ISSUE 26 | APRIL 2018 www.tahawultech.com
HONOURING EXCELLENCE IN SECURITY LEADERSHIP
Future-proof security
ISNR Abu Dhabi
Women in cybersecurity
CYBER EXPOSURE PARTNER
CONTENTS
The Cyber Exposure Company FOUNDER, CPI MEDIA GROUP Dominic De Sousa (1959-2015) PUBLISHING DIRECTOR Natasha Pendleton natasha.pendleton@cpimediagroup.com +971 4 440 9139 EDITORIAL Managing Editor Michael Jabri-Pickett mjp@cpimediagroup.com +971 4 440 9158 Online Editor Adelle Geronimo adelle.geronimo@cpimediagroup.com +971 4 440 9135 Contributing Editors James Dartnell james.dartnell@cpimediagroup.com +971 4 440 9153 Janees Reghelini janees.reghelini@cpimediagroup.com +971 4 440 9167 Glesni Holland glesni.holland@cpimediagroup.com +971 4 440 9134 DESIGN Senior Designer Analou Balbero analou.balbero@cpimediagroup.com +971 4 440 9140 Designer Mhar Delaben marlou.delaben@cpimediagroup.com +971 4 440 9156 ADVERTISING Group Sales Director Kausar Syed kausar.syed@cpimediagroup.com +971 4 440 9130
12 SECURITY
Sales Manager Merle Carrasco merle.carrasco@cpimediagroup.com +971 4 440 9147 Business Development Manager Youssef Hariz youssef.hariz@cpimediagroup.com +971 4 440 9111
STALWARTS
CIRCULATION Circulation Manager Rajeesh M rajeesh.nair@cpimediagroup.com +971 4 440 9119
Security Advisor ME’s inaugural CISO Awards and Forum honours excellence in security innovation and leadership.
PRODUCTION Operations Manager Shweta Santosh shweta.santosh@cpimediagroup.com +971 4 440 9107 DIGITAL SERVICES Web Developer Jefferson de Joya Abbas Madh Photographer Charls Thomas Maksym Poriechkin webmaster@cpimediagroup.com +971 4 440 9100 Published by
Registered at Dubai Production City, DCCA PO Box 13700 Dubai, UAE Tel: +971 4 440 9100 Fax: +971 4 447 2409
08
THE GAME PLAN How can today’s organisations prepare for the threats ahead?
18
Printed by Al Ghurair Printing and Publishing Regional partner of
© Copyright 2018 CPI All rights reserved While the publishers have made every effort to ensure the accuracy of all information in this magazine, they will not be held responsible for any errors therein.
22
ON THE FRONTLINES Security Advisor ME’s exclusive roundtable delved into the latest defence strategies in the digital era. WOMEN IN CYBERSECURITY What is holding the security industry back from attracting more women in the field?
25
ACCESS GRANTED
Is biometrics technology a security bane or boon?
28
SAFETY FIRST How driverless cars will bring a new cybersecurity challenge.
32
GUARDING THE GATES Mimecast’s Brain Pinnock on why email security is a critical element of cyber resilience.
NEWS
UNDER ARMOUR DISCLOSES MAJOR DATA BREACH Athletic apparel brand Under Armour revealed that data from around 150 million MyFitnessPal diet and fitness app accounts was compromised in February, according to a report in Reuters. The stolen data includes account user names, email addresses and scrambled passwords for MyFitnessPal mobile app and website, Under Armour said in a statement. It added that Social Security numbers, driver license numbers and payment card data were not compromised. According to SecurityScorecard, this is the largest data breach this year and one of the top five to date, based on the number of records compromised. Larger hacks include 3 billion Yahoo accounts compromised in a 2013 incident and credentials for more than 412 million users of adult websites run by California-based FriendFinder Networks Inc in 2016, according to breach notification website LeakedSource.com, Reuters reported. The firm said it is working with data security firms and law enforcement without sharing details on how the hackers compromised its network without getting caught. Reuters said that while the breach “did not include financial data, large troves of stolen email addresses can be valuable to cyber criminals.”
FACEBOOK UNDER THE MICROSCOPE FOR DATA MISUSE SCANDAL Last month, The New York Times and London’s Observer revealed that the data analytics firm Cambridge Analytica harvested private information from 50 million Facebook users to develop techniques to support President Donald Trump’s 2016 election campaign. The world’s largest social media network is facing great scrutiny from the US and European governments due to the incident. Facebook says the data was initially collected by a professor for academic purposes in line with its rules. The information was later transferred to third-parties, including Cambridge Analytica, in violation of Facebook’s policies, Facebook has said. Facebook founder and CEO Mark Zuckerberg has since issued an apology and has pledged to further restrict developers’ access to user data, including automatically
DARKMATTER NAMES NEW CEO DarkMatter has appointed Karim Sabbagh as Karim Sabbagh its new chief executive officer, effective April 2018. The announcement was made by the firm’s founder and former-CEO Faisal Al Bannai who will now assume the role of managing director Al Bannai noted that his new role will enable him to focus on the strategic direction and oversight of the firm as the, while the new CEO will take responsibility for the business. Sabbagh joins DarkMatter with an impeccable track record as a technology thought leader and practitioner across the Middle East and globally. He most
$1.5 B 4
04.2018
removing access for any app the user hasn’t opened in at least three months. Facebook will also investigate all apps with access to large amounts of user data. “This was a major breach of trust. I’m really sorry this happened. We have a basic responsibility to protect people’s data,” said Zuckerberg. Zuckerberg said he was open to additional government regulation and happy to testify before the US Congress if he was the right person to do so. “What we try to do is send the person at Facebook who will have the most knowledge,” Zuckerberg said. “If that’s me, then I am happy to go.” According to reports, the company had already lost over $60 billion of its stock market value since the incident was revealed.
recently served as President and CEO of Luxembourg-based communications satellite owner and operator, SES, the world’s largest satellite operator. Prior to joining SES, Sabbagh spent more than 15 years working in management consultancy with Booz & Co (Strategy&, Booz Allen Hamilton). At the time of his departure from Booz & Co in 2013, Sabbagh was a Senior Partner and a global practice leader for Communications, Media & Technology. “It is exciting for me to return to the vibrant Middle East region having spent a number of years away, and to lead one of only a handful of full-service cybersecurity firms present in the world today. I look forward to contributing to building a global cybersecurity powerhouse in arguably the most significant industry of our time.”
forecasted value of Internet of Things security spending by 2021 Source: Gartner
www.tahawultech.com
NEWS
HACKERS TRIED TO TRIGGER PETROCHEMICAL PLANT BLAST IN SAUDI ARABIA Cyber-attackers tried to trigger a deadly explosion at a petrochemical plant in Saudi Arabia in August, The New York Times reported. Investigators declined to identify the suspected attackers, but people interviewed by the newspaper unanimously said it most likely aimed to cause a blast that would have guaranteed casualties. A bug in the attackers’ code accidentally shut down the system instead, according to the report. The cyber-attack – which could signal plans for other attacks around the world – was likely the work of hackers supported by a government, according to multiple insiders interviewed by the newspaper. According to the report, attackers were sophisticated and had plenty of time and resources, an indication that they were most likely supported by a government, according to more than a dozen people, including cybersecurity experts who have
looked into the attack and asked not to be identified because of the confidentiality of the continuing investigation. All sources declined to name the company operating the plant as well as the countries suspected to have backed the hackers, The New York Times said. Security experts, however, told the newspaper that Iran, China, Russia, Israel and the United States had the technical capacity to launch an attack of that magnitude. There was no immediate comment from Saudi Arabia, which has come under frequent cyber-attacks, including “Shamoon”, the aggressive disc-wiping malware that hit the Saudi energy sector in 2012. But the August attack was “much more dangerous” than Shamoon, according to The New York Times, and likely aimed to send a political message -- investigators said the code had been custom-built with no obvious financial motive.
NEW MALWARE TARGETS VICTIMS VIA ROUTERS: REPORT A new malware that attacks and infects victims through compromised routers and can run in kernel mode, giving it complete control over victim devices has been uncovered in the Middle East and Africa region. Kaspersky Lab researchers have uncovered a sophisticated threat used for cyber-espionage in the MEA from at least 2012 until February 2018. The malware, which researchers have called ‘Slingshot,’ attacks and infects victims through compromised routers and can run in kernel mode, giving it complete control over victims’ devices. According to researchers, among the techniques used by this threat actor include hiding its traffic in marked data packets that it can intercept without trace from everyday communications. The Slingshot operation was discovered after researchers found a www.tahawultech.com
suspicious keylogger programme and created a behavioural detection signature to see if that code appeared anywhere else. This triggered a detection that turned out to be an infected computer with a suspicious file inside the system folder named scesrv.dll. Analysis of the file showed that despite appearing legitimate, the scesrv.dll module had malicious code embedded into it. Since this library is loaded by ‘services. exe,’ a process that has system privileges, the poisoned library gained the same rights. The researchers realised that a highly advanced intruder had found its way into the very core of the computer. When an administrator logs in to configure the router, the router’s management software downloads and runs the malicious module on the administrator’s computer. The method used to hack the routers remains unknown.
PROMINENT TECH CONFERENCE UNDER FIRE FOR LACK OF DIVERSITY Cybersecurity professionals from companies including Facebook and Alphabet have created a small security event to rival Dell’s RSA Conference after criticising the major industry gathering for scheduling just one female keynote speaker this year. The alternate conference is dubbed “Our Security Advocates Conference,” or OURSA will be held on 17th April at the San Francisco offices of computer security company Cloudflare, about a mile from the Moscone conference center where RSA is being held. RSA Conference was criticised for having announced just one female keynote speaker out of 22 headliners this year. According to reports, some also criticised the fact that the only female speaker is not a computer security expert, but instead, anti-online bullying activist Monica Lewinsky. “Inspired by a lack of diverse representation on the program agendas of other [information security] events, we decided to host our own with a dedicated focus to feature a diverse set of experts,” OURSA organisers said in a statement. “Some conferences claim this is too hard to do because of the overall lack of diversity in the industry, we’re going to prove otherwise.” Facebook’s Stamos and Google security expert Parisa Tabriz put together a lineup of speakers that they say reflects the diversity they’d like to see at cybersecurity events. They’re backed by sponsors Google, Facebook, Uber, Netflix, Dropbox and Cloudflare.
04.2018
5
FEATURE
BLOCK BY BLOCK The Internet of Things (IoT) is among one of the most exciting developments in the technology industry. As the race to make the interconnected era a reality continue to gather pace, there is a criticial issue that organisations need to solve: security.
T
he world is full of connected devices – and more are coming. The billions of smart devices coming to the Internet of Things (IoT) could transform homes, cities and lives. By 2020 that number could exceed 20 billion, and by 2030 there could be 500 billion or more. The IoT allows devices and people to connect via the Internet so new actions can be enabled. The main ability of IoT is to gather and exchange data from various sources in such a way that the data becomes actionable and lets devices and users make decisions based on it. As IoT continues to gather pace to become more mainstream, a number of 6
04.2018
key challenges are also fast emerging, chief among which is security. “This proliferation of IoT presents new and unique security challenges,” says Sebastien Pavie, director, Enterprise and Cybersecurity, META, Gemalto. “The interconnected nature of IoT means that every poorly secured device that is connected online poses a potential risk, and as the number devices and connections increase, come an even greater need for security,” he explains. Since IoT involves interconnecting multiple devices that threat actors can access, that means that hackers can accomplish more. Cybercriminals could potentially gain access to a device as menial as a printer or a thermostat and take over the whole ecosystem of devices connected to it.
“As businesses become increasingly interdependent and cloud-enabled, they need reliable, secure and instantaneous connectivity to compete,” says Jeroen Schlosser, managing director, Equinix MENA. Schlosser says that among the key challenges in interconnected era include securing exponential growth in volumes and velocity data; managing complex and multi-provider integration; monitoring the movement of data to a single location for; and security and operational risk exposure. But perhaps, the biggest IoT security flaws revolve around three areas: authentication, connection, and transaction. “Blockchain can alleviate the security flaws that revolves around www.tahawultech.com
FEATURE
these three areas,” says Schlosser. “The decentralised nature of blockchain ensures that no single authority can influence the activities within an IoT ecosystem making it secure.” Schlosser explains that this quality of blockchain plays a vital role when it comes to cybersecurity. In a centralised network, hackers can perform cyberattacks like shutting down systems, tampering with data, spoofing identities, luring users into cyber traps and so on. “They do these things just by targeting central repositories and single points of failure,” he says. “Blockchain’s decentralised approach to store and share information in a ledger is the way to bypass all the security threats.” Among the biggest security advantage of blockchain is transparency. Everyone can see the blocks and the transactions stored in them but at the same time, the cryptographic algorithms used by blockchains ensures that the data is kept private. Blockchain has strong data protections built in by design, which prevents a vulnerable device from transmitting malicious information or from disrupting a home, business or even a city. According to a study by Netscribes, the global blockchain technology market is expected to grow at a compound
The decentralised nature of blockchain ensures that no single authority can influence the activities within an IoT ecosystem making it secure. - Jeroen Schlosser, Equinix MENA
annual growth rate of 42.8 percent and reach $13.96 billion by 2022. These figures highlight that just like IoT, blockchain is one of the most pivotal emerging technologies today. It has far-reaching potential and widespread applications for both government institutions and major businesses across the Middle East, particularly the GCC. As a leading example, Dubai is committed to becoming the world’s first blockchain-powered city by 2020, as the government believes that several sectors will be the beneficiaries of this technology. “Like so many other transaction types, IoT communication has historically required a trusted thirdparty,” explains Pavie.
The interconnected nature of IoT means that every poorly secured device that is connected online poses a potential risk, and as the number devices and connections increase, come an even greater need for security. - Sebastian Pavie, Gemalto META
www.tahawultech.com
“Blockchain changes this dynamic, distributing the trust model, recording the transaction on a shared ledger and cutting out the central authority. This new design will benefit the security of IoT since it eliminates the restrictions imposed by the traditional central authority trust model, which have made IoT vulnerable.” Pavie highlights that blockchain’s immutability keeps identities secure and all data far more trustworthy, which have profound benefits for sectors such as finance, insurance and trade among others. Blockchain’s dependability and security also hold great potential for new offerings like “smart contracts” – self-executing agreements that were largely theoretical before blockchain. “For instance, a life insurance smart contract could immediately release funds to a beneficiary upon the death of a policyholder through electronic checking of death certificates,” explains Pavie. By eliminating (or dramatically reducing) the need for human involvement, processes can be accelerated while errors and delays are kept to a minimum. Both blockchain and IoT technologies have long ways to go before being completely integrated and secure. Nevertheless, these two emerging trends hold great promise for future developments and it will extremely be exciting to see where that path leads. 04.2018
7
FEATURE
THE GAME PLAN Every technological wave brings with it a plethora of vulnerabilities. With the cybersecurity landscape constantly changing, how can today’s organisations prepare for the threats ahead?
8 04.2018
www.tahawultech.com
FEATURE
T
he battle between organisations and cyber-attackers has always been like a game of cat and mouse with the good guys and the bad guys constantly trying to one-up each other. Every technological wave brings with it a plethora of vulnerabilities. Wi-Fi, mobile, cloud and IoT have provided new opportunities for businesses and attackers alike. The fast-paced evolution of the threat landscape has caused cybersecurity technologies and strategies to come in and out of vogue almost regularly. While none of us have crystal balls to find out what technology would work best for the looming cyber threats; we can put measures in place that will help us move forward without fear. “No one vendor or technology alone can deliver on all your cyber resilience needs. It is, therefore, important that organisations work with service providers who specialise in specific areas of security,” says Heino Gevers, director, Customer Experience, Mimecast. Organisations can start off with setting up good firewalls, which should always be your first line of defence against a breach of your network, says Gevers.
“Hackers use automation extensively for the scale and speed needed for attacks; to be future-proof we need to take back the initiative and use automation to enable speed and accuracy for security.” - Laurence Pitt, Juniper Networks
“Then add extra layers of security to email and the websites and apps your business uses,” he adds. “But remember to work with providers that don’t only focus on defence but ensure that you are able to recover quickly and swiftly continue with business as usual.” To stay abreast of the growing sophistication of cyber threat actors, organisations need to embark on a process of continuous improvement, based on long-term thinking and fueled by an appetite for learning. “Developing a defensive strategy against cyber-attacks is an increasingly necessary step for a
“CISOs should work with security partners who provide predictive security, including early detection and prevention with deep learning technology, plus anti-ransomware capabilities.” - Harish Chib, Sophos, Middle East and Africa.
www.tahawultech.com
business to be future-proof,” explains Mahmoud Mounir, regional director, Secureworks. “It is paramount to have a platform that provides advanced correlation of all alerts, machine learning and expert systems to automate decisions on alerts, paired with a cloud-based team of security experts to analyse all your alerts before you even receive them, freeing up your staff to address tangible security events as they arise.” Mounir noted that a future-proof security architecture works with an organisation’s existing technology, take in any form of data, enable global visibility, is informed by the latest security intelligence and affords flexible management and monitoring capabilities wherever and whenever needed. Businesses should regularly test their cyber resilience strategy with mock exercises to ensure that they are ready in the event of a successful attack, according to Gevers from Mimecast. “This way they can update any gaps in the systems,” he says. “It also makes sense to adopt the services of a SaaS cloud provider as they will deploy regular and automatic updates.” In the near future, sophisticated and complex threats will continue to proliferate the business space and,
04.2018
9
FEATURE
with advances in technology creating new attack vectors, these will be harder to find and mitigate. Laurence Pitt, security strategist EMEA, Juniper Networks, says, “Two things will help – investment in the right people and in the right technology; automation is key.” Automation is increasingly being adopted today, but typically only for simple tasks, explains Pitt. “Hackers use automation extensively for the scale and speed needed for attacks; to be future-proof we need to take back the initiative and use automation to enable speed and accuracy for security.” No preventive system is 100 percent effective when it comes to implementing a full cyber resilience strategy. Future-proofing does not necessarily just require an organisation to buy a bunch of new security technologies. It also entails enlisting skilled and knowledgeable partners that can help them stay on top of security. “CISOs should work with security partners who provide predictive security, including early detection and prevention with deep learning technology, plus anti-ransomware capabilities,” says Harish Chib, vice president, Sophos, Middle East and Africa. “Partners should be aligned with security vendors who are accelerating and innovating next-gen technologies in products and their labs.” Chib remarks that CIO/CISOs should be prepared by partners for more complex ransomware attacks and zero-day threats with predictive security and technology that shares intelligence between the network and endpoints. In this day and age, even the wellresourced companies are still falling victim to attacks that use phishing and social engineering techniques to dupe employees. “Therefore, companies need to re-think the traditional approach of ‘layered security’ and think more about ‘synchronised security’,” says Chib. “With the latest deep learning technologies, new cybersecurity solutions can now take 10
04.2018
Everyone plays an important role in future-proofing security: “For a company to truly reduce cyber-risk and protect data – including personal data – integrated, automated and effective controls need to be in place to detect and prevent known and unknown threats at every stage of the attack lifecycle. Technologies such as behavioural analytics, machine learning, and artificial intelligence can help automate the process of detection and implement an equally automated and closed-loop process of prevention. This significantly reduces the operational burden on security teams and shorten the response time.” Tarek Abbas, Systems Engineering Director, Emerging Markets, Palo Alto Networks “Employees can make an enormous difference in the success of achieving organizations security from resilience and future-proof perspective. To ensure that skilled team members are engaged in work and up to the task of maturing the organisation’s security posture, consider challenging them. Involve them in advanced technology and strategy-based training and workshops and then seek their inputs on how they can help the company become cyberresilient.” Aadesh Gawde, chief innovation officer, ProVise Consulting “Cybersecurity is the responsibility of all employees and executives within the firm. Technology alone cannot stop all cyber threats. This implies that in order to stop a threat actor, there needs to be a blended model for a successful defence strategy. This includes: employee and leadership education; integrated security solutions; policies and procedures governing workflows and implementations; and service level agreements for monitoring, measuring, and mitigating risks All of these involve technology and employees, and require the responsibility be shared by everyone, all the time, in order to be successful.” Morey Haber, chief technology offer, BeyondTrust
action faster than an IT Manager predicting issues and stopping threats before they can enter an organisation’s network.” The cybersecurity landscape will always be a battlefield, with
organisations and threat actors trying to outsmart each other. But with a futureproof architecture and an open and innovative mindset, organisations can emerge victorious against the security adversaries in the digital age. www.tahawultech.com
ADVERTORIAL
Securing the modern enterprise HPE Gen10 ProLiant Servers help organisations optimise workload performance and secure data. In the fast pace and digital world, staying innovative remains HPE’s key differentiator. The pursuit for innovation is what has driven HPE into the development of the Gen10 ProLiant Servers. The devices are primarily manufactured to satisfy three essential and fundamental needs of today’s enterprises: security, agility and economic control. With the increasing security risks of the public cloud in mind, HPE designed the Gen10 servers to be the world’s most secure industry standard server making it suitable for enterprises who are moving into hybrid cloud environments. The Gen10 Servers support Intel’s Xeon Scalable CPU family with a new modular design. HPE’s Smart Array RAID controllers have been uprated to offer more storage and interface choices. The servers support 3TB of DDR4 SmartMemory and can handle up to 192GB of HPE’s Persistent Memory NVDIMMs. These target high-demand apps such as analytics or databases and provide 8GB of high-performance DRAM, backed up by 8GB of flash mounted on a standard form factor DIMM module. It is also equipped with HPE’s new iLO 5 management controller, which offers a heap of new features along with improved server monitoring, it has a laser-sharp focus on platform security with silicon fingerprinting, encryption and breach detection technology. Gen 10 DL servers can also accommodate more storage supporting up to 30 SFF drivers in a DL380 www.tahawultech.com
and 48SFF drives in DL580. The series also has SFF HDD offerings which come with 900GB disks at 15k and up to 2.4TB at 10k. It also has a new M.2 backplane option which will support up to 30 SATA SSD drives in 2U. Furthermore, the Gen10 Servers are equipped with HPE Scalable Persistent Memory, an integrated storage solution that runs at memory speeds with terabyte-scale capacity, unlocking new levels of compute performance with built-in persistence. With up to 27 times faster application checkpoint operations and 20 times faster database restores, HPE Scalable Persistent Memory delivers the fastest persistent memory in the market at scale. HPE’s “silicon root of trust” has also been integrated into the iLO chip, creating an immutable fingerprint in the silicon, preventing servers from booting up unless the firmware matches the fingerprint. Because HPE has total control of its own custom-made silicon chip and the server-essential firmware, it is the only vendor in the industry that can offer this advantage. The new silicon root of trust protection includes state-of-the-art encryption and breach detection technologies and is complemented by HPE supply chain security and HPE Pointnext security assessment and protection services. The new features are great for customers who are conscious of security threats or are concerned about data protection. HPE Gent10 ProLiant servers promise resilience while aiding with effective and efficient business operations. 04.2018
11
EVENT
SECURITY STALWARTS Security Advisor ME’s inaugural CISO 30 Awards and Forum placed the spotlight on IT leaders who have demonstrated how security is becoming an integral and powerful force for enabling business transformation.
C
PI Media Group and Security Advisor ME have successfully hosted the inaugural CISO 30 Awards and Forum. The event recognised individuals whose security projects have demonstrated innovation and business value. Held on 27th March at the Habtoor Grand Hotel, Dubai Marina, CISO 30 Awards and Forum rallied together leading security thought leaders from the region who have shown how forward-thinking organisations are embracing today’s challenges and preparing for the future with security innovation. The event also featured a roundtable discussion, which explored the latest developments in cloud and IoT security. It also delved into how today’s IT security leaders can create innovative defence strategies to keep pace in the ever12
04.2018
growing digital world. This was followed by a panel discussion, which highlighted how today’s enterprises can build a cyber-skilled and securityaware workforce. During the panel discussion Bhavani Suresh, President, ISACA, UAE Chapter; Irene Corpuz, IT Planning & Security Section Head, Al Dhafra Region Municipality; Ahmad Mohamed Darwish Ali Alemadi, CISO, Dubai Municipality; George Eapen, CISO, GE MENAT; and Niraj Mathur, Manager Security Practice, Gulf Business Machines shared expert insights on how today’s CISOs can address the challenges and harness the opportunities in the security space. The conference concluded with an awards ceremony to celebrate the achievements of top 30 security leaders in the Middle East, who have fostered innovation and demonstrated thought leadership in their enterprises. www.tahawultech.com
EVENT
Abdelaziz Mohamed ADNEC
Abdulla Bader Al Sayari Department of Health - Abu Dhabi
Ahmad Mohamed Darwish Ali Alemadi Dubai Municipality
Aliasgar Bohari Zulekha Hospitals
Arif Irfani Sharjah Islamic Bank
Basil Al Suwaidan Kuwait International Bank
Biju Hameed Dubai Airports
Binoy Balakrishnan AW Rostamani Group
Dr. Reem Al-Shammari Kuwait Oil Company
Fatma Ahmad Bazargan Injazat Data Systems
www.tahawultech.com
04.2018
13
EVENT
Fru Christian Bills, SADAD Electronic Payment Systems
14
Hariprasad Chede NBF
Hend Salem AlShamsi, Municipality & Planning Department of Ajman
Ilyas Kooliyankal Abu Dhabi Islamic Bank
Irene Corpuz Al Dhafra Region Municipality
Irshad Mohammed VPS Healthcare
Kausar Mukeri Invest Bank
Konstantinos Kalampokis Terracom
Kuldeep Bhatnagar, Environment Agency, Government of Abu Dhabi
Mansoor Ahmed Mughal Dubai Financial Market
04.2018
www.tahawultech.com
EVENT
Mario Foster Al Naboodah Group Enterprises
Nasser Hassan Ali Mohamad Dubai Health Authority
Nikhil Patil Emirates Flight Catering
Piyush Kodape Dubai First
Safdar Zaman Nakheel
Shailesh Mani Flemingo International
Taimur Ijlal Network International
Terence Sathyanarayan Drake & Scull International
Tushar Vartak RAKBANK
Venu Sriraj UAE Exchange
www.tahawultech.com
04.2018
15
INSIGHT
BY THE BOOK By Sébastien Pavie, regional director META, Enterprise and Cybersecurity, Gemalto
C
yber threats and cybercrime are more evident than ever before. With rapidly growing data infrastructures and assets, there are also increasing data security vulnerabilities that must be addressed. According to Gemalto’s latest Breach Level Index Report, 918 data breaches led to 1.9 billion data records being compromised globally in the first half of 2017. It is therefore no surprise that governments are mandating data security regulations in order to improve cybersecurity and data protection. To protect the UAE’s critical data information infrastructure and improve national cybersecurity, the government introduced the UAE Information Assurance Standards (UAE IAS), which is a set of guidelines for government entities in critical sectors. Compliance with these standards is mandatory for all government organisations, semigovernment organisations and business organisations that are identified as critical infrastructure to UAE. In order to comply with these regulations, organisations should take a data-centric approach to security by applying comprehensive encryption methods, enforcing strict authentication and identity management solutions and building strong crypto management techniques to protect their data. Making sure only the right people 16
04.2018
can access private information in today’s high risk environments is a critical need if organisations are going to meet their customer and partner expectations. Similarly, ensuring that administrators can manage data without altering it, for instance, is a vital requirement for addressing a range of regulations. Layering access control with strong, multi-factor authentication solutions and hardware security modules (HSMs) ensures only authorised individuals can access regulated information. Another critical requirement for many compliance mandates and security best practices is centralised, efficient, and
Safeguarding regulated data in applications, databases, mainframes, storage systems, laptops, and other areas is a critical requirement for security and compliance.
secure management of cryptographic keys and policies. Securing cryptographic keys provides reliable protection for applications, transactions and information assets. With keys securely stored in hardware, organisations can ensure both high performance and the highest security available. With robust hardware security modules, encryption appliances, and key management solutions, organisations can maximise the security of encryption keys and policies, adding a critical line of defence for confidential information. This approach is also the easiest way for organisations to integrate application security in order to achieve regulatory compliance. Many regulations mandate that sensitive data be adequately protected. Safeguarding regulated data in applications, databases, mainframes, storage systems, laptops, and other areas is a critical requirement for security and compliance. With encryption employed, even if an organisation’s initial defences are subverted, they can still guard these critical repositories against theft and manipulation. This will not just meet the demands of regulation, but will also protect your business interests. As the number of guidelines, rules and interpretations of data compliance regulations continue to evolve, organisations must make it a priority to implement an infrastructure to centrally support, manage, www.tahawultech.com
8TH MAY, 2018 JUMEIRAH EMIRATES TOWER, DUBAI
THEME: BOLLYWOOD GLAM Reseller Middle East’s Partner Excellence Awards has been the industry’s most prominent event over the last decade. In its ninth year, the Awards applauds the successes of the regional channel business, saluting the excellence and resilience of individual executives and firms. Raising the bar every year, the Partner Excellence Awards strives to create a memorable, actionpacked and entertaining evening to honour the crème de la crème of the channel business.
FOR SPONSORSHIP ENQUIRIES Natasha Pendleton Publishing Director natasha.pendleton@cpimediagroup.com +971 4 440 9139 +971 56 787 4778
Kausar Syed Group Sales Director kausar.syed@cpimediagroup.com +971 4 440 9130 +971 50 758 6672
Youssef Hariz Business Development Manager youssef.hariz@cpimediagroup.com +971 4 440 9111 +971 56 665 8683
FOR AGENDA-RELATED ENQUIRIES Janees Reghelini Editor janees.reghelini@cpimediagroup.com +971 4 440 9167 +971 50 459 5293
OFFICIAL PUBLICATION
Adelle Geronimo Online Editor adelle.geronimo@cpimediagroup.com +971 4 440 9135 +971 56 484 7564
HOSTED BY
EVENT
ON THE FRONTLINES Security Advisor Middle East, as part of the launch of the inaugural CISO 30 Awards and Forum, hosted an exclusive roundtable discussion which delved on how today’s organisations can build more resilient defence strategies for the digital era.
18
04.2018
www.tahawultech.com
EVENT
H
umans are the weakest link when it comes to protecting an organisation, said a collection of the Middle East’s top chief information security officers. Security heads from a variety of both public and private entities from across industries gathered to highlight the pressing challenges they’re seeing in the threat landscape today. During an in-depth roundtable discussion prior to the inaugural CISO30 Awards and Forum, hosted by Tahawul Tech and Security Advisor Middle East, security heads from a variety of both public and private entities from across industries gathered to highlight the pressing challenges they’re seeing in the threat landscape today. “Currently, the major risks that we’re seeing centre around the users themselves,” said Mario Foster, group CIO, Al Naboodah Group. “We’re seeing a lot of phishing attempts, and users not following directions from security professionals, which is ultimately leading to vulnerabilities within the organisation.” The majority in the room agreed that this was the number one headache for CISOs, and went on to discuss methods around solving this issue in a proactive
A good awareness programme should involve regular email flyers, assessments, and changing wallpapers and screensavers around the organisation to display basic information security tips. - Piyush Kodape, Dubai First
and efficient manner. Creating a sense of awareness around best practices when opening spam emails, entering company or personal details on suspicious websites, and correctly disposing of company sensitive information stored on portable devices were pinpointed as many of the attendee’s top priorities. However, simply rolling out training exercises is not enough, said Piyush Kodape, CISO, Dubai First. “Similarly, if you set assessments that are beyond an employee’s means, it will just encourage people to cheat and attempt to share answers,” he said. “A good awareness programme should involve regular email flyers, assessments, and changing wallpapers and screensavers around the
Humans are the first line of defence, and, therefore, we need to invest highly in them. Normal training courses, or typical question and answer-type assessments are no longer efficient. Instead, we should be looking to entice the user to want to become cyber aware through gamification and storytelling techniques. - Dr. Reem Al-Shammari, Kuwait Oil Company
www.tahawultech.com
organisation to display basic information security tips.” Dr. Reem Al-Shammari, team leader, Information Security, Kuwait Oil Company, was in agreement, and highlighted the need to create a cyberaware organisation from the top down. “Humans are the first line of defence, and, therefore, we need to invest highly in them,” she said. “Normal training courses, or typical question and answer-type assessments are no longer efficient. Instead, we should be looking to entice the user to want to become cyber aware through gamification and story-telling techniques.” Biju Hameed, head of Information Security and Compliance, Dubai Airports, put an interesting spin on the discussion, and said that security practitioners often get the education aspect slightly wrong. “Implementing e-training courses and distributing informative flyers will not make people instantly compliant. We tend to overcomplicate the issue by bombarding these outlets with tech jargon and suddenly expect everyone to become a security expert,” he said. Instead, Hameed believes, organisations must consider those that are the “least tech sound” to be their biggest concern, and therefore their main audience when targeting these awareness campaigns. “When you carry out a phishing campaign, you discover people are guessing and pressing,” he said. “Our new motto is to ‘think thrice,’ to encourage users to think before they think, share and use.” 04.2018
19
EVENT
SECURING THE NATION This year’s edition of ISNR Abu Dhabi homed in on how artificial intelligence will revolutionise national security, heralding a shift from traditional physical security and law enforcement towards a more transformative and digital future. Glesni Holland reports.
T
he Middle East homeland security market is on course for significant growth over the next five years, with revenues more than doubling in value from an estimated $9.6 billion in 2017 to $19.7 billion by 2022. And with the advent of emerging technologies, the UAE is no stranger to redefining traditional security methods through the likes of artificial intelligence and data analytics. At the International Exhibition on National Security and Resilience last month, Abu Dhabi played host to a number of exhibitors that aligned with the vision that technology is 20
04.2018
www.tahawultech.com
EVENT
Brigadier Khalid Nasser Al Razooqi, director general of artificial intelligence at Dubai Police transforming both law enforcement and national protection across the region. Ex-Dubai Police chief, HE Dhahi Khalfan Tamim – who is now deputy chairman of police and public security in Dubai, emphasized this notion, and said he was “particularly impressed” with the solutions on display during the event. “The new locally-built smart operation room being showcased by Dubai Police is fantastic, and a real sign that the UAE is striving forward with innovative technology solutions to protect the community,” he said. In addition to the smart police station display, the force’s Robocop employee was also on hand to provide assistance to ISNR attendees, and put the spotlight on the use of innovative technologies to enhance the emirate’s homeland security efforts. Leading the way in implementing these plans is Brigadier Khalid Nasser Al Razooqi, director general of artificial intelligence at Dubai Police, who said that the force’s ultimate goal is to reduce visits to police stations across the emirate by 80 percent before the end of 2018, using a number of smart technology initiatives. www.tahawultech.com
“Encouraging Dubai’s residents to use these smart services, rather than coming to the police station for minor incidents, is the ultimate goal,” he said. “The government set us this goal for 2018, and it has been the driving force behind many of our smart initiatives.” But with a service so personable as policing, surely the entire force cannot be run by machines? “This is why the government has left the 20 percent margin in order for these services to still be conducted on a face-to-face basis, and I believe this is enough,” he added. And it’s not just the UAE that has turned its focus to transforming national protection through technology. Anthony Leather, principal security consultant for Aerospace, Defence and Security at Frost & Sullivan, based in the UK, highlighted how in order for law enforcement agencies to be effective in distributing real time data during life threatening attacks – such as the Westminster attack in London last year, technology needed to up its game. “During the attack, police officers in London were using social media sources on their smartphones to receive live updates, and this just isn’t a
Dubai Police’s new locally-built smart operation room is a real sign that the UAE is striving forward with innovative technology solutions to protect the community. - HE Dhahi Khalfan Tamim, deputy chairman of police and public security in Dubai
proficient way of monitoring an incident of this scale’s progress,” he said. “We are now seeing huge investments in various parts of the world for networks and data services that are purely dedicated to law enforcement communications, and this is vital during such high-profile attacks.” He went on to add that work still needed to be done on technologies such as facial recognition, body worn cameras, and real-time video analytics if they are to mature into efficient forms of data collection for law enforcement agencies. Elsewhere at the event, the focus centred on concerns surrounding cybersecurity within Middle East organisations. During a panel discussion on day two, on the topic of cyber insurance, Eddie Schwartz, EVP of cyber services at DarkMatter, said that while he couldn’t disclose specific breaches, he could confirm that he was seeing them happen on a “weekly basis” across the GCC, targeting both public and private entities. Cybersecurity insurance should therefore be considered the “last line of defence” and not a replacement for investment in security tools, said Simon Bell, vice president at insurance broking and risk management firm, Marsh Middle East. He added that while it is encouraging to see a wider range of industries looking to invest in cyber insurance, more is still to be done. In this increasingly dynamic threat landscape that companies now encounter on a daily basis, organisations must adopt a more consistent method of assessing their vulnerabilities, said Tenable regional director, Maher Jadallah. He explained how Tenable’s technology enables organisations to scan their entire networks – across its complete infrastructure, servers and devices – to distinguish any vulnerabilities that may be present. “Today, the hacking business is worth trillions of dollars, and any company that cares about data confidentiality – regardless of their industry, should be looking to invest in this cyber exposure technology,” he added. 04.2018
21
FEATURE
WHY WE NEED MORE WOMEN IN CYBERSECURITY Women continue to be underrepresented in the cybersecurity workforce, which leads to missed opportunities for today’s organisations to acquire the best information security talents. But what is holding the security industry back from attracting more women in the field?
22
04.2018
www.tahawultech.com
FEATURE
H
oda Al Khzaimi was always keen to pursue a career in a technical subject. She describes herself as having had “a passion” for engineering when she was young, as being someone who “wanted to know the proof of an algorithm” and to work out the meaning of equations that she saw. Unlike in many nations, as a woman in the UAE interested in these fields, she did not stand out. “When I decided to focus on technical studies, we had more ladies in engineering and information security classes: we had 70 to 80 in our class; in the male class we had 50 students. Women here are being encouraged in these fields,” she says. Her enthusiasm has translated into a highly rewarding career in cryptology, the science of codes. She earned a PhD in Denmark and is now a research assistant professor in engineering at New York University Abu Dhabi, and director of the institute’s Centre of Cyber Security. Women are well represented in science, technology, engineering and mathematics (STEM subjects) in many other parts of the Middle East too. For example, half of science degrees in Saudi Arabia are awarded to women. In Al Khzaimi’s field of cybersecurity, a very different picture emerges globally, however. According to the International Information Security Certification Consortium or (ISC)², only about 10 percent of the cybersecurity workforce worldwide is female. In computing as a whole, women occupy fractionally more than one quarter of positions. Dr Maria Bada, research fellow in The Global Cybersecurity Capacity Centre at the University of Oxford’s Oxford Martin School, has experienced cybersecurity’s gender imbalance first hand. “I go in different meetings, whether it’s with technical experts or governmental representatives or policymakers, it www.tahawultech.com
When I decided to focus on technical studies, we had more ladies in engineering and information security classes: Women here are being encouraged in these fields. - Hoda Al Khzaimi, NYU Abu Dhabi
doesn’t make a difference: the gender imbalance is the same,” says Bada, who is originally from Greece. “I could be in a meeting with government representatives, and everyone is male. In many [situations] I will be the only female.” Bada does not feel unwelcome because of her gender; if anything, the opposite is true: she has had “a very positive experience”. But she is clear that the gender imbalance has consequences. “There’s a lack of experts in the field in general and people say this is because of women not joining cybersecurity. If women … went to study and work in this area, that lack of expertise, that lack of people and skills, would be erased,” she says. This skills gap has caused much concern. For example, 2017 research by the Enterprise Strategy Group (ESG) suggested that it was causing difficulties to 45 percent of organisations. So why has cybersecurity globally not attracted more talented women like Al Khzaimi and Bada? Many researchers feel that wider preconceptions of gender roles influence decisions linked to careers. “From a very early age people are shaped into particular gender
stereotypes: technical professions are more suited to males; caring professions are more suited to females. That’s related to other social attitudes,” says Professor Silke Machold, a specialist in women’s status in the workplace at the University of Wolverhampton in the United Kingdom. “If the industry is very male dominated, there might not be many women to look up to, to find role models who make them want to choose a profession. Then the phenomenon keeps perpetuating itself,” she says. In cybersecurity, Bada suggested that terminology that could be perceived as aggressive may put off women. “As a field, it’s not very attractive to women because usually the language used is, for example, ‘This position would require you to combat cyber threats or build resilience,’” she says. One highly contentious suggestion to explain a lack of gender balance is that men and women, on average, have different capabilities. The subject’s controversial nature was illustrated by last year’s sacking by Google of a male engineer who suggested that men were typically more suited to technical roles and that efforts to increase female representation might not, as a result, make business sense. 04.2018
23
FEATURE
Some psychologists do suggest that there are average differences in the nature of men’s and women’s brains. Simon Baron-Cohen, professor of developmental psychopathology at the University of Cambridge, has spoken of the “female brain” (which is more common in, but not restricted to, women) as being stronger at empathising than systemising, with the opposite pattern seen in the “male brain”. He has described autism as representing the extreme male brain. Others, such as Gina Rippon, professor of cognitive neuroimaging at Aston University in the United Kingdom, reject this idea. While tests may indicate that there are gender differences in aptitudes (as examples, men tend to perform better on spatial tasks, women at multitasking), Rippon says that the brain is “very responsive to experiences”. So the capabilities of people will vary if their experiences have been different, even if the starting point was the same. Rippon cites the example of London taxi drivers, whose “visuospatial parts of the brain increase in size”. “So the idea is that women aren’t in science because their brains aren’t organised appropriately, but you can show that that’s a function of experience, not the fact they’re female,” she says. Another issue that has caused discussion is why there is a less equal
There’s a lack of experise in the field in general and people say this is because of women not joining cybersecurity. If women … went to study and work in this area, that lack of expertise, that lack of people and skills, would be erased. - Dr Maria Bada, University of Oxford’s Oxford Martin School
gender balance in STEM subjects in countries often perceived to have higher levels of gender equality. One idea is that, in less equal societies, women choose STEM subjects because they offer the chance of a career, rather than marrying young and having children. By contrast, in nations where gender equality is seen as being higher, specialising in science may not be seen as necessary by women intent on establishing a career. Another hypothesis is that boys are falling behind educationally in Middle Eastern countries, especially in sciences, because the disparity in quality between girls’ and boys’ schools is greater in the region than elsewhere. Further ideas to explain the “gender equality paradox” exist.
..in nations where gender equality is seen as being higher, specialising in science may not be seen as necessary by women intent on establishing a career. - Gina Rippon, Aston University UK
24
04.2018
“The other explanation is that [in certain countries women] have the luxury not to go into an environment that’s not welcoming,” Rippon says. Al Khzaimi, who experienced a more male-dominated environment in science in Denmark than she did in the UAE, thinks the family support structure in the Emirates makes it easier for women to choose scientific careers. Without this, she says science would be a less realistic option because of the long hours of laboratory work. She is concerned that this support structure may weaken as women migrate, say, from other emirates to the capital for work. This could restrict career options. “Your family is three hours away now. Most of the local workforce in Abu Dhabi, they come from Ras Al Khaimah or Fujairah or Dubai, or the same thing in Dubai,” she says. “I’ve been interviewing a couple of candidates and their major concern is, ‘We don’t have enough support to leave our kids at home and be in the experimental lab.’ This highlights for Al Khzaimi the importance of robust maternity leave and childcare provision, as these enable women to follow their passion for technical subjects – such as cybersecurity. “That should be a requirement of all the institutions in the UAE, to make sure you can leave your kids,” says Al Khzaimi. www.tahawultech.com
FEATURE
ACCESS GRANTED Biometric security, whether fingerprint, facial or iris recognition, is fast emerging as the preferred way to safeguard the data of companies and individuals from threat actors. However, while biometric identification may be less prone to theft and spoofing than passwords, it’s still vulnerable to hacking.
ubai has always been at the cutting edge, so it is no surprise that the emirate’s authorities have embraced biometric technology with enthusiasm. As was widely reported at the time, 120 latest-generation smart gates were installed at Terminal 3 of the city’s airport late last year. These dramatically cut the time passengers spend going through passport control by using facial recognition technology, plus a form of ID. This summer things go a step further when the airport introduces a “smart tunnel” with dozens of cameras to analyse the face or the eyes. Travellers using it will not have to pass through a passport gate, smart or otherwise, on the way to their flight.
D
www.tahawultech.com
04.2018
25
FEATURE
The use of biometric authentication at Dubai International Airport mirrors the situation at airports across the world – and in myriad other contexts. From unlocking computers to gaining entry to offices, its use is becoming routine. We can secure access to bank accounts thanks to voice recognition; to tablets using fingerprints; and to smartphones through facial biometrics, to give just a few examples. There is also retinal scanning, based on the pattern of blood vessels in the eye’s inner coat, and iris recognition, which uses mathematical methods to identify the coloured part of the eye. In future, we might be able to walk into our favourite store in a UAE shopping mall and make purchases without a bank card; instead, the unique shape of our ears, photographed by an instore camera, will identify us. A recent survey by Spiceworks, a Texas-based IT professional network, found that biometric authentication is now used by almost two-thirds of
not secure.
A common mistake of current systems is that they still use pretty plain challenges, such as just smiling and blinking, to prevent spoofing attacks. Any system that uses a fixed challenge like that is
- Erkam Uzun, Georgia Institute of Technology in Atlanta
organisations and, within the next two years, most of the remainder will get on board. So by the end of 2020, nearly nine out of 10 organisations may rely on biometrics. Yet for all its growing ubiquity, biometric authentication is often not trusted to do the job alone: just one in 10 of the IT professionals Spiceworks
If the enrolment process doesn’t include positive identification, then the whole system is at risk from the start. The wrong person’s biometric data could be used and [become associated with] a different person. - Michael Fauscette, G2 Crowd
26
04.2018
surveyed thought that the technology was secure enough to be used without an additional form of security. “I don’t see it replacing passwords for the near future, but if the improvements that we see continue, you can see in future why it would wipe away passwords. But it will be used more … along with passwords and pin codes,” says Kevin Curran, professor of cyber security at Ulster University in the United Kingdom. A major concern associated with biometrics is the risk of the data being stolen. An advantage of passwords and pin numbers is that they can be easily changed, but the loss of biometric data is potentially much more concerning. Our fingerprints or voices may be unique, if this data is lost, the consequences are far reaching. “A password is something people know and it’s easy to change it and to update it. But with fingerprints or face ID, if they’re stolen, they’re gone,” says Curran. There are multiple risks that can www.tahawultech.com
FEATURE
result in biometric data being hacked, according to Michael Fauscette, the chief research officer at G2 Crowd, a Chicagoheadquartered platform for peer-to-peer reviews of business solutions. “The security risks associated with biometric data are very similar to any other personal data: once the data is stored somewhere, it can be hacked,” he says. “Moving the data from the sensor to the repository is also a risk point, and must include data encryption to prevent hijacking.” There is also a “large risk” linked to data held in storage, but Fauscette says there are other concerns too, with the process of setting up the system, sometimes called enrolment, a potential weak point. “If the enrolment process doesn’t include positive identification, then the whole system is at risk from the start. The wrong person’s biometric data could be used and [become associated with] a different person,” he says. “Or, if the enrolment process includes a comparison of biometric data to some central repository as a way to validate identity, there is risk to the data in transit if it is not encrypted.” When it comes to the day-to-day use of biometric authentication, a key vulnerability is that hackers can use image-generation software and machine learning to overcome defences. According to researcher Erkam Uzun, of the Georgia Institute of Technology in Atlanta, United States, faces or voices can relatively easily be spoofed, so technology relying on them is vulnerable “to even primitive attacks”. Algorithms can generate a fake image of a user’s face, for example. “Attackers today know what to expect if an authentication challenge only asks them to smile or blink, so they can produce a blinking model or smiling face in real time relatively easily,” he says. Indeed Uzun says that many thirdparty cloud-based services providing audio and facial authentication to other large organisations involve methods prone to primitive spoofing attacks. www.tahawultech.com
I don’t see it replacing passwords for the near future, but if the improvements that we see continue, you can see in future why it would wipe away passwords.
- Kevin Curran, Ulster University in the United Kingdom
“A common mistake of current systems is that they still use pretty plain challenges, such as just smiling and blinking, to prevent spoofing attacks. Any system that uses a fixed challenge like that is not secure. The challenge should always be randomised. We feel strongly about this,” he says. Uzun, who previously was a research assistant at New York University Abu Dhabi, has worked with his co-researchers at Georgia Tech to introduce a method that involves such a randomised challenge. Presented at a recent conference in San Diego, their solution involves Captcha (Completely Automated Public Turing Test) methods, which ensure that the user is a human, not a machine. A simple Captcha method might involve asking the user to write a word or a number that was written in distorted letters. “Captcha has been used for years to prevent bot attacks, such as fake account creation, to many web services of major companies like Facebook, Amazon and Google. On the other hand, adversaries have been trying to build sophisticated Captcha-breaking mechanisms based on machine learning and deep learning,” says Uzun. Uzun and his colleagues, including Professor Wenke Lee and Simon Pak Ho Chung, have developed a realtime Captcha method (rtCaptcha) that requires the user to look into a smartphone camera and answer a randomly chosen question within a short time window.
“rtCaptcha strengthens the computational challenge by forcing adversaries to figure out what the authentication tasks are and quickly combine them – synchronizing the voice, face and personal knowledge of an individual in a way that appears lifelike,” says Uzun. “We force attackers to show, share and say what only an individual could know – and do that in less than two seconds.” While tests showed that humans take a maximum of about a second to respond, it takes machines at least six seconds to understand the question and then produce faked video and audio. “Our goal in rtCaptcha was to combine as many modern authentication methods as possible in a way that could always be randomised for the strongest security while preserving the usability of the authentication system,” adds Uzun. While rtCaptcha is a promising method to help make biometric authentication more secure, Uzun is under no illusions that those working to improve the security of biometric authentication will ever be able to rest on their laurels. It is a cat-and-mouse game. “As long as there is reward behind the risk, hackers will continue to attempt to break any new security method. We have to make breaking security financially disadvantageous, extraordinarily time consuming and also computationally burdensome,” says Uzun. 04.2018
27
FEATURE
SAFETY FIRST How driverless cars will bring a new cybersecurity challenge
I
t has long been a favourite scene in films and television drams: a driver desperately stamping on the pedals in a futile attempt to stop a car after the brake cable has been cut. In future, perhaps directors will instead show a person left helpless in the front seat as an autonomous vehicle obeys the commands of a distant hacker. This is not a fanciful scenario. In 2015 Fiat Chrysler Automobiles launched a 1.4-million vehicle recall when two hackers showed that they could use a Jeep Cherokee’s wireless entertainment system to take over the vehicle. From 10 miles away, they played about with the heating, the stereo and the windscreen wipers before grinding the vehicle to a halt. This was done while a journalist 28
04.2018
drove the vehicle, with the mischievous hackers (actually two cybersecurity researchers) demonstrating their prowess for a magazine article. Imagine if more malign actors were at work. It could be a major problem: the technology research organisation Gartner estimates there will be 250 million connected cars by 2020. With their constant need to communicate with nearby objects or other vehicles, autonomous vehicles are especially vulnerable. Amir Kanaan, the Dubai-based managing director for the Middle East, Turkey and Africa at the cybersecurity specialist Kaspersky Lab describes them as “computers on wheels” connected to a network. “Cars will gradually be installed with new intelligent technologies, telematics and autonomous driving, remote driver assistance and infotainment,” he says. “Internal control systems are
becoming more sophisticated and complex, with multiple sensors, controls and applications that interact with nearby vehicles and the environment. “Their functions can be controlled remotely, via digital systems. With this, connected cars are becoming more of a target for cyber-attacks. “A key vulnerability is injecting malware into the heart of an unsuspecting vehicle through its essential connection, transferring control to a hacker.” Complicating things is the fact that a vehicle can have many software subsystems, often written by different developers and implemented separately. Possibly lacking full knowledge of different proprietary systems, manufacturers can lose control of the source code and software. “Vulnerabilities can also be introduced via a growing portfolio of www.tahawultech.com
FEATURE
affiliated products and services,” says Kanaan. “In short, manufacturer-installed software and connectivity nodes, and every further link to the automobile, serves as a potential point of weakness.” These weaknesses extend beyond safety. Owners could arrive back at their cars only to find a message demanding money before they can start the vehicle, an automotive equivalent of the ransomware attacks seen with office computers. The potential effect on a fleet owner, all of whose vehicles could be affected, is devastating. In recognition of the issue’s growing importance, four years ago General Motors appointed its first chief cybersecurity officer and the issue has moved further up the agenda of the car giants, which have launched initiatives to share cybersecurity information. www.tahawultech.com
The move to electric vehicles is giving OEMs and new disruptive companies entering the market the opportunity to redesign the underlying vehicle architecture. It gives them the ability to implement cybersecurity solutions, - Dr Paul Sanderson, SBD Automotive
“It’s pretty well recognised by the OEMs [original equipment manufacturers] and suppliers that this is the issue that needs to be addressed,”
says Betty Cheng, a professor in computer science and engineering at Michigan State University (MSU), who has formed a tie-up with a German 04.2018
29
FEATURE
car parts manufacturer, ZF, to address cybersecurity threats. There are many factors that should be considered from the outset to ensure that problems do not arise later, according to Dr Paul Sanderson, a cybersecurity senior technical specialist at a UK consultancy, SBD Automotive. This company works with OEMs in Europe, North America and Asia to do work including threat modelling, design review and penetration testing of components and vehicles to make the vehicle and its software attack resistant. SBD has introduced the Automotive Security Development Lifecycle, ASDL, which has been described as a “cost-effective hardware and software approach to cybersecurity” covering the whole vehicle development cycle. “Software: has it been written robustly; is it secure; has it been developed using secure and safecoding guidelines; has it been checked and validated; pen [penetration] tested?” says Sanderson. He also noted that, until now, the answer to these questions has been ‘no’, but that “things are getting a lot better”. Ethical hacking is used by corporations such as the telecommunications giant BT to identify weaknesses. It employs tests aimed at the vehicle’s “attack surfaces”, including interfaces accessible inside the car like Bluetooth links or USB ports, plus external connections such as links to mobile networks. All systems
interacting with the vehicle are tested and verified. “The ultimate objective is to identify vulnerabilities that would allow unauthorised alternation of configuration settings or that would introduce malware into the car. These remote systems can include the laptops of maintenance engineers, infotainment providers and other supporting systems,” says Martin Hunt, BT’s senior business development director for the global automotive industry. One novel security approach being assessed by Siraj Shaikh, professor of systems security at Coventry University in the United Kingdom, involves using light to produce random numbers. Cryptographic systems can be vulnerable because the numbers they use are not truly random. A tie-up between Crypta Labs, a cybersecurity start-up based in London, and Coventry University’s Institute for Future Transport and Cities (FTC), where Shaikh works, involves testing whether Quantum Random Number Generation (QRNG) technology can make systems more secure. “It’s a technology that could underpin security. There’s definitely potential,” says Shaikh. Physical security is also important. For example, tampering with the position of a sensor can make it misinterpret what it detects and where. A key safeguard is the high level of redundancy. An autonomous vehicle
Cryptographic systems can be vulnerable because the numbers they use are not truly random. - Siraj Shaikh, Coventry University
30
04.2018
may receive input from radars, cameras, lidar (which uses pulsed laser light to determine distances) and ultrasonic sensors, so if one is compromised, operation should not be affected. The growing popularity of electric cars – forecast by the bank UBS to make up 16 percent of global vehicle sales by 2025 – may allow for the creation of more robust systems. “The move to electric vehicles is giving OEMs and new disruptive companies entering the market the opportunity to redesign the underlying vehicle architecture. It gives them the ability to implement cybersecurity solutions,” says Sanderson. “Generally, you get a different version of the vehicle every three or four years. [Manufacturers] will make minor changes, but the underlying architecture is the same. “When you get a disruptor like Tesla, their architecture is different from the traditional OEM. They can design from scratch.” For all the concerns over cybersecurity, Cheng at MSU counsels against exaggerated fears. Firstly, it is not just the onboard technology that is the subject of cybersecurity work; the infrastructure too is “being hardened so the communications cannot be compromised.” Also, autonomous vehicles are not, Cheng points out, going to become common worldwide overnight. “There’s a bit of a misperception that it’s going to be sooner than it actually will be. People see Google and Tesla, but they’re slightly different in scope and the implications are different in terms of the consumer,” she says. So the OEMs still have time to deal with the vulnerabilities, and the increasing emphasis they appear to be putting on cybersecurity suggests a determination not to allow a repeat of the type of PR meltdown that Fiat Chrysler endured three years ago with their runaway Jeep. “The OEMs are taking it seriously and investing in cybersecurity solutions. We’re very, very busy,” says Sanderson. www.tahawultech.com
INTERVIEW
A NEW ERA FOR DATA PROTECTION As the enactment of the EU General Data Protection Regulation is fast-approaching, John Michael, CEO, iStorage, discusses how the new policy will impact data security approaches of regional organisations.
A
s the GDPR implementation date is fast-approaching, can you elaborate on the impact it will have on the Middle East firms? The implementation of GDPR on 25 May 2018 will impact organisations worldwide, including the Middle East. It will affect organisations that supply products or services to individuals in the EU, hence ushering in a new era of unyielding compliance. Companies will need to review their data protection risk assessment and best practices policies and implement change where necessary in order to ensure full GDPR compliance. Failure to take action and implement GDPR based policies can result in fines of up to 20 million or four percent of annual turnover for non-compliance, worst still, this can severely damage company reputation, have adverse media attention and even lead to the downfall of an organisation. Are regional organisations on the right path when it comes to implementing best practices for data protection? The upcoming GDPR standard which is set to affect all those dealing with EU data means that data security is at the forefront of many organisations agendas. The positive signs are an ever-increasing demand for hardware encrypted, PIN authenticated portable data storage devices such as the iStorage range that ensure best practice and compliance. The rigorous testing and certification www.tahawultech.com
procedure that is offered within our products provide reassurance for all organisations, and users can be rest assured that our products meet the strictest standards of data protection, which is a vital and critical requirement for today’s data security environment. What technology and policy changes need to be implemented? Whether you’re an individual, small business or large multinational corporation, it is crucial to get into the habit of protecting valuable data at all times – use PIN authenticated hardware encrypted portable drives and take steps to back up data so that if your drive does get lost or stolen, you do not have the worry of your data being exposed. Changing company policies like ensuring the company use only trusted and government certified encrypted portable data storage devices, adding anti-virus software to computer hardware and mobile devices which more and more people are using on a regular basis and adding multiple authentication methods can all contribute to keeping data secure and more importantly keeping your business safe. After all people protect money in the bank so why not treat sensitive and priceless data in the same way. What do you believe is currently lacking in the region? The implementation of specific data
privacy laws must become more widespread throughout the region and this must fit in with the GDPR model so that the region is compatible and keeps up with the rest of the world. What are the two biggest factors CIOs and security heads overlook when it comes to safeguarding data? One of the biggest factors is overlooking the responsibility of ensuring companywide GDPR training and awareness – so that all employees understand their responsibility towards data due diligence. The second biggest factor is ensuring all employees understand the importance of data security and the use of encryption particularly on personal or company issued mobile devices. Once these two points are understood, then employers should look to implement the use of hardware encrypted portable drives such as the iStorage range. What are iStorage’s plans for the region? iStorage’s current plans for the region include establishing a distribution and reseller channel so that our products are available for purchase. We will also continue to invest heavily in promoting and advertising our products throughout the region, as has been the case for the past few years. We also aim to open an office in the region so we can better serve the requirements of our distributors, resellers and end-user customers. 04.2018
31
INTERVIEW
GUARDING THE GATES Mimecast regional manager, sales engineering for the MEA markets Brian Pinnock discusses why email security is a critical element of cyber resilience.
A
t Infosecurity Middle East, the regional edition of Infosecurity Europe, Mimecast’s regional manager, sales engineering for the MEA markets Brian Pinnock said the biggest challenge when it comes to cybersecurity is IT departments’ difficulty in explaining the importance of security solutions to board-level executives. “They still have this mistaken belief that protecting email is not important. Unfortunately, this continues to be the mindset even today. People think the cost of implementing a solution is quite high but they are not weighing it against the potential risks,” said Pinnock.
“I believe the IT department can do a better job in communicating the significance of such solutions. They need to talk in a language that C-level executives understand instantly. IT tends to view the risk analysis in relation to breaches but what is required here is that they need to speak in business terms.” According to Pinnock, IT heads need to talk about potential loss of shareholder value if the firm is exposed in a data breach or loss of business operations or any other financial ramifications. “They cannot speak in vague terms, it needs to be quantifiable for C-level
Cybercriminals use email as the number one system for an entry point into an organisation. By protecting your email, you are essentially protecting your whole organisation.
32
04.2018
executives to truly understand the risks. However, in order to do this, IT heads need to have data from organisations that have been affected and how much losses they have suffered because of a breach. But this is easier said than done, as companies don’t reveal the complete impact of damage during a breach.” During the event Mimecast highlighted its solutions and launched a “vision for cyber resilience for email.” According to the firm, cyber resilience is more than just cybersecurity. It constitutes several elements – cybersecurity solutions, people, before, during and after aspects. During the ‘before’ stage, customers should analyse the best protection they can get. They should examine how their operations can keep functioning when an attack is taking place. And devise strategies to avoid it for the future and recover quickly. “One of the misnomers of email is that customers believe they are simply protecting just their email software. However, cybercriminals use email as the number one system for an entry point into an organisation. By protecting your email, you are essentially protecting your whole organisation.” www.tahawultech.com
PRESENTS
l Reality
Blo ckch
AI/ M a
uto mation
Virtua
Learning e n i ch
IT A
REGISTER NOW Monday, 17th September 2018
WHO
Business leaders seeking to explore and leverage the benefits of emerging technologies, such as artificial intelligence, Blockchain, IT automation and virtual reality.
WHY
Learn how your organisation can prepare for the onslaught of these new technologies, and explore the best methods of integrating them into future business models. Get to grips with how your organisation can utilise these technologies to progress to the next phase of digital transformation with measurable business value.
Speakers
Adam Lalani Group Head of IT, Tristar
Ajay Rathi Senior Director of IT, Meraas Holding
Farid Farouq Director of IT, Dubai World Trade Centre
Alia Al Hammadi Director of IT, Emirates Nuclear Energy Corporation
Herbert Fuchs Chief Information Officer, ASGC
David Ashford Chief Information Officer, The Entertainer
Jon Richards CEO, Yallacompare.com
Faisal Ali Senior IT Manager, Deyaar
HE Dr. Rashid Alleem Chairman, Sharjah Electricty & Water Authority and UAE Knowledge Ambassador
TO REGISTER PLEASE VISIT
www.tahawultech.com/powerof4/2018/ For sponsorship enquires, please contact OFFICIAL PUBLICATION
Natasha Pendleton, Publishing Director +971 56 787 4778 HOSTED BY
a in
INTERVIEW
ARMING THE WEAKEST LINK Alasdair Kilgour, vice president Middle East and Africa, Nuvias, reiterates how employees are the weakest link in an organisation’s security strategy.
V
alue-added distributor Nuvias is seeing the region develop skills at protecting itself as businesses are increasingly becoming more aware of the security steps needed to be taken. At Infosecurity Middle East, which took place in Abu Dhabi, the distributor highlighted key security threat factors along with its strategic partner Juniper Networks. According to Alasdair Kilgour, vice president Middle East and Africa, Nuvias, one of the areas where organisations are investing more time on is the post-breach detection phase. This is because businesses understand that they need to protect their operations and the next step is to ensure they are protected from the breaches that they have experienced. He added, “Employees are one of the weakest links in security for all organisations. This is because adversaries prey on the fact that an employee can inadvertently trigger an attack from within a company.” Kilgour suggests that businesses need to invest in educating employees on how they could accidently allow a security attack to take place. “This is quite a difficult task as there are several dangers on a day-to-day basis. Also, it will be challenging to keep track of all the employees of an organisation.” 34
04.2018
However, he explained that employee awareness and tools to help them behave in a particular manner will go a long way to avoid being victims of a security or data breach. As a pan-EMEA distributor for Juniper Networks, the company is building the relationship across the region. Kilgour said, “Our main priority is to help advance our relationship with Juniper and increase the market
“Employees are one of the weakest links in security for all organisations. This is because adversaries prey on the fact that an employee can inadvertently trigger an attack from within a company.”
awareness of the firm from a security perspective. We are looking to play a role in partner accreditation programme that can help accelerate partners’ investment in the Juniper franchise.” The distributor offers partners a host of marketing support and resources throughout the year. “We make sure to enable our channel on all fronts. We are launching a new programme called Nuvias Rapid Acceleration Programme (NuRAP) for Juniper partners. Juniper is an important partner and we are invested in them. As its value-add distributor, our primary focus is to continuously enable our partners on their offerings.” The distributor has launched an advanced networking, cybersecurity and recently a unified communication practice. Over the course of this year, we will see the distributor bring its existing vendors from other markets into the region. “It is very much in harmony with our overall strategy. As part of the value proposition to our vendors, we consistently deliver across whole of EMEA as one organisation,” Kilgour added. Operating across most verticals, Kilgour tells the market to “watch out” for the distributor. He added, “We are rapidly expanding across the region. We have just opened in Southern Africa and there are further expansion plans across the region.” www.tahawultech.com
倀爀攀猀攀渀琀猀
㠀吀䠀 䴀䄀夀 ㈀ 㠀 䐀唀䈀䄀䤀Ⰰ 唀䄀䔀 簀 䨀唀䴀䔀䤀刀䄀䠀 䔀䴀䤀刀䄀吀䔀匀 吀伀圀䔀刀 䠀伀吀䔀䰀
匀倀䔀䄀䬀䔀刀匀
刀愀洀欀甀洀愀爀 䈀愀氀愀欀爀椀猀栀渀愀渀 倀爀攀猀椀搀攀渀琀 刀攀搀椀渀最琀漀渀 嘀愀氀甀攀
䄀猀椀洀 䄀氀䨀愀洀洀愀稀 䌀䔀伀 䄀氀䨀愀洀洀愀稀 䐀椀猀琀爀椀戀甀琀椀漀渀
一椀搀愀氀 伀琀栀洀愀渀 䴀愀渀愀最椀渀最 䐀椀爀攀挀琀漀爀 匀琀愀爀氀椀渀欀 䴀䔀
一椀挀栀漀氀愀猀 䄀爀最礀爀椀搀攀猀 䌀栀椀攀昀 漀昀 匀愀氀攀猀 愀渀搀 䐀攀瀀甀琀礀 䜀䴀 䴀椀渀搀眀愀爀攀
䠀攀猀栀愀洀 吀愀渀琀愀眀椀 嘀倀 䴀䔀一䄀 䄀猀戀椀猀 䴀椀搀搀氀攀 䔀愀猀琀
䜀愀爀攀琀栀 䠀愀渀猀昀漀爀搀 䜀攀渀攀爀愀氀 䴀愀渀愀最攀爀 䜀甀氀昀 匀漀昀琀眀愀爀攀 䐀椀猀琀爀椀戀甀琀椀漀渀
䘀愀礀攀稀 䤀戀戀椀渀椀 䴀愀渀愀最椀渀最 䐀椀爀攀挀琀漀爀 䄀氀瀀栀愀 䐀愀琀愀
一攀栀甀氀 䜀漀爀愀搀椀愀 䌀漀ⴀ昀漀甀渀搀攀爀 䔀渀愀戀氀攀爀 伀渀攀
䘀愀爀愀栀 䄀渀眀愀爀 䌀漀ⴀ䘀漀甀渀搀攀爀 䄀猀栀爀愀昀 䔀氀攀挀琀爀漀渀椀挀猀
匀愀瘀椀琀栀愀 䈀愀猀欀愀爀 䌀伀伀 䌀漀渀搀漀 倀爀漀琀攀最漀
䐀栀愀爀洀攀渀搀爀愀 匀愀眀氀愀渀椀 倀爀攀猀椀搀攀渀琀 䐀甀戀愀椀 䌀漀洀瀀甀琀攀爀 䜀爀漀甀瀀
匀栀愀椀氀攀渀搀爀愀 刀甀最栀眀愀渀椀 䴀愀渀愀最椀渀最 䐀椀爀攀挀琀漀爀 䔀砀瀀攀爀琀猀 䌀漀洀瀀甀琀攀爀
䠀唀刀刀夀 匀䔀䄀吀匀 䰀䤀䴀䤀吀䔀䐀 刀䔀䜀䤀匀吀䔀刀 一伀圀 䄀吀 眀眀眀⸀琀愀栀愀眀甀氀琀攀挀栀⸀挀漀洀⼀洀愀爀最椀渀戀甀椀氀搀攀爀⼀㈀ 㠀⼀
吀䠀䔀 䰀䄀刀䜀䔀匀吀 刀䔀䜀䤀伀一䄀䰀 䔀嘀䔀一吀 䘀伀刀 吀䠀䔀 䌀䠀䄀一一䔀䰀 䤀一䐀唀匀吀刀夀 䨀漀椀渀 琀栀攀 挀漀渀瘀攀爀猀愀琀椀漀渀 愀渀搀 搀漀渀ᤠ琀 洀椀猀猀 漀瘀攀爀 ㈀ ⴀ 䤀渀搀甀猀琀爀礀 䔀砀瀀攀爀琀猀Ⰰ 䌀䔀伀猀Ⰰ 䌀栀愀渀渀攀氀 愀渀搀 倀愀爀琀渀攀爀 䴀愀渀愀最攀爀猀Ⰰ 䈀甀猀椀渀攀猀猀 䠀攀愀搀猀Ⰰ 䤀渀琀攀最爀愀琀漀爀猀 ☀ 匀攀爀瘀椀挀攀 倀爀漀瘀椀搀攀爀猀Ⰰ 䤀吀 刀攀猀攀氀氀攀爀猀 愀渀搀 匀瀀攀愀欀攀爀猀 愀氀氀 搀爀椀瘀椀渀最 搀椀猀挀甀猀猀椀漀渀 漀渀 瀀攀爀琀椀渀攀渀琀 椀猀猀甀攀猀Ⰰ 猀栀愀爀椀渀最 椀搀攀愀猀Ⰰ 渀攀琀眀漀爀欀椀渀最 愀渀搀 搀椀猀挀漀瘀攀爀椀渀最 猀漀氀甀琀椀漀渀猀℀ 䠀攀愀爀 昀爀漀洀 挀漀洀瀀愀渀椀攀猀 猀甀挀栀 愀猀 刀攀搀椀渀最琀漀渀Ⰰ 䴀椀渀搀眀愀爀攀Ⰰ 䄀氀䨀愀洀洀愀稀 䐀椀猀琀爀椀戀甀琀椀漀渀Ⰰ 䄀猀戀椀猀 䴀椀搀搀氀攀 䔀愀猀琀Ⰰ 䠀攀愀爀 昀 匀琀愀爀䰀椀渀欀Ⰰ 䜀甀氀昀 匀漀昀琀眀愀爀攀 䐀椀猀琀爀椀戀甀琀椀漀渀Ⰰ 䄀氀瀀栀愀 䐀愀琀愀Ⰰ 䔀砀瀀攀爀琀猀 䌀漀洀瀀甀琀攀爀Ⰰ 䔀渀愀戀氀攀爀 伀渀攀Ⰰ 䐀甀戀愀椀 䌀漀洀瀀甀琀攀爀 䜀爀漀甀瀀Ⰰ 䔀一䈀䐀 愀渀搀 洀愀渀礀 洀漀爀攀⸀ 䐀椀猀挀漀瘀攀爀Ⰰ 䤀搀攀渀琀椀昀礀 愀渀搀 伀瀀琀椀洀椀猀攀℀
䔀瘀攀渀琀 倀愀爀琀渀攀爀
伀昀昀椀挀椀愀氀 倀甀戀氀椀挀愀琀椀漀渀
䠀漀猀琀攀搀 戀礀
INTERVIEW
BE ON GUARD Jose Menacherry, managing director, Bulwark Distribution on how customers should consider safeguarding from cybersecurity threats as a “continuous battle”.
A
t its inaugural participation at Infosecurity Middle East in Abu Dhabi, regional distributor Bulwark is demonstrating how adversaries can enter an organisation stealthily through email attacks, APTs and other sophisticated means. Jose Menacherry, managing director, Bulwark Distribution, said, “Organisations need to accept that protecting their operations from data breaches and other cybersecurity threats is a continuous battle. End-users need to constantly be on top of emerging security trends and keep themselves updated to try to be one step ahead.” Menacherry believes CIOs are already treating the lack of effective security solutions as a business problem rather than a technology one. “Although the current market is sluggish, we have seen a significant appetite for security solutions over 36
04.2018
regular IT infrastructure projects.” He said one of the first steps to be taken is to identify which part of the network and what sort of data of a business needs to be protected. “Strategise which data is considered as business assets and then implement relevant solutions to protect it.” Understanding that it is not possible for businesses to overhaul existing systems every few years, Bulwark’s solutions can be complemented with current infrastructures. The company is focusing on security solutions from global players such as Sophos, Mimecast and iStorage at the show. “We are showcasing our entire data security portfolio including solutions around APTs, email security, UTMs, endpoints, encrypted data storage and privilege identity management,” he adds. Over the course of 2018, the firm will continue its focus on all GCC countries with onsite resources and work through
“Strategise which data is considered as business assets and then implement relevant solutions to protect it.”
security focused integrators in Jordan, Egypt and Lebanon. “We are bringing innovative solutions into the region to counter sophisticated attacks and address cybersecurity issues effectively. We work through partners and train them so that they can be better positioned with their customers,” Menacherry said. www.tahawultech.com
INSIGHT
DATA PROTECTION SOUL SEARCHING By Tarek Jundi, managing director, Middle East and Turkey, McAfee
W
ith just a few weeks to go, reports and surveys frequently indicate that CIOs and business owners are concerned about and unprepared for GDPR. And the race is on, with a Veritas study indicating that more than half of organisations are yet to start work on meeting the minimum requirements set by GDPR. Many organisations are looking to bring their cyber procedures and capabilities up to scratch ahead of its becoming enforceable, May 2018. But, with an evolving IT threat landscape, new technologies introducing new risk, and a cyber-skills deficit, it’s important that CIOs and IT directors not only focus on this critical deadline but also look beyond it. Once-in-a-generation opportunity From large enterprises to SMEs, many organisations are shifting their traditional business model away from physical assets in favour of a data-driven business model. CIOs and IT directors should look at GDPR as an opportunity. Rather than approaching it separately and in isolation, the new regulation has put a price on cybersecurity and secure data management—bringing it to the attention of the C-Suite. This will have a dramatic impact on a number of current security challenges many IT teams are facing, such as the massive growth in Shadow IT. According to a recent McAfee Labs Report, almost 40 percent of cloud services are now commissioned without the involvement www.tahawultech.com
of IT, and unfortunately, visibility of these Shadow IT services has dropped year on year. 65 percent of IT professionals think this phenomenon is interfering with their ability to keep the cloud safe and secure. This is not surprising given the amount of sensitive data now being stored in the public cloud and more than half (52 percent) of respondents report that they have definitively tracked malware from a cloud SaaS application. Better late than never There are specific requirements in the Regulation—reporting breaches, reviewing processing in advance, making sure vendor contracts have particular language. But GDPR makes a larger and more fundamental ask: That each company look carefully and studiously at its environment, evaluate the data it holds, and “implement … measures to ensure a level of security appropriate to the risk.” It’s a sort of data protection soul-searching designed to protect people and their data from harm. And this perspective challenges organisations to embrace the spirit of the law and be accountable for it, not just to tick a box. “Appropriate” and “adequate”—tough words in a security context—are found repeatedly in the GDPR. The regulation suggests that “in assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted,
stored or otherwise processed.” That sounds like a basic risk assessment. Each company has to decide for itself what it needs to do to comply with GDPR but organisations can consider these steps as ways to get started on the journey: 1. Scope. Know what you have. We can’t protect what we don’t know we have. This is a good time for companies to figure out how and where they hold personal data—and not just of EU residents, and not just for its EU affiliates. 2. Protect. Know how you are protecting those assets. Are you doing the basics? Could you do more? Are your peers doing more? Are you following your data classification policy in automated ways or just expecting employees to know it? Do you delete unnecessary data? 3. Monitor and detect. Do you have technologies in place (such as encryption, data-loss prevention or anti-virus software) to protect those assets from malicious actors, loss, unwanted leaks? And do you know what to do if something goes wrong? 4. Review. Do you have a process to make sure that all new applications or cloud services are reviewed and that you know how you are using them? Are you implementing data protection by design by thinking of privacy and security at the very beginning of any project? 5. Then repeat. The regulation requires “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.” 04.2018
37
BLOG
THE ROAD AHEAD By Vinod Vasudevan, co-founder and CTO, Paladion
T
he increasingly-complex, data-flooded threat landscape has created new challenges for cybersecurity. Attacks and attackers are no longer known, and must be uncovered in near real-time. The threat landscape has changed. Organisations have more vulnerability points than ever—and these will only grow as organisations increasingly embrace the cloud, mobile, and the IoT. Cybercriminals now exploit this wealth of vulnerability points through sophisticated, high-volume, multi-dimensional attacks that produce a flood of threat data. Every day, organisations can face thousands of alerts, and find themselves forced to analyse hundreds of thousands of potentially malicious files. Attacks and attackers are no longer known, and must be uncovered in near real-time. Organisations have come to see they cannot prevent breaches, and must focus on continuous monitoring, detection, and response. And as cybercriminals attack with increasingly stealthy, sophisticated, multi-channel Advanced Persistent Threats, cybersecurity providers must search through every point of vulnerability within every organisational system for the entire lifecycle of a threat. The heart of the problem and the heart of the solution Our new threat landscape is filled with many complicated challenges, to say the least. But each of these individual complicated challenges add up to a single simple issue: How to contend with the flood of data generated by, and required to monitor, detect, and respond to, multidimension attacks. 38
04.2018
Traditional security approaches fail at dealing with all this new data. Vulnerability points are too numerous to monitor manually. Human-led detection is too slow to keep up with today’s barrage of AI-driven cyberattacks. To contend with your new data-flooded threat landscape, you must evolve past traditional security approaches, and begin to deploy your own Big Data-driven, AI defenses. How AI-driven cyber defences work The right AI platform enhances every level of your cybersecurity system. It increases the speed and accuracy of your prediction, monitoring, detection, and response. To do so, your platform collects and processes a staggering volume of raw data in search of the tell-tale anomalies of an attack. Every attack—even an unknown attack— leaves a network event trail. Properly uncovered and analysed, these anomalies show you the steps an attacker has taken within your network. They can tell you how the attacker breached your systems, where they have been, where they are likely going, and what their plausible aim might be. Uncovering and analysing this network event trail essentially turns an unknown attack into a known attack—one you can effectively respond to, and one you can prevent in the future. However, to uncover and analyse this network event trail, you must collect, analyse, contextualise and process every piece of raw data produced by your network. Modern cyberattacks both approach through a wide variety of vulnerability points, and exhibit many different behaviors as they move through many files, networks, protocols, and systems to reach their target. As such, you cannot ignore any piece of data that
moves through your network’s flows, forensics, and logs. An anomaly can appear anywhere. Any anomaly can indicate a breach. And only a Big Datadriven platform can process the volume of data required to find them, analyse them, and raise the red flag. Finding Big Data’s place in modern cybersecurity It’s easy to oversell the power and use of multichannel Big Data in cybersecurity. But the approach—while necessary—can’t do everything. At the end of the abovementioned data collection, analysis, and processing, your platform still needs to bring a focused list of anomalies to your human security staff. But, even the best Big Data cybersecurity platform is not one-sizefits-all. No single security analytics system can detect modern, blended attack vectors on its own. Every Big Data-driven security system must evaluate multiple dimensions at once, and in correlation with each other. In addition, every security system must be able to evaluate the nine types of modern attacks, and their combined use (they are advanced malware, social engineering, lateral movement, insider threats, transaction frauds, account takeovers, data exfiltration, run-time app exploits, and encrypted attacks). And even with this platform, each organisation must define the specific use cases they require to meet their unique security needs. Simply bringing some analytics to your organisation is not enough. A security analytics based on a comprehensive data-based system, supported by human insight, and fine-tuned to your specific needs, can protect you from today’s evolved threat landscape. www.tahawultech.com
REDEFINING technology transformation
+971 4 440 9100
@TahawulTech
info@cpimediagroup.com
www.tahawultech.com
facebook.com/tahawultech
twitter.com/tahawultech
linkedin.com/in/tahawultech