse might not seem like a viable
option when dealing with defective IT
product recalls, but that is not necessarily
the case. "Even when reusing an entire
asset isn't possible, circular economy
practices can be followed and
considerable value can still be recovered
through parts harvesting," says
Narasimhan. "IT assets likely still contain
valuable component parts that can be
used to refurbish or remanufacture other
devices, or can be sold on their own.
These efforts deliver value back to a
business to help offset the cost of the
recall, while increasing the lifecycle of a
product and minimising harmful waste."
Perhaps parts recovery is not feasible and
recycling is the only option. "Vendor
selection might not be at the forefront of
your mind when managing priorities
during your recall, but a recycling provider
needs to be thoroughly vetted," he adds.
"Many different services are marketed
under the term 'recycling', so you need to
carefully consider a vendor's capabilities
and their sustainability credentials. Truly
sustainable recycling providers have a few
common characteristics. The best recyclers
actively innovate to improve material
recovery levels. They work closely with
manufacturers to ensure they are fully
capable of processing new products and
materials. Best-in-class technology and
processes allow many materials to be
recovered and separated to a level
suitable for remanufacturing back to
usable products. This reduces the demand
for scarce and limited raw materials.
"Though not necessarily welcome, a
thoughtfully managed global product
recall offers businesses the opportunity
to be put their best sustainable foot
forward," he concludes.
Anand Narasimhan, managing director,
Sims Recycling Solutions, EU, India
www.computingsecurity.co.uk @CSMagAndAwards May/June 2017 computing security
31

online threats
THE SMELL OF FEAR: THREAT DE TOILETTE
GLOBAL CYBER-SECURITY COMPANY KASPERSKY LAB HAS LAUNCHED WHAT IT CLASSIFIES AS "TWO
THREATENING, YET PROVOCATIVE, SCENTS". WILL THAT HAVE THE BIG FRAGRANCE AND PERFUME PLAYERS
WORRIED, THOUGH?
my business and my ability to grow my
channel. My audience's experience would
also be disrupted, because they wouldn't
have any new content to watch."
Kaspersky Lab is aware that there are
many virtual threats facing consumers and,
in order to address this, has additional
scents in the Threat range:
Kaspersky Lab has launched its Threat
de Toilette pour femme and pour
homme fragrances onto the market -
but whether they will ever compete with
the likes of Yves Saint Laurent, Versace and
Chanel is most doubtful.
Then again, the new perfumes have a
somewhat different purpose to making
you feel good in your own skin. In fact,
quite the reverse. They are, instead, part of
a campaign whose aim is to "educate
today's modern man and woman about
the virtual threats we face daily". Threat de
Toilette contains all the perfectly coded
base notes of cybercrime; hints of spam
and drops of ransomware that, according
to Kaspersky Lab, will "ensnare your love
affair and cast a love virus".
Says David Emm, Kaspersky Lab's principal
security researcher and face of the new
scent: "The men and women who wear
Threat de Toilette understand today's
online threats and protect themselves
against them. Fear is no longer felt only in
the physical world - it's all around us in our
connected lives, too, and we need to make
sure we're constantly protected."
Scarlett London, the well-known UK
beauty blogger, attending the event to
illustrate how cybercrime poses a constant
threat to her online livelihood, says, "I don't
feel that we discuss cyber-security enough
- or that enough attention is given to it,
especially considering how much of our
time and life is spent online. My business
and livelihood is based online - so, if a
hacker was to be able to get in and steal
content or wipe files from my computer,
channel or feeds, it would severely disrupt
RANSOM
Reassuringly expensive
Ransomware is the theft of confidential
data, with a cost (ransom) to regain access
to the encrypted files. This could be
priceless items, such as family photos, or
financial details, such as banking
documents. Imagine someone removing all
your prized possessions from your
bedroom and then requesting money for
the safe return of them - this is the real life
equivalent to ransomware.
MAL-WEAR
The wicked way to pierce the heart
Malware (Malicious Software) are the
programs that sneak onto your computer
without permission, with the intent to
steal your personal data or capture your
passwords and other sensitive information.
The term covers all sorts of viruses, worms,
Trojans and spam. It's like somebody
dipping into your bag unnoticed, stealing
all your keys and using them to get access
to all your stuff.
SOCIAL ENGINOIR
Lure them in
One word to use when thinking of social
engineering is manipulation. When using
this attack method, a cybercriminal will
often trick their victim into breaking their
32
computing security May/June 2017 @CSMagAndAwards www.computingsecurity.co.uk

online threats
usual security procedures, for example
giving away passwords, so they can gain
access to the computer. It's as if you hand
over your keys to someone you think is
your best friend - but they're a thief
masquerading as your best friend.
PHISH
Catch your deepest love
Phishing emails are the electronic
equivalent of the 'junk mail' that arrives on
your doormat. These can be dangerous -
posing as a tailored, credible email with
the purpose being to steal financial
information. These emails are designed to
grab your attention, making you drop
your guard, for example, they may include
information on an event you've just
attended. Trust us, it's not a coincidence.
Meanwhile, Emm offers the following top
tips to stay safe online:
Get protected. This may seem obvious,
but security software is the new 'black'.
Its helps you stay fully protected
against malware, spyware, hackers and
identity theft at all times.
Keep up to date. Make sure all your
devices are up to date with all the
latest security and firmware updates.
Practise safe online shopping and
banking. Always shop and bank on a
secure site. Look for a URL that starts
with 'https' and has the lock symbol
when entering your credit card details
or other personal information.
Privacy is key. Avoid using public Wi-Fi
to access any web sites that need a
login and password to access them or
that involves typing in confidential
information.
Socialise safely. By now, we've all had a
bad link or two sent to us over our
favourite social network. Utilise your
social network's security settings to
their optimum level. Do you really
need to display every detail about your
life?
Safe passwords. Use secure passwords
- a different one for each Internet
service. Set passwords to include 12 or
more upper and lower case characters
and numbers.
Stomp out spam. Most Internet Service
Providers and security software
programs have anti-spam
technologies. The spam blocker will
help prevent fraudulent emails from
showing up in your Inbox. Fake lottery
wins or chances to win the latest
gadget can be very tempting!
And if all of this alerts you and your
organisation to be better prepared against
the threats that are escalating all around,
then you would have to say the Kaspersky
campaign could be heaven scent!
BLACKOUT BLUES
Meanwhile, Eugene Kaspersky, founder
and CEO, Kaspersky Lab, has warned that
a blackout such as the one recently
experienced in Ukraine could have deep
and worrying ramifications on a much
wider scale. During a blackout, none of
the devices connected to the lauded
Internet of Things would be able to 'talk'
to each other. "By a cyberattack on critical
infrastructure taking control of a country's
power grid, simply nothing would work,"
he warns. "No urban facilities, no water,
no air conditioning, no elevators, no
Internet, no mobile network.
Far-fetched sci-fi? "Unfortunately, this
scenario is very real," he adds. "The world
we live in is based upon technologies and
ideas which were made 50 years ago.
Many of them rely upon an architecture
that predates the era of cybercrime. The
hackers simply didn't exist then. As we
increasingly depend on technology as the
backbone of our civilisation, we need to
ensure our critical infrastructure is built
upon a robust architecture that is not only
secure, but immune. If we don't adopt a
security-first approach, we will face a very
uncertain future."
Eugene Kaspersky: without a security-first
approach, we will face a very uncertain
future.
David Emm: fear is all around us in our
connected lives.
www.computingsecurity.co.uk @CSMagAndAwards May/June 2017 computing security
33

product review
THE AEGIS SECURE KEY 3Z FROM APRICORN
With the EU GDPR (General Data
Protection Regulation) active
early in 2018, businesses of all
sizes must start work on full compliance
now. This legislation is very specific
concerning loss of personal data and
any business falling foul will be punished.
All businesses have a legal duty to
protect sensitive and personal data
while it's in transit - and that means
encryption. Apricorn has the perfect
answer: its latest Aegis Secure Key 3z
USB flash drive delivers military-grade
256-bit AES XTS hardware encryption
at a very tempting price. Its available in
capacities from 8GB up to 64GB and
the 3z is FIPS 140-2 Level 3 certified
for added confidence. This means it
will meet stringent US government
requirements, such as physical security,
cryptographic key management and
authentication.
Apricorn hasn't left anything to chance.
Our 8GB model arrived in a tamper-proof
package with a large security seal.
Enclosed in a tough aluminium shell,
the 3z provides a small, but easily
accessible, keypad and is powered by
a rechargeable Li-Ion battery.
Setup was simple: press a couple of
two-key combinations and enter an
admin PIN of between 7 and 16 digits.
Next, you can enter a user PIN yourself
or activate the enforced enrolment state
and let your staff select their own PIN.
If they should forget their user PIN, an
administrator can enter admin mode and
reset it. To unlock the 3z, simply press
the green padlock key, enter the PIN
and insert it in the recipient device.
Data on the 3z can be further
protected from malware by setting it to
read-only mode. The administrator can
enforce read-only or it can be delegated
to the user to decide when to apply this
mode.
For forgetful users, you can create up
to four one-time recovery PINs that will
set it back to the enrolment state. The
entire drive can also be reset to factory
defaults where it performs a crypto-erase
and randomly generates new encryption
keys.
The 3z also protects itself from bruteforce
attacks, as after three unsuccessful
PIN entries it adds an extra delay after
each subsequent attempt, up to a
maximum of ten. You can unlock it and
try again, but after the requisite number
of attempts is reached, the 3z assumes it
is under attack and destroys all of its data.
It comes pre-formatted as NTFS, but you
can reformat it to FAT, FAT32 or Mac OS
compatible. While unlocked, it functions
no differently to any other USB flash
device and we noted that, whenever the
3z was removed from its USB port, it
automatically locked itself for added
safety.
The 3z has a high-speed USB 3.1
interface with Apricorn claiming top
read and write speeds of 190MB/sec
and 80MB/sec. The majority of users
will probably have slower USB 3 ports,
where our copy tests of a 5GB file
returned read and write speeds of
135MB/sec and 29MB/sec.
Support staff managing large numbers
of flash drives and PINs will
love the Configurator. Costing around
£80, it teams up a 10-port USB docking
station with the Apricorn Aegis
Configuration software.
From the intuitive interface, we created
a master profile with admin, user,
recovery and self-destruct PINs, along
with a permitted number of brute-force
attempts and the auto-format file system.
The profile could then be applied in
seconds to all devices inserted in the
docking station. Being software free,
there is nothing to install and the
encryption and authentication
functionality resides on the device.
With Apricorn, businesses no longer
have an excuse at all for failing to protect
personal data in transit. The Aegis Secure
Key 3z teams up the toughest encryption
with plenty of security measures and is
one of the best value solutions that we
have yet seen.
Product: Aegis Secure Key 3z
Supplier: Apricorn Europe
Web site: www.apricorn.com
Tel: +44 (0)161 870 76369
Price: 8GB - £65, excluding VAT
34
computing security May/June 2017 @CSMagAndAwards www.computingsecurity.co.uk

MEET THE
INFOSEC
WORLD, ALL
UNDER ONE
ROOF
REGISTER
NOW
CONNECT
WITH PEERS,
PARTNERS AND
THOUGHT-
LEADERS
FIND
SOLUTIONS
AND PRE-EMPT
PROBLEMS
Everyone and everything you need
to know about information security
ENHANCE
YOUR
KNOWLEDGE
& EARN CPE/CPD
CREDITS
FIND NEW
OPPORTUNITIES
TO FURTHER
YOUR
CAREER
“InfoSecurity Europe
is the highlight of
the security event
calendar, given the
scale of the event,
the vibrancy and buzz
surrounding the show
and the attendance
of industry leading
vendors and the world
class speakers.”
Join the region’s premier information security event
featuring 360+ of Europe’s most established players
& newest cybersecurity talent. Learn from our most
comprehensive conference programme yet with over
160 hours of complimentary thought-leader seminars.
In 2016 we opened our doors to more than 17,500
professionals all under the beautiful domed roof of
Olympia, London. Can you afford not to be
there in 2017?
@infosecurity
Mark Shutt
IT Security and Assurance Manager,
Secure Trust Bank
REGISTER TO
ATTEND AT
www.infosecurityeurope.com

2013