ISSUE 35 | FEBRUARY 2019
BAD APPS
How to steer clear of malicious mobile apps
WWW.TAHAWULTECH.COM
THE BIG PICTURE
Hikvision on reshaping the future of physical security with AI
SAFE SURFING Cybersecurity in the defence sector
On guarD
HOW VULNERABILITY MANAGEMENT CAN KEEP CYBER THREATS AT BAY
CYBER EXPOSURE PARTNER
CONTENTS
CYBERSECURITY SOLUTIONS PARTNER
The Cyber Exposure Company
FOUNDER, CPI MEDIA GROUP Dominic De Sousa (1959-2015) Publishing Director Natasha Pendleton natasha.pendleton@cpimediagroup.com +971 4 440 9139 EDITORIAL Managing Editor Michael Jabri-Pickett mjp@cpimediagroup.com +971 4 440 9158 Online Editor Adelle Geronimo adelle.geronimo@cpimediagroup.com +971 4 440 9135
8
Contributing Editors James Dartnell james.dartnell@cpimediagroup.com +971 4 440 9153 Janees Reghelini janees.reghelini@cpimediagroup.com +971 4 440 9167 DESIGN Senior Designer Analou Balbero analou.balbero@cpimediagroup.com +971 4 440 9140 Designer Mhar Delaben marlou.delaben@cpimediagroup.com +971 4 440 9156 ADVERTISING Group Sales Director Kausar Syed kausar.syed@cpimediagroup.com +971 4 440 9130
20
12
Senior Sales Manager Sabita Miranda sabita.miranda@cpimediagroup.com +971 4 440 9128 Sales Manager Nasir Bazaz nasir.bazaz@cpimediagroup.com +971 4 440 9147
ON GUARD
Business Development Manager Youssef Hariz youssef.hariz@cpimediagroup.com +971 4 440 9111 PRODUCTION Operations Manager Shweta Santosh shweta.santosh@cpimediagroup.com +971 4 440 9107
Why vulnerability management is vital in strengthening your cybersecurity posture
DIGITAL SERVICES Web Developer Jefferson de Joya Abbas Madh Photographer Charls Thomas Maksym Poriechkin webmaster@cpimediagroup.com +971 4 440 9100 Published by
Printed by Al Ghurair Printing and Publishing Regional partner of
16
BAD APPS
24 DIGITAL FRONTLINES
© Copyright 2018 CPI All rights reserved While the publishers have made every effort to ensure the accuracy of all information in this magazine, they will not be held responsible for any errors therein.
31
A CLOSER LOOK
6
How the power of partnerships is delivering business value amid data complexity
Registered at Dubai Production City, DCCA PO Box 13700 Dubai, UAE Tel: +971 4 440 9100 Fax: +971 4 447 2409
28
AT YOUR FINGERTIPS
STRENGTH IN UNITY
How end-users can steer clear of malicious mobile applications Enhancing cybersecurity in the defence sector
22 Leveraging PAM for effective cyber forensics and breach remediation Getting to know Help AG’s Nicolai Solling on his life inside and outside the office
32 SAFE SURFING
Why securing browsers is crucial for your business
NEWS
KRISTINA TANTSYURA, INFOWATCH GULF
INFOWATCH TO BOOST CYBERSECURITY SKILLS IN THE UAE
CHINA DELETES 7 MILLION PIECES OF ONLINE DATA China’s cyber watchdog has reportedly deleted more than 7 million pieces of online information as well as 9,382 mobile apps, and it criticised tech giant Tencent’s news app for spreading “vulgar information,” according to Reuters. The Cyberspace Administration of China (CAC) said in a statement on its website the action was part of a clean-up of unacceptable and harmful information that started this month, adding that it had also shut down 733 websites. The administration singled out Tencent’s Tiantian Kuaibao news app, saying the platform had been ordered to make changes as it had been spreading “vulgar and low-brow information that was harmful and damaging to the internet ecosystem”. According to reports, the regulator also criticised Huaban, a photo-sharing social
InfoWatch Group has announced that it will launch an international education centre “InfoWatch Academy” in the UAE. The InfoWatch Academy will offer its Middle Eastern customers short-term and medium-term information security training programmes and courses as well as specialised trainings on building Information Security systems in organisations using DLP (Data Leak Prevention) class solutions. The project is aimed at increasing the level of digital competence in the field of information security of specialists and managers in the UAE as well as providing students with trainings on the basics of cyber literacy. Kristina Tantsyura, head, InfoWatch Gulf, said, “Our task is to export not only our technologies, but also our expertise therefore Saudi Arabia’s General Authority for Civil we are launching an education project in Aviation (GACA) has started issuing a new the UAE. The development of InfoWatch electronic service registering and issuing Academy will be carried out in partnership licences for Unmanned Aircraft Systems with leading Russian and foreign education (UAS) drone. institutions and high-tech companies. In the Launching the e-service is part of GACA’s future we intend to duplicate our courses to efforts for achieving a safe airspace and a other countries in the region.” secure environment in accordance with the Among the courses the academy offers strictest international safety are: (Short-term courses – consists of 8-24 standards. academic hours) “Corporate protection GACA pointed from internal threats”, “Public out that the key infrastructure as a basis for electronic e-government”; and (mediumservice for term courses – consists of 40 to registering PROJECTED VALUE OF THE 56 academic hours) “Incident drones REGIONAL COMMERCIAL SECURITY response and computer is user MARKET, WHICH INCLUDES VIDEO crimes investigation”, “Cyber friendly, SURVEILLANCE, ACCESS CONTROL, security of the crypto industry where all AND INTRUSION DETECTION, BY and blockchain” and a course the intended 2024 for children “Digital hygiene & the user has to SOURCE: 6WRESEARCH professions of the future.” do is visit the
network, as having “serious ecosystem problems”. Huaban said on its website its online service had been temporarily taken down for upgrades. Control of the internet has tightened under President Xi Jinping – an effort that has accelerated since 2016, as the ruling Communist Party seeks to crack down on dissent in the booming social media landscape. In November, the CAC scrubbed 9,800 social media accounts of independent news providers for violations that included spreading politically harmful information and falsifying the history of the Communist Party.
SAUDI CIVIL AVIATION AUTHORITY TO BEGIN ISSUING DRONE PERMITS
$7.4 BILLION
4
FEBRUARY 2019
website, fill out the needed information, and follow up the process electronically. Information required by GACA includes a copy of the applicant’s national identity card or iqama, as well as the make and serial number of the drone. The government entity also noted that any formal training in operating a drone will also be considered along with the application. In addition, GACA noted that registration for each drone is required, and permission for each flight is also required. GACA has reportedly received 241 applications within the first 24 hours of opening online registration.
www.tahawultech.com
SECURITY, SAFETY AND FIRE PROTECTION SHOW INTERSEC SETS NEW RECORD IN DUBAI
A new record in visitor numbers has underlined what has been the most successful edition yet for the world’s leading trade fair for security, safety, and fire protection in Dubai. The 21st edition of Intersec, which was held on 22nd January 2019 at the Dubai International Convention and Exhibition Centre, attracted 35,889 visitors from 126 countries, a 23 per cent year-onyear increase over the previous year (29,000 in 2018). Organised by Messe Frankfurt Middle East, Intersec 2019 took up a sprawling 60,000sqm at its Dubai venue, with Fire and Rescue forming the largest section, comprising 431 exhibitors. Commercial Security was the next largest with 375 exhibitors, followed by Safety & Health (142 exhibitors),
Information Security (120 exhibitors), Homeland Security & Policing (90 exhibitors), and Physical & Perimeter Security (54 exhibitors). Andreas Rex, Intersec’s show director, said, “We put in a lot of effort into making this edition of Intersec the most comprehensive yet in terms of increasing the diversity of our exhibitor range and offering a more engaging conference format, while at the same time returning with improved popular highlights such as the outdoor live demonstration area. “A lot of exhibitors used Intersec 2019 to not only announce important strategic business partnerships, but to launch their latest products for the global marketplace. The visitor response has certainly been the most pleasing aspect of the show this year and with the Dubai Expo 2020 coming up, we expect the 22nd edition of Intersec in 2020 to be even more successful,” Rex added. Intersec is supported by the Dubai Police, Dubai Police Academy, Dubai Civil Defence, the Security Industry Regulatory Agency (SIRA), and the Dubai Municipality. A further 35 international government partners, trade associations, and non-profit institutions also participated this year.
WEF NAMES FORTINET AS FOUNDING PARTNER FOR CYBERSECURITY HUB Fortinet has announced the company has been named the first cybersecurity founding partner of the World Economic Forum (WEF) Centre for Cybersecurity and CEO Ken Xie will serve as a member of the Centre for Cybersecurity Advisory Board. “We are proud to be the first cybersecurity company named a founding partner of the WEF Centre for Cybersecurity and look forward to collaborating with global leaders from the private and public sectors
www.tahawultech.com
through our shared commitment to deliver a response to the growing global cybersecurity threat,” said Ken Xie, Founder, Chairman of the Board, and CEO, Fortinet. “The WEF Centre for Cybersecurity is important for global multi-stakeholder collaboration, and serving as a founding partner of the Centre is yet another step forward in our own mission to secure the largest enterprise, service provider, and government organisations in the world.”
INTERPOL NABS FORMER IT HEAD FOR DUBAI SCHOOL The Dubai Police and the Interpol have reportedly arrested the former Head of Information Technology at a school in Dubai. The arrest was made in Italy after an international issued an arrest warrant against him. The former IT head was reportedly accused of hacking and saving the school files and taking advantage of his position to access the data. His arrest came under directives of the Dubai Police Commander-inChief Major General Khalifa Abdulla Al Marri and follow-up of Assistant Commander-in-Chief of Criminal Investigation, Maj. Gen. Khalil Ibrahim Al Mansouri. The data of the school running 18 branches around the UAE included that of the school itself and that of its students. According to reports, Dubai authorities are coordinating with their counterparts in Italy to extradite the defendant.
KEN XIE, FORTINET
As part of its charter, the Centre for Cybersecurity is committed to establishing, activating and coordinating global public-private partnerships to encourage intelligence sharing and the development of cyber norms. It is devoted to collectively developing, testing and implementing cutting-edge knowledge and tools to foresee and protect against cyber-attacks, current and future.
FEBRUARY 2019
5
INSIGHT
STRENGTH IN UNITY CLAUDE SCHUCK, REGIONAL MANAGER FOR MIDDLE EAST & CENTRAL AFRICA, VEEAM, DISCUSSES HOW THE POWER OF PARTNERSHIPS IS DELIVERING BUSINESS VALUE IN A WORLD OF DATA COMPLEXITY.
T
he power of partnerships has become very clear in the digitally disrupted world. Businesses in a whole host of sectors are busily working with technology providers to create innovative and exciting propositions, using the newest technologies. Some partnerships deliver much needed technical expertise, such as Audi working with Huawei on its connected car. Collaborations can also be surprising but despite this stand the test of time, Hewlett-Packard and Disney partnership goes back to when the way back to when Mr. Hewlett, Mr. Packard and Mr. Disney were still involved in the main decisions of their respective companies. Despite coming
6
FEBRUARY 2019
from entirely different industries, their collaboration has allowed both organisations to continually innovate. By contrast, software companies themselves have historically believed that the value of their organisation lies in the software itself, often preferring to go it alone, building walls and creating closed products. Now though, many technologists seek a level of openness from vendors, even those pursuing software that is fundamentality closed or proprietary. To put it simply, software can only truly exist today through partnerships between vendors, and in modern IT environments it is a marriage of storage, compute power, networking and applications that gets the job done.
The cleverness of collaboration When it comes to solving one of businesses’ biggest challenges – making use of data for business growth while simultaneously keeping it safe, there really is only one option; work together. Collaboration is fundamental to success. Modern software must have a mix of interoperability (ability to exchange and work with data from other software), and portability (can run in more than one environment and/ or operating system). And, it must go beyond simple gestures from a software marketing department. Partnerships enable collaborators to draw on each other’s expertise, access wider markets and develop
www.tahawultech.com
innovative, complementary products and services. That’s why it’s estimated that ecosystems could deliver an additional $100 trillion of value for business and wider society over the next 10 years. Perhaps the most important aspect of partnerships is the ability to orient solutions around the customer and what they need. And when it comes to the world of technology, one of the most critical and urgent business needs is being able to access the full value of data. The trouble with data Data can be immensely valuable for every business. Using data, organisations can gain important, actionable business insights, from understanding their customers and what they want through to predicting trends and putting the business in the best position to capitalise on them. Organisations face a huge challenge, however, when it comes to extracting value from their data. It’s not only the sheer volume of data, which is growing all the time, but the fact that it’s spread out across a whole range of databases, cloud providers and on-premise stores. With data scattered across the whole enterprise, it is both much more difficult and critical to ensure data availability for everyone in the business. This is an extremely pressing issue, as businesses face the immense lost opportunity of missing out on insights and flawed analysis. But it’s a challenge that is being addressed through the power of partnerships Delivering data availability Software providers can deliver exceptional data availability for their customers by working together to
www.tahawultech.com
“DATA REPRESENTS ONE OF THE GREATEST OPPORTUNITIES FOR ENTERPRISES TODAY, BUT IT’S EQUALLY ONE OF ITS BIGGEST CHALLENGES.” create a strong digital ecosystem. That means the providers of both cloud and on-premise solutions coming together in one platform, to deliver a seamless experience for the customer. By developing close relationships with partners, data management platforms can provide hypervisor integration, storage integration and interfaces with critical applications, such as Microsoft 365, all in one place. In short, creating this close-knit environment means that data is readily available for customers, no matter where it’s stored in the enterprise, or which endpoints or devices they wish to use to access it. CIOs can gain a view of their organisation’s entire IT infrastructure, benefitting from improved operational efficiency and outcomes. Meanwhile there are advantages for managed service providers too, who can gain management capabilities across disparate providers. Although no one company can deliver comprehensive data availability alone, thanks to collaboration behind the scenes, enterprises can truly benefit from all the data that they hold.
Diverse data protection The ‘hyper-sprawl’ of data today means that organisations do not only face a headache when it comes to accessing their data: it’s also challenging to ensure that all data is recoverable, in the event of an outage, loss, attack or theft. The hybrid cloud and multi-cloud computing environment presents particular data protection challenges. For instance, while cloud vendors offer their own backup, snapshotting and high-availability solutions, those approaches all require that technologists learn and understand vendor-specific services. Again, this is where partnerships between software providers can help. Hardware and software providers can leverage application programming interfaces (APIs) to provide customers with the integration that they need. Businesses then benefit from a single management solution for their data protection, no matter how many providers they use. In essence, this streamlines backup workflows – and creates stronger data protection across the business. United for data Data represents one of the greatest opportunities for enterprises today, but it’s equally one of its biggest challenges. No single provider can provide all the answers when it comes to the issues of data availability and protection in such a diverse IT landscape. Through collaboration, however, the IT community can deliver a seamless and convenient experience for all businesses. Going it alone won’t cut it, but through the power of partnerships software companies can enable enterprises to access and protect their data.
FEBRUARY 2019
7
FEATURE
SECURITY ON POINT FOR THE PAST SEVERAL YEARS, POINT OF SALE (POS) SYSTEMS HAVE BEEN A PRIME TARGET FOR CYBER-ATTACKS, MAKING IT MORE IMPORTANT THAN EVER FOR RETAILERS TO CONSIDER THE SECURITY OF THESE MACHINES AND THE INFORMATION THEY STORE.
8
FEBRAURY 2019
www.tahawultech.com
T
here are few things more embarrassing to a company than being forced to admit that customer payment information has been stolen. It is a situation that many organisations, among them the hotel group Starwood, have faced. Back in 2014, the company, which is now owned by Marriott, had its point of sale (POS) systems hacked, a breach that lasted until 2015 and affected scores of Westin and Sheraton properties. Among the other companies to have been hit in a similar way is a United States-based Italian restaurant chain called B&B Hospitality Group, which midway through last year reported POSrelated breaches at nine of its outlets. The blame was placed on malwareinfected POS devices that allowed customers’ card data to be stolen. The use of malware is typical in hacks aimed at securing card information, according to Rajesh Gopinath, the Dubai-based vice president sales engineering (cybersecurity) Middle East and Africa for the cybersecurity and information security company Paladion. While this type of attack is more common in North America and Europe than in the Middle East, this part of the world is not immune. “It’s not uncommon for these attacks to happen in other regions like the Middle East. There have been many cases in the past where attacks have happened,” he says. Nicolai Solling, the Dubai-based chief technology officer for the cybersecurity consultancy Help AG, says that point-ofsale security is “definitely” a field that many companies are focused on. He works with a number of large retail chains in the region who are trying to ensure that their systems are not vulnerable to attack.
www.tahawultech.com
“All of these ones I’m working with, they have problems around how they secure their point-of-sale systems. That’s a good thing, to see they’re investing money in it,” he says. These companies’ focus on POS security could be driven, says Solling, by the retail chains’ own desire to secure their systems. It could also result from pressure by banks and payment providers to clamp down on fraud. “If you swipe a card, if you want to store anything from the cards, you have to make sure the machines are secure,” says Solling. When POS breaches happen, customers can have their credit card and debit card data stolen, including the key details needed to commit fraud: name, card number, security code and expiration date. POS systems additionally offer criminals the prospect of stealing data that goes beyond such credit card and debit card details. “If you look at the current underground market for hacked information, it’s not just about payment card information,” says Gopinath. “They’re not just after card information, but information about names, date of birth, any other information they can get their hands on. That sells pretty well on the black market,” he says. One reason for this is because, as Trend Micro notes in a research paper, Point-of-Sale System Breaches: Threats to the Retail and Hospitality Industry, POS systems do much more than accept payments. They may also be involved in accounts, managing inventory and keeping track of sales. “POS terminals have many different purposes. They track payment, but it’s not unlikely that this POS system is also telling the mall operator about the performance of your store, and the rent is related to how many people are paying and what the revenue and turnover is,” says Solling.
FEBRAURY 2019
9
FEATURE
“So we have more and more requirements to integrate these POS systems. It means they’re mini computers in all of these stores.” As a result, POS systems are a potential entry point for fraudsters to access a host of sensitive information. They can be used as an way in to a company’s network, to the extent that criminals can even use them to reach, electronically, a company’s headquarters. When it comes to small businesses, the link to the credit or debit card company is often achieved using a cellular data connection. As Trend Micro outlines in its report, with larger businesses the POS device may connect to the company’s internal network, something that will enable it to link up to other back-end systems. It is common for POS terminals to run on Microsoft Windows operating systems such as Windows 7 and Windows XP and, as Solling notes, this can create problems, including the need for updates. “Just because there’s a new patch, you cannot just roll that out. You have an opening where it’s more challenging to maintain these systems,” he says. “A lot of the point-of-sale systems are really old as well. They’re still serving the purpose of a POS system, but the underlying operating system is still a version of Windows that may not be maintained any more. “We’ve had a few vulnerabilities that Microsoft didn’t release patches for Windows XP and Windows 7, so these systems today would be vulnerable to a specific form of attack.”
Rajesh Gopinath, Paladion
“THEY’RE NOT JUST AFTER CARD INFORMATION, BUT INFORMATION ABOUT NAMES, DATE OF BIRTH, ANY OTHER INFORMATION THEY CAN GET THEIR HANDS ON. THAT SELLS PRETTY WELL ON THE BLACK MARKET.” Solling says that security is less complex for a company if all of its POS devices are the same. That allows specialists like Help AG to “harden” the whole system. “We have one client with 6,000 POS terminals all the same. If you [deploy a security solution] on one device and deploy the same security across them all, it’s very beneficial,” he says. Other companies may have 50 or fewer of any one kind of POS terminal, perhaps if they have made an acquisition and not replaced its POS terminals. “And you have a lot of different flavours of POS system; it’s not necessarily a big device on a desk. It can be something in a pocket,” he says. One method of securing POS systems is the use of the Point-to-Point Encryption (P2PE) standard, which prevents criminals from accessing data while it is being transmitted through a merchant’s system. In a briefing paper, Paladion notes that, at the point of interaction (POI), this standard encrypts the data. “Even if it’s stolen, it doesn’t make sense to the hacker. Not many financial
Nicolai Solling, Help AG
“SECURITY IS LESS COMPLEX FOR A COMPANY IF ALL OF ITS POS DEVICES ARE THE SAME.” 10
FEBRAURY 2019
institutions have adopted it [because of] the complexity of implementing such a solution and the cost,” says Gopinath. “There are some alternatives – tokenisation solutions. Even there the adoption is not that great. But there are many providers that provide similar solutions without having to make separate investments. I believe the technique does work, but the adoption is not that great.” Another measure recommended is complying with the Payment Card Industry Data Security Standard (PCI DSS), a set of guidelines on how card information should be handled. “Any organisation that transmits card information should comply if they’re using Visa, Mastercard or Amex,” says Gopinath. “It has 12 requirements for secure storage and processing. It’s pretty detailed based on the controls that enterprises should follow if they’re processing or storing card information.” Another measure to have in place is a system that monitors for, and reacts rapidly to, threats. This is known as managed detection and response or MDR. So, although the threats are many and various, there are myriad measures that can be taken to counter them. This can help companies to secure their customers’ data – and to avoid the kind of nightmare publicity that Starwood and B&B Hospitality Group suffered when their POS systems were compromised.
www.tahawultech.com
REDEFINING technology transformation
+971 4 440 9100
@TahawulTech
info@cpimediagroup.com
www.tahawultech.com
facebook.com/tahawultech
twitter.com/tahawultech
linkedin.com/in/tahawultech
COVER FEATURE
ON GUARD
AN INCONVENIENT TRUTH FACED BY ENTERPRISES TODAY IS THAT THE GROWTH OF CYBER-ATTACKS ISN’T SLOWING DOWN AND HACKERS ARE CONSTANTLY FINDING NEW WAYS TO EXPLOIT WEAKNESSES IN IT ENVIRONMENTS. EXPERTS SHARE INSIGHT ON WHY VULNERABILITY MANAGEMENT IS A VITAL PROCESS IN STRENGTHENING AN ORGANISATION’S SECURITY POSTURE.
12
FEBRAURY 2019
www.tahawultech.com
M
ajor cybersecurity breaches that took place across the globe highlight how crucial vulnerability management
is for any organisation. WannaCry, NotPetya, the Equifax breach and other well-publicised cyber-attacks took advantage of vulnerabilities that could have been easily patched and secured. Vulnerabilities are like holes in a suit of armor - while they do not instantly pose a problem, it’s only a matter of time before they do. Global enterprises have an average of between 18 million and 24 million vulnerabilities across 60,000 assets, according to a study by Cyentia. However, as vulnerabilities alone are not active threats, it becomes a big challenge for organisations to pin point whatneeds to be addressed and prioritised. More often than not, organisations face a plethora of vulnerabilities at any given time. Almost anything can become a vulnerability and a liability to network security such as unpatched operating systems, programmes running old software versions as well as siloed applications plugged into a new network. In addition, attackers may exploit “holes in the armor” that are unknown. An effective vulnerability management programme starts with giving your organisation the tools needed to understand its security weaknesses,
www.tahawultech.com
assess the risks associated with those weaknesses, and put protections in place to prevent a breach. To be truly effective amid the growing number and sophistication of threats, enterprises are increasingly adopting new ways to address security vulnerabilities. “Traditional vulnerability technologies that perform a scan and report, are obsolete by current standards,” says Morey Haber, CTO, BeyondTrust. “These solutions often only present a snapshot in time that does not cover runtime vulnerabilities and intermittent changes that can create transient vulnerabilities; especially in the cloud.” According to Haber, security experts should consider having a Continuous Adaptive Risk and Trust Assessment (CARTA) approach. “This entails a continuous assessment approach that merges multiple technologies, including periodic network scans, agents, and network detection to perform a real time view verses the flaws of traditional vulnerability management.” Given the diverse and volume of vulnerabilities, it’s critical for IT and security teams to delve deeper in their risk assessment. “We have identified four main factors for vulnerability risk management: asset identification; enumeration of assets; prioritisation of patching; and remediation,” says Hadi Jaafarawi, managing director, Qualys Middle East. In addition, threat intelligence is an instrumental tool in detecting threats and performing preemptive patching. “Threat Intelligence is essential for security
FEBRAURY 2019
13
COVER FEATURE
teams to be able to communicate effectively with C-level executives and board members, who are increasingly interested in staying informed about the organisation’s security posture and strategy,” he explains. Having the right insights helps security teams focus on the highest risks to the organisation’s most critical assets. “This helps organisations to prioritise remediation accordingly and eliminate the most serious and pressing threats to an IT environment,” says Jaafarawi. Scanning for vulnerabilities help organisations to determine what is on their network, and how its assets can potentially be at risk. When all else is said and done, the only real consideration is frequency: How often should security teams conduct vulnerability checks? “Organisations often leave critical vulnerabilities unpatched for months, even years as it’s impossible to patch every single vulnerability. Thousands are disclosed every year, and patching systems can be complicated, time-consuming and inconvenient,” explains Jaafarawi, “For batch-based network scans, at a minimum, security teams should conduct vulnerability checks as required by regulatory compliance mandates,” says Haber. “But realistically, these checks should be conducted at least once a month corresponding to the vendor’s patch release cycles or change management actions, whichever is more frequent. For
Hadi Jaafarawi, Qualys Middle East
“ORGANISATIONS OFTEN LEAVE CRITICAL VULNERABILITIES UNPATCHED FOR MONTHS, EVEN YEARS AS IT’S IMPOSSIBLE TO PATCH EVERY SINGLE VULNERABILITY.” dynamic environments, like in the cloud, CARTA is a preferred approach.” Vulnerability scanners can’t always access the information that they need to accurately determine whether a vulnerability exists. This limitation commonly results in false positives. Furthermore, due to the rising volume, widespread exposure and acceleration of long list of major breaches and successful attacks, it’s hard for many businesses and organisations to prioritise remediation consistently and accurately. “The combination of today’s fast changing IT environments, increasingly common vulnerabilities and exploits requires a more automated, continuous and precise approach. Defence methods such as IT asset inventory, vulnerability management, threat prioritisation, and patch deployment all must adapt with new speed and scale to deliver continuous visibility of global IT assets and environments for the realities facing today’s digital business,” explains Jaafarawi. Attackers no longer are targeting only
Morey Haber, BeyondTrust
TRADITIONAL VULNERABILITY TECHNOLOGIES THAT PERFORM A SCAN AND REPORT, ARE OBSOLETE BY CURRENT STANDARDS.”
14
FEBRAURY 2019
the network and operating systems. Hackers have made major strides in making their attacks stealthier and more evasive, making them significantly harder to block and detect, as well as taking advantage of millions of vulnerable and improperly configured systems. Jaafarawi suggests five main requirements for organisation to identify and properly prioritise remediation work, this include: comprehensive and continuous updated view of all IT assets; knowledge of the constant stream of vulnerability disclosures; the ability to correlate external threat information with vulnerability gaps; dashboard tools to visualise the threat landscape; and precise assessments of the organisation’s threat scenarios. “Solutions focused on threat disclosure overload by automating the large-scale and continuous data analysis that the process demands. Such implementations can help correlate real-time threat information against your vulnerabilities and IT asset inventory, giving a clear and comprehensive view of your organisation’s threat landscape,” he explains. Whether your organisation has always followed the fundamental tenets of vulnerability management or is just now putting such systems in place, it is important to understand that this area is constantly changing. As new technologies emerge, it is imperative to be adaptable and be ready to evolve tactics to prevent damage from cyber-attacks.
www.tahawultech.com
27th March, 2019
Habtoor Grand Resort, Autograph Collection, Dubai Marina
Recognising excellence in security Security Advisor Middle East CISO 50 Awards recognise 50 top organisations and the people within them that have delivered groundbreaking business value through the innovative application of risk & security concepts and technologies. Winners will be announced at the CISO 50 awards and conference taking place in Dubai. To submit a nomination, please follow the instructions below and send: • Name of project, brief description including objective • Detailed narrative describing the project • Empirical facts & metrics that demonstrate the initiative’s value • Additionally, you will also be asked to provide details about key contacts in the nominated organisation. Award nominations may be submitted by an organisation, PR agency or a solutions provider. Submission Deadline: 7 March 2019
#CISO50
www.tahawultech.com/ciso50/2019 DIGITAL TRANSFORMATION PARTNER
HOSTED BY
OFFICIAL PUBLICATION
ORGANISER
FEATURE
HOW TO SPOT BAD APPS SECURITY CORRESPONDENT DANIEL BARDSLEY SPEAKS TO INDUSTRY EXPERTS ON HOW END-USERS CAN STEER CLEAR OF MALICIOUS MOBILE APPLICATIONS.
16
FEBRAURY 2019
www.tahawultech.com
O
ver the holiday season at the end of last year, countless people around the world were given new Amazon Alexa virtual assistant devices – and were keen to try
them out. Many went on to the Apple App Store to download a mobile phone app that would show them how to configure their shiny new piece of kit. There waiting for them was a free app, “Setup for Amazon Alexa”, that sounded perfect. Many iOS phone users downloaded the app, making it, at one point, one of the 100 most popular free apps. However, all was not as it should have been. Many of the thousands who gave the app a rating complained that it failed to work properly, leaving them unable to operate their precious Alexas. What is more, some were worried that had made themselves vulnerable to being hacked, as they had provided their device serial number, IP address and other details. Following a flurry of complaints and multiple news stories, Apple ejected the errant app from its official store. Android phone users too have been plagued by fraudulent apps,
www.tahawultech.com
thousands of which have come and gone over the years. Many are simply annoying because of the advertisements associated with them, while others create much bigger problems. According to Dr Tom Chothia, a lecturer in Computer Science at the University of Birmingham in the United Kingdom, “by far” the majority of bad apps will either be stealing personal data from users or plaguing them with advertisements. Such apps are often “relatively low impact” in their effects. “The vast majority of apps out there are making money advertising to people who don’t want to be advertised to. Apps that try to steal money are relatively uncommon,” he says. Bad apps are often put into one of two categories. One category, “potentially unwanted apps”, includes apps with aggressive advertising, says Professor Igor Muttik, CEO of the cybersecurity consultancy Cyber Curio. Also included are tracking apps, which can be abused without the device owner’s knowledge and can report or record location data. Another type of potentially unwanted app that Muttik highlights is one with “little regard” for personal data and that may transmit data “which no sane user would approve if they knew about it”. “[These], essentially, monetise their victims by reselling their data (not
FEBRAURY 2019
17
FEATURE
258.2 BILLION
always personal data, they may re-sell aggregated data),” explains Muttik. A complication when it comes to potentially unwanted apps is, says Muttik, the fact that the majority of free Android apps are supported through advertisements, something facilitated by developers incorporating advertisement libraries into their apps. With potentially unwanted apps, developers take someone else’s advertisement library and bundle into their own app. “Oftentimes they may even bundle several such ad libraries in an attempt
to maximise profit. The developer gets some money from each shown or actioned advertisement, so they try to maximise the profits,” he says. The second main category of bad apps is made up of “malicious apps”, which either directly steal money or attempt extortion. Such extortion approaches include, says Muttik, using ransomware that encrypts precious photos or scares users that their private or sensitive photographs will be leaked unless they make a payment. Only in December media highlighted
Igor Muttik, Cyber Curio
“IT IS MORE EXPENSIVE TO REGISTER AS AN APP STORE DEVELOPER, WHICH TRANSLATES TO A BIGGER LOSS FOR AN ATTACKER WHEN THROWN OUT FOR DISTRIBUTING MALWARE.” 18
FEBRAURY 2019
BILLION APPS ARE EXPECTED TO BE DOWNLOADED WORLDWIDE BY 2022 SOURCE: STATISTA
the effects of two malicious apps that took money from users by getting them to authorise a transaction without realising what was happening. The Fitness Balance app and the Calories Tracker app encouraged users to touch the screen for what was said to be a fingerprint scan. Users would hold their finger down and, in doing so, trigger a payment because the mechanism did not require a double-click. Fortunately, the apps were reported to Apple and removed from the App Store but, as with the Setup for Amazon Alexa app, it showed that even downloads available through official outlets are not always legitimate. Indeed, Muttik says that “it is not going to be a problem” for determined
www.tahawultech.com
attackers to place their apps in the App Store or Google Play despite the vetting that goes on beforehand. This typically includes static analysis (including checking the developer’s reputation, the app history and its similarity to other apps) and dynamic analysis (which involves running an app and observing its actions and network traffic). Muttik says the security of Android and iOS systems are similar from a technological point of view, so the overall safety of each ecosystem reflects how it is managed by Google and Apple. It is, he says, more expensive to register as an App Store developer, which translates to a bigger loss for an attacker when thrown out for distributing malware. In addition, he notes that Android allows installation of apps from thirdparty stores, although the user has to permit this. “For these reasons, most malware is created and distributed outside of controlled stores, as free apps for Android in third-party stores. Malware in App Store or Google Play is rarer,” he says. Researchers such as Professor David Aspinall, a professor of software safety and security from the the University of Edinburgh in the United Kingdom, are making things more difficult still for bad app developers. “App store owners, including Google, Apple and others, work hard to keep bad applications out. Security companies and universities are developing more advanced techniques for automatically spotting bad code,” he says. “At the University of Edinburgh, we’ve developed AI-based techniques which learn the differences in behaviour between good and bad.” One bad app type that users should look out for, says Aspinall, is the “repackaged” version of an ordinary app.
www.tahawultech.com
Dr Tom Chothia, University of Birmingham
“THE VAST MAJORITY OF APPS OUT THERE ARE MAKING MONEY ADVERTISING TO PEOPLE WHO DON’T WANT TO BE ADVERTISED TO. “A repackaged app could be a spoofed version of a very popular application. But we probably don’t see it with the most popular applications, as they are subject to greater scrutiny, and automatic mechanisms watch out for spoofed versions,” he says. “On the next tier, there may be applications that are more obscure but popular – games, for example. There have been prominent examples of games with duplicate versions in the Play Store which contain malware.” User ratings can help to identify bad apps – but they have to be looked at carefully because fraudsters can easily give their apps multiple positive reviews. “For that reason I always recommend to read only negative reviews and base your decisions on them alone,” says Muttik.
CUSTOMERS SPENT
$1.22 BILLION
ON APPS AND GAMES THROUGH THE IOS APP STORE OVER THE HOLIDAY SEASON
Muttik also advises users to pay close attention to the history of the app, such as how new it is, whether the developer has other apps and how they are rated, and the number of users. “This diligence may feel frustrating and even a bit depressing, but it is better to be safe than sorry,” he says. Other strategies include waiting several days or weeks after a new app is launched and then checking the feedback from others. While there are no absolutely foolproof strategies to avoid bad apps, Chothia suggests that users who stick to well-known apps are unlikely to go wrong. “If someone only downloads well-known apps from companies they know from official app stores, generally they’re extremely safe. If you want to download little-known apps, it’s quite hard to stay safe,” he says. An additional precaution Muttik suggests is to install new apps on a separate “footbathing” device, such as an old mobile that has had its data wiped and links to debit or credit cards removed. The app can be run on this to test it out. “Finally, if you are an experienced user and keen to get your hands dirty you can, of course, be more adventurous and check your firewall logs for app communication patterns that raise red flags,” says Muttik.
FEBRAURY 2019
19
INSIGHT
HOW TO SECURE PRINTING DEVICES AND THE HUMANS WHO USE IT BY GARLAND J. NICHOLS, PHD, VICE PRESIDENT, INFORMATION SECURITY, RESEARCH AND PRODUCT DEVELOPMENT, XEROX
“ANYONE WITH THE RIGHT TOOLS CAN INTERCEPT DATA YOU INPUT, SUCH AS PASSWORDS, WHICH ARE TRANSMITTED IN THE OPEN WHEN YOU USE UNSECURE WI-FI.” 20
FEBRUARY 2019
T
he Internet of Things — really the Internet of Everything — has disrupted how we view security. It’s not just locking the front door and installing an alarm system as we do to protect physical things. We must secure every aspect of our digital presence on the Internet to be assured we are indeed secure. Here are a few ways to secure your digital presence along with parallel tips to secure a networked multifunction or single function printer. 1. Apply good passwords and please change them! For your mobile devices, apply
passwords that are difficult to guess. Do this for all accounts that you access online. Some suggestions for creating good passwords: • characters long • Combinations of lower and uppercase letters, numbers and special characters • Don’t duplicate passwords, especially for websites that allow financial transactions such as banks or online shopping. • You should change your passwords periodically. Every thirty days is recommended, but probably difficult to maintain, so determine
www.tahawultech.com
“TODAY PHISHING IS NOT ONLY IN E-MAIL; IT HAS EXTENDED TO CELL PHONES IN THE FORM OF TEXTS ON YOUR PHONE.”
a frequency you’ll stick with. If your “favourite” password is compromised at one website, it can be used to scan thousands of websites to see if there is a successful login. Hackers use the power of computers to compromise passwords; they aren’t personally logging into your accounts one by one. 2. All Wi-Fi is not created equal Are you connecting your mobile devices to free Wi-Fi in public places like coffee shops or airports? If you are, free is not necessarily safe, and your transmitted data is not protected. Such connections are
www.tahawultech.com
meant for convenience, not security. Anyone with the right tools can intercept data you input, such as passwords, which are transmitted in the open when you use unsecure Wi-Fi. Your data is not encrypted from the PC to the Wi-Fi access point. It is only secured once a connection is made with the website via HTTPs. In addition, a hacker can easily create a rogue access point and trick you into connecting. It will look legitimate, but it’s malicious. Everything you access while using it, such as e-mail, social networking accounts and your banking accounts can be compromised. 3. Keep your software up-to-date Ensure that automatic updates are enabled for your mobile devices, especially your home-use PCs. The latest software can protect your information from vulnerabilities that those with malicious intentions can exploit. Software updates on your cell phone are critical but are often
well “after the fact” of identified vulnerabilities. Many carriers test software compatibility with all of the other apps installed on your phone before they deploy them. Those are the apps you have to keep, whether you want them or not. This means any vulnerabilities that might be resolved are not new and may have existed for some time. 4. To click or not to click How often do you get an e-mail that entices you to click on a cute video or an important message from your “friend” or a “business” that requires your immediate action? This might be phishing, the fraudulent practice of sending emails seemingly from reputable companies or individuals in order to induce people to reveal personal information, such as passwords and credit card numbers. Malware can also easily spread by unconscious link clicking, resulting in compromise of your information. Today phishing is not only in e-mail; it has extended to cell phones in the form of texts on your phone. Be wary, pause before you click and ask yourself, would this person just send me something like this out of nowhere? Would my bank ask me to go and log into my account via an e-mail or text with a hyperlink? When in doubt, confirm the sender and the information in the e-mail is legitimate or just delete it.
FEBRUARY 2019
21
INTERVIEW
THE BIG PICTURE
HIKVISION, A GLOBAL PROVIDER OF VIDEO SURVEILLANCE PRODUCTS AND SOLUTIONS, SEEKS TO RE-SHAPE THE PHYSICAL SECURITY MARKET WITH ITS AI-POWERED INNOVATIONS. THE FIRM’S TECHNICAL MANAGER ALAN ZENG SAT DOWN WITH SECURITY ADVISOR ME TO DISCUSS THE FIRM’S VISION AND THE TRENDS THAT ARE FUELING CUSTOMER DEMANDS IN THE SURVEILLANCE SPACE.
W
hat have been some of the biggest highlights at Hikvision over the last year? Last year, Hikvision strengthened its global workforce to reach more than 28,000 employees. Here in the Middle East and North Africa region, we now have close to 300 people on the ground. This has been significant development for us as a company. As for our technology, in 2018 Hikvision has placed significant focus on technologies such as artificial
“MEGA EVENTS SUCH AS THE UPCOMING EXPO 2020 IN DUBAI ARE FUELING DEMANDS FOR THE LATEST SECURITY INNOVATIONS.” 22
FEBRUARY 2019
www.tahawultech.com
intelligence (AI). We have developed and launched AI-powered high-end smart cameras that have key capabilities such as facial recognition, automatic number-plate recognition (ANPR) and behaviour analysis among others. We have also enhanced our entry-level surveillance offerings including EasyIP and TurboHD Analog Camera. How important is the Middle East market for Hikvision? The Middle East is a huge market for us and it has a lot of potential. We are seeing that the security needs of organisations in the region are increasing day-by-day. For one, in the UAE, the government has committed to building a smart city with world-class security solutions. Mega events such as the upcoming Expo 2020 in Dubai are fueling demands for the latest security innovations. In addition, with Saudi Arabia’s Vision 2030 initiative there are numerous construction projects underway many of which require surveillance technologies. How have customer demands for surveillance technologies evolved over the years? Just like with smartphones, more and more end-users seek surveillance cameras that can produce highresolution images. This demand is also driven by changes in government regulations. For example, here in the UAE, entities such as Dubai’s Security Industry Regulatory Agency and Abu Dhabi’s Monitoring and Control Centre have required establishments to use cameras that have 2MP or higher. Demands from the consumer side have evolved as well as users, even those without technical backgrounds, opt for products that deliver clear and more detailed video footages.
www.tahawultech.com
“WE BELIEVE AI IS A GAMECHANGER FOR THE SECURITY AND SURVEILLANCE SPACE.” In addition, harsh weather conditions here in the region are pushing organisations to utilise products that can withstand temperatures that could reach up to 65 degrees without suffering reduced performance. There’s also an increase in demand for cameras with qualities such as anti-corrosion and advanced thermal imaging. A lot of your offerings are integrated now with artificial intelligence. Is that the way forward? We believe AI is a gamechanger for the security and surveillance space. CCTV has long been known for its uses during and after an event. There are hundreds of thousands of cameras that had been installed by various organisations and cities across the globe. However, they typically do not have enough people to monitor them. This makes analysing video data and responding to potential threats a big challenge. AI is very instrumental in addressing this issue. It can help streamline surveillance monitoring as AI-powered systems can perform video analysis and provide alerts with minimal human intervention. AI also has the ability to make predictions, which makes the data valuable even before an incident. Deep learning is also another capability that we are significantly focusing on and have integrated into our offerings. This provides our products with continuous self-learning capabilities that enable them to capture
and analyse large amounts of highquality data as well as deliver human, vehicle and object pattern recognition with high accuracy. What Hikvision smart and safe city offerings are available in the region? We have a wide array of advanced security surveillance devices available here in the region from long range camera to thermal imaging cameras, access control, video management systems and smart home security products. Furthermore, we are looking at introducing our ANPR offerings here in the Middle East. The technology will enable authorities to capture vehicle license plates and provide data such as the owner of the vehicle, whether it is registered in Dubai or Abu Dhabi and the like. It is the ultimate solution for effective traffic surveillance and monitoring. Looking ahead, what do you think will be the biggest technology that will transform the surveillance industry? Currently, everyone is looking at AI and machine learning when it comes to technologies that are disrupting the surveillance market. Another important trend is the Internet of Things. The interconnectivity between multiple surveillance devices and other security solutions will have a big impact on the industry. Looking ahead, we may look at a future where intelligent surveillance systems are in every home across the globe. Imagine having access controls in your homes instead of normal keys. ANPR cameras deployed in neighbourhoods, which will send alerts to your security system and open your garage door automatically when you reach your house. Any alarm triggered can also be controlled using only your mobile devices.
FEBRUARY 2019
23
FEATURE
DIGITAL FRONT LINES AS MILITARIES INCREASINGLY MOVE DATA TO THE CLOUD, HOW CAN GOVERNMENTS MAINTAIN THE CYBERSECURITY OF THEIR DEFENCE FORCES IN THE ERA OF DIGITISATION? SECURITY CORRESPONDENT DANIEL BARDSLEY REPORTS.
24
FEBRAURY 2019
www.tahawultech.com
W
eaponry has come a long way since the first cannon were used as far back as the Song Dynasty in 12th century China. Rather than being based around gunpowder and crude projectiles, today’s weapon systems are pushing the frontiers of electronic and computing sophistication. With this complexity – and the automation and connectedness that accompanies it – comes risk, including cybersecurity vulnerabilities. Any weapon system that depends on software could be targeted, and the potential significance of a successful hack can hardly be overstated: missions can fail and people can be killed. The United States has overwhelmingly the biggest defence budget in the world at more than $600 billion (Dh2.20 trillion) a year, several times the officially declared expenditure of the second-placed country, China. But being the biggest does not provide immunity to cyber vulnerabilities, as a 2018 United States Government
Accountability Office (GAO) report, Weapon Systems Cybersecurity: Department of Defense just beginning to grapple with scale of vulnerabilities, makes abundantly clear. “Although GAO and others have warned of cyber risks for decades, until recently the Department of Defense did not prioritise weapon systems cybersecurity,” the report says. Not mincing words, the report describes the department as having a “nascent understanding of how best to develop more cyber secure weapon systems”. If the US faces such problems, it seems likely that many less wellfunded militaries have them in at least equal measure. Dr David Roberts, a security and defence analyst at King’s College London who specialises in the Gulf region, says that cybersecurity and other technological vulnerabilities were an “egregious” – highly serious – concern for the world’s defence forces. With modern weapon systems it was often, he says, a case of “layering technology upon technology upon technology”. “Just in terms of the numbers, the increasing numbers of vulnerabilities. I think that’s a pretty big concern that has to be considered,” he says. As the GAO report highlights, the potential vulnerabilities are many and various.
Dr Emma Garrison-Alexander, University of Maryland University College, USA
“LEADERS ARE ALWAYS HAVING TO BALANCE THE RISK OF CYBERSECURITY AND OTHER RISKS AS TO WHERE TO MAKE INVESTMENTS.” www.tahawultech.com
One problem is the use with weapon systems of open-source or standard commercial software, or industrial control systems, not designed for secure environments. Misconfiguration may lead to security controls for weapon systems being bypassed. Vulnerabilities may also be created by weaponry being linked to external systems, such as those for navigation. The use of USB devices and compact discs mean that even systems that do not connect to the internet are vulnerable. Obvious though it sounds, the fact that systems are under the control of people is another vulnerability. Sometimes even basic precautions, such as the choosing a password carefully, are not taken. While the GAO said that testers in the United States were often able to take control of weapon systems even without sophisticated tools, Morey Haber, who has extensive experience of military cybersecurity, says the fact that vulnerabilities could be found may be an issue of timing. “I would disagree with part of that report. Acceptance unit tests would’ve been tested for vulnerabilities. The government would not have signed off with known vulnerabilities. The problem is age,” says Haber, who began his career developing military simulators and is now the chief technology officer of the cybersecurity company BeyondTrust. “The government takes over a system now. In six months’ time, if it’s not patched, it’s going to have vulnerabilities. It’s how do you keep it up to date against cybersecurity risks.” One notable characteristic of military systems is their shelf life, which can frequently be measured in terms of decades, far longer than a typical civilian system would be designed to last for.
FEBRAURY 2019
25
FEATURE
CYBERSECURITY SKILLS SHORTAGES AND THE DEFENCE SECTOR The shortage of skilled professionals across the cybersecurity industry shows no signs of easing, with the number of organisations with a lack of expertise reportedly increasing. Estimates on the total personnel deficit are going up annually, with one forecast suggesting that there will be 3.5 million unfilled roles by 2021. The recent United States Government Accountability Office report Weapon Systems Security points to a particularly acute shortage in the defence sector. “Programme officials from a majority of the programmes and test organisations we met with say they have difficulty hiring and retaining people with the right expertise,” the report says. One factor is the overall shortage of people trained in cybersecurity, but another issue is private sector competition: industry can pay higher salaries than government. Often, the report states, people will gain
Sometimes being based on technology that might be considered obsolete in other contexts can bring benefits. “There was a report about five years ago that the US military’s nuclear arsenal still booted from 10-inch floppy disks,” says Haber. “It doesn’t connect to any network. It doesn’t have USB ports. You cannot send an email to it. Unless you have an insider threat in a missile silo, there’s no risk. They recommended not changing the technology.” Perhaps more often, however, there is a tension between updating or patching a piece of software and the difficulty of doing so, especially in a military context.
26
FEBRAURY 2019
experience in defence programmes, then leave to make more money in the private sector. Institutions such as the University of Maryland University College, an accredited distance-learning university in the United States, are at the frontline of efforts to train cybersecurity professionals. Many of those studying with the institution are serving military personnel. According to Professor Emma Garrison-Alexander, vice dean of the cybersecurity graduate programme, the skills needed in cybersecurity in defence are largely the same as those needed in cybersecurity in industry. “There’s probably about 90 percent overlap. A large part [of what is needed in military cybersecurity] is what’s needed for civilian,” she says. “You need to understand how to protect yourself and to do that, you need to understand your adversary.” The university has a range of current
“YOU NEED TO UNDERSTAND HOW TO PROTECT YOURSELF AND TO DO THAT, YOU NEED TO UNDERSTAND YOUR ADVERSARY.” As a result, sustainability problems are central to the issue of military cybersecurity.
and ex-military personnel enrolled on courses. Some serving military personnel want to improve their skills in cybersecurity and apply them in their current roles. There are also ex-military personnel who are keen to move into cybersecurity. “There’s a mix. There are people who have worked directly in cybersecurity as part of their military responsibilities. There are some in related fields, maybe IT, computer science, engineering – they want to get into cybersecurity because they want to protect the nation,” says Dr. Garrison-Alexander. “And a third group: career-changers. They’re doing something totally different. They want to be part of the cybersecurity solution for the nation. They want the appropriate education and training.” With demand for cybersecurity professionals set only to increase, those taking courses are unlikely to find themselves short of opportunities.
While the GAO report made some pointed comments about the level of cybersecurity prioritisation in the American military, financial realities mean that, perhaps, such issues will always develop. Dr Emma Garrison-Alexander, vice dean of the cybersecurity graduate programme at the University of Maryland University College in the United States, says that there will always be “competing priorities” in the military. “There are always more demands than resources. Leaders are always having to balance the risk of cybersecurity and other risks as to where to make investments,” she says.
www.tahawultech.com
INSIGHT
AT YOUR FINGERTIPS MOREY HABER, CTO, BEYONDTRUST, SHARES INSIGHTS INTO HOW ORGANISATIONS CAN LEVERAGE PAM FOR EFFECTIVE CYBER FORENSICS AND SECURITY BREACH REMEDIATION.
28
FEBRUARY 2019
www.tahawultech.com
N
o one wants to respond to a security incident or a breach, particularly at the start of a new year! Instead the highest priority should be to stop a cyberthreat before it compromises the organisation. But in reality, preventing a cyberattack from landing is not always possible. The steps for incident or breach identification - from threat hunting to searching for explicit Indicators of Compromise (IoC)—are well established. While the processes will vary from organisation to organisation, malware, compromised accounts, lateral movement, etc. will all need to be addressed as a part of any formal clean-up plan. If a breach is severe enough organisations may have no choice other than to reinstall the entire environment from scratch. While that is a worst-case scenario, it does happen. In many cases, businesses may choose to scrub servers as best as possible versus performing a complete reinstall. That is a business decision based on risk, feasibility, and cost. It also represents a no-win scenario if the threat is a persistent presence that uses techniques to evade traditional identification measures. If you think that is far-fetched, just look at the history of threats like rootkits, Spectre, and Meltdown that prove that there is always a way to attack a technology resource. Threat actors are after your credentials Regardless of your remediation strategy, you can be assured that, via some fashion or another, threat actors will have access to your credentials. This implies that any clean-up effort should not reuse any existing passwords or keys. If possible, you should change (rotate) all credentials across every affected or linked resource. This is where Privileged Access Management (PAM) comes into play. The clean-up or redeployment needs to be protected
www.tahawultech.com
from password reuse or from a threat actor regaining a persistent presence due to poor credential management, as remediation efforts begin. Password management is a core aspect of PAM, and includes the automatic onboarding, rotation, session management, reporting, and check-in and check-out of passwords from a password safe. While PAM technology is most prominently used for privileged passwords like administrator, root, service accounts, and DevOps secrets, it can also be used as a least privilege solution to remove administrative rights for applications and tasks. This means that end users would no longer have, or need, a secondary administrator account to perform business functions.
protect against future threats. • Analyse the accounts that have been compromised and determine the least amount of privileges needed for them to perform their functions. Most users and system accounts do not require full domain or local administrator or root accounts. • Analyse how data was used/accessed by the attacker during the breach. Was any IoC data captured during abuse of the privileged account? If data was captured, did it help identify the threat? If data was not captured, determine what needs to change to monitor future misuse of privileged accounts. This includes privileged account usage as well as session monitoring and keystroke logging, where appropriate.
“ANY CLEAN-UP EFFORT SHOULD NOT REUSE ANY EXISTING PASSWORDS OR KEYS.”
This analysis is not trivial. Tools are needed to discover accounts, identify resources, determine usage patterns, and, most importantly, flag any potential abuse. Even if all the log data is sent to a security information and event management (SIEM), it still requires correlation or user behaviour analytics to answer these questions. Once you have made the initial investigation, here are the five ways PAM can help after a breach and should be considered an essential component of your clean-up efforts: 1. After a discovery, automatically onboard your privileged accounts and enforce unique and complex passwords with automatic rotation for each. This will help ensure any persistent presence cannot repeatedly leverage compromised accounts. 2. For any linked accounts, have your PAM solution link and rotate them all together on a periodic schedule; including for service accounts. This will keep the accounts synchronised and potentially isolated from other forms of password reuse.
PAM’s role in clean-up after a breach With this mind, how does PAM help with security breach clean-up? During a security incident or breach, you first need to investigate and address the following: • Determine which accounts were compromised and used for access and lateral movement. • Determine the presence and resources using any linked, compromised accounts. For example, the same account that was compromised on asset X or application Y is also used on assets A, B and C for applications D, E and F so they can all communicate. • Identify and purge any illicit or rogue accounts created by the threat actor. • Identify, and remove or segment, any shadow IT, IoT, or other resource that was part of the cyberattack chain, to
FEBRUARY 2019
29
INSIGHT
3. When applicable, remove unnecessary privileged accounts all the way down to the desktop. This includes any secondary administrator accounts associated with an identity. For any application, command, or task that requires administrative rights, consider a least privilege model that elevates the application--not the user—to perform privileged management. 4. Using PAM, look for IoCs that suggest lateral movement, either from commands or rogue user behaviour. This is a critical portion of the cyberattack chain where PAM can help identify whether or not any resources have been compromised. 5. Application control is one of the best defenses against malware. This capability includes looking for trusted applications that are vulnerable to threats by leveraging various forms of reputation-based services. PAM
30
FEBRUARY 2019
“PAM WILL HELP STOP A THREAT ACTOR FROM ACTING ON SOME OF THE LOWEST HANGING FRUIT WITHIN YOUR ORGANISATION – POOR PASSWORD AND CREDENTIAL MANAGEMENT.” can help here too. Decide on an application’s runtime based on trust and known risks before it is allowed to interact with the user, data, network, and operating system.
PAM should not only be considered for new projects and legacy systems to stop privileged attack vectors. It should be considered for forensics and remediation control after an incident or breach. PAM will help stop a threat actor from acting on some of the lowest hanging fruit within your organisation–poor password and credential management. As a security best practice, privileged access should always be limited. When a threat actor gains administrator or root credentials, they do have the keys to your kingdom. The goal is stop them from obtaining them and “rekeying” the accounts via passwords on a frequent basis, so even if they steal a password, their usage can be limited and monitored for potential abuse. Therefore, after an incident or breach, this helps ensure that any lingering persistent presence can be mitigated and represents a valuable methodology in the clean-up and sustainment process.
www.tahawultech.com
A CLOSER LOOK What’s the one thing you can’t leave the house without? The romantic answer would be ‘a hug from my kids and my wife’. Though practically, I must admit that it is my phone – as it has become a very close companion that I depend on for work and other activities.
What’s the last gadget/tech item you purchased? Admittedly, I am a sucker for gadgets, so don’t get me started! I am especially intrigued by crowdsourcing such as Kickstarter and Indiegogo. From these platforms I have bought everything from an Internet Connected Coffee Machine, a guitar which does backing tracks when you play, to a high-tech toothbrush.
If you’re not working in the tech industry, where would you be? Definitely doing something related to food – I love to cook and also enjoy food – it is one of the things I wish I have more time for.
GETTING TO KNOW NICOLAI SOLLING, CTO, HELP AG, ON HIS LIFE INSIDE AND OUTSIDE THE OFFICE.
At what age did you own your very first mobile phone? What model was it? Whoaa! That is a good question: I think it would have been back in 1997 or so. The brand was called Dancall, a Danish supplier, which delivered handsets based on a technology called NMT and then later switched to GSM. The brand doesn’t exist anymore.
Who can you say is your inspiration? I would like to say something deep and profound here, but there are so many things that inspire me on a day to day basis, be it books on my kindle, podcasts that I listen to or news feeds on my devices.
What’s the last thing you do before you leave the office? I say goodbye to my colleagues – the same way as I try to say good morning to everyone here. If I am the last one to leave, I will turn off the lights for those who forgot.
What’s the best part of your job? I love engaging with people. There is a lot of technical stuff around me which I obviously like, but it is people who make me wake up with a smile every single day.
ABOUT Nicolai Solling is the CTO at Help AG Middle East. 41 years of age, he is a dedicated father and husband. He has been engaged with technology from the early age of 8 when he got his first PC. He has been dealing exclusively with the security aspects of IT for over 20 years – the last 11 of which have been at Help AG Middle East. Apart from technology and cybersecurity, he is passionate about food and music.
www.tahawultech.com
FEBRUARY 2019
31
INSIGHT
SAFE SURFING BY GIRIDHARA RAAM M, MARKETING ANALYST, MANAGEENGINE
32
FEBRUARY 2019
B
rowsers have become an integral tool many of us use several times throughout the day, both for work and personal reasons. Since cloud computing has become the new norm, a simple vulnerability in your browser or a phishing attack can pave the way for cybercriminals to take control of your browsers and, in some cases, access corporate data. As Paul Herbka, senior product manager at GCI General Communication said, “Security in IT is like locking your house or car—it doesn’t stop the bad guys, but if it’s good enough they may move on to an easier target.” Why is browser security so important? Most industries rely on web applications, with the average employee spending 21 hours of their work week online. Unfortunately, not all browser use at work is carried out on enterpriseapproved platforms. According to a survey conducted by International Data Corp (IDC), 30-40 percent of internet
www.tahawultech.com
access in the workplace is spent on nonwork-related browsing. On top of this, a staggering 60 percent of all online purchases are made during work hours. This increased nonwork-related browsing activity has led many IT security teams to focus on browser and port security. Proper browser security management can not only help enterprises defend against webbased threats, but it can also improve employee productivity by only allowing users to access approved sites. Escaping web-based cyber-attacks There are many types of cyber-attacks, but most of them, including web-based trojans and cryptomining malware, hide within browsers. Phishing has proven to be a prominent technique used by cybercriminals to breach corporate networks. A simple phishing email with a malicious attachment could cause chaos if downloaded or opened, as they commonly contain worms, trojans, ransomware, cryptominers, or other dangerous files. Even enterprises that are careful about keeping their network applications up to date often forget about updating the addons installed in their browsers. These add-ons can easily become outdated, leaving the door open for browser-based takedowns like man-in-the-browser and boy-in-the-browser attacks. Users browse different webpages based on their jobs’ demands. Some webpages may look legitimate, but can actually automatically download malicious content straight to the user’s device and spread across the network through open, vulnerable ports. To top this off, phishing and malicious websites aren’t the only web-based threats to worry about; there’s also cryptojacking, cross-site scripting, outdated JavaScript takedowns, and more. If IT admins have the right browser security options for monitoring add-
www.tahawultech.com
“PROPER BROWSER SECURITY MANAGEMENT CAN NOT ONLY HELP ENTERPRISES DEFEND AGAINST WEBBASED THREATS, BUT IT CAN ALSO IMPROVE EMPLOYEE PRODUCTIVITY.” ons, then they can easily avoid things like malicious extensions, cross-site scripting, and outdated browser vulnerabilities. Preventing data leaks in browsers There are several ways web browsing can lead to corporate or personal data leaks. One of the biggest risks is users uploading confidential documents to third-party sites. Employees can also take screenshots of internal corporate webpages through a browser or execute print page options to export confidential data. Autofill, while convenient for users, can also cause problems. For example, if a user has enabled autofill in their browser, cybercriminals can use phishing to steal users’ autofilled data when they fill out forms on third-party websites. Aside from traditional USB-based attacks and hard drive theft, browsers have become the primary entry point for all other data leaks. Simply disabling the autofill option or preventing file uploads on all end user devices can greatly benefit corporate data security. Preventing cyberslacking Adding to concerns over browser and data security, enterprises need to reign in cyberslacking and prevent employees from wasting company time and resources. That means restricting employees from visiting unwanted websites, downloading unwanted
software, and adding anonymous extensions to browsers. According to a survey conducted by Staff Monitoring, cyberslacking accounts for 30-40 percent of lost productivity. Another report from Interaction states that with 41 percent of UK-based employees admitting to nonworkrelated internet surfing during work hours exceeds three hours per week, finding the right browser security and management tool can be a huge advantage for any business. How browser security benefits your business Center of Internet Security (CIS) states that browser security is a critical security control for effective cybersecurity. Here are some ways establishing browser security can benefit your organisation: • Secures corporate data • Reinforces cloud computing security • Avoids browser-based cyber-attacks altogether • Monitors your users and their browser behaviour • Improves employee workplace productivity Proper browser security procedures not only add an extra layer of security to your enterprise, but they also give you total control over your network browsers to prevent cyberslacking and increase productivity.
FEBRUARY 2019
33
ON THE WATCH
ONLINE EDITOR ADELLE GERONIMO SHARES HER VIEWS ON THE LATEST DEVELOPMENTS IN THE SECURITY LANDSCAPE.
A CLEAR VIEW T
he video surveillance industry has rooted all the way back to the 1940s when closed circuit television (CCTV) was invented. Since then, the video surveillance market has evolved as industry demands change and technologies progress. What primarily functions as a tool used by government and law enforcement entities is now commonplace in everyday establishments. Video surveillance applications can now be found being used in places where we work, shop, eat and live. In the Middle East, the physical security market is expected to be valued at $10.9 billion by 2020, from its 2014 level of $3 billion, growing at a
34
FEBRUARY 2019
phenomenal 23.7 per cent, according to global analysts Frost and Sullivan. It has also been predicted that the Middle East will represent 10 percent of the global security market by next year. At Intersec Dubai, last month, a number of industry experts have pointed out that video surveillance technologies will continue to play a vital role in the region as organisations progress in their digitisation initiatives. Furthermore, with regional governments focusing on developing smart and safe cities there is now more than ever a need for increased for solutions that will deliver value beyond security. This puts emphasis on the need for shifting attitudes away from considering network cameras as a commodity and more as a significant component of a solution that can add true business value. At the show, experts have also echoed how technologies around artificial intelligence and machine learning are disrupting the video surveillance space. After all, AI applications are
now increasingly becoming prevalent across a variety of industries including healthcare (diagnosing illnesses and improving medical services), transportation (traffic monitoring) and public safety (facial/behavioural recognition) among others. It’s very encouraging how advances in AI is augmenting how cities are kept safe. AI-powered solutions could allow real-time monitoring and help security teams identify issues before they become problems. Meanwhile, machine learning, or even deep learning could help organisations monitor behavioural patterns and automatically flag any irregularities, thereby providing more accurate and safe surveillance. As with any technology, it is not without any challenges. Many have raised issues on privacy, however, with proper regulations and collaboration between citizens and, private and public sector firms AI-powered surveillance will definitely make our cities safer as well as smarter.
www.tahawultech.com
Gartner’s Top 10 Strategic Technology Trends for 2019 Intelligent #1
Digital #2
#3
Autonomous Things
#4
Digital Twins
#5
AI-Driven Development
Blockchain
#6
Empowered Edge
Augmented Analytics
#7
Mesh
#8
Smart Spaces
#9
Immersive Technologies
Ethics & Privacy
#10 Join us at Gartner Symposium/ITxpo 2019 to learn about Gartner’s technology trends, if they will work for you and how to implement them.
Gartner Symposium/ITxpo 2019 Dubai, UAE / 4 - 6 March gartner.com/me/symposium / #GartnerSYM
© 2018 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner and ITxpo are registered trademarks of Gartner, Inc. or its affiliates. For more information, email info@gartner.com or visit gartner.com.
Quantum Computing
#CyberSecurityME
SANS CYBER SECURITY MIDDLE EAST SUMMIT & TRAINING 4 APRIL 2019, ABU DHABI
Join SANS at the first SANS Cyber Security Middle East Summit and Training at the Fairmont Bab Al Bahr hotel. This event will be the first in a series of SANS Summits to be held in the Middle East. Share ideas with likeminded security professionals, and get insights from industry experts on what threats you need to prepare for in 2019. In addition to the Summit, world-class SANS training courses are being offered to help you expand your information security expertise. The following courses will be given: SEC 530 Defensible Security Architecture
SEC 560
FOR 572
Network Penetration Testing and Ethical Hacking
Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
ICS 515 ICS Active Defense and Incident Response
To book your place, visit www.sans.org/ME-Summit +44 203 384 3470
emea@sans.org
@sansemea