CS Mar-Apr 2020
Computing<br />
Security<br />
Secure systems, secure data, secure people, secure business<br />
Nightmare Visions<br />
2020 in deeper focus<br />
NEWS<br />
OPINION<br />
INDUSTRY<br />
COMMENT<br />
CASE STUDIES<br />
PRODUCT REVIEWS<br />
Outmanoeuvred!<br />
Breached and unaware<br />
No ducking the issues<br />
CEOs in the firing line<br />
Enigma variations<br />
Film plots with a powerful twist<br />
Computing Security March/April 2020
comment<br />
COVID-19: A NEW LEVEL OF THREAT<br />
We are all well aware of the 'enemies at the gate': the hackers and attackers looking<br />
for every opportunity to seize data by exploiting weaknesses in your defences. Breaches<br />
have reached new heights, with no organisation, however large or small, immune from<br />
such assaults.<br />
Now the cybercriminals have been joined by a powerful ally in the quest to drive<br />
home their advantage - COVID-19. With more and more people working from<br />
home/remotely, the threat that the Coronavirus poses has also become a double-edged<br />
sword. Isolation helps to limit the virus's impact, but also opens the doors to the<br />
cybercriminals intent on getting through poor security systems.<br />
"Cybercriminals are taking advantage of this pandemic, especially when people are at<br />
their most scared and vulnerable," says Thorsten Kurpjuhn, European security market<br />
development manager at Zyxel. "Your computers become the most obvious target."<br />
He advises three steps that should be taken, in order to safeguard your organisation<br />
and employees:<br />
Block it. "Multi-Layer Protection from a default bundled security service can block<br />
malicious and suspicious traffic, ensuring the well-being of your business network."<br />
Learn it. "Cloud Intelligence identifies every incoming threat, so the Cloud Threat<br />
Database keeps learning, evolving and growing stronger after each attack."<br />
Prevent it. "Cloud Intelligence extracts top-ranked threat information and gives all ATP<br />
firewalls constant updates. This global-sharing synergy empowers ATP firewalls to<br />
prevent all hidden threats."<br />
In ordinary times, staying safe is challenging enough. In these extraordinary times,<br />
only constant vigilance, with the appropriate defences in place, will get you through.<br />
Meanwhile, we hope that all of our readers, along with their families and friends,<br />
stay safe and secure, in every sense, during these challenging times.<br />
Brian Wall<br />
Editor<br />
Computing Security<br />
brian.wall@btc.co.uk<br />
EDITOR: Brian Wall<br />
(brian.wall@btc.co.uk)<br />
PRODUCTION: Abby Penn<br />
(abby.penn@btc.co.uk)<br />
LAYOUT/DESIGN: Ian Collis<br />
(ian.collis@btc.co.uk)<br />
SALES:<br />
Edward O’Connor<br />
(edward.oconnor@btc.co.uk)<br />
+44 (0)1689 616 000<br />
PUBLISHER: John Jageurs<br />
(john.jageurs@btc.co.uk)<br />
Published by Barrow & Thompkins<br />
Connexions Ltd (BTC)<br />
35 Station Square,<br />
Petts Wood, Kent, BR5 1LZ<br />
Tel: +44 (0)1689 616 000<br />
Fax: +44 (0)1689 82 66 22<br />
SUBSCRIPTIONS:<br />
UK: £35/year, £60/two years,<br />
£80/three years;<br />
Europe: £48/year, £85/two years,<br />
£127/three years<br />
R.O.W: £62/year, £115/two years,<br />
£168/three years<br />
Single copies can be bought for<br />
£8.50 (includes postage & packaging).<br />
Published 6 times a year.<br />
© 2020 Barrow & Thompkins<br />
Connexions Ltd. All rights reserved.<br />
No part of the magazine may be<br />
reproduced without prior consent,<br />
in writing, from the publisher.<br />
www.computingsecurity.co.uk Mar/Apr 2020 computing security<br />
@CSMagAndAwards<br />
3
CONTENTS<br />
COMMENT 3<br />
COVID-19: A NEW LEVEL OF THREAT<br />
ARTICLES<br />
EDITOR'S FOCUS 6<br />
Big moves on finger vein recognition and Identity-as-a-Service technologies.<br />
CYBERSECURITY & GDPR UNITE 8<br />
Regulation and technology will underpin data security in the years ahead, argues Robert Allen of Kingston Technology<br />
MORE 20/20 VISIONS 10<br />
As cyber anxiety shows itself everywhere, Part 2 of our top predictions for 2020 looks at the many challenges that lie ahead. Now, with the emergence and global impact of COVID-19, that task has been made a whole lot tougher<br />
CEOs IN THE FIRING LINE 14<br />
You can't rely on others to get your Public Key Infrastructure in order, states Andrew Jenkinson, Cybersec Innovation Partners<br />
THE PLOT THICKENS 16<br />
What are the chances that secure data management might have changed the outcomes of several landmark films?<br />
WORLD-WIDE MALICE 20<br />
The impact of indiscriminate malicious activity online is soaring and estimated to hit a global price tag of $6 trillion by next year. Four actionable principles have been identified as successful in preventing malicious activities reaching their targets<br />
ATTACK STATS 'TIP OF ICEBERG' 22<br />
New figures that report a fall in 'computer misuse' and a rise in fraud show the authorities are failing to grasp the true impact of cybercrime, according to a leading cybersecurity expert.<br />
CORONAVIRUS SPOOF ATTACKS 24<br />
Coronavirus outbreak fuels new levels of cyber-attacks and defence breaches<br />
BREACHED - AND UNAWARE 26<br />
47.6% admit they wouldn't know, were a breach to occur within their organisations. Charlotte Williams, marketing & PR manager at total information management company Shredall SDS Group, offers her thoughts from the front row<br />
QUANTUM CRYPTO REVOLUTION 28<br />
Encryption systems offer huge promise, despite many issues still to be overcome<br />
BATTLING THE BREACHES 29<br />
A glut of breaches is prompting many to seek Cyber Essentials audits<br />
CYBER THREAT INTELLIGENCE 30<br />
Thornton-Trump, Cyjax, on vulnerability, exploitation and attacker motivation<br />
HOMING IN ON COVID-19 31<br />
More and more employees are working from home. But dangers lurk there as well<br />
A CYBERSECURITY EDUCATION 32<br />
Despite the GDPR, businesses may still not be taking cybersecurity seriously enough<br />
ESSENTIAL BUILDING BLOCKS 34<br />
A more secure network architecture is vital, states Myles Bray, Forescout<br />
PRODUCT REVIEWS<br />
• Cloud Protection for Salesforce from F-SECURE 32<br />
• Flowmon ADS 33<br />
Ransomware: Are you aware<br />
of the cost of an outbreak?<br />
Ransomware is the most expensive form of malware to hit organisations worldwide<br />
IT professionals understand the productivity,<br />
revenue loss and disruption that a ransomware<br />
outbreak can cause, when it passes the<br />
perimeter and Endpoint Protection Platforms<br />
(Anti-Virus).<br />
However, it can be a struggle for professionals<br />
to communicate and visualise the critical<br />
nature of this threat at decision-making and<br />
board level, particularly when several solutions<br />
have already been purchased to mitigate this<br />
threat.<br />
In past years we have all seen several large<br />
organisations with large IT and security teams<br />
and sizable security budgets, invest in several<br />
best-of-breed solutions at perimeter and<br />
endpoint level, only to still be penetrated and<br />
hit by a ransomware outbreak.<br />
Not many organisations understand the<br />
full financial and organisational impact of a<br />
ransomware outbreak. To aid organisations we<br />
have made it easy to overcome this struggle and<br />
justify why a ‘Last Line of Defence’ is needed.<br />
Historically, the Cybercriminals have always<br />
been one step ahead, resulting in prevention<br />
solutions not being able to cope with all threats<br />
and having the inherent weakness of not<br />
fully protecting, particularly against the latest<br />
threats.<br />
When ransomware has already bypassed all<br />
other defences, there is nothing left in your<br />
environment to stop it from encrypting 7,000<br />
files per minute.<br />
The solution is Bullwall's Last Line of Defence<br />
- RC, a 24/7 automated containment solution<br />
laser-focused on stopping a ransomware<br />
outbreak immediately, thereby keeping disruption,<br />
downtime and cost to the business to an<br />
absolute minimum.<br />
Schedule a demo with Brookcourt Solutions to learn<br />
about our Last Line of Defence solution, which has a<br />
proven record of stopping Ransomware outbreaks.<br />
contact@brookcourtsolutions.com<br />
You can try our Cost of Downtime<br />
calculator based on your numbers:<br />
Please visit bullwall.com/cod<br />
www.brookcourtsolutions.com
editor's focus<br />
RICH VEIN OF POSSIBILITIES<br />
HITACHI AND UBISECURE ARE JOINING FORCES TO INTEGRATE THEIR FINGER VEIN RECOGNITION<br />
AND IDENTITY-AS-A-SERVICE (IDAAS) TECHNOLOGIES. WILL SIMILAR COLLABORATIONS FOLLOW?<br />
I see that the move into the deeper levels<br />
of recognition technology is showing<br />
no signs of letting up. Indeed, two of<br />
industry's heavyweights are stepping into<br />
that ring as a formidable 'tag team', looking<br />
to deliver a knock-out blow to any other<br />
contenders, if they can.<br />
The twosome are Hitachi and Ubisecure,<br />
with the former looking to integrate its<br />
finger vein recognition technology as a<br />
biometric authenticator within Ubisecure's<br />
Identity-as-a-Service (IDaaS) solution.<br />
According to the new alliance, the new<br />
partnership will provide "an unrivalled<br />
frictionless biometric experience that delivers<br />
high quality usability and reduces the risk of<br />
data breach - making it ideal for customer-facing<br />
use cases". So, what's it all about? In<br />
a nutshell, Hitachi's finger vein biometrics<br />
solution, Hand Gesture Technology, can be<br />
used at the user authentication stage for<br />
onboarding and subsequent logins. It can<br />
be activated quickly and easily, it is reported,<br />
through Ubisecure IDaaS, an SaaS product<br />
that allows developers to plug in the latest in<br />
identity management functionality - such as<br />
single sign-on and multifactor authentication<br />
- to apps and services.<br />
What Hand Gesture Technology does is to<br />
enable fast and secure user identification<br />
through the unique vein patterns in fingers.<br />
This way, identity can be verified via a simple<br />
hand gesture to a camera in a standard<br />
laptop or desktop.<br />
By delivering the benefits of biometric<br />
authentication, while sidestepping the usual<br />
requirements for specialised and expensive<br />
reader equipment, the offering is seen as<br />
especially suitable for mass adoption.<br />
According to Simon Wood, CEO at<br />
Ubisecure: "We're committed to providing<br />
customers with a range of secure<br />
authentication options, including biometric<br />
technology. For biometrics to be adopted<br />
at scale, they must be easy to use and,<br />
preferably, require no additional hardware.<br />
"In this sense, Hand Gesture Technology is an<br />
ideal way of implementing the security and<br />
convenience of biometrics without the<br />
common deployment challenges."<br />
For his part, Ravi Ahluwalia, general<br />
manager, Security Business Group at Hitachi<br />
Europe, identifies one clear advantage: finger<br />
veins are non-replicable and cannot be lost<br />
or stolen. He comments: "While the solution<br />
is now pervasive in the banking sector, our<br />
collaboration with Ubisecure will help us to<br />
expand that reach into other verticals."<br />
ACTIVE BREACHES<br />
Elsewhere, all has not been as it should be at<br />
the offices of the United Nations. In fact, the<br />
UN's offices in Geneva and Vienna came<br />
under attack recently, compromising more<br />
than sixty of their servers. Interestingly, we<br />
know that the attack was explicitly aimed<br />
at the Active Directory component; and<br />
worryingly, the sophistication of the attack<br />
indicates it may have been state sponsored.<br />
The Active Directory is a known weak point<br />
in most organisations' security stance, plus it's<br />
essentially the only way a hacker can move<br />
around an organisation once inside - as they<br />
did in this hack. In fact, as Jérôme Robert,<br />
a director at Active Directory cybersecurity<br />
specialist Alsid, points out, it's pretty much<br />
the Holy Grail of access. And he is fairly<br />
sanguine about this particular breach.<br />
"No less an authority than the UN is the latest<br />
organisation to fall victim to a serious cyberattack,<br />
proving that it really can happen to<br />
anyone. We don't know how long they were<br />
in the UN's systems, but we do know that<br />
a total of 67 servers were deemed as<br />
compromised or suspicious by the UN's<br />
security team.<br />
"That volume points to some serious lateral<br />
movement over a chunk of time, which is<br />
how we can be certain the Active Directory<br />
was compromised in this case. The attackers<br />
would have used AD access to jump from<br />
machine to machine, looking for data<br />
and access to further internal systems to<br />
strengthen and prolong the attack while<br />
they hunted for their targets."<br />
No one can say with any real accuracy how<br />
long the attackers were 'active' in the UN's<br />
systems, but with 67 servers in the equation,<br />
that suggests serious lateral movement over<br />
a chunk of time, "which is how we can be<br />
certain the Active Directory was compromised<br />
in this case", Robert continues. "This attack<br />
reinforces that security teams have to<br />
win every time they are attacked and<br />
cybercriminals only need to get lucky once<br />
to gain access to the AD, at which point they<br />
already have their hands in the cookie jar and<br />
you're in big trouble."<br />
For anyone who thinks bitcoin might be<br />
losing its appeal, not a word of it. A Dutch<br />
university has paid nearly 200,000 euros<br />
worth of the cryptocurrency to Russian<br />
hackers after 267 servers were compromised<br />
in December last year. "Ransomware is certain<br />
to remain a key threat to all organisations'<br />
networks globally throughout 2020," warns<br />
Carl Wearn, head of E-Crime at Mimecast.<br />
"The latest indication from Mimecast's data is<br />
that threat actors are now almost certainly<br />
re-concentrating their efforts to focus on<br />
ransomware attacks and have been doing<br />
so since last year." As research from the<br />
Netherlands' National Cyber Security Center<br />
illustrated last year, something like 1,800<br />
organisations globally were thought at that<br />
time to have been subject to ransomware<br />
attacks. "As with any piece of crime-related<br />
research, we should expect that this is in fact<br />
a gross undercounting of the problem as it is."<br />
Ransomware is making criminals a lot of<br />
money. "Ransomware can be delivered by<br />
electronic communication, exploit kit or other<br />
means," Wearn continues. "Ensuring non-networked<br />
backups are in place, and that a<br />
comprehensive solution to provide fallback<br />
email and archive capabilities is in place, are<br />
the key solutions to ensuring business can<br />
continue as uninterrupted as possible, should<br />
a ransomware attack take place.<br />
"Relying on the threat actors to restore your<br />
data in the case of attack is obviously riddled<br />
with issues, not least of which is that they are<br />
prone to errors themselves and may not even<br />
be able to restore your data once they've<br />
encrypted it. Paying any ransom is also likely<br />
to make you a future target of choice,<br />
through proven willingness to pay. I would<br />
urge all organisations to plan for this threat<br />
to be realised, if adequate steps are not taken<br />
to provide a suitable fallback or recovery<br />
solution now."<br />
Carl Wearn, Mimecast: paying any<br />
ransom is likely to make you a future<br />
target of choice.<br />
Jérôme Robert, Alsid: cybercriminals only<br />
need to get lucky once to gain access to<br />
the Active Directory.<br />
expert insights<br />
WHY CYBERSECURITY POLICY & GDPR<br />
COMPLIANCE AREN'T SO DIFFERENT<br />
THE COMBINED FORCES OF FURTHER REGULATION AND NEW<br />
TECHNOLOGY WILL UNDERPIN DATA SECURITY IN THE YEARS AHEAD,<br />
ARGUES ROBERT ALLEN - EUROPEAN DIRECTOR OF MARKETING<br />
& TECHNICAL SERVICES AT KINGSTON TECHNOLOGY<br />
Over the last decade, data has<br />
become the world's most precious<br />
commodity. The largest technology<br />
organisations have grown into empires and,<br />
following this shift, regulators and<br />
governments have now awoken to the value<br />
of data and begun to treat it accordingly.<br />
New data security laws, such as GDPR,<br />
affect companies and individuals across the<br />
world. And as organisations adopt further<br />
digital technology, the cybersecurity threat<br />
has grown, as the rewards for gaining<br />
unlawful access to data become more<br />
lucrative. Historically, the emergence of new<br />
technology in other industries has always<br />
been followed by regulation, usually<br />
because it quickly becomes obvious that<br />
without clear standards, those industries can<br />
create products that could cause serious<br />
risks. But until only recently (arguably, still)<br />
there has been a 'wild west' attitude to<br />
digital technology. Risk is still tricky to<br />
quantify, let alone manage, and many<br />
companies still do not treat data security<br />
seriously, even with the threat of regulatory<br />
fines in place.<br />
Cybersecurity threats are similarly not<br />
taken seriously or even well understood in<br />
companies. If they were, password reuse<br />
wouldn't be prevalent, nor would reliance<br />
on outdated software or the widespread use<br />
of unencrypted devices. We all know there<br />
are multiple threats to digital security that<br />
require multiple solutions. But it's clear the<br />
companies that consistently maintain a clear<br />
approach to data management have been<br />
able to meet regulatory compliance better<br />
than those who had to scramble to meet<br />
the 2018 regulation date. GDPR has<br />
demonstrated that, by long-term prioritising<br />
of data security and data protection,<br />
a firm will be in a better shape to meet the<br />
regulation that will surely follow further<br />
down the line. Prioritising and investing<br />
in both together is simply good business<br />
practice.<br />
A combination of further regulation and<br />
new technology will drive data security<br />
over the next decade. David Clarke, CTO<br />
at GDPRUK.EU and founder of the GDPR<br />
Technology Group on LinkedIn, agrees.<br />
"Cybersecurity technology will need to adapt<br />
to the many global regulatory environments<br />
to protect data and manage the appropriate<br />
and fair use of personal data, protect the<br />
vulnerable in our society, from managing<br />
dataveillance and preventing online harms.<br />
Data is already regulated; the next big<br />
challenge is the regulation needed to<br />
manage and monitor behaviours in a<br />
world of zero-knowledge identification."<br />
With a workforce as likely to be working<br />
with sensitive company data when travelling<br />
or at home as in the office, transporting<br />
data to and from these locations is a key<br />
security weak point. But when a business<br />
deadline needs to be met, it's all too easy to<br />
quickly transfer crucial documents to the<br />
first USB stick you find in a drawer. Rather<br />
than outright banning USB storage, there<br />
are secure products, such as Kingston<br />
IronKey D300, that can mitigate this risk,<br />
with on-device hardware encryption that<br />
ensures that, if a device is lost or stolen,<br />
the thief will not have access to any of the<br />
data, which may be more valuable than the<br />
hardware itself. Designed from the ground<br />
up with security in mind, attack vectors<br />
have been carefully considered, from<br />
tamper-evident materials to a secure<br />
password input method designed to foil<br />
key loggers.<br />
However, it seems that even our own<br />
government isn't sending the right message<br />
on security. Recently, it was revealed that<br />
the UK government lost 2,004 mobiles<br />
and laptops in 12 months [1], from critical<br />
government departments. Many were stolen<br />
and 200 of these devices were unencrypted,<br />
with potentially sensitive data accessible to<br />
all. If security is best led by example, then<br />
more joined-up thinking from above would<br />
encourage better practices across the board.<br />
[1] https://www.bbc.com/news/technology-51572578<br />
Cyjax constantly monitors the internet looking for data<br />
relevant to your organisation’s security posture and<br />
reputation.<br />
ADVANCED THREAT INTELLIGENCE<br />
Accurate, Timely and Actionable. Our threat<br />
information is augmented and processed by security<br />
cleared analysts. Bespoke information on the risks<br />
unique to your business displayed in a comprehensive<br />
threat intelligence dashboard.<br />
Put our eyes on your risks. Speak to us today.<br />
+44 (0)20 7096 0668 info@cyjax.com www.cyjax.com
2020 predictions<br />
MORE 20/20 VISIONS<br />
AS CYBER ANXIETY MANIFESTS ITSELF EVER MORE WIDELY, PART 2 OF OUR<br />
TOP PREDICTIONS FOR 2020 LOOKS AT THE MANY CHALLENGES THAT LIE AHEAD<br />
With four generations working<br />
alongside each other for the first<br />
time, organisations will need a new<br />
approach to protecting data in 2020 and<br />
beyond, advises Jon Fielding, managing<br />
director, EMEA Apricorn. "They'll be dealing<br />
with a range of different attitudes to security,<br />
as well as evolving working practices - in<br />
particular a continued increase in mobility and<br />
flexibility. A complex security strategy that<br />
attempts to address this diverse workplace<br />
with copious models and technologies will<br />
only create more risk."<br />
There's no 'one size fits all' when it comes to<br />
securing the multi-generation enterprise - but<br />
encrypting all data as standard, both at rest<br />
and on the move, will bring us as close as it's<br />
possible to get, he suggests. "Encrypting data<br />
end-to-end renders it unintelligible to anyone<br />
not authorised to access it. This is especially<br />
valuable when employees are mobile working<br />
- and the use of hardware encrypted storage<br />
devices will eliminate an element of the<br />
'human risk' of data loss entirely." With the<br />
cybersecurity skills shortage biting hard, and<br />
an increasing expectation that IT will help<br />
drive the goals of the business, enterprises<br />
must look outside the industry to recruit<br />
the right people. "The most effective way to<br />
defend a modern business against cyber<br />
threats is to build a diverse security team,<br />
equipped with a range of different skillsets<br />
and experience - including business acumen,<br />
and the ability to communicate, collaborate<br />
and lead," adds Fielding.<br />
"It may seem counter-intuitive to recruit<br />
non-specialists to a specialist role, but, when<br />
it comes to cybersecurity, an understanding<br />
of the basic, best-practice fundamentals is<br />
most important. If somebody has a solid<br />
foundation in good security hygiene,<br />
and they're willing to learn, the technical<br />
knowledge they need can be built from there."<br />
NEW MINDSET<br />
Richard Walters, CTO of Censornet, points out<br />
that every year Artificial Intelligence (AI) bags<br />
a top spot in the list of security trends and<br />
predicts that this year will be no different.<br />
"However, whereas 2019 was heralded as the<br />
year of AI, 2020 will see businesses take a<br />
shrewder approach towards the technology.<br />
The widespread hype around AI in the<br />
industry has made it harder to determine just<br />
what it can and can't deliver. While projections<br />
indicate budgets for AI in cyber security will<br />
increase, the industry itself will have a much<br />
more critical role in deciding how AI will be<br />
applied."<br />
The industry is shifting away from the<br />
mindset that AI will be the silver bullet in the<br />
war against cybercrime, he adds. "As with<br />
any technology, AI has its limitations. It also<br />
won't be viewed as a 'crystal ball', capable<br />
of foretelling every single attack before it<br />
happens. Despite exaggerated claims, no<br />
AI tool can predict a Black Swan event: a<br />
completely unknown attack. That's not to say<br />
that AI has no role in cyber security, as long<br />
as the tool itself is well suited to the task at<br />
hand.<br />
"Using AI to address some of the more<br />
common information security problems is like<br />
taking a sledgehammer to crack a walnut,"<br />
he comments, "so it should only play a part<br />
where the situation dictates. A company's<br />
security posture should be judged by how<br />
effectively its strategy is aligned with its<br />
objectives, rather than how much of the latest<br />
technology it has."<br />
BEWARE MALWARE<br />
Stuart Reed, VP cyber - redesign - malware &<br />
CISO roles, Nominet, believes this year will see<br />
the cyber industry redesigned in some key<br />
areas. "Malware will undoubtedly evolve and<br />
ransomware will become more sophisticated,<br />
potentially even teaching businesses new<br />
ways to take payments and create customer<br />
service that encourages the victim to part<br />
with their money. That said, it will still be the<br />
simple attacks that cause the most damage,<br />
because organisations have a lot of work to<br />
do on ensuring they are utilising every layer of<br />
defence within their reach.<br />
"We'll also see the role of the CISO<br />
redesigned in 2020, as the imbalance of their<br />
work-life worsens and the role needs to<br />
change to meet the demands of the modern<br />
cyberscape; for example, becoming more of<br />
a strategic resource for the business on<br />
mitigating risk and facilitating business<br />
transformation safely," he says.<br />
Mark Burdett, Nominet's head of product<br />
delivery - ML & AI enhanced cyber-attacks,<br />
believes machine learning and artificial<br />
intelligence will be used to create distributed<br />
and targeted malware and attacks. "An<br />
attacker using machine learning algorithms<br />
can create a suite of botnets or worm-style<br />
malware that gathers data from multiple<br />
attempts to breach commercial sites,<br />
ultimately generating more sophisticated<br />
attacks that could be targeted at critical<br />
national infrastructure or governments,"<br />
he warns. "Using data from breaches,<br />
vulnerabilities, successful and failed attacks -<br />
the 'next generation' of malware can be<br />
created. It will make fewer obvious attacks,<br />
but be more successful by using tactics<br />
proven to work. This would make pattern<br />
matching or DOS/brute-force security<br />
measures less and less effective." Protecting<br />
against this style of attack requires analysis of<br />
network patterns, command and control, and<br />
a large-scale dataset of attacks to see these<br />
attempts happening across multiple sites and<br />
networks, rather than a single instance or<br />
victim, he concludes.<br />
AREAS OF CONCERN<br />
Dean Coclin, senior director, Business<br />
Development at DigiCert, highlights several<br />
areas of concern for businesses this year:<br />
• Certificate Automation - with shorter<br />
validity periods on the horizon for TLS<br />
certificates, organisations will need to<br />
start embracing automation in order to<br />
make cert management easier<br />
• Consumers will have to heighten their<br />
security awareness, as threat actors take<br />
advantage of free Domain Validated TLS<br />
certificates to show the padlock on their<br />
websites. It's no longer sufficient to "look<br />
for the lock", one must look "beyond the<br />
lock"<br />
• IoT Security - hackers will continue to find<br />
vulnerabilities in consumer devices, since<br />
security is not top of mind when these<br />
devices are developed. Industrial IoT<br />
security has improved, especially for<br />
critical systems such as automotive,<br />
SCADA and healthcare.<br />
"This year, we have seen the adoption of the<br />
CCPA (California Consumer Privacy Act) and<br />
the failed NYPA (NY Privacy Act)," states Coclin<br />
"There is impetus for a national privacy act,<br />
similar to GDPR, but the likelihood of that<br />
happening in the current administration<br />
is low. Nonetheless, consumers are very<br />
concerned about recent privacy breaches.<br />
States are filling the hole by adopting their<br />
own acts, but this will make compliance very<br />
difficult for companies, due to the patchwork<br />
nature of adoption," he cautions.<br />
PROTECTION TO BE RAMPED UP<br />
"After years of haplessly watching technology<br />
race ahead of regulation, governments<br />
around the world have started to enact<br />
regulations to protect consumers and<br />
mitigate security risk," says Mike Riemer, chief<br />
security architect at Pulse Secure. "A big focus<br />
for 2020 will be the increase in regulatory<br />
requirements around IoT and IIOT devices as<br />
they proliferate in corporate networks and OT<br />
systems. When organisations do not know<br />
where a device is on their network, or who it<br />
is communicating with, that poses severe<br />
security risks."<br />
Jon Fielding, Apricorn: to defend a<br />
modern business against cyber threats,<br />
you must build a diverse security team.<br />
Azeem Aleem, NTTS: Security<br />
Orchestration, Automation and Response<br />
(SOAR) will rocket as attacks demand an<br />
AI-based approach to security.<br />
Mike Riemer, Pulse Secure: A big focus<br />
will be the increase in regulatory<br />
requirements around IoT and IIOT<br />
devices.<br />
Stuart Reed, Nominet: this year will see<br />
the cyber industry redesigned in some key<br />
areas.<br />
And, as more organisations adopt IoT and IIoT devices in the workforce, there need to be security policies and controls in place. "In the United States, much of this regulatory reform has been spearheaded by the state of California, which recently passed SB-327, the first law to cover IoT devices. It took effect on January 1 and regulators around the world will certainly be watching to see how effective the legislation is at minimising security risks from IoT devices," he adds. "Since the regulatory laws often have a cascading effect, we can certainly expect to see similar bills appearing across the country and eventually at a federal level. Organisations will need to make sure they, or any third-party security vendors, are compliant to protect IoT devices and the information they contain."
SOAR POINT
In terms of trends that will shape the cybersecurity landscape in 2020, Security Orchestration, Automation and Response (SOAR) will rocket as attacks demand an AI-based approach to security, believes Azeem Aleem, VP Consulting Security, NTT. "Cyberattacks are happening at machine speed, not human speed. To keep up, organisations will need the help of machines - and data scientists - and SOAR will be the hottest area in cybersecurity. It enables organisations to predict when an attack is going to happen - and fast. We don't talk about proactive security anymore, but predictive security, which will become essential for delivering an active cyber-defence in 2020."

There are four other key trends that Aleem identifies for the security industry in 2020:
Applications are becoming the new attack vector: Application-specific and web-application attacks now account for a third (32%) of hostile traffic, according to the NTT 2019 Global Threat Intelligence Report (GTIR). "Now that infrastructure is more cloud-based and software-defined, we're entering a world where the application is the easiest way to compromise data," he states. "The number of attacks on applications will increase, so organisations need to regularly evaluate the security hygiene of applications across their business and apply necessary patches - an exercise that can no longer be neglected."

Security goes to the cloud: "While organisations still buy on-premises equipment, largely for compliance reasons, more is being created and hosted in cloud environments," says Aleem. "However, if organisations are using multiple hosting centres or hyperscalers, it's more difficult to apply standardised, software-based security controls across the entire infrastructure. Applying security to the application or workload will enable them to monitor and implement the appropriate controls."

Hyperscaler patterns continue to be elusive: Fixed infrastructure tends to have standard traffic patterns that make it relatively easy to identify anomalies. "This is not the case with hyperscalers, which also make hundreds of thousands of high-speed updates to their platform on any given day. This will make it very difficult for organisations to monitor the interactions between humans, machines, data and applications in order to identify patterns and anomalies. Information, context and intelligence therefore need to be applied for a robust security posture."

Data lakes and data wallets: Data lakes will enable new models of predictive analytics, he says. "What's more, we will see data wallets that put data in the hands of the person who owns it and make it completely secure for them. Nobody can access that data without certain permissions being in place and, if the user is under threat, it can be locked down."
Maintaining secure access during an emergency

When freak weather hits, transport strikes disrupt commuters, or a global health pandemic ensues, the need for secure, immediate access is at its greatest. Users need to maintain access to business-critical data and applications in a secure environment; providing access with a password alone simply is not secure enough.

In the event of an emergency, many organisations allow remote users to authenticate with a standard username and password. But this is when the need for secured access is at its highest: during emergency situations corporate defences are often at their weakest and the threat from attack at its greatest.

SecureIdentity SecurICE

SecurICE from SecurEnvoy is a revolutionary approach to the age-old problem of providing secure access to corporate systems in the event of an emergency - without the need for fobs, tokens or smartcards.

SecurICE provides clients with the ability to turn on robust, multi-factor authentication for users in the event of an

factor, and a passcode sent to the user's mobile phone is the second. There is no need for the user to enrol and remember an additional PIN, and no need for extra tokens or smartcards - the ideal, emergency two-factor authentication system.

Part of the new SecureIdentity Platform by SecurEnvoy

passcodes, can be sent via SMS to an entire organisation, or a

Why use our SecurICE solution
• Rapidly deploy multi-factor authentication in an emergency
• Keep users informed with status updates
• Provide users with instructions of what to do during an emergency
• Users are free to select their preferred authentication
• Enhance your business continuity strategy

Identity Beyond Boundaries
T: 44 (0) 845 2600010 E: info@securenvoy.com
www.securenvoy.com/en-us/securice
expert view

CEOS IN THE FIRING LINE

WHY YOU CAN'T RELY ON OTHERS TO GET YOUR PUBLIC KEY INFRASTRUCTURE IN ORDER - AND WHAT HAPPENS IF YOU DON'T. ANDREW JENKINSON, GROUP CEO, CYBERSEC INNOVATION PARTNERS, OFFERS HIS INSIGHTS
In the past months, no fewer than three US government agencies have put out warnings about the Microsoft Windows 10 vulnerability, and still no one seems to be aware of how long the vulnerability was there before those alerts were issued. CVE-2020-0601 can be exploited to undermine Public Key Infrastructure (PKI) trust. According to Neal Ziring, technical director of the NSA Cybersecurity Directorate, "this kind of vulnerability may shake our belief in the strength of cryptographic authentication mechanisms and make us question if we can really rely on them". The problem that creates such a weakness in Windows 10 is that attackers are able to disguise a malicious executable binary so that it appears like a Windows system binary; worryingly, it could remain undetected by anti-virus and other perimeter defences. This allows attackers to install it, and potentially achieve command and control.
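A defender-side check, added here and not part of Jenkinson's article: the NSA advisory for CVE-2020-0601 describes the flaw as CryptoAPI accepting ECC certificates that carry explicit curve parameters, so flagging any certificate whose EC AlgorithmIdentifier parameters are a SEQUENCE rather than a named-curve OID is one way to surface that suspicious shape in proxied or logged traffic. The minimal DER walker, the function names and the certificate skeletons below are all constructed for this example; they are not real keys or certificates.

```python
"""Flag X.509 certificates (or bare SubjectPublicKeyInfo blobs) whose EC public key
uses explicit curve parameters instead of a named curve: the certificate shape
behind CVE-2020-0601. Pure-Python minimal DER walker; the sample inputs built at
the bottom are constructed placeholders, not real certificates."""
from typing import List, Tuple

EC_PUBLIC_KEY_OID = bytes.fromhex("2a8648ce3d0201")   # 1.2.840.10045.2.1 id-ecPublicKey
PRIME256V1_OID = bytes.fromhex("2a8648ce3d030107")    # 1.2.840.10045.3.1.7 prime256v1

TAG_OID, TAG_NULL, TAG_SEQUENCE, TAG_CTX0 = 0x06, 0x05, 0x30, 0xA0


def der_tlv(data: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def der_children(value: bytes) -> List[Tuple[int, bytes, bytes]]:
    """Split a constructed value into (tag, value, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, nxt = der_tlv(value, pos)
        out.append((tag, v, value[pos:nxt]))
        pos = nxt
    return out


def encode(tag: int, value: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed samples."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def ec_parameter_kind(spki_der: bytes) -> str:
    """Classify a SubjectPublicKeyInfo: 'named', 'explicit', 'implicit' or 'not-ec'."""
    _, spki, _ = der_tlv(spki_der)
    alg_id = der_children(spki)[0]          # AlgorithmIdentifier SEQUENCE
    fields = der_children(alg_id[1])        # [algorithm OID, parameters]
    if fields[0][0] != TAG_OID or fields[0][1] != EC_PUBLIC_KEY_OID:
        return "not-ec"
    if len(fields) < 2 or fields[1][0] == TAG_NULL:
        return "implicit"                   # implicitlyCA / absent parameters
    if fields[1][0] == TAG_OID:
        return "named"                      # namedCurve OID: the normal case
    if fields[1][0] == TAG_SEQUENCE:
        return "explicit"                   # ECParameters SEQUENCE: flag for review
    return "unknown"


def certificate_ec_parameter_kind(cert_der: bytes) -> str:
    """Locate the SPKI inside an X.509 Certificate and classify it."""
    _, cert, _ = der_tlv(cert_der)
    tbs = der_children(cert)[0]             # TBSCertificate
    fields = der_children(tbs[1])
    idx = 6 if fields[0][0] == TAG_CTX0 else 5   # optional [0] version shifts fields
    return ec_parameter_kind(fields[idx][2])


def build_spki(params: bytes) -> bytes:
    """Constructed SPKI with a dummy uncompressed P-256 point (not a real key)."""
    alg = encode(TAG_SEQUENCE, encode(TAG_OID, EC_PUBLIC_KEY_OID) + params)
    point = encode(0x03, b"\x00\x04" + b"\x11" * 64)   # BIT STRING, 0 unused bits
    return encode(TAG_SEQUENCE, alg + point)


NAMED_SPKI = build_spki(encode(TAG_OID, PRIME256V1_OID))
# Explicit ECParameters SEQUENCE; only the leading version INTEGER is filled in.
EXPLICIT_SPKI = build_spki(encode(TAG_SEQUENCE, encode(0x02, b"\x01")))


def build_cert(spki: bytes) -> bytes:
    """Constructed, unsigned certificate skeleton wrapping the given SPKI."""
    empty_seq = encode(TAG_SEQUENCE, b"")
    tbs = encode(TAG_SEQUENCE,
                 encode(TAG_CTX0, encode(0x02, b"\x02"))        # [0] version v3
                 + encode(0x02, b"\x01")                         # serialNumber
                 + empty_seq + empty_seq + empty_seq + empty_seq # sigalg, issuer, validity, subject
                 + spki)
    return encode(TAG_SEQUENCE, tbs + empty_seq + encode(0x03, b"\x00"))


if __name__ == "__main__":
    for name, spki in (("named", NAMED_SPKI), ("explicit", EXPLICIT_SPKI)):
        print(name, ec_parameter_kind(spki),
              certificate_ec_parameter_kind(build_cert(spki)))
```

Feeding real DER certificates (for example those recorded by a TLS-inspecting proxy) into certificate_ec_parameter_kind gives a cheap triage signal; an "explicit" result is rare in legitimate PKI and worth a closer look.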
Unequivocally, PKI can never be assumed to be trustworthy. Without constant and continuous monitoring, it will unquestionably cause business continuity issues, and enable infiltration and nefarious activities. Service outages, malware and data breaches result from weaknesses in PKI management and controls, which are used as an easy way in.
The Windows 10 situation is serious, due to its magnitude and the ubiquitous use of the software. It has been a shocking start to the new decade for Microsoft, as one global issue is disclosed by the NSA and now hot on its heels is a second, in the form of a critical browser Zero Day issue identified by the CISA.

The CISA warning is of a zero-day vulnerability that is being exploited without a fix in Microsoft's Internet Explorer and, although IE represents a small percentage of overall internet use, it can corrupt memory, so that an attacker can gain the same user rights as the owner - ie, take over command and control. And it doesn't stop there. This gives rise to huge opportunities for cyber criminals.
The past, and a possible future, of cybercrime:

1978 Ralph Merkle develops Public Key Infrastructure
1990s PKI is adopted as global core security for digital communication
2000s various 'agencies' manipulate and 'encourage' back doors to enable spoofing
2000s various agencies develop cyber intelligence and cyber warfare; this included malware such as Flame and Stuxnet
2000s cyber warfare and malware is obtained by criminals and creates a new wave of criminal activity (cyber criminals)
2010s various agencies develop Cloud technology to enable secure access to the mothership
2010s Numerous Tier 1 Tech firms develop cloud technology in conjunction with the agencies and start to roll out to global clientele
2010s Cloud providers see more attacks and vulnerabilities on a larger scale
2010s GDPR is announced and massive fines are levied for cyber and privacy breaches
2010s Ransomware increases in line with the rise of cryptocurrency as it is easy to pay ransom monies without being traced
2020s Quantum computing becomes more widespread with faster and greater computing capability
2020s Quantum computing is used by cyber criminals for greater and faster cyber-attacks and breaches.
We can see that technological advancement is quickly followed by, and used by, the new breed of criminal, the cybercriminal, be they nation state or otherwise. Equally, the very same governments that conceived backdoors and developed malware to attack their enemies are the very same governments that levy massive fines for being breached with a strain of the viruses they created in the first place.

One could say the writing is on the wall, unless a massive realignment occurs between all parties at the very top level. It seems completely unreasonable that the creation of backdoors and malware that is blighting all organisations, creating massive global losses, funding and fuelling further criminal activities to the further detriment of the world socially, can then be used to penalise these organisations with massive fines, jeopardising not just their profitability, but their survival.

In the past three decades, we have witnessed a situation that has simply got out of control and we are suffering at ground level with the lack of privacy and threat of our personal details being stolen, lost, manipulated or worse.
So, what could happen, if you suffer a breach? Let's look at a typical scenario.

Your organisation is going really well, business is great, your parent owners recently undertook an IPO on the back of the success of the business, share prices have continued to increase, as have the revenues and profits, everyone is delighted. Then, BANG, your entire systems are brought to their knees by an unknown infiltration that has been going on for months, culminating in a ransomware demand. To make matters worse, numerous partnered banks have also been affected; lawyers will be looking at liability and seeking damages and compensation. Your company has fallen, and from a pretty great height, in the space of weeks.

There's clearly been a disconnect between the cyber team, the risk appetite of the business and you. No one could foresee this happening - or could they?
Preparation for such events is typically lax and isn't rehearsed as it should be. The chairman is pacing up and down and looking for answers to the potential loss of several hundred million, massive brand and reputation damage and litigation, and all because of being ill-informed, poor decisions, incorrect risk profile and inadequate cyber posture.

Heads will, of course, roll. As the CEO, there's no chance of you avoiding being in the firing line. This has happened under your watch and your control; and no matter what your trusted advisers and security provided you with, you are ultimately responsible. Tough it may be, but that's reality.

If this seems hard hitting and resonates with you, it's meant to. This is happening all around us and in far too many organisations. Protecting the business, the staff and shareholders is your responsibility as a CEO. Being ignorant of the facts and relying on experts, who may not be as expert as you think, is no excuse.

CEOs need to ask better questions about the security of their businesses. And they need to do it now.

Andrew Jenkinson, Cybersec: PKI can never be assumed to be trustworthy.
data management

THE PLOT THICKENS

WHAT CHANCE SECURE DATA MANAGEMENT MIGHT HAVE ALTERED THE OUTCOMES OF CERTAIN LANDMARK FILMS? CHARLOTTE WILLIAMS, MARKETING & PR MANAGER AT TOTAL INFORMATION MANAGEMENT COMPANY SHREDALL SDS GROUP, OFFERS HER INSIGHTS
What would have happened to the Allies, if Alan Turing had failed to crack the Enigma code in 'The Imitation Game'? And would the National Security Agency's nefarious schemes have been exposed, had it protected its sensitive data and prevented Edward Snowden from publishing its secrets through WikiLeaks?

Based on real-life stories of data infiltration, these films could have ended very differently, if more effective data protection measures had been put in place. But before you dismiss this as nothing more than a light-hearted exercise in procrastination, just think: what can we learn from the cinematic universe about secure data management practices?

We'll cover a range of films - fiction and non-fiction - over the course of this article. As well as dissecting their plots to determine how they might have been changed with proper data management, this feature will also provide practical tips on how you can avert similar data mismanagement mishaps in the future.
THE HOBBIT & THE LORD OF THE RINGS

Admittedly, these two film series are unlikely candidates for the first item on a list of data mismanagement movie plots. As you're probably aware, the story centres on the One Ring, a mysterious artefact created by the Dark Lord Sauron that grants the wearer the power of invisibility. Bilbo steals the ring from Gollum during a fateful turn of events in 'The Hobbit: An Unexpected Journey'.

Following his adventures over the course of the next two films, Bilbo returns to the Shire with the ring still in his possession. At a later point, Gollum is captured by the minions of Sauron, revealing the name and location of the unfortunate hobbit. This sparks the chain of events that makes up the rest of the trilogy, with Sauron's forces attempting to return the ring to their master, as Frodo embarks on a journey to destroy it in the fires of Mount Doom. Had Gollum kept the ring in a secure location or protected the vital information of Bilbo's whereabouts more carefully, the rest of the series could have turned out differently.
But what can we learn from Gollum's critical act of data mismanagement? The key takeaway is this: if your business holds sensitive commercial data, then it's vital - in the immortal words of Gandalf the Grey - to "keep it secret, keep it safe". Hard copies of files should be stored in a secure location, whether you keep them on-site or employ a third party to look after them. Some companies even choose to store their critical legal business files in high-security vaults with specialised access mechanisms!

Digital copies are even more susceptible to interception and should be stored using a secure data management platform. It's best to look for data storage software that requires multi-factor verification before allowing users to access files.
SNOWDEN

Based on the true story of Edward Snowden, this film follows the protagonist as he works for the NSA and finds out disreputable government agency secrets. One shady secret he discovers is that the NSA has planted malware in the computer systems of foreign governments, allowing them to be disabled in the event that these foreign nations were to oppose the US.

Eventually, Snowden, pictured below left, becomes disenchanted with his work at the NSA. He smuggles sensitive data out of the agency on a microSD card hidden inside a Rubik's Cube and releases it to the press. Had the NSA protected this information in a more secure manner, Snowden would not have been able to expose their perverse practices to the world.

Although the details of how Snowden actually managed to produce a copy of the NSA data are not known, it's somewhat astonishing that he was able to extract data from the NSA system using nothing more than a microSD card in the film.

In reality, data breaches of this kind are completely preventable with the right software. There are many programs out there that can stop users from copying data to any form of external device, unless they are given explicit authorisation. If your business holds sensitive data and isn't already using some data loss protection software, you should really look into this.

It's also worthwhile having policies in place regarding remote workers. Businesses should specify that work laptops are only to be used while connected to a secure network - using an unsecured network opens you up to data breaches that could potentially be costly. Monitoring the activity of remote workers is also advisable.
JURASSIC PARK

Jurassic Park is another film that could potentially be deemed an unusual choice on this list. Data security may not be the first thing that comes to mind when you think of Jurassic Park and indeed the data security element in this film is more subtle than in the other examples.

Yet one plotline involves Dennis Nedry - pictured below - a computer programmer employed by the Park, using his hacking skills to disable the security systems and steal dinosaur embryos. He intends to sell these on to the highest bidder - with potentially disastrous consequences - but never makes it out of the park and is eaten by a dinosaur.
All of this potential danger could have been averted, if Jurassic Park's cybersecurity system had been better protected against this kind of attack. The take-home data security message from this film is clear: even if your data doesn't pose the same threat as stolen dinosaur embryos, invest in decent cybersecurity systems or prepare to be infiltrated! Protecting your systems should start with doing the basics right - ensure that employees set secure passwords that are different for each type of software they use. Your company should also invest in sophisticated anti-malware software. If your resources allow, you could even think about hiring a hacker to test your defences and ensure your cybersecurity is up to scratch.
THE GIRL WITH THE DRAGON TATTOO

The frequent cyber-attacks and data breaches that occur throughout this film make it one of the more obvious choices for this list. The film focuses on Mikael Blomkvist, a former journalist who was disgraced by the corrupt media mogul Hans-Erik Wennerström after failing to make libel accusations against him. Blomkvist temporarily retires from journalism and decides to help Henrik Vanger discover the murderer of his granddaughter, Harriet.

During the course of the film, Lisbeth Salander, a talented computer hacker (pictured top right) and the eponymous 'Girl With The Dragon Tattoo', helps Blomkvist to get to the bottom of the mystery. Once the murder case has been solved, Salander uses her hacking skills to acquire sensitive information about Wennerström.

This information enables Blomkvist to get revenge against Wennerström, publishing an exposé article and book to destroy his reputation. Blomkvist's magazine, Millennium, becomes popular and well respected as a result. If Wennerström had succeeded in protecting his data from Salander's cybersecurity attack, then Blomkvist might never have got his revenge.

The data protection lesson to take from 'The Girl with the Dragon Tattoo' is similar to that of Jurassic Park. While your company's computers won't contain data that's sensitive in quite the same way as Wennerström's, it's important that you put money into your cybersecurity systems and prioritise the hiring of skilled cybersecurity personnel.
THE IMITATION GAME

Now we come to the final instalment in this list of data mismanagement films. 'The Imitation Game' (shown directly above) is based on the true story of Alan Turing cracking the German Enigma code. As such, the data infiltration at the heart of this film has implications for 20th-century history.

If Turing had failed to crack the Enigma code with his machine, then German military messages could not have been decoded and the outcome of the war might have been different. The British would have been unable to divert supply convoys around German U-boats by cracking their naval communications, which could have had catastrophic consequences for the war effort as a whole.

Of course, your business doesn't rely on a system of encoded messages to communicate. There are, however, modern parallels. It's likely that emails and messages are sent between members of staff that contain data which would be of interest to your competitors - your business can't afford for these to be intercepted.

Particularly for high-level business discussions that refer to commercially sensitive information, it's wise to utilise a secure, encrypted messaging platform. Many of these are freely available, so there's really no excuse for a lax approach when it comes to securing your business communications.
Automate your most critical PCI DSS checks with Nipper

Firewalls | Switches | Routers

Evidence PCI DSS compliance. Perform best practice security checks. Detect & analyse vulnerabilities.

Get your 30 day free trial today: titania.com/trial
cybersecurity and ISPs

WORLD-WIDE MALICE

THE IMPACT OF INDISCRIMINATE MALICIOUS ACTIVITY ONLINE IS SOARING AND ESTIMATED TO HIT A GLOBAL PRICE TAG OF $6 TRILLION BY NEXT YEAR
While certain cyberattacks focus on specific organisations, the majority actively target the largest number of internet users possible. Such attacks are often relatively easy for cybercriminals to undertake and can cause serious harm. The impact of indiscriminate malicious activity online can be significant and carries an estimated global price tag of $6 trillion in 2021 (see panel text).

The World Economic Forum Centre for Cybersecurity brought together a group of leading ISPs and multilateral organisations to develop new ways to protect consumers and prevent these attacks from reaching them. Following a year of development and testing, four actionable principles were identified as successful in preventing malicious activities from getting "down the pipes" to consumers, set out in the report, 'Cybercrime Prevention: Principles for Internet Service Providers'. With a collective aim to protect up to 1 billion consumers in 180 countries in the process, BT, Deutsche Telekom, Du Telecom, Europol, Global Cyber Alliance, Internet Society, Korea Telecom, Proximus, Saudi Telecom, Singtel, Telstra and ITU all endorsed those principles, namely to:

Protect consumers by default from widespread cyberattacks and act collectively with peers to identify and respond to known threats

Take action to raise awareness and understanding of threats and support consumers in protecting themselves and their networks

Work more closely with manufacturers and vendors of hardware, software and infrastructure to increase minimum levels of security

Take action to shore up the security of routing and signalling to reinforce effective defence against attacks.
"Cybersecurity is becoming a public safety<br />
issue," says Amy Jordan, delivery lead,<br />
Platform for Shaping the Future of<br />
Cybersecurity and Digital Trust, World<br />
Economic Forum. "As more and more devices<br />
are connected and physical infrastructure<br />
becomes increasingly connected, no one<br />
company can do it alone. The community<br />
needs to come together, and these principles<br />
can accelerate and scale impact."<br />
In the report, each principle is considered<br />
from the perspective of the challenges it is<br />
seeking to address, as well as providing<br />
demonstrable evidence from service providers<br />
of the benefits of implementation. Further,<br />
more technical detail on how each principle<br />
could be implemented is also provided in<br />
related recommendations.<br />
"This initiative represents a fantastic example<br />
of the World Economic Forum's ability to<br />
20<br />
computing security <strong>Mar</strong>/<strong>Apr</strong> <strong>2020</strong> @<strong>CS</strong>MagAndAwards www.computingsecurity.co.uk
cybersecurity and ISPs<br />
convene public and private sector<br />
stakeholders to share and implement<br />
industry best practice that helps not only the<br />
organisations involved, but also the users<br />
of the internet at large," says Kevin Brown,<br />
managing director, BT Security. It's a view<br />
that is backed in full by many of those<br />
involved in the report. "EUROPOL<br />
wholeheartedly supports the adoption of<br />
these principles by Internet Service Providers<br />
worldwide, because they have the potential<br />
to significantly limit the harm caused by<br />
malicious cybercrime actors," states its<br />
executive director Catherine de Bolle.<br />
Equally committed to the cause is Joseph<br />
Lorenzo Hall, senior vice president, Strong<br />
Internet, Internet Society. "The World<br />
Economic Forum's ISP Principles are a superb<br />
collection of actionable measures that<br />
providers can use to reduce malicious<br />
activity online," he comments, while Stefaan<br />
De Clerck, chairman, Proximus Board,<br />
believes that "by adopting these bestpractice<br />
principles and working with<br />
governments in a public-private partnership<br />
to create a supportive policy framework,<br />
RISKY TIMES<br />
we will collectively boost trust in the digital<br />
economy and significantly reduce<br />
cybercrime".<br />
Finally, Nasser Suliaman Al Nasser, Saudi<br />
Telecom Group (stc) CEO, adds: "As a nation,<br />
and as the digital-enabling company, we are<br />
exposed to all sorts of attacks, which forced<br />
us early on to heavily invest and build worldclass<br />
cyber capabilities to become fully<br />
resilient. Guided by these four principles,<br />
we encourage other ISPs to leverage them in<br />
defining their strategies and gain confidence<br />
by joining other global partners."<br />
The World Economic Forum will now use<br />
its 'Platform for Shaping the Future of<br />
Cybersecurity and Digital Trust' to drive<br />
adoption of the principles and seek to<br />
initiate a dialogue between public- and<br />
private-sector stakeholders on how<br />
governments can incentivise uptake and<br />
establish clearer policy frameworks and<br />
expectations. By working collaboratively,<br />
it is argued, ISPs will be better placed to<br />
protect their customers and defend their<br />
own networks than if they work alone.<br />
Amy Jordan, World Economic Forum: the<br />
ISP community needs to come together<br />
and the WEF's four principles can<br />
accelerate and scale impact.<br />
Kevin Brown, managing director, BT<br />
Security: initiative shows WEF's ability<br />
to convene public and private sector<br />
stakeholders to share and implement<br />
industry best practice.<br />
RISKY TIMES<br />
The 'Global Risks Report 2019' - part of the World Economic Forum's wider 'Global<br />
Risks' initiative - was published against a backdrop of what it described as worrying<br />
geopolitical and geo-economic tensions. "If unresolved, these tensions will hinder<br />
the world's ability to deal with a growing range of collective challenges, from the<br />
mounting evidence of environmental degradation to the increasing disruptions of<br />
the Fourth Industrial Revolution," states the WEF. The report presents the results of<br />
its latest Global Risks Perception Survey, in which nearly 1,000 decision-makers from<br />
the public sector, private sector, academia and civil society assessed the risks facing<br />
the world. Nine out of 10 respondents expected worsening economic and political<br />
confrontations between major powers this year. Over a 10-year horizon, extreme<br />
weather and climate-change policy failures are seen as the gravest threats.<br />
This year's report includes another series of 'what-if' Future Shocks that examine<br />
quantum computing, weather manipulation, monetary populism, emotionally<br />
responsive artificial intelligence and other potential risks. The theme of emotions is<br />
also addressed in a chapter on the human causes and effects of global risks, with a<br />
call for greater action around rising levels of psychological strain across the world.<br />
To download a PDF copy of the report, go to: https://bit.ly/2VbSjuG<br />
fraud & cybercrime<br />
CYBERCRIME FIGURES 'TIP OF THE ICEBERG'<br />
A REPORTED FALL IN 'COMPUTER MISUSE' DISGUISES A LINK WITH THE RISE IN FRAUD, IT IS CLAIMED<br />
New figures that report a fall in<br />
'computer misuse' and a rise in fraud<br />
show the authorities are failing<br />
to grasp the true impact of cybercrime,<br />
according to a leading cybersecurity expert.<br />
Tim Thurlings, of bluedog Security<br />
Monitoring, a former 'ethical hacker' who<br />
helped to develop the European TIBER threat<br />
intelligence framework, says that the current<br />
figures fail to show the full extent of the<br />
problem and demonstrate the need for more<br />
accurate ways to measure cybercrime.<br />
The figures released by the Office of<br />
National Statistics show that, according<br />
to the National Fraud Intelligence Bureau<br />
(NFIB), 'computer misuse crime' fell by 11%<br />
in the year ending September 2019 to<br />
21,471 offences, following rises in the<br />
previous two years. The NFIB figures include<br />
cases reported by businesses and other<br />
organisations. Meanwhile, the Crime Survey<br />
for England and Wales (CSEW) estimates<br />
that, amongst the population as a whole,<br />
there were just over a million offences -<br />
unchanged from last year.<br />
However, both sets of figures also show<br />
significant rises in fraud over the same<br />
period. According to the NFIB, the number<br />
of reported cases rose by 19% in the year<br />
ending September 2019 to 743,413<br />
offences. At the same time, fraud offences<br />
experienced by adults in England and Wales<br />
increased by 9% to 3.8 million, according<br />
to CSEW. The increase was driven mainly by<br />
a rise in 'bank and credit account fraud',<br />
which totalled 2.7 million offences.<br />
"These figures demonstrate the difficulties<br />
the authorities face in defining cybercrime,"<br />
says Thurlings. "At present, we are failing to<br />
capture the true extent of the problem. So-called<br />
'computer misuse' is just the tip of the<br />
iceberg. I expect that cybercrime plays a role<br />
in many of the fraud cases, even though they<br />
may not be classed as such. For example, a<br />
lot of payment card fraud is now caused by<br />
attackers penetrating retailers' IT networks<br />
and putting malware on their point of sale<br />
systems to capture customers' card details.<br />
"Meanwhile, 'authorised push payments' -<br />
where victims are tricked into paying money<br />
into a criminal's account - are often the result<br />
of phishing emails or phone calls and are a<br />
type of social engineering which is very much<br />
part of cybercrime. It is clear that the police<br />
and finance industry are lacking know-how<br />
on what computer misuse is, and how these<br />
attackers operate.<br />
"However, as cybercrime has become<br />
complex and sophisticated, it is also very<br />
difficult to place offences in one category or<br />
another. In many cases, cybercrime is part of<br />
the mix: for example, criminals may also use<br />
phone calls to victims as part of the scam.<br />
"Certainly, we need better ways to measure<br />
cybercrime, and understand its impact on<br />
business and society as a whole. Companies<br />
need to be aware of the growing threat and<br />
understand that security should not be left<br />
to the IT department. It is now everyone's<br />
responsibility," he concludes.<br />
MANY FACES OF FRAUD<br />
Fraud has many faces, of course, as Rob<br />
Otto, EMEA Field CTO, Ping Identity, points<br />
out, "It is a broad category of crime that<br />
includes fraud by false representation, fraud<br />
by failing to disclose information, and fraud<br />
by abuse of position. In all three classes<br />
of fraud, it requires that, for an offence to<br />
have occurred, the person must have acted<br />
dishonestly and that they had to have<br />
acted with the intent of making a gain for<br />
themselves or anyone else, or inflicting a<br />
loss [or a risk of loss] on another. One of the<br />
fastest growing areas is cyber-related fraud."<br />
According to The City of London Police<br />
'Action Fraud' unit, £34.6 million was<br />
reported to be stolen from victims between<br />
April and September 2018, while around<br />
a third of victims in that period fell prey<br />
to the hacking of social media and email<br />
accounts, he adds. "Cyber fraud can fall into<br />
two broad categories. The first is fraud that<br />
uses an electronic means, such as email,<br />
website or even telephone calls that<br />
attempt to trick a victim into paying for<br />
something fake. Overdue TV licences bills,<br />
software to 'fix' a hacked computer and<br />
forged company invoices are a common<br />
trio from a seemingly endless list of scams.<br />
Identity theft is another common fraud<br />
component that can lead to more complex<br />
fraudulent purchases or financial<br />
agreements," Otto continues.<br />
In both instances, identity has a significant<br />
role to play, he states. "The telephone call,<br />
email or website claiming to be a 'Microsoft'<br />
[or equally well-known tech company]<br />
employee contacting you with a request for<br />
payment may seem legitimate - but being<br />
able to validate this identity can be difficult.<br />
On the other hand, e-commerce payment<br />
processors with a 'card not present'<br />
transaction need to validate a purchaser's<br />
identity beyond just a legitimate credit card<br />
number." Assuring identity is the challenge,<br />
he adds. "In the case of payment fraud,<br />
many checks are happening in the<br />
background that assess risk through<br />
analytics, such as spending habits, geolocation<br />
and merchant trustworthiness.<br />
Banks are also instigating MFA [Multi Factor<br />
Authentication] through one-time pass<br />
codes to card owners' smartphones - and,<br />
as a result, these types of 'card not present'<br />
frauds are either not rising as fast or on the<br />
decline in most markets."<br />
However, the more challenging issue<br />
remains around how individuals can assure<br />
the identity of organisations they deal with<br />
electronically. "Part of the issue is the need to<br />
raise consumer awareness around cyber<br />
security 'hygiene', but this must also extend<br />
to how organisations legitimately contact<br />
customers via digital means. We are<br />
encouraging organisations to use modern<br />
technology, such as smartphone apps<br />
with strong authentication capabilities, to<br />
establish secure communication channels<br />
with their customers. This can help both<br />
the organisation and the end consumer<br />
to recognise a legitimate interaction and<br />
mutually authenticate one another."<br />
INTERNATIONAL BACKING<br />
At a national level, several countries have<br />
instigated government-backed platforms<br />
that can help to assure digital identity, such<br />
as Estonia's digital ID card, which is used for<br />
securely accessing health and tax services<br />
and, increasingly, third party providers.<br />
"However, government-issued ID cards have<br />
been politically toxic, so it's likely that, in the<br />
future, banks may well offer this type of ID<br />
assurance services," he concludes. "This will<br />
become more likely, if a common standard<br />
can be agreed and implemented. Initiatives<br />
such as Open Banking can help to facilitate<br />
dialogue between banks, but at present<br />
the best advice is to use caution and use<br />
secondary methods such as contacting the<br />
listed details on a valid website, if an email<br />
for payment arrives out of the blue."<br />
Rob Otto, Ping Identity: modern<br />
technology can help to establish secure<br />
communication channels with customers.<br />
Tim Thurlings, bluedog Security<br />
Monitoring: we are failing to capture<br />
the true extent of cybercrime.<br />
Coronavirus scam<br />
SPOOF ATTACK UNLEASHED<br />
THE CORONAVIRUS IS CONSTANTLY IN OUR THOUGHTS, AS ITS GLOBAL IMPACT SPREADS. AND IT'S PROVING<br />
ANOTHER MEANS FOR HACKERS AND ATTACKERS TO GET INSIDE ORGANISATIONS' SECURITY DEFENCES<br />
Dr Hayleigh Bosher, Lecturer in<br />
Intellectual Property Law at Brunel<br />
University London. @BosherHayleigh<br />
Sam West, Security Engineer, Libraesva.<br />
@smljsphwst<br />
The Coronavirus has received extensive<br />
media attention, much of which has<br />
been seen to strike fear and panic.<br />
Now hackers, spammers and fraudsters<br />
have used this as an opportunity to launch<br />
new attacks. This article - authored by<br />
Dr Hayleigh Bosher, a lecturer in Intellectual<br />
Property Law at Brunel University London,<br />
and Samuel West, a security engineer for<br />
Libraesva - walks readers through a real-life<br />
attack to show how and why they work,<br />
what to look out for and what can be done<br />
to stop the hackers.<br />
Libraesva, a UK- and Italy-based security<br />
software vendor, recently discovered<br />
targeted phishing and whaling campaigns<br />
based around the Coronavirus outbreak.<br />
Phishing is, of course, the fraudulent<br />
practice of sending emails that pretend<br />
to be from recognisable companies, in<br />
order to get individuals to reveal personal<br />
information, such as passwords or credit<br />
card numbers, and then siphon funds from<br />
an organisation. Whaling, meanwhile, is a<br />
specific type of phishing attack that targets<br />
high-profile employees, such as the CEO<br />
or CFO.<br />
An email spoof, purporting to be a letter<br />
written by the director of Milan University,<br />
and sent from a University of Bologna<br />
compromised account, is a clear example<br />
of a whaling email received and blocked<br />
by Libraesva. The email reveals how the<br />
attackers pretended to be the director,<br />
warning internal users of the outbreak<br />
of Coronavirus and what steps to take to<br />
prevent further spread. In this case, the<br />
hacker was able to change the code of the<br />
email to make it appear to be sent from<br />
a trusted sender - the director himself.<br />
Unlike a typical whaling attack that asks<br />
immediately for a transfer of funds, this<br />
hacker, taking advantage of the fear around<br />
Coronavirus, asks readers to download<br />
a guide to stop the disease.<br />
TRUSTED SOURCE<br />
The interesting thing about this attack is<br />
that the underlying sender of the email<br />
is trusted by the university, gaining the<br />
confidence of the receiving email server<br />
technology. The email states, on many<br />
occasions, the dangers of the virus 2019-nCoV<br />
as a respiratory epidemic and makes<br />
a call to action for readers to quickly look at<br />
the attached document, which is a simple<br />
docx file with a link. However, once a reader<br />
clicks to access the document, the hacker<br />
has set up a fake Office 365 login page,<br />
which requires users' login and passwords<br />
to see the document.<br />
Once 'Download File' is selected, the<br />
motivation of the hacker and the scam<br />
becomes clear, asking for university user<br />
login details and passwords.<br />
The risks are very high. Hackers can sell the<br />
credentials that they obtain or use them to<br />
exfiltrate even more data. They could also<br />
log in as a staff member and use that to<br />
send further malicious emails, which is how<br />
this email was able to be sent in the first<br />
place.<br />
BUT ISN'T THIS ILLEGAL?<br />
Yes, of course, this type of activity is illegal.<br />
Most countries around the world have laws<br />
against this type of cybercrime. In the EU,<br />
there is the Convention on Cybercrime and,<br />
in the UK, we have the Computer Misuse<br />
Act. These regulations make it illegal to<br />
interfere with the functioning of a<br />
computer. There are also laws against fraud<br />
and the GDPR, which protects data, and this<br />
would come into play because of the data<br />
the hackers obtained illegally. The problem<br />
is that these hackers are difficult to locate,<br />
as they often use technological measures<br />
to ensure that they are not traceable.<br />
WHAT ELSE CAN WE DO ABOUT IT?<br />
This example was located and prevented<br />
through Libraesva's email security software<br />
and management. It was observed that<br />
the spoofed sender of the email was on<br />
a compromise protection list, known<br />
in the industry as 'BEC - Business Email<br />
Compromise', so additional checks were<br />
undertaken.<br />
The email was sent using an email address<br />
of another university, after that person<br />
was successfully hacked. Using Libraesva's<br />
Adaptive Trust Engine's relationship<br />
monitoring, we saw that the trust between<br />
these two universities was quite high. But<br />
the trust between the two individual users<br />
was low; we didn't let the organisational<br />
trust get in the way of understanding the<br />
true nature of the email.<br />
The third indicator was that the email<br />
came externally to the Milan University<br />
users, which doesn't make any sense, as all<br />
emails from the director will 99% of the<br />
time come via the internal route, meaning<br />
this is obviously fake.<br />
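To make the three indicators concrete, here is an added example that scores an inbound message against them. It is not Libraesva's code, and the Adaptive Trust Engine's internals are not described on the page; the domains, the BEC list entry, the trust scores, the two sample messages and the block threshold are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# All values below are constructed for the example; a real gateway learns the
# trust tables from observed mail flow and maintains its own BEC list.
BEC_PROTECTED = {"director@milan-university.example"}   # identities that attract extra checks
INTERNAL_DOMAIN = "milan-university.example"
INTERNAL_HOSTS = {"mail.milan-university.example"}      # relays that carry genuine internal mail
# Pairwise trust scores in the range 0..1, keyed (sender, recipient).
ORG_TRUST = {("bologna-university.example", "milan-university.example"): 0.90}
USER_TRUST = {("alice@bologna-university.example", "staff@milan-university.example"): 0.05}


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def _first_hop_host(msg):
    """Host that handed the message to our MX: the 'from' of the topmost Received header."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = re.search(r"from\s+([^\s(]+)", received[0])
    return match.group(1).lower() if match else None


def assess(raw_message):
    """Score a message against the three indicators; returns (score, reasons)."""
    msg = message_from_string(raw_message)
    header_from = parseaddr(msg.get("From", ""))[1].lower()           # identity shown to the reader
    envelope_from = parseaddr(msg.get("Return-Path", ""))[1].lower()  # account that really sent it
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    reasons = []

    # 1. The displayed sender is on the BEC protection list, so look harder.
    if header_from in BEC_PROTECTED:
        reasons.append("claimed sender is on the BEC protection list")

    # 2. The two organisations trust each other, but these two people have no history.
    org = ORG_TRUST.get((_domain(envelope_from), _domain(recipient)), 0.0)
    user = USER_TRUST.get((envelope_from, recipient), 0.0)
    if org >= 0.5 and user < 0.2:
        reasons.append(f"organisation trust {org:.2f} but user-pair trust {user:.2f}")

    # 3. An internal identity should arrive via the internal relay, not from outside.
    hop = _first_hop_host(msg)
    if _domain(header_from) == INTERNAL_DOMAIN and hop not in INTERNAL_HOSTS:
        reasons.append(f"internal sender delivered via external host {hop}")

    return len(reasons), reasons


def should_block(raw_message, threshold=2):
    """Block when at least `threshold` indicators fire (the threshold is an assumption)."""
    return assess(raw_message)[0] >= threshold


# Constructed message modelled on the whaling email described above.
SPOOFED = """\
Received: from mx.bologna-university.example (203.0.113.10) by mx.milan-university.example
Return-Path: <alice@bologna-university.example>
From: "University Director" <director@milan-university.example>
To: staff@milan-university.example
Subject: Urgent: 2019-nCoV guidance for all staff

Please download the attached guide immediately.
"""

# Constructed genuine internal notice from the same identity.
GENUINE = """\
Received: from mail.milan-university.example (10.0.0.5) by mx.milan-university.example
Return-Path: <director@milan-university.example>
From: "University Director" <director@milan-university.example>
To: staff@milan-university.example
Subject: Term dates

See the attached calendar.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        score, reasons = assess(raw)
        print(f"{name}: score={score} block={should_block(raw)} reasons={reasons}")
```

The genuine notice trips only the first indicator (the director is on the list by design), which is why the list alone triggers extra checks rather than a block; the spoofed message trips all three because the account that really sent it belongs to a different organisation and entered from outside.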
The coronavirus is an opportunity for<br />
hackers to take advantage of the fear to<br />
scam people, business and universities. It is<br />
important to be aware of these risks and<br />
take the necessary precautionary action.<br />
Using the above indicators, Libraesva has<br />
built a dedicated technology to halt these<br />
kinds of attacks. Make sure your IT team<br />
employs some form of email security, as email is the<br />
main way that threats and malicious activity<br />
can get into your organisation.<br />
Growth of the virus in China and<br />
other countries (graph courtesy of<br />
the World Health Organisation)<br />
EMAIL LANDSCAPE AND THE CORONAVIRUS<br />
Since 17 February, Libraesva have been carefully monitoring the situation with the<br />
Coronavirus and the effect it is having on email, looking into the change of the<br />
email content, the behaviour of users and even the changing threat landscape.<br />
In the top graph, right, supplied by the World Health Organisation, can be seen<br />
the growth of the virus in China and other countries. By paying close attention to<br />
the ‘Other Countries’ graph, it is possible to compare the infection rate to the<br />
second graph, showing the amount of legitimate communication around the virus<br />
in a similar timeframe. When comparing the two data sets, it can be seen that the<br />
curve is almost identical, with the more legitimate communication growing at the<br />
same rate as the infections are. This clearly indicates that the concern and<br />
communication between organisations is effectively rising at the same rate as the<br />
infections are growing.<br />
After looking at the clean email, in comparison to the infections, it's possible to<br />
see how the malicious email and threat attempts are changing, too. The graphic,<br />
bottom right, demonstrates how the malicious attempts on Libraesva users have<br />
increased at the same rate, meaning not only are the threat actors using the<br />
virus to their advantage, but also that end users are discussing the issue more.<br />
One of the key aspects of a successful attack is the degree to which such incidents<br />
are talked about and the anxiety they generate amongst other users - and this is<br />
the perfect example of that happening.<br />
Shown here is the growing communication<br />
taking place, by email, about the Coronavirus.<br />
Rising number of malicious attempts on<br />
Libraesva users, as threat actors seek to<br />
use the virus to their advantage.<br />
GDPR<br />
BREACHED - AND TOTALLY UNAWARE<br />
IF A CYBER BREACH WERE TO TAKE PLACE WITHIN ORGANISATIONS THAT TOOK PART IN A RECENT POLL,<br />
A STAGGERING 47.6% CONCEDED THEY SIMPLY WOULD NOT KNOW IT HAD ACTUALLY HAPPENED<br />
Almost half of respondents to a recent<br />
Twitter poll run by Infosecurity Europe,<br />
Europe's number one information<br />
security event, admit they would be<br />
completely unaware, if a cyber breach<br />
occurred in their organisation. The poll was<br />
designed to explore incident response, an<br />
area that has come under much scrutiny<br />
following Travelex's reaction to its New Year's<br />
Eve cyber-attack, which resulted in many of<br />
its systems going down and impacted travel<br />
currency sales.<br />
In answer to the question, 'If a cyber breach<br />
occurred, how quickly could you discover it?',<br />
31.5% of respondents said they would<br />
unearth the breach immediately, 14.3%<br />
within 30 days and 6.6% within 200 days.<br />
However, a shocking 47.6% conceded they<br />
simply would not know.<br />
According to Maxine Holt, research director<br />
at Ovum, this reflects a widespread issue.<br />
"Discovering a breach well after the event is<br />
usual. Uncovering breaches is not easy, but<br />
proactive threat hunting is an approach being<br />
increasingly used by organisations. Regularly<br />
scanning environments to look for anomalies<br />
and unexpected activity is useful, but it can be<br />
difficult to deal with the number of resulting<br />
alerts. Ultimately, effective cyber hygiene<br />
involves having layers of security to prevent,<br />
detect and respond to incidents and<br />
breaches."<br />
GOOD RISK INSIGHT<br />
Good incident response demands good risk<br />
insight. The poll examined this by asking,<br />
'What understanding do you have of your<br />
information assets?' A worrying 44.7%<br />
revealed they had 'very little' understanding,<br />
states Holt, with 30.7% stating they had<br />
'some' - and only 24.7% said their grasp was<br />
'comprehensive'.<br />
Bev Allen, head of Information Security<br />
Assurance, CISO, Quilter, says: "Many<br />
companies don't know what or where all their<br />
information assets are. They may think they<br />
do; but, if they're wrong, this leaves them<br />
vulnerable to breaches. Consistent knowledge<br />
of your assets takes effort; you need tools and<br />
systems to record what you have, you need<br />
people to follow appropriate processes, and<br />
you need to search to find out what you don't<br />
know about and where it is. This search must<br />
be done regularly."<br />
Steve Trippier, CISO of Anglian Water,<br />
believes the 'knowledge gap' is due to a lack<br />
of awareness of the need for effective asset<br />
management. "It often falls behind other<br />
processes, in terms of priorities, as its value<br />
can be less immediately obvious. As more<br />
companies introduce automated vulnerability<br />
discovery and management, the need for<br />
effective asset management will become very<br />
obvious, especially as cyber teams highlight<br />
vulnerabilities on assets that the organisation<br />
forgot it even had!"<br />
The poll also uncovered potential evidence<br />
of skewed priorities around post-breach<br />
actions. Travelex released a series of<br />
statements after its December 2019 attack,<br />
but received criticism from customers for a<br />
lack of information about when service would<br />
return to normal and whether sensitive<br />
customer data had been accessed, as the<br />
gang behind the attack claimed.<br />
REFOCUS NEEDED<br />
In response to the question, "What is the key<br />
priority when dealing with the fall-out of a<br />
major cyber-attack?", getting back to business<br />
topped the list for 42.4% of respondents,<br />
followed by customer communications and<br />
PR (23.6%), engaging law enforcement<br />
(19.4%) and ensuring compliance (14.6%).<br />
This indicates that more time and energy<br />
might need to be refocused on the<br />
communication side of incident response.<br />
"PR can make or break a breach," agrees<br />
Maxine Holt. "Arguably, British Airways did<br />
a decent job, whereas Equifax did not.<br />
Ultimately, the 6-Ps mantra should be at the<br />
forefront of organisations' minds: 'proper<br />
preparation and planning prevents poor<br />
performance'. Being ready for a cyber-attack,<br />
security incident or data breach, in general,<br />
means the organisation has a much better<br />
chance of emerging out of it in a reasonable<br />
state."<br />
Becky Pinkard, chief information security<br />
officer with Aldermore, also highlights the<br />
need for proper planning. "Good incident<br />
response requires attention across all areas -<br />
from public relations management to deep<br />
technical expertise, and everything in<br />
between. However, companies largely fail, due<br />
to two reasons: they lack any documented<br />
incident response plan; and, if they do have<br />
a plan, they've not 'stress tested' it."<br />
Incident response is set to be a key<br />
cybersecurity theme for 2020 and will be<br />
covered extensively as part of the programme<br />
at Infosecurity 2020 (2-4 June, Olympia,<br />
London).<br />
Nicole Mills, senior exhibition director at<br />
Infosecurity Group, comments: "Working to<br />
prevent breaches will always be imperative,<br />
but the cybersecurity industry is increasingly<br />
recognising that this is not always possible,<br />
and that how organisations respond to and<br />
recover from a breach is incredibly important.<br />
The results of our poll indicate that<br />
improvements need to be made in areas<br />
including breach detection, the thorough<br />
preparation and rehearsal of response plans,<br />
and the discovery and classification of<br />
information assets.<br />
"They also highlight that, while having a<br />
clear strategy to restore 'business as usual'<br />
as quickly as possible, immediate and<br />
transparent communication with customers -<br />
and also partners, suppliers and regulators -<br />
is necessary to preserve trust and protect<br />
the brand's reputation. This means PR<br />
departments should be part of the incident<br />
response team."<br />
Attracting 6,568 responses, the Infosecurity<br />
Europe Twitter poll was conducted during the<br />
week of 13 January. Infosecurity Europe also<br />
asked its community of CISOs and analysts<br />
for their views on incident response in<br />
cybersecurity.<br />
Maxine Holt, Ovum: layers of security<br />
needed to prevent, detect and respond to<br />
incidents and breaches.<br />
Nicole Mills, Infosecurity Group: PR<br />
departments should be part of the<br />
incident response team.<br />
A 'MUST BE THERE' EVENT<br />
Infosecurity Europe, now in its 25th year,<br />
takes place at Olympia, Hammersmith,<br />
London, from 2-4 June 2020. The show<br />
attracts more than 19,500 unique<br />
information security professionals,<br />
attending from every segment of the<br />
industry, as well as 400-plus exhibitors<br />
showcasing their products and services,<br />
industry analysts, worldwide press and policy experts. More than 200 industry<br />
speakers are lined up to take part in this year's free-to-attend conference, seminar<br />
and workshop programme. To register, go to: https://bit.ly/2wodvDs<br />
encryption systems<br />
THE QUANTUM CRYPTO REVOLUTION<br />
COMMERCIALLY AVAILABLE ENCRYPTION SYSTEMS ARE ALREADY WITH US AND THEIR POTENTIAL<br />
IS HUGE, ALTHOUGH THE TECHNOLOGY STILL HAS MANY ISSUES THAT MUST BE OVERCOME<br />
Imran Shaheem, Cyberis: quantum<br />
computers provide benefits in<br />
cryptographically significant ways.<br />
Quantum computing technology will<br />
"force a change to the landscape of<br />
cryptography," according to Imran<br />
Shaheem, cyber security consultant at Cyberis.<br />
It has come a long way since scientific and<br />
mathematical interest erupted in the 90s.<br />
"Quantum computers have serious<br />
consequences for classical cryptography<br />
and the future standards for secure<br />
communication," he states.<br />
Successful trials of quantum cryptography<br />
to secure communication through quantum<br />
physics have been undertaken already and<br />
progress in quantum technologies has been<br />
swift over the last decade, he points out.<br />
"Quantum Key Distribution (QKD) systems<br />
have been tested by banks and governments,<br />
while similar systems were deployed as far<br />
back as the 2010 FIFA World Cup in South<br />
Africa. In 2017, researchers held a QKD-protected<br />
video conference between China<br />
and Austria, using the quantum satellite<br />
Micius."<br />
Admittedly, while quantum computers won't<br />
be able to change everything, they provide<br />
benefits in cryptographically significant ways.<br />
One of these is factoring large numbers.<br />
"This is a technique central to the security<br />
of several algorithms, such as RSA, in which<br />
prime factors of large numbers underpin the<br />
encryption. As a consequence, RSA's security<br />
and other algorithms employing similar<br />
techniques, will be compromised by<br />
introducing disruptive quantum computers.<br />
This leaves a space within classical<br />
cryptography that its quantum counterpart<br />
attempts to solve," adds Shaheem.<br />
The benefits are numerous. "Information<br />
cannot be unknowingly intercepted, due to<br />
quantum principles, including the 'no cloning'<br />
theorem and quantum superposition, which<br />
provides natural resistance to eavesdropping.<br />
The security provided stems from underlying<br />
physical properties. It's baked into the universe<br />
and therefore isn't something that can be<br />
cracked through quantum computing power.<br />
As security is on the physical layer, quantum<br />
cryptography can secure the end-to-end<br />
connection, without needing an SSL or VPN,"<br />
he points out.<br />
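As an added illustration of the eavesdropping resistance described above (example code, not from Cyberis or the article), the following simulates BB84 with idealised qubits and shows how an intercept-resend attacker raises the quantum bit error rate (QBER) of the sifted key, which is what lets the two parties detect the tap. The qubit count, the seed and the 11% abort threshold are assumptions of the example.

```python
import random


def measure(bit, prep_basis, meas_basis, rng):
    """A measurement in the preparation basis returns the encoded bit; in the other
    basis the outcome is a fair coin, and the qubit is left in that new state."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)


def bb84(n_qubits, eavesdrop, rng):
    """Run one BB84 exchange and return (sifted_key_bits, qber).

    Bases: 0 = rectilinear, 1 = diagonal. `eavesdrop` inserts an intercept-resend
    attacker who measures every qubit in a random basis and forwards the result."""
    alice_bits = [rng.randint(0, 1) for _ in range(n_qubits)]
    alice_bases = [rng.randint(0, 1) for _ in range(n_qubits)]
    bob_bases = [rng.randint(0, 1) for _ in range(n_qubits)]
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        state_bit, state_basis = bit, a_basis
        if eavesdrop:
            e_basis = rng.randint(0, 1)
            state_bit = measure(state_bit, state_basis, e_basis, rng)
            state_basis = e_basis   # no cloning: the attacker can only forward what was measured
        bob_bits.append(measure(state_bit, state_basis, b_basis, rng))

    # Sifting: Alice and Bob publicly compare bases and keep only matching positions.
    sifted = [(a, b) for a, b, ab, bb in zip(alice_bits, bob_bits, alice_bases, bob_bases)
              if ab == bb]
    errors = sum(a != b for a, b in sifted)
    qber = errors / len(sifted) if sifted else 0.0
    return sifted, qber


def key_is_trustworthy(qber, threshold=0.11):
    """Abort when the error rate exceeds the threshold. 0.11 is the commonly cited
    security bound for BB84 and is an assumption of this example, not a page figure."""
    return qber <= threshold


def run_demo(n_qubits=4000, seed=2020):
    """Return (clean_len, clean_qber, tapped_len, tapped_qber) for one clean and one tapped run."""
    rng = random.Random(seed)
    clean_key, clean_qber = bb84(n_qubits, eavesdrop=False, rng=rng)
    tapped_key, tapped_qber = bb84(n_qubits, eavesdrop=True, rng=rng)
    return len(clean_key), clean_qber, len(tapped_key), tapped_qber


if __name__ == "__main__":
    clean_len, clean, tapped_len, tapped = run_demo()
    print(f"no eavesdropper: {clean_len} sifted bits, QBER={clean:.3f}, "
          f"trustworthy={key_is_trustworthy(clean)}")
    print(f"intercept-resend: {tapped_len} sifted bits, QBER={tapped:.3f}, "
          f"trustworthy={key_is_trustworthy(tapped)}")
```

In this ideal model the clean run has zero errors and the tapped run about 25%: the attacker guesses the wrong basis half the time, and a wrong-basis measurement randomises Bob's result in half of those cases. Roughly half the qubits survive sifting. The implementation attacks mentioned later in the article, such as light injection, work precisely because real sources and detectors deviate from this idealised model, which is why Shaheem's point about testing configurations matters.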
However, there are some issues, the cyber<br />
security consultant concedes. "It's expensive,<br />
because this is at cryptography's cutting edge.<br />
R&D costs are high, as are the fabrication<br />
costs of specialist components. There is also<br />
a costly requirement for an independent<br />
infrastructure capable of supporting quantum<br />
cryptography. Many of these issues will be<br />
overcome in time as the technology matures."<br />
It's easy to think that quantum technology<br />
and its effect on current infrastructure<br />
is distant. However, there are already<br />
commercially available encryption systems,<br />
including ID Quantique's Cerberis3 system for<br />
key distribution. Many of these systems are<br />
based on the popular protocol, BB84. "Whilst<br />
there is still life in classical methods, the focus<br />
is shifting to next-generation technologies<br />
addressing solutions to tomorrow's problems.<br />
These don't always come with a quantum<br />
flavour, but post-quantum cryptography is<br />
seen as the answer to quantum computers'<br />
potential for massive changes and the<br />
associated cryptographic problems.<br />
"With the solutions we have now, quantum<br />
or classical, the biggest hurdle is their<br />
deployment," says Shaheem. "Poorly thought-through<br />
implementations leave these systems<br />
vulnerable, as seen through the light injection<br />
attack, for example, which can defeat certain<br />
applications of BB84. Like modern-day<br />
systems, testing surrounding configuration<br />
will be crucial against inherent and<br />
implementation flaws."<br />
Companies should think seriously about how<br />
the transitionary process to quantum-secure<br />
systems will affect their business, he advises.<br />
"The time is now to look to the future and<br />
ensure tomorrow's world doesn't break today's<br />
encryption and expose sensitive data."<br />
masterclass<br />
BATTLING THE BREACHES<br />
A GLUT OF BREACHES ACROSS THE UK IS PROMPTING MANY ORGANISATIONS TO SEEK CYBER ESSENTIALS AUDITS<br />
According to the 2019 DCMS Cyber<br />
Security Breaches Survey, around a<br />
third of UK businesses fell victim to a<br />
cyber breach or attack over the previous year<br />
and, of those, nearly half had identified at<br />
least one breach or attack per month. This<br />
persistent threat may explain the surge in<br />
companies asking Xcina IS, an information<br />
services company based near Cardiff, for<br />
Cyber Essentials audits.<br />
Instigated by the UK Government's National<br />
Cyber Security Centre, the Cyber Essentials<br />
scheme evaluates participants' processes<br />
against five cyber security controls: boundary<br />
firewalls and internet gateways, secure<br />
configuration, access control, malware<br />
protection and patch management. Correctly<br />
deployed, these will protect against most<br />
common cyber threats, based on commodity<br />
capabilities available on the internet.<br />
Cyber Essentials certification has, since<br />
2014, been mandatory for suppliers bidding<br />
for public sector contracts involving the<br />
handling of sensitive and personal<br />
information, and provision of certain<br />
technical products and services. It also<br />
reassures clients, both current and<br />
prospective, that security considerations<br />
have been built into systems and processes.<br />
Certification is awarded on successful<br />
completion of a verified self-assessment<br />
questionnaire, but Xcina IS also offers an<br />
assisted version, as many SMEs lack the<br />
technical expertise to complete the process<br />
on their own.<br />
According to Chris Benson, Technical<br />
Director at Xcina IS: "A lot of people just<br />
don't realise that security patching needs to<br />
go beyond desktops and servers, for example.<br />
Hackers can exploit any device that provides a<br />
link between your network and the internet.<br />
That could include printers, VPN appliances,<br />
firewalls, switches, access points - anything<br />
that can run code, basically. And once<br />
someone has found a way into your network<br />
through one of these, they can exploit other<br />
internal security issues and, before you know<br />
it, you've got a ransomware attack on your<br />
hands," he says.<br />
Benson and his experienced team of<br />
engineers also conduct site visits to run the<br />
system scans required for clients wishing to<br />
take the next step: Cyber Essentials Plus<br />
certification. This more stringent audit builds<br />
on the foundations of Cyber Essentials and<br />
includes both internal and external scans to<br />
identify any areas requiring attention, as well<br />
as a series of on-site malware tests and an<br />
inspection of handheld devices.<br />
As an IASME-accredited certification body,<br />
Xcina IS also works with companies looking<br />
to achieve the IASME Standard, an<br />
information-security standard designed for<br />
SMEs. Two levels of assessment are offered:<br />
IASME Verified Self-Assessment, involving<br />
a questionnaire relating to cyber security,<br />
security governance and GDPR compliance,<br />
and IASME Gold, which requires an<br />
additional onsite audit.<br />
The increase in requests for these services<br />
may arise from increased awareness of the<br />
risks of lax cyber security. Media stories about<br />
the latest big name to suffer a data breach<br />
come thick and fast. Maybe the penny is<br />
finally dropping. The number of companies<br />
reporting breaches or attacks in the DCMS<br />
survey is still significant, but it does represent<br />
a considerable drop on numbers in previous<br />
years. The survey also indicates that<br />
companies are increasingly prioritising cyber<br />
security, with more written cyber security<br />
policies, greater provision of cyber security<br />
training for staff and regular updates to<br />
senior management on actions taken around<br />
cyber security.<br />
Organisations which understand that cyber<br />
security complements existing strategic<br />
priorities (by protecting reputation and<br />
finances, and keeping key services running,<br />
for example), rather than competing with<br />
them, are likely to be in a far better position<br />
to anticipate, identify, prevent and deal with<br />
potential attacks. As Benson says: "Ultimately,<br />
if you're serious about protecting your assets,<br />
you'll employ a company like us."<br />
For further information about Cyber<br />
Essentials, Cyber Essentials Plus and the<br />
IASME Standard, call Xcina IS on 02922<br />
671564 or visit https://is.xcina.co.uk/<br />
expert insights<br />
THE INTELLIGENT APPROACH TO CYBER THREAT INTELLIGENCE<br />
SEEKING SOMEONE WHO CAN UNDERSTAND VULNERABILITY, EXPLOITATION AND ATTACKER MOTIVATION?<br />
IAN THORNTON-TRUMP, CHIEF INFORMATION SECURITY OFFICER FOR CYJAX, MAY HAVE THE ANSWER<br />
Ian Thornton-Trump, Cyjax.<br />
As soon as you say the word<br />
'Intelligence', everyone seems to<br />
think 1960s East Germany. I don't<br />
know why everyone seems to think that<br />
the words 'Intelligence Analyst' are<br />
exclusively reserved for nation states or<br />
large organisations. I'm here to tell you<br />
that tactical intelligence and strategic<br />
intelligence are easily within the reach<br />
of most organisations - no trench coats<br />
required.<br />
The reality is that an 'intelligence<br />
Analyst Skill' is not learned in university;<br />
it's generally the domain of law<br />
enforcement, military or government<br />
agency service. That's a travesty that<br />
I am going to fix right now. It does not<br />
require some sort of special person,<br />
special forces qualified and of<br />
exceptional intelligence. It does require<br />
a person to be able to embrace a<br />
different way of thinking and writing,<br />
which moves beyond traditional<br />
academic writing or journalism.<br />
Intelligence analysis and the products<br />
that process produces are all about<br />
timely, accurate and actionable content -<br />
a marked departure from 5,000 words<br />
on the fall of the Prussian Empire or an<br />
attempt to sensationalise the latest<br />
celebrity misstep.<br />
When you stick the Cyber word in front<br />
of 'Intelligence Analysis', one may think<br />
that this is an even more esoteric profession,<br />
but it is actually applying the 'world's<br />
second oldest profession's' thinking to<br />
a relatively new problem. Despite the<br />
Hollywood and media stereotypes of<br />
excessive gym-based activity 'Blackhat'<br />
or nerdy computer skills 'CSI Cyber', the<br />
actual "Cyber Threat Intelligence Analyst"<br />
needs none of those marksmanship or<br />
hacking skills - it's not to say they may<br />
not help, but realistically it's unlikely to<br />
be needed in day-to-day activity.<br />
So, the question is: What is a Cyber<br />
Threat Intelligence Analyst? An oracle?<br />
A fortune teller? In simple terms,<br />
it's someone that can understand<br />
vulnerability, exploitation and attacker<br />
motivation. An expert at threat<br />
modelling with gifted communication<br />
skills. Folks that have had to stand in<br />
front of a class or defend a dissertation<br />
are generally superior recruits for<br />
executing analysis tasks to protect<br />
organisations. If Park Rangers look for<br />
fires through binoculars, Intelligence<br />
analysts tell them where to look and why<br />
they need to look. That's the essence of<br />
the job.<br />
One can easily understand that, if you<br />
know where to look and why you need<br />
to look, this is a huge cost savings and<br />
a huge time saving - that's the value<br />
of intelligence when it comes to your<br />
organisation. Imagine if a person was<br />
able to look at what you have and tell<br />
you what bad guys have that may take it<br />
away, and what you could do to thwart<br />
them. A 'win', then, is getting in front of<br />
an attack by knowing when, where and<br />
how the attack might come.<br />
Now, truth be told, I've had a lot of<br />
training as an intelligence analyst<br />
(Canadian Forces & RCMP - I was actually<br />
trained by an ex-CIA instructor) and, in the<br />
case of 'EternalBlue', 'BlueKeep' and the<br />
registration of a fraudulent typosquatting<br />
domain, along with issue of a certificate<br />
for that typosquatting domain, I'm<br />
very confident that an attack on an<br />
organisation is forthcoming - as that's<br />
what bad guys do. My prediction based<br />
upon analysis comes from experience,<br />
but how I reach that conclusion is an<br />
intellectual process - easily taught and<br />
more accurate over time with analyst<br />
experience.<br />
Good intelligence can help direct a<br />
spoiling attack - something that disrupts<br />
the bad guys from successfully executing<br />
an exploit against you. The information<br />
to protect your organisation is out there<br />
- you just need someone that is trained<br />
in the art of listening and direct your<br />
organisation to take action.<br />
COVID-19<br />
HOMING IN ON COVID-19<br />
AS THE IMPACT OF THE COVID-19 VIRUS ESCALATES, MORE AND MORE EMPLOYEES ARE WORKING<br />
FROM HOME. BUT DANGERS LURK THERE AS WELL AND URGENT ACTION NEEDS TO BE TAKEN<br />
As the UK begins to embark on its<br />
biggest ever deployment of homeworking<br />
due to the spread of COVID-<br />
19, there is a real risk of an imminent large-scale<br />
cybersecurity crisis, warns Phil Chapman,<br />
Senior Cybersecurity Instructor at Firebrand<br />
Training.<br />
"Hundreds of thousands of people will soon,<br />
if not already, be working from home for an<br />
unspecified period of time, putting a huge<br />
strain on IT departments who hold a lot of<br />
the responsibility for keeping the business up<br />
and running during this period. For many<br />
companies and employees, it will be the first<br />
time they have experienced home working<br />
on such a magnitude and many will not be<br />
sufficiently prepared for the security risks."<br />
Three pieces of advice that Chapman offers<br />
to organisations that are seeking to mitigate<br />
the risk they face during what are challenging<br />
times are:<br />
Advise your employees to avoid using their<br />
Wifi connection at home and rather connect<br />
their laptops or workstations to the router<br />
with a network cable. "Not only does this<br />
provide a more secure connection, but it also<br />
enhances speed, as it will be quicker than<br />
wireless."<br />
Make sure employees are using a VPN<br />
[Virtual Private Network], with appropriate<br />
encapsulation and authentication to the data<br />
they are accessing. "If possible, use IPSEC or<br />
SSTP (Secure Socket Tunnelling Protocol) as a<br />
connection. You can suggest split tunnelling,<br />
which allows a user to establish a secure VPN<br />
for work-related connections, but use their<br />
own Internet connection for 'non-work' related<br />
activities."<br />
The most important thing is to ensure your<br />
staff have sufficient cybersecurity awareness.<br />
"At this time, there should be no reason why<br />
a user is connecting to corporate resources in<br />
public spaces as they should be at home," he<br />
adds. "But they must be aware that other<br />
people can still access their screens - although<br />
the risk is smaller at home, users should lock<br />
their devices when not in use. They should<br />
behave as if they were in the office, applying<br />
the same security mechanisms as they would<br />
do at work. Acceptable usage policies [for<br />
corporate and BYOD devices] should be robust<br />
and apply at home equally as at work. This<br />
also includes telephone calls and online<br />
meetings."<br />
MANAGING RISK<br />
There are several things organisations can do<br />
to better protect their corporate environment<br />
from threats as they adapt to a remote and<br />
distributed workforce, states Matt Shelton,<br />
director, Technology Risk and Threat<br />
Intelligence, FireEye. "Accessing corporate<br />
resources remotely creates an opportunity<br />
for attackers to blend in with the workforce.<br />
Implementing multi-factor authentication<br />
(MFA) on all external corporate resources<br />
significantly reduces this risk."<br />
But organisations should not stop at MFA,<br />
he adds. "Implement a single sign-on (SSO)<br />
platform to tie corporate and cloud resources<br />
together with a common authentication<br />
source. Employees will appreciate a common<br />
set of credentials, while providing<br />
administrators with the ability to centralise<br />
credential management and monitor for<br />
abuse." No one yet knows the likely scale of<br />
the virus's impact or how long the pandemic<br />
may last. Keeping safe from COVID-19 and<br />
staying secure at home when working on-line<br />
may become a long-term challenge that<br />
most of us will have to face in the weeks and<br />
months that lie ahead.<br />
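The MFA and SSO advice above comes down to one authentication source whose logs can be watched for abuse. What follows is an added example, not code from FireEye or from this magazine: it scans a constructed, hypothetical JSON-lines SSO log for two patterns a security team would want alerted, a burst of denied MFA prompts against a single account (the sign that someone other than the user holds the password and is hoping the user eventually taps "approve") and two successful sign-ins from different countries too close together to be the same person. The field names, thresholds and log layout are assumptions.<br />

```python
"""Monitor a central SSO/MFA log for abuse patterns.

Added illustration; the log format below is constructed and hypothetical.
Real SSO platforms export different field names, but the same two checks apply.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: alice is hammered with MFA prompts, bob signs in
# from two countries forty minutes apart, carol declines one prompt by mistake.
SAMPLE_LOG = """
{"ts": "2020-03-20T08:01:00", "user": "alice", "event": "mfa_challenge", "result": "denied", "country": "GB"}
{"ts": "2020-03-20T08:01:30", "user": "alice", "event": "mfa_challenge", "result": "denied", "country": "GB"}
{"ts": "2020-03-20T08:02:00", "user": "alice", "event": "mfa_challenge", "result": "denied", "country": "GB"}
{"ts": "2020-03-20T08:02:30", "user": "alice", "event": "mfa_challenge", "result": "denied", "country": "GB"}
{"ts": "2020-03-20T08:03:00", "user": "alice", "event": "mfa_challenge", "result": "denied", "country": "GB"}
{"ts": "2020-03-20T08:03:30", "user": "alice", "event": "mfa_challenge", "result": "approved", "country": "GB"}
{"ts": "2020-03-20T09:00:00", "user": "bob", "event": "login", "result": "success", "country": "GB"}
{"ts": "2020-03-20T09:40:00", "user": "bob", "event": "login", "result": "success", "country": "BR"}
{"ts": "2020-03-20T10:00:00", "user": "carol", "event": "mfa_challenge", "result": "denied", "country": "GB"}
{"ts": "2020-03-20T10:00:20", "user": "carol", "event": "mfa_challenge", "result": "approved", "country": "GB"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a real datetime, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_mfa_fatigue(events, threshold=4, window=timedelta(minutes=10)):
    """Return (user, count) for users with >= threshold denied MFA prompts inside one window."""
    denied = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_challenge" and e["result"] == "denied":
            denied[e["user"]].append(e["ts"])
    findings = []
    for user, stamps in denied.items():
        best = 0
        for i, start in enumerate(stamps):        # stamps are already time-ordered
            count = sum(1 for t in stamps[i:] if t - start <= window)
            best = max(best, count)
        if best >= threshold:
            findings.append((user, best))
    return findings


def detect_impossible_travel(events, min_gap=timedelta(hours=2)):
    """Return (user, from_country, to_country, minutes) for sign-ins from two countries too close together."""
    logins = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["result"] == "success":
            logins[e["user"]].append(e)
    findings = []
    for user, seq in logins.items():
        for prev, cur in zip(seq, seq[1:]):
            gap = cur["ts"] - prev["ts"]
            if prev["country"] != cur["country"] and gap < min_gap:
                findings.append((user, prev["country"], cur["country"], int(gap.total_seconds() // 60)))
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("MFA fatigue:", detect_mfa_fatigue(evs))
    print("Impossible travel:", detect_impossible_travel(evs))
```

Both checks only work because the SSO platform is the single place every sign-in passes through; with credentials scattered across separate cloud consoles there is no one log to run them over.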
Phil Chapman, Firebrand Training:<br />
ensure your staff have sufficient<br />
cybersecurity awareness.<br />
product review<br />
CLOUD PROTECTION FOR<br />
SALESFORCE FROM F-SECURE<br />
Cloud-based services have caught on<br />
fast, offering a range of benefits to<br />
organisations of every kind. Adding<br />
security to these services has not always<br />
been as swift and this is compounded by<br />
the increased attack surface that cloud<br />
deployments create, especially when<br />
files and URLs are being frequently and<br />
routinely exchanged within what is<br />
considered to be a trusted community.<br />
Cloud-based services increasingly mean<br />
that organisations place some of their<br />
most valuable and critical data assets in<br />
the cloud and this requires a focused and<br />
highly tactical response, if data loss is to<br />
be prevented, and legislative and<br />
regulatory penalties avoided.<br />
There is a generic way to deal with this:<br />
Cloud Access Security Brokers (CASBs).<br />
But, because this in essence imposes<br />
additional network hops between service<br />
providers and consumers, it won't suit all<br />
use cases. F-Secure has addressed this<br />
challenge specifically for CRM provider<br />
Salesforce. Developed initially as an<br />
internal solution to protect its use<br />
of Salesforce, it has been well tested.<br />
F-Secure is a Salesforce ISV partner<br />
and Cloud Protection is an embedded<br />
service, available from the Salesforce<br />
AppExchange. Because it is an embedded<br />
service, its deployment and operation<br />
is Salesforce native, without external<br />
network hops: installation is trivial.<br />
The solution uses multiple AV engines,<br />
Machine Learning and Artificial<br />
Intelligence to scan files and URLs before<br />
they can be opened or followed.<br />
For Salesforce community users, this is<br />
unlikely to be noticeable; that is, unless<br />
an infected payload is intercepted,<br />
in which case they will be prevented<br />
from proceeding, keeping them and<br />
the data safe.<br />
Installing from AppExchange was<br />
uneventful, with licence purchase<br />
complete. Our first stop was the<br />
Protection Dashboard to examine the<br />
default settings for File Protection,<br />
Notification, Exclusions and Advanced<br />
options. As you would imagine, Cloud<br />
Protection is working straightaway, using<br />
its default settings, and one strategy is<br />
to run this way, adjusting as required,<br />
based on results.<br />
To test and experience the solution in<br />
action, we sent an infected attachment<br />
from a bona fide account. On reception,<br />
we could see the attachment from our<br />
Salesforce account and clicked on it,<br />
whereupon we received a standard message<br />
(it can be tailored), announcing that<br />
harmful content had been blocked.<br />
This file would have been identified<br />
by its signature as a known risk, but, if<br />
required, files with no known reputation<br />
are sent for Advanced Scanning by<br />
F-Secure. This is, in turn, used to<br />
community benefit, with the delivery<br />
of a new signature into the ecosystem.<br />
This may increase turnaround time, but<br />
it's unlikely that the user will notice.<br />
With the user alerted, a member of the<br />
Security team can now consult the logs<br />
and analytics to establish more. Based<br />
on our test, we could see the attempt<br />
to open the file and that it was blocked.<br />
We could consult known data about<br />
the payload, and as it was quarantined<br />
(a default), we could manually delete it,<br />
which could also be automated. A similar<br />
test using a known bad URL produced<br />
a comparable outcome.<br />
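The scanning flow the review describes (signature lookup first, deeper inspection for files with no reputation, quarantine, and the resulting signature fed back so every tenant benefits) can be sketched in code. This is an added example, not F-Secure's implementation: the hash sets, the magic-byte table, the blocklisted host and the heuristics are constructed assumptions, and the "advanced scan" here is a pair of simple content checks standing in for a real analysis engine.<br />

```python
"""Signature-first, heuristics-second scanning for files and URLs shared in a
collaboration platform. Added illustration, not F-Secure's code; all reputation
data below is constructed for the example."""
import hashlib
import io
import zipfile
from urllib.parse import urlsplit

# Constructed reputation store (hypothetical). Mutable on purpose: a detection
# made by the advanced scan is added to "bad" so later lookups hit the signature.
SIGNATURES = {
    "bad": {hashlib.sha256(b"constructed known-bad sample").hexdigest()},
    "good": {hashlib.sha256(b"constructed known-good sample").hexdigest()},
}
KNOWN_BAD_HOSTS = {"bad.example"}          # constructed blocklist entry

# Leading bytes a file should carry for its declared extension.
MAGIC = {"pdf": b"%PDF", "png": b"\x89PNG", "zip": b"PK\x03\x04", "docx": b"PK\x03\x04"}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def advanced_scan(name, data):
    """Content heuristics for files with no reputation. Returns a reason string or None."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        return "content does not match declared type"
    if data.startswith(b"MZ") and ext not in ("exe", "dll"):
        return "executable disguised as " + (ext or "unknown type")
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(n.endswith("vbaProject.bin") for n in zf.namelist()):
                    return "office document carries a VBA macro project"
        except zipfile.BadZipFile:
            return "malformed archive"
    return None


def scan_file(name, data, signatures=SIGNATURES):
    """Return (verdict, reason). Unknown files go to advanced_scan; hits become signatures."""
    digest = sha256(data)
    if digest in signatures["bad"]:
        return "quarantine", "known-bad signature"
    if digest in signatures["good"]:
        return "allow", "known-good reputation"
    reason = advanced_scan(name, data)
    if reason:
        signatures["bad"].add(digest)      # the community-benefit step from the review
        return "quarantine", reason
    return "allow", "advanced scan found nothing"


def scan_url(url, bad_hosts=KNOWN_BAD_HOSTS):
    """Block a link whose host, or any parent domain of it, is on the blocklist."""
    host = (urlsplit(url).hostname or "").lower()
    for bad in bad_hosts:
        if host == bad or host.endswith("." + bad):
            return "block", "host on blocklist"
    return "allow", "no known reputation"


def make_macro_docx():
    """Constructed minimal zip container standing in for a macro-enabled Office file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_file("invoice.pdf", b"MZ\x90\x00junk"))
    print(scan_file("report.docx", make_macro_docx()))
    print(scan_url("https://login.bad.example/reset"))
```

The second scan of the same macro document returns "known-bad signature" rather than re-running the heuristics, which is the turnaround-time trade-off the review mentions: only the first encounter pays for the deeper analysis.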
User interaction with Cloud Protection<br />
is minimal and, in fact, once set up to<br />
suit organisational requirements, it seems<br />
low on admin overhead. As you would<br />
expect, alerts can be set so that user<br />
support can be quick and insightful, and<br />
reports can be produced both manually<br />
and automatically. Because the solution<br />
saves data into Salesforce as custom<br />
objects, Salesforce reporting tools can<br />
be used, which are by design more<br />
extensive.<br />
When combined with the appropriate<br />
point solutions, real-time anomaly<br />
detection and advanced cloud service<br />
protection such as this, the attack<br />
surface is reduced, risk contained and<br />
the community of users can be left to<br />
carry out its work with confidence.<br />
Product: Cloud Protection for Salesforce<br />
Supplier: F-Secure<br />
Web site: www.f-secure.com<br />
Email: cloudprotection@f-secure.com<br />
Telephone: +44 845 890 3300<br />
Price: From £2.35 per user, per month<br />
product review<br />
FLOWMON ANOMALY DETECTION SYSTEM<br />
Traditional security tools, often<br />
signature based, can be very effective<br />
in defending against specific threats,<br />
but many focus exclusively on North/South<br />
network traffic. Thoughtfully deployed, they<br />
can reduce, even eradicate, a threat vector<br />
and reduce the attack surface. However<br />
small, the residual attack surface - in<br />
particular the zero-day element - remains<br />
a significant risk, and successful attackers<br />
will use it, relying on East/West movement.<br />
With time on their side, they will exfiltrate<br />
data in small, slow, undetectable stages.<br />
NetOps has long used monitoring<br />
tools to examine network traffic, while, in<br />
another silo far away, SecOps rely upon<br />
specialist security tools. But network data<br />
has been a problem for SecOps, as there is<br />
so much of it, despite the fact that every<br />
compromise is guaranteed to be detectable<br />
from analysing network flow - if you can<br />
only find the offending needle in that giant<br />
haystack. This challenge has been ratcheted<br />
up as networks become hybridised, on- and<br />
off-premise, and at the network edge.<br />
Flowmon Anomaly Detection System (ADS)<br />
tackles this head on. With strategically sited<br />
network probes collecting data and the<br />
Flowmon Monitoring Centre analysing it,<br />
ADS uses a range of techniques, including<br />
signatures, AI and ML, to identify and rank<br />
information of interest. The most effective<br />
and scalable way of monitoring traffic relies<br />
on NetFlow (layer 3), but Flowmon uses<br />
enhanced NetFlow in the shape of IPFIX<br />
(NetFlow v10), with visibility up to layer 7.<br />
IPFIX is central to this solution's scalability<br />
and avoids the problems associated with<br />
Packet Analysis and SNMP. Flowmon is<br />
confident that, when using a TAP/SPAN<br />
connection, 100 per cent of flows will<br />
be captured on a 100GbE network.<br />
Access to ADS functionality is browser<br />
based, and a configuration wizard gets it<br />
up and running in about 30 minutes.<br />
Clearly, it takes time for flows to be<br />
gathered and analysed, but we could<br />
soon see events over time with a ranking<br />
of severity (critical, high, medium, low),<br />
which helps analysts to prioritise their<br />
valuable time.<br />
The dashboard can be customised<br />
using standard (eg, top ten events) and<br />
customised widgets to create a view<br />
to suit a role and its objectives. A<br />
combination of tabs displaying graphical<br />
and tabular data, filters and drill down<br />
allow rapid navigation to important flow<br />
data, meaning that event visualisation<br />
and evidence are never far away.<br />
Some organisations will worry about<br />
encrypted traffic, and Flowmon suggests<br />
this can be as high as 85%. Because<br />
ADS is observing network behaviour,<br />
an unusual event relating to encrypted<br />
traffic can be alerted without examining<br />
the content: exfiltration is exfiltration.<br />
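To make concrete what behavioural flow analysis can find without inspecting payloads, here is an added example (not Flowmon's code): it runs two detectors over constructed flow records of the kind an IPFIX collector exports, flagging an internal host that trickles small, regular transfers to one external address over hours, and an internal host that touches many internal peers on one port within minutes. Only source, destination, port, byte count and timing are used, so the logic is indifferent to whether the traffic is encrypted. The address ranges, thresholds and record layout are assumptions.<br />

```python
"""Two behavioural detectors over flow records (added illustration, not Flowmon's code).

A flow record here is a dict with ts, src, dst, dport and bytes: the metadata an
IPFIX/NetFlow exporter produces. No payload is needed, so TLS changes nothing.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def build_sample_flows():
    """Constructed records: ordinary browsing, a slow trickle out, and an internal sweep."""
    base = datetime(2020, 3, 20, 9, 0)
    rows = [
        # Ordinary browsing: two large, short-lived downloads from one external site.
        (base, "10.0.5.8", "198.51.100.3", 443, 2_400_000),
        (base + timedelta(minutes=5), "10.0.5.8", "198.51.100.3", 443, 900_000),
    ]
    # Slow exfiltration pattern: eight 20 KB transfers, one every 15 minutes, same peer.
    for i in range(8):
        rows.append((base + timedelta(minutes=15 * i), "10.0.5.7", "203.0.113.9", 443, 20_000))
    # East/West sweep: one host contacting twelve internal peers on TCP/445 in three minutes.
    for i in range(12):
        rows.append((base + timedelta(seconds=15 * i), "10.0.7.2", f"10.0.1.{i + 1}", 445, 1_200))
    return [dict(ts=ts, src=s, dst=d, dport=p, bytes=b) for ts, s, d, p, b in rows]


def detect_slow_exfil(flows, min_flows=6, min_span=timedelta(hours=1), max_flow_bytes=50_000):
    """(src, dst, flow_count, total_bytes) for internal->external pairs that are
    many small flows spread over a long period: low and slow by design."""
    pairs = defaultdict(list)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            pairs[(f["src"], f["dst"])].append(f)
    findings = []
    for (src, dst), fl in pairs.items():
        fl.sort(key=lambda f: f["ts"])
        span = fl[-1]["ts"] - fl[0]["ts"]
        small = max(f["bytes"] for f in fl) <= max_flow_bytes
        if len(fl) >= min_flows and span >= min_span and small:
            findings.append((src, dst, len(fl), sum(f["bytes"] for f in fl)))
    return findings


def detect_lateral_scan(flows, min_peers=10, window=timedelta(minutes=5)):
    """(src, distinct_peers) for internal hosts reaching many internal peers inside one window."""
    by_src = defaultdict(list)
    for f in flows:
        if is_internal(f["src"]) and is_internal(f["dst"]):
            by_src[f["src"]].append(f)
    findings = []
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f["ts"])
        for i, first in enumerate(fl):
            peers = {f["dst"] for f in fl[i:] if f["ts"] - first["ts"] <= window}
            if len(peers) >= min_peers:
                findings.append((src, len(peers)))
                break
    return findings


if __name__ == "__main__":
    sample = build_sample_flows()
    print("slow exfil:", detect_slow_exfil(sample))
    print("lateral sweep:", detect_lateral_scan(sample))
```

The large downloads from 10.0.5.8 are not flagged even though they move far more data than the trickle from 10.0.5.7: the detector keys on regularity and duration, which is exactly the needle a byte-volume threshold misses.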
Use of the Flowmon suite and ADS<br />
specifically can be tailored to suit team<br />
structure, network and security focus, and<br />
operational objectives to enable more<br />
relevant alerting to traffic of interest.<br />
NetOps and SecOps can carry out<br />
their work from a consolidated tool<br />
and common data: it might just break<br />
down another unhelpful silo.<br />
Flowmon does not claim to replace<br />
traditional security measures, such as<br />
NAC, Firewall or SIEM. In fact, for those<br />
with a SIEM investment, the open API<br />
can help it to work more efficiently, as<br />
Flowmon can pass it processed data to<br />
work on. It is in this way that ADS is able<br />
to focus on narrowing and restricting the<br />
attack surface and, critically, to reduce<br />
threat actor dwell time in the network.<br />
The contemporary, constantly changing,<br />
mission-critical network cannot exist<br />
without effective network monitoring<br />
and security that offers 100% visibility of<br />
every connection, at any time, along with<br />
continual benchmarking.<br />
ADS enables organisations to regain<br />
real-time control of their networks and<br />
identify information of interest, using<br />
behavioural patterns, while they travel<br />
through the constant and challenging<br />
process of digital transformation.<br />
Product: Flowmon ADS<br />
Supplier: Flowmon<br />
Web site: www.flowmon.com<br />
Email: sales@flowmon.com<br />
Telephone: 0203 858 6868<br />
Price: Starting from £10k<br />
expert insights<br />
ESSENTIAL BUILDING BLOCKS<br />
FROM NETWORK ACCESS CONTROL (NAC) TO NETWORK SEGMENTATION, ADDRESSING THE NEED FOR<br />
A MORE SECURE NETWORK ARCHITECTURE IS VITAL, STATES MYLES BRAY, VP EMEA AT FORESCOUT<br />
Myles Bray, Forescout.<br />
Over the last 20 years, Network<br />
Access Control (NAC) has<br />
become a fundamental<br />
component for enterprises looking to<br />
ensure a resilient cyber strategy. The<br />
technique, which applies policy-based<br />
rules to grant or deny devices access<br />
to a network, allows for a general and<br />
somewhat basic level of network<br />
security: in simple terms, it's basically<br />
a 'you're in or you're out' approach.<br />
Recently, however, the volume and<br />
diversity of internet of things (IoT) and<br />
operational technology (OT) devices has<br />
increased so much that NAC now must<br />
provide a deeper level of insight into<br />
the posture of each device to correctly<br />
provide or deny access at varying levels.<br />
As diversification of devices continues,<br />
full visibility, classification and enforcing<br />
policies become more difficult.<br />
In brief, this increased diversity<br />
of emerging technologies, such as IoT and<br />
OT devices, has exposed the limitations<br />
of the previous NAC models. Therefore,<br />
a threshold for innovation has been<br />
reached and many devices are now<br />
connected to networks ill-equipped<br />
to deal with the related risks.<br />
SEGMENTATION IS THE NECESSARY<br />
BARRIER TO CONNECTION<br />
For organisations with flat networks,<br />
the ease at which intruders can pivot<br />
laterally results in greater disruption<br />
of, and damage to, both property and<br />
reputation. For example, the WannaCry<br />
ransomware attack hit shipping<br />
company Maersk, resulting in it halting<br />
its entire operations to ensure the<br />
network was clear of the ransomware.<br />
This caused critical disruption across the<br />
business and could have been averted,<br />
had its network architecture limited<br />
mobility, once access was gained.<br />
Flat networks are unable to provide the<br />
same level of granularity that segmented<br />
networks achieve. When IoT and OT<br />
devices gain access to a flat network,<br />
they have the freedom to move laterally,<br />
if not properly segmented, limiting<br />
full visibility and creating blind spots<br />
that can later be exposed. Network<br />
segmentation, however, can be<br />
dynamic. For example, by providing<br />
a Zero Trust approach across all<br />
environments and to all devices, with<br />
different policies for the computer at<br />
the front desk and the CEO's laptop,<br />
the risk that is posed by attacks is<br />
automatically limited.<br />
CISOs are having a difficult time in<br />
providing this security. Maintaining<br />
close control of their networks and<br />
device ecosystem continues to become<br />
more difficult as IoT and OT devices<br />
increase. In order to achieve effective<br />
security, the full context of connected<br />
devices must be available to regain both<br />
visibility and control. From the data<br />
centre to cloud and OT environments,<br />
devices can be given appropriate access,<br />
rather than access to the entire network.<br />
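As an added illustration of the 'in or out' NAC model extended with posture and segmentation (not Forescout's code, and not how eyeSegment is implemented): device attributes are evaluated against ordered admission rules that place a device in a segment, and a deny-by-default reachability table then decides whether a connection from that segment to another may proceed, so the front-desk PC and the CEO's laptop get different policies without anyone configuring them per device. The attributes, segment names and reachability entries are constructed for the example.<br />

```python
"""Posture-based admission plus deny-by-default segmentation.

Added illustration, not Forescout's code. Device attributes, segment names
and the reachability table are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    mac: str
    kind: str          # "workstation", "printer", "plc", "camera", ...
    owner: str         # "exec", "staff", "shared" or "none"
    managed: bool      # enrolled in the organisation's endpoint management
    patched: bool      # no outstanding critical patches
    av_running: bool


def _healthy(d):
    return d.kind == "workstation" and d.managed and d.patched and d.av_running


# Admission rules, first match wins; anything unmatched is quarantined.
RULES = [
    ("exec-healthy", lambda d: _healthy(d) and d.owner == "exec", "exec-vlan"),
    ("staff-healthy", _healthy, "staff-vlan"),
    ("needs-remediation", lambda d: d.kind == "workstation" and d.managed, "remediation-vlan"),
    ("printer", lambda d: d.kind == "printer", "printer-vlan"),
    ("ot-controller", lambda d: d.kind == "plc", "ot-vlan"),
]
DEFAULT_SEGMENT = "quarantine-vlan"

# (source segment, destination segment, destination port) that may be opened.
# Zero-trust default: absent from this table means denied.
REACHABILITY = {
    ("staff-vlan", "printer-vlan", 9100),
    ("exec-vlan", "printer-vlan", 9100),
    ("staff-vlan", "server-vlan", 443),
    ("exec-vlan", "server-vlan", 443),
    ("remediation-vlan", "server-vlan", 443),   # assumed: the patch service lives here
    ("ot-vlan", "ot-vlan", 502),                # Modbus never leaves the OT segment
}


def assign_segment(device):
    """Return (segment, rule_name) for the first matching admission rule."""
    for name, predicate, segment in RULES:
        if predicate(device):
            return segment, name
    return DEFAULT_SEGMENT, "default-deny"


def connection_allowed(src_segment, dst_segment, dport):
    return (src_segment, dst_segment, dport) in REACHABILITY


def authorise(device, dst_segment, dport):
    """Admission (posture) and segmentation (reachability) for one connection attempt."""
    segment, rule = assign_segment(device)
    return {"segment": segment, "rule": rule,
            "allowed": connection_allowed(segment, dst_segment, dport)}


if __name__ == "__main__":
    ceo = Device("02:00:00:00:00:01", "workstation", "exec", True, True, True)
    desk = Device("02:00:00:00:00:02", "workstation", "shared", True, True, True)
    print(authorise(ceo, "server-vlan", 443))
    print(authorise(desk, "exec-vlan", 445))
```

The point of keeping admission and reachability separate is that a device whose posture degrades (a patch lapses, the agent stops) is re-evaluated into the remediation segment on its next admission, and the reachability table already says what that segment may touch; no per-device firewall change is needed.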
The eyeSegment product, Forescout's<br />
answer to the enterprise-wide network<br />
segmentation riddle, enables exactly<br />
these measures. By bringing siloed<br />
segmentation policies, enforced by<br />
fragmented technologies, under a unified<br />
policy approach, and enabling a Zero-<br />
Trust approach, granular security<br />
controls can be achieved.<br />
Attempting to implement new security<br />
controls across the extended enterprise<br />
is no easy task. Grappling with the<br />
growing number of attack vectors, while<br />
meeting more and more compliance<br />
directives, CISOs have their hands<br />
full. The advancements in network<br />
segmentation have been designed to<br />
allow businesses to automate threat<br />
detection and isolation without<br />
impacting operations. Through limiting<br />
risks, maximising control and assuring<br />
controls are effectively implemented<br />
across a network, enterprises can more<br />
effectively prepare and manage the<br />
inevitable next wave of cyber threats.<br />
ADISA: GLOBAL LEADERS IN MANAGING RISK DURING ASSET RETIREMENT<br />
ADISA CERTIFIED ENTERPRISE | ASSET RECOVERY CERTIFICATION | ADISA PRODUCT ASSURANCE<br />
WWW.ADISA.GLOBAL<br />
WWW.ADISARC.COM<br />
INTRODUCING THE ADISA CERTIFIED ENTERPRISE (ACE)<br />
Listed on the NCSC's guidance for secure disposal, ADISA operates the leading<br />
certification scheme for product and services for the IT Asset Disposal Industry and we<br />
are now delighted to launch our Certified Enterprise scheme.<br />
Our existing schemes provide assurance about the external and technical risk within<br />
asset retirement and with the addition of ACE, we can help organisations manage<br />
the final area of risk which is regarding their own internal performance. This scheme<br />
reviews policies, business operations and performance to ensure that risk is identified<br />
and mitigated before releasing assets. With a GDPR compliance oversight, ACE provides<br />
organisations with assurance that they are managing the risk of data breach during the<br />
asset retirement process in line with regulatory expectations.<br />
To find out more information contact<br />
ACE@adisa.global
Shearwater Group plc is an award-winning organisational resilience group<br />
that provides cyber security, advisory and managed security services to<br />
help assure and secure businesses in a connected global economy<br />
www.shearwatergroup.com