ISSUE 24 | FEBRUARY 2018 www.tahawultech.com
Securing industrial control systems Next-gen firewalls Mobile security threats
ANALYSE THIS HOW TO MAKE SECURITY ANALYTICS WORK FOR YOUR ORGANISATION
o t g n i m o C s i x o l b o f In ! u o Y r a e N A City Today’s networks are evolving at a blistering pace, but with 20 billion connected devices expected by 2020, conventional network management systems can’t keep pace. The exponential growth of IP traffic, trends in security, SDN and cloud coupled with increasingly sophisticated security threats, leave them vulnerable to attack. As a security professional this is a daunting challenge. That’s why Infoblox is hitting the road to deliver a half-day seminar in 20 cities and 5 regions in Europe, Middle East and Africa, to address: • Infrastructure Protection • Next-Gen Data Center
• Threat Containment & Operations • Data Protection and Malware Mitigation
Visit the website for event locations near you. Register today at: infobloxemea.com/roadtour/
STRATEGIC INNOVATION PARTNER
STRATEGIC PARTNER
CONTENTS
FOUNDER, CPI MEDIA GROUP Dominic De Sousa (1959-2015) PUBLISHING DIRECTOR Natasha Pendleton natasha.pendleton@cpimediagroup.com +971 4 440 9139 EDITORIAL Managing Editor Michael Jabri-Pickett mjp@cpimediagroup.com +971 4 440 9158 Group Editor Jeevan Thankappan jeevan.thankappan@cpimediagroup.com +971 4 440 9129 Online Editor Adelle Geronimo adelle.geronimo@cpimediagroup.com +971 4 440 9135 Contributing Editors James Dartnell james.dartnell@cpimediagroup.com +971 4 440 9153 Janees Reghelini janees.reghelini@cpimediagroup.com +971 4 440 9167 Glesni Holland glesni.holland@cpimediagroup.com +971 4 440 9134 DESIGN Senior Designer Analou Balbero analou.balbero@cpimediagroup.com +971 4 440 9140 Designer Mhar Delaben marlou.delaben@cpimediagroup.com +971 4 440 9156 ADVERTISING Group Sales Director Kausar Syed kausar.syed@cpimediagroup.com +971 4 440 9130
06 ANALYSE THIS
Sales Manager Merle Carrasco merle.carrasco@cpimediagroup.com +971 4 440 9147 Business Development Manager Youssef Hariz youssef.hariz@cpimediagroup.com +971 4 440 9111 CIRCULATION Circulation Manager Rajeesh M rajeesh.nair@cpimediagroup.com +971 4 440 9119
How to make security analytics work for your organisation
PRODUCTION Operations Manager Shweta Santosh shweta.santosh@cpimediagroup.com +971 4 440 9107 DIGITAL SERVICES Web Developer Jefferson de Joya Abbas Madh Photographer Charls Thomas Maksym Poriechkin
10
webmaster@cpimediagroup.com +971 4 440 9100 Published by
Registered at Dubai Production City, DCCA PO Box 13700 Dubai, UAE Tel: +971 4 440 9100 Fax: +971 4 447 2409 Printed by Al Ghurair Printing and Publishing Regional partner of
© Copyright 2018 CPI All rights reserved While the publishers have made every effort to ensure the accuracy of all information in this magazine, they will not be held responsible for any errors therein.
THE WEAKEST LINK Industrial control systems are being targeted by malicious hackers. What are the risks when you run older equipment on modern tech?
14
18
MOVING TO NEXT-GEN FIREWALLS Front-line practicals for choosing and using next-generation firewalls 5 MOBILE SECURITY THREATS YOU SHOULD TAKE SERIOUSLY Mobile malware? Some mobile security threats are more pressing. Every enterprise should have its eye on these issues in 2018.
22
HOW ARE CYBER
26
CRIMINALS USING MACHINE LEARNING? Machine learning algorithms will improve security solutions. But they are also going to help threat actors launch bigger, more complex attacks.
5 BIGGEST RANSOMWARE ATTACKS OF THE LAST 5 YEARS From CryptoLocker to WannaCry and NotPetya, these attacks illustrate the growth of ransomware.
NEWS
GOOGLE PARENT ALPHABET LAUNCHES CYBERSECURITY FIRM Alphabet has launched a new business unit on Wednesday that will sell cybersecurity software to Fortune 500 companies, the latest move by the parent of Google to become a big player in corporate computing, according to a Reuters report. The new unit, dubbed Chronicle, is betting on the premise that machine learning software, a type of artificial intelligence, can sift and analyse massive stores of data to detect cyber threats more quickly and precisely than is possible with traditional methods, Reuters reported. Stephen Gillett, chief executive of Chronicle and a former top official at the cyber firm Symantec, said access to Google’s expertise in automated data analysis would give the company an edge. Alphabet’s big cash pile and existing customer relationships also make Chronicle a threat to security tools vendors such as Symantec, Palo Alto Networks and Cylance. The global cyber security market is worth nearly $100 billion, according to market researcher Gartner. But analysts note that previous efforts by internet search and networking companies to get into the cyber security business have faltered. “Being the heavy hitter and even having small teams spun out of that doesn’t translate to instant success,” said Avivah Litan, a vice president at Gartner. Gillett, on a conference call, declined to specify how Chronicle’s technology works and would not give the exact number of companies testing the service. Chronicle also houses VirusTotal, a virus-scanning tool Google acquired in 2012 that charges for premium features. The cyber security initiative reflects Alphabet’s desire to expand beyond its core online advertising business at Google and become a major player in enterprise computing technology. Google is a distant rival to Amazon.com in cloud computing infrastructure and lags far behind Microsoft in workplace productivity software.
4
02.2018
DUBAI POLICE TO MAKE THE EMIRATE THE WORLD’S SAFEST CITY The Dubai Police will soon have eyes all over the emirate with the launch of its latest smart security project. The law enforcement agency has recently unveiled its Oyoon (Eyes) project with the support and participation of the governmental, semi-governmental and private sectors to implement the Dubai 2021 plan in a bid to enhance the emirate’s global position it terms of providing a safer living experience for all citizens, residents and visitors. According to the Dubai Police, the aim of the project is to create an integrated security system that works through all strategic partners to exploit modern and sophisticated technologies and artificial intelligence features to prevent crime, reduce traffic accident related deaths, prevent any negative incidents in residential, commercial and vital areas and to be able to respond immediately to incidents even before they get reported to the command unit. Major General Ibrahim Khalil Al Mansouri , Assistant Commander for Criminal
Investigations of Dubai Police, said the ”The project is an effective translation of the UAE’s strategy for AI to achieve its objectives of relying on services, data analysis and smart application in various fields of work efficiently and effectively. Maj-Gen Al Mansouri said the project also contributes to supporting the decisionmaking process, ensuring the protection of all vital areas and roads, and optimising the use of human resources through reducing human intervention, especially in the areas of monitoring, analysis and surveillance. In addition, the Oyoon committee will set standards on the installation and use of all CCTV cameras across the Emirate of Dubai, and conduct field studies across all jurisdiction areas to ensure highest levels of security and safety in the region.
BLACKBERRY’S NEW SOFTWARE MAKES AUTONOMOUS CARS HACK-PROOF BlackBerry has reportedly launched a new cybersecurity software that can identify vulnerabilities in programmes used in self-driving cars. The software called Jarvis, will initially be offered to automakers. However, the company noted that the solution can also be applied to industry segments such as healthcare, aerospace and industrial automation among others. Jarvis scans and delivers insights in minutes, a process that would normally take a large number of experts and a lot of time, BlackBerry said. “Connected and autonomous vehicles require some of the most complex software ever developed, creating a significant challenge for automakers who must ensure the code complies with industry and manufacturer-specific standards while simultaneously battle-hardening a very large and tempting attack surface for
cyber-criminals,” said John Chen, CEO of BlackBerry, said in a press release. In addition to cost and time savings, BlackBerry said Jarvis helps ensure that production software adheres to industry standards such as MISRA and CERT, and enables OEMs to define custom rules to meet organisation-specific objectives. BlackBerry said Jarvis will be offered on a pay-as-you-go basis and customized for the needs of the manufacturer. Once initiated, automakers will have online access to Jarvis and can scan any number of binary files at every stage of software development. This includes the capability to evaluate new software under consideration as well as the ability to assess existing software already in production. Once scanned, development teams have immediate access to the results via user-friendly dashboards with specific cautions and advisories.
www.tahawultech.com
NEWS
AED 3.86 bn
value of date stole from 3.72 million consumers in the UAE last year Source: Norton by Symantec
ATM MAKERS WARN OF HACKS ON MACHINES
ATM makers Diebold Nixdorf and NCR have recently warned the public that hackers may be targeting US cash machines with tools that force them to spit out cash in a hacking schemes known as “jackpotting.” According to a Reuters report, though its nickname evokes big wins, “jackpotting” is instead a malicious cyber-attack that uses malicious software to enable hackers illegally gain control of ATMs.
The two ATM makers did not identify any victims or say how much money had been lost. The attacks were reported earlier on Saturday by the security news website Krebs on Security, which said they had begun last year in Mexico. Jackpotting has been rising worldwide in recent years, though it is unclear how much cash has been stolen because victims and police often do not disclose details. Reports by Krebson Security highlighted that the cybercrime has long been a threat for banks in Europe and Asia. It also noted that the US Secret Service has quietly began warning financial institutions that jackpotting attacks have been targeting stand-alone ATMs typically located in pharmacies, big box retailers and drive-thru ATMs. NCR said that the cases were the first confirmed “jackpotting” losses in the United States. It said its equipment had not been targeted in the recent attacks,
but that it was still a concern for the entire ATM industry. “This should be treated by all ATM deployers as a call to action to take appropriate steps to protect their ATMs against these forms of attack,” the alert said. Meanwhile, Diebold Nixdorf said in a separate alert that US authorities had warned the company that hackers were targeting one of its ATM models, known as Opteva, which went out of production several years ago. Diebold Nixdorf’s alert described steps that criminals had used to compromise ATMs. They include gaining physical access, replacing the hard drive and using an industrial endoscope to depress an internal button required to reset the device. Russian cybersecurity firm Group IB has reported that cyber criminals remotely attacked cash machines in more than a dozen countries across Europe in 2016. Similar attacks were also reported that year in Thailand and Taiwan.
NEW MALWARE FOUND SPYING ON ANDROID USERS
An advanced malware implant that has been active since 2014 was uncovered by Kaspersky Lab researchers. The implant, named Skygofree, is designed for targeted cyber-surveillance, possibly as an ‘offensive security’ product. It includes functionality never seen in the wild before, such as location-based audio recording through infected devices. The www.tahawultech.com
spyware is spread through web pages mimicking leading mobile network operators. Skygofree utilises a multi-stage spyware that gives attackers full remote control of an infected device. It has undergone continuous development since the first version was created at the end of 2014 and it now includes the ability to eavesdrop on surrounding conversations and noise when an infected device enters a specified location – a feature that has not previously been seen in the wild. Other advanced, unseen features include using Accessibility Services to steal WhatsApp messages and the ability to connect an infected device to Wi-Fi networks controlled by the attackers. The implant carries multiple exploits for root access and is also capable of
taking pictures and videos, seizing call records, SMS, geolocation, calendar events and business-related information stored in the device’s memory. A special feature enables it to circumvent a batterysaving technique implemented by a top device vendor: the implant adds itself to the list of ‘protected apps’ so that it is not switched off automatically when the screen is off. The attackers also appear to have an interest in Windows users, and researchers found a number of recently developed modules targeting this platform. The researchers found 48 different commands that can be implemented by attackers, allowing for maximum flexibility of use. 02.2018
5
COVER FEATURE
ANALYSE THIS How to make security analytics work for your organisation
6
02.2018
www.tahawultech.com
COVER FEATURE
A
s the latest buzzword in IT, analytics are increasingly spanning various components of IT systems. While use cases to gather analytics around data, networks and user behaviours, there are endless possibilities around utlising this information. But, when looking to drill down this data, to inform security decisions, is a massive amount of information, which could include false positives, really that useful? Industry experts say, if configured properly, security analytics can drive meaningful and actionable insights for your organisation. According to recent ESG research, 81% of cybersecurity professionals agree that improving security analytics and operations is a high priority at their organisations. “Security analytics and operations is complex work that requires more than just a crackerjack staff. Formal processes, process automation/ orchestration, and strong collaboration across security and IT should be top priorities for all CISOs,” says Jon Oltsik, principal analyst with ESG. Morey Haber, VP, Technology, BeyondTrust, says security analytics can enable more efficient threat detection within a network by identifying the “needle in a haystack”. “Traditional solutions are correlation or signature based and must observe events, parse logs, or rely on alerts from point solutions to identify a threat. In other words, they identify threats as they are occurring because something has happened. Security analytics is more than that.” He adds depending on the model, events, logs, and alerts should follow a certain pattern and abnormal (or unique) findings can initiate a workflow that would be traditionally missed. Analytics are designed to understand (learn, calculate, baseline, etc.) the steady state and raise awareness when something is www.tahawultech.com
02.2018
7
COVER FEATURE
not following the norm, without users scouring through endless amounts of data. They can find patterns when something is “starting” versus waiting for explicit events that correlate after the incident has occurred. Mohammad Jamal Tabbara, senior systems engineer at Infoblox, says security analytics is one important aspect of information security with many use cases, one of which can be used as an effective enforcement point against sophisticated or unprecedented threat techniques and a source of threat intelligence. “Some aspects of security analytics can be processed in a passive mode or offline, yet most security analytics solutions use real-time streaming analysis of live network traffic and machine learning data to instantly detect the presence of suspicious network behaviour or malicious communication.” Security operations and incident response teams need context when investigating a security incident. Security analytics tools provide behaviour intelligence context for security alerts and incident investigations. Ability to quickly and interactively analyse current and historical behaviours, patters, anomalies across multiple data silos enables faster incident analysis, eliminating reliance on skilled resources and manual analysis. Laurence Pitt, director of Security Strategy, Juniper Networks, says prioritisation of security events is among one of the biggest benefits that the security team gains from security analytics. Today the volume of alerts can overwhelm even the largest and most efficient analysts, they need a way to easily focus on what’s risky. Security analytics combines threat data with user-access, application usage and even location information to create a more accurate picture for risk, thus providing the security analyst with actionable information on the riskiest events. Over time the analytics engine can also learn from the analyst responses, meaning that 8
02.2018
Ideally an organisation should have a threat intelligence platform that can coordinate and combine dozens of threat feeds into a single feed. - Brian Pinnock, cyber resilience expert at Mimecast
eventually an automated response could be possible based on learned actions. Security analytics is all about helping security teams to focus on threats, vulnerabilities, and security controls that matter. However, there are a few things organisations should keep in mind while choosing a security analytics platform. Haber from BeyondTrust says organisations should keep in mind vendors that are compatible with the tools they have in their environment and the models used to build the analytics platform. Not all analytics platforms can consume and parse data from other leading vendors and their analytics models are easily definable. For example, if the solution cannot parse your version of SIEM, it will not be very helpful. If the vendor cannot articulate the models they are using, then there is probably some voodoo under the hood to make it work. End users need to understand why a security is escalated from an analytics platform verses just accepting that it occurred. Pitt from Juniper says it must be modular with the ability to leverage information between different systems and components. Different technologies may identify a threat at different points in the attack chain, and this can take too long – security analytics should combine data from different security solutions to spot threats at any point of the kill chain, helping with faster, more effective detection and remediation. This means that the solution also has to be open, with the ability to integrate
with solutions which may not be directly supported. This also ensures that data can be read, or imported, from the widest possible variety of sources – again, helping improve efficacy of detection and remediation, he says. Ryan O’Leary, VP, Threat Research Centre, WhiteHat Security says, getting the right security metrics from a trusted source is one of the more difficult aspects of owning the security programme at any company. “Lots of companies say they offer security analytics but few offer meaningful proven security analytics. This is especially true in the web application space. The main problem is that security tools more often than not product an incredibly high number of false positives. Before you purchase any analytics, make sure the company does vulnerability verification before statistics are done. Also, inquire about false positive rates so you can determine how accurate a company’s analytics will be.” Brian Pinnock, regional manager of sales engineering at Mimecast, adds: “Ideally an organisation should have a threat intelligence platform that can coordinate and combine dozens of threat feeds into a single feed. These feeds can consist of open source or paid-for feeds and telemetry data from existing security systems. The security systems should be able to easily send this telemetry data and any associated threat intelligence without the need for highly complex integration.” www.tahawultech.com
PRESENTS
Tahawul Tech would like to extend sincere thanks to our fantastic partners for their support at the 4th annual CIO 100 Awards. Your support is just as important to our winners’ innovation as it is to ours.
FEATURE
THE WEAKEST LINK Industrial control systems are being targeted by malicious hackers. What are the risks when you run older equipment on modern tech?
T
here’s been a startling increase in attacks against industrial control systems (ISC). According to SANS Institute’s annual survey, the introduction of unprotected devices into sensitive ICS networks and ransomware are now among the top threats that organisations face in securing critical infrastructure. The survey also found that some basic security practices are still not being implemented and identifying attacks remains challenging; 40% of ICS security practitioners lack visibility or sufficient supporting intelligence into their ICS networks and this is one of the primary impediments to securing these systems. Despite the high-profile news coverage of recent attacks against 10 02.2018 02.2018
unpatched systems, SANS found that only 46% of respondents regularly apply vendor-validated patches. An astounding 12% neither patch nor layer controls around critical control system assets. “Advances in ICS systems have increased the risk and introduced a myriad of new scenarios that can disrupt production and processes, impact safety and bring financial consequences. The adoption of cloudbased IT solutions, the widespread introduction of insecure connected IoT devices into networks, and the increasing reliance on digital technology for operations and expanded connectivity mean that many systems are far more vulnerable to attack than they once were,” says Doug Wylie, director of SANS Institute’s Industrials and Infrastructure Practice. www.tahawultech.com
FEATURE
Maxim Frolov, MD of Kaspersky Lab in the Middle East, Turkey and Africa, offers another perspective: “Modern industrial infrastructures are complex networks, with integrated automation and control functions that do not have sufficient built-in cybersecurity functions to combat the increasingly sophisticated range of security threats they face.” Kaspersky Lab’s study ‘Threat Landscape for Industrial Automation Systems in H1 2017’ showed attack attempts on almost half of the ICS computers in the Middle East. While ICS computers in the energy sector in the Middle East accounted for almost 9% of all attacks. What is worrying is that all these threats and more are only going to compound and further evolve, which is why firms need to have advanced monitoring and detecting solutions as well as having a rigid incident response plan in place. “A successful attack on ICS has serious impact on any organization. Some of these effects include operational shutdowns, damaged equipment, monetary loss, intellectual property theft, and substantial health and safety risks. As ICS continue to modernize, an increasing number of Internet of Things (IoT) devices are
introduced to improve productivity and enhance system control. With the use of related IoT devices, process controls, data monitoring, and communication with other systems are made simpler. However, there are risks involved when smart devices are used for such tasks,” says Aadesh Gawde, principal – R&D and engineering, at ProVise Secure Lab. Ra Kafity, VP-META, Attivo Networks, says attackers are now crossing ethical boundaries and targeting critical infrastructure in ways that are intended to extort money in exchange for preserving human safety. ICS devices have unique challenges. “Most are not managed as part of the standard IT infrastructure, and thus, are not monitored by traditional security solutions. Additionally, ICS devices have long operational lifespans that exceed the typical software support lifecycle, leaving them unpatched and exposed when their software reaches end-of-life. There is a reluctance to take devices offline for patch management, as doing so can interfere with critical operations, giving attackers the opportunity to exploit vulnerable systems at will and cause harm. Securing these devices is critical, as they can control everything from fuel sensors to medical devices to building infrastructure. New innovations
Modern industrial infrastructures are complex networks, with integrated automation and control functions that do not have sufficient built-in cybersecurity functions to combat the increasingly sophisticated range of security threats they face.
www.tahawultech.com
in deception technology address ICS security challenges by tricking and revealing attackers while providing an essential control for the early detection and derailment of attacks on critical infrastructure.” What are some of the challenges security teams face when it comes to securing ICS? “Changes in ICS/SCADA environments have historically come at a pretty slow pace, but this pace is accelerating with IT/OT convergence, and the speed of change is challenging everyone working with these systems to keep up, or accept growing levels of risk,” says Wylie from SANS. SANS report showed that many of the professionals responsible for today’s industrial control systems do at least recognise current cyber security risks. However, they aren’t always in a position to overcome them since governance is often seen as a lower priority when it comes into conflict with the objectives of the business around efficiency and productivity. Many ICS practitioners aren’t interested in becoming cyber security experts themselves, but they do realise that their organisation needs to plan to manage the threats. Wylie adds that it is also important to recognise that ICS environments pose unique challenges that do not exist in an ordinary business enterprise system. Automation and control systems frequently run continuously, ceasing only in the event of a loss of power, mechanical failure or an issue with the raw materials. Decisions to stop systems are not taken lightly, and a patch upgrade for example – a not-infrequent occurrence that every network administrator must factor in – will disrupt the operation of most ICS designed to run around the clock. A plant manager must weigh up the cost of downtime to patch a system as a preventative measure against the impact on system safety, uptime, efficiency and productivity. 02.2018 11
OPINION
WHY ENTERPRISES FAIL TO FOCUS ON THE REAL SECURITY THREATS Most companies are not focused on the real security threats they face, leaving them ever more vulnerable. That can change if they trust their data rather than the hype, writes Roger A. Grimes
H
umans are funny creatures who don’t always react in their own best interests, even when faced with good, contrarian data they agree with. For example, most people are far more afraid of flying than of the car ride to the airport, even though the car ride is tens of thousands of times riskier. More people are afraid of getting bitten by a shark at the beach than by their own dog at home, even though being bitten by their dog is hundreds of thousands of times more likely. We just aren’t all that good at reacting appropriately to risks even when we know and believe in the relative likelihood of one versus the other happening. The same applies to IT security. Computer defenders often spend time, money, and other resources on computer defences that don’t stop the biggest threats to their environment. What is causing this lack of focus in putting the right defences in the right places in the right amounts against the right threats? A bunch of things, including these: The sheer number of security threats is overwhelming There are 5,000 to 7,000 brand new 12
02.2018
threats a year, or about 15 a day. That’s 15 brand new problems on top of yesterday’s 15 brand new problems, day after day after day. It’s been this way for decades, for as long as they have been tracking the stat. Computer defenders could be likened to 911 call centre dispatchers who are getting more emergency calls each day than any single ambulance crew can adequately respond to, and so they have to triage and prioritise. Threat hype can distract from more serious threats It doesn’t help that some computer defense vendors are doing their best to make every rescue call a heart attack victim. Today’s announced threats and vulnerabilities often come with as much focus on the hype and intent to spread fear as the actual threat. They come with scary-sounding names and even media-ready, free-licensed cartoon figures. Don’t put all the blame on computer defense vendors. It’s their job to sell their software or service, and it’s easier to sell batteries during a hurricane. It’s up to the consumer to decide what is and isn’t deserving of their attention, and it’s exceedingly
hard to do when you’ve got 15 new threats a day coming in. Even when the threat and risk is huge, the overhyping of every threat makes it hard to pay attention to the right ones. For example, Meltdown and Spectre are actually one of the biggest threats we’ve faced as a computerised society. They impact nearly every popular microprocessor, allow attackers to invisibly exploit computers, often require multiple software and firmware patches for protection, and when solved may significantly slow down your computer. In many instances, the only good solution is to buy a new computer. Meltdown and Spectre are, rightly, big deals! In my opinion you can’t hype them enough. Yet, outside of computer security circles and a few mainstream media articles for a day or two, the world’s collective reaction is a global “meh.” Normally when something big happens in computer security, my friends and family ask me what they should do. With Meltdown and Spectre, I didn’t get a single inquiry. To warn my social circle, I sent out helpful information. Usually I get a few questions back. Nothing this time. Not a single post in my social circle of hundreds of people. It’s like www.tahawultech.com
OPINION
a hungry great white shark has been spotted at the beach and no one is trying to get out of the water. Because Meltdown and Spectre often require firmware patches, which almost no consumer has done or will do, you can bet we will have hundreds of millions of vulnerable machines for many years to come. Why? Hype fatigue. Every threat is so over-hyped that when a real, global threat comes out that everyone needs to pay attention to, they just shrug their shoulders and assume their OS or device vendor will patch it in due time. Frankly, I’m scared about the weaponisation opportunities these two new threats offer. They are probably going to cause more microprocessor bugs to be found and exploited. Bad threat intelligence skews focus Part of the reason is that most companies’ own threat intelligence does a poor job of telling their company which threats they need to be worried about. Threat intelligence (TI) should be looking at the thousands of threats and telling their employers which ones are most likely to be used against them. Instead, they usually act as megaphones replaying the global hype. Want to see how infective most threat intelligence departments are? Ask them what’s the number one way that their company is broken into causing the most damage. Is it malware, social engineering, password attacks, misconfiguration, intentional
attacks, lack of encryption, etc.? I’ve never met the TI team that could tell me that with a straight face, with data to back up the conclusion. How can a company most efficiently fight the right threats if they can’t even determine the biggest threats? Compliance concerns don’t always align with security best practices If you want to get something done quickly in computer security, claim it’s needed for regulatory compliance. Nothing opens the purse strings quicker. Senior management is required to pay attention to compliance concerns. In many cases, they can be held personally liable for actively ignoring a compliance deficiency. It begs for their attention. Unfortunately, compliance and security don’t always agree. For example, today’s best password recommendations announced over a year ago, pretty much go against every legal and regulatory requirement concerning passwords. Turns out that much of what we thought was true about password security, like requiring complexity, wasn’t the best advice, or the threats changed over time. The creators and maintainers of most legal and regulatory recommendations don’t seem to be paying attention, even though following the old password advice often makes a company more likely to be exploited. One of my personal pet peeves on this subject is how many websites won’t
Because Meltdown and Spectre often require firmware patches, which almost no consumer has done or will do, you can bet we will have hundreds of millions of vulnerable machines for many years to come.
www.tahawultech.com
let me create a password longer than 16-characters (which would be very strong regardless of its complexity), but forces me to use “special” symbols that it thinks in theory will make hackers’ lives more difficult, when the data and research shows this is clearly not the case in practice. Too many projects spread resources thin Every company I’ve consulted with has had dozens of ongoing projects, each designed to secure the company’s computers and devices. In every case, one or two of those projects, if finished to completion, would provide most of the security benefits the company needs to significantly minimise security risk. Splitting dozens of projects among a finite set of limited resources, however, guarantees that most projects will be delayed and inefficiently implemented even if run to completion. The IT security world is full of expensive software sitting on the shelf and promised projects with no one to properly oversee their continued operations. Pet projects usually aren’t the most important ones Worse yet, most companies have one or two pet projects being pushed by a senior executive as their flavor of the month. They read a book, heard a story on the radio, or went golfing with a friend who told them what they needed to do to fix their company. So, without consulting their own company’s data to see what the biggest threats are, they pull the best and the brightest team members from other projects to get theirs done first–if they can get a project done before becoming excited and enamored with their next pet project. The first step in fixing a problem is admitting you have a problem. If you see your company’s ineffective computer defenses represented above, now is the time to help everyone on your team understand the problem and help them to get better focus. 02.2018
13
FEATURE
MOVING TO NEXT-GEN FIREWALLS Front-line practicals for choosing and using next-generation firewalls
W
hat should enterprises expect if they want to make the transition from a traditional firewall to a next-gen firewall? It starts with a decidedly different way of thinking about security goals associated with a firewall, especially in terms of establishing application-aware controls over employees as they access the web and social networking sites. True NGFWs perform deep packet inspection to identity application
14
02.2018
traffic at Layer 7, performing a single inspection pass that integrates firewall, intrusion-prevention and additional security capabilities in a single highperformance appliance. Application intelligence combined with user identity information provides context for highly granular firewall access rules that allow for detection of contemporary Webbased attacks. “The NGFW market is driven by factors such as increased adoption of BYOD and IoT trend, increasing internal and
external threats, and high functionalities of NGFW solutions. For these reasons, enterprises are deploying nextgeneration firewall services to secure networks and endpoints from cyber threats. Everyone is digitising, everyone is enabling connectivity, everyone is pulling data from device’s we deemed not possible,” says Scott Manson, cybersecurity lead at Cisco. Cisco predicts that in the MEA region, mobile users will grow from 774 million in 2016 to 948 million in 2021 and once www.tahawultech.com
SECURING NETWORKS PROTECTING DATA
PROTECT YOUR ORGANIZATION AGAINST CYBER ATTACKS
PENETRATION TESTING/ VULNERABILITY ASSESSMENT
MANAGED SECURITY SERVICES
ICS | SCADA SECURITY
WEB APPLICATION SECURITY ASSESSMENT
WIRELESS SECURITY TESTING
SOCIAL ENGIINERING
<>
CONTACT US NOW AND SECURE YOURSELF +971.4.242.3608 | info@itsec.ae | www.itsec.ae
FEATURE
connected to the network, these device are now vulnerable coupled with no visibility which is where connecting the network and adding an endpoint agent becomes absolutely critical. “The NGFW is the answer to provide both safety and security to your network modernisation projects. It also provides the anchor point for converging IT and OT security visibility without interfering with operational practice,” adds Manson. Kalle Bjorn, Director, Systems Engineering, Fortinet, says one of the main improvements NGFW offers is the added visibility to the network traffic passing through the unit. Enterprises will be able to identify what type of traffic is used in the corporate network and also control it. Policies can be build based on granular matching criteria that allows mapping users, devices and applications together. The information and control that NGFW provides to the corporate is vastly superior compared to the traditional firewalls. Harish Chib, Vice President, Middle East & Africa, Sophos, offers another perspective on the factors driving the adoption: “Cybercriminals are continually changing their attack methods to avoid detection. These days, nearly every malware instance is a new zero-day variant that hasn’t been seen before and is more sophisticated, stealthy, and targeted than the one that came before it. This makes traditional signature-based detection obsolete. You need multi-layered defense across several vectors, each using behavioral analysis and working better
together to provide adequate protection.” Application-based controls and security provide the flash and the coolness factor, but the business case most often relies on the savings and reduced management overhead that come with consolidating several security products into an integrated platform that meets the needs of highly demanding enterprise networks. What are some of the dos and don’ts for NFWS? Bjorne says application control is not the only added benefit NGFWs come with, normally the systems support also NGIPS, anti-Malware and user authentication systems. Enabling
The information and control that NGFW provides to the corporate is vastly superior compared to the traditional firewalls. - Kalle Bjorn, Director, Systems Engineering, Fortinet
16
02.2018
these features will help enterprises to provide better protection to their network. “Today most of the NGFWs also support integrating with an Advanced Threat Protection system or a Sandboxing solution. Despite of NGFWs coming with multiple security features it critical that enterprises ensure that there are multiple layers of security in the network instead of purely relying on the NGFW.” Manson says users will have to make sure the NGFW they select provides tightly integrated, multi-layered threat protection. “Today’s multi-vector and persistent threats slip through gaps in protection and evade detection. A threat-focused NGFW provides bestin-class security technologies that work together across the network and endpoints and are managed through a central console. An NGFW should also be able to consolidate multiple layers of defenses on a single platform while delivering consistent and robust security at scale.” Next-gen firewalls are complex products, and vendors claim an impressive array of capabilities. Determining how well an appliance meets your needs requires understanding your enterprise’s requirements, and a lot of research and testing. www.tahawultech.com
THE REGIONâ&#x20AC;&#x2122;S NUMBER ONE PROVIDER OF IT SOLUTIONS
DRIVE REAL BUSINESS RESULTS WITH OUR LATEST IT TECHNOLOGIES COGNITIVE SOLUTIONS
IOT
CLOUD
SECURITY
ANALYTICS
www.gbmme.com
FEATURE
5
MOBILE SECURITY THREATS YOU SHOULD TAKE SERIOUSLY
Mobile malware? Some mobile security threats are more pressing. Every enterprise should have its eye on these issues in 2018.
M
obile security is at the top of every company’s worry list these days — and for good reason: Nearly all workers now routinely access corporate data from smartphones, and that means keeping sensitive info out of the wrong hands is an increasingly intricate puzzle. The stakes, suffice it to say, are higher than ever: The average cost of a corporate data breach is $21,155 per day, according to a 2016 reportby the Ponemon Institute. While it’s easy to focus on the sensational subject of malware, the truth is that mobile malware infections are incredibly uncommon in the real world — with your odds of being infected significantly less than your odds of being struck by lightning, according to one estimate. That’s thanks to both the nature of mobile malware and the inherent protections built into mobile operating systems. The more realistic mobile security hazards lie in some easily overlooked 18
02.2018
areas, all of which are only expected to become more pressing in the coming year: Data leakage It may sound like a diagnosis from the robot urologist, but data leakage is widely seen as being one of the most worrisome threats to enterprise security as we head into 2018. What makes the issue especially vexing is that it often isn’t nefarious by nature; rather, it’s a matter of users inadvertently making ill-advised decisions about which apps are able to see and transfer their information. “The main challenge is how to implement an app vetting process that does not overwhelm the administrator and does not frustrate the users,” says Dionisio Zumerle, research director for mobile security at Gartner. He suggests turning to mobile threat defense (MTD) solutions — products like Symantec’s Endpoint Protection Mobile, CheckPoint’s SandBlast Mobile, and Zimperium’s zIPS
1
Protection. Such utilities scan apps for “leaky behavior,” Zumerle says, and can automate the blocking of problematic processes. Of course, even that won’t always cover leakage that happens as a result of overt user error — something as simple as transferring company files onto a public cloud storage service, pasting confidential info in the wrong place, or forwarding an email to an unintended recipient. That’s a challenge the healthcare industry is currently struggling to overcome: According to specialist insurance provider Beazley, “unintended disclosure” was responsible for a full 41 percent of data breaches reported by healthcare organisations in the first three quarters of 2017 — more than double the next highest cause. For that type of leakage, data loss prevention (DLP) tools may be the most effective form of protection. Such software is designed explicitly to prevent the exposure of sensitive information, including in accidental scenarios. www.tahawultech.com
FEATURE
Social engineering The tried-and-true tactic of trickery is just as troubling on the mobile front as it is on desktops. Despite the ease with which one would think social engineering cons could be avoided, they remain astonishingly effective. A staggering 90 percent of data breaches observed by Verizon’s Enterprise Solutions division are the result of phishing, according to the company’s 2017 Data Breach Investigations Report. While only 7 percent of users fall for phishing attempts, Verizon says, those gullible guys and gals tend to be repeat offenders: The company estimates that in a typical organisation, 15 percent of users who are successfully phished will be phished at least one more time within the same year. What’s more, numerous bits of research suggest users are more vulnerable to phishing from mobile devices than desktops — by as much as three times, according to an IBM study, in part because a phone is where people are most likely to first see a message. “We do see a general rise in mobile susceptibility driven by increases in mobile computing overall [and] the continued growth of BYOD work environments,” says John “Lex” Robinson, information security and anti-phishing strategist at PhishMe — a firm that uses realworld simulations to train workers on recognising and responding to phishing attempts. Robinson notes that the line between work and personal computing is also continuing to blur. More and more workers are viewing multiple inboxes — connected to a combination of work and personal accounts — together on a smartphone, he notes, and almost everyone conducts some sort of personal business online during the workday. Consequently, the notion of receiving what appears to be a personal email alongside work-related messages
2
www.tahawultech.com
doesn’t seem at all unusual on the surface, even if it may in fact be a ruse. Wi-Fi interference A mobile device is only as secure as the network through which it’s transmitting data. In an era where we’re all constantly connecting to public Wi-Fi networks, that means our info often isn’t as secure as we might assume. Just how significant of a concern is this? According to new research being released by enterprise security firm Wandera this week, corporate mobile devices use Wi-Fi almost three times as much as they use cellular data. Nearly a quarter of devices have connected to open and potentially insecure Wi-Fi networks, and 4 percent of devices have encountered a man-in-the-middle attack — in which someone maliciously intercepts communication between two parties — within the most recent month. “These days, it’s not difficult to encrypt traffic,” says Kevin Du, a computer science professor at Syracuse University who specialises in smartphone security. “If you don’t have a VPN, you’re leaving a lot of doors on your perimeters open.” Selecting the right enterprise-class VPN, however, isn’t so easy. As with most security-related considerations, a tradeoff is almost always required. “The delivery of VPNs needs to be smarter with mobile devices, as minimising the consumption of resources — mainly battery — is paramount,” Gartner’s Zumerle points out. An effective VPN should know to activate only when absolutely necessary, he says, not when a user is accessing a news site, for instance, or when a user is working within an app that’s known to be trustworthy and secure.
3
Out-of-date devices Smartphones, tablets and smaller connected devices — commonly known as the internet of things (IoT) — pose a new risk to enterprise security in that
4
unlike traditional work devices, they generally don’t come with guarantees of timely and ongoing software updates. This is true particularly on the Android front, where the vast majority of manufacturers are embarrassingly ineffective at keeping their products up to date — both with operating system (OS) updates and the smaller monthly security patches between them — as well as with IoT devices, many of which aren’t even designed to get updates in the first place. “Many of them don’t even have a patching mechanism built in, and that’s becoming more and more of a threat these days,” Du says. Again, a strong policy goes a long way. There are Android devices that do receive timely and reliable ongoing updates. Until the IoT landscape becomes less of a wild west, it falls upon a company to create its own security net around them. Physical device breaches Last but not least is something that seems silly but remains a disturbingly realistic threat: A lost or unattended device can be a major security risk, especially if it doesn’t have a strong PIN or password and full data encryption. Consider the following: In a 2016 Ponemon Institute study, 35 percent of professionals indicated their work devices had no mandated measures in place to secure accessible corporate data. Worse yet, nearly half of those surveyed said they had no password, PIN, or biometric security guarding their devices — and about two-thirds said they didn’t use encryption. Sixty-eight percent of respondents indicated they sometimes shared passwords across personal and work accounts accessed via their mobile devices. The take-home message is simple: Leaving the responsibility in users’ hands isn’t enough. Don’t make assumptions; make policies. You’ll thank yourself later.
5
02.2018
19
OPINION
WHY CYBER INSURANCE MATTERS By Gregg Petersen, Regional Sales Vice President, MEA, Veeam Software
H
here is no question that ransomware attacks are becoming increasingly prevalent. In fact, some have proposed that 2017 is the Year of Ransomware. In May last year, the WannaCry attack led to the infection of more than 230,000 computers and more recently in June, the Petya outbreak led to a second global spread of ransomware. These attacks didn’t just hit individual users, they affected some of the biggest organisations in the world, and showed an increased level of threat sophistication and maturity. What became clear to many recently is that while traditional methods of data protection are essential, they are no longer sufficient. As the attacks or ‘threat landscape’ continues to evolve at a frightening pace, it’s clear that many organizations are failing to learn about what they’re up against from both a data protection and cybersecurity perspective. Sure, organizations today know that they need to have strategies in place to protect their business from being disrupted by cybercriminals, but do they have the ability to get up and running quickly after an attack or breach? With businesses putting more data and services online, so business 20
02.2018
models rely on connectivity and enhanced IT services to meet growing consumer demands for flexibility, ease of access and convenience, here-in lies the double-edged sword. It is this connectivity desire, to be ‘always-on’, which introduces more vulnerabilities and ‘threat surfaces’ from an increasing number of third-party sources. Cyber insurance explained Traditional data protection strategies have centered around the three foundational components of IT: people, process and technology. Data protection with people begins with education and a continuous focus on making employees aware of the most recent threats in the industry. While this is critical, it is impossible to achieve full organizational protection in this way. It only takes one weak link, or one unknown threat, before the data is compromised. Focusing on process is also essential. As many have pointed out, recent ransomware attacks would have been mitigated if patches had been applied on a timely basis. And finally, traditional data protection employs technology for network and endpoint protection such as firewalls and anti-virus. All these protections are essential and should not be ignored. Clearly however, they are not sufficient
as evidenced by the explosive growth of cyber insurance. Cyber insurance is not entirely new, but it has been growing (unsurprisingly) at a similar pace with malware and ransomware. In 2015, PwC set the cyber insurance market at $2.5B with a projected market size of $7.5B in 2020. Allied Market Research has cyber insurance premiums hitting $14B by 2022 — an impressive 28% compound annual growth rate. No matter how significant the cyber insurance market growth, recent incidents have proven that the adverse effect of malware on government agencies, and businesses have made this a board-level topic with a demand for better protection. Costs of ransomware are not just connected with the ransom demand itself, far from it in fact as the amounts requested are often below $1000, but tangible internal costs such as incident response, forensics, customer call centre support increases, legal engagement and public relations. External costs and insurance coverage are associated with the liability of failing to keep the data secure. Mitigating the ransomware risk with process and technology However, there is another fundamental insurance component www.tahawultech.com
OPINION
When assessing your current data protection situation, it is important to remember you shouldn’t strive to make yourself hack-proof.
that many have ignored — data backup with air-gapped protection – the process of isolating a backup from the live network. In fact, the very first recommendation that is provided by the US FBI in its guide, ‘Ransomware Prevention and Response for CEOs’, is to ensure that critical data is backed up and stored offline, and that restoration of this data is regularly validated. Here at Veeam, we agree with this principle. In fact, backup and validation of data restore is the cyber insurance that provides the most immediate and tangible benefit to the enterprise when compromised. Our customers have recognized the value of this insurance and we now have 250,000 customers (and growing) that are leveraging these capabilities. With proper technology and process in place, recovery time objectives (RTOs) can be minimized for critical systems, with the added benefit of leveraging the data to set up virtual labs where forensics can be applied to the incident. This insurance not only provides Availability for the business, but confidence for the board that they are better prepared. A second, real and tangible benefit is that employing a viable availability solution can reduce the cyber insurance premiums that are paid by www.tahawultech.com
the enterprise. While annual costs for cyber insurance ranges from $1,000s to $100,000+ depending on the revenues, industry and company size, one of the factors that determines the premiums are the existing protections that are implemented, just as is the case with house or car insurance. Ensuring your business has a comprehensive availability solution can potentially reduce the costs (and premiums) associated with first-party coverage. New technologies, same problems? With the growing opportunity for more sophisticated uses of data and Internet of Things technologies, artificial intelligence, biometric systems, Industry 4.0 manufacturing robotics, connected cars, and smart buildings, businesses must be aware of how threats, such as ransomware, will evolve in the near future, progressing from the PC to also impact their wider business operations. When assessing your current data protection situation, it is important to remember you shouldn’t strive to make yourself hack-proof. The speed at which attacks are changing means this is virtually impossible. Rather, you should make your security as robust as possible and ensure your backups are not solely located on your
network, to eliminate the possibility of attack or corruption. With respect to ransomware, it is common for attackers to look at smaller or midsize businesses for a way into bigger enterprises, so don’t be the weakest part of your supply chain, and scrutinise the structure of your partners. Like many professionals in the technology industry, I see no abatement in the immediate future for malware and ransomware, and we recommend you look for partner who can help your organisation implement data insurance through backups with offline storage and regular validation of restore, should the worst happen. This level of data protection is essential to not only provide the executive team and board with confidence that they are better prepared for this new business environment, but it also provides confidence for the industry and your end users that their digital life is protected and always available. Therefore, a combined approach of having your processes in place, making yourself a less attractive target through routinely carrying out updates and backups, and having a data protection insurance policy — inclusive of a cyber insurance plan and an availability solution in place — is smart business when planning for the future. 02.2018
21
FEATURE
HOW ARE CYBER CRIMINALS USING MACHINE LEARNING? Machine learning algorithms will improve security solutions, helping human analysts triage threats and close vulnerabilities quicker. But they are also going to help threat actors launch bigger, more complex attacks.
D
efined as the “ability for (computers) to learn without being explicitly programmed,” machine learning is huge news for the information security industry. It’s a technology that potentially can help security analysts with everything from malware and log analysis to possibly identifying and closing vulnerabilities earlier. Perhaps too, it could improve endpoint security, automate repetitive tasks, and even reduce the likelihood of attacks resulting in data exfiltration. The problem is, hackers know this and are expected to build their own AI and machine learning tools to launch attacks. Machine learning-based attacks in the wild may remain largely unheard of at this time, but some of the following techniques are already being leveraged by criminal groups. Increasingly evasive malware Malware creation is largely a manual process for cyber criminals. They write scripts to make up computer viruses 22
02.2018
and trojans, and leverage rootkits, password scrapers and other tools to aid distribution and execution. But what if they could speed up this process? Is there a way machine learning could be help create malware? The first known example of using machine learning for malware creation was presented in 2017 in a paper entitled “Generating Adversarial Malware Examples for Black-Box Attacks Based on GAN.” In the report, the authors revealed how they built a generative adversarial network (GAN) based algorithm to generate adversarial malware samples that, critically, were able to bypass machinelearning-based detection systems. In another example, at the 2017 DEFCON conference, security company Endgame revealed how it created customised malware using Elon Musk›s OpenAI framework to create malware that security engines were unable to detect. Endgame’s research was based on taking binaries that appeared to be malicious, and by changing a few parts, that code would
appear benign and trustworthy to the antivirus engines. Other researchers, meanwhile, have predicted machine learning could ultimately be used to “modify code on the fly based on how and what has been detected in the lab,” an extension on polymorphic malware. Smart botnets for scalable attacks Fortinet believes that 2018 will be the year of self-learning ‘hivenets’ and ‘swarmbots’, in essence marking the belief that ‘intelligent’ IoT devices can be commanded to attack vulnerable systems at scale. “They will be capable of talking to each other and taking action based off of local intelligence that is shared,” said Derek Manky, global security strategist, Fortinet. “In addition, zombies will become smart, acting on commands without the botnet herder instructing them to do so. As a result, hivenets will be able to grow exponentially as swarms, widening their ability to simultaneously attack multiple victims and significantly impede mitigation and response.” www.tahawultech.com
FEATURE
Interestingly, Manky says these attacks are not yet using swarm technology, which could enable these hivenets to self-learn from their past behaviour. A subfield of AI, swarm technology is defined as the “collective behavior of decentralised, selforganised systems, natural or artificial” and is today already used in drones and fledgling robotics devices. Advanced spear phishing emails get smarter One of the more obvious applications of adversarial machine learning is using algorithms like text-to-speech, speech recognition, and natural language processing (NLP) for smarter social engineering. After all, through recurring neural networks, you can already teach such software writing styles, so in theory phishing emails could become more sophisticated and believable. In particular, machine learning could facilitate advanced spear phishing emails to be targeted at high-profile figures, while automating the process as a whole. Systems could be trained on genuine emails and learn to make something that looks and read convincing. In McAfee Labs’ predictions for 2017, the firm said that criminals would increasingly look to use machine learning to analyse massive quantities of stolen records to identify potential victims and build contextually detailed emails that would very effectively target these individuals. Furthermore, at Black Hat USA 2016, John Seymour and Philip Tully presented a paper titled “Weaponizing data science for social engineering: Automated E2E spear phishing on Twitter,” which presented a recurrent neural network learning to tweet phishing posts to target certain users. In the paper, the pair presented that the SNAP_R neural network, which was trained on spear phishing pentesting data, was dynamically seeded with topics taken from the timeline posts of target users (as well as the users they tweet or follow) to make the click-through more likely. Subsequently, the system was remarkably effective. In tests involving www.tahawultech.com
In particular, machine learning could facilitate advanced spear phishing emails to be targeted at high-profile figures, while automating the process as a whole.
90 users, the framework delivered a success rate varying between 30 and 60 percent, a considerable improvement on manual spear phishing and bulk phishing results.
common machine learning models. Once a target recalibrates its system to filter out the false alarms, the attacker can launch a real attack that can get by the machine learning system.
Threat intelligence goes haywire Threat intelligence is arguably a mixed blessing when it comes to machine learning. On the one hand, it is universally accepted that, in an age of false positives, machine learning systems will help analysts to identify the real threats coming from multiple systems. “Applying machine learning delivers two significant gains in the domain of threat intelligence,” said Recorded Future CTO and co-founder Staffan Truvé in a recent whitepaper. “First, the processing and structuring of such huge volumes of data, including analysis of the complex relationships within it, is a problem almost impossible to address with manpower alone. Augmenting the machine with a reasonably capable human, means you’re more effectively armed than ever to reveal and respond to emerging threats,” Truvé wrote. “The second is automation — taking all these tasks, which we as humans can perform without a problem, and using the technology to scale up to a much larger volume we could ever handle.” However, there’s the belief, too, that criminals will adapt to simply overload those alerts once more. McAfee’s Grobman previously pointed to a technique known as “raising the noise floor.” A hacker will use this technique to bombard an environment in a way to generate a lot of false positives to
Unauthorised access An early example of machine learning for security attacks was published back in 2012, by researchers Claudia Cruz, Fernando Uceda, and Leobardo Reyes. They used support vector machines (SVM) to break a system running on reCAPTCHA images with an accuracy of 82 percent. All captcha mechanisms were subsequently improved, only for the researchers to use deep learning to break the CAPTCHA once more. Separately, the “I am Robot” research at last year’s BlackHat revealed how researchers broke the latest semantic image CAPTCHA and compared various machine learning algorithms. The paper promised a 98 percent accuracy on breaking Google’s reCAPTCHA. Poisoning the machine learning engine A far simpler, yet effective, technique is that the machine learning engine used to detect malware could be poisoned, rendering it ineffective, much like criminals have done with antivirus engines in the past. It sounds simple enough; the machine learning model learns from input data, if that data pool is poisoned, then the output is also poisoned. Researchers from New York University demonstrated how convolutional neural networks (CNNs) could be backdoored to produce these false (but controlled) results through CNNs like Google, Microsoft, and AWS. 02.2018
23
OPINION
PENNY WISE AND PASSWORD FOOLISH By Morey J. Haber, Vice President of Technology, BeyondTrust
H
ow much money would you spend to secure your passwords from being stolen? If you actually could safeguard all your passwords, would you worry as much about a privileged breach? I think the majority of executives and security professionals would ante up a reasonable sum to make this a reality but that’s not what this article is about. It is about the damage a compromised privileged account could cost an organisation from a momentary perspective and a reputation perspective. If you need proof of this, consider the recent breaches at Equifax and Yahoo. Each one of these affected the company’s stock, executive bonuses, acquisition terms, and even the ability to do basic business like accepting payments in due terms. A compromised privileged password does have a monetary value on the Dark Web for a threat actor to purchase but also has a price that can be associated to an organisation 24
01.2018
in terms of risk. What is the value and risk if that password is exposed and the contents it protects exposed to the wild? A database of personally identifiable information (PII) is quite valuable and blueprints or trade secrets have even a higher value if sold to the right buyer (or government). My point is simple, privileged accounts have a value (some a very high value) and the problem is not always securing them but rather identifying where they exist in the first place. Would you spend a penny, use a free tool, or existing product already in your organisation to find them? Odds are you are already doing this, and you just need to know where to look to get this information. It would be foolish not to. So how do you spend a penny or less to discover privileged accounts and rate their risk? Look no further than your existing operations and security teams. Your existing teams probably have a vulnerability assessment solution capable of performing user enumeration for operating systems,
applications, and databases. Within that data, the results should include accounts and their creation date, last login date, password age, and which groups they belong to – including administrators group or root. The results of these scans are generally ignored by vulnerability assessment teams but invaluable to security teams attempting to gauge the exposure of privileged accounts. If you can discover where privileged accounts exist, you can measure their risk and then monitor for their usage. Any inappropriate access can be highlighted using log management or a SIEM and properly escalated for investigation. Now I know some of my readers may be going – so what? We already do this. That is great, but do you take this to the next level and actually assign a risk to the account? Do you quantify how often it is used, where its used from, and how many people are using it (sharing accounts is a bad security practice – by the way)? This is where a penny becomes important verses being foolish. All privileged accounts www.tahawultech.com
OPINION
So how do you spend a penny or less to discover privileged accounts and rate their risk? Look no further than your existing operations and security teams.
are not equal. Some are worth a penny (figuratively) and others a lot more based on risk. A domain administrator account is of higher value than a local administrator account with a unique password (although that may be good enough to leverage for future lateral movement). Treating every privileged account the same is foolish. You could make the same argument for a database admin account verses a restricted account used with Open Database Connectivity (ODBC) for database reporting. Both are privileged but owning the database verses just extracting data is not the same. Yes, both could be a devastating attack vector responsible for a breach but owning the database is the highest privileges you can get. Therefore, this could potentially allow a threat actor to maintain a persistent stealth presence (if cynical and crafty enough) until the organisation identifies the breach. So, just what should you do to take credential and privileges to the next level: • Identify crown jewels (sensitive data and systems) within the www.tahawultech.com
environment. This will help form the backbone for quantifying risk. If you do not have this currently mapped out, it is an exercise worth pursuing. • Discover all of your privileged accounts using existing tools, free solutions (there are plenty), or via a dedicated privileged solution. • Map the discovered accounts to crown jewel assets. This can be done by hostname, subnets, AD queries, zones, or other logical groupings based on business functions. • Measure the risk of the asset. This can be done using basic critical, high, medium, and low ranking but should also consider the crown jewels present and any other risk vectors like vulnerabilities. Each of these metrics will help weight the asset score. If you are looking for a standardised starting place, consider Common Vulnerability Scoring System (CVSS) and Environmental metrics. • Finally, overlay the discovered accounts. The risk of the asset
will help determine how likely a privileged account can be compromised (via vulnerabilities) and help prioritise asset remediation outside of the account mapping. In the real world, a database with sensitive information may have a few critical vulnerabilities from time to time, in-between patch cycles, and be considered a critical risk when they are present regardless of the accounts identified. When patch remediation occurs, the asset may still be high risk, if privileged access is not managed, and will drop in risk if privileges are session monitored and access controlled. Criticality can be from vulnerabilities or unrestricted, unmanaged, and undelegated access in addition to attack vectors that have workable exploits. Spending a penny to find them and map them is a much safer security mechanism than foolishly leaving them unattended. Thus, a penny wise to understand your privileged accounts verses a password foolish used in a breach 01.2018
25
FEATURE
5 BIGGEST RANSOMWARE ATTACKS OF THE LAST 5 YEARS From CryptoLocker to WannaCry and NotPetya, these attacks illustrate the growth of ransomware.
D
While the last few years have seen a remarkable uptick in this particularly nasty genre of attack software, ransomware
isn’t new. Over the years, ransomware has grown from a curiosity and an annoyance to a major crisis deeply entwined with topsecret spy agencies and international intrigue. And the biggest ransomware attacks of the past half-decade together do a good job of telling the story of ransomware as it’s grown. CryptoLocker It was CryptoLocker, which burst onto the scene in 2013, that really opened the age of ransomware on a grand scale. CryptoLocker spread via attachments to spam messages, and used RSA public key encryption to seal up user files, demanding cash in return for the decryption keys. Jonathan Penn, Director of Strategy at Avast, notes that at its height 26
02.2018
in late 2013 and early 2014, over 500,000 machines were infected by CryptoLocker. CryptoLocker was somewhat primitive, and was ultimately defeated by Operation Tovar, a white-hat campaign that brought down the botnet that controlled CryptoLocker, in the process discovering the private keys CryptoLocker used to encrypt files. But as Penn put it, CryptoLocker had “opened the floodgates” to many other varieties of file-encryption ransomware, some of which were derived from Crypto Locker’s code and some of which was given the CryptoLocker name or a close variant but was written from scratch. The variants overall harvested about $3 million dollars in ransom fees; one such them was CryptoWall, which by 2015 accounted for more than half of all ransomware infections. TeslaCrypt Within a year, though, a new threat arose. Originally claiming to be one
of those CryptoLocker variants, this ransomware soon had a new name — TeslaCrypt — and a clever M.O.: it targeted ancillary files associated with video games — saved games, maps, downloadable content, and the like. These files are at once precious to hardcore gamers but also more likely to be stored locally rather than in the cloud or backed up on an external drive. By 2016, TeslaCrypt made up 48 percent of ransomware attacks. One particularly pernicious aspect of TeslaCrypt was that it was constantly improved by its creators, with some holes that allowed infected computers to be repaired patched by early 2016, making files essentially impossible to restore without help from the malware’s creators. But then, shockingly, those creators did just that two months later, announcing that they were done with their sinister activities and offering the master decryption key to the world. www.tahawultech.com
FEATURE
SimpleLocker As more and more valuable files migrate to mobile devices, so too are the ransomware scammers. Android was the platform of choice to attack, and in late 2015 and early 2016, ransomware Android infections spiked almost fourfold. Many were so-called “blocker” attacks that merely made it difficult to access files by preventing users from getting at parts of the UI, but in late 2015 a particularly aggressive ransomware called SimpleLocker began to spread, which was the first Android-based attack to actually encrypt files and make them inaccessible without the scammers’ help. SimpleLocker was also the first known ransomware that delivered its malicious payload via a trojan downloader, which made it more difficult for security measures to catch up to. While SimpleLocker was born in Eastern Europe, three-quarters of its victims are in the United States, as scammers chase the money. Now the good news: while the SimpleLocker era saw a big rise in Android malware infections, the numbers overall are still relatively low — about 150,000 as of late 2016, which is a vanishingly small percentage of Android users. And most victims get infected by attempting to download porn apps or other dodgy content from outside the official Google Play store. Google is working hard to assure users that it’s very hard to actually get infected by a ransomware. But it’s still a lurking threat. WannaCry CryptoLocker marked the beginning of an era where ransomware was more than just a curiosity. But in mid-2017, two major and intertwined ransomware attacks spread like wildfire across the globe, shutting down hospitals in Ukraine and radio stations in California, and that was when ransomware became an existential threat. The first of the two major attacks was called WannaCry, and “was easily the worst ransomware attack in history,” says Avast’s Penn. “On May 12th, the ransomware started taking hold in Europe. Just four days later, Avast had www.tahawultech.com
One particularly pernicious aspect of TeslaCrypt was that it was constantly improved by its creators, with some holes that allowed infected computers to be repaired patched by early 2016.
detected more than 250,000 detections in 116 countries.” (That really puts 150,000 Android infections over more than a year into perspective.) But WannaCry’s real importance goes beyond the numbers: ReliaQuest CTO Joe Partlow points out that it was “the first wave of attacks that maliciously utilized leaked hacking tools from the NSA” — in this case EternalBlue, an exploit that takes advantage of a defect in Microsoft’s implementation of the SMB protocol. Although Microsoft had already released a patch for the defect, many users hadn’t installed it. WannaCry “blindly took advantage,” of this hole, says Penn, “spreading aggressively across devices on the network because user interaction isn’t required for further infection.” And, Kyle Wilhoit, senior cybersecurity threat researcher at DomainTools, points out that “many organizations had the SMB port, 445, openly exposed to the Internet, which helped propagate the worm.” NotPetya If WannaCry had heralded the new age, then NotPetya confirmed it. Petya was a ransomware package that actually dated back to 2016, but just weeks after the WannaCry outbreak, an updated version began to spread that also used the EternalBlue package as WannaCry had, leading researchers to dub it “NotPetya” because it had advanced so far beyond its origins. Speculation abounded that NotPetya wasn’t ransomware at all, but rather a Russian cyberattack on Ukraine in disguise. Either way, though, Varun Badhwar,
CEO and co-founder of RedLock, sees a lesson. “There was a lot of discussion around who could have been behind the WannaCry attack,” he says. “But knowing that information won’t prevent further attacks like it from occurring. Malware exploits and toolkits are easily available on the internet to everyone from script kiddies to organized crime units and state sponsored attackers. The fact that NotPetya spread so rapidly showed that organizations worldwide were still not taking cybersecurity as seriously as they should. Being proactive in monitoring on-premise network traffic and ensuring they’re monitoring the traffic within cloud infrastructure environments could have prevented some of the NotPetya infections. Those with comprehensive network visibility and monitoring tools can automatically detect network traffic on non-standard ports, which have been used to launch such attacks as WannaCry.” Eternal vigilance Indeed, as is the case with so many breaches, the fault could be found not in our code but in ourselves — not in our technical infrastructure but in the way we as IT pros build and maintain it. And then there’s the human factor. “Most ransomware attacks begin with a simple email phish,” says Wombat Security advisor Alan Levine, “often very general and untargeted. They are vaguely addressed and absent of personally attractive content. Thus, it is our end user base, not every technical or procedural defense, but our people who stand between us and potential disaster. Their choices matter.” 02.2018
27
OPINION
DEFENCE STRATEGIES FOR NEW AGE CYBER THREATS By Ashraf Sheet, Regional Director Middle East & Africa at Infoblox
T
oday there is no doubt that cyber security is one of the hottest topics in the realm of Information Technology. With almost every new technology trend there is a new form of cyber-security that evolves with it. With the advent of the relatively new technology initiatives that we are seeing today such as Internet of Things (IoT), next generation data centre (NGDC), cloud adoption whether it is public/ private/hybrid, digital economy, IT Ccompliance, BYoD, shadow IT, and few others â&#x20AC;&#x201C; cyber security has to address all of these trends. With that, security trends such as IoT security, cloud security, NGDC security for SDN & NFV, CBSA security (Cloudbased Services and Applications), and so on are becoming key. Many of these security trends fall under network security, which
28 02.2018 02.2018
www.tahawultech.com
OPINION
can be divided into 3 fundamental security aspects: 1) Infrastructure protection: Modern networks are increasingly comprised of mixed physical, virtual, and cloud components distributed across geographies. As networks grow more diverse, it can become extremely difficult for them to confirm the security of all assets. For example, IT teams may not even know when new devices or virtual machines join the network, much less whether they are noncompliant or contain vulnerabilities. That lack of visibility greatly increases risks for businesses. 2) Malware mitigation and data leakage mitigation: More than 90% of malware uses Domain Name System (DNS) at various stages of the cyber kill chain to penetrate the network, infect devices, propagate laterally, and exfiltrate data. According to recent surveys, 46% of respondents experienced DNS-based data exfiltration and 45% experienced DNS tunneling. Malware and data theft are pervasive largely because conventional cyber security solutions are not designed to protect DNS. 3) Threat containment and operations: Organisations need to be aware of these common operational gaps that are hindering their threat containment efforts: • Siloed threat intelligence. Today’s security teams rely on threat information from disconnected, often conflicting sources. This results in higher false positive rates, increased cost, reduced effectiveness, and erosion of trust. Moreover, information silos between network and security teams can lead to security gaps, slower vulnerability detection, and costly remediation delays. • Lack of threat context. Security personnel are inundated with www.tahawultech.com
You have to basically build security in a fluid manner where layers are fused together and interacting more. So you have to have closed-loop feedback.
thousands of alerts and no clear way to know which ones to act on first. Organisations lack visibility into core network services that can provide context to respond with maximum efficiency to the most critical threats. • Manual processes. The ability to respond to fast-moving cyber threats with certainty and speed is paramount. Yet, many organizations use manual and time consuming processes and analysis to prioritize threats and identify context. This results in longer remediation times or worse still failure to act on threats. Cybersecurity strategies for 2018 There are fundamentally three things we need to change and the first one is the siloed approach. You have to basically build security in a fluid manner where layers are fused together and interacting more. So you have to have closed-loop feedback. If something is detected, you need a system that is able to flag up the issue him so it can be dealt with proactively. Proactivity is the key term here, but that correlation has to exist. The siloed approach has to change. How, you may ask? It has to start with customers! Customers have to basically force their partners and the companies they buy from to say, “Hey look guys, this is just not working. I can no longer afford to run my network security in a siloed fashion.” They need to be held accountable if the security infrastructure the vendor provides is not effective.
The second fundamental change is ‘Threat Intelligence’. Traditionally all the functionality was in the policy enforcement point inside the firewall and all the policies were in there. So when an attack was initiated you were at the mercy of the vendor to give you new firepower with new functionality so you could program additional stuff. That’s obviously not going to work anymore. At the end of day each of these vendors is supplying this threat intelligence information based on what they really think. So how can you have one policy? To get there, customers need to consolidate their threat intelligence into a high integrity curated platform that is backed up by a solid research team and accomplished data scientists. The third fundamental change required is a communication fabric that models threat in the same way. When you’re discussing digital equipment and technology you need to be prescriptive. We don’t all understand what the language is to describe the threat. I mean to the human being it’s easy to say this is a threat. What constitutes a threat? How do you describe it? How do you classify it? What are the actions you take? If we fundamentally change all these three things I’ve mentioned, then will the world be a much safer place? Yes it will. Is it going to be perfect and we’re never going to encounter problems again? No. But it will definitely be more efficient and faster in responding. 02.2018
29
INSIGHT
6 PREDICTIONS FOR 2018 DATA SECURITY One thing that was clear in 2017: In spite of big spending on security solutions, organisations haven’t yet figured out how to protect themselves from data breaches. In response, regulatory bodies are issuing strident security requirements and organisations are looking for new innovations and strategies to better protect information no matter where or how it travels. Here are six predictions for data security in 2018 from Seclore.
1
When it comes to the number and severity of breaches, it’ll get worse before it gets better While cybersecurity is (or should be) on every CEO’s and CISO’s mind, 2018 likely won’t be the year that we see a downturn in the number or severity of breaches. Too many companies are still focused on protecting the perimeter, devices and applications. And with data increasingly traveling beyond the corporate perimeter to third parties, on personal devices, and not only via email, but also through le sharing services...the exposure to breaches will continue. According to the recently published Data Breach Report from the RiskBased Security group, the number of records exposed due to data breaches in the first nine months of 2017 is up 305% compared to the same period in 2016. A while Equifax dominated the headlines in Q3, over 1,400 other breaches quietly made their debut. In 2018 expect to see companies develop
30
02.2018
a more comprehensive security plan by introducing a data-centric security approach to ensure data is protected no matter where it travels or is stored. As well, in addition to the CISO and CEO, expect other members of the executive team including Chief Compliance and Risk Officers and General Counsel to become much more involved in solving the security and regulatory compliance issues.
2
Cybersecurity regulation will become even more prevalent and strident While there were dozens of regional and country-specific data security regulations announced in 2017 two of the biggies were NIST SP 800-171 and GDPR. And not everyone will be prepared for NIST SP 800-171 or GDPR once the clock strikes midnight. There is a noticeable change in the focus of the newer regulations: they are holding organisations responsible for information they share with other third parties that travels and is
stored beyond their own perimeter. For instance, many manufacturing companies and sub-contractors were required to comply with NIST SP 800-171 before December 31, 2017. One of the most notable impacts on companies from NIST SP 800-171 is that companies must protect technical specifications and IP even when it travels downstream to other sub-contractors and suppliers. And when you consider scope of the components that go into creating defence and aerospace products, we are talking about hundreds if not thousands of companies and sub- contractors who are scrambling to determine how to best comply with NIST SP 800-171. Another example of the shift in the latest regulations is the General Data Protection Regulation (GDPR), an EU regulation designed to unify and normalise the data protection framework within (and beyond) the EU. Here again, the regulation is not content to protect EU citizen data within the perimeter or an organisation; it holds www.tahawultech.com
Seize the Digital Business Opportunity Join the most influential gathering of CIOs, Senior IT Executives and Business Leaders from the GCC and MENA regions.
As the GCC and MENA regions enter a new era of government and business transformation, â&#x20AC;&#x2DC;digital-firstâ&#x20AC;&#x2122; has become the new mantra. Gartner Symposium/ITxpo 2018 in Dubai focuses on the leadership, organizational, cultural, business and technology challenges aligned to regional transformation programs, visions and initiatives.
5-7 March, 2018 / Dubai, UAE
Drawing on research and insights from the worldâ&#x20AC;&#x2122;s leading technology research firm, this is your opportunity to validate, enhance and scale your strategies for digital business and growth. Join us in March 2018 and position your organization at the pinnacle of global competitiveness!
gartner.com/me/symposium +971 4 559 2406
INSIGHT
organisations responsible for EU citizen data that is held on servers outside of the EU. And it isn’t enough to prove security over that data, organisations must also be able to revoke access to the citizen data upon request. Despite a lot of talk around each of these regulations, there is still a lot of confusion and not enough resources dedicated to making sure companies are prepared. If companies are not prepared, it can cost them a pretty penny. For instance, repeated non-compliance with the GDPR can invite fines reaching up to 20,000,000 EUR or 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher. Figuring out how to be compliant with not only NIST and GDPR, but all of the other regional and state-level cybersecurity and data privacy regulations will be a top priority for companies in 2018. If you want some additional perspective of the challenge consider this: in North America alone there are 20 sector- specific or national privacy/data security laws, and hundreds of such laws among its 50 states and its territories. California alone has more than 25 state privacy and data security laws. In 2018, we predict that the shift from network, app, and device centric security to data-centric security will enable organisations to address multiple regulations while also improving their own security posture.
3
Shadow IT resources will continue to increase the risk of security breaches for organisations in 2018 According to Gartner, by 2020, a third of successful attacks experienced by enterprises will be via their shadow IT resources. The fact remains that business units will invest in any tool that helps them do their job including le-sharing services and collaboration apps such as What’s App. Companies who shift from a detect and punish strategy to a culture of acceptance and protection will be able to better reduce the risk of breaches from the natural course of shadow IT resource
32
02.2018
Companies who shift from a detect and punish strategy to a culture of acceptance and protection will be able to better reduce the risk of breaches from the natural course of shadow IT resource usage.
usage. Organisations who incorporate the ability to persistently protect data will be able to move beyond trying to control shadow IT resources to embracing productivity enhancing systems without risking corporate value.
4
Companies will be asked about data security standards in RFPs Companies looking to partner with third-party vendors (contractors, vendors, outsourcers, lawyers, consultants, etc.) will ask what security protocols the partner has in place with greater frequency prior to signing on the dotted line. It will not be su cient to protect the servers and network; companies will be asking third-party vendors to ensure their specific files are controlled and that they are able to delete/ revoke access to the les when the relationship ends. As well, the companies will require the third-party to prove control over les through regular audit reports. As such, data security will become a competitive advantage for outsourcers, virtual data room providers, and suppliers of services in an increasing number of deals.
5
Security resources will become even more scarce Companies are already experiencing a scarcity of available security resources, and it will get worse in 2018, reducing their ability to implement and administer new security solutions. In a recent Forbes article it was reported that ISACA, a non-pro t security advocacy group predicts there will be
a global shortage of two million cyber security professionals by 2019. The lack of security resources available on the market will lead organisations to favor security solutions that easily connect to their existing IT and security ecosystem. They will also scrutinize the overhead required to administer a given solution, meaning that simpli ed user and policy administration will be an important capability in any new security solution investment.
6
By 2020, data-centric security solutions such as Enterprise Digital Rights Management (EDRM) will be the only granular, file-level method for protecting files that are shared It is estimated that over 40% of an organisation’s sensitive data flows beyond the traditional perimeter to support necessary business processes. That is a huge security gap when you consider that once that information is opened on the recipient’s device, the organisation has lost control. And that is without taking into account how much information is in the hands of employees who leave the company. Seclore predicts that organisations will develop enterprise-wide data security and governance programs by first identifying data security policy gaps and then implementing solutions that focus on protecting the data itself. We also predict that organisations will look for solutions that can automatically add lelevel protection to documents as they are discovered by DLP solutions, downloaded from ECM and ERP systems, and shared via email and le sharing services. www.tahawultech.com
FEATURE
HOW TO BUILD A CYBERSECURITY STRATEGY Organisations face many threats to their information systems and data. Understanding all the basic elements to cybersecurity is the first step to meeting those threats.
C
ybersecurity is the practice of ensuring the integrity, confidentiality and availability (ICA) of information. It represents the ability to defend against and recover from accidents like hard drive failures or power outages, and from attacks by adversaries. The latter includes everyone from script kiddies to hackers and criminal groups capable of executing advanced persistent threats (APTs), and they pose serious threats to the enterprise. Business continuity and disaster recovery planning are every bit as critical to cybersecurity as application and network security. Security should be top of mind across the enterprise, and come with a mandate from senior management. The fragility of the information world we now live in also demands strong cybersecurity controls. 34
02.2018
Management should see that all systems are built to certain security standards and that employees are properly trained. All code, for example, has bugs, and some of those bugs are security flaws. Developers are only human, after all. Security training The human is always the weakest element in any cybersecurity programme. Training developers to code securely, training operations staff to prioritise a strong security posture, training end users to spot phishing emails and social engineering attacks — cybersecurity begins with awareness. All companies will experience some kind of cyber attack, even if strong controls are in place. An attacker will always exploit the weakest link, and many attacks are easily preventable
by performing basic security tasks, sometimes referred to as “cyber hygiene.” A surgeon would never enter an operating room without washing their hands first. Likewise, an enterprise has a duty to perform the basic elements of cybersecurity care such as maintaining strong authentication practices and not storing sensitive data where it is openly accessible. A good cybersecurity strategy needs to go beyond these basics, though. Sophisticated hackers can circumvent most defenses, and the attack surface — the number of ways or “vectors” an attacker can gain entry to a system — is expanding for most companies. For example, the information and the physical world are merging, and criminals and nation-state spies now threaten the ICA of cyber-physical systems such as cars, power plants, www.tahawultech.com
FEATURE
medical devices, even your IoT fridge. Similarly, the trends toward cloud computing, bring your own device (BYOD) policies in the workplace, and the burgeoning internet of things (IoT) create new challenges. Defending these systems has never been more important. Further complicating cybersecurity is the regulatory climate around consumer privacy. Compliance with stringent regulatory frameworks like the European Union’s General Data Protection Regulation (GDPR) also demands new kinds of roles to ensure that organisations meet the privacy and security mandates of the GDPR and other regulations. As a result, growing demand for cybersecurity professionals has hiring managers struggling to fill positions with qualified candidates. That struggle requires organisations to have a sharp focus on areas of greatest risk. Types of cybersecurity The scope of cybersecurity is broad. The core areas are described below, and any good cybersecurity strategy should take them all into account. Critical infrastructure Critical infrastructure includes the cyber-physical systems that society relies on, including the electricity grid, water purification, traffic lights and hospitals. Plugging a power plant into the internet, for example, makes it vulnerable to cyber attacks. The solution for organisations responsible for critical infrastructure is to perform due diligence to protect understand the vulnerabilities and protect against them. Everyone else should evaluate how an
attack on critical infrastructure they depend on might affect them and then develop a contingency plan. Network security Network security guards against unauthorised intrusion as well as malicious insiders. Ensuring network security often requires trade-offs. For example, access controls such as extra logins might be necessary, but slow down productivity. Tools used to monitor network security generate a lot of data — so much that valid alerts are often missed. To help better manage network security monitoring, security teams are increasingly using machine learning to flag abnormal traffic and alert to threats in real time. Cloud security The enterprise’s move into the cloud creates new security challenges. For example, 2017 has seen almost weekly data breaches from poorly configured cloud instances. Cloud providers are creating new security tools to help enterprise users better secure their data, but the bottom line remains: Moving to the cloud is not a panacea for performing due diligence when it comes to cybersecurity. Application security Application security (AppSec), especially web application security, has become the weakest technical point of attack, but few organisations adequately mitigate all the OWASP Top Ten web vulnerabilities. AppSec begins with secure coding practices, and should be augmented by fuzzing and penetration testing.
The enterprise’s move into the cloud creates new security challenges. For example, 2017 has seen almost weekly data breaches from poorly configured cloud instances.
www.tahawultech.com
Rapid application development and deployment to the cloud has seen the advent of DevOps as a new discipline. DevOps teams typically prioritise business needs over security, a focus that will likely change given the proliferation of threats. Internet of things (IoT) security IoT refers to a wide variety of critical and non-critical cyber physical systems, like appliances, sensors, printers and security cameras. IoT devices frequently ship in an insecure state and offer little to no security patching, posing threats to not only their users, but also to others on the internet, as these devices often find themselves part of a botnet. This poses unique security challenges for both home users and society. Types of cyber threats Common cyber threats fall under three general categories: Attacks on confidentiality: Stealing, or rather copying, a target’s personal information is how many cyber attacks begin, including garden-variety criminal attacks like credit card fraud, identity theft, or stealing bitcoin wallets. Nationstate spies make confidentiality attacks a major portion of their work, seeking to acquire confidential information for political, military, or economic gain. Attacks on integrity: Also known by its common name, sabotage, integrity attacks seek to corrupt, damage, or destroy information or systems, and the people who rely on them. Integrity attacks can be subtle — a typo here, a bit fiddled there — or a slash and burn campaign of sabotage against a target. Perpetrators can range from script kiddies to nation-state attackers. Attacks on availability: Preventing a target from accessing their data is most frequently seen today in the form of ransomware and denial-of-service attacks. Ransomware encrypts a target›s data and demands a ransom to decrypt it. A denial-of-service attack, typically in the form of a distributed denial-of-service (DDoS) attack, floods a network resource with requests, making it unavailable. 02.2018
35
PRODUCTS
Brand: Transcend Product: DrivePro Body 52
Brand: Johnson Controls Product: Axisnetwork audio systems Axis adds to its growing portfolio of smart, network based audio solutions. The new new network audio bridge allows integration between analogue and network audio systems and lets customers benefit from the advantages of a network based system, while keeping current analog hardware. The latest additions from Axis Communications, widen the possible use of audio to enhance business operations and safety and security. The new additions include AXIS C8033 Network Audio Bridge, which makes it possible to play music from an analogue line level source like a mobile, tablet or a professional streaming box through Axis network speakers, or connect a digital audio source such as AXIS Audio Player to play music in an analog speaker system. Axis also announces 2N SIP Mic, a compatible network microphone console for use in public address systems. This smart network microphone console offers 12 configurable buttons and allows for flexible paging in multiple zones, to make live announcements and play pre-recorded messages. What you should know: It is possible to combine all Axis network speakers in one system, with no central electronic equipment needed. Axisnetwork audio systems are based on open standards, which means they are easy to integrate with other systems.
www.tahawultech.com
Transcend’s DrivePro Body 52 body camera features a camera unit connected to the main unit by a flexible cable, allowing for a wide variety of attachment options. The device has been tailor-made for law enforcement, private security, and other professionals, the DrivePro Body 52 is rugged and durable to endure water and shock. The camera features a Sony image sensor to capture highresolution images with extremely fine tonal gradation even in low light. With built-in Wi-Fi, the DrivePro Body 52 allows users to live-stream footage and snapshots to iOS and Android mobile devices.
What you should know: The DrivePro Body 52 is comprised of a main unit and a separate, compact camera unit which can be securely mounted on uniforms or jackets. The camera features a wide 130° horizontal field of view, a large ƒ/1.8 aperture, and a Sony image sensor for high-resolution images with rich color even in low light.
Brand: D-Link Product: DIR-2680 D-Link and McAfee have announced the D-Link AC2600 WiFi router powered by McAfee (DIR-2680), an all-in-one solution that automatically increases security for devices on the home network and delivers on both companies’ vision to address the pressing need for online security as people’s lives become increasingly connected. The comprehensive solution includes D-Link’s high-performance dualband 802.11ac router with MU-MIMO technology that enhances network capacity and efficiency for users, McAfee Secure Home Platform that automatically protects all devices connected to the network, and the Intel Home Wi-Fi Chipset WAV500 Series to deliver robust Wi-Fi connectivity to numerous connected devices at the same time, running a range of highbandwidth applications. The new D-Link AC2600 Wi-Fi router powered by McAfee immediately and
automatically helps secure all connected devices at the network level in a home, including non-display IoT devices, providing an additional layer of protection from potential hackers and for members of the home using devices and accessing online content, said the firm. Designed for families and smart homeowners looking for the ultimate home networking without sacrificing privacy and security, the DIR-2680 keeps connected devices safer from unwanted intrusions and thefts. What you should know: The router has comprehensive parental control features that provide customised protection for children in the household. The DIR-2680 is easily set up with the D-Link Wi-Fi app and can be managed from anywhere with the McAfee Secure Home Platform app. The DIR-2680 AC2600 Wi-Fi router powered by McAfee will be available for purchase in Q2 2018. 02.2018
37
BLOG
HOW AI WILL BE A GAME CHANGER FOR CYBERSECURITY Rajat Mohanty, Co-founder, Chairman of the Board of Directors and CEO of Paladion
A
t the end of 2017, cybersecurity experts published their predictions for 2018. One big theme repeated in many
headlines: · Hackers to exploit AI technology for data breaches in 2018— Symantec · 2018: The gloves are coming of as cybercriminals leverage AI, profiling— CSO · An AI arms race and attacks on cryptocurrency among cyber security predictions for 2018— betanews These experts predict that AI will change the game for cybersecurity in 2018. But when you evaluate the state of cybersecurity at the end of 2017, you see that the game has already changed, and that in 2018 AI will simply intensify this change. Even before attackers deployed AI, enterprise adoption of cloud, mobile, and IoT already opened countless new vulnerability points. Cybercriminals already began to exploit these new angles of attack via sophisticated, highvolume, multi-dimensional attacks. And enterprises were already encouraged to switch to managed detection and response (MDR) services. Traditional prevention-focused, perimeter-based, manual security measures were already obsolete before anyone discussed AI-based cyberattacks. Enterprises were already flooding with hundreds—often thousands—of alerts, and hundreds of thousands of 38
02.2018
malicious files, to analyse every day. And conventional rules-based cybersecurity had already begun to fail against the plethora of unknown attacks—and often unknown attackers—facing enterprises. By the end of 2017, organisations already faced attackers who produced a flood of complex threat data much greater than they could handle with human-only teams. The addition of AI to automate and accelerate cyberattacks will offer a significant problem in 2018. But it is not a new problem—it is an escalation of the data-focused threat landscape we have already been contending with. AI will only deliver one big game change in 2018— cybersecurity providers will begin to deploy their own AI-driven defenses as a standard service. In 2018, at a base level, AI will give cybersecurity providers the power, speed, and precision they require to effectively handle the accelerating influx of threat data produced by modern cyberattacks. AI-driven systems will work much faster than any human could, and give cybersecurity experts the ability to contend with their massive volume of endlessly varied cyberattacks. AI will provide value throughout the entire IT stack, and enhance the entire spectrum of cyber defense activities. It will assist cybersecurity teams as they perform error-free monitoring of the entire IT stack, collect and analyse security data from different data repositories, track various threats, calculate existing vulnerabilities, and
triangulate existing breaches. In the event of a breach, the proper AI-driven system will offer intelligent recommendations for threat response, and allow cybersecurity teams to limit damage from a threat within minutes. Properly deployed, AI will give organisations near-real-time detection to their attacks. And, when properly applied to threat anticipation, AI will provide pre-emptive detection of attacks, by informing organisation about which new threats are likely to strike them, and giving organisations effective preventative capabilities for the first time in years. These capabilities are already deployed by best-in-class modern cybersecurity providers. But as cybercriminals increasingly leverage their own AI to augment their attacks in 2018, these capabilities will be seen as increasingly necessary at every level. 2018 will likely be a year of transition for AI in cyber defense. Many organisations are still using an MSSP, or have developed an internal SOC, which do not offer mature, end-to-end AI capabilities. But as more organisations adopt a managed detection and response (MDR) service, AI will become a standard element of every effective security posture. Organisations are waking to this need. Currently, 56% of organisations are actively deploying or investigating security as a service. That percentage will only increase in 2018, as AI continues to act as a major force in both cyberattacks and cybersecurity. www.tahawultech.com
IoT AND CLOUD INCREASE BUSINESS AND RISK. ORGANIZATIONS TODAY REQUIRE security that protects data wherever it goes â&#x20AC;&#x201C; across the entire network. To mitigate risk from outside your traditional network perimeter, full visibility and coordinated response is required. Fortinet is the only company with security solutions for network, endpoint, application, data center, cloud, and access that work together, sharing common functionality and threat intelligence. This collaborative and intelligent security fabric provides you with powerful, integrated end-to-end protection across the entire attack surface. Fortinet reduces your risk exposure so you can get on with business.
FORTINET SECURITY FABRIC
Adaptive end-to-end network security
www.fortinet.com/whyfortinet