Security Advisor Middle East | Issue 20


ISSUE 20 | SEPTEMBER 2017 www.tahawultech.com

THE GATEKEEPERS SECURITY ADVISOR ME RECOGNISES EXCELLENCE IN DELIVERING BUSINESS VALUE THROUGH SECURITY TECHNOLOGIES

Hacktivism

Fighting DDoS

Encryption for compliance



CONTENTS

FOUNDER, CPI MEDIA GROUP: Dominic De Sousa (1959-2015)

PUBLISHING DIRECTOR: Natasha Pendleton, natasha.pendleton@cpimediagroup.com, +971 4 440 9139

EDITORIAL
Group Editor: Jeevan Thankappan, jeevan.thankappan@cpimediagroup.com, +971 4 440 9129
Online Editor: Adelle Geronimo, adelle.geronimo@cpimediagroup.com, +971 4 440 9135
Contributing Editors: James Dartnell, james.dartnell@cpimediagroup.com, +971 4 440 9153; Janees Reghelini, janees.reghelini@cpimediagroup.com, +971 4 440 9167; Glesni Holland, glesni.holland@cpimediagroup.com, +971 4 440 9134

DESIGN
Senior Designer: Analou Balbero, analou.balbero@cpimediagroup.com, +971 4 440 9140
Designer: Neha Kalvani, neha.kalvani@cpimediagroup.com, +971 4 440 9156

ADVERTISING
Group Sales Director: Kausar Syed, kausar.syed@cpimediagroup.com, +971 4 440 9130
Sales Manager: Merle Carrasco, merle.carrasco@cpimediagroup.com, +971 4 440 9147

CIRCULATION
Circulation Manager: Rajeesh M, rajeesh.nair@cpimediagroup.com, +971 4 440 9119

PRODUCTION
Production Manager: James P Tharian, james.tharian@cpimediagroup.com, +971 4 440 9159

SECURITY CHAMPIONS

Winners of the Security Advisor Middle East Awards 2017

Operations Manager Shweta Santosh shweta.santosh@cpimediagroup.com +971 4 440 9107 DIGITAL SERVICES Web Developer Jefferson de Joya Abbas Madh Photographer Charls Thomas Maksym Poriechkin webmaster@cpimediagroup.com +971 4 440 9100 Published by

Registered at Dubai Production City, DCCA PO Box 13700 Dubai, UAE Tel: +971 4 440 9100 Fax: +971 4 447 2409 Printed by Printwell Printing Press Regional partner of

© Copyright 2017 CPI. All rights reserved. While the publishers have made every effort to ensure the accuracy of all information in this magazine, they will not be held responsible for any errors therein.

HACKTIVISM: THE GOOD, BAD AND UGLY

As with any technology, hacktivism can be used for good or bad.

FIGHTING DDOS ATTACKS

How can enterprises protect themselves against these persistent attacks?

VANTAGE POINT

We bring you the highlights of Security Advisor ME’s inaugural CSO Perspectives conference.

ENCRYPTION IS KEY

Gemalto’s Sebastian Pavie on why data encryption is critical for security compliance

MOBILE MATTERS

10 things to consider when choosing an MDM solution.

EMPLOYING AN EXTERNAL SOC

Outsourcing security monitoring for enhanced productivity.


NEWS

PALO ALTO NETWORKS SIGNS DATA EXCHANGE DEAL WITH INTERPOL

Palo Alto Networks has announced its collaboration with the Interpol Global Complex for Innovation (IGCI). According to the firm, it is the first cybersecurity company to sign a Data Exchange Agreement (DEA) with Interpol. This agreement aims to combat criminal trends in cyberspace, cyberthreats and cybercrime globally through sharing threat information generated by Palo Alto Networks and Unit 42, its threat intelligence team. Palo Alto Networks will be involved in the operational briefings at Interpol and vice versa. A threat intelligence expert from Unit 42 will be assigned to collaborate with the IGCI, helping provide a clearer understanding of the current landscape, which can equip law enforcement officers with powerful information needed to prevent successful cyber-attacks. However, the two organisations highlighted that while the agreement formalises the cooperation between Palo Alto Networks and Interpol, both parties have long been in collaboration. “Cybercrime represents a significant amount of risk for businesses and organisations today. This collaboration marks a mutual commitment to information sharing, which is necessary in preventing successful cyber-attacks. Together with Interpol, we can continue to raise awareness and educate business leaders and reduce the collective cybersecurity risk over time,” said Sean Duca, vice president and regional chief security officer for Asia Pacific, Palo Alto Networks.

TRA UPGRADES FEDNET SECURITY SYSTEMS

The Telecommunications Regulatory Authority has announced the completion of its Federal Network (FEDNet) security systems upgrade in a step aimed at protecting more than 35 federal entities against ‘advanced persistent threats’ in their various forms, whether through e-mail or Internet browsing. According to the TRA, the step comes in line with its efforts to enhance protection against cyber-breaches, as well as protecting the digital environment of smart transformation in the UAE. Hamad Obaid Al Mansoori, TRA Director-General, said, “Cyber risks and threats are persistently finding ways to reach their goals. Therefore, the provision of electronic security and protection needs to keep pace with these risks by using the latest cyber protection technologies.” According to Al Mansoori, a new generation of advanced cyber-attacks has arisen in recent years. “The TRA monitors these risks, and protects against them through advanced procedures, including the provision of protection to the federal government entities involved in the FEDNet, without loading them with any additional financial or administrative burdens,” he added. The FEDNet serves as a common infrastructure for federal entities. It allows interconnection and data exchange between all local and federal government entities. Under these security modifications, the upgraded security system will verify the pattern of any e-content, whether email or website, and assess if the pattern is acting suspiciously in dealing with data or communicating with suspicious external websites. This method is effective in protecting against zero-day attacks.

UAE NEEDS TO DEVELOP ‘CYBER-SMART BUILDINGS’: REPORT

A report titled ‘Cyber-smart Buildings’ has claimed that the UAE smart building industry needs to develop a cohesive ecosystem to safeguard against potential cyber risks. As smart cities become a reality in the GCC, smart buildings are becoming increasingly prevalent because of the optimised efficiency and convenience they offer, for both operators and tenants. However, according to these latest findings, wider adoption of smart building technology should stimulate corporations and governments to ensure that they are adequately prepared for potential cyber risks. “There is tremendous business value in embracing building automation, including their cost savings, energy efficiency and the security and convenience they offer to their dwellers,” said Dr. Adham Sleiman, vice president, Booz Allen Hamilton. “As such, it is of paramount importance to protect smart building investments for all stakeholders involved from developers to end-users. To achieve this, cross-functional cooperation between internal and external stakeholders is a must, including IT, cybersecurity and facility teams, external business partners and vendors. This will ensure that the truly transformative benefits of automation and connectivity can be protected so that smart buildings can achieve their full potential.”

BITCOIN RALLIES 300% IN 2017 TO BREAK $4,000 MARK

Cryptocurrency Bitcoin soared above the $4,000 mark recently after the digital currency hit $4,009.89, and subsequently reached a record high of $4,225.40, according to CoinDesk. Bitcoin is currently trading at $4,118.61, giving it a market capitalisation of $67.98 billion. The currency’s 43 percent surge comes after Bitcoin split in two, following a growing tension between the demand for the virtual currency. The break-away, known as Bitcoin Cash, staged its trading debut at the start of the month. Demand for Bitcoin has taken off among start-up companies, which have raised money via “initial coin offerings” by selling digital tokens or coins – such as ether or bitcoin – that allow investors to use the software or service provided by the start-up. “Up until now a lot of people didn’t really believe Bitcoin could go any higher until the scaling issue is resolved,” said Arthur Hayes, Hong Kong-based founder of bitcoin exchange BitMEX, according to Bloomberg. “With this actually being implemented on protocol, theoretically the amount of transactions that can be processed at a reasonable speed is going to be much higher, so a lot of people are very bullish about Bitcoin now.” Bitcoin has been on an incredible rally this year, up over 300 percent since the start of 2017. The digital currency only passed $3,500 for the first time earlier this month.

CAREEM LAUNCHES CALL MASKING FEATURE TO ENHANCE USER PRIVACY

Dubai-based ride-hailing service Careem has launched a new call masking feature to protect the privacy of its customers. With the call masking feature in place, the Captain will only receive an encrypted number instead of the user’s real phone number, ensuring the customer’s personal data remains completely safe and unexposed. The service is already live in the UAE, and will be introduced in other regional markets, including Saudi Arabia and Pakistan, within the coming 30 days. The feature gives Careem’s customers the option to keep their phone numbers undisclosed to the Captain (driver), adding another layer to customer privacy and security. “Ensuring the safety and security of our customers in all of the markets where we operate is our number one priority at Careem,” said Mudassir Sheikha, CEO and co-founder, Careem. “Introducing technology that simplifies their lives without compromising their privacy will remain among our key focus areas as we continue to work our way towards strengthening Careem’s position as the answer to the region’s most pressing travel-associated challenges.” In Saudi Arabia, where Careem operates in more than 50 cities, the company has established a women-only call centre in the Kingdom, contributing to job creation and providing opportunities for the Saudi female workforce.

SAUDI NCSC RECEIVES GLOBAL CYBERSECURITY CERTIFICATION

Saudi Arabia’s National Cyber Security Center (NCSC) has received an internationally recognised cybersecurity certification from safety science organisation UL (Underwriters Laboratories). The NCSC has a deep understanding of regional and international cybersecurity issues and required that its Community of Trust network infrastructure security software meet the rigorous standards of UL’s Cybersecurity Assurance Program (UL CAP). The certification, according to the firm, was the first to be awarded in the Middle East region. UL CAP applies the new UL 2900 series of standards using testable cybersecurity criteria for network-connectable products and industrial control systems to assess software vulnerabilities and weaknesses, minimise exploitation, address known malware, review security controls and increase security awareness. UL, which has GCC bases in Abu Dhabi and Dubai, is now carrying out similar projects with other organisations and authorities in the MENA region. Hamid Syed, UL, vice president and GM, MENA region, said, “We carried out an exhaustive examination of the NCSC system’s potential security vulnerabilities and mitigation steps before it was awarded our certification, which signifies that the required standards have been met.”

289 cyber-attacks have been thwarted by the UAE TRA in Q1 2017. Source: UAE aeCERT


FEATURE

HACKTIVISM: THE GOOD, BAD AND UGLY

The practice of activism has extended into cyberspace. However, as with any technology, hacktivism can be used for good or bad.

Protesting and demonstrations are practices that date as far back as the early 1920s. They are the tools of people who aspire to achieve political, economic and societal changes from governments, policies or organisations that they deem unjust. However, the modern-day protest is quite different. The Internet has not only transformed the way we live and do business; for activists, it has opened a whole new platform for their political or social causes to be heard. Most people live much of their lives online, from using digital banking services to documenting their day-to-day activities on social media. Therefore, taking activism online is simply a part of this natural evolution.

‘Hacktivism’ is described as “the use of computers and computer networks to express or promote social and political ideologies.” Online platforms such as Change.org have made it easy for web activists to launch campaigns that enable people to participate at the click of a mouse. However, as with any technology, hacktivism can be used for good or bad. Hacktivists often display their disapproval of the government, a company or some sort of event, and they use hacking to do so.

“Traditional hacktivism was motivated by a political agenda, or by the thrill of making the headlines,” says Roland Daccache, senior regional sales engineer, MENA, Fidelis Cybersecurity. “Now, hacktivists are stealthier and more destructive, as they work on promoting and delivering socioeconomic causes, and as such, they are better funded, and can threaten the welfare of enterprises and nation states alike.” Daccache adds that if we are serious about combatting this threat, it is crucial that the right cyber defence frameworks are developed, adopted, and in some cases enforced.

Over the last couple of years, we have witnessed the escalation of activities conducted by the Anonymous group, the collective of hackers expressing social dissent through cyber-attacks. Often, groups like them attack systems and architectures with legal and illegal tools as a form of protest.

“Hacktivists leverage information technology as an anonymous method to spread their message,” explains Morey Haber, vice president, Technology, BeyondTrust. “This concept has evolved from posted bills, pirated radio stations, to hacking and messaging to hide their identities. Their motivation is the same as any disgruntled group that wants to spread their message of dissatisfaction and is looking for a vehicle to continue their protest with a low risk of being caught and prosecuted.”

While the Internet may be the ideal hunting ground for hacktivists, their attacks take many forms. Some take over a famous personality’s social media accounts and share views contrary to what the celebrity believes. Another common method involves penetrating a website and taking it over.

“I believe we’re witnessing a recognition within organisations that hacktivism is distinct from other forms of cybercrimes, with the motivations and outcomes of such attacks still being fully contextualised,” says Eddie Schwartz, executive vice president, Cyber Services, DarkMatter. “National security-grade tools and capabilities are now being accessed by civilian threat actors, growing their capabilities to potentially make significant impacts on organisations.”

The most common form of hacktivism uses Distributed Denial of Service (DDoS), which attempts to make a site or service unavailable to its users by sending an enormous quantity of requests in a short period. With this kind of attack being able to disrupt critical systems of organisations like big commercial corporations or government entities, could hacktivism be crossing the line into cyber warfare?

“Hacktivism motivated DDoS attacks can only inflict momentary pain,” explains Daccache. “As large organisations are already equipped with resilient infrastructures to recover quickly and bring their services back online. Today, attacks of preference are social media hacking, phishing campaigns, and data theft, as they are much more efficient and potentially harmful.” He adds that nation-sponsored DDoS attacks, on the other hand, can be a very destructive weapon in a cyber warfare arsenal. “This is because they tend to target critical infrastructure, power grids, government online services, and therefore potentially cause harm to human life, so from a cyber warfare perspective, anti-DDoS defence solutions would need to be put in place that are not only adequate but also backed by governments.”

In the Middle East, we have seen a dramatic rise in hacktivism. Up to 45 percent of all cyber attacks in the Middle East and North Africa are carried out by hacktivists, according to a report by Gulf Business Machines. According to Haber, a hacktivism attack can have particularly severe outcomes for Middle East organisations due to the stricter and conservative policies in the region. “Threat actors are leveraging legitimate businesses and their vulnerabilities in IT assets to spread hacktivism content,” he says. “The concerns for businesses in the Middle East are much more serious than in other parts of the world. For example, a hacktivism attack against the government could lead to a business owner in jail due to an errant message linked to their domain, business, or assets.”

Hacktivists have been active in the Middle East for the past five to six years, explains Daccache. “However, more recently attackers have evolved their tools and tactics, as well as their target victims. It used to be that only banking, government, oil and gas and the media were targeted. Today, every organisation with an online presence can be a target, so the old ‘bury your head in the sand’ approach is particularly risky.”


Actions of hacktivist groups like Anonymous remain at the centre of a heated public debate, with some positioning them as modern-day Robin Hoods. As the world changes to a digital format, this will be the playing field, and modern organisations should stay vigilant and resilient to the risks these activities pose.

“Enterprises today need to be aware that all attempts to illegally penetrate or compromise digital systems are concerning to organisations, and ought to be dealt with in a pro-active and determined fashion, commensurate with the actor’s threat profile,” says Schwartz. He adds, “We refer to this heightened level of active cyber defence as cyber resilience - which brings into play the adoption of a security life-cycle spanning asset identification, strategic planning, prevention, detection, response and recovery to cyber programmes on a continuous and real-time basis. Organisations need to assume a state of possible compromise and develop proactive processes and invest in detective capabilities to mitigate any incidents that may arise.”

Whether hacktivism is a “good” or “bad” thing, a “political protest” or a “crime” will remain a matter of public opinion, but one thing is certain: it’s only going to get more prevalent. “I would urge businesses, now more than ever, to practice due diligence, increase their cyber awareness, and prepare for defense, response and recovery strategies,” says Daccache.


FEATURE

FIGHTING DDOS ATTACKS

How can enterprises protect themselves against these persistent attacks?

Though distributed denial of service attacks have been around for more than two decades, recently we have seen a spate of DDoS attacks that have increased in complexity and variability. Both the size and frequency of DDoS attacks have gone up, and criminals use these sophisticated attacks to target sensitive data, not just to disrupt businesses. Some recent attacks have exceeded 1 Tbps while the average DDoS attack peaked at 14.1 Gbps in the first quarter of 2017, according to Verisign’s DDoS trends report. The largest volumetric and highest intensity DDoS attack observed by Verisign in Q1 2017 was a multi-vector attack that peaked over 120 Gbps and around 90 million packets per second (Mpps). This attack sent a flood of traffic to the targeted network in excess of 60 Gbps for more than 15 hours.

In a new report, Imperva warns about a new type of ferocious DDoS attack that uses ‘pulse waves’ to hit multiple targets. “Comprising a series of short-lived bursts occurring in clockwork-like succession, pulse wave assaults accounted for some of the most ferocious DDoS attacks we mitigated in the second quarter of 2017. In the most extreme cases, they lasted for days at a time and scaled as high as 350 gigabits per second (Gbps). We believe these represent a new attack tactic, designed to double the botnet’s output and exploit soft spots in traditional mitigation solutions,” says Robert Hamilton, director, Imperva.

“DDoS attacks are rarely complex. They are the result of a volumetric based attack which results in a platform, application or service being rendered unavailable for the user. The biggest changes we have seen through evolution over the last few years are mostly within the amount of bandwidth attackers have at their disposal. This is due to the amount of more interconnected devices we now have on the Internet. We have three main types of DDoS attack, one is a volumetric, which accounts for most DDoS attacks, secondly we have application and lastly protocol level attacks,” says Warren Mercer, security researcher at Cisco Talos.

Ransom is another growing trend in DDoS. “Ransom related attacks seem to be a trending issue as of late. Too many organisations are paying out these ransom requests, in an effort to remove themselves from the cross hairs of a DDoS attack – this behaviour likely causes an increase in ransom attack activity. Besides the financial loss that a company may experience by paying the ransom, companies must consider that they will still be subject to a DDoS attack even after the ransom has been paid,” says Stephanie Weagle, VP, Corero.

What do you do if you are a CISO dealing with a massive DDoS attack? What are your tips for CISOs dealing with massive DDoS attacks? “First thing would be to make sure the network is well prepared for such attacks. Making sure that there are protections and processes in place is critical. It’s also important to remember that the DDoS attack might not be the actual attack but just a distraction,” says Kalle Bjorn, director, systems engineering, Fortinet.

Mohammed Al Moneer, regional director, A10 Networks, says the challenge for defenders is to distinguish good and bad behaviour largely by analysing the instrumented data available from server logs and traffic behaviour reported from networking tools. In effect, threat hunting is the act of finding a needle in a haystack of logs and flow data. Unlike the stealth required for dropping malware or stealing data, DDoS is loud and does not hide in the shadows.

Alaa Hadi, regional director, Arbor Networks, says these very large attacks must be mitigated in the cloud, as close to the source as possible. “I would also caution CISOs that to have cloud protection is only a partial defence against modern DDoS attacks. They also target applications and infrastructure, like firewalls, with low and slow attacks that cannot be detected in the cloud. The place to protect against these attacks is on-premise, with a tight connection to the cloud, as a means of providing mitigation support for large attacks. Only with this multi-layer, hybrid approach is a business fully protected from DDoS attacks.”

Another alarming trend in DDoS has been the rise of DDoS attacks using IoT devices, as we have seen in the case of the Mirai botnet, which infected tens of millions of connected devices.


“IoT can have positive implications across several core industries such as manufacturing, retail, transportation, and healthcare. However, it’s important to bear in mind that a higher number of connected devices translates to more points of entry for attackers to penetrate. Criminals can leverage these end points to steal confidential information from businesses, distribute malware, or take over the capacity and network bandwidth of connected ‘things’ to carry out massive strikes. The necessary tools and best practices to mitigate such threats are well-known and available in the application security field,” says Hadi Jaafarawi, managing director, Qualys Middle East.

Bjorn from Fortinet adds that compromised IoT devices are a massive potential source of attack traffic. Securing the organisation’s own systems would prevent them from being used in attacks against others. Manufacturers should also work actively to ensure their own devices are fixed when vulnerabilities are found. Unfortunately, there are multiple IoT devices on the market that cannot even be upgraded, which means that security will rest with the network to which the devices connect.




SECURITY ACROSS GENERATIONS Generation Z: Invincible to hackers? Ages 13-22

64.4%

40.8%

32%

25.6%

of Gen Z say they have never been hacked.

of Gen Z don’t put a lot of thought into passwords they create.

of Gen Z don’t believe they are a target for hackers.

of Gen Z admit to using only 1-2 distinct passwords for all online accounts.

Despite being exposed to the Internet from a young age, Gen Z is least concerned with their online security and password hygiene.

Millennials: Most security-savvy of the bunch Ages 23-24

72.8%

72.8%

58.4%

40.4%

of Millennials believe they’re a target for hackers and, therefore, feel the need to put a lot of thought into passwords.

of Millennials use 3-5 distinct passwords across various online accounts.

Of the generations surveyed, Millennials are the most proactive with their online security and password hygiene.

of Millennials said they’re always on the lookout for new ways, programmes or devices to keep personal information secure.

of Millennials use two-factor authentication making them the biggest users of this type of password tool.


Online security is a growing global issue and no one is exempted. From baby boomers to Gen Z, users have different password and online security habits. A survey of 1,000 men and women uncovered the trends and highlighted how the generations compare.

Generation X: The worried generation Ages 35-54

88.4%

79.2%

46.8%

20.4%

of Gen X are connected with password security

of Gen X somewhat agree that they put a lot of thought into passwords they create.

of Gen X are somewhat concerned or very nervous about their personal online accounts being hacked.

of Gen X use more than 10 distinct passwords.

Although Gen X is most concerned with their online security and password hygiene, very few are taking steps to be more secure.

Baby Boomers: More tech-savvy than you thought Ages 55+

85.2%

84.4%

65.6%

32.8%

of Boomers put a lot of thought into passwords they create.

of Boomers said they have never been hacked.

of Boomers say they know how to recognise a phishing email.

of Boomers use more than 10 distinct passwords across online accounts.

Baby Boomers are the most savvy in maintaining their online security and good password hygiene. Source: LastPass


EVENT

VANTAGE POINT

Security Advisor ME hosted its inaugural CSO Perspectives conference in Dubai last month, bringing together thought leaders to discuss how information security leaders can work towards aligning current strategies with business objectives.

The business threat landscape is evolving rapidly. As businesses continue to transform themselves in the digital economy, they are met with increasing security threats across a new business and technology landscape. On 28th October at the Grand Habtoor Hotel, JBR, Security Advisor held its inaugural CSO Perspectives Conference. Gathering CISOs, IT/security managers, security strategists, and risk and compliance specialists, the conference served as a platform for addressing the latest information security challenges.

Jeevan Thankappan, Group Editor, CPI Media Group, Technology, set the scene by putting the spotlight on one of the key questions most CISOs and CSOs have in their minds: “How do you fend off breaches in such a dynamic threat landscape?”

“2017 is already set to be one of the worst years when it comes to cybersecurity,” said Thankappan. “Earlier this year we have seen cyber-attacks like WannaCry and NotPetya disrupt multiple IT systems and businesses across the world. Unfortunately, as the threat landscape grows we have to accept that we haven’t seen the last of such incidents. This calls for IT, security and business leaders to be more vigilant and proactive in defending their systems.”

Thankappan then introduced the event’s keynote speaker, Saket Modi, cybersecurity expert, ethical hacker and international speaker, and CEO and co-founder of Lucideus Tech. Modi started his presentation by demystifying people’s notion about hackers. “Hacking is simply about using a specific tool for another purpose and optimising its outcome. That applies to technology as well. As ethical hackers, we look into how threat actors might penetrate an organisation’s system and subsequently advise them how they can best manage or avoid cyber risks.”

However, he noted that it is undeniable that there are people in the IT landscape who use hacking to disrupt enterprises. “A recent study in the US highlighted that about 69 percent of people surveyed have fears about their personal accounts getting hacked.” In this light, Modi said that this means IT security is no longer a pressing concern that’s just for CSOs. “This statistic shows that people are starting to become more aware about the risks that are out there,” said Modi. “With this in mind, it is now more important than ever for technology users to have a better understanding of the different technologies and solutions that they are utilising on a regular basis. At the same time, technology players and IT security leaders should look at this as an opportunity to educate and offer new innovations that will help today’s digital natives protect their data.”

He then conducted a live hacking demo, showing the audience how easy it is for potential threat actors to penetrate a device such as a smartphone. “Whenever we install applications onto our devices we give the owner or creator of that app permissions to access several functions or data in our phone,” said Modi. “As users, we must invest time and effort to know how our device works and how we can best secure the data we put in it. More than that, we have to keep in mind that we should learn to use such devices as well as the Internet with the assumption that everything can and/or will be hacked.”

Increasing advances in technology are blurring the lines between work and play, making it more apparent that information security within today’s organisations is no longer just an IT issue. Data is often viewed as a business enabler, making the subject of securing it critical for today’s businesses. Irene Corpuz, section head, Planning and IT Security, Western Region Municipality, Abu Dhabi, highlighted in her presentation how and why it is imperative for enterprise leaders to understand that information security is a business issue. According to her, to ensure that their data is secure, enterprises should be able to make risk-aware decisions. “Information security should be a key element in any organisation’s risk management strategy and should, therefore, be aligned with business objectives,” said Corpuz.

But how can this be done? Corpuz said it is ideal for CISOs/CSOs to set in place governance, risk and compliance policies. “More importantly, they should make sure that it is embedded within every aspect of the business as it impacts multiple functions within the organisation.” She then reiterated that CISOs/CSOs should be able to communicate security concerns or plans in such a way that business leaders understand.
“At the same time, management leaders should also be involved in the planning of security or

Saket Modi, Lucideus Tech

Irene Corpuz, Western Region Municipality, Abu Dhabi

Hariprasad Chede, National Bank of Fujairah

George Eapen, GE MENAT

risk management strategies. While they may not be able to build structures or systems themselves, they need to understand the process to make appropriate and informed approvals for potential initiatives.”

As with everything, preparation is key. But what will happen if you’re already compromised? Incident management helps IT security teams identify, respond to, and mitigate these types of incidents while becoming more resilient and vigilant. “It is not a linear process,” said Hariprasad Chede, CISO, National Bank of Fujairah, in his presentation. “It’s a cycle that consists of a preparation phase, an incident detection phase and a phase of incident containment, mitigation and recovery.” However, it doesn’t stop there. According to Chede, the final phase consists of drawing lessons from the incident in order to improve the process and prepare for future incidents.

Chede highlighted that an important ingredient for a good incident management strategy is collaboration. “There should be an open line of communication between business and technical teams,” he said. “Integrity is probably the most important aspect any security team should have. This is because to effectively perform incident management practices, trust should be established among all parties concerned.” Moreover, a Plan B should always be set in place, said Chede. “A good practice is having a ‘battle box’ of basic tools should things not go as planned.”

The last speaker of the day was George Eapen, CISO, GE MENAT, who delved into ‘Implementing effective cyber security in an enterprise.’ “IT security is an issue that can impact multiple aspects of a business,” said Eapen, commenting on how security is turning into a boardroom agenda. “IT used to be a ‘backdoor’ function. But as cyber-attack incidents increase, it’s starting to catch the attention of CEOs and CFOs as it is something that can significantly affect the profitability and continuity of any organisation.”

The first inning of Security Advisor ME’s CSO Perspectives closed with a thought-provoking panel discussion featuring Safdar Zaman, head of IT Strategy and Governance, Nakheel; Ajay Rathi, CIO, Meraas Holding; Sebastian Samuel, CIO, AW Rostamani; Rinaldo R Oliveira, head of IT Risk and GRC, Commercial Bank of Dubai; and Debashish Basu Choudhuri, CISSP, director, Sales Engineering, Middle East, Splunk.


AWARDS

SECURITY CHAMPIONS

The second annual Security Advisor Middle East Awards saw prominent players in the information security industry, including private and public sector CISOs and CSOs, gather in the UAE to celebrate achievements from the regional IT security space. The awards ceremony took place on 28th August 2017 at the Habtoor Grand Hotel, Dubai and was attended by 200 industry stalwarts, and recognised 18 organisations and IT security leaders.


Security Advisor ME Awards honoured individuals, businesses and vendors that have showcased great prowess in delivering business value through the innovative use of security technologies. This year Security Advisor ME has revamped the process for the awards. Winners were chosen via online voting by the publication’s readers from a list of finalists selected by an esteemed panel of judges. Over 200 nominations were received this year, with about 10,000 online votes.

Security Advisor Middle East Awards’ judging panel included Adel Alhosani, CISO, Dubai Customs; Hariprasad Chede, CISO, National Bank of Fujairah and President, ISACA; and Javed Abbasi, founder, GISBA. We congratulate this year’s winners and applaud them for their continuous efforts and commitment to security.


PANEL OF JUDGES

Hariprasad Chede, CISO, National Bank of Fujairah
Javed Abbasi, Founder, GISBA
Adel Alhosani, CISO, Dubai Customs



END-USER CATEGORIES

Top CISO/CSO of the Year FINALISTS:

WINNER

Abdulla Badar Al Sayari, Health Authority – Abu Dhabi; Anoop Kumar, Al Nisr Publishing; Biju Hameed, Dubai Airports; Binoy Balakrishnan, AWRostamani; Faisal Al Dashti, DEWA; Furqan Hashmi, Emirates Investment Authority; George Eapen, GE; Mahbub Sherif, EGA RAK; Tushar Vartak, RAK Bank

Emad Maisari, Mubadala Development Company

Personal Contribution to IT Security
FINALISTS: Adel Al Hosani, Dubai Customs; Ashith Piriyattiath, Al Masah Capital; Jassim Haji, Gulf Air; Raffik Basha, Esol Education; Sheikh Adnan Ahmad, Wasl Group; Shuchi Chandra, National Bank of Fujairah; Vivek Silla, Banque Saudi Fransi
WINNER: Aliasgar Bohari, Zulekha Hospitals

Most Outstanding Security Team
WINNER: Dubai Chamber of Commerce and Industry
FINALISTS: Dubai Municipality; General Civil Aviation Authority; Gulf Air; Mubadala Development Company; RAK Bank; Zulekha Hospitals





Best IT Security Project Public Sector
WINNER: Electronic Government Authority, Ras Al Khaimah
FINALISTS: Dubai Chamber of Commerce and Industry; Dubai Customs; Dubai Municipality; General Civil Aviation Authority, UAE; King Abdulaziz City for Science & Technology; Kuwait National Petroleum Company

Best IT Security Project Private Sector
FINALISTS: Al Masah Capital; AWRostamani; Dubai First; Gulf Air; Landmark Group; RAK Bank; Zulekha Hospitals
WINNER: Al Hilal Bank

Editor’s Choice Award: Al Masah Capital

Editor’s Choice Award: Landmark Group

Editor’s Choice Award: Juniper Networks

VENDOR CATEGORIES

Best Anti-Spam Vendor
WINNER: Symantec
FINALISTS: Cisco; Norton; Sophos





Best Anti-Malware Vendor
FINALISTS: Cisco; ESET Middle East; Malwarebytes; Mimecast; Sophos; Symantec
WINNER: Kaspersky Lab

Best Cloud Security Vendor
FINALISTS: Check Point; Cisco; Palo Alto Networks; Sophos; Thales e-Security; VMware
WINNER: Barracuda Networks

Best Encryption Vendor FINALISTS:

WINNER

ESET Middle East; Thales e-Security

Sophos



Corporate Data Breaches: Is Your Information Exposed?

DATA RECORDS ARE LOST OR STOLEN AT THE FOLLOWING FREQUENCY (Source: breachlevelindex.com)
Every second: 62
Every minute: 3,695
Every hour: 221,714
Every day: 5,321,126

[Charts: Average number of breached records, 2017, and average total cost of data breach, 2017 (measured in US$ millions), for USA, Middle East, France, Japan, Italy, UK and Australia. Source: 2017 Cost of Data Breach Study: Ponemon Institute]

BreachDB

80% of users tend to use corporate email as user IDs on various platforms where they also tend to reuse the same password across most accounts. It remains imperative for organizations to control what remains exposed online. Leaked corporate email addresses used as user IDs often act as a convenient starting point for attackers to breach an organization. By allowing attackers the luxury of pinpointing vulnerabilities at their own time and leisure, companies can then suffer from catastrophic data and financial losses. As part of its security-as-a-service offering, CTM360 offers a consolidated view, dubbed BreachDB, for IT security teams and management of organizations to track all exposed corporate and user data from publicly released breaches.

Gain access to real-time comprehensive dashboard and alerts on corporate emails and exposed passwords free of cost. Please contact us at cirt@ctm360.com

www.ctm360.com



Best Identity and Access Management Vendor
FINALISTS: Cisco; ManageEngine; HID Global
WINNER: CA Technologies

Best Mobile Security Vendor
FINALISTS: Kaspersky Lab; Norton by Symantec; Sophos; VMware
WINNER: Check Point

Best Network Security Vendor
WINNER: Fortinet
FINALISTS: Check Point; Cisco; Juniper Networks; Palo Alto Networks; SonicWall; Sophos





Best Security Systems Integrator
FINALISTS: AGC Networks; Help AG; Nanjgel Solutions
WINNER: Gulf Business Machines

Managed Security Services Provider of the Year
FINALISTS: Cisco; eHosting DataFort; ITSEC
WINNER: Paladion Networks

Managed Detection and Response Services Provider of the Year
WINNER: CTM360
FINALISTS: ITSEC; Paladion Networks; PixAlert




OPINION

TACKLING THE THREAT RIGHT UNDER YOUR NOSE

By Ray Kafity, vice president, Middle East, Turkey and Africa at Attivo Networks

When it comes to security threats, focus is often put on external hackers deploying a host of attacks such as Trojans, phishing attacks and APTs, among others. However, it may be time for organisations to stop only looking externally and think about the internal threats that may be lurking within their networks. A 2016 IDC survey found that the top threat to Middle East organisations’ security is insider threat. Data theft, device infection, and APTs are contributing to the rapid development of the threat landscape.

When it comes to insider threats, they usually fall into three camps:

• Malicious: Malicious insider behaviour combines a motive to harm with a decision to act inappropriately. For example, keeping and turning over sensitive proprietary information to a competitor after being terminated or for financial or other personal gain.
• Negligent: Negligent behaviour can occur when people look for ways to avoid policies they feel impede their work. While most have a general awareness of security risks and recognise the importance of compliance, their workarounds can be risky.
• Accidental: Accidental behaviour can occur as a result of an individual’s careless actions that inadvertently cause security breaches. This can commonly occur when employees don’t actively patch their systems, use BYOD devices or accidentally get hit with attacks like man-in-the-middle while connected to free Wi-Fi.

Typically, when thinking about insider threats, malicious insiders out for their own gain come to mind. However, the greatest breaches happen because many employees fail to understand security risks and do not adhere to policies. When it comes to exposing critical data, those guilty often include employees, contractors, and third-party suppliers – with the data being stolen typically being office documents via physical media including USB drives and laptops.

The mass adoption of cloud computing technology and bring-your-own-device (BYOD) have increased the likelihood of insider threats. This trend provides employees with increased network access – allowing malicious insiders to go undetected by security systems that are bound by parameters. Despite an increase in the frequency of these types of breaches, many organisations are overlooking the severity of this issue, resorting to traditional defence systems that are solely designed to prevent attacks through a firewall, anti-virus or other perimeter solutions. A Gartner survey reported that such spending is expected to reach $2 billion by 2020 in the Middle East and North Africa region. However, organisations are spending more on complex legacy technology, which is inadequate to fend off the sophisticated tactics and tools exploited by cybercriminals on the prowl.

This lack of focus on the importance of securing critical data demonstrates the need for a new approach to dealing with insider threats: one that provides detection of inappropriate reconnaissance, of unauthorised access to assets, and of accidental risks associated with misconfigurations and credential mishandling.

When it comes to mitigating insider threats, acknowledging the risk will help organisations ensure steps are taken to prevent these attacks. To adequately address these threats, organisations need to employ preventative strategies and solutions that can stave off devastating insider attacks, but they also need to be able to detect the threats that evade prevention systems quickly and accurately. Hence, experts suggest implementing deception technology that focuses on providing early visibility and accelerated response to detected incidents. Such technology dramatically increases the speed at which threats inside the network are uncovered, raises high-fidelity alerts, simplifies the correlation of data, and accelerates incident response actions to automate the blocking and quarantine of attacks.

Deception technology is designed for the highest authenticity and will self-learn the environment, automatically update deceptions, and respin to avoid attacker fingerprinting after an attack. This, paired with highly interactive decoys that are 100 percent customisable to a company’s production environment, will make the environment indistinguishable to both external and internal threat actors.

Adding deception for internal threat actors does not add burden to security teams since the design is not reliant on having to “learn to get good”, signatures, pattern matching or big data analytics. Since alerts are engagement-based and include substantiated attack activities, there are no false positives and the infected systems are easily identified for prompt quarantine and remediation. Because of its high efficacy, deception technology is growing in popularity for detecting internal and supplier threats targeted at infiltrating a company’s IP, personnel records, financial and other sensitive information stored in data centres or shared between third parties.

While external attacks will continue to plague organisations, it would be a mistake to overlook the threats that your employees and suppliers represent. Early threat visibility and detection solutions such as deception technology, combined with employee-training programs, will defend against these insider threats and strengthen the protection of critical assets.


OPINION

WHY ENCRYPTION IS A CRITICAL STEP TOWARDS COMPLIANCE

By Sebastien Pavie, director, Identity and Data Protection, Middle East and Africa, Gemalto

Last year, the Middle East suffered more data breaches than any previous year. According to Gemalto’s Breach Level Index, data breaches in the Middle East are up by 16.67 percent to 21 in 2016 compared to 18 breaches in 2015. A total of 45.2 million data records were compromised in the region compared to 38.5 million in the previous year. Beyond the region, a total of 1,792 data breaches occurred worldwide, which led to almost 1.4 billion data records being compromised in 2016, a whopping 86 percent increase as compared to 2015. Identity theft was the leading type of data breach in 2016, accounting for 59 percent of all data breaches worldwide.

These events have raised awareness around the potential risks to our data, and businesses are now realising the criticality of implementing effective security solutions. Encryption is starting to gain particular prominence because of its ability to render breached data useless to anyone that is not authorised to access it. When considering encryption, businesses must first understand what data they produce and which data is most valuable or sensitive, through conducting a data sweep. Only by understanding what data they have can businesses then seek to encrypt and protect it.




The key to businesses maintaining control over their encrypted data in an ever-more hybrid environment is thoroughly planning encryption key management strategies. Encryption keys are essential to unlock secured data and provide fundamental control over who has access to certain data – making companies, and more importantly customers, the custodians of their own data. The best approach is to store encryption keys in specially designed hardware, to prevent them from being hacked. Otherwise, it is like fitting your house with the best security out there, and then leaving your key under the doormat for the burglar to find.

Businesses are not just risking a financial hit if they do not implement and manage the protection of their data properly, but a reputational one too. Customers, more than ever before, are starting to understand the risks associated with sharing and hosting information online. It may not come as a big shock, but consumers believe the majority of responsibility lies with the business to protect their data and will blame them if something goes wrong. Companies need to take note of this, because if something does go wrong, customers are likely to go elsewhere.

With the upcoming General Data Protection Regulation (GDPR), the true cost of a breach is still to be felt across Europe as businesses are currently not forced to reveal when they have been breached. As such, they still maintain customer loyalty. While businesses should know that it is a case of when, not if, a breach occurs, GDPR should serve as a wake-up call. To keep that loyalty, they must show they are actively working to protect their customer data using techniques like encryption. Currently, there is limited incentive to prioritise security, and a lack of accountability for the business.

GDPR is also relevant to businesses worldwide, beyond the European market, that transact or hold the data of any European Union (EU) citizen. GDPR is equally important in the Middle East as several companies in the region conduct business and transact in the EU. More and more countries globally are beginning to adopt stringent data protection laws and the UAE is no exception with its National Electronic Security Authority (NESA), governing critical data protection and advancing cybersecurity in the nation. The UAE has led the way in the region with NESA to oversee the country’s cyberspace. It has been tasked to create and instill a range of strategies and policies to align and direct national cybersecurity efforts with a mandate to create a secure cyber-environment that enables the unimpeded progress of the UAE through these national cybersecurity standards and policies. With such stringent laws in place, it is evident that the region is making great strides to protect businesses and consumers alike.

Globally, companies need to realise that being breached is an inevitability and customers will not put up with those that can’t protect their data. Encryption itself is very effective, but if you do not protect it and the encryption keys that unlock it, then it can easily be cracked by unauthorised individuals. To protect against this, businesses should also focus on who is authorised to access valuable and sensitive data. The best approach is to use two-factor authentication, which requires the employee to have something like a phone or access to an email address and to know a code or password that is constantly changing, rather than just a code or password that can be guessed. These types of security are readily available, but need to be more widely adopted by businesses.

Currently, there is limited incentive to prioritise security, and a lack of accountability for the business. Companies need to start taking security seriously and this means from the top down. GDPR is still to come into effect, but businesses need to start preparing now before it is too late and they are faced with a potential fine and damaged reputation.

Company boards should take a considered approach to security. It is not a question of the Chief Information Security Officer (CISO) saying no all the time, but rather implementing security protocols early so that it does not affect innovation and ensures the company adheres to the latest regulations. Furthermore, by establishing a security mindset at the top of the company, it will filter down to the rest of the employees. Every business should know that its defence is only as secure as its weakest link.




INSIGHT

MOBILE MATTERS

Nikhil Nayak, product analyst, ManageEngine, shares 10 things to consider when choosing a Mobile Device Management (MDM) Solution.

T

he past decade has seen an increasing trend in employees using mobile devices like smartphones and tablets to aid in their work. This trend has fostered organisations to adopt practices like bring-your-owndevice (BYOD) with hopes of improving employee productivity and efficiency. There is, however, a downside to this because such practices pose major risks concerning corporate data security and data management. In order to ward off these risks, enterprises seek out reliable mobile device management (MDM) solutions. There are many solutions out there, but selecting the right solution for your 36

09.2017

enterprise may seem challenging — especially if you’re not aware of what to look out for. Here is a list of 10 things to consider as you choose your MDM solution:

1

UNDERSTAND YOUR BUSINESS NEEDS AND SECURITY STANDARDS Every industry is different in its functioning. Defence, healthcare, IT, retail and others each have their own security requirements. For example, a nation’s defence sector will have far more protocols and security clearance requirements when compared with its logistics industry. Therefore, it is essential to be aware of your industry’s standards to ensure that there is no ambiguity while performing research

on the available features of an MDM solution.

2

KNOW WHAT’S IN STORE WHILE EMBRACING MOBILITY An enterprise that decides to go mobile should be aware of the associated pros and cons. Let’s say that your organisation supports BYOD, which allows employees to use their personal mobile devices to perform company-related tasks such as accessing work-related content. Employees would want the ability to complete routine tasks from their smartphones during their downtime so they can focus on mission-critical work while at their desks. This invariably poses a risk in the form of data leakage due to factors such as malware or device theft. www.tahawultech.com


3

UNDERSTAND APP MANAGEMENT AND SECURITY Managing mobility in organizations involves combating security risks concerning devices and apps. Existing security awareness programs are targeted toward desktop users. If an enterprise is looking to adapt to a mobile environment, these programmes have to be revisited to focus on the usage and risks involved with mobile devices. An enterprise should educate its employees to use trusted sources and avoid suspicious third-party sites for app downloads. It should discourage the habit of tapping “Continue” during app installations. An ideal MDM solution has features that prevent suspicious apps from being installed.

4. SEGMENT YOUR ORGANISATION BASED ON LEVEL OF TRUST

Segments in an enterprise can be either hierarchical or departmental. Regardless, certain employees might have access to data that won’t be available to others. Consider a taxi service provider whose drivers require passengers’ pickup and drop-off locations: their mobile devices can be provisioned to show only this data on an app. However, their superiors can access further details such as passenger email ID and age, which they can use to make data-driven decisions. To maintain tiered protection, top-level employees require stronger encryption and more flexibility.

5. SET POLICIES AND RESTRICTIONS FOR DEVICES AND APPS

An ideal MDM solution would let you push policies onto mobile devices. By setting up policies, you can restrict certain device functions. Consider the following situation: Your company has come up with a breakthrough product idea in a market with no other offering that is even remotely similar to yours. Your R&D team is working on materialising this product. To ensure that there is not even the slightest data leak, you need to disable data distribution by preventing local printing or data storage.

6. IDENTIFY NON-COMPLIANT DEVICES

Jailbroken and rooted devices always pose a greater risk because they’re an easy target for malware and cyberattacks. You need a system that can quarantine devices so threats cannot spread after detecting malware, app risks, network attacks and other threats. Enterprise data is regularly compromised simply because employees’ devices aren’t compliant with the enterprise’s security policies. An ideal MDM solution should detect whether a device is compliant. It should also let your device lock or remote wipe non-compliant devices and bar them from your organisation’s network.

7. CREATE AWARENESS AMONG USERS

Employees might find an MDM solution to be an invasion of their privacy. While this isn’t true, you must take steps to ensure that there are no misconceptions regarding user privacy invasion. An enterprise has to educate its employees on the need for securing mobile devices, while also making them feel comfortable about the MDM setup. This can be done either by developing an end-user licence agreement (EULA) or a general acceptance agreement that is shared and signed by the employees.

“An ideal MDM solution should detect whether a device is compliant. It should also let your device lock or remote wipe non-compliant devices and bar them from your organisation’s network.” - Nikhil Nayak, ManageEngine

8. AUDIT REGULARLY FOR COMPLIANCE

Reporting and auditing are common approaches for guaranteeing compliance with regulations and organisational policies. In order to prove compliance, you will need to run regular audits. Along with running regular audits, an ideal MDM solution should be able to push secure apps and enable patching and updates for both devices and apps to ensure that the devices are compliant.

9. EMBRACE NEW TECHNOLOGY WITH A BIT OF CAUTION

There are plenty of device manufacturers out there, each running its own flavour of operating system, be it Android, iOS, Windows, Blackberry, Symbian or others. And the variety doesn’t stop there. Every day, enhancements are made to devices to make them faster, increase their storage space and more. To make sure that your employees have what they need to be effective, you have to survey and study every new device enhancement and app technology. Ideally, the bugs have been worked out before you spend your money.

10. DEPLOY A GOOD MDM SOLUTION

In mobile device management, no single solution is one-size-fits-all. An MDM solution is customisable to match an individual organisation’s requirements. Many industries such as healthcare, retail and IT can use MDM to their advantage through its ability to cater to their unique needs. Ask your vendor to help you adopt and establish effective day-to-day MDM practices.


INSIGHT

5 REASONS TO TAKE A FRESH LOOK AT YOUR SECURITY POLICY

Evolving ransomware and DDoS attacks, new technology such as IoT, and changing user behaviour are all good reasons to revise your security policy. STACY COLLETT, CSO ONLINE

Today’s advanced persistent threats, new business technologies and a younger workforce have prompted security budgets to shift from breach prevention to detection and response. Those same forces have also motivated many organisations to take a fresh look at their security policies and guidelines – and for good reason.

By 2018, for instance, 50 percent of organisations in supply chain relationships will use the effectiveness of their counterpart’s security policy to assess the risks in continuing the relationship, according to Gartner. Does your policy align with those of your partners?

The majority of companies have some form of security policy already in place, whether created from scratch or borrowed from myriad templates available through security organisations and vendors. How effective those policies are today is another story. Some 31 percent of companies have a formal security policy for their company, while another 34 percent have an informal security policy that is adopted by various departments in the company, according to a survey of 1,500 software developers worldwide by Evans Data Corp.

The golden rules for writing security policy still apply, such as making sure the process is shared with all stakeholders who will be affected by it, using language that everyone can understand, avoiding rigid policies that might limit business growth, and ensuring the process is pragmatic by testing it out.

Just because policies are intended to be evergreen doesn’t mean they can’t become stale. Security and risk experts offer five reasons why companies should take a fresh look at security policies.

1. Ransomware, DDoS and APTs

The number of ransomware attacks targeting companies increased threefold from January to September 2016 alone, affecting one in every five businesses worldwide, according to Kaspersky Lab. The average distributed denial of service (DDoS) peak attack size increased 26 percent in Q1 2017 compared to the previous quarter, according to Verisign.

In the past, security policies focused on how to protect information. There would be policies associated with data classification and policies associated with how to not share information in a certain way on the network. “Now, because of ransomware and advanced persistent threats (APTs), policies have to focus more on user behaviour and on the behaviour of the bad guys,” says Eddie Schwartz, chairman of ISACA’s cybersecurity advisory council and executive vice president of cyber services at DarkMatter.

While a security policy should be “fairly stalwart and stable” to withstand those threats, some standards and individual procedures written for how to deal with individual threats may have to be updated more frequently as the threat environment changes, says Julie Bernard, principal in the cyber risk services practice at Deloitte in Charlotte, N.C.

2. Cloud, IoT, blockchain and other new technology

Next-generation tools, such as the Internet of Things (IoT) in manufacturing or blockchain in financial services, are driving changes to security policies. “Policy has to keep up with the dynamic environment you’re in,” says Bernard.

“If your company is moving to cloud, tech people are worried about uptime and security, but what about the policies that go along with it? Can I share information with one of my key vendors through a cloud app? If so, which one? And how do you facilitate that, which gets into standards questions,” Bernard explains. “You could have a policy of ‘thou shall not share,’ but unless you have the technical ability to block that, people are still going to try to get their work done” and do it anyway, she adds.

3. Changing user behaviour

A growing millennial workforce is changing the technology expectations and work behaviours that affect security policies and standards, Schwartz says. “It’s more about ‘if you’re on Facebook at work watching that funny cat video, be careful because it might contain embedded malware,’ or ‘just don’t do it at work,’” he says. “Instead of giving users instructions that are generic about protecting information, you really have to tailor those instructions to the behaviours that we know they’re doing at the office,” such as using smart devices connected to corporate networks or surfing social media on company laptops.

In some organisations, security standards and procedures include equal parts of preventative measures and response measures, including directions for taking action after a breach inevitably happens, Schwartz says.

4. Security fatigue and lax enforcement

Sometimes employees just get tired of following all the rules, says Jay Heiser, research VP in security and privacy, Gartner. Pile on too many “don’ts” over time in the security policy, and security fatigue can start to diminish a policy’s effectiveness. “They’ll just begin tuning it out,” he says.

In response, organisations often lighten up on enforcing policies because of rampant use, such as in areas of public and cloud computing. “The majority of organisations are not enforcing the use of SaaS,” Heiser says. “They’re allowing fairly free use of anything that employees can connect to,” which negates having the policy at all.

5. Some policy elements are obsolete

“Organisations typically don’t take a methodical look at their policy elements to see if they’re actually changing what happens,” Heiser says. “If they don’t change what happens, then what’s the point?” He suggests making a spreadsheet of all security policies and grading them on a scale from one to five. “Are they followed or not? If they were followed, would it reduce risk? If either one of those is zero, then the net outcome is probably zero, unless there’s an audit requirement” to include it.

POLICY REFRESH

While an annual review of security policies is common, especially where compliance rules are involved, some analysts believe the standards and procedures should be reviewed quarterly. “In general, for a large organisation the absolute minimum is quarterly, but they should also be reviewed as needed,” Schwartz says. “If they discover a gap due to a change in the threat landscape, or get a new HR system or move to the cloud, a new mobile environment – all of those events are going to trigger potential changes in policy.”

All new threats should be held up to established security policies to make sure they are addressed at the highest level. If they aren’t, then, “You have to have an executive leadership conversation on what do you want to do on principle” with the security team, legal, audit and compliance to determine the right course of action and then craft a policy, Bernard says. Once the security policy, standards and procedures are cleaned and up to date, make them easy for employees to find quickly, she adds.

The right balance of security policy and risk tolerance varies greatly with each organisation. Having very specific policy goals is the starting point for governance.




PRODUCTS

Brand: HP Product: ElitePOS

HP has unveiled its versatile all-in-one point-of-sale (POS) system, the HP ElitePOS, for the retail sector. The ElitePOS features a modular design, different from large, boxy POS terminals commonly used in retail environments, said the firm. Its design is also functional, supporting use cases such as interactive signage, employee attendance, and self-service applications like a customer check-in and access to additional product offerings in the “endless aisle”. For retailers who want a clean and clutter-free counter space, the display can be separated from the input/output (I/O) base for maximum placement versatility. It runs Windows 10 and features DDR4 memory and 7th generation Intel Core processors with vPro technology.

What you should know: HP is also integrating security software features into the ElitePOS such as HP Sure Start Gen3, self-healing BIOS, and HP BIOSphere Gen3, firmware ecosystems. It also has user authentication features and an optional bolt-to-counter configuration, VESA mounting K-Lock features and external fingerprint reader for secure login through Windows Hello. The ElitePOS is expected to be available in the UAE at AED 9,175.

Brand: Riverbed Product: Xirrus AP

Riverbed has launched its first Wireless Access Point, post its acquisition of Xirrus earlier this year. The new Xirrus AP (Model XD2-230) is an 802.11ac Wave 2 Wireless Access Point. The device comes with a number of key features. It features 3.9Gbps total Wi-Fi bandwidth. The 802.11ac AP can be managed from the cloud or on premise. The AP is designed with an integrated controller, providing layer 7 application visibility to keep up with the demands that applications are putting on Wi-Fi, according to the company. Management and control is provided by the cloud or an on-premise based Xirrus Management System (XMS), enabling complete visibility and control for all devices and applications from a single console. The onboard controller enables application-based policy control, integrated location services, and software-defined radios directly at the network edge.

What you should know: With 3 radios, including Bluetooth Low Energy (BLE), the XD2-230 model provides secure access for Wi-Fi users and Internet of Things (IoT) devices with an easy-to-use SaaS solution, while helping enterprises scale and adapt to evolving demands. Secure access for an unlimited number of users/devices is delivered by the EasyPass SaaS solution. EasyPass simplifies secure Wi-Fi connectivity with integration to the Microsoft Azure and Google application ecosystems, enabling single sign-on to both user applications and Wi-Fi.

Brand: QNAP Product: TS-x53BU Series NAS

QNAP Systems has released the TS-x53BU series NAS, which offers optimal performance and deployment flexibility with 4 Gigabit LAN ports and expandability for M.2 SSD and 10 GbE connections. The TS-x53BU features a standard 1U and 2U form factor for a stable, secure and high-performance storage. Powered by a 14nm Intel Celeron J3455 quad-core 1.5GHz processor (burst up to 2.3 GHz), up to 8GB dual-channel DDR3L RAM, SATA 6Gb/s, and with 4 Gigabit LAN ports, the TS-x53BU series delivers up to 415 MB/s read speed and 416 MB/s read with Intel AES-NI 256-bit encryption. Additionally, the TS-x53BU-RP provides a redundant power supply to ensure optimal uptime for mission-critical applications.

What you should know: The device is available in 4-bay, 8-bay and 12-bay models with single and redundant power supply options. The TS-x53BU comes with a PCIe slot that allows installing a QNAP QM2 M.2 SSD/10GbE LAN adapter to boost SSD caching performance and to provide 10GbE connectivity. Users can also consider installing a 10GbE/Gigabit adapter or a USB 3.1 10Gbps adapter for diverse storage applications.


BLOG

WHEN TO LOOK FOR AN EXTERNAL SOC By Sachin Bhardwaj, director, Marketing and Business Development, eHosting DataFort

A security operations centre (SOC) is an external control room that houses a team responsible for monitoring and analysing an organisation’s security profile on a continuous basis. The team’s goal is to detect, analyse and respond to cybersecurity incidents using a blend of their skills, technology solutions and a set of well-established processes. Without exception, security operations centres work closely with an organisation’s incident response teams to ensure incidents detected are addressed and controlled without delay.

The security operations centre tracks anomalous activity on endpoints, networks, servers, databases, applications and websites, and is responsible for identifying, analysing, defending and reporting such threat incidents. An external security operations centre focuses on the day-to-day operational component of enterprise information security. This allows the in-house security and IT teams to focus on developing and improving security strategy, designing the security architecture, and implementing the latest protective measures. However, security operations centres can also provide advanced services such as forensic analysis and reverse malware engineering to analyse the source, points of intrusion, and modus operandi of threat incidents.

Integrating the role and services of an external security operations centre requires getting the right balance in preventive, detective and reactive security roles as well as access to its threat intelligence capabilities. This can be driven by an objective and proactive assessment and audit procedure or through the experience of painful and damaging historical incidents, including breaches and compromises. An important step in integrating the services of an external security operations centre is to identify business-specific goals and to include senior management and business heads in the build-up process. Incorporating the role of an external security operations centre requires an internal gap analysis, a list of milestones to be achieved based on that gap analysis, and an incremental budget spending approach.

The security operations centre will also need to communicate and coordinate with internal points of administrative control, such as first responders, public relations, and other identified points of control. An external security operations centre can provide services built through integration of threat intelligence, security monitoring, incident response and security analytics, to manage advanced persistent threats on the network, endpoint threat detection and data exfiltration. Security operations centres typically blend skilled people resources into processes and use the latest technologies to provide business-focused compliance and service level agreements.

A key benefit from the services of an external security operations centre is its uninterrupted, round-the-clock ability to build up a baseline profile of normal activity by monitoring users, applications, infrastructure, network and other supporting systems. The inability to establish such a normal baseline of activity is a common obstacle that enterprises face in being able to issue credible alerts over false positives.

