Security Advisor Middle East | Issue 17


ISSUE 17 | MAY 2017 www.tahawultech.com

The rise of the CISO

Evolving from IT security administration to high-level risk management

User awareness training

Exploit kits

Application security



CONTENTS

FOUNDER, CPI MEDIA GROUP Dominic De Sousa (1959-2015) PUBLISHING DIRECTOR Natasha Pendleton natasha.pendleton@cpimediagroup.com +971 4 440 9139 EDITORIAL Group Editor Jeevan Thankappan jeevan.thankappan@cpimediagroup.com +971 4 440 9129 Online Editor Adelle Geronimo adelle.geronimo@cpimediagroup.com +971 4 440 9135 Contributing Editors James Dartnell james.dartnell@cpimediagroup.com +971 4 440 9153 Janees Reghelini janees.reghelini@cpimediagroup.com +971 4 440 9167 Glesni Holland glesni.holland@cpimediagroup.com +971 4 440 9134 DESIGN Senior Designer Analou Balbero analou.balbero@cpimediagroup.com +971 4 440 9140 Designer Neha Kalvani neha.kalvani@cpimediagroup.com +971 4 440 9156 ADVERTISING Group Sales Director Kausar Syed kausar.syed@cpimediagroup.com +971 4 440 9130 Sales Manager Merle Carrasco merle.carrasco@cpimediagroup.com +971 4 440 9147 CIRCULATION Circulation Manager Rajeesh M rajeesh.nair@cpimediagroup.com +971 4 440 9119 PRODUCTION Production Manager James P Tharian james.tharian@cpimediagroup.com +971 4 440 9159 Operations Manager Shweta Santosh shweta.santosh@cpimediagroup.com +971 4 440 9107 DIGITAL SERVICES Web Developer Jefferson de Joya Abbas Madh Photographer Charls Thomas Maksym Poriechkin webmaster@cpimediagroup.com +971 4 440 9100 Published by

Registered at Dubai Production City, DCCA PO Box 13700 Dubai, UAE Tel: +971 4 440 9100 Fax: +971 4 447 2409 Printed by Printwell Printing Press Regional partner of

© Copyright 2017 CPI. All rights reserved. While the publishers have made every effort to ensure the accuracy of all information in this magazine, they will not be held responsible for any errors therein.

THE RISE OF THE CISO
Security Advisor ME explores why the CISO’s role is more varied and critical than ever before.

IGNORANCE IS ‘NOT’ BLISS
We take a look at the growing importance of user awareness training programmes for today’s organisations.

GETTING TO THE POINT
Carbon Black’s Michael Viscuso and Westcon Security’s Ian Jones spell out the trends influencing endpoint protection.

SECURE APPS, NOT THE CLOUD
Mike Kail, chief innovation officer, Cybric, explains why the application stack is the new perimeter organisations need to protect.

THE RISE OF EXPLOIT KITS
Infoblox’s Cherif Sleiman looks into the types of vulnerabilities that exploit kits target.

A WAY TO BETTER SECURITY
Ray Rothrock, Chairman and CEO, Redseal, discusses how digital resilience coupled with world-class prevention can be your best line of defense.

WHEN PHYSICAL MEETS CYBER
How can we get physical security experts to take IT security seriously, and vice versa?


NEWS

CAREEM TO INTRODUCE FACIAL RECOGNITION TECH

Dubai-based ride-hailing company Careem has announced the integration of facial recognition technology to its technological framework to ‘set a new benchmark in passenger safety.’ Powered by Digital Barriers, a provider of intelligent security solutions across the globe, the backend biometric identification system enables Careem to confirm its Captains’ identity in real-time, eliminating all risks associated with fraudulent car ownership and possession.

Magnus Olsson, co-founder and chief experience officer, Careem, said, “When customers rely on a ride-hailing service or any other mode of transportation to go from point A to point B, they are also placing their trust on the service provider for their safety and security. In our efforts to simplify people’s lives in the region, safety plays an unprecedented role and the integration of Digital Barriers’ facial recognition technology will further bolster the confidence and faith our users have in the Careem brand.”

Secured by a robust verification process that validates every Captain’s identity with their assigned car, users are assured of being in safe hands at all times, with the technology providing Careem with round-the-clock Captain authentication capabilities.

$1.2 billion: estimated value of Saudi Arabia’s access control market by 2020


PEGASUS, HUAWEI SIGN MOU FOR SAFE CITY SOLUTIONS

Pegasus, a DarkMatter company, has entered a memorandum of understanding (MoU) with Huawei to develop and deploy joint smart and safe city Big Data solutions tailored to customer requirements. The agreement will see the companies jointly develop technology and professional capabilities, including but not limited to products and services leveraging Huawei’s Public Safety Cloud solution and Pegasus’ Big Data analytics applications.

Signed during Huawei’s Global Safe City Summit 2017 held in Dubai under the theme “Leading new ICT: The road to collaborative public safety”, the MoU sees Pegasus combine its Big Data Analytics solutions; Smart City Big Data applications; and Safe City Big Data applications with elements of Huawei’s FusionInsight Big Data platform solutions to target Smart City environments and provide customers with an efficient, open, and collaborative cloud experience. Peng Xiao, CEO, Pegasus said, “This agreement with Huawei is a significant step forward in our partnership programme and our plans to go-to-market with leading entities in the cloud and data spheres. We are excited to bring the Pegasus Big Data Analytics and Smart City application capabilities to the Huawei platform. We view this MoU with Huawei as a fundamental development in helping secure Internet of Things ecosystems everywhere.”

CYBERSECURITY CONFIDENCE RISE AMONG UAE USERS

Kaspersky Lab has updated its Cybersecurity Index, a set of indicators that allow the evaluation of the level of risk for Internet users worldwide. The Index for the second half of 2016 demonstrated a positive trend: the number of people who are concerned about their security, and are ready to protect themselves against cyber threats, is constantly growing. The study is based on an online survey of Internet users around the world, conducted by Kaspersky Lab twice a year. In the second half of 2016, 17,377 respondents from 28 countries, including the UAE, were surveyed.

According to the report, 79 percent of users surveyed in the UAE do not believe that they could become cybercriminal targets, 52 percent of respondents did not use protection solutions on all their connected devices, and 44 percent of those surveyed have been affected by cyber threats in the last few months. The number of users that encountered malware remains the same at 31 percent; the costs for eliminating the consequences of infection declined from $112 to $65. The average amount of money stolen by online scammers decreased from $599 to $348.

“The Kaspersky Cybersecurity Index for the second half of 2016 shows positive dynamics which, we hope, will continue,” said Andrei Mochola, head of Consumer Business, Kaspersky Lab. “At Kaspersky Lab we are doing everything we can to tell as many people as possible about cyber threats and the ways to combat them. Our goal is to make the cyberworld safe for everybody. We are working towards a world in which people do not lose their data, their digital identity and their money because of cybercriminals’ machinations. The Kaspersky Cybersecurity Index is just one of our steps towards this goal.”



MCAFEE DISCLOSES NEW INFORMATION ON SHAMOON ATTACKS

McAfee has released evidence that a series of Shamoon malware campaigns targeting Saudi Arabia are the work of one coordinated force of attackers, rather than that of multiple independent renegade hacker groups. Results of the company’s investigations showed the evolution of Shamoon malware campaigns, from the 2012 attacks on the Middle Eastern energy sector to the latest cyber espionage campaigns of 2016 and 2017. Whereas earlier Shamoon campaigns targeted a relatively small number of energy sector organisations to disrupt the operations of the region’s critical energy industry, the more recent attacks focused on a greater number of organisations in the energy, government, financial services and critical infrastructure sectors of Saudi Arabia. The commonalities between these campaigns suggest that, rather than being the product of multiple independent hacker groups, they are more likely the product of one comprehensive cyber espionage operation on the scale one would expect from a serious geopolitical actor.

In this regard, McAfee also announced that it will increase investments and resources in cyber threat research. “Campaign investigations complete our triad of research capabilities focused on keeping the digital world safe,” said Steve Grobman, chief technology officer, McAfee. “We are committed to bringing together world-class threat intelligence, vulnerability research, and investigative expertise to provide customers more insights into how specific malicious actors develop and wage cyber-attacks.” The company also aims to increase its engagement with law enforcement and academia, including coordinated efforts to take down criminal networks, develop new approaches to fighting cybercrime, and recruit more young people to join the ranks of cybersecurity professionals.

DUBAI TO INTRODUCE NEW RULES FOR DRONE OWNERSHIP

The Dubai Civil Aviation Authority has announced that it will be implementing new mandates that will require UAE residents and visitors to acquire a licence and complete a training course before they operate a drone they purchased. The new ruling will come into effect after 40 days as a new law, according to the government firm. The move is to ensure airport, airplane and passenger safety. In a report by The National, Michael Rudolph, head of the authority’s airspace safety section, said, “Each registration will be vetted for security and their skill level will also be tested by approved bodies.”


When buying a drone, a customer will be given a receipt and leaflet explaining the registration process. They then must enroll in an approved training course and submit the certificate to the authority. Once this and a security clearance is complete, the customer can receive the card and return to the retailer to collect the drone. According to The National, a “Sky Commander” tracking device must also be attached to any drone cleared to fly in approved zones. In case of an alert, Dubai aviation officials can contact the operator to ask about a violation or order an end to the flight. All information will be stored in the operator’s records. Stiff fines of up to AED 20,000 for unregistered drone users come into effect in May, following regulations approved by Sheikh Hamdan bin Mohammed, Crown Prince of Dubai.

GOOGLE ADDS ‘FACT-CHECKING’ TAG TO NEWS AND SEARCH RESULTS

Google has recently rolled out a new fact-checking tool, which will highlight articles in its search and news results that have been vetted and identified as factual or fabricated. The new search feature, which was first introduced to Google News in the UK and US in October, will now be shown as an information box for search results as well as news search results globally. According to reports, Google has on-boarded third-party websites like Politifact and Snopes for the feature. The fact check tool also includes a link so users can provide feedback in case they think something is wrong.

In a statement published by Bloomberg, Google mentioned that it is also opening up the system to publishers including The Washington Post and The New York Times. “These fact checks are not Google’s and are presented so people can make more informed judgments,” Google said. “Even though differing conclusions may be presented, we think it’s still helpful for people to understand the degree of consensus around a particular claim and have clear information on which sources agree.”

A number of Internet companies faced scrutiny over the last few months over the influence of misinformation, or ‘fake news’, on various sites. In Europe, the government of Germany has recently signed a bill that will impose a fine of up to EUR 50 million on Internet sites that fail to properly police and remove offensive and/or fabricated content.



COVER STORY

THE RISE OF THE CISO

The CISO role is more varied and critical than ever before. It is no longer about just managing firewalls or patching systems, but rather a role that entails both technical and business skills.



FEATURE

Information security is no longer a luxury but a necessity today. For a long time, the security function was within the purview of the CIO. However, CIOs have so many projects and plans on their plate that they let slide their responsibilities to beef up the security of their systems or ensure the integrity of the networks and devices they already have in place. Moreover, a CIO may not have the technical acumen and expertise to stay on top of the evolving nature of the security landscape.

Though the role of CISO has been around for a couple of decades, many enterprises in the Middle East still don’t have a dedicated executive focused on cybersecurity. But fallout from recent prominent security breaches and the increasing visibility of information security in general might change that soon.

If you already have a CIO or CTO, why do you need a separate C-suite role for security? It is about prioritising both the business and security of information, infrastructure and data, and minimising risks to all of these before a breach occurs.

“Globally, regulators started demanding that companies should have a decided security executive, giving rise to the CISO role. There is a growing realisation among enterprises that information security is not about technology but about managing risks. This shift in perception is resulting in the creation of the CISO function,” says Hariprasad Chede, CISO, National Bank of Fujairah.

Deloitte says that the CISO today must have four ‘faces’: the strategist, the adviser, the guardian (protecting business assets by understanding the threat landscape and maintaining security programmes) and the technologist.

The consultancy firm found that CISOs on average spend 77 percent of their time as ‘technologists’ and ‘guardians’ on technical aspects of their positions, although they would like to reduce this to 35 percent – a sign of the times perhaps.

CISOs are hard to hire because there are far too few business executives with the right mix of business and technical chops. Companies should hire CISOs who strike the right balance of business leader and risk assessor, says Chris Patrick, head of global CIO practice, Egon Zehnder. “You want someone who can architect a comprehensive security architecture and explain it clearly to the board when called to do so. And you want someone who can coordinate communications among the C-suite, general counsel, media relations and other necessary parties to respond to a cyber incident,” says Patrick.

Egon Zehnder consultant Kal Bittianda says a CISO must understand issues and know what data is important to protect, but they needn’t be the most tech-savvy leader on staff – that is, familiar with all of the latest detection analytics and other emerging technologies. Bittianda says it is better to hire a strong executive who has the ability to influence key strategic leaders in the business, and surround him or her with technical whizzes who know what tools to apply and how.

There is a strong demand for security pros who are as much, if not more, skilled in communications, business management, and explaining risk to executives in business terms. “As more security capabilities are automated, and more risk is transferred to third parties and managed security services, security pros are going to need to be able to broadly define these risks to business leadership and provide the best solutions to meet that risk, help quantify the risks of different IT architectures to management, and provide guidance on the people, tools, and processes necessary to manage that risk,” says Brian Honan, founder, BH Consulting.

While there is no disagreement on what companies should look for in a CISO, there is a little debate about to whom the CISO should report. “The prevailing recommendation is that the CISO absolutely should not report to the CIO. Having the CISO report to the IT organisation is an inappropriate segregation of duties. However, the fact is that between 40 percent and 60 percent of CISOs do report to the CIO or IT executive, depending on industry. And in some industries there is a clear trend toward this reporting structure,” says John Kirkwood, chief information security and strategy officer, Security Innovation.

Meanwhile, Tushar Vartak, director, Information Security, RAK Bank, says it is extremely important to ensure that a connection exists between C-level executives and CISOs. “Without this, security can remain a technical only function at large. The business impact of insecure practices may not be conveyed appropriately and is only realised post-incident. It is necessary for CISOs to understand business requirement, identify risks and recommend mitigating controls to ensure probability / impact of a breach is minimised.”

Kirkwood suggests that different organisations would require different types of CISOs, the most important one being the Business Information Security Officer (BISO).

“There is a shift today from a traditional CISO role to Business Information Security Officer (BISO). The CISO role primarily focused on technical aspects of perimeter security, data protection and enforcement of good security practices. This role today has changed to a more business centric role. The BISO is required to understand business drivers and be a partner in success of business initiatives. They are required to work closely with business stakeholders, CIO and CTOs to institute a risk-aware-culture and ensure security is embedded in all business initiatives right from the inception stage,” says Vartak.

The BISO specialises in information security issues related to the business, such as how to securely implement customer-facing technologies and how to appropriately protect customer information. A major purpose of the BISO is to ensure that the business unit or division understands that information security is a business requirement like any other. This person also assists in the implementation and translation of enterprise security requirements, policies and procedures. Additionally, the BISO should perform business security assessments or, at a minimum, coordinate between identified business-related security issues. Ideally, there should be a BISO embedded in every major business unit or division, and he or she should report to business management.




FEATURE

IGNORANCE IS ‘NOT’ BLISS

When talking about security breaches, what often comes to mind are the nefarious external attack groups. However, the biggest threats to information security could come from within the four walls of the organisation, and more often than not it’s the non-malicious, unsuspecting employee.

Security is not just about the latest technologies. It is also about the people using them. The reality is, despite the heavy investments your organisation may have made in IT security solutions, none of these systems are completely foolproof. That’s why, more than the latest products and solutions, it is also crucial that organisations invest in the people using these technologies. Ensuring that the people aspect of the security equation is strong requires that all members of your organisation have the right understanding of security. This is where security awareness programmes play a big role.

The ‘people’ problem

In November last year, the Ponemon Institute released the results of a study that surveyed 601 cybersecurity professionals, and discovered that 66 percent of respondents identified their company’s staff as the weakest link when it comes to IT security. Negligent staff, or simply employees that are unaware of basic IT security best practices, can create countless opportunities for hackers to compromise your company’s systems.

According to a separate study conducted by Cisco and GBM, risks caused by poor employee security behaviour are more the result of complacency and ignorance than malice. “Organisations today tend to insulate their employees from the scale of daily threats that people just expect the company’s security settings or teams take care of everything for them,” explains Scott Manson, cybersecurity leader, Middle East and Turkey, Cisco. Citing the study, Manson says that the report revealed that 66 percent of the employees surveyed believed their company has an IT security policy in place. However, 14 percent are not aware of it.

The role that insiders play in the vulnerability of all sizes of corporations is huge and increasing. Often, they unsuspectingly perform tasks that they deem won’t cause any damage. “Referring specifically to non-malicious users, the most common mistake they often make involves infecting the company’s network with malware by visiting malicious websites,” explains Ned Baltagi, managing director, Middle East and Africa, SANS Institute. “In addition, many employees connect their personal devices to the company network and work systems, and download applications without taking precautions or consulting their IT teams.”

Another major security blunder that employees are guilty of is using weak passwords or misusing them. But perhaps the biggest security issue involving users today is falling victim to phishing and social engineering attacks.


“Phishing attacks affect everyone across all demographics, social backgrounds, professional stature and income groups,” says Anna Collard, founder and CEO, Popcorn Training. “The fact that we are humans and respond to emotional triggers make us vulnerable to social engineering schemes that use psychological tricks to suppress our critical thinking. The schemes have also become more elaborate and could involve multiple messages, phone calls and social media requests.”

For these reasons and more, organisations need to make it a priority to educate their staff by implementing a comprehensive user awareness programme.

Addressing the threat

According to a study by IBM, 95 percent of all security incidents involve human error. The goal of a security awareness programme is to increase organisational understanding and practical implementation of security best practices.

“A solid security awareness programme must include comprehensive instructor-led training done periodically,” says Amir Kolahzadeh, CEO, ITSEC. “It should be succeeded by constant reminders through print and digital forms. It is also ideal to integrate user awareness schemes in the training and orientation programmes for new employees. Cybersecurity awareness is an ongoing process and every company should have regular sessions planned out.”

Training each and every employee to understand that they too are liable on an individual level is of critical importance, says Manson from Cisco. “Cyber-attackers have identified people as the weakest link and will continue to target them,” he says. “Looking at it from a different perspective, people are an organisation’s most important security defence. Therefore, it is optimal to invest in them to enable them to become more resilient against attackers and be competitive in the digital age.”

The programme should change user behaviour and encourage them to become more cautious and alert as well as make them aware of cybercrime techniques so they can avoid falling for them, explains Collard from Popcorn Training. “Since we are dealing with behavioural change, awareness programmes should be run like any other corporate change management project rather than an IT-driven initiative,” she says. “They need both actual training content, as well as supporting marketing communication material to reiterate messages across multiple mediums.”


Baltagi from SANS Institute concurs, adding that one of the best ways to make sure company employees will not make costly errors is to institute a company-wide security-awareness campaign. “This includes, but is not limited to, classroom style training sessions, online modular training and security awareness website(s) among others. These methods can help ensure employees have a strong understanding of company security policies, procedures and best practices.”

Identifying the topics that will have the greatest impact within the organisation is critical in planning an awareness programme. According to Baltagi, a sound security awareness training programme should consist of a combination of existing organisational policies and procedures. “It should include topics such as physical security, password security, phishing, hoaxes, malware and copyright with regards to file sharing among others,” he says. “These subjects will help give your employees an idea how security affects them, how to prevent incidents from happening and what to do in the wake of a breach.”

In addition, Kolahzadeh from ITSEC says that, currently, there are still no industry-standard best practices enforced by a governing body. “We believe awareness training must be categorised into four groups: C-Levels, managers, users and IT personnel,” he explains. “The topics should be tailored in accordance with these categories.”

Measuring the effectiveness of a user awareness programme is just as important as planning and executing it. “The onus, of course, will fall on IT teams or on the external training providers,” explains Baltagi. “Effectiveness of such programmes can be determined as a by-product of penetration testing,” he says. “While uncovering the vulnerabilities of the organisations, the Pen Test can help determine whether the employees have been putting their learnings into practice.”

Kolahzadeh agrees, saying simulation-based techniques are the most effective metrics of a programme’s success. “Proprietary tools can be deployed pre-, during and post-cybersecurity awareness campaigns to fully analyse if the campaign’s key performance indicators have been met. For example, one of our basic tools is a fake phishing campaign designed for a particular organisation where we can monitor, analyse and drill down to the person and IP address that clicked on the emails.”

As with any security scheme, user awareness training demands the investment of time and resources. Therefore, companies should also plan whether they want to carry out their programmes in-house or hire a third-party organisation.

“Running awareness campaigns in-house has the advantage of making content really relevant and aligned to the company’s culture,” says Collard. However, she explains that it takes a lot of effort to successfully create and run a security awareness campaign and requires input from both security professionals and creative communication staff. “This is why, for some, it makes sense to purchase content from companies whose sole purpose it is to create security awareness material that can be modified or adjusted to meet the needs of their respective organisation,” she adds.

Sharing the same notion, Baltagi says that in-house training is more budget-friendly, which makes it easier to carry out regularly, while external training providers specialise in delivering awareness training and their implementations are usually more comprehensive. “In short, the best security awareness programme should feature a mix of both in-house and third-party training to leverage the unique benefits of each. These teams must also work in close collaboration to ensure a comprehensive campaign,” he says.

Security training is a critical component in a company’s security strategy and is an ongoing process that needs to be modified as an organisation grows. It is also important to understand that while people are considered by many IT security pundits as the ‘weakest link’, they are still a company’s biggest asset. Therefore, investing in the expansion of their knowledge and skills in information security is fundamental to strengthening a firm’s security posture.




INTERVIEW

GETTING TO THE POINT

Michael Viscuso, co-founder and CTO, Carbon Black, and Ian Jones, divisional director, Westcon Security, spell out the trends influencing endpoint protection.

What are the new trends in advanced endpoint protection?

It’s clear that endpoints are the most coveted targets for attackers. They contain all of the sensitive information that can be directly used or monetised on underground markets. Right now we’re seeing a few key trends in endpoint security. First is the convergence of endpoint detection and response (EDR) and endpoint protection platforms (EPP). Businesses are quickly coming to the realisation that they must be able to prevent, detect and respond to advanced threats. As a result, they are leaning on vendors to provide a comprehensive solution to cover that full lifecycle of an attack. The second trend, and this may not come as a surprise to most, is the increased willingness of businesses to replace their legacy antivirus solutions, which are ineffective against modern attacks. A few years ago maybe 10-15 percent of businesses were willing to replace AV. Now that number is more like 80-90 percent.

Most enterprises want endpoint security tools that can prevent zero-day exploits and track down malware. What is Carbon Black’s approach to address this challenge?

Carbon Black has a multi-faceted approach to prevention, detection, and response. We give enterprises the flexibility to choose the solution that’s right for them, depending on their environment and needs. With Cb Defense, we offer a lightweight next-generation antivirus (NGAV) solution that combines a breakthrough prevention model with detection and response capabilities. For businesses looking to lock down critical systems and servers, we offer Cb Protection, which has been the de facto application control solution on the market for more than 10 years. And, for organisations looking to hunt down threats, we offer Cb Response, a threat hunting and incident response solution.

Do you think organisations should proceed with caution while adopting machine learning-driven security products?

Most experts are still skeptical of machine-learning driven security products, especially when they are used in siloes. Machine learning certainly has its place in security, but leading researchers are not yet willing to put all of their eggs in the machine learning basket just yet, so to speak. In a recent survey of more than 400 security researchers, 70 percent of researchers said attackers can bypass ML-driven security technologies; and nearly one-third (30 percent) said ML-driven security solutions are easy to bypass. It’s clear that skepticism still exists.

Can you tell us about your Streaming Prevention technology? Will this be part of your CB Defense endpoint protection platform?

Streaming prevention is the backbone of Cb Defense. By collecting, correlating and analysing endpoint events in real time, streaming prevention can identify and stop an attack while it builds. It does this by assessing the risk of each event in a sequence or cluster, with each new event triggering a new assessment. When the risk level exceeds an acceptable threshold, streaming prevention stops the attack automatically. Streaming prevention offers a fundamentally new approach to identifying and preventing cyberattacks. Current approaches used by legacy AV and machine-learning AV focus exclusively on files and do nothing to target an attacker’s behaviours. In contrast to legacy AV and machine-learning AV, streaming prevention monitors the activity of applications and services, including communications between processes, inbound and outbound network traffic, unauthorised requests to run applications, and changes to credentials or permission levels.

What should users keep in mind while buying endpoint security products?

Don’t be ashamed to pick the product that makes the most sense for your team or fills a gap in your tech stack. Only you can truly test applicability for your organisation. If the product becomes shelfware, it’s wasting money and not doing anything to make you safer. Pick the product that maps to your organisation’s specific requirements.

Do you think next-gen endpoint security tools will replace antivirus?

Ian Jones: As end users get to see how ineffective their traditional antivirus solutions are we will see these being replaced by next-gen endpoint security. With the threat landscape constantly evolving, enterprises need a solution that is also constantly evolving with the threat landscape and uses technology with the ability to prevent, detect and respond to those evolving threats and not rely on out of date technology that won’t even know it has been breached until the next scheduled update.

15


INTERVIEW

GETTING SECURITY RIGHT

Hani Nofal, vice president of Intelligent Network Solutions, Security and Mobility, GBM, discusses why his company is perfectly positioned to tackle the cybersecurity challenges facing the regional enterprises.

What is GBM’s expertise in security domain?

Security was the fastest growing business for GBM last year, and when we made the plans for 2017, it is still by far the business that has the highest growth expectations. Mind you, we go deep into security by the virtue of strategic partnerships we have with the likes of IBM, Cisco, F5 Networks and Blue Coat. We have been recognised by all these vendors for our security domain expertise.

Lately, there has been a market realisation that no single vendor can offer solutions that can help you keep pace with the rapidly evolving threat landscape. It’s been true in our case as a solution provider as well; we have realised that we need to work with almost everyone to offer our customers best of breed security solutions.

What we have been trying to do is to bring some real security thought leadership to this region. You get a lot of international vendors landing in our region, which is great, but very few people bring the local flavour. We have been in the region for the last 27 years, so we thought we should be able to bring that local flavour and compare our region with global enterprises. This has helped us to reshape our approach, methodology and structure. Ensuing this, we created a dedicated security business unit in January last year. Before that, we had a security practice, and our solutions were scattered. We realised that we can’t have a scattered approach, but need to tell an end-to-end security story to the market.

We have invested a lot to build real thought leadership with the help of market studies and surveys, which we do every year now. The results of this year’s study will be unveiled at this year’s GISEC, but I can give you a heads up; things are changing, and we want to reflect that and what it means for enterprises in the region. Most of the enterprises in this part of the world are going through the digital transformation journey, and they want to find real talent. I am not talking about basic CCIEs here, but security experts who can become trusted advisors to their customers. The kind of conversations that we are having with our customers are around how to build the next wave of defence centres and manage threats. Because of our relationship with IBM, we are now embedding cognitive computing capabilities into our solutions. If you go by revenues, IBM and Cisco are the biggest security players in the world today, and we are the biggest partner for both in the region. Besides, we have invested heavily in building our own skills, services and consulting capabilities.

Do you have any plans to build a Security Operations Centre?

The quick answer is yes, but with a caveat. We have seen many international and players jumping into the fray and building SOCs, and all of them have burnt their fingers, so we were lucky that we didn’t fall into this trap. There are two distinctive types of customers in the region. There are large enterprises that want on-premise capabilities when it comes to security – yes, they might pay and subscribe to threat feeds from vendors but they want their SOCs in house. Equally, they might look for experts who can run these SOCs for them and we have several such engagements. On the other hand, you can see SMEs that want to completely outsource their security operations but they would go with an IBM or Symantec.

The time to detect and respond to security incidents has become more important than ever. Is that something you can help your customers with?

You are as secured as you can be at this moment, but you will never know what will happen tomorrow. If someone wants to hack you, they will eventually hack you, either from outside or inside. I don’t think any solutions provider can commit and say that you’d never be breached. What we are bringing to the table is a 360-degree approach to security. It is not just about people, database, network or website; it is about a fabric approach that will help to classify your priorities. The customers are not the same, and the one size fits all approach doesn’t work in security. What is important for you is different from others and we help you design your security approach and defence mechanism to mitigate risks. We bring this expertise backed by the best resources and partnerships.

Do you see any synergy between your mobility and security businesses?

A lot, and it is one of the main reasons why we decided to partner with Apple. We believe iOS is the most secure operating system out there. Now, mobile devices have become a dominant attack vector, and all our customers who are digitising their businesses want to go mobile and interact with their customers through various devices. When it comes to mobility, there is hardly any discussion today that doesn’t include MDM or integration with other security systems in the back-end. We do see a lot of synergies between network, security and mobility, and it is not a coincidence that I oversee these businesses at GBM.


OPINION

SECURE APPLICATIONS, NOT THE CLOUD

Mike Kail, chief innovation officer, Cybric, explains why the application stack is the new perimeter organisations need to protect.

Cloud adoption is a strategic initiative for nearly every company today, but there is still a fair amount of fear, uncertainty and doubt around cloud security, most of it unfounded. In my experience, coding errors and application vulnerabilities are the root of most security problems, regardless of where the data resides. When it comes to cloud, you need to look past the distractions and focus primarily on securing applications.

The main difference between on-premise and cloud security is there is no longer a well-defined security perimeter that can be protected by hardware appliances. The role that (poor) application security has played in exposing vulnerabilities is more than just a hunch. Through the work of the Open Web Application Security Project, you can see the historical fact that application security vulnerabilities have been a persistent threat for years. The OWASP top 10 list of web application vulnerabilities hasn’t substantially changed over the past decade and, despite advances in firewall appliances, breaches are happening at an increasingly alarming rate.

Security appliances, by nature, cannot be as adaptive as software solutions due to their perimeter-based approach. Web Application Firewalls (WAFs) have attempted to improve security defenses via layer 7 inspection and policies, but once again, those are static, not dynamic approaches, and can often result in false positives that block legitimate traffic, or worse yet, allow malicious traffic through.

Developers versus defenders

The biggest challenge that organisations face in improving application security in a software-defined world is the rapid spread of DevOps and the emphasis on continuous integration/continuous delivery (CI/CD). And it’s a challenge that seemingly puts developers at odds with the defenders. Developers will always prioritise velocity over security, so security solutions must allow them to continue to rapidly deliver features and integrate code and application security testing seamlessly into the software development lifecycle.

Many also have a historical bias against security teams as they were often either a barrier to deployment, or the group that comes back with a litany of vulnerabilities after deployment, which makes for a challenging environment, and certainly not a collaborative one. Developers only need to be involved if there are vulnerabilities to remediate, otherwise the scanning and testing processes should be implicit to their daily activity.

A large component of the solution to this challenge is the cultural shift that needs to occur, both within development teams as well as within security teams. Developers don’t need to become security experts, but they do need to start recognising the importance of integrating security best practices into the entire software development life cycle. Defenders need to understand how to first collaborate more effectively with the development teams and how to share those best practices instead of casting blame and having contentious conversations. Empathy needs to be embraced across teams and they all need to share overall security responsibility.

To help achieve this cultural shift, organisations need to place more of an emphasis on the ‘why’ benefits of application security testing. In the past, security teams would often only articulate the ‘how’ portion of testing, and that simply doesn’t resonate with developers who have other priorities. Once developers truly understand the value of the in-line remediation process and the fact that vulnerabilities can be resolved prior to production deployment, they will be much more likely to partner with the security team.

After these cultural issues are addressed, organisations need to put a framework into place that continuously enables security as part of the software development life cycle.




INTERVIEW

THE NEED FOR SPEED

Sunil Gupta, president and COO, Paladion, explains why enterprises have to embrace rapid detection and response to combat cyber threats.

What is the new paradigm for cyber security?

Our adversaries are no longer individuals but organised gangs who are well-funded, and equipped with better technologies. They look for the weakest link, gain entries to your systems through that, and look around for financially profitable data. If you take the case of Bank of Bangladesh heist, the cyber thieves were inside the network for more than three months, before they figured out which server to strike. There is only one way to tackle them. There is no point in trying to prevent them entry so what you need to do is to sit along with them, and quickly have your technology identify what they are trying to do before they strike. This is why we believe that cyber security is now moving in a direction where speed is the new paradigm. It is all about how fast you can identify these threat actors.

It is reported that organisations in the region take around 522 days to detect threats. Can we reduce this to hours?

Yes, it is possible if you have three things – Big Data, automation and machine learning. There are several technologies being adopted in enterprises today, and each of them throws up alerts and logs. You can’t manually go through all these logs to figure out which one is important. This is where Big Data analytics can help you filter out false positives, and achieve what we call automated triaging. If you are getting 50,000 security alerts in a month, Big Data platforms can help you whittle it down to 38 alerts that really matter, connect those dots, link the relationship with them and recognise the attack patterns.

Next is automating processes, detection and response and triaging. It needs to be end-to-end because if you automate just detection and if your response is slow it wouldn’t help you achieve your security goals. While Big Data will allow you to look for that needle in the haystack, machine learning and AI will help you to set the context because the threat landscape is constantly evolving. The people element is also equally important because you need high-end security experts with cognitive skills to look at those 38 alerts.

How do you rate the maturity of security awareness in the region?

The recent high profile breaches we have seen in the Middle East have created a huge awareness and we see a sense of urgency now. People have started to realise that what they have is not enough. In fact, we have a few customers in this region for our Big Data and high-speed cyber defence platforms. The question enterprises are asking has changed from ‘why do we this?’ to ‘how do we do this?’, and that is a big change.

Is there an appetite for managed security services in the Middle East?

Many enterprises are starting to realise that building their own capabilities is not enough because of the constant evolution of threats and changing technologies. It is difficult for every organisation to invest in threat intel platforms and this is why they need to partner with companies like us. We can quickly adapt our platform when technologies evolve – if SIEM is changing tomorrow, we will build connectors for it. Or if endpoint protection technology is changing, we will adapt to that so that our client’s investment in our platform is always protected. We have a cloud based platform for SMBs and 3 SOCs in India which help actively hunt for threats. We send out advisories to our clients every week, and we are now thinking of starting an industry initiative by building a threat intelligence platform that integrates with our competitors’ platforms and make it available to all customers.

What are the threats to watch out for this year?

We believe ransomware with worms will be a dominant attack vector this year, and IoT security will be another nightmare. As we have recently seen in the US, IoT devices can be taken over, and used as bots to launch bigger attacks. This is particularly scary if you consider the fact that 20 billion devices would be connected over the next couple of years.

How strategic is this region for you?

In fact, this region accounts for a larger portion of our revenues and our plan is to grow at 50 percent. We are investing in sales and marketing to achieve this goal. Our customers have bigger security budgets now. When businesses become more and more digital, they become more to risks, and security budgets are approved these days without any cuts.


OPINION

THE RISE AND RISE OF EXPLOIT KITS

By Cherif Sleiman, VP EMEA, Infoblox

For several months now, there has been an exponential increase in the use of exploit kits to execute cyber-attacks. Even household names are not immune from this threat as the exploits available have ratcheted up in power and sophistication. Perhaps most famously, the Daily Mail’s hugely popular ‘Mail Online’ site fell victim to a ‘malvertising’ campaign that exposed millions of its readers to CryptoWall ransomware. This successful attack is believed to have its roots in an exploit kit.

The key to the growing popularity of exploit kits as the basis for cyberattacks lies in their relative ease of use: they significantly reduce the level of technical knowledge required to deliver malware and other threats. This increases the pool of potential attackers, a fact made more significant when we consider that some exploit kits have been built quite deliberately with a user-friendly interface to make it even easier to manage and monitor malware and other attacks.

Exploit kits have previously acted as a vehicle for many different forms of malware, from malvertising or click-fraud attacks, through to ransomware or malware targeting users’ online banking portals. With the relatively newfound ease of delivering an attack via an exploit kit, it is perhaps unsurprising that they have quickly become the de facto method for some cybercriminals without the technical skills or inclination to script attacks of their own creation.

Typically, the infrastructure components of an exploit kit are threefold. First, the back end which is made up of the control panel and payloads. Then there’s the middle layer, housing the exploit itself and a tool which is effectively a “drill” designed to tunnel into the victim’s back end server. Finally, the remaining ingredient is the proxy layer, which executes the exploit on the organisation’s server.

Although most exploit kits share broadly similar methodologies, differences start to creep in when we look at the types of vulnerabilities they seek to exploit, as well as the tactics used to navigate around an organisation’s defences.

Mobile: a moving target

Where once exploit kits were predominantly used to target desktop machines, the growing number of mobile devices in the world combined with an ever-expanding list of use cases, from email to mobile banking, mean that cybercriminals are increasingly switching their attention to mobile as a platform. Combine the ubiquity of mobile devices with low levels of security knowledge of most users, and mobile starts to look like a much softer target. As such, it’s not unreasonable to expect attackers to shift towards using web pages to deliver malware via a mobile browser, which is essentially the same approach as that used to deliver malware to desktop-based end points.

Once delivered successfully, the malicious cargo can now operate behind the firewall. From here, the malware can also spread to other devices on the network and connect with a command-and-control (C&C) server. Making this connection enables it to either exfiltrate data and/or download even more malicious software. This communication often requires the use of the target’s Domain Name Server (DNS), which is a good reminder of the importance of securing DNS.

Know your enemy

Some exploits are more common than others. Here’s a quick run-down of the exploit kits that should be on your radar.

RIG (variants include RIG-V, Empire Pack): RIG is currently the most active of the for-hire exploit kits. Most of the major actors transitioned to RIG after the Nuclear and Angler exploit kits shut down in mid-2016 and Neutrino went private in late 2016. RIG frequently uses randomly generated domains in the .top TLD and points to IP addresses at Russian hosting services. There are three major variants: RIG ‘classic’, RIG-V, and the Empire Pack.

Astrum, aka Stegano: First detected in 2014, Astrum was recently discovered using innovative steganographic techniques to hide attack code in the alpha-channel of images. This approach is used to sneak malicious code into advertising networks/malvertising, which results in high-profile websites exposing visitors to malicious code.

Sundown: More notable for stealing from other exploit kits than developing its own unique attacks, Sundown does have one innovation not seen with other kits: the acquisition of domains registered by innocent parties that are near expiration. Because the domains have generally been parked or used for banner-farming before being acquired by the exploit kit operators, the domains used by Sundown generally have a history of legitimate use and will not be reliably blocked by reputation-based systems.

Neutrino: Neutrino briefly became the preferred for-hire exploit kit after the Angler shutdown. Then it went private, ceasing to perform exploitation-as-a-service. This resulted in a general transition to RIG. Neutrino is still active, but at a greatly reduced level.

Defensive tactics: A standard approach won’t work

Defending against exploit kits is challenging. In addition to the administrative issues inherent in managing software updates in a large enterprise, new vulnerabilities are discovered frequently, and new exploits are constantly being developed to take advantage of those vulnerabilities. There are two common approaches to defending against exploit kits that many companies employ today:

Intrusion prevention/detection systems (IPS/IDS), which use signatures to scan network traffic for known attack code, are the most popular approach. However, the effectiveness of this approach is dependent on having a set of current signatures that will reliably identify and block attacks, without interfering with legitimate network traffic. The constant development of new exploits reduces the effectiveness of signature-based defenses, which rely on recognising the exploit code used to exploit the system.

Blacklisting malicious domains to block traffic to them is almost totally ineffective, as the domains used to serve attack payloads are deployed and discarded over a very short timeframe (often less than an hour), while block lists typically are updated every 24 hours. The exploit kit operators frequently hack websites to add hidden links to the exploit kits, or sneak malicious links into advertising networks, so even high-profile websites maintained by a team of professional full-time webmasters can be dangerous.

More effective together: A multilayered strategy

As the sophistication of exploit kits has increased, it’s gotten to the point that no one defense is effective on its own. Multiple layers are required for adequate protection that includes protected endpoints and an IPS/IDS with current signatures to identify and block known attack code. Importantly, this should be backstopped by an IP Policy RPZ containing the IP addresses of known attack servers, to block any DNS lookups that resolve to the hostile IP address, regardless of the specific hostname being looked up. (An RPZ, or “response policy zone,” is a file that contains information about malicious IP addresses, and instructs the DNS server how to treat requests according to policies set by the administrator.) Targeting IP addresses versus domains is more effective, as they typically are active for hours or days – versus minutes – before disappearing.
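The IP Policy RPZ described above, as an added example that is not from the original article or from Infoblox: Python that turns a feed of attack-server addresses into RPZ-IP trigger records in the zone-file syntax used by BIND-style response policy zones, and checks a DNS answer against the policy the way a resolver would, by address rather than by hostname. The feed contents, hostnames and SOA/NS values are constructed assumptions, and only IPv4 triggers are encoded.

```python
import ipaddress

# Constructed sample feed: documentation address ranges, not real indicators.
CONSTRUCTED_FEED = """
# attack-server addresses (constructed)
198.51.100.7
198.51.100.7          # duplicate entry
203.0.113.0/25
203.0.113.128/25      # adjacent to the line above; the two merge into a /24
not-an-ip
2001:db8::1
"""


def parse_feed(text):
    """Return (collapsed IPv4 networks, rejected entries) from a feed."""
    networks, rejected = [], []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()   # drop comments and padding
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)               # malformed: never guess
            continue
        if net.version != 4:                     # this example is IPv4 only
            rejected.append(entry)
            continue
        networks.append(net)
    # collapse_addresses removes duplicates and merges adjacent ranges
    return list(ipaddress.collapse_addresses(networks)), rejected


def rpz_ip_owner(net):
    """RPZ-IP owner name: prefix length, then the octets in reverse order."""
    octets = str(net.network_address).split(".")
    return "{}.{}.rpz-ip".format(net.prefixlen, ".".join(reversed(octets)))


def build_zone(networks, serial):
    """Render a policy zone; 'CNAME .' is the RPZ action that returns NXDOMAIN."""
    lines = [
        "$TTL 300",
        # SOA/NS values are placeholders (assumption); RPZ only needs them to load
        "@ IN SOA localhost. hostmaster.localhost. "
        "({} 3600 600 86400 300)".format(serial),
        "@ IN NS localhost.",
    ]
    lines += ["{} CNAME .".format(rpz_ip_owner(n)) for n in networks]
    return "\n".join(lines) + "\n"


def answer_is_blocked(answer_ips, networks):
    """True if any address in a DNS answer falls inside a listed network."""
    return any(
        ipaddress.ip_address(ip) in net for ip in answer_ips for net in networks
    )


if __name__ == "__main__":
    nets, rejected = parse_feed(CONSTRUCTED_FEED)
    print(build_zone(nets, serial=2017050101))
    print("rejected feed entries:", rejected)
    # Two constructed hostnames, one throwaway and one long-lived, that both
    # resolve into a listed range: the policy blocks both without ever
    # having seen either name.
    constructed_answers = {
        "x7f3kq.example.top": ["203.0.113.77"],
        "old-parked-domain.example.com": ["203.0.113.77"],
        "intranet.example.org": ["192.0.2.10"],
    }
    for name, ips in constructed_answers.items():
        print(name, "->", "BLOCK" if answer_is_blocked(ips, nets) else "allow")
```

Review the rejected entries before publishing the zone: a malformed feed line silently dropped is a gap in the policy, and an overly broad prefix blocks every hostname that resolves into it.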



INTERVIEW

TAKING THE LEAD

Juan Miguel Velasco, founder and CEO, Aiuken Solutions, talks about why managed security is a compelling business proposition for regional enterprises.

What does Aiuken bring to the table for customers?

When we started Aiuken around six years ago, we believed cloud was going to play a dominant role in the IT market. Back then, cloud was a mysterious thing to big companies and we strongly believed that cloud infrastructure will be the next security perimeter, which needs to be protected. So we started building services around that. Fortunately, we were right. The penetration of cloud is huge now, and cloud perimeter protection services have evolved over time.

If you look at attacks like DDoS, it is impossible to prevent it outside the cloud because it is distributed in nature and the way telcos operate. As long as telecom service providers continue to make money from peering agreements, they will not protect you from DDoS attacks for the simple reason that more traffic means more money for them. Meanwhile, DDoS attacks continue to grow. We try to convince people that cloud can be a secure place if you take advantage of the tool we provide. We have two security operations centres in Spain and one in Latin America, and we are building a new SOC here in the UAE. We see an opportunity in this market.

When you say cloud security, is it primarily to secure the public, private or hybrid cloud?

All three. We realise that some countries have unique regulations for cloud in this region when it comes to moving workloads to public cloud environment. But, private cloud can also take advantage of the same public cloud technologies and solve data residency issues.

You don’t actually offer a hardware solution?

Not really. Appliance philosophy is good, I respect it but I don’t trust it. If you develop something then you should be able to deploy it in every hardware. Hardware is going to be useless in five years. As long as you have connectivity and data centre availability, you can hook up to cloud services. We are one of the few companies that can look after our customers even when they are under an attack. We will not say, solve your problem first and then call us. Because of the technology we have, we can apply that on an ongoing attack, which is an issue for many other vendors.

So how would you stop a DDoS attack? You don’t deploy anything on premise, do you?

No, we don’t. It is just a matter of moving traffic between our SOCs and our alliance partner networks. We just divert traffic based on BGP, DNS, and we combine different technologies and different architecture. The nice thing about DDoS attacks is that you know where all the attacks go, though you don’t know where they are coming from. If you are able to combine BGP, DNS and distributed connection, you can stop these attacks from reaching their target.

Do you have any customers in this region?

We are doing some pilot projects in the region now. Once we finish building our SOC, we are going to hire some local talent. In every country we operate, there is a lot of cybersecurity talent but the problem is how you develop it.

You do a lot of training and certification as well?

Yes we do, and we like it. We train our customers not only on our technologies, but also for many other technologies. We are vendor agnostic. So if you have Fortinet, or Palo Alto Networks, we don’t care; what is important is that the customer has the confidence in you as a managed security service provider that you are able to operate whatever they have or may need. The problem is that companies have to invest a lot in resources of their own to try to understand the complex world of cybersecurity. In most of the cases, the investment they make is on hardware, which leaves them with no money for anything else. What we are trying to create is the awareness that companies like us are a reality and necessity in today’s world. We are the experts in our field, and we will do security as a service, and we will provide you with KPIs and SLAs.

What is your go-to-market strategy?

We operate in the market with local partners, mainly telcos and ISPs or big integrators. We typically look for big SIs because our target is mainly medium to large enterprises. We are now partnering with local companies in the region – we have already signed up one in Saudi and another in Dubai. We are also talking to a couple of telcos and ISPs in GCC.

When do you plan to build a SOC here?

We are looking at June or July.


INTERVIEW

BRIDGING THE GAP

Citrix CSO Stan Black on how to deal with security across multiple generations of employees.

Citrix’s CSO Stan Black has been in the cybersecurity field for 20 years. He has seen generations of employees come and go at the software and data security company. There are three generations working side by side at Citrix – and a fourth on the way. Citrix has 9,500 employees with 51 percent being millennials. With each generation comes a new security challenge that employers need to overcome so that eventually enterprise security is second nature by the time future generations are in the workforce. Black talks about how these challenges can be lessened in future generations.

What is the biggest security issue you see of new employees?

One of the biggest challenges new employees face is security integration with new policies and procedures. Security varies by organisation – policies, devices, access permissions, etc. The challenge is educating each new employee at the ground level about their role in security and keeping business and their personal information safe and secure. The key is to impart the security business challenges and goals, the employee’s role keeping information locked down, and expectations around access.

How has security evolved with the different generations of employees?

Security has always been a part of technology. It’s just now getting its day in the sun. Up to the early 2000s there was a clear division of work and personal life. Employees had a 9-to-5 schedule, but that’s not the norm anymore. Now that personal and professional lives are blending and employees use multiple devices from various locations throughout the day to access work and personal information, we as security professionals have to focus on securing all that data on every device. It’s really no longer about locking down a specific device, it’s about locking down the applications and data that devices can access so information is secure on every device, everywhere.

What security characteristics can you connect to each generation?

The challenge is that each generation has had a different experience or holds a different mindset with security. We recently commissioned a study with the Ponemon Institute which found that: 55 percent of security and business respondents said that Millennials, born 1981 to 1997, pose the greatest risk of any age group of circumventing IT security policies and use of unapproved apps in the workplace. Thirty-three percent said Baby Boomers, born 1946 to 1964, are most susceptible to phishing and social engineering scams. 30 percent said Gen Xers, born 1965 to 1980, were most likely to exhibit carelessness in following the organisation’s security policies.

We need to take each of these vulnerabilities into account and provide education at each level. There isn’t a single explanation for why Millennials are more likely than other age groups to use unsanctioned technology in the workplace, and it’s important for organisations to recognise that this threat still comes from all generations. Different generations of employees hold different mindsets about security, but it’s important to keep in mind that any employee could fall victim to any type of security incident, regardless of age. For instance, attackers are not targeting a specific demographic when they are looking to steal information; they’re looking to get the most out of their attacks for the least amount of effort.

Creating a security programme that educates about the various risks, especially those that take advantage of users, is essential to helping all employees understand what may pose a threat. While incidents that may be out of a user’s control, such as having a device stolen, may appear to be a quick fix, if there’s any sensitive corporate data stored on that device, the event becomes a much bigger issue for the security team. Millennials, as with any generation of workers, may not know when they’re putting the organization at risk, so education must be the foundation.

How do you balance security awareness training for a diverse workforce made up of those who may be starting in their first professional role and those who may be 20 years into their careers?

While it may seem that there’s a world of differences between employees that are new in their careers and those with decades of experience, in terms of security, work experience is not a reliable measure of one’s security smarts. Security programmes differ from organisation to organisation so allocating resources to educating all employees on your organisation’s policies is a crucial first step. Additionally, organisations need to focus on the basics and deliver repeatable, consistent content and guidance. How many people, Boomers or not, fail to perform a basic test of verifying a sender’s email address in a potential phishing attack? Or mouse-over the links in a message to see that “button” doesn’t go to any domain that could possibly be associated with the vendor supposedly sending the email? These are just a couple of the basics, and if everyone practiced the basics we could significantly reduce, if not eliminate, the efficiency of phishing attacks.

Can you put a timeline on a security education programme? How do you determine what policies and programs need to be shared within the first few weeks of hire and what can wait until the employee is more settled?

The vast majority, if not all, security education should be delivered in the first 90 days of employment, and some (like incident response training for relevant staff) should be delivered prior to normal schedules and duties ‘kicking in.’ That said, security education should be a continuous process so employees are aware of the evolving trends in the attack landscape and can be on alert for anything that looks out of the norm in their work environment. Additionally, with any organisational restructure, such as expanding a BYOD programme, employees should be versed on how this impacts security.



OPINION

DIGITAL RESILIENCE: A BETTER WAY TO CYBER SECURITY

By Ray Rothrock, Chairman and CEO, RedSeal


Who says prevention is better than cure? Since the advent of networks and hacking, prevention, coupled with detection, has been the primary cyber strategy to counter cyberattacks. But, with the exponential increase in the pace and complexity of digital connections, and sophistication of the attackers, this approach is falling short as the recent Shamoon attacks in KSA so clearly demonstrated. Clearly, we need more and better prevention. But, here’s the cold, hard truth: It’s not a question of if your organisation will suffer a security breach but when – no matter how good your prevention is. Cyber-attacks are now so advanced that, should a hacker’s attention turn to your company, the attack will almost certainly succeed in getting inside your network. Your mission should be to shut the attacker down – and fast. You must be able to keep operating and stay productive even while fending off a cyber-attack or fixing a vulnerability.

A new cyber operating strategy is needed. This new strategy is called resilience, and more specifically – digital resilience. Digital resilience, coupled with world-class prevention, is your best defence. An attack doesn’t have to equal disaster. To minimise harm and loss, your organisation must be able to operate through impairment and rebound quickly. I’ll say it again: Your organisation must have resilience as part of your cyber strategy. To make this happen, you must be able to accurately measure and manage your organisation’s digital resilience. This is now a crucial line in any effective cyber defense strategy. How do you measure it? You start with knowing your network and providing understandable metrics to the executive leadership.

Network liabilities: People, places, things

Networks evolve. They were built over decades by different people to achieve different goals. And, they are continuing to be built, even faster than ever. But people move on, they change jobs, and this means most companies do not possess a complete and accurate blueprint of their network. Even if those people are still around, the reasons behind a particular design ten years ago may no longer apply, yet that design is likely still to be in the network. Rarely is there complete or accurate documentation that shows the true blueprint, design and infrastructure of a network. The result is that these networks are very often fragile, fraught with design flaws, and while they were built with the best intentions by good people, they frequently contain devices with unpatched software, weak or default passwords or misconfigurations. The first step in addressing digital resilience is for every organisation to truly understand its network – in its entirety – starting with finding all the undocumented assets and understanding how it all works as a system. It is ‘The Unknown’ that keeps the CISO up at night.

Leadership liability: Lack of visibility

We have to get smarter. We can be smarter. We have to realise that cybersecurity is not a tactical aspect of business – it is a critical strategic function that starts at the top of the business. And as such, it must be understood at the board level. Yes, C-suite and board members may not be equipped to understand all the technicalities of cybersecurity. That’s not their job. But they should at least be able to understand a measurement of their organisation’s digital resilience and understand what the measurement tells them. If done properly, it will tell them how and where to invest, how to make decisions through an impediment, how to make decisions about which assets to protect first, how to respond, how to recover and how to reduce the impact of loss. Measurement also provides a means to discuss cyber investments. A simple question like “if I spend $X, what might be my expected benefit in terms of resilience or security capability?” Measuring this capability provides the board with a starting point to have this important conversation in an informed, intelligent manner.

Right now, the kind of overview data available to most executives looks something like the following. The IT department reports that it received 1,000 IDS alerts in the preceding 24-hour period. Maybe it pushed out 200 antivirus signatures in the same period. Or perhaps it implemented 50 device patches across the enterprise with 5000 devices in the past week. But such a report does not say if the network is at more or less risk based on these activities, or if it is better after their work compared to before. It does not indicate overall risk. In reality, the only knowledge you can draw from such a report is how busy the security team is. That’s a useful number for staffing and budgeting but it provides zero insight to the network’s resilience in the face of an attack.

The benefits of preparing for a cyberattack extend well beyond the company walls. Digital transformation, in the modern world, has made sure that virtually all companies these days are connected. And, given this connectivity, attention must be paid to the fact that a cyber-attack can initiate from a company’s own supply chain. Once organisations understand the value of being able to measure and manage their digital resilience, they can demand the same level of insight and accountability from their supply chain – containing their partners, their customers and their suppliers. Ideally, this connected resilience will soon form a new line of cyber defense.

The Dutch Renaissance scholar Erasmus of Rotterdam coined the adage ‘prevention is better than cure’ back in the 16th century. But the only network Erasmus dealt with was the network of roads and canals around his city. In the modern cyber world, his slogan doesn’t hold water. But we’re not here to diss on Erasmus. In fact, we embrace another of his famous adages: “Give light and the darkness will disappear of itself.” In today’s cyber world, this light is in the form of knowing the network and operating with a strategy of digital resilience.



OPINION

9 QUESTIONS TO ASK WHEN SELECTING APP SECURITY SOLUTIONS

Open source security vendor Black Duck Software identifies key questions to ask in determining the right mix of application tools and capabilities for your organisation.



There are many factors to consider when making an application security purchasing decision, and the pressure is on organisations now more than ever to improve their security risk management preparedness. In fact, more than 80 percent of security attacks target software applications, with application vulnerabilities as the No.1 cyberattack target. Organisations need a comprehensive application security toolkit to stay secure throughout the product lifecycle, and need to address key questions that can help them determine the right tools to address security risks. The following questions should help you make smart and sound decisions in selecting an application security solution:

What types of applications do you develop (e.g., web, mobile, installed, IoT, etc.)?
Mobile and IoT apps often require specialised (for example, smartphone pen testing) tools, while standard Dynamic Analysis Security Testing (DAST) tools can be used to test most installed and web-based applications.

What types of networks will your applications connect to (e.g., Internet, LAN, wireless, etc.)?
The application security testing tools you select must allow emulation of the attack types that your applications are likely to face. For example, wireless applications require protected access to the intranet or Internet, which ultimately affects routers, firewall rules and VPN policies. If most of your business applications run purely on wireless, it’s wise to consider these factors before making a purchasing decision.

Do you have access to all the source code in your applications?
The use of vulnerable third-party components and code in newer applications has become a major security issue over the years. If your organisation uses a large number of third-party components in your applications, be sure your application security tools can analyse those components effectively. By ensuring all third-party code is vetted and kept up to date, the code will be more dependable and easily managed.

What programming languages do you use?
These days, it’s almost impossible to function well in the software world with just one programming language. Although any programming language can do any job, it’s important to gear your focus on the right languages for your organisation. Knowing what languages are important to you will help you verify that the application security tools you are considering support those languages. The right tools will ultimately let you be able to solve problems faster and more efficiently.

How much open source do you use in your applications?
If open source comprises a significant percentage of your code, an open source vulnerability management solution is a must. A company’s plan for managing open source vulnerabilities determines the integrity of the applications it produces and the efficiency with which it does so. By using an open source vulnerability management solution to automate the process for open source security vulnerability testing and management, you will find a better experience for you and your team, such as rapid identification of vulnerabilities within the code base as they are disclosed.

How will you track or test for new vulnerabilities after your applications ship?
It’s important to have tools to monitor and manage vulnerabilities in every version of your applications for as long as they remain in use. Without this, you run the risk of having an incomplete open source management strategy. Identifying a reliable application security toolkit will safeguard your sensitive information and prevent vulnerabilities from being exposed.

What is your application development model?
Make sure your application security tools are compatible with the development methodology and tools you use. Organisations benefit from tools and applications that are secure by design, but ensuring that they are compatible with development software is further safety assurance in the case of costly and disruptive events.

Who will use your application security tools?
The tools you select should provide the right balance of sophistication and ease of use your team needs. An automated process with the right toolkit will help development teams experience fewer interruptions during the SDLC consequent to late-term discovery, helping businesses operate more efficiently.

What is your application security budget?
It’s important to direct your application security budget where it will have the greatest impact. If open source is a significant portion of your code, and the chances are good that it is, make sure you allocate your spending to include an open source vulnerability management solution.



OPINION

WHEN PHYSICAL SECURITY MEETS CYBER SECURITY

By Ola Lennartsson, global product manager, System Management, Axis Communications

So, we all know that cybersecurity is important. It’s mentioned in the national news on almost a daily basis, whether it be about the government vulnerabilities, cyberterrorism, or major retailers letting criminals steal millions of customers’ credit card details. But, like securing physical spaces, it’s one of those things that only becomes newsworthy when it fails.

For a long time, physical security was strictly analogue, and its only connection to the IT network was at its end point. And therefore, those responsible for physical security didn’t need to concern themselves with worrying about network security, while at the same time, the IT department didn’t need to be concerned with any undue exposure from cameras, etc. Sure, hacks have always occurred even in analogue systems (the prototypical breach through a baby monitor or garage door opener being well known examples). But now that IP-based security systems are becoming the norm, with all the associated benefits, both sides need to be aware that the game has changed. The challenge, as we see it, is that the physical security team and the



IT team have, on the face of it, very different outlooks and priorities, and often don’t really understand each other. Physical security is from Mars and the IT department is from Venus! Often it can simply be a language/jargon barrier, where neither side truly ‘gets’ what the other one is talking about. But in many cases, it can also be more akin to a border dispute where the physical security team don’t consider cybersecurity to be part of their job, and the IT department may not even be aware of the potential vulnerabilities from a variety of devices that appear to have no obvious users or owners. One phrase stuck in my head after a recent conversation about cybersecurity with a customer: “We are not the Pentagon.” Basically, “we are glad Axis is thinking about this stuff, and it’s interesting, but we are pretty relaxed about it right now.” And if they haven’t been attacked (or at least don’t know if they have been attacked), then that response is often followed by “Cybersecurity is something that the IT department is worried about – I just have to make sure this building is secure.” At the same time, when I have talked to the IT department, they have sometimes been unaware of the potential exposure of unsecured IP cameras. So, how do we, as an industry, get the physical security manager to take IT security seriously? And conversely how do we enable the IT security team to talk to their physical security colleagues in a language that they understand? Actually, it’s not that complicated. The best way is to use the terminology that they are both familiar with: However, not all organisations and businesses are the same, and some already have good communication between these two departments, and a good awareness of the threats they need to tackle together. What I have seen is that organisations tend to fit into one of three broad categories depending on their understanding of the threat they face. 
At the top are those whose brand, business or credibility is based around trust and security – for example banks. By and large, they place security very high up their list of priorities, be it physical or computer-related, and it is


ingrained within their corporate culture. They are often cautious about embracing new technologies until they can be sure that their security won’t be compromised. This is especially true of new devices being connected to their network, such as cameras, access control points, etc. So, their IT departments are highly unlikely to allow any new IP-based equipment to be connected without ensuring they have been properly sourced, tested and set-up. Next there are those who are aware that they may be vulnerable to cyber-attacks, but may not have the specific expertise in-house to properly analyse their risks, nor how to mitigate them. However, they are at least willing to get advice, even if it’s not a critical priority for them. These companies probably are the most at risk – with enough complexity in their networks to make management a full-time job, but possibly without sufficient resources to properly police every device that gets connected. Lastly, there are those, usually smaller businesses, who have very little understanding of cybersecurity at all, and even less idea that devices such as cameras need to be properly secured before being connected to a network. They rarely have a full-time IT manager, let alone a person with sole responsibility for physical security. For these businesses, a very simple, automated set-up is ideal, with all security being taken care of out of the box. In the end, though, both the IT and physical security departments need to care about the problem enough to want to engage with each other, and not just pass the buck back and forth until an attack actually happens. So, how to do that? Unfortunately, the

case has already been made for us, on several recent occasions. It was only a few months ago, that the Mirai BotNet attack demonstrated how vulnerable IoT devices can be, how ubiquitous they are, and how these two facts make for a highly attractive opportunity for hackers. It was followed by the largest DDoS attack in history, going after Dyn.com, one of the key parts of the US internet backbone, upon which services such as Netflix, Spotify and Amazon rely. Now, some may say that not being able to watch the latest episode of ‘Orange is the New Black’ may not be a huge threat to Western civilisation, but this just goes to show the potential of what can be done with physical security devices that haven’t been properly hardened against cyberattack.

The majority of the devices that were infected had easy-to-guess default passwords that had never been changed, or even worse, could NOT be changed at all. Or there were the devices that had ‘backdoors’ built into them to make it easier for the manufacturer to debug them during development, and were never closed again before production. In December 2016, 80+ cameras from a major manufacturer were found to have backdoor accounts. A month later, it was reported in the Washington Post that for three days the Washington DC Police were unable to record video from their security cameras due to 70 percent of their storage devices being hacked.

So, we know that this won’t be the last time. The Internet of Things is currently an easy target, and even more so because there are very few human beings in the loop, so there is almost no-one to notice when an attack has occurred until too late.



OPINION

HOW SECURE IS YOUR CAR CLEANING FIRM?

By Alastair Paterson, CEO and co-founder, Digital Shadows

In today’s connected world securing your own network is simply not enough. Today your digital risk extends not only to your own servers, PCs and other devices in your offices and other locations; it also extends to your mobile workers and other staff working from home, customer sites and other remote locations. But the third, and often ignored, area of digital risk is your supply chain; companies that have access to your employee and customer information.

The risk was underlined again last month with two stories I saw – first a well-known Denver-based car wash confirmed many of its point of sale terminals had been compromised, revealing customers’ personal details. Then in the UK, a parking app confirmed its network had been compromised, exposing more customers’ details, bank and credit card numbers. Taken in isolation these incidents appear to be ‘just another case of data breaches’ but in reality, they should be a worry for all security teams across governments and companies around the UK and further afield. The trouble is we


know that people are lazy and often use the same email addresses and passwords across multiple sites. Research last year suggested that many people think nothing of using their company email address and the same passwords they have in the office when accessing a wide range of services and online sites. So, what happens when cybercriminals get hold of their details and passwords via a car parking app or a cleaning service? Criminal organisations running online scams and hacks know that a large percentage of people using car services will be corporate employees, and that a good way to circumvent the millions of dollars a year spent on cybersecurity is to target the suppliers and companies we use outside of work. Some time ago I heard about a car chauffeuring business which was similarly targeted and compromised. The actors used executives’ personal details to target them via phishing and other targeted attacks.

The trouble is that in this connected world we all have a large digital footprint, a shadow of our activities and interactions across the web. While this footprint can be advantageous,

information can be inadvertently exposed and thereby used maliciously. Besides damaging your brand, a digital shadow can leave you vulnerable to corporate espionage and competitive intelligence, as well as create targets for cyber-attackers. So, we cannot wash our hands when we have built the best possible defences for our own businesses and networks. Today, the network is vast and continually growing.

We are not the only people to leave behind traces online, the adversary also casts a shadow like that of private and public corporations. We can use that information to understand attacker patterns, motives, attempted threat vectors, and activities on the dark web, to better assess and design your security postures. By ensuring we have the necessary visibility to manage our own digital risk and ensure we have warning and knowledge of any threats which might come via this extended connected network of suppliers, employees and other third parties, we can hope to become more secure and enjoy the huge benefits the digital world brings us.




PRODUCTS

Brand: HP
Product: A3 MFPs

HP Inc has announced its new A3 multifunction printer (MFPs) lineup in the UAE. The company stated that the new A3 portfolio transforms the copier experience for customers and service professionals by offering advanced security features unmatched in the marketplace, affordable colour via HP’s PageWide printing technology, and longer device uptime via HP’s Smart Device Services technology. HP’s portfolio of A3 MFPs, which includes three PageWide platforms and thirteen LaserJet platforms, benefits from the new, cloud-based proprietary service optimisation platform, HP Smart Device Services (SDS). SDS delivers maximum device uptime by integrating advanced diagnostics, device specific troubleshooting and remote remediation capabilities into the industry-leading MPS tool sets resellers use today.

What you should know: The single and multifunction devices have print speeds ranging from 35 ppm to 60 ppm (up to 80 ppm in General Office mode). PageWide technology is also more sustainable – consuming up to one-seventh the energy of competing color laser machines in the same class while producing significantly less packaging waste associated with supplies and long life consumables.

Brand: AXIS
Product: FA series

AXIS has announced several new and improved products in its FA Series. This series consists of the AXIS FA54 main unit, AXIS FA1105 sensor unit with a standard lens, AXIS FA1125 sensor unit with a pinhole lens and AXIS FA4115 dome sensor unit with a varifocal lens. The new devices enable ‘cost-effective and highly discreet’ indoor surveillance of four closely situated areas using just one camera system, according to AXIS. The FA54 Main Unit can stream at full frame rate HDTV 1080p videos from four connected sensor units simultaneously using one single IP address.

What you should know: The devices capture video with Forensic WDR (wide dynamic range) that is optimised for low light and motion. AXIS FA54 also has the capacity to support advanced video analytics, and has an HDMI output for connection to a surveillance or public view monitor (PVM), making the system ideal for retail applications. The sensor units are small enough to be built into surfaces, structures or devices, and can be installed at eye level such as at building entrances without drawing attention. The sensor units come with an 8-m (26 ft.) cable for connection to an AXIS FA54. An optional 15-m (49 ft.) cable can also be used.

Brand: Genetec
Product: Security Center 5.6

Genetec has announced the general availability of its unified security platform Security Center 5.6. Key enhancements to the platform include additional cybersecurity measures, a new HTML5-based web client, integration of SimonsVoss electronic locks and the Mercury Security MS Bridge, and the ability to enroll license plates as access control credentials with the AutoVu SharpV camera. The Security Center Web Client has been redesigned with HTML5 to offer users a more fluid and modern web experience, according to Genetec. The Web Client ensures Security Center is accessible from any device or browser. With the Plan Manager, operators can now also monitor the live status of intrusion areas. Embedded support for ESRI ArcGIS software also adds layers of visual data so organisations benefit from greater context and insights of their surroundings.

What you should know: Expanding its ecosystem of access control hardware partners, Genetec has also integrated the SimonsVoss family of digital locks. It also features AutoVu, the automatic license plate recognition (ALPR) system in Security Center, which lets end-users extend their security coverage beyond the physical building and to their parking lots, parking decks and property perimeters.




BLOG

WHITE HATS

Alex Bennett, technical writer, Firebrand Training, explains why ethical hackers hold the top job in 2017.

The number of data breaches in the Middle East increased by 17-21 percent in 2016, according to data revealed in Gemalto’s Breach report. A lack of cyber skills is responsible for this dramatic increase in attacks. Plus, more disasters for Middle Eastern businesses are likely as the number of complex and well-funded cyber-attacks rises. To prevent these crippling cyber-attacks, organisations must scramble to boost their cybersecurity. But no security investment is effective without knowledge of the techniques and tools used by hackers. In response to this, organisations are increasingly turning to ethical hackers to identify unseen weaknesses and reduce the risk of catastrophic data breaches. Also known as penetration testers, these professionals are now highly sought after by organisations and the role is increasingly attractive to IT professionals. Here’s why ethical hackers hold the top job in 2017.

Businesses demand ethical hacking skills

Security experts are warning of the threat posed by increasingly rampant cybercrime and businesses cannot afford to ignore them. The global cost of hacking is set to increase and is predicted to reach $6 trillion annually by 2021. It only takes one hacker to discover security flaws and compromise your business. And because security vulnerabilities can exist indefinitely without detection, cybercriminals can use these to secretly conduct privilege escalation attacks or intercept sensitive data.


Organisations rarely realise they’re vulnerable to catastrophic data breaches, which now cost an average of $4 million. That’s why they hire ethical hackers to probe their networks, applications and systems. By using the same tools and techniques as malicious cybercriminals, ethical hackers are able to conduct ‘real life’ attacks against businesses. But unlike ‘black hat’ hackers, these penetration tests do not harm the business. Instead, they provide the insight needed to fix flaws before they can be exploited. Through harmless penetration tests, these security experts can identify the potential weaknesses that are often invisible to internal IT teams. Ethical hacking is required in every organisation and penetration testing is not a luxury for global corporations. SMEs demand these skills too: 43 percent of cyber-attacks target small businesses, revealed Symantec’s 2016 Internet Security Threat Report. The damage caused by weak cybersecurity is greater than ever. Clearly, there’s no shortage of work for professionals with ethical hacking skills.

Great career prospects

The cybersecurity skills shortage is massive and the deficit is now estimated at 1.5 million professionals, according to global security non-profit, (ISC)2. Cybersecurity has reached the top of the C-suite agenda, resulting in a surging demand for IT security professionals, like ethical hackers and penetration testers. Because of the huge risks accompanying a security vulnerability

passing undetected, security expertise provided by ethical hackers is massively valued by organisations Organisations are increasingly crowdsourcing ethical hacking knowledge by providing rewards, or ‘bug bounties’, to ethical hackers that safely identify security holes in websites or applications. At the beginning of 2017, Facebook paid its largest bounty ever to Andrew Leonov, after he identified a remote code execution flaw in ImageMagick, a popular opensource software tool used by Facebook. After notifying Facebook, Leonov received $50,000 through the social media giant’s bug bounty programme, which has already paid out $5 million to responsible security professionals. The increased demand for cyber roles, like ethical hacking, is also reflected in rising salaries, with the average security salary increasing by 4.99 percent in Q4 2016. Ethical hacking salaries are healthy too and the average salary for an ethical hacker is $99,000, according to data from PayScale The days of hiring dark web-lurking hackers are over. There’s now a growing pool of qualified security professionals to choose from and a number of ethical hacking certifications available to provide an industry-standard benchmark for skills. When hiring an ethical hacker organisations should look out for industry-standard certifications, like GIAC’s GPEN, EC Council’s Certified Ethical Hacker (CEH) or CREST’s App Sec Hacker. The top job of 2017 Without investment in security training, technology and skills, Middle Eastern businesses could be at real risk of catastrophic breaches. To prevent these crippling cyber-attacks, businesses need ethical hackers to test and secure their defences. With increasing salaries, great job prospects and plenty of work to do securing businesses across the Middle East, 2017 is the year of the ethical hacker. www.tahawultech.com




