Information Security by Lyonsdown

DISTRIBUTED WITHIN THE SUNDAY TELEGRAPH, PRODUCED AND PUBLISHED BY LYONSDOWN WHICH TAKES SOLE RESPONSIBILITY FOR THE CONTENTS

security

The power behind decisions

APRIL 2014

business-technology.co.uk

24 on -p in age se for re cu m po rit ati rt y on

Information

an independent report from lyonsdown, distributed with the sunday telegraph

Business Technology April 2014

2 | Information security

Find us online: business-technology.co.uk

British Museum summit hailed as another success

would like to thank everyone who joined us at our Information Security 2014 event in February

Sponsors

BUSINESS Technology Inner Circle confirmed its impressive standing in the business world with its second European Information Security Summit, held at the British Museum in February. More than 150 IT professionals attended the two-day conference with high-level speakers from organisations as diverse as HP, Symantec, the UCLH NHS Trust, Warwick Business School, Barclaycard, Oxford University and the Isle of Man government. As part of the conference, Business Technology Inner Circle linked up with HP to quiz the high-level audience on the current trends and threats in information security. To see what is causing concern in the IT community, catch up with the findings on pages eight and nine. Keil Hubert, a retired US Air Force cyberspace operations officer, gave a fascinating insight into a real-life problem he encountered in his work – read his column on page 11 – and Shane Richmond, our resident IT expert, also hosted an expert panel. Read his view on proceedings on page four. The event was hosted by TV presenter Jon Bentley who, when asked for his favourite quote from the two days, replied: “The greatest danger to your iPhone or iPad is gravity.”

Media partners

ISO 27001 INFORMATION SECURITY CAN YOU AFFORD NOT TO?

Come visit us at

and find out more 29th April - 1st May 2014

Stand N64

Cybercrime costs UK businesses an estimated £27 billion every year and rising. Certification to ISO 27001 is a best practice approach to securing your data. This globally respected standard that aligns internal and external factors has now become a crucial board level decision for many. Can you afford not to find out more…

NEVER STOP IMPROVING

Let’s Talk: 08433 085501

Download your FREE ‘Information security best practice guide’: www.nqa.com/isms

an independent report from lyonsdown, distributed with the sunday telegraph

Like us: www.facebook.com/biztechreport

April 2014

Information security | 3

Find us online: business-technology.co.uk

Intellectual property is number one target for cyber attacks

By Joanne Frearson MUMSNET is among the first websites to come forward and say user information has been hacked as a result of the Heartbleed bug, while the Canada Revenue Agency has revealed the social insurance numbers of around 900 taxpayers were removed from the system because of the vulnerability. Potentially two thirds of websites have been affected by the Heartbleed bug, which leaves users of these sites vulnerable to having sensitive information stolen such as private keys, username and passwords or contents of encrypted traffic. The Heartbleed bug affects web systems that use the OpenSSL 1.0.1 software through to 1.0.1f version. It was discovered by security engineers at Codenomicon and Google Security in April and had gone undetected for two years. Popular websites such as Facebook and Yahoo have been impacted. Both have since announced patches to fix the problem. There also could be millions of smartphones that use Google’s Android 4.1.1 device affected by the bug. Google has been issuing patching information to its partners. The issue has affected websites globally. In the U.S., the Federal Financial Institutions Examination Council (FFIEC) put out a note to say it was addressing the vulnerabilities. Jason Steer, director of Technology Strategy at FireEye, says: “The impact of this may take weeks or even months to really play out fully and many organisations will be doing OpenSSL checks for months and years to come. It just goes to show that despite all the testing, documentation and code checks that things get missed. What other surprises are there in soft ware and hardware? “Open SSL is so ubiquitous today that it is hard to think of where it is not used for secure transmission of information, soft ware updates. Open SSL is found in so many things, virtual private networks, email encryption, instant messaging, Voice over Internet Protocol (VOIP) and many others.” Although not everyone thinks hacking has been widespread. David Rawle (inset), chief technology officer at Bytes Security Partnerships, says: “If there had been mass targeting of username and passwords because of this vulnerability, it would have been spotted a lot sooner.” Steven Murdoch, researcher in the Security Group at the University of Cambridge, says: “The attacker does not get to choose what it gets and it is a bit unpredictable on what it is going to get. But it is going to be in memory which was previously used by the same program that was using OpenSSL.” Advice security companies have been giving to those impacted by the bug is to only change your password once you receive confirmation that

Business Technology

xxxxxxxx

Heartbleed bug: scale and danger still unknown the system has been fixed by the company affected. Rawle says: “If you change your password for something that has not yet been fixed tomorrow someone could take your password and use that, particularly n o w this vulnerability is known, the number of people who will be trying to utilise it to get data will be going through the roof. “I would advise people to go to the site directly and be happy that they have changed their system before you change your password. “If a ny of t he compa n ies you a re using give you the choice of doing two factors of

Publisher Bradley Scheffer.......................info@lyonsdown.co.uk Editor Daniel Evans.....................................dan@lyonsdown.co.uk Production Editor Dan Geary.............d.geary@lyonsdown.co.uk Reporters...................................Dave Baxter and Joanne Frearson Client Manager Alexis Trinh...................alexis@lyonsdown.co.uk Project Manager Marc Morrow....m.morrow@lyonsdown.co.uk Syndication .....................syndication@theinterviewpeople.com +49 (0) 8161 80 74 977

identification take this as an opportunity to turn it on.” The OpenSSL Project is managed by a worldwide community of volunteers and the Heartbleed bug throws up the debate whether there is enough money being poured into the scheme which impacts such a vast amount of websites. Daniel Page, lecturer at the University of Bristol, says: “These sorts of things are occurring with a greater frequency. OpenSSL itself you could argue there should be more investment in that project in particular, because it is so important. There should be more investment in expertise on a national level to cope with these things.” • A 19-year-old Canadian has since been arrested in regard to the hacking of the Canadian Revenue Agency insurance numbers.

For more information contact us on 020 8349 4363 or email info@lyonsdown.co.uk

ACADEMIA is one of the most targeted sectors in cyber attacks, according to security firm FireEye. Greg Day, CTO of FireEye across EMEA, says: “We see on average about 25,000 new attacks every month. In terms of volume of targeted attacks, the most prolific space is actually in education. They are doing it to steal high-value intellectual property.” Day believes academics are viewed as a softer target. “If I was to compare either a government or even a large financial organisation to academia, they are not on the same level in terms of security,” he says. Day also says that “we see more focus on governments”, and claims academia is a target because it is the next generation of thought leadership, which sometimes the government provided funding for.” Firms wishing to protect themselves from cyber attacks must understand what the risks are. Says David Robinson, chief security officer at Fujitsu: “If we do not understand the risks, how do we know we are protecting the right things, with the right security, at the right time?”

an independent report from lyonsdown, distributed with the sunday telegraph

Business Technology April 2014

4 | Information security

Opening shots Shane Richmond

S PART of the countdown to the Super Bowl, American football’s season-ending jamboree held in New York in February, one of the US TV networks took a look inside the “secret command centre” from where the security operation would be co-ordinated. Among the wall of video screens, which no self-respecting secret command centre can be without, was one displaying the Wi-Fi network and password. And it was broadcast to the nation on live television. I was reminded of that at The European Information Security Summit 2014, run by the people here at Business Technology, at the British Museum earlier this year. Time and again, speakers and panellists emphasised that human error often represents the biggest information security risk for any organisation. Whether it’s a USB stick left on a train or a Wi-Fi password stuck on a Post-It note on a monitor, the message was clear: thoughtlessness and forgetfulness can put your business at risk. It’s certainly true that there are plenty of other threats to information security. Cyber attacks are a real and growing danger, the cloud services supporting more and more firms can be vulnerable targets, and viruses and Trojans are an ever-present threat. All of that must be guarded against. And yet, it’s our own mistakes that are most likely to cost us. The summit spent a lot of time considering the rise of Bring Your Own Device (BYOD), which

Find us online: business-technology.co.uk

How the Super Bowl showed us why human error is still the biggest threat to security has struck terror into the heart of many a CIO over the last few years. Sian John, of security firm Symantec, pointed out that 50 per cent of people don’t password-protect their mobile devices and so anything on them is open should the device be lost or stolen. Often, the IT department responds to such silly mistakes with draconian security measures, such as password protecting absolutely everything, forcing staff to change passwords regularly and even PIN-protecting very sensitive applications. These measures might be sensible but if they are viewed as unreasonable, people will work around them, creating even more security risks in the process. As another speaker pointed out, BYOD itself emerged as a way to get work done without jumping through the IT department’s hoops. How, then, do you minimise the risk of human error compromising your information security, without installing systems that ultimately make it harder for the organisation to function efficiently?

Shane Richmond travels the world advising businesses on changing technologies, and was head of technology (editorial) at Telegraph Media Group Twitter: @ shanerichmond

Sarah Davis of SAI Global and Sarah Lawson of the University of Oxford both emphasised the importance of training to ensure that staff are constantly aware of the need for good information security habits. Lawson said we have to “train people to think”, but also explained that companies need to make sure that staff understand why certain precautions are important. Someone once told me a story about a colleague who had left his computer unattended for a short time. While he was away somebody used his PC to send an abusive email to a senior manager. He was unable to prove that he didn’t send the email and was dismissed. I was never able to find out whether the story was true or not, but I put a password on my screensaver after that. It was a vivid illustration that I was taking an unnecessary risk, albeit a small one, and that was enough to make me rethink my security habits. Sarah Lawson interview – pages 20-21

Today’s Security for Tomorrow’s Threats Check Point is delighted to support BT and Sport Relief

GET YOUR COPY

w w w. c h e c k p o i n t . c o m

an independent report from lyonsdown, distributed with the sunday telegraph

Like us: www.facebook.com/biztechreport

April 2014

Find us online: business-technology.co.uk

Business Technology

Information security | 5

Maude: cyber security is ‘an essential feature’ of the economic recovery By Joanne Frearson

ROUND 93 per cent of large corporations had a cyber security breach over the past financial year. The average cost of each one is somewhere between £450,000 and £850,000, according to Francis Maude, the Cabinet Office minister with responsibility for the UK Cyber Security Strategy. In an exclusive interview with Business Technology, Maude says: “Cyber threats from criminals, hostile states, opportunist hackers and others continue to develop and evolve. “The pace of change is extremely fast and as societal dependence on cyber systems and networks increases, so the opportunities for attackers to cause real harm will continue to increase.” Cyber attacks are considered one of the top four threats to the UK’s national security. The government has recently launched the Computer Emergency Response Team (CERT-UK) as part of its cyber-security strategy. CERT-UK which will be led by Chris Gibson, the former director of e-crime at Citigroup, has three primary objectives. The first objective is cyber-situational awareness. The Cyber Information Sharing Partnership (CISP), which allows governments and business partners to exchanges material on threats and vulnerabilities, will be moved inside CERT-UK. The second is on forming relationships with other international partners, while the third is national incident management, which will involve working with various areas of critical national infrastructure to plan, exercise and raise awareness of incident management. In January this year, the government launched “Cyberstreetwise”, a campaign of public and SME awareness drives increasing cyber confidence and improving online safety. The campaign builds on the work the government has already already been doing to raise awareness at all levels of the need for cyber security. It is being delivered in partnership with the National Fraud Authority and Get Safe Online, as well as the private sector, with sponsors including Facebook, RBS Group, Sophos, Trend Micro and Financial Fraud Action UK. Maude says: “No one can afford to be complacent about cyber threats. A malicious script doesn’t care if it is exploiting a home business, chip shop or blue chip company – it will exploit any vulnerabilities it can. “Hackers will often scan any internet connected device they can find and sell access

Cabinet Office minister Francis Maude has urged businesses of all sizes to be wary of cyber attacks

to compromised machines on the internet black market – you do not have to be a high profi le target to be caught out. The nature of cyber security threats mean that they are not contained geographically or by sector. However, some sectors, such as fi nance, have been subjected to more attacks by cyber criminals, who see a potentially lucrative opportunity in targeting the sector. “We are not complacent and already recognise the threat to this country. I believe the message is a simple one. Cyber security isn’t a necessary evil: it’s both an essential feature of – and a massive opportunity for – the UK’s economic recovery. We can go forward being better

prepared, better informed, better connected and ultimately more resilient.” The government set out its UK Cyber Security Strategy in 2011 to support economic prosperity, protect national security and safeguard the public’s way of life by building a more trusted and resilient digital environment. As part of this strategy, the government set out four objectives. The first aims to make the UK one of the most secure places in the world to do business in cyberspace. The second is making the UK more resilient to cyber attack and better able to protect its interests in cyberspace. The third is helping shape an open, vibrant and stable cyberspace that supports open societies

and that is building the UK’s cyber security knowledge, skills and capability. Maude explains these are as relevant today as they were in 2011. He says: “Our whole approach hinges on building effective partnerships between government, law enforcement agencies, academia and the private sector. We’re also encouraging organisations within these spheres to work in partnership with each other. “We are only as good as our weakest link and therefore industry as well as individuals must take steps to protect themselves and their businesses on line.” Governmental organisations such as GCHQ, the Centre for the Protection of National Infrastructure (CPNI), Department of Business and Skills (BIS) and the Office of Cyber Security and Information Assurance (OCSIA) help industry CEOs and board members by producing guidance on safeguarding their most valuable assets. The government has also produced a 10-step guide to cyber security for businesses to help give them advice about effective information risk management. “This has been followed up by a wide range of briefi ngs and seminars to industry groups as part of our ongoing efforts to embed this way of thinking in pursuit of good corporate governance,” says Maude. “In April 2013, the Department of Business and Skills released a version of their cyber security guidance tailored for SMEs – ‘Small businesses: what you need to know about cyber security’. We’re regularly talking to businesses across all sectors to raise awareness of the threat and what they can do to protect themselves. “We’re focussing on areas where our efforts can have a greater effect – for example, talking to trade associations and professional bodies to help them influence their members, and financial institutions and audit houses to get them to influence their clients.” Although there will be the constant threat of cyber crime, Maude explains: “The internet obviously isn’t inherently a bad thing. It’s inherently a really good thing. “It brings people closer together and for the most part it is a huge upside – we must never lose sight of that. And the work that is done by people involved with cyber security is ultimately all about making the internet a safe place so we can all share in the benefits.” Having a cyber security strategy is essential for protecting national interests in the UK. It is vital that businesses are aware of potential threats to them and they have procedures in place to deal with these risks. An attack can happen from any place around the world and at any time. They cost UK businesses a tremendous amount of money. It is important for them to be prepared.

an independent report from lyonsdown, distributed with the sunday telegraph

Like us: www.facebook.com/biztechreport

Find us online: business-technology.co.uk

April 2014

Information security | 7

The inner geek

Moz & Bradders

Boardrooms must be more aware of cyber crime issues By Joanne Frearson

CYBER security is a boardroom issue for financial institutions, says Sir Jonathan Evans, former director-general of MI5 and non-executive director at HSBC. Speaking at City Week, the forum about international financial services, Sir Jonathan says: “At HSBC it is certainly an issue we do take seriously as a board, but if the board are talking about botnets and Trojans then they have kind of lost the plot. The issue for the board is not, ‘do you understand the technology underlying cyber security?’, it is, ‘do you understand what cyber security means strategically for your business?’” A recent survey by KPMG shows boardrooms have concerns over the quality of information on cyber risks. The KPMG 2014 Global Audit Committee Survey found the proportion of UK respondents who said the quality of information about cyber-security needs improvement doubled to 47 per cent compared to 24 per cent last year. There were 58 per cent dissatisfied with the agenda time devoted to this issue. About half said it was “increasingly difficult”, given the audit committee’s expertise and heavy agenda, for the committee to oversee major risks in addition to fi nancial reporting, while 47 per cent of respondents were not fully confident in their understanding of the critical accounting judgments and estimates, an audit committee fundamental. Sir Jonathan says: “The board’s role in this is to understand the nature of the threat, to understand the information assets that are significant and important for your business and decide on the basis of those two pieces of information: what your risk appetite is, and to make sure you can operationalise that, and that the executives know clearly. “If the board can do that they will be heading in the right direction. But even having said that, it is not simple, particularly in large companies. Identifying and understanding what your information assets are significant and difficult steps. You cannot make sense

Former MI5 director general Sir Jonathan Evans calls for greater cyber security awareness in UK business

Sir Jonathan Evans at the Foreign Office in 2011

Business Technology

of this unless you see it in the context of what matters to your business. What are the risks? What is it you as a company have to invest in to get this right? It is not just about the technology, it is also about the people and the culture. The technology is a very important part of it, but it is not the least. “This idea of not being just a technology issue is really important. There may be a technology element to it, there may well be a staff training issue and there may actually be a deliberate insider threat. “A surprisingly high proportion of successful attacks are where they have a deliberate insider element. It is got to be an issue right across the company and not just for the technology department.” Sir Jonathan also had some thoughts about the risks associated with cloud computing for businesses. “One question I occasionally get asked is about cloud computing, and whether there are particular risks in moving to a particular cloud configuration. It depends on the business. For some businesses particularly for small or medium-sized enterprises that don’t have a particularly strong internal security function, this can be a real opportunity,” he says. “There can actually be benefits transferring some of those risks into a service provider of a bigger company who can specialise in these areas.” Before joining HSBC, Sir Jonathan spent 33 years in the UK Security Service, serving as director general from 2007 to 2013, when he was also senior adviser to the UK government on national security policy and attended the National Security Council. His experience includes counterespionage, protection of classified information and the security of critical national infrastructure. His main focus was counter-terrorism, both international and domestic, including initiatives against cyber threats. Cyber crime is a continual threat to financial institutions. A firm’s boardroom cyber security strategy should focus on what matters to it as a business and the risks associated with that.

an independent report from lyonsdown, distributed with the sunday telegraph

Business Technology April 2014

ExpertInsight

8 | Information security

Find us online: business-technology.co.uk

The Internet of Things – more than just smart fridges We need to build in safety measures now to avoid catastrophe

INDUSTRY VIEW

he murmurs of excitement around the hotly anticipated Internet of Things (IoT) are hard to ignore. It is a ridiculously vague term, rather like describing a gorgeous meal as a plate of stuff, or a gripping book as pages of words, but the IoT does look set to hit the big time, rapidly becoming an integral part of our lives and infiltrating everyday objects. Google is already making pioneering moves in this space, purchasing connected device company Nest Labs in January. But, with billions of devices set to become connected to the internet and intended to do something intelligent, the IoT holds the potential for far more interesting things than controlling our fridges, thermostats and smartphones. At the outset of this year Gartner identified the IoT as one of the top 10 strategic technology trends for 2014, but many believe that it is in fact the big technology concept that will dominate the sector for years to come – and it’s not just about home automation. The revolution will impact much of the critical infrastructure we all rely on – utilities, transportation, smart cars, smart buildings, smart cities – smart everything. These intelligent, connected devices will eventually become our eyes, ears and fingertips, operating in places we would never want to visit, environments we couldn’t survive in, and with levels of performance we could never achieve. Of course, the positive potential of the IoT has been matched with an equal amount of concern over its security – not to mention the significant legal implications these devices carry with regards to data privacy. The scale, complexity and geographic spread of IoT networks, coupled with the amount of data that makes them tick, make them highly vulnerable. The types of data flowing through

The key findings from our summit Business Technology links up with HP to discover current thinking

the IoT network come in many forms, spanning personal data such as behaviour and location, to command and control data driving our critical national infrastructure. A main reason for these concerns is that the devices themselves are often in vulnerable locations, may have very little physical protection, and the networks through which they communicate can’t always be trusted. This makes them a prime target for malicious hackers and cyber criminals. It’s not just about the devices themselves, it’s also the backend systems, the points of aggregation where data from millions of devices is collected and analysed – where decisions get taken and instructions issued. Compromise at the centre could drive breaches the scale of which we’ve never seen before. Building trust across these huge-scale distributed systems must be a main priority for companies seeking to implement a successful IoT adoption strategy. The good news is that there are already technologies capable of securing trust on the mass scale of the IoT. Public Key Infrastructure (PKI) is a tried and tested method that has been used for years to secure communications across the internet, and is the backbone of security in the global payments networks. Through encrypting data and using digital credentials to identify web services, devices and users, PKIs can enforce access to sensitive systems and protect data from unwanted intruders. Tied to a pair of cryptographic keys, these digital credentials can form the basis of trust, with the keys only able to be used by the device or user to which they belong. Of course, managing and securing these secret keys becomes one of the foundations of the entire security model. Looking just five years down the line, we could find ourselves living in a futuristic world where many of the day-to-day responsibilities in our critical systems are entirely handed over to machines. It’s clear that the IoT is an exciting advancement in our technological evolution, but the question of trust and security has never been more paramount. We need to ensure that we build the appropriate safety measures into these networks now, to avoid catastrophe. Richard Moulds (left) is vice president of strategy, Thales e-Security +44 (0)1223 723600 www.thales-esecurity.com

AS PART of Business Technology’s Information Security Summit, HP sponsored a white paper to focus on the key elements of the day. The aim was to find out what the leaders in the information security industry thought about current and future trends, expert opinion and analysis. With such a high quality of delegates among the 150-strong audience, HP and Business Technology felt they shouldn’t waste the chance to be at the forefront of current thinking within the information security community. Among the people attending were IT directors, information security officers and CTOs.

Threats, incidents and threat actors The biggest threat posed to organisations came from abuse of access by legitimate users (18 per cent), closely followed by the threat posed by unauthorised access (17). The threat of spam email, often containing links to malware-infested websites, also rated highly (15). User error and social engineering rated quite highly (13). This is often a tough risk to address and it requires a degree of end-user education to combat. It emerged that the insider threat from disgruntled employees or contract staff was the largest group behind these problems (46). Criminal hackers (24) and social activists (14) were also a significant number. The figure for terrorists and state-sponsored criminals is low (3). The biggest problem regarding employee activities which posed the greatest risk to an organisation was the opening of malicious email attachments or links (36). Even the well-intended peer-to-peer sharing solutions ranked at number two in the risks (26).

The consequences of incidents and threats When it came to the frequency of security incidents in an organisation, the majority of respondents (65) saw less than 20 incidents a week, while the number who saw more than 100 incidents per week was relatively small (2). The number of those that didn’t know the number of security incidents per week was high considering the expert nature of the audience (23). Almost a third of respondents (29) said that physical damage or loss was the most serious consequences for their business. The threat of legal and regulatory action rated highly in terms of consequential problems (25). Malware (12) and insider attacks (14) were still damaging but the more public DDOS (8) and web-based attacks (3) were less of a problem.

The respondents’ capabilities and challenges When it came to assessing the top three challenges facing a firm, it came down to a dead heat between controlling mobile devices and dealing with security breaches (both 23). Business engagement was third (16). Business continuity and disaster recovery provision had been addressed by most participants (28) followed by systems, network and mobile security (24).

an independent report from lyonsdown, distributed with the sunday telegraph

Like us: www.facebook.com/biztechreport

April 2014

Business Technology

Information security | 9

Find us online: business-technology.co.uk

Indicate which three of the following threats pose most risk to your organisation Abuse of access priviledge by legitimate users Business, organisational or technical change Damage to hardware Human error and social engineering Legal and regulatory challenges Loss of hardware Malware Spam, Phishing and Pharming Unauthorised access

18% 8% 5% 13% 11% 2% 11% 15% 17%

Indicate the top two employee activities posing the greatest risk to your organisation

Who do you think were the primary actors behind the incidents?

Competitors

Criminals (hackers)

24%

Disgruntled employees/contract staff 46% Social activists (hacktivists)

14%

Terrorists or state-sponsored criminals 3% Use of own mobile devices Opening malicious emails attachments or links Remote access to network from home/travel Use of peer-to-peer applications Use of removable storage media units/USB drives Use of social networking apps

2% 8% 2% 23% 65%

Business disruption Damage to reputation or brand Financial loss Loss of sensitive information Productivity decline

44% 9% 5% 16% 26%

What effect did these incidents have?

What is the frequency of security incidents in your organisation?

More than 100 per week Between 20-50 per week Between 51-100 per week Don’t know Fewer than 20 per week

Business partners

3% 36% 15% 26% 10% 11%

Which of the following types of incident had the most serious consequence for your business? DDOS attack Failed service management Insider attack Legal or regulatory action Malware attack Physical damage or loss Web-based attack Website defacement

In which of the following cyber security management measures does your organisation have a good level of capability maturity? Applications and data security Asset management Business continuity and disaster recovery Business governance/risk management Supplier security management Systems, network and mobile security

How much do you believe the most significant incident cost your organisation? Under £10k 58% £10k-£50k 25% £50k-£100k 6% £100k-£200k 4% £200k-£300k 2% £300k-£400k 2% £500k-£1m 2% Over £1m 2%

8% 8% 14% 25% 12% 29% 2% 2%

Highlight your current top three biggest challenges from the list below

21% 13% 28% 7% 7% 24%

Better engagement with business organisation Controlling mobile devices Dealing with security breaches Delivering cost effective information security Implementing effective security intelligence/analytics Improving SLAs with vendors Securing social media Taking a stratgic (not tactical) approach Understanding how to secure cloud

16% 23% 23% 8% 9% 1% 5% 7% 8%

Exclusive poll: the nine questions which focus on information security

an independent report from lyonsdown, distributed with the sunday telegraph

Business Technology April 2014

ExpertInsight

10 | Information security

Find us online: business-technology.co.uk

Compliance can pay cyber security dividends How to concentrate efforts on detecting abnormal patterns INDUSTRY VIEW

yber security regulations are becoming more complex, and they affect a growing number of businesses every day. These regulations require your business to invest in a variety of technology and resources necessary to pass regular security audits. In short, compliance is here to stay and it’s safe to assume your business will be required to invest in compliance for the foreseeable future – and it’s an even safer bet that the job will become even more complex over time. Since you’ll be doing compliance work anyway, it makes sense to maximise the return on those investments. To gain additional value from compliance technology and resources, don’t focus on passing audits. Instead build your programme around the greater goal of all cyber security regulations: the protection of sensitive business and customer data. Aligning your security programme with this goal automatically expands the focus of the programme and delivers multiple benefits including improved security vigilance, better oversight, and increased accountability. The first steps towards getting more value from your compliance efforts are to identify the data that’s most important to your business and then focus on aggressively protecting those assets. This shift automatically “up-levels” your team’s efforts, allows them to move towards continuously monitoring your network and makes it possible to concentrate efforts on detecting the abnormal patterns and anomalies that indicate a breach is in progress. These capabilities are necessary building blocks that make it possible to quickly focus your security resources on the small number of events that are most likely to harm your business. These changes are not easy but they make tremendous business sense. After all, since you’re going to have to spend the money and do the work to be compliant, why not maximise your leverage of these investments so you also achieve a dramatic improvement in cyber security protection? Dwayne Melançon is chief technology officer for Tripwire +44 (0) 17 8448 5850 www.tripwire.com

Medical devices at risk from cyber attack By Joanne Frearson

PACEMAKER designed to send life-saving electrical pulses to your heart and provide your doctor with vital information about your health can also unfortunately be a target of a sinister cyber attack. Medical devices that use a wireless con nec t ion suc h a s pacema ker s, defibrillators, monitors and insulin pumps, as well as automated drug distribution systems that are implanted in the bodies have all been considered to be at risk. Gunter Ollmann, CTO for IOActive, says: “The medical industry is not a thought leader of information security – it is still largely playing catch up. When I look at implanted medical technology, it is pretty scary stuff. “Many of these technologies have been around for over 20 years, but have always had connecting cables leading from outside the body. What has happened in the last five years is there has been the removal of those physical connections and a shift to wireless communication. “The problem is you have very skilled and talented medical engineers developing these technologies. But they are now relying on software technologies being added onto their existing hardware and they do not have the 10 or 20 years of software experience to counter many of the security threats today.” One of the problems Ollmann (inset, right) says he has encountered is “the lack of encryption for communications. It ties back to the protocols (and the view) that if the wireless is only a few centimetres away

then perhaps we do not need to worry about the encryption or we do not need to make the encryption that good. Unfortunately that is where these things get caught out. “These devices are capable of being updated remotely. Not just being able to send information back about their operations and the use of the device back to the doctor, but allow the doctor to tweak certain settings. “This includes dosage amount as well as the ability to do updates of the actual soft ware itself. It is just like patching and adding additional functionality improving the performance of the devices as you would expect to do for any hardware-based technology.” Research that Ollmann has carried out has in the past has been focused on defibrillators, heart monitors and insulin pumps. He has found the process of applying patches designed to improve the performance of IT systems can be insecure. “In a normal computing system, that may result in a denial of service where a service is hung or it needs rebooting,” Ollmann says. “That may be fine for your iPad, but it is not such a cool idea for an implanted device.” According to Ollmann this is also the case for other medical devices w it h w i r eless con nec t iv it y, s uc h a s d ia ly si s mac h i nes, as well as heart and brain monitors which are connected wirelessly back to an EMT unit or the hospital networks so nurses can monitor multiple patients simultaneously. He s a y s: “ We find the same

classes of vulnerabilities again – such as the wireless being broken, the lack of encryption or poor encryption, the ability to update the soft ware, and the actual vulnerabilities in the devices themselves. “For the hospitals and general practitioners that may be monitoring the embedded devices, there is very little they can do to prevent these real threats. It is more about reducing the risk profile, so that the systems that they use for connecting and updating these devices cannot be tampered with or fall under the control of a remote user.” But Ollmann reckons that, in reality, the threat of someone going out of the way to maliciously hack a medical device is small. He says: “It requires effort, a level of technical prowess and access to classes of technology. “The bigger risk is researchers or hardware hackers experimenting with related technologies that happened to be in range of your device. Not targeting with malicious intent, just a situation of being in the wrong place at the wrong time.” Ollmann is now working with medical manufacturers to assess many of their new or next-generation technologies. He says: “In the last couple of years, because of the high visibility of these vulnerabilities, there has been a dramatic shift within organisations to better understand the nature of them and the capabilities of attackers. The bigger organisations are actively engaging companies to understand and review products before going out.”

an independent report from lyonsdown, distributed with the sunday telegraph

Like us: www.facebook.com/biztechreport

VIEW By Keil Hubert AT THIS year’s European Information Security Summit, I deconstructed a real-world cyber security incident in order to highlight different ways that human misperceptions and flawed human judgment will often undermine the well-thought-out security protocols and highpowered defensive equipment that could, on their own, pre-empt or contain a breach. People are usually the Achilles’ heel of a good cyber security programme, and that’s why people have to be the primary focus of a successful programme. The most important piece of advice I offered in my presentation was that all of us in the cyber security community have to overcome our basic human tendency to avoid unpleasant confrontations. We have to act, and act swift ly, when we encounter aberrant behaviour in the workplace that might foretell future (deliberate or accidental) misconduct. In simplest form, this idea starts with paying attention to what’s going on around you, and then directly addressing the early manifestations of a potential problem before it evolves into a catastrophe. Yes, we have to get into the workplace and interact with other human beings. Tweaking fi rewall rules and tightening password policies are a waste of time when every employee has an unregulated smartphone, a home broadband connection, and access to worldwide social media communities. My argument seemed to resonate with the audience. All of us, around the world, have the same common problem: we work with people. People, being people, are complicated, overstressed, distracted, and subject to

April 2014

Find us online: business-technology.co.uk

Information security | 11

We must overcome our desire to avoid unpleasant confrontations significant and often unpredictable pressures. Many a violation of security protocols could be neutralised early on if only someone in the workplace would pay attention to the potential violator’s early behaviour and take action to address their issues. Patch a leaking tyre now to prevent a blowout later. We do that with operating systems – we need to do the same with human beings. A cyber security programme that focuses on static rhetoric and draconian policies isn’t likely to have any meaningful effect on the people who most need help from the cyber security team. For us to make a practical difference, we need to have a welcome presence down to the shop floor. We must make it clear to all of our fellows that we value them each and every one as individuals. We need to demonstrate that we’re concerned about each worker’s personal success, and that we want to be their trusted guardians – not to be their oppressors or be an obstacle on their path to success. We need the rest of the business to trust us, and for that to happen, we need to invest in building legitimate, reliable relationships with the people that we’re empowered to support and protect. Professional relationships matter! From a programmatic perspective, you can’t convince an overburdened and stressed-out lineof-business employee to take personal

SECURITY OPERATIONS

REDEFINED www.rsasecurity.com

Business Technology

@RSAsecurity

/RSASecured

responsibility for the abstract defence of their kit if they’re deeply worried about more immediate concerns. In parental calculus, a small child with a fever takes precedence over remembering to close out applications and lock a workstation at the end of the day. That’s not laziness or malfeasance – it’s just the parent role taking precedence over the employee role. We should empathise, not castigate.

Talk to your people. Learn what their problems are, and help solve them. Earn your co-workers’ trust by helping to shoulder their burdens, and they’ll help you by paying attention to your announcements, monitoring their systems, and reporting suspected indicators of adversary action. Be your workers’ ally first, and they’ll reciprocate by becoming an extension of the cyber security department in turn.

an independent report from lyonsdown, distributed with the sunday telegraph

Business Technology April 2014

12 | Information security

Find us online: business-technology.co.uk

hacked cked Organisations should be taking the same precautions as governments, as cyber attacks become increasingly common. By Joanne Frearson

ROTECTING a country’s or corporation’s information is vital for the security of any nation – and yet with cyber criminals managing to infiltrate emergency services systems or obtain information about national defence networks over the last few years, the risks are mounting. Edward Snowden, a former employee of the CIA and former contractor for the NSA, hit the headlines last year when he disclosed thousands of classified documents from US government surveillance programmes to journalists in Hong Kong. Snowden was charged with espionage on June 21 by the United States federal government and is currently living in temporary asylum in Russia. And this year, BAE Systems Applied Intelligence found computer networks in the Ukraine had been hit by cyber attacks from the espionage virus Snake. The Snake malware, which has also been known as Uroburos, provides attackers with full remote access to the compromised system, and its ability to stay inactive for a number of days makes its detection difficult. It can steal files and infect other machines within a network. It has been connected to a previous virus called Agent.BTZ, which was used in a cyber attack against the US in 2008, when a USB stick containing malicious code infected the military’s network. David Bailey, chief technical officer of cyber at BAE systems Applied Intelligence, says: “The sustained success of Snake and similar operations has shown how defences based around anti-malware technologies can be circumvented. “These have been sophisticated operations and a great deal of investment has been made by the attackers to develop these tools and enable them to evade detection. Anti-malware tools have their place, but well-resourced attackers can evade many existing security controls. “If you can buy an anti-malware product to protect your network, it is likely that the attackers have as well and are actively testing their malware against those products. This creates a constant arms race between the attacker and defender and one that can be very asymmetric. “The present threats include state-sponsored espionage, organised crime groups, politically and socially motivated activist groups and individuals. These threats have been common across all sectors and there has been a blurring between national security and economic motivations for some attacks.” A survey of IT decision makers in the UK, US, Australia and Canada by BAE Systems in February 2014 found that 84 per cent of all respondents expected the number of attacks to increase. It is not just governments with cause for concern about

Below: David Bailey, BAE’s chief technical officer of cyber; opposite page, far right: Edward Snowden, currently at large in Russia and wanted by the US government for leaking classified CIA documents

cyber attacks. Organisations also need to protect themselves from industrial espionage. IT security vendor Kaspersky recently discovered a new cyber-espionage campaign called Icefog, which hit the supply chains of Western companies by focusing on targets in South Korea and Japan. Icefog hijacks sensitive documents, company plans, email account credentials and passwords, and the victim can remain infected for months or even years. The virus has been active since at least 2011, and has targeted government institutions, military contractors, maritime and shipbuilding groups, telecom operators, industrial and high-tech companies and mass media. There are various reasons why a cyber criminal may use malware to get information on a company or government. It could be for financial gain, to get a competitive edge, to blackmail and also terrorism. “One trend we are seeing strongly at the moment is the rise in organised crime groups using cyber attack tools to commit fraud on an increasingly large scale,” Bailey says. “These attacks exploit a range of techniques including breaking into the networks of financial institutions, targeting endusers’ computers – both commercial and corporate banking – and launching denial of service [DoS] attacks against banking websites to mask a larger fraud campaign. “This trend is, in part, enabled by the proliferation of sophisticated attack

techniques and malware to more and more threat actors. A successful cyber attack can have a material business impact – for example, fines resulting from a loss of customer data, theft of intellectual property, or commercially sensitive information which subsequently falls into the hands of a competitor, or direct money loss through theft or cyberenabled financial fraud. “Quantifying the financial impact of a successful attack on a business is critical to being prepared. The overall impact of a successful cyber attack on a business can run into tens or even hundreds of millions of pounds. The most recent government figures show that the average costs incurred

an independent report from lyonsdown, distributed with the sunday telegraph

Like us: www.facebook.com/biztechreport

Find us online: business-technology.co.uk

April 2014

Business Technology

Information security | 13

d off off? in dealing with a single breach on a large corporation are somewhere between £450,000 and £850,000.” Bailey recommends businesses and governments collaborate more closely in order to take advantage of shared intelligence and understanding to keep ahead of emerging threats. He says: “Robust security will not come from putting all your faith in a single solution, but can only be achieved by adopting a range of techniques that work together. It is also essential to be able to share and exploit the best threat intelligence available in order to adapt defences to reflect emerging threats and attack techniques. “In the first instance, addressing the threat presented by cyber attack is about awareness, understanding and preparation. Once the risk is understood, getting the right controls in place is key. A combination of protecting critical information assets with strong security controls and monitoring activity is essential to give a robust defence. Getting effective monitoring in place, and ensuring that works seamlessly over the full range of mobile devices and cloud services, remains a key challenge. “We see a broader shift in how information security is addressing the threat. Good security practice works with the mindset that at some point a business is likely to be compromised – as recent examples have shown, it is not possible to guarantee keeping the attacker out. There is a therefore a shift from relying on protection alone to a combination of protection and monitoring, backed up by an effective incident response plan. “Effect ive mon itor ing requires a combination of detection techniques including analytic approaches alongside traditional signatures and rules, exploitation of the best threat intelligence available and a focus on efficient security operations, getting the right people to investigate the most serious threats rather than manually sift ing through large numbers of less critical security alerts.

“An important step in helping many organisations is the effective sharing of threat intelligence. We see a rise in the number of providers of threat intelligence, although these vary in both quality and relevance to individual threats. The challenge for companies shifts to the effective collation and exploitation of that intelligence and we see a change in many organisations that are looking to adopt a more ‘intelligence-led’ approach to security.” Protecting national interests against cyber criminals is a cat and mouse game. Once a new security system is implemented, hackers will be there trying to break it. It is important to understand the risks and have multiple systems in place to stay one step ahead of the cyber attacker.

an independent report from lyonsdown, distributed with the sunday telegraph

Business Technology April 2014

ExpertInsight

14 | Information security

Find us online: business-technology.co.uk

The smartphone comes of age Payments providers need to meet changing demands without compromising the security of devices or transactions

INDUSTRY VIEW

f recent years have belonged to a device, it is the smartphone. Internet-connected phones have revolutionised the way people behave in the UK and the rest of the world. A milestone was reached in 2011 when global shipments of smartphones overtook those of the PC. The findings, in the Portfolio Research Mobile Factbook 2012, also point to the number of smartphone shipments exceeding one billion by 2016. This is in part due to a growing market in the developing world. In the Euromonitor Smartphone Penetration Report from 2012, it was estimated that more than 70 per cent of the population in developing countries had a smartphone. With the arrival of 4G networks, connectivity is also improving. Other innovations, such as the development of the App Store, mean people can use their phones for email, banking and a range of other functions. From Africa to Europe, it means customers want products and services available to them on their mobiles. For the payments industry, this spells big

changes. Payments providers need to meet changing demands without compromising the security of devices or transactions. Matt Martin, senior payment security risk manager at Barclaycard, believes mobile can be an essential source of growth for the

industry if it keeps up with these changes. “There is a lot of change and growth, and with that is opportunity. That drives innovation,” he says. “People increasingly want to do everything on their mobile phones. Phones aren’t phones and cameras aren’t cameras: everything is blurring into one device. Payments need to move in line with what consumers and merchants want.” While there are challenges, Martin hails new payment systems as an enabler for businesses and smaller traders in particular, as well as their customers. “This is a liberating innovation for the smaller merchant,” he says. “This is a huge enabler for people to take payments, make records, have accounting and be mobile. Previously there were large pockets of people dependent on cash and cheques. This is the great enabler for them.” He believes that, as customers demand the option of mobile payment, it has become critical for companies to respond. He says: “I think mobile payments are critical because so many people almost have an in-built expectation that whoever they are dealing with will accept a credit or debit card. “It can inhibit any business not to accept card payments, particularly for smaller traders. It is also moving merchants away from being seen as a VATavoider just taking cash. Credibility in the eye of the customer is a key benefit of accepting card payments.” Barclaycard is on the cusp of introducing a new mobile point-of-sale system, Barclaycard Anywhere, with the aim of enabling SMEs to take secure payments and improve their business. “We have been working very closely with PayLiquid, our delivery partner, to get this product through the rigorous levels of testing. We are very shortly going to be launching it,” Martin says. Barclaycard Anywhere will use a purpose-built app and a secure PIN-entry device which attaches to a smartphone or tablet using a cable and is designed to accept card payments from any connected UK

location, provided there is a 3G or Wi-Fi connection. It also uses an advanced reporting system which keeps users up-to-date with the payments they have received, meaning there could be strategic benefits for companies. They could, for example, track sales performance and payments trends, as well as targeting their most valuable customers. Martin says: “You can keep track of your transactions and spot return customers, which means you could use discounts or other rewards with them. This is a completely secure route and it’s very easy for people to use. It’s quick and it’s low cost.” Speaking at the Mobile World Congress in Barcelona where the product was showcased earlier this year, Paulette Rowe, Barclaycard’s managing director of global payment acceptance, said: “We wanted to create a solution that was ideal for both SMEs and for large enterprises with mobile work forces. “Security, speed, ease and cost are key concerns for all businesses, whatever their size, so these were our main considerations when we developed Barclaycard Anywhere. Having easy access to invaluable management information through the mobile payment app will enable time-poor business owners and staff to quickly learn about their customers’ spending behaviour. “The insights they gain and the time they save can be directly invested into making their businesses more successful.” It will join other Barclaycard systems, including GPRS, portable and countertop products. From this to digital wallets and other innovations, mobile is ushering in a new era of payments. But Martin warns that anyone using mobile payments – whether businesses or consumers – must take care in order to stay secure. “There is some basic general advice about mobile payment security people should be aware of, and a few dos and don’ts,” he says. “A lot of it is common sense. You should restrict device access to authorised users when you are not using it, and you shouldn’t leave your device lying around in places like the dashboard of your van. “You also need to inspect devices to see if anything could be tampered with in terms of skimming devices, for example. You should also have usernames if more than one person uses the device, and if a device is going to be connected to a laptop you should make sure you secure that laptop. People need to take certain precautions, but most of this is just common sense.” He adds that, as users do get to grips with new payment acceptance solutions, Barclaycard has a team on hand to offer their support. “We have a range of guidance,” he says. “We are here to help – we have expertise around the payments sector, with further information and advice available via our web site at www.barclaycard.co.uk/pcidss.” As consumers and traders wise up to the new forms of payment available, innovation is going to continue and accelerate. But businesses need to be on the right side of this. Matt Martin is senior payment security risk manager at Barclaycard 0800 056 1289 PCI.Taskforce@barclaycard.co.uk www.barclaycard.co.uk/pcidss

an independent report from lyonsdown, distributed with the sunday telegraph

Like us: www.facebook.com/biztechreport

April 2014

Business Technology

Information security | 15

Find us online: business-technology.co.uk

One example of technology contributing to security is with panic rooms. Joanne Frearson reports MAGINE a room hidden in your home which no one knows about. A secret door disguised as a bookcase conceals the entrance to it. To get in, you have to play a sequence of notes on a piano, or press a series of buttons camouflaged among furniture around the room. This may all sound like something out of a Batman or James Bond movie – in fact, they were the subject of the 2002 David Fincher fi lm Panic Room, starring Jodie Foster – but panic rooms do exist in real life. They are being built around the world in increasing numbers to provide people a safe place of shelter against potential threats such as home invasion, kidnappings or even natural disasters such as tornados. Creative Home Engineering is a company that builds the secret doors guarding the entrances to these rooms. Hi-tech security devices are being used to create the elaborate ways people can escape into their concealed rooms and protect themselves once they are inside. Steven Humble, founder of Creative Home Engineering, says: “Sometimes they have sophisticated biometrics access controls. For example, you might have to scan your iris to get in the secret room. Every client is a little bit unique with regards to what they need. “Biometric is nice because you do not have to worry about remembering a code and you do not have to worry about anyone else getting in. It is really popular for people that do not want their kids to be able to access the secret room. It certainly is a higher level of security, if it is biometric. That draws in a lot of people.” But not everyone wants biometric access

controls. Humble says: “With biometric access control you have to worry sometimes about getting a false negative, which means that you scan your print or your iris or whatever it is and the machine takes a second to accept it. If you do it wrong, you might have to enter your finger a second time. “In a panic room situation, there are often times when we do not use biometrics access control. Instead we will use a secret button in a place that is very quick for the customer to run in there.” Access controls for the secret doors are customised for each person. “This is where it gets fun for us,” Humble says. “One is the access control, it is always a mix of practicality and also whimsical fun aspects, for example, people have seen the original Batman TV show, everybody knows about the Shakespeare bust [which opened the Batcave via a secret switch]. People ask for that, or they have seen a movie where you have to play a certain sequence of notes on the piano and that is what opens the secret door. We provide that for them. There are always a lot of fun and unique type switches. “If they can just imagine a way their ideal panic room or secret door would work or look and can describe it to us, we will make it happen for them. That is the most gratifying part of our work, being able to do something no one has ever done before. “We are working on a bunch of secret doors for a client that has 10 secret passageways in this residence. They have a couple of them which they want to be operated by pushing a secret button, but they do not want to push a secret button just one time because that is not secure enough. “They want it to be when they push the secret button in a certain sequence of timed button pushes that unlocks the secret door. They will set a code like three, five and seven. They will push the button three times and then pause and then five times and seven times and then the secret door will open. “That in itself is a bit of a technological challenge. Then on top of that they want a fast mode, so when they flip a switch that would be located inside the secret room the button would be able to be pushed once and then the door would unlock.” A lot of technology goes into creating these different access control devices. At Creative Home Engineering they will design their own circuit boards or electrical systems that can accomplish what they

need them to do. “If there is an existing technology that we can use then that is better,” Humble says. “For example, in the automation industry, there are robots that do things automatically. Those robots are controlled by computer systems and you can obtain one of those computer systems and re-programme it to operate a secret door. “There is some programming expertise needed to do the job. Every once in a while we will come up with something for which there is just nothing out there that does what we need, so in those circumstances we have to develop that technology. “Manufacturing that sort of thing is like manufacturing anything else. We are engineers, that’s what we are trained to do. We look at the system, we design the parts to go into it and go to the people who make the individual components and have all the parts fabricated, put it all together, test it and use it. “ We h a v e b u i l t staircases that telescope down out of the ceiling. We have built heavy safes that have come up out of the floor and every different kind of secret door you can imagine.” But if cer ta in t y pes of technologies are used to open secret doors, it could also make them vulnerable to cyber attacks.

Below: Creative Home Engineering founder Steven Humble with one of his creations

He says: “Some people will say, I want my iPhone to open my secret door. We can certainly do that for you. But that is one that is potentially vulnerable to a cyber attack. “If someone really does not be want to be vulnerable to a cyber attack then we will build a different kind of system that has absolutely no internet connectivity, so that it is impervious to cyber attacks.” There are also concerns about what happen if there is an electrical failure or p owe r out a ge and if someone could potentially get stuck inside a panic room. H e s a y s: “ We have it so the systems have a n automat ic clutch system or some sor t of brea kaway connection. If they need to they can be manually operated or they will have an override mode. Those are all unique technologies that we have to develop. We build panic rooms so people can get out under any circumstances.” Whether a secret door is triggered to open by playing a series of notes on a piano or a Shakespeare bust device like the one Batman used, technology is helping to secure panic rooms and protect people from potential threats in their home.

an independent report from lyonsdown, distributed with the sunday telegraph

Business Technology April 2014

ExpertInsight

16 | Information security

Find us online: business-technology.co.uk

Cloud misconceptions: looking at why the cloud is secure Policies you know and trust are enforced regardless of where the user is located INDUSTRY VIEW

loud computing is secure. There, I’ve said it. It may sound like an obvious thing for someone who works at a company specialising in ensuring a smooth, reliable and secure network to say, but there are still misconceptions about cloud security. These concerns and misconceptions often arise from fears over losing control. Some IT departments will fear that losing control of the infrastructure will leave their data and applications more open to issues such as malware, hacking and data loss. There is a fear that cloud providers do not secure their environment to the same standards as a business will secure its own data centre. There are also fears over controlling who has access to that data. But cloud providers are often a more attractive target for attackers because of the variety of data they could be storing. That means cloud providers can and do expend vast resources on security – after all, it is their reputation and even their entire business on the line if something goes wrong. The truth is, therefore, that cloud computing can be more secure than a traditional, on-premises infrastructure. Using the cloud does not mean settling for lesser security than you’d get in-house. In fact, it can mean extending

your own security out to the cloud environment and adding that to the security offered by the cloud provider. Sending your data out to the cloud does not take it outside your responsibility. Businesses can and should ensure that any policy they have regarding security in-house is enforced beyond the perimeter as well. This means the policies you know and trust are enforced regardless of where they are deployed from, and where the user is located. Additional features such as encryption and multisite backups mean that your data is probably more secure than if it was sitting on servers in your own office, and in-built redundancy means it will be available when your workers and customers need it. Ensuring your own policies are enforced regardless of where the data is being held provides peace of mind that your business will remain compliant even when adopting cloud computing, further enhancing peace of mind. A policy and access management platform is the key to covering these bases and means a business will know exactly who is accessing its network – both cloud-based and on-premises – and where from. The cloud is not really a scary, unsecured place. It’s a place that is as secure as you make it – and why would you make it any less secure than your on-premises infrastructure? If fact, moving to the cloud can provide your business with agility and flexibility while improving control and access over your applications and data. Nathan Pearce, Cloud & SDN Architecture Group, F5 01932 582000 www.f5.com

The agility, flexibility and efficiency that comes with new technologies CIOs are taking a more hands-on role but must heed the risks INDUSTRY VIEW

ife has changed dramatically for the CIO. IT professionals, once seen as administrators and experts on hand to provide technical support, have become an important part of how a business is driven in just a few years. This is the result of recent innovations which can revolutionise employee behaviour, help businesses operate more

effectively and cut costs. Social media, mobile, analytics and cloud computing have changed the face of enterprise. They can make employees more collaborative, allow more flexible working styles, help leaders to refine business practices and enable greater efficiencies. This is all good for business. But, in order to benefit from these innovations, companies need to make sure their data will be safe. Alain Sergile, vice president

for product marketing at Ionic Security, says improved security methods allow businesses to get the most out of new technologies such as cloud computing without compromising their operations. “Historically, when people are thinking about protecting their data, they will plan out what they call layered security,” he says. “You start at the perimeter with firewalls and work into the servers with things like anti-virus software. That has been what people have done, but as technology has progressed data can go beyond the perimeter, such as in the cloud.” Because it travels so freely, data must be policed and kept safe beyond a conventional perimeter. But this requires a new approach. Sergile believes companies can get all the business benefits of new technologies without compromising security through what he refers to as “native data protection”. “One of the things that Ionic Security has done is given companies the ability to protect data at the point of creation,” he says. “When the data is born, it has the attributes to protect itself. It knows where it is, who is trying to access it and who should have access to it. Any time or place the data is accessed after that, it knows whether the person should be able to have access.” Anyone who is trying to access the data

but does not have the right to do so will get information that remains encrypted – but the company which created it will be alerted to what has happened. Sergile says this keeps firms secure, as well as their partners and other third parties. But he also argues native data protection will mean companies no longer have to worry about breaching EU rules. “You can’t control where your data will end up, but you can control how it’s secured and destroy it if necessary,” he says. “If data, taken under the EU Data Protection Directive, shouldn’t have left the UK but does get to America, it won’t be usable there. From a compliance standpoint, your organisation knows you will be compliant with the directive and able to have access, visibility and control over the lifecycle from cradle-to-grave.” As company directors wake up to the possible agility, flexibility and efficiency that can come through new technologies, CIOs are taking a more hands-on role. This offers them an opportunity to reap huge commercial benefits. But they must also heed the risks around security and compliance. info@ionicsecurity.com www.ionicsecurity.com

an independent report from lyonsdown, distributed with the sunday telegraph

Like us: www.facebook.com/biztechreport

ExpertInsight ExpertInsight

“Increasingly control devices have become computers, which are often connected through the internet, either through Wi-Fi or through wired connection. What that means is they are vulnerable to the same kind of threats that normal IT systems are vulnerable to.” Although infrastructure may face similar cyber threats to traditional firms, they have very different operating characteristics than other businesses. Hankin says: “Whereas we could afford to take a business site system down for a few hours to do regular maintenance, if you are controlling a nuclear power station or controlling railway signalling, you cannot

Imperial College, London

take stuff out of action for long periods of time to fi x it.” By research and educating people about these threats, Hankin says: “You are probably 80 to 90 per cent the way there, towards having a secure system.”

Business Technology

Information security | 17

Find us online: business-technology.co.uk

Government initiates nationwide research into cyber security RESEARCH is being undertaken into protecting the UK’s critical infrastructure and industrial control systems as part of the government’s National Cyber Security Programme. Chris Hankin, professor at Imperial College London, is the director of the Research Institute in Trustworthy Industrial Control Systems, recently launched as part of the programme. The research institute is at its very early stages. Hankin says: “Critical infrastructure such as railways use lots of IT components which control things like trackside switches, while industrial control systems have become more IT focused.

April 2014

Spy drone highlights info-security dangers A DRONE called Snoopy is exactly what the name suggests – it can snoop on what you are doing on your smartphone and unscrupulously steal personal details from it. Glenn Wilkinson and Daniel Cuthbert at security firm SensePost developed Snoopy as a research project to raise the awareness of the problems associated with these devices. It has huge repercussions for companies who allow employees to bring their own devices to work. Cuthbert, CIO at SensePost, says: “The biggest implication for IT is that with a lot of businesses coming in with

BYOD, we have moved away from where the network parameters are nice and secure to people walking into environments with potentially compromised phones and tablets and plugging them in. “Be very careful about your BYOD policy if it is a device you have no control over. If you want a secure environment you need as much control as possible. If the awareness level is raised and people start thinking, hang on a minute this free Wi-Fi network I am using, who is controlling it, is it actually free, then we have won. That is the message we want to give.”

Security threats are real, but who really cares? Take responsibility for your security before the government does INDUSTRY VIEW

et’s turn the table and walk with “their” (government officials’) shoes for a while. Security threats are real. But who cares? And this is a very important question. Most companies do not really care. Of course, anti-virus software is installed on almost all computer systems, and firewalls are in place. But it’s still an open question, why so many systems – including network and internet servers – are compromised and already used by hackers to conduct bigger attacks, which can also hit governments or essential infrastructure services like power utilities and banks. If business owners and residents do not care, so the

government must take control. It’s not only denial of service attacks, but also theft of intellectual property, which could damage the economy. Protecting systems means to close every open door. Think about services running on your company systems. Every system which allows users to authenticate and use services like remote desktop, email or web applications like CRM or SharePoint is at risk of being misused by unauthorised internet users. Beside Trojans, brute force and dictionary attacks are the most common way to break into a system and steal data. Anti-virus

The stepping stones to secure mobility Maintaining control of sensitive data on multiple mobile devices INDUSTRY VIEW

verything digital is in some way discoverable. Security within the enterprise is a multi-level process with no single solution – each step needs to be evaluated individually. One of the key security problems enterprises are constantly fighting is how to maintain control of sensitive data when enabling users to access that data on multiple mobile devices. A lot of those organisations will opt for a simplistic mobile device

management model – which only addresses protecting the device, not the data on the device. When an organisation turns off a specific functionality, employees will find another, often less safe, way to get what they need. A better approach is to give

software is designed to protect against Trojans and viruses, so the majority of companies are protected against this threat. But firewalls are not designed to detect failed logins, so this is a completely open field for hackers. Closing open doors does not automatically mean big investments in enterprise security systems and large-scale projects. Free tools like fail2ban (for Linux, http:// www.fail2ban.org) or the free edition of Cyberarms IDDS (for Windows, http://cyberarms.net) are available at no cost but your interest. Protect your intellectual property and take the responsibility for your systems security before the government does. +49 (211) 936 76 290 emea@cyberarms.net

them all the tools they need within a secure ecosystem. Unless an enterprise is going to completely lock down a device in terms of which apps are installed then they must instead take control of the data that belongs to the enterprise. Companies are starting to learn the difference between managing hardware and securing data – data integrity and containerisation are the true solution to protecting digital assets. To build out a complete mobility strategy, any enterprise is going to need a complete toolbox to manage data, devices, application and configuration as well as monitor service quality and perform analytics to ensure that everything is running smoothly. If this is going to be deployable then all these parts need to work together rather than just being a bag of bits. What is needed is a complete and cohesive mobility solution. Join Good on stand F70 at the Infosecurity conference as we discuss the Three Cs of Secure Mobility – content, credentials, and configurations. We’ll show you how consolidating to Good provides unique protection and demonstrate the security risks of relying on MDM as your only mobile security layer. +44 (0)20 7845 5300 gooduk@good.com

an independent report from lyonsdown, distributed with the sunday telegraph

Business Technology April 2014

ExpertInsight

18 | Information security

Find us online: business-technology.co.uk

I want to set business free from risk and technological barriers, says Art Wong As head of HP Enterprise Security Services, Art Wong is finding his entrepreneurial instincts and security expertise a key part of a mission to deliver world-class security solutions for the new age of business technology. Paul Fisher reports INDUSTRY VIEW

rt Wong has barely had time to draw breath since taking on the position at the head of HP Enterprise Security Services a year ago. His frantic schedule has taken him to virtually every part of the globe on a fast track tour of the resources that make up the strength of HP Enterprise Security Services. This seems to be a challenge that the energetic Wong is more than capable. A serial entrepreneur with five different start-up businesses under his belt, he has also spent time managing various divisions for McAfee and Symantec where he created an incubator for start-up businesses within the company itself. He left the last start-up, Ironkey, after its acquisition by Imation in 2012. So what was the attraction of HP? Wong explains: “It was a conversation with Meg Whitman (HP CEO). It is obvious there is a desire to drive the security business and execute on building the security assets within the company, which have become something of a hidden gem. When I came to look at it, I saw there was an incredible number of assets and quickly realised HP had something that no other security company in the world has – an ability to provide an end-to-end solution for its customers.” Wong makes the assertion that most rivals can only deliver around a technology or a product. “If the only tool you have is a hammer then every problem you have must be a nail, but of

course every company’s problem isn’t a nail.” What really appealed was HP’s ability to solve problems – a piece of the puzzle that has always proved elusive. Wong is keen to make a lot more of HP’s hidden gems and for the two security groups within the business – Enterprise Security Products and Enterprise Security Services – to remain autonomous as both contribute to the overall HP security offering with their different strengths. It’s all about serving the customer. “How we are organised internally should not have any impact on our customers. But how we talk to customers and how we go to market – that is being consolidated. Think of it as an identity or a message. It is how we face the customer that is important.” Having started an incubator at Symantec, Wong feels there may be a place at HP to fasttrack technology but for now he is keen to place value on the strength of HP’s own world-class security research at HP Labs, Enterprise Security Products and Enterprise Security Services. This is something that only one of HP’s rivals can even begin to match. Yet HP has not done the best job of telling the world about it. “We can provide real value here in innovation and security intelligence. We don’t talk about it much, but we should! The amount of research we do at HP Labs and the fact that we manage the largest networks in the world enables us to see things no other company can. This is the key; the better we understand the threat environment the better we understand the threats and the activities of our adversaries, the better we are able to protect our customers.” So one of Wong’s immediate tasks is to leverage this strength, get the message out and in his words: “Do a better job telling people that we do a great job at security.” Getting that message out is a priority, given that the threat environment and challenges to the CISO and CIO aren’t getting any easier with attacks now on an industrial scale. Wong argues that those CISOs are now completely outnumbered by adversaries, who are well-funded, sometimes state-funded Arthur Wong is senior vice president and and incredibly well orglobal GM, HP Enterganised. Against this are prise Security Services individuals in organisations

trying to cope, often with few resources, and they are facing what has become, in Wong’s words: “a global factory for developing threats”. So what will Wong and HP do to help its beleaguered CISO customers fight back and look forward to at least some valuable leisure time before they retire? Well, to begin with, HP has sheer size on its side. “We have an incredible amount of security resources; 5,000 security professionals around the world doing development, research and unpicking the methods of the attackers. “What we can do is bring our footprint, our people and augment and add value to our customers who don’t have our resources. “Most importantly we can help the CISO mature their organisation, help them articulate the risk to the board and justify their place there.” he says. If all that wasn’t enough to contend with, what Wong calls “new style IT” is bringing its own risks and hyper-challenges. The data is everywhere, the endpoint is anywhere and employees are super-connected. As IT technology changes, the IT departments are going to have to change with it. “Certain sectors, such as financial services, have a greater level of security maturity but the complexity level increases no matter what industry you are in. However, those industries that did not have a level of maturity are even more at risk from new style IT.” he says. Wong is focused on his task of leveraging the resources that HP has to enable companies to manage the technology changes that are transforming industry, and this means that CIOs and CISOs must to be able to spend less time worrying about security threats and more time driving the business because the business opportunities that IT is delivering are too good to miss. “Security is like brakes on a car – they are there to stop the car but more importantly they enable it to go fast. Without brakes, you would never be able drive fast, because you would have to stop with your feet. Properly implemented security enables businesses to thrive. So at HP I want to deliver on that vision of security as an IT performance enabler. That’s what we are about. We are about understanding risk and reducing that risk by delivering joined-up security solutions. It’s not about stopping things; it’s about setting enterprises free from risk and technological barriers.” ent.security@hp.com www.hp.com/enterprise/security

an independent report from lyonsdown, distributed with the sunday telegraph

Like us: www.facebook.com/biztechreport

Dogberry was pleased to hear that scientists at Lancaster University have developed a method for encrypting confidential information which has been inspired by discoveries in human biology. It is based on a mathematical model on how the heart and lungs coordinate their rhythms

Security research firm ReVuln has discovered it is possible to hack into the Philips SmartTV and take control of it. Its Miracast feature, which allows sharing between devices through Wi-Fi, is enabled by default on the Philips SmartTV, with a fixed password and no PIN or request of permission for any new incoming Wi-FI connections. According to ReVuln, this means anyone in the range of the TV Wi-Fi adapter can easily connect to it and assess numerous features. These include the configuration files located on the TV, files located on the attached USB devices, transmitting video, audio and images to the TV, controlling the TV and stealing the browser’s cookies for accessing the websites used by the user. Twitter: @dogberryTweets

different from any earlier procedure. Inspired by the timevarying nature of the cardiorespiratory coupling functions recently discovered in humans, we propose a new encryption scheme that is highly resistant to conventional methods of attack.” The advantage of this discovery is that it offers an infinite number of choices for the secret encryption key shared between the sender and receiver. This makes it virtually impossible for hackers and eavesdroppers to crack the code.

Cyber attack security firm Websense has released the 2014 Threat Report, which discovered 85 per cent of malicious links used in web or email attacks to be located on compromised legitimate websites. Financial gain remained a highly motivating factor. But some attackers attempted to compromise data for reasons other than making money, such as destroying a company’s data to impair its competitive advantage or to disrupt civic infrastructure or steal state secrets. The Zeus malware, originally designed as a financial threat, was seen hitting the services and manufacturing sectors the hardest, joined by the government and communications industries over the last year.

Bot or not? Research by security company, NTT Group, which analysed three billion cyber attacks in 2014 shows 54 per cent of malware designed to take over compromised systems went undetected by anti-virus solutions. The 2014 Global Threat Intelligence Report also showed 34 per cent of cyber attacks observed were botnet activity, which can make computers perform automated tasks over the internet without you knowing it. Almost 50 per cent of botnet activity detected in 2013 originated from US addresses. The research found 77 per cent of organisations had no incident response plan. The report says: “It is disturbing most

organisations have little to no investment to help navigate critical incidents and minimise damage to their systems, their customers and their brand.”

Business Technology

Information security | 19

Find us online: business-technology.co.uk

Inspector Dogberry by passing information between each other. The discovery is published in the American Physical Society’s Journal Physical Review X and a patent application has been filed. Dr Tomislav Stankovski, Professor Peter McClintock, and Professor Aneta Stefanovska, the scientists behind the research, are based in Lancaster University’s physics department, while the patent application includes Dr Robert Young. Dr Stankovski says: “We offer a novel encryption scheme derived from biology, radically

April 2014

By Matt Smith, web editor

u Editor’s pick Schneier on Security www.schneier.com/blog Infosec expert Bruce Schneier posts his opinions on the latest cyber-security developments on this blog. Recent posts include an explanation of what the OpenSSL Heartbleed bug is and how to ensure your personal information is safe, and other news highlights relating to privacy and information security.

Symantec Security Response

ZoneAlarm Security Blog

www.symantec.com/connect/ symantec-blogs/sr

www.zonealarm.com/blog

Security firm Symantec is always quick to update users on the latest vulnerabilities, scams, and fixes. Find out about the ploys cyber criminals use to try to trick you on Instagram and Facebook, what your business should be doing on Microsoft’s Patch Tuesday, and what the biggest security threats have been over the last year.

The team behind ZoneAlarm security software offer their tips and advice. Includes the myths about malware, what to do now support for Windows XP has ended, and how to keep your Bitcoins secure. Also, scan the archive to find out why your latest friend request may not be as innocent as it seems.

David Lacey’s IT Security Blog www.computerweekly.com/ blogs/david_lacey

AntiVirus Security (FREE – Android)

Avira Mobile Security (FREE – iOS)

Allows you to scan files and apps to detect threats. You can also locate, lock, or even wipe your device if it is stolen.

This app combines anti-virus features with extras that can extend your iPhone’s battery life and help you find a lost device.

Information security expert David Lacey’s blog is full of useful advice and interesting analysis, with a wealth of experience building functions for major organisations and was a major contributor to BS7799, which details best security practices.

Next-Generation NAC Delivers Continuous Monitoring & Mitigation ForeScout has developed an automated security control platform that offers advanced security management The Frost & Sullivan 2014 Global Technology Leadership Innovation Award in Network Security was awarded to ForeScout Technologies based on ForeScout CounterACT™ and its advanced ControlFabric™ architecture. In that report, they noted the following. The evolving threat landscape and increased exposure to cyber attacks, compliance violations and data leakage have made security a business imperative. In response to these threats, organisations have deployed a variety of point security solutions. However, this approach has created multiple silos of

controls and information, increased security management complexity and overtaxed IT organisations already spread thin.

devices, including wired, mobile, remote and BYOD endpoints, as well as ensure endpoint compliance.

The solution? ForeScout CounterACT: An automated security control platform that provides continuous monitoring and mitigation capabilities, complemented by ForeScout’s ControlFabric architecture, which enables interoperability and information sharing between point products. ForeScout CounterACT is a next-generation Network Access Control (NAC) platform that provides real-time endpoint intelligence and policy-based remediation of security issues. CounterACT can dynamically identify, inspect and control all network-connecting

ForeScout’s open, standards-based ControlFabric architecture provides bidirectional interfaces to share contextual information and automate remediation actions across multiple network, security and management products. This enables organisations to make better use of existing security investments and IT resources, and increase situational awareness and responsiveness to security exposures. “Improvements in network security manageability are more than theory. Several companies have made notable strides across

all three phases of management evolution — visibility, implementation and automation — and ForeScout ranks among them,” said Frank Dickson, industry principal analyst, network security at Frost & Sullivan. “ForeScout’s CounterACT platform and the advancement of its ControlFabric architecture enable greater opportunity for customers and partners to materially advance security management.” ForeScout’s solutions are easy to deploy, unobtrusive, flexible and scalable. They have been chosen by more than 1,500 enterprises and government agencies worldwide.

Learn more at www.forescout.com.

an independent report from lyonsdown, distributed with the sunday telegraph

Business Technology April 2014

20 | Information security

Find us online: business-technology.co.uk

Prescribing the Information security is a fundamental part of the healthcare research industry. Joanne Frearson talks to Sarah Lawson, head of IT at one of Oxford University’s research facilities

ExpertInsight

UILDING security into a system and making sure data is ccollected ollected securely is of prime importance at t he Nat iona l Perinatal Epidemiology Unit at the University of Oxford, which conducts medical studies to improve the healthcare of women and their children during and after pregnancy. Sarah Lawson, head of IT and Information Security at the NPEU, says: “My main concern is assuring confidentiality and integrity of the information. It would be making sure all the systems have security built in from day one. We project manage by

building security from top down or bottom up or both ways.” Her role is a combination of looking after various IT projects that she runs within the trials unit, and working on policy and governance within the university itself. She says: “The trials I am involved in I do not have any direct contact with patients. We do not work in the hospital, but work with the data collected from it. What we try to do is integrate with all the NHS trusts in the UK and provide assistance to collect information securely in an easy fashion. “We anonymise everything we can or encrypt information to make sure identity remains confidential. Making sure things are confidential is absolutely our business – without it we would not have a business. I think it is really important to make sure all staff and researchers understand confidentially and integrity.” Information security starts from the inception of a project. “A particular project would involve designing the systems and making sure there are different layers of security. It is about making sure

the programming team build in their own security, making sure we have externals coming into check that we are doing the right thing.” Lawson says her biggest threat is user error, such as someone doing something accidently like taking a laptop home when they should not. She says: “We do provide whole-disk encryption and encrypted memory sticks, as well as putting restrictions on when and where data can be seen. If it is highly secure we do not allow researchers to look at it outside the units. “If in an event that a laptop did leave the building and it was left on the Tube, they all have whole-disk encryption which should make it impossible for anyone else to get in. “The university itself has had laptops returned because people have stolen them, taken them to the pub, and realised they cannot get into them. Or they have taken it to an Apple dealer and said ‘can you break this?’ The Apple dealer has clearly realised it is encrypted and therefore stolen and given it to the police who have returned it to the unit it came from.”

Defending advanced cyber attacks through privileged account security Q&A with Udi Mokady (below), founder, president & CEO of CyberArk INDUSTRY VIEW What is privileged account security and why is it important? Privileged accounts act as the keys to the IT kingdom. In the hands of an external attacker or malicious insider, privileged accounts are a means to take control of any part of the IT infrastructure, including industrial control systems, and open a door to steal confidential information and commit financial fraud. Privileged account security solutions proactively secure and manage privileged credentials, monitor privileged account activity, and detect abnormal user behavior. This enables organisations to protect against, detect and respond to in-progress cyber attacks before they strike vital systems and compromise sensitive data.

What technologies are available to help companies identify and stop attacks targeted at privileged credentials after they have breached the perimeter? Many organisations still rely on traditional enterprise security solutions, such as anti-virus and perimeter-based technologies, to protect their critical data. However, these tools have been proven to be

ineffective against advanced external cyber attackers. With this in mind, organisations should employ a privileged account security solution that provides proactive protection and monitoring of these accounts and credentials. New tools are available that analyse privileged account behaviour in real-time, allowing organisations to identify abnormal privileged access or activity and provide immediately actionable intelligence to IT teams. For instance, if a systems administrator typically accesses the network during the week between 9am-6pm, and their credentials are used in the early hours of the morning, this is a potential attack indicator.

What recommendations do you have for companies beginning to look at protecting privileged accounts? First, organisations should ensure that they are managing all privileged credentials, whether associated with users, applications or network devices. Discovering, auditing and understanding vulnerabilities in privileged accounts across the network can address challenges associated with security and risk management as well as audit and compliance. This can be more complicated than it sounds. A CyberArk survey of IT security professionals revealed that more than 86 per cent of large enterprises either do not know, or have grossly underestimated, the magnitude of their privileged account security problem. To address this,

CyberArk offers a free tool to help organisations get a complete list of all privileged accounts on the network, as well as a status report on whether the accounts are in compliance with company policy.

What are some privileged account security best practices to maximise protection while minimising burden to the business? Organisations should be looking for scalable and layered solutions that address several key areas. First, discovery of all privileged accounts across the organisation is essential. The ability to protect, manage and audit privileged account credentials is also a must. CyberArk also advocates the use of real-time analytics to detect in-progress attacks.

How does CyberArk help organisations protect against advanced threats? One of the most critical layers of an effective advanced threat protection strategy is the implementation of a privileged account security solution. CyberArk enables our customers to proactively protect against, detect and respond to in-progress cyber attacks before they strike vital systems and compromise sensitive data. For further information, visit CyberArk at Infosecurity Europe 2014 (April 29 – May 1) at stand E55, or contact Leeanne Baard on +44 (0)20 3728 7040 leeanne.baard@cyberark.com

an independent report from lyonsdown, distributed with the sunday telegraph

BizTech’s

ExpertInsight

Lawson believes the future will hold more innovative ideas for information security. At the moment she is looking at ways to make it easier for new parents to sign up for their children to take part in possible future trials. She says: “We want to make sure the parents are assured that anything that is handed to us is kept securely, handled properly and the results will benefit future children. It is trying to find ways of getting the data we need in easy, innovative and secure ways. “All the big data stuff, all the data sharing the NHS is trying to do, is about how we can integrate everything in a secure and careful way that will suit everyone, I think that is quite exciting and there are lots of new things that we can do. “There are various things we are looking at for using iPads in the intensive care areas. The clinicians can use apps to record information. We are thinking of ways to integrate this to capture patient information at source throughout the NHS. “They are using electronic systems now and we are talking to those trusts about how we can directly link to these. It is all fairly new, so it is trying to make sure you can do so in a secure way.”

Information security | 21

Find us online: business-technology.co.uk

right tablets C-Suite spot

Business World United States

The United States Senate Committee on Commerce, Science and Transportation has released a report on last year’s cyber attack against retailer Target. In the attack 110 million Target customers had financial and personal information stolen. It suggested weak security from the third-party vendor Target used allowed the attackers to gain a foothold in their network. Once inside the hackers were able to move from less sensitive areas of Target’s network to areas storing consumer data. The report suggests Target failed to properly isolate its most sensitive network assets as well as fail to respond to multiple automated warnings from the company’s anti-intrusion software.

China

The NPEU centre at Oxford University; left: head of IT Sarah Lawson

Business Technology

A report by PricewaterhouseCooper’s on the Global State of Information Security 2014 shows China eclipses other Asian countries when it comes to security practices and policies in companies. For example, 60 per cent of respondents from China use behavioral profiling and monitoring, 73 per cent have centralised user data storage and 72 per cent employ vulner-

ability scanning tools, all higher than adoption rates of other countries. China had also a high rate of implementing security policies for mobile devices, BYOD and social media. There were 71 per cent of respondents from China who have a policy in place for the use of personal devices on the enterprise network.

Germany

The German Federal Office for Security in Information Technology (BSI) has confirmed that about 18 million email passwords have been stolen. The theft was discovered in the German city of Verden (below). BSI has set up a process on its website for concerned people to check if they have been a victim of the theft as well as give them information about necessary measures needed to protect themselves from it. The scam enables the hackers to log into not only email, but other online accounts such as social networks, and send spam emails.

Like us: www.facebook.com/biztechreport

April 2014

The hidden threat: are your employees putting company data at risk? The more a business understands the risks, the easier it will be to create a secure environment INDUSTRY VIEW

ata has been vulnerable since it started being stored, moved and transported. From the Enigma machine and Watergate to WikiLeaks and Edward Snowden’s NSA revelations, there have been numerous events to affect how information is managed and ultimately, shape how the world looks at data. As a result the value of data and the impact of misplacing it is now clear – and nowhere is this more apparent than in business. Already this year, a Morrisons employee has been arrested for stealing payroll data, and a Barclays employee gave a national newspaper a memory stick containing the private data of 2,000 customers. The Information Commissioner’s Office can fine firms up to £500,000 – so the threat to businesses is serious. Against this landscape, one would expect businesses to put robust measures in place to prevent data breaches. However, our recent

Absolute Software Mobile Enterprise Risk research showed that a third of enterprise employees describe the security culture of their workplace as moderate or lax, only 63 per cent say there is a formal procedure in place when a device is lost, and 30 per cent say there are no personal penalties for losing a device. Added to this, statistics showed that 23 per cent of employees claim that data security is not their responsibility, while 15 per cent admitted to having lost a smartphone or tablet, rising to 25 per cent in younger employees aged between 18 and 34. These statistics show that, despite the risks, neither businesses nor employees are taking responsibility for data. So how do we remedy this? Work has to be done on a granular level to educate on the very real threats and implications of data loss. Ultimately the weakest link may be the psychology and culture of a business and training and education needs to become a priority. In addition to this, IT decision-makers have to make sure they implement a robust device and data management solution. If a device is lost, stolen or

otherwise abused, the IT team has to be in a position where it can manage the problem. The key here is to find a solution that offers persistence by being installed on the device firmware, making it impossible to remove. This means that, even if the device is wiped, it can still be tracked, disabled and the data recovered. Absolute Computrace with persistence technology is a great example of a device tracking solution that offers this level of reliability and security. The message is this – employees need to be informed about data security and this comes from an understanding throughout the hierarchy of a business. The more a business understands the risks out there, and the potential impact on the company, the easier it will be to work together with employees to create a secure environment. However, data protection shouldn’t just stop at education. Any initiative like this must be coupled with strong security policies and the right tools for securely tracking and managing every device that has access to your corporate network. 0118 902 2000 www.absolute.com

an independent report from lyonsdown, distributed with the sunday telegraph

Like us: www.facebook.com/biztechreport

April 2014

Find us online: business-technology.co.uk

Business Technology

Information security – Industry view | 23

The debate

Where are organisations most vulnerable? Aviv Raff CTO Seculert

Stephen Midgley Vice president, global marketing Absolute Software

Hugh Boyes Cyber security expert, Institution of Engineering and Technology

Kevin Epstein VP Advanced Security & Governance Proofpoint

Dan Raywood Editor ITSecurityGuru.org

In the last 12 months many large enterprises have taken steps to reinforce their defences against targeted, advanced cyber attacks. In the wake of these efforts, however, many have found that their biggest point of vulnerability has moved from the network perimeter onto the devices and infrastructure within their network. As many modern threats are designed specifically to circumvent the perimeter defences of a single corporate entity, they present a clear and present danger to the security and integrity of large enterprise networks. The issue in detecting this kind of threat is that breach detection systems use only recently collected data, focus solely on prevention, and raise an alarm every time they “think” they’ve observed a new attack. Unfortunately, this tends to raise too many alarms for which too few people must respond. The best way to identify this kind of internal resident threat is by observing how they behave over time and identify exactly which systems are compromised. Security professionals can then isolate the infected systems and take swift remedial action.

Bring Your Own Device is creating multiple points of vulnerability for the average business, adding a layer of complexity to the challenge of keeping your company data secure. The days of an old corporate BlackBerry have been replaced by a landscape where you can bring your own device into the workplace, load it up with work data and then carry it off into your personal life. There are clear efficiency benefits to this, but from a security standpoint, it means that these devices are more likely to end up in bars, on trains or on holiday. Ultimately this makes it much easier to lose the device and the sensitive or confidential company data held within it. As our work and personal lives become more entwined and the way we work becomes increasingly mobile, the risk for business increases exponentially. Once a device is lost or stolen, it can be difficult to recover, let alone protect the data on it.

People rather than technology are typically the cause of most cybersecurity vulnerabilities. Whether it is the organisation’s own staff and contractors or customers of any online services it provides, people can undermine security measures and compromise the systems. It is people rather than systems that open phishing emails and their malware-laden attachments, or follow links to dangerous web pages. People take short cuts, such as using simple passwords, and reusing passwords across multiple websites or applications. They also copy sensitive material onto removable media, increasing the risk of it being lost or compromised. Some of them are also responsible for writing poor software, which is not trustworthy. To address these vulnerabilities we need to raise user awareness, help them understand the risks, and encourage them to take responsibility for their actions. In our education and training establishments, we must improve the knowledge and skills of those who will become software engineers, so that they develop and deploy trustworthy software.

Email and people combined created the largest single point of organisational vulnerability last year, and 2014 will be worse. A staggering 95 per cent of data breaches* last year originated with a targeted attack via mass-customised “industrial” email phishing campaigns (aka “longlining”), with even well-trained organisations experiencing one in 10 employees clicking links in any given attack. After multiple attacks, odds rose to 60 per cent that any given employee would have clicked such links, effectively inviting attackers into the organisation. Compounding the issue, one in five clicks happened “off network”, when employees accessed email from home, on the road or via mobile devices – outside of traditional gateway-based protection. Proofpoint’s human factor phishing research and advanced threat protection technologies are why the top global organisations rely on us - see why www.proofpoint.com/ threatinsight and why we’re shortlisted for SC Magazine Europe 2014 Email Security Solution of the Year.

The main area where businesses are vulnerable is around the lack of a perimeter – in other words there is no secure wall around the business. This has been caused by two things: firstly the lack of control over personal devices being brought into the business and employees using their own phones and tablets to access corporate networks; and also by more and more third party applications being used. While those applications may be safe and secure, the problem is it is another “break” in that perimeter wall, and another place where access can be gained for an attacker, as they could compromise that third party and use that as an access point to access the company directly. This has been the case in several incidents and organisations should be wise to this potential threat by not only monitoring access via those channels, but providing secure VPN access into the network.

0118 902 2000 www.absolute.com

ExpertInsight

+44(0) 203 355 6444 info@seculert.com

+44 (0)1438 767336 www.theiet.org

www .ITSecurityGuru.org

0870 803 0704 www.proofpoint.com/uk *Source – Proofpoint ThreatInsights Research

Time to move to mobile enablement F or well over a decade, the debate about mobile in business has ebbed and flowed. While the emphasis has largely been on the deployment, management and security of devices, the ubiquity of mobile now paves the way for realising the transformative effect that it can have on every workflow, process and transaction. Business leaders must shift their attention to mobile enablement and leverage the ubiquity of mobile to their advantage. Below are five key areas that business leaders need to consider: • Strategy: The IT department has spent the past five years scrambling to make an endless stream of devices fit for purpose and use within a business. Businesses leaders must move from this reactive, tactical approach to one that is focused on deploying technology that will allow them to meet and anticipate future needs. • Security and usability: There has been an increased emphasis on the importance of mobile security

but this must not dilute usability. Businesses must strike the right balance between robust security and individual usability, without compromise.

• COPE: The security-conscious climate is driving businesses away from BYOD to the COPE (corporate owned, personally enabled) model, which enables them to select and roll out devices without restricting usability. • Apps: Consumer apps have simplified access to information, entertainment and a myriad of other content. Business apps can offer the same benefits: businesses should seek to create customised apps that mobilise and consequently accelerate routine business processes.

• Embedded mobile: the Internet of Everything is quite literally everywhere. But embedded technology offers untold opportunity in terms of process, efficiency and customer responsiveness. Businesses need to consider today how different devices will interact with one another tomorrow to ensure that their organisation can capitalise on the opportunities that the increasing ‘mobilisation’ of every type of device will bring.

Mobile will imminently become the primary computing platform: it’s time for businesses to put it to work. Mike Gibson is head of enterprise sales at BlackBerry UK http://uk.blackberry.com/

One example of technology contributing to security, in a very real way, is with panic rooms. Joanne Frearson reports MAGINE a room hidden in your home which no one knows about. A secret door disguised as a bookcase conceals the entrance to it. To get in, you have to play a sequence of notes on a piano, or press a series of buttons camouflaged among furniture around the room. This may all sound like something out of a Batman or James Bond movie – in fact, they were the subject of the 2002 David Fincher film Panic Room, starring Jodie Foster – but panic rooms do exist in real life. They are being built around the world in increasing numbers to provide people a safe place of shelter against potential threats such as home invasion, kidnappings or even natural disasters such as tornados. Creative Home Engineering is a company that builds the secret doors guarding the entrances to these rooms. High-tech security devices are being used to create the elaborate ways people can escape into their concealed rooms and protect themselves once they are inside. Steven Humble, founder of Creative Home Engineering, says: “Sometimes they have sophisticated biometrics access controls. For example, you might have to scan your iris to get in the secret room. Every client is a little bit unique with regards to what they need. “Biometric is nice because you do not have to worry about remembering a code

and you do not have to worry about anyone else getting in. It is really popular for people that do not want their kids to be able to access the secret room. It certainly is a higher level of security, if it is biometric. That draws in a lot of people.” But not everyone wants biometric access controls. Humble says: “With biometric access control you have to worry sometimes about getting a false negative, which means that you scan your print or your iris or whatever it is and the machine takes a second to accept it. If you do it wrong, you might have to enter your finger a second time. “In a panic room situation, there are often times when we do not use biometrics access control. Instead we will use a secret button in a place that is very quick for the customer to run in there.” Access controls for the secret doors are customised for each person. “This is where it gets fun for us,” Humble says. “One is the access control, it is always a mix of practicality and also whimsical fun aspects, for example, people have seen the original Batman TV show, everybody knows about the Shakespeare bust [which opened the Batcave via a secret switch]. People ask for that, or they have seen a movie where you have to play a certain sequence of notes on the piano and that is what opens the secret door. We provide that for them. There are always a lot of fun and unique type switches. “If they can just visualise or imagine a way their ideal panic room or secret door would work or look and can describe it to us, we will make it happen for them. That is the most gratifying part of our work, being able to do something no one has ever done before. “We are working on a bunch of secret doors for a client that has 10 secret passageways in this residence. They have a couple of them which they want to be operated by pushing a secret button, but they do not want to push a secret button just one time because that is not secure enough. “They want it to be when they push the secret button in a certain sequence of timed button pushes that unlocks the secret door. They will set a code like three, five and seven. They will push the button three times and then pause and then five times and seven times and then the secret door will open.

“That in itself is a bit of a technological challenge. Then on top of that they want a fast mode, so when they flip a switch that would be located inside the secret room the button would be able to be pushed once and then the door would unlock.” A lot of technology goes into creating these different access control devices. At Creative Home Engineering they will design their own circuit boards or electrical systems that can accomplish what they need them to do. “If there is an existing technology that we can use then that is better,” Humble says. “For example, in the automation industry, there are robots that do things automatically. Those robots are controlled by computer systems and you can obtain one of those computer systems and re-programme it to operate a secret door. “There is some programming expertise needed to do the job. Every once and a while we will come up with something for which there is just nothing out there that does what we need, so in those circumstances we have to develop that technology. “Manufacturing that sort of thing is like manufacturing anything else. We are engineers, that’s what we are trained to do. We look at the system, we design the parts to go into it and go to the people who make the individual components and have all the parts fabricated, put it all together, test it and use it. “We have built staircases that telescope down out of the ceiling. We have built heavy safes that have come up out of the floor and every different kind of secret door you can imagine.” But if certain types of technologies are used to open secret doors, it could also make them vulnerable to cyber-attacks. He says: “Some people will say, I want my iPhone to open my secret door. We can certainly do that for you. But that is one that is potentially vulnerable to a cyberattack. If someone really does not be want to be vulnerable to a cyber-attack then we will build a different kind of system that has absolutely no internet connectivity, so that it is impervious to cyber-attacks.” There are also concerns about

Below: Creative Home Engineering founder Steve Humble with one of his creations

what happen if there is an electrical failure or power outage and if someone could potentially get stuck inside a panic room. He says: “We have it so the systems have an automatic clutch system or some sort of break-away connection. If they need to they can be manually operated or they will have an override mode. Those are all unique technologies that we have to develop. We build panic rooms so people can get out under any circumstances.” Whether a secret door is triggered to open by playing a series of notes on a piano or a Shakespeare bust device like the one Batman used, technology is helping to secure panic rooms and protect people from potential threats in their home.

Above, right and below left, opposite: examples of the kind of secret doors Creative Home Engineering produces