Computing<br />
Security<br />
Secure systems, secure data, secure people, secure business<br />
EYE ON THE FUTURE<br />
What challenges await in 2019?<br />
NEWS<br />
OPINION<br />
INDUSTRY<br />
COMMENT<br />
CASE STUDIES<br />
PRODUCT REVIEWS<br />
THORNY ISSUES<br />
Not everything is rosy<br />
on the passwords front<br />
HEALTH WARNING<br />
Sports and leisure clubs<br />
come under attack<br />
FLIGHTS OF FANCY<br />
Hackers seize<br />
BA client data<br />
Computing Security January/February 2019
Dates for your diary<br />
CDL will be exhibiting at the following events in 2019...<br />
20-21 Feb ‘19<br />
5th Mar ‘19<br />
21 Mar ‘19<br />
3-4 Apr ‘19<br />
16 May ‘19<br />
4-6 Jun ‘19<br />
19-20 Jun ‘19<br />
11-12 Sep ‘19<br />
9-10 Oct ‘19<br />
Come along and see what we can do for your business.<br />
Secure IT Disposal<br />
from an award winning service provider<br />
• Secure disposal of IT and WEEE<br />
• Data sanitised to the highest<br />
recognised standards<br />
• Collections using only CDL vehicles and<br />
drivers<br />
• ISO 9001, 14001, 18001 & 27001<br />
• ADISA accredited with distinction<br />
• On site media destruction<br />
• EU GDPR compliant service<br />
• Full UK coverage<br />
CDL House, Davy Road, Runcorn, Cheshire, WA7 1PZ.<br />
www.computerdisposals.com<br />
T: 01925 730033
comment<br />
HACKERS EXPLOITING SIMPLE OVERSIGHT<br />
Security web scans and analysis on over 80,000 European Magento websites - the most<br />
popular e-commerce platform globally - reveal 80% are at risk from cyber criminals. That<br />
is a startling and worrying figure, and should leave those at the sharp edge deeply<br />
concerned for their own safety.<br />
Recent research by global cybersecurity experts Foregenix examined more than 170,000<br />
Magento websites in total, revealing that 1.5% of these (2,548) were infected with malware.<br />
Some 1,591 were compromised by credit/debit card stealing malware, actively harvesting their<br />
customers' sensitive data for subsequent sale and/or fraud.<br />
A further 2.3% of all websites were found to be susceptible to Magento Shoplift. What is<br />
particularly concerning is that this vulnerability was disclosed, and patches made available, way<br />
back in January 2015. Effectively, Magento Shoplift allows hackers to completely administer<br />
the website remotely, steal sensitive data and even order items for free through a single exploit<br />
command - something that is publicly available.<br />
The cybersecurity company, which is renowned globally for its work on payment security, has<br />
an active threat intelligence team researching and analysing attack trends, with a strong focus<br />
on the e-commerce sector.<br />
Unveiling the research, Foregenix's CEO Andrew Henwood said: "The issues highlighted are<br />
a truly global problem, which threatens to undermine confidence in e-commerce, especially<br />
in markets leading the way in online sales, such as the UK. Repercussions as a result of<br />
compromises are heavy penalties by card providers and these put many smaller traders at risk.<br />
Magento and other e-commerce platforms release regular software updates in response to<br />
vulnerabilities. These security patches, if not used, can leave websites highly vulnerable to<br />
hacking and loss of sensitive data."<br />
Online businesses often assume web developers, agencies and hosting providers take care of<br />
security, he adds, cautioning. "Design agencies are great at producing beautiful, transactional<br />
websites that sell their wares, but their expertise on security issues generally isn't as well<br />
developed. Agencies and their clients need to be aware of e-commerce security issues, as<br />
even a single breach can be devastating for a small business."<br />
The fact is that simple precautions can make a real difference in reducing a company's<br />
risk from criminals: regularly patching, changing default settings on the administration<br />
interface and using stronger passwords with multi-factor authentication.<br />
"Risk can never be entirely eliminated," concedes Henwood, "so companies should also<br />
consider investing in a partnership with a cybersecurity specialist organisation and cyber<br />
insurance policy."<br />
Brian Wall<br />
Editor<br />
Computing Security<br />
brian.wall@btc.co.uk<br />
EDITOR: Brian Wall<br />
(brian.wall@btc.co.uk)<br />
PRODUCTION: Abby Penn<br />
(abby.penn@btc.co.uk)<br />
LAYOUT/DESIGN: Ian Collis<br />
(ian.collis@btc.co.uk)<br />
SALES:<br />
Edward O’Connor<br />
(edward.oconnor@btc.co.uk)<br />
+ 44 (0)1689 616 000<br />
Louise Hollingdale<br />
(louise.hollingdale@btc.co.uk)<br />
+ 44 (0)1689 616 000<br />
PUBLISHER: John Jageurs<br />
(john.jageurs@btc.co.uk)<br />
Published by Barrow & Thompkins<br />
Connexions Ltd (BTC)<br />
35 Station Square,<br />
Petts Wood, Kent, BR5 1LZ<br />
Tel: +44 (0)1689 616 000<br />
Fax: +44 (0)1689 82 66 22<br />
SUBSCRIPTIONS:<br />
UK: £35/year, £60/two years,<br />
£80/three years;<br />
Europe: £48/year, £85/two years,<br />
£127/three years<br />
R.O.W:£62/year, £115/two years,<br />
£168/three years<br />
Single copies can be bought for<br />
£8.50 (includes postage & packaging).<br />
Published 6 times a year.<br />
© 2018 Barrow & Thompkins<br />
Connexions Ltd. All rights reserved.<br />
No part of the magazine may be<br />
reproduced without prior consent,<br />
in writing, from the publisher.<br />
www.computingsecurity.co.uk Jan/Feb 2019 computing security<br />
@CSMagAndAwards<br />
3
contents<br />
CONTENTS<br />
COMMENT 3<br />
Hackers exploiting simple oversight<br />
EDITOR’S FOCUS 6-7<br />
Is it possible that Cloud is sinking down the popularity charts and losing its grip?<br />
ARTICLES<br />
TRACKING DOWN THE WEAK LINKS 8<br />
Sometimes it's just basic human error that can result in a costly breach<br />
DRIVING UP THE MARKET 10<br />
Mergers and acquisitions are on the up, much of it driven by security issues<br />
2019: WHAT MAY LIE AHEAD 12<br />
Computing Security asked those in the know to do some future-gazing and give us their top predictions for cybersecurity in 2019. Here's what they had to say<br />
POWERFUL ALLIANCE 18<br />
CYJAX has been working closely for some time now with Oxford University and the Centre for Doctoral Training in Cyber Security - and these 'Deep Dive Days' are really paying off for all involved<br />
THE LURKING THREAT 20<br />
Quantum computing's ability to work outside the linear processes that we are so familiar with can also pose a threat<br />
MASTERCLASS 22<br />
Cloud can still be the most secure environment for business, argue Nigel Hawthorn, data privacy expert at McAfee, and Charlotte Gurney, marketing manager at Brookcourt Solutions<br />
SPORTING CHANCE 23<br />
On-line attacks on volunteer-run sports and leisure clubs appear to be soaring<br />
DO NOT PASS GO! 24<br />
Passwords are a never-ending headache for most organisations and a boon for hackers looking for easy access to someone's data.<br />
BROUGHT DOWN TO EARTH 26<br />
Cybercriminals who carried out a hack on British Airways compromised the data of around 380,000 passengers, seizing billing details and addresses, bank and credit card numbers, and CVV codes.<br />
THE CYBER KILL CHAIN MODEL 29<br />
Advanced Persistent Threats (APTs) have been wreaking serious damage. But how do you detect and prevent them?<br />
TIPS FOR MANUFACTURERS 30<br />
Here are three top tips for manufacturers that will help to keep their sensitive data out of grasping hands<br />
INCIDENT RESPONSE PLANNING 31<br />
Why do organisations use processes and procedures for incident response planning? So that everyone knows exactly what to do and when to do that<br />
PRINTER HACKING IN IOT AGE 32<br />
Analyst and research firm Quocirca have released findings that show more than 60% of organisations have experienced at least one data breach, due to insecure printing practices<br />
PRODUCT REVIEW 17<br />
AlienVault USM Anywhere<br />
Brookcourt sell leading high-end technology and services within<br />
the Security, Monitoring, Network Management and Compliance<br />
marketplace for leading Fortune 500 companies – including the<br />
largest telecommunications providers within the UK, high street<br />
banks, global retail enterprises and the largest oil companies<br />
across the world.<br />
Brookcourt can help defend your business against today's<br />
adversaries and cyber threats whilst helping you with your data<br />
protection and control. Our leading-edge cyber threat intelligence<br />
technologies are provided to leading global institutions as well<br />
as smaller enterprises as a complete managed service.<br />
Get in touch today: contact@brookcourtsolutions.com<br />
Cyber Surveillance • Security • Networking • Consultancy • Managed Services<br />
Multi Award Winning<br />
Trusted Partner of the Cyber Defence<br />
Alliance (CDA). Working collaboratively<br />
to fight cyber threats and crime<br />
ISO 9001 • ISO 14001 • ISO 22301 • ISO 27001 • OHSAS 18001<br />
For more information contact Brookcourt Solutions t: +44 (0) 1737 886 111 www.brookcourtsolutions.com
editor's focus<br />
CLOUD SINKS LOWER<br />
'CLOUD' HAS BEEN ALL THE RAGE FOR SOME TIME NOW, BUT ITS PREDOMINANCE HAS<br />
BEEN CHALLENGED OF LATE. MIGHT ITS STATUS HAVE TO BE RE-EVALUATED SOMEWHAT?<br />
Data analytics and cybersecurity pushed<br />
cloud out of the top spot for increased<br />
technology investment by government<br />
CIOs in 2019, according to a survey from<br />
global research organisation Gartner. This<br />
increased focus on data reflects CIOs'<br />
acknowledgment that artificial intelligence<br />
(AI) and data analytics will be the top "game-changing"<br />
technologies for government in<br />
2019.<br />
Gartner's 2019 CIO Agenda Survey gathered<br />
data from a total of 3,102 CIO respondents<br />
in 89 countries and across major industries,<br />
including 528 government CIOs. Government<br />
respondents are segmented into national or<br />
federal; state or province (regional); local; and<br />
defence and intelligence, to identify trends<br />
specific to each tier.<br />
"Taking advantage of data is at the heart of<br />
digital government - it's the central asset to<br />
all that government oversees and provides,"<br />
says Rick Howard, VP analyst at Gartner.<br />
"The ability to leverage that data strategically<br />
in real time will significantly improve<br />
government's ability to seamlessly deliver<br />
services, despite increased strain on finite<br />
resources."<br />
"To meet increased demand and evolving<br />
expectations of citizens for effective and<br />
efficient services, government must continue<br />
to enhance its digital maturity," Howard<br />
states. "Government CIOs clearly recognise<br />
the potential of digital government and have<br />
started developing new digital services, but<br />
now need to take digital beyond a vision to<br />
execution through digital leadership."<br />
DIGITAL MATURITY ADVANCING<br />
When it comes to strategic business priorities,<br />
the survey found that 18% of CIOs across all<br />
levels of government have prioritised digital<br />
initiatives again this year as key to achieving<br />
mission outcomes, compared with 23% from<br />
all other industries. The next three business<br />
priorities for government are industry-specific<br />
goals (13%), operational excellence (13%)<br />
and cost optimisation/reduction (8%).<br />
The survey data indicates that governments<br />
are making deliberate progress toward<br />
designing and delivering digital services,<br />
achieving comparable maturity to other<br />
industries overall. When asked what stage<br />
their digital initiative was at, 29% of<br />
government respondents say their<br />
organisations are scaling and refining their<br />
digital initiatives - the tipping point at which<br />
a digital initiative is considered mature. This is<br />
up from 15% in the 2018 survey. However,<br />
government is still lagging other industries<br />
(33% overall) in scaling and refining digital<br />
initiatives. The gap is particularly marked in<br />
defence and intelligence, where just nine<br />
percent of respondents have scaled digital<br />
initiatives.<br />
Despite the focus on digital, only 17% of<br />
government CIOs plan to increase their<br />
investment in digital business initiatives,<br />
compared with 34% of CIOs in other<br />
industries. While government CIOs<br />
demonstrate clear vision in the potential<br />
for digital government and its emerging<br />
technologies, 45% report they lack the IT<br />
and business resources required to execute.<br />
AI JUMPS AHEAD<br />
AI has taken the lead as the top game-changing<br />
technology for government CIOs<br />
for 2019. AI (27%) is followed by data<br />
analytics (22%) and cloud technologies<br />
(19%). Cloud dropped from first across all<br />
levels of government last year, to third overall<br />
in this year's survey. "AI introduces new<br />
insights and delivery channels that will enable<br />
governments to scale in magnitudes not<br />
previously possible," Howard adds. "This<br />
will allow reallocation of valuable human<br />
resources to more complex processes and<br />
decisions."<br />
Among government respondents, 10% have<br />
already deployed an AI solution, 39% intend<br />
to deploy in the next one to two years, and<br />
an additional 36% intend to deploy an AI<br />
solution within the next two to three years.<br />
Among all levels of government, business<br />
intelligence (BI) and data analytics (43%),<br />
cyber/information security (also 43%)<br />
and cloud services/solutions (39%)<br />
are the most common technology<br />
areas for increased technology<br />
investment in 2019. Cloud dropped<br />
from first place last year to second<br />
overall for 2019.<br />
According to Howard, the fact that<br />
cybersecurity remains an area of<br />
projected increased spending reflects<br />
government's recognition of its role<br />
as the steward of public data, with<br />
secure transactions now table stakes for<br />
governments in a digital world.<br />
"In today's digital world, cyberattacks are<br />
highly visible, increasingly malicious and<br />
costly, and they erode the public's trust," he<br />
states. "Government CIOs have steadily<br />
increased their prioritisation of cybersecurity<br />
over the years and have gained executive<br />
commitment to vigilance in ensuring that<br />
ever-evolving malicious attacks and threats<br />
are mitigated to the greatest extent possible."<br />
According to McAfee: "Cloud computing<br />
presents many unique security issues and<br />
challenges. In the cloud, data is stored with<br />
a third-party provider and accessed over the<br />
internet. This means visibility and control over<br />
that data is limited. It also raises the question<br />
of how it can be properly secured. It is<br />
imperative everyone understands their<br />
respective role and the security issues<br />
inherent in cloud computing."<br />
SHARED RESPONSIBILITY<br />
Cloud service providers treat cloud security<br />
risks as a shared responsibility, it points out.<br />
"In this model, the cloud service provider<br />
covers security of the cloud itself and the<br />
customer covers security of what they put in<br />
it. In every cloud service - from software-as-a-service<br />
(SaaS) like Microsoft Office 365 to<br />
infrastructure-as-a-service (IaaS) like Amazon<br />
Web Services (AWS) - the cloud computing<br />
customer is always responsible for protecting<br />
their data from security threats and<br />
controlling access to it."<br />
Most cloud computing security risks are<br />
related to data security. Whether a lack of<br />
visibility to data, inability to control data, or<br />
theft of data in the cloud, most issues come<br />
back to the data customers put in the cloud.<br />
Taking software-as-a-service (SaaS) as just one<br />
instance, McAfee offers 10 cloud security<br />
issues:<br />
• Lack of visibility into what data is within cloud applications<br />
• Theft of data from a cloud application by a malicious actor<br />
• Incomplete control over who can access sensitive data<br />
• Inability to monitor data in transit to and from cloud applications<br />
• Cloud applications being provisioned outside of IT visibility (eg, shadow IT)<br />
• Lack of staff with the skills to manage security for cloud applications<br />
• Inability to prevent malicious insider theft or misuse of data<br />
• Advanced threats and attacks against the cloud application provider<br />
• Inability to assess the security of the cloud application provider's operations<br />
• Inability to maintain regulatory compliance.<br />
As McAfee goes on to conclude:<br />
"Developments such as the rise of<br />
XcodeGhost and GoldenEye<br />
ransomware emphasise that<br />
attackers recognise the value of<br />
software and cloud providers as a<br />
vector to attack larger assets.<br />
“As a result, attackers have been<br />
increasing their focus on this<br />
potential vulnerability. To protect<br />
your organisation and its data,<br />
make sure you scrutinise your cloud<br />
provider's security programs,” it advises. “Set<br />
the expectation to have predictable third-party<br />
auditing with shared reports and insist<br />
on breach reporting terms to complement<br />
technology solutions."<br />
Rick Howard, Gartner: Government CIOs<br />
now need to take digital beyond a vision<br />
to execution through digital leadership.<br />
GARTNER DATA & ANALYTICS SUMMIT<br />
Gartner analysts will provide additional analysis on data and analytics trends at the<br />
Gartner Data & Analytics Summit 2019, taking place 18-19 February in Sydney, 4-6<br />
March in London, 18-21 March in Orlando, 29-30 May in Sao Paulo, 10-11 June in<br />
Mumbai, 11-12 September in Mexico City and 19-20 November in Frankfurt.<br />
cardwave<br />
ARE YOUR EMPLOYEES THE WEAKEST LINK<br />
WHEN IT COMES TO YOUR DATA SECURITY?<br />
By Emma Charlton -<br />
Security & Authentication<br />
Division Lead<br />
Cardwave Services Ltd<br />
Data security has always been a hot<br />
topic, but things got even hotter<br />
last year thanks to the GDPR.<br />
Despite new legislation and hefty fines,<br />
breaches continue to be a daily<br />
occurrence. Businesses invest significant<br />
time and money implementing<br />
sophisticated security measures, but<br />
sometimes it's basic human error that<br />
can result in a costly breach.<br />
We all know the importance of creating<br />
and protecting complex passwords, but<br />
with the average person needing to<br />
remember around 20 account passwords<br />
per day, it's no surprise that corners get<br />
cut and mistakes are made.<br />
Passwords get written down, shared,<br />
simplified. Workstations get left<br />
unlocked when someone just 'nips' to<br />
the photocopier to grab something, only<br />
to be abducted into an impromptu<br />
meeting. Our intentions are good, and<br />
we don't mean to put valuable company<br />
information at risk, but it happens and<br />
the ramifications of a data breach go<br />
beyond a monetary fine. Business<br />
disruption, reputational damage, staff<br />
and customer churn…<br />
PROXIMITY-BASED IDENTITY AND<br />
ACCESS MANAGEMENT TO<br />
MITIGATE INSIDE SECURITY THREATS<br />
Cardwave launches GateKeeper<br />
Enterprise to the UK market<br />
Break free from insecure practices and<br />
move beyond passwords with<br />
GateKeeper Enterprise<br />
GateKeeper Enterprise brings security<br />
and convenience to employees by using<br />
wireless keys to simplify the login<br />
process, remove the need to remember<br />
complex passwords, and enable access to<br />
computers and websites based on their<br />
physical presence.<br />
Furthermore, the GateKeeper Enterprise<br />
wireless authentication system allows<br />
organisations to enhance workflow and<br />
achieve higher levels of security without<br />
inconveniencing the user.<br />
From five workstations to 5,000,<br />
GateKeeper Enterprise provides pain-free,<br />
centralised management of every person,<br />
password and computer on your<br />
network.<br />
• Wireless auto lock and unlock<br />
• 2-factor authentication<br />
• Military-grade AES-256 encryption<br />
• Centralised password management<br />
• Eliminates internal breaches<br />
• Easy installation and support<br />
• Audit logs and reporting<br />
• Increase user productivity<br />
We've all experienced the frustration of<br />
needing to quickly access a document<br />
or some data, only to be scuppered by<br />
a bout of 'fat-finger' syndrome or an<br />
inability to remember a password that<br />
you've entered a million times already.<br />
And if you're really unlucky after<br />
numerous failed password attempts,<br />
you'll be locked out of the system and<br />
end up in a queue waiting for assistance<br />
from IT support. With GateKeeper<br />
Enterprise your workstation automatically<br />
unlocks as you approach, and locks again<br />
as you move out of range.<br />
All GateKeeper Enterprise users can be<br />
managed via the Enterprise Hub, through<br />
which security policies can be deployed,<br />
access rights managed, and usage<br />
tracked and audited.<br />
To find out more or to become<br />
a reseller, please contact Emma at<br />
sales@cardwave.com / 01380 738395<br />
or visit www.safetogosolutions.com<br />
Emma Charlton - Security &<br />
Authentication Division Lead<br />
Cardwave Services Ltd<br />
Interesting facts:<br />
On average, a user spends 6-8 hours<br />
a year typing passwords at different<br />
places.<br />
Gatekeeper Enterprise eliminates<br />
the need to remember complex<br />
passwords and allows employees to<br />
work without interruption.<br />
81% of office employees have access<br />
to sensitive workplace information<br />
through unlocked computers.<br />
Gatekeeper Enterprise prevents<br />
workstations from being left unlocked<br />
when unattended.<br />
80% of IT support requests stem from<br />
passwords. The average business<br />
employee must keep track of<br />
191 passwords.<br />
Gatekeeper Enterprise eradicates the<br />
requirements to remember any<br />
passwords - even domain access -<br />
freeing up valuable IT resources.<br />
mergers & acquisitions<br />
WAGING WAR AGAINST CYBERATTACKS<br />
IDENTITY AND ACCESS MANAGEMENT, ANTI-MALWARE SOFTWARE, NETWORK AND MOBILE SECURITY, IT<br />
SECURITY SERVICES AND FINANCIAL TRANSACTION SECURITY - THESE ARE ALL DRIVING SECTOR<br />
GROWTH<br />
The Cybersecurity M&A Market<br />
Report from international<br />
technology mergers and acquisitions<br />
advisors Hampleton Partners outlines<br />
how high-profile hacks, the global<br />
digitisation of business and new<br />
regulations are driving record transaction<br />
volumes and valuations, with 141<br />
completed transactions by October this<br />
year, surpassing 2016 and 2017 levels.<br />
"2018 saw nine big ticket deals in excess<br />
of $500m from buyers such as Thoma<br />
Bravo, Cisco, RELX, AT&T and Francisco<br />
Partners, which have generated attention<br />
to the sector, helping overall market<br />
valuations reach a new record of 5.6x<br />
sales (trailing 30-month median)," states<br />
Hampleton Partners. "There have been<br />
426 acquisitions in the cybersecurity<br />
sector since 2016. Of the top 40<br />
transactions since 2016, 27% were<br />
made by private equity buyers. A median<br />
consensus of industry analysts forecasts<br />
that the overall cybersecurity market will<br />
grow from $132 billion in 2018 to £212<br />
billion by 2022."<br />
Identity and access management<br />
continues to grow and remains the<br />
cybersecurity subsector with the highest<br />
total disclosed deal value, says the firm.<br />
"One key example of this was Cisco<br />
Systems' big bet on the two-factor<br />
authentication provider Duo Security<br />
for $2.35b at 18.8x sales. As the threat<br />
of security breach through weak user<br />
passwords continues to grow, Cisco sees<br />
a user-friendly dual authentication<br />
solution as a growth opportunity.<br />
"As for the anti-malware sector, we see<br />
that government and defence agencies<br />
tend to fall victim to phishing scams, as<br />
they are highly valuable targets. They<br />
also make attractive clients for companies<br />
like Watchguard Technologies, which<br />
acquired Percipient Networks, to increase<br />
its expertise in preventing email phishing<br />
attacks through DNS."<br />
Henrik Jeberg, director, Hampleton<br />
Partners, further comments: "Hacking<br />
is the newest form of warfare against<br />
businesses, as well as nation states. The<br />
average cost of a single data breach is<br />
now 3 million, up by six per cent in<br />
a year, plus the reputational damage,<br />
which can be catastrophic. Given the<br />
increasing market demand for<br />
cybersecurity solutions due to regulation,<br />
digitisation, high-profile hacks and new<br />
technologies requiring security, we are<br />
not surprised to see a highly active M&A<br />
market for cybersecurity assets at high<br />
valuations. I expect cybersecurity to<br />
remain a hot topic in M&A, even if we<br />
go into a period of more volatile financial<br />
markets."<br />
RANSOMWARE ATTACK<br />
In one high-profile example that is cited<br />
of a cyberattack, container shipping<br />
company Maersk was forced to reinstall<br />
4,000 servers and 45,000 computers<br />
after a 'NotPetya' ransomware attack.<br />
The company reported an indirect cost<br />
through profit loss of over 300 million.<br />
When it comes to the prospects for<br />
cybersecurity in the days ahead, Jeberg<br />
has this to say: "Game-changing<br />
cybersecurity technology is now entering<br />
newer verticals, such as connected and<br />
autonomous vehicles, cryptocurrencies<br />
and digital payment services, presenting<br />
new challenges and major opportunities<br />
for start-ups and scale-ups that can help<br />
businesses protect their valuable IP and<br />
customer data."<br />
04-06 JUNE 2019<br />
THE LEADING EVENT<br />
IN EUROPE FOR INFORMATION<br />
AND CYBER SECURITY<br />
SECURE YOUR PASS NOW<br />
“Walking through the halls<br />
of innovation to shape<br />
what I do for the next year,<br />
amazing! If you work in<br />
tech and you weren’t<br />
there, you missed out”<br />
Infosecurity Europe 2018<br />
Visitor<br />
KEEP IN TOUCH WITH<br />
EVERYTHING INFOSECURITY<br />
@Infosecurity #infosec19
2019 predictions<br />
THE CERTAINTY OF UNCERTAIN TIMES AHEAD<br />
COMPUTING SECURITY ASKS THOSE IN THE KNOW TO DO SOME FUTURE-GAZING AND GIVE US<br />
THEIR TOP PREDICTIONS FOR CYBERSECURITY IN 2019. HERE'S WHAT THEY HAVE TO SAY<br />
Most of us start a new year with a<br />
number of resolutions - maybe to<br />
drink less, be healthier, go to the<br />
gym more often, be nicer to our fellow<br />
beings etc. For many, those good intentions<br />
have already been abandoned by the end<br />
of January. But at least some kind of effort<br />
has been made, hopefully, before that<br />
happens. We also tend to wonder what the<br />
next 12 months might hold in store for us.<br />
In the world of security, similar thoughts<br />
have probably been going through the<br />
minds of those whose goal is to protect<br />
their organisations from the ravages of the<br />
attackers, as they seek to breach their<br />
defences and steal their most precious<br />
data. The big question to which everyone<br />
will want an answer is: "Will I be hit by<br />
a damaging attack in the months ahead?"<br />
The truth is that far too many organisations<br />
suffered a harmful event in 2018 - see page<br />
26 - and the prospect of even more cyberattacks<br />
in 2019 is in the minds of most<br />
businesses. Here are the thoughts of a<br />
number of people whom we asked to<br />
pinpoint what the threat landscape might<br />
look like as we weave our way warily<br />
through the coming months.<br />
NUVIAS GROUP<br />
GDPR - the pain still to come. The GDPR<br />
deadline has come and gone, with many<br />
organisations breathing a sigh of relief that<br />
it was fairly painless. "They've put security<br />
processes in progress and can say that they<br />
are en route to a secure situation - so<br />
everything is okay?" queries Ian Kilpatrick,<br />
EVP Cyber Security, Nuvias. "We are still<br />
awaiting the first big GDPR penalty. When<br />
it arrives, organisations are suddenly going<br />
to start looking seriously at what they really<br />
need to do. So GDPR will still have a big<br />
impact in 2019."<br />
Cloud insecurity - it's your head on the<br />
block. "Cloud insecurity grew in 2018 and,<br />
unfortunately, will grow even further in<br />
2019," says Kilpatrick. "Increasing amounts<br />
of data are being deployed from disparate<br />
parts of organisations, with more and more<br />
of that data ending up unsecured. Despite<br />
the continual publicity around repeated<br />
breaches, the majority of organisations do<br />
not have good housekeeping deployed and<br />
enforced across their whole data estate in<br />
the cloud."<br />
Single factor passwords - the dark ages.<br />
Single-factor passwords are one of the<br />
simplest possible keys to the kingdom and<br />
are the key tool for attack vectors, from<br />
novice hackers right the way up to nation-state<br />
players, he comments. "And yet they<br />
still remain the go-to security protection for<br />
the majority of organisations, despite the<br />
low cost and ease of deployment of multi-factor<br />
authentication solutions. Sadly,<br />
password theft and password-based<br />
breaches will persist as a daily occurrence in<br />
2019."<br />
IoT - an increasing challenge. "The<br />
technology is being increasingly deployed<br />
by organisations, with minimal thought by<br />
many as to the security risks and potential<br />
consequences," Kilpatrick points out.<br />
"Because some IoT deployments are well<br />
away from the main network areas, they<br />
have slipped in under the radar. IoT will<br />
continue to be deployed, creating insecurity<br />
in areas that were previously secure. For the<br />
greatest percentage of IoT deployments, it<br />
is incredibly difficult or impossible to<br />
backfit security."<br />
CYJAX<br />
One of the key developments in 2018 was<br />
the ascendance of cryptomining malware<br />
to the top of the threat tree. Numerous<br />
security researchers believed that it all but<br />
heralded the end of the road for<br />
ransomware. "However, as we noted in a<br />
blog post earlier in 2018, this was not the<br />
case," states Cyjax. "Instead, the emergence<br />
of cryptomining malware merely<br />
precipitated a recalibration of the malware<br />
environment, in which ransomware was<br />
still a prominent threat. A good example<br />
of this is the GandCrab ransomware which,<br />
over the course of 2018, evolved at least<br />
five times to ensure it could stay ahead of<br />
cybersecurity defences.<br />
Cryptominers are arguably the story of<br />
2018. In January, a series of pool-based<br />
miners emerged, many of which had<br />
botnets of millions of infected systems<br />
that could have been used to generate<br />
many millions of dollars a year. While an<br />
organisation hit by cryptomining malware<br />
would not lose any precious data, they<br />
would nonetheless be at risk from<br />
significantly decreased computing power.<br />
"Perhaps the other most significant trend<br />
in the malware landscape has been the rise<br />
of mobile malware," adds Cyjax. "This threat<br />
has grown, as more and more consumers<br />
have turned to their mobile devices, instead<br />
of desktops, for shopping, email and other<br />
tasks. In most cases, threat actors have<br />
looked to distribute malicious apps, with<br />
a focus on stealing data from banking apps<br />
or retail apps. The Google Play Store has<br />
been plagued by these fake apps, which<br />
users download believing them to be<br />
legitimate."<br />
This year will see significant developments<br />
in the mobile malware sphere, Cyjax<br />
believes - a 'professionalisation' of the kind<br />
that was seen a decade ago in PC malware.<br />
"This will see the threats become more<br />
sophisticated as defences improve and<br />
greater targeting is made necessary.<br />
Cryptominers will continue to plague users<br />
around the world, though their meteoric<br />
rise will not be matched in 2019. And more<br />
traditional malware, such as ransomware<br />
and banking Trojans, while appearing to<br />
have been eclipsed by cryptomining threats<br />
in 2018, will nonetheless remain a serious<br />
issue for the foreseeable future."<br />
WEBROOT<br />
As we prepare for what may lie ahead,<br />
Webroot has been taking a look back at the<br />
worst instances of malware and payloads<br />
that hit users in 2018. "Botnets and<br />
banking Trojans are the most commonly<br />
seen type of malware, with Emotet being<br />
the most prevalent and persistent seen to<br />
date," says the company, before going on<br />
to list the "three nastiest":<br />
Emotet is this year's nastiest botnet that<br />
delivers banking Trojans, states<br />
Webroot. "It aspires to increase the<br />
number of zombies in its spam botnet,<br />
with a concentration on credential<br />
gathering. Threat actors have recently<br />
developed a universal plug and play<br />
(UPnP) module that allows Emotet to<br />
turn victims' routers into potential proxy<br />
nodes for their command-and-control<br />
infrastructure."<br />
Trickbot follows a similar attack plan,<br />
"but contains additional modules (with<br />
more added each day) and has even<br />
been seen dropping ransomware.<br />
Imagine all of the machines in your<br />
network being encrypted at once!"<br />
Zeus Panda has similar functionality to<br />
Trickbot, "but has more interesting<br />
distribution methods including macro-enabled<br />
Word documents, exploit kits<br />
and even compromised remote<br />
monitoring and management services".<br />
Webroot also cites cryptomining and<br />
cryptojacking, saying that criminals are<br />
quickly moving to these for faster, less risky,<br />
ways of netting cryptocurrency. "However,<br />
what some may call a victimless crime has<br />
a significant impact for businesses and<br />
consumers alike." The three nastiest it<br />
highlights:<br />
"GhostMiner's distribution method is the<br />
scariest part for its victims, because they<br />
don't know its entry point, similar to a scary<br />
movie where you know someone's in the<br />
house, but you don't know where.<br />
GhostMiner is most commonly seen being<br />
distributed via an exploit in Oracle<br />
WebLogic (CVE-2018-2628).<br />
"WannaMine's Windows management<br />
instrumentation (WMI) persistence<br />
technique is extremely nasty, allowing it to<br />
remain stealthy and difficult to find and<br />
remove.<br />
"Coinhive, initially innocent, was quickly<br />
added to the standard toolkit for attackers<br />
compromising websites. Even legitimate<br />
website owners are using Coinhive without<br />
knowing the impact it will have on their<br />
visitors. If your computer processing power<br />
(CPU) spikes to 100 percent when simply<br />
visiting a website, it might be Coinhive."<br />
Ransomware, meanwhile, has taken a<br />
backseat to the top threats in 2018, due<br />
to the rise of cryptomining. "However,<br />
ransomware has become a more targeted<br />
business model for cybercriminals, with<br />
unsecured remote desktop protocol (RDP)<br />
connections becoming the focal point of<br />
weakness in organisations and a favourite<br />
port of entry for ransomware campaigns,"<br />
adds Webroot.<br />
Tyler Moffitt, senior threat research<br />
analyst, Webroot, concludes: "In 2018, we<br />
saw cyberattacks changing faster than ever,<br />
evading traditional defences and wreaking<br />
havoc on businesses and everyday internet<br />
users alike. From gaping security holes,<br />
such as unsecured RDP, to tried-and-true<br />
tactics like phishing and exploits, to<br />
stealing crypto in the form of CPU power,<br />
cybercriminals are exploiting vulnerabilities<br />
in increasingly malicious ways. Businesses<br />
and individuals must be vigilant, stay<br />
informed and focus on improving their<br />
overall cyber hygiene to avoid the<br />
devastating effects of these attacks."<br />
GEMALTO<br />
"2019 will see the emergence of the future<br />
of security - crypto-agility," states Jason<br />
Hart, CTO, Data Protection at Gemalto.<br />
"As computing power increases, so does<br />
the threat to current security protocols.<br />
But one notable example is encryption, the<br />
static algorithms of which could be broken<br />
by the increased power. Crypto-agility will<br />
enable businesses to employ flexible<br />
algorithms that can be changed, without<br />
significantly changing the system<br />
infrastructure, should the original<br />
encryption fail. It means businesses can<br />
protect their data from future threats<br />
including quantum computing, which is<br />
still years away, without having to tear up<br />
their systems each year as computing<br />
power grows."<br />
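One way to make Hart's crypto-agility concrete is to tag every protected object with an algorithm identifier and let the verifier decide, from a registry it controls, which identifiers it still honours. The following is an added example, not Gemalto code; the algorithm identifiers (hs256, hs512, hs1), the token layout and the migration flag are all assumptions for the illustration.<br />

```python
"""Algorithm-agile message authentication (added illustration; not Gemalto code).

Each token carries an explicit algorithm identifier. The verifier honours that
identifier only if it appears in a registry the verifier controls, so retiring
a construction is a registry change rather than a rewrite of every caller,
and a token cannot talk the verifier into an arbitrary algorithm.
Identifiers, keys and messages below are constructed for the example.
"""
import hmac

# Constructions currently approved for issuing new tokens: id -> hashlib name.
ALGORITHMS = {"hs256": "sha256", "hs512": "sha512"}
# Constructions no longer issued but still verifiable during a migration
# window. A construction judged weak moves here first, then is deleted.
DEPRECATED = {"hs1": "sha1"}
CURRENT_ALG = "hs256"


def _make_token(key: bytes, message: bytes, alg: str, digest: str) -> bytes:
    """Build alg.message.tag; the tag binds the algorithm id as well as the message."""
    tag = hmac.new(key, alg.encode() + b"." + message, digest).hexdigest()
    return alg.encode() + b"." + message + b"." + tag.encode()


def sign(key: bytes, message: bytes, alg: str = CURRENT_ALG) -> bytes:
    """Issue a token; only approved (non-deprecated) constructions may be used."""
    if alg not in ALGORITHMS:
        raise ValueError(f"refusing to issue with non-approved algorithm {alg!r}")
    return _make_token(key, message, alg, ALGORITHMS[alg])


def verify(key: bytes, token: bytes, accept_deprecated: bool = False) -> bytes:
    """Check a token and return its message; raise ValueError on any failure."""
    try:
        alg_b, rest = token.split(b".", 1)
        message, tag = rest.rsplit(b".", 1)   # message itself may contain dots
    except ValueError:
        raise ValueError("malformed token") from None
    alg = alg_b.decode("ascii", "replace")
    registry = dict(ALGORITHMS)
    if accept_deprecated:
        registry.update(DEPRECATED)
    if alg not in registry:  # unknown, retired, or tampered identifier
        raise ValueError(f"algorithm {alg!r} is not accepted")
    expected = _make_token(key, message, alg, registry[alg]).rsplit(b".", 1)[1]
    if not hmac.compare_digest(expected, tag):
        raise ValueError("tag mismatch")
    return message


def rotate(key: bytes, token: bytes) -> bytes:
    """Re-issue an old token under CURRENT_ALG: verify (legacy allowed), sign afresh."""
    return sign(key, verify(key, token, accept_deprecated=True))


if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)
    token = sign(key, b"user=alice;role=reader")
    print(token)
    print(verify(key, token))
    legacy = _make_token(key, b"user=alice;role=reader", "hs1", "sha1")
    print(rotate(key, legacy))          # same message, now under hs256
```

The point to keep is that the identifier travels with the data but the policy lives with the verifier: a token that has had its identifier rewritten to a weaker construction fails verification, a deprecated construction is accepted only while a migration flag is set, and once an entry is removed from both registries every object still using it is simply rejected, without any change to the callers.<br />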
When it comes to AI, Hart has this to say:<br />
"Up until now, the use of AI has been<br />
limited, but as the computing power<br />
grows, so too do the capabilities of AI<br />
itself. In turn this means that next year will<br />
see the first AI-orchestrated attack take<br />
down a FTSE100 company. Creating a new<br />
breed of AI powered malware, hackers will<br />
infect an organisation's system using the<br />
malware and sit undetected gathering<br />
information about users' behaviours, and<br />
organisations' systems.<br />
"Adapting to its surroundings, the<br />
malware will unleash a series of bespoke<br />
attacks targeted to take down a company<br />
from the inside out. The sophistication of<br />
this attack will be like none seen before,<br />
and organisations must prepare themselves<br />
by embracing the technology itself as a<br />
method of hitting back and fight fire with<br />
fire."<br />
Adds Gary Marsden, Cloud Security<br />
Solutions, Data Protection at Gemalto:<br />
"As organisations embrace digital<br />
transformation, the process of migrating<br />
to the cloud has never been under more<br />
scrutiny; from business leaders looking to<br />
minimise any downtime and gain positive<br />
impact on the bottom line, to hackers<br />
looking to breach systems and wreak<br />
havoc. As such, 2019 will see the rise of<br />
a new role for the channel - the Cloud<br />
Migration Security Specialist.<br />
"As companies move across, there is an<br />
assumption that they're automatically<br />
protected as they transition workloads to<br />
the cloud. The channel has a role to play<br />
in educating companies that this isn't<br />
necessarily the case and they'll need help<br />
protecting themselves from threats. It's<br />
these new roles that'll ensure the channel<br />
continues to thrive."<br />
INVINSEC<br />
As many of us look ahead into 2019,<br />
identifying what developments may<br />
impact our personal and business<br />
security, and how we can best prepare<br />
for them, is essential, says CEO of<br />
Invinsec, Andy Samsonoff, as he<br />
pinpoints some key areas to keep a close<br />
watch on:<br />
Cloud application and<br />
data centre attacks<br />
"The ability of having faster and more<br />
reliable internet connections has allowed<br />
for the growth and expansion of cloud<br />
applications and cloud data centres,"<br />
states Samsonoff. "With every new<br />
application that moves to the cloud, it<br />
requires you to trust another vendor, their<br />
software and their security to protect<br />
your information. The inherent risk is that<br />
users can access applications, as well as<br />
your data from almost anywhere, as long<br />
as they have the user's credentials. It<br />
becomes a bigger risk when those users<br />
connect to free or public wi-fi."<br />
Shadow IT applications<br />
"We are going to see an increase in<br />
shadow IT applications being used.<br />
We can see that over the next few years<br />
these applications are going to cause<br />
serious damage. Industry professionals<br />
sometimes refer to them as renegade<br />
applications, where employees download<br />
non-corporate-approved (and potentially<br />
insecure) applications to the same devices<br />
used to access company data. Companies<br />
should consider whitelisting applications<br />
and restricting the ability to download<br />
new software."<br />
And one for 2020: AI<br />
"Predicted security trends for 2019/20<br />
show that AI is poised to help forecast,<br />
classify and potentially block or mitigate<br />
cyber threats and attacks," adds<br />
Samsonoff. "One fundamental idea to AI<br />
is machine learning. Over the past few<br />
years it is being incorporated into many<br />
security applications. Machines will<br />
battle machines in an automatic and<br />
continuous learning response cycle and<br />
this will continue to enhance security<br />
postures."<br />
PULSE SECURE<br />
"Although we are at a point where new<br />
technologies such as AI and ML are<br />
grabbing a lot of the headlines, a major<br />
change for 2019 onwards is focused on<br />
the bigger picture issue of trust," advises<br />
Scott Gordon, CISSP, CMO for Pulse<br />
Secure. "While there has been an<br />
ongoing shift towards the acceptance<br />
of a Zero Trust model becoming the de<br />
facto standard for security architecture,<br />
the next 24 months will see it accelerate<br />
into the practice of many more<br />
organisations."<br />
Zero Trust moves away from the<br />
traditional perimeter-based architecture<br />
that assumed that anybody inside or<br />
getting remote access to the internal<br />
corporate network was trusted. "With the<br />
rise of hybrid IT, employees, privileged<br />
users, partners, guests and even customers<br />
can and will be requesting access to<br />
applications and resources that can be in<br />
the data centre and/or the cloud," he adds.<br />
"As such, the conventional perimeter<br />
defence is more limiting, in terms of<br />
ensuring protected access, as well as more<br />
complex to provision and manage. Getting<br />
a perimeter approach wrong can cause<br />
frustration for users or leave potential gaps<br />
in defences that attackers can exploit."<br />
Zero Trust works on the principle of 'never<br />
trust, always verify'. "With this method,<br />
organisations can dynamically establish<br />
secure connectivity and compliant access<br />
between the users, devices and the<br />
targeted resource and applications, using<br />
a least-privileged security strategy," says<br />
Gordon. "In this approach, access is granted<br />
based on satisfying pre- and post-connect<br />
policy associated with user, device and<br />
security state. By adding microsegmentation,<br />
one can further limit<br />
unauthorised means to discover and exploit<br />
resources."<br />
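Gordon's description of pre- and post-connect policy, least privilege and microsegmentation can be written down as a small decision function. The following is an added example, not Pulse Secure's product: the users, devices, resources, role mapping and thresholds (30-day patch age, 60-minute session) are all constructed for the illustration.<br />

```python
"""Zero Trust access decision (added illustration; not Pulse Secure's product).

Every request is evaluated on user, device and security state, regardless of
where on the network it comes from; what is granted is the least privilege the
caller's role needs; and an established session is re-checked against the same
policy (post-connect), so a device that drifts out of compliance loses access.
Users, devices, resources and thresholds are constructed for the example.
"""
from dataclasses import dataclass, field

MAX_PATCH_AGE_DAYS = 30      # device compliance threshold (assumed)
MAX_SESSION_MINUTES = 60     # re-authentication interval (assumed)

# Least-privilege mapping: (resource, role) -> permitted operations.
ROLE_PERMISSIONS = {
    ("finance-db", "finance"): {"read", "write"},
    ("finance-db", "auditor"): {"read"},
    ("wiki", "staff"): {"read", "write"},
}


@dataclass
class User:
    name: str
    roles: set
    mfa_verified: bool          # single-factor logins are rejected outright


@dataclass
class Device:
    device_id: str
    managed: bool
    disk_encrypted: bool
    patch_age_days: int


@dataclass
class Resource:
    name: str
    sensitivity: str            # "low" or "high"


@dataclass
class Decision:
    allowed: bool
    permissions: set = field(default_factory=set)
    reasons: list = field(default_factory=list)


def pre_connect(user: User, device: Device, resource: Resource) -> Decision:
    """Evaluate a request before any connectivity is established.

    Network location is deliberately not an input: being 'inside' proves nothing.
    """
    reasons = []
    if not user.mfa_verified:
        reasons.append("MFA not satisfied")
    if not device.managed:
        reasons.append("unmanaged device")
    if device.patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append(f"patches older than {MAX_PATCH_AGE_DAYS} days")
    if resource.sensitivity == "high" and not device.disk_encrypted:
        reasons.append("high-sensitivity resource requires disk encryption")
    granted = set()
    for role in user.roles:
        granted |= ROLE_PERMISSIONS.get((resource.name, role), set())
    if not granted:
        reasons.append(f"no role of {user.name} is entitled to {resource.name}")
    if reasons:
        return Decision(False, set(), reasons)
    return Decision(True, granted, [])


def post_connect(user: User, device: Device, resource: Resource,
                 session_minutes: int) -> Decision:
    """Re-evaluate an established session: same policy plus a session age limit."""
    decision = pre_connect(user, device, resource)
    if session_minutes > MAX_SESSION_MINUTES:
        decision = Decision(False, set(),
                            decision.reasons + ["session expired: re-authenticate"])
    return decision


def reachable(user: User, device: Device, resources: list) -> list:
    """Microsegmentation view: names of resources this user/device may even reach.

    Anything else is not advertised to the caller, which limits discovery.
    """
    return [r.name for r in resources if pre_connect(user, device, r).allowed]


if __name__ == "__main__":
    alice = User("alice", {"finance", "staff"}, mfa_verified=True)
    laptop = Device("lt-01", managed=True, disk_encrypted=True, patch_age_days=5)
    finance = Resource("finance-db", "high")
    print(pre_connect(alice, laptop, finance))
    laptop.patch_age_days = 45          # state drifts after connection
    print(post_connect(alice, laptop, finance, session_minutes=10))
```

Two design points carry the weight: the same function is used both before and after connection, so there is no second, weaker code path for established sessions; and a denial returns every failing condition rather than the first, which is what an operator needs to see when a compliant-looking user is refused.<br />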
DIGICERT<br />
One area that is likely to worsen is phishing<br />
attacks, predicts Jeremy Rowley, chief of<br />
product at DigiCert. "In 2016, less than five<br />
per cent of phishing websites were found<br />
on HTTPS. One year later, nearly one third<br />
of phishing attacks were hosted on<br />
websites with HTTPS and almost twenty per<br />
cent were found on HTTPS-protected<br />
domains. There are a couple of reasons<br />
for the change in the way phishers host<br />
their malicious content. First, there are<br />
many more HTTPS websites, which means<br />
there are more websites that can be<br />
compromised. Secondly, browser security<br />
messaging is ambiguous, and now there<br />
are a significant number of HTTPS websites<br />
hosted on domains registered by phishers.<br />
"Hackers are also taking advantage of the<br />
HTTPS designation, because the perception<br />
is that the website is legitimate. While<br />
standards groups, like the anti-phishing<br />
working group, have acknowledged the<br />
problem, they're not coming up with new<br />
solutions to combat the issue. It's a case of<br />
dodgeball, while the problem continues to<br />
grow," he continues.<br />
Another area that will see improvement<br />
in some regions and decline in others is<br />
privacy, Rowley suggests. "Some of the<br />
factors that have led to improvement are<br />
the EU's GDPR, which imposes fines of up<br />
to 20 million euros, and the fact that there<br />
is a strong recognition of the problem<br />
among other countries. The United States<br />
is considering similar laws. Some of the<br />
factors that contribute to the worsening<br />
conditions for privacy have to do with the<br />
value of search data.<br />
"Companies are willing to expose<br />
themselves to fines, because the profit for<br />
this data is worth much more than the<br />
fines. For example, Google has a ninety<br />
per cent share in the search market and<br />
over 50 million user accounts. Google<br />
discovered a flaw in its Google+ API,<br />
with the potential to expose the private<br />
information of hundreds of thousands<br />
of users. Yet the company chose not to<br />
disclose the vulnerability to its users or the<br />
public. It's hard to solve a problem when<br />
the problem itself is so profitable."<br />
However, an area that is likely to see more<br />
adoption is encryption, he adds. "There are<br />
several reasons behind this prediction,<br />
such as Google now requiring HTTPS<br />
everywhere and the industry's commitment<br />
to developing better post-quantum crypto<br />
algorithms. NIST, Microsoft and the IETF<br />
are all coming out with better encryption<br />
technologies, and there are new regulatory<br />
compliance requirements on the horizon.<br />
The rapid increase in the adoption of<br />
encryption is having a positive impact, with<br />
approximately eighty per cent of all traffic<br />
and half of all websites now encrypted,<br />
with further growth expected during 2019."<br />
ANSECURITY<br />
"There is often a sense of déjà vu in the<br />
world of cyber security and 2019 may well<br />
bring another Wannacry-scale attack,"<br />
warns David Peters, technical director,<br />
ANSecurity. "Maybe not ransomware, but<br />
a self-propagating malware that escalates<br />
exponentially. In terms of attack vector, a<br />
possible route could be via Remote Desktop<br />
Protocol, as too many organisations still<br />
expose Remote Desktop Services direct to<br />
the internet, which are still commonly hit<br />
with password stuffing and brute force<br />
attacks that may become a surface area<br />
to be exploited more efficiently with a<br />
network worm."<br />
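The password stuffing and brute-force attempts Peters describes leave a plain trail in the Windows Security log: repeated failed logons (event 4625) with logon type 10 (RemoteInteractive, the RDP path) from the same source. The detector below is an added example, not ANSecurity's tooling; the one-line log format, the sample lines, the five-failures-in-two-minutes threshold and the source addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are all constructed for the illustration.<br />

```python
"""Detecting password guessing against exposed RDP from logon failures
(added illustration; not ANSecurity's tooling).

Windows records a failed logon as Security event 4625; logon type 10
(RemoteInteractive) is the RDP path. The detector keeps a sliding window of
failures per source address and raises an alert when the count in the window
crosses a threshold, noting how many distinct accounts were tried. The log
lines below are constructed in a simplified one-line form, not real exports.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one source hammering the administrator account over RDP,
# one legitimate user with a couple of typos, one non-RDP failure, one success.
SAMPLE_LOG = [
    "2019-01-14T09:12:01Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7",
    "2019-01-14T09:12:03Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7",
    "2019-01-14T09:12:04Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7",
    "2019-01-14T09:12:06Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7",
    "2019-01-14T09:12:07Z EventID=4625 LogonType=3 TargetUser=svc_backup SourceIP=203.0.113.9",
    "2019-01-14T09:12:08Z EventID=4625 LogonType=10 TargetUser=bob SourceIP=198.51.100.23",
    "2019-01-14T09:12:09Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7",
    "2019-01-14T09:12:11Z EventID=4624 LogonType=10 TargetUser=bob SourceIP=198.51.100.23",
    "2019-01-14T09:12:12Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7",
    "malformed entry that a collector might emit",
    "2019-01-14T09:20:00Z EventID=4625 LogonType=10 TargetUser=bob SourceIP=198.51.100.23",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) EventID=(?P<event>\d+) "
    r"LogonType=(?P<ltype>\d+) TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$")

FAILED_LOGON = 4625      # Windows Security event: an account failed to log on
RDP_LOGON_TYPE = 10      # RemoteInteractive (Terminal Services / RDP)


def parse(line: str):
    """Return a dict for a well-formed line, or None so odd lines are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event": int(m["event"]), "ltype": int(m["ltype"]),
            "user": m["user"], "ip": m["ip"]}


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Map source IP -> alert for sources with >= threshold RDP failures in window.

    Lines are assumed to be in time order, as a log export normally is.
    """
    recent = defaultdict(deque)      # ip -> (timestamp, user) pairs inside the window
    alerts = {}
    for line in lines:
        ev = parse(line)
        if ev is None or ev["event"] != FAILED_LOGON or ev["ltype"] != RDP_LOGON_TYPE:
            continue
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()                          # drop failures outside the window
        if len(q) >= threshold:
            users = sorted({u for _, u in q})
            alerts[ev["ip"]] = {
                "failures": len(q),
                "users": users,
                "first": q[0][0],
                "last": ev["ts"],
                # many accounts from one source looks like spraying; few, guessing
                "kind": "password-spraying" if len(users) >= 3 else "password-guessing",
            }
    return alerts


if __name__ == "__main__":
    for ip, a in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {a['failures']} RDP failures {a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}, "
              f"accounts {a['users']}, {a['kind']}")
```

Run over the sample, the detector flags only 203.0.113.7 (six failures against two account names inside the window); the single-failure source and the logon type 3 failure are ignored. In a real deployment the threshold and window need tuning against the organisation's own baseline, and the alert is a prompt to act on the exposure Peters names: Remote Desktop Services should not face the internet directly, and an alert like this is the signal that a gateway, MFA and account lockout are overdue.<br />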
Peters also feels that this year could be<br />
the point where regulators or class action<br />
lawsuits start to hit companies with<br />
massive legal penalties, which may force<br />
a wake-up call that will prompt more<br />
investment in security technologies, human<br />
resources and training. "Speaking of<br />
which," he adds, "user security awareness<br />
training will need to become the norm for<br />
most organisations; phishing simulation<br />
and evaluation solutions have seen massive<br />
growth in recent years, with great success<br />
in educating users to evaluate email links<br />
and attachments independently from IT<br />
and security teams."<br />
Microsoft's 14-hour outage within its<br />
Multi-Factor Authentication (MFA) service<br />
highlights the challenges major cloud<br />
providers appear to be having with security<br />
availability, he points out. "Although<br />
multiple factors of authentication will<br />
continue to grow, uptake is still a very low<br />
percentage," he says. "As a result, 2019 will<br />
see more vendors incentivising customers<br />
to enable MFA by offering discounts.<br />
Universal 2nd Factor (U2F) or FIDO2 may be<br />
a popular choice, but issues still arise with<br />
legacy apps and operating systems that<br />
won't support SAML or other federated<br />
authentication methods."<br />
Botnets will continue to be a threat this<br />
year, as the deployment of IoT increases,<br />
making it a major challenge for information<br />
security professionals. "IoT is becoming<br />
a huge surface area for attack and 'hijack'<br />
by attackers and we'll see lots of new<br />
vulnerabilities being exploited to<br />
compromise IoT devices," Peters concludes.<br />
"Thankfully, traditional network segregation<br />
for most enterprises limits compromise and<br />
lateral movement, but this may not be a<br />
scalable solution and is still not widely<br />
deployed in the consumer space."<br />
product review<br />
ALIENVAULT USM ANYWHERE<br />
Organisations that want their threat<br />
detection, incident response and<br />
compliance management centralised<br />
in one place need look no further than<br />
AlienVault, an AT&T company. Deployed as<br />
a SaaS (software as a service) solution, its<br />
USM Anywhere delivers everything they<br />
could possibly need, all easily accessible<br />
from a single web portal.<br />
USM Anywhere provides a wealth of<br />
security measures, including automatic asset<br />
discovery, IDS, vulnerability assessment, event<br />
correlation, endpoint detection and response<br />
(EDR), compliance reporting and much more.<br />
Its scalable, distributed architecture is built<br />
around on-premises and cloud sensors, so<br />
no network is beyond its reach, and it can<br />
continuously monitor Amazon Web Services<br />
(AWS) and Microsoft Azure cloud<br />
environments.<br />
AlienVault provides purpose-built sensors<br />
for Hyper-V, VMware, AWS and Azure.<br />
These collect data from on-premises and<br />
cloud environments, and securely pass it to<br />
the USM Anywhere cloud-hosted service,<br />
which provides a centralised collection and<br />
management point.<br />
Deployment is simple: we tested the<br />
Hyper-V version and had our sensor VM<br />
ready for action inside 30 minutes. The VM<br />
requires five virtual network interfaces, with<br />
the first used for management and internet<br />
access, while the other four are assigned to<br />
dedicated vSwitches, so they can passively<br />
monitor network traffic from mirrored switch<br />
ports to perform IDS.<br />
An installation wizard quickly sorted out<br />
the sensor connection to our secure cloud<br />
account, created our first network scan for<br />
asset discovery and offered to scan our<br />
Active Directory server. It presented a status<br />
view of the VM network ports to confirm<br />
they were operational and provided details<br />
for Syslog-enabled devices to send logs to<br />
the sensor.<br />
In under an hour, we were logged in to<br />
our cloud portal and viewing all discovered<br />
assets. Identification is accurate, as the scans<br />
correctly surmised we were running<br />
Windows Server 2012 R2 and Server 2016<br />
hosts, had HPE ProCurve networking<br />
switches and multiple storage devices<br />
running various flavours of Linux.<br />
USM Anywhere's dashboard puts everything at<br />
your fingertips, with a default set of graphs<br />
and charts organised neatly into sections for<br />
SIEM alarms and events, asset discovery and<br />
vulnerability assessment. These team up to<br />
provide an instant readout on your security<br />
posture and you can create multiple custom<br />
dashboards from a big list of widgets.<br />
The service runs scheduled standard and<br />
authenticated asset scans where the former<br />
probes network services, looking for<br />
vulnerabilities. Authenticated scans require<br />
administrative access to assets and provide<br />
more accurate information about running<br />
software and its configuration.<br />
The AlienVault Agent can be deployed on<br />
selected assets to gather more detail and<br />
we used the predefined PowerShell script<br />
to download the Windows agent to our<br />
Server 2016 hosts. This also enabled the<br />
EDR feature for continuous asset security<br />
monitoring and compliance, plus file<br />
integrity monitoring.<br />
Alert fatigue is avoided, as rules analyse all<br />
events for behavioural patterns and issue<br />
alarms when the correlation engine has<br />
established patterns, such as cyber-attacks.<br />
Alarms provide a wealth of information<br />
about associated events and the portal also<br />
offers sage advice on remedial action.<br />
USM Anywhere's correlation rules are written<br />
and updated by the AlienVault Labs Security Research<br />
Team through the crowd-sourced Open Threat<br />
Exchange (OTX) community, according to<br />
emerging and evolving threats they see in the<br />
wild, and they use machine learning and human<br />
intelligence to analyse and expand threat<br />
scenarios. Along with extensive alerting facilities,<br />
USM Anywhere provides great reporting features,<br />
including templates for the PCI, HIPAA, NIST and<br />
ISO 27001 security standards.<br />
AlienVault's USM Anywhere is one of the<br />
most complete security solutions on the<br />
market, which we found surprisingly easy to<br />
deploy and use. This all-in-one SaaS platform<br />
presents all the information you need to<br />
pinpoint cyber-threats or asset vulnerabilities<br />
and represents excellent value for businesses<br />
of all sizes.<br />
Product: USM Anywhere<br />
Supplier: AlienVault<br />
Telephone: 353 21 206 3716<br />
Web site: www.alienvault.com<br />
Price: From £832 per month (ex VAT)<br />
deep dive days<br />
Students at the Centre for Doctoral<br />
Training, Oxford University.<br />
POWERFUL ALLIANCE<br />
CYJAX HAS BEEN WORKING CLOSELY FOR SOME TIME NOW WITH OXFORD UNIVERSITY AND THE CENTRE<br />
FOR DOCTORAL TRAINING IN CYBER SECURITY - AND THESE 'DEEP DIVE DAYS' ARE REALLY PAYING OFF<br />
Over the last seven years, CYJAX<br />
has been at the forefront of the<br />
Cyber Threat Intelligence sector,<br />
innovating and developing highly<br />
advanced technology that serves to<br />
protect governments and enterprise<br />
alike. More recently, the CYJAX team's<br />
association with Oxford University and<br />
the Centre for Doctoral Training (CDT) in<br />
Cyber Security has been proving a highly<br />
regarded relationship on both sides.<br />
Indeed, the programme that has<br />
emerged during the last three years<br />
has seen CYJAX take an active role,<br />
alongside major industry players, in<br />
shaping the future curriculum and<br />
influencing the direction of those<br />
studying for their PhDs. This is now<br />
producing some of the world's leading<br />
talents, as well as addressing the skills<br />
gaps in one of the most important<br />
facets of cyber security.<br />
REAL-WORLD CHALLENGES<br />
"Working closely with the University, CYJAX<br />
has been able to produce a series of Deep<br />
Dive Days, which breathe life into the real-world<br />
challenges the students will be<br />
facing," confirms Mark Pearce, chief<br />
marketing officer, CYJAX. "The sessions have<br />
evolved into highly proactive knowledge<br />
exchanges and see students pitched into live<br />
situations where they get the opportunity<br />
not only to apply their own intellects, but<br />
also 'flex the tech', utilising the most<br />
advanced cyber threat intelligence tools<br />
from CYJAX."<br />
The sessions also bring together case<br />
studies from major UK businesses and give<br />
leading cyber security practitioners the<br />
opportunity to share their experiences in<br />
dealing with what is now an all too<br />
common occurrence. As Pearce points out:<br />
"The sessions throw away the text books and<br />
get students to really apply what they know,<br />
and to think about creative solutions, rather<br />
than just theories or some vague hypothesis.<br />
CYJAX Deep Dive Day in progress at Oxford University.<br />
Katherine Fletcher, entering the Robert<br />
Hooke Building, Oxford University.<br />
"The whole idea of these sessions is to<br />
get humans thinking about how they can<br />
combine high intellect with advanced<br />
technological tools to address what will<br />
be facing them in the coming years."<br />
As these sessions continue to evolve, the<br />
need for innovation and the need for greater,<br />
more cohesive, skills sets will see CYJAX and<br />
the academic world striving to match the<br />
pace and continue the battle against the<br />
next generation of nefarious threat actors.<br />
MULTIPLE BENEFITS<br />
Katherine Fletcher, CDT industry liaison<br />
officer at Oxford University, adds that<br />
interaction with firms like CYJAX is hugely<br />
important for the CDT, for several reasons.<br />
"First and foremost, it helps us ensure that<br />
our students are learning about the current<br />
state of the field, from experts working<br />
at the cutting edge. But there are other<br />
benefits: helping our academics and<br />
students build up networks of contacts,<br />
building trust between the university and<br />
the companies, which may turn into future<br />
research projects, and generally keeping us<br />
up to date.<br />
"We integrate industrial connections into<br />
our CDT course with a number of Deep Dive<br />
days each year, as well as research seminars<br />
given by industry practitioners. Some of<br />
these develop into mini projects (short<br />
standalone projects, undertaken in the first<br />
year of the programme) or even a full thesis<br />
project, and, in the case of CYJAX, it has also<br />
led to several of our students doing freelance<br />
work as analysts."<br />
Every firm has different things to offer, but<br />
CYJAX is always a highlight, she states. "They<br />
make a real effort to tailor their Deep Dive<br />
day to be useful for our students - including,<br />
for example, an open discussion of career<br />
progression and life as a CISO. They have<br />
even taken the step of bringing along their<br />
collaborators and customers to discuss their<br />
perspectives, which is a real show of trust<br />
and adds value to the discussion for all<br />
participants."<br />
INNOVATIVE TECHNIQUES<br />
Often, it is the unguarded, off-the-record,<br />
conversations that are most interesting,<br />
she comments. Why is that? "Because this<br />
is where we come across the tacit<br />
knowledge about how the world works:<br />
we can teach ourselves the innovative<br />
techniques and latest systems; what we<br />
really need is the understanding of how<br />
real collaborations run and why X is<br />
favoured over Y in the real world.<br />
"The most successful Deep Dives happen<br />
when the discussion goes both ways: our<br />
students learn from the practitioners and<br />
are also able to give something back.<br />
One of my favourite examples of this was<br />
at the 2017 CYJAX Deep Dive, where the<br />
students were given some sample<br />
exercises to learn how to conduct an<br />
investigation. The cohort went through<br />
the examples so quickly that the CYJAX<br />
team decided to give them a live puzzle<br />
to work on, which their own analysts had<br />
not yet had time to crack, and the<br />
students managed to find the answer<br />
within a few minutes."<br />
critical response<br />
THE QUANTUM THREAT TO CYBERSECURITY<br />
BY RODNEY JOFFE, SVP AND FELLOW, NEUSTAR, AND CHAIRMAN OF THE NEUSTAR INTERNATIONAL<br />
SECURITY COUNCIL (NISC)<br />
Imagine being handed a phonebook<br />
with 10 million entries and a slip of<br />
paper with one phone number on it.<br />
How long would it take you to match the<br />
number on the slip to the entry in the<br />
phonebook? For a human being - as for a<br />
classical search algorithm on a traditional<br />
computer - it would take an average of 5<br />
million attempts to find the right entry. A<br />
traditional computer, of course, can make<br />
each attempt much faster than a person<br />
could, but a search algorithm on a<br />
quantum computer (which can hold vastly<br />
more information at one time) could<br />
perform the same feat 5,000 times faster<br />
than a traditional computer, in just 1,000<br />
operations.<br />
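The phonebook comparison above is the textbook picture of Grover's unstructured search. As an added illustration that is not part of the article, the Python below simulates Grover's algorithm classically on a small search space and sets its iteration count against a one-entry-at-a-time classical search. The (π/4)√N iteration count is the standard Grover bound; for a 10-million-entry phonebook it comes to roughly 2,500 oracle calls, the same order of magnitude as the article's figure.<br />

```python
import math


def classical_expected_probes(n_items):
    """Average number of entries a one-at-a-time search inspects before
    it hits a target placed uniformly at random: about half the list."""
    return (n_items + 1) / 2


def grover_iterations(n_items):
    """Number of Grover iterations that maximises the chance of measuring
    the marked entry: about (pi/4) * sqrt(N), against N/2 classically."""
    return max(1, round(math.pi / 4 * math.sqrt(n_items)))


def grover_search(n_items, target, iterations=None):
    """Classically simulate Grover's search over n_items with one marked
    entry. Returns (probability that a measurement yields `target`,
    iterations used). This is a state-vector simulation, so it only
    demonstrates the algorithm; it offers no speed-up itself."""
    if iterations is None:
        iterations = grover_iterations(n_items)
    # Start in the uniform superposition: every entry equally likely.
    amp = [1.0 / math.sqrt(n_items)] * n_items
    for _ in range(iterations):
        # Oracle: flip the sign of the marked entry's amplitude.
        amp[target] = -amp[target]
        # Diffusion: reflect every amplitude about the mean. The marked
        # entry, now below the mean, is pushed up; the rest shrink.
        mean = sum(amp) / n_items
        amp = [2.0 * mean - a for a in amp]
    return amp[target] ** 2, iterations


if __name__ == "__main__":
    n = 1024
    p, k = grover_search(n, target=77)
    print(f"N={n}: classical ~{classical_expected_probes(n):.0f} probes, "
          f"Grover {k} iterations, P(target)={p:.4f}")
    print(f"N=10,000,000: classical ~{classical_expected_probes(10_000_000):.0f} "
          f"probes, Grover {grover_iterations(10_000_000)} iterations")
```

The security-relevant reading of the sqrt(N) curve is that a brute-force search over a key or password space of size N costs a quantum adversary on the order of √N rather than N/2 guesses, which is why symmetric key lengths are discussed in terms of doubling rather than abandonment.<br />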
This ability to work with huge datasets at<br />
unheard-of speeds is why quantum<br />
computing has long been held as a major<br />
stepping stone for all kinds of sectors.<br />
Medical breakthroughs, new frontiers in<br />
chemistry and manufacturing innovations<br />
might all be leveraged through the ability<br />
to work with lots of information, all at<br />
once - and the race is on to build the<br />
machine capable of the task. In the last<br />
budget, Chancellor Philip Hammond<br />
announced £325 million of funding for<br />
quantum computing research, contributing<br />
to a global budget of billions coming from<br />
governments and private industry.<br />
However, amidst the excitement,<br />
quantum computing's ability to work<br />
outside the linear processes we are familiar<br />
with also poses a key threat to the<br />
cryptographic tools we rely on for our IT<br />
security: in short, if it can find a phone<br />
number, it can find a password.<br />
THE POST-QUANTUM THREAT<br />
At the moment, we rely on encryption,<br />
which is possible to crack in theory, but<br />
impossible to crack in practice, precisely<br />
because it would take so long to do so,<br />
over timescales of trillions or even<br />
quadrillions of years. Without the<br />
protective shield of encryption, a quantum<br />
computer in the hands of a malicious actor<br />
could launch a cyberattack unlike anything<br />
previously seen.<br />
Of course, a fully functioning and<br />
practical quantum computer capable of<br />
that kind of operation does not yet exist -<br />
and there is no consensus over how long it<br />
will be before it does. Nonetheless, we<br />
have already started to see small-scale<br />
quantum attacks in the wild, being used in<br />
conjunction with more traditional attack<br />
vectors, botnets and ports.<br />
On a typical contemporary system, being<br />
used by a company to run various<br />
applications in the cloud, a traffic anomaly<br />
of 300 Mbps would probably not be<br />
noticed and therefore would not trigger<br />
cloud failover. Clever attacks might exploit<br />
this fact to open a window to the system,<br />
bypassing security endpoints, without<br />
triggering the system's mitigation<br />
methods.<br />
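The point of the paragraph above is that a modest bump in traffic sits well below the spike that trips volumetric failover, so a fixed threshold never sees it. As an added example that is not from the article, the Python below runs two checks over constructed per-minute throughput samples: the fixed failover threshold, and a baseline-relative check that flags a 300 Mbps deviation from a 500 Mbps norm. The figures and the 5 Gbps trigger are invented for illustration.<br />

```python
import statistics

# Constructed per-minute ingress samples (Mbps) for a cloud-hosted service.
# Made-up figures for illustration, not measurements from the article.
BASELINE_MBPS = [480, 505, 495, 510, 490, 500, 515, 485, 498, 502, 507, 493]

# Hypothetical volumetric failover trigger: only trips on a roughly 10x spike.
FAILOVER_THRESHOLD_MBPS = 5000


def absolute_threshold_alert(sample_mbps, threshold=FAILOVER_THRESHOLD_MBPS):
    """Fixed-threshold check of the kind that drives cloud failover."""
    return sample_mbps >= threshold


def z_score(sample_mbps, baseline):
    """Distance of the sample from the baseline mean, in baseline standard deviations."""
    mean = statistics.mean(baseline)
    stdev = statistics.stdev(baseline)
    return (sample_mbps - mean) / stdev


def baseline_alert(sample_mbps, baseline, sigma=3.0):
    """Baseline-relative check: flags deviations far smaller than the failover trigger."""
    return abs(z_score(sample_mbps, baseline)) > sigma


def evaluate(samples, baseline=BASELINE_MBPS):
    """Return (sample, fixed-threshold alert, baseline alert) for each sample."""
    return [(s, absolute_threshold_alert(s), baseline_alert(s, baseline)) for s in samples]


def sustained_alert(samples, baseline=BASELINE_MBPS, consecutive=3, sigma=3.0):
    """Require several consecutive out-of-band minutes before alerting, so a
    single noisy sample does not page anyone but a sustained shift does."""
    run = 0
    for s in samples:
        run = run + 1 if baseline_alert(s, baseline, sigma) else 0
        if run >= consecutive:
            return True
    return False


if __name__ == "__main__":
    for sample, fixed, relative in evaluate([510, 800, 6000]):
        print(f"{sample:>5} Mbps  failover-threshold={fixed!s:5}  baseline-3sigma={relative}")
    print("sustained:", sustained_alert([800, 810, 795, 805]))
```

The baseline here is a static list; in a real deployment it would be a rolling window per service, and the consecutive-minute rule is the cheap defence against alerting on one bad sample.<br />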
PLAN FOR TOMORROW'S QUANTUM<br />
TODAY<br />
For both today's small-scale threats and the<br />
major attacks looming on the horizon, it is<br />
vital that IT professionals begin responding<br />
to quantum immediately. The security<br />
community has already launched a<br />
research effort into quantum-proof<br />
cryptography, but information<br />
professionals at every organisation holding<br />
sensitive data should have quantum on<br />
their radar.<br />
As ever, an up-to-date security strategy is<br />
key: systems must be updated and any<br />
unnecessary services operating in the<br />
infrastructure could provide a window for<br />
quantum attacks and so should be<br />
removed.<br />
Beyond this, quantum computing's ability<br />
to solve our great scientific and<br />
technological challenges will also be its<br />
ability to disrupt everything we know<br />
about computer security. IT experts of<br />
every stripe will need to work to rebuild<br />
the algorithms, strategies, and systems<br />
that form our approach to cybersecurity.<br />
Hear from over 200 expert speakers<br />
covering key topics and meet<br />
over 150 providers offering leading<br />
cloud and cyber security services<br />
and solutions at the UK’s largest cloud<br />
and cyber security event.<br />
Register for your free ticket today:<br />
www.cloudsecurityexpo.com/ComputingSecurity1<br />
SECURING<br />
DIGITAL<br />
TRANSFORMATION<br />
Security is not just for the IT team: it now impacts everyone, and is an imperative<br />
consideration for the entire business. Join us on 12-13 March 2019 to gain<br />
knowledge and insight from industry leading security experts on emerging<br />
trends, tech deep dives, lessons learned and market forecasts.<br />
Our 2019 speakers include:<br />
• John Meakin, Group Chief Information Security Officer, GSK<br />
• Chi Onwurah, Shadow Minister of Industrial Strategy, Science and Innovation, UK Parliament<br />
• Jon Townsend, CIO, National Trust<br />
• David Deighton, Chief Architect and CISO, University of Birmingham<br />
• Emeric Miszti, CISO, Motor Insurers Bureau<br />
• Razvan Tudor, Chapter Lead, ING<br />
For more information contact<br />
the team today on +44 (0)207 013 4997<br />
CO-LOCATED<br />
WITH:
masterclass<br />
CLOUD ADOPTION: A BLESSING, NOT A CURSE, FOR IT SECURITY<br />
NIGEL HAWTHORN, DATA PRIVACY EXPERT AT MCAFEE, AND CHARLOTTE GURNEY, MARKETING MANAGER AT<br />
BROOKCOURT SOLUTIONS, CONSIDER HOW CLOUD CAN BE THE MOST SECURE ENVIRONMENT FOR<br />
BUSINESS, DESPITE INCREASINGLY SOPHISTICATED THREATS AND GROWING CYBERCRIMINAL INTEREST<br />
Charlotte Gurney, Marketing Manager,<br />
Brookcourt Solutions.<br />
Modern IT architecture is rapidly<br />
evolving, with the cloud and a<br />
range of connected devices<br />
becoming the new anchors for enterprise<br />
data. Organisations are recognising that<br />
moving to Office 365 enables rapid<br />
collaboration, while the likes of Amazon Web<br />
Services (AWS) and Microsoft Azure can help<br />
their IT infrastructure become more<br />
responsive and flexible to drive further<br />
innovation. However, theft of data or an<br />
attacker gaining entry to corporate cloud<br />
infrastructure can stop innovation in its<br />
tracks.<br />
VALUABLE DATA IN THE CLOUD<br />
McAfee's recent Cloud Adoption and Risk<br />
Report found that 21% of data stored in the<br />
cloud is sensitive, such as intellectual property<br />
or customer data. Today, cybercriminals are<br />
turning their attention to this valuable data.<br />
Possible threat scenarios include password<br />
reuse from consumer to business cloud<br />
services, cloud-native attacks targeting weak<br />
APIs, hunting for poor cloud security<br />
configurations, and using the cloud as a<br />
springboard for cloud-native man-in-the-middle<br />
attacks to launch cryptojacking<br />
malware.<br />
With the increased adoption of services like<br />
Office 365, McAfee has pinpointed a surge of<br />
attacks on the service - especially attempts to<br />
compromise email. As just one example,<br />
McAfee uncovered the KnockKnock botnet,<br />
designed to target system accounts that<br />
typically do not have multifactor<br />
authentication.<br />
We have also seen many high-profile data<br />
breaches attributed to misconfigured<br />
Amazon S3 buckets. This is clearly not the<br />
fault of AWS. Based on the shared<br />
responsibility model, the onus is on the<br />
customer to configure IaaS/PaaS<br />
infrastructure properly. However, many of<br />
these misconfigured buckets are owned by<br />
vendors in their supply chains, not the target<br />
enterprises. This complicates matters for them<br />
and makes it simple for bad actors to find<br />
easy pickings amongst the thousands of<br />
available open buckets.<br />
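The shared responsibility point above is that an open bucket is a customer-side configuration error, and the supply-chain twist is that the bucket may belong to a vendor rather than the enterprise whose data sits in it. As an added example, not McAfee's or Brookcourt's code, the Python below checks a bucket policy document for Allow statements that grant read access to anonymous principals, with a constructed open policy beside a constructed locked-down one. The bucket name, account id and role name are invented.<br />

```python
import fnmatch
import json

# Constructed bucket policies for illustration; not taken from any real account.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",                       # the weak setting: anyone on the internet
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-supplier-bucket",
                     "arn:aws:s3:::example-supplier-bucket/*"],
    }],
})

LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppReadOnly",
        "Effect": "Allow",
        # Hypothetical role in a hypothetical account: only this principal may read.
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-supplier-bucket/*",
    }],
})

# Actions that expose bucket contents if granted to the world.
DATA_READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")


def _as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for the wildcard principal in either of its JSON spellings."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants_data_read(actions):
    """Match action patterns such as 's3:*' or 's3:Get*' against the read actions."""
    return any(fnmatch.fnmatchcase(read.lower(), pattern.lower())
               for pattern in _as_list(actions) for read in DATA_READ_ACTIONS)


def public_read_statements(policy_json):
    """Return (Sid, has_condition) for every Allow statement that lets
    anonymous principals read bucket contents. Conditioned grants are
    reported as well: a Condition narrows access but may still leave the
    bucket world-readable, so it needs a human look."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if not _grants_data_read(stmt.get("Action", [])):
            continue
        findings.append((stmt.get("Sid", "<no Sid>"), "Condition" in stmt))
    return findings


if __name__ == "__main__":
    print("open policy  :", public_read_statements(OPEN_POLICY))
    print("locked policy:", public_read_statements(LOCKED_POLICY))
```

This inspects only the bucket policy; bucket and object ACLs are a separate grant path, and the account-level S3 Block Public Access setting is the control that stops both from being made world-readable in the first place.<br />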
Happily, the cloud can be managed and<br />
controlled, and many policies, in place for<br />
years on endpoints and on-premises servers<br />
for example, can be migrated to the cloud, so<br />
functions such as DLP, user behaviour<br />
analytics, access control, integration with<br />
global authentication systems can all be put<br />
in place. The difficulty for organisations is that<br />
this is not delivered by the security systems<br />
already installed - a new computing system<br />
needs new security tools, such as CASB<br />
(Cloud Access Security Brokers). In addition,<br />
cloud brings in new functionalities that need<br />
managing - the ease of collaborating in the<br />
cloud with external 3rd parties and cloud-to-cloud<br />
traffic. These can also be addressed but<br />
not with the old-school network-based<br />
security systems we have relied on in the past.<br />
SECURING THE CLOUD<br />
For organisations to adopt the cloud with<br />
peace of mind, they not only need visibility<br />
into data and applications, but consistent<br />
data and threat protection policies across<br />
their data and applications wherever they<br />
reside. When managed correctly, the cloud<br />
can be the most secure environment for<br />
business.<br />
Brookcourt Solutions delivers products and<br />
professional services based around McAfee<br />
MVISION cloud-native solutions - designed to<br />
protect data, detect threats and correct any<br />
new vulnerabilities quickly. With McAfee's<br />
MVISION portfolio, the enterprise can mount<br />
a powerful threat and data-centric defence,<br />
spanning from device to the cloud. In this<br />
way, IT security teams can unify threat<br />
defence and data protection as well as<br />
eliminating the silos that inhibit their ability to<br />
manage and adjust security controls in<br />
response to a changing operating<br />
environment.<br />
Security concerns should not be a barrier to<br />
cloud adoption. Together with the native<br />
security delivered by cloud providers such as<br />
AWS, Microsoft Azure and Microsoft Office<br />
365, McAfee aims to make cloud as secure or<br />
more secure than on-premises alternatives.<br />
With McAfee, organisations can securely<br />
harness the power of the cloud to accelerate<br />
business, drive innovation and gain a<br />
competitive edge.<br />
sports and leisure<br />
SPORTING CHANCE<br />
RECENT FIGURES SUGGEST THAT OVER THE LAST YEAR THERE HAS BEEN A 50% INCREASE<br />
IN ONLINE ATTACKS ON VOLUNTEER-RUN SPORTS AND LEISURE CLUBS<br />
A spate of recent targeted online attacks<br />
against sports and leisure clubs<br />
has put the industry on red alert.<br />
The cyber-crimes are said to have cost the<br />
clubs an average of £10,000 each.<br />
Why have they been singled out? Sports<br />
and leisure clubs hold a high volume of<br />
data and are often too small to have a<br />
dedicated team in place to look after their<br />
online security. That makes them an ideal<br />
target for hackers. According to cyber<br />
security specialists DeCyber, cyber-security<br />
products currently available on the market<br />
tend to be structured in a way that large<br />
organisations can adopt and afford, but to<br />
smaller businesses, such as sports clubs,<br />
are not as accessible.<br />
The level of risk these organisations face is<br />
what prompted DeCyber to partner with<br />
international product innovation business<br />
CPP Group UK, a leading cyber training<br />
provider, CybSafe, and Lloyd's of London<br />
(for the provision of cyber insurance) to<br />
launch a suite of products that aims to<br />
transform how clubs manage their online<br />
security and that adapts to their needs.<br />
BESPOKE SOLUTIONS<br />
Given their limited IT infrastructure and<br />
lack of specialist resource, clubs need<br />
software packages that are easy to install<br />
and manage, as well as being inexpensive,<br />
they point out. For its part, DeCyber creates<br />
bespoke packages to suit the requirements<br />
of such organisations.<br />
The partnership between DeCyber and<br />
CPP Group UK has resulted in three new<br />
products that are aimed specifically at<br />
sports and leisure clubs:<br />
• Checking for online cyber risks often<br />
involves users having to give specialists<br />
access to their networks and systems.<br />
With KYND, cyber risks can be checked<br />
via a domain name and the results are<br />
said to be instant, saving users valuable<br />
time. A universal traffic light system of<br />
red, amber and green is also a useful<br />
quality to help monitor and explain<br />
cyber risk through an easy-to-understand<br />
method.<br />
• OwlDetect scans the web (including the<br />
dark web) to detect if information<br />
appears in places it shouldn't, as well as<br />
highlighting the level of risk it poses<br />
and advising next steps to ensure the<br />
information isn't compromised.<br />
• The third product, WardWiz, is<br />
described as a comprehensive anti-virus<br />
software, providing real-time<br />
protection from online threats. As well<br />
as detecting and removing threats from<br />
a device, it can repair any damage<br />
caused and mitigates against future<br />
risks.<br />
All three products can be packaged with<br />
cyber insurance and training to provide<br />
a complete solution, it is stated. DeCyber<br />
was in the process of enabling the online<br />
purchase of these products through its<br />
health check process as Computing<br />
Security went to press.<br />
inside view<br />
DON'T PASS GO!<br />
PASSWORDS ARE A NEVER-ENDING HEADACHE FOR ORGANISATIONS EVERYWHERE - AND A BOON FOR<br />
HACKERS LOOKING FOR EASY ACCESS TO SOMEONE'S DATA. SAMANTHA HUMPHRIES OF RAPID7 OFFERS<br />
HER INSIGHTS INTO THIS THORNY TOPIC<br />
Samantha Humphries: we should be<br />
using unique passwords/phrases across<br />
the accounts that have the most risk<br />
associated with them.<br />
Last summer, as part of a company 'give<br />
back' initiative, a group of us went into<br />
a local secondary school to run a STEM<br />
day. The room I helped with focused on<br />
phishing - we took the students through a<br />
game of phish spotting, which they were<br />
unsurprisingly great at, given that schools<br />
are teaching cybersecurity pretty early on<br />
these days. Every single group scored a false<br />
positive, though, picking up on Facebook's<br />
head office address as a red flag. Ironies<br />
aside, it was a fun day, and very pleasing to<br />
see how switched-on the groups were when<br />
it came to staying safe online.<br />
Mostly for purposes of getting a cheap<br />
laugh, I'd brought along a prop: security<br />
underpants (https://amzn.to/2H2G8uX) to<br />
help thematically cover recommendations<br />
around passwords: don't share them, don't<br />
leave them lying around, change them<br />
frequently. We then got into the<br />
conversation about re-use, which did go a<br />
little sideways from an underpants analogy<br />
standpoint, but we hit on something that is<br />
true the world over. We asked the students<br />
to put their hands up if they ever re-used<br />
their passwords across different websites.<br />
There was a lot of looking around the room,<br />
to check if their friends were going to admit<br />
to it. Slowly, hands started to go up, until a<br />
full house was reached. Every. Single. Time.<br />
Including the teachers. Followed by some<br />
nervous giggling, some embarrassed faces,<br />
and then something of a relieved silence<br />
when everyone realised 'It Wasn't Just Them'.<br />
Everybody does it. And I'll say it out loud<br />
right now, I do it, and I've been in the<br />
security industry longer than some of our<br />
current interns have been alive. We all know<br />
the rules, we hopefully all know the risks,<br />
but we do it anyway. Why? Humans are,<br />
well, human. It's pretty much impossible to<br />
remember unique passwords for each<br />
individual online account. At the very least,<br />
we should be using unique<br />
passwords/phrases across the accounts that<br />
have the most risk associated with them:<br />
banking, health info, work accounts, gmail,<br />
social media, password managers etc.<br />
Ideally combined with two-factor<br />
authentication where it's available.<br />
Some of us devise systems to help us<br />
remember all the things. Horror story alert: I<br />
recall once hearing a senior security<br />
executive proudly announce that they<br />
prepend their password with the name of<br />
the website, eg: haveibeenpwnedpassword.<br />
Guess what, Donald, this really isn't a great<br />
system, if your credentials are harvested<br />
from a breach, it doesn't take a '1337<br />
h4ck3r' to determine what your gmail<br />
password is, and every other account you<br />
have for that matter, plus I would hazard a<br />
guess that 2FA hasn't made it to your radar<br />
just yet either. This is the physical security<br />
equivalent of having identical locks for every<br />
door in your house, your office, your car<br />
and your safe, but using a different<br />
coloured keyfob for each one. Please don't<br />
do this.<br />
So, let's assume you like your job enough<br />
to use a unique password at work and your<br />
IT/Security folks are enforcing some sort of<br />
password policy. For a lot of organisations,<br />
it goes like this: change your password every<br />
90 days, passwords must include one<br />
uppercase character, one lowercase<br />
character, four numbers, one special<br />
character, minimum password length of ten<br />
characters, don't reuse the last sixteen or so<br />
passwords. There are possibly rules around<br />
not using repeated characters, or passwords<br />
similar to previous ones, and ideally lasers<br />
come out of the ceiling, if you include the<br />
actual word 'password'. Sound familiar?<br />
Okay, maybe not the lasers part, but I expect<br />
at least some of the above is true for your<br />
organisation. And I can guarantee you this:<br />
some users have developed a system for<br />
this, too, and it's not as foolproof as they'd<br />
hope.<br />
Arguably, the biggest problem lies with<br />
one of the underpants rules - change them<br />
regularly. I'm not saying this is a bad thing<br />
per se, but where the policy often falls<br />
down is around the 90-day part, because<br />
it tends to drive a particular behaviour. In<br />
many parts of the world, the seasons<br />
change four times a year, so when pushed<br />
to think up a new password at change<br />
time, users pretty frequently include the<br />
season, combine it with the current year<br />
and everyone's favourite special character:<br />
the exclamation mark! Ending up with a<br />
variation on a theme of this: Spring2019!<br />
You may just have experienced the horror<br />
of reading your password in an article. If<br />
that's you, please make sure to include a<br />
password change on your to-do list today.<br />
But don't feel too bad. I promise you that<br />
you aren't alone. Many other people have<br />
come up with the exact same system.<br />
Despite what my kids sometimes think,<br />
Sam isn't psychic, so how does she know<br />
this truth exists?<br />
Every year, Rapid7 produces a research<br />
report on our learnings from the hundreds<br />
of penetration testing engagements, the<br />
wonderfully named 'Under The Hoodie'<br />
https://www.rapid7.com/info/under-the-hoodie.<br />
It's a great read, whether you're on<br />
the hook for security or not, and includes<br />
some fascinating real-life stories from the<br />
field.<br />
Compromised credentials are an<br />
attacker's favourite, used to gain access to<br />
systems and to move around networks<br />
undetected, therefore it's often that we're<br />
asked to try and harvest credentials during<br />
an engagement. We use various methods<br />
to harvest passwords, one of which is the<br />
very quick and very dirty option of<br />
guessing. Not-shockingly, the dreaded "P"<br />
word comes up a lot, sometimes with<br />
numbers at the end, sometimes with a<br />
zero instead of an o, but not exactly rocket<br />
science either way. Variations of the<br />
company name with the same devilish<br />
trickery are fairly common too<br />
(C0mpanyname1234). And time and time<br />
again, when we're hunting around for user<br />
accounts, we find they've set their<br />
password to SeasonYear!<br />
How to be (even!) better at passwords:<br />
• Include a rule in the password policy<br />
disallowing the format of SeasonYear!<br />
because it's all too commonplace. Get<br />
creative about formatting and periodic<br />
changes too.<br />
• Implement a corporate identity<br />
manager / single sign-on tool in your<br />
organisation. There are plenty of good<br />
ones available on the market - they<br />
make life simpler for the users whilst<br />
improving your security posture.<br />
• Password managers, although not<br />
necessarily complete security nirvana, are<br />
good practice in real life. They'll help you<br />
avoid being 'Donald', with the horrible<br />
websitepassword combo.<br />
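The first recommendation above, a policy rule against the SeasonYear! format, is easy to state and slightly fiddly to enforce, because users also reach for the digit-for-letter swaps mentioned earlier (P@ssw0rd, C0mpanyname1234). As an added example that is not Rapid7's code, the Python below is a policy filter that rejects season-plus-year passwords, with or without a trailing symbol, and passwords that still contain a banned word once common substitutions are undone. The banned word list is a constructed placeholder; an organisation would put its own name and product names there.<br />

```python
import re

SEASONS = {"spring", "summer", "autumn", "fall", "winter"}

# Digit/symbol-for-letter substitutions commonly seen in guessed passwords.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# <word><2- or 4-digit year><optional trailing punctuation>, e.g. Spring2019!
# The word is matched lazily so the shortest candidate (the season) is tried first.
SEASON_YEAR = re.compile(r"([a-z@$0-9]+?)(\d{2}|\d{4})[^a-z0-9]*")


def is_season_year(password):
    """True for Spring2019!, Summer19, W1nter2019 and the like."""
    m = SEASON_YEAR.fullmatch(password.lower())
    return bool(m) and m.group(1).translate(LEET) in SEASONS


def contains_banned_word(password, banned_words):
    """Return the banned words present after undoing leet substitutions,
    so P@ssw0rd123 is caught as 'password'."""
    normalised = password.lower().translate(LEET)
    return [w for w in banned_words if w.lower() in normalised]


def check_password(password, banned_words=("password", "companyname")):
    """Return a list of policy violations; an empty list means the
    password passes these pattern checks (length and other rules are
    out of scope here)."""
    reasons = []
    if is_season_year(password):
        reasons.append("season-year pattern")
    for w in contains_banned_word(password, banned_words):
        reasons.append(f"contains banned word '{w}'")
    return reasons


if __name__ == "__main__":
    for candidate in ["Spring2019!", "W1nter19", "P@ssw0rd123",
                      "C0mpanyname1234", "correct horse battery staple"]:
        print(f"{candidate:30} -> {check_password(candidate) or 'ok'}")
```

This filter belongs alongside, not instead of, a breached-password check: the pattern rules catch the predictable formats a 90-day rotation drives people towards, while the breach list catches the individually odd passwords that have already leaked.<br />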
Also, please do check out the Under The<br />
Hoodie videos at the bottom of the<br />
research website to learn more about<br />
what goes on in the world of pen testing.<br />
Samantha Humphries is the senior product marketing manager for Global<br />
Consulting Services at Rapid7. She has nearly 20 years' experience in infosec and<br />
has worked in a plethora of areas, including product management, threat research<br />
and incident response. She has helped hundreds of organisations of all shapes,<br />
sizes and geographies recover and learn from cyberattacks.<br />
airline attack<br />
BROUGHT DOWN TO EARTH<br />
CYBERCRIMINALS WHO CARRIED OUT A HACK ON BRITISH AIRWAYS COMPROMISED THE DATA OF AROUND<br />
380,000 PASSENGERS<br />
The recent major hack on British<br />
Airways' website and mobile<br />
applications, putting at grave risk the<br />
personal information and bank and/or credit<br />
card data of some 380,000 passengers,<br />
netted a haul that included passengers'<br />
names, billing addresses, email addresses,<br />
bank card numbers, credit card numbers,<br />
expiration dates and CVV codes.<br />
As Armor's Threat Research Unit (TRU)<br />
team revealed in their 6 September Threat<br />
Report, stolen credit cards are one of the<br />
most highly sought-after products in the<br />
underground hacker markets. Armor was<br />
quick to track down nine separate hackers,<br />
on both English-speaking and Russian-speaking<br />
markets, who are selling the<br />
credentials for hundreds of stolen credit<br />
cards from the UK, Europe and the US.<br />
And the price at which these are being sold<br />
off might come as a shock to the BA victims<br />
whose personal details were compromised<br />
by a company in whom they had placed<br />
such trust.<br />
BATTERED AND BARTERED<br />
"Current prices for UK credit cards (Visa,<br />
Mastercard and American Express), with<br />
corresponding CVV data and expiration<br />
dates (similar to the data compromised at<br />
BA), runs at $35 each, $30 for a European<br />
Visa, Mastercard or American Express card,<br />
and $15 for a single US Visa or Mastercard<br />
and $18 for an American Express card,"<br />
reveals Armor. Such are the bare statistics<br />
to which personal, highly sensitive data is<br />
reduced.<br />
British Airways' boss Alex Cruz was quick<br />
to apologise in the wake of the attack -<br />
which took place between 21 August and<br />
5 September last year - for what he said was<br />
a "sophisticated breach" of the firm's security<br />
systems. "We are 100% committed to<br />
compensate them, period," Cruz told the<br />
BBC's Today programme. "We are committed<br />
to working with any customer who may have<br />
been financially affected by this attack and<br />
we will compensate them for any financial<br />
hardship that they may have suffered."<br />
Of course, apologies are one thing - being<br />
hacked in the first place is really the problem.<br />
It's all very well to refer to the hack as a<br />
"sophisticated breach" of the firm's security<br />
systems, but the difficulty with that statement<br />
is, consciously or unconsciously, it could be<br />
taken to harbour some underlying implication<br />
that this level of complexity made the breach,<br />
if not excusable, hard to defend against.<br />
If that is true, what hope is there for<br />
organisations when it comes to protecting<br />
themselves? Was BA's security technology up<br />
to the task? Ultimately, is there any solution<br />
out there that can defend against ALL attacks,<br />
known and unknown?<br />
THE BOTTOM LINE<br />
In some instances, breaches occur because<br />
defences are lax and/or inadequate - although<br />
this is in no way to suggest BA's defences<br />
were not robust. In other instances, the<br />
breached business believes that it had every<br />
reason to assume it will not, even cannot, be<br />
breached. Which begs the question: have we<br />
all but reached the point where no one is safe<br />
and no solution can stop successful attacks<br />
by the most determined and best armed?<br />
These are issues that the industry - and<br />
those who use their solutions - must be<br />
pondering, openly or behind closed doors;<br />
which is actually the right thing to do. It<br />
has become the mantra of every solutions<br />
provider to warn enterprises that a breach is a<br />
matter of when, not if, but can they do more<br />
than make a potential hacker look elsewhere<br />
for easier prey? In which case, it is true that<br />
no one is safe; just 'relatively' safe.<br />
"It is inconceivable that British Airways did<br />
not have significant cyber security systems in<br />
place, and certainly they would have spent<br />
a substantial amount of money to stop such<br />
incidents occurring," insists Phil Beckett,<br />
managing director at consulting firm Alvarez<br />
and Marsal. "However, due to the increased<br />
sophistication of attacks, traditional<br />
approaches to cybersecurity have been found<br />
wanting and, as a result, even the biggest<br />
and most sophisticated of organisations can<br />
be hit.<br />
"As seen in this case, and many others<br />
before it, the risks for organisations go well<br />
beyond the fines regulators might issue.<br />
Nonetheless, these fines could be hefty -<br />
up to 4% of annual global revenue - under<br />
the new GDPR regime. It is imperative that<br />
cybersecurity is seen as a strategic business<br />
priority and something no CEO can ignore,"<br />
Beckett adds.<br />
STEPPING UP<br />
Mark Adams, regional vice president of UK<br />
& Ireland, Veeam, credits British Airways for<br />
reporting the breach so quickly, saying that<br />
many others could learn from the handling of<br />
this. "Unfortunately, breaches can happen to<br />
any business and, while BA remain on the<br />
backfoot to ensure this doesn't happen again,<br />
it's important to highlight why all businesses<br />
need to be far more proactive in managing<br />
data and systems, and getting security and<br />
monitoring of data right up front.<br />
"To reduce the chances of breach complaints<br />
and payment of heavy fines, businesses have<br />
several steps they can take. First and<br />
foremost, work to deliver a company-wide<br />
employee training programme on data<br />
protection and phishing attacks. Human-led<br />
errors are still the weakest link in the security<br />
chain for a business. No matter who you are<br />
or who you work for, this must be right.<br />
When the stakes are so high, employees have<br />
to be more aware of their actions.<br />
"From a technology standpoint," Adams<br />
points out, "implementing intelligent data<br />
management tools that can monitor,<br />
automatically spot irregularities and act<br />
accordingly is critical." He adds: "Data collected<br />
by an organisation the scale of an airline is<br />
vast; and they are a prime example of the<br />
type of business that needs to move from<br />
a policy-based mindset of security and data<br />
management to an automated, behaviour-led<br />
approach that can spot inaccuracies and<br />
obscure patterns in data usage.<br />
"For organisations of any scale, the old<br />
school way of manually checking and<br />
monitoring is no longer sufficient, especially<br />
not for businesses of this size," cautions<br />
Adams. "And, while it's near impossible to<br />
prevent all data leakage and data thefts,<br />
an intelligent data management approach,<br />
combined with a strong and versatile incident<br />
response process, can help significantly<br />
reduce the complaints that naturally would<br />
follow."<br />
TOTAL VISIBILITY<br />
The bigger the company name, the louder<br />
the howls of protest after a breach, of course.<br />
They are the ones expected to invest more<br />
time, money and strategic thinking into<br />
ensuring they keep our precious data out of<br />
the hands of hackers. Yet too many are failing<br />
in this regard.<br />
"Large-scale data breaches seem to be<br />
becoming an all-too-regular occurrence, and British<br />
Airways is just the latest in the long line of<br />
British organisations to fall victim," says Adams.<br />
Randy Abrams, Webroot: mobile access<br />
from a 'trusted' device, from an expected<br />
location, can defeat certain types of<br />
heuristics that otherwise would have<br />
raised alarm.<br />
Mark Adams, Veeam: businesses need to<br />
be far more proactive in managing data<br />
and systems, and getting security and<br />
monitoring of data right up front.<br />
Simon Cuthbert, 8MAN by Protected<br />
Networks: personally affected, he has<br />
issues with how the airline handled the<br />
initial response to customers.<br />
"As sophisticated and well-funded threat<br />
actors adapt quickly to new security<br />
measures, trying to protect customer data has<br />
become an exhausting process. But the best<br />
defence in cybersecurity is a proactive one. It's<br />
simply not acceptable that any organisation,<br />
especially one of this size, was not protecting<br />
all of its data, so that it was secured against<br />
any kind of attack, even one via third party<br />
software.<br />
"To protect customers, and their valuable<br />
personal data, businesses must have<br />
complete visibility and control over exactly<br />
where their data resides, and adopt an<br />
encrypt-everything approach, particularly in<br />
this case when precious financial information<br />
was involved. Data that is fully encrypted is<br />
useless to hackers, after all."<br />
With the GDPR in full force, he adds, it's no<br />
longer just a lack of customer trust and a<br />
tarnished reputation that organisations need<br />
to be worried about. "…the risk of weighty<br />
financial penalties means the perils of a data<br />
breach have got a lot more serious."<br />
NOT THE ONLY ONE<br />
While British Airways has taken most of the<br />
recent flak, this, as Randy Abrams, senior<br />
security analyst, Webroot, points out, is not<br />
the whole story. "Air Canada was hacked and,<br />
between August 22 and August 24,<br />
customers' passport details may have been<br />
compromised. The overlapping dates are<br />
probably a blessing, as the odds are small<br />
that the same customers booked both airlines<br />
in the two-day window of overlap."<br />
He goes on to reveal: "In the case of Air<br />
Canada's breach, customers' data, potentially<br />
including passport numbers and expiry date,<br />
passport country of issuance, NEXUS<br />
numbers for trusted travelers, gender, dates<br />
of birth, nationality and country of residence,<br />
may have been compromised. In both cases,<br />
this is data that now may be available to<br />
cybercriminals to aggregate and correlate to<br />
build significantly comprehensive profiles."<br />
A commonality of the breaches is that they<br />
both affected mobile app users. "While no<br />
mention was made of iOS or Android, the<br />
security of financial mobile apps, especially on<br />
Android, is questionable at best. Although<br />
great efforts are made to secure the mobile<br />
apps, credential theft is not uncommon,"<br />
adds Abrams.<br />
"In this case, mobile access from a 'trusted'<br />
device from an expected location can defeat<br />
certain types of heuristics that otherwise<br />
would have raised alarm. The wisdom of<br />
conducting financial transactions on an<br />
Android device, in particular, is open to question.<br />
Mobile security products can be used to help<br />
prevent malicious apps from compromising<br />
devices. If a consumer chooses to conduct<br />
financial transactions on a mobile device, the<br />
additional security is effectively mandatory."<br />
While BA notified affected customers, he<br />
warns that the estimated number of affected<br />
individuals may grow over time. "It is probably<br />
best for all of the customers who booked<br />
during this timeframe to talk to their banks<br />
and set up 2-factor authentication."<br />
TRUSTED BRANDS<br />
Undoubtedly, the British Airways attack will<br />
have been causing serious problems for many<br />
affected customers, including damage to<br />
their finances and credit ratings. "This<br />
incident, the latest in an ever-growing string<br />
of breaches of trusted brands, is likely to add<br />
to a feeling that consumers are losing control<br />
of their personal data," states Gerald Beuchelt,<br />
CISO, LogMeIn. "Customers should also<br />
mitigate any damage by changing their<br />
passwords to something unique across all<br />
accounts and turning on multi-factor<br />
authentication where possible. Individuals<br />
and businesses should also be extra vigilant to<br />
phishing emails, as attacks like this provide<br />
the perfect opportunity for scammers to use it<br />
to their advantage."<br />
However, there is another view of BA's<br />
handling of the breach, other than<br />
acknowledgement of its swift action in<br />
revealing that it had been discovered. Simon<br />
Cuthbert, head of international, 8MAN by<br />
Protected Networks, was one of those BA<br />
customers personally affected and he has<br />
issues with how the airline handled the initial<br />
response to its customers.<br />
"The email received [from BA] was not well<br />
written, nor did it give me as a customer any<br />
comfort in the actions they claim to have<br />
taken. I am sure I am not alone in reading the<br />
email as 'Oops, someone broke in and stole<br />
your personal information, but oh well, we<br />
will try to stop it happening again. Go and<br />
speak to your bank, they know what to do!'"<br />
Adds Cuthbert: "This should be seen as a<br />
warning that no business, large or small, is<br />
exempt from being a target to hackers and<br />
they should ensure they have the necessary<br />
strategies in place, not just to protect from<br />
the risk of a breach, but also in how to handle<br />
one, should it occur."<br />
targeted attacks<br />
UNDERSTANDING CYBER KILL CHAIN MODEL<br />
TO STOP ADVANCED PERSISTENT THREATS<br />
ALTUG ASIK, SENIOR SOFTWARE SPECIALIST, ICTERRA INFORMATION AND COMMUNICATION TECHNOLOGIES,<br />
LOOKS AT APTS AND HOW TO DETECT AND PREVENT THEM<br />
Altug Asik: automation and speed are of<br />
the essence.<br />
The term 'Advanced Persistent Threat'<br />
(APT) was used to describe state-sponsored<br />
cyberattacks designed to steal<br />
data and exploit infrastructures. Today, the<br />
term is used to describe the attacks targeted<br />
at organisations for monetary gain or<br />
espionage.<br />
Advanced Persistent Threat is a sophisticated<br />
attack with the following characteristics:<br />
Advanced: The techniques used to conduct<br />
the stealthy attack require advanced skills and<br />
knowledge in order to exploit the<br />
vulnerabilities of the victim organisation's systems.<br />
Social engineering techniques are frequently<br />
used to attack and infiltrate the organisation.<br />
Persistent: The attack runs for a long time<br />
(up to months), and it involves an external<br />
command and control server that monitors<br />
and extracts data from the victim organisation.<br />
Threat: The process is managed by people<br />
rather than automated code. Organised and<br />
well-funded attackers have specific objectives<br />
and motives.<br />
CYBER KILL-CHAIN<br />
The attackers execute the following steps to<br />
carry out their vicious plans:<br />
Reconnaissance: Information is gathered<br />
studying targets through their public<br />
websites, following their employees on social<br />
media and using other OSINT (Open Source<br />
Intelligence) techniques.<br />
Weaponisation: Attackers analyse the<br />
information they have gathered and<br />
determine their attack methods.<br />
Delivery: Delivery is accomplished through<br />
drive-by download from a website, targeted<br />
phishing attack or infection through an<br />
employee-owned device through a secure<br />
VPN.<br />
Exploitation: Once delivered, the malicious<br />
code is triggered to start exploiting<br />
the organisation's systems.<br />
Installation: Once a single system is infected,<br />
the malicious activity has the potential to<br />
spread rapidly and hide its existence from<br />
security devices through a variety of methods,<br />
including tampering with security processes.<br />
Command and Control (C&C): To<br />
communicate and pass data back and forth,<br />
attackers set up command and control<br />
channels between infected devices and<br />
themselves.<br />
Exfiltration: Captured information is sent to<br />
the attackers' home base for analysis, further<br />
exploitation or fraud.<br />
THE PROBLEM<br />
The attack should be detected and prevented<br />
before spreading over the whole<br />
organisation. Starting with the initial<br />
infection, attackers tend to leave tracks at<br />
every single step, such as malicious<br />
documents and executable files, which can<br />
be found in the filesystem or several other<br />
tracks in memory and registry in case of<br />
fileless malware attacks. Anomalies in<br />
network traffic can be detected while the<br />
attackers are communicating with their C&C<br />
servers as well. Following these tracks during<br />
the attack and employing effective<br />
protection, various attack methods can be<br />
blocked. The key is using fast, machine<br />
learning based security platforms that are<br />
trained on features such as these trails, as<br />
early as possible in the cyber kill chain.<br />
The problem here is to integrate detection,<br />
prevention and removal phases of the attack.<br />
The detection process can be achieved by<br />
machine learning based platforms. However,<br />
these platforms are not smart enough to<br />
accomplish prevention and full removal of<br />
the damage yet. Experienced human security<br />
professionals are still needed for incident<br />
response and recovery.<br />
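The following is an added example, not code from the article or from ICterra: it takes the kinds of tracks the article lists (a dropped executable, a registry persistence key, timer-like connections to one external host), maps each to the kill-chain step it evidences, and escalates hosts that show more than one step. The event format, field names and sample log lines are constructed assumptions.<br />

```python
"""Kill-chain-oriented detection over constructed endpoint and network events.

Added example (not from the article). Each recognised 'track' is mapped to the
kill-chain step it evidences; a host with evidence of several steps is handed
to a human responder, as the article says is still necessary.
"""
from collections import defaultdict
from statistics import mean, pstdev

# The seven steps exactly as the article lists them, in order.
KILL_CHAIN = ["Reconnaissance", "Weaponisation", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Exfiltration"]

# Constructed sample telemetry: (seconds, host, event_type, detail).
EVENTS = [
    (0,   "ws-17", "file_write",   r"C:\Users\anna\AppData\Local\Temp\invoice.exe"),
    (2,   "ws-17", "registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    (60,  "ws-17", "net_conn",     "203.0.113.7:443"),
    (120, "ws-17", "net_conn",     "203.0.113.7:443"),
    (181, "ws-17", "net_conn",     "203.0.113.7:443"),
    (240, "ws-17", "net_conn",     "203.0.113.7:443"),
    (300, "ws-17", "net_conn",     "203.0.113.7:443"),
    (5,   "ws-22", "net_conn",     "198.51.100.10:443"),   # bursty, human-like
    (9,   "ws-22", "net_conn",     "198.51.100.10:443"),
    (400, "ws-22", "net_conn",     "198.51.100.10:443"),
    (401, "ws-22", "net_conn",     "198.51.100.10:443"),
    (900, "ws-22", "net_conn",     "198.51.100.10:443"),
]

EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".js", ".vbs", ".ps1")
STAGING_DIRS = ("\\temp\\", "\\downloads\\", "\\appdata\\")


def stage_for_host_event(event_type, detail):
    """Map one endpoint track to the kill-chain step it evidences, or None."""
    d = detail.lower()
    if (event_type == "file_write" and d.endswith(EXEC_SUFFIXES)
            and any(s in d for s in STAGING_DIRS)):
        return "Exploitation"          # executable dropped in a user staging directory
    if event_type == "registry_set" and "\\currentversion\\run\\" in d:
        return "Installation"          # Run-key persistence so the implant survives reboot
    return None


def beaconing(events, min_samples=4, max_cv=0.1):
    """Return {(host, dest)} whose connection timing is too regular to be human.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between connections: browsing is bursty, implants poll on a timer.
    """
    times = defaultdict(list)
    for ts, host, etype, detail in events:
        if etype == "net_conn":
            times[(host, detail)].append(ts)
    hits = set()
    for key, ts_list in times.items():
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if len(gaps) + 1 < min_samples:
            continue
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            hits.add(key)
    return hits


def kill_chain_progress(events):
    """Return {host: [steps observed, in kill-chain order]} for hosts with evidence."""
    seen = defaultdict(set)
    for _ts, host, etype, detail in events:
        stage = stage_for_host_event(etype, detail)
        if stage:
            seen[host].add(stage)
    for host, _dest in beaconing(events):
        seen[host].add("Command and Control")
    return {h: [s for s in KILL_CHAIN if s in stages] for h, stages in seen.items()}


def hosts_to_escalate(events, min_stages=2):
    """Hosts with evidence of two or more steps go to a human responder."""
    return sorted(h for h, stages in kill_chain_progress(events).items()
                  if len(stages) >= min_stages)


if __name__ == "__main__":
    for host, stages in kill_chain_progress(EVENTS).items():
        print(host, "->", " > ".join(stages))
    print("escalate:", hosts_to_escalate(EVENTS))
```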
Automation and speed are required to cope<br />
with APT attacks. Therefore, security<br />
systems are required which are not only<br />
capable of detecting attack information in<br />
automated fashion, but also capable of using<br />
this intelligence to generate the right<br />
response to stop malicious actions before<br />
they cause substantial damage. Fully<br />
integrated automation for detection and<br />
handling is essential to enhance defence<br />
against advanced persistent threats.<br />
industry insights<br />
THREE CYBERSECURITY TIPS FOR MANUFACTURERS<br />
ADRIAN JONES, CEO OF SWIVEL SECURE, OFFERS THREE ESSENTIAL TIPS FOR MANUFACTURERS THAT<br />
WILL HELP TO KEEP THEIR SENSITIVE DATA OUT OF GRASPING HANDS<br />
Adrian Jones, Swivel Secure:<br />
unauthorised access could have<br />
catastrophic consequences.<br />
The last few decades have seen<br />
numerous incidents where access<br />
controls to sensitive data have been<br />
compromised. Stolen consumer data has<br />
been used by hackers for crimes ranging<br />
from credit theft through to fraud and<br />
blackmail and is well reported. However, the<br />
scale and depth of corporate hacking activity<br />
in manufacturing is less documented.<br />
Here are three tips for manufacturers that<br />
could make the difference between<br />
protecting intellectual property and<br />
unwittingly inviting unauthorised access that<br />
could have catastrophic consequences.<br />
1. Use a jump host<br />
Due to the connected nature of<br />
manufacturing supply chains, manufacturers<br />
need to include security points to prevent<br />
hackers gaining access to multiple systems.<br />
For example, PLCs (programmable logic<br />
controllers), which control hardware for<br />
manufacturing, such as pick-and-place<br />
machines and other automated machines in<br />
manufacturing including computer<br />
numerical control (CNC) machines, can easily<br />
be hacked, if they aren't protected on the<br />
network. PLCs need to be protected from<br />
unauthorised access. A Jump Box or Jump<br />
Server can help protect them from external<br />
threats. This uses a computer on an<br />
insulated network, which allows the PLC to<br />
be accessed by authorised personnel. The<br />
PLC is linked to the outside only when it<br />
needs updating and is isolated at all<br />
other times - closing the connection to<br />
attackers.<br />
The insulated network could also be<br />
secured with multifactor authentication<br />
(MFA). In addition, if your PLCs also support<br />
RADIUS protocol, adding 2FA or MFA to the<br />
RADIUS authentication can further protect<br />
all the PLCs from cyberattacks.<br />
2. Apply single sign-on to access your<br />
separate networks<br />
An infrastructure where hardware such as<br />
PLCs sit on insulated networks, and are<br />
separate to any external facing networks,<br />
will help to prevent hackers gaining access<br />
to the whole network.<br />
But manufacturers may regularly need to<br />
access systems seamlessly and without<br />
compromising security. With so many<br />
systems to keep separate, employees may<br />
require separate log-ins for each, meaning<br />
there's a multitude of usernames and<br />
passwords to remember. This can slow<br />
down or complicate working processes.<br />
Although single sign-on (SSO) can provide<br />
greater efficiency, giving employees access to<br />
all platforms and systems (even if they are<br />
on different networks), it's imperative that<br />
risk-based authentication is utilised with SSO<br />
functionality to ensure continued security.<br />
3. Use multi-factor authentication<br />
But it's not enough just to have a password<br />
for SSO. All the applications, systems and<br />
more on your network could also be secured<br />
with multi-factor authentication (MFA). This<br />
asks the user for a few pieces of evidence,<br />
like a password and a numerical code,<br />
before giving them access to the network.<br />
Choose your MFA supplier wisely and be<br />
aware that some two-factor authentication<br />
applications can be prone to credential<br />
theft - they only update the code every 40<br />
seconds, during which time a hacker can use<br />
the code to access the network.<br />
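As an added example, not code from the article or from Swivel Secure, the verifier below shows how a server can stop a time-based code being reused within its validity window: it records the last time step accepted for each user, so the legitimate login consumes the code and a replay in the same window is rejected. The code generation follows RFC 6238 (HMAC-SHA1, six digits); the article cites a 40-second window, the RFC default step is 30 seconds, and the step length is a parameter here.<br />

```python
"""One-time-code verifier that refuses to accept the same code twice.

Added example (not from the article). A TOTP code stays valid for its whole
time step, so a leaked code can be replayed until it rolls over. Tracking the
last accepted step per user closes that gap on the server side.
"""
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code for the time step containing unix_time (HMAC-SHA1)."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class ReplaySafeVerifier:
    """Accepts each time step's code at most once per user."""

    def __init__(self, step: int = 30, drift_steps: int = 1):
        self.step = step
        self.drift_steps = drift_steps      # tolerate +/- one step of clock skew
        self._last_counter = {}             # user -> highest step already consumed

    def verify(self, user: str, secret: bytes, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for counter in range(now - self.drift_steps, now + self.drift_steps + 1):
            expected = totp(secret, counter * self.step, self.step)
            if hmac.compare_digest(expected, code):
                # A code for this step (or an earlier one) was already used: replay.
                if counter <= self._last_counter.get(user, -1):
                    return False
                self._last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed secret taken from the RFC 6238 test vectors.
    secret = b"12345678901234567890"
    v = ReplaySafeVerifier()
    code = totp(secret, 59)
    print("first use:", v.verify("alice", secret, code, 59))    # True
    print("replay   :", v.verify("alice", secret, code, 70))    # False, same window
```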
Dedicated MFA platforms offer more<br />
secure authentication and are updated<br />
frequently to stay one-step ahead of cyber<br />
criminals, such as delivering a new security<br />
string for each access request. Ensuring the<br />
MFA solution integrates with hundreds of<br />
applications will provide the flexibility for the<br />
fluidity required in architecture to evolve and<br />
grow, while staying protected.<br />
Demanding a comprehensive range of<br />
authentication factors will provide maximum<br />
adoption throughout the organisation and is<br />
a realistic request from any established MFA<br />
provider in 2019.<br />
incident response<br />
THE IMPORTANCE OF EFFECTIVE INCIDENT<br />
RESPONSE PLANNING<br />
BY DAVID GRAY, SENIOR MANAGER INCIDENT RESPONSE PRACTICE LEAD EMEA, NTT SECURITY<br />
David Gray, NTT Security.<br />
Planning for incident response… why<br />
do we use processes and procedures? In<br />
short, so that all our staff know what to<br />
do, and when. Let's begin with an example.<br />
John Volanthen famously and successfully led<br />
the cave rescue of a Thai boys' football team<br />
in July 2018. He recently gave a keynote at<br />
NTT Security's ISW2018 conference in<br />
London. He talked at length about the<br />
importance of having procedures in place to<br />
ensure that all of his team knew what it was<br />
doing and to ensure that safety, which was of<br />
the highest importance here, was achieved.<br />
An example of just how effective prior<br />
planning was in this situation can be seen in<br />
the picture on this page, which shows all<br />
John's personal dive equipment at Heathrow,<br />
waiting to be boarded onto the aircraft. He<br />
and the team received just two hours' notice<br />
before leaving for the airport! Without<br />
planning what would be required (including<br />
equipment and permissions for gas tanks<br />
etc), a two-hour turnaround would have<br />
been impossible. This, albeit in a less dramatic<br />
fashion, directly relates to what incident<br />
response (IR) staff must do on a daily basis.<br />
In information security, an incident response<br />
plan is the high-level schedule that dictates<br />
the actions to be taken, should an<br />
information security incident occur. The NTT<br />
Security 2018 Risk:Value Report highlighted<br />
the lack of preparedness we continue to see<br />
from companies across the board in<br />
developing incident response plans, with less<br />
than half (49%) saying that they had<br />
implemented such a programme. An IR plan<br />
should comprise, at a minimum, the<br />
following:<br />
Workflows - these are typically swim lanes<br />
showing areas of responsibilities and decision<br />
points for escalation, involving external<br />
agencies, declaring breaches, gathering<br />
intelligence and closing down completed<br />
incidents.<br />
Communication - quite simply, who to talk<br />
to when something happens. This can be to<br />
other members of the Security Operations<br />
Centre (SOC) team, but more typically<br />
involves IT operations (server team, gateway<br />
team, architects etc), physical security, human<br />
resources, the media team and, via the SOC<br />
manager, senior management. There is<br />
nothing worse than being in the middle of a<br />
major incident and not knowing who to talk<br />
to!<br />
Sharing - any security team is going to be<br />
constrained by the nature of the information<br />
it is protecting, especially in the new world of<br />
GDPR, so it is important that decisions are<br />
made about what information (if any) the<br />
response team wants to share with peer<br />
groups, national agencies or other<br />
organisations. Defining what information can<br />
be shared and who is authorised to do so<br />
ahead of time removes the risk of leaking<br />
confidential data.<br />
Incident response procedures (IRP) - when a<br />
security incident happens, the response staff<br />
have to know what to do at each point of an<br />
investigation. An appropriate IRP gives the<br />
analyst guidance for what steps they should<br />
be taking to ensure that nothing is missed,<br />
actions are taken rapidly, and all containment<br />
and remediation activities are followed for a<br />
given threat.<br />
In addition, the IR team has to consider<br />
additional components as well - related to<br />
the deployment of equipment, visas, flights,<br />
SLAs, site plans for customer<br />
environment/network and, from a managerial<br />
perspective, ensuring that enough staff are<br />
located in geographical positions to support<br />
ongoing IR activities.<br />
So, stop and look to your processes. Do you<br />
have everything covered? And do you have a<br />
plan in place should an incident happen? If<br />
not - what are you waiting for?<br />
analyst insights<br />
PRINTER HACKING IN THE AGE OF THE IOT<br />
PRINT AND BE DAMNED? IF THE RIGHT SECURITY MEASURES AREN'T IN PLACE,<br />
THAT COULD WELL BE AN ORGANISATION'S FATE<br />
Louella Fernandes, Quocirca: while<br />
connected printers and MFPs bring<br />
convenience and productivity, they<br />
also bring potential security risks.<br />
Analyst and research firm Quocirca<br />
released findings last year that showed<br />
over 60% of organisations had<br />
experienced at least one data breach, due<br />
to insecure printing practices. Over the past<br />
few years, there have been some widely<br />
publicised network printer hacks, usually<br />
pranks and in themselves not particularly<br />
harmful, but they underline the potential<br />
vulnerability of networked printers in the<br />
age of the IoT.<br />
It comes as no surprise, therefore, that 95%<br />
of businesses surveyed by Quocirca reported<br />
that print security was an important element<br />
of their overall information security strategy<br />
(55% said it was very important, while 40%<br />
rated it fairly important). However, only 25%<br />
reported that they are completely confident<br />
that their print infrastructure is protected<br />
from threats.<br />
"While connected printers and MFPs bring<br />
convenience and productivity, they also<br />
bring potential security risks," says Louella<br />
Fernandes, director, Quocirca. "These devices<br />
capture, process, store and output<br />
information, and run embedded software.<br />
Information is therefore susceptible at a<br />
device, document and network level. As well<br />
as putting confidential or sensitive data at risk<br />
of being accessible by unauthorised users,<br />
network connectivity makes vulnerable print<br />
devices potential entry points to the<br />
corporate network."<br />
Open network ports present a security risk,<br />
enabling the MFP to be hacked remotely via<br />
an internet connection, she adds. "Printers<br />
can therefore be prime targets for DDoS<br />
attacks. Hackers may install malware on<br />
poorly protected printers and use them as<br />
ingress points for broader network access or<br />
recruit them to botnets." Indeed, when asked<br />
what aspects about printers as IoT devices<br />
concerned them most, the businesses<br />
surveyed by Quocirca put external<br />
hacker threats top (52% said a<br />
critical or big concern), followed by DDoS<br />
attacks to print devices (44%). Internal<br />
hacker, firmware updates and third-party<br />
collection of data tied for third place (41%).<br />
LONG LIVE PRINT<br />
"Nor is use of printers going away any time<br />
soon," insists Fernandes. "Quocirca's<br />
Print2025 study found that 64% of<br />
businesses surveyed across France, Germany,<br />
The Netherlands, the US and the UK expect<br />
printing to still be important in 2025. That<br />
number rises to approximately three-quarters<br />
of millennials who expect it to be more<br />
important than it is today (that may say<br />
something about the current resurgence of<br />
printed books over ebooks and reflect how<br />
millennials' attitudes differ from their<br />
predecessors in the workplace)."<br />
"While printing volumes will ultimately<br />
decline, there are also some 'sweet spots' in<br />
printer growth, most notably mobile printing.<br />
Over half of the companies surveyed expect<br />
mobile printing to increase by 2025 and over<br />
40% have already implemented mobile<br />
printing to one extent or another."<br />
Clearly, as networked print devices continue<br />
to be central to the way most organisations<br />
operate, they need to have robust security<br />
protection. "While more printer<br />
manufacturers are embedding security in<br />
their new devices, it only takes one rogue,<br />
unsecured device to weaken security," she<br />
points out. "Most businesses using printers<br />
have a mixed fleet of printing devices - old<br />
and new - and from different manufacturers.<br />
This is why businesses need to include<br />
printers within their wider enterprise-wide<br />
security strategies, integrated into overall<br />
security policies and procedures, using a<br />
proactive and multifaceted approach."<br />
How can you step up your printer security?<br />
Quocirca offers these seven steps:<br />
A unified security policy for all printers -<br />
should a data breach occur, an<br />
organisation needs to be able to<br />
demonstrate that appropriate measures<br />
were taken to protect all networked<br />
devices, so it is important to be able to<br />
monitor, manage and report on the<br />
entire printer fleet, regardless of age,<br />
brand or model<br />
Secure printer-network access - multifunctions,<br />
like any other device connected<br />
to the network, need controls that limit<br />
access, manage the use of network<br />
protocols and ports, plus take steps to<br />
prevent potential viruses and malware<br />
Secure the device itself - to secure data,<br />
whether actively in use, sitting idle or<br />
used by the device in a previous job, use<br />
hard disk encryption as an extra security<br />
layer. When the printer is moved or<br />
reaches end-of-life, data overwrite kits<br />
make sure that all scan, print, copy and<br />
fax data stored on the hard disk drive is<br />
destroyed<br />
Secure who can do what - in common<br />
with many other forms of Infosecurity,<br />
user authentication helps to eliminate<br />
the risk of unclaimed output being left<br />
in trays. 'Pull printing' makes sure that<br />
documents are only released physically at<br />
the printer to the authorised recipient<br />
Secure the document itself - digital rights<br />
management (DRM) discourages<br />
unauthorised copying or transmission<br />
of sensitive or confidential information,<br />
using features such as secure<br />
watermarking, digital signatures and<br />
PDF encryption.<br />
Monitor and manage print security ongoing<br />
- organisations need a centralised<br />
and flexible way to monitor usage across<br />
all print devices, at document and user<br />
level, which can be achieved using either<br />
MFP audit log data or third-party tools.<br />
These provide a full audit trail that logs<br />
the identity of each user, the time of use<br />
and details of the specific functions that<br />
were performed<br />
Seek expert guidance - security<br />
assessment services are something that<br />
managed print service (MSP) providers<br />
offer as part of the customer<br />
relationship. Not all are equal. Obviously,<br />
it makes sense to ensure that the risk<br />
assessor has the credentials and<br />
capabilities to fully evaluate the security<br />
risks across device, data and users.<br />
In addition, the most sophisticated<br />
security assessments not only make<br />
recommendations for device<br />
replacement and optimisation, but also<br />
offer ongoing and proactive monitoring<br />
of devices to identify potential malicious<br />
behaviour.<br />
"The bottom line is that printers are no<br />
longer dumb devices, but sophisticated<br />
ingress and egress points in a connected,<br />
increasingly IoT-centric world," Fernandes<br />
concludes. "Businesses clearly need to<br />
incorporate print into their overall security<br />
strategies, help users to use printers safely<br />
and also to work with their printer service<br />
providers. After all, print will continue to<br />
be part of the workplace for some time to<br />
come and, while just one element of a multifaceted<br />
threat landscape, print is an area of<br />
risk that deserves more focus."<br />
fingerprint recognition<br />
BIOMETRIC BREAKTHROUGH<br />
BANK OF CYPRUS CUSTOMERS ARE SET TO BE FIRST TO ENJOY BIOMETRIC CONVENIENCE ON<br />
A CONTACTLESS PAYMENT CARD, WHILE PROTECTING USERS’ DATA PRIVACY AT THE SAME TIME<br />
Gemalto has been selected by Bank of<br />
Cyprus to supply what is said to be<br />
the world's first EMV biometric dual<br />
interface payment card for both chip and<br />
contactless payments.<br />
Using fingerprint recognition, instead of a<br />
PIN code, to authenticate the cardholder,<br />
the card is said to be compatible with existing<br />
payment terminals that are already installed<br />
in the country. When customers place their<br />
fingerprint on the sensor, a comparison is<br />
performed between the scanned fingerprint<br />
and the reference biometric data securely<br />
stored in the card.<br />
The biometric sensor card is powered by the<br />
payment terminal and does not require an<br />
embedded battery; this means there is no<br />
limit from battery life nor on the number of<br />
transactions.<br />
Gemalto's biometric sensor payment card is<br />
based on the principle that biometric data<br />
should always remain in the hands of end<br />
users. Bank of Cyprus' customers will<br />
complete the swift enrolment process at the<br />
bank's branches, using Gemalto's tablet<br />
designed for the solution. The biometric<br />
personalisation and card activation process<br />
has been designed to avoid transmission<br />
of biometric data over the air to ensure<br />
that users' data privacy is protected. The<br />
fingerprint template captured during the<br />
enrolment process is stored only on the card.<br />
"Bank of Cyprus customers will be first in<br />
the world to enjoy biometric convenience<br />
on a contactless payment card. Gemalto's<br />
biometric sensor payment card is designed to<br />
provide maximum security and data privacy,"<br />
claims Bertrand Knopf, Gemalto's executive<br />
vice president Banking and Payment.<br />
"Biometrics, such as fingerprint verification<br />
or facial recognition, are massively used<br />
today by government bodies; for electronic<br />
ID and ePassport border control, for<br />
example. Biometric sources such as DNA<br />
are also used for criminal investigations,<br />
as they allow accurate identification and<br />
can't be forged. Since 2013, with the<br />
introduction of the first iPhone 5 with<br />
TouchID fingerprint verification, commercial<br />
biometrics entered into a new dimension,<br />
with hundreds of millions of smartphones<br />
equipped with fingerprint sensors.<br />
The very first use case for fingerprint<br />
technology was to unlock the phone. It is<br />
also used to log in to mobile apps and<br />
perform mobile NFC payment at the store.<br />
Using biometrics for contactless payments is a<br />
natural move, as it fits in naturally with the<br />
gesture used to pay. It allows a better user<br />
experience, enabling higher transaction<br />
amounts without entering a PIN, while<br />
benefiting from the convenience of<br />
contactless."<br />
Adds Stelios Trachonitis, card centre<br />
manager from Bank of Cyprus: "In order to<br />
bring seamless authentication to the<br />
banking sector, Gemalto has leveraged its<br />
extensive expertise from secure government<br />
documents and leadership in biometric<br />
applications. Our customers will benefit<br />
from this innovative payment solution with<br />
the peace of mind that their biometric data<br />
never leaves their hands."<br />
"Thanks to biometric CVM, contactless can<br />
cover the full payments amount range and<br />
offer an identical customer experience for<br />
contact and contactless, for all amounts,"<br />
comments Gemalto.<br />
IP EXPO Manchester<br />
REGISTER FREE<br />
ipexpomanchester.com<br />
3-4 April 2019, Manchester Central<br />
Co-located at Digital Transformation EXPO, incorporating Cyber Security and AI-Analytics<br />
120+ speakers, 10 theatres, 100+ exhibitors, live demos<br />
The North’s number ONE Enterprise IT event<br />
> Stay up to date with trends & future predictions.<br />
> Explore & experience new & emerging tech.<br />
> Expand your professional network.<br />
> Save time & meet with your existing & new suppliers all in one day.<br />
Register FREE and find out more at ipexpomanchester.com