Information security

“It’s not feasible to spend millions building a security centre”
Rackspace’s Brian Kelly on why he thinks cloud security is the perfect solution for SMEs

May 2015

A supplement: Information security

So you want to be a cyberanalyst for Lockheed Martin? First, you’ll need to answer this question (among others)

There are three lights in one room connected to three switches outside. You can only go into the room once. How do you work out which switch connects to which light? See Pages 10-11

DISTRIBUTED WITHIN THE SUNDAY TELEGRAPH, PRODUCED AND PUBLISHED BY LYONSDOWN WHICH TAKES SOLE RESPONSIBILITY FOR THE CONTENTS


Business Technology · May 2015


AN INDEPENDENT REPORT FROM LYONSDOWN, DISTRIBUTED WITH THE SUNDAY TELEGRAPH

THE ESSENTIALS

Publisher Bradley Scheffer | Editor Daniel Evans | Production Editor Dan Geary

Opening shots: Shane Richmond

A question of priorities: I’m concerned by confused thinking around digital security

THE APPOINTMENT of Joanna Shields as Minister for Internet Safety and Security earlier this month raises questions for those involved with information security. Not because of Baroness Shields herself, it should be said. She has plenty of technology experience, including at Google, Facebook and, most recently, as chief executive of Tech City. The concern is her remit.

Her role, according to the government website, covers three areas: “making the internet a safer place for children by curbing online abuse, exploitation, bullying and access to harmful content”; “working with the Home Office to remove terrorist, radicalising, and extremist content from the internet”; and “promoting safe, open access to the internet for everyone”.

Making the internet safer for children is the kind of vague aim that allows governments all sorts of latitude. This government proposes filtering internet content by default and has unhelpfully conflated child pornography with adult pornography. Online abuse and bullying, meanwhile, are a real problem, but surely one that is more a matter for parents, schools and, when necessary, the police.

Second comes the goal of tackling extremist content. There are troubling free speech concerns here, too. Who decides what is extremist and radicalising, and how? Furthermore, the suggestion that anything can be “removed” from the internet is naive. With both these objectives it appears that the government intends to make companies like Google and Facebook police the web, holding them responsible for removing content that falls foul of the authorities. Baroness Shields’ background at those companies might help her to exert that pressure.

There isn’t space to go into either issue here but obviously I, like any sensible person, am against child pornography, bullying and terrorism. But I’m not convinced that this government knows how to tackle any of those things effectively.

The Minister for Internet Safety and Security should have more important concerns. Consider, for example, reports last month that Britain’s railway systems could be susceptible to hacking. Or recent news from the US that a security researcher has been arrested for having allegedly claimed to have hijacked a commercial airliner, mid-flight. The risk in either case is low, but that is partly because hackers have not yet targeted transport.

How high up on Baroness Shields’ to-do list are these threats? While transportation attacks are theoretical for now, what is real is the threat to business and consumers from data breaches. A May 2014 report by IBM and Ponemon Institute found that of 314 companies surveyed, in 10 countries, every single one had experienced a data breach of some kind, at an average cost of $3.5 million. And this is a problem that will get worse. The rise of the internet of things – which will be considerable during this government – will see many more points of attack for hackers, from smart homes that leak data to smart glasses that can be hacked to gain access to a corporate network.

This should be within Baroness Shields’ remit – and perhaps it is, tucked away in that third item, “promoting safe, open access to the internet for everyone”. If it is – and let’s hope that’s the case – it still means a whole world of threat is being woefully underplayed.

Twitter: @shanerichmond


Client manager Emma Sutherland e.sutherland@lyonsdown.co.uk | Project manager Marc Morrow | Contact us at info@lyonsdown.co.uk

86 per cent of websites at risk from hackers, says WhiteHat
By Joanne Frearson

COMPANIES THAT leave their websites vulnerable to hacking can face devastating consequences. Website breaches can lead to fraud, identity theft, regulatory fines, brand damage, lawsuits and financial costs, with losses potentially running into the millions. Even though software bugs such as Heartbleed and Shellshock exposed weaknesses in hundreds of thousands of company websites, many are still vulnerable to being hacked.

Data from a recent study by WhiteHat Security, which examined the vulnerabilities of more than 30,000 websites, showed the majority of organisations have some kind of weakness in their systems. WhiteHat found that 86 per cent of all websites tested had at least one flaw considered serious enough to potentially allow a hacker to take control over all, or some part, of the website, compromise user accounts on the system, access sensitive data, violate compliance requirements, and possibly make headline news. Some 56 per cent of websites had more than one of these vulnerabilities.

Of the sectors WhiteHat studied, the report found 55 per cent of retail trade sites, 50 per cent of healthcare and social assistance sites, and 35 per cent of finance and insurance sites were always vulnerable to a serious breach. Insufficient transport layer protection – weaknesses in the encryption, such as TLS, that secures communications between browser and server – was the most common class of vulnerability on these websites.

Jeremiah Grossman, founder of WhiteHat Security, says: “This year’s report has shown that the amount of time companies are vulnerable to web attacks is much too long. Increasing the rate at which these vulnerabilities are remediated is the only way to protect users.”

The study showed remediation rates were low for these sites considered to be “always vulnerable” to web attacks. The remediation rates for healthcare, retail trade and finance were 20 per cent, 21 per cent and 27 per cent respectively.

According to WhiteHat, the best way to lower the average number of vulnerabilities, speed up time-to-fix, and increase remediation rates is to feed vulnerability results back to development through established bug-tracking or mitigation channels. Firms that feed vulnerability results back to the development team had 40 per cent fewer vulnerabilities, fixed issues nearly a month faster, and had their remediation rates increase by 15 per cent. The report explained that this approach makes application security front-and-centre in a development group’s daily work and creates an effective process for solving problems.

Grossman says: “From our research, what matters between the spectrum of those who are always vulnerable and rarely vulnerable is less about the programming languages, industry vertical, size of the organisation, and so on.

“What seems to matter more than anything else is organisations having a strong internal driver, and a culture of accountability for fixing identified vulnerabilities in a specific timeframe. The executive-level mandate creates an environment for the development groups to create effective remediation processes.”

Organisations that were compliance-driven to remediate vulnerabilities had the lowest average number of vulnerabilities, at around 12 per website, and the highest remediation rate, at 86 per cent.

WhiteHat also recommends that organisations create a metrics programme that tracks the areas they want to improve upon, and then identify the activities most likely to address each weakness. WhiteHat also advises, however, that if an activity shows no measurable benefit, companies should save time and energy and try something else.

Grossman says: “The best approach is for organisations to identify specific security metrics they’d like to improve upon, and then strategically select activities most likely to make a positive impact.”



Find us online: business-technology.co.uk | Join us on LinkedIn: Business Technology UK

Bring Your Own Key – helping you stay secure in the cloud

CLOUD COMPUTING has opened up exciting possibilities for businesses to reduce the costs of in-house operations, increase operational flexibility and create competitive advantage. However, the move from the physical to the virtual is also forcing organisations to consider the level of control they are willing to relinquish to the cloud provider in order to reap these benefits. This is particularly true of encryption and key management, which lie at the heart of a strong cloud data protection strategy.

When we think about the cloud, one of the big concerns that springs to mind is its multi-tenant nature. In allowing multiple organisations to use the same core infrastructure, it’s inevitable that you will end up sharing the cloud with other customers – maybe even your competitors. As a result, establishing and understanding the trust relationship that you have with your cloud provider is absolutely crucial.

If we think about the issue of establishing trust in the cloud environment, the challenge of managing keys comes into stark focus. Cryptographic trust comes down to the secrecy and quality of keys – and keys are the Achilles’ heel of crypto. Giving away control of your keys will almost always mean giving away some control over your data. The recent Thales Encryption and Key Management Trends report reveals that concerns over inadvertent exposure, including e-discovery, now outweigh concerns over actual attacks by more than two to one.

Currently, the problem is that if keys are unnecessarily exposed they can be easily found, stolen or substituted. Even if an attacker can’t actually steal the keys, they can still attempt to misuse them, typically by corrupting the applications that have the rights to access them. It’s therefore important to minimise the group of individuals that can manage your keys, and that means isolating them from cloud service providers and potentially from app developers, testers and contractors as much as possible. We’ve learned that no matter where they are, keys must be locked down.

Theoretically the safest option is to keep control in-house, encrypting and decrypting data and managing the keys only within the enterprise. The big leap is when you allow keys to be used in the cloud – then the question is where they are managed: by the enterprise and in the enterprise, by the enterprise but in the cloud, or by the cloud service provider (CSP) in its own cloud. The goal for any security-oriented CSP must be to provide the reassurance that it does not have the ability to touch your keys, and that you, the customer, can upload and, more importantly, delete keys whenever you require. These types of “Bring Your Own Key” or BYOK policies can help by allowing organisations to have complete ownership of their own keys. BYOK can protect both the customer and the cloud provider simultaneously.

A great example of BYOK is the recently announced Microsoft Azure Key Vault service, which essentially creates a “crypto-as-a-service” capability within Azure. Keys that are managed in on-premises Thales HSMs can be securely uploaded to Azure-based HSMs to provide end-to-end assurance. Any Azure-based application can use the Key Vault service to access a variety of key management capabilities, such as key creation, backup and rotation, as well as basic crypto operations like encrypt/decrypt and sign, and has the option to perform all operations within the secure boundary of the HSM. But Key Vault is more than just a good source of strong keys and a safe place to keep them; it also creates true separation between security operations teams and application owners.

With organisations using the cloud to store their most valuable assets, it’s important that they are given the guarantee that their keys are sufficiently isolated, and their documents and data safely protected. With sensitive data secured with keys that you fully control, you can rest assured knowing that your secrets will never be visible to anyone but you.

John Grimm is senior director of product marketing, Thales e-Security. To find out more about the Thales BYOK deployment service for Microsoft Azure Cloud Applications: 01223 723600, www.thales-esecurity.com
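The passage above argues that whoever controls the key controls the data, and that a customer should be able to upload and, crucially, delete keys at will. The Go program below is an added example written for this page, not Thales or Microsoft code and not the Key Vault API: it implements envelope encryption with a customer-held key-encryption key (KEK). The KeyVault, Envelope, Encrypt and Decrypt names and the in-memory vault are assumptions made for the illustration, and the payroll record is constructed sample data. The provider side holds only ciphertext and a wrapped per-object data key, so a second tenant's vault cannot unwrap it, and once the owner deletes the KEK the stored data is unrecoverable by anyone.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyDeleted: the owner withdrew the KEK; nobody, provider included, can read the data now.
var ErrKeyDeleted = errors.New("key-encryption key has been deleted by its owner")

// KeyVault is an assumed stand-in for the customer-controlled HSM (not the Azure API); the KEK never leaves it.
type KeyVault struct {
	kek []byte // nil once the owner deletes the key
}

// randomBytes panics on CSPRNG failure, which key-management code cannot recover from.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewKeyVault generates a fresh 256-bit KEK inside the vault; Delete is the owner's kill switch.
func NewKeyVault() *KeyVault { return &KeyVault{kek: randomBytes(32)} }
func (v *KeyVault) Delete()  { v.kek = nil }

// Wrap encrypts a per-object data-encryption key (DEK) under the KEK; Unwrap reverses it and fails if the KEK is gone or the blob was altered.
func (v *KeyVault) Wrap(dek []byte) ([]byte, error)       { return seal(v.kek, dek, []byte("dek-wrap")) }
func (v *KeyVault) Unwrap(wrapped []byte) ([]byte, error) { return open(v.kek, wrapped, []byte("dek-wrap")) }

// Envelope is all the cloud provider stores: ciphertext plus a DEK it cannot unwrap.
type Envelope struct{ WrappedDEK, Ciphertext []byte }

// Encrypt makes a fresh DEK, encrypts the data with it and wraps the DEK in the owner's vault.
func Encrypt(v *KeyVault, plaintext []byte) (*Envelope, error) {
	dek := randomBytes(32) // dropped on return; only the wrapped form is kept
	ct, err := seal(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := v.Wrap(dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt asks the vault to unwrap the DEK, then opens the data with it.
func Decrypt(v *KeyVault, e *Envelope) ([]byte, error) {
	dek, err := v.Unwrap(e.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, e.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if key == nil { // the owner has deleted the key
		return nil, ErrKeyDeleted
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal is AES-256-GCM with a random 96-bit nonce prepended to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and rejects any ciphertext or AAD that fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

func main() {
	vault := NewKeyVault()
	env, _ := Encrypt(vault, []byte("constructed sample: payroll record")) // provider sees only env
	pt, _ := Decrypt(vault, env)
	vault.Delete()
	_, err := Decrypt(vault, env)
	fmt.Printf("owner holds KEK: %q\nafter owner deletes KEK: %v\n", pt, err)
}
```

Run with go run: the first Decrypt returns the record, the second fails with ErrKeyDeleted. In a real deployment the wrap and unwrap calls sit behind an HSM or key-management service boundary so the KEK bytes never exist in application memory; the in-memory struct here only stands in for that boundary, which is the separation between security operations and application owners the article describes.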

Follow us on Twitter: @biztechreport


Like us: www.facebook.com/biztechreport | Contact us at info@lyonsdown.co.uk

Bosses must instil a security culture from the top down
By Joanne Frearson

CYBER-CRIME is a growing threat to companies. It can cause not only financial damage, but reputational damage as well. Boards need to have an information security strategy at the top of their agenda to protect themselves against these attacks.

“People have become much more aware that it is not just about the impact on stock price,” says Steve Durbin, managing director of the Information Security Forum, about the current threat landscape. “It is also about the impact on reputation. Organisations are fiercely protective of their brands.”

Durbin believes cyber-security risks to an organisation must have a regular slot on the board’s agenda. He says: “It is about how you get the most appropriate information flowing between the board and the business. The CEO doesn’t want to have to worry about patching. But the CEO’s job is to set the mood across the organisation, which includes the management of risk in cyberspace.

“It is about setting the tone and having someone responsible at the higher level that can make sure the business can be aligned with those strategic principles that the board is setting.”

It is increasingly important for boards to have an information security strategy in place as threats to businesses progressively rise, Durbin believes. “Cyber-crime gangs are becoming more collaborative, organised and sophisticated in their attacks,” he says. “Intellectual property theft is emerging more and more as an issue in the pharmaceutical area as well as the computing, defence and manufacturing industries.”

Attacks which involve financial crime are also growing. “Financial services are always going to be at the front end and they will continue to be one of the most attractive targets as that is where the money is,” Durbin says. State-sponsored attacks to get hold of information to be used for intelligence purposes rather than anything else are also increasing, to a level that we have previously not seen, Durbin warns.

The best way to prevent an attack, he says, is for organisations to make themselves look as unattractive as possible. “There are some really basic things you have to get right,” he says. “They are the boring side of information security. They are the things like the policies, the processes, making sure that your systems are up-to-date and that you have patched appropriately.

“Then it is into areas of people. How do you really embed security awareness as a natural part of their day job? To do that effectively, you have to take a step back and ask, what are we actually trying to protect? What are the important elements of the business that we need to put the focus on? It is a bit like doing a risk assessment of your organisation.”

Durbin believes the industry is at its most vibrant. There is a huge demand for cyber-security skills, he says, “that we have never seen before because of the real push towards trying to align security with the business.

“That is a significant change we have seen probably over the last 12 to 18 months, where businesses are ready to understand that information security is an enterprise risk, as opposed to the way they viewed it in the past, which was perhaps an IT-related issue.”

However, despite the proliferation of services being offered to fight cyber-crime, Durbin does not think it is possible to stop it completely. Companies are also being challenged by regulatory pressures across various jurisdictions in regard to the handling of information and data. Says Durbin: “If you are a multinational, how do you understand what the regulatory pressures are in the different geographies that you work in? That is going to increase. We do not have a flat landscape in that. The European Union takes one particular view and we are seeing other parts of the world – Malaysia and Singapore, for instance – introduce their own personal data laws.

“It is really presenting challenges for multinational organisations. It is about understanding what the different regulations are in each jurisdiction in which you are operating. If you are a large Fortune 100 company, you have probably got your own legal counsel which you can push this problem onto.

“But if you are a medium-sized enterprise and you happen to sit in a complex supply chain, you are going to be relying on government support and perhaps on the larger providers to give you some insight in this area.”

Global payment taskforce set up to protect small enterprises

THE PCI Security Standards Council (PCI SSC) has launched a global taskforce to help improve payment data security for small businesses. The Small Merchant Taskforce, which will be co-chaired by Barclaycard and the National Restaurant Association, will collaborate on guidance and resources that simplify data security for these types of businesses.

Small merchants are highly prized targets for hackers and cyber-attackers, as they rarely have the technical knowledge or resources to understand how to apply PCI Standards to protect payment data against today’s threats.

Phil Jones, payment security manager at Barclaycard, who is co-chairing the taskforce, says: “Though incidents of fraud are low, it’s small merchants that are particularly vulnerable. They usually have very limited resources and technical expertise at their disposal, and often lack the necessary tools, information and education to recover and prevent them. Helping these businesses will be a key focus of the taskforce’s efforts.

“By working together we aim to provide practical ways to help improve the security of smaller merchants, reduce their risks, and make the experience of PCI DSS compliance quicker and less complicated for them.”

The taskforce will rely on cross-industry expertise to develop resources that help small merchants understand how to protect payment card data and resolve risks to their businesses. Specifically, the group will provide best practices and recommendations on what is needed to protect the payment environment, including working with security assessors, vendors and service providers. Market insight will be used to give the PCI Council input into the current trends, issues and concerns for small merchants, and the group will provide simplified guidance for small businesses, with content specific to their needs, that will help them take advantage of PCI best practices, standards, training programmes and solutions.



Boredom: the most insidious security risk

IT’S AMAZING what we can get used to. Psychologists use the term “habituation” to describe the phenomenon where you no longer notice the things that were once startling – traffic noise when trying to sleep in a new home, for instance, or the loud ticking of a clock. Wearing a hat feels weird if you’re not used to wearing one. And then, after just a few hours, not wearing a hat feels weird.

Unfortunately, the same is true of security warnings. We may pay attention to a single pop-up warning as we browse the web, but repeated warnings result in a sharp drop in the visual processing that takes place in the brain. Earlier this year, researchers from Brigham Young University used an MRI scanner to measure how bored people were by repeated security warnings as they browsed online – after 13 repetitions they barely noticed them.

2014 was another bumper year for security breaches. Each week, it seemed, a new story broke about a data hack at big corporations, small businesses and every kind of company in between. The Ponemon Institute, a research centre dedicated to information security policy, reported that 43 per cent of companies experienced a data breach last year, compared to 33 per cent in 2013. The rate of growth looks set to continue in 2015. The dangers become ever more intense, and any sensible company has redoubled its efforts to keep its users informed of potential threats and how to keep data safe.

And that’s a problem. Habituation, or “breach fatigue”, means that there’s a real risk of people simply ignoring the warnings. There are only so many times you can sound the alarm before it just fades into background noise. So what can companies do to make sure security remains an active concern? Applying the “three Es” is a good place to start:

Educate
Continue treating security breach awareness as a priority by keeping it top of mind in face-to-face conversations and internal emails. Using a mix of different educational methods and tools will help avoid habituation. Emails may get the information out, but periodic face-to-face meetings with users can shake out the complacency and give you the opportunity to present your version of an IT security “State of the Nation” address.

Enforce
Creating rules and best practices for the workforce is a solid start. But they’re no good if they’re not enforced. In other words, don’t just create policies – apply them. People can become habituated to best practice just as they can become inured to warnings, so making it second nature is the best way to make sure it is applied.

Embed
Review the solutions in place to protect all of your business systems. A cloud-based platform makes automation of anti-virus, patch management and web protection simple, and complements the education and enforcement you can provide. A repeated warning to keep up to date with patches may become ignorable white noise for a user, but an automated managed security solution minimises risks without the need for user intervention.

It’s counterintuitive – increased warnings about the risk of a security breach make people less receptive to the message. Users have worn that particular hat for long enough to simply get used to it. It’s the security experts’ job to make that hat feel weird again.

Join Ian Trump (below left) on June 3 2015 at Infosecurity Europe’s Tech Talks at the Olympia, London – at 13.20 he will be discussing what the end of Windows Server 2003 support means for businesses, and what they need to do to prepare. 01382 309040 www.logicnow.com

Brian Kelly believes cloud-based security is the perfect cybersecurity solution for small to medium enterprises

The big interview: Brian Kelly
By Joanne Frearson

BRIAN KELLY, chief security officer at Rackspace, has been involved in creating some of the world’s first information security systems, starting his career in the US Air Force in the early 1990s, when the World Wide Web was at its beginning stages. While he was stationed at the Pentagon, it was only when the military began to understand the role cyber could play in war that Kelly’s big break came in information security. He was asked by the joint chiefs of staff to help in a mission called information warfare, which resulted in him spending a lot of time working on how this could potentially change military doctrines. His efforts in the military saw him win the Defence Meritorious Service Medal, the third-highest award bestowed upon members of the US military, which recognises non-combat achievements.

But soon after leaving the military, Kelly had an ambition to take what he had learnt in cyber-security to companies. Kelly, who is based in San Antonio, Texas, told me: “I had reached a point where I thought we needed to take this to the private sector. A lot of this was happening in the public sector, but it was not getting to the companies that were at the greatest risk. That was my transition point.”

Kelly was working for a company called Trident Data Systems, whose focus was also on info war for the government and the air force, but Kelly felt the systems they were developing could be adapted to the private sector. Kelly says: “There was an intrusion detection technology called DIDS (Distributed Intrusion Detection Systems), probably one of the first ever examples of this technology. We created what they call today the Security Information Management System (SIMS), which is basically a data analytics platform.

“We created one back in the 90s called ASIMS (Automated Security Instant Management System), which was almost really one of the first SIMS. There were a lot of things that had not been done before that came out of those days. A lot of technologies emerged from the early days in San Antonio.”

Kelly thought the best way to bring this to the private sector was through Wall Street because it was the banks that were dealing with these issues first and foremost. He moved over to work at the big four accounting firms, first to


Deloitte and then Ernst & Young, to bring this to the banking industry. His main focus these days is protecting the data of one of the world’s biggest cloud service providers, Rackspace, which had revenues of $1.79 billion last year.

At Rackspace, Kelly’s approach is that a company can help improve the security of its data by keeping it in the cloud. He says: “By buying into a cloud provider they are also inheriting a security team. You are more secure in the cloud because we are able to dedicate a large number of resources to security.

“I have over 300 security professionals that support our customers every day. I do not see that level of attention and focus when I visit even Fortune 100 companies. Sometimes we miss that fact.”

There has been some concern from companies that data is not secure if it is not on premises. Kelly believes this is because companies are worried about potentially losing control over their information. Kelly says: “What we are hearing is that it is just the uncertainty – because customers feel that they do not know what is happening to their data if it is off premises.

“There is this assumption that if data is in-house it is safer, and that may be a bad assumption. It may feel better to walk down the hall and open the door and go into the data centre and see the racks and the lights blinking, but that does not mean it is safe.”

For small-to-medium-sized companies it can be difficult to have the resources required to implement the security systems needed to protect data. Says Kelly: “There is a big section of the market – the small-to-medium business area – that are in a tough spot today. The very large companies have the resources to really build their defences for advance detection responses.

“They can build security operations centres with the latest and greatest technology. They can attract and attain very high-end security people, but they are a minority. For the majority of companies in that mid-market level it is not feasible and practical for them to spend millions of dollars to build a security operations centre.

“They very likely cannot compete for high-end security talent – even spending a few million dollars a year for a managed service offering by a third party is difficult for some of these customers. They are in a very tough spot because their only alternative is to try to find low-cost solutions to give them at least some visibility to what is happening in their environment.

“The problem with these low-cost solutions is that they may be within budget, but it is likely they will not be effective against the more sophisticated attacks that we are seeing today.”

This is where cloud computing providers can help companies gain access to security they would not have otherwise, believes Kelly. He says: “Just given the access we have to our customers and the scale in which we can deliver these services, we can actually provide that advanced detection and response monitoring for these customers at a fraction of the cost, by taking advantage of the scale we have.”

Technology has certainly become a lot more sophisticated since Kelly’s early air force days, with cyber-attacks a very real threat. Companies who do not look at ways of keeping their data safe could become increasingly vulnerable to attacks, but cloud computing could be one low-cost way of keeping their systems safe.

“For the majority of companies in the mid-market level, it is not feasible to spend millions to build a security centre” – Brian Kelly

Rackspace’s UK offices near London’s Hyde Park



CONNECTED THINKING

Why the automotive and security industry must work together to protect vehicles from emerging cyber-threats
By Joanne Frearson

CARS ARE getting smarter. A typical motor contains dozens of computerised elements that can control such things as brakes, wheels, lights and heating, and in connected cars users can gain access to social networks, email and route calculations. Driverless cars will soon become a reality, and car manufacturers such as Audi, BMW, Ford, Renault and Volvo are all in the process of making vehicles which have some form of connectivity in them. In the world of Formula One, hundreds of sensors provide data points in real time, from tyre pressure to fuel burn, that are then analysed by on-site race engineers.

But with this increase in connectivity there also comes a whole new set of problems. It also increases vehicles’ vulnerability to cyber-attacks. Last year, Kaspersky Lab undertook a study with Spanish marketing and digital media company IAB on whether or not connected cars were secure. In analysing BMW’s ConnectedDrive system, they found several areas were at risk, in particular that a third party could gain unauthorised access to user information and the vehicle itself through phishing, key logging and social engineering. The study showed that privacy, software updates and car-oriented apps could potentially leave connected vehicles vulnerable to cyber-criminals, giving hackers access to the vehicle’s remote services and even allowing them to drive it. The issues have since been addressed by BMW, which released software patches to correct the flaws.

David Emm, principal security researcher at Kaspersky Lab, says: “Connected cars can open the door to threats that have long existed in the PC and smartphone world. Several areas of risk have already been identified.

“For example, by obtaining a vehicle owner’s identity credentials, thieves could remotely unlock, and take possession of, a vehicle. By intercepting and tampering with mobile communications and over-the-air software updates, cyber-criminals could transmit malicious code or, in a worst-case scenario, send new and dangerous instructions to the vehicle’s software systems.

“And, as with other areas of online life, something as simple as poor password protection could also quite literally leave the door open to criminals.

“At any point in the production line, vehicles can be exposed to cyber-threats, so it’s not just about ensuring the vehicles’ internal systems are safe, but also that the systems involved in the cars’ production are protected.

“Cyber-security is the responsibility of all parties along the automotive supply chain: designers, component manufacturers, assembly lines and distributors.”

According to Emm, it is important for the automotive and security industries to work together to protect connected vehicles from emerging cyber-threats. He says: “With the new breed of driverless car being trialled on our roads as early as this summer, the automotive and security industries should be looking to join forces to protect our connected vehicles from emerging cyber-threats, before the cars become widely available to consumers and the risk increases.

“The current mechanisms for real-time tracking, detection, analysis and resolution of cyber-threats for computers and mobile devices will not be enough on their own – it could take just seconds to disable or destroy a connected vehicle, with disastrous consequences.

“Rather than waiting for

Secure transaction system THE GLOBAL IDENTITY FOUNDATION (GIF) is working with the security industry to develop a single, open source, globally accepted, digital ecosystem called Identity 3.0 which can be used in making secure and trusted online and offline transactions. The idea behind Identity 3.0 is to be able to understand the context in which an entity – a person, device, code, agent, or organisation – is operating, to a known level of trust. The entity (typically a person) only shares the attributes and information that is essential to the transaction they want to undertake. This allows the parties involved in the transaction to make a risk-based decision about whether to transact, or whether they require additional information before proceeding. All of this happens in the background, invisible to the user, or

with minimal interaction. The goal for the development of Identity 3.0 is for it to become the overarching ecosystem that will be accepted by governments and corporations all over the world. It builds on the work of the Jericho Forum. Paul Simmonds, CEO of the GIF and ex co-founder and board member of the Jericho Forum, says: “We are taking a bunch of work which was originally done by the Jericho Forum on identity before it disbanded. The Jericho Forum came to some very radical conclusions that authentication and identity is horribly broken and the bad guys are busy exploiting it. “Online credit card fraud, phishing, and cyber-crime all succeed by fraudulently using someone else’s identity, and users are rightly concerned about access to their


Business Technology · May 2015

AN INDEPENDENT REPORT FROM LYONSDOWN, DISTRIBUTED WITH THE SUNDAY TELEGRAPH

Information security

Like us: www.facebook.com/biztechreport | Contact us at info@lyonsdown.co.uk

9

What a medieval farming village can tell you about your security systems BMW’s ConnectedDrive system was found to be vulnerable to security risks earlier this year

Keil Hubert

I the first attack to take place, we have to find and stop these vulnerabilities now before the technology is integrated extensively into our cars. The good news is that many security issues relating to critically important functions can be fixed relatively easily.” Emm believes the automobile industry should look towards the software industry, which has the experience to deal with malware and hacking for guidance. Large-scale malware outbreaks have cost the software industry billions of dollars and it has learned to provide frequent updates to fix vulnerabilities in systems. In the Formula One industry, for example, Kaspersky is working with the Scuderia Ferrari racing team to help make its vehicles cyber-secure. “Ferrari has given us tremendous exposure to the challenges and vulnerabilities that the automotive and racing industry faces,” Emm says. “We implement solutions for the

commercial manufacturing side of the business as well as for the Scuderia Ferrari racing team to ensure the safety of the business as well as the people who drive their vehicles. “Everyone involved in the creation of a connected vehicle – including policy makers – need to work together to ensure these points of weakness are dealt with before connected vehicles become commonplace on our drives and on our roads. “This means analysing all the different vectors Software security that could result in cyber-attacks, accidents or firm Kaspersky Labs is working even fraudulent maintenance of the vehicle. The with the Scuderia government is also set to publish a new code of Ferrari racing practice, which should be accommodating to team to ensure the new technology and potential threats that the safety of its come with this. cars, as well as drivers such as “At the same time, owners of next-generation Sebastian Vettel cars must learn that threats, specific to the (above); Left: computer world, now apply to connected vehicles Kaspersky’s and take these risks into account.” David Emm

puts its trust in the customer personal information. In 2014 alone, millions of user records were stolen through data breaches, including those at Sony, eBay, and JP Morgan. In a world where we shop and bank online, and share personal details on social media, we urgently need to move beyond passwords and basic web security. “The question is, what are we going to do about it as an industry? If we do not do something radically different, the problem is only going to get worse. At the moment the bad guys are winning bigger and better than the good guys. What people want is a simple solution that will put them back in control of who they trust in their digital lives. Identity 3.0 has the potential to stop much of the cybercrime going on today.” The GIF is looking for vendors, academics and security experts to contribute to the

Paul Simmonds

development of Identity 3.0 as research sponsors and partners. In the first project phase, the GIF will define practical use scenarios, future directions for development, and pilot projects to determine the viability for a global deployment of the solution. Dr Steve Moyle, COO of the GIF, says: “Collaboration in a vendorneutral environment is key to making this work globally. We need to be able to answer key questions such as ‘will the Chinese accept a US identity and vice versa’ and ‘can I verify that identity attributes are authoritative?’. “Solving these and other identity problems is of benefit to all companies and governments on the planet today.”

F YOU want to keep your company’s production data network reasonably secure, then keep your executives a healthy distance away from information security appliance salespeople. I’m deadly serious, and not for the reasons you’re probably assuming. I like a good security information and event management (SIEM) tool as much as the next head of IT. What I don’t care for is the common belief held by nontechnical executive types that a shiny new security appliance could do a human security expert’s job. It can’t. All of those lovely intrusionprevention systems and log aggregators and alerting systems are wonderful security awareness tools, but they’re all useless without trained and savvy operators. If it helps, think about your production network as if it were a medieval farming village: picture a bunch of smithies, carpenters, and other shops that provide critical services, people running about doing work that benefits the community, and well-marked roads leading in and out of town. If those roads are left unguarded, then any blaggard could sneak into town, break into an unlocked storeroom, and nick some valuables. If you only guard the city gates, then a baddie can run around for weeks causing havoc inside because no one’s paying attention. It’s a metaphor, but it works. Most people want the security and stability that comes with living in a gigantic stone fortress, but those are hugely expensive – only the Fortune 500 global megacorps can afford to build impregnable castles. The rest of us have to make do with improvised, partial measures. That’s the security appliance vendors’ niche: they provide a cost-effective solution for significantly improving your meagre defences. In our village metaphor, they offer to build you a tall and sturdy watchtower in the centre of town. From there, your watchmen can survey the entire community, thereby allowing them to spot suspicious activity to help

thwart the occasional evildoer. It’s a practical solution for most companies’ security situations. Where the appliance solution inevitably falls apart is after the SIEM watchtower gets erected in the village green. “We have a security appliance,” the mayor announces. “Therefore we’re safe. Everybody get back to work.” The trouble is, the mayor neglects the most important part of the equation – there’s no one stationed inside the tower to keep watch. The baddies then saunter in and nick everyone’s valuables without difficulty. If it seems I’m oversimplifying things, please understand that I’ve seen this exact scenario play out at far too many medium-sized businesses in real life. I recently interviewed the CISO of a multibillon dollar company about how his team leveraged his monitoring kit. He sheepishly admitted that his company had spent oodles of cash deploying them, but that no one on staff was tasked to monitor them. The appliances sounded the alarms 24/7, but no one received the alerts. The deployment of SIEMs had made their executives feel good, but accomplished absolutely nothing. They were worse than useless. That is not the fault of the security appliance manufacturer. Most of the ones I know make good products that can be wickedly effective when properly employed. Their function is to arm up a well-trained security team with tools optimised to aid security incident detection, response, and management. What many executives miss is that the security people are the critical elements in the equation; you cannot make security work effectively without them. When it comes to systems security, start by hiring, resourcing, and empowering a savvy infosec team. A watchtower is useless without a watchman; a security appliance is equally useless without well-trained security analysts monitoring it.



Lockheed Martin makes some of the military’s most sophisticated machines and safeguards some of the most mission-critical systems in the world, so it’s no surprise that cyber-security is a major priority for the global company. Joanne Frearson reports

Lockheed Martin’s cyber-analysts come from all walks of life, counting musicians, psychologists and mathematicians among their ranks. The military and aerospace firm has become so good at combatting cybercriminals that it now outsources its expertise to other companies

CYBER-ATTACKS can involve stealing secrets from competitors or sabotaging critical infrastructure such as transport, electrical, water or power systems. They are a real threat to the national security of countries and to the livelihood of companies. Corporations that are involved in helping to protect the security of countries are extremely vulnerable to these threats. Among the most cyber-attacked companies on the planet is Lockheed Martin, one of the world’s largest defence contractors.

Talking to Business Reporter at The Cyber Security Show in London, Craig Pollard, head of cyber security at Lockheed Martin UK, says: “It is because of who we are that we are attacked so much.”

Lockheed Martin makes some of the military’s most sophisticated machines, including the F-35 fighter jet, Merlin helicopters and the Apache Arrowhead night vision system. Having to safeguard some of the most sensitive information and mission-critical systems in the world, cyber-security is a big priority for Lockheed Martin. Since 2003, Lockheed Martin has been building up knowledge about cyber-security to deal with the threat of attacks and understand how these cyber adversaries operate. It is presently tracking more than 50 campaigns and also provides other companies with services to enable them to protect their businesses.

Pollard says: “We are able to identify when an actor [cyber-attacker] is one that we have seen for the last eight years. We know it is them again. We know it is that campaign and know what they are likely to do and what they have done previously, and what they might be changing.

“It will be that needle in the haystack that will be half an IP address or they have changed one character. It will be something that is really small. If you have not recorded that change three years ago, then today’s analysis isn’t going to find it.”

It’s not easy to become a cyber-security analyst at Lockheed Martin – getting the job takes more than just good academic qualifications. Potential applicants have to undergo a rigorous interview process, which tests their ability to work under pressure and be resilient.

“Despite all of the increases in cyber-security courses, what we are finding when it comes to recruiting analysts, even with Masters degrees, is that it is not straightforward to find people with the right mindset,” explains Pollard. “You can have the right academic background and on paper a CV looks like it will be a good fit, but when we conduct the interview a lot of the fundamentals we are looking for are just not there.”

Lockheed Martin likes to choose people from a diverse range of backgrounds to be analysts because they can offer different viewpoints in various situations. “The interview process is quite rigorous and thorough,” Pollard says. “We throw in problem-solving questions rather than have you discuss the latest cyber-report. We would rather say there are three lightbulbs in an attic and three switches downstairs – you come into the room, you need to find out which lightbulb works with which switch, but you are only allowed to go into the attic once.

“It is that kind of approach we throw at them. Then we want to see the rigour of the approach, do they bring academic discipline to it and then how do they work through the process. How are they under pressure?

“In our team in Farnborough there are pure mathematicians, clinical psychologists and musicians. It is as much about an analytical approach to problem-solving and the ability to get into the mind of the adversary. That is ultimately what we are looking for.”

Lockheed Martin also parachutes analysts into companies, for whom it provides a managed cyber-security service to help them understand what is going on in their network. Pollard says: “They will be out there for a period of time and will quickly be able to say, I have seen this before and know how to fix it. The customer’s first response can sometimes be along the lines of ‘I’ll fix this if I get one of these’. No no no! It is about your mindset and re-educating people. You often have lots of the right elements but in not quite the right place and not working together. You can do more through organisational change and having the right analyst than by just adding another firewall.”

It can be difficult for a company to get the right mix in place to be able to have a good cyber-defence system. There must be a number of factors to enable an analyst to have a comprehensive visualisation of what is going on in the network. This includes getting the board on the same page, as this is often not the case. Pollard says: “They might think they are, but you might talk to the CISO and they will say, I am very clear about my biggest risks and I am protecting the intellectual property rights. Then you will sit in front of the chairman and the CEO and they will talk nonsense. It is about uptime, it is about manufacturing processes, it is about continuity of business.

“You talk to CTOs and CISOs who know they should not be buying more technology, but almost cannot help themselves and you say, please don’t buy another thing because you need to do this first, you need to solve this problem.”

Rather than a company just adding different pieces of technology architecture to solve a problem, Pollard believes they need to have the right infrastructure in place, which can give an analyst complete visualisation of a network to begin with. He says: “Getting that is very difficult if your work, architecturally, is not in a good place to begin with. If you do not know how many internet pipes you have and if you have not reduced your data centres and you have not done all of that consolidation, this is going to be a challenge because you will get patchy visualisation.

“You will be seeing only what is happening on a quarter of your network. Whereas you need to see all of it because the adversary moves laterally. Once they are in, they don’t just go in and out, they stay there for a long time and they go sideways. Getting complete visualisation is a significant challenge.”

Lockheed Martin is naturally selective about who it shares information with because a lot of companies do not have these systems in place to make sense of the type of intelligence available. Pollard says: “When you are sharing there not only has to be the normal legal and ethical constraints – you have to be really careful about potential leakage. The trend is that not all organisations are mature enough to consume this and take the appropriate actions. They really aren’t.”

So could you be a cyber-analyst? “We throw in problem solving questions. We would rather say there are three light bulbs in an attic and three switches downstairs. You come into the room, you need to find out which light bulb works with which switch, but you are only allowed to go into the attic once.” For the answer, go to business-reporter.co.uk. (Sorry, but you didn’t think we’d make it easy for you, did you?)

Lockheed Martin’s state-of-the-art F-35 Lightning II stealth fighter is currently under development



Why cyber should not be limited to cyber

Cyber-security is not an “IT-problem” but a company-wide challenge that must be tackled on many fronts

More and more companies are realising that effective cyber-threat intelligence means more than getting technical insights about a threat or a hack. It’s not equally obvious, though, where they can turn for help. Many emerging intelligence needs are not addressed by the offerings of the traditional IT security industry. Assessing a company’s reputation and how it may prompt attacks, understanding the motivations and beliefs of a threat actor, and discovering how a geopolitical event triggers the use of a new attack type promoted on social media all require access to and analysis of data that IT or product companies don’t provide. Yet, putting cyber-events in the context of the world at large is critical in order to understand and potentially predict future threats. The need for a more holistic

approach to threat intelligence, beyond the technical parameters, is undeniable – and it’s there for the taking. Open-source intelligence (OSINT) is not new, and making sense of data from publicly available sources is as relevant for cyber security as it is for other purposes. With a plethora of data everywhere about everything, access to data is no longer the issue. On the other hand, access alone is not the solution either. We live in times when availability of data is better than ever, yet the fear of having missed something continues to keep company executives awake at night. This disconnect can only be mitigated by broadening perspectives, recognising the need for change in internal processes, and using new technologies to find and unlock the information hidden in the vast volumes of data available today on the web.

Taking this broader intelligence approach is nevertheless pioneering. Many companies still regard cyber-security as an “IT problem” and pass on the internal responsibilities accordingly. The results are mixed and suffer from similar issues that the business intelligence industry has struggled with.

Companies collect data and carry out analyses which are appropriate and important but miss information that is equally critical because the data required for such additional explorations is external, unstructured or too voluminous, none of which their existing tools or processes can deal with. Despite the

technology innovations of late and all the talk about big data, companies remain constrained both technologically and organisationally by the classic data issues of internal versus external and structured versus unstructured. Cyber-threat intelligence is at risk of falling in the same trap. Management needs to involve more resources and introduce new methods to meet the challenge. Cyber-events don’t happen in a vacuum. There is context around them that often is hard to see. A proactive cyber security strategy should recognise that timely and relevant intelligence is as likely to come from soft data as it is from hard statistics. Taking advantage of both gives companies the best opportunity to stay ahead of the next threat.

Kristofer Månsson is CEO and co-founder, Silobreaker kristofer.mansson@silobreaker.com www.silobreaker.com


TO BYOD OR NOT TO BYOD?

Graham Jarvis looks at how bringing outside devices under the workplace IT security umbrella is a worthwhile challenge

ARE THE RISKS associated with bring your own device (BYOD) worth it? As BYOD grows in popularity, whether to allow employees to use their own smartphones, PCs and tablet computers for both personal and work purposes is the decision being faced by IT departments across the country. The simple fact is that, when a company doesn’t own the devices its employees are using, there is an increased chance of serious security breaches.

Martin Hickley, a senior consultant at both Customer Essential and GO DPO, says the Information Commissioner’s Office has become so concerned about this that it produced new guidelines last December about the potential information security management problems that can arise from adopting a BYOD strategy. Hickley thinks the likelihood of a breach has increased because the devices involved can now store far more data than they could previously, and that data can be offloaded far more easily. Attacks can occur when people are not careful about what they opt into when they download applications, which may ask them for access to their contacts list and location data. These devices can also be hacked via an open Wi-Fi connection, and there are plenty of guides on the internet that could help a would-be hacker gain access to these devices. Malware attacks can lead to a hacker taking over a device without the owner’s knowledge, and there is also the problem of what happens when a device used for personal use and work is lost or stolen.

Luke Beeson, vice-president of security at BT’s UK and global banking and financial market division, says: “These security breaches all have a major impact on business processes, take up valuable helpdesk time and, in most instances, reduce employee productivity, affect the customer experience and can lead to heavy fines as well as cause reputational damage.” Nevertheless, Beeson feels BYOD offers some distinct advantages that can benefit organisations if the right policies are in place, such as an increased level of flexibility and efficiency.

Bharat Mistry, a cyber-security consultant at Trend Micro, points out that there is no way of knowing what sensitive data is being transferred or accessed on a device, or where it will end up. He says: “The theft of intellectual property is the primary reason for information security breaches on devices which are noncompliant with a security policy.” Organisations also have to contend with the fact that each device will have private user data on it. “If this private user data is backed up onto an enterprise platform, then there is a whole raft of protective measures that have to be applied to ensure that it is safeguarded,” adds Mistry. This means organisations have to be able to gain visibility of all of the data stored on the device in order to delete any sensitive data when required. This visibility is particularly important because cyber-criminals might want to use a device “as a hopping point to get access to the corporate network,” Mistry explains. “This becomes more of a problem when you get devices that haven’t been well managed and which don’t have any baseline controls or policies attached to them.”

In order to take advantage of flexibility and efficiency gains that come with BYOD, it is important for organisations to educate their employees about the security risks. Organisations should require them to sign a BYOD usage and security policy to ensure that they use their devices wisely, to establish a back-up policy and to outline how private user and corporate data can be handled – particularly in the event of an information security breach or a malware attack.

Without impinging on the user experience, organisations should have a reasonable ability to control and manage devices in order to resolve any existing vulnerabilities and to detect and encrypt data beyond the corporate network. With a stringent BYOD security strategy in place, and with a high level of transparency and co-operation enforced between employees, most of the risks associated with BYOD can be reduced.

Simon Bain, CEO of SearchYourCloud, spoke for many when he said he felt that BYOD is worth the risk. “We should be embracing it as it can bring with it some major benefits,” he said. “However, I do believe that users, corporations and managers need to take responsibility for their information because you would not cross a busy highway without looking.” The same precautions should also apply to BYOD.

Oil sector at risk from ‘Phantom Menace’ malware attacks

HACKERS ARE launching thousands of attacks on oil transportation companies, according to a recent report from IT security firm Panda Security called Operation Oil Tanker – The Phantom Menace. These attacks come in a variety of guises and so, in addition to having a robust anti-virus programme, the companies concerned need to implement a number of other security measures. “The project was called Operation Oil Tanker because all of the targeted companies belong to the oil logistics industry, and Phantom Menace is the name we gave to

the attack as it does not use any conventional malware,” explains Luis Corrons (below), technical director of PandaLabs. Corrons adds that the attacks, which began in August 2013, use a few scripts such as VBS and batch files. With them they used some quite legitimate and non-malicious tools such as Unzip. “The closest thing to something malicious was the use of different password recovery tools by the hackers to harvest credentials that were stored on the attacked computer,” he says. The key problem is that the Phantom Menace could not be

detected by anti-virus engines. The issue was first detected when a secretary opened a PDF email attachment that had been declared safe by the enterprise’s endpoint security system. Corrons says the potential impact of such a breach could be huge, and the financial cost could equate to millions. The lesson that arises from the Phantom Menace is that “it is beneficial to conduct attack analyses and penetration testing, especially in sensitive industries and any information garnered from these evaluations should be fed back to the security policy team to allow additional measures to be taken if they are required,” he advises.



Protecting the keys to the kingdom from cyber-attackers

The critical moment in a number of recent high-profile data breaches has been the point at which the attacker manages to hijack powerful internal privileged accounts and credentials. The transformation of malicious outsider into a privileged insider enables an attacker to access sensitive assets, install malware and reach the attack goal – all by employing the same permissions and workflows that have been established for the organisation’s own, legitimate processes.

Privileged account exploitation is an essential step in targeted cyber attacks. It is inevitable that attackers will look to hide in plain sight in order to access the most valuable information within a network. Protection from within is invaluable, and while there is no silver bullet to secure a company from today’s advanced and targeted threats, removing the ability for attackers to hijack and abuse privileged accounts under the radar is a crucial proactive step that can be taken. Perimeter breaches are to be expected and security teams should be taking the approach that it’s not if, but when, they will be targeted in an attack – whether internal or external.

Organisations must first ensure that they fully understand the scale of their privileged account security risk, as this is commonly unknown or greatly underestimated. (Indeed, privileged accounts can be three to four times the company headcount.) Only then can firms effectively control these accounts and determine the necessary security measures. Once organisations understand the scale of their privileged account vulnerability and have taken steps to isolate and control the use of credentials and access to critical systems, monitoring the use of these privileged accounts on an ongoing basis is a proactive move towards protecting against advanced threats. The final step is having the right tools in place to respond to these issues – whether it’s immediately revoking privileges while individual instances are investigated, or filling a security hole that has been identified. Businesses can reduce their exposure dramatically by being able to respond quickly and locking down access to their critical information before attackers can exploit it.

Privileged account security should be top priority for any business, given the recent spate of highly damaging attacks. As evidenced by last year’s eBay data breach – in which a small number of employee login credentials were hijacked, allowing unauthorised access to eBay’s corporate network – privileged credentials enable access to vast stores of information, data and control within digital depositories and, as a result, are the primary target for hackers.

Perimeter security, long relied upon by enterprises to defend their networks, is clearly failing. The entry point for malicious attacks is through the inside and, as such, protection needs to start here – at the centre of the organisation. The consequences of a data breach can be severe, with financial losses and reputational damage both major causes for concern. With this in mind, organisations must start better protecting their assets – and critical to this is securing the privileged accounts which are at the heart of so many harmful attacks.

Matt Middleton-Leal (left) is regional director, UK&I, CyberArk Matt.Middleton-Leal@cyberark.com www.cyberark.com
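The sequence the article lays out (understand the scale of privileged access, control it, monitor its use, respond) can be exercised on a single Linux host with nothing more than the group file, sudoers and the sudo log. The script below is an added example written for this page, not CyberArk’s or the author’s code: it builds an inventory of accounts that can act as root from constructed group and sudoers data, then reviews constructed sudo log lines for privileged use that falls outside that inventory or outside a simple policy (interactive root shells, reads of sensitive files, use outside working hours). The file contents, host and user names, the privileged-group list and the working-hours window are all constructed assumptions for the example.

```python
"""Privileged-account inventory and sudo log review (added example, constructed data)."""
from __future__ import annotations
import re

# --- constructed sample data; none of it comes from the article ---------------
GROUP_FILE = """\
root:x:0:
sudo:x:27:alice,bob
wheel:x:10:alice
docker:x:999:carol
"""

SUDOERS = """\
# constructed sudoers fragment
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) ALL
dave    ALL=(ALL) NOPASSWD: /usr/bin/systemctl
"""

AUTH_LOG = """\
May 12 09:14:01 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
May 12 09:15:22 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
May 12 23:40:09 db1 sudo:     erin : TTY=pts/3 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
May 12 23:41:10 db1 sudo:     dave : TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/systemctl status postgresql
"""

# Assumed policy: groups whose membership is root-equivalent on a typical Linux
# host (docker is included because its members can start privileged containers),
# paths a privileged command should rarely touch, shells, and expected hours.
PRIV_GROUPS = {"root", "sudo", "wheel", "docker"}
SENSITIVE_PATHS = ("/etc/shadow", "/etc/sudoers", "/root/.ssh")
SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/bash"}
WORK_HOURS = range(7, 20)   # 07:00-19:59 local time counts as expected use

# One syslog-style sudo record, as written by sudo's default log format.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+(?P<hour>\d{2}):\d{2}:\d{2})\s+(?P<host>\S+)\s+sudo:\s+"
    r"(?P<user>\S+)\s*:\s*TTY=(?P<tty>\S+)\s*;\s*PWD=(?P<pwd>\S+)\s*;\s*"
    r"USER=(?P<target>\S+)\s*;\s*COMMAND=(?P<cmd>.*)$"
)


def privileged_accounts(group_text: str, sudoers_text: str) -> set[str]:
    """Step 1: the inventory of who can act with privilege.

    Members of root-equivalent groups are combined with users granted rules
    directly in sudoers; %group rules are resolved through the group file.
    """
    inventory: set[str] = set()
    for line in group_text.splitlines():
        parts = line.split(":")
        if len(parts) < 4 or line.startswith("#"):
            continue
        name, members = parts[0], parts[3]
        if name in PRIV_GROUPS and members:
            inventory.update(m.strip() for m in members.split(",") if m.strip())
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("%"):
            continue
        inventory.add(line.split()[0])
    return inventory


def parse_sudo_line(line: str) -> dict | None:
    """Parse one sudo log record; returns None for lines that are not sudo records."""
    m = SUDO_RE.match(line)
    return m.groupdict() if m else None


def review(log_text: str, inventory: set[str]) -> list[dict]:
    """Steps 2-4: check each privileged action against the inventory and policy.

    One finding per log line that needs attention, carrying every reason that
    applies, so a responder can decide whether to revoke access or investigate.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["user"] not in inventory:
            # privilege used by someone the inventory does not know: sudoers
            # drift, a hijacked account, or a rule added without authorisation
            reasons.append("not_in_inventory")
        if rec["cmd"].split()[0] in SHELLS:
            reasons.append("interactive_root_shell")
        if any(p in rec["cmd"] for p in SENSITIVE_PATHS):
            reasons.append("sensitive_file_read")
        if int(rec["hour"]) not in WORK_HOURS:
            reasons.append("out_of_hours")
        if reasons:
            findings.append({"user": rec["user"], "host": rec["host"],
                             "command": rec["cmd"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    inv = privileged_accounts(GROUP_FILE, SUDOERS)
    print("privileged accounts:", sorted(inv))
    for f in review(AUTH_LOG, inv):
        print(f"{f['host']} {f['user']}: {', '.join(f['reasons'])} -> {f['command']}")
```

On the constructed data the inventory is five accounts for a four-person team, the kind of ratio the article warns is usually underestimated, and the review flags bob reading /etc/shadow, erin (who is in no inventory) opening a root shell late at night, and dave’s out-of-hours but otherwise permitted systemctl call. The same shape scales to a real estate by replacing the embedded strings with the actual files and the SIEM’s sudo records.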

Complying with the EU General Data Protection Regulation: what you need to know

As it currently stands, the European Union’s General Data Protection Regulation (EU GDPR) could be introduced as law in just a few years. If the current proposal passes, the new regulation would completely revamp the 1995 EU Data Protection Directive, reflecting current and future advances in how we use and manage our data. The draft proposals demonstrate a far-reaching impact, and businesses need to start preparing now to avoid being non-compliant. While there is a lot of information to digest, there are five key areas organisations need to be aware of:

1. The regulation will automatically apply across Europe
Not only will the new law apply across the 28 European Union states, but also to organisations outside the EU active in these markets. The proposed EU GDPR law will still have jurisdiction over organisations with no physical presence in the EU. If they handle the data of EU citizens, they can be investigated, fined and even prosecuted by an EU regulator for data loss and misuse.

2. Companies will be liable for larger fines
The proposed law includes increased sanctions, with fines of up to €100 million or up to 2 per cent of annual global turnover – whichever is greater. Compared with the current maximum fine in the UK of £500,000 from the Information Commissioner’s Office, the new law will dramatically raise the stakes.

3. Companies will have to notify those whose data has been breached
Where a data breach has occurred, the organisation has to notify all those affected by it unless it can prove that the data is illegible to anyone not authorised to access it. In a worst-case scenario, telling this to tens of thousands of customers could lead to significant brand damage, litigation and public scrutiny of the incident.

4. Organisations must notify the authorities about data breaches as soon as possible
The draft regulation states that, “if feasible”, companies should report a data breach within 24 hours. While it may be in the best interest of the business to promptly report a breach, this is easier said than done. There are often hurdles when determining the accurate identification and confirmation of data breaches, including the participation and wherewithal of employees to be forthcoming and prompt with information.

5. Firms with 250 or more employees must employ a corporate data protection officer
Enterprises with more than 250 employees will need to hire someone who’s responsible for data protection. This person will have to be properly trained. Given that the penalties are set to be much higher, it will be vital for organisations to choose and invest in the right candidate.

While we don’t know for certain the exact provisions of the EU GDPR, we do know that it is going to have a major impact on all businesses across the globe. Although 2018 may seem a distant future, organisations must start seeking the correct advice, implement suitable preventative technology, and take action now to ensure full compliance once the regulation comes into force. Stephen Midgley is the vice president of global marketing for Absolute Software smidgley@absolute.com www.absolute.com



AN INDEPENDENT REPORT FROM LYONSDOWN, DISTRIBUTED WITH THE SUNDAY TELEGRAPH


Inspector Dogberry

By Matt Smith, web editor

Band for life

Everybody, including dogs, has a unique heartbeat which can be measured by an electrocardiogram (ECG). It is so difficult to forge that it is starting to be used in biometrics as a security system to unlock devices. The Inspector – who, being an inspector, takes security very seriously – has discovered a wristband, called the Nymi Band, which has the capabilities to unlock devices and remember passwords using the unique signature of your heartbeat. The wristband has an electronic module that incorporates an ECG sensor and two electrodes. A biometric template is made of the user’s ECG on their smartphone, tablet or computer. The wristband is activated if a person’s heartbeat matches what is stored on the biometric template. Dogberry has the Nymi Band on order and can’t wait until he gets it because he will be able to use it with a range of different devices. He is planning to use his as a credit card when he forgets his cash, an alarm clock to gently wake him in the morning and a fitness tracker for chasing squirrels around the park. The band can also be used to unlock mobiles and computers, as well as make sure payments from your phone are secure.

The Nymi Band employs a number of sophisticated security systems to stop hackers gaining entry to the device. As heartbeats are an internal vital signal of the body, they are difficult to replicate, unlike fingerprints and iris scans. There is currently no means of falsifying an ECG waveform and presenting it to a biometric recognition system. Unlike a password, even if your Nymi Band is stolen, no one else can use it, and removal of or damage to the wristband immediately invalidates biometric authentication.

Organised crime is being blamed for the increasing number of data breaches around the world, as the bad guys turn their sights on valuable financial and medical records, according to a study by the Ponemon Institute which was released last week. Caleb Barlow, vice president of IBM Security, told Reuters: “Most of what’s occurring is through organised crime. These are well-funded groups. They work Monday to Friday. They are probably better funded and better staffed than a lot of the people who are trying to defend against them.” According to the study, the cost of a data breach is now $154 per record lost or stolen, an increase from $145 last year, based on interviews with 350 companies from 11 countries that had been subject to a data breach.

Graham Cluley’s blog
https://grahamcluley.com
Speaker and independent security analyst Graham Cluley’s multi-award-winning blog covers the latest developments in the industry. If you enjoy the site, be sure to sign up for the GCHQ – that’s Graham Cluley HQ – newsletter for the latest posts direct to your inbox.

Naked Security
https://nakedsecurity.sophos.com
Run by the people behind Sophos’s security software, Naked Security provides news, opinion, advice and research on the latest threats. Recent posts look at concerns over plain-text passwords in Uber emails, a mobile spyware customer data leak, and a robot that can pick combination locks.

Krebs on Security
http://krebsonsecurity.com
Ex-Washington Post reporter Brian Krebs’s interest in information security began when his home network was overrun by a Chinese hacking group. Now, some 1,300 Security Fix blog posts later, he runs this site, which covers the latest breaches and software fixes and explains how they affect users.

Kaspersky
https://blog.kaspersky.co.uk
Anti-virus software provider Kaspersky Lab runs this information security blog. As well as the usual posts, tips and interviews with industry experts, there are tools to check the strength of your online passwords and a real-time map showing threats around the world.

McAfee Security & Antivirus (FREE – Android, iOS)
McAfee’s mobile offering features both standard anti-virus functions and ways to lock or wipe your smartphone if it falls into the wrong hands.

LastPass Password Manager (FREE – Android, iOS)
As well as eliminating the need to remember lots of passwords, users of compatible Samsung Galaxy devices can use their fingerprints instead.

TUESDAY 29 SEPTEMBER 2015 • THE BRITISH MUSEUM • LONDON

At some stage, every company will be breached. What do you do next? After the record-breaking security breaches of 2014, information security has never been higher on the corporate agenda. The challenges remain, however, both in managing colleagues and partners, and in keeping security strategies agile enough to compete with increasingly sophisticated attacks. There is also the question of the coming EU Cybersecurity Directive, and how that will impact on commercial operations. For more information, go to www.biztechevents.co.uk/r3

For more information about R3 2015 please call Marc Morrow on +44 (0)20 8349 6453

Themes
• Managing reputational risk
• Debunking the regulatory myth
• Best practice
• Breach response
• Recovering forward
• Data loss
• Consequences



INSIDE TRACK

10 steps to business cybersecurity success

The growing frequency and sophistication of security threats makes protecting an organisation more important than ever. In 2014 alone, cyber-criminals stole more than 500 million individual identities from organisations worldwide, and attacks and malware infections continue on an industrial scale. For many businesses, defending their networks and data is fast becoming a task that appears insurmountable. However, when stripped right down to its most basic elements, information security risk can be assessed against a combination of three factors: assets, vulnerabilities and threats. Assets are exposed by vulnerabilities that may be exploited by threats, with one breach becoming the seed for subsequent attacks. So how should organisations devise a proactive security strategy? Here’s a 10-step guide to developing a robust approach to protecting critical network and data assets.

1. Use security to unlock innovation
Security does more than just protect a company from attack – it can also accelerate adoption of new technologies, enabling businesses to operate more efficiently and unlock innovation. When adopting new solutions and devices, a security risk assessment should be part of the process, to ensure protection against threats is built in from the start.

2. Test the limits
One mistake businesses make is to assume that once they implement security measures, the job is done. But threats are morphing and cyber-criminals learn as they go: so security has to be an ongoing process, with infrastructure regularly tested with intrusion detection and on-the-spot audits to identify vulnerabilities.

3. Stay focused
Companies should concentrate on where they would be most vulnerable in the event of a security breach and make that their top priority – then they can focus on minimising the risks.

4. Be prepared
No matter how careful a business is, security incidents will happen. A contingency plan helps companies recover faster, with less impact on business operations. Identifying threats in advance will significantly reduce response times and costs in the event of an attack.

5. See the big picture
It’s important to see the threats and vulnerabilities, as well as the big picture of what an organisation is trying to achieve. The best security policies come from strategic goals and business objectives, linked to procedures and requirements, performance measurements, and people.

6. Go beyond regulations
Compliance does not ensure a secure network, so it shouldn’t be the basis of a security policy. With that in mind, businesses need to push beyond compliance and create a robust security policy that safeguards information and supports threat mitigation.

7. Make it official
When employees are engaged to help implement policies, enforcement becomes more efficient, so the best information security policies are those that are well publicised, are simple to understand and that employees can help to enforce.

8. Get buy-in
Executive buy-in for the company security policy is essential as it demonstrates active support and fosters greater awareness. The key to obtaining this is by identifying key security indicators and measurements that demonstrate the return on investment that robust IT security delivers.

9. Create accountability
Organisations should take the time to identify specific individuals who will be responsible for their information security policy. Distinct responsibilities should be mapped out, along with a clear understanding of how they intersect.

10. Never ease up
If security management is outsourced due to lack of resources or expertise, demand that service providers and suppliers follow their information security policies, and also ensure that they in turn understand the policies and safeguards their partners enforce.

Good security is business critical. By understanding potential threats and vulnerabilities, by creating a solid plan that aligns with your business and by ensuring protections are integrated into IT infrastructure, businesses can turn security into an enabler, rather than an inhibitor, for their business.

Will Benton (left) is director of sales for Check Point www.checkpoint.com



Facing up to the BYOD security challenge

Bring Your Own Device and Data Security… are they mortal enemies destined to battle each other until the end of time? Or are they simply unlikely bedfellows? There are many companies that cannot align the two priorities, and as a result some have lowered the priority of their BYOD initiatives. The postponement or even abandonment of these employee-first initiatives is a concern for businesses at large; but data security remains the paramount concern. One way to unite the two ideas is actually a process of separation: split out corporate data. Software such as Good Work from Good Technology securely mobilises content and data by locking it into the Good container. Data is more secure when accessed by email, browsers and instant messenger within the Good container rather than Hotmail, Open Office and WhatsApp, all of which are out of the control of IT.

Segregating corporate from personal data through Good adds encryption to the data on employees’ own devices, without touching the underlying protocols of the phone or tablet. This can be achieved through Good Work and the array of secured apps in the Good Dynamics ecosystem, ensuring that any business or organisation can secure its data on an otherwise unsecured device. BYOD will become more crucial as the wearables trend gathers momentum. Apple Watch, a variety of Android Wear devices and other connected “things” are bound to enter the workplace in rapidly growing numbers. When they do, you will need a secure productivity solution that’s device-agnostic, such as Good Work. Then you can secure any device that an employee wants to use and make their day-to-day jobs better. +44 (0)20 7845 5300 www.good.com

Have the courage to face up to growing cyber-threats

If trust is the most valuable commodity of the information age, then a strong reputation is priceless. You can trade on that; you can compete and grow. But when every business is so vulnerable to internet attack, how strong is the truth behind your reputation? How well can you look after what your customers and partners entrust you with? With more than 200,000 enterprise customers, including nine of the top 10 banks and nine of the top 10 defence/aerospace companies, Fortinet is one of the biggest IT security vendors in the world. We’ve learned truths that would make your toes curl. We also know that the resilient win.

You can take it as read that cybercriminals are putting a big price on your data, but need only pay pennies of their own to find holes in your defences. There are hard choices to make. You could batten down the hatches, pull down the blinds and kill off your risks. Or you could carry on innovating and embracing change, driving agility in your business, confident that your data, your people and your reputation are safe. According to a new global study commissioned by Fortinet, 54 per cent of CIOs see security as an obstacle to innovation, and have either slowed or thrown out new business initiatives because of fraud and other cyber-security fears. Sadly these aren’t businesses enjoying the freedom to achieve their objectives. These are businesses where security likes to say “no” instead of “yes”. Cyber-threats are rising in volume and complexity, and your business must have the resilience to face this challenge without changing course. Such resilience only comes when you commit to a cohesive life-cycle approach to confronting the many facets of today’s advanced and persistent threats. This allows you to grow, take advantage of new technologies, be compliant with your regulatory requirements and remain trustworthy in the eyes of your market. marketing_emea_north@fortinet.com www.fortinet.com/atp


Business Zone

The future

New research reveals perfect cyber-storm

Two HP-sponsored research reports confirm that the cost of cyber-crime in the United States is rising fast, and business is failing to prepare. It’s not just the cost – the research, conducted by the Ponemon Institute, revealed that the frequency of attacks is rapidly increasing. The Ponemon 2014 Cost Of Cyber Crime Study revealed that the time it takes to resolve a cyber-attack has increased to 31 days, with the average cost incurred to resolve attacks standing at $1,035,769. Meanwhile, the corresponding Ponemon 2014 Executive Breach Preparedness Survey showed that a startling 57 per cent of CEOs have not been trained on what to do after a data breach, and more than 70 per cent of executives think their organisation only partially understands the information risks it is exposed to. In most organisations, senior leadership, including the CEO and board of directors, are seriously underprepared for the job, according to the report. While the CISO/CSO owns the internal response, it’s typically the CEO and executive leadership that sets the tone for the public response. Based on the findings of the report, HP’s security experts recommend a cross-functional team that is comfortable working together. This should be a senior team that includes general counsel, internal audit, human resources, and corporate communications. To help executives prepare for a breach, HP has developed free online tools to help determine the amount of risk the organisation faces and how prepared the organisation is to respond to those risks. These include:

• A how-to guide to develop a breach preparedness plan
• An online participation tool to assess preparedness for a breach against other organisations
• Webinar series to help executives draft and implement breach preparedness plans

To download the report visit www.hp.com/go/ponemon 360@rethinkitsecurity.com www.hp.com/enterprise/security

In focus: Why you should be prepared for a data breach

Experian recently carried out research showing that a third of UK organisations do not have a data breach response plan in place and, of those that do, only a quarter of the plans have specialist support in crisis communications or legal lined up. Some 17 per cent of UK organisations have suffered a data breach and four out of 10 consumers have been affected. Public perceptions around data breach are changing. Consumers are less understanding, and less willing to see organisations affected by data breaches as victims. Rather, they increasingly believe that data breaches come as a result of organisations’ own failures – failures in procedures, security and data controls. Increased public awareness of data breach, the likely heightened effect on reputation and customer loyalty, and the multiplying effect of adverse advocacy, add a new dimension to the financial impact of a data breach – creating a halo effect of financial and reputational implications. With European legislation on the horizon, the UK data breach landscape is on the cusp of massive change. Within two years, it’s likely that a series of provisions will be introduced that will be a game-changer – raising both the financial and reputational stakes significantly. Read Experian’s latest whitepaper, Data Breach Readiness 2.0: The ‘Customer First’ Data Breach Response at www.experian.co.uk/data-breach-readiness, investigating UK businesses’ preparedness for the growing threat of data breach, drawing on insights from senior business experts from legal, insurance, digital forensics and communications. www.experian.co.uk/databreach

Video special

Many companies struggle to bring innovation to life. Innovation firm Fahrenheit 212 is changing that. http://business-reporter.co.uk/video/technology/increasing-the-odds-for-innovation-success-with-fahrenheit-212/

Fast scalable analytics: the future of identity access

The last few years have seen technology platforms proliferate and, with that, increasing insider access threats. It’s becoming obvious that identity and access management (IAM) tools that were fit for purpose a decade ago are now struggling to manage the complexity and scale of access. Framing the issue is part of the problem. Company employees will be familiar with regular access reviews – an email arrives with a long list of staff, an even longer list of privileges, and an instruction to take the review seriously. What is missing is any contextual information that might allow a good decision. This betrays a misconception about risk, but is also the biggest opportunity for analytics to deliver dramatic benefits. In the past, risk has involved counting: tickets processed and outstanding; time of reviews; or number of removals. That was acceptable, because that was all we could measure. Now that we have better analytic tools, we can look at risk differently – how unusual is the privilege, how is access distributed, what other access is there. At Idax we see efficient processes as half an answer; process effectiveness is the new priority. Access reviews that use analytics to focus on unusual, high-risk patterns, along with some context, at last begin to live up to the compliance obligation. But solutions need to be fast and scalable, both to implement and run. There’s too much focus on the “big” and not the “data”, with resulting escalating setup costs and inflated delivery time. The Idax mantra is that firms should demand useful insight in hours not days, and dynamic information as near real-time as possible. Our experience is that it is possible today. Charles.Bantoft@idaxsoftware.com
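To make the kind of context the passage describes concrete, here is an added example (not Idax’s software or anything from the page) that scores each entitlement in a constructed access-review list on the three signals named above: how unusual the privilege is among the holder’s departmental peers, which department the privilege is normally distributed in, and how much other access the holder already has compared with those peers. The users, privileges, weights and review threshold are all hypothetical.

```python
"""Peer-group context for access reviews (added illustration, not Idax code).

Each entitlement gets three signals: rarity among the user's departmental
peers, whether the privilege is normally held by another department, and
how far the user's total access exceeds that of peers.  Their sum ranks a
review queue so a reviewer sees the unusual items first, with context.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import median

# Constructed sample entitlements: (user, department, privilege).
ENTITLEMENTS = [
    ("alice", "Finance", "ERP_READ"),
    ("alice", "Finance", "ERP_POST_JOURNAL"),
    ("bob", "Finance", "ERP_READ"),
    ("bob", "Finance", "ERP_POST_JOURNAL"),
    ("carol", "Finance", "ERP_READ"),
    ("carol", "Finance", "ERP_POST_JOURNAL"),
    ("carol", "Finance", "PROD_DB_ADMIN"),   # an IT privilege held in Finance
    ("dave", "Finance", "ERP_READ"),
    ("erin", "IT", "PROD_DB_ADMIN"),
    ("erin", "IT", "VPN_ADMIN"),
    ("frank", "IT", "PROD_DB_ADMIN"),
    ("frank", "IT", "VPN_ADMIN"),
    ("grace", "IT", "VPN_ADMIN"),
    ("grace", "IT", "ERP_READ"),             # a Finance privilege held in IT
    ("heidi", "HR", "HR_PAYROLL_WRITE"),
    ("ivan", "HR", "HR_PAYROLL_WRITE"),
    ("ivan", "HR", "ERP_READ"),
    ("ivan", "HR", "ERP_POST_JOURNAL"),
    ("ivan", "HR", "PROD_DB_ADMIN"),
    ("ivan", "HR", "VPN_ADMIN"),             # accumulated access far beyond HR peers
]


@dataclass
class ReviewItem:
    user: str
    department: str
    privilege: str
    rarity: float          # 1.0 = no departmental peer holds this privilege
    foreign: float         # 1.0 = privilege is mostly held by another department
    accumulation: float    # 0..1, how far the user's access count exceeds peers
    home_department: str   # department in which the privilege is most common
    score: float           # rarity + foreign + accumulation (hypothetical weights)
    context: str           # human-readable explanation for the reviewer


def score_entitlements(entitlements):
    """Return one ReviewItem per entitlement with peer-group context attached."""
    dept_of, members = {}, defaultdict(set)
    holders, user_privs = defaultdict(set), defaultdict(set)
    for user, dept, priv in entitlements:
        dept_of[user] = dept
        members[dept].add(user)
        holders[priv].add(user)
        user_privs[user].add(priv)

    # Department in which each privilege is most commonly held ("how is access distributed").
    home = {priv: Counter(dept_of[u] for u in users).most_common(1)[0][0]
            for priv, users in holders.items()}

    items = []
    for user, dept, priv in entitlements:
        peers = members[dept] - {user}
        peer_holders = peers & holders[priv]
        # No peers means nothing to normalise against; treat the privilege as unusual.
        rarity = 1.0 - (len(peer_holders) / len(peers) if peers else 0.0)
        foreign = 1.0 if home[priv] != dept else 0.0
        load = len(user_privs[user])
        peer_median = median(len(user_privs[p]) for p in peers) if peers else 0.0
        accumulation = min(1.0, max(0.0, (load - peer_median) / max(peer_median, 1.0)))
        context = (f"{len(peer_holders)} of {len(peers)} {dept} peers hold {priv}; "
                   f"most common in {home[priv]}; user holds {load} privileges "
                   f"vs peer median {peer_median:g}")
        items.append(ReviewItem(user, dept, priv, rarity, foreign, accumulation,
                                home[priv], rarity + foreign + accumulation, context))
    return items


def review_queue(items, min_score=1.5):
    """Entitlements worth a reviewer's attention, highest score first."""
    flagged = [i for i in items if i.score >= min_score]
    return sorted(flagged, key=lambda i: (-i.score, i.user, i.privilege))


if __name__ == "__main__":
    for item in review_queue(score_entitlements(ENTITLEMENTS)):
        print(f"{item.score:.2f}  {item.user:6} {item.privilege:18} {item.context}")
```

Run as a script it prints the six entitlements that clear the threshold, led by the HR user who holds Finance and IT privileges that none of his peers have.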



The debate

What are the challenges facing the information security industry?

Alistair Tooth
Director, product marketing (cloud security), Akamai

Online availability is the lifeblood of many organisations today, so it’s easy to forget that the internet is inherently insecure. Underinvestment in IT security, growing political and commercial incentives and accessibility to sophisticated attack toolsets has left many enterprises vulnerable to the explosion in online crime. Cyber-espionage, for example, is on the rise, as typified by recent activities from the DD4BC group. Their Distributed Denial-of-Service (DDoS) campaigns threaten to render particular websites inaccessible, unless a payment (anonymised via bitcoin) is made. In the absence of a highly scalable security solution, victims often pay, knowing that further downtime could result in huge online revenue losses and brand damage. Akamai’s 2015 Q1 State Of The Internet Security report quantified these trends, stating that the number of DDoS attacks across its network, which carries 15-30 per cent of all web traffic, more than doubled since Q1 2014. With the average cost of a successful cyber-attack now exceeding £1m, it’s easy to understand why online business continuity has made it to the boardroom. 07900 166427 atooth@akamai.com

Dwayne Melancon
VP of research and development/CTO, Tripwire

Most companies evaluate cyber-security risks using the same risk/reward calculations used for other business risks. In addition, competitive pressures to deploy cost-effective business technologies can affect resource investment calculations for cyber-security investments. These competing business pressures mean that conscientious and comprehensive oversight of cyber-security risk at the board level is essential. However, it can be very difficult for technology executives to accurately convey the rapidly changing shape of cyber-security risks to non-technical executives and board members. It’s also very challenging to tie security to business initiatives, and the metrics needed to standardize the evaluation of cyber-security risk are still emerging. The good news is that substantive conversations about effective management of cyber-security risks are beginning to happen at all levels of the organisation. These conversations are a critical opportunity for the security industry; we need to deliver information that will help build executive cyber-security literacy so they can make better cyber-security risk management decisions. Twitter: @ThatDwayne http://www.tripwire.com/state-of-security/contributors/dwayne-melancon

Peter Wood
CEO, First Base Technologies LLP

Today, the most innovative security professionals are looking for new security practices that add real value to the business. However, sometimes it’s possible to take a new concept and turn it into a truly ground-breaking idea that directly addresses a major security challenge. Recently a client engaged us to conduct a red team exercise – a process that involves completely reimagining traditional security testing into a simulated criminal attack under controlled conditions. This advanced concept mimics the real-world targeted attacks that businesses face on a daily basis, and delivers the true business impact of a breach. What was truly innovative in this case? Our client took the results of the exercise and created an engaging, story-based presentation and delivered it to all levels of the business worldwide. The result was an awareness campaign that staff talked about with enthusiasm and recommended to their peers, strengthening the organisation’s security in that most vulnerable area – the human firewall. +44 (0)1273 454525 http://firstbase.co.uk

Pravin Kothari
CEO and founder, CipherCloud

With the typical enterprise consuming 1,100 cloud applications, cloud is the killer app for security. By enabling the convenience of the “anywhere, anytime” revolution, cloud is projected to become a $106 billion market by 2016. But the accelerated productivity and go-to-market benefits introduce additional risks to the enterprise. Expanding the corporate perimeters exponentially increases vulnerable entry points for surveillance, breaches and other attacks. Snowden, Target and Sony all reflect the ubiquitous threats facing sensitive data in the dispersed network of the cloud. These risks also demonstrate the intermingling of security with privacy, residency and compliance. Security has become a boardroom issue because inadequate protection tools create a chain reaction of breaches to these other elements. The most immediate remedy is innovation in the layer between the cloud and the enterprise. As Gartner recently noted, the cloud security access broker (CASB) space is the fastest growing security segment. Expect more developments from CipherCloud and other leaders in this space at the upcoming InfoSecurity Europe. sales_emea@ciphercloud.com

Nathan Wenzler
Senior technology evangelist, Thycotic

From limited budgets, to lack of organisational support, to the ever-expanding nature of where critical data is stored, security organisations have more challenges now than ever. Attackers have more tools and methods with which to launch attacks and compromise systems, which makes it increasingly important for security teams to find cost-effective, efficient, easy-to-use solutions that can automate and bolster the layers of defence to prevent such attacks. Even from a non-technological standpoint, security teams are often fighting against the internal culture of their organisation, which views security as “hard” or “too much of an obstacle”. These types of challenges can be even harder to overcome, but are no less critical to the success of any security programme. Without support from leadership and buy-in from admins and end-users, no amount of change, process or toolsets you implement will ultimately be successful in protecting critical data and securing the organisation. +44 (0)20 3608 4323 www.thycotic.com

Florian Malecki
International product marketing director, Dell Network Security

Organisations are spending more than ever on IT security, both to comply with internal and regulatory requirements and to protect their data from cyber-threats. Yet each year, high-profile data breaches continue to fill the headlines, sabotaging the reputations, relationships, and revenue of the businesses that are victimised. It’s clear that global cyber-crime is alive and well, and will only continue to be pervasive as long as organisations delay taking the necessary defence measures to stop threats from slipping through the cracks. Dell Security’s 2014 Threat Report saw a 109 per cent increase in the volume of HTTPS web connections in 2014. Managing threats against encrypted web traffic is complicated. Just as encryption can protect sensitive financial or personal information on the web, it unfortunately can also be used by hackers to inject malware. Tel: +44 (0)1932 579 321 www.dell.com/security

Stephen Midgley
Vice president of global marketing, Absolute Software

One of the main challenges organisations face is how to protect a rapidly growing database of information on mobile devices. Not long ago, business-critical and sensitive corporate data was protected behind the walls of a robust data centre. Today, with the growth of mobile deployment, this dynamic has changed drastically. Most employees have the ability to access sensitive information directly from their mobile devices and we often see that the security infrastructure of an enterprise becomes far less effective and secure as it reaches endpoints. Not only do we need to be concerned with the event of the breach itself, but the financial implications of non-compliance with regulatory bodies can and have proven to be incredibly costly. Organisations need to implement a layered approach to security in order to address the wide range of sophisticated attack vectors that we commonly see. smidgley@absolute.com www.absolute.com

Simon Whitburn
Executive VP, global sales, Resolution1Security

There is too much industry focus on the network, and not on endpoints. The industry has gravitated towards developing network security products because TCP/IP (first developed in 1975) hasn’t changed in years and there is a false belief that if you watch the front door, you’ll catch every attacker since they have to traverse the threshold. Unfortunately, that’s not true. With so much innovation around Bring Your Own Device (BYOD), tablets, smartphones, VPN, and so on, workers are becoming much more mobile. A laptop that is on the network and protected by multiple layers of network security at work is then virtually naked when it leaves the protective shell of the enterprise. What most of the industry has failed to notice is that the data lives on the endpoint and it’s constantly going on and off network, which really extends the “attackable surface” by which threats can get in. There needs to be much more focus on endpoints, and less on network. swhitburn@resolution1security.com www.resolution1security.com


