ISSUE 16 | APRIL 2017 www.tahawultech.com
PAY IT OR FIGHT IT? WARDING OFF THE MENACE OF RANSOMWARE
Incident response
Penetration testing
EDRM
CONTENTS

06 PAY IT OR FIGHT IT? Security Advisor ME explores best practices on how organisations can survive a ransomware attack.
12 UNDERSTANDING INCIDENT RESPONSE How to build an effective security incident response mechanism for your organisation.
SCAM ECONOMY A look at the growing cybercrime economy in West Africa and insights from TrendMicro.
COMBATING MOBILE THREATS Trends in mobile security that are impacting the threat landscapes.
THINK BEFORE YOU CLICK Simon Taylor, Vice President of Products, Glasswall, shares email security best practices to prevent malware distribution.
HOW TO FEND OFF CYBERATTACKS Online security and data protection experts explain how smaller businesses can prevent security breaches and digital attacks.
CYBER THREAT HUNTING DarkMatter’s Eddie Schwartz on keeping your networks’ immune systems in check to keep your assets safe.

FOUNDER, CPI MEDIA GROUP Dominic De Sousa (1959-2015)
PUBLISHING DIRECTOR Natasha Pendleton natasha.pendleton@cpimediagroup.com +971 4 440 9139
EDITORIAL Group Editor Jeevan Thankappan jeevan.thankappan@cpimediagroup.com +971 4 440 9129; Online Editor Adelle Geronimo adelle.geronimo@cpimediagroup.com +971 4 440 9135; Contributing Editors James Dartnell james.dartnell@cpimediagroup.com +971 4 440 9153, Janees Reghelini janees.reghelini@cpimediagroup.com +971 4 440 9167, Glesni Holland glesni.holland@cpimediagroup.com +971 4 440 9134
DESIGN Senior Designer Analou Balbero analou.balbero@cpimediagroup.com +971 4 440 9140; Designer Neha Kalvani neha.kalvani@cpimediagroup.com +971 4 440 9156
ADVERTISING Group Sales Director Kausar Syed kausar.syed@cpimediagroup.com +971 4 440 9130; Sales Manager Merle Carrasco merle.carrasco@cpimediagroup.com +971 4 440 9147
CIRCULATION Circulation Manager Rajeesh M rajeesh.nair@cpimediagroup.com +971 4 440 9119
PRODUCTION Production Manager James P Tharian james.tharian@cpimediagroup.com +971 4 440 9159; Operations Manager Shweta Santosh shweta.santosh@cpimediagroup.com +971 4 440 9107
DIGITAL SERVICES Web Developers Jefferson de Joya, Abbas Madh; Photographers Charls Thomas, Maksym Poriechkin; webmaster@cpimediagroup.com +971 4 440 9100
Registered at Dubai Production City, DCCA, PO Box 13700, Dubai, UAE. Tel: +971 4 440 9100 Fax: +971 4 447 2409. Printed by Printwell Printing Press.
© Copyright 2017 CPI. All rights reserved. While the publishers have made every effort to ensure the accuracy of all information in this magazine, they will not be held responsible for any errors therein.
NEWS
DARKMATTER NAMES NEW EXECUTIVE VP FOR CYBER SERVICES DarkMatter has appointed Eddie Schwartz as its Executive Vice President of Cyber Services. In his new role, Schwartz will lead the activities of DarkMatter’s following business units – governance, risk and compliance; cyber network defence; test and validation labs; managed security services; cybersecurity education; public key infrastructure; and infrastructure and systems integration. Schwartz’s career in cybersecurity spans over 25 years, and has seen him hold a number of senior leadership positions, including Global Leader for Cyber Security Solutions at Verizon, Chief Security Officer for RSA, Co-Founder and CSO of NetWitness (acquired by EMC), EVP/CTO of ManTech, GM of Global Integrity (acquired by INS), SVP of Operations of Guardent (acquired by VeriSign), and VP/CISO of Nationwide Insurance. Commenting on Schwartz’s appointment, Faisal Al Bannai, Founder and CEO, DarkMatter, said, “Schwartz is a great addition to our leadership team, and I am confident his expansive experience and impressive track record will be well received and leveraged in our cyber services operations.”
$2.94 billion: forecasted value of the MEA security solutions market by 2020
US INTERNET PROVIDERS PLEDGE NOT TO SELL CUSTOMER DATA The three major US Internet Service Providers (ISPs) – Comcast, Verizon Communications and AT&T – have pledged to protect the private data of US citizens, after the US Congress approved legislation reversing the Obama administration’s Internet privacy rules. The bill, which was announced last month, would repeal regulations adopted by the Federal Communications Commission (FCC) in October 2016 under former President Barack Obama. Under the previous regulations, US ISPs were required to protect customers’ privacy; repealing them now allows ISPs to sell users’ browsing history. Comcast, Verizon and AT&T have declared their opposition to the bill and said that they will not sell customers’ individual data. “We do not sell our broadband customers’ individual web browsing history. We did not do it before the FCC’s rules were adopted, and we have no plans to do so,” Gerard Lewis, Chief Privacy Officer, Comcast, told Reuters. Further into the Reuters report, Verizon is described as having two programmes that use customer browsing data: the first allows web marketers to access “de-identified information”, and the other provides “aggregate insights” useful for advertisers. In both cases there is no scope for any individual browsing history being sold to third parties, according to the company. In addition, in a blog post AT&T published recently, the company said it “will not sell your personal information to anyone, for any purpose. Period.” It said it would not change those policies after President Trump signs the repeal.
IBM UNVEILS ENTERPRISE-READY BLOCKCHAIN SERVICE IBM has announced the release of the first enterprise-ready blockchain service, aimed at giving enterprise players the option to build their own scalable and secure blockchain networks based on the Linux Foundation’s Hyperledger Fabric version 1.0. By utilising Hyperledger, businesses can host secure blockchain networks via the IBM Cloud that can quickly scale as new network members join, and transact at rates of more than 1,000 transactions per second. To enhance security, IBM Blockchain is also underpinned by IBM LinuxONE, a Linux server platform designed with security as a primary concern. “IBM has applied decades of experience running the world’s largest transaction systems for banks, airlines, governments and retailers, to build the most secure blockchain services for the enterprise,” said Marie Wieck, general manager, IBM Blockchain. “IBM’s blockchain services are built on the company’s High Security Business Network, and are designed for organisations that require blockchain networks that are trusted, open and ready for business.” IBM has also announced the first commercially available blockchain governance tools, and new open-source developer tools that cut the time it takes to build with the Hyperledger Fabric from weeks to days.
FBI CONFIRMS INVESTIGATION OF RUSSIAN HACK OF US ELECTION The FBI is actively investigating Russia’s attempts to influence the 2016 US presidential election and possible cooperation from President Donald Trump’s campaign, agency director James Comey confirmed. The existence of an investigation had been speculated about for months after the election. The agency typically does not comment on active investigations, but the Russian actions targeting the US election represent an “unusual” case, he told members of the House of Representatives Intelligence Committee. Comey told lawmakers he couldn’t comment further on the investigation, but he said the FBI is looking into possible contacts and cooperation between the Trump campaign and the Russian government. During the hearing, Comey also shot down Trump’s claims that former President Barack Obama wiretapped Trump Tower in New York City during the presidential campaign. The FBI and the Department of Justice have “no information that supports those tweets” by Trump in early March, Comey said. Meanwhile, the intelligence community remains confident the Russians coordinated the election hacking campaign, Mike Rogers, director of the National Security Agency, told lawmakers.
GLOBAL IT SECURITY LEADERS TO GATHER AT GISEC 2017 Cybersecurity experts from across the globe will discuss, debate and highlight the latest Smart City technology and service innovations at the Gulf Information Security Expo and Conference (GISEC), which will be held from 21st to 23rd May at the Dubai World Trade Centre (DWTC). The event will run concurrently with the Internet of Things Expo (IoTx). GISEC 2017 will host more than 500 international delegates and 75-plus high-profile speakers from entities including GCHQ, the UK Government’s Communications Headquarters, the US Cyber Consequences Unit, HSBC, EasyJet, Wells Fargo and GSK, among others. More than 6,000 visitors are expected across the three-day event. In addition to sharing the international best practices required to address the growing concern of cyber-attacks and the rising number of high-profile hackings, GISEC 2017 will also debut an all-new ‘Start-up Pavilion’, where more than 50 start-ups, based or incubated in the UAE, will feature the latest products and solutions driving innovation in the smart tech sphere. Representatives from several start-ups will also be given the floor during a dedicated session at the GISEC Conference, to pitch their ‘evolutionary concepts’ directly to the gathered audience.
DIGITAL SHADOWS EXPANDS OFFERING FOR MOBILE THREAT RESPONSE Digital Shadows has announced new enhancements to its SearchLight digital risk management service, helping organisations detect and respond to mobile application threats against their employees and consumers. According to the company, SearchLight now offers identification of malicious and unsanctioned applications in official and third-party application stores. This new capability also identifies impersonated or spoofed mobile applications that could damage an organisation’s brand or compromise sensitive information. The new mobile application protection capability extends Digital Shadows’ flagship service, which monitors the Internet to identify digital risks to organisations, including cyber threats, data leakage and reputational risks. “Mobile is no longer a niche or isolated part of an organisation’s digital footprint. New devices and applications are the status quo and organisations must be able to identify the digital risks associated with them,” said Alastair Paterson, CEO and co-founder, Digital Shadows. “In an increasingly mobile-first world, our customers now have the ability to precisely account for evolving threats jeopardising irreplaceable reputations and information.” Digital Shadows has been trialling the new service with some key clients and, within one week, for just one financial services client, the firm identified 39 incidents of mobile applications posing a risk to the organisation.
COVER FEATURE
PAY IT OR FIGHT IT? How to survive a ransomware attack unscathed
If you thought 2016 was the year of ransomware, you should read the forecasts for this year. In 2017, TrendMicro sees a 25 percent growth in the number of new ransomware families available for use in breaches. Reports of the encroachment of ransomware on government, law enforcement, critical infrastructure, and health and safety are already climbing. Add to this the rise of ransomware-as-a-service (RaaS) and payments made to anonymous bitcoin accounts, and the result is a booming criminal enterprise worth $1 billion last year, according to the TrendLabs 2016 Security Roundup. Since RaaS is available in the underground, the service provides fledgling cybercriminals the necessary tools to run their own extortion campaigns.

“Traditionally, malware was never terribly concerned with the destruction of data or denial of access to its contents; with few notable exceptions, data loss was mostly a side-effect of malware campaigns. Most actors were concerned with sustained access to data or the resources a system provided to meet their objectives. Ransomware is a change to this paradigm from subversion of systems to outright extortion; actors are now denying access to data, and demanding money to restore access to that data,” says Scott Manson, Cyber Security Leader for Middle East and Turkey, Cisco.

According to the 2017 Annual Cisco Cybersecurity Report, a bright spot emerged last year with a drop in the use of large exploit kits such as Angler, Nuclear and Neutrino, whose owners were brought down in 2016. Now that three of the most dominant exploit kits have cleared the field, smaller players and new entrants can expand their market share, and they are becoming more sophisticated and agile. Exploit kits that appeared poised for growth in late 2016 were Sundown, Sweet Orange and Magnitude. These kits, as well as RIG, are known to target Flash, Silverlight and Microsoft Internet Explorer vulnerabilities. It is reported that around 27.5 percent of businesses in the UAE experienced a ransomware attack in the last 12 months.

“Unfortunately, we have observed that ransomware is not just aiming at businesses now, but is even used for targeted attacks. As a result of such attacks, the victims cannot use data from workstations and servers to continue normal operations because ransomware encrypts the entire disk,” says Ghareeb Saad, Senior Security Researcher, Kaspersky Lab.

Listing a couple of ransomware trends to watch out for, Raj Samani, CTO of McAfee, says mobile ransomware will continue to grow this year, but the focus of mobile malware authors will change. “Because mobile devices are usually backed up to the cloud, the success of direct ransom payments to unlock devices is often limited. Mobile malware authors will combine mobile device locks with other forms of attack such as credential theft.” He adds that threats to healthcare are another trend. “We do not yet know why attackers are breaching media devices that collect patient information, but it is happening and medical data is exfiltrated. That is likely to continue for the next two to four years, and we will also learn why they are stealing medical data. More ominously, medical devices that monitor and control human systems—including pacemakers, insulin pumps, and nerve stimulators—are all becoming Internet enabled. Unethical attackers will see these medical devices as the next step in their journey beyond hospital ransomware attacks.”

With the spate of ransomware attacks escalating at an alarming rate, industry pundits say businesses must do more to protect consumers from ransomware extortion, one of the biggest cyberthreats today. “Ransomware can be difficult to protect against, particularly as perimeter defences increasingly prove to be inadequate at defending a company against cyber-attackers. As a priority, firms need to have a robust backup system in place, to ensure that they have the ability to recover from a complete loss of data. Also, it is essential that firms continuously monitor the network for anomalous behaviour that could indicate a hacker is on the network. From there, the security team can lock down access and expel the attacker from the network before data can be exfiltrated and become at risk of a ransomware attack,” says Roland Daccache, Systems Engineer, MENA, Fidelis Cybersecurity.

Christopher Green, Regional Director, Malwarebytes, says that to stay safe, businesses must invest heavily in both employee education and technology. “Above all, it’s crucial for everyone to adopt a layered approach to security – whether faced with ransomware or any other form of malware. On top of this, it always pays to educate staff about basic security practices; for example, if one person spots signs of an email phishing attack, it could save the whole network.”

Since ransomware will eventually find your enterprise, prepare by implementing an information security governance model aligned with the business objectives and the risk assessment of the organisation, says Brandon Gunter, IT Consulting Manager with Moss Adams. The enterprise should then continually identify risks as they occur, implement risk remediation and mitigation strategies, secure operations, monitor and identify new risks, and come full circle to update and improve the security strategy and road map, explains Gunter. Enterprises should then take several practical, down-in-the-trenches steps to mitigate ransomware, including mature endpoint security measures. “Use best-in-class endpoint anti-malware products which regularly update and recognise changing ransomware. Professional vendors work hard to keep products current to interdict new variants and protect the data residing on devices. Repelling malware also prevents systems from being leveraged to attack other devices or penetrate deeper into an organisation,” says Samani.

Simon Bryden, Consulting Systems Engineer, Fortinet, says the important thing is to back up data regularly and, more importantly, to test the restore process to ensure that it works. Often when disaster strikes, users discover that the backup was not happening, or that not all data was being backed up. Regular drills are important. Also, it goes without saying that users should be careful not to visit links or open documents which may be suspicious. A good antivirus system, backed up by a sandbox to analyse undetected files, is essential to provide optimum protection. Users who are not sure about particular files or links should check with their security operations teams for advice, he adds.

Mike Lloyd, CTO, Red Seal, agrees: the easiest defence against basic ransomware is to always retain the ability to recover a computer’s state as of one day ago. “Inside a data centre, this is quite easy, but for corporate laptops, it’s harder just due to the physics of mobility and user behaviour. Of course, if we get better at backups, and can brush off ransom demands by going back one day, attackers will have two choices - make fancier ransomware that infects the backups for a while, then only triggers after lying dormant, or move on to other attack forms.” He says the second choice is actually more likely than the first – the state of our defences overall is so weak that it is predictable that attackers will find some other vector that is easier and cheaper for them. “This is why we need to increase the level of automation we use, to orchestrate our complex, multipart defenses.”

While ransomware still relies on a variety of tricks to infect users, phishing is largely seen as the predominant infection vector. Phishing attacks have also become much more sophisticated. “This means users need to be extremely vigilant when handling email attachments and clicking on links within an email. If there’s any doubt about an email’s legitimacy, leave it be. Especially emails from unknown origin with a strong call to action. If it’s from someone you know or an organisation you do business with, don’t forget that you can always pick up the phone and call them. Trust but verify. In addition, making sure your system and all its applications (this includes mobile devices) are fully patched, having a robust backup strategy, and proactive defenses will greatly enhance your chances of preventing or recovering from a ransomware attack,” says John Shier, Senior Security Advisor, Sophos.

THE LATEST RANSOMWARE THREAT
As if ransomware wasn’t bad enough, there is a new twist called doxware. “The term ‘doxware’ is a combination of doxing — posting hacked personal information online — and ransomware. Attackers notify victims that their sensitive, confidential or personal files will be released online. If contact lists are also stolen, the perpetrators may threaten to release information to the lists or send them links to the online content,” says Rishi Bhargava, Co-founder and VP Marketing, Demisto. He says doxware and ransomware share some similarities. They both encrypt the victim’s files, both include a demand for payment, and both attacks are highly automated. However, in a ransomware attack, files do not have to be removed from the target; encrypting the files is sufficient. A doxware attack is meaningless unless the files are uploaded to the attacker’s system. Uploading all of the victim’s files is unwieldy, so doxware attacks tend to be more focused, prioritising files that include trigger words such as confidential, privileged communication, sensitive or private. Security analysts agree that doxware attacks are likely to increase over the next two years. So far the attacks have targeted businesses and high-profile individuals rather than the general public. However, that could change if attackers find ways to target smartphones or IoT devices.
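The backup advice in the feature (back up regularly, test the restore, and expect to find that a job was silently not running or not covering all data) as a runnable restore drill. This is an added example, not code from the magazine or from any vendor quoted in it; the manifest-based backup format and the make_backup helper are constructed for the example.

```python
"""Backup restore drill: prove a backup can actually be restored.

Added example, not code from the magazine or any vendor quoted in it.
Assumed (constructed) backup format: a directory-tree copy plus a JSON
manifest of SHA-256 hashes written by make_backup(). restore_drill() only
needs the manifest, so any backup job able to produce one would do.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

MANIFEST = "manifest.json"
ONE_DAY = 24 * 3600  # "recover a computer's state as of one day ago"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, backup: Path, skip=()) -> dict:
    """Copy every file under source into backup and record its hash.
    `skip` (relative paths) models a job that silently leaves data out."""
    backup.mkdir(parents=True, exist_ok=True)
    manifest = {"created": time.time(), "files": {}}
    for p in sorted(source.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(source).as_posix()
        if rel in skip:
            continue
        dest = backup / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, dest)
        manifest["files"][rel] = sha256_of(p)
    (backup / MANIFEST).write_text(json.dumps(manifest))
    return manifest


def restore_drill(source: Path, backup: Path, max_age: float = ONE_DAY) -> dict:
    """Report whether restoring from backup would give back every file now in
    source. ok is True only if the backup is present, no older than max_age
    seconds, covers every source file, and every file restores intact."""
    report = {"ok": False, "present": False, "stale": False,
              "missing": [], "corrupt": [], "restored": 0}
    manifest_path = backup / MANIFEST
    if not manifest_path.exists():
        return report  # "the backup was not happening"
    report["present"] = True
    manifest = json.loads(manifest_path.read_text())
    report["stale"] = time.time() - manifest["created"] > max_age

    # Coverage: every file in source must appear in the manifest.
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source).as_posix()
            if rel not in manifest["files"]:
                report["missing"].append(rel)  # "not all data was backed up"

    # Real restore into scratch space, then verify each file's hash against
    # the manifest: a copy that exists but is damaged must still fail.
    with tempfile.TemporaryDirectory() as scratch:
        for rel, digest in manifest["files"].items():
            src, dst = backup / rel, Path(scratch) / rel
            if not src.is_file():
                report["corrupt"].append(rel)
                continue
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)
            if sha256_of(dst) == digest:
                report["restored"] += 1
            else:
                report["corrupt"].append(rel)

    report["ok"] = not (report["stale"] or report["missing"] or report["corrupt"])
    return report


def demo() -> tuple:
    """Constructed scenario: a partial backup, a complete one, a tampered one."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = Path(tmp) / "data", Path(tmp) / "backup"
        (src / "finance").mkdir(parents=True)
        (src / "notes.txt").write_text("quarterly plan\n")
        (src / "finance" / "ledger.csv").write_text("date,amount\n2017-04-01,100\n")
        (src / "finance" / "payroll.csv").write_text("name,net\nA,1\n")
        make_backup(src, bak, skip=("finance/payroll.csv",))
        partial = restore_drill(src, bak)  # missing payroll.csv, ok False
        make_backup(src, bak)
        complete = restore_drill(src, bak)  # ok True, restored 3
        (bak / "finance" / "ledger.csv").write_text("garbage\n")
        tampered = restore_drill(src, bak)  # corrupt ledger.csv, ok False
        return partial, complete, tampered
```

Run the drill from a host other than the backup server so that a dormant infection on the source cannot also rewrite the manifest it is being checked against.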
FIGHTING BACK AGAINST DOWNTIME
6 traits that define best-in-class disaster recovery

Downtime costs companies billions
- Downtime costs an enterprise an average of $686,000 per hour
- Downtime costs an enterprise more than $26 billion a year in lost revenue
- Lost revenue isn’t the only problem: 18% of firms say that IT outages had a “very damaging” impact on their reputation

Compared to the industry average, best-in-class firms report:
- 75% fewer downtime events (.56 vs 2.26)
- 90% less downtime per event (.16 hours vs 1.49 hours)
- 78% faster recovery times from downtime events (1.13 hours vs. 5.18 hours)
Best-in-class firms say their longest downtime event lasts an average of just 12 minutes: 96% less than the industry average of 4.78 hours and 99.5% less than the laggard-firm average of 43.71 hours.

Keys to achieving best-in-class downtime
Best-in-class firms, compared to the industry average, are:
- 62% more likely (73% vs. 45%) to determine recovery-time objective (RTO) per application, helping them balance recovery-time needs against costs
- 45% more likely (42% vs. 31%) to determine recovery-point objective (RPO) per application, telling them how much data they can afford to lose during an outage
- more than twice as likely (69% vs. 34%) to measure, track and report DR performance
- 68% more likely (84% vs. 50%) to test their disaster recovery (DR) capabilities regularly
- 22% more likely (66% vs. 54%) to assess their high-availability processes and procedures
- 32% more likely (62% vs. 47%) to review high-availability technologies

Putting your enterprise on a best-in-class path
Fight back against downtime risk and achieve total business resiliency with a business continuity management solution that:
- Drives engagement: gives every stakeholder the ability to identify and address the risks that matter
- Enables real-time awareness of key IT systems, people and processes to allow fast and effective responses
- Proves the effectiveness of DR plans with testing, tracking and measurement capabilities

Source: Sungard Availability Services
FEATURE
UNDERSTANDING INCIDENT RESPONSE How to build an effective security incident response mechanism in your organisation
An organisation’s security posture hinges on the well-known security maxim ‘prevention-detection-response’. While the first two components of the security architecture are favoured by many, ‘response’ has a unique characteristic: it is impossible to avoid. It is not uncommon for organisations to have weak prevention and nearly non-existent detection capabilities, but response will always be necessary. Being prepared for security incidents through an incident response (IR) plan is one of the most cost-effective security measures an organisation can take. Timely and effective IR is directly responsible for limiting security-incident-related damage. Developing an incident response plan, and ensuring that it aligns with the organisation’s goals and needs, as well as existing policy and compliance regulations, can be daunting. Moreover, the process will require all sides of the business to communicate, which in itself can be quite a task.

“The effectiveness and cost of incident response depends on the capability of the organisation to detect an incident in the first place. With a median breach detection time still being measured in months, it is indicative that most organisations have not reached a sufficient maturity level to perform effective incident response themselves,” says Roger Sels, DarkMatter’s VP of IT Security. He adds that in those cases where external events trigger the incident response process, a financial or reputational loss might already have occurred, and an external party may need to be brought in with the foremost mission of finding out the origin and nature of the incident. This hampers the organisation’s ability to recover from the incident, as it may still be ongoing at the start of the incident response process.

The basic idea behind IR is simple: once an incident has been discovered, steps must be taken to address it, ensure the organisation recovers from it, and ensure that it doesn’t happen again. This might sound like an easy thing to do, but security experts note that this simply isn’t true. Incident response is something that is developed and that changes with the organisation over time. Incidents can be technical or physical, and while you can’t prepare for everything, it is wise to at least prepare for the most likely threats your organisation will face. One of the often-repeated problems with incident response is that organisations rarely understand who is attacking them, what the attacker is looking for, and how they are trying to get it.

What are the important steps companies should incorporate into their IR plan? “The first step is making sure the appropriate information is readily available to search when a data breach does occur, versus relying on forensics. Such information might include firewall logs, endpoint logs or identity logs. That information should be easily accessible and centrally stored,” says Mike Viscuso, Co-founder and CTO, Carbon Black. “The second important step is to be prepared from a communications perspective. If an organisation is concerned that its infrastructure has been compromised, an entire new communication system must be set up to handle the incident. Many companies who have had a breach in the past say they were significantly delayed in responding since an entire new communication infrastructure needed to be implemented on short notice. They couldn’t simply rely on their email system. Having a communications plan ahead of time can help reduce that stress significantly.”

Sels says enterprise security leaders should define metrics and reporting frequencies, both for incidents and for incident response itself. Both quantitative and qualitative KPIs should be measured (including but not limited to time to detect, time to triage, time to respond, number of false positives, or root cause).

A quick guide from Cybereason says companies should also use the preparation phase to consider the various breach scenarios that could play out. These scenarios should be reviewed in activities like team training, tabletop exercises and blue team-red team exercises. Businesses should even simulate a breach so employees know their roles when a real breach occurs. This is the phase in which companies identify their weak points and risk factors, figure out what activities need to be closely monitored, and decide how to spend their security budgets. An IR plan should be revised yearly, or more frequently if the company grows rapidly. Additionally, the IR plan should incorporate any business regulations.

Lately, IR automation has become a very hot topic in the security world. There are multiple factors driving demand for IR automation and orchestration, including the manual nature of IR work, the cyber skills shortage and the difficulty of coordinating activity between teams. Should you automate your IR process? Sels from DarkMatter says automating parts of the process might be feasible and recommended, but the overall process as such should not be automated; the nature of an incident may prevent automation. Viscuso from Carbon Black offers a different perspective: “Over the past few years, many businesses have set up security operation centres and these teams tend to do the same things over and over again each day in responding to alerts. SOCs should look to automate those tasks done repeatedly throughout the week. Automated technology can look at the problem from a different perspective and provide additional content to help speed up IR.”
EVENT
PROTECT, DETECT AND RESPOND Microsoft Gulf, last month, hosted an exclusive event that focused on how cloud technologies can help organisations defend themselves in the evolving threat landscape and the role of the CSO. We bring you some of the highlights of the event.
The global cybersecurity market is predicted to be worth more than $120 billion in 2017 – a 35-fold increase over the past 13 years – and to reach more than $1 trillion cumulatively over the next five years. As the region’s enterprises and public bodies continue to adopt technologies like cloud computing to digitally transform their businesses, it is of utmost importance that enterprises realise the need to address the demand for fresh policies and procedures in the evolving threat landscape. During an exclusive event held at its Dubai headquarters, Microsoft Gulf addressed how Gulf-based organisations can use cloud services to protect themselves against these growing cyber threats. According to the company, the GCC has, over the past decade, become a hot zone for cyber-attacks, due to the acceleration of Internet and mobile penetration and the relatively high average net worth of the people living in the region.

During his presentation, Cyril Voisin, Executive Security Advisor, Enterprise Cybersecurity Group, Microsoft MEA, noted that cybercriminals’ motivations for launching attacks have evolved with the times. “Now, we have organised cybercrime. These are mainly opportunistic attacks where threat actors are targeting people not because of who they are but because they’re someone who can potentially be a channel for a bigger attack.” Voisin highlighted that ransomware has been one of the most well-known attacks to make noise in the industry over the last few years. However, from Microsoft’s perspective, these kinds of attacks do not happen as often, but when they do, the impact is huge. “In the region, we have seen incidents like the Shamoon virus attacks in 2012. These kinds of attacks are mostly aiming to cause damage rather than seek financial gains. We can expect more of these incidents in the future and we should be vigilant and prepared,” he said.

Further into Voisin’s presentation, he highlighted that Microsoft’s vision is to provide security that enables digital transformation through a comprehensive platform, unique intelligence and broad partnerships. Microsoft’s security strategy, according to Voisin, is focused on three elements – protect, detect and respond. “In an age where cloud and mobility are increasingly impacting the way people live and work, everything is evolving and we have to keep pace with all the developments that are happening. So, it is imperative that you protect your assets; this involves everything from sensors in the Internet of Things (IoT) to the data centres where you store all your data,” he explained. He then noted that it is impossible to protect or secure everything 100 percent. “We must always assume an attack. Some attacks will be successful, that’s why you must set systems and procedures in place to detect vulnerabilities. Lastly, with detection comes your reaction or response. The most prepared companies will be those who can best a cyber incident that will come their way.”

Among the key topics at the Microsoft event was cloud security. “The threat landscape evolves with the technology ecosystem and so cybersecurity is a top priority for Microsoft,” said Mohammed Arif, Windows and Devices Business Group Lead, Microsoft Gulf. “As targets for attacks grow, we expect the number of breach attempts to increase. Microsoft cloud incorporates security at every level and in every scenario. We encrypt data to the highest standard, whether at rest or in transit to or from our data centres. Whatever the size or nature of your organisation, we can tailor a cybersecurity solution that keeps you safe but allows you to operate, meaning security does not get in the way of your growth.”

Further into the event, Arif hosted a panel discussion on the challenges Gulf businesses face as they try to address the shifts in the threat landscape. Thomas Heukeroth, Vice President – IT Security, Emirates; Sandro Bucchianeri, Group CSO, NBAD; and Saqib Chaudhry, CISO, Cleveland Clinic Abu Dhabi, were among the panellists. Past high-profile attacks across the GCC have propelled cybersecurity from the IT office to the boardroom, and it now tops the C-level agenda. The participants explained how they had adopted Microsoft solutions to help protect their digital assets and employees. Talking about the CSO’s role in today’s organisations, Heukeroth underlined that his focus is mainly on understanding what’s new in the market in terms of
security, what threats they need to be wary of and how they can best protect their customers’ data. “On a daily basis, we need to ensure that we can secure our data and our customers’ information without disrupting the business,” he said. “What’s important as well, is that as security leaders we have to maintain the balance between the company’s security and business strategies. On his part, Chaudhry noted that the CSO’s role has evolved into becoming a trusted advisor for the Board. “We have become brand ambassadors for information security within the organisation,” he said. “A crucial part of our role as well is partnering with the leaders of the different business units within the company and helping them navigate through the complexities of the security within their functions. And ultimately, help them become more security intelligent.” Apart from the evolution of the CSO’s role, the panelists also underlined that the understanding of the importance of information security within the business has transformed as well. “From our perspective, two or three years ago we couldn’t talk to a member of the board or management about security,” explained Bucchianeri. “But now, it’s the complete opposite. Now, we even get phone calls from the chairman asking about how we can further enhance our security posture. That mindset shift at the management level is great because it makes it easier for us to get their support if we need to invest on a certain security technology.” When it comes to spreading awareness about security within their respective organisations, all three panelists have emphasised that CSOs need to ditch the traditional approach and resolve to a more interactive programme if they haven’t already. Bucchianeri said, “We have comprehensive security awareness programmes where we get everyone
within the company involved in an interactive and dynamic way. We don’t want our employees to just sit through 30-minutes long presentations because we found out that that’s just not effective. So, we put them in real-life scenarios where we test their understanding and capabilities in security. We then coach them on what they did wrong and how they can improve it.” On his part Chaudhry said that Cleveland Clinic has a 13-level security programme, which uses methods such as games to educate its employees about potential threats. “We also use a lot of visual materials like infographics to catch their attention,” he explained. “We try to make it engaging as much as possible. To spark their curiosity about security we ask them their personal concerns about their devices and their processes.” Heukeroth underlined that being adaptive is important. “You have to tailor your programmes and discussions based on the needs and capabilities of the different members of your organisation. What a finance person needs in security may differ from what someone who is involved in the day-today operations of the company.” The event also saw the company announce the upcoming Windows 10 Creators Update, which will come with a variety of security features including the Windows Defender Security Center. This new feature, according to Microsoft, combines security and health options in one place making easier for users to control Windows 10 device security and health options. The firm also unveiled the Office 365 Secure Score a new security analytics tool that helps IT professionals assess the strength of their current Office 365 security configuration. This solution has threat intelligence that provides near real-time insight into the global threat landscape, to help users stay ahead of cyber threats. 04.2017
INTERVIEW
SCAM ECONOMY Trend Micro, in collaboration with INTERPOL, has released a study titled Cybercrime in West Africa: Poised for an Underground Economy. Security Advisor Middle East spoke with the company’s head for the MENA region, Ihab Moawad, to discuss the study and what it means for organisations here in the region.
Can you please give us a brief background of your partnership with INTERPOL?

INTERPOL has been one of our primary partners for three years now. Our partnership with them is mainly focused on providing them data that will help them, as a law enforcement agency, to detect and eventually catch threat actors across the globe. We have over 100 million sensors deployed across the globe through our cyber protection network. Through this we are able to gather comprehensive data as to what the nature of the latest attacks are and where they are coming from. We leverage these capabilities and information in our partnerships with organisations like INTERPOL by giving them the intelligence to enforce cybersecurity laws.

What was the motivation behind focusing the study on the West Africa region?

While West Africa has no underground market yet to speak of, a surge in cybercriminal activity in the region suggests that it is going towards that direction. There are tremendous business and investment opportunities in the West Africa region; however, as with any promising market, there are also a lot of risks in this part of the world. Cyber threats are among those risks. The West African threat landscape is currently rife with cybercriminals conducting simple scams.
The report mentions two kinds of cybercriminals emerging in West Africa, the Yahoo Boys and the Next-Level Cybercriminals. Can you please shed some light on the difference between the two?

These two groups portray distinct characteristics and operate different types of scams based on their levels of experience. Yahoo Boys, named for their use of Yahoo apps to communicate, are often part of groups operating in the same physical location and supervised by a more experienced ringleader. These cybercriminals are known for the scams that they carry out, like advance-fee, romance and stranded-traveler scams, such as the “Nigerian Prince” phishing emails. These are the attacks that brought West Africa on the theoretical map of cybercrime in the early 2000s. The method of these scammers is to convince their victims to transfer large sums of money for a variety of illegitimate reasons. Meanwhile, Next-Level Cybercriminals are the opposite of Yahoo Boys. This group consists of well-off and highly respected family men who are mature in terms of personal behaviour. They engage in more complex attacks, such as Business Email Compromise (BEC) and tax scams, by using malware and other crime-enabling software from Russia and other English-speaking underground markets. They also maintain connections and accounts overseas to feign legitimacy with their victims and keep law enforcement at arm’s length. They use social engineering tactics to pull off their scams, and significantly more research and effort go into the crimes committed by Next-Level Cybercriminals.

How can the growing cybercriminal market in the West Africa region affect businesses here in the Middle East?

The world today is very connected. While this is beneficial and has positively transformed the way we live and work, it undeniably has its risks. It exposes us to threat actors not just in the market we’re operating in but also to cybercriminals in other parts of the world. We believe that business process compromise (BPC) will be one of the biggest cyber threats in 2017. This kind of attack particularly targets unique processes or machines facilitating various processes within an organisation to quietly manipulate them for the attacker’s benefit. Once an attacker infiltrates the system, a part of the process can be altered by the attacker, without the enterprise or its client detecting the change. The victims believe the process is proceeding as normal, but in reality, the attackers are already gaining either funds or goods from the enterprise. A cybercriminal from, say, Nigeria, can potentially intercept your transactions or shipments here in Jebel Ali without you knowing. Another threat we should keep an eye on is ransomware-as-a-service. Cybercriminals from this region may employ the service of hackers from other parts of the world to steal data from your organisation here.

What do you think organisations in both public and private sectors should do to strengthen their security strategies? What kind of support can they expect from organisations like Trend Micro?

Firstly, organisations should have comprehensive awareness campaigns and even training courses for educating their workforce about cybersecurity. They should implement these courses strictly, ensuring that everyone is complying with the programme. Second, they should make sure that they deploy the right security solutions. It’s not enough that they buy the most expensive hardware or the latest solutions. They should see to it that the products and solutions they adopt fit their specific security needs.

As far as we are concerned, we have laid out a vision and a plan on what’s going to happen in the next five years. We are not just prepared to help customers on the cyber-attacks they are facing today but we are also well-equipped with the knowledge and skills to help them thwart off threats in the coming few years.
FEATURE
WHAT MAKES A GOOD APPLICATION PEN TEST? Research from application security crowd testing and bug bounty programme provider Cobalt attempts to define what enterprises could measure to improve results.
When it comes to creating secure applications, nothing beats focusing on the basics: secure coding in development and then testing the application for security defects. Part of the testing regime should always include an in-depth application penetration test (pen test). But how do organisations know they are getting the full benefit from such assessments?

What goes (or should go) into developing application security is well known. Developers should have their code vetted in their development environment. Their code should go through a series of quality and security tests in the development pipeline. Applications should be vetted again right after deployment. And, after all of that, it’s very likely that more vulnerabilities exist in the application that have yet to be uncovered. Finding those stubborn flaws is where periodic application penetration tests come in; this is when an application is poked and prodded to see if its security controls work as intended and if it’s vulnerable to attack.

Research firm Markets and Markets predicts that the entire penetration testing market will grow to $1.7 billion by 2021, up from $595 million in 2016, and that the web application penetration testing segment had the largest market size in 2016.

The difficulty in finding bugs throughout development, and as applications run in production, is why application security pen tests remain a critical part of any security programme. These tests are how latent vulnerabilities such as cross-site scripting, SQL injection, remote code execution, and poor authentication are identified and hopefully sent for remediation. But what does a successful penetration test look like, and how should enterprises measure success, so that they can improve their results and get more value in the future?

In a study of all of the application penetration tests the company conducted in 2016, Cobalt set out to detail how application penetration test metrics can be used to measure the effectiveness of application penetration tests on security programmes and third-party pen test engagements. After all, the only way to improve is to assess the current situation, establish goals, and measure progress against those goals.

With that in mind, it’s reasonable to ask why an enterprise would conduct an application penetration test to begin with. Caroline Wong, Vice President, Security Strategy, Cobalt, says the most common reason, by far, is when companies need to prove due diligence to customers as part of a business transaction – or to prove that uncovered security deficiencies were remedied. “This is the most common use case we see,” she says. The second, says Wong: security complaints.

Chris Blow, Security Risk Technologist, Liberty Mutual Insurance, agrees. “The majority of application penetration tests I’ve seen professionally were compliance or customer driven,” he says. “There are the rare cases when a company is making a big push to be more secure, and they want to see where their applications stand, but most of the time it’s compliance driven, such as meeting a PCI requirement, or a customer is doing due diligence.”

Cobalt wanted to determine how organisations could get the most out of application penetration tests. “The idea was to help define the key metrics that we think are needed to determine the impact and or the ROI for today’s modern penetration testing program,” says Wong. “Organisations are spending a lot of money on pen testing. What are they getting for their money?”

Application penetration testing metrics can help to answer that question, contends Wong, who is also the author of Security Metrics, A Beginner’s Guide. “Measurement provides visibility, educates and provides a common way for understanding the security programme, and it enables the best positive management of the security programme through improved planning and decision making,” she says.

Experienced red team professionals generally agree that it’s difficult to determine the value of application penetration tests without looking at other aspects of the application’s security programme. “Suppose an application penetration test is conducted, and it identifies 10 high-, 20 medium-, and 50 low-risk vulnerabilities in January. The organisation remedies all of those vulnerabilities in 60 days. But when they conduct another test in March, they find a new batch of, and even more, vulnerabilities that include 20 high, 30 medium, and 50 low vulnerabilities,” Blow says. “Was the first application penetration test a waste?” he continues. “No, as flaws were fixed. But results like this indicate that more developer training is in order and perhaps more testing in the development pipeline.”

In addition to using metrics to inform a secure application development programme, what other metrics are there? These can include measuring the frequency of application assessments, how long it takes to fix critical vulnerabilities, or the reduction of certain classes of flaws. “The important thing is to start measuring based on what is important to you and use these measurements to improve over time,” says Wong.

When it came to the periodicity of application penetration tests, the Cobalt study found that most opt for an annual test. Of those organisations Cobalt examined, about 46 percent conducted an annual pen test, 39 percent semiannual, and 15 percent quarterly. As for the criticality of the vulnerabilities uncovered? It turned out that for the enterprises in the study, nine percent of vulnerabilities uncovered in the penetration tests were critical, eight percent were high criticality and 14 percent were medium. And at 72 percent, the clear majority of flaws uncovered were ranked as low criticality.

While it may seem at first blush that the more application penetration tests the better, that isn’t necessarily so, as different organisations will have different approaches to technology and their deployment of new internal applications and features. “A lot of it depends on the nature of your security programme and the nature of your application development efforts,” says Blow. For instance, with the pressures that come with DevOps and agile development workflows to ship new code today, it is important to have the right testing tools in place so that software can be vetted during the development and deployment process. Organisations can have automated application scans running continuously against their apps in production. “In cases like this it may make sense to have an application pen test every six months or right after a major release,” Blow says.

When it comes to choosing which applications to spend the most time assessing and remediating, experts agree that it all comes down to business criticality. “You want to focus on the most important business applications and those that pose the most security and regulatory risks, and you want to fix the most critical flaws in these apps first,” says Wong.
OPINION
7 PRACTICAL TIPS TO PREVENT ATTACKS ON BACKUP STORAGE By Rick Vanover, Director of Technical Product Marketing at Veeam Software
If one thing has the attention of IT decision-makers worldwide, it is the risk of ransomware. We frequently see headlines on outages caused by ransomware and the reality is that this is a big problem for organisations of all shapes and sizes. Ransomware is not just a PC problem. It can be a data centre problem as well.

To get some insight into the scope of ransomware today, we commissioned a survey in the summer of 2016 of nearly 1000 organisations (approximately 84 percent were Veeam customers) to share some insight on their ransomware experiences. Here are some of the findings from the survey:

• Nearly 46 percent of the respondents have had some form of ransomware incident in the last two years.
• Of those who had a ransomware incident, 91 percent had data encrypted.
• Only two percent of the respondents admitted to paying the ransom for recovering their data.
• Of that small sample who paid the ransom, all but one of them paid less than USD 10,000.
• 84 percent of the respondents were able to recover their data without paying the ransom.

These are just a few numbers, but shocking in terms of the quantity of incidents. A few things also need to be said here to clarify these numbers. First of all, the ransomware incidents took place on a variety of platforms – they include PCs, data centre workloads and more. Many other factors went into these responses.

One important part of being resilient to ransomware is being able to recover from backups. That’s the availability you want when things don’t go as planned, should ransomware become an issue in your data centre. Here are a number of tips I’ve prepared to incorporate into your designs for backup storage:

1. Use different credentials for backup storage
This is a generic best practice and in the ransomware era it’s more important than ever. The username context that is used to access the backup storage should be very closely kept and used exclusively for that purpose. Additionally, other security contexts shouldn’t be able to access the backup storage other than the account(s) needed for the actual backup operations. Whatever you do, please don’t use DOMAIN\Administrator for everything!

2. Have offline storage as part of the Availability strategy
One of the best defenses against propagation of ransomware encryption to the backup storage is to have offline storage.

3. Leverage different file systems for backup storage
Having different protocols involved can be another way to prevent ransomware propagation. Put some backups on storage that uses different authentication. The best examples here are backups of critical things like a domain controller. In the unlikely event that a domain controller would need to be fully restored, there can be an issue if the storage containing the backups is an Active Directory authenticated storage resource.

4. Take storage snapshots on backup storage if possible
Storage snapshots were mentioned above as what I call a “semi-offline” technique for primary storage, but if the storage device holding backups supports this capability it may be worth leveraging to prevent ransomware attacks.

5. Start using the 3-2-1-1 Rule
The 3-2-1 rule states to have three copies of your data, on two different media, one of which is off-site. This is great because it can address nearly any failure scenario and doesn’t require any specific technology. In the ransomware era, it’s a good idea to add another “1” to the rule where one of the media is offline. The offline storage options listed above highlighted a number of options where you can implement an offline or semi-offline copy of the data. You may not need to completely reconfigure an installation to implement an offline element. However, consider these options as additional steps to existing designs.

6. Have visibility into suspicious behaviour
One of the biggest fears of ransomware is that it may propagate to other systems. Having visibility into potential ransomware activity is a big deal. It is good to have an availability solution that provides a pre-defined ‘Ransomware activity alarm’ that will trigger if there are a lot of writes on disk and high CPU utilisation.

7. Let the Backup Copy do the work for you
Backup Copy is a great mechanism to have restore points created on different storage and with different retention rules than the regular backup job. When the previous points above are incorporated, the backup copy job can be a valuable mechanism in a ransomware situation because there are different restore points in use with Backup Copy.

Design for resiliency and plan for vigilance
There are many ways to prevent ransomware from encrypting your backups as well, and hopefully one or more of the tips listed above can be leveraged in your environment.
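Tip 6 above describes an alarm that fires on heavy disk writes combined with high CPU utilisation. As an added example (not Veeam’s code or the logic of any availability product), here is one way to implement that detection over constructed per-minute host telemetry; the field names, thresholds and sample hosts are assumptions, and each host is judged against its own write baseline so a backup repository’s normally heavy writes do not trigger it.

```python
"""Ransomware activity alarm over host telemetry.

Added example (not Veeam's code or the availability product's logic) for tip 6:
raise an alarm when a host shows a lot of disk writes together with high CPU
utilisation. Thresholds, field names and the telemetry below are assumptions.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List


@dataclass(frozen=True)
class Sample:
    """One per-minute telemetry sample for a host."""
    minute: int        # minutes since the start of the observation window
    write_mbps: float  # disk write throughput in MB/s
    cpu_pct: float     # CPU utilisation in percent


@dataclass(frozen=True)
class Alarm:
    """A sustained burst of heavy writes and high CPU on one host."""
    host: str
    start_minute: int
    end_minute: int
    peak_write_mbps: float
    peak_cpu_pct: float


def ransomware_activity_alarm(
    host: str,
    samples: List[Sample],
    baseline_minutes: int = 10,
    write_multiplier: float = 4.0,
    cpu_threshold: float = 80.0,
    sustained: int = 3,
) -> List[Alarm]:
    """Return one Alarm per run of at least `sustained` consecutive samples in
    which writes exceed `write_multiplier` times the host's own baseline AND
    CPU exceeds `cpu_threshold`.

    The write baseline is the median of the first `baseline_minutes` samples,
    so a host that always writes heavily (a backup repository) is judged
    against its normal volume rather than a fleet-wide fixed number.
    """
    if len(samples) <= baseline_minutes:
        return []  # not enough history to establish a baseline
    ordered = sorted(samples, key=lambda s: s.minute)
    baseline = max(median(s.write_mbps for s in ordered[:baseline_minutes]), 1.0)
    write_limit = baseline * write_multiplier

    alarms: List[Alarm] = []
    run: List[Sample] = []

    def close_run() -> None:
        # A short burst (one large copy) is ignored; only sustained runs alarm.
        if len(run) >= sustained:
            alarms.append(Alarm(
                host=host,
                start_minute=run[0].minute,
                end_minute=run[-1].minute,
                peak_write_mbps=max(s.write_mbps for s in run),
                peak_cpu_pct=max(s.cpu_pct for s in run),
            ))
        run.clear()

    for s in ordered[baseline_minutes:]:
        if s.write_mbps > write_limit and s.cpu_pct > cpu_threshold:
            run.append(s)
        else:
            close_run()
    close_run()  # a run that lasts until the end of the window still alarms
    return alarms


def constructed_telemetry() -> Dict[str, List[Sample]]:
    """Constructed sample data (not real telemetry): 20 minutes per host."""
    def series(base_write: float, base_cpu: float, spikes: Dict[int, tuple]) -> List[Sample]:
        return [Sample(m, *spikes.get(m, (base_write, base_cpu))) for m in range(20)]

    return {
        # File server being mass-encrypted from minute 14 to 18: writes and CPU both spike.
        "fileserver01": series(5.0, 15.0, {m: (120.0, 95.0) for m in range(14, 19)}),
        # Backup repository: always writes heavily, CPU stays low, so no alarm.
        "backup-repo01": series(200.0, 20.0, {m: (260.0, 25.0) for m in range(14, 19)}),
        # One-minute burst (a large copy): not sustained, so no alarm.
        "fileserver02": series(5.0, 15.0, {15: (100.0, 90.0)}),
    }


def evaluate_fleet(telemetry: Dict[str, List[Sample]]) -> List[Alarm]:
    """Run the alarm over every host and collect the results."""
    alarms: List[Alarm] = []
    for host, samples in telemetry.items():
        alarms.extend(ransomware_activity_alarm(host, samples))
    return alarms


if __name__ == "__main__":
    for alarm in evaluate_fleet(constructed_telemetry()):
        print(f"ALARM {alarm.host}: minutes {alarm.start_minute}-{alarm.end_minute}, "
              f"peak {alarm.peak_write_mbps:.0f} MB/s write, {alarm.peak_cpu_pct:.0f}% CPU")
```

In the constructed data only fileserver01 alarms (minutes 14 to 18); the repository’s high but steady writes and the single one-minute burst are both ignored.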
FEATURE
COMBATING MOBILE THREATS Trends in mobile security that are changing the threat landscape
Mobile devices have transformed the digital enterprise, allowing employees to access the information they need to be most productive from virtually anywhere. Has that convenience come at a cost to enterprise security, though?

According to Forrester’s The State of Enterprise Mobile Security: 2016 to 2017, by Chris Sherman, “Employees are going to continue to purchase and use whatever devices and apps they need to serve customers and be highly productive, whether or not these devices are company-sanctioned.” Additionally, the report found that S&R professionals will face complex challenges as a result of the different API interfaces and security profiles across devices. Sherman wrote, “Security teams must plan for years of increasing complexity by choosing technology solutions that simplify management and security workflows.”

Scott Simkin, Senior Threat Intelligence Manager, Palo Alto Networks, said that BYOD is a trend that we were talking about five years ago. “Bringing a personal device into the enterprise is not something new, but the masses have come to peace with the fact that employees – in order to achieve their objectives – are requiring it.” What that means for security practitioners is that the attack surface is massive. “It now has been multiplied by a factor of 100 or 1,000 by the sheer number of vulnerable applications and devices that the attacker is able to leverage,” Simkin said.

In addition to bringing devices to the office, employees are also demanding that they have access to the network when not on premise. “They want access to resources whether it’s Dropbox or other applications that allow them to get their corporate data,” Simkin said.

There are myriad issues that challenge enterprise security, whether it is the apps themselves or the user behaviour of the folks who own and operate the mobile devices not keeping their operating system up to date. “Thousands of application developers are taking their great ideas and putting them into practice, but they are not thinking about building security into their application from the beginning,” said Simkin.

Given that there are generally three ways for users to access applications, where they get their apps becomes incredibly important from a security perspective. “They can go to the official app store or download it from a third party application site, or they can jailbreak or side load the application,” Simkin said. “The official app stores do a good job of filtering out malware and threats, but those third party app stores are more of the Wild West.”

A wider trend in the mobile threat landscape, according to Simkin, is that attackers are going after the application developers. “They are unknowingly infected with malware and then the application is infected and that is then passed on to users.”

As it is with securing the traditional network, mobile security is also about building policies. “Security resources are scarce,” said Simkin, “so organisations need to think about how they safely enable those mobile devices to access corporate resources. They need to take the time now to consider what technology they are going to put into place to keep the company safe.”

Even the White House is changing the paradigm a little bit. The President’s now infamous use of an Android phone has helped bring to light the need for better mobile security, said Paul Innella, CEO, TDI.

“If organisations don’t start treating mobile devices, which includes IoT, as corporate assets, they are going to see this wide scale disruption and infiltration. So, they have to be thinking about how they evaluate the risk of one of these mobile devices coming into their environment,” Innella said. Taking a more pragmatic approach and treating mobile as they would anything else in their environment means that they need to do appropriate access, identity, application, and data management, Innella said. “There are numerous mitigation tactics from whitelisting and blacklisting and authenticating the device itself to malware detection. All of the mitigation tactics they would use on a laptop,” Innella said.

Also key is having policies that don’t require as much rigor. “There has to be a systematic understanding of what they should and should not do, like not using public hotspots and not transmitting wireless, turning off Bluetooth and not using the save password function on browsers,” Innella said.

If practitioners recall the challenges that came with securing the network with the advent of laptops, they can look to the future of mobile with the benefit of hindsight. “It’s about protecting data at rest on the device, data in transit, and the data at rest in the infrastructure, within the enterprise,” Innella said. “There has to be encryption of data at rest on both ends. Encrypting data at rest on the device is a big, big issue.”

The device itself is one reason the mobile threat landscape is changing directions, said Josh Shaul, Vice President, Web Security, Akamai. “How does that thing in the conference room turn into a covert listening device accessing my intellectual property and everything else?”

When users load that game onto their phone, they are giving access to the camera, microphone, calendar, and contacts without thinking about what they are loading onto the phone. “The outlier is who we worry about,” Shaul said. “Folks put bad software on there that can be used to spy on people through their mobile devices. It’s not hard to do that particularly when they overtly ask for and are granted permission.”

The attackers are now pivoting and moving from filling in webforms on the website to attacking the API, which allows them to do the same things but is set up for mobile apps, Shaul said. “They are realising that it’s easier pickings going after the APIs that are just getting published and becoming mainstream because there is the misconception they will only be used as intended. It’s just another service connected to the internet that people can access,” Shaul said.

Rather than having the device turn into something that can spy on them, enterprises need to be using good mobile device management software. “Tools that lock down the camera and the microphone. Enterprises can adopt that as a standard and roll it out as part of the mobile device management system they use,” Shaul said.

Beyond the API as another attackable entity, the issues related to code remain largely unfixed, as there is a lack of good security testing or strong development processes around security in mobile applications. “If the APIs are going to be pushing the whole order of web traffic, it’s going to take a different architectural approach to fix mobile security. You get into a scale where you are required to go into the cloud, and for some that is going to be a challenge,” Shaul said.
OPINION
314-DAY BATTLE PLAN
By Phil Burdette, Senior Researcher, SecureWorks
What can you accomplish in 314 days? That’s how long it took one intrepid pilgrim to walk from Bosnia to Mecca, while yachtsman Matt Rutherford completed a circumnavigation of the Americas in the same time. It’s also how long scientists expect the trip to the Red Planet to take. Mankind can indeed achieve great things in a little over ten months – but sadly, noticing a data breach is not among them, with most successful corporate attacks going unnoticed for an average of 314 days. While cyber-attacks aren’t linear, the suggested timeline below outlines what’s possible in the days, weeks and months after an initial breach.

TIMELINE: DAYS 0-10
Cybercriminal’s battle plan: Spread out across an organisation
Process: Adversaries will want to be embedded as far as they can with as many access points as possible. They’ll often steal credentials to get additional access points and more privileges, ideally for them, connected to the domain controller. This will be used to connect to other accounts, e.g. on another site, or accessing a different range of information. It’s the equivalent of a skeleton key for the whole organisation, through which they can not only access information, but control it.
Defence strategy: The more access points, the more likely adversaries will get caught. By ensuring all accounts are audited or maintained, it will be easier to monitor abnormal access. It’s not enough to monitor one access point; all access points should be considered and controls applied to disrupt malicious users. One way to destroy the adversary’s skeleton key is to conduct an organisation-wide password reset. This can be costly and time consuming, but it’s a price worth paying. Organisations can effectively prepare for this scenario, thus reducing the disruption and cost.

TIMELINE: DAYS 10-20
Cybercriminal’s battle plan: Create a plan B and a plan C for access
Process: Once inside a network, an adversary wants to know they have alternative routes back in if they’re discovered. They will explore additional ways to break through a perimeter and gain access.
Defence strategy: Ideally, companies would catch an adversary where they get in and implement additional layers of security at that entry point, but also look at other places which need defence. Cybercriminals will quickly learn as and when they’re discovered and use different tactics. Companies need to be aware of this and, over time, evolve their defensive posture in response to adversarial changes. A real-world example would be that if a burglar broke in through the back door, the home owner shouldn’t spend their whole security budget securing the back door – they also need to examine the front door, the patio doors and the windows. While this strategy is focused on defence, organisations should also be considering a ‘Prevent – Detect – Respond’ strategy so that they are proactively examining security across the entire IT ecosystem.

TIMELINE: DAYS 20-40
Cybercriminal’s battle plan: Set up camp where the data is
What’s at risk: Most organisations have a flat architecture in terms of their
IT set up: an adversary doesn’t need direct access to data, as long as they can connect to it through other routes. For example, they can get to finance through HR. Process: Once they’re secure, have remote access and their re-entry plans, adversaries will identify and locate the ‘crown jewels’ of a company’s data. They use different tactics to do this, for example compromise members of the security and IT team to gather network diagrams to identify high value assets. Or use social media to identify employees who would likely have access to high profile data. Once they’ve been identified and access has been gained, adversaries can run commands to determine what networks that user has access to, which will indicate if they can see the targeted data. Defence strategy: Network segmentation would help solve this issue by creating boundaries between different components in the organisation. Identify and ring fence the high value data and put in additional security layers around the company crown jewels. TIMELINE: DAYS 40-60 Cybercriminal’s battle plan: Discover relevant and valuable data and create a ‘shopping list’ Process: Once an adversary gains access to a company’s files, they’ll create a recursive file listing of what information they think is valuable. Once this has been examined, the adversary will go back into the organisation and get more detail on specific information sets. Defence strategy: Cybercriminals who are intent on gaining access to an organisation will do so: it’s a case of ‘when’, not ‘if’. In order to protect their valuable information, security specialists need to make it as difficult as possible for the criminals to create their shopping list. Apply the principle of least www.tahawultech.com
privilege as not all users need access to all data. In addition, periodically review the privileges and create audit logs to see who is accessing and moderating high value data. TIMELINE: DAYS 60-80 Cybercriminal’s battle plan: Getting data out of an organisation Process: Adversaries are likely to compress data for convenience and to avoid detection when they exfiltrate it. With elevated privileges adversaries can use tactics that mean that an organisation will never find out what they were looking for, or, what they took, for example bypassing data loss prevention or manipulating logs. Examples of defensive evasion methods we have observed include gaining remote access to copy and paste data onto a remote machine. Another is to create a draft email within the company’s network, access it remotely to get the data, then delete the draft. Because the email was never sent, there’s no record of it anywhere so an organisation may never know what was taken. Defence strategy: This is an area which is difficult to defend against – shadow IT is still creeping into organisations and remote working is on the rise. These trends mean employees take risks and use personal devices to access work documents. The cybercriminals are always evolving their tactics. Understanding the risks in the context of the threats is a significant defensive tactic. Organisations need to be constantly vigilant in monitoring, responding to and defending against data exfiltration. TIMELINE: DAYS 80-314 Cybercriminal’s battle plan: Maintain a surveillance operation and avoid detection Process: If adversaries want to keep monitoring interesting information
they’ll do what they can to avoid detection. They may check every few months to see what files have changed and examine the changes. Cybercriminals learn fast and change tactics, move around in a network and create new and cunning ways to remain undetected. Defence strategy: Companies need to examine perimeter security, but also internally inside a network how do they detect anomalous adversary activity. Set up layers of network and endpoint trip wires and an adversary will hit one: it’s only a matter of time. An adversary will behave in a completely different way to a ‘normal’ user, meaning that their activity can be spotted. A high volume of trip wires increases the chance of detection – meaning the dwell time could be much lower than the average 314 days. Stopping adversaries long before 314 days It’s key to note that adversaries don’t need 314 days to conduct malicious activity or access sensitive information. This timeline would be as short as five days or even a matter of hours. Attacks don’t follow a linear route such as the above timeline and a cybercriminal could access a company’s entire infrastructure from high privilege credentials obtained with one simple spear-phishing email, achieve their goal and leave. A trace that adversaries were there may be discovered 314 days, or even years after the event. To defend against these adversaries, organisations need to be as adaptable, determined and tenacious as the cybercriminals they’re facing. In constantly being vigilant and changing tactics, it is possible to prevent an organisation from an adversary maintaining access long before the average dwell time of 314 days. 04.2017
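The trip wires, least-privilege allowlists and audit-log review described in the timeline, as an added worked example that is not part of the article: a small Python check that runs those rules over a constructed file-access audit trail. The share names, accounts, decoy paths and the listing threshold are all assumptions invented for the example.

```python
"""Trip-wire and least-privilege audit over constructed file-access records.

Added example (not from the article). It models two defences from the
timeline: decoy files that no legitimate user has a reason to touch
('trip wires'), and a per-share allowlist of accounts (least privilege),
plus a simple count that flags the recursive 'shopping list' enumeration
described for days 40-60. Share names, accounts and paths are invented.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed policy: each high-value share lists the accounts that need it.
HIGH_VALUE_SHARES: Dict[str, Set[str]] = {
    "\\\\finance\\q1": {"jsmith", "mkhan"},
    "\\\\hr\\records": {"apatel"},
}
# Constructed decoy documents placed on those shares as trip wires.
TRIPWIRE_PATHS: Set[str] = {
    "\\\\finance\\q1\\board-minutes-DRAFT.docx",
    "\\\\hr\\records\\executive-salaries.xlsx",
}
# More directory listings than this by one account on one high-value share
# is treated as enumeration rather than normal use (threshold is arbitrary).
LIST_THRESHOLD = 5


@dataclass(frozen=True)
class Finding:
    rule: str      # 'tripwire', 'privilege' or 'enumeration'
    account: str
    detail: str


def share_of(path: str) -> str:
    """Return the '\\\\server\\share' prefix of a UNC path, or '' for non-UNC paths."""
    parts = path.split("\\")          # UNC splits as ['', '', server, share, ...]
    if len(parts) < 4 or parts[0] or parts[1]:
        return ""
    return "\\\\" + parts[2] + "\\" + parts[3]


def parse(line: str) -> Optional[Tuple[str, str, str, str, str]]:
    """Parse 'timestamp,account,action,path,host'; malformed lines yield None."""
    fields = line.strip().split(",")
    if len(fields) != 5:
        return None
    ts, account, action, path, host = fields
    return ts, account, action.upper(), path, host


def audit(lines: List[str]) -> List[Finding]:
    """Run the three rules over audit records and return every finding."""
    findings: List[Finding] = []
    list_counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                  # skip rather than crash on a bad record
        ts, account, action, path, host = rec
        share = share_of(path)
        if path in TRIPWIRE_PATHS:
            findings.append(Finding("tripwire", account,
                                    f"{action} on decoy {path} from {host} at {ts}"))
        if share in HIGH_VALUE_SHARES and account not in HIGH_VALUE_SHARES[share]:
            findings.append(Finding("privilege", account,
                                    f"{action} {path}: account not allowlisted for {share}"))
        if action == "LIST" and share in HIGH_VALUE_SHARES:
            list_counts[(account, share)] += 1
    for (account, share), count in list_counts.items():
        if count > LIST_THRESHOLD:
            findings.append(Finding("enumeration", account,
                                    f"{count} directory listings on {share}"))
    return findings


# Constructed audit trail: routine daytime use by allowlisted staff, then a
# compromised account (tbrown) enumerating finance at night and opening a decoy.
SAMPLE_LOG = [
    "2017-03-01T09:12:03Z,jsmith,READ,\\\\finance\\q1\\payroll.xlsx,WS-0143",
    "2017-03-01T09:14:10Z,mkhan,WRITE,\\\\finance\\q1\\forecast.xlsx,WS-0207",
    "2017-03-01T09:15:00Z,apatel,READ,\\\\hr\\records\\leave.csv,WS-0311",
    "2017-03-01T22:01:00Z,tbrown,LIST,\\\\finance\\q1,WS-0099",
    "2017-03-01T22:01:02Z,tbrown,LIST,\\\\finance\\q1\\2016,WS-0099",
    "2017-03-01T22:01:04Z,tbrown,LIST,\\\\finance\\q1\\2017,WS-0099",
    "2017-03-01T22:01:05Z,tbrown,LIST,\\\\finance\\q1\\archive,WS-0099",
    "2017-03-01T22:01:07Z,tbrown,LIST,\\\\finance\\q1\\audit,WS-0099",
    "2017-03-01T22:01:09Z,tbrown,LIST,\\\\finance\\q1\\vendors,WS-0099",
    "2017-03-01T22:02:30Z,tbrown,READ,\\\\finance\\q1\\board-minutes-DRAFT.docx,WS-0099",
    "corrupt record with no fields",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"[{f.rule}] {f.account}: {f.detail}")
```

Every finding in the sample comes from the one compromised account: the decoy access fires the trip wire, the same account is outside the finance allowlist, and its six listings exceed the threshold.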
OPINION
THINK BEFORE YOU CLICK
Simon Taylor, Vice President of Products, Glasswall, shares precautions that businesses can take to thwart malware and keep sensitive data protected from malicious actors.

Email is a critical enterprise communication tool, synonymous with sending important documents quickly and efficiently between employees, managers, HR, finance, sales, legal, customers, the supply chain and more. That said, organisations often don’t understand that the file types used every day to share important information are also the most common attack vectors for the distribution of malware. For cybercriminals, it’s often too easy to target a user with a spoofed email or phishing attack and trick them into opening an infected attachment that appears to be legitimate. With email representing an open, trusted channel that allows malware to piggyback on any document to infect a network, it’s up to organisations to adopt appropriate security strategies and best practices to prevent a company-wide attack. Here are the top five email security best practices to prevent malware distribution:

Analyse risk factors in attached email documents
As with anything, organisations need to consider and evaluate all possible avenues of attack and decide what functions their business needs to either keep or eliminate to operate safely. That especially applies when evaluating email attachments as a threat vector. Unbeknownst to many, exchanging documents represents a high risk – about 98 percent of them do not conform to the manufacturers’ document design. Thus, organisations need to determine whether the aberration in a file is due to an attack or to something that’s just poorly written or configured before they can effectively mitigate any potential threats. To address these risks, organisations need to comprehensively understand what documents are coming through their network, the types of files and structural problems, and what functional elements are attached that could represent risk. Creating a big-picture view of the organisation’s email security and risk posture is a critical first step in understanding potential threats and implementing effective policies designed to mitigate risk and thwart attack.

Avoid relying on legacy technologies as stand-alone email security solutions
Once you get a handle on the risks, it will be imperative to apply the appropriate security solutions. Most organisations have all the standard border controls, including firewall, antispam, antivirus and even a sandbox, which are often still bypassed by targeted attacks. By now it’s clear that current antivirus and other signature-based solutions placed at the border are not stopping well-crafted, highly targeted attacks, leaving gaping holes in defensive security architecture. Assume that traditional signature-based antivirus solutions and even relatively new sandbox technology will let a socially engineered malicious document through to the user. Remember, it only takes one user clicking on one malicious attachment for a company to face disaster. There needs to be a ‘new baseline’ for security, with innovation that eliminates specific threat vectors rather than the ‘catch-all’ border protection that is failing.

Look for the good (instead of going after the bad)
Addressing gaps in email security defences will require a paradigm shift that supplants targeting the bad with techniques that look for and validate the ‘known good’. The reason? Cybercriminals are constantly updating their tactics, while malicious files mutate so frequently that they’re almost impossible to track. Validating a file’s legitimacy against a ‘known good’ provides a high benchmark and offers an accurate point of comparison. To that end, organisations need to validate documents against the manufacturers’ specifications and regenerate only ‘known good’ files. From there, they can create a clean and benign file, in its original format, which can be passed along without any interruption to business. Organisations should also continue this proactive stance by leveraging deep file-inspection, remediation and sanitisation tools to eliminate malicious documents before they enter the system.

Restrict BYOD with specified policies around document transmission
The BYOD phenomenon undoubtedly comes with a myriad of benefits – not the least of which is giving employees the flexibility to work from anywhere and conduct both personal and business activities, including document transmission, with the same device. However, while convenient and efficient, conducting business functions from a personal device often undermines the control organisations have over the types of sites and apps used by the employee. This in turn means employees can potentially expose corporate data to information-stealing malware and unintentionally put the organisation at risk of attack. Meanwhile, malware that can be transmitted via attachments to employee workstations can just as easily be transmitted via mobile devices – and what’s more, many mobile devices aren’t equipped with security solutions aimed at detecting infected documents. Thus, malware from an infected document successfully downloaded on a company mobile device will have the same access to sensitive information as it does on the corporate network. While the ability to send attachments via mobile devices might be an inevitability for some, it’s best to judiciously determine for whom this function is an absolute necessity, and then restrict it to employee workstations for everyone else.

Allow only the file types and functional items that users need
Ultimately, organisations need to reduce the risk of a single employee opening up their whole organisation to a malware attack. Among other things, that means determining what kinds of file types and functional items employees need to do their jobs. Organisations need to assess all the variables, including the potential threats employees are exposed to when receiving specific attachments, and then decide what functions the business needs to operate productively. For example, which departments need macros, JavaScript or embedded links in the documents they receive? If certain departments, groups or individuals don’t require these functions, reduce the risk by setting appropriate restrictions. Creating policies that prevent users from exposing the company to threats while maintaining business continuity takes the maximum amount of risk off the table.
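As an added example (not from the article or from Glasswall), the last practice turned into an enforceable check: a Python policy that inspects an attachment for the macros, JavaScript and embedded links the text names and compares them with what each department is allowed. The departments, their allowances, the accepted file types and the sample files are all constructed for the example.

```python
"""Attachment policy check: allow only the file types and functional items a
department needs.

Added example (not from the article or Glasswall). It inspects an attachment
for the three functional items the text names (macros, JavaScript, embedded
links) and compares what it finds with a per-department allowance. The
departments, their allowances and the sample files are all constructed.
"""
import io
import re
import zipfile
from typing import Dict, Set, Tuple

ALLOWED_TYPES: Set[str] = {"pdf", "docx", "xlsx"}   # everything else is rejected outright
DEPARTMENT_POLICY: Dict[str, Set[str]] = {
    "finance": {"macros"},            # macro-enabled workbooks are part of the job
    "marketing": {"embedded_links"},  # campaign material links out
    "default": set(),                 # everyone else: plain documents only
}

# OOXML (docx/xlsx/pptx) is a zip; macros live in a vbaProject.bin part and
# external hyperlinks are declared in the .rels relationship files.
OOXML_MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
OOXML_HYPERLINK_REL = b"relationships/hyperlink"
# PDF keys for document JavaScript and for URI link actions.
PDF_JS = re.compile(rb"/(JavaScript|JS)\b")
PDF_URI = re.compile(rb"/URI\b")


def extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def functional_items(filename: str, data: bytes) -> Set[str]:
    """Return the functional items present, or {'malformed'} if the file is not what it claims."""
    ext = extension(filename)
    found: Set[str] = set()
    if ext in ("docx", "xlsx", "pptx"):
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            return {"malformed"}
        names = set(zf.namelist())
        if names & OOXML_MACRO_PARTS:
            found.add("macros")
        if any(n.endswith(".rels") and OOXML_HYPERLINK_REL in zf.read(n) for n in names):
            found.add("embedded_links")
    elif ext == "pdf":
        if not data.startswith(b"%PDF-"):
            return {"malformed"}
        if PDF_JS.search(data):
            found.add("javascript")
        if PDF_URI.search(data):
            found.add("embedded_links")
    return found


def decide(department: str, filename: str, data: bytes) -> Tuple[bool, Set[str]]:
    """Return (deliver?, reasons). Reasons name the type or items that caused a block."""
    ext = extension(filename)
    if ext not in ALLOWED_TYPES:
        return False, {"type_not_allowed:" + (ext or "none")}
    items = functional_items(filename, data)
    if "malformed" in items:
        return False, {"malformed"}
    allowance = DEPARTMENT_POLICY.get(department, DEPARTMENT_POLICY["default"])
    excess = items - allowance
    return not excess, excess


def build_docx_sample(macro: bool, link: bool) -> bytes:
    """Build a minimal docx-shaped zip in memory (constructed sample, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        rels = "<Relationships>"
        if link:
            rels += ('<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                     'officeDocument/2006/relationships/hyperlink" '
                     'Target="http://example.test/" TargetMode="External"/>')
        rels += "</Relationships>"
        zf.writestr("word/_rels/document.xml.rels", rels)
        if macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed PDF fragments: one plain, one carrying a document-level script.
PLAIN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
JS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction "
          b"<< /S /JavaScript /JS (this.print()) >> >> endobj\n%%EOF\n")

if __name__ == "__main__":
    for dept, name, blob in [("finance", "budget.docx", build_docx_sample(True, False)),
                             ("legal", "contract.docx", build_docx_sample(True, False)),
                             ("marketing", "brief.docx", build_docx_sample(False, True)),
                             ("finance", "invoice.pdf", JS_PDF),
                             ("finance", "invoice.exe", b"MZ")]:
        print(dept, name, decide(dept, name, blob))
```

The same macro-enabled document is delivered to finance and blocked for legal, and a PDF carrying JavaScript is blocked for everyone because no department's allowance includes it.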
OPINION
THE ROLE OF EDRM IN CYBERSECURITY
Information-centric security strategies require a blending together of different solutions, with enterprise digital rights management playing a crucial role, writes Vishal Gupta, Founder and CEO of Seclore.

Today’s cybersecurity professionals have a wealth of tools at their disposal, ranging from firewalls and anti-malware packages to intrusion detection systems and file access controls. Yet, despite the array of solutions available to help us deal with the problem, breaches continue to occur at an alarming rate. PwC’s recent ‘Global State of Information Security Survey’ gives an idea of the size of the cybersecurity challenge here in the Middle East. Of 300 companies surveyed in the region, 56% lost more than $500,000 due to breaches last year and 13% lost at least three working days. Businesses in the Middle East are also more likely to have suffered a security incident compared to the rest of the world (85% of respondents compared to a global average of 79%). The problem isn’t going away, and in a world where collaboration and connectivity are essential, new approaches to cybersecurity may be needed. As a result, there is now increasing interest in information-centric security methods that can function as the last line of defence when firewalls, anti-malware tools and other traditional defences fail.

In its recent study, ‘Market Guide for Information-Centric Endpoint and Mobile Protection’, John Girard of Gartner identifies nine different methods for information-centric endpoint protection. These range from physical and virtual reboot encryption to removable media encryption and electronic digital rights management (EDRM). In Gartner’s research, ‘full-disk and file system encryption will always play the first line of defense. Enforced protection for peripheral file transfers, such as flash drives, maintains encryption control over local ports. Containers and “secure PIMs” provide methods to quarantine specific parts of business information workflow for particular usage patterns. Data loss prevention (DLP) and cloud file protections will trap and protect data movement to and from network resources. And enterprise digital rights management (EDRM) can imbue files with persistent encryption in coordination with rights-aware apps.’ Each of these methods may perform a slightly different function, but the end goal is the same: to prevent breaches and loss of critical information. When put together, each forms part of a broader solution that can reduce the risks of data leakage.

EDRM is a particularly important part of the puzzle, as it allows organisations to collaborate and intentionally share files with confidence. Research recently conducted by Enterprise Strategy Group (ESG) shows just how widespread, and vital, external collaboration is to today’s enterprises. In its survey of 200 ICT and cybersecurity professionals in North America, conducted in the first half of 2016, 18% of respondents said that more than half of employees share files externally. A further 34% of respondents said that between 26 and 50% of employees regularly shared files with individuals outside the organisation.

With EDRM solutions, organisations can precisely specify who can view, edit, copy, screen-capture and redistribute files, as well as which devices a document can be viewed on and for how long. An audit trail is created, clarifying who has accessed a document and when. Advanced features include document- and user-specific watermarks, SSL tunnelling and prebuilt connectors for critical business applications. Developers of EDRM solutions also continue to innovate and add functionality. Support for Mac allows the growing number of Apple users in the enterprise to enjoy the same level of data-centric security as their Windows counterparts. With one-step email verification, users can open protected files immediately without needing a password. Similarly, login through Google accounts enables quick and easy access to protected documents. Other developments that enhance ease of use include the ability to view multiple files simultaneously and ‘auto-discovery’, whereby forwarding a protected email automatically transfers access permissions to all new recipients of the mail.

‘This method is suited to context-dependent data protection,’ Gartner writes in its definition of EDRM. ‘Files are imbued with persistent protection policies when created, read and updated. The policies can specify access by company, user, project, and other details. EDRM can also stipulate limitations on app behaviour such as blocking “save as,” clipboard copying, printing and so on.’ Summing up its defence value, the analyst adds: ‘EDRM creates the tightest possible access control relationships between files and apps. Policies can be detailed, and access can be tracked.’

Information defence technologies have developed as point solutions focused on one part of the cybersecurity puzzle. Today’s realities require putting the pieces together to form an end-to-end package. EDRM’s role is to protect data when it leaves the organisation.
FEATURE
HOW TO FEND OFF
Experts in online security and data protection explain how smaller businesses can prevent security breaches and digital attacks
According to research conducted by Symantec, the number of cyberattacks against small businesses (companies with fewer than 250 employees) has been steadily growing over the last six years, with hackers specifically targeting employees (phishing). And while distributed denial of service, or DDoS, attacks are still a leading form of cyber warfare, ransomware and malware attacks targeting users of smartphones and internet of things (IoT) devices, as well as PCs and systems running on Macs and Linux, are also a big threat to small businesses. For large businesses with IT departments and/or security professionals monitoring the business 24/7/365 for security threats, protecting themselves from cyber threats is annoying but doable – part of the cost of doing business online. But what can small(er) businesses, which typically don’t have IT departments or the ability to hire a security firm, do to protect themselves? Here are nine ways small businesses can ward off cyberattacks and security breaches, as well as several tips on how to protect your data if or when prevention fails.
1. TRAIN EMPLOYEES ON CYBERSECURITY BEST PRACTICES
“Ninety-five percent of all security breaches at the workplace are because of human error,” says Tony Anscombe, senior security evangelist, Avast. “To combat this, cybersecurity should be a core part of the workplace culture – including ongoing education, training and reviews for each employee.”
“Educating employees regularly must be a top priority,” agrees Vijay Basani, CEO, EiQ Networks. “Unaware and careless employees are one of the most effective ways for cybercriminals to find ‘open doors’ to the corporate network, usually through spear phishing techniques designed to deliver malware. Educating employees on the dangers of phishing and malware – clicking on even one attachment or link in an external email – and making it part of the employee onboarding process can be the best defense in preventing malware from finding that open door,” he says.
“Furthermore, [businesses] should teach their employees never to open an unsolicited email attachment and be wary of any URL links contained in email messages,” advises Marc Laliberte, information security analyst, WatchGuard Technologies.

2. INVEST IN ANTIVIRUS SOFTWARE
“Regardless of the type of computers that you are running (Windows or Mac), an investment in antivirus software is always a great move,” says Tom DeSot, CIO, Digital Defense. “While many people may think that Macs are immune to viruses, they in fact are not and can become infected almost as easily as a Windows computer.” That’s why he recommends that businesses “run at least two different types of anti-virus software: one on [their] servers, one on [their] laptops/desktops. The reason for this is that you stand a better chance of catching [and stopping] a virus, since one of the anti-virus software packages may have a signature for it whereas the other one may not.” Most importantly, “don’t forget to keep your signatures up to date,” he says. “Not updating your antivirus software is almost as bad as not having it at all.”

3. TURN ON FIREWALLS
In addition to having antivirus software, “make sure that you have firewalls enabled on your desktop/laptop computers as well as your servers,” says DeSot. “This not only lessens the attack surface of the host; it also helps prevent systems from becoming infected by worms or other types of malware that are looking for services such as FTP or file shares to infect another host. If your host does not come with a native firewall, there are plenty of internet protection suites that have a firewall built into them as well,” he says. “Many of the anti-virus vendors sell these types of suites and often bundle them with their anti-virus software. This goes a long way to protecting your systems from attack and keeping your data safe.”

4. MAKE SURE EVERYONE HAS STRONG, UNIQUE PASSWORDS
“Seventy-six percent of attacks on corporate networks are due to weak passwords,” says Anscombe. “Your child’s birth date, your home town or a pet’s name [are all examples of weak passwords, codes that can be easily hacked].” Instead, make sure all employees use strong passwords. And by ‘strong’ he means it “should have numbers, special characters and upper and lowercase letters.” Also, passwords should not be re-used or shared on different sites. To ensure passwords are unique, “employ password managers that will generate unique, strong passwords for you.”
5. USE ENCRYPTION/SSL
“The No. 1 security measure that small businesses should not overlook is encryption,” says Doug Beattie, vice president, GlobalSign. “SSL/TLS certificates allow sensitive information to be sent securely. Without them attackers are able to intercept all the data being sent between a server and a client (a website and a browser, for example). SSL certificates from a trusted certificate authority (CA) are imperative, especially for secure credit card transactions, data transfer and secure browsing,” he states. “But problems and vulnerabilities often come into play when their lifecycles are not properly managed and the certificates expire. An expired certificate leaves your doors wide open for a hack (i.e., allows the browser to become an entry point), so it is important to [keep] track [of] when your certificates are up for renewal” and renew them promptly.

6. UPDATE (PATCH) YOUR OPERATING SYSTEM AND SOFTWARE REGULARLY
“Hackers are constantly probing operating systems, browsers and software for vulnerabilities,” says Troy Gill, manager of security research, AppRiver. “It is not a matter of if they will find these flaws as it is a matter of when. Once vulnerabilities are discovered, software vendors work quickly to patch these vulnerabilities. The fix comes in the form of an update, and the failure to apply these updates can leave you very exposed.” So to prevent exposure to hackers, “make sure your operating system is set to receive automatic updates,” and regularly check for or download updates (patches) for your most regularly used software and apps, too.

7. ENABLE TWO-FACTOR AUTHENTICATION
“Enabling two-factor authentication provides far more security (and thus peace of mind) than a password alone,” says Mike Catania, CTO, PromotionCode. “The odds are that you have your mobile phone on you anyway, so the level of inconvenience is extremely low for a huge return in keeping the bad guys out. 2FA, as it’s popularly referred to, essentially confirms you by requesting a PIN verification from your mobile device if someone attempts to log in from an unrecognized machine.”

8. USE A VIRTUAL PRIVATE NETWORK (VPN)
“The growth of bring your own device (BYOD) in the workplace means employees may be tempted to use their own cloud-based apps to store or share customer data with colleagues,” says Julian Weinberger, director of systems engineering, NCP engineering. That “may leave sensitive company data vulnerable, with only the strength of an employee’s password to protect it.” To protect against mobile breaches, “small businesses can restrict [or prohibit] BYOD or use a virtual private network. A VPN will enable remote offsite employees to create an encrypted, end-to-end connection with the company network and transfer data securely regardless of their location or the application they are using.”

9. MINIMISE RISK FROM THIRD-PARTY VENDORS
“SMBs need to talk to third-party vendors about their security policies [before they do business with them] to ensure they’re properly protecting company information,” says Kevin Haley, director of product management, Symantec Security Response. “Ask questions such as: Are you using multi-layer security? Are you backing up the data? Are your systems up to date? SMBs should also limit the amount of customer data they share and only provide what is absolutely necessary in order to minimise risk.”
OPINION
PROTECTING CONNECTED CARS
By Alain Penel, Regional Vice President – Middle East, Fortinet

The technology in today’s vehicles is amazing. Auto manufacturers are rushing to add connectivity to their vehicles, to complement and enhance their bells and whistles. My own car warns me if I stray out of my lane, and if there is a car in my blind spot. It has adaptive cruise control that slows down if a car pulls in front of me. It alerts me to cross traffic, pedestrians and even dogs when I back up. It monitors road conditions and automatically enables all-wheel drive if the roads are wet. And that’s just the start. It has collision detection and automatic braking, and a fully connected entertainment and communications system. The windshield wipers even turn on automatically when it starts to rain.

A modern car may have as many as a hundred electronic control units. When you add satellite infotainment systems with Bluetooth and voice commands, and a 4G LTE WiFi hotspot in your car, these vehicles are not only incredibly connected, they are also increasingly vulnerable. Not surprisingly, attacks on a car’s sophisticated computer systems are becoming a serious threat. Last year, hacking researchers demonstrated how they could remotely hijack control of a connected vehicle while it was actually cruising down an interstate. The attack came via a vulnerability the researchers found in its Internet-connected infotainment system. Through that point of entry they were able to access other systems within the car, including the transmission and braking system, with alarming results. The demonstration was dramatic proof that our vehicles are now under serious threat of cyber attack, and led to the recall of 1.4 million vehicles in the United States to install a software update to patch the vulnerability.

And the potential attack surface is growing. Soon, cars will be able to do things like automatically pay for fuel when you pull up to a pump, negotiate online shopping services, check and read your email to you, and sync with your calendar to remind you of conference calls and events. Individual passengers will each be able to have their own separate Wi-Fi connection to the Internet to stream movies, browse social media, check their banking information and shop online. These cars are really only a generation or two away from being fully driverless. What happens then, when cars on the road are dynamically sharing road conditions, negotiating traffic and responding to intelligent traffic systems designed to move traffic more efficiently through urban environments? The potential for a catastrophic result from a well-planned attack seems high, and in addition to the loss of life and property, it could stall technological advancement for years.

Securing complex systems like these is no easy task. Once you connect your car to a 4G or 5G network, how do you secure that connection? How do you incorporate security solutions throughout the car to ensure your passengers and their data are protected, especially from zero-day attacks? What are the security implications once automakers become their own carriers, providing personalised connectivity services to their cars?

Technology is advancing at a rate that the intentionally slow process of legislation will never be able to keep up with. Laws will either be too specific to address the latest threats and challenges, or so vague as to allow too much wiggle room in terms of developing appropriate safeguards. So the big question is, what can we do now? I suggest that a good first step would be for auto manufacturers to begin to partner with security vendors to design safer vehicles. Securing a car should not be much different from securing a modern network – harden your access points, monitor and inspect traffic for malware and unauthorised commands, segment the network into security zones, secure communications, and share global and local threat intelligence. Everything else in a car is branded, from XM radios to Bose speakers to designer interiors. Why not also have a vehicle provide branded security from a leading engineering company that does this sort of thing as its primary business?

Our love affair with the car shows no signs of slowing down. And as it becomes even more integrated with our online lives, including the advent of what I refer to as Transportation as a Service, we are exposing ourselves to more risks than ever. So, what do we do next? With 25 per cent of Dubai’s transport set to go driverless by 2030, these are important discussions we as consumers, and as a security industry, need to be having right now.
INSIGHT
ROBOTS PRESENT A CYBER RISK The security of robots lies with many in organisations
The prospect of an army of robots marching in unison to launch an attack on an unsuspecting city belongs in the realm of science fiction—as do most images of menacing autonomous machines wreaking all kinds of havoc on civilization. That’s not to say robotics is free from security and safety threats, however. In fact, experts say the growing use of robots by companies such as manufacturers, retailers, healthcare institutions and other businesses can present a number of cyber risks.

There are two primary issues related to security and robotics, says Michael Overly, a partner and information security attorney at law firm Foley & Lardner. First, these machines are generally integral to assembly line operations and other similar activities, Overly says. “An attack could literally bring a manufacturing or assembly plant to its knees,” he says. “We have seen this very outcome in a ransomware attack targeted at robotic assemblers in a plant in Mexico.” In that case, the ransomware locked up the specifications files from which the robots drew their operating parameters, he says.

Second, robots are generally large and capable of causing significant bodily and property damage if operated other than in accordance with their specifications. “If the subject of an attack, the machines could cause dramatic harm, both to individuals and to property,” Overly says.

The difference between actual and potential risks with robot security incidents “is a function of the complexity of the algorithms used by robots, and the physical and social context of their operation, and their numbers,” says Tom Atwood, executive director of the National Robotics Education Foundation, which provides educational information about robotics to students, educators and professionals. For example, the circumstances and predictions of potential harm will vary widely depending on whether the robots are used in an industrial, military, urban, mobile, educational context or other context, Atwood says. “These contexts are growing in number as physical and virtual robots proliferate in all spheres of human endeavor,” Atwood says.

Many organisations that operate autonomous machines such as industrial robots mistakenly think they will not be targets because the machines don’t process personal information or financial information. The same goes for companies that produce the machines. “They tend to not have the level of security protection found in other industries,” Overly says. “These organisations should start with a thorough information security audit conducted by a third-party auditor who has specific experience in the manufacturing and automation space. They should prioritise remediation measures based on the outcome of that audit.”
The motivation to build rigorous and secure robots should be there “because it is quite possible that all involved in its design could be held liable if a horrendous weakness was found that led to personal distress or financial losses,” says Kevin Curran, senior lecturer in computer science at the University of Ulster and a senior member of the Institute of Electrical and Electronics Engineers (IEEE). “Security should also not be an afterthought,” Curran says. “Ultimately every device connected to the Web should be password protected. It should not be connected with the default out of the box password. A long complex password needs to be set. All devices should be updated as soon as updates are released, just like best practice on PCs and tablets.” Robot manufacturers should also release security updates once vulnerabilities are found, Curran says, “but the incentive is simply not there for them to do it much of the time.”

Examine how robots use data

Data security risks related to robotics can be addressed by examining how robots use and harbor data, and by evaluating how they can be hacked. But again, the outcomes from such analyses depend in large part on the type of robot in use and how it is being used, Atwood notes. Much like the risk of other industrial control systems, the risk of autonomous machines is the unpatched vulnerabilities and access to critical and confidential information within the environment, says Jerry Irvine, member of the U.S. Chamber of Commerce’s Cybersecurity Leadership Council and CIO of IT outsourcing provider Prescient Solutions. “These vulnerabilities can allow access to [business] critical systems and intellectual property,” Irvine says. He recommends that organisations implement secure access and authorisation controls, limiting access to people who need it to perform their jobs. Another good practice is to segment autonomous machines from other networks to limit their digital footprint and accessibility to other systems and applications, he says.

One of the most important steps to ensuring strong security for robotics is to keep a close watch on them. “Human stewardship of robot protocols and operating procedures, and human oversight of robots at work, must be maintained at a high level at all times for the foreseeable future,” Atwood says. “These detailed oversight practices are important to prevent endangerment of people in work environments where robots operate,” Atwood says. “Hotel lobbies, factory floors, parking lots, warehouses, hospitals and our streets where robotic autos are emerging are all immediate front lines.”

Deciding who within an organisation is responsible for robotics security is up to the individual enterprise. But in general, because robots can transcend multiple areas of operations, it should involve representatives from several groups, including IT and security management, operations, and even top senior managers. “The board of directors and the most senior officers bear ultimate responsibility,” Overly says. “IT management and security management are on the front line, but senior management is, by law, the ultimate responsible party. They need to exercise reasonable business judgment in addressing these issues.” The role of CISOs and CSOs in robotics security should be to oversee overall security policy and approach, but also to ensure that the board and senior management are adequately informed of any security-related issues and the efforts being made to address them, Overly says. At many organisations, top security and IT executives will have a key role in robotics security, especially if robotics efforts are tied to IT-related areas such as cloud services, mobile applications and big data/analytics initiatives. “The CISO and/or CSO is the titular head of cyber security, and is the leading executive whose job it is to inform and coordinate with the CEO and other designated people to protect the company’s robotic infrastructure as well as the people working in the organisation,” Atwood says. Curran agrees. “The CISO and his IT team should assume responsibility for all connected devices including robots,” he says. “No distinction should be made between a Web-enabled robot and a router in a back office.” Appropriate preventive and corrective controls in the form of policies, standards, procedures or technology functions and monitoring mechanisms are needed to minimise the risks associated with deploying any connected devices within an organisation, Curran adds.

Robots themselves might in some cases play a role on the security team. “Already, security intrusion detection robots have been developed by many companies,” Curran says. “These for the most part consist of smaller mobile robots with cameras and movement detection, which move around a building looking for intrusion.” These machines use technology such as high-definition cameras, sensors, and microphones to measure a variety of conditions and actions. “There is [always] the risk of such robots being hacked, therefore additional measures need to be taken such as implementing extra security authentication—perhaps facial recognition of the owner when opening panels,” Curran says. “There is a real risk of privacy invasion,” especially in the case of a robot that has complete freedom to roam inside a building, he says, “so we have to ensure that the surveillance footage is securely stored.”
PRODUCTS
Brand: Tyco Security Product: C•CURE 9000 v2.60
Tyco Security Products has introduced the latest version of its C•CURE 9000 security and event management platform, which it says offers users increased operational efficiency, improved processes and procedure compliance, and greater accountability. According to Tyco, C•CURE 9000 v2.6 achieves this through a number of core features, including a new web-based Access Authorisation Portal and a new Web Client user interface, which gives specific individuals greater flexibility and efficiency by letting them perform administrative tasks from their mobile devices.
What you should know: The new version also allows security officers to visually verify cardholders before they are allowed into the specific areas of the building assigned to their access privileges. The latest version of the C•CURE 9000 security and event management platform also supports IPv6 addressing for the iSTAR Ultra door controller and iSTAR Ultra Video, an access control and video edge device for integrated security monitoring at small sites.
Brand: HID Global Product: HID Location Services
HID Location Services, according to the company, provide organisations with visibility into the location of their workforce in a facility, making it possible to analyse room usage for better building management and increased operational efficiency. The service is enabled by Bluvision, a company recently acquired by HID, and provides numerous capabilities based on an organisation’s needs. Its real-time location services are ideal for monitoring and providing deeper analytics around the movement of personnel in a building, giving better insight into how to optimise usage of facilities, common areas and individual rooms.
What you should know: The solution leverages Bluetooth Low Energy (BLE) and delivers “unprecedented accuracy,” even in large, open spaces and areas in which it has historically been challenging to implement RFID technologies. HID Location Services includes a cloud service, portals and Bluetooth beacons in the form of HID smart cards, providing a one-card solution for both indoor positioning services and physical access control. Installation simply entails plugging in AC-powered BLE/WiFi gateways and providing personnel with the smart card beacon.
Brand: Xerox Product: VersaLink B7035 and AltaLink C8035
Xerox’s AltaLink and VersaLink product lines, according to the company, highlight how it has transformed traditional printing devices into smart, connected workplace assistants that reflect the evolving needs of today’s businesses. The 12 entry-level (A4) and 17 workgroup (A3) devices, in both colour and monochrome and with speeds of up to 90 pages per minute, are all equipped with ConnectKey, which combines technology and software for SMBs and for workgroups in larger enterprises.
What you should know: ConnectKey technology ensures comprehensive safety for system components and points of vulnerability. It offers protection from unauthorised access to devices; keeps confidential communications and information safe with encryption and image overwrite; audits device access attempts; and protects both data and device from malicious intent. ConnectKey-enabled devices offer added security – ensuring they are monitored and trusted in even the most security-conscious environments. AltaLink MFPs feature an added layer of security through Xerox’s partnership with McAfee.
21 - 23 May, 2017
Dubai World Trade Centre
Connecting and Securing Smart Government and Enterprises
With 34 billion devices connected to the internet by 2020*, how will your business stay digitally agile with enhanced customer experience while ensuring maximum security?
DEMOS & WORKSHOPS: Attend CPE accredited training sessions & demos by industry experts
TECH SHOWCASE: 500+ cutting-edge solutions from regional & global market leaders
DEDICATED CONFERENCES: 75+ speakers including INTERPOL, GCHQ, Wells Fargo, AXA, HSBC & more
BUYERS’ LOUNGE: Discuss your RFPs and gain invaluable insights & advice from our key partners
REGISTER ONLINE FOR FAST-TRACK ENTRY! gisec | iotx
www.gisec.ae | www.iotx.ae
gisec@dwtc.ae | iotx@dwtc.ae
*source: businessinsider.com
BLOG
CYBER THREAT HUNTING By Eddie Schwartz, Executive VP of Cyber Services, DarkMatter
The “common cold” runs amok through our offices, schools and gyms. Even though we can send human beings to live in outer space for months at a time, and have shrunk incredibly powerful computers to fit in our pockets, we’ve still not conquered the all too common cold. That’s because not only are there hundreds of different cold viruses attacking our bodies, but they also are constantly mutating into different ones, so our immune system doesn’t have the antibodies to recognise and defend against whatever new viral strain is making its rounds this winter.

Does that sound familiar? Unfortunately, this “virus” metaphor for cybersecurity threats continues to prove exactly the right comparison, particularly as evolving and increasingly sophisticated threats take inspiration from nature to bypass today’s most advanced cybersecurity technologies. We don’t want to wait for our networks and systems to fall sick before we find a solution. There is too much at stake to lag behind the threats we face. After all, threats today have long ago blown past any notion that we can be safe by building walls or moats around our assets and infrastructure. We must be one step ahead. We must deploy robust, agile and evolving immune systems to keep our networks and other assets safe. We should employ cybersecurity products and services such as advanced managed security services that include threat information feeds, both off-the-shelf and bespoke network and endpoint security solutions, and other specialised cybersecurity services that can recognise potential threats before and while they are happening. But we must also do more.

Our immune system is constantly and proactively scanning the body for anything foreign that doesn’t belong and so could pose a threat. Then it takes immediate action to eliminate that threat. That, fundamentally, is what “threat hunting” does in cybersecurity. The immune system understands what’s foreign to the body and what’s not. It also keeps a registry of every harmful virus and bacterium that it has previously encountered and looks out for these. This “registry” is made up of antibodies previously developed in response to a specific virus or bacterial threat. If that virus enters the body again, the immune system recognises it as foreign and harmful and immediately attacks it before it can replicate and make us ill. Where this breaks down is when the body is invaded by a new (cold) virus it has never seen before. The immune system doesn’t immediately “recognise” the virus, and this gives it a chance to grow – think “dwell time” in cybersecurity parlance – and, at least temporarily, it overwhelms our immune response. The result: we become sick.

In cybersecurity, we create databases of known malicious software. We study their “signatures” and use these to program antivirus, endpoint security and other software to monitor for, isolate and remove this malevolent software. As already noted, however, today’s advanced threats can be polymorphic, so signature-based detection engines won’t work. They use code obfuscation techniques and encryption at the execution layer and network transport layer to slip detection. The most sophisticated malware is able to identify and disable security software. But to address the increasing polymorphism of malware, signature-based antimalware solutions should be combined with behaviour-defined identification. This adds information by looking at network flows and packet capture, in search of operations that shouldn’t be happening. However, there is one problem: the body’s much-valued immunity generally only comes after you’ve been attacked by a virus and been made ill. That model won’t work for cybersecurity. We have to constantly assess and create our immunities before a new threat arises.
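The combination the blog recommends, a signature lookup paired with behaviour-defined identification over network flows, in working code. This is an added example, not code from DarkMatter or the author: the signature table, the host inventory, the flow records and the beaconing thresholds (at least five flows, coefficient of variation of intervals and sizes at or below 0.15) are all constructed for illustration, and the hash values are placeholders rather than real indicators. The behavioural check here is one specific hunt, for beaconing, meaning a host that contacts the same destination at regular intervals with near-constant payload sizes, which is the kind of "operation that shouldn't be happening" a signature can never describe.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "signature" database: SHA-256 of files already known to be
# malicious. The value below is a placeholder, not a real indicator.
KNOWN_BAD_HASHES = {
    "ab" * 32: "example-dropper",
}

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, bytes_out).
# 10.0.0.5 contacts 203.0.113.9 every ~60 s with near-constant size (beaconing);
# 10.0.0.7 shows the irregular timing and sizes of ordinary browsing.
SAMPLE_FLOWS = [
    (0, "10.0.0.5", "203.0.113.9", 443, 512),
    (61, "10.0.0.5", "203.0.113.9", 443, 514),
    (119, "10.0.0.5", "203.0.113.9", 443, 511),
    (180, "10.0.0.5", "203.0.113.9", 443, 513),
    (241, "10.0.0.5", "203.0.113.9", 443, 512),
    (299, "10.0.0.5", "203.0.113.9", 443, 515),
    (5, "10.0.0.7", "198.51.100.20", 443, 1400),
    (9, "10.0.0.7", "198.51.100.20", 443, 35000),
    (70, "10.0.0.7", "198.51.100.20", 443, 2200),
    (75, "10.0.0.7", "198.51.100.20", 443, 900),
    (240, "10.0.0.7", "198.51.100.20", 443, 120000),
    (250, "10.0.0.7", "198.51.100.20", 443, 700),
]

# Constructed endpoint inventory: host -> SHA-256 hashes of files seen executing.
SAMPLE_FILE_HASHES = {
    "10.0.0.5": ["cd" * 32],             # unknown hash: the signature lookup misses it
    "10.0.0.7": ["ab" * 32, "ef" * 32],  # one hash matches the signature database
}


def signature_match(sha256):
    """Signature-based check: return the family name for a known-bad hash, else None."""
    return KNOWN_BAD_HASHES.get(sha256.lower())


def coefficient_of_variation(values):
    """Spread relative to the mean; close to 0 means the values are almost constant."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def find_beacons(flows, min_flows=5, max_cv=0.15):
    """Behaviour-based check: flag (src, dst, port) groups whose inter-arrival
    times and payload sizes are far more regular than human-driven traffic."""
    groups = defaultdict(list)
    for ts, src, dst, port, size in flows:
        groups[(src, dst, port)].append((ts, size))
    findings = []
    for (src, dst, port), records in groups.items():
        if len(records) < min_flows:
            continue
        records.sort()
        intervals = [b[0] - a[0] for a, b in zip(records, records[1:])]
        sizes = [size for _, size in records]
        if (coefficient_of_variation(intervals) <= max_cv
                and coefficient_of_variation(sizes) <= max_cv):
            findings.append({
                "src": src, "dst": dst, "port": port,
                "flows": len(records), "period_s": round(mean(intervals), 1),
            })
    return findings


def hunt(flows, file_hashes):
    """Combine both checks: a host is reported if a known signature matches
    OR its traffic behaves like a beacon, so a fresh (unsigned) sample that
    still has to call home is caught by the second check."""
    report = {}
    for host, hashes in file_hashes.items():
        for h in hashes:
            family = signature_match(h)
            if family:
                report.setdefault(host, []).append(f"signature:{family}")
    for b in find_beacons(flows):
        report.setdefault(b["src"], []).append(
            f"beacon:{b['dst']}:{b['port']} every {b['period_s']}s")
    return report


if __name__ == "__main__":
    for host, reasons in hunt(SAMPLE_FLOWS, SAMPLE_FILE_HASHES).items():
        print(host, "->", ", ".join(reasons))
```

On the constructed data the signature lookup reports only 10.0.0.7, whose file hash is already catalogued, while 10.0.0.5 runs an unknown binary and is surfaced solely by the regularity of its outbound flows. The thresholds are deliberately simple; in practice a hunter would tune them per environment and add exclusions for legitimate periodic traffic such as update checks and monitoring agents, which look the same to this heuristic.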
Get complete protection against zero-day attacks, ransomware and advanced threats with our new CAPTURE ATP sandboxing service.
www.sonicwall.com