Security Advisor Middle East | Issue 6


ISSUE 6 | JUNE 2016 www.securityadvisorme.com

A MATTER OF SECURITY DarkMatter combines global expertise with local knowledge to address cybersecurity challenges

MESA Awards 2016

Phishing attacks

Enterprise Security 360




FOUNDER, CPI MEDIA GROUP
Dominic De Sousa (1959-2015)

Publishing Director Rajashree Rammohan raj.ram@cpimediagroup.com +971 4 375 5685

EDITORIAL
Group Editor Jeevan Thankappan jeevan.thankappan@cpimediagroup.com +971 4 375 5678
Editor James Dartnell james.dartnell@cpimediagroup.com +971 4 375 5684
Online Editor Adelle Geronimo adelle.geronimo@cpimediagroup.com +971 4 375 5683

ADVERTISING
Commercial Director Chris Stevenson chris.stevenson@cpimediagroup.com +971 4 375 5674
Group Sales Director Kausar Syed kausar.syed@cpimediagroup.com +971 4 375 1647
Sales Manager Merle Carrasco merle.carrasco@cpimediagroup.com +971 4 375 5676

CIRCULATION
Circulation Manager Rajeesh M rajeesh.nair@cpimediagroup.com +971 4 375 5682

PRODUCTION AND DESIGN
Production Manager James P Tharian james.tharian@cpimediagroup.com +971 4 375 5673
Senior Designer Analou Balbero analou.balbero@cpimediagroup.com +971 4 375 5680
Designer Neha Kalvani neha.kalvani@cpimediagroup.com +971 4 375 1644

DIGITAL SERVICES
Web Developer Jefferson de Joya, Abbas Madh
Photographer Charls Thomas
webmaster@cpimediagroup.com +971 4 440 9100

Published by CPI Media Group
Registered at IMPZ PO Box 13700 Dubai, UAE Tel: +971 4 440 9100 Fax: +971 4 447 2409
Printed by Al Ghurair Printing & Publishing

© Copyright 2016 CPI All rights reserved. While the publishers have made every effort to ensure the accuracy of all information in this magazine, they will not be held responsible for any errors therein.

CONTENTS

12 A MATTER OF SECURITY
Faisal Al Bannai, CEO, DarkMatter, speaks about the company’s customer-centric action plan.

06 GONE PHISHING
We take a look at ways you can be on your guard against one of the most prevalent methods of cyberattack: phishing.

14 MAXIMUM SECURITY
We bring you the highlights of the seventh annual Enterprise Security 360 roadshow, which covered KSA, UAE and Qatar.

16 DEFENCE LINES
Emad Abu Jazar, Country Manager – KSA, Fortinet, tells us why his company is at the forefront of the fight against cybercriminals.

24 5 COMMON MOTIVES FOR DDoS ATTACKS
As hackers continue to utilise DDoS attacks to disrupt businesses, organisations need to be wary of these tell-tale signs of an attack.

26 BUILDING A RESILIENT REGION
Emirsec Technologies, in partnership with the CISO Council, hosted the inaugural Middle East Security Awards and Conference.

27 SAFE AND SECURE
(ISC)²’s Wesley Simpson on the importance of continuous education for cybersecurity professionals.

32 WHY CIOS SHOULD WORRY ABOUT IOT
While IoT promises a plethora of benefits, there remain questions on how it will affect the storage and security of an organisation.

34 HOW TO TELL IF YOU’VE BEEN HIT BY FAKE RANSOMWARE
Ransomware is no joke, but sometimes amateur attackers use ‘pretend’ ransomware, and you can get your data back.


NEWS

DARKMATTER APPOINTS NEW SVP FOR SPECIAL PROJECTS DIVISION

Dr. Najwa Aaraj, Dark Matter

DarkMatter has recently announced the appointment of Dr. Najwa Aaraj as the Senior Vice President – Special Projects, having previously served as the Vice President of the business unit. The Special Projects division of the company is under the authority of the CEO’s Office, and is responsible for identifying and developing new business opportunities, providing new security and technology tools to the company and focusing on research. In her new role, Dr. Aaraj will continue to be involved in evaluating and customising secure product architecture; designing and setting up special projects related to authentication and cryptology systems; and overseeing the development and operation of the company’s test and validation labs. Dr. Aaraj said, “It has been an exciting and fulfilling journey with DarkMatter so far. I am so impressed by the progress we have all been able to achieve in a relatively short period of time, and I would like to thank my colleagues for their support throughout. We are only at the beginning of having a profound impact on how cybersecurity is regarded and implemented in the UAE and further afield and I look forward to building a legacy we can all be proud about having had a part in establishing.”


HUAWEI, DUBAI POLICE PARTNER FOR SAFE CITY INITIATIVES

Huawei has signed a Memorandum of Understanding (MoU) with Dubai Police that will see both parties collaborating on a long-term initiative to support the vision of Dubai in creating a smarter and safer city. Under the agreement, Huawei and Dubai Police will work together to identify how Huawei solutions can be deployed to aid in crime prevention and reduction, improve road safety through the reduction of accidents and fatalities, as well as share knowledge on the latest innovations safeguarding cities around the world. “Huawei is excited to be collaborating with Dubai Police on such an important initiative that is in line with Dubai’s 2021 vision to become a city of happy, creative and empowered people with Dubai being the preferred place to live, work and visit,” said Fan Si Yong, Vice President, Huawei, Enterprise, Global. “A core component to achieving this vision is ensuring the wellbeing and safety of residents and we are working closely with Dubai Police to share our leading ICT solutions capability and address their important safe city requirements.” The Dubai Police is fully committed to technological innovation as per the directives of His Highness Sheikh Mohammed bin Rashid Al Maktoum, Vice President and Prime Minister of the UAE, and Ruler of Dubai. H.E. Major General Khamis Mattar Al Mazeina, Commandant General, Dubai Police, said, “We are collaborating with Huawei to see His Highness’s vision achieved by ensuring that Dubai Police remains an innovation leader and is leveraging best-practice approaches and technologies being deployed around the world.”

STME INCREASES OFFERINGS WITH VERITAS TECHNOLOGIES

STME has signed a new partnership agreement with Veritas Technologies to provide clients in the Middle East with the company’s NetBackup solutions for backup and recovery. “Protecting your organisation from the loss of data and information is crucial for the continuity of your business, especially in the service-oriented age businesses now operate in. The downtimes that result from the loss of data and due to the lack of a backup system, or a reliable backup system, may also cause the organisation that has already lost so much to also lose customers and clients who demand quick turnaround,” said Ayman Al Bayaa, CEO, STME. “The Veritas solution empowers organisations by reducing complexity and outpacing relentless data centre growth, and greatly expands the effectiveness of backup and recovery. We are pleased to be able to offer these solutions to our clients in the Middle East.” The agreement was announced during a recent partner event STME hosted together with Veritas, at Etihad Towers Hotel in Abu Dhabi. The event covered topics such as analysing and classifying data, and supervising and managing storage. The full-day event had presentations by STME and Veritas staff and was attended by IT professionals from across the region.


FIREEYE: MIDDLE EAST BANKS HIT BY TARGETED CYBER-ATTACKS

FireEye’s Dynamic Threat Intelligence (DTI) identified emails containing malicious attachments being sent to multiple banks in the region. The threat actors appear to be performing initial reconnaissance against would-be targets and were detected because they were using unique scripts not commonly seen in crimeware campaigns. According to the report, the attackers sent multiple emails containing macro-enabled Excel (XLS) files to employees working in the banking sector in the Middle East. The themes of the messages used in the attacks are related to IT infrastructure, such as a log of a Server Status Report or a list of Cisco IronPort Appliance details. In one case, the content of the email appeared to be a legitimate email conversation between several employees, even containing contact details of employees from several banks. This email was then forwarded to several people, with the malicious Excel file attached. Office documents containing malicious macros are commonly used in crimeware campaigns. Because default Office settings typically require user action in order for macros to run, attackers may convince victims to enable the running of risky macro code by telling them that the macro is required to view “protected content”. The report further highlighted that the rise of the region as a hub for banking and finance has made it a tempting target for cyber-attackers.

IBM ANNOUNCES ‘WATSON FOR CYBER SECURITY’

IBM Security has announced ‘Watson for Cyber Security,’ a new cloud-based version of the company’s cognitive technology trained on the language of security as part of a year-long research project. To further scale the system, IBM plans to collaborate with eight universities to expand the collection of security data IBM has trained the cognitive system with. According to IBM, training Watson for Cyber Security is a critical step in the advancement of cognitive security. Watson is learning the nuances of security research findings and discovering patterns and evidence of hidden cyberattacks and threats that could otherwise be missed. Starting this fall, IBM will work with leading universities and their students to further train Watson on the language of cybersecurity, including: California State Polytechnic University, Pomona; Pennsylvania State University; Massachusetts Institute of Technology; New York University; the University of Maryland, Baltimore County (UMBC); the University of New Brunswick; the University of Ottawa and the University of Waterloo.

The announcement is part of a pioneering cognitive security project to address the looming cybersecurity skills gap. IBM’s efforts are designed to improve security analysts’ capabilities using cognitive systems that automate the connections between data, emerging threats and remediation strategies. IBM intends to begin beta production deployments that take advantage of IBM Watson for Cyber Security later this year. “Even if the industry was able to fill the estimated 1.5 million open cyber security jobs by 2020, we’d still have a skills crisis in security,” said Marc van Zadelhoff, General Manager, IBM Security. “The volume and velocity of data in security is one of our greatest challenges in dealing with cybercrime. By leveraging Watson’s ability to bring context to staggering amounts of unstructured data, impossible for people alone to process, we will bring new insights, recommendations, and knowledge to security professionals, bringing greater speed and precision to the most advanced cybersecurity analysts, and providing novice analysts with on-the-job training.”

RAKBANK SIGNS GEMALTO FOR CONTACTLESS EMV PAYMENTS

Gemalto has been chosen by RAKBANK to support its migration to contactless EMV payments, to benefit from this system’s speed, convenience and security. The cybersecurity vendor will be supplying RAKBANK with its dual interface cards, which will be personalised by the Bank using the already implemented Gemalto Dexxis issuance system. RAKBANK is initially deploying the cards for the launch of its new RED MasterCard, offering customers all the benefits of swift ‘tap and go’ transactions, alongside an attractive package of loyalty and saving programmes. Afterwards the bank’s entire payment card portfolio will be upgraded to dual interface technology. “RAKBANK is committed to empowering customers with technology-based solutions that save them time,” said Ian Hodges, Managing Director, Retail Banking, RAKBANK. “The launch of our RED MasterCard reflects this drive to offer simple and convenient banking solutions, and benefits from Gemalto’s experience of successful contactless deployments in markets worldwide.”

60% of digital businesses face major service failures by 2020 due to the inability of IT security teams. Source: Gartner


FEATURE

GONE PHISHING
Here’s how to be on your guard against phishing attacks

According to the Verizon data breach investigation report published last month, phishing remains a major data breach weapon of choice. The report, which examined over eight million results of sanctioned phishing tests in 2015 from multiple security vendors, found that 30 percent of phishing messages were opened by the target across all campaigns. About 12 percent went on to click the malicious attachment or links and thus enabled the attack to succeed. This indicates a significant rise from last year’s report in the number of people who opened the email (23 percent in 2014) and a minimal increase in the number who clicked on the attachment (11 percent in 2014). The median time for the first user of a phishing campaign to open the malicious email is one minute, 40 seconds.

Phishing is the best known variety of social engineering – a method of trying to gather personal information using deceptive emails and websites. “Phishing is an increasingly common type of spam that can lead to theft of personal details such as credit card numbers or online banking passwords. Such attacks often attempt to spoof or forge the source address of their email messages, pretending to be someone they’re not in order to fool anti-spam systems and users alike,” says Harish Chib, VP-MEA, Sophos.

Early phishing attempts were crude, with tell-tale misspellings and poor grammar. Since then, however, phishing e-mails have become remarkably sophisticated. Phishers may pull language straight from official company correspondence and take pains to avoid typos. The fake sites may be near-replicas of the sites phishers are spoofing, containing the company’s logo and other images and fake status bars that give the site the appearance of security.


What can your company do to reduce the chances of being targeted by phishing attacks? “In short, user awareness. This also makes phishing so extremely difficult to prevent as we are relying on educating our users in order to get a proper defense. With that said, organisations should think about how they can minimise their brand from being targeted by phishing. This consists both of policies and technical solutions,” says Nicolai Solling, Director of Technology Services at Help AG. Firosh Ummer, MD of Paladion, says a professional anti-phishing service can also greatly improve defences against a sophisticated phishing attack. “A professional security service conducts regular drills to ensure employees are aware and are taking the right measures. They also bring in the latest security intelligence which can block a phishing attack from taking hold in the first place. The human factor is decisive in protecting the institution’s digital assets.”

What is the difference between phishing and spear phishing? Phishing is generic in nature. “Traditional phishing attacks are usually conducted by sending malicious emails to as many people as possible. To fool, trick or attack the victims, the phishing email usually appears to originate from a trusted source, such as a corporation, bank or legal entity, or someone the victims may know or are familiar with. It usually works because, by definition, a large percentage of the population has an account with a company with huge market share,” says Aadesh Gawde, Principal Consultant, ProVise Management Consultancy.

Spear phishing, in comparison, is a targeted variant of phishing. “The attacker is going against your organisation, has researched its layout and will use subjects that are interesting to your end-users,” says Wolfgang Kandek, CTO of Qualys. Ghareeb Saad, Senior Security Researcher, Kaspersky Lab, offers another perspective: “Spear phishing is not a massive spam. While in normal phishing attackers usually use a phishing template sent to multiple victims, in spear phishing for each email the message’s subject and body are highly customised for a specific victim profile. Spear phishing attacks are more tricky and harder to identify.”

How can you spot phishing emails? “Many phishing emails are easy to pick out as they are wrought with spelling and grammatical errors, make outrageous claims, request personal information such as bank and credit card details, and have suspicious attachments (which typically tend to be malware, trojans or key loggers). Email filters and cloud-based email security systems are quite efficient at identifying and eliminating most of these threats. It is when attackers get more sophisticated that users need to give a little more thought to security,” says Solling. He lists some of the signs to watch out for:

Minor spelling differences in the email address: Attackers commonly change just a few characters in the email address in order to masquerade as the legitimate sender. Therefore, if the address is similar but not entirely the same, it’s a good indicator of phishing.

Urgent call to action: Attackers often try to include an urgent call to action with their phishing attempts, as the sense of urgency can sometimes circumvent a user’s better judgement. Emails with a ‘take immediate action’ tone should therefore be treated with caution.

Doesn’t conform to the organisation’s standard policy: In recent years, banks have begun to inform customers that they will never request sensitive information to be shared via email. Similarly, other organisations have such policies in place and users need to be aware of them. If they then receive an email that conflicts with the policy, it can easily be flagged as attempted phishing.

Suspicious links: Many phishing attacks require users to navigate to a website where they are then requested to share sensitive information. If the link looks suspicious (minor spelling discrepancies, does not use HTTPS, etc.), it is likely a phishing email. Users should also refrain from clicking links within the email and instead opt for copying and pasting the address into their browser manually.

How can you avoid your customers falling for phishing? People who know about phishing stand a better chance of resisting the bait, which is why users must be trained to think twice about replying to any e-mail or pop-up that requests personal information. “Socially-engineered emails continue to play a major role in infecting end users and networks today. We believe that this trend will persist for many years to come; this threat has been well established for years but has become increasingly sophisticated in its approach. However, by carefully analyzing details and trends in email social engineering, we become more familiarised and are therefore empowered to make better decisions when faced with suspicious emails. In fact, organisations, their employees, and average end-users alike are entirely capable of defending themselves by observing best practices and educating themselves about email and other cyber threats,” says Tony Zabaneh, Channel Systems Engineer, Fortinet.

Ummer from Paladion adds that this is particularly true for spear phishing schemes, where the deceiving message can be so pertinent to the targeted personnel, with a recognisable sender and convincing information. Installing effective security software is the first step against phishing attacks. However, it is imperative not to neglect the second and most important step, which is to raise the security awareness of personnel. Keeping them informed about the latest phishing techniques will significantly mitigate the risks of ending up in the phishers’ trap.

Gawde from ProVise agrees: “Educating staff and customers about phishing is the single most important thing to prevent phishing, because these attacks work by exploiting a lack of awareness. Hence security awareness training becomes extremely important, and many organisations miss this, leading to security risks. A single click on a malicious link can possibly compromise an entire organisation. Data indicates that a significant number of data breaches reported are due to corporate employees or contractors—whether intentional, or through careless actions.”

The Verizon report calls for a three-point approach to protecting employees from phishing scams, including better e-mail filtering before messages arrive in user in-boxes, a security awareness programme, and improved detection and response capabilities. Industry experts say information security policy and practices must pay special attention to non-executive employees, where most of the compromises will originate. Security teams should also develop granular policies and defences for departments that are particularly vulnerable.
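The four signs Solling lists (a sender address a few characters off, an urgent call to action, a request for data the organisation never asks for by email, and links that lack HTTPS or mimic a real domain) can be turned into a simple triage check that holds suspect mail for a human to review. The Python script below is an added example, not code from the article or from Help AG; the trusted-domain list, the phrase lists and the two sample messages are constructed assumptions.

```python
"""Heuristic phishing-sign scorer (added example, not from the article).

Checks one raw email against the four signs from the feature: lookalike
sender domain, urgent call to action, request for sensitive data, and
suspicious links (no HTTPS or a host that imitates a trusted domain).
"""
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumption: domains this organisation accepts as legitimate senders.
TRUSTED_DOMAINS = {"examplebank.com", "example.com"}

# Assumption: phrase lists standing in for "urgent call to action" and
# "requests personal information"; a real deployment would tune these.
URGENCY_PHRASES = ("take immediate action", "immediately", "urgent",
                   "within 24 hours", "will be suspended", "verify now")
SENSITIVE_TERMS = ("password", "credit card", "card number", "cvv",
                   "pin", "bank details")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Trusted domain that `domain` nearly matches, else None.
    An exact match is legitimate; one or two characters off is a lookalike."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def sender_domain(msg) -> str:
    match = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return match.group(1).lower() if match else ""


def phishing_signs(raw_email: str) -> list:
    """Return the signs present in one RFC 822 message (single-part text assumed)."""
    msg = message_from_string(raw_email)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    signs = []

    # 1. Minor spelling differences in the sender address.
    sender = sender_domain(msg)
    near = lookalike_of(sender)
    if near:
        signs.append(f"sender domain {sender} looks like {near}")

    # 2. Urgent call to action.
    if any(p in text for p in URGENCY_PHRASES):
        signs.append("urgent call to action")

    # 3. Asks for data that policy says is never requested by email.
    if any(re.search(r"\b" + re.escape(t) + r"\b", text) for t in SENSITIVE_TERMS):
        signs.append("requests sensitive information")

    # 4. Suspicious links: no HTTPS, or a host imitating a trusted domain.
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.scheme != "https":
            signs.append(f"link without HTTPS: {url}")
        near_host = lookalike_of(host)
        if near_host:
            signs.append(f"link host {host} looks like {near_host}")
    return signs


def verdict(raw_email: str) -> str:
    """Two or more signs is enough to hold the mail for a human to check."""
    return "suspicious" if len(phishing_signs(raw_email)) >= 2 else "ok"


# Constructed sample messages (not real mail).
PHISH = """\
From: Security Team <alerts@examp1ebank.com>
To: user@example.com
Subject: Urgent: verify your account

Your account will be suspended. Take immediate action and confirm your
password and card number at http://examp1ebank.com/verify
"""

LEGIT = """\
From: Statements <statements@examplebank.com>
To: user@example.com
Subject: Your May statement is ready

Your statement is available in online banking at https://examplebank.com/statements
"""

if __name__ == "__main__":
    for name, mail in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, verdict(mail), phishing_signs(mail))
```

The sample phish trips all four signs (five findings, since its link is both non-HTTPS and a lookalike host), while the legitimate statement notice trips none.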




CYBERCRIMINAL ECOSYSTEM

Cybercrime is no longer a one-man operation. Within the cybercrime underground, an attacker can be bought or rented to facilitate different aspects of the attack lifecycle.* Fraud as a service is constantly changing and adapting to new security solutions, offering end-to-end technologies, multiple SLA levels and low prices for everything a cybercriminal might need.

Malware
Cost: Free - $20k (licence based)
Trojan designed to steal data, manipulate online banking sessions, inject screens and more.

Infrastructure
Cost: $50 - $1,000 (rental per month)
Hosting services for malware update, configuration and command and control servers. Some are fast flux or TOR based.

Spammers
Cost: $1 - $4 per 1,000 emails
Spam botnet operators that spread emails with attachments or links leading to a Trojan infection.

Exploit Kits
Cost: $2,000 (rental per month)
Toolkits designed to exploit system and software vulnerabilities, resulting in a malicious download.

Droppers
Cost: $10,000
Software designed to download malware to an infected device, evading antivirus and research tools.

Money Mules
Cost: Up to 60 percent of account balance
A person who receives the stolen money from a hacked account and transfers the funds via an anonymous payment service to the mule operator.

SOURCE: IBM


COVER STORY

A MATTER OF SECURITY
Having ramped up quickly since its inception, the UAE-based cybersecurity player DarkMatter is gearing up to lead the regional security market, armed with security pros and a diverse range of services. Faisal Al Bannai, CEO of DarkMatter, talks about the company’s customer-centric action plan.

Can you tell us about DarkMatter’s business model? Are you a specialised security systems integrator, a solutions provider or a VAR?

The way we look at this is, in order to ensure you are secure, you need to look at security from an end-to-end perspective; it is not just a matter of buying some good solutions or hiring someone to do your security monitoring operations, because any one of these elements will not work properly if the other bits are not done. Which is why we are focused on end-to-end cybersecurity, with global subject matter experts across each of these streams. Whether it’s reviewing your security architecture, systems integration and implementation, or selecting the right solutions or vetting these solutions and testing them, we cover the entire value chain of cybersecurity.

The reality of the local security market is that we have two types of players in the market – first, you have the multinationals, most of which are based out of the US or Europe. Many of them do have offices here, but these are mostly sales and marketing offices, while technical support is offered from elsewhere. They may offer you some sort of level two or three technical support from their local offices but the real heavy hitters are in the home base. Then come the resellers and system integrators. They don’t have an end-to-end approach and security is just one element of what they do; they are not very security conscious.

Now, that’s what our differentiator is. Some of our services are developed in house by subject matter experts. For example, the head of our GRC practice was the global head of information risk assurance at Salesforce.com and one of the editors of the ISO standards. The person heading our security management centre, wherein we advise our clients to build their own SOCs and use ours as a service, which will be built by the end of this year, was involved in the US Department of Justice’s security operations centre. The former global head of Samsung’s security engineering team is the head of our secure communications practice. I don’t think any other security company in the Middle East has such a concentration of high-calibre individuals. Having said that, we do realise we can’t do everything by ourselves, so we partner with others, and integrate their products and services. But we review everything and vet these solutions before critical entities or government can deploy them.

Do you do your own R&D and plan to develop products?

We have R&D teams based here locally, and in Canada and China. We are developing products in the space of secure communications, cyber defence, signal intelligence, Big Data and analytics, among others. All of these teams are run by highly accomplished individuals, who have come here looking for an ecosystem conducive to innovation. And that is in line with our country’s vision. The UAE has gone through different phases. In the 60s and 70s, it was a phase of catering to basic needs such as hospitals and schools, and was followed by building basic infrastructure such as roads. Later on, the government’s focus was on making sure all the government entities were running on a business excellence model to ensure efficiency and transparency. The current phase is all about innovation and developing intellectual property. That’s when we felt, if we are creating a new cybersecurity player, the UAE might be the right market to base that in. So we are going to use the UAE as a springboard to cover this region and eventually become a global player. The aim is not to become a local or regional player, but to become a key global player that can attract talent to our country.

When are you planning to go global?

Well, as they say, one step at a time. You need to make sure your home turf is covered; we need to make sure that the UAE and the region are covered first over the next two years. Some of the products that we will introduce over the next couple of years will appeal to the global market as well, but right now our focus is the regional market. You can’t do everything for everyone from day one. Right now, the aim is to make global products and services, and to become a dominant regional player. Once we accomplish that, we will go global. It is going to be our natural progression.

You have a strategic partnership with the UAE Government. Is that your primary target market?

There are four types of customers – individuals, SMEs, large enterprises and governments. All of them can be our potential targets, but our current customers are those who are highly security conscious because cybercriminals are targeting them in a big way. So our customers now are either government or critical entities, which include banks, oil and gas, healthcare and telecom operators.


EVENT

MAXIMUM SECURITY
The seventh annual Enterprise Security 360 Roadshow took place last month, reaching Riyadh, Dubai and Doha. The show covered a variety of issues surrounding the ever-changing cybersecurity landscape. Security Advisor ME reports from the UAE leg of the show.

The increasing complexities of the IT landscape and the sophistication of cyber-attacks across the globe are compelling enterprises to adopt in-depth defence strategies to protect their valuable digital assets. What’s more, at a time when third platform technologies such as cloud and BYOD are dominating the market, traditional security approaches are simply not enough. Last month, one of the most prominent financial institutions in the region, Qatar National Bank, fell victim to a hacking incident in which 1.5GB of the bank’s data was stolen and leaked online. Issues like these, and how enterprises can adopt a 360-degree strategy for security to keep both external and internal threats at bay, dominated the agenda.

Microsoft Gulf’s Senior Premium Field Engineer Humberto da Silva started off the proceedings with a presentation that explained the growing importance of identity management and security in the cloud. “According to an IDC study, 70 percent of CIOs will embrace a cloud-first strategy in 2016,” he said. “However, numerous organisations cited concerns around data security as a barrier to cloud adoption. What they need to realise is that cloud can bring security benefits they didn’t previously have on-premises. Utilising the cloud can enable them to obtain security and identity authentication strategies that will ease the work of end users and at the same time protect corporate data and IP.”

Ayyman Mukaddam, System Engineer, Aruba, an HP Enterprise company, then took the stage and shared insights on top IT security considerations when dealing with a mobile workforce. With users carrying both IT-managed and personal devices, and connecting from anywhere to perform work-related tasks, IT now has to deal with internal resources being accessed from various endpoints. “The BYOD and mobility trends are not going to slow down and will continue to grow. To enable the secure use of personal devices in the workplace, IT needs a way to automate who and what can be used.” Mukaddam discussed the benefits of Aruba ClearPass, which has guest and device registration tools and enables better management and monitoring of user activities within the workplace.

Another crucial issue IT leaders need to keep an eye on is network and traffic security. Due to the increasing cases of malware, most organisations are turning to encryption to ensure that their data is protected. Karthik Ramakrishnan, Senior Systems Engineer, Blue Coat, noted that numerous organisations across various industries utilise Secure Sockets Layer (SSL) and Transport Layer Security (TLS) as part of their security protocol. “However, increasing cases of advanced persistent threats (APT) are using SSL as a transport into systems,” he said. “Therefore, it is highly ideal that enterprises find an effective strategy to manage SSL/TLS; doing so will give them better visibility of any threat actors within their network,” he added.

Next up was Samir Kirouani, Technical Manager, MEA and Indian Subcontinent, Centrify, who talked about best practices when managing privileged access. “Most enterprise security models today are built to try and keep the attackers out of the network. But the problem is today’s attacks are becoming more advanced and persistent.” According to Kirouani, as the new threat landscape is far more sophisticated than ever before, eventually threat actors will penetrate our networks. What’s worse is that among the most persistent security breaches are those caused by compromised identities. “There are a variety of ways to minimise the attack surface to mitigate these kinds of threats,” he said. “Identity consolidation is the first step towards gaining control over your environment. IT leaders also need to minimise user access rights across the enterprise and set up various parameters in assigning employees with privileged access.”

Dell Security’s Solution Architect for Security, Rajesh Agnihotri, presented the ‘Connected Security’ strategy, which is focused on combining technologies and solutions to effectively and efficiently mitigate threats. “Security solutions have to evolve, and connected security is not only desirable – it’s essential,” he said. “An ideal defence strategy entails a layered and threat-centric model. This model entails three D’s – defend, which means before an attack you should fortify your position to give yourself the best chance of preventing a breach; detect, which involves ensuring that your tools can identify the threat during an attack and act quickly to prevent it; and lastly, discover, which means after penetration ensure visibility un-masks the threat quickly to minimise loss.”

Following Agnihotri’s speech was Ibrahim Alaeddin, Business Manager, Fortinet, Exclusive Networks, who gave a presentation focused on the pervasive issue of ransomware. “In most cases, a ransomware will claim that you have done something illegal with your PC, and will ask you to pay a significant amount of money as a fine to a government agency of some sort,” he explained. “However, there is no guarantee that paying the fine or doing what the ransomware asks you will bring access to your PC or files again. Detect, identify, mitigate and act are the key steps to effectively thwart any kind of malware.”

Umberto Sanso Vini, Channel Sales Manager South EMEA, CyberArk, gave a presentation that delved into security within an organisation’s perimeter. “The new battleground for cyber-attacks is not outside the perimeter, it’s actually inside your network,” he said. “Enterprises should look into a strategy that delivers both proactive protection and threat detection in the critical path of privileged accounts. They should also consider the combination of monitoring admin rights and application controls. This approach can reduce the attack surface by preventing known bad applications from executing and limit what malware can do by limiting the privileges granted to unknown applications.”

Next up was Jude Pereira, Managing Director, Nanjgel Solutions, who discussed the various approaches in building a cybersecurity framework. “Organisations need to speed up breach detection and apply security intelligence, which provides actionable and comprehensive insights

for mitigating threats from protection, detection through remediation,” he said. “Another important noteworthy approach is ensuring that you get full visibility into your environment. You should understand what is happening and what is not. Use insights and analytics to identify outliers. Then, develop an integrated approach to stay ahead of the threat. Finally, innovate and Use cloud and mobile for better security.” The last speaker of the day was Thomas Fischer, Global Security Advocate, Digital Guardian. During his presentation he looked into how the tools organisations possess can be better used to investigate and detect insider threats as well as expand visibility on external threats. “The key is having an intelligence in real-time that will inform us as to what is happening on the endpoint and to be able to take action to stop malicious activity,” he noted. “This can be achieved by enhancing our network visibility through detecting insider and external threats before damaging incidents occur. Then, organisations need to establish control and enforce data rights policies in real time for

privileged users online or offline. Next, they should establish data chain-of-custody and incident context for investigations, in real time. Finally, ensure the access and uses of sensitive data are continuously audited and consistently managed.” The Riyadh leg of the event featured the following speakers: Tamer Adil, Senior Systems Engineer, Blue Coat; Ahmed Ibrahim, Solution Architect, HP Enterprise; Sameh Gamil, Pre-sales Engineer, Dell Security; Hamza Al-Qudah, Technical Consultant, Exclusive Networks; AbdulRahman Al-Dalbahi, System Engineer, Intel Security; and Javed Abassi, GISBA Group. In Doha, the line up of expert speakers also included Kamel Heus, Regional Sales Manager, Centrify; Wesam Alassaf, Enterprise Sales Manager, HP Enterprise; Mohammed Ameen, Network Security Consultant, Westcon ME; Robert Wickberg Taylar, ME Sales Manager and Surmed Shaikh, Akamai Technologies; and Shahul Hameed, Partner Technology Strategist, Microsoft Qatar. 06.2016

15


FEATURE

DEFENCE LINES
Emad Abu Jazar, Country Manager – Saudi Arabia, Fortinet, tells us why his company is at the forefront of the fight against cybercriminals.

The threat landscape in the Kingdom is pretty intense and complex now. How do you help your customers address the cybersecurity challenges?
The threat facing all networks, whether SMB or large enterprise, has increased and continues to increase exponentially. The combination of the growth of threats with the dramatic increase in the number of devices that can be used to access the network means the job of protecting an enterprise network will continue to be more and more difficult. In order to secure Fortinet's customers' networks it's imperative to understand the challenges and their root cause. From Fortinet's perspective there are three key issues affecting the network's security position: the way that security has traditionally been implemented is too complex, the networks themselves have drifted away from a defined perimeter, and organisations are faced with the compromise of choosing between security and performance. Fortinet's response is to counter these three issues with its philosophy "Security Without Compromise" by offering seamless, intelligent and powerful solutions.

Saudi is now developing a national information security strategy. How can Fortinet contribute to the country's vision?
All of Fortinet's resources are geared to developing new technologies and enhancing current solutions in order to cover the entire security spectrum. As a leading network security vendor we are committed to supporting efforts that contribute towards fighting modern cyber crime. Our Cyber Threat Assessment Program (CTAP) is designed to provide organisations a detailed look into the type and amount of cyber threats posing risks to their networks, yet going undetected by their existing security solutions. This new initiative is part of a broader effort by Fortinet and our FortiGuard Labs threat research team to integrate risk and advisory capabilities with its end-to-end security platform to provide customers greater insight into dynamically changing cyber risks that threaten their businesses. Our collaborative efforts and global alliances play a key role in helping us work with governments and local security councils in an advisory role to address growing threat concerns.

There is a dearth of security skills in the Kingdom. How is Fortinet planning to address this?
Enterprises are facing a severe skill shortage when it comes to cyber security and, according to the Enterprise Strategy Group (ESG), a cybersecurity specialist is the most difficult IT position to fill. Fortinet has developed an effective method to help address this challenge. We conduct intensive training sessions for our partners and end-users on all our solutions and implementations. This helps them to better understand the solutions and simplify their implementation and management. We also actively participate in industry seminars, and share intelligence on the latest threat landscape and cybersecurity protection techniques. Also, Fortinet introduced this year a worldwide network security academy, designed to develop and train action-oriented cybersecurity experts to manage new and advanced threats on the horizon. The Fortinet Network Security Academy (FNSA) was created to address the international shortage of cybersecurity experts and to build a workforce skilled in all aspects of Fortinet's end-to-end network security fabric who will be recognised in the industry among an elite group of security professionals. From code to client to cloud, the Academy brings the training and certification opportunities previously only offered to Fortinet customers and partners to educational institutions, non-profit organisations and veterans' programs. Training for faculty is free of charge for these organisations, arming the professors with the skills required to teach the program to students who will learn how to protect global organisations from cyber threats.

What do you think are the top threats facing IT decision makers in Saudi?
Zero-day attacks, DDoS attacks, web application attacks and data theft are among the top threats facing organisations in Saudi Arabia. That difficulty is readily seen from the number of high-profile data breaches over the past several years. However, while the headlines of each new data breach grab our attention, particularly the number of identities or credit cards compromised, what is frequently overlooked is the long-term impact to the organisation, both from a reputational and a financial point of view. But securing an enterprise network is more than just looking at yesterday's or today's issues. Looking ahead at different trends and their potential impact on the network's security is also part of the ongoing challenge. To avoid becoming obsolete with the next wave of new trends that will hit the market, Fortinet's technology vision, the Fortinet Security Fabric, has to have certain characteristics that will allow it to adapt as necessary.

Can you name some of your biggest customers in the country?
Our customers span various verticals and include leading telcos, universities, banks, enterprises, oil & gas, healthcare as well as a number of SMBs.

Do you think the traditional security methods can prevent the new breed of attacks?
Enterprises today are still relying on the same old strategies. Just look at the news: it seems that almost daily we're reading about another attack, another breach, another massive loss of data. Why aren't these strategies working anymore? It could be a number of reasons but there are three key areas that we can point to. The first is being too focused on compliance: just checking all the boxes on a list isn't enough. How many massive retail breaches have we seen where the company was recently audited and found to be fully PCI-compliant? Attackers don't care that you passed your last audit. They're also too risk-based and reactive. While yes, it is important to protect against the low-hanging, already-seen fruit, it's the new unknowns that are critical to detect. An annual risk assessment is obsolete the moment it's done in today's threat landscape. Finally, they're far too focused on 'best of breed' solutions. A firewall from one vendor, a sandbox from another, a spam solution from a third. None of these tools were ever designed to work together, leaving your network with potential protection gaps.

What should an organisation do to avoid becoming the next headline?
The solution starts with changing the way the enterprise looks at security. Security must be comprehensive and intelligent with zero trade-offs in network performance. Legacy security approaches have gotten too complex and network traffic has become unmanageable, resulting in too many alerts and not enough clarity on what is important. At Fortinet, we've come up with three maxims defining our approach to security today. Rule number one is to keep it simple: the more complex your network is, the harder it is to secure it. The second rule is that the definition of a network has changed and the number of potential attack vectors has multiplied. What was the boundary of your network yesterday no longer exists today. And finally, rule number three: slowing down the network to implement security is not, never has been, nor will it ever be a satisfactory strategy.

Fortinet has recently broadened its Secure Access Architecture solutions. Can you tell us what is new?
Today's network surface has changed and there are more ways to access networks through wireless networks, mobile, and the cloud. Fortinet's Secure Access Architecture of wired and wireless networking solutions merges advanced security with enterprise access layers to provide seamless protection across the expanding attack surface - from IoT (Internet of Things) to the cloud. It offers universal management and policy controls that simplify administration across wired and wireless infrastructures, enabling sophisticated segmentation of devices from critical data.


OPINION

RANSOMWARE: THE GREAT WHITE SHARK OF MALWARE
By Mark Kedgley, CTO of New Net Technologies

'STOP! Are you really sure you want to load this attachment? Are you certain that this link is safe?' A prompt from your computer may be the difference between a disastrous ransomware infection and a regular day at the office. Right now, ransomware is the great white shark of cyber-attacks, the most feared malware of all, and both corporate and home users are running scared. And rightly so: anyone who has had experience with ransomware will attest to the agony and disruption. But instead of worrying about an attack, what action can be taken to safely venture back into the water and not necessarily "with a bigger boat"?

Who should be aware of the ransomware threat?
Home user: The home-user community has been an active ransomware target for a few years now, and attacks have escalated in recent months. Being given just hours to either pay the ransom or lose permanent access to everything on your personal computer is a stark choice (often enough to precipitate agreement to the extortion). What value would you put on all your personal documents, photos, music, etc?
Corporate user: The stakes are even higher for a corporation, where the absolute dependency on IT systems means ransomware could threaten the very life of the business itself. In the case of the LA Presbyterian Hospital, this threat to life was more literal, in that patient systems were under threat from ransomware. The hospital paid the equivalent of $17,000 in Bitcoin as the "quickest and most efficient way to restore our systems and administrative functions", and just like that a dangerous precedent was set!

How does ransomware typically attack systems?
Email – phishing, be it the mass, spear or now whale variety for corporate targets – is still the most common means of invoking a ransomware attack. The home-user 'market' for the extortionists lends itself to mass-emailing, but this means that the malware can just as easily end up on corporate workstations. Significantly, now that there has been a very public precedent of a hospital paying a ransom, expect to see greater targeting of corporate victims. The first thing we need to establish is the fact that ransomware is no different from any other form of malware in terms of its delivery means: usually, but not exclusively, via email with either malware attachments or links to infected websites. The difference, and the scary part, is how it is used to extort money from victims. Once the malware has been invited onto a user's computer it can get to work, encrypting files before announcing its presence and declaring its ransom demand. The nature of its immediate demands and very tangible threat is precisely what makes it more feared than other malware. However, your line of defence and your approach to preventing ransomware should be the same as they would be for any other malware. Don't be thrown by the sensationalism surrounding ransomware; pragmatism should always prevail.

CryptoLocker: best avoided! You don't want to see this. Classic ransomware operation: after the malware is in place, a unique encryption key is generated for each computer infected and is used to encrypt data on the machine. If the ransom is not paid within the allotted time the files are lost forever. Make sure backups are up to date and isolated from the computer, otherwise they may be encrypted too.

What should you be doing right now to prevent ransomware?
Over and above standard firewalling and anti-virus protection, there are additional defences that should be in place against phishing, given that this is the primary delivery mechanism used. Unfortunately, phishing is, by design, notoriously tough to prevent, due to its cunning and devious methods. The malware is invited in by the recipient, typically either by opening an attachment or by activating/downloading a link, thereby largely subverting corporate IT security. The best approach is therefore to harden the user workstation environment, to prevent malware activity where possible and at least to place more obstacles in the way where not. As with any hardening programme, a balance must be found between strong security and operational ease of use. The majority of exploitable vulnerabilities can be mitigated within the workstation operating system, and further protection can be provided using manufacturer extensions such as Microsoft's EMET (Enhanced Mitigation Experience Toolkit) and Windows Defender or third-party AV.

Secure the desktop and the user
But when it comes to users' emails and their content, accurately protecting against the bad while allowing the good is beyond any technological solution. While blocking all email attachments and links would improve security, there aren't many users who would sign up for this. A more graded approach to protecting the user is needed. And in fact this solution already exists for most browsers and the Microsoft Office applications. Controlled by Group Policy, the desktop applications otherwise used to welcome in ransomware can be fine-tuned to mitigate exploitable vulnerabilities while requiring elevated approval for other functions. This may slow the user down for certain tasks, but that additional pause for thought while the system prompts for approval elevation will ensure security hygiene is observed. For example, MS Outlook security policy options are available to control:
• How administrator settings and user settings interact in Outlook 2013
• Outlook COM add-ins
• ActiveX and custom forms security
• Programmatic Access settings
• Settings for attachments, cryptography, digital signatures, junk email, Information Rights Management and Protected View
Similarly, fine-grained security settings are available for Excel, Word, PowerPoint and Office, all serving to mitigate vulnerabilities within the application that could be exploited by an attacker, overall bolstering ransomware defences. Likewise for contemporary browsers like Chrome, Firefox and Internet Explorer, anti-phishing controls should be enabled alongside other built-in security measures that are often disabled by default.

Key questions regarding desktop application hardening
• Which settings need to be set and which are optional?
• What are the implications in terms of user experience and application function if security settings are enabled?
• How do you actually apply the necessary secure configuration, and how do you do it in bulk for your entire IT estate?

Help is at hand: 5 steps to mitigate the ransomware threat
1. Hardening homework: While organisations like the Center for Internet Security (CIS), NIST and the National Vulnerability Database provide system hardening guidance, you'll still need to work out what is right for your users.
2. Leverage automation: Most scanners and FIM solutions will provide fast, automated reports to establish where vulnerabilities exist, while the best options will also provide remediation advice, or better still, Group Policy or Puppet templates to automatically apply a hardened configuration to workstations and their applications.
3. Change control: You'll also need to make sure that patching is up to date as a further means of closing off exploitable vulnerabilities, but think about getting more structured. Change control is a key security best practice that, when done right, makes a cyber attack much easier to detect and head off before lasting damage is done.
4. Ransomware: If you can't stop it, make sure you can spot it. There still is no such thing as 100% security, so while your emphasis will be on prevention, accept that detection of a breach is going to be a necessary contingency. This is where FIM and SIEM systems also enhance security, by analysing system activity for signs of suspicious behaviour.
5. Rip it up and start again: And if you do fall victim to ransomware, think how grateful you will be when you can simply scrap a desktop, re-image it and recover all data, all in its usable, non-encrypted state. It goes without saying that backups are critical, but make sure the restore process works by testing regularly.
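Step 4 asks for detection where prevention fails, with FIM named as one of the tools. As an added example (not from the article or from New Net Technologies' products), the script below applies the file-integrity idea to the on-disk footprint described earlier in the piece: many files rewritten in a short window, their content turned into high-entropy ciphertext, and usually renamed with a new extension. The entropy threshold, the five-file trigger, the sample documents and the fake "ransomware" that scribbles over them are all my assumptions, constructed so the example runs offline.

```python
"""Added example (not from the article or New Net Technologies): a minimal
file-integrity check that spots the footprint crypto-ransomware leaves on disk.
A ransomware run rewrites many files in a short window, the new content is
high-entropy ciphertext, and names usually gain an extension such as ".locked".
Two snapshots of a directory tree are compared and the alarm is raised once
enough files changed in that tell-tale way. The 7.0 bits/byte entropy threshold,
the five-file trigger, the sample documents and the fake ransomware in demo()
are all constructed for the demonstration.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for ciphertext or compressed data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def snapshot(root: Path) -> dict:
    """Baseline record: relative path -> (sha256, entropy) for every regular file."""
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            data = path.read_bytes()
            result[str(path.relative_to(root))] = (hashlib.sha256(data).hexdigest(), shannon_entropy(data))
    return result

def assess(before: dict, after: dict, entropy_threshold: float = 7.0, min_suspicious: int = 5) -> dict:
    """Flag baseline files that went from readable to ciphertext, in place or renamed.

    Rewritten in place: same name, new hash, entropy now above the threshold.
    Rewritten and renamed: the file vanished and a high-entropy newcomer in the same
    directory starts with its stem (report.docx -> report.docx.locked or report.crypt).
    Files that were already high-entropy (zip, JPEG) are skipped so routine archive
    edits do not trip the alarm.
    """
    new_files = [p for p in after if p not in before]
    suspicious = []
    for old, (old_hash, old_entropy) in before.items():
        if old_entropy >= entropy_threshold:
            continue
        if old in after:
            new_hash, new_entropy = after[old]
            if new_hash != old_hash and new_entropy >= entropy_threshold:
                suspicious.append((old, old))
            continue
        old_path = Path(old)
        for cand in new_files:
            cand_path = Path(cand)
            if (cand_path.parent == old_path.parent
                    and cand_path.name.startswith(old_path.stem + ".")
                    and after[cand][1] >= entropy_threshold):
                suspicious.append((old, cand))
    return {"suspicious": suspicious, "ransomware_suspected": len(suspicious) >= min_suspicious}

def build_sample_tree(root: Path, n_docs: int = 8) -> None:
    """Constructed sample data: plain-text documents plus one legitimate, already-random archive."""
    for i in range(n_docs):
        (root / f"doc{i}.txt").write_text(f"Quarterly report {i}: revenue up, costs flat.\n" * 100)
    (root / "archive.zip").write_bytes(os.urandom(4096))

def fake_ransomware(root: Path) -> None:
    """Constructed stand-in for the malware: overwrite each document with random bytes, rename it, drop a note."""
    for path in list(root.glob("doc*.txt")):
        path.write_bytes(os.urandom(path.stat().st_size))
        path.rename(path.with_name(path.name + ".locked"))
    (root / "HOW_TO_DECRYPT.txt").write_text("Your files are encrypted. Pay 2 BTC within 72 hours.\n")

def demo() -> dict:
    """Run the check before and after the fake infection; returns both verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        baseline = snapshot(root)
        quiet = assess(baseline, snapshot(root))   # nothing has changed yet
        fake_ransomware(root)
        alarm = assess(baseline, snapshot(root))   # after the encryption run
    return {"quiet": quiet, "alarm": alarm}

if __name__ == "__main__":
    for label, verdict in demo().items():
        print(label, verdict["ransomware_suspected"], len(verdict["suspicious"]), "files")
```

In a real deployment the baseline would be the FIM agent's last scan, the comparison would run on every change event rather than on demand, and a positive verdict would go to the SIEM as an alert. The entropy test is what separates an encryption run from a large but ordinary edit: a document saved by a user stays low-entropy, a document overwritten by ransomware does not.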



OPINION

LAYERED SECURITY: NOT JUST FOR NETWORKS
The need for a radically different approach to security
By Scott Manson, Cyber Security Leader for Middle East and Turkey, Cisco

On various occasions and celebrations, most of us like to surprise our family, friends and colleagues with gifts that aren't what they appear to be. A ring wrapped in the box your microwave came in. A sweater in a package weighted down with a few bricks. Or maybe a new suitcase that actually contains tickets for a trip. You get the picture: using deception for a pleasant surprise. It strikes me that attackers like to 'surprise' their targets in much the same way, disguising threats as something they aren't, but leading to a not so pleasant surprise. They may send emails that appear to be from a trusted source but instead include a link to a website or a file attachment infected with malware. There are targeted attacks that combine sophisticated social engineering with elusive methods to gain a persistent foothold within the network and exfiltrate critical data. There are entirely new zero-day attacks, unlike anything we've seen before and which traditional defences can't recognise. And techniques continue to change. One of the latest methods is 'snowshoe' spam, so named because, much like a snowshoe that has a large but faint footprint that is harder to see, the attacker spreads a lot of small messages across a large area of sending addresses to avoid detection by traditional defences. Snowshoe spammers rapidly change body text, links and the IP addresses used to send from, and never repeat the same combination. The possibilities are seemingly endless.

These various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. That's what we as defenders need to do with our defences: use a security architecture that supports a combination of defences in ways attackers don't expect and that continuously evolves protections to keep up with dynamic attacks. As security professionals we're all familiar with the concept of defence-in-depth and multi-layered protection. Traditionally these approaches have been focused on the network, but they can and should be applied to email gateways as well. Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers. According to The Radicati Group, in 2015 businesses sent and received over 112.5 billion emails per day and by 2018 the number is expected to reach more than 124.5 billion. This fertile ground for attackers is making secure email gateways an increasingly important component of any cybersecurity strategy. However, conventional secure email gateways that operate at a point in time, scanning only once and based on one set of intelligence, have limited effectiveness. Today's email-based attacks don't occur at a single point in time and use multiple methods to evade detection. To bolster protection, organisations may turn to a set of disparate products that don't, and can't, work together. Clearly this approach isn't conducive to effective security controls. As you evaluate secure email gateway technology or revisit what you already have, be sure to ask the following questions for more effective protection against spam, blended threats, and targeted attacks:

How do you deal with the variety of types of spam and viruses?
We all know that there is no such thing as 100% protection, but we can reach the 99% plus range by layering and integrating multiple anti-spam engines and multiple anti-virus engines. A security architecture that tightly integrates multiple engines and allows them to automatically and seamlessly work together not only increases protection levels but also reduces false positive rates, as they serve as a check and balance against each other. In addition, reputation filters that look at the reputation of the sender's IP address can help protect against attacks like snowshoe spam that hijack IP address ranges.

How do you deal with blended threats that include links to websites laced with malware?
Look for solutions that include web categorisation and web reputation. With web categorisation, administrators can set policies to allow only certain categories of web sites to be accessed. Web reputation assigns a reputation score to a URL based on a variety of data, including the length of time the domain has been malware-free, so you can set policies about whether or not a link can be accessed based on thresholds.

What happens if an attack still gets through – do I have any recourse?
Because some sophisticated attacks manage to get through, you need advanced malware protection that includes retrospective security. Retrospective security continues to track files after they have been delivered and analyses their behaviour against real-time, global threat intelligence. If a file is later identified as malicious, retrospective security can also determine the scope of the attack so that defenders can quickly contain the threat and remediate.

What capabilities do you offer to help me stay ahead of emerging threats?
To identify any trend you need to have visibility into data across a community. In this case, the ability to look at email and network security telemetry from a community of users together with other sources that track threats can give you the intelligence and lead time you need to proactively protect against emerging outbreaks. Look for vendors that include outbreak filters within their email security architecture and can leverage collective security intelligence to develop protections in real time against new outbreaks.

We all appreciate surprises, but not in the form of a surreptitious email. Security professionals face an unprecedented number and variety of threats. Some are new, but many blend tried and true techniques to evade detection by traditional defences. That's why we need to layer a variety of defence techniques in new ways, integrate them and use new approaches for more effective protection.
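The questions above describe four layers: several engines whose verdicts are combined, sender-IP reputation, URL reputation judged against a threshold, and retrospective tracking of files after delivery. As an added example, not Cisco's code and not from the article, the toy gateway below puts all four in one pipeline so the interplay is visible: a snowshoe message with a clean body is still blocked on sender reputation, a single noisy content engine cannot quarantine a legitimate message on its own, a young domain in a link quarantines an otherwise quiet message, and a later "malicious" verdict on an attachment returns every recipient who already has it. The engines, the reputation tables, the thresholds and the messages are all constructed for the demonstration.

```python
"""Added example (not Cisco's code, not from the article): a toy secure email
gateway with the four layers the questions above ask for: several content
engines combined so no single engine's false positive decides; sender-IP
reputation that blocks snowshoe spam from a hijacked range even when the text
looks clean; link reputation based on how long a domain has been malware-free;
and retrospective tracking of delivered attachments so a later 'malicious'
verdict gives the scope of the attack. Every engine, table, threshold and
message here is constructed for the demonstration.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

@dataclass
class Message:
    sender_ip: str
    subject: str
    body: str
    recipients: tuple
    attachment_sha256: str = ""   # empty when there is no attachment

# Constructed reputation data (stand-ins for a vendor's live feeds)
BAD_SENDER_RANGES = [ip_network("198.51.100.0/24")]   # range hijacked by snowshoe spammers
DOMAIN_DAYS_MALWARE_FREE = {"example.com": 3650, "fresh-prize.example": 2}
SPAM_WORDS = ("winner", "prize", "urgent", "wire transfer", "click here")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Layer 1: independent content engines, each scoring 0.0 (clean) .. 1.0 (spam)
def engine_keywords(msg):
    text = f"{msg.subject} {msg.body}".lower()
    return min(1.0, sum(w in text for w in SPAM_WORDS) / 3)

def engine_shouting(msg):
    """Capitals and exclamation marks in the subject line."""
    letters = [c for c in msg.subject if c.isalpha()]
    if not letters:
        return 0.0
    upper_ratio = sum(c.isupper() for c in letters) / len(letters)
    return min(1.0, 0.6 * upper_ratio + 0.2 * msg.subject.count("!"))

def engine_link_count(msg):
    return min(1.0, len(URL_RE.findall(msg.body)) / 3)

CONTENT_ENGINES = (engine_keywords, engine_shouting, engine_link_count)

def combined_content_score(msg):
    """Mean of all engines: one engine cannot condemn a message alone (the 'check and balance')."""
    return sum(engine(msg) for engine in CONTENT_ENGINES) / len(CONTENT_ENGINES)

# Layer 2: sender IP reputation
def sender_is_bad(msg):
    ip = ip_address(msg.sender_ip)
    return any(ip in net for net in BAD_SENDER_RANGES)

# Layer 3: web reputation for links in the body
def url_risk(url, min_age_days=30):
    """Young or unknown domains are risky; a long malware-free history is not."""
    age = DOMAIN_DAYS_MALWARE_FREE.get(urlparse(url).hostname or "")
    if age is None:
        return 0.8
    return 1.0 if age < min_age_days else 0.1

def worst_link_risk(msg):
    return max((url_risk(u) for u in URL_RE.findall(msg.body)), default=0.0)

def classify(msg, spam_threshold=0.5, link_threshold=0.6):
    """Policy order: reputation first (snowshoe bodies look clean), then links, then content."""
    if sender_is_bad(msg):
        return "block"
    if worst_link_risk(msg) >= link_threshold or combined_content_score(msg) >= spam_threshold:
        return "quarantine"
    return "deliver"

# Layer 4: retrospective security for attachments that were delivered
class RetrospectiveTracker:
    def __init__(self):
        self._delivered = {}   # sha256 -> set of recipients who received the file

    def record(self, msg):
        if msg.attachment_sha256:
            self._delivered.setdefault(msg.attachment_sha256, set()).update(msg.recipients)

    def mark_malicious(self, sha256):
        """Later 'malicious' verdict: everyone who already has the file, so it can be pulled."""
        return set(self._delivered.get(sha256, ()))

def demo():
    """Constructed messages through every layer; returns verdicts plus a recall list."""
    samples = {
        "clean": Message("203.0.113.7", "Minutes", "See https://example.com/minutes", ("ali@corp.example",), "aa11"),
        "legit_caps": Message("203.0.113.8", "RE: WIRE TRANSFER approved", "Finance confirmed it.", ("ali@corp.example",)),
        "snowshoe": Message("198.51.100.42", "Minutes", "See https://example.com/minutes", ("ali@corp.example",)),
        "phish_link": Message("203.0.113.9", "Your account", "Verify at https://fresh-prize.example/login", ("bo@corp.example",)),
        "content_spam": Message("203.0.113.11", "WINNER!! URGENT prize", "click here now", ("cy@corp.example",)),
        "invoice": Message("203.0.113.10", "Invoice", "Please review the invoice attached.", ("bo@corp.example", "cy@corp.example"), "bb22"),
    }
    tracker, verdicts = RetrospectiveTracker(), {}
    for name, msg in samples.items():
        verdicts[name] = classify(msg)
        if verdicts[name] == "deliver":
            tracker.record(msg)
    # Hours later threat intelligence flags the invoice attachment: who needs it recalled?
    verdicts["recall_bb22"] = sorted(tracker.mark_malicious("bb22"))
    return verdicts

if __name__ == "__main__":
    print(demo())
```

Two design points carry over to real gateways. The "legit_caps" message trips the keyword and capitals engines but is delivered because the integrated score, not any one engine, decides; a gateway built from disparate products that each quarantine independently would have held it. And the recall list only exists because delivery was recorded by file hash and recipient at the time, which is the work retrospective security has to do before anything is known to be wrong.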


OPINION

5

COMMON MOTIVES FOR DDoS ATTACKS

By Chris Gale, EMEA Partner Director at A10 Networks

istributed denialof-service (DDoS) attacks continue to be one of the most prevalent methods hackers use to disrupt businesses. Involving the use of multiple systems (personal computers, smartphones, etc.), DDoS attacks overload an organisation’s network by generating web traffic that can’t be accommodated by the system’s capacity limits. Unlike with other forms of cyber attacks, DDoS attackers run the gamut in terms of their technical prowess. With DDoS services available for purchase online, even the least tech-savvy teenager with a credit card is capable of taking down company web assets for hours and even days. Due to the diversity amongst those carrying out DDoS attacks, ranging from

D

24

06.2016

high-school kids to state-sponsored hackers, the purpose behind separate incidents can vary significantly. For example, while an experienced cyber criminal may use a DDoS attack for diversionary purposes, a disgruntled employee may carry out an attack just for the sake of causing chaos. Here are some of the most common motives for these attacks and the telltale signs:

1

HIT-AND-RUN The least sophisticated form of DDoS is the hit-and-run attack. These come in a wide variety, targeting gaming services, consumer websites and various other high-visibility targets. These attacks aren’t typically very strategic and are commonly executed by hackers causing chaos for attention or young cyber criminals testing their chops.

Considering these attacks are typically the least organized, and pulled off by the least technical individuals, they are the easiest to prevent. Unskilled troublemakers typically will use a paid service to pull off the attacks, making it costly to sustain long-term. By optimizing your network configuration, and utilising technology with robust load balancing capabilities, the risks posed by these attacks are greatly minimised. This category of attacks serves as a grab-all for incidents that don’t fit into the more defined versions of a DDoS attack. As they are often poorly organised attacks on random companies, it is difficult to pin down specific warning signs. If you are a highprofile company that would make for good headlines, you can assume you’ve been the target of this sort of incident. www.securityadvisorme.com


OPINION

Depending on the resources of attackers, sophisticated DDoS attacks on improperly secured networks can be extended for days, costing companies thousands and even millions of dollars in lost business.

2

POLITICAL Government and state-run websites have been a common target for protestors and activists looking to make a statement via cyber means. Most commonly associated with the likes of Anonymous and other hacker collectives, these attacks are a slightly more advanced/targeted version of the hit-andrun. There is no true end-game in terms of tangible payoff — these attacks tend to be symbolic in nature. By taking down government web assets, attackers cause headaches for officials looking to both save face and bring critical services back online. While there is little payoff for the hacktivists, the damage caused to operations and reputation is very real.

3

FISCAL The ease of pulling off a rudimentary DDoS attack means that the hackers aren’t always the usual suspects. For example, a recent survey from Kaspersky Labs found that 48 percent of companies who had experienced a DDoS attack believed their competition was responsible. While these statistics may be slightly inflated due to human paranoia, at least some of the attacks being reported fall into the category of B2B cyber crime. Along with causing productivity declines that reduce the efficiency of a www.securityadvisorme.com

key competitor, companies perpetrating these attacks also aim to damage the target’s reputation. While there are no direct monetary gains for the perpetrator, the indirect benefit of not having yourself associated with a cyber attack is enough to draw customers away from the competition.

4 SMOKESCREEN Attackers have increasingly turned to DDoS as a means of diverting IT's attention away from separate, and oftentimes more damaging, activity. When an attacker degrades or completely brings down a company's network, full remediation can take days. Coupled with the fact that DDoS attacks are highly visible, both externally and internally, returning to business as usual becomes priority one for responders. With the IT team's attention focused elsewhere, it is easy for otherwise alarming behaviour to slip through the cracks. False positives are already a common headache for those monitoring network activity, and during a crisis it becomes much easier to neglect best practices and allow incidents such as malware installation or data theft to occur. You typically don't realise a DDoS attack was being used as a smokescreen for a larger security incident until it's too late.

The best defence is to ensure that all normal security monitoring and response processes continue during and after the attack, and never to assume the worst is over once the flood subsides.

5 RANSOM The last form of attack has the most obvious payoff for the attackers: cold hard cash (or at least cold hard cryptocurrency). For companies involved in e-commerce, stock trading, customer service and basically any form of business requiring access to a website or portal, extended downtime is not an option. Depending on the resources of the attackers, sustained DDoS attacks on improperly protected networks can be extended for days, costing companies thousands and even millions of dollars in lost business. Attackers know this and prey on businesses looking to cut their losses and pay their way out of the situation. The good news is that these attacks are easy to categorise, since they come with a communication demanding a ransom. The bad news is that the price tag (usually requested in Bitcoin) is at the complete discretion of the attackers, and as more companies pay up, the demands are only bound to increase.

06.2016



EVENT

BUILDING A RESILIENT REGION Last month, CISO Council and Digital Alliance organised the inaugural Middle East Security Awards and Conference (MESA).

Held on 24th and 25th May at The Address, Dubai Marina, MESA featured a two-day conference with an awards gala held on the evening of the first day. Over 20 CISOs from leading organisations across the Middle East and 10 international experts took part as speakers and panellists at the event. It was attended by 200+ senior delegates from various organisations across the region. MESA 2016 was aimed exclusively at chief information security officers (CISOs) and security executives, to foster collaboration and encourage thought leadership and information sharing in the IT security community.

Ahmed Baig, Founder and CEO, CISO Council, said, "MESA was conceived to address the growing needs and cybersecurity challenges in the Middle East, by bringing the security leadership and industry players together to deliberate and discuss various industry challenges and find ways to deal with them. This was possible in partnership with CISO Council, which already connects 1000+ CISOs and the security fraternity globally on its platform."

Topics highlighted during the MESA conference included 'Need for information sharing and collaboration for enhancing cybersecurity'; 'Measuring effectiveness of information security'; 'Redefining the role of CISO in the modern enterprise'; 'Tips to improve the cybersecurity literacy of executive management and board members'; and 'Building the cybersecurity workforce to defend nations'.

As for the awards programme, Baig highlighted that the idea of establishing it is to recognise the work and contribution of the members of the cybersecurity community in the region. "A lot of times, the only instance when cybersecurity professionals get the attention is when something goes wrong within their organisations," he said. "The growing complexities of the IT security landscape are demanding more from CISO professionals and we believe that it's the right time that they get the recognition they deserve. In this first edition of MESA, we received a phenomenal response and participation from key regional and global industry players such as (ISC)², ISACA, Polcyb, Online Trust Alliance and many others."

MESA honoured 100 security leaders in four categories, namely Government security leader, Information security leader, Woman security leader, and Rising stars in security and risk. The gala evening also saw three (ISC)² awards given away, decided by community votes, in the categories (ISC)² Government security leader, Information security leader and Woman security leader.

Wesley Simpson, COO, (ISC)², said, "An aspect that we really liked about MESA is that it is an event built by the industry and for the industry. From (ISC)²'s perspective, it reflects our vision of fostering a safe and secure cyber-world. It is about growing the engagement and fostering collaboration among the CISO community. It served as a great platform for information security leaders to learn and grow more as professionals."

MESA, in partnership with CISO Council, aims to connect the security community on a single platform to be able to collaborate, contribute and learn.


INTERVIEW

SAFE AND SECURE

The COO of the non-profit IT security training and certification body (ISC)², Wesley Simpson, sat down with Security Advisor ME during his most recent trip to Dubai to discuss the importance of continuous education for cybersecurity professionals in an era of a dynamic threat landscape.

Can you please give us a brief background of (ISC)²?

International Information System Security Certification Consortium, or (ISC)², is the global, non-profit body focused on educating and certifying cyber, information, software and infrastructure security professionals. We have been in the market for over 25 years and are recognised for Gold Standard certifications and education programmes. (ISC)²'s certifications are among the first information technology credentials to meet the stringent requirements of ISO/IEC Standard 17024, which is a global benchmark for assessing and certifying personnel. We also offer education programmes and services based on our CBK, a compendium of information and software security topics. We have a growing presence across the Middle East and Africa region as part of our remit in the EMEA region. We have over 120,000 members in 160 countries worldwide, and we have about 2,000 members in the Middle East alone. Our members come from across a variety of verticals. We have ten different certifications or credentials that we offer across a variety of verticals from IT, healthcare, oil and gas, and so on.

How has the cybersecurity profession evolved over the years?

The cybersecurity profession is relatively new and the journey for CISOs is not over yet. The security landscape has changed a lot and is continuously evolving every day. This is because of the threats looming around the industry. What's more is that cybersecurity is constantly transforming due to the increased awareness and education being spread across the industry. The thing about cybersecurity is that it is industry agnostic; it affects everybody. That's why we don't just target one specific area, we seek to enable current and potential (ISC)² members regardless of what industry they are in.

How important is getting certified for a cybersecurity professional, and what advantages does being an (ISC)² certified member entail?

At (ISC)² what we always say is, "certification is just the start of the quest." What that means is, once you pass the programme and become a CISSP, we don't forget about you. As an organisation, we want to inspire a safe and secure cyber world. That's why we are creating an environment of life-long learning for our members. We want them to be the gold standard in the industry. We want companies to pursue our members, not just because of the certificates and titles that they have but because they know that these are professionals who have achieved a high level of expertise in their respective fields. In general, as a professional in the security space, you can never stop learning. Education and innovation have to be a continuous process. Just like the threat actors out there are constantly changing their tactics, so should you, to be able to stay ahead of them. I believe the role of certifying bodies like ourselves is to help people in the industry to grow more as professionals and expand their knowledge of the evolving industry.

A big issue in the industry today is the shortage of talent and skills within the security landscape. As an entity that's focused on training cybersecurity professionals, what are you doing to address this issue?

This is a global issue. In fact, according to one of the studies that we have conducted, titled Global Information Security Workforce Study, we have estimated that there will be a shortage of around 1.5 to 2 million IT security applicants by 2020. On our part, what we are doing to address this issue goes back to spreading awareness. We are constantly finding ways to help organisations attract and retain talent in this field. First, we are looking at academia. We aim to spread awareness at the early stages and promote the cybersecurity profession to educational entities. And, if possible, we are looking at ways of how we can introduce cybersecurity as part of school programmes and curriculum. Then, once they start getting into the business, leaders and managers within an organisation should look across their departments and create a security-minded culture. Everybody needs to have that mind-set and there should be constant education and awareness on the importance of cyber security.

What are (ISC)²'s objectives over the year?

Our primary objectives are, of course, focused on moving the cybersecurity profession forward. It's also centred on promoting and supporting our members to make them the best technical professionals that they can be. We aim to do this by continuing to host programmes and events that will further enable collaboration between our members across the world. Cybersecurity issues are not something that (ISC)² alone can address; it will take efforts from all of us in the community to talk, collaborate and share our expertise to solve various issues in this space.



INSIGHT

7 MYTHS

ABOUT THE BITCOIN BLOCKCHAIN There’s some confusion around what the Bitcoin blockchain can and can’t do. Gartner analysts list 7 common myths about the technology.

Everyone's talking about the Bitcoin blockchain, a global, distributed ledger of transactions for the Bitcoin digital currency that allows for peer-to-peer payments over the Internet. According to a Gartner definition, the Bitcoin blockchain is "an authoritative record of Bitcoin transactions, and is not stored in, or controlled by, a central server." Instead, the transaction data is replicated in full across a peer-to-peer network of thousands of nodes. The Bitcoin blockchain is being applied across many industries in areas such as the Internet of Things, digital rights management, and global payments.

But among all the global noise, there is some confusion around what it can and can't do. In a report published recently, Gartner analysts Ray Valdes, David Furlonger, and Fabio Chesini shared seven common myths about the Bitcoin blockchain.

MYTH 1: THE BLOCKCHAIN IS A MAGICAL DATABASE IN THE CLOUD
The blockchain is not a "general purpose database" but rather it is conceptually a flat file, a linear list of simple transaction records, the analysts said in the report. "This list is 'append only', so entries are never deleted, but instead, the file (currently about 50 gigabytes) grows indefinitely and must be replicated in every node in the peer-to-peer network (thereby introducing scalability and latency issues)."

MYTH 2: THE INTEGRITY OF THE LEDGER IS DEFINED BY THE MAJORITY OF NODES IN THE PEER-TO-PEER NETWORK
The reality is that its integrity is defined by the majority of "hashpower" (the computational resources spent on mining), not the number of distinct nodes in the network, the analysts said. "This means that a single sufficiently powerful entity on the network can 'outvote' the rest of the nodes," the report said.

MYTH 3: THE LEDGER REPRESENTS AN IRREVOCABLE RECORD
This is pragmatically correct, the analysts said, but it is "theoretically possible for a party to accumulate enough hashpower to rewrite the record all the way back to the Genesis block (the first block of a blockchain)." "Such an action would work against the incentives of the usual participants in the Bitcoin ecosystem because it would destroy all user confidence in the blockchain technology and the commercial economy it supports," the report reads.

MYTH 4: BLOCKCHAIN TECHNOLOGY IS SCALABLE TO THE LEVEL OF A GLOBAL ECONOMY
This remains a widespread perception today, even as people become aware of scalability issues relating to the current form of the Bitcoin technology stack, the analysts said. Due to its design, the network can only handle a relatively small number of transactions per second. "This number is due to the constraint of a maximum block size of one megabyte, combined with around a 10-minute confirmation delay per block which, depending on the average transaction size, results in a maximum capacity of seven transactions per second (tps)," the analysts said in the report. "Actually, due to the increasing size of transaction records, this number has been decreasing and is now estimated at less than three tps, a small number compared to the peak capacity of, say, the Visa network at 47,000 tps or Nasdaq's potential of 1 million tps," the analysts said.

MYTH 5: THE BLOCKCHAIN CAN BE DECOUPLED FROM THE CURRENCY OR DIGITAL TOKEN
Some financial institutions considering using blockchain are saying they don't care about the currency, only the blockchain. But in its present form, bitcoin is a key part of the blockchain, the analysts said. "The blockchain is simply a list of bitcoin-denominated transactions. Also, the design of the consensus mechanism relies on the currency providing the incentive for miners to confirm transactions. Therefore (as some members of the bitcoin community have said), anyone who states that the currency is not important and can be ignored in favour of the blockchain, does not understand the technology and how it works," the analysts said.

MYTH 6: BITCOIN TRANSACTIONS ARE ANONYMOUS, INSTANTANEOUS AND ABSOLUTE
"In the bitcoin technology stack, participants in transactions are pseudonymous," the analysts said. "Regarding transaction speed there is, by design, a minimum 10-minute latency in confirming transactions, and pragmatically, one could wait for an hour for confirmation. Transactions on the blockchain are probabilistic rather than absolute, in that it is theoretically possible for an attacker to build an alternative chain (a data fork) that would allow double spending. Unless the attacker has a majority of hashing power, this will not succeed."

MYTH 7: THE BLOCKCHAIN IS A DECENTRALISED SYSTEM
The original design was a decentralised peer-to-peer network, but in practice the blockchain has become more centralised, the analysts said. "The number of peer-to-peer nodes on the network has dropped steadily at about 15 per cent per year," they said. "Mining is conducted in large part (about 80 per cent) by only four mining pools, which are all based in China. Any two of these four could theoretically collude and would together constitute a majority of the computational resources (hashpower) needed for mining, and could then control the updating of the distributed ledger."
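To make Myths 2, 3 and 6 concrete, here is an added toy implementation (example code written for this page, not from the Gartner report or from Bitcoin's own software): an append-only, hash-linked ledger with a trivial proof-of-work. It shows that silently editing a past block breaks every later block, that an attacker can nonetheless "rewrite the record" by re-mining from that block forward if they can produce more accumulated work than the honest chain (nodes follow work, not node count), and it includes the block-size/block-interval arithmetic behind the seven-tps figure in Myth 4. The 12-bit difficulty and the 250-byte average transaction size are assumptions chosen so the example runs in well under a second; Bitcoin's real difficulty is astronomically higher.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List

# Toy difficulty: leading zero bits required in a block hash. Assumption for
# illustration only; Bitcoin's difficulty is astronomically higher.
DIFFICULTY_BITS = 12
GENESIS_PREV = "0" * 64


@dataclass
class Block:
    index: int
    prev_hash: str          # hash of the previous block's header: the chain link
    txs: List[str]
    nonce: int = 0

    def header_hash(self) -> str:
        payload = json.dumps(
            {"i": self.index, "p": self.prev_hash, "t": self.txs, "n": self.nonce},
            sort_keys=True,
        )
        return hashlib.sha256(payload.encode()).hexdigest()


def meets_target(block_hash: str, bits: int = DIFFICULTY_BITS) -> bool:
    """Proof-of-work check: the hash must start with `bits` zero bits."""
    return int(block_hash, 16) >> (256 - bits) == 0


def mine(block: Block, bits: int = DIFFICULTY_BITS) -> Block:
    """Grind the nonce until the header hash meets the target (deterministic)."""
    while not meets_target(block.header_hash(), bits):
        block.nonce += 1
    return block


def append_block(chain: List[Block], txs: List[str]) -> List[Block]:
    """Append-only: a new block commits to the hash of the current tip."""
    prev = chain[-1].header_hash() if chain else GENESIS_PREV
    chain.append(mine(Block(len(chain), prev, list(txs))))
    return chain


def is_valid_chain(chain: List[Block], bits: int = DIFFICULTY_BITS) -> bool:
    """Every block must link to its predecessor and carry valid proof-of-work."""
    for i, block in enumerate(chain):
        expected_prev = chain[i - 1].header_hash() if i else GENESIS_PREV
        if block.index != i or block.prev_hash != expected_prev:
            return False
        if not meets_target(block.header_hash(), bits):
            return False
    return True


def accumulated_work(chain: List[Block], bits: int = DIFFICULTY_BITS) -> int:
    """Expected hash attempts the chain represents (2**bits per block)."""
    return len(chain) * (1 << bits)


def rewrite_from(chain: List[Block], k: int, new_txs: List[str]) -> List[Block]:
    """What 'rewriting the record' costs: block k and every block after it
    must be re-mined, because each header commits to the previous hash."""
    fork = [Block(b.index, b.prev_hash, list(b.txs), b.nonce) for b in chain[:k]]
    append_block(fork, new_txs)
    for old in chain[k + 1:]:
        append_block(fork, old.txs)
    return fork


def choose_chain(a: List[Block], b: List[Block]) -> List[Block]:
    """Nodes follow the valid chain with the most accumulated work, not the
    one held by the most nodes (Myth 2). A tie keeps the chain already held."""
    if not is_valid_chain(b):
        return a
    if not is_valid_chain(a):
        return b
    return b if accumulated_work(b) > accumulated_work(a) else a


def max_tps(block_size_bytes: int = 1_000_000, avg_tx_bytes: int = 250,
            block_interval_s: int = 600) -> float:
    """Throughput ceiling from the 1 MB block size and ~10-minute interval
    (Myth 4). avg_tx_bytes=250 is an assumed average transaction size."""
    return block_size_bytes / avg_tx_bytes / block_interval_s


if __name__ == "__main__":
    honest: List[Block] = []
    for txs in (["alice->bob:5"], ["bob->carol:2"], ["carol->dave:1"]):
        append_block(honest, txs)
    print("honest chain valid:", is_valid_chain(honest))
    honest[1].txs[0] = "bob->mallory:2"      # edit history without re-mining
    print("after silent edit valid:", is_valid_chain(honest))
    honest[1].txs[0] = "bob->carol:2"
    attacker = rewrite_from(honest, 1, ["bob->mallory:2"])
    append_block(attacker, [])               # one extra block: more work wins
    print("network follows attacker:", choose_chain(honest, attacker) is attacker)
    print("max tps at 250 B/tx: %.1f, at 600 B/tx: %.1f"
          % (max_tps(), max_tps(avg_tx_bytes=600)))
```

The attacker's fork only wins once it carries more work than the honest chain, which is why the double-spend in Myth 6 is probabilistic rather than impossible: the attacker must outpace, not merely equal, the honest miners from the rewritten block onwards.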



FEATURE

MULTI-FACTOR AUTHENTICATION GOES MAINSTREAM Good-bye username plus password, hello smartphone plus thumbprint

Fingerprints, rather than passwords, are what more than a million financial services customers at USAA use to get online. The approach is part of a trend toward multi-factor authentication (MFA), and it means there is no stored list of passwords for hackers to steal. In 2014, San Antonio-based USAA became the first financial institution to roll out facial and voice recognition on a mobile app, says Gary McAlum, USAA's chief security officer. Thumbprint recognition followed a few months later. A year after that, USAA had 1.1 million enrolled MFA users, out of a target population of 5 million mobile banking app users.

"The security model of the Internet is a legacy model, a dying model, based on information that is known -- your password or your high school mascot, for instance -- all of which is readily discovered from data breaches or from Facebook," notes McAlum. "Getting away from 'information that is known' is imperative to us."

As the alternative, "Pretty much every bank in the world is using a form of MFA, if they are compliant with regulations," says Avivah Litan, Gartner security analyst. For decades MFA often amounted to a "secure token," a small device that displayed a one-time password that changed every few minutes. The bank's security server ran the same algorithm with the same secret and would recognise the latest, correct password.

"But MFA has always been too complex and expensive for broad usage," says Jon Oltsik, security analyst at the Enterprise Strategy Group. "What's changing now is the use of consumer technologies, primarily smartphones, and increasingly the use of biometric factors like thumbprint readers on smartphones."

FACTORS DEFINED "MFA is something you know, something you have and something you are -- and you can't rely on just one," says Michael Lynch, chief strategy officer at authentication software firm InAuth. "Something you know is a credential like a password. Something you have could be a secure token, but with mobile you're using the phone as a secure token. Or it could be the PC. Something you are is biometrics, such as fingerprint, iris, voice or pulse recognition."

Other biometric factors, in use or proposed, include heartbeat, typing speed, vein patterns in the whites of the eye or in the skin, walking gait, location and long-term behaviour patterns. Iris recognition requires a camera with infrared functionality.

Some are still using two-factor security. The traditional name-password combination typically counts as one factor, and the device is the second, Lynch says, while the trend (as with USAA) is to use a mobile device as one factor and a biometric property detected by the device as a second factor, with no password. For a desktop, Lynch explains that "browser fingerprinting" can be used as a second factor, by gathering information about the machine's fonts, language, applications and browser type. "The machine's fingerprint changes over time, as applications are updated or patched, so the fingerprint typically lasts 60 days or less," which is why a bank's login requirements may suddenly change for a desktop user, Lynch says. The combination of a cookie and the browser fingerprint is more reliable, he adds. (Cookies can last for as long as the browser is installed, but a given machine may not allow them.)

"But you don't have to see the second factor -- the bank is checking your PC through a cookie, almost always," Litan notes. If the bank doesn't recognise a machine, it will often send a one-time password to that user's cell phone number or email address, she adds.

As for biometric factors for mobile devices, "Fingerprint ID is big because it's often built into the platform, it's convenient and users are used to it, but it's no better or worse than other ID methods," says Jim Ducharme, vice president at security systems vendor RSA. "We are seeing things like voice and facial being less popular since there are so many ways they don't work -- voice not on a subway, facial not at a nightclub."

At USAA, about 90% of the users rely on thumbprint recognition, and the log-on success rate for both thumbprint and facial scans is higher than 90%, McAlum says. While voice recognition is subject to more environmental factors, some users still prefer it, he adds. (PIN access is also available so the user will not be locked out if other methods fail, he notes.)

But the choice of what factor to use does not always hinge on technology. "In some places it is not acceptable to use the face as an identifier, since clothing impedes it or they see the eye as the path to the soul," says Marc Boroditsky, vice president of authentication software vendor Authy. "They may not like fingerprint sensors for various reasons. They think it implies criminality in Brazil. In parts of Asia they think it's unclean to be touching" the fingerprint sensor.

"Your identity is a personal thing, and when you start using pieces of a person for identification you are encroaching on something with complex cultural implications," Boroditsky adds. "There is also an element of being spied on with almost every [biometric] factor. There is a creepy element in detecting the users and not involving them in the process. We need to be up-front about it and let the customers opt out. For instance, they could switch off location detection and add another step in the authentication process."

ENROLLMENT For MFA to work with a mobile device, that device also has to be enrolled so that the online service trusts it. The device will be doing the biometric scan that authenticates the user, so the device must be reliably identifiable to the online service. McAlum would not give any details about the enrollment process that USAA uses, other than that it can be done online, and that the system also establishes some links to the user's smartphone.

Lynch was a little more open about the enrollment process InAuth uses for smartphones. "First we protect against malware and see if the device has been jail-broken or rooted. Is it moving? That's good. If it's always at a 45-degree angle and always plugged in, that's an indication of a fraud shop. You put factors together for predictive analysis. You can do that with a browser but you can get so much more from a phone."

"We use a permanent identifier to recognise your phone even if you install a new app or a new operating system," adds Lynch. "It gives us a permanent anchor of that person to that phone. Trusting a device helps you eliminate friction for a customer."

EFFECTIVENESS "There are only a handful of major implementations, so we can't honestly say there is no fraud, but they'd have to hack your fingerprint as well as your device," says Ramesh Kesanupalli, founder of Nok Nok Labs and vice president of the Fast IDentity Online (FIDO) Alliance, which promotes industry standards for MFA. Under FIDO's standards, no personal information such as a description of the fingerprint leaves the device, and authentication is done locally, he adds.

Overall, "There is nothing that can't be broken, and in our pursuit of the strongest possible authentication we have made the user experience horrible -- passwords have to have 12 characters, with upper and lower case and special characters," says RSA's Ducharme. "We see things moving towards what we call identity assurance, with multiple factors that individually may not be as strong."

Scott Petry, CEO and co-founder of secure browser vendor Authentic8, agrees: "No one security solution is going to be sufficient, but using a cocktail of things will create speed bumps for the bad guys. Remember the old adage: You don't need to outrun the bear, just the other campers. MFA will make you more secure than the softer targets."
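The "secure token" described earlier in this feature, the device whose one-time code the bank's server can reproduce because it holds the same secret and algorithm, is standardised as HOTP (RFC 4226) and TOTP (RFC 6238). The following is an added example written for this page, not USAA's, RSA's or any vendor's code: a stdlib-only implementation of both, plus the server-side verifier, which also handles the two things a naive check gets wrong, tolerating one time-step of clock drift and refusing a code that has already been accepted (replay). The seed is the RFC 6238 test seed, so the codes can be checked against the published test vectors; the class name, the window size and the drift policy are this example's own choices.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 as used by the classic "secure token": the token and the
# server share a secret seed and a clock, and both derive the same short-lived
# code from them. The server never needs to store or transmit the code itself.


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = number of `step`-second intervals
    since the Unix epoch. This is the value the token displays."""
    return hotp(key, unix_time // step, digits)


class TotpVerifier:
    """Server side. Holds the same seed, tolerates +/- `window` steps of clock
    drift, and never accepts the same time-step twice (replay protection)."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self.last_accepted_step:
                continue  # that step (or an older one) was already used: refuse replay
            expected = hotp(self.key, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_accepted_step = candidate
                return True
        return False


# RFC 6238 reference seed for the SHA-1 test vectors (ASCII "12345678901234567890").
RFC6238_SEED = b"12345678901234567890"

if __name__ == "__main__":
    server = TotpVerifier(RFC6238_SEED)
    now = 1111111109
    shown = totp(RFC6238_SEED, now)          # what the token displays right now
    print("token shows", shown, "accepted:", server.verify(shown, now))
    print("same code replayed 10 s later accepted:", server.verify(shown, now + 10))
```

Two design points carry over to any OTP deployment: the comparison is constant-time so the verifier does not leak how many digits matched, and the drift window is deliberately small, because every extra step a verifier accepts multiplies an attacker's guessing odds for a six-digit code.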



FEATURE

WHY CIOS SHOULD WORRY ABOUT IOT The Internet of Things brings with it the promise of gee-whiz applications and life-changing innovation. But one thing's for sure: there are as many questions as there will be gigabytes of data being poured into your data centres.

The Internet of Things (IoT) has the promise to make everything more intelligent and efficient. Smart grids, smart meters, smart refrigerators and smart cars are just some examples that get mentioned in just about every article written about IoT. But while compelling applications and innovations can come from the IoT, CIOs continue to have two legitimate major areas of concern when thinking about how the mechanics of IoT will affect their organisations: storage and security.

Handling the sheer quantity of data
It's a well-known fact that it's difficult for the human brain to accurately grasp really, really large numbers. But there's no getting around the fact that large numbers are needed to establish the context of IoT. According to Cisco, there are currently 10 billion things (phones, PCs and other devices) connected to the Internet. That sounds like a lot, right? But it is less than one percent of the devices and things that exist right now. There are over one trillion devices out there at this very minute that are not talking to the Internet, but soon enough they will be. In a world where, according to IBM, a connected car can generate 25 GB of data every hour, CIOs must immediately make plans to house the hurricane of data coming their way. Even if your business has nothing to do with the automotive industry, it will probably end up talking to something. And although storage is cheap these days compared to historical averages, the sheer quantity of data being generated is unprecedented in computing history. CIOs need to develop strategies for dealing with this. Aspects of this impending data avalanche to consider include:

• How to store the data when it initially comes in. You're probably going to receive data from IoT devices in a variety of formats, both structured and unstructured. How will you store it? Will you just write it to disk in the format it comes in and figure it out later? Will you set up a Hadoop instance to process this data? Will you make it available hourly, daily, weekly or on some other interval?

• How to categorise and classify the data you receive. You may not care about all of the data that you'll be receiving every hour from every device. But then again, the part of the data you're not interested in today may be the key to an undiscovered insight tomorrow. How will you develop classification systems? Will you retain some data you classify as immediately relevant in an online, on-demand way and then archive the raw data later? How often will you review your results and your classifications to make sure they stay in line with your expectations?

• How long you should retain this data. Will you need to figure out what happened with any given connected device or sensor at some random time on any given day of the week in 10 years' time? At some point you have to make some record retention decisions: if nothing else, your attorneys will make you do it. But you need to figure out how long to keep stuff, and in what forms. Will you summarise data at the end of the year? Will you do a rollup of sorts? Will you archive some data to the cloud so that it's someone else's problem to store, and you'll just pay the bill?

• How you should securely dispose of this data. With the advent of IPv6, the address space (2^128, roughly 3.4 × 10^38 addresses) is so vast that in the future there won't be any need to masquerade addresses behind NAT. Every device will be individually addressable, which means there are security and privacy concerns that need to be addressed when you discard data with that sort of trackable identifier in it. What is your plan there?
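For the retention and disposal questions above, here is an added example (not from the original article) of one standard technique: keyed pseudonymisation with crypto-shredding. Device identifiers in each telemetry record (here an IPv6 source address and a device serial) are replaced by an HMAC under a key that belongs to one retention period. Analysis can still group records by device within that period, and destroying the period's key at the end of retention makes the archived identifiers unlinkable without rewriting the archive. The record format, the sample records and the period names are constructed for the example; in practice the keys would live in a KMS or HSM rather than in memory.

```python
import hashlib
import hmac
import ipaddress
import json
import secrets
from typing import Dict, List, Optional

# Constructed sample telemetry, one JSON record per line, as a platform might
# batch it: every record carries a globally unique IPv6 source and a serial.
SAMPLE_RECORDS = """\
{"ts": "2016-06-01T08:00:00Z", "src": "2001:db8:1:2::1a2b", "serial": "CAR-0001", "kind": "speed", "value": 87}
{"ts": "2016-06-01T08:00:01Z", "src": "2001:db8:1:2::1a2b", "serial": "CAR-0001", "kind": "fuel", "value": 41}
{"ts": "2016-06-01T08:00:01Z", "src": "2001:db8:9:9::77", "serial": "METER-42", "kind": "kwh", "value": 3.5}
"""

IDENTIFIER_FIELDS = ("src", "serial")


class RetentionKeyring:
    """One random pseudonymisation key per retention period (e.g. per quarter).
    Deleting a key is the 'secure disposal': records pseudonymised under it can
    no longer be linked back to a device, even though the archive is untouched."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def key_for(self, period: str) -> bytes:
        if period not in self._keys:
            self._keys[period] = secrets.token_bytes(32)
        return self._keys[period]

    def shred(self, period: str) -> None:
        self._keys.pop(period, None)

    def has(self, period: str) -> bool:
        return period in self._keys


def pseudonymise_identifier(key: bytes, field: str, value: str) -> str:
    """Keyed, deterministic token: same device -> same token within a period,
    but without the key the token reveals nothing about the address or serial.
    The field name is bound in so 'src' and 'serial' tokens never collide."""
    if field == "src":
        value = ipaddress.ip_address(value).compressed  # canonical form first
    mac = hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256).digest()
    return mac[:16].hex()


def pseudonymise_record(record: dict, key: bytes, period: str) -> dict:
    out = dict(record)
    for field in IDENTIFIER_FIELDS:
        if field in out:
            out[field] = pseudonymise_identifier(key, field, out[field])
    out["retention_period"] = period  # which key the archive entry belongs to
    return out


def pseudonymise_batch(lines: str, keyring: RetentionKeyring, period: str) -> List[dict]:
    key = keyring.key_for(period)
    return [pseudonymise_record(json.loads(ln), key, period)
            for ln in lines.splitlines() if ln.strip()]


def relink(record: dict, keyring: RetentionKeyring, candidates: List[str]) -> Optional[str]:
    """Analyst check: which known device does this archived record belong to?
    Possible only while the period's key exists; after shredding, None."""
    period = record["retention_period"]
    if not keyring.has(period):
        return None
    key = keyring.key_for(period)
    for serial in candidates:
        token = pseudonymise_identifier(key, "serial", serial)
        if hmac.compare_digest(record["serial"], token):
            return serial
    return None


if __name__ == "__main__":
    ring = RetentionKeyring()
    batch = pseudonymise_batch(SAMPLE_RECORDS, ring, "2016Q2")
    print(batch[0]["src"], batch[0]["src"] == batch[1]["src"])   # same device, same token
    print(relink(batch[2], ring, ["CAR-0001", "METER-42"]))       # METER-42 while key exists
    ring.shred("2016Q2")
    print(relink(batch[2], ring, ["CAR-0001", "METER-42"]))       # None after shredding
```

The address is canonicalised before hashing so that `2001:0db8:...` and `2001:db8:...` map to the same token, and the measurement fields are left untouched, so the archived data stays useful for aggregate analysis after the identifiers are no longer linkable.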

Security is still a series of open-ended questions
The security of connected devices themselves is important, of course, but perhaps even more crucial is the security of the network and the platform to which those devices are connected. Most CIOs will deal with the first phase of the Internet of Things by investing in and deploying a platform. Any number of them exist, but the one getting the most buzz right now seems to be Google's Brillo product, along with the AllJoyn platform from Qualcomm and the platform created by the Industrial Internet Consortium. The idea behind a platform, among other things, is to quickly create the sort of massive device network you need to do interesting IoT-related tasks, by automatically letting joined devices see the network and talk to the network as well as, in some cases, each other.

A bunch of chatty devices is one problem, but what happens when there's a breach or a vulnerability? How quickly might an unmitigated exploit travel across the device network? What sorts of risks are there to the sensor data, activity data and transmission of that data should an error occur? What sorts of protections are built into the sharing and connectivity protocol such that transmissions are secure, encrypted and not vulnerable to man-in-the-middle and other attacks? How will you integrate security on the IoT platform with the existing security products, policies and procedures you have in place in your organisation today?

"Current IoT security is where the internet was in 1984 – no baked-in security, encryption or authentication," says Raj Goel, CTO of Brainlink International, a consultancy in New York. "Adding IoT to a developer's resume does not magically make them a competent, secure developer. Large developers haven't been able to build and sell secure home routers (which have far more CPU, RAM and capabilities than IoT devices), so I have far less faith in the competency of IoT lightbulbs, plant feeders, TVs or fridges."

CIOs need to be mindful of this issue as they make plans for the future, of course. But they also have a chance to hold vendors' feet to the fire and ensure security is a well thought-out, first-class citizen of the IoT platform they decide to deploy in their organisation.



HOW-TO

HOW TO TELL IF YOU’VE BEEN HIT BY FAKE RANSOMWARE Ransomware is no joke, but sometimes, amateur attackers use ‘pretend’ ransomware -- and you can get your data back easily

U

nlike most malware, ransomware is not stealthy. It’s loud and obnoxious, and if you’ve been infected, the attackers will tell you so in no uncertain terms. After all, they want to be paid. 34

06.2016

“Your personal files are encrypted,” the message on the computer blares. “Your documents photos, databases, and other important files have been encrypted with strongest encryption and unique key, generated for this computer.” While the language may vary, the gist is the same: If you don’t

pay the ransom -- typically within 48 to 72 hours -- your files are hosed. Or are they? There is a slim possibility the perpetrators may be trying to fake you out and the files haven’t been encrypted. While not a common scenario, it does happen, according to industry experts. Rather than paying up, you can bypass the scary fake message and move on with your day. “There are a number of examples where true encryption doesn’t occur. Instead, cyber criminals rely on the social engineering edge of the attack to convince people to pay,” warns Grayson Milbourne, director of security intelligence at Webroot.

Is it real or fake?

It takes only a few seconds to confirm whether it’s a real infection or a social engineering scam. If the ransom demand includes the name of the ransomware, then there’s no mystery, and you’re in trouble. Ransomware families that identify themselves include Linux.Encoder -- the first Linux-based ransomware -- which clearly says “Encrypted by Linux.Encoder.” CoinVault identifies itself by listing the support email address. TeslaCrypt and CTB-Locker are also among the well-known ransomware families that tell you who is holding your files hostage.

But there are plenty of ransom plays that don’t bother with names. For example, CryptoLocker simply warned that your files have been encrypted and never flaunted its name. Instead, you’ll have to look for other clues: Is there a support email address? Search the Internet for the bitcoin payment address or the actual ransom message and see what comes up on forums or from security researchers. If you can’t identify the ransomware, then there’s a chance it could be fake. In such cases, your files aren’t actually encrypted; the attacker simply pops up a scary message and locks the screen. The ransom demand typically shows up inside a browser window and doesn’t let the user navigate away, or it locks the screen and displays a dialog box asking for an encryption key. Because the victim can’t close the message, it looks real.

If it’s possible to close out of the screen using key commands, such as Alt-F4 on Windows and Command-W on Mac OS X, then the ransom demand is fake. Or try force-restarting the device and see if the message goes away.

Ransomware tends to change the filename as part of the encryption process. Locky adds a .lock file extension to all documents, while CryptXXX uses the .crypt file extension. Look through the files and see which files have been modified. See if you can still open them or if you can change the file extensions back and open the files. Sometimes, the file extensions have been changed without actually encrypting the files. Get back into the system using a Linux Live CD and search the system to see if the actual files have been moved or renamed. Most modern operating systems can search the contents of the file along with filenames.

Don’t get your hopes too high

While it’s good to be skeptical, if you see a ransom demand, it’s probably legitimate. Thanks to crimeware kits preloaded with ransomware and ransomware as a service, the barrier to entry is much lower. Script kiddies and other less technically inclined criminals are trying to piggyback on the success of real ransomware gangs without putting in the work. “The simplicity of buying your crypto-malware from a crime-as-a-service provider now means cyber criminals can easily deploy a ransomware attack that uses complex and effective encryption against their targets,” says Mimecast’s cyber security strategist, Orlando Scott-Cowley. Ransomware infections are a serious threat and fake attacks are relatively rare. But before you start the process of rebuilding your machine to recover from a ransomware infection, make sure you aren’t being scammed. It takes only a few minutes.
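The file-level checks described above (which files were renamed, and whether the content behind the new extension was actually touched) can be scripted so that triage takes minutes rather than a manual file-by-file look. What follows is an added example, not code from the article, from Webroot or from Mimecast. It assumes the .lock and .crypt extensions the article attributes to Locky and CryptXXX; the extra extensions, the magic-byte table, the entropy threshold and the constructed sample files are this example's own assumptions.

```python
"""Triage for a suspected ransomware infection: are the renamed files really
encrypted, or only renamed / screen-locked by a social-engineering scam?

Added example, not the article's or any vendor's code. The extension list
beyond .lock/.crypt, the magic-byte table and the entropy threshold are
assumptions of this example.
"""
import math
import os
import random
import tempfile
from collections import Counter

# .lock and .crypt come from the article; the rest are this example's additions.
SUSPECT_EXTENSIONS = {".lock", ".crypt", ".locked", ".encrypted"}

# If a "ransomed" file still begins with a well-known header, its content was
# never encrypted, only its name was changed.
KNOWN_MAGIC = {
    b"%PDF": "pdf",
    b"\x89PNG": "png",
    b"PK\x03\x04": "zip/office",
    b"\xff\xd8\xff": "jpeg",
    b"\xd0\xcf\x11\xe0": "ole/legacy office",
}

ENTROPY_THRESHOLD = 7.0  # bits per byte; ciphertext sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample (0.0 for an empty sample)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_content(head: bytes) -> str:
    """'intact:<type>' (known header), 'text' (printable), 'high-entropy'
    (likely encrypted) or 'unknown'."""
    for magic, name in KNOWN_MAGIC.items():
        if head.startswith(magic):
            return f"intact:{name}"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in head)
    if head and printable / len(head) > 0.95:
        return "text"
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "high-entropy"
    return "unknown"


def triage(root: str, sample_size: int = 4096) -> dict:
    """Walk `root`, inspect every file with a suspect extension and report
    how many look genuinely encrypted versus merely renamed."""
    report = {"suspect_files": 0, "likely_encrypted": 0, "only_renamed": 0, "details": {}}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SUSPECT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(sample_size)
            verdict = classify_content(head)
            report["suspect_files"] += 1
            if verdict == "high-entropy":
                report["likely_encrypted"] += 1
            else:
                report["only_renamed"] += 1
            report["details"][os.path.relpath(path, root)] = verdict
    return report


def build_sample_tree() -> str:
    """Constructed sample: a renamed but intact PDF, a genuinely encrypted
    file (random bytes stand in for ciphertext), a plaintext note with a scary
    extension, and one untouched file that triage must ignore."""
    root = tempfile.mkdtemp(prefix="ransom-triage-")
    rng = random.Random(42)
    with open(os.path.join(root, "report.pdf.lock"), "wb") as fh:
        fh.write(b"%PDF-1.4\n" + b"% constructed sample, not a real document\n" * 50)
    with open(os.path.join(root, "budget.xlsx.crypt"), "wb") as fh:
        fh.write(bytes(rng.getrandbits(8) for _ in range(4096)))
    with open(os.path.join(root, "notes.txt.locked"), "wb") as fh:
        fh.write(b"Quarterly notes: nothing here was ever encrypted.\n" * 40)
    with open(os.path.join(root, "untouched.txt"), "wb") as fh:
        fh.write(b"not renamed, so not inspected\n")
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    for path, verdict in result["details"].items():
        print(f"{path}: {verdict}")
    print(f"{result['likely_encrypted']} likely encrypted, {result['only_renamed']} only renamed")
```

Run it against a copy of the affected share (ideally from the Linux Live CD the article mentions, with the disk mounted read-only); a high count of "intact" or "text" verdicts is the signal that the extensions were changed without real encryption, while a wall of "high-entropy" verdicts means the infection is genuine and recovery should start from backups.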



PRODUCTS

Brand: Honeywell
Product: MicroRAE

What it does: MicroRAE is a portable gas detector that operates with all major wireless communications protocols — including Bluetooth, Mesh, GPS, and Wi-Fi. The MicroRAE can also be paired with an intrinsically safe smart phone (available from Honeywell) to transmit gas readings for non-wireless users over a cellular network. The MicroRAE simultaneously monitors hydrogen sulfide (H2S), carbon monoxide (CO), oxygen (O2) and combustible gases (LEL) in its standard four-gas configuration, and has a sensor configuration available for hydrogen cyanide (HCN) as well.

What you should know: This makes the unit suitable for a wide range of applications including oil and gas, wastewater treatment, manufacturing, utilities and telecommunications, firefighting, construction, petrochemical/chemical industries, as well as confined spaces and various industries with toxic and flammable gas hazards. Real-time, wireless gas monitoring allows remote stakeholders to view critical information within seconds, from anywhere. This enables them to respond quickly and decisively to mitigate or prevent safety incidents and process malfunctions.

Brand: Sophos
Product: Sophos Clean

What it does: The signature-less technology uses progressive behaviour analytics, forensics and collective intelligence to discover and remove code from zero-day threats, Trojans, rootkits, polymorphic malware, irritating cookies, spyware and adware. Sophos Clean represents the next generation of malware detection and removal tools that can detect known and unknown threats. The on-demand scan does not need to be installed, which is particularly useful in cases of ransomware infection or in situations where malware is manipulating installed security software.

What you should know: Sophos Clean is an on-demand malware scanner of just 11MB and can be started directly from a USB flash drive, CD/DVD or network attached storage device. The tool can scan and remediate without leaving a footprint on the local system. A typical scan with Sophos Clean takes less than five minutes because it can immediately distinguish safe applications from malicious software through advanced behaviour analysis and verification of content against a database of trusted applications.

Brand: Sony
Product: SNC-VM772R

What it does: The new model combines the enhanced resolution of 4K with low-light sensitivity, leveraging a 1.0-type back-illuminated Exmor R CMOS image sensor, bandwidth optimisation features, and intelligent scene capture capability to adopt the best picture quality, ideal for city surveillance, transportation, railway, traffic monitoring and airport surveillance applications. 4K technology gives security users the ability to capture content at four times the resolution of Full HD (1080p). With the exceptional detail provided by 4K technology, security professionals can expand their wide-area surveillance and still capture, magnify and examine the smallest parts of a scene like a face or a car license plate number – all with a single camera. The SNC-VM772R camera combines these benefits with enhanced visibility, reduced total system costs and flexible and easy installation.

What you should know: Higher-resolution imaging has traditionally come at the expense of low-light sensitivity. The new SNC-VM772R uses a 1.0-type 20MP Exmor R sensor and is capable of 0.1 lx sensitivity for clear image capture in light and dark conditions. A back-lit structure doubles the camera’s light sensitivity, and a built-in infrared (IR) light source enhances low-light use and night-time shooting with visibility at longer distances.



BLOG

PREVENTING DNS-BASED DATA EXFILTRATION Cherif Sleiman, General Manager, Middle East at Infoblox

Several high-profile data breaches have been in the news recently. We read that millions of customer records are stolen, emails hacked, and sensitive information leaked. Most enterprises have multiple defence mechanisms and security technologies in place, such as next-generation firewalls, intrusion detection systems (IDSs), and intrusion-prevention systems (IPSs). Yet somehow malicious actors find a way to appropriate data.

So what types of data are being stolen? They vary and may include:

• Personally identifiable information (PII), such as Emirates ID numbers in the UAE, for example
• Regulated data covered by the Payment Card Industry Data Security Standard (PCI DSS)
• Intellectual property that gives an organisation a competitive advantage
• Other sensitive information such as credit card numbers, company financials, payroll information, and emails

Motivations vary from hacktivism and espionage to financial wrongdoing, where the data can be easily sold for a neat profit in the underground market. When sensitive information is stolen, it causes financial and legal woes, not to mention the huge negative impact on brand. According to a Ponemon Institute study in 2015, the average consolidated cost of a data breach is $3.8 million, which includes investigative and forensic efforts, resolution, and the consequences of customer defection. This is an average; recent breaches have cost victims a lot more.

Hackers can use multiple pathways to steal data, but the one that is often unknowingly left open is DNS, the Domain Name System. DNS is increasingly being used for data exfiltration, either by malware-infected devices or by rogue employees. The nature of the DNS protocol, which was invented more than 30 years ago, is such that it is trusted, yet vulnerable to hackers and malicious insiders. According to Dan Kaminsky, the well-known DNS security researcher, DNS can be thought of as a globally deployed routing and caching overlay network that connects both the public and private Internet, which raises serious questions: Is it sufficiently secure? Is it vulnerable to data breaches? The answer is that DNS can be abused in all sorts of unconventional ways that make it the perfect back door for hackers seeking to steal sensitive data.

DNS tunneling is the tunneling of IP protocol traffic through port 53—which is often not even inspected by firewalls, even next-generation firewalls—most likely for purposes of data exfiltration. Malware or malicious insiders establish a DNS tunnel from within the network, then encrypt and embed chunks of data in DNS queries. The data is decrypted at the other end and reassembled to recover the valuable information. All sorts of things can be tunneled (SSH or HTTP) over DNS, encrypted, and compressed—much to the dismay of network administrators and security staff.

DNS tunneling has been around for a long time. There are several popular tunneling toolkits such as Iodine, which is often considered the gold standard; OzymanDNS; SplitBrain; DNS2TCP; TCP-over-DNS; and others. There are also newer contenders that allow for tunneling at a much faster pace and offer lots of features. Even some commercial services have popped up offering VPN service over DNS, thus allowing you to bypass many Wi-Fi security controls. Most of these tools have specific signatures that can be used for detection and mitigation.

DNS is not only used for data leakage, but also to move malicious code into a network. This infiltration is easier than you think. Hackers can prepare a binary, encode it, and transport it past firewalls and content filters via DNS into an organisation’s network. Hackers send and receive data via DNS—effectively converting it into a covert transport protocol.

DNS is the perfect enforcement point to improve your organisation’s security posture. It is close to endpoints, ubiquitous, and in the path of DNS-based exfiltration. While DLP technology solutions protect against data leakage via email, web, FTP, and other vectors, most don’t have visibility into DNS-based exfiltration. To maximise your chances of fighting back against these data theft attempts, complement traditional data loss prevention protection with a DNS-based solution.
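The article notes that the common tunnelling toolkits have signatures a resolver or DNS firewall can match on. Beyond fixed signatures, a defender can score query logs for the traffic shape that tunnelling produces: many never-repeated subdomains under one zone, long high-entropy labels, and a skew towards TXT, NULL or CNAME queries. The following is an added example written for this page, not Infoblox's code or any product's detection logic; the log line format, the constructed sample lines, the thresholds and the two-label approximation of the registrable zone are all assumptions of this example.

```python
"""Heuristic scoring of resolver query logs for DNS tunnelling traffic.

Added example, not Infoblox code. Log format ("<client> <qtype> <qname>" per
line), thresholds and the two-label zone approximation are assumptions.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log. Lines 1-3 are ordinary lookups; the rest mimic the
# shape of a tunnelling client: long hex labels that never repeat, all under
# one zone, using TXT/NULL record types to carry data in both directions.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.7 AAAA cdn.example.net
10.0.0.9 TXT 7a9f2e4c1b8d3f6a0e5c2b7d9f1a3e4c.tun.example.org
10.0.0.9 TXT 3c1e8b2a9d4f7e0c6b5a1f8d2e9c4a7b.tun.example.org
10.0.0.9 NULL b4d9e1f7a2c6e8b0d3f5a9c1e7b2d4f6.tun.example.org
10.0.0.9 TXT e2c7a1b9f4d8e0c3b6a5f1d9c2e8b4a7.tun.example.org
10.0.0.9 TXT 9f1c3e7b2a6d8f0e4c5b1a9d7e2c3f8b.tun.example.org
10.0.0.9 TXT 1a8e4c2f7b9d3e6a0c5f2b8d1e7c9a4f.tun.example.org
"""

SUSPICIOUS_QTYPES = {"TXT", "NULL", "CNAME"}  # favoured by tunnelling tools
MIN_QUERIES = 5          # below this, per-zone ratios are not meaningful
MIN_UNIQUE_RATIO = 0.8   # share of queries whose subdomain was never seen before
MIN_AVG_LABEL_LEN = 20   # chars in the leftmost label
MIN_AVG_ENTROPY = 3.0    # bits per char of the leftmost label


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of a label."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def zone_of(qname: str) -> str:
    """Registrable zone approximated as the last two labels (assumption: this
    example consults no public-suffix list, so co.uk-style names need care)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (client, qtype, qname) from the assumed three-column format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            client, qtype, qname = parts
            yield client, qtype.upper(), qname.lower()


def score_flows(text: str) -> dict:
    """Aggregate per (client, zone) and attach the reasons each flow looks like a tunnel."""
    flows = defaultdict(lambda: {"queries": 0, "unique": set(), "lens": [], "ents": [], "odd": 0})
    for client, qtype, qname in parse_log(text):
        zone = zone_of(qname)
        sub = qname[: -len(zone)].rstrip(".")
        f = flows[(client, zone)]
        f["queries"] += 1
        f["unique"].add(sub)
        if sub:
            first = sub.split(".")[0]           # leftmost label carries the payload
            f["lens"].append(len(first))
            f["ents"].append(shannon_entropy(first))
        if qtype in SUSPICIOUS_QTYPES:
            f["odd"] += 1

    result = {}
    for key, f in flows.items():
        n = f["queries"]
        avg_len = sum(f["lens"]) / len(f["lens"]) if f["lens"] else 0.0
        avg_ent = sum(f["ents"]) / len(f["ents"]) if f["ents"] else 0.0
        reasons = []
        if n >= MIN_QUERIES and len(f["unique"]) / n >= MIN_UNIQUE_RATIO:
            reasons.append("many unique subdomains")
        if avg_len >= MIN_AVG_LABEL_LEN:
            reasons.append("long labels")
        if avg_ent >= MIN_AVG_ENTROPY:
            reasons.append("high-entropy labels")
        if n >= MIN_QUERIES and f["odd"] >= n / 2:
            reasons.append("mostly TXT/NULL/CNAME")
        result[key] = {
            "queries": n,
            "avg_label_len": round(avg_len, 1),
            "avg_entropy": round(avg_ent, 2),
            "reasons": reasons,
            "suspect": len(reasons) >= 2,   # require two independent signals
        }
    return result


if __name__ == "__main__":
    for (client, zone), info in score_flows(SAMPLE_LOG).items():
        flag = "SUSPECT" if info["suspect"] else "ok"
        print(f"{client} -> {zone}: {flag} {info['reasons']}")
```

Two independent signals are required before a flow is flagged, because each one alone has benign look-alikes: CDNs and anti-spam services emit long, high-entropy labels, and mail servers legitimately issue many TXT queries. In production the per-zone counters would be kept over a sliding time window and the zone would be derived from a public-suffix list rather than the last two labels.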


Cybercriminals Now there’s nowhere to hide Conventional security strategies just aren’t working against today’s cybercriminals. But what happens when you bring the power of network visibility to the security fight? With the world’s first Security Delivery Platform, your existing security tools can see what kinds of data are flowing inside the most complex network. As a result, the threats are identified, isolated and eliminated before they do their damage - giving you far more value from your security investment.

It’s time to turn the tables on the attackers. Join us, at wefightsmart.ae


FROM A RICH HISTORY TO A BRIGHT FUTURE To take a virtual walk through of the AirCheck G2, visit our demo page: www.enterprise.netscout.com/ aircheck-g2-demo

FOR MORE INFORMATION enterprise.netscout.com/aircheck

Netscout Enterprise portfolio contains: NETSCOUT TruView, NETSCOUT TruView-Live, NETSCOUT AirMagnet Enterprise, NETSCOUT OptiView XG, NETSCOUT Handheld Network Test Solutions. For more information contact: Mea@netscout.com

