Security Advisor Middle East | Issue 30


ISSUE 30 | SEPTEMBER 2018 www.tahawultech.com

BUILDING DEFENCES

INJAZAT DATA SYSTEMS CEO KHALED AL MELHI ON SECURING THE DIGITAL FUTURE

Multi-factor authentication

Data encryption

Red teaming





FOUNDER, CPI MEDIA GROUP Dominic De Sousa (1959-2015)


CONTENTS


Publishing Director Natasha Pendleton natasha.pendleton@cpimediagroup.com +971 4 440 9139

EDITORIAL
Managing Editor Michael Jabri-Pickett mjp@cpimediagroup.com +971 4 440 9158
Online Editor Adelle Geronimo adelle.geronimo@cpimediagroup.com +971 4 440 9135
Contributing Editors James Dartnell james.dartnell@cpimediagroup.com +971 4 440 9153
Janees Reghelini janees.reghelini@cpimediagroup.com +971 4 440 9167
Glesni Holland glesni.holland@cpimediagroup.com +971 4 440 9134

DESIGN
Senior Designer Analou Balbero analou.balbero@cpimediagroup.com +971 4 440 9140
Designer Mhar Delaben marlou.delaben@cpimediagroup.com +971 4 440 9156

ADVERTISING
Group Sales Director Kausar Syed kausar.syed@cpimediagroup.com +971 4 440 9130


Senior Sales Manager Sabita Miranda sabita.miranda@cpimediagroup.com +971 4 440 9128
Sales Manager Nasir Bazaz nasir.bazaz@cpimediagroup.com +971 4 440 9147
Business Development Manager Youssef Hariz youssef.hariz@cpimediagroup.com +971 4 440 9111

BUILDING DEFENCES

PRODUCTION
Operations Manager Shweta Santosh shweta.santosh@cpimediagroup.com +971 4 440 9107

Injazat Data Systems CEO Khaled Al Melhi discusses how the company aims to enable a secure future

DIGITAL SERVICES
Web Developer Jefferson de Joya, Abbas Madh
Photographer Charls Thomas, Maksym Poriechkin
webmaster@cpimediagroup.com +971 4 440 9100


Published by

Registered at Dubai Production City, DCCA PO Box 13700 Dubai, UAE Tel: +971 4 440 9100 Fax: +971 4 447 2409

ACCESS GRANTED Is multi-factor authentication key to ensuring a strong defence against threat actors?


Printed by Al Ghurair Printing and Publishing Regional partner of


© Copyright 2018 CPI. All rights reserved. While the publishers have made every effort to ensure the accuracy of all information in this magazine, they will not be held responsible for any errors therein.

A WHOLE NEW BALLGAME Why sports organisations need to put focus on cybersecurity

COMBATTING BIAS The reality behind ageism in the cybersecurity industry


RED TEAMING (PART 2) FireEye’s Mohammed AbuKhater delves into the different techniques and tools red teams use


LOCK YOUR DIGITAL TREASURES Why data encryption is vital for security

HUNTING FOR THREATS Gartner’s Anton Chuvakin on how to spot the next hack


NEWS

ESET ANNOUNCES NEW ENTERPRISE SECURITY SOLUTIONS

Juraj Malcho, ESET

Oman has reportedly warded off over 880 million cyber-attacks on government networks in 2017, three times more than 2016 when the country recorded 279 million such attacks. In addition, 1.41 million attacks specifically targeting government websites were successfully prevented in 2017, down from 1.75mn in 2016, according to the Information Technology Authority’s (ITA) Annual Report 2017.

According to the International Telecommunications Union’s (ITU) Global Cybersecurity Index (GCI) 2017, Oman is among the top five most cybersecure countries in the world and first in the Arab world. Oman’s ITA has two main divisions focused on cybersecurity: the Information Security Division (ISD), which is responsible for the security of government entities, and the Oman Computer Emergency Readiness Team (OCERT), which is responsible for the security of cyberspace in Oman and public awareness in the field.

55% of EMEA employees are not regularly thinking about cybersecurity. Source: Aruba, a Hewlett Packard Enterprise Company


UAE CRACKS DOWN ON CYBERCRIME WITH TOUGHER PENALTIES

Sheikh Khalifa bin Zayed Al Nahyan, UAE President

Cybercriminals in the UAE could face up to AED 4 million in penalties and a jail term of up to 25 years under the new law issued on Monday. UAE President Sheikh Khalifa bin Zayed Al Nahyan last month issued Emiri Decree No. 02 of 2018 amending the UAE Cybercrimes Law. According to the Decree, Article Nos. 26, 28 and 42 of Federal Decree-Law No. 05 of 2012 on Combatting Cybercrimes will be replaced with updated provisions.

The amendments, which have been passed as Emiri Decree No. 02 of 2018, have increased the penalties for setting up or running a website that incites hate, or publishing information that incites hate, to up to five years in jail and a fine of AED 500,000 to one million. According to the new law, first-time offenders may receive ‘electronic probation and monitoring’, and be prevented from using IT for the same time period instead.

Publishing or electronically transmitting information, news or cartoon drawings or any other pictures which may endanger the national security and the higher interests of the State or afflict its public order, or attacks on any member of the judicial courts system, is punishable by ‘temporary imprisonment’ and a fine of up to one million dirhams.

One of the amendments stipulates that an imprisonment period of at least ten years and not exceeding 25 years, and a fine of not less than AED 2 million and not in excess of AED 4 million, will be given to those publishing information for the use of terrorist groups, recruiting for the same or sharing data on manufacturing explosives or other devices used in terrorism.

AMAZON’S SMART HOME SECURITY FIRM SIGNS RETAIL DEAL IN UAE

Mohammad Meraj Hoda, Ring and Lukas Eigenmann, H&G

Smart home security firm Ring has announced that it is collaborating with Hitches and Glitches (H&G), a Dubai-based, technology-led home maintenance company, which is part of the Farnek Group.

As part of the collaboration, H&G will retail Ring products via its online store and install Ring’s smart home security products in residential communities in the UAE, providing effective, easy-to-use, affordable solutions for security-conscious homeowners and tenants.

“People in the Middle East are taking home security into their own hands to help protect and secure their family and property. Ring’s mission is simple: to reduce crime in neighbourhoods. Partnering with local service providers like H&G helps us expand our reach and makes Ring’s home security solutions more readily available to homeowners in the UAE,” said Mohammad Meraj Hoda, vice president, Business Development – Middle East at Ring.

Earlier this year, Ring was reportedly acquired by global e-commerce firm Amazon.com in a $1 billion deal.

The Ring products that H&G will retail and install include the Floodlight Cam, the first motion-activated security camera with two-way audio, HD video, built-in floodlights and a siren; the Spotlight Cam Battery, a long-lasting battery-powered HD camera with two-way audio and a siren; the Spotlight Cam Wired with two-way talk and a siren solution; and the award-winning Ring Video Doorbell 2 that helps you communicate with visitors from anywhere.


MICROSOFT STOPS RUSSIAN HACKING OF CONSERVATIVE GROUPS

Microsoft has revealed that it has recently prevented hackers associated with the Russian government from trying to steal user information from conservative groups that promote democracy and advocate for cybersecurity. In a blog post, the firm elaborated that its digital crimes unit (DCU) acted on a court order, disrupting and transferring control of a total of six internet domains created by a group known as Strontium, also known as Fancy Bear or APT28, which is associated with the Russian government.

Microsoft wrote in the blog, “We’re concerned that these and other attempts pose security threats to a broadening array of groups connected with both American political parties in the run-up to the 2018 elections.”

The attackers created websites to mimic three US Senate websites along with Microsoft’s Office 365 website and the sites of the International Republican Institute and the Hudson Institute. The International Republican Institute promotes democratic principles around the globe and has a board of directors that includes six Republican senators and a senatorial candidate.

The attackers created websites and URLs that closely resembled the sites that their victims would expect to receive email from or visit, Microsoft said. The type of attack is known as “spear phishing,” in which the hackers trick victims into entering their user name and password into the fake site in order to steal their credentials.

“To be clear, we currently have no evidence these domains were used in any successful attacks before the DCU transferred control of them, nor do we have evidence to indicate the identity of the ultimate targets of any planned attack involving these domains,” Microsoft said on the blog.

TREND MICRO EMPOWERS SECURITY TEAMS WITH ADVANCED ANALYTICS

Trend Micro has introduced advanced analytics capabilities for its network security solution, Deep Discovery. In addition to detecting and analysing advanced threats on the network, customers will be able to streamline investigation and response with automated analysis and correlation of network events, while maximising organisations’ limited IT security resources.

Organisations today are being squeezed on both sides, by an endemic cybersecurity skills shortage and increasingly determined threat actors, driving a heightened fear of missing new threats. They desperately need a way to simplify and prioritise threat information, accelerating detection and response.

“Nobody likes to be blindsided. Security professionals need to be able to see what is happening across their network and respond quickly when needed. They need to be able to filter the noise so they can focus on critical tasks,” said Eric Skinner, vice president of solution marketing for Trend Micro. “The new network analytics capabilities of Deep Discovery do just that, empowering organisations struggling with skills shortages to keep themselves protected and productive.”

Deep Discovery has enhanced the sharing of advanced threat information or indicators of compromise (IOCs) by leveraging standards-based formats and transfers (STIX, TAXII, YARA). All compatible security solutions an organisation uses, including the entire Trend Micro product family and third-party products, will have the up-to-the-minute threat intelligence. This simplifies IOC management for stretched IT teams.

CYBERATTACKS TARGETING UAE ENTITIES DOWN 39%: TRA

A total of 274 cyber-attacks targeted government, semi-government and private sector entities in the UAE during the first seven months of the year, according to the latest statistics from the Telecommunications Regulations Authority (TRA). According to the authority, cyber incidents are down 39 percent compared to the corresponding period in 2017.

The decline in reported attacks is attributed to the efforts made by the Computer Emergency Readiness Team, which is in charge of foiling all cyber-attacks against websites operating in the country.

According to the survey conducted by the TRA on the impact of the malicious exploits monitored from January through July, 150 attacks caused medium damage, 85 were of low impact, while 39 were critically harmful. All of these were aimed at defacing and blocking websites, in addition to other fraudulent purposes, according to the TRA statistics.

At the monthly level, 31 attacks were recorded in July against 42 in the same month last year, 12 of which were classified as having medium impact, 12 low and seven serious. Cyber-attacks seek to deface and block government websites, and include denial of service, hacking, deception, fraud, and identity and document theft.



FEATURE

ACCESS GRANTED

In an era when attack surfaces are growing, points of access are multiplying, and cyber-attackers are getting smarter, password-only authentication is increasingly becoming a thing of the past.


According to a recent study conducted by the IBM Institute for Business Value, 94 percent of C-suite executives expect their company to have a significant cybersecurity incident in the next two years — and less than 20 percent have a high level of confidence in their preparedness to combat these threats.

While password solutions are simple and comparatively easy to implement, they are becoming less and less reliable in protecting our data and identities. Passwords are simply no longer enough to combat the cyber threats that exist today and any organisation relying on them is placing its business and reputation at risk.

Today, more and more organisations are utilising multi-factor authentication (MFA) to prevent their systems from being compromised. MFA is seen as a complex and potentially more secure solution as it typically requires additional verification, such as biometrics including voice, retina or fingerprint recognition, making it harder for an attacker to bypass an organisation’s system.

“The most popular method being used is two-factor authentication which essentially makes use of a password in combination with a unique device like a security token, or unique code sent to a mobile phone,” says Wisam Yaghmour, regional sales director for MEA of US-based identity solutions firm HID Global.

According to Yaghmour, smart cards and biometrics used in conjunction with passwords are also becoming popular methods of MFA and are being used widely to access premises. “MFA methods are usually restricted to accessing highly secure premises or mission-critical data. It is complex, but is more secure than two-factor authentication as it provides an added layer of security which makes it difficult to crack,” he explains.

Verizon’s 2017 Data Breach Investigation Report (DBIR) revealed that 81 percent of hacking-related breaches leveraged either stolen and/or weak passwords, which was up from 63 percent in the previous year.

“This alarming trend clearly shows that today’s security isn’t working,” says Kamel Heus, regional manager for the Middle East and Africa at identity and access management solution company Centrify. “For our customers, we aim to ensure that the breach stops here by providing a single platform to secure each user’s access to apps and infrastructure in today’s boundaryless hybrid enterprise.”

In the region, MFA solutions play a crucial role in helping large organisations validate identities and control access to critical information, says Yaghmour. A study conducted by HID Global in the Middle East showed that ninety-five percent of polled C-level executives and senior IT decision-makers said that MFA was a fundamental requirement at their organisation.

“This demonstrates the reliability and robust adoption of the technology,” he says. “It provides intelligent-based authentication capabilities to ensure simplified and secure access to data and cloud applications.”

Currently, organisations across the banking and financial sector, governments and large enterprises, especially in oil and gas, energy and utilities, are making use of MFA technologies. “This solution is a popular choice for these organisations as it allows employees access to multiple platforms such as mainly collaboration solutions such as emails, databases and CRMs, sensitive data and mission-critical applications.”

The new perimeter

Employees, partners and contractors are able to access data from anywhere at any time, and combined with the fact that the traditional perimeter is dissolving, more work is being done to protect the identities of people (or devices) accessing information.

“Therefore, organisations in the region are being more vigilant when it comes to accessing their critical assets. We see that companies are being stricter in the way people are accessing data within the company boundaries or from outside,” says Heus. “There is no magic answer to defeating cyber threats, but with the right strategy, strong security policy and active engagement of all employees, the risk of a cyber-attack can be reduced.”

Implementing strong security controls and access policies is paramount to minimising the risk of loss – of credibility, revenue or even a dip in stock price as evidenced by the Day One market reaction to the recent Equifax breach.

Heus suggests implementing a Zero Trust approach, which urges organisations to assume that everything from users to endpoints to resources to devices is untrusted and must always be verified to decrease the chance of a major breach.

“Centrify’s Zero Trust Security assumes users inside a network are no more trustworthy than those outside the network. It presumes that everything (users, endpoints, networks, resources) is untrusted and must be verified first so that security is not compromised,” he explains. “The notion of a robust perimeter no longer exists and, thus, by combining identity assurance, and endpoint posture to grant access through a privilege model, lateral movement, phishing attacks, and other common attack vectors are reduced substantially.”

A Zero Trust policy centred around continuously verifying users and their devices, limiting access and learning from user behaviour will most likely stop breaches and cyber-attacks, says Heus. This process involves four key elements: verifying the user; verifying their device; giving just enough access; and learning and adapting.

STRENGTH IN NUMBERS

According to HID Global MEA regional sales director Wisam Yaghmour, MFA involves three authentication factors that have to be used in combination. These include the following: the Possession factor – this is usually a hardware device like a token or smart card that the user physically has in their possession; the Knowledge factor – this is what the user knows, usually a username or password; and the Inherence factor – this is an identifiable characteristic unique to the user such as biometrics, voice or iris scan.

“Using all three factors in combination provides a highly secure authentication method that is difficult for hackers to bypass. However, which method is better depends on various factors like cost, convenience, complexity, nature of the organisation and the information being secured,” he explains.

Businesses should take a holistic approach towards securing their data, says Yaghmour. An organisation-wide security practice needs to be adopted to prevent unauthorised access to high-value data:


1. Deploy efficient network security solutions – this is key as it encompasses security solutions that will protect the network through to the endpoints.
2. Educate employees on best security practices.
3. Introduce an Identity and Access Management solution – this will help apply fine-grained controls and allow you to restrict access to mission-critical data to the right employees.
4. Encryption for data protection – employees are free to work from smartphones, laptops, and remote workstations. A lack of encryption on these devices can lead to a data leak.
5. Create a BYOD policy – the trend of BYOD helps companies in improving employee productivity in a cost-effective manner, but it also opens the door for unauthorised access to sensitive data. So, it’s a good practice to have a strict BYOD policy in mind. This way, sensitive information can be kept securely in the personal devices of employees.
6. Create a strategy in case your business encounters a data breach.

Heus also urges organisations to implement a cyber hygiene awareness and education initiative for their staff to help them spot the warning signs of a phishing attack and social engineering.

“Most importantly, they need to use MFA on both a privileged and end-user level to stop the breach, without burdening the user. This is paramount to cybersecurity success.”

Ultimately, it is important to remember that with any security solution attackers are going to attempt to find new ways to penetrate our systems. But MFA can give organisations additional layers of security that will make a breach harder to achieve.




COVER STORY

BUILDING DEFENCES

As a Mubadala-owned company, Injazat Data Systems has dedicated its wealth of expertise towards developing innovative solutions and delivering services that empower the success of digital organisations. In an exclusive interview, CEO Khaled Al Melhi discusses how the Abu Dhabi-based firm is pioneering initiatives to support the UAE’s smart and safety vision and why security is a vital factor to the success of this endeavour.

What has been your key focus since taking the reins at Injazat Data Systems last year? What have been the major highlights at the company over the last 12 months?

I have been fortunate to be given the opportunity to lead a company of Injazat’s pedigree and track record. At the time of inception Injazat’s mission was to build world class IT managed services capabilities in Abu Dhabi and offer these services to clients to help them meet their growing IT needs securely and professionally. Looking back at Injazat’s achievements in the last 13 years, I am happy to say that Injazat has accomplished its mission to date.

So, my key focus when I took office in early 2017 was to talk to our customers to understand their future needs and challenges. Digital disruption is one common area of threat, however, it is also an opportunity. In essence, I found that our customers are looking for partners to help them digitally transform and solve complex business problems. Taking on this challenge made a lot of sense to us given our deep technology expertise and position as a trusted organization.

These conversations have led us to set a new vision and mission for the company. Injazat’s new vision is to be the region’s leading digital transformation partner. Our mission is to help transform the way our clients work by providing innovative, business-focused and secure technology solutions whilst supporting the sustainable diversification and growth of the UAE economy.

To be honest, I was impressed by the ability of the business to grow and adjust to the new strategy. We launched our new strategy in early 2017 and in the same year we were able to close a major DX Solution project, Hassantuk, and this year we closed another DX Solution in healthcare which is the Abu Dhabi Health Information Exchange. We made a lot of progress in building our DX Advisory capabilities, signed several partnerships, new customers and launched new services in security and cloud. We expect Injazat to grow by over 60 percent in 2018 and will continue to grow at double digits for the next few years. These are very exciting times for us and I am deeply proud of the efforts of all our team.

As a regional technology and IT security player, how does Injazat Data Systems aim to support the UAE’s smart and safe city vision?

Smart and safe city is among the five verticals we are focused on in our new strategy – others include education, healthcare, defense/industry and BFSI. For years we have been working with the Ministry of Interior to design and build Hassantuk, an initiative to connect building management systems across the UAE using Internet of Things technologies to an automated central command centre to automatically check the health of fire systems in critical buildings, verify actual incidents and support Civil Defense in their deployment. We signed the agreement in 2017 and the system is now live in hundreds of buildings and will be fully deployed in less than three years.

We are committed to continuously build on this experience and to provide other innovative solutions to the UAE and regional governments and residents. We are expanding our partnerships in this area and are currently working on other smart city initiatives.

How important is security’s role in helping regional organisations succeed in their digital transformation journey? How can Injazat Data Systems support companies in such endeavours?

Digital Transformation (DX) has gained substantial momentum globally and has rapidly become the centre of attention for senior management across all industries in the region. DX is a cornerstone of an end-customer’s experience, which is driven mainly by consumer passion and enthusiasm for digital services. In addition, with this region having one of the highest social media and mobile subscription rates in the world, the association that is formed between exposing personal information and digital service delivery amplifies the need for security. Increasingly, controlled access, information privacy, and strict data retention policies are being integrated to ensure that information is always kept safe and accessed only when needed and by the intended parties.

The reliability and security architecture of any organisation’s infrastructure is key to reaching this digital destination. Injazat is already the region’s leading provider of secure and robust managed infrastructure and hosting services.

Cutting-edge technology, hardware and security are only a part of what we provide to our customers in a manner that meets and exceeds all their computing requirements. Our mantra is to constantly deliver best of breed services leveraging cutting edge technology and our digital advisory team follows in order to support and motivate our customers to drive change successfully.

Our DX advisory team relies on two key strengths to succeed within any environment: firstly, we have an ecosystem of subject matter experts with varying backgrounds ranging from technology and enterprise architecture to change management, industry domain knowledge and strategy; more than that, the trust which the Injazat brand has earned through successful delivery of numerous engagements. It is also worth mentioning that our external partnership model encompasses world-class strategy consulting firms that have invested in sharing their resource pools with Injazat. That is a winning combination that is not offered by any other company in the region.

How do you think artificial intelligence (AI) and blockchain will redefine the security landscape?

AI and blockchain proficiency will depend on choosing what particular problems our clients have in cybersecurity and what business challenges they want AI to solve. Today at Injazat, we have begun several initiatives harnessing either new AI features that have been introduced in our existing cybersecurity solutions portfolio or those AI solutions that are incorporated into newly introduced services. These solutions are aimed at enhancing the overall efficiency and effectiveness of our next generation security operation centre and at improving the overall security maturity status of our clients. In either way, we are keen to understand and build use cases to walk our clients and the market through various ways in which AI and blockchain will redefine the cybersecurity landscape.

What differentiates Injazat Data Systems from other players in the market? What is your company’s ethos?

In addition to our track record in delivery, Injazat is technology agnostic which means we care first and foremost about selecting the right solution to our clients; as opposed to pushing our own products. Injazat is well funded and has an objective to support the diversification and growth of the UAE. Therefore, we take a long term holistic view in developing capabilities and opportunities. We are ready to partner with our customers and happy to have “skin in the game” in the right opportunities. We also enjoy a great reach in the UAE and abroad through our work and shareholder Mubadala Investment Company (MIC).

What kind of technologies, initiatives and strategies do you aim to introduce and invest into in the coming 12 months?

We have been heavily investing in building new capabilities in order to achieve our vision. Injazat’s business now spans 4 key areas:

Managed Services - whereby we offer end-to-end infrastructure, applications, security and cloud solutions to our customers. Our focus in this area has been to add more innovative services to our catalogue and improve our efficiency and cost base.

DX Advisory - this is a new capability offering digital transformation advisory to our customers in partnership with leading strategy consulting companies. Our team today comprises of SMEs in key industries, business architects and change management experts. This team helps our customers throughout the transformation journey.

Innovation Solutions - whereby we provide the place and expertise to our clients and Injazat to test and operationalise new technologies. We are building new capabilities in design thinking, quick prototyping and agile teams to be able to take a concept from an idea to reality.

DX Solutions - these are large complex projects that address industry specific issues. We have signed 2 Build Operate and Transfer (BOT) projects, Hassantuk and Abu Dhabi Health Information Exchange (HIE), whereby Injazat designs, builds and operates these digital infrastructure assets for MOI and DOH respectively. These projects are the ultimate demonstration of Injazat’s vision to partner with its customers to transform their businesses.

What advice would you give regional organisations to help them become cyber-resilient and succeed in the digital era?

Our two cents in this realm are to focus on the crucial pillars that is: 1) having complete visibility within your environment; 2) ensuring the appropriate people, process and technology is deployed; 3) leveraging the new technologies such as Big Data analytics, AI and machine learning to fully optimise the security operation centre; 4) having an effective threat intelligence programme in place; and 5) ensuring that you are measuring what you are managing where proper metrics, reporting, SLAs and KPIs are in place. At Injazat, that is the model we follow, and we continuously work with our clients to include that in their cybersecurity strategy.


FEATURE

A WHOLE NEW BALLGAME As major sporting events become increasingly digitised, sports organisations are increasingly concerned about cybersecurity. Daniel Bardsley investigates the potential risks posed by digital technologies in sports and how potential victims can help reduce opportunities for attack.


“Greetings citizens of the world. Allow us to introduce ourselves... We are Fancy Bear international hack team. We stand for fair play and clean sport.”

These slightly chilling sentences are how the cyber-hacking group Fancy Bear, which is thought to be linked to the Russian government, showcases itself online. Whatever the motivations behind its activities – Fancy Bear is thought to be linked to Russian military intelligence and is said to be doing the Kremlin’s bidding by targeting western nations – the group has certainly shaken up the sporting world by making public information about drug use in sport.

Not all of its hacks are linked to sport, but among those that are, one on the World Anti-Doping Agency’s database revealed that the British Tour de France cycle race winner Sir Bradley Wiggins had been given a therapeutic use exemption (TUE) allowing him to take a banned asthma drug. This 2016 bombshell and subsequent investigations have removed some of the shine from the reputation of a rider who also won the world time trial title and who retains the record for the longest distance cycled in an hour. If nothing else, the Wiggins case demonstrates that cyber-security breaches in sports are no trivial matter.

“If you look at the types of cyber incidents in professional sport, it’s a pretty long list. It affects teams globally in all types of possible attack scenarios,” says Merritt Maxim, a principal analyst at the research organisation Forrester and author of a recent report entitled “Securing the Internet of Sports”. “It’s a real trend and no organised sport is immune from potentially being victim to attacks like these.”

Attacks that are reported in the media are likely to be just a fraction of the total because, for example, many attacks in the United States probably fall outside of requirements for notification. With cyber criminals able to easily get hold of hacking tools, sports organisations, employees, teams, individual athletes and even fans are at growing risk as the sector digitises, with multiple potential vulnerabilities exposed.

Digital technology is being used to improve engagement with supporters, sometimes with cloud-based systems that allow teams to ramp up to high volumes when selling tickets, or through the use of apps that update fans during tournaments. “That provides a lot of benefits, but introduces security risks that companies have to think about,” explains Maxim, a keen sports fan himself who follows everything from cycling to winter sports.

Ray Kafity, vice president, Middle East, Turkey and Africa at Attivo Networks, says that the Internet of Things (IoT) is radically changing cybersecurity in sports by “adding digital dimensions into every facet of the sporting experience and expanding the attack surface.”

Devices might cover everything from athlete care to device-enhanced viewing, scoring systems and ‘smart’ stadiums. “In addition, stadiums and sports arenas have infrastructure vulnerabilities similar to smart buildings, wherein mission-critical functions are managed by a centralised network that can be compromised,” says Kafity. “A cybersecurity breach in the system can impact the integrity of the game being played, while direct and targeted cyberattacks against sporting events can create a new potential risk to the safety of fans.” Consequences could expand to include sports broadcasting, advertising, insurance, sports merchandise and more.

“I think it’s safe to assume it’s a global phenomenon and will continue to affect organisations directly involved with sport or indirectly for the foreseeable future,” says Maxim.

Just as the cyber-vulnerabilities are many and diverse, especially at events where tens of thousands of people might be present, so are the motivations behind attacks.


Political activism is one reason, such as when Tibet campaigners launched an offensive against the website of the 2008 Beijing Olympics. A further motivation is financial gain, with attackers trying to secure the payment information of customers through a website hack.

Ticket websites are vulnerable to other types of scams. “In 2015, cyber attackers schemed to hijack online ticket sales of the Rugby World Cup to force resale in secondary markets at increased prices,” says Kafity.

Meanwhile, phishing attacks by fraudsters looking to turn a profit may target more than just fans – sportspeople could fall victim too. “Certainly the athletes themselves are potential targets because they have assets. They make a lot of money and, therefore, they may be susceptible to being victims to a phishing attack. If some information is compromised, hackers could use that to do identity theft,” says Maxim.

Other incidents involve sporting espionage, such as a well-known example that came to light last year in which the scouting director of the MLB St Louis Cardinals baseball team accessed, for more than two years, the scouting database of his former team, the Houston Astros. He was able to commit this “insider theft” because he had kept hold of his user credentials.

Rivals might want to learn about the injuries that athletes on opposing teams have suffered, or to find out about training regimes, data that could also be used to manipulate betting. It is no wonder, then, that reports indicated that some footballers at this year’s World Cup in Russia were told not to use public Wi-Fi for fear that details about tactics, squad selection and the like might be stolen.

“Data in sports extends beyond a player’s value in the field. It is also linked to their popularity in bringing crowds into stadiums, viewership and retailing of merchandise,” says Kafity.


“This kind of data is used to analyse what a player means for the club’s bottom line. Information on players’ compensation could also be targeted and exploited.”

A distributed denial of service (DDoS) attack on the Swimming Australia website was blamed on Chinese hackers after a dispute between swimmers from the two countries. “It didn’t cause huge amounts of disruption, but if a rival team doesn’t like what’s happened, they may have cyber [hacks] to cause disruption to a rival organisation,” says Maxim.

The key to stopping an attack is, according to Kafity, “early detection and actionable response”, since this can derail incidents before damage is done. “In addition to early detection, sports organizations that invest in tools for threat and adversary intelligence will be able to better understand their security vulnerabilities, quickly isolate attacks, and prevent recurring attacks,” he adds.

“Many organisations are turning to deception technology for offence-driven security designed to significantly reduce dwell time and accelerate remediation by tricking attackers into making a mistake and revealing their presence in the network.

“It is widely recognised for its ease of operations, cost efficiency and ability to deploy across a wide variety of attack surfaces.”

Certain types of attacks can be difficult to defend against. For example, specialists have said that attacks on sporting event infrastructure are hard to simulate. So, the solution, some have said, may be to outsource defences to organisations that are able to assess the threats and introduce the necessary security barriers while employing the likes of proactive monitoring and threat intelligence.

But there are many relatively simple safety precautions that organisations themselves can take. If players are transferred from one team to another, for example, there should be a policy in place to ensure these people cannot continue to access their old club’s systems. Such measures may not be enough to keep the likes of Fancy Bear at bay, but they could be crucial in keeping the spying eyes of rivals away from potentially vital information.




INSIGHT

NEVER TRUST, ALWAYS VERIFY By Kamel Heus, regional manager, MEA, Centrify

The concept of Zero Trust is as profound in cybersecurity as the sweeping transformation generated by the arrival of cloud, mobility, agility, and availability. Gartner projects that worldwide security spending will reach $96 billion this year, yet we continue to read headlines validating that companies can’t address the threats fast enough, regardless of the growing list of vendors and solutions available. What’s even more surprising is that less than 10 percent of that spend is allocated for identity and access management.

The revolutionary concept of Zero Trust Security assumes that the threat actor may already be within an organisation and is posing as an employee of the organisation or, alternatively, has assumed the credentials of an employee of the organisation. The concept of Zero Trust seeks to limit the opportunity of such an internal threat actor to use the assumed employee credentials and breach other parts of the organisation.

Previous cybersecurity practices assumed the integrity of a user’s credentials at face value and chose to verify them subsequently. In the new paradigm, no user is trusted until both their credentials and device are rigorously verified. Identity access management solutions further grant the user access to the organisation’s resources, but only as much as is needed to complete their task, as mandated by their job role.

In this scenario, the employee or user is never trusted to access resources of an organisation that he/she is entitled to. It is assumed that a threat actor can assume the credentials of any user, at any time, and must therefore be limited in their access to an organisation’s assets and resources. In short, the user is never trusted and always verified during their access to an organisation’s assets.

The Zero Trust security best practice is applied to all types of users, including end users of IT, privileged users, suppliers, customers and partners. It also applies to all types of resources and assets, whether accessed through an application or a compute infrastructure resource.

The Zero Trust security best practice uses a four-step approach.

The first step is to verify the legitimacy of the user beyond the credentials of their username and password. Multi-factor authentication using personal information or another known device of the employee is the usual add-on practice.

The second step is to validate the endpoint or the device being used by the end user. Once an end user’s device has been enrolled and validated, the same device is associated with the user to validate an element of trust the next time it is used. However, if the end user chooses to use another device, from another location, then the credentials of that device will need to be authenticated and enrolled before the end user can gain access into the organisation using that particular endpoint device.

Once authenticated, the third step grants access to an organisation’s assets, but only as much as required for the task specified by their role. Users can therefore access multiple applications and compute resources only if it is required for their role. The more critical an application or a compute resource, the less access granted to an end user. The same controls exist for all types of users including administrators, who are usually the prime targets for any threat actor because they usually have the “keys to the kingdom.” The underlying control here is to limit lateral access of end users into multiple applications and compute resources, unless required for any specified task.

The last step is to make internal systems self-learning and adaptive through machine learning. While organisations need to be increasingly secure, continuously hindering employee productivity can lead to an anarchical internal work environment. Hence, it is critical that internal cybersecurity applications learn from user behaviour and actually enable their productivity in near normal situations, but raise red flags whenever there is a deviation from the normal. Other learnings that emerge could help chief security officers to moderate and adjust security policies to balance organisational concerns and employee productivity.

Organisations adopting a Zero Trust approach will increasingly find that it is the right path forward to rebuild their user and resource access policies.
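The four steps above can be read as one ordered access decision. The following Python code is an added example, not taken from the article or from Centrify; the user, role, device and resource names, the working-hours bucket and the thresholds are all assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field, replace

# Constructed sample policy: role -> resources that role needs (step 3).
ROLE_ENTITLEMENTS = {
    "hr_analyst": {"email", "hr_portal"},
    "db_admin": {"email", "payroll_db"},
}
CRITICAL_RESOURCES = {"payroll_db"}  # assumption: deviations here force re-verification
MIN_BASELINE = 5                     # assumption: requests observed before judging deviation


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    password_ok: bool   # result of the primary credential check
    mfa_ok: bool        # result of the second-factor check
    device_id: str
    location: str
    resource: str
    hour: int           # local hour of day, 0-23


@dataclass(frozen=True)
class Decision:
    action: str         # allow | deny | mfa_required | enrol_device | step_up
    reason: str
    flagged: bool = False


@dataclass
class PolicyEngine:
    enrolled: dict = field(default_factory=dict)   # user -> set of enrolled device ids
    baseline: dict = field(default_factory=dict)   # user -> Counter of observed features

    def enrol_device(self, user, device_id):
        self.enrolled.setdefault(user, set()).add(device_id)

    @staticmethod
    def _features(req):
        period = "work" if 7 <= req.hour < 19 else "off"
        return [("resource", req.resource), ("location", req.location), ("period", period)]

    def _deviation(self, req):
        seen = self.baseline.get(req.user, Counter())
        if seen[("obs", "total")] < MIN_BASELINE:
            return 0  # still learning: too little history to call anything unusual
        return sum(1 for f in self._features(req) if seen[f] == 0)

    def confirm(self, req):
        """Record a request as normal (clean allows, or after a passed step-up)."""
        seen = self.baseline.setdefault(req.user, Counter())
        seen.update(self._features(req))
        seen[("obs", "total")] += 1

    def decide(self, req):
        # Step 1: verify the user beyond username and password.
        if not req.password_ok:
            return Decision("deny", "invalid credentials")
        if not req.mfa_ok:
            return Decision("mfa_required", "second factor not verified")
        # Step 2: validate the device; an unknown device must be enrolled first.
        if req.device_id not in self.enrolled.get(req.user, set()):
            return Decision("enrol_device", "device not enrolled for this user")
        # Step 3: grant only what the role requires.
        if req.resource not in ROLE_ENTITLEMENTS.get(req.role, set()):
            return Decision("deny", "resource not required for role", flagged=True)
        # Step 4: compare with learned behaviour. Flagged requests are not learned,
        # so unusual activity cannot quietly become the new normal.
        score = self._deviation(req)
        if score == 0:
            self.confirm(req)
            return Decision("allow", "matches learned behaviour")
        if req.resource in CRITICAL_RESOURCES:
            return Decision("step_up", f"{score} unusual feature(s), critical resource", True)
        return Decision("allow", f"{score} unusual feature(s)", flagged=True)


def sample_request(**overrides):
    """Constructed request for a hypothetical user; keyword arguments override fields."""
    base = AccessRequest("amira", "db_admin", True, True, "laptop-01", "Dubai", "email", 10)
    return replace(base, **overrides)


def build_engine():
    """Engine with one enrolled device and a learned baseline of routine requests."""
    engine = PolicyEngine()
    engine.enrol_device("amira", "laptop-01")
    for _ in range(MIN_BASELINE):
        engine.decide(sample_request())
    return engine


if __name__ == "__main__":
    engine = build_engine()
    for req in (sample_request(), sample_request(device_id="phone-77"),
                sample_request(location="Elsewhere", hour=3),
                sample_request(resource="payroll_db")):
        print(req.resource, req.device_id, "->", engine.decide(req))
```

The order of the checks matters: behaviour is only scored for a verified user on an enrolled device requesting something the role allows, and `confirm` is the hook for feeding a reviewed or re-verified request back into the baseline.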




FEATURE

COMBATTING BIAS: the reality behind ageism in the cybersecurity industry

By Daniel Bardsley


Few have a longer or more varied experience of cybersecurity than Professor Norbert Pohlmann. In the 1980s, when cybersecurity was still an emerging field, he was working on his doctoral thesis, “Possibilities and Limitations of Firewall Systems.” He founded his own company, KryptoKom, and spent 15 years as a successful entrepreneur before entering academia. He now heads the Institute for Internet Security at the Westphalia University of Applied Sciences Gelsenkirchen in western Germany.

In cybersecurity, he recognises that the demand is often for young, relatively recent graduates – like those he trains at the university. “We have a master’s course in Internet security. We started this course maybe 10 years ago. Now, all the young guys coming from university today have a lot of experience. They have lectures in cybersecurity. We teach them what’s really needed,” says the 58-year-old. “The older guys who studied maybe 10-20 years ago, they haven’t enjoyed all these courses. You could say that’s a problem. Not every older guy has the opportunity to have additional courses outside the university.”

So, is cybersecurity a young person’s field? Certainly the tech sector as a whole is often seen as being one where opportunities narrow as people age; there have even been stories of workers having plastic surgery to retain a fresh-faced look.

The Vancouver-based business analytics company Visier looked at the subject for a 2017 report, “The Truth About Ageism in the Tech Industry.” Based on 330,000 anonymous employee records, the study reported that the average tech worker is aged 38, five years younger than the average non-tech worker. Millennials – those born from around the early 1980s onwards – make up 42.6 percent of the tech workforce, compared to just 26.1 percent outside tech. Meanwhile, people born between around the mid-1940s to the mid-1960s, or baby boomers, account for a mere 11.7 percent of the tech sector but 26.7 percent of the non-tech workforce.

The report found that there appears to be discrimination in the hiring of workers, with millennials hired ahead of members of Generation X (those born between 1965 and 1980) at a higher rate than in non-tech. “There’s different criteria that could drive it. One could be that younger workers are less expensive, so if you’re looking at your overall workforce composition and you’re trying to hit certain cost targets, you might want to have a larger proportion of younger workers,” explains Josie Sutcliffe, Visier’s vice president for marketing, who was heavily involved in producing the report.

But the preference for younger workers may be about more than keeping down the remuneration bill. There is, according to Sutcliffe, a conscious or unconscious bias that youth is associated with innovation or risk-taking, seen as ideal attributes in many tech environments.

“One of the [positives] of younger workers is that they haven’t learnt what doesn’t work, so they may be more likely to try things out and trust things than older workers,” she says.

Research by European academics has identified similar biases. When looking at ageism in IT, Dr Ricardo Twumasi, a lecturer at The University of Manchester in the United Kingdom, has found that many areas of the sector are “considered to be a young person’s field”. “Innovation was expected to come from the young rather than the more experienced workers,” says Twumasi, who is part of the university’s Alliance Manchester Business School.

Many of the negative stereotypes around older people that hold them back career-wise – being seen as unable to learn new things, less productive, more likely to take time off sick, at greater risk of retiring and leaving the organisation, and overqualified – are, Twumasi says, inaccurate. They are often based on “limited and faulty logic”. “Therefore, these stereotypes and the biases that lead to them need to be challenged,” he explains.

As long as age biases exist in tech, though, older workers are advised to consider how they market themselves. “If you’re an older candidate, you might want to come equipped to show examples where you’re showing that kind of innovation and pushing the envelope [often associated with younger workers],” says Sutcliffe.

Despite the negative stereotypes, employment prospects for mature IT workers are not overwhelmingly bleak. Although Visier identified a bias against the hiring of older people in tech, it also found that salary prospects as employees age are not worse than in non-tech. Also, when people are taken on in tech as older workers, companies do not use their age as a reason to pay them less. In addition, resignation rates among older workers in the technology sector are not higher than those of older workers in other industries.

Perhaps most interestingly, Visier identifies what it calls the “tech sage age”: once they hit about 40, workers in tech are increasingly likely to receive a “top performer” rating. By contrast, in the non-tech industries, such ratings become scarcer with age.

It is perhaps no wonder, then, that Sutcliffe suggests that companies “might want to take a second look at hiring practices” to achieve a more balanced workforce composition. Among the benefits could be a reduction in staff turnover. “There could be a significant cost saving with rooting out some of the ageism,” says Sutcliffe. “If you say that older workers are more likely to be loyal, that goes a long way to futureproof your organisation, more than if you just hire younger workers who will be more interested in job hopping.”

Twumasi notes that, aside from the moral and business cases against age discrimination, there is also the legal case. “More high-profile legal cases involving age [are] being brought to court and covered by the media,” he says. Indeed, in recent years the number of cases brought against Silicon Valley firms on the grounds of age discrimination has outnumbered those linked to race or gender discrimination.

In cybersecurity, where skills shortages have been widely identified, it could be especially important to value older workers. Pohlmann suggests that distance-learning courses could help them to learn the latest cybersecurity skills. “We cannot get enough young people helping to make IT more secure, that’s the reason we need older people,” he says.

THE PSYCHOLOGY OF DISCRIMINATION

Unpicking the human brain’s decision-making processes can help us to understand – and eliminate – biases in recruitment. Factors at play include selecting employees similar to oneself (members of the ‘in group’) and making quick, instead of slow, decisions.

“We tend to think with rules of thumb, or ‘heuristics’, which make decision-making much faster. However, when selecting, this is not the place for a quick decision,” says Dr Ricardo Twumasi of The University of Manchester. “We often think we are making a slow analytical decision, rather than a fast one, when we choose quickly, and then select reasons to justify our choice.”

Twumasi advises a scientific approach to selection, with rigorous job analysis followed by tests representing the job that will be carried out, and not relying too heavily on an interview. Having diverse assessors is also advised. In addition, care should be taken in the wording and images used in job adverts to ensure they do not indicate that a younger worker is being sought. A candidate’s age or dates of school or graduation should be removed from the application when it is being assessed.

“A selection process that is transparent is less likely to be discriminatory and offers defence to a potential legal challenge,” adds Twumasi.




FEATURE

SECURITY IN ACTION Daniel Bardsley examines how cybersecurity firm Darktrace is applying the latest artificial intelligence technologies to detect and combat cyber threats.

With its old colleges and picturesque river, where tourists like to take relaxed boat trips, England’s ancient university city of Cambridge exudes tradition. But while Cambridge has the second-oldest university in the English-speaking world – it was founded 800 years ago – the city is anything but stuck in the past. It has become a key centre for hi-tech start-up businesses, giving rise to the name “Silicon Fen”, the fens being the flat, often bleak landscape near to the city.

While there have been plenty of success stories, few Cambridge companies have done better than Darktrace, an artificial intelligence-centred cybersecurity company. The company was founded in 2013 through a tie-up between ex-intelligence officials and Cambridge mathematicians, and the research-and-development headquarters are now located in a state-of-the-art building in one of Cambridge’s numerous new business parks. It is here that the experts craft the technology that has allowed Darktrace to secure thousands of contracts across the world, helping the company’s value rocket above $1 billion.

“The growth has been absolutely phenomenal. We’re now 700 employees in five years,” says Emily Orton, Darktrace’s Cambridge-educated chief marketing officer and one of the company’s co-founders.

The statistics tell the dramatic story: sales in the second half of 2016 and first half of 2017 totalled about GBP 30.8 million ($40.1 million), up about 80 percent on the previous year, while the company is now valued at about $1.25 billion. The company’s total contract value is around $500 million and while Europe and the United States are the key markets, among its clients is the UAE-based Tristar, a Jebel Ali-headquartered liquid logistics company with operations in 18 countries.

Instead of focusing on firewalls, what marks out Darktrace is its use of artificial intelligence (AI) to identify and neutralise threats once they’ve entered a network. “This AI is at the core of the technology. You have to distinguish between the hype and meaningful applications,” says Orton, who is based at Darktrace’s central London offices.

“The prevailing approach was a firewall and perimeter to keep the bad guys out. That was no longer a model that was working. There’s so many ways you can get into the network – through the front door or the back door.

“There are so many potential vulnerabilities and there’s a range of criminal networks. You can buy hacking tools from the internet for $20.”

Drawing parallels with the immune system, the company calls its system Enterprise Immune Technology. It monitors the activity of an institution’s network to build up a picture of what is normal, so that deviations can be identified and neutralised. False positives – mistakenly identifying normal activity as suspicious – do happen, but despite the potential downsides, many blue-chip companies have put their faith in the method.

The technology has been developed to the extent that it can now deal with intrusions without human input, something that, according to Orton, was critical because ransomware, for example, might take just a matter of seconds to bring a network down. “Increasingly it’s a battle unfolding at computer speed,” she explains.

Darktrace now boasts thousands of clients worldwide, about 90 percent of them in the private sector. Reports have highlighted some offbeat wins that Darktrace’s technology has achieved at these diverse clients: a US tech firm told media that it had identified a Russian hack in its systems, while another notable success was highlighting ransomware that could have caused the venerable Church of England to fall victim. Among the public sector customers are parts of Britain’s National Health Service that signed up after the organisation was badly hit by the WannaCry ransomware attack of May 2017.

Darktrace has so far raised about $180 million from investors, with early backers including Dr Mike Lynch, the Cambridge entrepreneur who co-founded the enterprise software company Autonomy Corporation. Both of Darktrace’s co-CEOs, Nicole Eagan and Poppy Gustafsson, worked for the investment vehicle, Invoke Capital, that Lynch set up after selling Autonomy to Hewlett Packard. Darktrace’s most recent accounts made public indicate that the company is not profitable, but its continued ability to attract investment suggests positive long-term prospects.

But with cybersecurity still expanding rapidly, there are countless new entrants into the market. How will Darktrace deal with the competition? “There’s a lot of investment in this area – that will continue. I think there will be a bottoming-out of the market,” says Orton.

GENDER BALANCE AT DARKTRACE

Cybersecurity is not known for having a balanced gender ratio, with globally only about 10 percent of people in the field being female. Darktrace bucks the trend: both of the company’s co-CEOs, Nicole Eagan and Poppy Gustafsson, who is also one of the co-founders, are women, and the company’s overall gender ratio is not far off 50:50.

Darktrace’s rapid growth has seen each of the co-CEOs rewarded with industry accolades. Last year Eagan was named “AI Leader of the Year” at an awards ceremony run by a London technology magazine, while Gustafsson won the “Entrepreneur of the Year” award from City A.M., a London financial newspaper.

Emily Orton, the chief marketing officer and the only other woman among Darktrace’s 19-strong executive team, describes gender balance as “a very hot topic”. “In a company where the two top jobs are held by women, we are challenging expectations, and that’s very inspiring,” says Orton.

Darktrace does not have quotas, with the company instead “looking for the best people for the job”. Role models are important, says Orton, with other senior roles held by women, including the lead position in the Middle East. Orton noted, however, that the number of females in technical fields is still comparatively low, due to their lower representation as students of STEM (science, technology, engineering and mathematics) subjects.

Training programmes help the company to deal with the global human resources shortage in cybersecurity. “Part of our culture is to be open for people learning on the job. That allows people to acquire cyber skills that they may not have come on board with,” she says.

DARKTRACE IN THE MIDDLE EAST

The Middle East is not yet one of Darktrace’s main markets, but the company opened an office in Dubai in 2017 and is growing operations in the region. Recently it was announced that the Jebel Ali-based liquid logistics company Tristar is using Darktrace as it deploys more Internet of Things (IoT) technology.

Europe, Middle East and Africa (EMEA) accounts for about 40 percent of turnover, with most of this in the United Kingdom, while another 40 percent of business is done in the United States. The rest is taken up by the Asia-Pacific region.

“We’ve been operating in the Middle East for the past 18 months. We have a team of seven people,” says Emily Orton, Darktrace’s chief marketing officer. This number is roughly double the staff count of a year ago and annual sales growth in the region is about 50 percent.

“There’s clearly a lot of interest in protecting critical infrastructure,” explains Orton, adding that oil and gas, manufacturing and transport were key sectors. “These organisations have industrial networks – the networks that run the power grids or public transportation systems. Protecting industrial control systems is a massive priority for their governments. This is definitely important in the Middle East.”

In late 2017, the company launched Darktrace Industrial, a business unit focused on using AI to combat threats to infrastructure and industry. “We’re talking about systems that could be 50 years old and they’ve been retrospectively connected to the internet, so they’re vulnerable,” says Orton.

Orton says Darktrace “works across all industry verticals, from media to law to non-profit”, but she highlighted financial services as another key sector in the Middle East. “There’s a lot of concern around a systematic cyber-attack against trading platforms or the banking sector,” she says.




INSIGHT

RED TEAMING: WHEN THE COMPROMISE IS DESIRED (PART 2)

Last month, Mohammed AbuKhater, vice president, FireEye MEA, explained what Red Teaming is and its goals. In part two of the series, he delves into the different techniques and tools red teams use.

The Toolbox of a red team

As discussed in our previous article, the Tactics, Techniques and Procedures (TTPs) used by a Red Team vary depending on the goals, the rules of engagement, and the customer’s maturity level. For example, some Red Teams may require advance notice and approval to access a specific set of systems, while others may allow the Red Team to compromise any system on the network in order to achieve the objective. The following are some tools that a Red Team may leverage to complete their mission:

• Mimikatz: A popular tool used for password recovery. It allows the recovery of passwords in plain text from various Windows processes.
• FiercePhish: Platform used to automate phishing infrastructure setup. The platform includes phishing email templates, as well as the ability to send mass phishing email campaigns and track the progress of various phishing campaigns.
• Invoke-Obfuscation: Obfuscates PowerShell scripts to bypass PowerShell security controls and other endpoint security products.
• ReelPhish: Creates a phishing page to bypass two-factor authentication. A user is lured by phishing email to a spoofed page where they enter their access data and a two-factor token. The authentication token of the real site finally allows the Red Team access to the network. Note that ReelPhish is configurable for most multi-factor applications.
• Nmap: Used selectively for port scanning, and can also be used for host discovery and network enumeration. Most tests are performed manually, though, to actively avoid premature detection.
• Native Windows Utilities: Built-in Windows utilities such as nslookup, RDP, WMIC, SC, PowerShell, Netstat, NET, and many more. All these native utilities are used for various phases of the attack lifecycle, including persistence and lateral movement.
• Custom Command and Control (C2): Internally built remote access Trojans (RATs) that use encrypted payloads and communications for C2 communications into the network. C2 traffic is used to communicate to victim systems from the Internet.

Another important aspect of red teaming is to understand the most up-to-date TTPs attackers use today. Intelligence data gleaned from front line investigations provides insight that Red Teams use to build their techniques. Only security companies that have access to such intelligence data can truly test their customers’ defense capabilities.

What does a red team do when it has gained an initial foothold?

Once a Red Team has gained access to the corporate network, the following sequence of activities takes place:

1. Host-based persistence
2. Active Directory reconnaissance
3. Host-based privilege escalation
4. Lateral movement
5. Network-based privilege escalation (domain admin)
6. Additional reconnaissance to identify critical targets
7. Accomplish objective

As soon as the team’s target is identified in the network and access is secured, C2 servers are leveraged for exfiltration.

The methods used to perform these steps can vary from operation to operation. Usually, broad-based scans are not performed, and lateral movement to a new host only takes place if it gives the team access to valuable credentials. An experienced Red Team often takes advantage of misconfigurations, rather than vulnerabilities. Misconfigurations are usually not detected by vulnerability scanners and provide a direct way for the team to secure domain admin rights. Essentially, it is more challenging to detect an attacker exploiting a misconfiguration than an attacker running vulnerability scans on the network.
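Seen from the defender's side, the native Windows utilities listed above give a hunting lead: several of them run by one account on one host within minutes. The following Python example is added here and is not from the article or FireEye; the log format, sample events, time window, threshold and the use of mstsc.exe to stand for RDP are assumptions.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Built-in utilities named in the article. RDP is a protocol, so its client
# binary mstsc.exe stands in for it (an assumption of this example).
NATIVE_UTILS = {"nslookup.exe", "wmic.exe", "sc.exe", "powershell.exe",
                "netstat.exe", "net.exe", "mstsc.exe"}

# Constructed sample events: timestamp|host|user|parent image|image
SAMPLE_EVENTS = """\
2018-09-03T09:00:05|WS-014|alice|explorer.exe|powershell.exe
2018-09-03T13:02:41|WS-014|alice|cmd.exe|netstat.exe
2018-09-03T10:15:02|WS-022|bob|cmd.exe|nslookup.exe
2018-09-03T10:15:40|WS-022|bob|cmd.exe|net.exe
2018-09-03T10:16:11|WS-022|bob|cmd.exe|NET.EXE
2018-09-03T10:17:55|WS-022|bob|cmd.exe|wmic.exe
2018-09-03T10:19:30|WS-022|bob|cmd.exe|sc.exe
2018-09-03T10:21:07|WS-022|bob|cmd.exe|netstat.exe
2018-09-03T11:30:00|ADM-01|carol|powershell.exe|sc.exe
2018-09-03T11:31:10|ADM-01|carol|powershell.exe|net.exe
2018-09-03T11:34:45|ADM-01|carol|explorer.exe|powershell.exe
this line is malformed and must be skipped
"""

Event = namedtuple("Event", "time host user parent image")


def parse_events(text):
    """Parse pipe-delimited records, skipping lines that do not fit the format."""
    events = []
    for line in text.splitlines():
        fields = line.strip().split("|")
        if len(fields) != 5:
            continue
        try:
            when = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        host, user, parent, image = fields[1:]
        events.append(Event(when, host, user, parent.lower(), image.lower()))
    return events


def hunt_utility_bursts(events, window=timedelta(minutes=10), min_distinct=4):
    """Return leads: (host, user) pairs that ran many distinct native
    utilities inside one time window, busiest first."""
    per_account = defaultdict(list)
    for ev in events:
        if ev.image in NATIVE_UTILS:
            per_account[(ev.host, ev.user)].append(ev)

    leads = []
    for (host, user), evs in per_account.items():
        evs.sort(key=lambda e: e.time)
        best, left = None, 0
        for right in range(len(evs)):
            # Shrink the window until it spans at most `window`.
            while evs[right].time - evs[left].time > window:
                left += 1
            in_window = evs[left:right + 1]
            distinct = {e.image for e in in_window}
            if best is None or len(distinct) > len(best["utilities"]):
                best = {"host": host, "user": user,
                        "start": in_window[0].time, "end": in_window[-1].time,
                        "utilities": sorted(distinct)}
        if best and len(best["utilities"]) >= min_distinct:
            leads.append(best)
    # A lead is a starting point for an analyst, not a verdict.
    leads.sort(key=lambda lead: (-len(lead["utilities"]), lead["start"]))
    return leads


if __name__ == "__main__":
    for lead in hunt_utility_bursts(parse_events(SAMPLE_EVENTS)):
        print(lead["host"], lead["user"], lead["start"], "->", lead["end"],
              ", ".join(lead["utilities"]))
```

Administrators use the same utilities every day, so the threshold and window need tuning against a baseline of normal activity for each environment.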

What are the requirements to become a Red Team member?

Successful red teamers should have a broad knowledge of attacker TTPs. Most red teamers come from backgrounds such as system administration or software development. This background is important because a red teamer needs to know about source code analysis, system administration, networking, programming, reverse engineering, and exploit development. Knowledge in these areas not only helps the Red Team navigate unnoticed in foreign networks, but it also helps them to remain undiscovered for a period of time. This knowledge also helps the Red Team develop the tools it will use on the assignment. Since each network is different, it is advantageous for the Red Team members to have a wide set of skills. This way, the team has more of a chance of overcoming any security controls that they may come up against.

Final thoughts

On average, a Red Team will obtain domain administrator credentials within just three days after gaining initial access to the target environment. Without good detection mechanisms achieved by a successful Red Team engagement, threat actors have plenty of time to explore the target environment, spy on the organisation and steal critical data. A Red Team engagement is particularly worthwhile for organisations that need to protect valuable data assets. Attackers will continue to evolve their TTPs, so organisations must keep up. Testing under real-life conditions by a Red Team is a great way to take the next step towards security. It’s better to get a report than to become a headline.



INSIGHT

FIVE STEPS TOWARD CREATING GREATER CYBERSECURITY

Firas Jadalla, regional director, Genetec Middle East, Turkey and Africa (META), shares top tips on how Middle East firms can reduce risks of cyber-attacks.

Cyber-attacks around the world are on the rise. Whether they result in a data breach or a disruption in network or service availability, criminal cyber activity can have a huge financial impact on an organisation. The costs can include cleaning up and restoring a network as well as re-establishing trust with partners and customers alike. According to a 2017 research study conducted by the Ponemon Institute, the average cost of a data breach in the Middle East alone has reached $4.94 million.

Whether it involves the theft of millions of customer credit card numbers or theft of Intellectual Property (IP), a cyberattack can impact more than just the bottom line. As we’ve seen from high-profile cases in the news, your organisation’s reputation can be at stake. To mitigate the risks associated with an attack and achieve cyber resilience, you need to develop a comprehensive cybersecurity strategy and partner with trusted vendors.

Increasing your organisation’s cybersecurity can seem like a daunting task. But the following five steps can help get you started. They are based on a framework from the US Commerce Department’s National Institute of Standards and Technology (NIST), which provides guidelines, standards, and best practices for cybersecurity-related risk management. Here are the top five steps Middle East firms can consider to be more cybersecure:

• Identify. You must proactively monitor the market and potential threats and provide ongoing guidance and support to all your employees.
• Protect. Share cybersecurity best practices and ensure that everyone has access to the latest software, firmware, and cyber protection features.
• Detect. Monitor your systems closely, and, if you detect a potential vulnerability, share this information with all stakeholders, including those outside your organisation.
• Respond. In the event of a cyber breach, contain the impact and provide assistance to affected stakeholders as well as employees in your organisation.
• Recover. Support recovery planning within your organisation so you can restore any affected systems and services.

The importance of working with trusted vendors

Another important aspect of cybersecurity-related risk management requires assessing your supply chain. In general, effective supply chain risk management (SCRM) is essential for protecting and ensuring continuity and profitability and requires developing a network of trusted vendors. The same principle applies to the supply chain that provides an organisation with the components that make up their physical security system.

It is also crucial for any cybersecurity strategy that you protect your system by building a network of trust. Since any system is only as strong as its weakest point, you need to ask whether the manufacturer developing, or the organisation installing, devices on your network is trustworthy.

It’s important to remember that in our increasingly connected world, hardening your system against criminal cyber activity is about more than just securing your perimeter. It requires open and transparent communication because it can impact us all. Cybersecurity must be a true community effort.




INSIGHT

LOCK YOUR DIGITAL TREASURES

By Dr Aleksandar Valjarevic, head of Solutions Architecture, Help AG Middle East

Organisations in the Middle East work in a fast-paced and competitive environment. Data is the new oil, powering growth, efficiency and effectiveness. Translated into actionable intelligence using IT systems, data creates competitive advantage, and regional organisations in both the Government and Enterprise sectors have been highly successful in using the power of data and information technology to achieve customer-centric innovation.

But the volume of sensitive data generated by the modern enterprise is a double-edged sword. While it can be used to guide strategic decision making and create personalised experiences for customers, it raises a troublesome question: what happens when data is misused? What happens when a breach takes place? In short, organisations suffer remediation costs, reputation damage, loss of business and more. The inability to protect data also obstructs the successful use of new technologies such as cloud, big data and artificial intelligence because, along with their operational benefits, these also introduce new threat vectors and changing security paradigms.

The average total cost of a data breach for organisations in the Middle East is $5.31 million, as found by research conducted by the Ponemon Institute. This number reflects just how much of a financial impact a single data breach can have, a cost likely to cripple all but the largest organisations. Despite this persistent threat, only 30 percent of companies have a consistent encryption strategy implemented enterprise-wide. How is it that this paradox exists and why has data encryption been largely overlooked in enterprise security strategies?

‘Locking the Doors’ to valuable data

Organisations invest heavily in information security, creating layered security architectures and implementing various processes and technical security controls, yet they fail to consistently implement data encryption. If we draw comparisons between information security and physical security in a bank, not encrypting data would be analogous to not locking the bank vault. Yes, there are many physical security measures already in place (cameras, high walls, electric fences, many layers of doors, security guards, and motion sensors), yet one still needs to lock the vault! The reason organisations overlook the essential digital ‘locking’ with encryption is the perceived complexity of introducing and managing this technology, and its assumed impact on business processes.

A fine balance

Achieving confidentiality, integrity and availability of data is simply not enough anymore: IT teams need to ensure convenience for users, administrators and managers when implementing any kind of security control, and especially so when implementing data encryption.

At Help AG, our advice to enterprises is to implement data encryption solutions for all their sensitive data and in particular personal, financial, health, business operations, trade secrets and intellectual property related data. Also, any data leaving organisational boundaries, such as in the case of cloud services or the outsourcing of functions to third-party service providers, should be included in the encryption strategy.


This will soon become a mandatory component of security architectures and businesses that fail to implement effective solutions will continue to be easy targets for attackers.

Criteria for solution selection

Once the data for encryption has been determined, it is essential to implement the right encryption solution. In addition to budgetary factors, there are many criteria which should be given due emphasis.

While encryption is an open technology area, it is not without its standards and regulations, so trusting proven, tested and certified solutions is a good start. This narrows the playing field, leaving you to then focus on ease of deployment and management, both of which are essential to ensuring adoption and actual utilisation of the investment. To this end, a system which offers minimal impact on performance and business processes is also imperative as otherwise, it would be difficult to build a business case for the solution and push for enterprise-wide deployment.

From a technical standpoint, the solution must cover your organisation’s encryption requirements in multiple use cases and environments, from on-premise to the cloud, from big data to containers, and from application encryption and tokenisation to database encryption. Besides meeting immediate needs, this is necessary from a future-proofing standpoint.

Also important to the IT team is ease of management, and here a solution designed on open standards simplifies integration with other critical security systems, thereby enhancing the overall security architecture, simplifying utilisation and eliminating operational overheads.

Once all these parameters have been given their due consideration and appropriately fulfilled, the support of a skilled and trusted implementation partner offers the final piece of the puzzle, ensuring the solution is configured to the specific needs of your organisation, thereby allowing it to be leveraged to its full potential.

By using encryption, both for data at rest and in transit, you can ensure your organisation’s sensitive information is kept safe while still providing all the benefits that the ready availability of quality data presents to the modern enterprise.


INSIGHT

DISASTER RECOVERY 2.0

By Mohamad Rizk, manager, System Engineers, Middle East, Veeam

Unpredictability is a fact of life, and nature brings plenty of it. Be it flooding, fire or even earthquakes and hurricanes, businesses worldwide can be susceptible to a whole range of natural disasters. Unfortunately, business leaders normally don’t think it will happen to them. They have insurance and believe that is the box ticked. However, just because you might get a financial return if your data centre floods, that’s only part of the problem resolved. What happens to your services and data that keep your businesses running? The likelihood is you’re looking at some form of downtime and service outage, which is going to hit your business in all manner of ways.

Whether it is caused by cataclysmic weather, technological malfunctions or human actions, an IT outage can be devastating. But businesses can be put off extensive disaster recovery plans by the perceived cost and complexity. That leaves many relying on outdated and untested processes, or worse – without any recovery plan in place at all.

Once upon a time, organisations relied on the old ‘ten mile’ rule, to work out the appropriate distance to store data backups. But with recent natural disasters impacting whole cities – or even whole countries – such rules are now redundant. In today’s ever-changing environment, businesses can take advantage of the cloud and Disaster Recovery as a Service (DRaaS) to ensure that they are properly protected and always online.

Disastrous consequences

Businesses can suffer from a whole range of issues when an outage strikes. At the lower end of the scale, there’s the loss of employee productivity. This cost in itself can soon mount up, with Gartner estimating that firms lose on average $5,600 for each minute of downtime. But with the rise of digital, businesses are under more pressure than ever to deliver an “always on” service, as downtime can have serious consequences for their customers.

Think back to UK bank TSB’s three-week outage in April 2018. Thousands of the bank’s customers reported issues ranging from fines levied on outstanding payments to accounts being drained by fraudsters. Now there has been an eightfold increase in consumers leaving the bank, pushing it into a half-year loss, with a figure of £176.4 million attributed to the technology meltdown. All in all, the financial and reputational consequences of a disaster can be extensive.

An unplanned outage can happen to any business, at any time. IT teams have to ensure that they have a redundancy plan in place so that, as and when a company is affected, data remains available and the impact of the incident is mitigated as much as possible. Far from being a ‘nice to have’ or a sign of excessive caution, disaster recovery is a business imperative.


Safety in the cloud(s)

Disaster recovery has often centred on off-site servers, or even tapes, depending on how far back you go. But now, cloud computing offers an excellent alternative to these traditional disaster recovery methods, be it using disaster recovery as a service (DRaaS) from a service provider or simply putting backups in the cloud. Moreover, when an outage takes place, businesses don’t need to wait for on-premise servers to be recovered or incur the delays – and occasionally the risks – of having IT teams travel in person to the recovery site.

DRaaS is a valuable cloud-based model. The approach delivers comprehensive disaster recovery by replicating a business’ physical or virtual servers to provide failover. With DRaaS, business-critical applications can be up and running almost instantaneously after an incident.

Like other ‘as a Service’ models, DRaaS offers significant advantages for businesses of a range of sizes. The lower costs open up availability for smaller businesses, who could otherwise have struggled to implement such a service in-house. Equally, its scalability benefits the larger enterprises, whose needs might vary depending on the number of servers, applications and databases being used at any one time. And whatever the size of the company, IT teams recover valuable time that might otherwise have been dedicated to back-ups. As a result, DRaaS is an increasingly popular option, with 25 percent year on year growth predicted for the offering over the coming decade.

Implementing DRaaS

To develop the most appropriate strategy, and to evaluate the role of DRaaS, businesses must consider disaster recovery in the context of their overarching business strategy. The best place to start is with a business impact assessment. It’s important to work out which apps and business processes are most critical to keeping the business available all day, every day. Estimate the maximum amount of downtime the business can stand for each of these business processes before it fails. From there, work out what your ideal recovery targets would be for these apps and processes.

Running through some hypothetical scenarios might be helpful. How much data loss can you handle? How quickly do you need to be back up and running? How much would downtime cost the firm, in terms of output and broader consequences? All of these questions will help to define the recovery time objectives (RTOs) for the business and the best approach as a result.

Compliance is also an important consideration for scoping a disaster recovery strategy. With both the GDPR and NIS Directive in place, companies must ensure that they understand where specific data will go once shared. Any service provider worth its salt will be fully compliant with the legal requirements of the geographies they operate in. By finding the right platform, businesses can be confident that their strategy is both comprehensive and fully adherent to local laws.

A huge point that is often overlooked is that just having a disaster plan is not enough. You should look to regularly test the viability and quality of your backups to be certain they are completely recoverable, that the plan will function as expected and all data is where it needs to be (off-site, for example). The last thing you want during a disaster is to find that the plan hasn’t been completely implemented or run in months, or worse, discover there are workloads which are not recoverable.

Disaster recovery 2.0

It’s critical that businesses resist the temptation to bury their heads in the sand when it comes to disaster recovery. IT outages can happen to anyone – and IDC estimates that 80% of businesses that don’t have a disaster recovery plan will simply fail when one takes place. When it comes to your data and IT services, there is a significant risk a business may never recover if it’s not adequately prepared.

We live in a digitally transformed world and many businesses can’t operate without the availability of systems and data. These simple points above can bring about the resiliency organisations need to effectively handle disasters, and prove their reliability to the customers they serve. So, while the full value of DRaaS might not be realised immediately, the right disaster recovery plan could prevent an outage from becoming a catastrophe for your business.
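The recovery targets and regular restore testing described under "Implementing DRaaS" can be checked mechanically once they are written down. This Python example is added here and is not Veeam's or the author's code; the application names, records, finding codes and the 90-day limit on restore-test age are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed recovery targets, as a business impact assessment might set them.
# rto: longest downtime the process can stand; max_data_loss: how much recent
# data the business can afford to lose.
TARGETS = {
    "payments-db": {"rto": timedelta(minutes=30), "max_data_loss": timedelta(minutes=15)},
    "crm":         {"rto": timedelta(hours=4),    "max_data_loss": timedelta(hours=1)},
    "erp":         {"rto": timedelta(hours=2),    "max_data_loss": timedelta(hours=1)},
    "file-share":  {"rto": timedelta(hours=24),   "max_data_loss": timedelta(hours=24)},
    "hr-portal":   {"rto": timedelta(hours=48),   "max_data_loss": timedelta(hours=24)},
}

# Constructed backup and restore-test records (hr-portal has none on purpose).
RECORDS = {
    "payments-db": {"last_backup": datetime(2018, 9, 1, 11, 50), "offsite": True,
                    "last_restore_test": datetime(2018, 8, 20, 3, 0),
                    "restore_took": timedelta(minutes=22), "restore_verified": True},
    "crm": {"last_backup": datetime(2018, 9, 1, 9, 0), "offsite": True,
            "last_restore_test": datetime(2018, 3, 1, 3, 0),
            "restore_took": timedelta(hours=3), "restore_verified": True},
    "erp": {"last_backup": datetime(2018, 9, 1, 11, 30), "offsite": True,
            "last_restore_test": datetime(2018, 8, 25, 3, 0),
            "restore_took": timedelta(hours=6), "restore_verified": False},
    "file-share": {"last_backup": datetime(2018, 9, 1, 2, 0), "offsite": False,
                   "last_restore_test": None,
                   "restore_took": None, "restore_verified": False},
}


def assess(targets, records, now, max_test_age=timedelta(days=90)):
    """Return {application: [finding codes]}; an empty list means the
    application meets its targets both on paper and in its last restore test."""
    report = {}
    for app, target in targets.items():
        rec = records.get(app)
        if rec is None:
            report[app] = ["NO_BACKUP_RECORD"]
            continue
        findings = []
        if now - rec["last_backup"] > target["max_data_loss"]:
            findings.append("BACKUP_OLDER_THAN_TOLERATED_DATA_LOSS")
        if not rec["offsite"]:
            findings.append("NO_OFFSITE_COPY")
        if rec["last_restore_test"] is None:
            findings.append("RESTORE_NEVER_TESTED")
        else:
            if now - rec["last_restore_test"] > max_test_age:
                findings.append("RESTORE_TEST_STALE")
            if not rec["restore_verified"]:
                findings.append("RESTORED_DATA_FAILED_VERIFICATION")
            if rec["restore_took"] > target["rto"]:
                findings.append("RESTORE_SLOWER_THAN_RTO")
        report[app] = findings
    return report


def worst_first(report):
    """Applications ordered by number of findings, most exposed first."""
    return sorted(report, key=lambda app: (-len(report[app]), app))


if __name__ == "__main__":
    result = assess(TARGETS, RECORDS, now=datetime(2018, 9, 1, 12, 0))
    for app in worst_first(result):
        print(f"{app:12} {', '.join(result[app]) or 'meets targets'}")
```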



INSIGHT

HOW TO HUNT FOR SECURITY THREATS

By Anton Chuvakin, vice president and distinguished analyst, Gartner

Organisations ready to take the next step in threat detection tools and methods should explore the emerging practice of threat hunting as a way to improve their security and monitoring operations.

IT security teams are constantly on the lookout for the next hack or vulnerability. As attacks become more advanced and pervasive, the concept and practice of threat hunting has emerged. To hunt for security threats means to look for traces of attackers, past and present, in the IT environment. Organisations that employ threat hunting use an analyst-centric process to uncover hidden, advanced threats missed by automated, preventative and detective controls.

The practice is distinct from threat detection, which relies heavily on rules and algorithms. If you can simply write a rule, write a rule. But then you don’t need to hunt. While threat hunting includes the use of various tools and processes, people are at the core. These rare IT security professionals are highly and uniquely skilled, are known as threat hunters, and the best ones have a combination of systems, security, data analysis and creative thinking skills.

Key characteristics of hunting

To understand what threat hunting is and how it works, familiarise yourself with the characteristics central to the practice.

• Proactive. Hunting is about looking for an intruder before any alerts are generated. Proactive in this context refers to taking action before the intrusion alerts, not before intrusions occur.
• Clues and hypotheses. Hunting focuses on following clues and ideas, not “cooked” conclusive alerts from tools and rule-based detections. However, hunting informs outputs that can later become rules.
• Analyst-centric. The practice is analyst-centric. The tools used by hunters play an auxiliary role in helping them see hidden threats.
• Breach assumptions. Hunters assume that a breach, or traces of one, however subtle, have been left by the attackers in your IT environment.
• Interactive and iterative. Although hunting involves a process of following an initial lead or clue, there will likely be many pivots and “side quests”, all in pursuit of intruder evidence.
• Ad hoc and creative methodology. Most experts agree that hunting is not about following the rules, but rather a creative process and a loose methodology focused on outsmarting a skilled human attacker.
• Knowledge-reliant. Threat hunting relies on both advanced threat knowledge and deep knowledge of the organisation’s IT environment. Organisations then learn more about their IT environment and find the places where attackers hide.

Do you need a threat hunter?

Threat hunting is suitable for well-resourced security organisations facing persistent and stealthy threats. Those who hire a threat hunter or team of hunters have typically maximised their alert triage and detection content development processes and matured their security incident response functions. The following questions will help you to determine whether or not you need to hire a threat hunter or team of hunters:

• Are you targeted by stealthy advanced threats?
• Do you have a legitimate need to push threat response time to before the time of the first alert?
• Are you worried about residual risk after security controls are deployed and matured?
• Have you had incidents that did not start with an alert?

If your answers indicate that you should undertake threat hunting:

• Are you able to hire and retain top-notch security personnel?
• Have you already improved and optimised detection and response controls and processes?
• Do you have a mature security operations centre?
• Do you have enough visibility over your environment?

Organisations can get started with a consultant, vendor or an existing employee: someone who occasionally conducts ad-hoc hunting activities, but has not yet been formally made a hunter. While outsourcing options do exist, few vendors have the required capabilities. Many are managed security service providers (MSSPs), not managed threat hunting (MTH) providers.




INSIGHT

A NEW THREAT IN THE HORIZON By Sreeraj Gopinathan, head of Threat Anticipation Services, Paladion

C

Consider yourself warned: There is a new threat blowing up in the news, and it’s capable of exploiting most computing devices in operation today.

What is NetSpectre?

Recently discovered by a team of security researchers, NetSpectre is a variant of the new Spectre family of attacks. Spectre attacks take advantage of a chip feature called “speculative execution”. Speculative execution was originally designed to improve CPU performance, but cybercriminals have developed a way to exploit it: Spectre attacks abuse this feature to trick computers into leaking sensitive information.

First, nearly every modern computing device is vulnerable to them. The speculative execution feature that they exploit is found in Intel, AMD, and ARM chips. These chips are present in computers, mobile devices, cloud servers, and almost any other device you can think of that has been produced since 1995.

Second, while Spectre attacks can potentially be patched, they may not be fully solvable through software improvements alone. To fully mitigate this exploit, it is likely that a device’s processor architecture needs to change at the hardware level.

Earlier versions of Spectre attacks were dangerous enough. But now NetSpectre has emerged, and it carries with it a new feature that suggests Spectre attacks are about to become even more dangerous than they originally appeared.

What makes NetSpectre so dangerous?

On the surface, NetSpectre operates like many other Spectre attacks. As the Hacker News explains, with NetSpectre, a cybercriminal can, “write and execute malicious code… to extract data from a previously-secured CPU memory,” giving that attacker access to “passwords, cryptographic keys, and other sensitive information”.

Previously known variants of Spectre attacks had a limitation: the attacker first needed to get the victim to download and execute malware on their computer, or to access an insecure website that was running malicious JavaScript, before they were able to launch their Spectre attack.

But NetSpectre does not share this limitation. NetSpectre can be launched over a network, including across LANs and between virtual machines in Google’s Cloud. As Bleeping Computer explains, NetSpectre, “can simply bombard a computer’s network ports and achieve the same results,” as previous, more involved Spectre attacks.

NetSpectre itself can only exfiltrate data at relatively low speeds, and thus requires a substantial amount of time to achieve its objectives. But it carries a frightening promise: this new threat demonstrates a potentially devastating, previously unknown exploit in the majority of the world’s computing devices. And you can bet that cybercriminals are hard at work developing new, faster, and even more dangerous threats to exploit this same vulnerability.

How to beat back NetSpectre, and its next evolution

The good news is: You’re not alone in your fight against NetSpectre and its variants. Google remains hard at work, funding research to discover new Spectre exploits before they appear in the wild. And earlier this year, Intel released a series of patches that began to mitigate their speculative execution vulnerabilities.

These patches appear to close the NetSpectre vulnerability. So if you have been aware of these emerging Spectre attacks, and updated your systems accordingly, then you should be protected against NetSpectre. But if you have not updated your systems accordingly, or if you are unsure whether you have patched this vulnerability, then please take some time today to do so.

While it is heartening to hear that the OEMs behind these vulnerabilities are attempting to correct them, cybersecurity is an “all hands on deck” activity. Whether you are a business owner, a security professional, or simply an individual user, you share some responsibility for ensuring your network’s safety. And that begins with continued awareness of what threats are emerging, and how to protect yourself against them.
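For readers unsure whether a Linux host has been patched, as discussed above, this added example (not from the article) reads the kernel's own Spectre mitigation report under /sys/devices/system/cpu/vulnerabilities. The Linux-only scope, the choice of the spectre_v1 and spectre_v2 entries and all function names are assumptions of this example; a "mitigated" verdict repeats what the kernel reports and is not an independent test.

```python
"""Audit the Spectre mitigation status a Linux kernel reports (added example)."""
from pathlib import Path

# sysfs directory where Linux kernels publish CPU vulnerability status.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
# Spectre-family entries checked by default (an assumption of this example).
SPECTRE_ENTRIES = ("spectre_v1", "spectre_v2")


def classify(status: str) -> str:
    """Map a sysfs status string to ok / mitigated / vulnerable / unknown."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "ok"
    if s.startswith("Mitigation"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def audit(base: Path = SYSFS_DIR, entries=SPECTRE_ENTRIES) -> dict:
    """Return {entry: (verdict, raw_status)} for each requested entry."""
    report = {}
    for name in entries:
        try:
            raw = (base / name).read_text().strip()
        except OSError:
            # Missing file: the kernel predates this interface, or not Linux.
            report[name] = ("unknown", "status file not present")
            continue
        report[name] = (classify(raw), raw)
    return report


def needs_action(report: dict) -> list:
    """Entries not confirmed safe: patch or investigate these."""
    return sorted(name for name, (verdict, _) in report.items()
                  if verdict in ("vulnerable", "unknown"))


if __name__ == "__main__":
    result = audit()
    for name, (verdict, raw) in result.items():
        print(f"{name:12} {verdict:10} {raw}")
    pending = needs_action(result)
    print("Action needed:", ", ".join(pending) if pending else "none")
```

An "unknown" verdict is treated as needing action on purpose: a kernel too old to expose these files is usually also too old to carry the mitigations.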

