Security Advisor Middle East | Issue 1


Issue 1 | January 2016 www.securityadvisorme.com

Cover stories: Top security predictions for 2016; The wild, wild west of IoT security; Common cybersecurity myths

Rapid response: Rapid7 CEO Corey Thomas on tackling the new breed of attacks




CONTENTS

Top security predictions for 2016: Industry experts and analysts give insights on what they foresee for the security industry in 2016.

Clear and present danger: Corey Thomas, CEO, Rapid7, talks about his views on the changing threat landscape and the company’s long-standing partnership with Spire Solutions.

Cybersecurity myths debunked: Dispelling fundamental security myths that cause organisations to incorrectly assess threats, misallocate resources, and set inappropriate goals.

The dark side of layered security: We take a look at layered security’s unintended consequences and why it can sometimes cause more damage than good.

Next-gen cybersecurity threats: Digital Guardian’s Luke Brown on the new wave of attacks that will shape the security threat landscape.

The wild, wild west of IoT security: In the case of Internet of Things security, it’s the Wild West out there. With over 25 billion connected ‘things’ in use by 2020, the potential for trouble seems to be endless.

Bring your own encryption: How the BYOE security model can give cloud customers complete control over the encryption of their data.

GROUP
Chairman and founder: Dominic De Sousa
Group CEO: Nadeem Hood
Publishing Director: Rajashree Rammohan, raj.ram@cpimediagroup.com, +971 4 375 5685

EDITORIAL
Group Editor: Jeevan Thankappan, jeevan.thankappan@cpimediagroup.com, +971 4 375 5678
Editor: Annie Bricker, annie.bricker@cpimediagroup.com, +971 4 375 1643
Deputy Editor: James Dartnell, james.dartnell@cpimediagroup.com, +971 4 375 5684
Online Editor: Adelle Geronimo, adelle.geronimo@cpimediagroup.com, +971 4 375 5683

ADVERTISING
Commercial Director: Chris Stevenson, chris.stevenson@cpimediagroup.com, +971 4 375 5674
Group Sales Director: Kausar Syed, kausar.syed@cpimediagroup.com, +971 4 375 1647
Sales Manager: Merle Carrasco, merle.carrasco@cpimediagroup.com, +971 4 375 5676

CIRCULATION
Circulation Manager: Rajeesh M, rajeesh.nair@cpimediagroup.com, +971 4 375 5682

PRODUCTION AND DESIGN
Production Manager: James P Tharian, james.tharian@cpimediagroup.com, +971 4 375 5673
Designers: Analou Balbero, analou.balbero@cpimediagroup.com, +971 4 375 5680
Neha Kalvani, neha.kalvani@cpimediagroup.com, +971 4 375 1644
Photographers: Charls Thomas, Maksym Poriechkin

DIGITAL SERVICES
Web Developers: Jefferson de Joya, Abbas Madh, webmaster@cpimediagroup.com, +971 4 440 9100

Published by CPI. Registered at IMPZ, PO Box 13700, Dubai, UAE. Tel: +971 4 440 9100, Fax: +971 4 447 2409. Printed by Al Ghurair Printing & Publishing.

© Copyright 2016 CPI. All rights reserved. While the publishers have made every effort to ensure the accuracy of all information in this magazine, they will not be held responsible for any errors therein.


SECURITY TRENDS

Top security predictions for 2016

Experts and analysts take their best guesses on what form cybersecurity will take in 2016.

Even the best-informed people in the security industry don’t have an infallible crystal ball. However, being effective in an ever-more-rapidly evolving threat environment means looking ahead. An accurate prediction can help an organisation protect itself better. A wrong one can mean less ability to prevent or respond effectively to a breach that can damage reputations, the bottom line and more. So, here are some best guesses about 2016 from vendors and analysts.

What will be the cybersecurity trends to watch out for in 2016?

Cherif Sleiman, GM-Middle East, Infoblox
In 2016, globally the motive of cyber attacks will shift from plain denial of service towards financial gain from attacks. Last year it was mostly about toying with organisations or bringing services down. This year will see a reversal of trend to how we can get sensitive data out from organisations and monetise that as hackers. We will continue to see cyber warfare and hacktivism in this region given the geopolitical situation. DNS has become the number one threat vector today, whether for denial of service or data exfiltration. This trend will continue in 2016. Malware will be another of the biggest threats. Today’s trends such as SDN and cloud have de-emphasised the network. Network attacks will move to application attacks and attacks on DNS infrastructure, because without applications and DNS, organisations cannot transact business.

Harish Chib, VP-MEA, Sophos
One of the significant trends that will be evident next year is that Android exploits will become prevalent. While there are known vulnerabilities on the Android platform, so far most hackers have ignored them. But not for long. With the rise in popularity of third-party app markets, you will find many people being tricked into granting malicious apps control of the Android Accessibility service. There is also a very good chance that we will see the mainstreaming of iOS malware. As more and more apps enter the market, cyber criminals will keep trying to get past the stringent vetting processes that Apple is famous for. Many of them will succeed. The good news is that data protection legislation will get more stringent and companies will be subject to expensive fines if customer data falls into the wrong hands. This will provide much needed impetus to organisations to keep improving their security posture for ensuring sophisticated attacks aren’t able to dent their networks or endpoints.

Tom Scholtz, VP & Gartner Fellow, Gartner
The main challenge will be for organisations to respond to the challenges associated with digital business: more devices, more data, more transient business relationships, and less control by central IT.

What do we need to learn from the breaches in 2015?

Mark Morland, Regional Sales Director, Middle East, Dell SecureWorks
Security incidents, and the financial impact associated with them, are still a problem. We are seeing the cost of remediation and the resulting loss of business or customer trust from breaches grow considerably across all industries, and this will continue in 2016. Hackers are increasingly targeting third parties and suppliers as a way into organisations rather than attacking the organisation directly. Suppliers create added vulnerability in the organisation’s supply chain, so businesses need to take measures to mitigate the risks.

Ghareeb Saad Muhammad, Senior Security Researcher, Global Research & Analysis Team, Kaspersky Lab
In 2015, even home users who are not interested in information security heard about stunning security incidents such as those of Sony Entertainment or the dating website Ashley Madison hack. Perhaps for the first time in history, issues relating to the security of the Internet and the protection of internal networks were discussed by and relevant to every sector of the economy as well as everyday life: from finance, manufacturing/industrial, automotive and aircraft to wearable devices, healthcare, dating services and more. This makes it clear that cybersecurity is not something one should leave until it happens; one must prepare proactively to prevent rather than mitigate.


What kind of new technologies pose the biggest cybersecurity threats to the enterprise?

Glen Ogden, Regional Sales Director, Middle East, A10 Networks
Every day, attackers conspire to take down applications and steal data, leaving data centre infrastructure in the crosshairs. Storing the most valuable and most visible assets in the organisation – the web, DNS, database, and email servers – data centres have become the number one target of cyber criminals, hacktivists and state-sponsored attackers.

Patrick Grillo, Senior Director, Solutions Marketing, Fortinet
The Internet of Things continues to grow, and presents an inviting target to a cyber attacker. Many of these devices are by design reachable from the public internet, and so firewalls are often bypassed. In other cases, devices are controlled from a vendor web portal. Because of the aggressively competitive marketplace for consumer devices, security is not a primary design goal, and so vulnerabilities are regularly found. If a device is compromised, it can be used as a stepping stone to a higher-value device such as a PC or tablet, or maybe a corporate smartphone. The number of attacks on mobile devices is expected to continue to rise, as the number and performance of devices increase. The quality of information (identity and positional, for example) makes them a good target for identity theft, and the connectivity options (Internet, voice, SMS) provide many options for the cyber criminal to monetise the attack.

How can enterprises in the Middle East respond faster and more comprehensively to security incidents?

Raimund Genes, Chief Technology Officer, Trend Micro
According to a popular saying, ‘an ounce of prevention is worth a pound of cure.’ While it can be applied to a lot of things, prevention is way cheaper than having to deal with a cure when you’re talking enterprise security, especially when you consider how much damage a data breach and other threats can do to an organisation.

Spotting bad links – Being constantly connected exposes users to various online tricks and scams that can compromise not just one user, but everyone else on the victim’s network. Learn how to spot malicious ads, spam and email scams, online banking fraud, and other schemes.

Encrypting your work email – Despite the number of communication platforms available today, email still remains the most popular and widely-used platform for business correspondence. A single email can contain vital data and personal information that can make or break a business, so one must learn to err on the side of caution. You can also set up email encryption for webmail accounts.

Spotting frauds on professional networks – Everyone’s on social media these days, and there are social networks designed for different purposes — including ones that offer a way to connect professionals. Unfortunately, scammers and attackers know this too. Be on the lookout for suspicious elements that could trick you into divulging sensitive company information on professional social networks.

Avoiding being your company’s weakest link – Data breaches aren’t entirely caused by external factors. Sometimes human error and employee negligence can play a part in unintentional data distribution.

Identifying and dividing networks and users – Network segmentation — allowing control on both user privileges and network traffic — is of crucial importance in the fight against targeted attacks.

Categorising data to fight insider attacks – Insider threats are not just a thing of the movies anymore; they’re also the reality of many vulnerable networks. The good news is that they are avoidable.


cover feature

Clear and present danger

We caught up with Corey Thomas, CEO, Rapid7, to talk about his views on the changing threat landscape, new attack vectors and the company’s long-standing partnership with the regional security SI, Spire Solutions.

What brings you to Dubai this time?

We have a number of customers both in Dubai and in the region. Spire Solutions is a long-term partner who has had great success in the area. So, I wanted to get out and meet some of the customers and prospects and spend some time with the team at Spire.

Despite the latest and greatest security technologies, organisations continue to get breached on a daily basis. Should we plan to fail and try to minimise the impact?

Absolutely we should plan to fail. I think this is a solvable, addressable problem, not in some distant future but today. The reason you see so much failure is because people have a fundamental confusion about what type of conflict we are engaged in. It is clearly not a physical or armed conflict, but people confuse it for a technology conflict. But it is not a technology conflict; instead it is an intelligence conflict. Therefore, the reason that we fail is because people actually think if they have the latest technology or the latest firewall, they are going to be safe. It is not about the latest preventive technology, but about how well you manage your overall ecosystem and how quickly you can detect the attacks. That is an achievable goal today, but it does depend on how well people can collect and gather information, how well they can gather talent and how quickly they can apply the talent.

So I think it is solvable now. To answer your question about companies being inevitably breached despite all the latest technologies – my answer is yes. Companies are going to be breached, but what makes a difference is how well they manage the situation. We believe that with good information and best practices, organisations can minimise the number of successful attacks, and when attacks do happen they can respond quickly and effectively.

I think all along the focus has been on prevention, but not much on remediation or prevention. So what kind of security posture or defensive mechanism would you recommend to your customers?

Absolutely. Too much focus has been on what we call the preventive technologies. That’s what I call ‘deploy and forget’ – when we deploy the firewall or endpoint we tend to forget all about security. That’s an unmanaged, insecure state. What we recommend is investing in preventive technologies, which can control the environment, while ensuring that you manage your exposure. Then you should have the right visibility to know what your weaknesses are and have a programme to minimise your attack surface. That’s the first part – having a low attack surface. The second part is to have detection mechanisms in place where you can detect the attacks as and when they happen. Most companies spend more money on preventive controls and almost no money on the ability to either manage their attack surface or detect the attacks when they happen.


The security landscape has definitely changed. You are talking about APTs, a new breed of attacks, and security is very complex now. Are we still using the old approach to security, using the old frameworks? What needs to change? Do we need to rethink security radically?

Here is what needs to change – most people are under the illusion that it is about stopping malware and stuff like that, which is really a failed concept. Because bad guys are able to change the type of technology they use, people don’t focus on understanding or managing the root cause of security weaknesses in their environment. We have a radically simplified approach when we think about security. First off, manage your own weaknesses and the threat environment. Second, don’t focus on the malicious technology; instead focus on malicious people. Let me explain what I mean by that. Malicious technology can change on a daily or hourly basis. Therefore, it is hard to detect and identify. If you think about malicious people, though, a person’s behaviour doesn’t change. Attackers can use thousands of different techniques to get into your environment. But the second the attacker gets into your environment, they are blind. What do they have to do? They have to get visibility into the environment. They have to figure out where they are and map out the environment. That behaviour doesn’t change. If an attacker wants to compromise your environment, they are going to have to go from one machine to another. Our research’s focus has been on how we identify the underlying behaviour that attackers use, not on the specific malware or malicious technology. This is why Rapid7 has been so successful: because we understand the vulnerabilities that they target, we understand the behaviour they use to move around the environment. Understanding an attacker’s behaviour gives you an ability to actually think ahead and to be able to stop them and to be able to compromise.

How can you get that kind of pervasive visibility across endpoints, networks, virtual and cloud environments? It is a bit of a holy grail, isn’t it?

It is not a holy grail. We are doing it today. There are a couple of difficulties that do present themselves. The first one is that visibility is tricky because we made it difficult to collect information. This is one of the reasons why we focus so much on agentless data collection combined with other techniques. If you think about the ways people have historically collected data, it all required either log-based data in the data centre or agents. We have an agentless data collection technology based on Nexpose, our vulnerability management solution. It can collect endpoint data, local data, cloud-based data, and we use that to analyse the attack surface. So data collection is going to be a big investment and that is part of why we are successful. The second thing is that you have to be able to analyse the data in context, and this is where we are spending a lot of time. Because this is very CPU intensive, we have a hybrid model today where we do it on-premise and in the cloud. The challenge is that in an on-premise environment it is prohibitively expensive. So for customers who don’t have the resources or money, we do it in a cloud environment.

Do you think vulnerability management will be the cornerstone of security?

The way we look at it is that security data analytics will be the cornerstone of security, of which vulnerability management is a core part. But we really think about it as how you collect data across users, assets and controls and analyse that data to both understand threats and exposures and also detect attacks. What we have done is that we have taken the traditional concept of vulnerability management and turned that around into a larger concept of analysing threat exposures. That’s important because companies need to manage their overall threat exposure, as this is what makes them vulnerable to attacks. So, if I have a vulnerability but have limited control to cap its impact, then our data analytics won’t matter as much. Therefore, what you really want to analyse is which vulnerabilities are most likely to cause compromise, and that’s what we are focusing on.

You have had a long-standing relationship with Spire Solutions. How do you see this relationship evolving in the near future?

Spire has been an amazing partner and our business has grown together over time in this region. We see them as a long-term strategic partner as we provide great technology, expertise and capabilities on security data and analytics both in Dubai and the Middle East in general.



Opinion

Common cybersecurity myths debunked

By Michael R. Overly and Chanley T. Howell, Partners and IP Lawyers at Foley and Lardner

One of the greatest challenges for organisations attempting to address cybersecurity risks is the number of fundamental security myths that cause organisations to incorrectly assess threats, misallocate resources, and set inappropriate goals. Dispelling those myths is key to developing a sophisticated, appropriate approach to information security. All too frequently, security is thought of as ensuring that data cannot be accessed or used for unauthorised purposes or by unauthorised users. While this is certainly a key concern, the systems and networks on which the data resides must also be protected against attack. For example, a Denial of Service (DoS) attack is not aimed at gaining access to a business’ sensitive data, but at preventing others, such as the business’ customers and business partners, from accessing and using that data.

MYTH #1: ‘IT’S ALL ABOUT PRIVACY’

Another common misconception is that security only relates to the protection of personally identifiable information. While protecting personal information is clearly of critical importance, other types of information assets must also be protected. Additional information assets include trade secrets and other intellectual property (such as source code for a company’s software products), competitive information (such as customer and supplier lists), pricing and marketing data, company financial information, and more. It is particularly important to ensure all forms of confidential and proprietary information are protected when entering into relationships with vendors and business partners.

MYTH #2: ‘IT’S ALL ABOUT CONFIDENTIALITY’

When talking about security, the tendency is to focus on the most obvious element: ensuring data is held in confidence (i.e., the data is not used by unauthorised individuals or for unauthorised purposes). For data to be truly secure, it must be confidential, its integrity must be maintained and it must be available when needed. These are the three prongs of the well-known information security acronym ‘CIA.’ ‘Confidentiality’ means the data is protected from unauthorised access and disclosure. ‘Integrity’ means the data can be relied upon as accurate and has not been subject to unauthorised alteration. A few years ago, a well-known hacker magazine ran an article designed to educate employees who thought they were going to be laid off on how to harm their employers. In particular, the article suggested ways employees could easily corrupt company databases to render them unreliable; these included changing account numbers for key suppliers and changing invoice addresses, among others. ‘Availability’ means the data is available for access and use when required. It does no good to have data that is confidential and whose integrity is maintained if the data is not actually available when a user requires it. For example, DoS attacks are specifically designed to prevent availability of key systems and data, rather than to compromise confidentiality or integrity.

MYTH #3: ‘TO BE A HACKER, YOU MUST BE A TECHNOLOGICAL GENIUS’

It is a common error for businesses to focus security measures on the professional hacker, or on protecting against individuals or entities that are highly skilled in programming and technology. Such skills are, however, no longer a prerequisite to hacking. Today, someone with little or no knowledge of technology can find online easy-to-use hacking tools capable of causing substantial harm to a business. These individuals are sometimes referred to in the hacking community as ‘script kiddies,’ because they require no real hacking knowledge. There is also a wide range of readily available books that can quickly educate technological neophytes regarding hacking. One popular book even includes a chapter entitled ‘How to be a hacker in thirty minutes.’ Finally, one of the most effective means of hacking used today is social engineering, which requires no technological skills whatsoever. Rather, to be an effective social engineer, all that is required is self-assurance and a knowledge of human nature. One prevalent form of social engineering is phishing, in which a hacker sends fake emails that try to solicit sensitive information or include attachments that install malware that can infect a company’s network. Phishing attacks and other social engineering techniques were used recently to conduct a concerted attack on banking institutions worldwide, causing losses of $300 million or possibly as high as $1 billion.

MYTH #4: ‘I CAN ACHIEVE 100 PERCENT SECURITY’

Finally, one of the most common misconceptions about security is that complete security can be achieved and that complete security is required by law or industry practice. Neither is correct. Both laws and industry practices require businesses to do what is ‘reasonable.’ Complete security is not required or even realistic. Studies show that it would require businesses to increase overall security budgets nine-fold to address just 95 percent of the threats. That increase would, in most cases, exceed the overall budget for the entire business. There is a fundamental paradox with regard to security efforts: as security protections increase, usability of the secured systems decreases. That is, the greater the security, the less useful the thing secured will be. It is, for example, possible to completely secure a mobile device, such as a smartphone. All that is necessary is to (i) put the device into airplane mode and (ii) lock the device in a secure safe. While complete security has been achieved, usability has been reduced to zero. A balance must always be struck between effective security measures and usability of the data or system being secured.

Lessons learned

While protecting a business’ data is key, a well-crafted approach to security requires protection of the systems on which that data resides and the networks through which the data is accessed. In most instances, a practice known as ‘security in depth’ should be employed. That practice recommends the use of multiple layers of protection from threats. For example, to address phishing attacks, a company can begin with employee education on opening unidentified emails. As a further measure of security, the business could combine that training with anti-virus software and possibly software specifically designed to detect phishing. All sensitive and proprietary information, not just subsets of that data, must be accounted for in addressing and mitigating cybersecurity threats. Protection of those information assets must be addressed not only within the company, but also with its external vendors, contractors, and other partners. The headlines are replete with security breaches that resulted from a business entrusting its data to a third-party vendor that had inadequately protected its systems. When assessing security measures, the concept of CIA should be a foundational requirement. Specifically, security controls must be designed to address not only the confidentiality of data, but the integrity and availability of that data. Hackers know all the tricks. If they cannot get access to data, they may target denying others that access or finding ways to corrupt the integrity of that data. Never underestimate the effectiveness of social engineering and other similar ‘non-technical’ attacks. Every business experiences these attacks on a daily basis through phishing and other means. Appropriate, repeated training for employees is one of the most important steps in mitigating this substantial threat.
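As an added illustration of the integrity prong of CIA discussed in this article (this is example code written for this page, not the authors’ or Foley and Lardner’s): a small Python check that tags each supplier record with an HMAC under a key held by the application, so that a record altered directly in the database, such as a changed account number or invoice address, no longer verifies. The key, the supplier table, and the simulated edit are constructed sample values.

```python
import hmac
import hashlib
import json

# Constructed sample key. In a real deployment it would live in a key store
# accessible to the application but not to database users or administrators.
INTEGRITY_KEY = b"example-key-do-not-use-in-production"


def canonical(record: dict) -> bytes:
    """Serialise a record deterministically so identical data always gives identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_record(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return a copy of the record carrying an HMAC-SHA256 tag over all its other fields."""
    body = {k: v for k, v in record.items() if k != "tag"}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


def verify_record(record: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the stored tag matches the record's current contents."""
    body = {k: v for k, v in record.items() if k != "tag"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    # compare_digest is a constant-time comparison, so the check itself leaks
    # nothing about how many characters of the tag matched.
    return hmac.compare_digest(expected, record.get("tag", ""))


def find_tampered(records: list) -> list:
    """Return the supplier_ids of records whose contents no longer match their tag."""
    return [r["supplier_id"] for r in records if not verify_record(r)]


# Constructed sample supplier table, tagged at the time the records were written.
SUPPLIERS = [
    sign_record({"supplier_id": 101, "name": "Acme Widgets",
                 "account_no": "12345678", "invoice_addr": "1 Main St"}),
    sign_record({"supplier_id": 102, "name": "Globex",
                 "account_no": "87654321", "invoice_addr": "2 High St"}),
]


def tampered_copy(records: list) -> list:
    """Simulate, for testing the check, the edit the article warns about:
    an account number changed straight in the database without going
    through the application, so the tag is not recomputed."""
    edited = [dict(r) for r in records]
    edited[1]["account_no"] = "00009999"
    return edited


if __name__ == "__main__":
    print("tampered before edit:", find_tampered(SUPPLIERS))
    print("tampered after edit: ", find_tampered(tampered_copy(SUPPLIERS)))
```

The check only detects alteration; it does not prevent it, and it assumes the key is kept out of reach of whoever can edit the table. A periodic run of find_tampered over the live table, with alerts on any result, is the kind of detective control that backs up the preventive ones the article recommends layering.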



Opinion

Top 5 trends to watch in 2016

In 2015, several high-profile security breaches kept the topic of cybersecurity in the headlines — and the next 12 months don’t look any different, writes Matt Gyde, Dimension Data’s Group Executive – Security Business Unit.

As organisations look to change their business models to adapt to the digital economy, they’re also looking to change their security posture to defend against cybercriminals. In an increasingly connected world — of social media, mobility, and cloud — the need for greater intelligence and insight will give businesses a stronger and smarter security stance. However, the complexity of the new digital environment is informing some radical new approaches when it comes to security in 2016.

Trend 1: Security steps up to meet the digital age

The chief information security officer (CISO) faces a new headache: digital complexity. The digital world has changed how organisations communicate with the world out there. The rapid increase in how we use technology to communicate has led to more data and more points of entry or breach. Because of the rapid pace, security hasn’t adapted fast enough. We saw this in the explosion of hacks in 2015. CISOs will now have to take a hard look at new policies and processes to address this as an urgent item on the security agenda in 2016. Information security, like any other discipline, has to be re-evaluated and re-aligned as part of digital transformation. Social media plays a fundamental part in this journey. People aren’t holding back on social media — they’re sharing more than ever before. Sadly, cybersecurity policies haven’t accounted for this. In the new year, these will have to gain alignment fairly rapidly as organisations strive for a greater depth of security. For example, a disturbing new trend is ‘whaling’ — where hackers target senior executives with ransomware, demanding money or using their information fraudulently. The challenge is to protect an individual and not just their cyber presence. We also predict that forensics will be even more important in the coming year. As people use different types of technologies in the digital enterprise, these technologies will all be increasingly subject to exploitation. As the stakes get higher, businesses will need to continuously scan the Dark Web as cybercriminals become more bold and deliberate. The reality is that no enterprise, no matter its size, can avoid security incidents anymore. Instead, the enterprise must be able to anticipate them, and have the capability to identify and respond to these threats, often in real time. Many of our clients are seeing the value in outsourcing information security activities to third parties as part of their efforts to mitigate risk and bolster their defences.

Trend 2: Cloud shatters the perimeter

As organisations move security controls from a traditional perimeter to cloud-based providers, the traditional corporate network is becoming irrelevant. The adoption of cloud platforms and security-as-a-service will continue in 2016. We’ll see CISOs moving more of their perimeter security controls to these platforms as part of their efforts to reduce their physical footprint and the costs associated with traditional infrastructure. When you’re able to turn security controls on and off as needed, and enable your security in real time, there are obvious benefits but also hidden management complexities. The perimeter was always considered the ‘catch-all’ for critical applications and workloads — such as ERP, bespoke applications, intellectual property, and so forth. But the cloud has now shattered that paradigm. Users and their devices are no longer confined to a single location — and the same applies to the data they’re accessing. In fact, some applications may not reside in a facility or location that businesses even know about. The trend will be to start following, or tracking, workload applications and securing them wherever they ‘live.’ In essence, organisations will need to replicate their on-premise security controls in the cloud. However, it’s important to keep in mind that these workloads and applications behave very differently from a network from a security point of view — they’re often a lot more unpredictable. While perimeter security remains critical, security in the time of cloud and digital needs a new approach as we start to see the emergence of hybrid security infrastructures. The challenge, as we move into the new year, is to have policy and event management that can be controlled centrally, regardless of the location of the application or data.

Trend 3: Business adopts a ‘seize’ mentality

A year ago, we predicted a resurgence in interest in endpoint security. Security professionals were starting to take a closer look at their devices — whether a PC, Mac, smartphone, or tablet — for indicators of compromise. Because companies have allowed so many employees to bring their own devices into the corporate environment, traditional network-based security controls aren’t able to keep up. This is motivating many organisations to seize control of the security of devices at their endpoints without restricting a user’s mobility or productivity. The focus now will extend into applications and patching. We expect businesses to start exploring methods to validate the safety of applications before allowing users to download these applications onto their devices. Identity will become more linked to the network as IT teams put individual users in the cross hairs: Where are they located? What information can they access? What device are they using? Some of our clients are already talking to us about leveraging a system where devices or endpoints can evaluate and ‘rank’ local applications according to a perceived level of risk. We’re really moving away from a signature-based identity model to a proactive approach — where you can verify the ‘intentions’ of an application before allowing it to be downloaded. One thing we’ve noticed is that organisations struggle to create a business case for user awareness activities. We’ve worked with our partners to create a series of security awareness videos — called Inside Security — and we’re making these available to the community at no cost. For security professionals, the caution is that the critical applications and workloads you need to protect may not be on the network anymore. You won’t understand the masses of data traversing your environment in the digital era without intelligence.

Trend 4: Intelligence takes on a defensive stance — keep your eye on the target

Intelligence can’t be separated from any security initiative as we move into the next 12 months. With better intelligence, you can get smarter about security — taking a proactive rather than a reactive stance. All too often, businesses fall victim to malicious attacks because the monitoring and control systems in place provide them with too little information, too late. These traditional approaches to gathering intelligence tend to put you on the ‘back foot.’ Not only should your security allow you to anticipate attacks, but it should also allow you to take the appropriate action. We believe organisations should take a ‘one-two punch’ approach to

“Most security professionals have masses of unstructured data at hand. The next step is to put this data in a structure that gives you a level of intelligence to make an informed decision on how to adapt your security posture.”

intelligence. It’s important to keep your eye on the target and not on the ground. The first is to engage a managed security services provider — to give you information about possible or real threats to your systems. The second is to augment these insights with deeper threat analysis and reporting. This is where data will give you a stronger stance. Most security professionals have masses of unstructured data at hand. The next step is to put this data in a structure that gives you a level of intelligence to make an informed decision on how to adapt your security posture. In this way, you’re making better decisions and taking swifter action based on the events you’re seeing in your environment. Trend 5: Hypervirtualised, softwaredefined security — the appliance is dead, long live the (virtualised) appliance If anything, 2016 is set to be the year of hypervirtualised security. The firewall was always seen as the first and last line of defence for preventing threats, but this can lead to a false sense of security or, worse, an attitude of complacency. With workloads dispersed over the Internet, security professionals will need to think of new strategies to

build and secure critical applications and workloads in a variable security environment. It’s about taking the physical hardware of the firewall, which is sold as an appliance, and making it a software-based entity. In this way, you start solving a software problem with software. As with software-defined networking, software-based security will help create an agile and flexible infrastructure, When you start to virtualise fullfeature security workloads, you unlock true portability and cost efficiency. As vendors are required to deliver consumption models to their customers they may see their sales dip but then even out and become more consistent. While there may not be large once-off hardware sales, vendors will start to see more repeatable and predictable sales. Those enterprises making their foray into the digital space will be reap almost immediate benefits. Firstly, they’ll have more agility as there are no expensive assets to write off at the end of a cycle; secondly, they’ll be able to change their strategy to adapt to security concerns as they manifest in their own environments. We predict that IT purchasing patterns of business will start to change in 2016, as businesses start to ‘take back’ security into their own hands. www.securityadvisorme.com



interview

Cloud security

When it comes to successfully managing cloud use within the enterprise, some security organisations try to establish and enforce firm lines between what is permissible and what is banned, while others try to learn what their employees are trying to achieve and help them do so more securely. To get a sense of what enterprises think about cloud deployments and cloud security, we recently reached out to Jim Reavis, Co-founder and Chief Executive Officer, Cloud Security Alliance. As a nonprofit, the Cloud Security Alliance promotes the use of security assurance best practices in cloud computing, as well as cloud computing education.

Reavis is an information security industry vet and has advised on industry business launches, mergers and acquisitions, and IPOs. Since its founding, the Cloud Security Alliance has launched numerous successful cloud security efforts, including the cloud security provider certification programme, the CSA Security, Trust and Assurance Registry (STAR), a cloud provider assurance programme of self assessment, third party audit and continuous monitoring, and the cloud security user certification the Certificate of Cloud Security Knowledge (CCSK). The Cloud Security Alliance also provides research programmes in collaboration with the industry, higher education, and governments in areas of cloud computing, mobile, and Internet of Things.

In your role as president of the Cloud Security Alliance, where do you see the state of enterprise cloud adoption right now?

When it comes to cloud, enterprises are really all in. They’re doing a lot more of their mission critical activities in cloud. The security around their cloud implementations is growing as well. Enterprises are getting better at securing their cloud environments and you’re seeing the tier one cloud providers certainly investing in the security of their services. Because of the scale of their services, they can invest in security in ways that enterprises just can’t on their own. We’re also starting to see the impact of the economics and scale when it comes to security investments, and that’s true whether it’s sophisticated intrusion detection, identity management or event monitoring. They’re building a level of security in their systems that surpasses what a typical enterprise can do. Their level of investment is why we’re seeing that the bad guys will target cloud users and not try to breach the cloud provider itself directly because they are much more secure. Enterprises also are learning now how to transition into cloud and to understand the level of security they are getting from cloud providers. Enterprises will always have a role in securing their cloud deployments, whether it’s more of the implementation of the technical controls inside private cloud or if it’s more due diligence and procurement efforts and looking for the assurance from the providers that they adhere to secure practices.

That’s interesting. What do you see the catalysts being to change how enterprises rethink cloud security?

It’s human nature to become attached to our servers and systems. Many enterprises have this mentality, and they will even name their servers after pets. With physical machines, they very much had a defensive posture that prized keeping that system up for years and years. If there was a breach, they would identify it and try to cleanse that system because the cost of taking things down, the cost of downtime, could be severe. That creates entropy and systems just lose a lot of stability. As a result of virtualisation, orchestration, and automation tools, what I’m seeing some of the enterprise leaders in this area do now is, instead of finding and cleansing malware, they just destroy the virtual machine and launch a new instance that points to the data source. There’s no downtime and no loss of production time doing the forensics. They just basically reimage that virtual machine. They’ll do the forensics later in a different way, and after cleaning up and restarting their infected workloads.

I also think that organisations are investing more into indicators of compromise as well as into being able to react more quickly when there is a breach. They understand that attack surfaces are becoming vast with the growth of apps and all the mobile endpoints. This creates a need for more agility in reacting to security issues and incidents. They are also investing more in sharing information in their industries, and we are seeing more interest in participating in ISACs or having more of these sorts of relationships to share best practices.

I would imagine that security analytics plays an important role here. Many of the things you just described have a lot of metadata and other data around them, so the need for security data analysis is probably much higher now than five years ago.

That’s a really good point. A lot of what I was talking about when it came to investing in incident response included security analytics. A lot of that type of response requires that organisations invest in security analytics. Enterprises can gather all of their different data points across their infrastructure and cloud systems and see that certain data indicators probably increase their confidence level that a breach occurred, and then those data will help them to figure out what to do there. This is transforming a lot of how we think about securing our systems. There’s no doubt about that.

When it comes to companies today that are successful in how they manage cloud in their environment, what are some of the things you see them doing to manage risk and embrace innovation, but in a mature way?

Gentle policing based on very strong knowledge of how their organisation is using cloud is very important. This way, they look at what people are trying to accomplish with cloud, and can step in and consult. Gentle policing isn’t meant to inhibit cloud usage as much as help to guide the organisation to the more secure options that are available, if users chose an option that wasn’t secure. This ends up being a very good way for enterprises to embrace a mature approach to provide guidance and not just say ‘no’ all of the time.

Jim Reavis, Co-founder and Chief Executive Officer, Cloud Security Alliance


feature

The dark side of layered security Sometimes, layered security can have unintended consequences and even make a company less secure than before

Layered security is currently considered a best practice for enterprises, since a single layer of defense against attackers is no longer enough. Sometimes, however, these layers can have unintended consequences and even make a company less secure than before.

Complexity

Jason Brvenik, principal engineer in the Cisco Security Business Group, said that he’s seen organisations with as many as 80 different security technologies applied in layers. “The proliferation of best of breed technologies creates security technology sprawl in pursuit of layered security and defense in depth,” he said. “We see plenty of examples of sprawl and operational cost rising, where the technologies tend to conflict with each other.” Security practitioners have been talking about layered security for decades, said Brian Contos, Chief Security Strategist and SVP Field Engineer, Norse Corp., a cybersecurity intelligence firm founded by former law enforcement and intel officials. “While academically this makes sense,” he added, “if done incorrectly, it leads to the number one enemy of security: complexity.” Without an overall plan in mind, it’s easy to overspend on individual products, to buy overlapping systems, or to leave unsecured gaps between layers. “It’s very common for security organisations to jump at technologies that address ‘the monster of the week’ but don’t have broader value,” said Carson Sweet, Co-founder and CEO, CloudPassage. “Keeping long-term perspective is extremely important, especially with point vendors pounding at security buyers about the latest FUD.” Cisco’s Brvenik pointed out another problem with purchasing too many technologies: that of unmanaged or undermanaged systems. Companies buy a technology in order to meet a compliance need, or fill a security gap, or check off an item on a list, without budgeting or staffing the system’s implementation or ongoing management. Then they forget about it, he said. Not only is this a waste of money, but it actually hurts a company’s security posture. “You’re creating opportunities for blind spots, because you think you mitigated that risk, but you haven’t maintained a solid presence there,” he said. And even well-managed layers can create problems within an organisation, said Jerry Irvine, CIO at Prescient Solutions. Different security systems require different kinds of expertise, and the larger the organisation, and the more systems there are in place, the more possibilities there are for conflicts – especially when some of the systems are managed by different companies, such as outsourcers, cloud vendors, or other service providers. Each security team focuses on its own security task, and this can interfere with that of other groups and with enterprise operations. “Groups saddled with the responsibility of physical security may tighten down access controls to the point where applications and systems are affected, causing failure or extreme performance issues,” Irvine said. “And when separate groups within the organisation are responsible for the application they frequently open up access at the lower levels to assure connectivity, but increase the overall vulnerability of the environment.” In fact, the more security layers are in place, the more likely it is that some will interfere with business operations, said Nathan Wenzler, executive director of security at Thycotic Software. Security products need to be configured and then, once they’re in place, they might need ongoing tuning, patching, or other kinds of maintenance. Administrators need to understand how the initial configuration and the subsequent changes might affect business processes, as well as other security systems, he said. But most organisations only have so much expertise and time to go around. “There’s not enough time to implement them well, and keep managing them well,” he said. “That becomes a challenge.”

User pushback

Operations teams aren’t the only ones who might try to fight back against too-restrictive security layers. Individual users can, as well, said Leah Neundorf, Senior Research Analyst at Cleveland-based security consulting firm SecureState. Say, for example, a company decides to use different credentials for different systems as part of its layered defense strategy. Users are going to try to defeat that by using the same set of credentials for all systems, she said. At a minimum, a company is going to want a set of credentials to access internal systems and another set of credentials to access email. Users who use their email address as their account name for internal systems – and the same password for both – are creating a major security problem, since it’s so easy for outsiders to find out employees’ email addresses. She suggests that enterprises require different formats for user names and passwords to different systems. “And make sure people understand the reasons you’re putting these things in place,” she said. She also warned against credentials that give users access to, say, all the systems within a certain layer. “Every admin doesn’t have to have god rights,” she said.

Integration

With each new security layer come integration challenges, where one product might interfere with the functioning of another, or create security policy conflicts. “Sometimes interactions can have operational consequences,” said Fred Kost, VP at security vendor HyTrust. “It’s critical for CSOs to test and validate layered security under different attack and load conditions. Clever attackers might use this to render some of an organisation’s layered security ineffective.” The tendency to buy best-of-breed systems from different vendors can also cause communication problems, forcing security analysts to learn to work with multiple systems instead of having one single view of a company’s security situation. The effort required might outweigh the benefits, said Usman Choudhary, chief product officer at security vendor ThreatTrack Security. In particular, enterprises have to deal with systems that don’t have a common data taxonomy, and trying to correlate data after the fact can lead to gaps in coverage, he said. It also takes more time to deal with false positives and false negatives. “These layered security challenges are the big problem in the cyber threat detection and mitigation space, and are the root cause of many of the recent breaches,” he said. “Often the bad guys are very well aware of these issues and are able to exploit these gaps in the security solutions.”


Opinion

The next generation of cybersecurity threats

Luke Brown, GM and VP, EMEA, India and LATAM, Digital Guardian, discusses some of the new wave of attacks that will shape the security threat landscape.

I am sure most of us in the cyber-security community were happy to flip the calendar to 2016 for obvious reasons! Given what we witnessed in 2015, while cloud, mobile and IoT will continue to dominate the discussion in many boardrooms, it is actually security that should be close to the top of the priority list for any CIO. To that end, it is worth understanding some of the factors that will shape the security threat landscape.

An increase in Wiper attacks

Wiper attacks, which erase files from the victim’s computer drives in order to cripple essential apps, have been growing steadily for years. A wiper attack will not only damage the user’s IT systems, but can leave sensitive data exposed. Sony has been the most prominent organization to suffer this kind of attack to date; however, as these kinds of hacks become easier, businesses of all sizes must be prepared to protect against them. Investing in security is essential for any modern business; however, it will only be effective if they invest in the right areas. Focusing on endpoint protection, disaster recovery and backup applications that can be easily scaled will significantly reduce the chance of wiper attacks causing lasting harm.

Hacktivism will be the motive behind many more incidents

High profile data breaches such as the TalkTalk, Ashley Madison and Experian hacks have been extremely damaging for the companies involved and brought cyber-security to the forefront of every business-owner’s mind. Many of these attacks have been blamed on a rise in ‘hacktivism’. Self-proclaimed ‘hacktivists’ will attack companies for a variety of reasons, the most common of these being:

• Ethics: To place the spotlight on and expose a company engaging in morally questionable practices
• Opposing values: As a result of fundamental differences in the values held by the attacking group and the organization being hacked
• Monetary gain: To extort victims for monetary gain in an effort to cripple the target organization and fund the hacktivist’s causes

Part of the reason these attacks are becoming more widespread is the fact that they are far easier to carry out than they were just a couple of years ago. With hacking tools readily available to those who know where to look, the resources required to stage a high-profile attack are dangerously easy to find and implement. The rise of nationalism in countries like Russia, Iraq and Syria is also likely to have an effect. Nationalist and terrorist groups will use these publicly available tools to make public statements and intimidate corporations with conflicting values – attacking freedom of speech, the film industry and the literary community. As information becomes more valuable with every passing year, there is a lot at stake not just for the information security industry, but for the world as a whole. This is why companies must do everything they can to research and implement a data protection solution that is designed to combat these new attacks.

Social engineering attacks will rise in the wake of 2015 breaches

Hundreds of thousands of customer details were leaked as a result of the 2015 data breaches. This data is most valuable to hackers before the leak is discovered and made public, when it becomes much harder to sell off or act on without attracting attention. However, even after the breach is discovered, this information is still out there, still accessible, and is often used in a second wave of attacks to target the victims themselves many months later. Hackers will often bombard breached email addresses with phishing attacks in an attempt to gain access to more of their personal details. By impersonating banks, retail companies and government agencies, the attacker will try to trick users into sending them money or personal information. These imitations are becoming more convincing, with hackers explaining to users that they are vulnerable to an attack and must change their details immediately by handing them over in some way. If enough information is still available, hackers could also attempt to access the email accounts themselves using other details that have been leaked such as dates of birth. In some cases, malicious users could even try to access the victim’s bank accounts directly using leaked account details. There is a new wave of organized crime happening online worth billions of dirhams, and it’s growing exponentially.

Additional cyber threats will continue to be discovered in the Internet of Things

The Internet of Things (IoT) is developing at an unprecedented pace. With an incredibly broad spectrum of uses across a plethora of sectors, a ‘smart world’ is not simply the stuff of science fiction. These IoT devices are populating every aspect of our lives and it’s important to understand that this leaves people vulnerable in ways that haven’t been a problem before. Smart homes, for example, offer convenient solutions for busy residents looking to save time and money, but smart tech companies must ensure it is not to the detriment of the user’s security. Devices such as smart electricity meters or thermostats could moderate power consumption and room temperatures based on when the residents are out. However, if criminals were to access the network that these devices communicate through, this data could be used to plan a break-in. There are three main entry points when it comes to IoT devices. Firstly, attackers can hack the service provider, gaining database information that gives them access to data such as smart meter readings. Secondly, it is possible to break in through the wireless protocols between the devices, which are inherently insecure due to the low quality routers often supplied with home Wi-Fi packages. The vulnerable ISP boxes are reverse engineered for security, and give easy access to the consumer’s network. Finally, hackers could directly infiltrate the infrastructure. This, however, is far more difficult than the other two methods and so is unlikely to occur as frequently.

(Re)Solutions - Combatting the threats

Cyber-attacks are not going away anytime soon and one can make the argument that on the contrary, these attacks are only going to grow in number and sophistication in 2016 and beyond. Against this backdrop, it is imperative that CIOs take more responsibility when it comes to data theft - leaving security vulnerabilities solely to the IT team is no longer excusable as data theft continues to be a prominent issue. Threat intelligence services are likely to be commissioned to provide reports and validation on malicious threats. The increase in the power and safety of the cloud will also give SMEs a chance to move from relatively weak IT infrastructures to a platform where security is evolving constantly. Ultimately, the focus on data protection is going to be paramount for businesses heading into 2016, and it’s up to them to ensure that they are prepared.

Luke Brown, GM and VP, EMEA, India and LATAM at Digital Guardian


feature

The wild, wild west of IoT security One of the main problems is that security is often an afterthought, bolted onto solution after the fact, once issues arise.

I

n the case of Internet of Things security, it’s the Wild West out there. Drones with firearms attached, connected cars remotely sabotaged — the potential for trouble seems to be endless. As we think about a future world with over 25 billion connected “things” in use by 2020, the cyber risk scenarios grow exponentially – some of which have already materialised in recent months: • Connected home hacked to open the front door to thieves,

24

01.2016

open garage door to steal a car, raise heater to maximum levels to damage air conditioning system and/or household goods, turn off refrigerator, turn off sprinkler system, access personal computers, and so on. • Connected, autonomous car or delivery vehicle sabotaged to crash via inappropriate acceleration or braking, or sent to incorrect destinations; vehicles such as trains, aircraft, drones, ships etc. similarly misdirected or sabotaged. • Connected hospital hacked to

change the route of delivery robots; functions of medical devices such as pacemakers and insulin pumps, and so on. • Connected manufacturer hacked to interrupt functions of warehouse “picking” robots, equipment monitoring and maintenance sensors, plant control systems, supply chain activities, and so on. • SCADA and PLC systems sabotaged in similar fashion to the Stuxnet worm that span up Iran’s nuclear centrifuges.

www.securityadvisorme.com


feature

In each case the resulting ‘damage’ can range from nuisance issues all the way to serious issues related to potential injury or loss of life, damage to physical property, or even threats to national security. What makes IoT security so difficult? One of the main problems compounding this situation is that security is often an afterthought, bolted onto solutions after the fact, once issues arise. IT security experts and IT managers have been calling for security to be built-in by design for decades now, but there’s been a long line of technology innovations ranging from the Web, to mobility and cloud computing, and now to the IoT, where it still feels like, and often is, an afterthought. Adding security after the fact creates other issues as well. When emerging technologies are not secure from the start, they create delays in realising their full business benefits as organisations struggle to implement appropriate security controls. In fact, a study on ‘Risk and Responsibility in a Hyperconnected World’ by the World Economic Forum estimated delays addressing cyber risk ranged from 11 months for cloud, to five months for IoT and mobility, to three months for social computing. Clearly, a larger percentage of typically flat IT security spend needs to be redirected here versus perimeter security. What adds to this difficulty, in the case of securing the IoT, is that it’s a complex ecosystem no matter which industry you look at. IoT solutions and services are typically composed of not just one product, but a complex system of systems that includes hardware and software from many different vendors, much like RFID systems in the early 2000s, where you had to deal with a variety of tags, readers and middleware — all from different parties. The security of the overall solution is only as good as its weakest link, so this multivendor complexity opens up additional vulnerabilities for cybercriminals to exploit and makes endto-end testing essential. 
Some of the main www.securityadvisorme.com

vulnerabilities are explored in the Open Web Application Security Project (OWASP) Internet of Things Top Ten Project. A framework to think about risk When thinking about risk levels related to IoT security, it’s useful to know where the major issues may arise once hackers get to their target destination via the cyber ‘kill chain.’ One way to think about this is to consider the various categories of IoT devices and the corresponding types of cyber risk. As IoT devices become more controllable or more autonomous, the threat intensity increases as cyber-criminals are able to steal sensitive data, introduce malware, and ultimately conduct ‘command and control’-style sabotage. One of the frameworks that is useful has been Gartner’s classification of four categories of IoT devices, ranging from identifiable things (e.g., passive RFID tags), to communicating/sensing things (e.g., pressure sensors), to controllable sensing things (e.g. HVAC systems), to smart autonomous things (e.g., selfdriving cars). The figure shows this classification with a rough sense of the types of cyber risk illustrated alongside. Fortunately, when it comes to building in security for the IoT early on, and by design, there are some promising signs. One example is the recent reference architecture published by the Industrial Internet Consortium or IIC. This extensive document outlines key characteristics of Industrial Internet systems, various viewpoints that must be considered before deploying an Industrial Internet solution, and an analysis of key concerns for the Industrial Internet including security and privacy, interoperability, and connectivity. Another example of how security is being incorporated into an IoT vision from day one can be seen in the work of the German Industrie 4.0 Working Group focused on manufacturing. 
Its ‘Recommendations for implementing the strategic initiative INDUSTRIE 4.0,’ published in April 2013, included safety and security as one of eight priority areas for action, with a further eight

recommended actions specific to safety and security. Security by design was again highlighted as a key principle, as well as the development and implementation of IT security strategies, architectures and standards. Of course, there are many other examples of industry players coming together to address the challenges and opportunities afforded by the IoT — and IoT security, in particular — and these are just two of the bright spots. For example, the Security Center of Excellence, operating out of the Harrisburg University Government Technology Institute, is also addressing these emerging topics and providing education to Government CISOs in the State of Pennsylvania. Success in IoT deployment For organisations designing and implementing IoT solutions, the lessons are clear. First, have a clear sense of full spectrum of threat scenarios you may encounter — nothing is out of the question. As The Economist recently put it, you want to avoid the ‘Pay up or the fridge gets it’ scenarios or worse. Second, have a framework to help you understand the lay of the land, avoid the gunfights, and prospect in safety. Understand the threat intensity given your specific categories of IoT devices. The more controllable or autonomous your IoT devices, the higher the risk level, and you should also pay close attention to the massive amounts of data being collected by these systems. Third, since cyber-criminals will enter your IoT ecosystem through any weak link in your defenses en route to their ultimate destination, including via counterfeit hardware in your supply chain, take a holistic approach to your cyber strategy and review the guidance and recommendations from the numerous consortia and organisations working in your field. With these steps in mind, at least as your starting point as you head into the Wild West with your tools in hand, you’ll be well equipped to monetise your hard work in the years ahead. 01.2016



feature

A perfect smokescreen

While security teams are distracted by DDoS attacks, hackers are infiltrating networks with malware.

Distributed denial-of-service (DDoS) attacks have increased in complexity to the point where they are no longer just an annoyance that disrupts service. Criminals are using these attacks as a distraction while targeting sensitive data, leaving enterprises to pay for lost business and breach recovery.

Any conversation about breaches over the past year included the statement, “It’s not if but when.” The expectation has become, as IDC’s Christina Richmond, program director, security services, put it, “Breach is a foregone conclusion.” For many companies, the attacks are frequent and increasingly advanced. Richmond said, “Distributed-denial-of-service attacks are no longer an isolated event. Sophisticated attacks hit companies of all sizes, in all industries.”

According to a recent report from Neustar, the odds of being attacked are one in two, and once an enterprise has been attacked, the likelihood that it will be attacked again is 80 percent. The report also describes new trends in both the size and frequency of DDoS attacks. “If the attacker’s goal isn’t to cause an outage but to disrupt, he doesn’t need to craft an attack of extra-large proportions. A SYN flood attack is a good example. The attacker sends enough SYN requests to a company’s system to consume server resources and stall legitimate traffic,” the report said.

The method of attack has changed in complexity and variability. Attackers don’t launch a single attack but rather send out waves across multiple vectors. “They may launch an email attack or attack an application or a server. They may launch multiple attacks in different vectors, coming from different places and attacking different targets,” said Joe Loveless, senior security manager, Neustar. Larger attacks are easier to detect and mitigate, but these smaller, frequent attacks result in more significant damage, Loveless said. “They create chaos but still leave access open somewhere else,” he continued. The result, according to Neustar’s report, is that one in four companies experiences an actual theft of data or funds.

Another growing trend in DDoS is ransom. “Extortion is becoming more common, and companies are paying ransom to avoid being attacked but they are getting attacked anyway,” Loveless said. These attacks are particularly concerning because of the attacker’s ability to infiltrate the environment stealthily during the disruption. Once they have access, they take a slow and steady approach and often go undetected until they have reached their target: valuable corporate data or funds.

“IDC believes that the customer is often the first to report a DDoS attack because their user experience suffers when they can’t access a web site to buy a product, pay a bill, or find support,” Richmond said. The result is not only a financial loss, but a strike against brand and reputation.

According to Dave Larson, COO of Corero Network Security, “A number of things are going on in the landscape and it’s hard to say whether these are rapidly changing or we are just starting to see them.” Denying service sounds as though it would require a giant attack, but it is often the result of something much smaller. “Almost 72 percent of attacks last less than five minutes and 93 percent are less than 1GB per second in capacity,” said Larson.

The attacks, though, are not about denying service. Larson said, “These aren’t just randomly occurring. People are orchestrating them, and they have to be doing this for a reason. We are starting to see material data breaches that included DDoS attacks as part of a multi-vector intrusion.”

These smokescreen-style attacks have a significant impact on an enterprise because, by design, they are distracting, which leaves security professionals looking in all the wrong places. “DDoS itself isn’t creating the data compromise, but if it is causing you to look in the wrong place, you could be one of the very many organisations that have already been breached and you don’t know it,” said Larson. Continuously monitoring the environment to make sure no unknown traffic is crawling around the network, during the flood as well as after it, is what catches the compromise a DDoS attack is meant to hide. Larson said, “You can imagine that more down in the weeds the impact could be that your environment is being scanned and crawled and floor planned. The bad guys are figuring out what they need to gain access.”

The cost of recovering from an attack is significant, particularly for small and midsize businesses. In a special report on security risks, Kaspersky Lab noted, “On average, a DDoS attack costs SMBs more than $50K in recovery bills, which is significantly more than the typical costs they face recovering from other types of attack.” Even so, companies still aren’t convinced that investing in defences against DDoS attacks is money well spent. The Kaspersky Lab survey found that only around half of respondents (56 percent of IT professionals) believe that spending money to prevent or mitigate an attack would be worth the investment. Evgeny Vigovsky, head of Kaspersky DDoS Protection at Kaspersky Lab, said, “Protection from DDoS attacks is an important part of risk management, yet only 34 percent of survey respondents have fully implemented DDoS prevention systems of any type.”

There are many factors to consider in evaluating risk, from an enterprise’s dependence on online services to its other resources. “In most cases, online services (websites, email, databases) are critical. Without them, normal workflow stops,” said Vigovsky. “Costs associated with failed online services are bigger than expenses for prevention solutions, but unfortunately, there are still companies that do not include DDoS attacks in their risk management strategy,” he continued.

The risks of not investing in DDoS prevention and protection are more than monetary. “When a company has to mitigate an attack that is taking place instead of preventing an attack from occurring, then they will pay a steep price for not only lost business contracts and damaged reputation, but also for an urgent solution too,” said Vigovsky. Echoing the need for prevention and protection, Larson said, “All reasonably likely to be attacked environments should have DDoS defense on the perimeter.”

One measure enterprises should take to build a culture that prioritises security and prepares for the inevitability of an attack is “simulating worst-case scenarios in order to create a corresponding cybersecurity strategy,” said Vigovsky. Enterprises can take steps toward making security a central concern for all. “A comprehensive strategy should include a combination of IT solutions, security policies and prepared staff to help prevent cyberattacks,” Vigovsky said. To make that change effectively, executives have to buy in to an inclusive plan that is well designed and focused on cross-communication. DDoS attacks affect more than security, and everyone from marketing to public relations shares an interest in preventing these attacks and minimising their impact.
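The two things this article asks of a security team, spotting the short SYN flood Neustar describes and then looking in the right place while it is happening, can be checked against flow records rather than by memory. The Go program below is an added example, not code from the article or from any of the vendors quoted in it. It parses NetFlow-style records (the sample lines are constructed, not captured traffic), reports destinations that receive a burst of SYN-only flows within a fixed window, and then, for those flood windows only, lists internal hosts that fanned out to many distinct internal host:port pairs, which is the “scanned and crawled and floor planned” activity Larson describes. The record layout, the thresholds, and the rule that 10.0.0.0/8 is “internal” are assumptions for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Flow is one NetFlow-style record: timestamp, source IP, destination IP,
// destination port, TCP flags as letters ("S" = SYN only, "A" = ACK), bytes.
type Flow struct {
	TS      time.Time
	Src     string
	Dst     string
	DstPort int
	Flags   string
	Bytes   int
}

// Constructed sample, not captured traffic: four outside hosts SYN-flood the web
// server 10.0.0.10 for six seconds while workstation 10.0.0.25 quietly sweeps the
// server subnet for SMB, RDP and SSH. The last two records are benign.
const sampleFlows = `
2016-01-12T10:00:00Z 203.0.113.11 10.0.0.10 443 S 60
2016-01-12T10:00:01Z 203.0.113.12 10.0.0.10 443 S 60
2016-01-12T10:00:02Z 203.0.113.13 10.0.0.10 443 S 60
2016-01-12T10:00:03Z 203.0.113.14 10.0.0.10 443 S 60
2016-01-12T10:00:04Z 203.0.113.11 10.0.0.10 443 S 60
2016-01-12T10:00:05Z 203.0.113.12 10.0.0.10 443 S 60
2016-01-12T10:00:03Z 10.0.0.25 10.0.0.11 445 S 60
2016-01-12T10:00:04Z 10.0.0.25 10.0.0.12 445 S 60
2016-01-12T10:00:05Z 10.0.0.25 10.0.0.13 445 S 60
2016-01-12T10:00:06Z 10.0.0.25 10.0.0.11 3389 S 60
2016-01-12T10:00:07Z 10.0.0.25 10.0.0.14 22 S 60
2016-01-12T10:00:05Z 10.0.0.30 10.0.0.10 443 A 1500
2016-01-12T10:30:00Z 10.0.0.30 10.0.0.11 445 S 60
`

// ParseFlows reads one whitespace-separated record per line.
func ParseFlows(text string) ([]Flow, error) {
	var flows []Flow
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		var ts string
		var f Flow
		if _, err := fmt.Sscanf(line, "%s %s %s %d %s %d", &ts, &f.Src, &f.Dst, &f.DstPort, &f.Flags, &f.Bytes); err != nil {
			return nil, fmt.Errorf("malformed record %q: %v", line, err)
		}
		var err error
		if f.TS, err = time.Parse(time.RFC3339, ts); err != nil {
			return nil, err
		}
		flows = append(flows, f)
	}
	return flows, nil
}

// Window identifies one destination during one fixed-size time bucket.
type Window struct {
	Dst   string
	Start time.Time
}

// SYNFloods counts SYN-only flows per destination per window and keeps the
// windows that reach threshold: the small, short flood the Neustar report describes.
func SYNFloods(flows []Flow, window time.Duration, threshold int) map[Window]int {
	counts := map[Window]int{}
	for _, f := range flows {
		if f.Flags == "S" {
			counts[Window{f.Dst, f.TS.Truncate(window)}]++
		}
	}
	for w, n := range counts {
		if n < threshold {
			delete(counts, w)
		}
	}
	return counts
}

func internal(ip string) bool { return strings.HasPrefix(ip, "10.") } // assumption for the example

// Smokescreen lists internal sources that, during any flood window, opened SYNs to at
// least minTargets distinct internal host:port pairs. The flood is the distraction;
// this fan-out is the reconnaissance it is meant to hide.
func Smokescreen(flows []Flow, floods map[Window]int, window time.Duration, minTargets int) []string {
	inFlood := map[time.Time]bool{}
	for w := range floods {
		inFlood[w.Start] = true
	}
	targets := map[string]map[string]bool{} // src -> set of "dst:port"
	for _, f := range flows {
		if f.Flags != "S" || !internal(f.Src) || !internal(f.Dst) || !inFlood[f.TS.Truncate(window)] {
			continue
		}
		if targets[f.Src] == nil {
			targets[f.Src] = map[string]bool{}
		}
		targets[f.Src][fmt.Sprintf("%s:%d", f.Dst, f.DstPort)] = true
	}
	var out []string
	for src, t := range targets {
		if len(t) >= minTargets {
			out = append(out, src)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	flows, err := ParseFlows(sampleFlows)
	if err != nil {
		panic(err)
	}
	floods := SYNFloods(flows, 10*time.Second, 5)
	for w, n := range floods {
		fmt.Printf("SYN flood against %s starting %s: %d SYNs\n", w.Dst, w.Start.Format(time.RFC3339), n)
	}
	fmt.Println("internal hosts sweeping the network during the flood:", Smokescreen(flows, floods, 10*time.Second, 4))
}
```

The thresholds are tuned to the toy data; in production derive the SYN threshold per destination from a baseline, and feed both checks from the same collector so the correlation is by timestamp rather than by someone remembering that the firewall was busy at 10:00. Note that the flood counter deliberately does not care whether the SYNs came from outside: an internal host that floods a server is a finding in its own right.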



Analyst view

5 biggest cybersecurity concerns in 2016

Carl Leonard, a principal security analyst for Raytheon’s Websense cybersecurity software unit, offers insight into the most serious threats CIOs and CISOs are likely to grapple with this year.

Last year began and ended with a series of high-profile cybersecurity attacks, starting with the theft of some 80 million customer records, Social Security numbers included, from health insurer Anthem and culminating with infiltrations at the Starwood, Hilton and Hyatt hotel chains. Expect digital assaults, ranging from standard malware to more sophisticated, clandestine entries, to continue against leading corporate brands in 2016, according to Raytheon’s Websense business. The cybersecurity software maker, which analysed threat data from 22,000 customers in 155 countries, says hackers will conjure attacks that target emerging technologies such as mobile payments and new top-level domains. Companies and consumers can also expect targeted attacks on ageing Internet infrastructure, as well as on the Facebook, Twitter and Instagram accounts of presidential election candidates, says Carl Leonard, a Websense principal security analyst and author of the company’s 2016 predictions report. CIOs, scrambling to defend their corporate assets, will continue to invest in cyber insurance, though they will find it tough going as insurers vet potential clients’ cybersecurity postures more scrupulously. Below are the five biggest concerns CIOs and CISOs need to focus on in the new year, according to Websense.

Hacks of mobile payments and other non-traditional payment systems

As smartphones continue to become the preferred source of authentication for many financial transactions, malware authors will increase their efforts to steal funds from consumers’ Apple Pay, Google Wallet and other mobile payment systems. CIOs, listen up: once attackers have learned to infiltrate a consumer’s mobile wallet, they may use the same foothold to reach your corporate network through that smartphone owner’s work access. “Emails, contacts, authentication measures and apps that access the corporate network from the phone can become a phenomenal source of intellectual property, insider information and other confidential business materials; these become easily obtainable and can net an attacker sizeable treasure,” Leonard says.

From Heartbleed to heartache

Vulnerabilities in widely deployed open source components and protocols, including Heartbleed, Shellshock and POODLE, struck fear into the hearts of Akamai and other companies in 2014. Expect more attacks on the creaky Internet infrastructure. Leonard notes that a significant number of the Alexa top 1,000 websites are not up to date on certificates. “We observed certificate issues related to older hashing schemes such as SHA-1, as well as problems related to the version of ciphers supported. If some of the ‘big names’ on the Internet are struggling to keep up, how can smaller vendors cope?” Additional problems include old and broken JavaScript versions; end-of-life challenges for core software such as Windows XP; and new applications built on recycled code with old vulnerabilities. “It’s very difficult for systems to be migrated because you risk losing functionality or introducing new bugs,” he says.

New top-level domains pose phishing pitfalls

Emerging generic TLDs (gTLDs), of which more than 800 now exist and another 1,300 may follow in the next few years, will be used in active spam and other malicious campaigns. Leonard says criminals and nation-state attackers will lure unsuspecting users, via social media, email and other tools, toward malware and data theft. For example, criminals could steer unsuspecting consumers towards shop.apple, apple.macintosh or apple.computer to try to steal their information. In a Raytheon Websense sample set of several TLDs, millions of different URLs hosted malicious content. “These TLDs will also make it significantly harder for defenders to protect, as many are unprepared for the new landscape,” Leonard says.

Presidential elections are prime ‘hacktivism’ time

As the US presidential election in November approaches, so-called “hacktivists” will increasingly delight in hijacking the Facebook, Twitter and Instagram accounts of candidates and news outlets and attempt to spread misinformation. Phishing lures will look like political party or candidate email, advocating an online petition or survey about specific election issues, linking to a supposed news story, or relaying information about voter registration or debates. “They’re generally politically motivated hackers that delight in bragging about their achievements afterward,” Leonard says. To hedge against such risks, Leonard says he imagines some campaign teams hiring CIOs to protect their media assets.

Cyber insurance better aligns with cybersecurity postures

Cyber insurance premiums soared in 2015, as companies raced to purchase indemnification coverage. To maintain profitability, insurance carriers will require more threat and protection intelligence and develop baseline requirements for issuing cybersecurity policies. Such policies will take into account a company’s market capitalisation, defence and risk profile and attack frequency, as well as its capability to halt attackers and remediate breaches. Insurers will send auditors to conduct hands-on assessments of cybersecurity systems, reinforcing the need for advanced threat detection both at the perimeter and at the data level. “That can dictate premiums, or even whether you get a payout on your claims,” he says. “We expect to see an increasing sophistication in the way the risks associated with a cyber breach are factored into policy cost, just as a driver’s safety record and driving habits are factored into the cost of an automotive policy.”

Cause for some optimism

Given the threats outlined, cybersecurity defence appears to be, yet again, an exercise in Sisyphean boulder pushing. But Leonard strikes an optimistic tone, noting that CIOs can shore up their assets by building a team of trusted advisers, including internal and external partners. These teams will share the labour of monitoring technology developments and introducing new technologies, as well as tracking the practices of cybercriminals and evolving legislation. Moreover, companies must assign data owners and data custodians to distribute responsibility for safety, and vet suppliers, including the third-party companies with whom they work. Educating employees, often a company’s weakest security link, is paramount. CIOs should also commit to cybersecurity drills that incorporate communication, threat assessment and risk mitigation.
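The new-gTLD lures above (shop.apple, apple.computer) share a shape that a mail gateway or proxy can test for cheaply: a brand name sitting somewhere in a hostname whose registrable domain the brand does not own. The Go program below is an added example, not Websense’s detection logic; the brand allowlist and the hostnames it checks are constructed for the example. It matches the brand as a whole hyphen-separated token so that pineapple.computer is not flagged, and it treats the last two labels as the registrable domain, which assumes a single-label public suffix.

```go
package main

import (
	"fmt"
	"strings"
)

// Brand pairs a brand token with the registrable domains it actually owns.
// Both are constructed for the example; a deployment would load them from
// the organisation's own asset inventory.
type Brand struct {
	Token string
	Owned []string
}

var brands = []Brand{
	{"apple", []string{"apple.com"}},
	{"hsbc", []string{"hsbc.com", "hsbc.ae"}},
}

// Finding records why a hostname was flagged.
type Finding struct {
	Host, Brand, Reason string
}

// hasToken reports whether the brand appears as a whole hyphen-separated token of a
// label: "apple-id" matches "apple", "pineapple" does not. This keeps the false-positive
// rate down at the cost of missing "appleid", which a production filter would catch
// with an edit-distance check.
func hasToken(label, brand string) bool {
	for _, t := range strings.Split(label, "-") {
		if t == brand {
			return true
		}
	}
	return false
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// Check flags hostnames that carry a brand token anywhere in the name but whose
// registrable domain is not one the brand owns. The registrable domain is taken as
// the last two labels (assumption: single-label public suffix); use a Public Suffix
// List lookup here for names under suffixes such as co.uk.
func Check(host string) []Finding {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	labels := strings.Split(host, ".")
	if len(labels) < 2 {
		return nil
	}
	reg := strings.Join(labels[len(labels)-2:], ".")
	var out []Finding
	for _, b := range brands {
		if contains(b.Owned, reg) {
			continue // the brand's real domain, or a subdomain of it
		}
		for i, l := range labels {
			if !hasToken(l, b.Token) {
				continue
			}
			var reason string
			switch i {
			case len(labels) - 1:
				reason = "brand used as the top-level domain (new gTLD)"
			case len(labels) - 2:
				reason = "brand registered under the unrelated TLD ." + labels[len(labels)-1]
			default:
				reason = "brand appears only as a subdomain of " + reg
			}
			out = append(out, Finding{host, b.Token, reason})
			break
		}
	}
	return out
}

func main() {
	for _, h := range []string{"www.apple.com", "shop.apple", "apple.computer",
		"apple-id.secure-login.computer", "pineapple.computer", "hsbc.ae"} {
		fmt.Printf("%-32s %v\n", h, Check(h))
	}
}
```

A hit is a reason to rewrite or hold the link, not proof of fraud on its own: brands do register defensive names under new gTLDs, so keep the allowlist current and log findings rather than silently dropping them.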



Blog

Bring Your Own Encryption

Gregg Petersen, Regional Director, Middle East and SAARC at Veeam Software

While cloud computing, virtualisation and other enabling technologies are integral to the Always-On business, they should not detract from the importance of security. This article discusses how bring your own encryption (BYOE) could move security back up the agenda for decision-makers.

Bring your own encryption, or BYOE, is a relatively new cloud computing security model that gives companies a new way to address data storage security concerns in a cloud-based environment. Above all, this trend is encouraging decision-makers to put security as high on the agenda for the Always-On business as other business-critical technologies such as cloud computing and virtualisation.

The BYOE security model gives cloud customers complete control over the encryption of their data. In essence, it lets them run a virtualised instance of their own encryption software alongside the applications they are hosting in the cloud, and encrypt their data with keys that they, not the provider, hold. At the same time, cloud providers are finding innovative ways to let users manage their encryption keys.

Data sovereignty

Up to now, questions around data sovereignty drove the majority of decisions around moving to the cloud. After all, having corporate data subjected to the laws of the country in which it is located has created additional challenges for CIOs the globe over. With BYOE, where organisational data resides matters far less, because only the company holds the encryption key. The BYOE paradigm places the onus on the business to encrypt the data locally before storing it offshore. Given the connectedness of the world and the extent to which people access back-end corporate data from a myriad of devices irrespective of location, this is an especially empowering way of approaching security.

It is also a good way of diversifying an organisation’s backup strategy. Not only does it mean there are local and off-site copies available, it also gives decision-makers the added peace of mind that the data is secure from prying eyes. Of course, this does not mean companies should embark on a mass exodus and migrate to international solution providers. Instead, BYOE gives companies the flexibility to use local cloud providers as their primary option and offshore data centres as additional backups once the data is encrypted.

Lost my keys!

When it comes to this model, one of the biggest concerns is what happens if the encryption key is lost. After all, the key is a single point of failure: lose it and all of the encrypted corporate data is lost with it. There are ways to address this. As an example, Veeam has implemented a feature where it can generate a new encryption key for the company. This is done once certain elements have been verified and provides customers with a fail-safe around encryption.

It is important to note that using BYOE does not imply an inherent distrust of cloud providers and their ability to store data. Rather, it is about securing corporate information as effectively as possible, using all the options available, to meet regulatory requirements. Bring your own encryption can even help build trust with partner vendors. If a company relies on a service provider who understands its unique requirements, the best way to enhance the relationship is to integrate BYOE.

The Always-On business requires an environment that is conducive to innovation and to leveraging the best technologies for the needs of the business. BYOE supplements that from a security perspective and ultimately allows businesses to confidently transition their IT operations into the cloud.
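The pattern the two sections above describe, encrypt locally before the data leaves, keep the key yourself, and still survive losing that key, is envelope encryption with more than one wrapped copy of the data key. The Go program below is an added example and is not Veeam’s implementation, whose recovery mechanism the article does not detail. Each backup gets a fresh data-encryption key (DEK) used with AES-256-GCM; the DEK is then wrapped under a primary key-encryption key (KEK) and separately under a recovery KEK held by a second custodian, so the provider stores only ciphertext and wrapped keys. The KEK names, backup label and payload are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what leaves the building: the AES-256-GCM ciphertext plus one copy of
// the data-encryption key (DEK) wrapped under every key-encryption key (KEK) the
// customer keeps. The cloud provider stores it but can open none of it.
type Envelope struct {
	Ciphertext []byte            // nonce || GCM(DEK, payload)
	WrappedDEK map[string][]byte // KEK name -> nonce || GCM(KEK, DEK)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy source: nothing sensible to do but stop
	}
	return b
}

// NewKEK returns a fresh 256-bit key-encryption key.
func NewKEK() []byte { return randomBytes(32) }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext with a random 96-bit nonce. aad binds the blob to
// its purpose so a wrapped key cannot be swapped into a different backup's envelope.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, blob, aad []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:n], blob[n:], aad)
}

// Encrypt generates a single-use DEK for the payload and wraps it under each KEK.
// label identifies the backup (job name and date, say); it is authenticated, not secret.
func Encrypt(payload []byte, label string, keks map[string][]byte) (*Envelope, error) {
	dek := randomBytes(32)
	body, err := seal(dek, payload, []byte(label))
	if err != nil {
		return nil, err
	}
	env := &Envelope{Ciphertext: body, WrappedDEK: map[string][]byte{}}
	for name, kek := range keks {
		w, err := seal(kek, dek, []byte(label+"/"+name))
		if err != nil {
			return nil, err
		}
		env.WrappedDEK[name] = w
	}
	return env, nil
}

// Decrypt tries every KEK the caller still holds. Losing the primary KEK is survivable
// while the recovery custodian's KEK exists; losing all of them means the data is gone,
// which is the trade-off BYOE makes explicit.
func Decrypt(env *Envelope, label string, keks map[string][]byte) ([]byte, error) {
	for name, kek := range keks {
		w, ok := env.WrappedDEK[name]
		if !ok {
			continue
		}
		dek, err := open(kek, w, []byte(label+"/"+name))
		if err != nil {
			continue // wrong or corrupted KEK for this slot; try the next one
		}
		return open(dek, env.Ciphertext, []byte(label))
	}
	return nil, errors.New("no usable KEK: data is unrecoverable")
}

func main() {
	primary, recovery := NewKEK(), NewKEK()
	env, err := Encrypt([]byte("payroll backup, January 2016"), "payroll-2016-01",
		map[string][]byte{"primary": primary, "recovery": recovery})
	if err != nil {
		panic(err)
	}
	// Simulate losing the primary KEK: only the recovery custodian's key remains.
	got, err := Decrypt(env, "payroll-2016-01", map[string][]byte{"recovery": recovery})
	fmt.Printf("recovered with recovery KEK: %q (err=%v)\n", got, err)
	_, err = Decrypt(env, "payroll-2016-01", map[string][]byte{"primary": NewKEK()})
	fmt.Println("wrong KEK:", err)
}
```

The recovery KEK is only a fail-safe if it is held by someone other than the person who holds the primary one and is stored somewhere the primary’s failure mode cannot reach (a second HSM, an offline custodian), and its use should require the same verification step the article mentions. Rotation is also cheap in this design: re-wrapping the DEK under a new KEK touches a few dozen bytes per backup, not the backup itself.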



INTRODUCING SECURITY HEARTBEAT™

Sophos Security Heartbeat: share intelligence in real time between your endpoints and firewall. Advanced attacks are more coordinated than ever before. Now, your defenses are too. Sophos is revolutionizing security by synchronizing next-generation network and next-generation endpoint security, giving you unparalleled protection:

• System-level intelligence
• Faster decision-making
• Automated incident response
• Automated correlation
• Accelerated threat discovery
• Simple unified management

www.sophos.com/heartbeat

Network Protection | Enduser Protection | Server Protection | Sophos Cloud

Security made simple.

