CS Mar-Apr 2020

More documents

Recommendations

Info

expert view CEOS IN THE FIRING LINE WHY YOU CAN'T RELY ON OTHERS TO GET YOUR PUBLIC KEY INFRASTRUCTURE IN ORDER - AND WHAT HAPPENS IF YOU DON'T. ANDREW JENKINSON, GROUP CEO, CYBERSEC INNOVATION PARTNERS, OFFERS HIS INSIGHTS In the past months, no fewer than three US government agencies have put out warnings about the Microsoft Windows 10 vulnerability and still no one seems to be aware how long the vulnerability was there before those alerts were issued. CVE-2020-0601 can exploit and undermine Public Key Infrastructure (PKI) trust. According to Neal Ziring, technical director of the NSA Cybersecurity Directorate, "this kind of vulnerability may shake our belief in the strength of cryptographic authentication mechanisms and make us question if we can really rely on them". The problem that creates such a weakness with Windows 10 is that attackers are able to disguise a malicious executable binary, so that it appears like a Windows system binary; worryingly, it could remain undetected by anti-virus and other perimeter defences. This allows attackers to install it, and potentially achieve command and control. Unequivocally, PKI can never be assumed to be trustworthy. Without constant and continuous monitoring, it will unquestionably cause business continuity issues, and enable infiltration and nefarious activities. Service outages, malware and data breaches are as a result of weaknesses in PKI management and controls, and used as easy access. The Windows 10 situation is serious, due to its magnitude and the ubiquitous use of the software. It has been a shocking start to the new decade for Microsoft, as one global issue is disclosed by the NSA and now hot on its heels is a second, in the form of a critical browser Zero Day issue identified by the CISA. The CISA warning is of a zero-day vulnerability that is being exploited without a fix in Microsoft's Internet Explorer and, although IE represents a small percentage of overall internet use, it can corrupt memory, so that an attacker can gain the same user rights as the owner - ie, take over command and control. And it doesn't stop there. This gives rise to huge opportunities for cyber criminals. 14 computing security Mar/Apr 2020 @CSMagAndAwards www.computingsecurity.co.uk
expert view The past, and a possible future, of cybercrime: 1978 Ralph Merkle develops Public Key Infrastructure 1990s PKI is adopted as global core security for digital communication 2000s various 'agencies' manipulate and 'encourage' back doors to enable spoofing 2000s various agencies develop cyber intelligence and cyber warfare this included Malware such as Flame and Stuxnet 2000s cyber warfare and Malware is obtained by criminal and create a new wave of criminal activity (cyber criminals) 2010s various agencies develop Cloud technology to enable secure access to the mothership 2010s Numerous Tier 1 Tech firms develop cloud technology in conjunction with the agencies and start to roll out to global clientele 2010s Cloud providers see more attacks and vulnerabilities on a larger scale 2010s GDPR is announced and massive fines are levied for cyber and privacy breaches 2010s Ransomware increases in line with the rise of cryptocurrency as it is easy to pay ransom monies without being traced 2020s Quantum computing becomes more widespread with faster and greater computing capability 2020s Quantum computing is used by cyber criminals for greater and faster cyber-attacks and breaches. We can see that technological advancement is quickly followed by, and used by, the new breed of criminal, the cybercriminal, be they State Nation or otherwise. Equally, the very same governments that conceived backdoors and developed malware to attack their enemies are the very same governments that levy massive fines for being breached with a strain of the viruses they created in the first place. One could say the writing is on the wall, unless a massive realignment occurs between all parties at the very top level. It seems completely unreasonable that the creation of backdoors and malware that is blighting all organisations, creating massive global losses, funding and fuelling further criminal activities to the further detriment of the world socially, can then be used to penalise these organisations with massive fines, jeopardising not just their profitability, but their survival. In the past three decades, we have witnessed a situation that has simply got out of control and we are suffering at ground level with the lack of privacy and threat of our personal details being stolen, lost, manipulated or worse. So, what could happen, if you suffer a breach? Let's look at a typical scenario. Your organisation is going really well, business is great, your parent owners recently undertook an IPO on the back of the success of the business, share prices have continued to increase, as have the revenues and profits, everyone is delighted. Then, BANG, your entire systems are bought to their knees from an unknown infiltration that has been going on for months, culminating with a ransomware demand. To make matters worse, numerous partnered banks have also been affected; lawyers will be looking at liability and seeking damages and compensation. Your company has fallen, and from a pretty great height, in the space of weeks. There's clearly been a disconnect between the cyber team, the risk appetite of the business and you. No one could foresee this happening - or could they? Preparation for such events are typically lax and aren't rehearsed as they should be. The chairman is pacing up and down and looking for answers to the potential loss of Andrew Jenkinson, Cybersec: PKI can never be assumed to be trustworthy. several hundred million, massive brand and reputation damage and litigation, and all because of being ill-informed, poor decisions, incorrect risk profile and inadequate cyber posture. Heads will, of course, roll. As the CEO, there's no chance of you avoiding being in the firing line. This has happened under your watch and your control; and no matter what your trusted advisers and security provided you with, you are ultimately responsible. Tough it may be, but that's reality. If this seems hard hitting and resonates with you, it's meant to. This is happening all around us and in far too many organisations. Protecting the business, the staff and shareholders is your responsibility as a CEO. Being ignorant of the facts and relying on experts, who may not be as expert as you think, is no excuse. CEOs need to ask better questions about the security of their businesses. And they need to do it now. www.computingsecurity.co.uk @CSMagAndAwards Mar/Apr 2020 computing security 15
Page 1: Computing Security Secure systems,
Page 4 and 5: Secure systems, secure data, secure
Page 6 and 7: editor's focus RICH VEIN OF POSSIBI
Page 8 and 9: expert insights WHY CYBERSECURITY P
Page 10 and 11: 2020 predictions MORE 20/20 VISIONS
Page 12 and 13: 2020 predictions Mike Riemer, Pulse
Page 16 and 17: data management THE PLOT THICKENS W
Page 18 and 19: data management All of this potenti
Page 20 and 21: cybersecurity and ISPs WORLD-WIDE M
Page 22 and 23: fraud & cybercrime CYBERCRIME FIGUR
Page 24 and 25: Coronavirus scam SPOOF ATTACK UNLEA
Page 26 and 27: GDPR BREACHED - AND TOTALLY UNAWARE
Page 28 and 29: encryption systems THE QUANTUM CRYP
Page 30 and 31: expert insights THE INTELLIGENT APP
Page 32 and 33: product review CLOUD PROTECTION FOR
Page 34 and 35: expert insights ESSENTIAL BUILDING
Page 36: Shearwater Group plc is an award-wi

CS Mar-Apr 2020

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?