Hello. Welcome to the February 2017 edition of Cyber World - the monthly magazine that brings you the latest news in the world of cyber security. We bring you analyses from leading industry professionals, academics and rising stars in the industry, together with a roundup of the latest industry news, latest vulnerabilities and threat intelligence. In this edition, we are proud to present a special guest contribution by DarkMatter Founder and CEO, Mr Faisal Al Bannai. We are also excited to publish analyses by Daryl Flack, Co-founder and CIO of Blockphish and security lead for the Smart Metering Implementation Programme at the Department for Business, Energy and Industrial Strategy (BEIS). We also have an article by Kevin Murphy, a Cyber Security, Risk and Privacy Specialist at the Royal Bank of Scotland and president of the ISACA Scottish Chapter, and by Talal Rajab, the Head of Programme at techUK for Cyber and National Security. This edition also includes an analysis on ‘IoT - Security Issues in Factory Automation and Control’ as well as an interview with the Rising Star Siming Wei, a Cyber Security senior associate at PwC. As always, we thank all our readers for their interest and valuable feedback, and we look forward to your continuous engagement with our magazine. If you enjoy this magazine, feel free to share it with your friends and colleagues, and your feedback is always welcome.
Laith Gharib Managing Director
Major Incidents Rounding up the news
Siblings Arrested Over Italian Elites’ Hack
Hackers Seize Exposed MongoDB Databases
Police have arrested a brother and sister in Italy who are suspected of having targeted the communications of former Italian PM Matteo Renzi, former PM Mario Monti, Mario Draghi, the head of the European Central Bank, a cardinal and many other VIPs.
MongoDB is a so-called big data, unstructured database. It is popular with JavaScript programmers because you interact with it in JavaScript, and it stores records in JSON (JavaScript Object Notation) format. The problem with it is that the default installation does not set any kind of authentication.
The pair was caught when they sent a phishing email to a security researcher who turned it over to the police.
Researcher Niall Merrigan has now reported that hackers have seized 28,000 of these and held them for ransom. Hackers find these open databases using portscan and a programme called Shodan. They delete all the data but insert one record providing an email address where the victims can send payment to in order to get their data back.
The Guardian reports that the hackers stole financial information and then used it ‘in order to make financial gains’, presumably in the financial markets, since there is no evidence of blackmail or of them having sold this data.
3
C Y B ER WORLD
UK Healthcare System Comes Under Attack
Encoded HTML Phishing Attack on Netflix
Last October the Northern Lincolnshire and Goole NHS (National Health Service) Foundation Trust was infected with the Globe2 ransomware. Hundreds of operations and appointments had to be cancelled. The hospitals simply shut down their computers while figuring out what to do. An audit showed that many hospitals are still using Microsoft Windows XP, which is no longer supported. Barts Health NHS Trust in London, the largest in the UK, has reportedly also suffered a ransomware attack on 13th January, and has taken several drives offline as a precaution. In an official statement, however, the Trust has denied that the IT problems it experienced resulted from a ransomware attack.
FireEye reports that hackers have used phishing attacks to steal Netflix customers’ payment information. The mechanism seeks to avoid text-based detection by sending the web page as an encoded and encrypted payload. When the web page opens, JavaScript renders the page in the browser. The hacker also sought to avoid being blacklisted by generating an error 404 message when the page was loaded after clicking a link in certain large sites, including google.com. The user is attacked by way of a phishing email asking them to update their Netflix information.
FEB RUA RY 2 017
4
Ukraine Power Grid Attacked Again The power grid in the Ukraine, which had already been attacked in 2015, was attacked again in December 2016. The latest attack resulted in a power cut in the country’s capital Kiev in the night of the 17th of December, taking out roughly ⅕ of the city’s power. The 2015 attack was blamed on Russia, according to the BBC, and the security firm hired to investigate the latest incident, ISSP, says the two hacks are related.
Yahoo Hack Impacts Merger The news has spread across the globe that hackers stole 1 billion user accounts from Yahoo. Regulators at the SEC (Security and Exchange Commission) now want to know why Yahoo kept that information secret. Questions have been raised whether this failure has had anything to do with Yahoo’s merger with Verizon. News reports claim that as a result, Verizon wants to lower the purchase price by $1 billion.
San Francisco Train System Hacked Hackers managed to attack the machines that dispense tickets in the San Francisco subway. They changed the display to read “You Hacked, ALL Data Encrypted”. Fortune magazine wrote to the email address provided by the hackers. The hackers replied that the transportation agency is using equipment as old as Windows 2000, and so was an easy target. They stole 30GB of accounting, payroll, email, and other data.
5
C Y B ER WORLD
“
The news has spread all over the world that hackers stole 1 billion user accounts from Yahoo.
FEB RUA RY 2 017
6
Vulnerabilities Latest Developments and Trends
Deeper Dive — Aircracking Deeper Dive looks at an attack vector or vulnerability and seeks to better understand how hackers operate and what are the best practices. The topic of this edition is Aircracking the wireless network hacking tool whose development started in 2006. The aircrack toolkits’ main application is to find the passphrase used for networks. This can be divided into two categories, WEP and WPA/WPA2. To crack WEP networks, aircrack collects lots of initialisation vectors; the number required depends on the length of the password being cracked. It is estimated that 20,000 packets are required for a 64 bit passphrase and up to 85,000 packets for a 128 bit passphrase.
7
The other networks aircrack commonly breaches are WPA/WPA2. It does so using a brute force dictionary attack. Here you can find some example wordlist, most containing several million words each. This means the password will only be cracked if it is in the wordlist. Many tutorials can be found online for how to test a network with aircrack and ensure it is not vulnerable to an attack. The official website (aircrack-ng.org) also provides plenty of documentation and walkthroughs to help use the product. Protecting wireless networks is paramount to any organisation or individual as this is the gateway to all our personal information stored on the web.
C Y B ER WORLD
Eir Modem used by Irish ISP Open to Attack
Researchers Hack Samsung Camera
In November, a writer known only as kenzo2017 found what he calls a ‘serious bug’ with more Eir modems, bringing the number that can be hacked to three. The issue is that a hacker can use the TR-069 protocol to change the modem settings.
In 2014, researchers at the DEFCON conference demonstrated how to take over a Samsung camera. Samsung’s response was to remove the web interface rather than to fix it. That spurred a hacker group, Exploitee.rs, to ‘take another crack at it,’ writes Threat Post.
The TR-069 protocol is used by ISPs to reset passwords and make other changes when customers call support. One problem with the model is the LAN. The internal-facing side of the modem is incorrectly exposed to the public internet when the hacker resets the device.
Exploitee.rs is not a secretive group. It lists dozens of devices on its website and publishes code showing how to hack each. The exploit is pushed to the device using CURL, adding instructions to tell the code that updates the firmware to append the hacker’s own instructions to end.
FEB RUA RY 2 017
8
iTunes and App Store Vulnerable to Malware Vulnerability Lab showed that a user can enter JavaScript into the iTunes screen where users sign up to receive notification of a new app. The field is supported to be static, but a coding error causes the value entered there to be evaluated as a command. The Notification function lets a hacker spoof the email address. So the hacker can sign up for notification and use Apple to send its phishing malware to an Apple user.
FTC Files Injunction against D-Link The FTC filed a Complaint for Permanent Injunction and Other Equitable Relief against D-Link Corporation, maker of routers and IP cameras. The complaint says, ‘defendants have failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access…’ This includes ‘hard-coded user credentials and other backdoors and command injection flaws…’ The FTC also chastises them for storing passwords in clear text. The targeted devices are N300 Router, N Dual Band Router, and N Network Cameras.
New Malware Threatens Mac and Linux Fruitfly, aka Quimitchin, is a newly discovered ‘old’ malware that targets Linux and Mac systems. It is targeted at Mac, but also works on Linux, since Mac shares some Linux functions. Malwarebytes uncovered this issue when they noticed an infected machine making connection to different IP addresses. The computer was sending out screen prints. They do not know how long the code had been on the machine, but speculate it could have been there for some years. One reason for that is the coding techniques show a limited understanding of Mac and some aged design principles. Apple has released a fix. 9
C Y B ER WORLD
“
Researchers at the DEFCON conference demonstrated how to take over a Samsung camera
FEB RUA RY 2 017
10
Monthly Analysis November-December Threat Roundup
Global Distribution of Attacks November and December saw an increase in attacks, 74 and 103 attacks respectively, from previous months. This could be due to the Christmas vacation giving hackers more time to seek out targets. The US only represents 38% of attacks over the two month period, which shows the attacks were more widely distributed to other parts of the world, as seen for example in the increase in the attacks in India.
US
UK India
Global Israel
Ecuador
Global Distribution of Attacks
Middle East
11
International
Asia Pacific
C Y B ER WORLD
Europe
North America
Attack Timeline The graph to the right represents the 61 days in the two month period, with the usual ups and downs, especially from the beginning to mid November. There was also a slight spike in activity the week before Christmas, followed by a sharp dip on the 22nd of December.
November-December Top Sectors Targeted The Government sector experienced nearly double the breaches than the second most targeted sector — Online Services — with 37 attacks. There was a significant increase in the attacks in the ‘Other’ sectors category which includes a large number of universities that were attacked. The remaining categories, Healthcare, Finance, and Single Individuals experienced 23, 18 and 6 incidents respectively.
FEB RUA RY 2 017
12
Most Used Attack Vectors The pie chart shows a relatively even distribution of the attacks across the different attack vectors. Account Hijacking was the most prominent known vector, which could be a result of the OurMine Twitter account hijackings that occurred. There was also a significant increase in DDos attacks with services like Steam and Tumblr suffering outages for several hours. SQLi makes a strong return, having been absent in our December edition’s analysis.
Credentials Stolen In three days alone, over 100 Million credentials were leaked. It is interesting to note that when comparing the timeline with the credentials stolen, there appears to be no correlation. This suggests that these large credential breaches are the result of only one attack.
13
C Y B ER WORLD
VisDa
Take control of your data A revolutionary complete track and trace tool that visualises and analyses data transfers to understand what, how and where information is moving to achieve regulatory compliance. Key Features: GDPR transfers compliance score Instantly identify high risk communications All files transferred across a network are stored and recorded All content is fully text indexed, so information can easily be accessed Scalable, our solution is proven on networks that operate up to 1Tb/s
www.secgate.co.uk/visda
Special Guest
Faisal Al Bannai
17
C Y B ER WORLD
Making the Case for a Ministerial Cyber Security Appointment About the Author: Faisal Al Bannai is Founder and Chief Executive Officer of DarkMatter, an international cyber security company based in the UAE, which is empowering digitisation globally. He can be reached on Twitter @albannai_faisal
In February 2016, President Obama established the
3.
Prepare consumers to thrive in a digital age.
Commission on Enhancing National Cyber Security
4.
Build cyber security workforce capabilities.
with an Executive Order. The Commission completed
5.
Better equip government to function effectively
its report on December 1, 2016, providing detailed short-term
and
long-term
recommendations
to
strengthen cyber security in both the public and private sectors, while protecting privacy, fostering innovation and ensuring economic and national security. The report emphasises the need for partnerships between the public and private sectors, as well as international engagement. It also discusses the role consumers must play in enhancing the US’ digital security. The report categorises its recommendations within six overarching imperatives focused on infrastructure,
investment,
consumer
education,
and securely in the digital age. 6.
Ensure an open, fair, competitive, and secure global digital economy.
“
The report emphasises the need for partnerships between the public and private sectors...
The Commission’s recommendations are not binding, though it would be prudent to at least consider the
workforce capabilities, government operations and
report’s references and overviews given the broad
requirements for a fair and open global digital economy.
base of expertise drawn on in the preparation of the
The six imperatives are:
document, including consultation with technical and policy experts, input from the public through open
1. 2.
Protect, defend, and secure today’s information
hearings and a request for information, and reviewed
infrastructure and digital networks.
existing literature.
Innovate and accelerate investment for the security and growth of digital networks and the
The heightened level of cyber threat on a national
digital economy.
level is not just a US phenomenon but a trend that
FEB RUA RY 2 017
18
is growing across the globe, and it is high time cyber security is reflected within every government ministry and agency as a core function, with a direct reporting line to senior officials clearly defined and implemented. The importance of securing digital infrastructure has become as important to a nation’s continued development as its choice of domestic or foreign policy, and in many ways cyber security spans both of these important areas given the rise in threats emanating from within countries and those being faced from abroad. The six imperatives included in the Enhancing National Cyber Security report offer a strong framework for any progressive nation anywhere in the world to consider its cyber security posture and to take proactive measures to improve its defences given the uncertain nature of threat actors, be they nation states or hacktivists, common criminals or other
“
unknown adversaries.
The heightened level of cyber threat on a national level is not just a US phenomenon but a trend that is growing across the globe...
It is telling that the first imperative in the report relates to, “protecting, defending, and securing today’s information infrastructure and digital networks” as a guiding requirement, given we believe this is the key factor in creating a trusted and sustainable digital environment in which all participants have confidence to invest in and prosper from. This imperative is aligned to the Cyber Security Life-Cycle, which advises the planning, detection, protection, and recovery of digital assets in order to mitigate against the threat of a cyber incident. A holistic, end-to-end approach to cyber security is the most effective way to counter the ever-expanding cyber threat landscape, as it is clear that preventing or avoiding every cyber incident is just not possible. 19
C Y B ER WORLD
FEB RUA RY 2 017
20
Third Party Risk Management. Do you: rely on third parties to deliver services to clients? trust third parties with your company’s confidential data? integrate networks, systems or applications with third party solutions? assess your suppliers for their criticality?
We will: build you an operating model to identify and reduce third party risk. Implement an end to end third party risk management process within your business. manage and deliver your third party assurance programme. support your supplier criticality assessments.
Get in touch for a free consultation info@secgate.co.uk
IoT — Security Issues in Factory Automation and Control
An IoT DDOS attack against DYN.com in October used factory automation equipment to take down Netflix, Twitter, Amazon, and other high profile sites in large sections of the USA for several hours. DYN.com is a CDN (content distribution network) responsible for caching and replicating content around the world. Hackers used the default user ID and password built into IP cameras to create a botnet. This open IoT component was a large security hole that not many people had thought about before. Cyber defences are traditionally focused on hardening the IT systems in the plant, and not the factory automation devices themselves.
23
Here we look at that exploit, and more generally at the nature of IoT in the factory. FACTORY AUTOMATION There are two sides to IoT in the factory: Factory automation and the sensor-driven IP operating across wired and wireless networks. The second is what we usually think of when we write about IoT. But if you talk to engineers who programme PLC devices, they will tell you that they have been doing IoT for decades. The only thing new is the name assigned to it.
C Y B ER WORLD
True. Yet the difference is that today there is the cloud, big data databases, and analytics. But programming a serial or ethernet PLC device to control a lathe, welding machine, or painting machine is still an old-fashioned ordeal of programming ladder logic using desktop PC software like RSLogix for the Allen Bradley serial PLC devices. This kind of tedious programming has nothing to do with writing web services or otherwise using a full-featured programming language. Instead, the PLC programmer writes memory address information using the designation ‘file’, which is a file location and offset. The offset is the length of the data element. In the DF1 industrial protocol, the offset is the length of a single field, where the offset from the file’s initial location is
the size of the element and element number. That size is given in hexadecimal, decimal, or octet notation. The values are written as a string of single values. These are simple commands like start, stop, change baud rate, rotate, etc. that together describe a complete industrial process. Industrial network routers convert this serial (or ethernet) data to send to other serial or ethernet devices, and the management cloud. So it is difficult to imagine a hacker hacking that, since they are focused on PC hardware and network devices. Yet, attacking PLC devices is exactly what the
FEB RUA RY 2 017
24
American spy agencies allegedly did in 2010. They are said to have attacked Siemens PLC controllers that ran the centrifuges in Iranian nuclear fuel enrichment facilities. The Stuxnet worm was introduced by a phishing attack on Windows PCs. That attack caused the centrifuges to spin out of control and break. That wildly effective, daring operation dealt a huge blow to Iran’s nuclear programme. SENSOR-DRIVEN IOT The other side of IoT is sensors deployed for preventive maintenance, predictive models, measuring uptime, and gathering data to make changes to the line. That is done by adding assembly and subassembly stations, adding shift operators, improving training, and shifting material flow. Acoustic sensors ping devices and measure resonance to test the quality of materials and the completed 25
product. They use transducers to convert mechanical to electrical energy to check vibration. Increased vibration indicates when a machine needs new filters, maintenance, or calibration. Plants count items with cameras to measure operator and station productivity. They check emissions, temperature, humidity, ambient light, etc. All of this data is used to operate the plant in real time and fine tune the factory floor through offline, after the factor analysis, and make changes to the assembly line, using planning software designed for that. IP CAMERA EXPLOIT The October attack was caused by an IoT device that its Chinese manufacturer has since replaced. Hackers planted the Mirai DDOS malware in IP cameras and DVR recorders made by XiongMai Technologies,
C Y B ER WORLD
and unleashed up to 1.4 TBPS DNS traffic to the DYN. com cloud. That caused more traffic than the servers could respond too, thus taking them offline. IP (internet protocol) cameras are obviously connected to the internet, so there is no need to attack them at any wireless industrial or wired non-Ethernet protocol, as would be the case with an industrial controller. And the camera’s IP network is what let hackers discover their location in the first place. The hackers planted the malware easily because the devices had the default userid and password. The password was hard-coded into the firmware. The hackers could log in with telnet and ssh. In the write-up analyzing the attack, DYN.com made clear what the problem is when they wrote: “During a
DDoS which uses the DNS protocol it can be difficult to distinguish legitimate traffic from attack traffic.” Despite their efforts to surge bandwidth and shape traffic, two successive waves of attacks overwhelmed their systems for several hours. The source code for Mirai is freely available on the internet. So the hackers did not write anything new. One part of the attack came from the Mirai command and control center, showing perhaps an increased level of sophistication that warrants further analysis. This botnet was also released on the security blog Krebs and the French ISP and hosting company OVH earlier last year. Different parties have claimed responsibility, although no group has of yet been confirmed as the actual culprit. The consensus is this was not state-sponsored.
FEB RUA RY 2 017
26
Forest Tree The most advanced cyber security solution Forest Tree is a patented advanced Cyber Security solution that allows organisations to monitor and understand the content and context of each electronic communication channel, from documents leaving the organisation, malicious traffic, to user behaviour. The captured network information is processed and systematically analysed in order to extract all the information and metadata contained in the communication channels.
High performance: 1 Tb/s Unique: Patented technology Highly scalable: Big data storage Proactive: Block advanced threats Intelligent: In-depth analysis Low Maintenance: Purpose built
A single platform solution:
Network Forensics Anomaly Detection Security Analytics User Profiling Machine Learning
We detect advanced threats in seconds and neutralise them in milliseconds www.foresttree.co.uk A defence-grade cyber security product built for the Enterprise, Government and SME marketplaces. Our partner’s ground-breaking monitoring technology – built and improved over 20 years of securing the world’s most sensitive government and commercial information – protects you against the most sophisticated and advanced cyber threats. This coupled with an enhanced Artificial Intelligence engine allows Forest Tree to learn and become an increasingly more effective and efficient tool. The modular approach taken during the development of the Forest Tree solution ensures clients have high levels of personalisation available.
How to Tackle the Human Aspects of Cyber Security Daryl Flack
About the Author: Daryl Flack is Co-founder and CIO of Blockphish and Security Lead for the Smart Metering Implementation Programme at the Department for Business, Energy and Industrial Strategy (BEIS). Previously, he was CIO of AXELOS, a joint venture between Capita Plc and the Cabinet Office. Not a day goes by without another cyber breach
to reduce the frequency and volume of cyber breaches
hitting the news. Recently, we’ve seen breaches impact
and the impact they have, then we are going to need to
corporations, individuals and our political systems:
do more to tackle the human aspect of cyber security. The causes of these incidents may all be different,
• • •
€53 million stolen from an aerospace parts
however, analysis shows that human actions are
manufacturer via a phishing scam;
overwhelmingly at the heart of the vulnerabilities, and
The US elections potentially influenced following
that attackers are actively seeking to exploit our human
a hack on the Democratic National Committee;
weaknesses to compromise target systems. Often,
1.5 billion individual’s data stolen from Yahoo in
this is through an employee being tricked using social
two enormous breaches.
engineering. For example, up to 91% of cyber-attacks begin with a phishing or spear phishing email. If we can
29
As the number of cyber-attacks increases, so does the
reduce our susceptibility to these attack methods, it
potential negative impact to every one of us. If we are
will significantly improve our cyber security.
C Y B ER WORLD
The act of phishing is aimed at trying to solicit a
If the subject matter is compelling enough, it can be hard
response from a person or group of people via mediums
to resist the urge to carry out the attacker’s request.
such as:
Susceptible as we may be to our emotional responses,
•
all is not lost. We are adept at assessing and
•
Text (also known as ‘smishing’)
understanding potential threats or risks. However,
•
Phone calls / voicemails (also known as ‘vishing’)
how people perceive threats can be subjective based
•
Social media, or
on their personal circumstances and the relevance of
•
A combination of some or all the above.
a threat to them. If we don’t appreciate the likelihood of a threat happening, then we’re less likely to adjust
The reason why this form of attack is so successful
our behaviour. This is one of the challenges of tackling
is because the structure and content of these
threats such as phishing: We don’t see a simple
communications are specifically designed to prey
everyday task such as opening and responding to
on basic human behaviours that we all exhibit. They
emails as being a threat.
borrow from the same techniques that people have used for centuries to try and influence others, either
To address this, there needs to be a greater
consciously or unconsciously.
understanding of what the threat is, how it could affect
Some examples of the techniques include: • • • •
An urgent request Instruction from someone in authority Curiosity Appealing to your compassion
us or the company, how we can help to stop it, and most importantly to feel like we have an active part to play. It’s this feeling of responsibility, i.e. an emotional response that decides whether staff is an active part of your cyber defences or rather part of the vulnerability. Once you have that basic principle instilled, how do FEB RUA RY 2 017
30
you ensure you have the right awareness programme in place to affect real changes to your staff’s behaviours? There are some basic principles that can be used to help in this regard. MEASURABLE •
Whatever learning you provide needs to be measurable so you can identify what works and
“ •
what doesn’t. Be willing to take on feedback from your staff and change your approach accordingly. •
This is also where ethical phishing campaigns, if tailored to suit your organisation and carried out correctly can have a huge benefit.
31
C Y B ER WORLD
If we don’t appreciate the likelihood of a threat happening, then we’re less likely to adjust our behaviour.
By sending staff an initial ethical phishing email to attain a baseline at the outset, you can then follow up regularly with both ‘all staff’ campaigns and specific teams (spear Phishing) or individuals (Whaling) based on the risks you face. This will provide you with insights into the effectiveness of your training.
REGULAR AND CONCISE •
ADAPTIVE, PERSONALISED AND APPROPRIATE
Delivering a 1 hour session once a year won’t
•
and be relevant to the audience. People won’t
for the better. The awareness learning content
engage in the learning if they don’t understand
should be delivered in short modules of ideally
how the concept or the scenarios it is portraying
1-2 minutes but less than 10 minutes. •
The content should use understandable language
have a positive impact, or change behaviours
are relevant to them or their role.
Small nuggets of information that people can
•
The learning should be tailored based on staff
consume frequently without it affecting their
role, knowledge and skill levels. Consider short
productivity but will allow them to internalise
quizzes prior to assigning learning content for
the key messages.
staff to complete. This will enable you and the
FEB RUA RY 2 017
32
staff to see if they already have the requisite knowledge in one area and allow them to focus their learning on areas in which they are less proficient. UTILISE DIFFERENT LEARNING FORMATS •
Different people learn in different ways and at different speeds. This needs to be allowed for with different content types and delivery methods to provide accelerated learning.
•
Consider content such as videos, animations, games, simulations blended with traditional Learning.
•
Blend electronic learning with physical delivery mediums and communications such as lunch and learns, posters and other rich graphical content identifying the highest risks and threats. Specific breakout sessions with guest speakers work well too. The subject areas here can cover non-corporate areas of focus such as securing your Facebook profile or guidance around online shopping. By making some aspects of the subjects relevant to people in their personal lives, they’ll be more likely to adopt those good behaviours in their corporate lives.
TRY TO MAKE IT ENGAGING, COMPETITIVE AND ENJOYABLE •
This is where the real behaviour changes can happen because if people enjoy something, they’re much more likely to remember it.
•
Consider using incentives and rewards. This can be anything from utilising points and leader boards to encourage competition to providing a sense of achievement or status. Recognition via benefits can be used too, such as small pay awards for those with the budget although nonfinancial incentives such additional annual leave or specific mentions on their annual appraisals can work just as well.
33
C Y B ER WORLD
“
By making some aspects of the subjects relevant to people in their personal lives, they’ll be more likely to adopt those good behaviours in their corporate lives.
FEB RUA RY 2 017
34
A good approach is to start out in a single risk area such
to know what to look for in a potential attack.
as phishing and grow it over time to include other areas
•
Be vigilant in spotting attempted attacks.
such as password security, social media, information
•
Be diligent in reporting anything suspicious.
handling and other relevant subjects. Technology will always be the first line of defence and Ultimately, your staff can be one of your strongest
is incredibly valuable in protecting your organisation
defences against cyber-attacks. However, for you to
but there will be times when the attackers get through.
make the most of this potential, your staff will need to:
Then your staff are your last line of defence. Only once you have a cyber aware workforce with a security
• •
35
Feel it’s their responsibility to understand the
culture embedded within your organisation, can you
threats and protect the company.
be confident in your ability to be resilient to the cyber
Feel confident they’ve had the necessary training
threats you face.
C Y B ER WORLD
Key Cyber Security Skills in the Digital Age Kevin Murphy
37
C Y B ER WORLD
About the Author: Kevin Murphy (CISM, CISSP, CESP, CEH, ISO27001) is a Cyber Security, Risk and Privacy Specialist at the Royal Bank of Scotland and president of the ISACA Scottish Chapter. He has more than 25 years of experience in enterprise IT processes and systems experience serving all service line clients in IT strategy, architectures, IT planning and project management, IT effectiveness and process improvements, systems lifecycles, and operations. A former police officer, Murphy received a Chief Constables commendation for a career which included front line policing, e-crime and drug enforcement. Moving into consultancy, Murphy was quickly nominated by the prestigious SC Magazine as one of the top emerging cyber security professionals in Europe.
In the past five years, we have seen the decline
fit to the business model or culture. The control
of ‘Information Protection’ and the rise of ‘Cyber
environment should be shaped by the business context.
Security’; the terms ‘Digital Age’ and ‘Internet of Things’
The key business drivers will affect the decision-making
firmly established in our professional lexicon; the
process, inform the overall culture and translate into a
continued evolution of the cloud; and the immediate
risk appetite which will determine what controls are
spectre of quantum computing as the next great
invested in and applied. How does the cyber security
technological advancement.
professional obtain this perspective? It is clear that a mix of academic and experiential learning is a great
By any measure, the cyber security professional
approach. Firstly, no matter what industry you operate
is working within a whirlwind of change; the only
in, there will likely be introductory qualifications you
true constant being humans (for now!) acting as the
can take to gain a better understanding of the business.
initiators of this change. The question can therefore be
For example, the ‘Professional Banker Certificate’
asked: What skills does the cyber security professional
offered by the Chartered Banker Institute is a great
require to remain relevant in the workplace? Three core
introduction to the core concepts of banking. There
skills are required for a successful career now and for
are no entry requirements for the qualification and
the foreseeable future.
it generally requires only a few weeks of self-study. Gaining a professional qualification also has the benefit
KNOW YOUR BUSINESS
of demonstrating both your commitment to your business environment and increasing your credibility
A first requirement is an understanding of the business
with stakeholders when engaged in debate.
for which cyber professionals are responsible. Whether this be banking, pharmaceuticals or oil and gas, cyber
Business credibility can help gain access to the
security professionals cannot be truly effective by
second key area in developing business knowledge –
simply overlaying generic controls in their environment
experiential learning. Though many of us may view our
to protect the information for which they are
audit colleagues with trepidation, it remains one of the
responsible. This will inevitably lead to gaps and
best areas in an organisation to gain an insight into the
inconsistencies, as some solutions will not be a natural
business and develop business knowledge.
FEB RUA RY 2 017
38
Any cyber security professional would benefit from
aspects when documenting a business case and
a secondment or shadowing opportunity within an
detailing the return on investment should a particular
audit function. Primarily, audit will provide exposure
security solution be advanced. Other areas of note
to a range of issues facing the organisation, thereby
include Human Resources and Marketing to understand
offering the cyber security professional a holistic view
how personal information is handled and secured. In
when providing control assessments and solutions.
sum, the cyber security professional should maintain a
Secondly, any professional would benefit from audit
healthy interest in all business functions to ensure an
experience – developing a cogent writing style,
effective understanding of the information lifecycle.
applying an investigative methodology, presenting fact-based conclusions, and the experience of having
KNOW THE RISKS
difficult conversations with positive outcomes are all The second requirement to remain effective in the
valuable skills gained by the audit professional.
workplace is for the cyber security professional to The cyber security professional should not limit his or
maintain a base level of subject matter expertise.
her experience to audit. Key skills can also be obtained
The diverging and increasingly sophisticated forms
by working in the risk function, thereby understanding
of technology, ranging from cloud to quantum
the concepts of key risk indicators, performance
computing, will make it increasingly difficult for the
indicators and risk appetite statements – all important
cyber security professional to specialise in more than
39
C Y B ER WORLD
one discipline. Their role will therefore evolve into
understanding of the data lifecycle in an organisation
becoming an informed interface between technology
is fundamental to the role of the cyber security
and business stakeholders.
professional. ‘Privacy’ can no longer be seen as distinct from cyber security, since a key tenet of the legislation
To be effective in this ‘nexus’ function, the cyber security
is how the confidentiality, integrity and availability of
professional will require a common denominator of
personal information are maintained.
subject matter expertise. The globally recognized qualifications offered by ISACA are a good step in this
So, what are the risks in the foreseeable future? It
direction, particularly the CSX Practitioner, CISM and
is likely that with the onset of quantum computing,
CRISC designations. But what defines a ‘base level
the cyber security professional shall require a
of expertise’? The cyber security professional should
more detailed understanding of cryptography as
consistently review the risk landscape and challenge
organisations transfer from classical computing to a
whether they have the expertise to provide informed
medium where many current forms of encryption are
comment on the threats an organisation faces. For
obsolete. The cyber security professional will have
example, in the previous decade, the ability to counter
a key role in managing this transition and interfacing
fraud through money laundering was a major area of
with technology providers, business stakeholders, the
focus for the regulator. Now, it can be argued that
privacy team, legal department and more.
with the EU General Data Protection Regulation an FEB RUA RY 2 017
40
KNOW YOURSELF What will enhance the cyber security professional’s ability to interface with such a diverse range of stakeholders on a myriad of subjects? Excellent interpersonal skills will clearly be a premium. How quickly can you synthesise many sources of information, then deliver this effectively in one paragraph or a fiveminute pitch to the executive? To ensure these skills remain effective, the cyber security professional has a responsibility to be objective in assessing his or her abilities and should consistently strive to improve. This development can be aided by employing the help of a more experienced mentor. Thankfully, many professional organisations now offer mentoring as part of their training environment. When development areas have been identified, the next step is to build these into an action plan with set goals and timeframes. Key to this process is the ability to practice these skills in a safe environment. For example, if you are nervous about an upcoming presentation to the board, practice first in front of your colleagues and slowly build that experience in a constructive environment. Also, volunteer for activities which use the skills you need to acquire as you will quickly develop confidence with practice. If these activities cannot be found in your organisation, ISACA has a designated area of the website where many opportunities can be found — opportunities range from the development of academic programs to organising the next international conference. Finally, the ability to travel and work in different jurisdictions should not be understated. Drawing on our earlier discussion regarding business culture and linkage to risk appetites, the opportunity to work in different parts of the world can provide an invaluable experience in broadening both your interpersonal skills in how you interact with others and providing different approaches to common problems.
41
C Y B ER WORLD
FEB RUA RY 2 017
42
THE TAKEAWAY The role of the cyber security professional is unique:
Presented like this, the cyber security profession can
What other position requires conversations with so
be exciting and daunting in equal measure. To help
many other areas of the organisation?
navigate these challenges effectively, professionals must understand their business and know the risk
What profession encompasses such a range of topics
environment to the extent they can provide an informed
from adequate fencing to cryptographic algorithms?
opinion. Ultimately the cyber security professional is a
Or skills that include presenting to an audience of 100
leader who should role model the values of continual
people and providing a one-paragraph summary for a
improvement, be solution-orientated, always act in
press release?
the best interests of the organisation, and help any colleague who requires assistance.
43
C Y B ER WORLD
Expert Opinion Talal Rajab
45
C Y B ER WORLD
A techUK Analysis of the UK Government’s National Cyber Security Strategy About the Author: Talal Rajab is the Head of Programme for techUK’s Cyber and National Security programmes. He manages strategic relationships between Government and industry members on cyber and national security related issues, in particular through the Cyber Growth Partnership. He also leads techUK’s work on the Investigatory Powers Bill. He has a parliamentary background having joined techUK from the Industry and Parliament Trust (IPT), where he managed the IPT’s business relations and led on the Trust’s Cyber Security Commission.
On Tuesday 1st of November, the UK Government announced the publication of its National Cyber Security Strategy. Underpinned with a £1.9bn investment, it sets out how the UK will use automated defences to defend citizens and businesses against growing cyber threats, support the UK’s growing cyber security industry, develop a world-class cyber workforce and deter cyber-attacks from criminals and hostile actors. The Government would be the first to admit that past policies on cyber security have not achieved the scale and pace of change required to stay ahead of the ever changing cyber threat. For many digital services and products emerging on the market today security has been an afterthought. Too many organisations are suffering basic breaches, too few investors are willing to risk supporting entrepreneurs in the sector and there is a lack of graduates and others with the right skills emerging from the education and training system. To address these failures, the new £19.bn Strategy will therefore focus on three key themes:
DEFEND: This strand of the Strategy, focusing primarily on the UK’s critical national infrastructure, aims to ensure that the UK has the means to defend itself against evolving cyber threats, to respond effectively to incidents and to ensure UK networks, data and systems are protected and resilient. In this regard, the new National Cyber Security Centre (NCSC) will provide leadership to industry on key national cyber security issues, and work with the Ministry of Defence’s (MoD) Cyber to help the Armed Forces respond to a potential, significant national cyber attack through active cyber defence (ACD) measures. The ‘Defend’ strand of the Strategy will also focus on ensuring that all government digital services built or procured have security ‘built in by design’, working closely with the Government Digital Service (GDS), the Crown Commercial Service (CCS) as well as NHS Digital in order to implement new data security standards. This is an area that techUK will look at increasingly in 2017,
FEB RUA RY 2 017
46
ensuring that the Government’s digital transformation agenda is underpinned with security. DETER: The ‘Deter’ strand of the Strategy will be led by the intelligence agencies, the Ministry of Defence, law enforcement and the National Crime Agency, in coordination with international partner agencies. It will see the Government investing in detecting, understanding, investigating and disrupting hostile actions taken against businesses and the public sector, pursuing and prosecuting cyber criminals whilst reserving the right to take offensive action in cyberspace. One of the main objectives of this strand of the Strategy is to reduce cybercrime. Law enforcement 47
has traditionally been underfunded in this regard, as highlighted by techUK’s recent ‘Partners Against Crime’ report, so it is good to see a commitment to enhancing law enforcement’s capabilities and skills at a national and local level, as well as establishing a new reporting system in order to share information across law enforcement in real time. Interestingly, the strategy recognises the importance of encryption to the protection of the UK’s most sensitive information and stresses that the UK will continue to maintain its sovereign capability in this area, whilst working with industry to ensure that there are no ‘safe spaces for…criminals to operate beyond the reach of the law’.
C Y B ER WORLD
DEVELOP: This strand of the Strategy will focus on growing the UK’s cyber security industry, investing in accelerator programmes, scientific research and skills. As part of this, the Strategy highlights the creation of two new cyber innovation centres to drive the development of cutting-edge cyber products and dynamic new cyber security companies as well as allocating a proportion of the £165m Defence and Cyber Innovation Fund to support innovative procurement in defence and security.
entrepreneurial skills required to grow. The two new cyber innovation centres will sit at the heart of this section of the Strategy, giving companies the required assistance to get their first customers and attract further investment. A proportion of the £165m Defence and Cyber Innovation Fund will also be put towards this, as well as the provision of testing facilities for companies to test products. Reassuringly, the Strategy also makes reference to the collective expertise of the Cyber Growth Partnership (CGP) that techUK continues to provide the secretariat for in order to focus further growth and innovation interventions.
The Government will also support the creation of a growing cyber security sector, helping UK companies and academics develop the commercial and
On the topic of cyber security skills, the strategy sets out a long term skills project that builds on existing work to integrate cyber security into the curriculum
FEB RUA RY 2 017
48
so that everyone studying computer science, technology or digital skills will learn the fundamentals of cyber security. This effort will also attempt to address the gender imbalance in cyber professions as well as people from more diverse backgrounds and will be spearheaded by a cyber skills advisory group made up of government, employers, professional bodies, and education providers. INTERNATIONAL ACTION Finally, the strategy recognises the importance of co-operation with international partners on cyber related issues. This includes an assurance that international law and human rights apply in cyberspace, a commitment to a multi-stakeholder model of internet governance, an opposition to data localisation and working towards the raising of cyber security capacity within partner countries. A large proportion of this section focuses on helping other countries develop and maintain their own cyber security, building their capacity to tackle cyber threats to the UK.
TECHUK RESPONSE It is reassuring to see that, in its approach to cyber security standards within the digital economy, the Strategy takes an interventionist stance that aims to raise standards across the UK. The Government has admitted that a ’market approach’ to the promotion of basic cyber security hygiene has in the past not produced the required pace and scale of change, with take up of initiatives such as Cyber Essentials having been low. It is true that the market is not valuing and managing cyber risk correctly and techUK therefore welcomes the recognition that businesses need to ‘up their game’ in regards to cyber security. The Government has a role to ‘set the pace’ and lead the way by bringing its influence and resources to bear to address cyber threats, though it cannot do this alone. The strategy is also a lot clearer, for the first time, about the nation state cyber threats facing the UK and more confident and aggressive in its response to such threats. Whilst it could be argued that the strategy is too broad in certain areas, it is still good to see the Government aiming high and trying to ensure that the UK is a safer place to conduct digital business (though it will be difficult to cover all of the initiatives announced in a fiveyear plan). One criticism, however, is the lack of recognition within the Strategy that much of the world’s innovation in cyberspace comes from the US and increasingly the Far East. The Government should commit more heavily to engaging with innovators around the world, which will in turn help UK companies grow. Overall, the Strategy is a robust and comprehensive response from Government to the growing cyber threats that we face. It is now time for businesses across the country to step up and play their part in keeping their businesses and the UK as a whole secure.
49
C Y B ER WORLD
“
It is reassuring to see that, in its approach to cyber security standards within the digital economy, the Strategy takes an interventionist stance that aims to raise standards across the UK.
FEB RUA RY 2 017
50
Secgate Technologies Fast Intelligent Protection At Secgate Technologies we deliver information technology and intelligence solutions that both strengthen and empower our clients’ IT security and resilience. Our tools give clients technology capabilities that allow them to analyse, correlate, identify and eliminate threats. We are industry experts and leading technologists who have built a suite of solutions with proven defensive capabilities that tackle IT threat detection, analytics and IT incident response. Our flagship product, Forest Tree, has been successfully deployed in a number of complex and unique environments. Part of the specialist advisory group Secgate, our clients include large enterprises, governments and SMEs.
www.secgate.co.uk/technologies
Rising Star Siming Wei
53
C Y B ER WORLD
Rising Star is a new featured section of Cyber World. With our monthly interviews we introduce our Readers to a promising rising star in the Cyber Security Industry. We want to learn about what motivates these future leaders in the world of cyber, about their background, personal and professional development, specialisations and interests, as well as their goals for the future. And we also ask them to offer some advice for the benefit of the next generation interested in entering careers in this fast-growing industry.
Siming Wei is a Cyber Security Senior Associate at PwC. She joined PwC after completing a master’s degree in Wireless and Optical Communications. Siming has also achieved a first class degree in Electrical Engineering. She is currently studying parttime for a second master’s degree in Information Security at the Royal Holloway University.
Please tell us a bit more about yourself.
doing some research on cyber security, I decided it is a very interesting field that offers a promising career.
I joined the PwC Cyber Security Practice in 2014 after completing a master’s degree in Wireless and
What are the greatest positives about working in
Optical Communications. Over the past two and half
Cyber Security?
years, I have really delved into the exciting world of cyber security, working on a variety of projects in
Cyber security as an industry is constantly growing and
areas ranging from information security management
evolving with the rapid advance of new technologies.
to identity access management across a number of
Therefore, the work is never boring and no two days
industries.
are the same. Gaining exposure to different problems clients are facing and helping them solve these problems
What made you choose a career in Cyber Security?
has been a very rewarding experience. Cyber security is becoming much more important to business, and thus
Making things happen and making things better
it is a great pleasure to take part in shaping the cyber
always give me a great sense of satisfaction. This was
security world to enable business growth. It is exciting
the driving force for me behind choosing a degree in
to work in a very diverse team of people from different
engineering. With the inspiration to encourage more
of backgrounds here at PwC. The amazing people I
young people and especially girls to study STEM
work with help me to learn new things every day.
subjects, I became a STEM ambassador at University. This is where I encountered cyber security for the first
What are the greatest challenges in Cyber Security?
time. Thanks to the IT-related modules in my degree, I was able to understand more about information
Over the past few years, a few high-profile security
technology and started to pay more attention to news
incidents
concerning information security. Upon my graduation,
organisations to wake up to the importance of cyber
and being attracted by the PwC brand, I went on the
security. We have seen quite a lot of organisations
graduate recruitment website and found that they
starting to seriously invest in cyber security. However,
were recruiting graduates for cyber security roles. I
according to the Global State of Information Security
always wanted to work in the technology field, so after
Survey 2016, insider threats are still the top risk to
FEB RUA RY 2 017
have
caused
both
individuals
and
54
organisations. Building the right culture to encourage employees to be secure is the biggest challenge. Organisations must realise that only investing in technologies will not be sufficient to improve the organisational information security posture. People, processes and technologies should all be considered when building and improving their information security capability overall. What are the highlights of your career? Joining PwC has been the biggest change in my life and is definitely a highlight in my career. The great opportunities and enormous support I received from the firm and colleagues have really helped me to learn and develop as a cyber security professional. Another highlight of my career has been working on the Cyber Security Challenge Masterclass 2016, which is the culmination of a national competition programme to identify new cyber security talent and was this year designed and hosted by PwC. It is run by the Cyber Security Challenge UK, a non-profit organisation backed by the government and industry bodies. The event itself has helped to raise awareness in society, and encourage people – especially young people – to work in cyber security. It was an amazing experience to project manage this high profile event and to be involved from the beginning to the end in game design, event management, marketing and PR for more than 6 months. Where do you see Cyber Security in 10 years? With the constantly changing landscape of threats, I believe that cyber security in 10 years will be very different from today. The Internet of Things, the Cloud and other new internet-based technologies, while introducing great convenience and productivity to our lives, can introduce new risks to cyber security and privacy. Cyber security practitioners and law enforcement agencies will need to respond to new challenges. With GDPR coming into force in 2018, organisations are required to do more to demonstrate they can safeguard the information they are handling. In 10 years, new regulations and industrial standards 55
C Y B ER WORLD
“
Joining PwC has been the biggest change in my life and is definitely a highlight in my career.
FEB RUA RY 2 017
56
may be created to address cyber security in new
build a good understanding of different areas in cyber
technologies such as drones, driverless cars and
security before choosing my areas of expertise. With
smart homes.
the rapid advances in technology, there will be so many new risks to be mitigated and new assets to be
What are your career ambitions?
protect in cyber security in 5-20 years. Therefore, I want to keep an open mind and be the best I can when
Since cyber security is such a broad topic, it is
opportunities arise.
very difficult to be an expert in all areas. With my experience growing, I would like to become a ‘go to’
What would you do if you were not a consultant?
person in a specific field of cyber security to solve some of the important problems in society. As I am
I would probably be an electrical engineer in the
still at the early stage of my career, I would like to
renewable and green energy sector. I would love to use
57
C Y B ER WORLD
the knowledge and the problem solving skills I acquired
valued in cyber security. We have a very diverse team
through my degree to tackle energy shortage and the
here in PwC and we value the different backgrounds
pollution that comes with electricity generation.
and skills each individual brings to the team. Entering a career in cyber security will open up
What advice would you give young people hoping to
opportunities in many areas and on a wide range of
enter a career in the field?
issues. There are so many areas you can go into such as penetration testing, digital forensics and information
My advice for young people is to study what you are
security governance. You can explore and specialise in
really passionate about and interested in. Follow your
the area you are interested in the most. All you need is
heart instead of your peers. Whatever you choose to
to be open minded and ready to learn.
study, the skills you developed are transferable and
FEB RUA RY 2 017
58
Brexit could deal blow to UK’s Cyber Security Chris Luenen
About the Author: Chris Luenen is an experienced international security expert with over 10 years experience working in political foundations, academia and think tanks. He has worked with leaders in financial services institutions, industry and international organisations as well as senior politicians, journalists and academics. The outcome of the recent referendum on the question of Britain’s membership in the European Union has many important implications. These range from the exact modalities of Britain’s future relationship with the EU and other EU-member states, the free movement of labour on the continent, the continued stability of the UK housing market, financial services sector and the overall economy to the question of the very future of Great Britain, and especially Scotland’s role in the Union. While many commentators have rightly pointed out that a very much under-appreciated aspect of Brexit concerns security, the issue of cyber security deserves particular attention in this context. In our increasingly interconnected world, cyber security concerns everyone, from states, large corporations,
59
SMEs to individuals, and attacks and security breaches are on the rise worldwide. The number and severity of breaches recorded are unprecedented, and the culprits are diverse, including the youthful hacker out of his parent’s basement, criminal gangs, hacktivists, terrorists to state-sponsored hackers. The implications of a possible Brexit with regard to cyber security do not just touch on questions of the UK’s national security, but also on the continued competitiveness of the UK’s booming cyber security industry, one of the few remaining growth markets in a depressed global economy, as well as on the competitiveness and security of non-cyber related industries and services.
C Y B ER WORLD
IMPACT OF A BREXIT ON
or initiative, a full Brexit will at the very least mean
THE UK’S CYBER SECURITY INDUSTRY
that Britain will no longer have a say in devising any directives and policies the EU develops, and which will
Cybercrime is best combated in partnership with others
be implemented across Europe, and may be left having
and by establishing strong and resilient cooperative
to play catch up after the fact.
mechanisms for doing so, and the EU has done much in recent years to raise the level of, and harmonise, cyber security capabilities, regulations, information sharing and cooperation, and facilitate best practice, across the continent. As Britain’s future relationship with the EU remains uncertain, in the coming months and years it will have to redefine several aspects of a relationship that has previously been taken for granted. This will include a decision on its future relationship with the European Crime Centre (EC3) and Europol as well as with the European Union Agency for Network and Information Security (ENISA) and the newly created European Cyber Security Organisation. Irrespective of the specific details of its continued engagement with any individual EU agency, network
A particular uncertainty in this context relates to the adoption of the EU’s General Data Protection Regulation (GDPR) and the Data Protection Act (DPA). While these regulations will come into effect before the UK potentially departs from the EU, there will be no obligation for the UK to uphold these regulations thereafter. Should the UK decide not to uphold these regulations, then it will become much more difficult, and costly, for UK companies to continue to do business in the EU on par with their European partners and competitors, and demonstrate compliance with its regulations and norms. Similarly, it is uncertain whether the UK will adopt the new directive on security of network and information systems (NIS), which was adopted throughout the European Union in August.
FEB RUA RY 2 017
60
SHORTAGE OF CYBER PROFESSIONALS
an estimated shortage of 1.5 million cyber security
SET TO BECOME WORSE
professionals over the next five years, and new talent is not easy to come by. If travel restrictions were
While an argument could be made that the United
imposed, it would be significantly less attractive for
Kingdom might currently be ahead of its European
talent to come and work, and build a career, in the UK.
partners with regard to its overall cyber security posture and measures, this advantage is set to wane as
LOSING ACCESS TO EU INVESTMENT
the UK’s pool of talented cyber security professionals diminishes over time – a very real prospect should the
Yet another way in which the United Kingdom will find
UK decide to end, or restrict in any meaningful way, the free movement of labour between the UK and EU member states. According to Diane Miller of Northrop Grumman, a
itself affected by a Brexit is through the loss of access
leading expert on the cyber profession, there is already 61
to the EU’s substantially increased investments into cyber security in recent years. Leaving the European Union will cut the United Kingdom off from the Union’s funding streams for cyber security initiatives,
C Y B ER WORLD
companies, and technologies, including the recently announced, and major, Public Private Partnership (PPP) programme, which is set to raise an expected €1.8bn of investment in cyber security. When combined with the potential drop in the cyber security talent pool that the United Kingdom might experience in the years ahead, the loss of
“
these advantages and funding streams will deal a big blow to the overall health and viability of the cyber security industry in Britain, and is unlikely to be
Yet another way in which the United Kingdom will find itself affected by a Brexit is through the loss of access to the EU’s substantially increased investments into cyber security in recent years.
compensated by investments from the UK government and private sectors.
FEB RUA RY 2 017
62
CONCLUSION
The future relationship between Britain and the EU, or even the trajectory for how Britain will seek to extricate
How vulnerable we have all become to cyber crime
itself from the EU and revise, rewrite or create new
should be clear at least since the US National Security
laws, regulations and new mechanisms for cooperation,
Agency’s very own hacker group, the Equation Group,
remain very much uncertain. When considering the
has fallen victim to a substantial security breach, having
potential implications for both the EU’s and the UK’s
been hacked and some of their offensive toolkit of
national, economic and citizens’ personal security, the
exploits and other cyber ‘weapons’ stolen and offered
competitiveness and growth of its respective cyber
for auction, apparently by a previously unknown group
security industries and many related issues, there is not
of hackers calling itself the The Shadow Brokers.
much room for error.
63
C Y B ER WORLD
Limited Time Offer Contact us on info@secgate.co.uk
What can you do to protect yourself from common cyber attacks? Secgate’s Cyber Health Check (CHC) is a comprehensive review of an organization's cyber security posture, and existing controls against cyber attacks. It is a unique service incorporating our best practice insights from both the public and private sectors.
CHC Alpha [Free Health Check] CHC Alpha has been designed by Secgate as a rapid high-level assessment of your organisation’s overall cyber and information security vulnerabilities, resulting in a report addressing each gap found with an improvement recommendation. The health check that looks across 6 domains, Governance, Risk Management, Technology, Resilience, People Factors and Legal will provide your organisation’s leadership with a view of the threats that exist specific to your organisation and what areas need to be addressed most urgently in order to close the most serious gaps in your overall cyber security. CHC Alpha assesses against five preset levels: initial, repeatable, progressing, mature and mastered.
Benefits of a CHC •
•
• •
• •
Reduces the risk of your organisation falling victim to a cyber attack by identifying vulnerabilities in your people, policies, processes, business culture and technologies while suggesting remediation measures. Optimises an organisation’s decision making and oversight mechanisms relating to cyber security as well as awareness and information flow throughout the organisation. Improves technical infrastructure, controls as well as business processes and cultures. Enhances levels of communication and confidence internally and externally, with staff and business partners assured of the security of their communications and data. Enhances an organisation’s reputation in the eyes of its customers, suppliers, business partners and regulators. Benchmarking against peer groups and competitors.
Adups Firmware Vacuuming up Android Phone Data
Back in November, The New York Times reported
Kryptowire discovered by accident that a BLU R1 HD
that the security research firm Kryptowire discovered
phone he purchased was connecting to IP addresses
that ‘several models’ of Android phones were shipped
at adups.com and other domains. So he conducted
with firmware installed that vacuumed up text
further analysis and found out that the phone was
messages, location data, IMEI, contacts, and then
transmitting data in JSON format using a REST web
send this information to a server in Shanghai every
service call. He then investigated what data the phone
72 hours, without the owner’s knowledge or consent.
was transmitting.
The firmware also allows the remote installation and execution of code, again without the owner's
Kryptowire says that Adups claims on its website that
knowledge or consent. But there has been no follow up
they have 700 million active devices in the field and
on the story: In particular, the question is whether the
a market share of over 70% in 150 countries. Their
firmware is still on new phones being distributed, and
phones are integrated with 400 wireless carriers. The
on which models exactly? Who is recording this data
phones with the firmware were sold on Amazon and
and why?
Bestbuy. Adups provides software to two Chinese cell phone manufacturers: ZTE and Huawei. But those
The software in question is firmware that helps
stats are only from ‘old’ information and sources. What
mobile carriers do over-the-air updates. The firmware
we do not have is a list of which phones are affected
with the recording features is aimed at the low-end
right now.
Android market. We know that much. A researcher at
65
C Y B ER WORLD
Adups also provides big data services to its customers.
Google told Adups to remove any feature that uses
Obviously the question poses itself whether this is a
Google Play Services. But Google does not operate in
Chinese government effort to spy on its citizens or
China – Google Play is used by Android programmers
just bad planning by the manufacturer. The New York
to do things like integrate with Google Maps and share
Times quoted Adups as saying that the software was
objects. But it is not required to write an Android app
written ‘at the request of an unidentified Chinese
and this firmware is not an Android app, but firmware,
manufacturer’ and that the company wanted the data
meaning software programmed at a level below the
for customer support and to block spam calls and texts.
OS. So Android would not have access. And Google’s
The New York Times wrote: ‘The American authorities
action would have changed nothing.
say it is not clear whether this represents secretive data mining for advertising purposes or a Chinese
So the obvious conclusion is that there are phones out
government effort to collect intelligence.’
there still vacuuming up data and sending it to AdUps in Shanghai. How many of these are in the USA or
The Adups attorney responded by stating that ‘this is a
Europe is impossible to know for sure. We have no list.
private company that made a mistake.’
And Kryptowire only tested one phone.
Kryptowire only tested one phone. And Huawei or ZTE
Tom Karygiannis, VP of Products, stated: ‘I am pretty
have not produced a list of which phones have this
sure they are in the Chinese market. There are more
version of the firmware installed. BLU is an American
devices that I am sure they have it. But we would have
company and has already removed the firmware.
to test it in our labs to know.’
FEB RUA RY 2 017
66
Third Party Assurance: Why bother?
67
C Y B ER WORLD
Haydn Brooks, Manager at Secgate Ltd.
“
ABSTRACT Companies, large and small, rely heavily on their supply chain to run their business. As the number of third parties with access to company and customer data increases, so does the risk of security breaches that have the ability to damage the reputation and sustainability of the business. Third party assurance services can reduce these risks by developing governance and monitoring processes that ensure third parties are managing your data and their own risk appropriately. With threats constantly evolving, the need for a quality third party assurance service is increasing. INTRODUCTION Third party risk management is expensive. It involves performing security reviews of companies that don’t want to be (and don’t have the time to be) reviewed. To be successful it requires input from your procurement, legal, information security and internal audit teams and in order to add any real business value it has to be integrated into a process that produces a real and tangible business outcome. C-level executives have enough on their plate worrying about risks to their own business, let alone other people’s businesses. So why bother? The reasons are the same reasons that we hear time and time again. Operational, reputational, financial and, if your business sits within the financial sector, compliance risk. In short, a failure of one of your third parties will cost you money, clients and time. At Secgate we like to visualise each one of these four risks by placing them into two main categories – risks to your company’s confidentiality (the ability to protect your customer’s data and your business's intellectual property) and risks to your company’s availability (the
Customers therefore trust you, the custodian of their data to keep it personal. ability of your company to maintain the service it provides to its clients). CONFIDENTIALITY Customers have to hand out a massive amount of personally identifiable information in order to do anything in this day and age. They therefore trust you, the custodian of their data to keep it personal. A data breach at one of your suppliers, whether it be a supplier that handles customer credit card information or purely a marketing agency that handles customer names and phone numbers, will erode the trust your customers have in your business. And this will occur whether or not the breach was malicious or accidental. It will make customers think twice about handing over their personal information to you in the future, and this trust will take time to repair and rebuild. This loss of trust in your business and brand is, in essence, reputational damage. Damaged brands don’t do well. Think 2013 and Target’s data breach. Target’s stock price dropped by approximately 10% in the time after the breach was announced, all because of a third party HVAC (heating, ventilation and air conditioning) supplier that you probably can’t name (I know I can’t). Could your business recover from a hit of that magnitude to its bottom line? AVAILABILITY Outsourcing is one of the most popular pastimes of businesses in this day and age. Entire consultancies specialise in helping companies outsource pretty much any function they have, from HR through to payroll and IT. Companies are even outsourcing their C-suite executives.
FEB RUA RY 2 017
68
And you trust these companies to be able to maintain the same quality and availability that you would come to expect of an in house service. And why shouldn’t you trust them, that’s the service you are paying for. But what happens when something happens that means these companies can longer operate? This category is wider than information security. What happens when the supplier managing your help desk is hit by a flash flood? But that could never happen, could it? Just remember that an inch of snow can bring London to a standstill. Could your company operate without its payroll function? Could your company operate without an IT help desk, or even worse, without any IT capability at all? It’s at times like these that strong business continuity and IT disaster recovery (BC/ITDR) plans become a lifesaver. But why should your company have to invoke a business continuity plan and absorb
69
the associated cost, isn’t that the job of the company that suffered the incident? Ensuring that your suppliers have a strong, robust and well thought out business continuity and ITDR capability will reduce the chance that your company ever has to invoke its own business continuity plan, preventing operational and financial impacts and mitigating both operational and financial risk. SO THIS IS ABOUT TRUST? No. Third party assurance is not about your company not trusting its suppliers. It’s about collaboration. It’s about the sharing of best practice. It’s about saying that no matter how mature your information security control environment is, let's help each other to improve it. And it’s this constant improvement that helps create a robust and resilient economy that can benefit everyone.
C Y B ER WORLD
FINE, YOU HAVE MY ATTENTION. SO WHAT CAN I DO? Firstly, you need to ensure that your company knows what it is dealing with. Do you have a comprehensive third party inventory? Do you know what third parties you use, the service each one of those third parties provides and the data that they take from you to provide it? Does your CISO team talk to your procurement team to get this information? Does your procurement team even have the information? Secondly, you need to focus your attention on the suppliers that matter most. Rank your suppliers in order of importance from both a confidentiality and an availability perspective. A supplier may be supercritical when looking at them through a confidentiality lens, but bottom of the pile from an availability lens and thus should be reviewed appropriately. Your CISO team cannot do this alone. Your procurement and supplier management teams have to be involved.
Thirdly, implement a third party assurance programme. Look at the controls you have in place to mitigate the risk third parties present to your business. Do your third party contracts contain the required clauses (this will involve speaking to your legal team)? Do you check that third parties maintain their information security control environment? Do you check that your third parties are robust enough to recover from incidents and business continuity issues? Combine the criticality of the third parties with the results from your third party assurance program to measure the risk the third party poses to your business. Make the assumption that a strong third party review means a low risk of an incident occurring at the third party and combine the two into your businesses central risk framework. Finally compare this risk to your risk appetite – are you happy with the risk posed by the third parties that your company utilises?
FEB RUA RY 2 017
70
Cyber World Missed an edition? Want to subscribe? Want a hardcopy? Want to contribute? Contact us on cyber@secgate.co.uk
71
C Y B ER WORLD
Leron Zinatullin is an experienced risk consultant, specialising in cyber security strategy, management and delivery. He has led large scale, global, high value security transformation projects with a view to improving cost performance and supporting business strategy. He has extensive knowledge and practical experience in solving information security, privacy and architectural issues across multiple industry sectors.
The Psychology Of Information Security In today’s corporations, information security professionals have a lot on their plate. In the face of constantly evolving cyber threats they must comply with numerous laws and regulations, protect their company’s assets and mitigate risks to the furthest extent possible. The Psychology of Information Security redresses the balance by considering information security from both viewpoints in order to gain insight into security issues relating to human behaviour, helping security professionals understand how a security culture that puts risk into context promotes compliance.
Security professionals can often be ignorant of the impact that implementing security policies in a vacuum can have on the end users’ core business activities. These end users are, in turn, often unaware of the risk they are exposing the organisation to. They may even feel justified in finding workarounds because they believe that the organisation values productivity over security. The end result is a conflict between the security team and the rest of the business, and increased, rather than reduced, risk. This can be addressed by factoring in an individual’s perspective, knowledge and awareness, and a modern, flexible and adaptable information security approach. The aim of the security practice should be to correct employee misconceptions by understanding their motivations and working with the users rather than against them – after all, people are a company’s best assets.
FEB RUA RY 2 017
This book draws on the experience of industry experts and related academic research to: • Gain insight into information security issues related to human behaviour, from both end users’ and security professionals’ perspectives. • Provide a set of recommendations to support the security professional’s decision-making process, and to improve the culture and find the balance between security and productivity. • Give advice on aligning a security programme with wider organisational objectives. • Manage and communicate these changes within an organisation. Based on insights gained from academic research as well as interviews with UKbased security professionals from various sectors, The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour explains the importance of careful risk management and how to align a security programme with wider business objectives, providing methods and techniques to engage stakeholders and encourage buy-in.
72