Security Advisor Middle East | Issue 13


ISSUE 13 | JANUARY 2017 www.securityadvisorme.com

Cover stories: Ransomware | Information security programme | Seclore predictions

ACCESS GRANTED: Why identity and access management should be treated as a critical security resource


WE ENSURE YOUR BEST-KEPT CORPORATE SECRETS REMAIN JUST THAT.

Corporate cyber espionage threatens to compromise everything an enterprise stands for. The ability to intercept an attack can make all the difference between success and failure. At DarkMatter, the world’s brightest minds are helping the region’s largest companies stay ahead of evolving cyber threats. Whatever the scope, scale and sensitivity of your work, we offer the full spectrum of solutions to safeguard your crown jewels. Take your first step towards genius: contactus@darkmatter.ae



CONTENTS

06 THE IDENTITY CONUNDRUM
With identity emerging as a new attack surface, it should be managed and monitored as a critical resource rather than as a basic access provisioning function.

12 WHAT’S IN STORE?
Vishal Gupta, Founder and CEO, Seclore, shares the company’s top six data security predictions for 2017.

16 COMBATING BREACHES
CTM360 CEO Mirza Asrar Baig talks about the ways organisations can tackle cyber threats in real time.

18 CREATING SAFE ENVIRONMENTS
Azeem Aleem, Director, Advanced Cyber Defence Practice EMEA, RSA, talks about the trends that will shape the cybersecurity landscape this year.

21 THE CHANGING BATTLEFIELD
Amit Roy, Executive Vice President and Regional Head EMEA, Paladion, examines fundamental strategies organisations can adopt to keep pace with rapidly evolving threats.

26 KNOW YOUR (CYBER) ENEMY
Understanding who the hackers are and what they want is key to minimising the impact of a network security breach.

32 RANSOMWARE: AT YOUR SERVICE
Stu Sjouwerman, CEO, KnowBe4, breaks down what Ransomware-as-a-Service is and shares best practices to protect your organisation.

MASTHEAD

FOUNDER, CPI MEDIA GROUP: Dominic De Sousa (1959-2015)

EDITORIAL
Group Editor: Jeevan Thankappan, jeevan.thankappan@cpimediagroup.com, +971 4 440 9129
Editor: James Dartnell, james.dartnell@cpimediagroup.com, +971 4 440 9153
Online Editor: Adelle Geronimo, adelle.geronimo@cpimediagroup.com, +971 4 440 9135
Deputy Editor: Glesni Holland, glesni.holland@cpimediagroup.com, +971 4 440 9134

DESIGN
Senior Designer: Analou Balbero, analou.balbero@cpimediagroup.com, +971 4 375 5680
Designer: Neha Kalvani, neha.kalvani@cpimediagroup.com, +971 4 440 9159

ADVERTISING
Group Sales Director: Kausar Syed, kausar.syed@cpimediagroup.com, +971 4 440 9138
Sales Manager: Merle Carrasco, merle.carrasco@cpimediagroup.com, +971 4 440 9147

CIRCULATION
Circulation Manager: Rajeesh M, rajeesh.nair@cpimediagroup.com, +971 4 440 9119

PRODUCTION
Production Manager: James P Tharian, james.tharian@cpimediagroup.com, +971 4 375 5673
Operations Manager: Shweta Santosh, shweta.santosh@cpimediagroup.com, +971 4 440 9107

DIGITAL SERVICES
Web Developers: Jefferson de Joya, Abbas Madh
Photographers: Charls Thomas, Maksym Poriechkin
webmaster@cpimediagroup.com, +971 4 440 9100

Published by CPI Media Group. Registered at Dubai Production City, DCCA, PO Box 13700, Dubai, UAE. Tel: +971 4 440 9100, Fax: +971 4 447 2409. Printed by Printwell Printing Press. Regional partner of

© Copyright 2017 CPI. All rights reserved. While the publishers have made every effort to ensure the accuracy of all information in this magazine, they will not be held responsible for any errors therein.


NEWS

PEGASUS, A DARKMATTER COMPANY, SIGNS MOU WITH DUBAI POLICE
DarkMatter has announced that Pegasus, a DarkMatter company, has signed a Memorandum of Understanding (MoU) with Dubai Police to provide a Big Data platform on which custom analytic solutions will be developed to help solve and prevent crimes and make citizens safer. Under the MoU with Dubai Police, Pegasus will assist police authorities in maintaining safety and security in the emirate by applying both technology tools and professional services to create an ecosystem for producing high-value and high-impact information to drive decision-making. Faisal Al Bannai, DarkMatter Founder and Chief Executive Officer, said, “This agreement is an enormous endorsement of DarkMatter’s technical capabilities, and we are looking forward to partnering with Dubai Police in developing and utilising innovative Big Data and analytics tools to create a safer living environment for all citizens. We applaud Dubai Police’s proactive adoption of cutting-edge technology, and we see huge benefit from leveraging timely and actionable information to help solve and prevent crime. We are proud to be a UAE-headquartered technology specialist that is able to provide the authorities with this level of fundamental capabilities.”


SANS TO HELP ME ORGANISATIONS DEVELOP CYBERSECURITY SKILLS
SANS Institute has opened registrations for ‘SANS Dubai 2017’, a training event featuring three cybersecurity training courses, taking place from 28th January to 2nd February 2017. The instructor-led classroom sessions feature a mix of security courses covering continuous monitoring, web app penetration testing and ICS/SCADA. Each of the three SANS courses will be led by a SANS instructor who promises to ensure that participants receive intensive and hands-on experiences. “The Middle East is facing an acute shortage of qualified and certified cybersecurity professionals. We are providing businesses with a convenient and effective means to rapidly ramp up the technical skill-sets within their organisations,” said Ned Baltagi, Managing Director, Middle East and Africa, SANS. “SANS Dubai 2017 features courses that specifically address key security challenges that plague the region. These courses will impart a great deal of knowledge and real-world experience, and will best prepare attendees for the GMON, GWAPT and GICSP Certifications.” The courses that will be offered include SEC542: Web App Penetration Testing and Ethical Hacking, SEC511: Continuous Monitoring and Security Operations and ICS410: ICS/SCADA Security Essentials.

HID GLOBAL LAUNCHES NEW IAM SOLUTION
HID Global has announced the launch of the “first end-to-end identity access management solution” that enables government agencies and other organisations requiring higher security to use a single credential for accessing doors, IT systems, networks and data. According to the company, its new HID PIV (Personal Identity Verification) solution provides complete identity lifecycle management, from identity proofing plus secure credential issuance and use, to de-provisioning of these credentials. Through the new solution, organisations are now able to unify physical and IT security systems to create a far more seamless experience for users, while also offering strong authentication applying trusted credentials and other advanced security capabilities that are easier to procure, deploy and maintain. “HID PIV represents the industry’s first comprehensive IAM solution that provides trusted identities for accessing both IT and physical domains,” said Brad Jarvis, Vice President and Managing Director, IAM Solutions, HID Global. “HID Global continues to develop fully integrated solutions across our portfolio of products and provide a convenient and trusted experience for our customers.” HID PIV aims to help government agencies and other regulated industries such as banking, healthcare, and transportation to improve their overall security posture and consolidate physical and IT security. The company’s PIV-based solution allows organisations to use strong cryptographic credentials for users to digitally sign emails or documents, decrypt emails or files, use full disk encryption and boot protection to secure laptops, protect sensitive print jobs with secure printing and leverage many other security capabilities.


PALADION: MOBILE APPS POSE BIG RISKS FOR REGIONAL BUSINESSES
Paladion has highlighted that the increased uptake of enterprise mobility solutions has increased internal and external threats such as data leakage and network infringement. According to the study, the increased adoption of enterprise mobility solutions by a growing number of businesses has created a new avenue for sophisticated cybercriminals to launch their attacks. “As businesses capitalise on new opportunities by providing mobility services, they continuously face security breaches,” explained Rajat Mohanty, CEO and Co-Founder, Paladion. “A recent study by Paladion found that 90 percent of mobile banking applications, for instance, have serious security problems that could potentially compromise user data.” According to Mohanty, the increase in mobile penetration and the massive growth of an unregulated app market on Android-based devices have enabled cybercriminals to introduce infected applications to organisations like banks. In order to put an end to such security issues, securing remote access through mobile devices and protecting the data and applications on those devices becomes critical for organisations in the region. “Mobility initiatives should be a collaborative effort between management and the CISO to map out policies and objectives and ensure they are aligned with operational imperatives, digital strategy, and IT architecture developments. Third-party expertise can be massively beneficial in this rapidly evolving area, so organisations should not hesitate to engage their trusted security partners in determining requirements and planning deployments,” added Mohanty.

INFOBLOX, QUALYS PARTNER TO BRING ENHANCED THREAT PROTECTION
Infoblox and Qualys have announced that they have joined forces to provide enterprises with powerful network visibility to better safeguard organisations from cyber threats. Under the expanded technology partnership, Infoblox, the network control company that provides Actionable Network Intelligence, will integrate its solutions into the Qualys Cloud Platform. Corporate networks are becoming increasingly complex and use diverse deployment architectures, including physical, virtual, and private/public clouds. With the proliferation of the Internet of Things (IoT), analysts project there will be 20 billion devices connected to the Internet by 2020, up from 10 billion in 2015. Together, Infoblox and Qualys aim to enable security and incident response teams to leverage the integration of vulnerability scanners and DNS security to enhance network visibility, automate remediation, and share intelligence to improve the efficacy of security investments customers have already made. “Cybercriminals rely on critical network infrastructure such as DNS to infect devices, spread malware and steal data, and the longer it takes to discover, the higher the cost of damage,” said Scott Fulton, Executive Vice President, Products, Infoblox. “Sharing Actionable Network Intelligence with the Qualys Cloud Platform provides our joint customers unparalleled visibility into every connected device and end host on corporate networks. The rich context and out-of-the-box integration accelerate remediation and allow customers to effectively manage risk.” According to Fulton, by combining Infoblox’s DNS technology with the Qualys Cloud Platform, organisations can automate scanning when new devices join the network or when malicious activity is detected.

FIREEYE SIGNS PARTNERSHIP WITH INGRAM MICRO
FireEye has announced that it recently signed a strategic partnership agreement with Ingram Micro. As part of the agreement, Ingram Micro is authorised to distribute all FireEye products and solutions in the Gulf countries, Egypt, Libya, Lebanon, Jordan, the French-speaking North African countries Morocco, Tunisia and Algeria, as well as South Africa. FireEye provides a variety of solutions for data centre security, industrial systems and critical infrastructure security, enterprise network security and endpoint security, as well as solutions for small and midsize businesses. “Organisations in the region can benefit from a partner to help them contend with an ever-evolving threat landscape and fend off increasingly sophisticated adversaries,” says Mohammed Abukhater, Regional Director for the Middle East and Africa, FireEye. “We are pleased to partner with Ingram Micro and believe that with this partnership, we can help enterprises improve their security posture and take a more holistic approach to cybersecurity.”

36% of online banking attacks in 2016 target Android devices. Source: Kaspersky Lab


FEATURE

THE IDENTITY CONUNDRUM

With identity emerging as a new attack surface, it should be managed and monitored as a critical resource rather than as a basic access provisioning function.




Identity management, as Gartner defines it, is the “security discipline that enables the right individuals to access the right resources at the right times for the right reasons.” It sounds like a lofty ideal, but it is at once elemental and essential and, according to Gartner, is “a crucial undertaking for any enterprise.” Password-management tools, provisioning software, security-policy enforcement applications, single sign-on, reporting and monitoring apps, and identity repositories all fall under the umbrella of identity management. Yet for all the technology behind it, Gartner notes that the practice of identity management “is increasingly business-aligned, and it requires business skills, not just technical expertise.” Thanks to mobile computing, cloud apps and tele-working, the de-perimeterisation of IT security is a “fait accompli.” This has created new challenges for CSOs and new opportunities for attackers. One of the leading threats emerging from the post-perimeter IT landscape involves using identity as an attack vector. Here’s why.

Historically, information security professionals have focused on mitigating vulnerabilities across traditional attack vectors, namely networks, software or physical plants within their computing environments. Despite the large investments made in preventive and detective security technologies, protecting these traditional attack surfaces continues to be a challenge. As Ponemon states in its report on Mega Breaches, many companies have failed to prevent breaches with the technology they currently have: 65 percent responded that attacks evaded existing preventive security controls.

What’s changed? Instead of targeting hardened networks and application infrastructures, more and more bad actors, whether outsiders or insiders, are exploiting identities to gain “legitimate” access to sensitive systems and data. Protecting this new attack surface is hard, since identities must be trusted unless there is conclusive proof that they have been compromised. One of the core challenges for information security professionals is rooted in the fact that current security models are not designed to address identity as an attack surface. Instead of treating identity as a basic access provisioning function, it should be managed and monitored as a critical resource for the organisation. To prevent identity from being exploited as an attack surface, information security professionals must


return to something “old” and engage with something “new.” The “old” is verifying how effectively traditional identity and access management systems are being managed. Is basic, good-quality hygiene being rigorously applied and exercised for these critical systems? For example, how often are users required to update their passwords? Is a reasonable amount of complexity required for those passwords? Also, is security awareness being promoted among users, including the importance of strong password choices, as well as the techniques used by attackers to steal passwords, like phishing and social engineering?

The “new” involves monitoring who, how, where and what identities are being used for in the organisation’s computing environment, including cloud. To keep watch over the typical “flock” of identities in an enterprise, new tools and automation are required. This is what is driving the adoption of IAM solutions in the market.

“IAM is really all about understanding who should have access to what, and controlling the lifecycle of the user within the organisation’s IT systems. There are a number of drivers for IAM solutions. One of them is that we today have many more systems than in the past and the access control rights are much more complex. Depending on business requirements, a user may need access to a full system or only subsets of the system’s functionality. Furthermore, the dynamics of the workforce today mean that staff move around, not just externally, but also internally, meaning the access rights need to be constantly adjusted,” says Nicolai Solling, CTO, Help AG.

Rashmi Knowles, Chief Security Architect, EMEA, RSA, says that since IAM is one of the most challenging components of a security programme, adoption of IAM is driven by a number of changes. “Firstly, the user population no longer consists of on-premise employees. It has expanded to partners, vendors, and customers, all of whom require access to corporate applications. Secondly, devices are no longer restricted to corporate desktops. Finally, the increase in the number and types of users and access methods has created an ‘identity crisis’ within many organisations, wherein their systems are unable to manage and unify disparate information, resulting in fragmented user profiles and multiple digital identities.” These assumptions, with ever-increasing expectations of usability and flexibility, often cause friction between users, IT staff and the business. Lack of a unified user profile can result in a missed opportunity to gain rich insights into user behaviour across different networks, applications and devices. Also, the regulatory and compliance landscape has grown considerably more challenging, and audits have become even more burdensome with the number of identities, systems and access methods, she adds.

When it comes to IAM, one of the challenges facing CISOs is how to maintain control over access without impacting productivity and user experience. “This is one thing many organisations struggle in dealing with. Fundamentally it is down to an understanding that an IAM implementation is not only a technical implementation. If your business flow and processes are based on everyone having access to everything, an IAM solution will be challenging to implement. It can therefore be a good idea to get help from external experts,



like Help AG, as our consultants have specific expertise as well as methodology to understand these business processes and map them to an IAM approach,” says Solling.

Kamel Heus, Regional Manager of Centrify, says that from a user perspective, the right authentication and access experience can be a huge win-win. “With today’s modern Adaptive Multi-Factor Authentication (MFA), which only challenges users for additional factors when necessary, and not every time they access something, MFA is less cumbersome than ever before. When you combine the ability to use a mobile device as a factor (and not a dedicated, easy-to-forget token), it gets simpler still. And when adaptive MFA is integrated with SSO, users get fast and easy access to stronger security.”

What is key to an effective identity access management programme? “Today, a typical day in the workplace involves interacting with various systems via various credentials to access parking, building access, clocking in/out, network access, audio/video conferencing system and wellness facilities access. An effective IAM programme should be designed to answer the needs of today’s more connected environment to derive more value from your access control investment,” says Miguel Braojos, Global Vice President Sales, Identity and Access Management, HID Global. He adds that security managers should consider these points while implementing an IAM programme:

• The premises’ current physical and network infrastructure
• Administrative requirements to best suit your employees
• Technologies needed in different locations
• The company’s existing mobile landscape
• Future-proofing your physical access control

An effective identity and access management programme consists of three key pillars: visibility, analysis and action. An IAM programme needs to offer optimal visibility into identity intelligence and simultaneously accumulate and combine information on user identities. Once the required identity information is collected and analysed, the programme needs to offer single-point visibility into user activities. In addition, it has to assess whether user behaviours pose unacceptable risk to the organisation. Providing contextual information to make accurate risk assessments must be core to any IAM, whether it is applied to identities, websites, endpoints, or networks during authentication, runtime or business processes. An IAM programme has to be designed to provide secure and convenient access to users, from anywhere, and from any device.

The future of IAM is said to be multi-factor authentication (MFA), with usernames and passwords becoming a gateway. Heus from Centrify says passwords alone can no longer be considered secure. MFA will become a standard user experience that most users will just come to accept. MFA, along with context-aware policy, helps provide identity assurance, proving the uniqueness and authenticity of an identity. Using MFA does not have to be cumbersome nor counter-productive. MFA could also be extended to challenge administrators when they request access to critical resources or when they raise their privileges.

“IAM must evaluate each access request based on a gathered set of identity intelligence: the profile and role of the user, application sensitivity, and context of the request. To make the experience both secure and convenient, authentication cannot be a one-time decision. Similarly, a single sign-on should not be granted universally. Not all users, applications, or situations are the same. Only by understanding the context of an event can you provide a single sign-on where appropriate, yet enforce step-up authentication when required. Authentication methods should be simple, familiar and take advantage of a device owned by the user. For example, mobile phones or tablets can become authenticators. Multi-factor authentication supports a range of mobile-optimised authentication methods including push notification, one-time passcode, and fingerprint biometrics. In a nutshell, multi-factor authentication is here to stay,” Knowles sums up.
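The feature closes on the point that each access request should be judged on the user’s profile and role, the application’s sensitivity and the context of the request, granting single sign-on where appropriate and stepping up to an additional factor (or refusing outright) where required, with administrators challenged whenever they touch critical resources. The Python below is an added example of such a context-aware decision, not code from the article or from any vendor quoted in it; the request fields, risk weights, thresholds and the sample requests are all constructed assumptions.

```python
"""Context-aware access decisions: SSO where appropriate, step-up MFA where required.

Added illustration; the request fields, risk weights, thresholds and sample
requests below are constructed assumptions, not any vendor's policy.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Decision(Enum):
    ALLOW_SSO = "allow on the existing SSO session"
    STEP_UP = "require an additional authentication factor"
    DENY = "refuse and raise an alert"


@dataclass(frozen=True)
class AccessRequest:
    """The identity intelligence gathered for one request (fields are assumptions)."""
    user: str
    role: str                      # "employee", "contractor" or "admin"
    app: str
    app_sensitivity: int           # 1 = low, 2 = internal, 3 = critical
    device_managed: bool           # corporate-managed device?
    known_location: bool           # seen from this network or location before?
    privilege_elevation: bool = False   # the request raises the user's privileges
    sso_session_age_min: int = 0        # minutes since the SSO session was established


def risk_score(req: AccessRequest) -> Tuple[int, List[str]]:
    """Score the context of a request; every reason is kept for the audit trail."""
    score, reasons = 0, []
    if not req.device_managed:
        score += 2
        reasons.append("unmanaged device")
    if not req.known_location:
        score += 2
        reasons.append("unfamiliar location")
    if req.role == "contractor":
        score += 1
        reasons.append("external identity")
    if req.sso_session_age_min > 480:
        score += 1
        reasons.append("SSO session older than 8 hours")
    return score, reasons


def evaluate(req: AccessRequest) -> Tuple[Decision, List[str]]:
    """Decide whether the SSO session suffices, a step-up is needed, or access is refused."""
    # Administrators and privilege elevation on critical resources are always challenged.
    if req.app_sensitivity == 3 and (req.role == "admin" or req.privilege_elevation):
        return Decision.STEP_UP, ["privileged access to a critical resource"]
    score, reasons = risk_score(req)
    # The more sensitive the application, the less contextual risk is tolerated
    # before a challenge: sensitivity 1 -> 3 points, 2 -> 2 points, 3 -> 1 point.
    step_up_threshold = 4 - req.app_sensitivity
    if req.app_sensitivity == 3 and score >= 5:
        # Too many independent risk signals for one extra factor to offset.
        return Decision.DENY, reasons
    if score >= step_up_threshold:
        return Decision.STEP_UP, reasons
    return Decision.ALLOW_SSO, reasons or ["low-risk context"]


# Constructed sample requests covering each outcome.
SAMPLE_REQUESTS = [
    AccessRequest("alice", "employee", "hr-portal", 2, True, True, sso_session_age_min=30),
    AccessRequest("bob", "admin", "prod-db-console", 3, True, True),
    AccessRequest("carol", "contractor", "finance-ledger", 3, False, False),
    AccessRequest("dave", "employee", "wiki", 1, False, True),
    AccessRequest("erin", "employee", "payroll", 2, True, False, sso_session_age_min=600),
]


def decide_all(requests=SAMPLE_REQUESTS) -> List[Tuple[str, str, str]]:
    """Return (user, app, decision name) for each request."""
    return [(r.user, r.app, evaluate(r)[0].name) for r in requests]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        decision, reasons = evaluate(req)
        print(f"{req.user:<6} {req.app:<16} {decision.name:<9} ({'; '.join(reasons)})")
```

The reasons returned alongside each decision are what make the "visibility" pillar concrete: an administrator reviewing the audit trail can see why a user on a managed device from a familiar location sailed through on SSO while a stale session from an unfamiliar location was challenged, and why a contractor reaching a critical application from an unmanaged device at an unknown location was refused rather than merely stepped up.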


INFOGRAPHIC: THE SEQUENCE OF A TARGETED CYBER-ATTACK

Cyber-attackers use malware to infiltrate networks, then rely on standard network and IT administration tools to move within the network and steal data.

1. Exploit vulnerabilities and gain a foothold in the organisation by using malware.
2. Use ubiquitous apps to communicate with command and control servers.
3. Map out the network, probe clients and monitor activity using networking and hacking tools.
4. Gain control of an administrator’s machine/account, including the access privileges and data associated with it, by using admin tools.
5. Access new hosts, move within the internal network, or remotely compromise infected devices by using remote desktop tools.
6. Transfer data from the compromised host to the attacker.

TOP 5 NETWORK AND HACKING TOOLS
• Angry IP Scanner: IP address and port scanner
• PingInfoView: programme that pings multiple hosts at once
• Nmap: network discovery and security auditing tool
• Ping
• Mimikatz

TOP 5 ADMIN TOOLS
• SecureCRT: Secure Shell (SSH) and Telnet client
• VMware vSphere Client: management utility for VMware vSphere server virtualisation
• PuTTY: SSH and Telnet client
• BeyondExec Remote Service: utility to spawn processes and shut down remote workstations
• MobaXterm: X server and tabbed SSH client for Windows

TOP 5 REMOTE DESKTOP TOOLS (cloud-based or locally hosted remote desktop and web conferencing software; can be used for command and control and lateral movement)
• AnyDesk: remote desktop software
• WinVNC: remote desktop software using Virtual Network Computing (VNC) for remote access
• LogMeIn: cloud-based remote access and remote desktop service
• Radmin: remote desktop and technical support software
• TeamViewer

TOP 5 MALWARE VARIANTS
Trojan/Gen:Variant.Graftor, Win32/ShopAtHome.A, W32/Urlbot.NAO!tr, BrowserModifier:Win32/Elopesmut, Win.Trojan.7400921-1
Descriptions in the infographic (not matched to individual variants here): malware used to boost advertising revenue to inflate a page ranking in search results; malware that redirects and monitors web activity; a family of malware that changes web browser settings; malware that attempts to write to a memory location of a loaded process to manipulate other applications; malware that monitors all activity, including keystrokes, email and web access.

TOP RISKWARE
• Web browsers: Internet Explorer, Chrome, Firefox
• Web-based email
• Popular social media sites: Twitter, Reddit

99% of threats originated from legitimate apps or from riskware; 1% originated from malware.
Source: http:/lightcyber.com/wp-cyber-weapons-report.lp/


INSIGHT

What’s in store? Vishal Gupta, Founder and CEO, Seclore, shares the company’s top six data security predictions for 2017.

2016 has been an epic year for cybersecurity threats. According to Cybersecurity Ventures’ annual cybercrime report, current projections indicate that cybercrime will only continue to grow, to an enormous $6 trillion in annual losses to the world by the year 2021. Due in part to our hyper-connected world, advances in collaboration technologies, multiple devices, and increased use of outsourcing, hackers are seizing opportunities and becoming more sophisticated in their attack techniques. Their quest has gone beyond stealing data for a profit to leaking incriminating information to influence and expose individuals and governments. However, hackers are only part of the challenge faced. Third-party partners also pose a potential threat to organisations, as they often have authorised access to organisations’ information and systems with little oversight or monitoring. Organisations that fail to increase their security budget and make security a top priority are most likely to suffer the greatest financial losses. So what do we predict for 2017, besides building a better offence? Here are Seclore’s top six security predictions for 2017:


1. 2017 will be a historic year for US cybersecurity legislation

Next year will be historic in terms of cybersecurity legislation. We’ve already seen the beginnings of this in 2016, and high-profile incidents such as the breaches at the Democratic National Committee and Yahoo, and the Apple encryption debate, have further increased public awareness around the importance of data security and privacy. The Chinese government was also recently implicated in buying stolen national defense research related to the F-22 and F-35 and C-17 fighter jets from a cybercriminal who hacked Lockheed Martin and Boeing. The growing awareness, coupled with the government’s willingness to acknowledge the national security risks posed by cyber-attacks, makes us hopeful we’ll see meaningful progress made in the fight to create effective cyber-legislation by the end of 2017. This legislation will likely start with mandatory breach notifications, which initially eliminate undisclosed (or slowly disclosed) cyber incidents, but will eventually take the form of specific guidelines for how citizens’ data must be protected wherever it travels or is stored. Europe is leading the way with the General Data Protection Regulation (GDPR) act and we expect North America to follow with similar legislation.

2. Global leaders will take steps towards establishing standards for cyberwarfare (an InfoSec Geneva Convention)

2017 will (hopefully) be the year global leaders finally recognise the need for an InfoSec Geneva Convention, setting standards for what cyber-activities are and aren’t acceptable. Holding highly confidential information hostage and using it for blackmail or to manipulate elections is a whole new level of warfare. I’ll admit this is an optimistic prediction, considering the current geopolitical landscape, but technology has reached the point where having clear rules of engagement is an absolute necessity. While this may not happen in 2017, I expect the global community will at least begin acknowledging the catastrophic repercussions that could result from an all-out cyberwar.

3. Hackers will continue to exploit the weakest link (service providers and law firms beware…)

The ransomware epidemic is a reminder that the cybercrime economy is based on the principles of capitalism. Until organisations persistently protect information at the data level (and stop paying the ransom), these attacks won’t slow down. And, as companies increasingly utilise third-party service providers to reduce costs, more and more information will be at risk. In 2016, the healthcare industry was revealed to be especially vulnerable to ransomware attacks, with 75 percent of hospitals surveyed in a poll by Health IT News and HIMSS having been hit by one. And while that will remain true next year, we expect hackers will expand into other verticals. Hackers will look for the weakest link and exploit industries that have highly sensitive information and lower investments in security solutions.

4. Organisations will be more stringent on the security of their third-party vendors and collaboration partners

This year we can expect to see organisations placing stricter compliance regulations on their third-party outsource vendors and other external collaboration partners. Third parties such as advisors, vendors, sub-contractors and business partners pose a huge risk to organisations because they require access to systems and data to conduct business, yet there is no accountability in the way they handle a company’s data. In fact, one in four companies believe they have had data stolen by a third-party vendor. Once information is shared with a third party, the organisation loses control over what happens to its sensitive data. Often, the third-party organisation or contractor does not have the necessary security mechanisms in place; hackers are always looking for the weakest link in the information supply chain. The Panama Papers breach is a great example of how information shared with a third party, in this case a legal firm and corporate servicing agency, has caused personal and corporate reputations to be deeply tarnished or ruined. Then we have the continued challenge of employees and sub-contractors stealing intellectual property: 67 percent of independent contractors and employees take IP with them for the express purpose of leveraging it at a new position, costing organisations more than $400 billion in annual losses. With on-going pressure to achieve profits, organisations will become ever more reliant on third-party vendors and processing partners in 2017. However, profitability can no longer trump security when it comes to collaboration. Ultimately, companies are responsible for the safety of their data (and their customers’ data) regardless of where it is being stored. Our prediction is that in 2017 organisations will begin to invest in solutions that persistently protect information, keeping it under their control even when it is shared with third parties.

5

InfoSec teams will give up on perimeter security, and instead adopt a data-centric approach

Data is flowing through and outside of organisations at an unprecedented speed, and it will only continue to accelerate in 2017, especially with the growing adoption of outsourcing, a global/mobile workforce, and the use of innovative (but perhaps non-IT sanctioned) technologies such as Enterprise File Synch and Share (EFSS). These trends mean that the security of the infrastructure and the devices that are storing sensitive data becomes far less important, as information is likely present on multiple systems/devices and shared via numerous routes, many of which lead outside the traditional corporate perimeter. The free flow of information will warrant a paradigm shift in the InfoSecurity community, which will be unable to assure the security of data as it moves across and outside of corporate boundaries. Instead, InfoSecurity teams will shift their focus to securing the data itself, striving to achieve persistent security through solutions that control granular usage policies regardless of where the information resides.

6

Data-centric security solutions will become an InfoSecurity fundamental

The value offered by firewalls and anti-virus solutions has been on the decline. We predict that 2017 will be the year that organisations acknowledge the need to secure the data itself, and not just infrastructure and devices. The shift to persistent data-centric security has already begun, with Gartner pointing to Enterprise Digital Rights Management (EDRM) capabilities as a key requirement in its Enterprise File Synch and Share (EFSS) Magic Quadrant. In fact, a number of vendors have already jumped on the data-centric security trend in 2016, with Citrix and IBM adding Rights Management features to their EFSS and Enterprise Content Management (ECM) offerings. You can expect more vendors to follow suit in 2017, and I’d be surprised if any of the major EFSS, CASB (Cloud Access Security Broker) and Virtual Data Room (VDR) vendors hadn’t integrated EDRM capabilities with their offerings by the end of this year. For the organisation itself, 2017 will be the year that rights management becomes part of an overall data-centric security infrastructure, seamlessly integrating with the organisation’s ERP, EFSS, ECM, Data Loss Prevention, Data Classification and SIEM solutions to provide automatic protection (and auditing) of information as it is downloaded, discovered and shared.

Vishal Gupta, Seclore



OPINION

GET WITH THE PROGRAMME Cherif Sleiman, Vice President, Europe, Middle East and Africa, Infoblox, discusses how organisations can combat cybercrimes in 2017 by building an information security programme.

As far as we’ve come with information security, the landscape still feels like the wild west. Every day we read about the cyber equivalent of ungoverned towns terrorised by enterprising criminals who pillage as they wish with seemingly no consequences. The good guys are few, and the sheriffs are too far between. Maintaining the peace rests upon you, whether you asked for the job or not. Swiftly reacting to intrusive foes may grant you the right to fight another day, but getting ahead of security risks warrants a proactive, strategic plan with structured management oversight.

ASSEMBLE YOUR STRATEGY

Security spending is estimated to have exceeded $75 billion in 2016. While it’s good news that security spend is increasing, there’s a broad range of security products to choose from, and knowing where to allocate funds requires a strategy. Security programmes are often derived from venerable frameworks such as the SANS Critical Security Controls or ISO 27000. Although comprehensive, these frameworks can be daunting at first. A simpler approach revolves around building a security programme based upon a limited set of foundational pillars which serve as security programme categories or “tracks.” For an emergent security programme, about four to five pillars should be sufficient. For example:

1. Business alignment - security should support the business and must not impede company objectives.
2. Security awareness - the securing of human beings and the internal “marketing / PR” of information security.
3. Governance and compliance - the management aspects of security, such as planning and measurement, as well as adherence to internal and external regulations.
4. Vulnerability management and incident response - finding and managing vulnerabilities as well as responding to crises.

Formal security frameworks have granular controls that conveniently “roll up” into these pillars. For example, the SANS Critical Control 20 (Penetration Tests and Red Team Exercises) can be aligned with the Vulnerability Management pillar. Likewise, the ISO 27001 control A.15.2.1 (monitoring and review of supplier services) can easily align with governance and compliance. Taking a page from agile methodologies, the objective here is to start small with a handful of pillars, then over time scale into something stronger. Essentially, pillars are baby steps that pave the way to broader ISO or SANS-type programmes.

FIND YOUR PILLARS

As noted, pillars represent your security programme’s high-level “tracks.” Your enterprise will likely have different pillars, and you may have more or fewer than five.

Regardless, these four simple steps can help identify your organisation’s security pillars:

1. Identify what’s important to the organisation, be it money, intellectual property, customers, and the like.
2. Enumerate potential threats posed to the items identified in the first step.
3. Determine protection and mitigation strategies to prevent threats from intersecting with important assets.
4. Iterate through steps one to three, and group activities into general categories. Consolidated categories will then help you form distinct pillars.

It’s not always easy to identify risks, especially when you are unfamiliar with the current threat landscape. Fortunately, external assistance may prove useful in such situations. A security consultant can provide comprehensive threat models, and security companies can provide free security assessments that identify active threats on your network which were previously invisible.

MANAGE SECURITY AS A PROGRAMME

Once you’ve identified the pillars of your security programme, each pillar will start to develop associated sets of projects and on-going activities around improving the company’s security posture. There are a number of tools available to support this effort, but a couple of staple artifacts worth calling out are the risk register and operational security reviews. The risk register is essentially where one lists risks and summarises how these risks are being managed. It’s not rocket science, and contrary to popular belief, it doesn’t require the purchase of exorbitantly expensive software. In fact, for newly-founded security programmes, a spreadsheet works just fine. While the risk register may be appropriate for executive review, operational security reviews are intended to track progress (or lack thereof) on a more tactical level. For instance, tracking progress in the “vulnerability management” pillar may warrant metrics such as the number of high-risk system vulnerabilities, exploited vulnerabilities, average time to patch, and so on. These metrics must resonate with system owners and those responsible for day-to-day operational security so that they have actionable data to improve security posture. In summary, a security programme is a continuous journey. Like most journeys, it starts with a single step, and will certainly have pitfalls along the way. Perfect security is unrealistic, so don’t be afraid to fail. How we manage and adapt is ultimately more important.

Cherif Sleiman, Infoblox



INTERVIEW

COMBATING BREACHES Based out of Bahrain, CTM360 offers a cyber threat management platform that covers all aspects of prevention, detection and response. The company’s CEO Mirza Asrar Baig talks about the ways organisations can tackle cyber threats in real time.



How do you see the threat landscape evolving in 2017?

We anticipate substantial growth in cyber threats with an expected rise in integrated / hybrid attack types. It is imperative to differentiate between threat vectors and the corresponding attack types; dealing with hybrid attack types is challenging given that a single threat vector can be used in a variety of ways, such as a social media profile perpetrating ransomware, conducting Advance Fee Fraud (AFF) and dispatching phishing URLs. One recent example is that of Cyber Evil Twin Sites, where a single website is the source of multiple threats containing investment scams, job scams, AFF and phishing; many practitioners miss these upon a cursory glance. In short, the threat landscape will most definitely see a sharp spike in growth via such integrated threats during 2017.

Do regional enterprises need to rethink their security strategies to protect against advanced threats?

Yes. Rethinking strategies is definitely necessary. This must start with the deployment and leverage of appropriate technologies and must be followed by a change in the industry’s current approach to this type of situation. Current threats always remain a high priority and should immediately be addressed and focused on; however, there is also a visible lack of skills, knowledge and coordination within the cybersecurity industry. A change in mindset is very much needed, as a communication gap is also apparent. People are still cautious of disclosing the details of an event for fear of losing credibility. This, coupled with the fact that threats keep evolving at an exponential pace, makes addressing these issues critical. Additionally, there is too much technology being deployed, but not being used efficiently.

What kind of security strategy do you recommend for them?

The key element of any effective strategy is collaboration. With constantly evolving threat vectors, sharing information and discussing issues remains the most effective method. It is vital to be constantly aware of what is going on, which helps in identifying threats early and building an effective counteractive response strategy. Additionally, having a cyber incident response unit on hand can assist in strengthening an organisation’s defence, and forming the backbone of the security strategy. Finally, it is essential to properly define and differentiate between information security and cybersecurity, as this remains a cause for confusion and role conflict globally.

How can enterprises speed up the time to detect and respond to incidents?

The initial process is to understand that a threat has many elements and then to identify each of them; being one step ahead gives an upper hand in eliminating a cyber threat. When a targeted email is received, the hacker has already done sufficient reconnaissance to reach the target inbox. Organisations need to harden themselves to prevent such threats by identifying them earlier along the cyber kill chain process. Engaging with a cyber incident response unit locally can help to better identify and mitigate current threats within the region.

What is CTM360’s value proposition to the regional security market?

Over the last two years, we have expanded with a 24 x 7 x 365 dedicated cyber incident response team, which proactively identifies and mitigates cyber threats. To date, we have managed 30,000 plus unique cyber incidents. Beyond this, we fortify our members’ cyber footprint to secure online assets and enable the member to remain a resilient target. Remaining situationally aware is another key component of our offering, wherein the CTM360 team analyses new trends, including identification of new attack types, delivery mechanisms and the rationale of an attack. We have evolved with 10 service modules and the goal remains to make our members cyber resilient and cyber vigilant always. By Q2 2017, we will complete in-house development on 35 plus additional web and app-based components.



INTERVIEW

CREATING SAFE ENVIRONMENTS Azeem Aleem, Director, Advanced Cyber Defence Practice EMEA, RSA, talks about the trends that will shape the cybersecurity landscape this year.

Are security investments helping enterprises to reach their business goals?

In 2017, organisations will also face a conundrum, as the pressure of building a more efficient business will likely create more loopholes. The traditional perimeter will melt away and the “not in my backyard” siloed approach will not work anymore. Organisations would need to look at cybersecurity as a business enabler rather than a hindrance. Only security investment made within organisations to express details of security in the language of business risk would be termed effective. Business goals can only be achieved by an organisation through evaluation of converged technical risk and its impact on business continuity, intellectual property, and damage to reputation, among other things.

What should be the cornerstone of a good security architecture?

With the incremental sophistication of attack vectors, good security architecture could be developed based on a three-fold strategy. Firstly, organisations would need full visibility across endpoints, network, logs, VMS and cloud, among others, combined with actionable threat intelligence and business context. Secondly, to support this, organisations would need to perform deep analytics, which is the ability to process threat data to identify the behavioural classification of cybercriminals. This would require the use of deep analytic techniques, the latest science modelling and machine learning. Thirdly, what we see is that those organisations that understand the rationale of collecting the data from endpoints, network flow/packets, cloud-based apps and network perimeter are facing a problem with the flux of data. To detect the pattern they have the task of finding a needle in the haystack; they lack the capability to integrate into a single normalised platform to detect the behavioural classification of these cybercriminals. Organisations also need to understand the full scope of the attack, which requires a well-coordinated process that can help orchestrate the function of their teams and all available data to produce clear and actionable results.

Is continuous authentication going to be the future of IAM?

The user population is now dense with on-premises / remote employees, trusted partners, vendors, buyers and clients, all of whom require access to corporate applications and services. Also, devices are no longer just corporate desktops but now include corporate and personal laptops, tablets and mobile phones. In the past, IAM has been based on a reaction and detection phased strategy. The future lies in the implementation of an intelligence-driven IAM programme, which can deliver substantial business value by achieving business agility across all operational domains of the organisation by unlocking enormous business value. Intelligence-driven IAM combines visibility of user context and activities, an analysis that leverages this context, and enablement of appropriate and timely actions to mitigate any threats. The ability to analyse various metrics in real time and take the appropriate action to mitigate threats enables a highly secure way to link users anywhere and anytime while meeting compliance rules and regulations.

Are your users getting the support they need post Dell EMC merger?

For RSA it is business as usual, providing support to existing customers towards the enhancement of business-driven security. Post the Dell EMC merger, customers are getting an end-to-end solution by combining Dell’s strength in managed security services and its security offerings in network, endpoint and email security with RSA’s focus on identity, security analytics and GRC.

Do you expect the threat landscape to evolve further in 2017?

Business leaders are still unable to understand the business implication of the risk they face. A business-driven security approach is needed to bridge the gap between the operational risk (e.g. how bad it is) and the technical details - connecting the dots between technical details and the business impact to your enterprise. Security programmes solely focused on compliance will not work. Cyber-attacks generated through supply chains will be on the rise; there would be a need to manage the whole incident space by developing actionable threat intelligence capability to tackle TTPs (tactics, techniques and procedures). Co-ordinated ransomware attacks will become more aggressive and diversified, attacking through a multitude of attack vectors. Cybercriminals will find ransomware an easy hit-and-run strategy. The traditional target point will pivot from SMEs (small to medium size businesses) towards larger corporations, mainly around the public sector.

In 2017 we will witness a sophisticated surge in the attack domain across industrial control systems (ICS). The shift from legacy systems towards process control networks with connectivity around the enterprise and Internet will create more extensive backdoors around industrial control systems. Organisations will not even be aware of the device connectivity patterns inside and outside their ICS environment. Attacks through cloud service providers within ICS are on the rise, and there is a dire need for intelligence correlation and reporting mechanisms around SCADA attacks, through behavioural analytics. Threats against IoT will be on the rise. Recent development in IoT has created a technological disruption where it is now becoming difficult to contain the genie in the bottle. We have already seen the technological revolution of IoT, with businesses already under pressure to accommodate the flux of IoT devices. The potential vulnerabilities from IoT across the organisation network to home appliances, even stretching to medical devices, will be used as additional exploit vectors against organisations. IoT connections on corporate enterprise networks creating third-party breaches will be frequently seen.


INSIGHT

WORKING TOGETHER Collaboration tools have become widely used across organisations today, as people come to rely on these handy tools to work more efficiently. Mike McCamon, President, SpiderOak, sheds light on the most common security and privacy mistakes organisations and employees make.

Collaboration tools help reduce reliance on email, increase conversation between teams and provide an easy way to share information with colleagues. However, in many workplace applications today, there are so many gaps where security settings can fail, and corporate IT is beginning to take notice.

WEB BROWSERS

Many—if not most—collaboration tools these days are primarily delivered through a web browser, and there are vulnerabilities in this approach: malware, plugins, cookies and any number of other bad things can threaten your online security. Even if your online activity is done with security in mind, if just one team member isn’t up to date on their privacy settings, the entire organisation’s data is vulnerable. The only way to protect your organisation from these kinds of vulnerabilities is to make sure your collaboration tool can be fully downloaded to a device, instead of existing on the web.

PASSWORDS

Despite many websites’ requirements for long, multi-character passwords, there are countless ways in which passwords can be compromised that have little to do with their complexity or length. Through phishing scams, spam and simple guesswork, passwords are an increasingly popular entry point for cybercriminals. Businesses should ensure their applications use a recovery-key concept for lost devices, instead of the more common and less secure password challenge model.

EMAIL DIGESTS

Many applications use email digests as a way to recap the day’s conversations or to get teammates up to speed on company highlights. Why take the time to type content into a secure collaboration tool only to have one of your team members have that data summarised, and then sent over the Internet? Transport, delivery and storage of e-mail is far from secure today. The digests may be helpful for some, but any sort of digest should be featured within the application to maximise security.

AUTO-EXPANDING LINK PREVIEWS

When someone sends a link to a website in most collaboration tools, the app by default will pull in metadata to display inline with the message thread. Depending on its implementation, this automatic behaviour can be very insecure: first, it automatically downloads the content to your device, and second, your device automatically sends internet traffic (and your IP address) back to that site, without your control or consent. There are sites online that many would not want their intellectual property associated with, so this kind of activity should never be outside of user control.

INTEGRATIONS

Integrations are great. They allow content from external data sources to enrich your teams’ conversations. Most integrations today are hosted by the collaboration tool vendor, which means any data that passes through an application can be read by the vendor. While this is harmless for integrations that ingest public content on the web, like a Twitter feed, it would have severe security consequences if the data source is private and/or requires authentication to be read online.

ENCRYPTION

While several collaboration tools tout encryption as a feature, many do not offer full end-to-end encryption, which exposes conversations to eavesdropping and data collection. End-to-end encryption ensures that only those who are directly members of a conversation can decrypt the content. Without it, both hackers and rogue internal employees have access to any data that passes through the application.

INFORMATION LEAKAGE

When using a collaboration tool through a web application, it’s often possible to find out if any company uses the tool by typing ‘company.app.com’ or a similar combination into the browser, regardless of whether you’re signed in to a particular team. This allows outsiders and potential hackers to know which companies are using which workplace applications through this formula. Ensure the collaboration tool your company uses doesn’t allow for this kind of information leakage when not logged in.


INTERVIEW

THE CHANGING BATTLEFIELD Amit Roy, Executive Vice President and Regional Head EMEA, Paladion, examines fundamental strategies organisations can adopt to keep pace with rapidly evolving threats.

What kind of technology trends will impact security in 2017?

The demand for social, mobile, cloud and IoT will rise with further requirements for analytics using Artificial Intelligence, machine learning and robotics covering all areas of the technology. Increasingly, governments and big business will adopt the newer technologies to secure their businesses. As the bigger and more respected organisations use the digitalised technologies, smaller businesses will start to follow suit, hugely increasing the overall demand for these products.

What kind of changes do you foresee in the threat landscape next year?

Internet fraud has grown exponentially in recent years, as businesses begin to use Internet technologies; this is ever changing and uncharted territory, and new threats emerge daily. In the recent past, DDoS attacks using IoT, and the hacking and exposure of data using APT attacks, have crippled huge businesses such as Yahoo and the Bank of Bangladesh, with ransomware attacks becoming far more common and affecting both businesses and individuals. With every passing year, more sophisticated and complex patterns of threat vectors emerge, exploiting the vulnerabilities of the new trends in software, requiring faster detection, response and retaliation in order to mitigate the threats faster than before.

What are your tips for CISOs to make better security investment decisions?

The CISO brings together the perfect blend of security initiatives to help businesses take advantage of all of the technological advancements that software such as social, cloud, IoT, robotics and digitalisation provide. The CISO needs to look at ways to leverage the various security tools they have recently procured and to find a competent partner to manage these security investments and utilise them to yield deeper situational analysis and faster detection, response and remediation.

Has security become a boardroom level discussion yet?

The subject of cyber security has become a hot topic in board rooms, and it is certainly a reason why a CISO should become a business facilitator as well as a technological expert. Recent high profile attacks and data breaches have done serious damage to shareholders’ investments, at times causing perfectly sound business decisions to be derailed, which has resulted in the board having to look at the security of all of their major business decisions. Having said this, much still needs to be done by the community to educate the board on the seriousness and sensitivity of cybersecurity, ensuring it is put high on the priority list of all medium and large businesses and governments, to prevent further breaches from happening.

Do you think the skills gap will continue to grow worse? Can automation address this challenge?

Cybersecurity is an ever changing, dynamic business, and it can be a challenge to get the right skills and solutions on board; a problem which might only become harder to solve over time. It is crucial at this time to have a good synergy between human intelligence and machine learning, and to use it in cybersecurity for better and faster security outcomes which do not entirely need human interaction and observation in order to be initiated.


OPINION

CYBERSECURITY ON THE AGENDA by Matthew Gardiner, Senior Product Marketing Manager, Mimecast

There’s no reason to believe that 2017 will be any better for cybersecurity than it was in 2016. If anything, 2017 will be even worse as cybercriminals continue to leverage social engineering and phishing techniques to find new vulnerabilities to exploit, develop new ways to monetise their activities and get through corporate defences and target individuals. In 2017, cybersecurity battles favour criminals even more as vulnerable Internet of Things (IoT) devices will continue to expand the possible platforms of attack. Gartner estimates that by 2020 more than 25 percent of attacks in enterprises will involve IoT devices.

This past year, we saw cybercriminals becoming more sophisticated, threats becoming more advanced and cyberattacks causing more damage to organisations. So as we enter 2017, let me share a few cybersecurity predictions which we, at Mimecast, see becoming even larger issues as we enter a new year:



Ransomware becomes more regular and sophisticated

Ransomware will become one of the biggest threats that organisations will need to address, fuelled by an increasing multitude of attackers using off-the-shelf kits and leveraging a vast network of cybercrime service providers to run their ransomware campaigns. Ransomware represents an easy, cheap, and low risk attack method that produces significant profits for the attackers. In addition, few organisations have effective defences against ransomware, and now with Bitcoin and other anonymous payment systems enabling the perpetrators to get paid more easily, without being traced, it has never been so easy to make a good living off of ransomware.

Impersonation attacks in the spotlight

The media in 2016 have been very focused on ransomware attacks. However, one of the lesser publicised problems (but by some measures larger in terms of its negative impact on organisations) is email impersonation attacks. Sometimes called whaling or CEO fraud attacks, these attacks can cost organisations hundreds of thousands in financial losses. In fact, according to the FBI, impersonation attacks led to more than $3 billion in losses over the last three years. We expect to see these attacks, because of the associated fraud and loss that they cause, as the next “it” attack flooding the media. There is nothing cheaper, easier, and less risky for attackers to do than just send well-crafted and timely emails which creatively request money to be sent to them. The attackers don’t even need to use malware for this; they just need to be clever with their social engineering.

Macro malware still in the game

Once thought of as a thing of the past, macro malware, which often hides in Word or Excel files, has re-entered the ring of popular attack methods. While most organisations choose to block executable email attachments at their security gateways by default, they generally still allow potential work-related files, such as Microsoft Office documents, to pass freely. Attackers exploit this by weaponising files in these common Office formats. According to Mimecast research, 50 percent of firms have seen email attacks that use attached macros increase over the last year. Why? It works well and can get through traditional AV-based defences. And that’s why we’ll continue to see waves of macro malware into next year and beyond.

Reining in data residency and governance

Increased state-sponsored attacks will lead to more stringent requirements around data residency and governance, as well as increased focus on national-level firewalls to mitigate threats but allow regional business activity to continue uninterrupted. Advancements in managing Internet traffic from different geographies may also become a focus as the global trade landscape changes. Unfortunately this comes with the risk of ‘balkanising’ the Internet and restraining the free exchange of information.

Focus on data mining

One theme that is still overlooked, but should come into greater focus in 2017, is that cybercrime is not just about wire transfers and immediate and direct monetisation of stolen information. Attackers are increasingly focused on data mining and will use the data they gather in more advanced future attacks, or sell it on the Dark Web for others to do the same. While more direct attacks such as email impersonation and wire transfer fraud are, and will continue to be, an issue in the future, organisations need to also think about where else they’re susceptible and ensure they have the appropriate protective measures in place against these longer-tail attacks. Organisations need to determine which data of theirs could possibly be used to attack them or other organisations at a later time, and then take increased measures to secure it.

Cyber espionage to cause more political disruption

Nation states and their sponsored operatives will increasingly use cyber espionage to cause political shifts, disruption of adversaries, and to gain economic advantage in particular strategic areas. This will involve, but will not be limited to, email-based hacking and the disclosure of other forms of private communications, and the disruption of and interference with critical national infrastructures. Employee education and taking adequate measures to protect organisations from cyber-attacks will continue to be of high importance during the course of 2017 as cybercriminals continue to target the weakest link in an organisation’s security: its employees.

23


INTERVIEW

THE HUMAN FACTOR By Alain Penel, Regional Vice President, Middle East, Fortinet

Human beings are prone to making all kinds of mistakes. It’s the nature of being human. However, there are differences in the gravity of the mistakes we make based on context – the what, when, where, why, and how often they happen. When it comes to handling healthcare data, human mistakes can sometimes lead to very serious security issues, and the wrong kinds of mistakes could even put patient lives in danger. While we’ve learned that successful data breaches against healthcare institutions are “big wins” for cybercriminals, they aren’t the only ones posing threats to the industry. Data breaches and lost data caused by employee mistakes, or simply through sheer negligence, are also on the rise, and healthcare IT professionals need to take note. So, how exactly are employees possibly the most dangerous threat to healthcare data security? Let’s take a closer look.

PHISHING SCAMS
As network security solutions at healthcare organisations have evolved and become more effective, cybercriminals have had to look for different ways to break in. As a result, brute force attacks are giving way to phishing scams. They have once again become very popular techniques, with employees unfortunately proving to be easy targets. One reason is that today’s phishing campaigns are more sophisticated than ever, making them a serious threat to security. These email and social engineering attacks involve cybercriminals attempting to trick employees into providing personal or sensitive information, including user names and network passwords. It’s very common for today’s social engineering attackers to take the time to learn about the target employee, and to create customised email addresses and messages that are very believable. Cybercriminals commonly use layered phishing scams (gathering a little bit of data at a time) to collect and use what they learn against another employee while at the same time maintaining the appearance of legitimacy. Once these attackers manage to gather the information they need, they either log in to systems using the usernames and passwords they have managed to acquire, or install malware to steal or otherwise jeopardise patient information.

UNAPPROVED DEVICE USAGE
Businesses across industries are also incorporating bring your own device (BYOD) into their corporate IT cultures. By doing so, employees are now able to work on the device or devices that they are comfortable using, while saving the costs that would accompany providing work-sponsored devices. However, because of the ease of onboarding mobile devices, including connected wearables, it has now become commonplace at some organisations for unauthorised devices to find a way to connect to the network. As a result of the expansion of mobile devices, the threat landscape has expanded at breakneck speed, and many IT teams are struggling to keep pace.

ACCESSING INSECURE WEBSITES AND APPS
Employees can also do serious damage to a network’s security without even knowing it by accessing insecure websites or downloading apps while at work. While the apps that are available on official app stores are typically secure, there have been instances where “pirated” apps have found their way onto connected devices. When employees download compromised applications they can inadvertently inject spyware or malware into the network that can access sensitive data through the compromised device.

The same goes for accessing insecure websites. Employees that visit infected websites, sometimes even bypassing protocols that block these sites, can expose the data stored on their personal devices, or even in the healthcare network itself, to theft or corruption. These same employees are also often prone to man-in-the-middle attacks, which occur when a malicious actor surreptitiously inserts themselves into a conversation between two individuals in an attempt to gather information or ultimately gain network access.

BUILDING AND MANAGING A CYBER AWARE ORGANISATION
Despite the clear risks that employees pose, organisations are still struggling to educate the workplace. Recent research has shown that only 35 percent of employees say senior management believes it’s a top priority for them to understand the risks they pose and to be knowledgeable about data security. Today’s healthcare organisations need to take the time to educate their workforce through continuous awareness training. And at the end of these training courses, these organisations should be sure to test the workforce, and test often, to evaluate their awareness, in an effort to reduce risk in the work environment. In speaking with our customers, many are using the carrot and stick approach to motivation, rewarding employees for good behaviour or going so far as to cut off access for employees who repeatedly fall for phishing test emails. Further, it’s important for senior leadership to lead by example and embody security leadership. Simple measures such as locking screens when away could encourage another employee to do the same. At the same time, IT security teams need to take the reality of human error into account when planning and deploying their security solutions. While proper training can reduce human mistakes, they’re not going away entirely any time soon. IT teams would do well to become more familiar with error-prone human nature, and take that into account when designing and deploying networks.


OPINION

KNOW YOUR (CYBER) ENEMY
By Paul Reubens, Contributor, CIO.com
Understanding who the hackers are and what they want is key to minimising the impact of a network security breach.


Picture this: Your company’s network is facing a DDoS attack, but you have no idea who is responsible or what their motivation might be. Without this knowledge, you can’t tell if they want money in exchange for stopping the attack or if the attack is a diversion to occupy your security team while your network is being penetrated and commercial secrets are stolen. In the aftermath of a network breach it can also be incredibly useful to know some information about the likely attackers. That’s because knowing who they were – or just where they were from – can help you carry out a more accurate damage assessment exercise. This knowledge can guide you where to look for signs of data compromise, and what other specifics (such as exploit kits or Trojans that may have been left behind) to search for.

Knowing who you have been attacked by can also shed some light on why they may have attacked you, what they were after and what the likely consequences for your business may be. For example, a common cybercriminal may be after any data that they think they can resell (such as customer credit card details), while a foreign competitor or so-called “state-sponsored” hackers may be after specific technical information. “If you can attribute an attack to a particular adversary you can understand their motivations, their capabilities and their infrastructure,” says Kyle Ehmke, a threat intelligence analyst at Virginia-based security company ThreatConnect. “If you can understand the ‘how’ and the ‘why’ then that can be very valuable information.”

Knowing who has attacked you can help you formulate your future security plans and decide how best to allocate your security budget going forward. For example, if you believe that you were the victim of a targeted attack and the hackers did not succeed in exfiltrating everything that they were after, then you may decide to beef up your security specifically to protect those assets that you think they are most likely to come back for. The ability to attribute an attack to a particular group becomes even more important when it comes to major security breaches. So how do security experts go about identifying hackers and where they are from?

FORAGING IN FORUMS
The first thing to understand is that attribution is very hard. You can’t just look at the apparent source of an attack, because it will almost certainly be passing through at least one proxy, perhaps on a compromised server on the other side of the world from the attackers. Or, in the case of DDoS attacks, the traffic will come from thousands of compromised machines that may be part of a global botnet. It’s also difficult to attribute an attack to a group or country based on messages left on compromised servers or strings in a particular language found in exploit code. In part that’s because hackers tend to share, buy, copy or steal other hackers’ tools, so code with a string of Russian text could just as likely be used by Peruvian hackers or North Korean students. And for every hacker who inadvertently leaves some trace of his activity (like a string of text in Russian) there is probably another who will leave such information deliberately as a form of misdirection.

Another thing that’s important is that hackers rarely meet each other face to face. Instead they often exchange information, tools and hacked data on hacker forums – either on the web, or the more obscure darknet. Speaking at the Black Hat Europe 2016 security conference in London, Ahlberg said that in many cases the ability to attribute an attack to a particular group or individual comes down to “sloppy handle usage” on hacker forums. “We will see someone register a domain name, and use the same handle on hacker forums, on developer forums, on social networks and so on,” he says. The problem for security experts like Ahlberg is that smart hackers know about operations security (OpSec) and therefore know better than to reuse their handle in different environments. “They will do ‘handle hopping,’ changing their handles between forums, or indeed within a single forum,” he says.

IDENTIFYING PATTERNS
What can be done to overcome the practice of handle hopping? A possible solution is to apply a dose of mathematics and carry out a Pattern of Life analysis, which Wikipedia defines as “a method of surveillance specifically used for documenting or understanding a subject’s (or many subjects’) habits. This information can then be potentially used to predict future actions by the subject(s) being observed.” In fact, Pattern of Life analyses can be carried out on all kinds of data sets, ranging from crime statistics to Uber rides, to spot certain patterns of behaviour, Ahlberg says. Predictable behaviour patterns can be found in cybercrime. Ahlberg’s company ran an automated system that collected data on 750 criminal or hacker forums on the web and the darkweb that use seven different languages, including Chinese, Russian and Arabic. Data on 1.4 million handles was processed and indexed, with some interesting results. In addition, by looking at the language used in different forums, it is possible to extract other information from the captured data.

However, while some level of attribution is possible, it is very much an inexact science. But using techniques such as Pattern of Life analysis, the security community is increasingly able to shed some light on the “who?” and “why?” of cyber-attacks, and it is information that enterprises can take advantage of to minimise the damage when intrusions do occur and to help keep themselves safer in the future.
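The article describes Pattern of Life analysis only in outline. As an added example (not the article's or any vendor's method), the block below shows the core of one such comparison on constructed forum posts: each handle gets a 24-bin hour-of-day posting profile, profiles are compared with cosine similarity, and a high score between two handles is reported as a lead for an analyst to verify, not as an identification. Handles, forums and timestamps are all made up.

```python
"""Added example: toy Pattern of Life comparison across forum handles.

Builds a 24-bin hour-of-day posting profile per handle and compares the
profiles with cosine similarity. A high score across different handles is a
lead for an analyst, not proof that one person sits behind both. The posts
below are constructed; no real forum or person is referenced.
"""
from collections import defaultdict
from datetime import datetime
from itertools import combinations
from math import sqrt

# Constructed posts: (handle, forum, UTC timestamp). Two handles keep night-owl
# hours on different forums; a third posts during the working day.
POSTS = [
    ("nightowl", "forum-a", "2016-11-01T01:10:00"),
    ("nightowl", "forum-a", "2016-11-02T02:45:00"),
    ("nightowl", "forum-a", "2016-11-03T03:05:00"),
    ("nightowl", "forum-a", "2016-11-04T02:20:00"),
    ("nightowl", "forum-a", "2016-11-05T01:50:00"),
    ("darkfox",  "forum-b", "2016-11-02T02:30:00"),
    ("darkfox",  "forum-b", "2016-11-03T01:15:00"),
    ("darkfox",  "forum-b", "2016-11-04T03:40:00"),
    ("darkfox",  "forum-b", "2016-11-06T02:05:00"),
    ("dayjob",   "forum-b", "2016-11-02T09:00:00"),
    ("dayjob",   "forum-b", "2016-11-03T10:30:00"),
    ("dayjob",   "forum-b", "2016-11-04T11:10:00"),
    ("dayjob",   "forum-b", "2016-11-05T14:45:00"),
]


def hour_profiles(posts):
    """Map handle -> 24-bin share of that handle's posts per UTC hour (sums to 1.0)."""
    counts = defaultdict(lambda: [0] * 24)
    for handle, _forum, ts in posts:
        counts[handle][datetime.fromisoformat(ts).hour] += 1
    return {h: [c / sum(bins) for c in bins] for h, bins in counts.items()}


def cosine(a, b):
    """Cosine similarity of two equal-length vectors; 0.0 when either is all zeros."""
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = sqrt(sum(x * x for x in a)), sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def candidate_links(posts, threshold=0.9):
    """Handle pairs whose activity profiles are at least `threshold` similar, best first.

    Pairs on the same forum are kept too, since handle hopping also happens
    within a single forum.
    """
    profiles = hour_profiles(posts)
    forums = defaultdict(set)
    for handle, forum, _ts in posts:
        forums[handle].add(forum)
    links = []
    for h1, h2 in combinations(sorted(profiles), 2):
        score = cosine(profiles[h1], profiles[h2])
        if score >= threshold:
            links.append({"handles": (h1, h2), "score": round(score, 4),
                          "forums": sorted(forums[h1] | forums[h2])})
    return sorted(links, key=lambda link: -link["score"])


if __name__ == "__main__":
    for link in candidate_links(POSTS):
        print(link)
```

With real data the profile would also carry weekday, language and vocabulary features, and the threshold would be tuned against handles already known to be distinct.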



OPINION

AGAINST THE TIDE As the enterprise applications market expands, the number of unmanaged Software-as-a-Service (SaaS) apps is going to continue to grow, making it increasingly difficult for companies to contain the security and compliance risks. With this in mind, Al Sargent, Senior Director, OneLogin, provides ways companies can manage the risks brought on by a “SaaS tsunami.”



Every employee is on a mission to find the next SaaS application that will make their job easier. With nothing more than a credit card and an expense report, anyone within the organisation can sign up for a new application in minutes. The problem is that employees are signing up for SaaS apps without the knowledge or permission of their IT administrators. According to Gartner and Cisco, IT pros only know about seven percent of the apps in use. This means that within any given organisation there are hundreds of unsecured SaaS apps, each of which can be a potential entry point for hackers to access your corporate data. Here are eight ways organisations can manage the risks brought by unsecured SaaS apps:

FOLLOW THE MONEY
Rather than discouraging employees from purchasing the applications they need to be more efficient, IT should work with finance to create a ‘SaaS subscription’ expense category. IT will then have a better understanding of which cloud apps are in use, so they can be more effective in maintaining and strengthening security.

BUILD A COLLABORATIVE CULTURE
Employees are always going to find ways to access their favourite apps, which is why the complete restriction of outside applications is an ineffective way to reduce shadow IT. Therefore, it is ideal to make IT open to employees who request to use new productivity or communication applications – and offer to put them into a Single Sign-on (SSO) portal for faster access. When employees feel comfortable requesting to use a certain application, and IT makes it easier to access, IT will begin developing a more thorough understanding of which tools they need to secure for professional use.

SECURE THE PREMISE
Once IT determines which apps are preferred by employees and puts them into an SSO portal, IT needs to begin enforcing strong authentication around password complexity, rotation, and uniqueness, as well as around multifactor authentication (MFA). An SSO portal should be part of a larger identity and access management (IAM) solution that allows companies to monitor who is accessing which applications while ensuring each employee only has access to the apps and information they need to do their job.

DEPLOY USER AND ENTITY BEHAVIOUR ANALYTICS
IT should integrate their IAM with a cloud access security broker (CASB) to look for anomalous behaviour at their company; for instance, one identity accessing an app from two different countries. This way, when a CASB detects one of these behaviours, it can automatically take appropriate steps, including requiring MFA, terminating a session, forcing a password reset, and/or disabling an account.

TRACK APP USAGE
With hundreds of unmanaged apps in use, it’s not rare for former employees to maintain access to company information without the knowledge or consent of the IT department. Roughly 10 percent of former employees can access accounts of their former employers. For this reason, IT should connect their IAM to a security information and event management (SIEM) system to monitor for unauthorised user access to apps, and ensure that only authorised users have access to company apps.

IMPLEMENT HR-DRIVEN IDAAS
Further, IT and HR departments should work together to create an application de-provisioning plan for when employees leave the company, which includes HR-driven IAM. Once implemented, when HR changes an employee’s status to “departed” in their HR information system, the IAM automatically picks up these changes and revokes access to applications. This reduces the chances that any accounts are missed.

APPLY APP CONTROL
While encouraging employees to bring forward their SaaS applications is a crucial step in reducing shadow IT, not every app is appropriate for exchanging and accessing company data. OAuth apps are especially challenging, since their streamlined user experience makes them easy to adopt. Yet some have extensive authorisation scope, such as the ability to completely modify all of a user’s files, which can easily be an attack vector for a hacker. IT should use a CASB to track OAuth app usage, and block apps with excessive authorisation scope.

DATA PRIORITISATION
Although you’ve taken the necessary steps to manage the SaaS tsunami, shadow IT will always be a risk factor. Determine your 25 most sensitive data assets, know who and which applications can access these data sets, and monitor them regularly with your IAM and CASB solutions to look for anomalous behaviour.

Al Sargent, OneLogin
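As an added example (not OneLogin's code or any IAM, CASB or SIEM product's API), the block below runs the detection logic behind three of the steps above over constructed data: an impossible-travel check (one identity seen from two countries within a short window), logins by users HR has marked "departed" after de-provisioning should have removed them, and OAuth grants carrying excessive scope. Every user, app, scope, country and timestamp is made up, and the response table is a policy choice shown for illustration.

```python
"""Added example: SaaS-governance detections over constructed IAM data.

Implements three checks from the article: impossible travel (one identity
seen from two countries within a short window), logins by users HR has
marked "departed", and OAuth app grants holding excessive scopes.
All users, apps, scopes and countries below are constructed, not real.
"""
from collections import defaultdict
from datetime import datetime

# Constructed SSO login events: who, which app, which country, when (ISO 8601, UTC).
LOGIN_EVENTS = [
    {"user": "alice", "app": "crm",  "country": "AE", "ts": "2017-01-10T08:02:00"},
    {"user": "alice", "app": "crm",  "country": "BR", "ts": "2017-01-10T08:40:00"},
    {"user": "bob",   "app": "wiki", "country": "AE", "ts": "2017-01-10T09:15:00"},
    {"user": "carol", "app": "hr",   "country": "GB", "ts": "2017-01-10T10:00:00"},
    {"user": "bob",   "app": "wiki", "country": "GB", "ts": "2017-01-11T09:00:00"},
]

# Constructed HR roster; HR flips a leaver to "departed" (the HR-driven IDaaS step).
HR_ROSTER = {"alice": "active", "bob": "active", "carol": "departed"}

# Constructed OAuth grants. Scope names are made up; the second grant can rewrite all files.
OAUTH_GRANTS = [
    {"user": "alice", "app": "calendar-sync", "scopes": {"calendar.read"}},
    {"user": "bob",   "app": "file-helper",   "scopes": {"drive.read", "drive.write_all"}},
]
# Scopes this hypothetical organisation treats as excessive.
EXCESSIVE_SCOPES = {"drive.write_all", "mail.send_as"}

# Responses the article lists; mapping finding -> response is a policy decision.
RESPONSE = {
    "impossible_travel": "require MFA and terminate session",
    "departed_user": "disable account and force password reset",
    "excessive_oauth": "block app and revoke grant",
}


def impossible_travel(events, window_minutes=120):
    """Flag consecutive logins by one identity from different countries within the window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort as strings
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            gap = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
            minutes = int(gap.total_seconds() // 60)
            if prev["country"] != cur["country"] and minutes <= window_minutes:
                findings.append({"user": user, "from": prev["country"],
                                 "to": cur["country"], "minutes": minutes})
    return findings


def departed_user_access(events, roster):
    """Logins by identities HR has marked departed: de-provisioning missed them."""
    return [e for e in events if roster.get(e["user"]) == "departed"]


def excessive_oauth_grants(grants, excessive=EXCESSIVE_SCOPES):
    """OAuth grants holding at least one scope from the excessive set, with the offending scopes."""
    return [dict(g, excessive=sorted(g["scopes"] & excessive))
            for g in grants if g["scopes"] & excessive]


def triage(events=LOGIN_EVENTS, roster=HR_ROSTER, grants=OAUTH_GRANTS):
    """Run all three checks and attach the response the policy table prescribes."""
    actions = []
    for f in impossible_travel(events):
        actions.append((f["user"], "impossible_travel", RESPONSE["impossible_travel"]))
    for e in departed_user_access(events, roster):
        actions.append((e["user"], "departed_user", RESPONSE["departed_user"]))
    for g in excessive_oauth_grants(grants):
        actions.append((g["user"], "excessive_oauth", RESPONSE["excessive_oauth"]))
    return actions


if __name__ == "__main__":
    for user, finding, action in triage():
        print(f"{user:6} {finding:18} -> {action}")
```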



HOW TO

HOW TO MAKE SURE YOUR DATA DOESN’T CRASH AND BURN
10 tips for protecting your data while in-flight

The dangers of public Wi-Fi are already well-known, but the security issues of in-flight Internet connections are still somewhat obscure. Typically, there’s no password protection on the Wi-Fi connection, so persons with malicious intent can intercept data that’s being transmitted on the wireless network quite easily. Airplanes are unique hacking grounds, more dangerous than airports or coffee shops, as they cram passengers into one small space for hours. This gives plenty of time and opportunity for hackers to access all data that’s being transmitted over open networks. Passengers who do online banking, shopping or business emailing are especially vulnerable to identity and data theft. Devices such as the WiFi Pineapple are accessible to anyone and are particularly dangerous on flights. The Pineapple, which is small enough to be stored in someone’s carry-on, can pose as a legitimate Wi-Fi connection, so that when a user connects to Wi-Fi, they are actually connecting to a device capable of capturing their private data. Here are 10 tips to better secure your data.

1. DESIGNATE THE NETWORK AS PUBLIC
First, when a traveler connects to airline Wi-Fi, they get to designate the Wi-Fi network as Home, Work or Public. Those who choose Home network show that they trust all the people connected to the same network – which should not be the case on an airplane full of strangers. Work network should be used for a private group at work. So the safest option for airplane passengers is the Public network setting – as this option is designed to make sure your computer is not visible to other computers.

2. MAKE SURE YOU ARE CONNECTING TO AN OFFICIAL AIRLINE NETWORK
Travelers have to make sure they are connecting to the Wi-Fi network offered on the flight, and not a spoofed look-alike network with a similar-sounding name.

3. BEWARE OF KEYLOGGERS
Keyloggers work by intercepting your keystrokes between the keyboard and the computer, either through hardware or software – and you are especially vulnerable if you are e-banking on in-flight Wi-Fi. Therefore, use a password manager: instead of typing in a password to one of your more sensitive and important accounts, your password manager will have it saved for you. All you need to do is click on the account and it will be filled in for you.

4. USE STRONG PASSWORDS
Perhaps the most basic requirement for any online account set-up is using strong passwords. Weak passwords make it simple for hackers to break into your account.

5. USE A VPN
Besides these local precautions, the most effective way for a traveler to protect their data is to use a VPN. A professional VPN service encrypts all the traffic between the Internet and a device and helps hide your IP address. How does it work? Log in (the first time only) and press the ON button. The app will then choose the fastest server to connect to, in a country of your choice. Beware of free VPN service providers, which typically rely on third-party advertisers to cover their costs. Often, they are free proxy services marketed as VPNs, when in fact proxies are not encrypted (they just change your IP address, but do not encrypt your traffic).

6. USE ANTIVIRUS ON YOUR COMPUTER
Make sure your computer has one of the newest antivirus systems installed. You should have the antivirus turned on – at all times.

7. USE A FIREWALL
You have to make sure your computer’s built-in firewall is turned on, as it offers additional protection from hackers and viruses.

8. USE ANTI-SPYWARE
Anti-spyware protects from unwanted spyware programme installations, and also removes these programmes if they are installed.

9. BLOCK TRACKERS
Prevent third-party websites from tracking and following you online by using browser add-ons that block cross-site tracking. One good option is Privacy Badger, the brainchild of the Electronic Frontier Foundation (EFF).

10. EXERCISE UTMOST CAUTION
It is very likely you won’t be able to connect to a VPN on the flight: 1) in-flight Wi-Fi can be very slow, making the VPN connection that much more difficult; 2) airlines apply their own security measures, collecting passenger personal data and monitoring online activity. Considering the vulnerable nature of airplanes, it is reasonable for airlines to exercise caution. In turn, you should exercise caution and limit your activity on the web while in the sky. Avoid sensitive transactions, updating personal data, and any other activities that might expose your personal information.


OPINION

Ransomware: at your service

Ransomware is on track to net organised cybercrime more than $1 billion in 2016, not taking downtime and other costs associated with it into account. Stu Sjouwerman, CEO, KnowBe4, breaks down what Ransomware-as-a-Service is and shares best practices to protect your organisation.

Most of us already know what ransomware is – vicious malware that locks users out of their devices or blocks access to files until a ransom of some kind is paid. In the past year, however, we’ve been hearing more about Ransomware-as-a-Service (RaaS). How is this really different from typical ransomware, and does RaaS require organisations to have new forms of protection?

RANSOMWARE-AS-A-SERVICE
RaaS is a variant of ransomware that is designed to be user-friendly and easy for cybercriminals to deploy, and it has thus become a popular model among cybercriminals. It piggybacked on the extremely successful Software-as-a-Service model, then added a dark twist. How does it work? Anyone can access a Dark Web TOR site, register with a Bitcoin address, then customise and download their own version of the malware. They can run multiple campaigns with different Bitcoin addresses. The executable can be spread with the usual infection vectors: massive spray-and-pray phishing campaigns, targeted spear-phishing, malvertising with poisoned ads on websites compromised with exploit kits causing drive-by downloads of the RaaS executable, manually hacking Linux servers or brute-forcing terminal servers. The original developers take a 25 percent cut of any ransom collected, while the rest goes to their criminal affiliate. Affiliates have a console available where they can view statistics and update settings on their personal ransomware campaign.

RAAS IN REAL LIFE
Ransom32
While we saw RaaS campaigns in 2015 (TOX, Fakben and Radamant), they have grown in popularity in 2016. Beginning in January, thanks to BleepingComputer, we became aware of a new strain called Ransom32: it was fully developed in JavaScript, HTML and CSS, which potentially allowed for multi-platform infections after repackaging for Linux and Mac OS X. Using JavaScript brought us closer to the ‘write-once-infect-all’ threat.

Petya/Mischa
The cyber mafia behind the Petya/Mischa ransomware launched its RaaS offering in late July 2016. It paid ‘distributors’ a part of the ransom that was extorted from victims and increased payouts to up to 85 percent of the ransom if they hauled in more than 125 bitcoins. Conversely, if a ‘distributor’ only collected 5 bitcoins, they could keep only a paltry 25 percent. As pointed out again by BleepingComputer, this new RaaS business model was, unfortunately, encouraging people to distribute the ransomware since they stood to receive a solid payday.

Cerber
In March 2016, Cerber, a sophisticated ransomware, debuted. By September it had matured, and a massive and more sophisticated Cerber ransomware campaign was delivered through somewhat unusual phishing emails. Because it was a RaaS model, users could encounter Cerber campaigns being run by a number of malicious actors through a variety of attack vectors. The malicious emails were noteworthy for several reasons, including a series of different, yet remarkably similar, subject lines and social engineering hooks. Additionally, a password-protected Word document foiled easy detection by anti-virus scan engines, and lent the user experience an air of additional security, reinforcing the sense among gullible users that the document they were handling was, in fact, safe.

PROTECTING AGAINST RAAS
Ransomware is now so successful and profitable that it has drawn in the largest, well-funded malware mafias, who continue to furiously innovate in an attempt to grab market share from each other. For every under-skilled, overly confident new entrant into the ransomware market there is at least one extremely clever group of malicious actors capable of building effectively uncrackable crypto-prisons for your company’s data. And when your data goes to malware jail, your organisation suffers downtime, data loss and possible intellectual property theft, and in certain industries like healthcare, ransomware infections are now considered a possible HIPAA violation resulting in heavy fines. Protecting against RaaS is really the same as protecting against any form of ransomware. With every new ransomware strain, it becomes increasingly important to shore up and mobilise your company’s last line of defence: your end-users. That means ensuring they have been given effective security awareness training to identify social engineering red flags, whether they come through malvertising on exploit-laced web pages or deviously crafted phishing emails that make it through your filters. As part of training, consider utilising simulated phishing attempts that allow you to send links, attachments with Word docs with macros in them, or even text messages asking for credential changes, so you can see which users are fooled by which methods.

Beyond training your users, here are other things you can do to protect your organisation from RaaS or ransomware in general:
• Your best protection remains a solid and proven backup strategy, with regular off-site copies. If you can take snapshots every 10 minutes, so you can roll back what you need, you’ve nearly erased the threat.
• From here on out, with any ransomware infection, wipe the machine and re-image from bare metal.
• If you have no Secure Email Gateway (SEG), get one that does URL filtering and make sure it’s tuned correctly.
• Make sure your endpoints are patched religiously, OS and third-party apps.
• Make sure your endpoints and web gateway have next-gen, frequently updated (every few hours or more often) security layers.
• Identify users that handle sensitive information and enforce some form of higher-trust authentication (like 2FA).
• Review your internal security policies and procedures, specifically those related to financial transactions, to prevent CEO fraud.
• Check your firewall configuration and make sure no criminal network traffic is allowed out.

Stu Sjouwerman, KnowBe4
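The macro malware prediction earlier in this issue and the Cerber password-protected Word document above describe the same gateway gap: Office attachments are allowed through, and a scanner cannot open what it cannot decrypt. As an added example (not KnowBe4's, Mimecast's or any Secure Email Gateway's code), the function below triages an attachment by its container rather than its file name; the sample files are constructed in memory, and the verdict labels and hypothetical policy are this example's own.

```python
"""Added example: Office attachment triage for an email gateway.

Decides by container type, not file name: OOXML (zip) documents are allowed
unless they carry a VBA project; OLE containers holding an EncryptedPackage
stream are password-protected and cannot be scanned, so they are held; other
OLE files (legacy .doc/.xls) go to deeper scanning. Samples are constructed.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file header (legacy Office, encrypted OOXML)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.xlsx/.pptx) is a zip archive
# OLE directory entry names are stored as UTF-16LE; this stream holds the encrypted OOXML payload.
ENCRYPTED_STREAM = "EncryptedPackage".encode("utf-16-le")
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "pptm", "ppsm"}
OOXML_EXTENSIONS = {"docx", "dotx", "xlsx", "xltx", "pptx", "ppsx"} | MACRO_EXTENSIONS


def classify_office_attachment(filename: str, data: bytes) -> dict:
    """Return {"verdict": "allow" | "hold" | "deep-scan", "reason": ...} for one attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                parts = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return {"verdict": "hold", "reason": "corrupt OOXML container"}
        # word/, xl/ and ppt/ all store the macro project under this name.
        if any(p.endswith("vbaproject.bin") for p in parts):
            return {"verdict": "hold", "reason": "document carries a VBA macro project"}
        if ext in MACRO_EXTENSIONS:
            return {"verdict": "hold", "reason": "macro-enabled extension"}
        return {"verdict": "allow", "reason": "OOXML without VBA project"}
    if data.startswith(OLE_MAGIC):
        if ENCRYPTED_STREAM in data:
            return {"verdict": "hold", "reason": "password-protected document cannot be scanned"}
        if ext in OOXML_EXTENSIONS:
            return {"verdict": "hold", "reason": "extension/content mismatch"}
        return {"verdict": "deep-scan", "reason": "legacy OLE binary document"}
    return {"verdict": "deep-scan", "reason": "unrecognised container"}


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like archive (a real document has many more parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_encrypted_ole() -> bytes:
    """Constructed stand-in for an encrypted OOXML wrapper: OLE header plus the stream name."""
    return OLE_MAGIC + b"\x00" * 504 + ENCRYPTED_STREAM + b"\x00" * 32


if __name__ == "__main__":
    samples = [
        ("invoice.docx", build_ooxml(with_macro=False)),
        ("invoice.docx", build_ooxml(with_macro=True)),
        ("invoice.docx", build_encrypted_ole()),
        ("old-report.doc", OLE_MAGIC + b"\x00" * 64),
    ]
    for name, blob in samples:
        verdict = classify_office_attachment(name, blob)
        print(f"{name:16} {verdict['verdict']:9} {verdict['reason']}")
```

A production gateway would parse the OLE directory properly rather than searching bytes, and would pair the "hold" verdict with the user notification and release workflow the SEG already provides.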



OPINION

5

REASONS WHY WEB GATEWAYS AREN’T BULLETPROOF Over reliance on Web gateways is putting data, users, customers, organisations and reputations at risk. Guy Guzner, CEO and Co-Founder, Fireglass explains the why Web gateways aren’t bulletproof.

L

ike the threat landscape itself, web gateways have changed over the years. Today, web gateways do much more than enforce regulatory compliance and HR policies – organisations rely on web gateways to thwart Internet-borne threats. However, although web gateways have been around for decades and continue to evolve, they are not bulletproof, 34

01.2017

and over-reliance on them presents various risks.

1

URL filtering is always behind the curve 571 new websites are created every second, which generates a high volume of domains and increases the chance that some will be missed by security controls. Adding to this is the fact that many URLs used by attackers are triggered only by their targets, are

short lived (less than 24 hours), and use dynamic domains which are harder to thwart than static ones.

2

Blocking uncategorised Websites isn’t the answer Blocking uncategorised sites dramatically reduces enduser productivity. Not only is this intolerable for end users – security teams are forced to deal with an onslaught of support tickets for users www.securityadvisorme.com


who legitimately need to access information which web gateways are unable to classify. This setup leads to “policy rule hell,” which is where security teams find themselves when they must maintain a growing – and indeed painful – number of policies and rules.

3 Even “safe” websites infect visitors

The belief that infections occur only through websites that are categorised as suspicious or malicious is false. On the contrary, Forcepoint (formerly Websense) estimates that 85 percent of infections occur through legitimate and “safe” websites. The so-called safe websites are often used to serve up malicious content from other sources over which they have little or no control. A good example is malvertising, which injects malicious ads into legitimate online advertising networks that are later served by publishers who do not know whether the ads are malicious. Another example is when attackers leverage vulnerabilities in the sites themselves to get them to serve malicious content. This happened when the Forbes Thought of the Day widget was breached by Chinese threat actors targeting US-based defense contractors.

4 Malicious files blow past web gateways

Some web gateways integrate antivirus engines and other file scanning services; however, these are less effective in detecting malware. Antivirus scanners detect only 20 percent to 30 percent of malware. Leveraging sandboxes is also ineffective, as they require time to run and analyse files. To avoid impacting user experience, web gateways often pass files to users while sandboxes complete their analysis in the background, a practice called second time prevention – which essentially means users are exposed to attacks.

5 Web gateways cannot neutralise malware on infected machines

Gateways have a very hard time differentiating between legitimate and malicious traffic, or detecting and neutralising malware on infected machines. In fact, it is now well known that upon reaching an endpoint, advanced threats can go undetected for weeks or even months. Indeed, recent research has found that 80 percent of web gateways failed to block malicious outbound traffic. Remote Access Trojans (RATs) represent another clear example of how web gateways fail to detect and stop malicious traffic.
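Point 5 above says gateways rarely catch the outbound traffic of an already-infected machine, RAT command-and-control being the obvious case. One check a defender can run on the gateway's own egress logs, which a per-request URL category lookup never performs, is to look at request timing per client and destination: implants tend to poll on a fixed interval with little jitter, while human browsing is bursty. The following is an added example, not code from Security Advisor or from any vendor named in the article. The log format, the sample lines and the 203.0.113.10 address are all constructed for the example; the thresholds `min_hits` and `max_cv` are assumptions to tune against real traffic.

```python
"""Flag periodic outbound connections ("beaconing") in web-proxy logs.

Added example (not from the page or any vendor on it). Groups requests by
(client, destination host) and flags pairs whose inter-request intervals are
unusually regular: coefficient of variation (std dev / mean) <= max_cv.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample log: "timestamp client_ip method url status bytes".
# 10.0.0.5 browses a news site (bursty); 10.0.0.7 posts to 203.0.113.10
# roughly every 60 seconds, the pattern a polling implant would produce.
SAMPLE_LOG = """\
2017-01-09T08:00:00 10.0.0.5 GET http://news.example.com/index.html 200 51200
2017-01-09T08:00:01 10.0.0.5 GET http://news.example.com/style.css 200 8192
2017-01-09T08:00:02 10.0.0.5 GET http://news.example.com/app.js 200 30000
2017-01-09T08:00:03 10.0.0.5 GET http://cdn.example.net/logo.png 200 2048
2017-01-09T08:00:00 10.0.0.7 POST http://203.0.113.10/gate.php 200 312
2017-01-09T08:01:00 10.0.0.7 POST http://203.0.113.10/gate.php 200 310
2017-01-09T08:02:01 10.0.0.7 POST http://203.0.113.10/gate.php 200 315
2017-01-09T08:03:00 10.0.0.7 POST http://203.0.113.10/gate.php 200 311
2017-01-09T08:04:00 10.0.0.7 POST http://203.0.113.10/gate.php 200 313
2017-01-09T08:05:01 10.0.0.7 POST http://203.0.113.10/gate.php 200 309
2017-01-09T08:10:00 10.0.0.5 GET http://news.example.com/article?id=7 200 40960
2017-01-09T08:47:12 10.0.0.5 GET http://news.example.com/article?id=9 200 41000
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, client, destination host)."""
    ts, client, _method, url, _status, _size = line.split()
    return datetime.fromisoformat(ts), client, urlsplit(url).hostname


def beacon_candidates(log_text, min_hits=5, max_cv=0.2):
    """Return [(client, host, hits, mean_interval_s, cv)] for regular pairs.

    min_hits: ignore pairs with fewer requests (too little timing evidence).
    max_cv:   flag only when the gaps between requests vary by <= 20% of
              their mean; human browsing produces a far higher value.
    """
    times = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, client, host = parse_line(line)
            times[(client, host)].append(ts)

    flagged = []
    for (client, host), stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mu = mean(gaps)
        if mu <= 0:  # all requests in the same second: not a polling pattern
            continue
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            flagged.append((client, host, len(stamps), round(mu, 1), round(cv, 3)))
    return flagged


if __name__ == "__main__":
    for client, host, hits, interval, cv in beacon_candidates(SAMPLE_LOG):
        print(f"{client} -> {host}: {hits} requests, every {interval}s (cv={cv})")
```

Run as-is, the script reports only the 10.0.0.7 pair (six requests, about every 60 seconds) and leaves the bursty news-site browsing alone. In practice this runs over hours or days of logs, and the flagged pairs feed an analyst queue or an EDR lookup on the client, since the gateway itself cannot clean the infected endpoint.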


PRODUCTS

Brand: Aruba Product: Aruba 2540 Switch Series

Designed for the digital workplace, the Aruba 2540 Switch Series is optimised for mobile users. The series, according to the vendor, is equipped with advanced security and network management tools — Aruba ClearPass Policy Manager and Aruba AirWave — which makes this layer-2 access switch easy to deploy and manage. The vendor also highlighted that it has support from cloud-based Aruba Central, so enterprises can quickly set up remote branch sites with little or no IT help. What you should know: Among the key features of the series are enhanced access security, ACLs, traffic prioritisation, sFlow, and IPv6 host support. The Aruba layer 3 switches (29xx/3810/5400) are also capable of user-based and port-based wired traffic tunneling to an Aruba Mobility Controller so that policies can be applied, advanced services can be extended, and traffic can be encrypted to secure the LAN, further reducing risk to networks. It also allows remote deployment with Aruba Central, and a unified wired and wireless experience with Aruba ClearPass Policy Manager and AirWave Network Management. The Aruba 2540 Series also supports Zero Touch Provisioning and optional cloud-based management to allow enterprises to simplify and slash network deployment and management costs.

Brand: Axis Product: Q35 Network Camera Series

Axis Communications expands and updates its Axis Q35 Network Camera Series with models based on the latest image sensor technology and enhanced processing, including Lightfinder technology, giving the devices light sensitivity and Wide Dynamic Range – Forensic Capture. Moreover, two new models with marine-grade, electropolished and coated stainless steel casing and nylon transparent dome are offered to withstand the corrosive effect of seawater and chemicals. What you should know: Axis Q3505-V/-VE/-SVE Mk II models provide HDTV 1080p video at 30 fps with WDR, and 1080p at up to 60 fps or 720p at up to 120 fps with WDR disabled. They are available with wide or telephoto lens. Axis Q3504-V/-VE cameras provide HDTV 720p at 30 fps with WDR, and up to 120 fps with WDR disabled. All new AXIS Q35 models offer remote zoom and focus capabilities as well as P-Iris control, ensuring optimal depth of field, resolution, image contrast and clarity.

Brand: Malwarebytes Product: Malwarebytes 3.0

Malwarebytes 3.0, according to the company, is a new generation of computer security. The solution combines proactive and signature-less technologies with traditional heuristics to protect users. The malware prevention and remediation company also highlighted that Malwarebytes 3.0 replaces antivirus with superior technology designed to block malware, ransomware, exploits, and other advanced threats that antivirus isn’t smart enough to stop. What you should know: Malwarebytes 3.0 employs four independent technology modules – anti-malware, anti-ransomware, anti-exploit, and malicious website protection – to block and remove both known and unknown threats. The anti-ransomware and anti-exploit modules employ signatureless technology so users are protected from advanced threats that are not yet known to traditional antivirus research labs. The solution also scans 4x faster than its predecessor, Malwarebytes Anti-Malware.


BLOG

DDOS DEFENCE: IS YOUR NETWORK PROTECTED?

By Mohammed Al-Moneer, Regional Director, MENA, A10 Networks

Distributed denial of service (DDoS) attacks are growing in both size and sophistication. In September last year, a pair of high-profile DDoS attacks reached more than 600 Gbps and 1 Tbps, respectively, ranking among the largest DDoS attacks on record. And their ferocity is only expected to trend upward.

NO ONE IS IMMUNE

DDoS attacks don’t discriminate. Mom-and-pop shops, enterprises, service providers and businesses of all types and sizes can find themselves in a threat actor’s DDoS crosshairs. According to an A10 Networks IDG Connect report, everyone is a target, but some types of businesses come under fire more frequently. Entertainment and gambling are targeted the most, with 33 percent of DDoS attacks aimed at that industry, followed by advertising media and Web content (28 percent), and traditional and online retail (22 percent).

THE DDOS EFFECT

And while the financial impact of a DDoS attack varies, the hard truth is: DDoS attacks are costing companies money. Lots of it. A recent Ponemon Institute study revealed that between 2011 and 2016, the costs associated with a DDoS attack swelled by 31 percent, with some larger attacks exceeding $2 million due to lost revenue, business disruption and other hard costs. Brand and reputation damage, however, is largely immeasurable, but can also have a catastrophic lasting effect not easily broken down into dollars and cents. At the same time, the number of DDoS attacks increased 75 percent year over year, according to the Verisign DDoS Trends Report for the second quarter of 2016. The IDG Connect report found the average company suffers 15 DDoS attacks per year (some averaging as many as 25 DDoS attacks annually), and the average attack causes at least 17 hours of disruption, whether that’s downtime, latency, denied customer access or crashes. That’s 255 hours of disruption a year. Can your business afford that?

PREVENTATIVE MEASURES

To be properly prepared, businesses must brace for the worst-case scenario. But how do you prevent something when you don’t know when, or if, it’s coming? Here are four steps to help ensure your network can stare down and stand up to a DDoS attack:

• Be proactive, not reactive. Don’t wait for a major crash. You may already be experiencing attacks with slowed or blocked customer access, which can result in lost sales or dissatisfied customers.

• Beware of the “world of denial.” Ask tough questions. What do your customer satisfaction metrics reveal? Do you see indicators of lost sales? What’s the real cost of service restoration?

• Hope for the best, but prepare for the worst. Invest in sufficient DDoS protection and mitigation solutions early, before a major attack strikes.

• Defend against all vectors. Consider dedicated multivector DDoS protection using in-path mitigation, coupled with integrated threat intelligence, for the best accuracy. Include hybrid protection with a cloud-bursting service as an extra precaution to combat volumetric attacks.


INTERCEPT X: A completely new approach to endpoint security.

Sophos Intercept X is a next-generation endpoint detection and response platform designed to stop ransomware and zero-day exploits, and provide detailed threat intelligence.

• Stop ransomware before it can take hostages

• Block zero-day attacks with signatureless anti-exploit technology

• Get easy to understand threat insight and root cause analysis

• Automate remediation and malware removal

Learn more and try for free at www.sophos.com/intercept-x


