Q4 /// 2016 /// VOLUME 13 /// ISSUE 4
STRATEGY /// INSIGHT /// TECHNOLOGY
Securing Smarter Cities: Addressing Privacy and Security Concerns in Connected Cities Around the World
PLUS: RANSOMWARE ECONOMICS /// BUG BOUNTY REGULATION /// INTERNET OF SERVICES
@InfosecurityMag
Contents: October/November/December

COVER FEATURE
8 Securing the Smart City
With the Internet of Things making smart city projects an everyday reality, Stephen Pritchard explores what steps are being taken to tackle the security and privacy issues that so often surround them
30 Redefining Security in the Internet of Services
As companies monetize the Internet of Things, there will be some fallout for privacy and security advocates. Danny Bradbury examines an emerging problem
35 Ransomware Economics: Why the Threat is Here to Stay
Ransomware has been hitting the headlines for the past few years, snaring new victims who face the dilemma on whether to stand strong. Dan Raywood looks at the rising cost of a ransom payment, and how much the size of the target affects the financial demand
38 Making Bugs Bountiful: Should Bug Bounty Hunting be Regulated?
With black hat brokers able to outbid even the likes of Google and Apple for vulnerabilities, Davey Winder explores whether the bug bounty model is fundamentally flawed

FEATURES
18 Should C-Level Bonuses be Linked to Cybersecurity Success?
MPs suggested bonuses should be slashed for CEOs whose firms were hit by cyberattacks. Sooraj Shah asks whether that’s fair
27 The Risk Avengers
What do you get when you combine three talented and experienced cybersecurity professionals? Eleanor Dallaway met The Risk Avengers and found out
44 Skills Gap: How to Attract the Best Staff
As the cybersecurity skills gap continues to plague the industry, it has never been more important for organizations to have a sound understanding of how to attract and retain the best staff. Michael Hill reports
www.infosecurity-magazine.com /// 3
OPINIONS
22 Medical Devices Need a Strong Dose of Cybersecurity
Cybersecurity architect DJ Singh explains why the healthcare industry is victim to more cyber-attacks than any other sector
49 How to Get on the Right Side of the EU Data Regulations
Richard Whomes outlines how organizations handling cross-border data can make sure they stay on top of the regulations

REGULARS
7 EDITORIAL
Back in the editor’s chair, Eleanor Dallaway examines the gender gap in the cybersecurity industry
43 SLACK SPACE
A round-up of tech’s most interesting, funny and bizarre tales
50 PARTING SHOTS
Michael Hill looks at what makes cybersecurity conferences so popular, well-attended and meaningful

INTERVIEW
13 Interview: Jennifer Steffens
Eleanor Dallaway spends an afternoon with the matriarch and CEO of research firm IOActive
INFOSECURITY
EDITOR & PUBLISHER: Eleanor Dallaway, eleanor.dallaway@reedexpo.co.uk, +44 (0)208 9107893
DEPUTY EDITOR: Michael Hill, michael.hill@reedexpo.co.uk, +44 (0)208 4395643
ONLINE UK NEWS EDITOR: Phil Muncaster, philmuncaster@gmail.com
ONLINE US NEWS EDITOR: Tara Seals, sealstara@gmail.com
CONTRIBUTING EDITOR: Dan Raywood, dan.raywood@reedexpo.co.uk
CONTRIBUTING EDITOR: Stephen Pritchard, infosecurity@stephenpritchard.com
PROOFREADER: Clanci Miller, clanci@nexusalliance.biz
ONLINE ADVERTISING: James Ingram, james.ingram@reedexpo.co.uk, +44 (0)20 89107029
MARKETING MANAGER: Rebecca Harper, Rebecca.harper@reedexpo.co.uk, Tel: +44 (0)208 9107861
DIGITAL MARKETING CO-ORDINATOR: Karina Gomez, karina.gomez@reedexpo.co.uk, Tel: +44 (0)20 84395463
PRODUCTION SUPPORT MANAGER: Andy Milsom

ADVISORY EDITORIAL BOARD
John Colley: Managing director, (ISC)2 EMEA
Marco Cremonini: Università degli Studi di Milano
Roger Halbheer: Chief security advisor, Microsoft
Hugh Penri-Williams: Owner, Glaniad 1865 EURL
Raj Samani: CTO, McAfee EMEA, chief innovation officer, Cloud Security Alliance
Howard Schmidt: Former White House Cybersecurity Coordinator
Sarb Sembhi: Past-president, ISACA London, editor of Virtually Informed
W. Hord Tipton: Executive director, (ISC)2
Patricia Titus
ISSN 1754-4548

Copyright
Materials available in Reed Exhibitions Limited’s Infosecurity magazine and websites are protected by copyright law. Copyright ©2016 Reed Exhibitions Limited. All rights reserved. No part of the materials available in Reed Exhibitions Limited’s Infosecurity magazine or websites may be copied, photocopied, reproduced, translated, reduced to any electronic medium or machine-readable form or stored in a retrieval system or transmitted in any form or by any means, in whole or in part, without the prior written consent of Reed Exhibitions Limited. Any reproduction in any form without the permission of Reed Exhibitions Limited is prohibited. Distribution for commercial purposes is prohibited.

Written requests for reprint or other permission should be mailed or faxed to: Permissions Coordinator, Legal Administration, Reed Exhibitions Limited, Gateway House, 28 The Quadrant, Richmond TW9 1DN. Fax: +44 (0)20 8334 0548. Phone: +44 (0)20 8910 7972. Please do not phone or fax the above numbers with any queries other than those relating to copyright. If you have any questions not relating to copyright please telephone: +44 (0)20 8271 2130.

Disclaimer of warranties and limitation of liability
Reed Exhibitions Limited uses reasonable care in publishing materials available in Reed Exhibitions Limited’s Infosecurity magazine and websites. However, Reed Exhibitions Limited does not guarantee their accuracy or completeness. Materials available in Reed Exhibitions Limited’s Infosecurity magazine and websites are provided “as is” with no warranty, express or implied, and all such warranties are hereby disclaimed. The opinions expressed by authors in Reed Exhibitions Limited’s Infosecurity magazine and websites do not necessarily reflect those of the Editor, the Editorial Board or the Publisher. Reed Exhibitions Limited’s Infosecurity magazine websites may contain links to other external sites. Reed Exhibitions Limited is not responsible for and has no control over the content of such sites. Reed Exhibitions Limited assumes no liability for any loss, damage or expense from errors or omissions in the materials or from any use or operation of any materials, products, instructions or ideas contained in the materials available in Reed Exhibitions Limited’s Infosecurity magazine and websites, whether arising in contract, tort or otherwise. Inclusion in Reed Exhibitions Limited’s Infosecurity magazine and websites of advertising materials does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer. Copyright © 2016 Reed Exhibitions Limited. All rights reserved.
EDITORIAL

Run the World (Girls)

After a year spent looking after my very tiny person, it feels weirdly normal, and wonderful, to be back in the editor’s chair bringing you the Q4 issue. Whilst I spent most of my maternity leave in coffee shops and parks, I did manage to engage my brain for long enough to write industry reports on the reformation of the computer science GCSE, and closing the gender gap in cybersecurity. The latter allowed me to spend time with representatives from across the industry; from government departments to recruiters to pen-testers to CISOs, and get to the bottom of why there is such a lack of women, and what can be done about it.

At the Big Bang Careers Fair earlier this year, CREST, in partnership with the government, ran a digital defenders stand to try and encourage schoolchildren to consider careers in cybersecurity. Interestingly – and encouragingly – they welcomed to the stand just as many schoolgirls as schoolboys. That’s the good news. Yet, only 17% of computer science graduates are females, and only 10% of industry professionals are women. So what’s going wrong and why are we, as an industry, not converting those interested schoolgirls into graduates and then industry professionals?

Does it even matter? Many industries have gender imbalance, so is it something we should even be worrying about? The answer is unequivocally yes. There are arguments that a diverse workforce increases productivity; that research shows increased profitability in companies with more women; and recruiters even say that women bring a loyalty and stability to the industry that male counterparts, on the whole, don’t. Whilst these arguments are all valid, it’s actually simpler than that. Cybersecurity is facing a frightening skills gap, with predictions that by 2020 there will be 1.5 million unfilled positions, so to put it simply, we need more people, so we need more women – it just makes sense.

Recruiters are eager to point out that it’s not a case that female applicants to cybersecurity roles aren’t successful, but rather that less than 10% of applicants are women. So what’s putting women off? Some of the women I spoke to suggested, quite candidly, that it’s “all the men,” that the gender imbalance acts as a deterrent. Others point to gender stereotypes, that girls aren’t encouraged enough in STEM at school, or media representation of STEM roles as being predominantly male. I have no doubt that all of the above are contributing to the gender gap, but I think that there is another, perhaps less understood, problem: the industry is putting women off, or more accurately, the perception of the industry is putting women off.

There is a total misconception of what the information security industry is, perhaps a result of the language we use which is often opaque, intimidating, and some argued “full of male connotations.” All of the women I spoke to during this research agreed that while the cybersecurity industry has changed, the perception hasn’t changed with it. We don’t do ourselves any favors in the way we sell – or don’t sell – the industry. The reality is that women working in cybersecurity agree it is an exciting and rewarding industry, and the fact that they also are working in what is traditionally perceived to be a ‘man’s world’ is of no relevance or consequence to them.

One woman who works in the public sector said to me: “The environment is not poisonous to women; it just looks like that sometimes.” This is not only totally criminal, but completely heart-breaking. We have this incredible, fast-paced, well-paid, innovative industry that truly makes the world a safer place, and we’re not selling that. Not only are we missing out on talent due to our own failure to market the industry, but women are missing out on the chance to work in cybersecurity.

Personally, I want to forget about the statistics, and the negatives. We need to stop getting hung up on how few women there are and what the challenges may be. Instead, I’d like to see our industry championing the incredible women that are already in the industry, promoting them as role models, and talking about the success stories. It’s time to start backing ourselves as an industry.

Before I sign off, I’d like to take this opportunity to say thank-you to Dan Raywood and the rest of the Infosecurity team for doing such a great job in my absence. Dan, I’m happy to report, is still part of the team, working on the inaugural Infosecurity Magazine conference, taking place in Boston in December this year (you can find more information on the event on pages 24-27). As part of the Infosecurity Group, home to Infosecurity Europe, we’ve got the expertise to organize an event that can bring the industry together to learn and share experiences. I’m so excited about this new venture, and I hope to see many of you in Boston.

Enjoy the issue and take care.

Eleanor Dallaway, Editor (@EditorInfosec)
COVER FEATURE

Securing the Smart City

With the Internet of Things making smart city projects an everyday reality, Stephen Pritchard explores what steps are being taken to tackle the security and privacy issues that so often surround them

“In a smart city, everyone knows your name.” This is how Gareth Jones, partner at law firm Bond Dickinson, describes the privacy issues around smart city projects. Jones' warning was issued at a recent conference on smart cities organized in London by the Westminster eForum, where he explored how security and privacy are emerging as two hidden challenges of smart city projects. As urban populations grow, public authorities are looking for new ways to deal with congestion, pollution and crime. Applying Internet of Things (IoT) technologies, sensors, and low-power, wide area (LPWA) networks, gives administrators a much more detailed and up-to-date picture of what is happening in the city. “IoT can address problems including parking and traffic, clean water, air pollution and landfill waste,” says Tony Judd, managing director for UKI & Nordics at Verizon. “We'll see a massive flow of information from IoT devices.”
Increasingly, these data flows are at the heart of urban planning, but connecting city systems brings risks. “Cybersecurity is a major challenge,” warns Cesar Cerrudo, board member of the Securing Smart Cities industry group and CTO of IOActive Labs. “Cities around the world are deploying technology without making sure it’s secure. We haven’t seen important attacks yet… but it’s just a matter of time until attackers target cities.” “Smart infrastructure requires cybersecurity,” agrees Dan Byles, vice-president at Living PlanIT and chair of industry group SmartUK. “The idea that older infrastructure is not vulnerable to cyber-attack is a fallacy. Being smarter is fundamentally part of making the infrastructure more secure.”
A Matter of Scale

Smart city technology has to communicate across networks and the public internet, and operate at a massive scale.
“You need to think of how to manage these [networks] at a scale with a hundred or a thousand-times more devices than the average enterprises run,” says Alex Bazin, vice-president and head of Internet of Things at IT vendor Fujitsu. “You could have tens of millions of users and hundreds of millions of devices, and they need to be maintained, managed, and serviced.” As Bazin warns, older hardware might not have been designed with security in mind, and offers no easy way to apply patches or updates. Updates might even need engineers to visit each device to apply a patch using a laptop. “There may not be a connection to a fixed network, and LPWA networks don't have a lot of bandwidth. A traditional patch management approach would be a challenge,” adds Bazin. Connecting together systems that are designed to operate in discrete silos, isolated from public networks, creates further risks.
“When you put systems together, the attack surface is larger,” cautions Aidan Jarvis, cybersecurity expert at PA Consulting. “Smart cities bring together operational technology and use data to make the city more efficient or to make services better, but by bringing it together you have more for the bad guys to misuse or abuse.” API security, and the interfaces between systems, are areas hackers are most likely to exploit, he adds. However, the real risk in smart city projects lies less in the potential to disrupt operational systems, and more in exploiting sensitive and often personal data.
De-anonymizing Data

“Someone could turn traffic lights on or off, but there is not much value in stopping a car in the middle of the road,” says Jarvis. “I could make that point by going onto a bridge and dumping horse manure.” However, cities could store up problems by collecting and holding data, if they combine and analyze data sets that were originally meant to be separate. It could, for example, lead to individuals being identified from data that administrators thought was anonymized. CISOs must be sure they have full correct consent for any information gathered from the public.
“If you can link CCTV with other data sets that identify people as individuals, you are dealing with personal data, and that can be very dangerous territory,” says Bond Dickinson's Jones. “It's important that we map data flows, identify who has touch points with the data, who the controller and processor is, and ensure compliant agreements are in place.” PlanIT's Byles agrees: “Don't collect more data than necessary, and don't aggregate data unnecessarily, that will reduce the attack surface. Most data should be used close to where it’s gathered.” For smart city projects to succeed in improving our quality of life, they have to be ambitious, and often, bold. However, ignoring data security and privacy is not an option. Overcoming technical security challenges is the only way city leaders can ensure the future of urban areas is both efficient, and safe. (This article continues on page 10 with smart city case studies.)
Case Study: Milton Keynes, UK

Milton Keynes is a ‘new town’ some 55 miles to the North West of London. It is home to around 230,000 people as well as the Open University, the UK's largest base for distance learning. Unusual for a British city, Milton Keynes is built on a street grid system. That, combined with the Open University's large academic presence, and its location equidistant from London, Birmingham, Oxford and Cambridge, means it is an ideal test bed for the city's MK:Smart initiative. MK:Smart is very much based around data sharing via the MK Data Hub. One example is Cloud Enabled Mobility (CEM), which brings public transport information together in one smartphone app. Another is the city's use of Data Hub to collect information on electric car usage and to help local people find the best place to site solar panels. MK:Smart board member Geoff Snelson describes the project as a “city scale data hub,” with 700 data sets. Its design allows data to have individual policies and terms and conditions, so some sets are available freely, but others can be used commercially. “The MK:Smart project is designed to enable data aggregation from multiple sources, allowing the development of new applications and service efficiencies to benefit local enterprises and citizens,” explains Snelson. “Our engagement with local citizens has shown they understand the potential benefits of data sharing for themselves and their communities and are prepared to share under certain conditions.” These include ensuring that citizens' data are used only for specific purposes and that citizens also keep some degree of control. “Public confidence in security and privacy is a pre-requisite if we are to realize fully the opportunity of big data,” notes Snelson.

Case Study: San Diego, USA

The city of San Diego is one of the fastest-growing in the US; the San Diego county area reached 3.3 million people earlier this year. For urban San Diegans, this presents a suite of familiar problems: congestion, air quality, demand for water, energy and housing. However, as the city is home to some of the key names in technology – from Qualcomm to the US Navy's Space and Naval Warfare Systems Command – there are also local solutions. Projects underway in San Diego include a $30m upgrade to install smart street lights, and fitting HD cameras to traffic signals, supported by a fiber data network. Cities are increasingly aware of the security issues surrounding these technologies, says David Graham, deputy COO for Neighboring Services at San Diego. “The roadmap for infrastructure depends on having security and interoperability,” he says. San Diego started its journey with a risk assessment of all its smart city projects, and now uses the NIST Cyber Security Framework (CSF) for security controls. “The issue from a cyber-perspective is city networks have a disparate mix of technologies,” says Gary Hayslip, CISO for the City of San Diego. “We have had to understand not only how to implement and install these new smart technologies, but how to update them, and what they look like when you do security scans.” “Many of our concerns with these technologies have been that they are so new that from a risk perspective you are not sure of the impact if they are compromised.” To bolster security, the city hired Hayslip as CISO and built both cyber operations and cyber engineering teams. The city is working on PCI DSS certification and is building a security operations center (SOC). The city also has clear policies for buying smart city technology. “When talking to vendors or partners, I am looking for what regulatory regimes they follow,” Hayslip explains. “We are now asking as part of contracts that we see the results of [vendors'] regulatory assessments. We require all vendors and partners who access city networks or use city data to notify the city CISO if there is a security incident. Failure to do so would result in breach and possible legal ramifications.” Our number one concern is protecting citizens' data, adds Graham. “The public understands we need to provide services, but we have to respect privacy, and preserve public trust.”
Case Study: Bristol, UK

Bristol's history as a trading post and port has made it open to new ideas. Today the city is a technology hub, with HP's largest lab outside the US, one of the UK's leading robotics labs at the University of Western England, and a strong history in communications technologies. This, says Rick Chapman, specialist adviser to Invest Bristol and Bath, is one reason why the city is at the forefront of smart technology. A strong security culture – developed through years of experience in fields such as telecoms and defense – makes Bristol a trusted location for new projects. The ‘Bristol is Open’ project effectively turns the city into a living lab for emerging technologies. The organization describes itself as an “open programmable city,” based around both fiber and a city-wide mesh network. Data privacy is high on the list of the project's priorities and data is anonymized before being shared through the open data portal. Strict privacy and security are essential if commercial partners are to contribute to the project, says Chapman. “If we want to reduce congestion by directing drivers to car parks with empty spaces, we can monitor cars coming down the M32 motorway via cell towers, but that means we are extending our trust to the mobile operators, and they have to make sure all data are anonymized.”

Case Study: Singapore

As a city state, Singapore's smart city security and national security are closely linked. In fact, Singapore calls its work its Smart Nation initiative. “Smart Nation is a whole-of-nation effort to support better living, create more opportunities, and support stronger communities by harnessing technology, networks and data,” says Jacqueline Poh, chief executive, Government Technology Agency (GovTech). The Smart Nation Program Office in the Singapore prime minister's office acts as coordinator. Projects span housing, mobility and transport, and the digital economy, with the new GovTech responsible for building infrastructure and technological capabilities to support Smart Nation initiatives. For security, the Cyber Security Agency of Singapore (CSA) is also closely involved in Smart Nation work. Its role includes guidelines-based architecture and pilot cybersecurity solutions for smart city platforms. “Cybersecurity is a key enabler in our Smart Nation initiatives,” says Ms Poh. “In a world where cyber-attacks are increasing in frequency, scale and sophistication, we need to take data protection seriously. “The government is constantly reviewing its security protocols in response to the changing threat environment. Like most governments, we are constantly being challenged and there is a need to build up our capability in terms of hardware and software. To guide public servants and prospective IT vendors, we are constantly updating our security and usage policies.” In Singapore, data protection by the private sector is managed through the Personal Data Protection Act (PDPA) and for government through internal regulations. “We are constantly reviewing our approaches to data protection as the space is always evolving,” says Ms Poh. “One principle that we have used is that when providing services, we want citizens to ‘opt-in’ as far as possible, such as in the recently launched MyInfo portal. MyInfo is a consent-based platform that allows citizens who choose to use this feature to provide their personal data to the government one-off instead of doing it repeatedly for every electronic transaction. “We are fortunate that in Singapore, citizen trust is high, but we must not take it for granted.”
INTERVIEW

Interview: Jennifer Steffens

Jennifer Steffens, CEO of IOActive, loves sailing. She also loves live music and snowshoeing, but above all, she loves her job. In a suite overlooking Las Vegas Boulevard, Eleanor Dallaway spends an afternoon with the matriarch of the research firm
I know that Steffens loves her job above all because it’s almost impossible to get her talking about anything that she doesn’t ultimately refer back to IOActive. Either she’s the definitive PR machine, or she is genuinely truly enamored with the research firm that she heads up. After spending an afternoon with Jennifer Steffens, I am confident in declaring it the latter. Her PR skills aren’t too shabby either, skirting around questions she doesn’t want to answer with the precision of a politician. Her age, for example, is “young at heart.” It’s all part of her charm. Steffens was hired as senior manager at IOActive in 2008, and within six months was promoted to CEO. “How could I not be daunted by something like that?” she says candidly. “Even at the time, I put IOActive on a pedestal. I always loved the team and what they were accomplishing, so the fact that I got to run it and help make it into something bigger, and that Josh [Joshua Pennell, founder and president, who Steffens describes as a “great visionary, always a part of the heart and soul of the company”] would trust me with such an amazing position, was exciting, but widely daunting.” With the company already healthy and growing thanks to the “blood, sweat and tears” of Pennell, Steffens’ job was to expand on that and help evolve the US company into an international firm, growing the “kind of services – and companies – we worked with.” Steffens spent her first few months on the job mainly observing. “I learnt from an amazing CEO at Sourcefire that you can’t change something you don’t truly understand.” Her move to IOActive also forced a move to Seattle, and a new home in a place that has “great energy, outdoorsy pursuits, and so much water and mountains.” Equally important to Steffens is the great airports, which allow her to travel to IOActive offices around the world easily.
Jedi Mind Tricks

Steffens grew up and went to school in New York, and later, inspired by her dad’s PhD and passion for psychology, studied the social science at college in Virginia. Laughing about how that translated into a career in information security, Steffens grins, “It helps me hack people, and perform Jedi mind tricks.” After college, Steffens started out in sports marketing, with clients like the New York Yankees. “I loved it, but I was still young and curious, and thought that I should bounce around and see what else was out there.” It was this thirst for exploration that landed Steffens her first job in technology. “I loved the technology, but didn’t like the big company aspect.” She hit the bull’s-eye with her next job around the turn of the century. “It was a marketing role in a security start-up [Aurora Enterprise Solutions] and I was hooked from day one. It’s such an exciting space, and I lucked out because in all three of the startups I worked in, I had amazing, super-patient colleagues who would stay late at the office to teach me the technology.” A world away from sports marketing, Steffens describes information security as having “more energy, and changes a whole lot more. Every time you think you know something, another attack vector or threat vector pops up. It’s a lot of fun.” She describes her later tenures at NFR Security and then as director of product management at Sourcefire as “super-exciting,” and considers that by the time she arrived at Sourcefire, she had “made the clique.” Interestingly, Steffens talks with some trepidation about the cliques and elitist aspects of the industry. “It’s not always all-inclusive, but that’s true of almost any industry. There are a number of facets of the industry that are extremely welcoming and interactive, and we need to continue to try and break down any boundaries.”
Pirates for Life

Steffens works hard at IOActive to integrate all of the things she loves about start-up culture into a company that, founded in 1998 and with more than 100 employees, is far from a start-up itself. “In small start-ups, I love the idea of building things and getting to wear a lot of hats. Everybody rolls up their sleeves and helps everyone else, rather than having a defined role, I like that.” So that energy and culture is something that Steffens emulates at IOActive. “Even with consultants and clients around the world, we want everybody to know each other, we’re a people company; I know everyone’s name. We work like a start-up, but with the history and financial backing of a strong company.” Steffens says, without hesitation, that the best part of her job is the people she works with, and literally gushes when she talks about them, a proud matriarch leading “super smart amazing talent in all facets of the organization.” Company culture is so important to Steffens that they’ve even given it a name: Pirate culture. I ask her to expand. “So, in our industry, you’re either a pirate or a ninja, and we’re pirates. Josh [the founder] and I love sailing and the water, so it just works. We wanted something that would tie everybody together; we’re like a big pirate family. Being a pirate means you’re happy and at the top of your game.” As she tells me about how employees take photos with pirate pictures or signs wherever they go, and how they sometimes have eye patches and temporary pirate tattoos in the office, Steffens visibly lights up, clearly proud of her team and the culture she has created. It’s when she talks about her people that she is at her ‘sunniest’, which is apt because her friends and family all call her Sunshine. “Once you’ve been at IOActive, and you’ve been an IOActive pirate, no matter where you go, you’re still an IOActive pirate,” Steffens explains. “Consulting is not always the easiest lifestyle, so it’s very important to us that when it’s time for our employees to do something else, we want to help them find the right spot and keep them as part of the family. We have a high number of what I lovingly call ‘boomerangs’; they leave and come back. Once a pirate, always a pirate.” Pirates are hard to find, especially in Seattle where demand for talent adds a level of challenge to recruitment. “We focus on not competing head-to-head with the competition. We have created a culture and an environment full of brilliant minds where hackers can express their creativity, carry out funded research, and work on some really amazing security challenges.” That is IOActive’s USP, she explains. Ultimately, brilliant minds want to work with brilliant minds, she says, so often the top of the class end up recruiting each other.

Photo caption: Steffens loves Seattle because it allows her to enjoy “outdoorsy pursuits” including sailing and snowshoeing
Make Impact not Money

IOActive arms its pirates with the tools they need to carry out their independent research projects. It also has a technical advisory committee that looks at everything going on in the market, and ensures that the IOActive story maps to that. “One of our jobs is to stay ahead of the trend, and predict what’s going to be exciting. We were researching automotive security three years ago,” Steffens exclaims. “That research and demonstration led to the recall that consequently led to everybody caring about automotive security.” From connected cars to smart cities, IOActive researchers around the world have “proven that all [smart city] technology is broken,” says Steffens. “So please don’t make us hack a city to prove that it’s broken.” Instead, she advocates working with the research community from the start, and rolling things out in the most secure way, because “once it gets rolled out, it’s a whole lot harder to change.”

IOActive’s whole mission is to make the world a safer place. “There’s nothing more important to us than protecting our clients,” insists Steffens. This perhaps explains why its policy on hiring reformed hackers is cautious. “We work with the Global 2000, we’re trusted with all their source code and corporate secrets, so we have to be careful. There is a level of professionalism that we must abide by, and we hold our team responsible for that.” On the flip side, she continues, “we firmly believe that people can be reformed. There are people who have made mistakes, or went into things with a certain level of ignorance, and we believe in second chances and reformation.” We can all read between these lines.

Steffens says her commitment is to make an impact. “We love what we do, but it has to be making a literal impact on the industry, and the world as a whole. That’s how we pick what to focus on, what is actually going to make the world safer. We don’t focus on finances, we focus on the impact that we get to make.”

Oh Yeah, She’s a Woman

“There’s an old boys club in infosec that will be regularly and openly surprised that I am a woman and also the CEO, and they’re not shy to tell me that,” she says rolling her eyes. “Being a woman in the industry definitely poses challenges, and probably opportunities too, right or wrong, it is what it is today.” I’d been cautious of asking Steffens about being a female CEO, because let’s face it, it’s sad that it’s extraordinary or relevant. She was, however, more than happy to discuss the topic. “I’m definitely an advocate for having more women in security, and am a big fan of trying to figure out how to get young women interested in cybersecurity, and making it exciting for them.” Steffens considers herself lucky to have been taught technology by female teachers. “I do see more female executives, speakers and researchers than ever before. I’d rather celebrate that, make role models out of them, and get to a place where it doesn’t seem unusual, rather than harping on trying to change the opinion of an individual who is set in their ways thinking that women aren’t executives.”

Follow the IO Brick Road

So what does the future hold for Steffens? Well, the answer is unsurprisingly the same as the one she gives when I ask her greatest achievement: IOActive. “Ultimately, I don’t see myself leaving IOActive, so my ultimate career goal is to build it in such a way that it’s the same beyond me.
“I have a strong no regrets policy. Right or wrong, everything I have done has made me stronger, and a better leader and industry advocate.” A firm believer in ‘love what you do and you never work a day in your life’, Steffens does concede that every once in a while, work does become work. Rarely, though, and the weekends in London, Croatia and Amsterdam, on top of the sailing trips, more than compensate. “I’ve got so much of the world to see, and I’m so lucky to have a job and lifestyle that affords me that.”

Doing what you love is a mantra that Steffens lives by after a serious car crash she was in when she was 21. “I shattered part of my face, cracked my head, spun my car three and a half times on the highway.” It was a wake-up call that life is short, Steffens says, and you should spend it doing what you are passionate about. “So if I was giving my 21-year-old self some advice, I would convince myself to dive headfirst into anything I cared about earlier. I’d be very Nike about it: Just do it.”

Steffens’ messaging is so on point throughout the whole interview that it runs the risk of sounding disingenuous, yet I believe every word. She may have PR skills that any politician would envy, but she’d still get my vote.
MEET THE INFOSEC WORLD, ALL UNDER ONE ROOF
CONNECT WITH PEERS, PARTNERS AND THOUGHTLEADERS
DISCOVER INTELLIGENT DEFENCE
Everyone and everything you need to know about information security
FIND SOLUTIONS AND PRE-EMPT PROBLEMS
ENHANCE YOUR KNOWLEDGE & EARN CPE/CPD CREDITS
FIND NEW OPPORTUNITIES TO FURTHER YOUR CAREER
Join the region’s premier information security event featuring 360+ of Europe’s most established players & newest cybersecurity talent. Learn from our most comprehensive conference programme yet with over 160 hours of complimentary thought-leader seminars. In 2016 we opened our doors to more than 17,500 professionals all under the beautiful domed roof of Olympia, London. Can you afford not to be there in 2017?

“InfoSecurity Europe is the highlight of the security event calendar, given the scale of the event, the vibrancy and buzz surrounding the show and the attendance of industry leading vendors and the world class speakers.”
Mark Shutt, IT Security and Assurance Manager, Secure Trust Bank

@infosecurity
REGISTER YOUR INTEREST AT
www.infosecurityeurope.com
Should C-Level Bonuses be Linked to Cybersecurity Success?
MPs suggested bonuses should be slashed for CEOs whose firms were hit by cyberattacks. Sooraj Shah asks whether that’s fair
Computer scientist Gerald Weinberg once said that blame flowing upwards in an organization proves that superiors can take responsibility for their orders to their inferiors, while blame flowing downwards, from management to staff, indicates organizational failure. In an ideal organization, there would be no blame culture at all – but the responsibility Weinberg refers to would remain. With cybersecurity, that responsibility comes down to the CEO. A recent survey conducted by insurance provider Lloyd’s found that 55% of British CEOs drive the decisions regarding protection against, and planning for, a data security breach. Matthew Webb, group head of cyber at Lloyd’s syndicate Hiscox, believes this could be almost treble the number of CEOs taking responsibility compared to five years ago.

However, in a bid to increase the awareness and importance of cybersecurity in the boardroom further, MPs of the Culture, Media and Sport Committee have suggested that “a portion of CEO compensation should be linked to effective cybersecurity, in a way to be decided by the board.” The Committee’s recommendations were detailed in a report which was released just after TalkTalk CEO Dido Harding saw her performance pay slashed by more than a third to £220,000 as a result of the catastrophic data breach the company suffered last year. While it makes sense for organizations to take more interest and care over their cybersecurity operations, is it really feasible to link the pay packets of CEOs, or indeed any other employees that deal with IT security, to how well the cybersecurity operation is functioning?
One of the hardest aspects of such a strategy would be determining what a ‘good’ cybersecurity operation looks like. “How to demonstrate this may vary by organization – for some it would be relevant to show ISO 27001 compliance, whereas for others the standard might be simply to meet Cyber Essentials,” says Steven Furnell, professor of IT security at Plymouth University. However, as Andy Boura, senior information security architect at Thomson Reuters suggests, box-ticking exercises may not be deemed enough to ensure that a real security culture has been created within the organization. “The real challenge to implement something like this isn’t the spirit of it, but the practice of it; how on earth would you measure creating an effective security culture?”
Boura adds that as it’s the board’s role to hold the pay of C-level executives to account and to ensure the risk tolerance of the shareholders is represented, it could be feasible to link the pay packets of those individuals to the welfare of the company’s IT security function, but this could lead to a blame culture automatically being instilled into the organization – something which Weinberg strongly opposed. CEOs could try to exonerate themselves from blame by advocating higher security budgets to CISOs and CIOs in order to deal with the issue. “Making a link to the CEO’s pocket is certainly relevant, because it may increase the level of interest in security. Indeed, without the CEO’s buy-in, we could find the CISO being hand-tied due to a lack of wider support and investment, and then facing a personal penalty when the effect of not heeding their advice comes to pass,” says Furnell.

Nonetheless, while throwing money at cybersecurity may increase the pressure on CISOs and CIOs to ensure security breaches don’t occur, it doesn’t mean that a company is automatically safe from being stung by a cyber-attack. “Cybersecurity isn’t something that can be solved purely with money; so linking it to a pay conversation could potentially drive the wrong behavior,” says Harding. He suggests that many of his CIO peers have been given “infinite amounts of money” to spend on cybersecurity, but believes there is only so much money that can be spent before other risks start to become more prominent. One of the risks of a blank cheque policy could be that employees feel overly conscious of every tool they use, thereby inhibiting their productivity.

“If you target the pay of C-level executives on data security, the behavior you will incentivize is an incredibly high level of investment and scrutiny around security,” says Camden Council interim CIO Omid Shiraji. “There has to be a security-usability balance – and although there may be some industries where it makes sense to incentivize that behavior, I think you get yourself into some tricky territory,” Shiraji adds.

You’re Not Alone

It could be argued that the CEO shouldn’t hold all of the responsibility; particularly as organizations should have a dedicated senior IT security professional such as a CISO or CIO. Capital One Europe CIO Rob Harding believes that the CEO and the board need to take a keen interest in security, in addition to the whole management team. “It definitely needs everyone’s input or everyone’s vigilance so I wouldn’t see it as purely a CEO thing,” he states.
Money Can’t Buy Perfect Security There will come a time when every company’s perimeter is breached by a cyber-attack. “The reality is you can invest as much money as you want but you cannot stop a data breach if you’re being targeted,” says Shiraji. Although some may disagree with that statement, there are areas which are outside the control of a CEO, CIO or CISO. “You can make all sorts of investments in perimeter defenses, but then you have an insider threat to worry about. You can certainly invest to mitigate risks in places, but there are other places where your pockets aren’t deep enough to mitigate all threats,” Harding argues. “Linking pay to security is a very blunt instrument; the main thing is investing in getting your board and your CEO up to speed with what the threats are in your business and industry, what you’re doing about them, what you could do more and explaining which risks just cannot be mitigated regardless of spend,” Harding adds.
So it may be unrealistic to hold C-level executives to a target of zero breaches or incidents, but if there are aspects that are the result of negligence, such as a lack of patching, then someone could be held accountable. “A good target would be a combination of being audited as security-compliant (implying that controls are in place and security is actively promoted to staff), and then avoiding preventable breaches,” says Furnell. However, the issue here is that even external auditing organizations work on the basis of trust, and could be misled into thinking a company is secure, even if it isn’t. In which case, a bonus could still be paid if all the company is required to do is be approved as security compliant.

Herein lies the issue: an organization well-equipped in cybersecurity may still be a victim of a cyber-attack, while another firm which is not, may never suffer from a data breach. The CEO of the former may not get paid their bonus, while the latter receives theirs in full. This is why it would be essential to have goals that are attainable for individual firms and personnel. While the process of implementing wide-sweeping contractual changes would raise the profile and appreciation of cybersecurity in organizations, if such changes were to take place, the key would be to ensure scrutiny on security personnel doesn’t go overboard, that expectations are realistic, and most importantly, that there remains accountability with a no-blame culture.

The Legal View

Mark O’Halloran, partner at law firm Coffin Mew, explains that the idea that MPs have conjured up is a performance-related bonus scheme, but unlike most schemes, it refers to negative measurements. “The immediate legal challenge for a company thinking of incorporating this kind of scheme [for all IT security employees] into its pay structure is whether its existing bonus scheme is contractual or discretionary, assuming it has one at all,” he says. The discretionary bonus scheme can usually be more easily varied by the employer than contractual schemes. If the scheme is contractual, it is likely that it can only be varied with the employee’s consent, unless the company undertakes a formal reorganization of its IT department. “While some contracts of employment include ‘flexibility clauses’ allowing the employer to vary some terms simply by giving notice, it is unlikely that kind of clause would allow the employer to make unilateral changes to contractual pay,” says O’Halloran. For C-level executives, the only difference is that it is more likely that the details will be negotiated with the executive directly.

Employees could refuse a variation of a contract if it affected their existing pay entitlement, in which case the employer may consider dismissing them and offering to re-engage on the varied contract. However, this could constitute an unfair dismissal of any employee who has more than two years’ continuous service if the change cannot be justified by reference to an ‘economic, technical or organizational reason’. So what would happen if this kind of contract was in place for all security employees within an organization which was hit by a data breach? Would employees be able to appeal that they weren’t to blame for the breach and therefore receive their bonus pay? “That depends on whether the bonus is tied to individual contributions to cybersecurity or overall performance of the security team, or a mix of both,” says O’Halloran. “Provided the operation of the bonus scheme is nondiscriminatory, and the measurements by which it is paid or not paid are objective, there is no general reason why any particular employee would have an automatic right to appeal a decision not to pay a team-wide bonus,” he adds. The best approach, according to O’Halloran, from a legal and employee-incentive point of view, is to have a mixed bonus: part paid when the individual employee has personally met clear security objectives in their particular role, and part paid on a team-wide basis based on overall results.
Protecting your data throughout its lifecycle: classify content, share securely, manage access, analyse & report, all on a single platform.
For more information: www.egress.com • info@egress.com • @EgressSwitch
© Egress Software Technologies Ltd 2016. 109-1016
OPINION

Medical Devices Need a Strong Dose of Cybersecurity

The healthcare industry is victim to more cybersecurity attacks than any other sector. DJ Singh explains why medical devices need a strong dose of security

Healthcare cybersecurity incidents have included ransomware infections, data breaches, medical device security issues and hefty regulatory fines. Technical innovations in the industry – the increasing adoption of electronic health records combined with an ever-increasing network of medical devices, healthcare apps and wearables – open up even more avenues for cyber-criminals to gain unauthorized access to sensitive data. The biggest danger? The same thing that is being heralded as the future of healthcare innovation: the rapidly expanding ‘Medical Internet of Things’ and the complexity of securing its embedded software.

A recent security alert urged patients and healthcare providers to discontinue the use of a series of infusion pumps due to a flaw that could potentially allow an unauthorized remote user to alter the dose the devices deliver. While such safety-critical issues aren’t uncommon, most healthcare IoT security incidents are malware infections on network-connected medical devices and computers used to access patient data. Many large healthcare entities have a huge and highly diverse inventory of medical devices, some of which are decades-old legacy products not designed to handle modern security systems. The challenges involved with tracking and managing this massive array of devices contribute to the security risks posed by these products and their ancient operating systems. With a primary focus on quality of care and patient safety, healthcare organizations are more focused on ‘checking off compliance boxes’ and may lack the specific expertise to identify security risks.
Unlike IT systems, medical devices are highly diverse and, at times, without a common interoperable tool set, making even basic tasks such as scanning the network for an inventory of devices challenging. Furthermore, a vast majority of older devices have default, hard-coded passwords often used by service technicians – the same credential on every unit, which gives criminals further ease of access. Given the long product development lifecycles involving complex regulatory approvals, medical devices are expected to be used for several years. To remain compliant with regulations, some devices are designed not to be altered in any way – including software updates. This makes it harder for device manufacturers to release security fixes to keep up with newer threats.
Device manufacturers and healthcare providers should consider:
1. Limiting device access to trusted users via authentication
2. Ensuring secure data transfer to and from the device
3. Implementing alerts and logging features for security compromises
4. Maintaining vigilance in responding to security issues
5. Submitting cybersecurity risk assessments for both new products and legacy devices

A Reasonable & Risk-based Approach

Medical device cybersecurity risks must be viewed as a public health and patient safety issue that requires a trusted information-sharing environment. To enable a coordinated response to cybersecurity vulnerabilities, industry bodies – including device manufacturers, healthcare providers and regulators – are working to create an environment that fosters collaboration and communication. This will encourage stakeholders to share actionable information and best practices related to the safety, integrity and security of the medical devices and healthcare IT infrastructure. The healthcare industry also needs to prioritize managing the emerging ‘Medical IoT.’ By carefully considering possible cybersecurity risks while designing medical devices, and having a plan to manage system or software updates, manufacturers can reduce the vulnerability in their medical devices. Protecting devices requires not only addressing technical issues but healthcare delivery and business issues as well.
AUTHOR PROFILE DJ Singh is a security architect focused on secure application development, integration architecture for enterprise security systems, mobile security and embedded system security.
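As an added illustration of items 1 and 3 on the list above, and of the shared hard-coded service password described earlier in the piece, the following Python module is example code written for this page; it is not code from any device vendor or from the author. The device ID, the factory password "1234", the technician passphrase and the login attempts are constructed placeholders, and the lockout threshold and PBKDF2 work factor are illustrative choices. It sets a single factory password baked into every unit beside a per-device credential fixed at commissioning, compared in constant time, with lockout after repeated failure and an audit trail that a monitoring system could raise an alert on.

```python
"""Device service-login check: hard-coded factory password versus a
per-device credential with lockout and audit logging.

Constructed example for this page; not vendor or author code. Device IDs,
passwords and thresholds below are placeholders.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import List, Optional

# --- Weak pattern: one password baked into every unit's firmware ----------
FACTORY_SERVICE_PASSWORD = "1234"   # placeholder; the same string on every device


def weak_service_login(password: str) -> bool:
    """Whoever reads the firmware, or a service manual, gets into every unit."""
    return password == FACTORY_SERVICE_PASSWORD


# --- Hardened pattern: per-device secret, constant-time check, lockout, log -
PBKDF2_ITERATIONS = 100_000   # illustrative work factor
MAX_FAILURES = 5              # illustrative lockout threshold
LOCKOUT_SECONDS = 300         # illustrative lockout duration


@dataclass
class DeviceCredential:
    device_id: str
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0
    audit_log: List[str] = field(default_factory=list)


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a dumped credential store is not directly reusable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def provision(device_id: str, password: str) -> DeviceCredential:
    """Called once at commissioning; every unit gets its own salt and secret."""
    salt = os.urandom(16)
    return DeviceCredential(device_id=device_id, salt=salt, digest=_derive(password, salt))


def service_login(cred: DeviceCredential, password: str, now: Optional[float] = None) -> bool:
    """Check a technician login; records every outcome and locks out after repeated failure."""
    now = time.time() if now is None else now
    if now < cred.locked_until:
        cred.audit_log.append(f"{cred.device_id} login refused: locked out until {cred.locked_until:.0f}")
        return False
    # compare_digest avoids leaking how many bytes matched via timing
    if hmac.compare_digest(_derive(password, cred.salt), cred.digest):
        cred.failures = 0
        cred.audit_log.append(f"{cred.device_id} service login OK")
        return True
    cred.failures += 1
    cred.audit_log.append(f"{cred.device_id} service login FAILED ({cred.failures}/{MAX_FAILURES})")
    if cred.failures >= MAX_FAILURES:
        cred.locked_until = now + LOCKOUT_SECONDS
        cred.failures = 0
        # a monitoring system would raise an alert on this line (list item 3)
        cred.audit_log.append(f"{cred.device_id} ALERT: lockout after {MAX_FAILURES} failures")
    return False
```

The `now` parameter exists so the lockout window can be exercised deterministically; in a device it would be the firmware's clock. On a legacy unit that cannot be re-flashed, the same audit events would have to come from a network gateway in front of the device rather than from the device itself.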
Supporting Business Transformation with Agile Cybersecurity Infosecurity Magazine is proud to announce the inaugural, two-day Boston Conference, curated and brought to you by the Infosecurity Magazine editorial team. Bringing together 100+ information security end-users, analysts, policy-makers, vendors and service providers, the meeting connects the information security community, providing actionable information, practical case studies and strategic and tactical insight. An expert panel of speakers will share effective strategy and practical techniques to strengthen your organization’s security posture. Speakers include: Arlette Hart, CISO, FBI
Jay Leek, CISO, Blackstone
Spencer Mott, Interim Chief Information Officer and CISO, Amgen
David Billeter, CISO, Staples
Richard Rushing, CISO, Motorola
Chris Pierson, EVP, Chief Security Officer & General Counsel, Viewpost
Ken Patterson, CISO, Harvard Pilgrim Healthcare
Register Online Now: www.infosecurity-magazine.com/conferences/boston-agile-cybersecurity/
Benefit from in-depth presentations and panel discussions and gain actionable insight that will enable you to implement agile security strategies to support business transformation whilst enhancing security posture
Day One: Tuesday 6th December 2016

8.00am-8.30am: Registration and breakfast
8.30am-8.40am: Opening remarks from the Chair. Dan Raywood, Contributing Editor, Infosecurity Magazine and Eleanor Dallaway, Editor, Infosecurity Magazine
8.40am-9.20am: Opening Keynote Presentation. Implementing a Dynamic Security Strategy to Support Business Innovation & Digital Transformation. Chris Pierson, EVP, Chief Security Officer & General Counsel, Viewpost
9.20am-9.50am: Deploying Dynamic User Access Controls Across Traditional Networks, Cloud, and Virtualized Environments. Leo Taddeo, Chief Security Officer, Cryptzone
9.50am-10.40am: Panel Discussion. Securing the Internet of Things: What is the Real Risk for Enterprise Cybersecurity? Panelists: Chad Dewey, Computer Science and Information Systems Instructor, Saginaw Valley State University Michigan; Esmond Kane, Deputy CISO, Partners Healthcare; Lassaad Fridhi, Senior Director, Compliance and Information Security, C Space. Moderator: Steve Hoffenberg, Director IoT and Embedded Tech, VDC Research
10.40am-11.10am: Morning coffee break and opportunity to network
11.10am-11.50am: Automotive Industry Case Study. Keeping up with Next-Generation of Cyber Risks: Securing the Connected Car. Jonathan Petit, Senior Director of Research, Security Innovation
11.50am-12.30pm: Presentation. Securing Smart City Technology Adoption: Managing Privacy & Cyber Risk. Suzanne Lightman, Senior Advisor for Information Security, National Institute of Standards and Technology (NIST)
12.30pm-1.45pm: Lunch and opportunity to network
1.45pm-2.25pm: Presentation. Articulating Risk to Senior Management: Enabling Informed Decision-Making. Bobbie Stempfley, Director Cyber Strategy Implementation, MITRE Corporation
2.25pm-3.15pm: Panel Discussion. Securing the User: Winning Hearts & Minds to Drive Cyber Secure Behavior. Panelists: Thomas Skill, Associate Provost & CIO, Department of Communication, University of Dayton; Spencer Mott, Interim Chief Information Officer and CISO, Amgen; Jay Leek, CISO, Blackstone. Moderator: Eleanor Dallaway, Editor & Publisher, Infosecurity Magazine
3.15pm-3.45pm: Afternoon coffee break and opportunity to network
3.45pm-4.25pm: Presentation. Winning the Cybersecurity Talent War – How to Successfully Attract, Recruit and Retain Top Talent. David Billeter, CISO, Staples
4.25pm-5.05pm: Presentation. Effectively Connecting with Your Future Talent: Understanding the Profile of the New Cybersecurity Specialist. Deidre Diamond, Founder and CEO, Cyber Security Network
5.05pm-5.15pm: Closing remarks from the Chair. Dan Raywood, Contributing Editor, Infosecurity Magazine
5.15pm-7.00pm: Networking Drinks Reception. Meet and mingle with your peers in a relaxed and informal setting
Day Two: Wednesday 7th December 2016

8.00am-8.30am: Registration and breakfast
8.30am-8.40am: Opening remarks from the Chair. Dan Raywood, Contributing Editor, Infosecurity Magazine
8.40am-9.20am: Presentation. Managing & Mitigating 3rd Party Cyber Risk: Protecting Your Data Outside the Perimeter. Richard Rushing, CISO, Motorola
9.20am-10.00am: Presentation. BYOD Economics: Balancing Risk & Reward. Ken Patterson, CISO, Harvard Pilgrim Healthcare
10.00am-10.25am: Presentation. Detecting & Containing the Insider Threat. Tony Pepper, CEO, Egress Software
10.25am-10.50am: Case study. Successfully Surviving a Ransomware Attack. Dan Fein, Cyber Tech Specialist and Analyst, Darktrace
10.50am-11.15am: Presentation. Preventing & Responding to a Phishing Attack: Deploying Human & Technology Defences to Counter the Threat. Speaker to be announced
11.15am-11.45am: Morning coffee break and opportunity to network
11.45am-12.25pm: Presentation. How Do You Know You've Been Breached? Detecting an Attack to Minimize Incident Impact. Arlette Hart, CISO, FBI
12.25pm-1.05pm: Panel Discussion. Enterprise-Wide Cyber Incident Response: Proactive Tactics for Rapid Response. Panelists: Spencer Mott, Interim Chief Information Officer and CISO, Amgen; Erika Barber, Privacy Manager, Massachusetts General Hospital; Garrett Schubert, Incident Response and Threat Intelligence Manager, Acquia. Moderator: Rob Lee, Digital Forensics and Incident Response Lead, SANS Institute
1.05pm-1.15pm: Closing remarks from the Chair and close of conference
1.15pm-2.30pm: Lunch and opportunity to network
2.30pm-4.30pm: Workshop. Navigating EU GDPR and the EU-US Privacy Shield to Enhance Security, Achieve Compliance and Enable Multinational Business

In May 2018, the General Data Protection Regulation will become law and enforce strong regulatory standards to protect personal data across Europe. This will not only affect businesses in Europe, but also organizations that work with business in Europe. Another introduction is the EU-U.S. Privacy Shield, replacing the Safe Harbour agreement which was declared invalid in October 2015 by the Court of Justice of the European Union following the leaks by Edward Snowden revealing the NSA’s mass surveillance of European citizens’ data. The purpose of the EU-US Privacy Shield is to safeguard EU citizens’ rights in relation to transatlantic data transfers for commercial purposes between the EU and the US. This in-depth workshop will evaluate the impact of the EU GDPR and EU-US Privacy Shield upon North American companies and will share what you need to know and do in order to achieve compliance. You will leave with practical insight into how to navigate the new standards and ensure that your multinational business is secure and compliant.
• Gain an in-depth understanding of the principles of EU GDPR and Privacy Shield
• Understand how the EU GDPR will impact the EU-US Privacy Shield
• Evaluate the mechanics of implementing an effective Privacy Shield compliance program
• Discover practical strategies to achieve compliance with the EU GDPR
• Understand the impact of EU GDPR and Privacy Shield Compliance on your organization’s security posture
• Understand how compliance will enable your multinational business
Why Attend?
• Hear insight from information security experts: Gain fresh perspectives from a panel of expert speakers on how to improve your organization’s security posture and increase security maturity
• Gain actionable advice during practical case studies: Hear directly from information security professionals who are at the sharp end of information security and find out how they are tackling the latest challenges
• Register to attend the in-depth, separately bookable workshop: Navigating EU GDPR and the EU-US Privacy Shield to Enhance Security, Achieve Compliance and Enable Multinational Business

What Will You Learn?
• Analyse the evolution of the IoT and connected devices and what this means for cybersecurity
• Discover how to manage and mitigate complex risks, threats and vectors including ransomware, phishing and the insider threat
• Find out how to develop an enterprise-wide incident detection and response strategy to contain, manage and recover from internal and external attacks
• Understand how to build information security strategy to support enterprise innovation and transformation
• Gain insight into how to cultivate, attract and retain the best talent
• Identify appropriate risk metrics and KPIs to communicate information security performance and demonstrate ROI

Network & Engage
• Meet and network with your peers: Take advantage of a range of networking opportunities to make new business connections and strengthen existing relationships with your peers, suppliers and customers
• Be part of the conversation: Take part in Q&A sessions and informal discussions and pose questions directly to the experts to gain up-to-the minute information on how to advance your information security strategy

Find Solutions
• Access new solutions to information security challenges: Meet vendors and service providers and learn about new tools and technologies that can help you solve information security challenges

Venue
OMNI PARKER HOUSE, 60 School Street, Boston, Massachusetts 02108, (617) 227-8600
The Risk Avengers

What do you get when you combine three talented and experienced cybersecurity professionals? Eleanor Dallaway met The Risk Avengers and found out

Every now and then in this job I meet a person or a company and am instantly struck by what it is they're selling; be it an opinion, a product, a movement, or themselves. That's exactly what happened when I rocked up in Waterloo to meet The Risk Avengers; I stumbled upon some magic. Perhaps that sentence evokes an image of me in some cobbled back-lit alley coming face to face with a gang of heroes clad in colorful capes, brought together by a mission to make the world a safer place? Well that's not far from the truth, although forgive me for the poetic license. There were no capes, and the back-lit alley was actually a theatre bar, but the part about the mission is absolutely true.

The Risk Avengers is a collaboration of three independent information security consultants who have joined forces, pooling their knowledge and experience in the fraud prevention, physical security, cybersecurity, social engineering and penetration testing arenas. Let me introduce you to The Risk Avengers: Dr Jessica Barker, Sharon Conheady, and Toni Sless. Oh yeah, I forgot to mention, they’re all women. “We’ve not joined together because we’re women, but it’s a nice coincidence,” said Barker, who adds that future expansion of The Risk Avengers would not exclude men. “We don’t want the fact that we’re women to be our selling point, but we’re happy and we’re proud to be working together on this,” added Sless.

What struck me about the Avengers is their chemistry. “We wanted to work with like-minded people that we could trust, and where our areas of specialties go hand in hand,” said Barker. The objective is to give the client maximum value, and the alliance created with The Risk Avengers means they can offer three times the knowledge, experience and brain-power. I was so impressed by The Risk Avengers and what they have to offer that I asked them to write a regular blog on www.infosecurity-magazine.com. Each of the Avengers will contribute articles, and the first is now live, so do check that out and follow their Infosecurity blog series. You don’t need a cape to make the world safer, but a name like The Risk Avengers helps.

Toni Sless
With a background in the public and private sectors in fraud prevention, operational risk, incident management and physical security, Toni Sless specializes in insider threat, identity crime, fraud prevention and security training.

Dr Jessica Barker
With a background in sociology and civic design, Dr Jessica Barker specializes in the human side of cybersecurity. An independent consultant, Jessica is engaged by FTSE100 companies, health, defence and government organizations and SMEs across the financial and retail sectors to advise on how they can keep their information safe while getting the most out of it.

Sharon Conheady
Sharon Conheady is the director of First Defence Information Security where she specializes in social engineering, security awareness and penetration testing. She has a background in professional services and has delivered security testing and training both locally and internationally.
Redefining Security in the Internet of Services
As companies monetize the Internet of Things, there will be some fallout for privacy and security advocates. Danny Bradbury examines an emerging problem
It’s about how you can tie things together and put value-added services on top of that Vince Warrington
Devices ranging from smartphones to home automation systems, smart lights, fitness wearables and embedded vehicle sensors have created an incredible platform that we know as the Internet of Things (IoT), but this vast constellation of connected devices is only the first step in a longer journey. The next step involves creating services that run on top of it. This new layer – which we can call the Internet of Services (IoS) – brings its own security challenges. “Why would you have an internet-connected bed?” quips Vince Warrington, director of UK cybersecurity consulting firm Protective Intelligence, adding that the IoS can provide use cases for connecting many things. “It’s about how you can tie things together and put value-added services on top of that.” The internet-connected bed might monitor movement, while smart lights might report when they have been turned on and off. An online service could analyze that data and
alert relatives of the elderly when their sleeping and other patterns change, he says. Or connected cars could talk to parking meters and automatically book the closest parking spot as they near their destination. Smartphones, which are also part of the IoT, already use embedded location data to book cars via Uber, for example, making it another example of such a service.
Rethinking Our Computing Model
Andy Mulholland, vice-president at technology advisory firm Constellation Research and former CTO at Capgemini Group, says that the IoS can use data from various IoT devices to fulfil our needs in often opaque ways. “Instead of having things based on fixed process with transacted outcomes, we have things based on interacted intentions or possibilities, and from that we get the insightful outcome,” he says. What does that look like in practice? It moves us away from the world of simple two-way
transactions (say a simple e-commerce purchase), in which a computer and operator collaborate to achieve a predictable result. Instead, these transactions are more holistic and complex. Take that IoS unicorn Uber, which is threatening traditional taxi firms all over the western world. Taxis represent the pre-IoS model, where customers request a car via a phone or website, and the dispatcher just sends them the closest one. It is a simplistic transaction following a well-defined process with perhaps two fixed data points – the customer and the taxi driver. Uber works the other way around, using an array of data points – including location and other data from that ultimate IoT-connected device, the smartphone, along with reputation or performance data from rider and driver – that are filtered through a complex algorithm to achieve a hazy result. “It’s where are you, what do you want, where’s the taxi that matches best for that, and then around it other circumstances, like what’s the weather, and what’s the demand for taxis?” says Mulholland. “Is there some kind of event on? It all calculates an outcome that wasn’t predicted or foreseen.” This mystical mechanism may quietly solve the user’s problems, or end up charging them hundreds of dollars for a cab ride. It’s difficult
The power will be with anyone who is able to seamlessly link up all these networks and their data Rob van Kranenburg
to tell, because contrary to a straightforward e-commerce transaction with a predictable result, the murky, proprietary algorithm is the master, and the complex array of IoT data feeds is its servant. One effect of all these additional data points and algorithmic gymnastics is that the entire process becomes far more complex, making it more difficult to manage. “The way the data models work – which is fundamentally what people hack – is also very different,” says Mulholland. The data models themselves in this new IoS world are entirely different to the old one,
Uber uses an array of data points – including location, reputation or performance data from rider and driver – that are filtered through a complex algorithm
eschewing traditional relational databases with their long-established tables and indexes for graph databases and other NoSQL data storage structures designed to store vast amounts of data from different sources and document the relationships between them. “The data is created by the context of the event,” Mulholland says. To feed these data structures, IoT devices – including phones – are constantly triggered with contextual information relating to them. This ranges from your location to your movements in the home. All of this creates a footprint of that person’s movements, what he calls a “digital exhaust”.
A Poison Exhaust
This exhaust could poison user privacy. Sudha Jamthe is the author of the book IoT Disruptions and also teaches IoT business models for Stanford’s continuing studies program. She warns that the data generated about individuals from their daily interactions with the IoS can be damaging to privacy because no-one is focusing on how it is used. When her smart thermostat vendor wanted to work with her smart lock vendor to determine when individual people entered and left the house, it crossed a line for her. “They’re saying they won’t use that data for anything else, and just want to know when I go in and out of the house so that they can change the temperature setting, but that isn’t information that I want to share with anybody.” The IoT networks and the services atop of them are still highly fragmented, says Rob van Kranenburg, chair of the IoT Hyper-connected Society at The European Research Cluster on the Internet of Things. This can create security issues in itself because different IoS vendors will have different levels of privacy and security. “All of their products are already gateways from one network into another. The power will be with anyone who is able to seamlessly link up all these networks and their data,” he says. “It’s about having access to vast data sets that you can aggregate into new services.” We can already see some scary privacy violations as IoS companies collect enough data of their own. Uber (which did not return our interview requests) has sparked
concerns over its plans to track its users’ locations even when they are not using the app, and to pester people in their phones’ contact lists with special offers. It tracked users’ one-night stands by collecting their ride data, and then documented them in a blog post. Executives also tracked reporters’ movements in real-time and then bragged about it. If one company blatantly infringes privacy in this way, then what could hackers do with that data?
Some Solutions
There are some possible solutions to the privacy and security problems threatening the IoS that span the political and the technical. Regional politicians can impose their own data usage laws, as we’re seeing with the General Data Protection Regulation (GDPR) in Europe, which comes into force in May 2018. More specifically to the connected devices underpinning the IoS, the European Commission’s Communication on ICT Standards requires member states to develop standards that support trustworthy authentication across objects, devices and people. “The EU seems to have a better policy in place about telling us how they’ll use the data,” says Jamthe. “It’s nowhere near as transparent in the US, and vendors here don’t even want to have that conversation and freak out consumers.” Acknowledging that most individuals will be using IoT-based services owned largely by US firms, Rob van Kranenburg suggests instigating personal policies about data usage
Smart lights will report when they have been turned on and off, and an online service can analyze that data
in the IoT and associated services. He is working on a product, the Dowse Privacy Hub, which will be an open sourced hardware project enabling people to control what data they’re sending from their personal and private networks to other parties. Think of it as a privacy router. “We want to do this because we think that things are getting out of hand,” he adds.
Another Stack of Problems
The security problems for the IoS don’t just rest at that layer of the IoT stack, however. Insecurities in the rest of the stack can render the services themselves vulnerable. These layers include the hardware devices that collect the data and the networks that enable them to transfer that information, explains Sanjay Khatri, director of product marketing for IoT services at Jasper, which Cisco purchased in March 2016. Jasper is an IoT ecosystem platform that helps IoS companies to manage their devices and monetize them with value-added services. Device vendors can make basic mistakes such as not requiring code signing, or making the devices low-powered enough that they can’t support encryption, for example. Badly-configured user interfaces can lead to loss of control in the cloud. “You want to have ways to mitigate the large-scale dangers of connected devices,” he says, adding that Jasper provides services including device authentication and detection of anomalous behavior in large groups of connected devices. Partners in the Jasper ecosystem also handle tasks such as data encryption, and the security of the transport layer. Khatri argues that partners who use SIM-based cellular connections for their devices rather than public Wi-Fi networks to communicate with Jasper naturally harden the transport layer of the IoT stack on which their services rest.
Cultural Issues
Services may exist to help shore up security and privacy in the IoS, but ultimately, what’s needed is a cultural shift, warn experts. Traditional IT security professionals are used
to dealing with well-understood, linear processes relying on clearly-bounded inputs. Constellation’s Mulholland believes that the diverse, loosely-coupled IoS, with the nondeterministic algorithms and complex data sets that run atop it, are beyond the kinds of problems that these professionals are used to solving. “If you say that it starts with the event, and then serendipitously arrives at the output, you can imagine the look on their face,” Mulholland says. The same is true for those forced to deal with the IoS in the
The security problems for the IoS don't just rest at that layer of the IoT stack. Insecurities in the rest of the stack can render the services themselves vulnerable
enterprise space, who may have been used to programming embedded SCADA equipment that only ever spoke to particular devices in a closed network. “All of a sudden now they have a mandate to open it up,” Khatri says. Not just to internal staff but to third parties. “It’s overtaken a lot of these guys, and I don’t think that even the standard IT practices have really pervaded some of these areas.” The security and privacy challenges facing IoS companies and their users are broad and intricate. Companies are only just beginning to understand how the business models will work, and are shaping the technology to support it. If they want to bake privacy and security into those models, there’s an awful lot of talking – and learning – to do.
www.infosecurity-magazine.com /// 33
Friday 27 January 2017 at the Lancaster London, Hyde Park The White Hat Ball is the cyber security event of the year, in aid of Childline. Tables of ten start at £1,950 and new sponsor packages have just been released. This sell-out event is one not to be missed and is in aid of a great cause. In 2016 the White Hat Ball raised more than ever before for Childline; a record breaking £162,000. Join us for an amazing evening and help us to be there for children when they need us most. Your evening will begin with a champagne reception followed by a luxurious three-course dinner. There will be lots of entertainment including silent and live auctions where fantastic prizes will be won.
JOIN THE SPONSORS | RESERVE A TABLE 020 3772 9423
sarah.jeffery@nspcc.org.uk
Support the White Hat Ball Make a Difference #WHB17
www.whitehatevents.org ChildLine is a service provided by the NSPCC. © 2016 NSPCC. Registered charity England and Wales 216401 and Scotland SC037717. J20161218.
Ransomware Economics: Why the Threat is Here to Stay
Ransomware has been hitting the headlines for the past few years, snaring new victims who face the dilemma on whether to stand strong. Dan Raywood looks at the rising cost of a ransom payment, and how much the size of the target affects the financial demand
The concept of extorting a victim for money is nothing new; in fact it’s older than the internet by many centuries. Over the years, however, malware has evolved from spying on users and harvesting information, to promoting malicious links for clickbait, to the current straightforward tactic of ‘give us your money’. Arguably, the most surprising factor of ransomware is that it took so long to appear
as mainstream malware. After all, the factors that enable ransomware exist openly: encryption; drive-by download; users clicking on attachments; and a willingness to pay when victims feel there is a genuine threat of losing their data. After the iCloud hacks of 2014, people are warier of backing up their data to the cloud. Ransomware can infect network-attached storage so that is not an option, and removable storage has shrunk in physical size
and is easy to lose. Perhaps this is why nobody backs up their data anymore, and why ransomware is a success for the attacker time and time again.
Nothing New Here
Ransomware is nothing new though. Consultants were talking more than five years ago about ransomware infecting their clients’ networks, and just this year, reports were made of hospitals being hit by
The vast majority of attackers are indiscriminate in their target selection Jeremiah Grossman
ransomware and locking down their networks and access to patient data. According to a Freedom of Information Act request by NCC Group this year, 47% of NHS Trusts had been subject to a ransomware attack in the last 12 months. A total of 60 of 155 Trusts responded, and of those, 31 withheld information, 28 said they had been a victim and one said they had not. Research carried out by Andrew Hay, CISO of DataGravity, on the financial impact of ransomware upon five US hospitals, showed that the average revenue lost varied from $1000 up to $10,000. Hollywood Presbyterian Medical Center featured at the top end of the scale. Hay demonstrated that it had a total revenue of $970,317,733, a net income of $20,979,948, and an average revenue per day of $2,658,405. With the ransomware active for four days, the downtime cost was above $10,000. He also reported that the ransom demand was $17,000 due to a daily cost of $4250. Speaking to Infosecurity, Hay says that in the cases of the hospital infections he did not
believe it was a complete shutdown that prevented them from conducting business as usual, but rather a lack of access to required files. “For the case of the Hollywood Presbyterian Hospital, the affected data included patient files and electronic access to said files,” he adds. Can a business operate when hit by a ransomware infection, or does it mean a total shut down? “It depends entirely on their line of business,” Hay says. “For example, if the organization is a completely online business storefront, the inability to access customer, inventory and distribution information would likely grind all dealings to a halt. “There are businesses, however, that could fall back to pen and paper for some of their tasks. Though sub-optimal, the business could limp along for some time until a resolution can be found.”
To Pay or Not to Pay
One of the interesting points about the FOI request was that it demonstrated that infected businesses were not always paying the ransom. Hay explains that as some ransomware variants are not able to provide the decrypted files, even after the ransom is paid, he is not surprised that some organizations are choosing not to take the risk.
“The simple act of paying the ransom, however, does provide an indicator to the attacker that the victim was willing to pay before and may pay again in the future.” According to research by Malwarebytes, 40% of 540 companies hit by ransomware paid the attackers in order to retrieve their data. Another poll of 300 UK businesses by Trend Micro found that 65% of companies infected with ransomware ended up paying out. The average amount of ransom requested in the UK was $722, although 20% of companies reported ransoms of more than $1300. Steven Malone, director of security product management at Mimecast, says: “The price point dilemma is at the heart of ransomware’s success. For smaller businesses, the ransom is often pitched at $400 to $1000. Yet organizations that get hit also face considerable employee downtime and productivity loss, the inability to service customers [results in] significant costs and time to recover.” Another Freedom of Information study by SentinelOne found that of 71 universities questioned, 60% had been hit by ransomware, of which 65% were targeted multiple times. Jeremiah Grossman, chief of security strategy at SentinelOne, tells Infosecurity that
The fluctuation of Bitcoin impacts the typical ransomware payment amount
people are making a lot more money from ransomware than before, and often the attackers do not discriminate about the target, sending ‘mass blast’ emails hoping to infect multiple victims, while others target to get a larger payout. “The target is dependent on the group and where they feel most confident,” he says. “It looks like the vast majority of attackers are indiscriminate in their target selection, where they are spamming everybody or using malvertising as it takes more effort to go after a single target. If there were larger payments being made for ransomware I think we would see it, but we don’t have that many cases of large ransomware payouts, or there are just not a lot of them being reported.”
The Role of Bitcoin
The fluctuation of Bitcoin impacts the typical ransomware payment amount, says Grossman, who tells Infosecurity that a common payout for an average person was between $500 and $2000, or five bitcoins. “On the larger ones, it is probably more like $15,000 so there is a big jump there.” So how is the amount to be paid evaluated? Grossman argues it usually comes down to negotiation, as a lot of the time, the indiscriminate operators have no idea what data they have. They therefore aim for the maximum that they can get based on what the person is willing to spend. That is why you get those very low numbers, as everything is negotiable in that space. Recent research from Symantec suggested that the average ransom demand is now $679, up from $294 at the end of 2015, while Trend Micro figures suggested the average ransom demanded is $722 – although the payment is usually requested in Bitcoin. Hay adds: “Businesses are assessing the risk on a case-by-case basis. It really comes down to how much pain the business can endure by not paying...and for how long.” In terms of ransomware economics, the amount that is being paid is rising but not in large leaps. Kevin Epstein, vice-president of the threat operations center at Proofpoint, confirms that ransom amounts have tended to be relatively fixed between $300 and $1000
per machine, but ransoms typically need to be paid in a short timeframe so attackers can ask for differing amounts with each attack. “The amount attackers are demanding seems to correlate more closely to the value of decrypting individual machines,” Epstein says. “There is little evidence that attackers are basing their per-machine ransom demand on total perceived value per company divided by the likely infection rate. Big companies haven't yet been charged orders of magnitude per machine more than individuals.” So the money you need to spend when recovering from a ransomware infection is not massive, but it does depend on the size of your business, when the attacker realizes that they have caught a ‘big fish’ and how much they are willing to negotiate to extract the maximum cash.
It really comes down to how much pain the business can endure by not paying...and for how long Andrew Hay
Defend to Survive
A simpler solution, of course, would be to not get infected at all. Chris Hodson was a security leader at a number of large retailers, and is now EMEA CISO at Zscaler, and he advises organizations to get secure, and fast. “With cybercrime establishing itself as a profitable business, the bad guys get greedy quickly and seek to maximize revenue wherever possible,” he says. “However, in order to do this, the criminals need to make sure that their malware payloads evade controls. The most appropriate first step to take is to implement a defense-in-depth architecture, one which has the ability to provide dynamic and behavioral analysis of malware. I’d also advise businesses and CIOs in particular to no longer rely just on signatures.” Does that mean security teams should consider putting budget aside to potentially cover a ransomware payment, or is that a defeatist stance? “With ransomware so prominent in today’s cyber-space, it almost feels like organizations are waiting to get hit, rather than proactively seeking defense mechanisms,” says Hodson. “In terms of putting budgets aside to cover the damage, this is not something I would recommend. As ransomware matures, attacking more personal identifiable information, it is hard to put a figure on your data.
“At the end of the day, paying up or not depends entirely on a plethora of circumstances so such predictions cannot be made. Instead of worrying about the financial damage, organizations and CIOs should be more concerned with getting their cyberdefenses tightened, ensuring such attacks do not happen in the first instance.” Protection methods which use people, processes and technology combined may be the best solution in the fight against ransomware, while initiatives like ‘No More Ransomware’ will enable decryption. The issue is that a lack of access to critical files can lead to a lack of productivity as a best case scenario, or loss of life as a worst. Businesses can do their best to protect and survive, but if the amount typically demanded for a ransomware payment doubled from 2015 to 2016, 2017 could bring worse news.
Making Bugs Bountiful: Should Bug Bounty Hunting be Regulated?
With black hat brokers able to outbid even the likes of Google and Apple for vulnerabilities, Davey Winder explores whether the bug bounty model is fundamentally flawed
Apple recently joined the growing number of corporates to launch a vulnerability reward program, better known as a bug bounty scheme. Initially limited to a couple of dozen researchers already known to Apple, it will pay as much as $200,000 for a critical security vulnerability, which sounds a lot, until you learn that a small private firm called Exodus Intelligence offers as much as $500,000 for zero-day vulnerabilities in iOS. While Exodus says its customers – who pay subscriptions starting from $200,000 per year to access intel on these vulnerabilities – are defensive rather than offensive, the security industry needs to consider whether bug bounty programs are a broken concept needing regulation.
Show Me the Money
Apple isn’t alone in offering financial reward to bug hunters who uncover vulnerabilities, although its maximum
payout is at the upper end of the bounty program spectrum. The days of insulting researchers with t-shirts by way of reward (yes, Yahoo, we’re looking at you) are long gone, but what are the bounties out there, and how do they differ between large corporates and the smaller business? The US Department of Defense launched a pilot ‘Hack the Pentagon’ program through HackerOne earlier this year and paid out $70,000 in bounties to 58 researchers for 134 vulnerabilities. The first was found within just 15 minutes. Facebook launched a bounty program in 2011 and has paid out $4.3m to 800 researchers in 127 countries, with $1m of that being paid in 2015 alone. Microsoft offers a top bounty of $100,000, while Uber has a maximum payout of $10,000. Pornhub sits in the middle with a $25,000 cap, and HackerOne itself will pay $10,000 for severe vulnerabilities found.
Many SMEs don’t have the staff required to search for vulnerabilities quickly enough with the breadth of techniques David Gibson
Since launching its bug bounty program in 2010, Google has paid over $6m to security researchers
As Ken Munro, a partner at ethical hacking outfit Pen Test Partners, told us, “details of bug bounty programs are readily available on sites such as HackerOne and BugCrowd, and since launching its bug bounty program in 2010, Google has paid over $6m to security researchers. Rather than sit on its laurels, Google recently doubled the reward for its Chromebook from $50,000 to $100,000 with no maximum reward pool when it realized that no exploits had been found to further incentivize researchers.” The key is that companies offering bounty rewards generally do so based on the size of their business, so smaller companies will have lower caps. Unfortunately, zero-day brokers selling to the highest bidder will typically pay more than even the largest company can justify, especially if the bug has a very high Common Vulnerability Scoring System (CVSS) score. The CVSS is the standard for assessing security vulnerability severity, calculated on a formula including metrics to approximate ease and impact of exploit. “Those with a very high CVSS score that impact a large number of devices, or have specific use-cases of interest to nation states, typically start at $100,000, and could be sold for many times that,” says Neil Cook, chief security architect at Open-Xchange. However, these kinds of vulnerabilities are pretty rare. “Individuals working entirely on the dark-side might spend a very long time before they find one”, Cook adds, “it’s not the gold-rush of popular imagination.” Even so, given that such brokers can typically outbid the likes of Apple and Google, we have to ask if the bug bounty concept as it exists is therefore flawed.
When hackers submit valid reports and companies pay for them, we are all winning Marten Mickos
A Broken Concept?
David Gibson, VP of strategy & market development at Varonis, certainly doesn’t think bug bounty programs are pointless. “Many SMEs don’t have the staff required to search for vulnerabilities quickly enough with the breadth of techniques,” he explains. “It’s effective to crowdsource instead of, or in addition to, hiring a firm or penetration tester who typically charges a flat fee rather than you paying for what they find.” Cody Mercer, senior threat research analyst at NSFOCUS (International Business Division) tells Infosecurity about his experience of running a bug bounty program at a previous manufacturer. “We had a few findings discovered by researchers that led to a major flaw found in one of our product lines,” he says. “Had this vulnerability gone unnoticed, the potential could have been an APT that could have dire consequences if left unchecked. The ROI far exceeded the budget needed to run this program so it proved to be invaluable.” Also, as Gavin Millard, EMEA technical director with Tenable Network Security, reminds us: “by motivating researchers and developers through bug bounty programs, more issues will be discovered and dealt with, leading to a reduced attack surface.”
This type of practice is best self-regulated by the industry Ken Munro
Not everyone agrees that monetary-based bounty programs have a positive effect on responsible vulnerability disclosure though. “It sets the bar for the lowest available price for vulnerabilities and legitimizes the further selling of such vulnerabilities to other third parties that offer higher compensation,” argues Amichai Shulman, CTO at Imperva. While not agreeing that the concept is broken, Thomas Richards, senior security consultant at Cigital, says zero-day
brokers existed long before the current programs offered by companies, and as such they have “a long uphill battle to compete against the zero-day broker market.” Of course, whether brokers are a bad thing per se depends on your definition of a broker in the first place. Just because someone sits between bounty hunter and impacted vendor, party to a trade, that does not make him a bad guy. In fact it could be the very opposite, ensuring that both parties get a fair deal. Which begs a further question: does the bounty hunting industry need an official regulator?
Regulation Matters
Neil Cook looks to the likes of HackerOne, a conduit between researchers and companies, as an argument for voluntary rather than compulsory regulation. “As part of the rules of the scheme, companies publish vulnerabilities found through a process of responsible disclosure; it’s an
open, transparent system.” Individual companies determine the bounty rates, not HackerOne, and researchers are well aware of the rules before choosing to sign up. What we do need, perhaps, is a change in the way disclosure happens as a country. In the US, where disclosure affecting customer data is mandatory in 47 out of 50 states, there is much less incentive to brush an incident under the carpet. “Disclosure practices there have fuelled bug bounty programs which is why so many American companies have them,” argues Munro. “Foster a more open culture here in the UK, which hopefully will happen when EU GDPR or its post-Brexit equivalent comes into force in 2018, and we should see bug bounty programs receive far wider acceptance as a consequence.” Will these need to be adjudicated? “As a commercial undertaking”, he adds, “this type of practice is best self-regulated by the industry.”
Interview: Marten Mickos, CEO, HackerOne
Created by former security leaders from Facebook, Google and Microsoft, HackerOne was the first vulnerability coordination and bug bounty platform. Infosecurity spoke to CEO Marten Mickos to find out more.
Infosecurity: How much have HackerOne customers paid out?
Marten Mickos: HackerOne customers have rewarded over $10,000,000 for 30,000 resolved issues. In the first 100 days, Uber’s public bug bounty program awarded $345,120.48. Google spent $1.5m on Chrome and Google bug bounties in 2014, and Facebook has paid more than $4m since launching in 2011. Companies on HackerOne are offering bounty rewards as high as $50,000 for a severe issue. The most active customers on HackerOne’s platform spend about $1m per year in bounties. Small customers get by with as little as $50,000 per year, and some programs run purely as vulnerability coordination programs where no bounties are paid for any type of submission.
Infosecurity: So are the motivations of the bug bounty hunters purely financial?
MM: Bug bounty programs are competitive but do not aim to compete with the black market directly. The vast majority of hackers participate for recognition and purpose, as much as for financial reasons. HackerOne just released the ‘2016 Bug Bounty Hacker Report’ which found that while 72% reported they hack for money, 70% said they hack for fun, 66% reported hacking to be challenged, 64% hack to advance their career and 51% reported hacking to do good in the world. Money is a key driver in bug bounty programs but it is not everything, and this helps explain why 57% of bug bounty hackers reported participating in programs that do not offer bounty rewards.
Infosecurity: What about regulation of the market?
MM: The great thing with bug bounty programs is that it is a voluntary market. Companies set whatever bounties they like and hackers participate in whatever programs they like. The bug bounty market is a self-regulating system. It is in the interest of companies to maintain the trust and loyalty of every hacker so they will continue to find vulnerabilities. It is in the hacker’s best interest to maintain trust and loyalty with companies so their reputation grows, qualifying them for future bug bounty invitations. When hackers submit valid reports and companies pay for them, we are all winning. Any process or regulation that would slow down vulnerability disclosure and resolution has the potential to put all of us at risk.
www.infosecurity-magazine.com /// 41
OPINION
How to Get on the Right Side of the EU Data Regulations
Richard Whomes outlines how organizations handling cross-border data can make sure they stay on top of the EU General Data Protection Regulation and US-based Privacy Shield

With an estimated $250 billion of transatlantic trade dependent on cross-border data transfers alone, data protection has become a major issue. If your organization holds data emanating from the EU, you need to make sure you’re on top of the regulations. EU privacy law forbids the movement of citizens’ data outside the EU to any location that is not deemed to have “adequate” privacy protection. Essentially, this means that if a non-EU country wants to hold EU data, its regulations have to conform to EU standards. US companies should concern themselves initially with the new Privacy Shield agreement, while those in the UK will soon need to adhere to the new EU General Data Protection Regulation (GDPR).

What is the EU-US Privacy Shield?
The EU-US Privacy Shield was formally adopted by the European Commission on 12 July 2016, in response to a ruling that the existing Safe Harbor agreement was insufficient. The framework is designed to protect EU citizens and the data of individuals based in the EU against misuse by US-based companies.
Requirements for US Companies:
• State clearly that you are participating in the Privacy Shield, how you are collecting information and what you are using it for
• Take “reasonable” steps to ensure that any third-party contractors use the personal information in a manner that is consistent with the Privacy Shield
• Collect only information that is specifically relevant to the intended and disclosed use
• Certify with the US government that you will continue to apply the principles of the Privacy Shield even if you leave the program
• Establish a named individual to quickly respond to privacy-related complaints
• Make public any compliance or assessment reports that you have been required to submit to the US Federal Trade Commission

Regardless of Brexit, the new EU GDPR is on its way. Even when the country leaves the EU, the UK will need to prove “adequacy” of its privacy regulations.

Considerations for UK Companies:
• It will be expensive to make mistakes. Fines for data breaches will be as high as €20 million, or up to 4% of global revenues
• Everyone will have the “right to be forgotten.” This is a huge challenge for any organization. You’ll need to identify every instance of an individual record, and that includes backup and archive data
• Data portability: People must be able to transfer their personal data from one electronic processing system to another, made available to them in a structured and commonly-used electronic format
• If you’re handling large volumes of data, you’ll need to appoint a data processing officer to manage your security processes and provide advice to the senior management team
• You must report any data breaches rapidly (within 72 hours)
• If you are using third-parties to process personal data, you will still be held responsible for its security

The EU regulations, whether in the form of EU GDPR or the Privacy Shield framework, will no doubt be tested, challenged and adapted for several years to come. However, at their heart are some sensible precautions for the protection of the individual, and the implementation of these frameworks serves as a good reminder for all of us to treat customer data with respect.
AUTHOR PROFILE Richard Whomes has more than 30 years’ experience in senior management roles in manufacturing as well as software development and sales. Richard has been at Rocket Software for 14 years as a senior director with a focus on sales, go-to-market strategies, partner development, business intelligence, performance and data management.
Skills Gap: How to Attract the Best Staff As the cybersecurity skills gap continues to plague the industry, it has never been more important for organizations to have a sound understanding of how to attract and retain the best staff. Michael Hill reports
The cybersecurity skills gap is one of the most commonly-discussed topics across the industry today. The simple fact is that, in an ever-evolving and demanding digital environment, there just aren’t enough individuals to fill the plethora of security roles that are currently open. Research from firms like (ISC)2 predicts a deficit of 1.5 million unfilled jobs in cyber globally by 2020; undeniable proof that the industry will continue to suffer greatly if the issue isn’t tackled head-on. “The skills shortage applies right across the security industry – in both the vendor and end-user domains,” explains Simon Hember, group business development director at Acumin Consulting. “There are certain technical skill sets where demand massively outstrips supply, such as web application security specialists, accredited penetration testers and enterprise security architects.” Government and education bodies do seem to be getting the message, with more being done to help cultivate a higher level of cybersecurity awareness in the young than ever before, but this is only half the battle. Just as much an issue is exactly how organizations go about attracting, hiring and retaining the sort of talent they need. With so many companies desperately searching for new security professionals, there is an unprecedented level of competitive tension which can drive up candidate expectations and contract rates, lead to poor hiring processes, and result in rushed, ill-informed decisions. This can make it extremely difficult for organizations to recruit quality staff, and even harder to keep hold of them if they’re not fully prepared to take on the various challenges and intricacies that surround the employment process. So what are the key fundamentals that enterprises need to consider to make sure they attract the best staff?
Put Yourself in Control
First, companies need to put themselves in the strongest possible position when they are looking to bring in new recruits, and in today’s employment culture, a great place to start is by forming a solid relationship with dedicated recruiters. “Always speak to a specialist agency or consultant who can offer sound advice to help mitigate against the possible pitfalls of under- or over-hiring, getting the compensation level right, ensuring the job description is appropriate and the recruitment process is sufficiently rigorous. Getting it wrong can be very costly and so it pays to take good advice,” adds Hember. One of the most common reasons for losing out on talent tends to be a lack of control in the initial process of looking for a candidate, and a breakdown in communication between the candidates and employer. Working with a dedicated specialist means that applicants are engaged in a consultative process where concerns and risks are communicated both ways.

In order to keep your staff happy, they need to feel valued by the organization, says (ISC)2's Adrian Davis
What Do Security Pros Want?
The next, and perhaps most important, thing to gain an understanding of is exactly what security professionals are looking for in a role. After all, you could sit down and interview the perfect candidate for the job, whose ability or potential is what you’re looking for, but if what you have to offer doesn’t appeal to them, they could slip through your fingers – and this often comes down to more than just financial gains. “Of course salary does play a part,” Ollie Hart, Fujitsu’s head of enterprise & cybersecurity, UK and Ireland, tells Infosecurity. “Experts in the field are extremely valuable and know it, so they will look to go to companies who recognize that and offer competitive packages. “That said, to attract the best industry talent, companies need to showcase themselves as an organization with a lot of opportunity for training, growth and development. People are looking for careers with longevity and progression rather than short-term contracts, and so companies need to demonstrate that they can provide that.” The reputation of a company comes into play too, Hart continues, with the most attractive organizations having a good reputation as an employer, coupled with a team with strong capabilities and opportunities. Dr Adrian Davis, managing director at (ISC)2 EMEA, echoes these sentiments. He adds that the deciding factor in attracting staff is influence. Security professionals want to know they are making a difference; that they are successful, contributing to success and that they are appreciated, he says. “If cybersecurity individuals do not feel valued, believe they are to be blamed or fired when things go wrong, or that their opinions are not taken into account, then they will not stay long.” The best organizations don’t treat cybersecurity professionals any differently from other employees, Davis continues. They ensure those professionals are tightly linked to the business and its operations, and reward expertise and business contributions. “This means that all employees should have influence across the organization in the areas where they are needed, not just those at a senior level.”
When the Grass is Greener
This brings us onto the subject of staff retention. For CISOs, losing good employees is painful, especially when time and effort has been invested in them. The reality is, however, that people are often on the lookout for their next role, particularly if they believe the grass is greener on the other side. “It’s a hot market and therefore people do move around to capitalize on their skills and progress their careers,” Hember says. “We tend to find that even amongst the most passive of candidates over the last couple of years, few are truly ‘off-market’. Companies are now doing much more to gain employee buy-in and retain their services.” Organizations need to remember that it’s not enough to focus solely on attracting people in with promises of what the role will offer; they have to constantly take steps to give them a reason to stay and limit the ‘revolving door’ of staff that seems to impact so many businesses. The key here is making the job and the company stimulating enough to retain employees, and offering something unique and challenging is a great way to reduce churn. “When someone feels that they have exhausted all they can gain from a company, they will begin to look elsewhere for the next new and exciting challenge, so offering staff the exposure to wider areas within cybersecurity is really important to keep things fresh and interesting,” advises Hart. “Companies could also offer their staff options for further academic study and qualifications – it’s a fast moving industry so companies need to ensure that they are keeping their teams up to date and excited about what they are doing.”
Think Outside the Box
Finally, companies need to be willing to think beyond the obvious when it comes to hiring staff. The industry is evolving at an incredible speed, so businesses must be just as forward-thinking and innovative when it comes to recruitment. Speaking to Infosecurity, independent consultant Dr Jessica Barker explains that a big part of this comes down to an organization's willingness to sometimes look past what somebody has to offer on paper and consider the wider picture of what they can bring to the table as an individual. “Recruiting people with the right attitude, mindset and potential is really important. Rather than hiring people based purely on certifications, look at what they do outside of work, what their work ethic is like, whether they're a team player. If they have these qualities and the desire and potential to be trained up, that might be a better investment than someone who has lots of certifications,” advises Barker. This is an opinion shared by David Baker, chief security officer at Okta, who says that some of the best security talent he has hired didn’t necessarily have a formal education but had the determination to find things out for themselves and become their own teachers. “It takes a person with a lot of creativity to really do that. I like to think of security professionals as ‘unique snowflakes’ – they’re often very creative people because what they do is actually a very creative endeavor; how do you figure out how to break things that are not designed to be broken?

“How you translate that creativity into a curriculum is where we are lacking as an industry right now, that’s something we haven’t figured out yet,” he argues. In the long run, adds Davis, companies need to look for a broader range of skills, not just a narrow technical focus. Understand you have to recruit junior-level employees (and train them). The bottom line is that opportunities must be provided in order for the next generation to grow and develop. There’s simply no escaping the fact that the cybersecurity skills gap is currently rife, and it’s not something that the industry can circumvent, nor is it a problem that will go away overnight. However, we are starting to see a change with more companies working with academia to show young talent how interesting and rewarding cybersecurity can be, in addition to providing opportunities to develop an interest in the cyber landscape. It’s now vital that businesses reinforce this by also evaluating their own strategies for attracting, hiring and retaining staff to ensure the process is kept relevant, inventive and ultimately allows them to build the very best security teams for the long-term.
Slack Space

Pakistani Hackers Flood Air India Pilots with Music
It would appear that the Jammu airport, which is very close to the Kashmir line of control between Pakistan and India, should now be referred to as the ‘JAM-mu airport.’ Pakistan and India might be at odds from a military and ideological perspective, but some are taking to playing DJ to get their point across. According to a Times of India report, Pakistani hackers are tapping into the frequency on which pilots communicate with air traffic control (ATC) while on the approach to land. They’re jamming regular communications and are instead transmitting popular Pakistani patriotic songs. Air India operates Army charters to the forward base located at Thoise from Jammu, and according to the report, these flights are also feeling the jams, as it were. “We are made to hear songs like 'Dil, dil Pakistan, Jaan Jaan Pakistan' [an iconic 80s song by Pakistani band Vital Signs],” one pilot told the paper. “Hacking of our frequency has been happening for some time now.” It’s obviously a safety concern, so the pilots revert to the Northern Control in Udhampur when it happens, which coordinates with aircraft when they are over 10,000 feet up. The Northern Control calls up the Jammu ATC on landline and gets an alternate frequency for landing communications. It takes time to hack in, which gives enough time to land. As a precautionary measure, the Jammu ATC frequency is changed frequently to minimize the spontaneous jam-boxing.
Snowden: Movie Magic and Sobering Reminders
In September the film Snowden hit our screens, reminding us all that a Big Brother world is not as unfeasible a reality as we perhaps once thought it was. Directed by Oliver Stone (who else? The maestro of conspiracy theory films is the only perfect pick for this), the film examines Snowden’s theft and subsequent leaking of tens of thousands of classified documents, leading to the revelations of mass surveillance of US citizens on the part of the NSA. Whether you think he’s a traitor (and let’s face it – holing up in Russia doesn’t help with that image) or a supremely ethical whistleblower (certainly Stone’s opinion), it’s irrefutable that those actions have sent ripple effects throughout society, both domestically and internationally. The film has a certain ‘truthiness’ to it. Sure, there’s the only slightly telegenic casting of Joseph Gordon-Levitt as the eponymous subject, and most reviewers call the flick “restrained” for Stone – certainly compared to his exuberantly insane handling of the JFK assassination. Mostly though, it should be said that Snowden asks the right questions and points out the right dangers of a government spying program built to circumvent any semblance of privacy for citizens, unfettered by any possible legal consequences. The effects of Snowden’s revelations could be one of the more important turning points in US cultural history; the scales have permanently fallen from our eyes.

Joseph Gordon-Levitt, Shailene Woodley and Zachary Quinto star in Hollywood movie, Snowden

Hackers Catch Man Red-Handed – So to Speak
People, just put tape over your webcam already, okay? One Melbourne man learned that the hard way when he clicked open an email to discover a video of himself in a rather compromising position. In addition to being in flagrante, as it were, he was filmed in the middle of, erm, pleasuring himself. “There I was in all my glory,” he said, according to the Australian Broadcasting Corp. The hackers in this case demanded a ransom of $10,000 Australian dollars – and said that if he didn’t pay up, there would be swift social consequences. “There was an email saying they were going to release footage to all my Facebook friends and people I worked with if I don't pay them money,” he said. “Initially I laughed.” But the hackers had a screenshot of his Facebook friends, and personal details from his website, which had him spooked. After initially negotiating the fee down to $3000, he decided to stay strong. He posted about the hack on Facebook, and sheepishly told his co-workers about the issue, in case anyone actually received a link to the video. He never heard from the scammers again. However, ABC reported that the incident is far from isolated, with dozens of victims posting about the gambit in an online forum. Not everyone is as brave as Matt from Melbourne, and that’s exactly what the bad guys are counting on. The easiest way to avoid becoming a victim of blackmail? Cover the camera – or take your private moments somewhere else!

Anyone who wants to share their grumbles, groans, tip-offs and gossip with the author of Slack Space should contact infosecurity.press@reedexpo.co.uk
Parting Shots
It’s official; Infosecurity Magazine has thrown itself into the conference market for the first time, hosting its very own event in Boston, December 06 - 07. After 12 years of bringing you all the latest news, knowledge and insight from the information security community both online and in print, Infosecurity Magazine Conference now offers security professionals the chance to come together under one roof to share their experiences, learn from others and, above all, forge the type of relationships that help keep the industry at the very forefront of innovation. As part of the Infosecurity Group – home also to Infosecurity Europe – Infosecurity Magazine is no stranger to the ins and outs of the conference world. However, this first foray into hosting a standalone magazine event has brought about its own set of exciting and rewarding challenges for the editorial team who have worked tirelessly to put the show together. So, with the conference just around the corner, I was intrigued to delve a little deeper into what makes these types of shows so well-attended, what they mean to people, and why security experts continue to give up their time to appear as speakers.

“The cybersecurity community enjoys conferences because we love to learn and to share knowledge,” independent consultant Dr Jessica Barker told Infosecurity. “Despite the perception that we're an introverted bunch, we love the networking aspects of conferences too!

“The hallway conversations and after-party are as valued as the talks themselves – if not more so. Conferences provide a space to have conversations with like-minded people who 'get' the subject in a way that your family, friends or other people in your organization might not.”

James Chappell, CTO and co-founder of Digital Shadows, holds a similar view, explaining that conferences provide the perfect opportunity to not only share, but also evolve, our own understanding of security – after all, collaboration is the key to education, and that’s no different with events.

“It’s important to attend with an open mind and be prepared to learn about new concepts and approaches to tackling security issues, but at the same time expect to be challenged about one’s own approach and take on board valuable feedback," Chappell said. In an industry that moves as quickly as ours, he added, there’s always something new to debate about how we tackle the complex challenges facing our customers.

Of course, these events would be nothing without the terrific lineups of speakers, frequently enduring long-distance flights or traversing city traffic for what can sometimes be a speaking slot of just 20 minutes or so. So what is it about speaking at events that is so appealing and valuable? For Tony Pepper, CEO at Egress, speaking at events not only allows him to enhance the profile of his company, but also directly engage with Egress clients.

“We’re able to emphasize the importance of data protection in front of those best placed to address the security challenges faced across all industries, and it’s important for us to take the chance to spread our message as widely as possible whenever we can,” he said. “Cybersecurity is one of the most critical business issues of our time. It seems as if we’re never more than a few hours away from the next data breach and the importance of staying one step ahead of threats has never been higher.

“Security summits are one of the most effective ways for the industry to discuss these threats, bringing the user’s concerns directly to the security industry and its supply chain.”

So, as we prepare to lift the curtain on our maiden magazine conference, I’d like to extend my gratitude to the fantastic set of experts and guests we have due to speak over the two days. Also, for those going along as attendees, I hope you have an incredible experience at what promises to be a fantastic industry event, and for anyone unfortunately not able to make it this time around, we hope to see you elsewhere in the very near future!

Michael Hill, Deputy Editor
@MichaelInfosec

Infosecurity Magazine Conference heads to the bright city of Boston this December