STOPATTACKS Before they stop your business. #ExpectTheUnexpected
Discover the all new security, continuity and deliverability for email and learn how to secure your business with the Retarus Enterprise Cloud. Meet Retarus at it-sa 2019 in Nuremberg. From 8 - 10 October in Hall 11.0, Stand 520. Get your free ticket for it-sa 2019: retarus.de/it-sa
contents
cybersecurityeurope
INDEX Cyber security governance in organisations is changing: European executives are now taking a greater role in strategic decision-making. 08 editor’s view
The maintenance of cyber security is proving costly for all European organisations. Some form of tax credit for GDPR compliant companies would offset the overhead and encourage GDPR laggards to catch-up.
10 it-sa 2019 welcome
Event Director Frank Venjakob sets the scene for the event that has established itself as the ‘Home of IT Security’, and considers the challenges digital transformation presents for European organisations.
12 IT-SA 2019 floorplan
Our at-a-glance floorplan will help maximise your time at it-sa 2019, and ensure that you find key exhibitors and speaker presentations.
EVENT NEWS
16 news round-up
Organisations on risky app installation spree… Digital complexity poses bigger risk than human error… European companies unable to detect cloud attacks… 30% of companies are still not GDPR compliant... Europol partners with NTT Security. Deutscher inhalt vorhanden
21 VIEWPOINT: LESSONS LEARNT FROM A PPP ON CYBER SECURITY
FOCUS
A European Public-Private Partnership in cyber security has sparked a discussion on the importance of attaining a good level of digital autonomy, explains ECSO’s Luigi Rebuffi. Europe must now act quickly: cyber security is fast becoming the security of everything.
THE NETHERLANDS 34 The Low Countries are on high alert as the Dutch nation seeks to make the Netherlands Europe’s cybersecurest place for the conduct of business. However, the country’s digital dependency also represents a tantalising target for gathering cyber threats.
O4
26 How to build a threat intelligence strategy
Truly effective enterprise Threat Intelligence programmes must make information sharing – at all levels of an organisation - a top priority for full-function cyber defence strategies. Here’s how it can work for you.
44 MALICIOUS BOTS will eat your business
‘Bad’ bots will screw up your business ops from several directions at once, so it’s important to know all the different types out to get you.
50 cyber security europe Deutsche Inhalte
Als Teil der it-sa 2019 Ereignis präsentieren wir Ihnen 16 Seiten redaktionellen Inhalts in deutscher Sprache, mit Artikeln zu drei Schlüsselthemen des europäischen Cybersicherheitsmanagements: böswillige Bots Seite 52, Gesichtserkennung Seite 58 und den Stand der Datensicherheit in Europa Seite 64.
INTERVIEW
ARNE SCHÖNBOHM, BSI 70 The national cyber security authority for Germany, the Federal Office for Information Security (BSI), is leading initiatives to make certification key to the country’s digital cyber defence strategy, explains its forthright President Arne Schönbohm in our exclusive Q&A.
O5
contents
cybersecurityeurope
Director Alexander Collis Managing Editor James Hayes Creative Director – Digital/Print Lee Gavigan Operations and Production Alena Veasey Accounts Controller Martin Reece Project Services Alex David, Jeffery Hoffman, Helen Sinclair
Cyber Security Europe is produced and published by World Show Media Ltd Tel: +44 (0) 203 960 1999 Fax: +44 (0) 845 862 3433 Website: worldshowmedia.net For all sales enquiries: alex.david@worldshowmedia.net For all corporate enquiries: corporate@worldshowmedia.net
76 COVER STORY: FACIAL RECOGNITION
Facial recognition is being tipped as the biometric modality of choice for physical premises security. But will enterprise employees countenance a daily face scan? And what are the cyber security challenges facial recognition systems face in order to ensure that its data is kept secure?
84 data security enters UNKNOWN TERRITORY
PAIN AND PERKS
The latest edition of IDC/Thales European Data Threat Report surveys the cyber security challenges organisations in four key countries across the continent.
92 EXECUTIVE STRESS: IN THE FIRING LINE
Executives with cyber security responsibility and their confreres must tackle an escalation of occupational stress before chronic mental strain leads to indecisive thinking, dependency problems, personal burnout, possible job losses, and – ultimately – IT security failures.
98 BUSINESS EMAIL compromise: money on the move
Business Email Compromise - BEC - pays big. Concerted attacks that use bogus emails, social engineering and human response exploits have enabled scammers to seamlessly defraud global organisations of (wait for it) €23,613,082,890 since 2016. We explain how it works.
Cyber Security Europe is published by World Show Media Ltd and provides business and government executives with the intelligence and insight required to prepare their organisations for the ever-changing cyber threat landscape. Copyright © 2019 World Show Media. All rights reserved. No part of this publication may be reproduced, stored in any retrieval system or transmitted in any form or by any means, electronic, photographic, recording or otherwise, without the prior permission of World Show Media and it-sa. The ‘it-sa’ trademark is owned and protected by NürnbergMesse GmbH. While every effort is made to ensure information is correct at the time of going to press, neither the publisher nor event organisers can be held responsible for any errors, omissions and changes to the event programme and publication content.
IT-SA programme highlights 104
O6
it-sa 2019’s Supporting Programme provides a wide range of knowledge gain opportunities. Here are the Editor’s Picks from the three days of presentations.
Sign-up for Cyber Security Europe’s free e-newsletter – browse to: cseurope.info/subscribe
cybersecurityeurope
advertorial
BE STRONGER TOGETHER Businesses must partner with colocation data centre partners capable of enabling business models ready for today’s smart economies. WE LIVE IN A TIME OF EVER-GROWING CYBER THREATS. THE RAPID TECHNOLOGICAL CHANGE IS a contributing factor especially: with disruptive digital business models based on ecosystems and possibly billions of interconnected IoT devices everywhere. It is necessary to take the right action and establish a comprehensive cybersecurity strategy that’s consistent with the emerging smart economy. Today, it is the business model, not the product, which defines whether a company is going to be successful. To cope with the unprecedented amount of data, small and medium-sized businesses, in particular, need to work with colocation partners. These have to provide highperformance and scalability, and ensure topmost security standards for hardware and software. Moreover, the colocation data centres must supply high availability, uninterruptible power supply (UPS), camera surveillance, multi-level access control, 24-hour security service, as well as comprehensive fire protection and up-todate cybersecurity protection. Globally-recognised certificates help customers to determine whether a provider fulfils all these requirements. The Germany-based colocation data centre provider maincubes, for example, holds several certificates from TÜV, along with the ‘IT Security made in Germany’ certificate by TeleTrust, Germany’s federal association for IT security. This shows that maincubes meets the highest security standards. COMPANY INFO
They include the EU General Data Protection Regulation and the Bundesdatenschutzgesetz, Germany’s data protection law. The company will be also at it-sa 2019 in Hall 9/9-507. Colocation data centre providers need to establish a cybersecurity strategy which follows the ‘ecosystem approach’. A digital ecosystem enables an environment in which its members are not isolated entities but interconnected – always sharing and exchanging information. With partners, maincubes has therefore developed secureexchange®, a secure platform which offers particularly secure and efficient ecosystems for connectivity and cloud services. As a colocation service provider, maincubes is thus the perfect partner for hybrid cloud scenarios.
MAINCUBES
maincubes is part of the German investor and real estate developer Art-Invest, which is part of the German construction conglomerate Zech Group. maincubes offers colocation services and secure ecosystems through its data centers based in Frankfurt and Amsterdam, and a network of high-availability data centers in Europe.
maincubes’ secureexchange® is a secure digital platform that enables the company’s customers and partners to use sophisticated IT services worldwide.
CONTACT DETAILS For more information please go to: | maincubes.com | info-de@maincubes.com
07
viewpoint
cybersecurityeurope
Cyber security is proving costly for European organisations. Tax credits for companies with GDPR compliance would offset the overhead. ONE OF THE MORE STRIKING POINTS TO EMERGE FROM THIS ISSUE’S EUROFOCUS review of cyber security characteristics in the Netherlands (page 34) is that country’s state-level commitment to the criticality of cyber security to both economic stability and economic attractiveness. It’s a commitment that’s hardwired into many articles of the Dutch state legislature. This admirable stance is one that all nations should study, be influenced by. Despite their wealth, European economies rely heavily on investment coming in from far beyond their borders. Such funds – be they in renminbi, real or rupee – look for assurance of a fullyassured return on investment – a return that will not be compromised or diminished because of successive cyber crime activity. Experts often refer to the ‘evolution’ of cyber threats; in fact, in many instances, threats are not so much evolving as devolving. I call it metamorphis (not really a proper word, I know – please don’t email): by it I mean that threats have changed shape, have become more automated. Attacks that used to be perpetrated by human agents are now perpetrated by software entities. These nimble massed-attackers have now developed to become largely self-managed, and – according to some industry commentators – largely out of control. Expect this automated threat to worsen when your Black Hatted foes deploy Artificial Intelligence tools. REACH OUT
This issue’s feature on malicious bots (see pages 44 (English) and 52 (German)) provides ample insight into the direction this challenge has taken. They proliferate and spread and prevent Europe’s economies from achieving their fullest potential. They infiltrate and de-energise digital processes that should be enabled to boost common prosperity. Europe needs innovative new initiatives that will bring much-needed continuity to the good
Attacks that used to be perpetrated by human agents are now mounted by malicious software entities. cyber fight. Forms of tax credit for companies that have proven compliance with IT security and data protection legislation, such as GDPR, for instance, could be implemented across states where the regulation applies. Such a scheme would demonstrate continuity of purpose among European states and organisations. It would also act as a message of support from states toward responsible organisations that have spent billions of their funds to secure themselves against threats that, arguably, governments should have tackled head-on years ago. James Hayes
FEEDBACK TO CYBER SECURITY EUROPE
Cyber Security Europe magazine is committed to engagement with its readership: if you have any feedback on this issue, I’d be pleased to receive it via email at the address given right.
O8
CONTACT DETAILS Contact our editorial team via the Managing Editor: | james.hayes@cseurope.info
CyberSecurity
MEET US AT IT-SA 2019! Securing Critical Business
Airbus CyberSecurity provides a wide range of training and consulting services to maximise your security posture. Our services can be tailored to the specific needs of your organisation and help you achieve compliance with national and international standards. The content of courses can be crafted for a range of audiences - from technical experts to operational managers, and include operational exercises on our self-developed cyber range. Our consultancy services can range from vulnerability audits to full architecture design and implementation, whatever is needed to help you build a resilient network and organisation. For your leap into the digital future.
Contact us :
Contact.cybersecurity@airbus.com www.airbus-cyber-security.com
HALLE 10.1 STAND 428
welcome
cybersecurityeurope
WELCOME it-sa 2019’s Director Frank Venjakob sets the scene for the event that’s established itself as the ‘Home of IT Security’. DIGITAL TRANSFORMATION IS A TREND THAT IMPOSES MANY NEW CHALLENGES on companies, organisations and public bodies – above all, the question of how to make digital business processes secure. IT security is the foundation that digitalisation builds on. Ultimately, trust is the prerequisite for every business relationship. This is why cyber security has long since moved into the boardroom. Meanwhile, corporate executives with vision are identifying IT security as a business enabler. Working with security experts, they ensure that the potential of the digital transformation process is leveraged securely. To achieve this, dialogue, collaboration and professional knowledge-sharing are now more important than ever. And that is exactly where it-sa comes in. The participating companies offer a unique overview of the global market. Nowhere else will you find so many IT security providers at one fair. The Basque Country, the Netherlands, Austria and the Czech Republic are flying the flag for their respective nations with their own pavilions, while the special display area Startup@it-sa offers a dedicated platform to young companies. Five open forums, with presentations and discussion panels, provide additional sources of information on the issues that matter to decision-makers, such as IT security in Industrie 4.0, Artificial Intelligence or ‘the human factor’. BIOGRAPHY
Around 350 presentations scheduled between the 8th and 10th of October also include the ‘itsa insights’, which I particularly recommend to you. These product-neutral talks and discussion panels bring together experts from associations and organisations to explore topical issues like data protection when using Artificial Intelligence, automation for digital forensics and monitoring, or cyber resiliency.
To ensure digital transformation is secure, knowledge-sharing has become more important than ever. If you want to broaden your specialist expertise then Congress@it-sa is your best port of call. It features around 30 lecture series, the congress accompanying the trade fair is even more extensive than in previous years. And last, but not least, 12 start-ups will showcase the future of cyber security at UP19@it-sa. On the day before the fair they will pitch for the second UP@it-sa Award at the CyberEconomy Match-Up event. You too can take advantage of it-sa 2019 to learn how to lead your company securely into the digital future! Frank Venjakob
FRANK VENJAKOB, DIRECTOR IT-SA, NÜRNBERGMESSE Frank Venjakob and his team have been responsible for it-sa since 2013. He played a major role in shaping what is now the world’s largest trade fair for IT security, especially its supporting program.
10
DETAILS For more information please go to: | it-sa.de/en
expo plan
cybersecurityeurope
NCC West Rotunde
This at-a-glance floorplan will help maximise your time at it-sa 2019, and ensure that you find key exhibitors and speaker presentations. THE IT-SA SUCCESS STORY CONTINUES: VISITORS TO THIS YEAR’S EXPO AND CONGRESS can look forward to meeting more than 700 exhibitors across four of the Nuremberg Exhibition Centre’s halls. The floorplan will help you to pre-plan your visit and see where the it-sa 2019 halls fit in to the grand scheme at the Nuremberg Exhibition Centre. Simply use the QR Code link shown here below to take you to the official it-sa 2019 interactive floorplan; then, once there, click on the blue-coloured halls (9, 10.0, 10.1 and 11.0) to gain a more detailed view of the respective floorplans. Click again to access individual exhibitor profiles.
EXPO GUIDE
WI-FI AND STORAGE Free Wi-Fi access will be available during it-sa 2019. Visitors can find lockers in the entrance areas – and they can leave coats, jackets or items of luggage in the cloakrooms for a fee of €2 per item.
12
U-Bahn / Subway Messe
Please use the QR Code app’s from your mobile devices to access all of the it-sa floorplans.
0
50
Fachmesse | Trade Fair Kongress | Congress
S 10
NCC Mitte
NCC Mitte
S 8/9 S 6/7
S9 Mitte
NCC Mitte
S9
Messepark
VIP West Mitte
Service Center Mitte
S1 Mitte
Operation Center
Betriebshof
Parkdeck SĂźd
100m
advertorial
cybersecurityeurope
UPDATED MEANS PROTECTED Ensuring cyber security updates across big estates of networked devices is a challenge – device management software can help, says Axis’s Edwin Beerentemfel. NETWORK ADMINISTRATORS ARE NOW UNDER SIGNIFICANT AND INCREASING PRESSURE TO ENSURE THAT THEIR DATA NETWORKS are designed and operated securely. So it is important that they have the right knowledge and tools to manage cybersecurity throughout the life-cycle of the system. This article explains how cybersecurity best practices specific to managing their network devices, as well as how device management software, can be shown to empower administrators to efficiently achieve their cybersecurity goals. The escalation in the number of network devices drives the workload of network administrators. Often, this not only adds to already stretched work and time schedules, but can potentially result in compromised security. Recent Axis field tests compared the time required to perform some basic device management tasks on a network of 200 cameras.
CONSTANT AWARENESS OF VULNERABILITIES YOU FACE These basic tasks – the installation of add-on applications (ACAPs), upgrading firmware, configuring devices and hardening devices – took 106 hours to complete when manually using a camera web interface. However, the time required was reduced to just 30 minutes when using device management software. Broadly speaking, businesses should approach cybersecurity readiness in two steps. Awareness is the first step. If your business is not aware of
potential cyber vulnerabilities, threats and issues, it cannot do anything to prevent them. This requires enterprises to adopt a continuous learning and improvement mentality. It’s about continually educating yourself and embracing a good cybersecurity culture within your organization. In this context, suppliers need to work according to clear vulnerability management policies, processes and best practices. Step two is mitigation: once aware of a potential problem, what can your business do to resolve it? If we assume that a business cannot fix something by itself, outside support and assistance are often required.
Device management tools provide a means to access to a real-time inventory of network devices. A good starting point when selecting vendors and partners is to look at those that have a track record of cyber maturity: Vendors that understand the threats and ways to counter those threats. Vendors that have control over their own offerings, have experience and apply best practice routines properly when needed. Vendors that are open, transparent and provide long-
AXIS COMMUNICATIONS Axis Communications offers intelligent security solutions that enable a smarter, safer world. As the market leader in network video, Axis drives the industry by launching innovative network products based on an open platform – delivering high value
to customers through a global partner network. Axis has longterm relationships with 90,000 global partners around the world.
DETAILS To find out more about Axis Communications please visit: | press-meur@axis.com | axis.com
14
term support of patching firmware for the products you have selected. Vendors that are able to offer tools that enable you to apply the security controls you need to mitigate threats you face – e.g., through device hardening and device management.
KEEP A COMPLETE DEVICE INVENTORY A fundamental aspect of ensuring the security of an enterprise network is maintaining a complete inventory of the devices on it. When creating or reviewing an overall security policy, it is important to have knowledge and clear documentation about each device, and not just critical assets. That is because any single overlooked device can be a means of entry for attackers. You cannot protect devices which you have overlooked or are not fully aware of. Device management software gives network administrators an automated means to gain access to a real-time inventory of network devices. It lets them automatically identify, list and sort the devices on a network. Just as importantly, it also lets them use tags so that they can group and sort devices based on criteria that suit a business’s unique requirements. This makes it easy to gain an overview of, and document, all devices on your network.
PROTECTION AGAINST NEW VULNERABILITIES New vulnerabilities are continuously being discovered. While most are non-critical, occasionally a critical vulnerability is
discovered. A camera, like any other software-based device, needs to be patched to prevent adversaries exploiting known vulnerabilities. It is important that network administrators stay on top of these threats by staying up-to-date with new developments and following industry best practice. It is essential to always update quickly once this firmware becomes available, as attackers may try to exploit vulnerabilities that have been discovered. Moreover, rapid deployment of new firmware boosts operational capabilities and removes bottlenecks related to the manual roll-out of new release upgrades. Patching firmware in a system that is operational could introduce unexpected behavioral issues. It is strongly recommended to use LTS (Long-Term-Support) firmware for security patching. Once again, the larger the network the more effort it will take to update all your devices. Axis Communications field tests reveal that on a network of 200 cameras, upgrading the firmware using a manual web interface would take 1,000 minutes compared to just 10 minutes using device management software. In addition to the time saved, automatic notifications of new patch releases help ensure that the software is updated promptly – minimizing your network’s exposure to attack.
EFFICIENT, EFFECTIVE DEVICE MANAGEMENT Effective device management software not only helps to ensure cybersecurity but delivers efficiencies that grow exponentially as you add more devices to your network. By saving your network administrator time managing the network, you can free them up to fulfil other aspects of their job role, and to use their expertise to deliver additional benefits to your business. They will also have more time to stay on top of industry best practice and emerging threats – an essential part of maintaining a secure network. Edwin Beerentemfel is Manager Business Development Middle Europe at Axis Communications. Do you want to experience Axis? Join us at it-sa 2019 in Nürnberg, Germany, 8-10 October, in Hall 10.0/10.0-423. View our it-sa 2019 profile: it-sa.de/en/ausstellerprodukte/ itsa19/exhibitor-44775046/axis-communications-gmbh
15
NEWS & products
cybersecurityeurope
A selection of news and updates from it-sa 2019, plus additional technology updates for cyber-savvy executives
NEWS ROUND-UP
Organisations on risky app installation spree… Digital complexity poses bigger cyber risk than human error… European companies unable to detect cloud attacks… Extra security for Europe’s financial services sector.. 30% of Europe’s companies are still not compliant with GDPR... Europol partners with NTT Security…
ANLEITUNG FÜR RESPONSE TEAMS Die Europäische Agentur für Netz- und Informationssicherheit (vormals ENISA) hat einen Report mit dem Titel „Secure Group Communications for Incident Response and Operational Communities” herausgegeben. Dieser Report hat das Ziel, Methoden und Kriterien bereitzustellen, um Cybersecurityexperten und Teams zu helfen, auf Größe und Bedarf ihrer Firmen zugeschnittene Lösungen zu erstellen. Laut Schätzungen der Agentur gibt es in Europa mehr als 415 Cyber security teams. Typischerweise tauschen sich solche Teams miteinander über Bedrohungsszenarien und Schadensanalyse, über Anzeichen von Kompromittierungen oder über andere sicherheitsrelevante Ereignisse aus, oder teilen Teile von relevanter Schadsoftware. Der Report ist hier verfügbar: | enisa.europa.eu
EVENT BRIEF
UNSECURED APPS NOW POSE BIGGEST SECURITY RISK Organisations install as many as 10 new applications on enterprise networks each day, yet fewer than 15% of those have policies in place to manage their security – putting sensitive enterprise data at risk. According to a spot survey of 217 IT security practitioners by Gigamon, 26% of organisations have ‘no idea’ how many applications are added to their network each day, while 11% do not know if tools are deployed to manage apps’ security. The study asked which app types bring in the most malware in: social media types were cited as the worst culprit. “These apps can have access to sensitive corporate data which could put an organisation at risk if it fell into the wrong hands,” commented Gigamon Security Engineer EMEA Ollie Sheridan. | gigamon.com
UP19@IT-SA AT IT-SA 2019 From the 8th to 10th October 2019 more than 700 international exhibitors will showcase their IT security solutions at this year’s it-sa. The trade fair and accompanying congress attracts visitors with
16
a programme which offers many sources of key information, with presentations in both English and German. c-suite executives, IT
SAVE THE DATE Nuremberg, Germany
6 - 8 October 2020 it-sa.de
NEWS & products
cybersecurityeurope
„VERY ATTACKED PEOPLE“ SIND OFT SEHR SICHTBARE MENSCHEN, WARNT EIN REPORT Laut dem letzten Human Factor Report von Proofpoint attackieren Cyberkriminelle immer häufiger Menschen anstatt Systemen und Infrastruktur. Mehr als 99% der von der Studie analysierten Bedrohungen benötigen menschliche Interaktion um ausgeführt zu werden – Makros aktivieren, Dateien öffnen, einem Link folgen oder Dokumente laden. Bedrohung richten sich oft an Personen, die Proofpoint als „Very Attacked People” (VAP) bezeichnet, also Personen, die tief in ihren Organisationen verankert sind. Dies sind entweder Gelegenheitsziele oder Menschen mit einfach zu findenden Adressen und Zugriff auf Gelder oder sensible Daten. 36% der Identitäten von VAPs ließen sich einfach über die Webseiten ihrer Betriebe, über Social Media, über Publikationen und ähnliches feststellen. Die Identitäten von VAPs, die gleichzeitig VIPs sind, konnten in 23% aller Fälle mit einer Google-Suche gefunden werden. Feature: ‘Business Email Compromise’ – siehe Seite 98. | proofpoint.com
EXTRA SECURITY FOR FINANCE SERVICES The Financial Services Information Sharing and Analysis Center (FS-ISAC) and Europol’s European Cybercrime Centre (EC3) have signed a Memorandum of Understanding combat cyber crime within Europe’s financial services sector. The agreement will be to facilitate the law enforcement response to financially motivated cyber criminals targeting banks and other financial institutions through a ‘symbiotic’ intelligence-sharing network. The MoU will aim to foster a pan-European approach to intelligence sharing, and ensure the cross-border cooperation necessary for the detection, prevention and reduction of cyber crime. In addition to facilitating information sharing, the agreement will also enable education and resilience through training and informational summits. “Through a collaborative peer-to-peer network, FS-ISAC and EC3 are enabling intelligence sharing to better safeguard the global financial system,” says FSISAC Managing Director Ray Irving. | fsisac.com | europol.europa.eu
EVENT BRIEF
CONNECTED DEVICES: DAS NÄCHSTE ZIEL Cyberkriminelle Kreise diskutieren immer neue Arten und Wege, eine große Anzahl von connected devices zu kompromittieren und für verschiedene Betrugsszenarien zu benutzen. Forscher von Trend Micro analysierten Webforen in englisch-, spanisch-, portugiesisch-, russisch- und arabischsprachigen Untergrundmärkten, um Pläne von Kriminellen, connected devices anzugreifen und zu monetarisieren zu beobachten. Laut Trend Micro sind die am meisten fortgeschrittenen Märkte in den russisch- und portugiesischsprachigen Foren. Dort liegt der Schwerpunkt der kriminellen Aktivitäten vor allem darauf, den Zugang zu kompromittierten Geräten – insbesondere Routern, Webcams und Drucker – für ein breites Spektrum von Angriffen zu verkaufen. it-sa Hall 9 | Stand 9-434 | trendmicro.com
UP19@IT-SA AT IT-SA 2019 security officers, as well as the developers and vendors of products and services related to cyber security, come together to exchange information, knowledge and insight. They also come to discover
18
what’s up-and-coming. UP19@itsa, the trade fair’s showcase for start-ups in European IT security, takes place for the second time.
‘IT-SA INSIGHTS’ EDITOR’S PICKS HK2 Comtection: How the new IT Security Law Affects Companies (ITSiG 2.0) Date: 08.10.2019 Time: 12:00-12:17 Where: Forum 11
EUROPOL KOOPERIERT MIT NTT SECURITY Das Europäische Cyberkriminalitätszentrum (EC3) von Europol hat als Teil seiner Mission, Informationen zur weltweiten Verhinderung von Cyberkriminalität mit Industrie und Strafverfolgungsbehörden zu teilen, eine Absichtserklärung mit NTT Security unterzeichnet. Die Erklärung definiert einen Rahmen für den Austausch strategischer Threat Intelligence mit Bezug auf Sicherheitstrends und auf bewährte Verfahren. NTT Security wird der EC3 dabei helfen, die Maßnahmen gegen Cyberkriminalität zu verstärken, und einen Beitrag zum jährlichen Bericht über die Bewertung der Bedrohungslage durch organisierte Kriminalität im Internet leisten. „Europol arbeitet an allen Aspekten von Cyberkriminalität – vom Ausschalten von Botnetzen bis zum Dark Web,“ sagt NTT Securitys Senior VP EMEA Kai Grunwitz. „Unsere Partnerschaft verstärkt die unerlässliche Rolle von Threat Intelligence,“ it-sa Halle 9 | Stand 9-542 | hello.global.ntt | europol.europa.eu
30% OF EURO FIRMS STILL NOT GDPR OK Almost a third of the polled European businesses are still not compliant with GDPR, with only 57% of polled businesses confident that their business follows the regulation, and a further 13% unsure either way. According to a new survey conducted on behalf of tax and audit consultant RSM, the compliance gap is not down to any single issue, with middle market businesses struggling to understand and implement a whole range of areas covered by the regulation; 38% of non-compliant businesses ‘do not understand when consent is required to hold and process data’, 35% are ‘unsure how they should monitor their employees’ use of personal data’ and 34% ‘don’t understand what procedures are required to ensure third party supplier contracts are compliant’. GDPR is, however, having a positive impact on cyber security: 73% of European firms reckon GDPR compelled them to improve their customer data management, while 62% say it caused them to increase their IT security spend. | rsm.global
Young companies that are based in Germany, Austria and Switzerland pitch about their innovations, and then a jury decides a shortlist of
entries and evaluates the overall proposition of each entry, including sales and marketing strategies. The winner of the UP19@it-sa Award will be announced by public vote. | it-sa.de/en/up19
Cybercrime Institute: Risk and Challenges of Cyber Attacks for Euro Economy Date: 08.10.2019 Time: 13:40-14:20 Where: Forum 10.1 cirosec: Artificial Iintelligence in the Security Context: Curse or Blessing? Date: 09.10.2019 Time: 12:30-13:00 Where: Forum 9 European Dig. SME Alliance Project Cyberwatching.eu Date: 10.10.2019 Time: 13:20-14:00 Where: International Forum 10.1 The CISO (Chief Info. Security Officer) Alliance: the ‘Network’ for IT Security Officers Date: 10.10.2019 Time: 13:15-13:45 Where: Forum 11 Keybox: Data security on blockchain basis Date: 10.10.2019 Time: 14:00 - 14:00 Where: Forum 10.1 Costard: GDPR for cloud applications Date: 10.10.2019 Time: 14:00 - 15:00 Where: Forum 10.1 WAXAR Data Saving Systems: Backup technology for industrial control systems Date: 10.10.2019 Time: 14:00 - 14:30 Where: Forum 10.0
19
NEWS & products
cybersecurityeurope
BREAKS IN CLOUD ARE GOING UNSEEN: REPORT Many European companies are unable to detect abnormalities in their cloud environment, while 37% have already experienced a cyber attack on their cloud environments, a study has found. Outpost24’s survey of 300 IT security professionals suggests that 27% of organisations polled do not know how soon they could tell if their cloud data was compromised, while 11% reported a compromise on their on-premises data would be quicker to detect, which indicates that some still rely solely on cloud service providers to protect their cloud data, Outpost24 says. The study asked respondents about how many of their products/applications run in the cloud: 34% said more than half, while 15% said that all are 42% of security professionals believe that their on-premises data is ‘more secure than their cloud hosted data’, while 19% of those polled only conduct security testing on their cloud environment annually. | outpost24.com
KOMPLEXITÄT IST DIE GRÖSSTE BEDROHUNG Das schwächste Glied in der IT-Sicherheit steht im Mittelpunkt der diesjährigen itsa Special Keynote des Journalisten und Experten für Cyberkriminalität Misha Glenny. Er wird die Vorstellung in Frage stellen, dass der Mensch der größte Fehler in der IT-Sicherheitskette ist, und argumentieren, dass die zunehmende Komplexität der digitalen Infrastruktur die größte Bedrohung darstellt. Glenny wird außerdem vom Senior Management einen Mentalitätswechsel fordern: „Nur durch eine umfassende Sensibilisierung für digitale Bedrohungen kann der Fortschritt von Hackern, die für das organisierte Verbrechen arbeiten, gestoppt werden” Glennys Keynote Präsentation findet am Donnerstag den 10. Oktober von 12:00 – 13:00 im International Forum 10.1 der NürnbergMesse statt. | it-sa.de/special-keynote
IT-SA 2019
DOWNLOAD THE IT-SA 2019 APP The it-sa 2019 app can help maximise what the event has to offer in terms of exhibitors and products: it enables connected visitors to conveniently search for exhibitors by carrying out a full-text search, and then add them to their watchlist and have their stands, as well as individual favourites, marked on the floor plan. The app provides many useful features, such as push notifications/ updates (visitors will be informed of all changes that affect exhibitors and events on their ‘saved’ list, as required), location-based messages via Bluetooth (iBeacon) on the exhibition site (if required), location-based messages on the exhibition site, plus an integrated car finder. | it-sa.de/en/exhibition-info/app
INDUSTRIAL INTERNET CONSORTIUM (IIC) SUPPORT PROGRAMME The IIC has launched a programme to stimulate Industrial Internet of Things adoption across industry. The IIC Accelerator Program encompasses initiatives to appeal to users of IoT tech who want to discuss
20
challenges with peers, get advice from IIC experts, or seek guidance to solve technological problems. | iiconsortium.org
Words | Luigi Rebuffi
Part of today’s discussion of cyber security in Europe revolves around the idea of increasing strategic autonomy – but while there is a clear understanding on the need to increase it, as it would be impossible to live in a full autarchy, we seem to lack understanding on how to achieve this goal. Let’s start from the beginning. First of all, ECSO defines the European cyber security as our common science, knowledge, trustworthy processes, products, services and infrastructures to protect (in a sustainable way) our nations, industries and economies, citizens and institutions against damaging cyber-attacks while respecting our European Values. In simpler termss, cyber security is protecting and securing our digital ecosystems from malicious attacks. Being able to reach 100% effective (cyber) security remains an illusion especially when other hinderance factors come into play such as weak entrepreneurialism culture compared to other regions, market fragmentation and a lack of co-ordinated investments supporting innovation in Europe. In addition, cyber security remains a national prerogative when it comes to the protection of strategic and critical infrastructures, cyber defence, and national education programmes, among other areas. In 2019, cyber security equally challenges the concept of sovereignty: this opens the way towards the establishment of common international responses, protection, prevention and recovery mechanisms from attacks on shared vulnerabilities. The resilience of our digital world is supported by digital technologies that are also able to influence our economy, society and political systems. It is by studying the ‘DNA’ of its supply chains that Europe will be able to identify strategic areas where trusted digital technologies and leadership must be ensured. It is also where a certain level of autonomy must be attained to guarantee the ability to independently set objectives and act upon them (see EPSC Strategic Notes, ‘Rethinking Strategic Autonomy in the Digital Age’, Issue 30, July 2019, for more detail). Indeed, the control over technologies and services has become extremely important, in sensitive areas/applications of the important European supply chain. The establishment of a European PublicPrivate Partnership in cyber security led by the ECSO and the European Commission (EC) was a first important initial building block. It not only kick-started today’s discussion on the importance of attaining a good level of digital autonomy, but also introduced a new holistic approach to pan-European cyber security based on what could be termed multi-stakeholderism. This legacy must remain part of the future European institutional and regulatory framework. Cyber security industry and innovation must be supported by comprehensive industrial strategies. It must also have the
support of agile investments mechanisms geared to respond to effective market needs as well as facilitate the growth and competitiveness of Europe’s industrial and technological base so needed to increase its strategic autonomy. It is time for Europe to act fast because in just a few years cyber security is bound to become the security of everything. Building a strong European Community, in public sector and private sectors, working together in a trusted environment followed by substantial investments in strategic European solutions – these are the first steps towards our common cyber-secure future. Luigi Rebuffi is Secretary General at the European Cyber Security Organisation (ECSO), a fully self-financed non-forprofit organisation under the Belgian law, established in June 2016. Member organisations include a wide variety of stakeholders. ECSO represents the contractual counterpart to the European Commission for the implementation of the Cyber Security contractual PublicPrivate Partnership (cPPP).
It is time for Europe to act fast – because in just a few years time, cyber security is bound to become the security of everything.
CONTACTS For more information visit: | ecs-org.eu
21
VIEWPOINT
LESSONS LEARNT FROM A PPP ON CYBER SECURITY
CONTRIBUTORS
cybersecurityeurope
EDITORIAL CONTRIBUTORS Cyber Security Europe’s panel of contributing writers come from solutions vendors, sector agencies, and journalistic market-watchers. ISIDOROS MONOGIOUDIS Isidoros Monogioudis is a Senior Security Architect at Digital Shadows. A former head of the cyber operations section for the Hellenic National Defence general staff, Isidoros is a seasoned cyber security analyst, engineer and architect, with a background in CIS technologies. He has wide experience in addressing and defining cyber security requirements for projects in diverse multinational environments such as the European Union and NATO. He holds advanced skills in red/ purple teaming exercises with strong expertise in adversarial TTPs analysis and simulation. His specialties include being a GIAC-certified cyber security expert, and an Offensive Security Certified Professional (OSCP).
LUIGI REBUFFI ECSO’s Secretary General and Founder Luigi Rebuffi graduated in Nuclear Engineering at the Politecnico di Milano. Rebuffi then worked in Germany on the development of high-power microwave systems for the next thermonuclear fusion reactor. He continued his career at Thomson CSF/Thales in France, with responsibility for European Affairs (R&D) in different sectors – telecoms, industrial, medical, scientific – and in 2003 became Director for European Affairs for civilian activities. Rebuffi suggested the European Organisation for Security and co-ordinated its establishment in 2007. He contributed to the creation of ECSO, and has been an advisor to the EC for the EU Security Research Programme.
DETAILS For more information: | digitalshadows.com
DETAILS For more information: | ecs-org.eu
AUTHORITY
ARNE SCHÖNBOHM
Arne Schönbohm has been President of the Federal Office for Information Security (BSI) since 2016. He studied international business administration at the International School of Management. Between 1995 and 2008 he held senior positions within EADS Germany (now Airbus), most recently as Vice President/ Commercial and Defence Solutions for EADS Secure Networks. From 2008 to 2016 he was CEO of BSS AG, which advises organisations in the fields of digitalisation, cyber security and data protection. In addition, Mr Schönbohm served as president of Cyber-Sicherheitsrat Deutschland e.V.,
22
a politically neutral association, that advises companies, public authorities and policymakers on matters of cyber security. Arne Schönbohm has authored several books, including Deutschlands Sicherheit – Cybercrime and Cyberwar (2011). DETAILS For more information: | bsi.bund.de
PAULA JANUSZKIEWICZ Cyber Security Europe guest contributor Paula Januszkiewicz is one of the most high-profile international IT security experts. As the Founder and Chief Executive Officer of Warsawheadquartered CQURE Inc., she shares her expertise with the IT security community, and provides advice to clients all over the world. Paula Januszkiewicz has already received the Enterprise Security MVP (Microsoft Most Valuable Professional) accolade and is an honourable Microsoft Regional Director. Additionally, she is one of the few people who have been granted an access to a source code of Microsoft Windows. Januszkiewicz has been the keynote speaker at well-known symposia EDITORIAL
and developer conferences in the United States, Asia, Africa and the Middle East, and she was a Special Keynote speaker at the it-sa 2018 IT Security Expo and Congress. In her Summer 2019 Issue article for Cyber Security Europe, Januszkiewicz argued the case for a ‘back to basics’ approach to organisational cyber security practice and awareness: her five-point framework for data protection re-emphasised the value of straightforward and routine IT security procedure rules, such as ensured software updates, ensured data backups and training, plus the avoidance of temporary workaround solutions and complacency. DETAILS More information: | cqure.pl
JAMES HAYES
As an editor and journalist, James Hayes has specialised in the business computing and enterprise ICT sectors. His previous editorships include Datacom, Network News, Communications News, Information Professional, and European Ecommerce. Until 2015, he was Technology Editor of Engineering & Technology (E&T) magazine. He has written about enterprise cyber security issues for publications such as InfoSecurity Professional, Cloud Security Insights, Networking+, Charity Digital News, Land Mobile and the London Business Magazine. Hayes has also contributed
to the Greenhaven study aid ‘Cyber Terrorism & Ransomware Attacks’, and is the editor of the Penetration Testing: a Guide for Business and IT Managers (BCS, The Chartered Institute for ITCREST). He has presented at many security industry conferences. DETAILS For more information: | cseurope.info
‘EDMUND BURR’ ‘Edmund Burr’ is an independent technology writer and consultant specialising cyber security issues. He has acted as a consultant for cyber security discovery projects for professional bodies and trade associations in the UK and US. He was editor of the first European thought leadership review of automotive cyber security and risk perspectives for connected vehicles (2015), as published by the Institution of Engineering and Technology (IET) and UK Knowledge Transfer Network. Burr has written about hacker psychology, malicious bots and insider threats. He is also writing an alternative history of computer and communications security.
JIM MEYERS As a Europe-based freelance technology and techno-culture journalist, Jim Meyers has written about a variety of technology and non-technology related topics. His areas of interest range from earthquake forecasting tech and Quantum Computing, to the development of Unified Communications and IT professionalism issues. Meyers also has a special interest in the history of video – and televisual recording technologies and digital restoration. He has been security manager for a major literary festival, and has written scripts for BBC radio. Meyers is currently researching a European vacation and recreational travel guide specially designed for information and communications technologists.
DETAILS For more information: | cseurope.info
DETAILS For more information: | cseurope.info
23
Your experts in IDentity Security
Certificate Management Solutions SwissSign
Microsoft CA
QuoVadis
EJBCA
CA Connector
SCEP Notifications
Approval NDES
CERT MANAGER
Provisioning Agents
Workflow Engine
Enrollment
Microsoft Autoenrollment MDM Enrollment
Rules Engine
ACME
IOT
EST
DEVICES
Admin/Operator Dashboard
Corporate Certificate Management
Card Technologies
ID Access Management
PKI Solutions
Card Management
Secure E-Mail
We design, develop, integrate and maintain ID Security Solutions for your business. SWIT ZERL AND intelliCard Solutions AG Untere Bahnhofstrasse 2 CH-8640 Rapperswil-Jona +41 (0) 55 552 04 00
Mobile Authentication
Visit us on:
GER M ANY intelliCard Labs GmbH Max-Stromeyer-Strasse 116 D-78467 Konstanz +49 (0) 7531 945 45 00
www.id-security.com
Hall 10.1 Booth 610
ejgp8ioefp23f230lsdf§%SNF93n253ßtojsd1wjdkjak23j3örjw+31jg+431klöjwhwdfpih551EFOUE1966rg1dffddjägjOJD6785ggpojjklejgp 1sgf6rhrFPw8326h64u4ejgp8ioefp23f230lsdf§%SNF93n253ßtojsd1wjdkjak23j3örjw+31jg+431klöjwhwdfpih551EFOUE1966rg1djägj rjw+31jg+431klöjwhwdfpih551EFOUE1966rggjOJD6785ggpojjklvjk2gh6rt7gf1sgf6rhrAKFPw8326h64u4ejgp8ioefp23f230lsdf§%SNF gjOJD6785ggpojjklvjk2gh6rt7gf1sgf6rhrAKFPw8326h64u4ejgp8ioefp23f230lsdf§%SNF9351EFOUE1966rg1djägjOJD6785ggpojjklvjk wjdkjak23j3örjw+31jg+431klöjwhwdfpih551EFOUE1966rg85ggpojjklvjk2gh6rt7gf1sgf6rhrAKFPw8326h64u4ejgp8ioefp23f230lsdf§% gpojjklvjk2gh6rt7gf1sgf6rhrAKFPw8326h64u4ejgp8ioefp23f230lsdf§%SNF93n253ßtojsd1wjdkjak23j3örjw+31jg+431klöjwhwdfpih5 326h64u4ejgp8ioefp23f230lsdf§%SNF93n253ßtojsd1wjdkjak23j3örjw+31jg+431klöjwhwdfpih551EFOUE1966rg1djägjOJD6785ggpo p8ioefp23f230lsdf§%SNF93n253ßtojsd1wjdkjak23j3örjw+31jg+431klöjwhwdfpih551EFOUE1966rg1djägjOJD6785ggpojjklvjk2gh6rt7 örjw+31jg+431klöjwhwdfpih551EFOUE1966rg1djägjOJD6785ggpojjklvjk2gh6rt7gf1sgf6rhrAKFPw8326h64u4ejgp8ioefp23f230lsdf§ n253ßtojsd1wjdkjak23j3örjw+31jg+431klöjwhwdfpih551EFOUE1966rg1djägjOJD6785ggpojjklvjk2gh6rt7gf1sgf6rhrAejgp8ioeFPw832 w+31jg+431klöjwhwdfpih551EFOUE1966rg1djägjOJD6785ggpojjklvjk2gh6rt7gf1sgf6rhrAKFPw8326h64u4ejgp8ioefp23f230lsdf§%SN 424eowptuuuudufwp498ß2lwr23igr84jfi2jifgwpniewt+woep03570sfjekw34125u32035423ß0349kwp,d2ßjfs32ßksdfsefüüIwfwoQgh 1sgf6rhrFPw8326h64u4ejgp8ioefp23f230lsdf§%SNF93n253ßtojsd1wjdkjak23j3örjw+31jg+431klöjwhwdfpih551EFOUE1966rg1djägj df§%SNF93n253ßtojsd1wjdkjak23j3örjw+31jg+431klöjwhwdfpih551EFOUE1966rg1djägjOJD6785ggpojjklvjk2gh6rt7gf1sgf6rhrAKFPw 431klöjwhwdfpih551EFOUE1966rg1djägjOJD6785ggpojjklvjk2gh6rt7gf1sgf6rhrAKFPw8326h64u4ejgp8ioefp23f230lsdf§%SNF93n25 6785ggpojjklvjk2gh6rt7gf1sgf6rhrAKFPw8326h64u4ejgp8ioefp23f230lsdf§%SNF93n253ßtojsd1wjdkjak23j3örjw+31jg+431klöjwhwd ejgp8ioe1klöjwhwdfpih5dsgrhvegewhh551EFOUE1966rg1djägjOJh551EFOUE1966p23f20lsdf§%SghdNF93n253ßtojsd1wjdkjak23j3örj Pw8326h64u4ejgp8ioefp2f230lsdf§%SNF93n253ßtojsd1h551EFOUE1966rgwjdkjak23j3örjw+31jg+431klöjwhwdfpih551EFOUE1966r df§%SNF93n253ßtojsd1wjdkjak23j3örjw+31jg+431klöjwhwffd477dfrttu5ih551EFOUE1966rg1djägjOJD6785ggpojjklvjk2gh6rt7gf1sgf6 1jg+431klöjwhwdfpih551EFOUE1966rg1djägjOJD6785ggpgtrhthtrojjklvjk2gh6rt7gf1sgf6rhrAKFPw8326h64u4ejgp8ioefp23f230lsdf§ JD6785ggpojjklvjk2gh6rt7gf1sgf6rhrAKFPw8326hetrhrhe74862fbrt64u4ejgp8ioefp23f230lsdf§%SNF93n253ßtjkzojsd1wjdkjak23j3ö rhrAKFPw8326h64u4ejgp8ioefp23f230lsdf§%SNF93n25dgsaws6dijßtojsd1wjdkfgjak23j3örjw+31jg431klöjwhiwdfpih551EFOUE1966r 30lsdf§%SNF93n253ßtojsd1wjdkjak23jdgs73i 9prw3jbj h3örjw+31klöjwhwdrwfpih551EFOUE1966rg1djäggjOJD6785ggpojjklvjk2gh6 3örjw+31jg+431klöjwhüüerz04636ß kopro34ß6i 6346 65 ghwdifpih551EhuFOUE196JJZdjägjOJD678i8gktj5ggpojjklht7vjk2gh6rt7gf1s 431klöjwhwdfpih551EFOUE1966rg1473m 97n r5 e57 57uidjägjOJ67i5ggpojjlklvjk2gh6rt7gf1sgf6rhrAKFPwl8j326h64uli4ejgp8ioefp23 1djägjOJD6785ggpojjklvjk2gh6rt7gf1sgf6rhrAKFfz68m879etPwii326h64u4iejgp8ioefp23f230lsdf§%SNF9i n253ßtojsjjd1wjdkjak23j3ö 1sgf6rhrAKFPw8326h64u4ejgp8ioefp23f230lsdf§%SNetwefF93l253ßtojsdii1ijdkjak23j3örjw+31jg+431klö whwdfpirthh51iFOUE1966 30lsdf§%SNF93n253ßtojsd1wjdkjak23j3örjw+31dggewet56i7jg4i31klöjwhktdfpih551EFOUE1966rg1djägjz OJD678h5ggpojjklvjk2gh6 dgw46859eufghgjj,ßü+fzrweg68ß908örjw+31jg+431klöjwhwdfpih5u7t51EFOUE196dfrhtuui80opz6rg1djä5ggpokjk3ehvjkgh6rt7gf1s 3örjw+3jg+431klöjwhwdfpih551EFOUEsawt5790890\801966O8765gg6pojiklvjk2gh6rt7gf1sgf6rr5ihrAKFP832ih64u74jgp8ioefp23f 966rg1djägjOJD6785ggpojjklvjk2gh6rt7gf1sgf6rhrAKghkkFPw8326hi64u4ejgp8ioefp23f230lsdf§%SNF93n253ßtojsd1wjdkjak23j3ör 326h64u4ejgp8ioefp23f230lsdf§%SNF93n253ßtodtutu ui878jsd1wjdkjak23ij3örjw+3jg+43klöjwhwdfpih55EFOUE1966rgdjägjOJD678 n253ßtojsd1wjdkjak23j3hjxkjtzlipörjw+31jg+431klöjwhwdfpih5f1EFOUE1966rg1djägjOJD6785ggpojjkl6rt7gf1sgf6rhrAKFPw8326h66 sdf§%SNF93n253ßtojsd1wjdkjak23j3örjw+31jg+1klöjwhwdfpihgi2hOJDd67iggpojjklvjk2gh6rt7gf1sgf6rhrAKFPw8326h64u4ejgp8io 51EFOUE1966rg1d551EFOUE1966rg1drg1et4877djägjOJD6785ggpojjklvjk2gh6rt7gf1sgf6rhrAKFPw8326h64u4ejgp8ioefp23f230lsdf§ OJD6785ggpojjklvjk2gh6rt7gf1sgwqte r56 789098ßf6rhrA FPw8326h64u4ejgp8ioefp23f230lsdf§%SNF93n253ßtojsd1wjdkja1966rgd hwdfpih55EFOUE1966rgdjägjOJD6785ggpojjklvjk2gh6rt7g§%SNF93n253ßtojsd1wjdkjak23j3örjw+31jg+431klöjwhwdfpih551EFsgf6r 2gh6rt7gf1sgf6rhrAKFPw8326h64u4ejgp8ioefp23f230lsdf+31jg+431klöjwhwdfpih551EFOUE1966rg1djägjOJD6785ggpojklvjk2gh6rt7 3f230lsdf§%SNF93n253ßtojsd1wjdkjak23j3örjw+31jghri+hwdfpih551EFOUE1966rgdjägjOpD6785ggpojjklvjk2gh6rt7gf1s6rhrAKFPw whwdfpih55EFO§%SNF93n253ßtojsd1wjdkjak23j3örjwUE1 D6785ggpojjklvjk2gh6rt7gf1sgf6rhrAKFPw8326h64u4ejgp8§%SNF93n25 F93n253ßtojsd1wjdkjak23j3örjw+3jg+43klöjwhwdfpih55 hrAKFPw8326h64u4ejgp8ioefp23f230lsdf§%SNF93n253ßtojsd1wjdkefGÜ löjwhwdfpih551EFOUE1966rg1djägjOJD6785ggpojjklvjk2gfSNF93n253ßtojsd1wjdkjak23ij3örjw+3O)jg+43klöjwhwdfpih551EFOUE1 230lsdf§%SNF93n253ßtojsd1wjdkjh6rt7gf1sgf6rhrAKFPlw+31jg+431klöjwhwdfpih551EFOUE1966rgdjägjOJD6785ggpojjklvjk2gh6rt7 örj326h64u4ejgp8ioefp23f230lsrak23j3örjww+3EFOU E 1 gdjägjkkOJD6785ggpojjklvjk2gh6rt7gf1sgf6rhrAKFPgf1sgf6rhr4ejgp8ioef 66rg1d9 6 9 6 9 6 jägjOJhalleotr456jg+43klöjwhwdfsveD6785ggpojjklvjk2gh6rt7gf1sgf6rhrAKFPw8326h64u4ejgp8ioefp23f230lsdf§ OJD6785ggpojjklvjk2gh6rt7halleotr456jg+43klöjwhwdfgfFPw8326h64u4ejgp8ioefp23f230lsdf§%SNF93n253ßtojsd1wjdkjak23j3ö gf6rhrAKFPw8326h64u4ejgp8ioefp23f230lsdf§%S1sgf6rhNF93n253ßtojsd1wjdkjak23j3örjw+31jg+431klöjwhwdfpih551EFOUE191sg 8ioefp23f230lsdf§%SNF93n253ßtojsd1wjdkjak23j3ö468z0431klöjwhwdfpih551EFOUE1966rg1djägjOJD6785ggpojjklvjk2gh6rt7gf1sg h1sgf6rh1sgf6rh3j3örjw+31jg+431klöj1sgf6rh1sgf6rhe4hiwdfpih551EFOUE1966rg1djägjOJD6785ggpojjkl0lsdf§%SNF93n253ßtojsd gp8ioefp23f230lsdf§%SNF93n253ßtojsd1wjdkjak23j3öddgjOJD6785ggpojjklvjk2gh6rt7gf1sgf6rhrAKFPw8326h64u4ejgp8ioefp23f JD6785ggpojjklvjk2gh6rt7gf1sgf6rhjw+31jg+431klöjwhww8326h64u4ejgp8ioefp23f230lsdf§%SNF93n25fe3ßtojsd1wjdkjak23j3ör gf6rhrAKFPw8326h64u4ejgp8ioefpfpih551EFOUE1966rg1 NF93n253ßtojsd1wjdkjak23j3örjw+31jg+431klöjwhwdfpih551EFOUE1966r rhrAKFPw8326h64u4ejgp8ioefp23f230lsdf§%SNF93n25331jg+431klöjwhwdfpih551EFOUE1966rg1djägjOJD6785ggpojjklvjk2gh6rt7 %SNF93n253ßtojsd1wjdkjak23j3örjw+31jg+431klöjwhwdfpglöjwhwdfpih551EFOUE1966rg1djägjOJD6785ggpojjklvjk2gh6rt7gf1sgf6 rjw+31jg+431klöjwhwdfpih551EFOUE1966rggjOJD6785ggpojjklvjk2gh6rt7gf1sgf6rhrAKFPw8326h64u4ejgp8ioefp23f230lsdf§%SNF gjOJD6785ggpojjklvjk2gh6rt7gf1sgf6rhrAKFPw8326h64u4ejgp8ioefp23f230lsdf§%SNF9351EFOUE1966rg1djägjOJD6785ggpojjklvjk wjdkjak23j3örjw+31jg+431klöjwhwdfpih551EFOUE1966rg85ggpojjklvjk2gh6rt7gf1sgf6rhrAKFPw8326h64u4ejgp8ioefp23f230lsdf§% gpojjklvjk2gh6rt7gf1sgf6rhrAKFPw8326h64u4ejgp8ioefp23f230lsdf§%SNF93n253ßtojsd1wjdkjak23j3örjw+31jg+431klöjwhwdfpih5 326h64u4ejgp8ioefp23f230lsdf§%SNF93n253ßtojsd1wjdkjak23j3örjw+31jg+431klöjwhwdfpih551EFOUE1966rg1djägjOJD6785ggpo p8ioefp23f230lsdf§%SNF93n253ßtojsd1wjdkjak23j3örjw+31jg+431klöjwhwdfpih551EFOUE1966rg1djägjOJD6785ggpojjklvjk2gh6rt7
Sichere Passwörter jetzt!
81 % aller Datenlecks haben unsichere Passwörter als Ursache – steuern Sie jetzt mit LastPass dagegen!
Enterprise Passwort Management Gemäß BSI C5
Zero Knowledge Sicherheitsmodell Vereintes Identitätsmanagement Bewährt bei 47.000 Kunden Test-Fazit: empfehlenswert
Ausgabe 10/2017
17YT57
LastPass Premium
Jetzt hier informieren: www.lastpass.com
FEATURE
STRATEG OPERATIONAL THREAT DATA FEEDS
cybersecurityeurope
MACHINE LEARNING
FRAUD PREVENTION
MANAGE TACTICAL BROWSER EXTENSION,
DATA
Effective enterprise Threat Intelligence programmes must make information sharing – at all levels of an organisation – a top priority for full-function cyber defence strategies.
AS THEY ACQUIRE GREATER LEVELS OF RESPONSIBILITY FOR THE CYBER GOVERNANCE OF THE ORGANISATIONS they run, cyber-savvy senior executives can not only have oversight of their enterprises’ security operations’ Threat Intelligence (TI) activities, but also direct input into them. This is because there are points of intersection between business intelligence and cyber threat intelligence – points that cyber experts won’t see, but the business-minded will. TI is based on the collection of intelligence using open source intelligence (‘OSINT’), social media intelligence (‘SOCMINT’), human intelligence (‘HUMINT’), technical intelligence or intelligence from the Deep Web and the Dark Web. TI’s main objective is to research and analyse trends and technical developments in key threat IN BRIEF
areas such as cyber crime, cyber espionage, and hacktivism. By definition, executives in both public and private sector entities deal with business risk – but it’s not always easy to ascertain it fully. The market for assessing some elements of business risk is relatively mature. For example, most firms will build-in redundancy to data centre operations and/or back-up data the cloud. However, digital risk, and particularly that which manifests from outside an organisation‘s traditional boundary, is less understood and is a critical missing part of a company‘s overall risk profile.
It is most vital that all leadership teams keep their IT security counterparts up-to-date on the information that must be protected. As organisations become more digitally-interconnected to their supply chain, customers, and partners, new types of risk have emerged. Unmanaged, these can lead to the loss of sensitive corporate data, violation of privacy laws, and damaged reputations. When surveyed by the Ponemon Institute for its Bridging the Digital Transformation Divide report (2018), 72% of
NATION SHALL SPEAK CYBER INTEL UNTO TO NATION... In the context of Threat Intelligence, private sector organisations can learn from nation states. In many ways, the world’s nation states are ahead of their commercial counterparts – international networks
26
such as Europol, called ‘Five Eyes’ between the United Kingdom, Canada,
and the soarrangement States, United Australia and
GIC
EMENT
New Zealand, have meant close cooperation to counteract organised crime and terrorism. Many would back the idea that the commercial
sector needs to copy some of these cross-national arrangements for mutual, shared security benefit. Multinational businesses are well-placed to lead on this, and can leverage existing info channels.
27
FEATURE
cybersecurityeurope
leaders agreed that the rush to digital transformation increases data breach and cyber security risks, and 65% agreed that the digital economy significantly increases the risk to intellectual property. These risks can directly impact business leaders. In North America, some 32% of breaches lead to a c-level leader, manager, or president losing their job, the report’s findings indicated. While 77% of business leaders understand the need to manage digital risk, they face a sizeable challenge to understand the impact of digitisation and create a coherent approach to protect against digital risks. Given the high importance to business leadership, how should senior executives work with security teams to assess overall cyber threats to their business? First the burden to manage digital risks should not fall on a single department, and these new challenges extend beyond the purview of the security team. In an increasingly stringently regulated commercial environment, attempts to manage risk without involving legal, fraud, and compliance teams will not provide an understanding of business risk. However, by the same token, these teams do not necessarily have the skills and resources to monitor overall risk effectively and to communicate it to the board. There are several approaches to blur the lines between departments and remove these operational ‘silos’. First, Integrated Risk Management (IRM) seeks to combine security risk and business risk. In this digital era, digital risk is a key component
28
of Integrated Risk Management. Additionally, McKinsey & Company has outlined a framework for greater interaction between different c-level roles. The proposed ‘strategic security partnership’ is a framework for CISOs, CIOs, and CROs to work together and move to a collaborative, enterprise-wide approach to risk. By doing so, silos are broken down, friction is reduced, and risk becomes embedded in the CISO’s threat management programme. It’s critical that senior executives provide the proper guidance and missing context for intelligence data that is not initially defined. Senior executives should, therefore, be part of the intelligence lifecycle process. Especially when it comes to critical threats, their impact evaluation and business continuity plan should reflect the importance of their engagement.
Because intelligence sharing is still at a very early stage, many organisations do not know what kinds of ‘intel’ they should share. They must use tooling coming from risk management; and they should also improve the efficiency of this process with crisis management exercises simulating the threats and the associated impact. Exercises should be conducted in order to improve their decision-making process and efficacy during stressed conditions. Other intelligence data coming from closed sources (i.e., business/executive-oriented) should also be evaluated and integrated very carefully. In the right circumstances, an effective cyber security team will understand most of the generic threats their business faces. However, there are some – potentially the most damaging to their organisation – which are more specific. These require close interaction between leadership and security teams. It is here that senior executives can take the lead on understanding what it considers to be their critical assets. This will vary from organisation to organisation. For a technology or pharmaceutical company, it might be their patents and intellectual property. For a retail company, it may be upcoming product names and their customer websites. For an investment bank, it might be a pending merger or acquisition. Exposure of these assets often leads to business risks, such as loss of revenue, reputation or competitive advantage. Adversaries will make use of this online exposure; using exposed credentials to conduct account
takeovers, leverage intellectual property to conduct corporate espionage, impersonating brands to launch phishing attacks, and exploit vulnerabilities in external infrastructures. Organisations must, perforce, think about the type of sensitive data they hold, and how this might be appealing to a range of threat actors. From there, organisations can think about the way’s adversaries might access this information, and where they might be exposed. This is not, however, a static exercise. It is vital that leadership teams keep their security counterparts up-to-date on the information that must be protected. By the same token, what can be done/is being done to share TI between European businesses (i.e., encouraging more organisations with vertical sectors to join forces to share knowledge on a structured basis), and what needs to be done to make this more effective as a line of cyber defence. TI sharing is a vital element in cyber defence. However, it is difficult to achieve, and trust issues remain despite huge efforts. Initiatives typically flounder on what information specific information to share. Security risks and breaches can be embarrassing as well as linked to sensitive market or brand information that could damage reputation and credibility. This, in part, explains an understandable reluctance on the parts of many to publicise incidents further.
INFORMATION SHARING frameworks CALL FOR CULTURAL CHANGE Next, there comes the question of how can we improve this. Part of the solution – especially for business and the broader private sector is an organisation or entity that could assist in sharing by filtering sensitive data. The UK National Cyber Security Centre (NCSC) runs the Cyber Security Information Sharing Partnership (CiSP). This is a joint industry and government initiative that was set up to exchange cyber threat information in real time, ‘in a secure, confidential and dynamic environment’. In doing so the CiSP aims to increase engagement with industry and government counterparts in a secure environment and provide early warning of a range of cyber threats. It also opens the ability for organisations to learn from each other’s successes and mistakes. Furthermore, CiSP provides a useful framework; but it is only as good as the organisations which contribute to it. Greater engagement across the board will improve its usefulness as we enter the 2020s and confront the next-generation of cyber threats. There’s also a newer equivalent to CiSP for information exchange known as MISP. This is an open source TI platform. It’s geared toward gathering, sharing, storing and correlating ‘Indicators of Compromise’ of targeted attacks, TI,
financial fraud information, vulnerability information, and also even some counterterrorism information. Increasingly used by organisations worldwide (6,000+ to date), MISP is also highly regarded within NATO states. There are other initiatives well worth a mention, where the sharing of information between competitive organisations has been beneficial. Insurance companies that operate within the UK share information on suspected fraudsters via the Insurance Fraud Bureau (IFB). As well as day-to-day fraud prevention, the IFB can also become involved with the disruption of organised crime networks. It will also co-ordinate action on behalf of the industry – and that includes potential enforcement action. Although arguably not as advanced as the insurance sector, Europe’s banks similarly share certain key information with credit ratings agencies to help mitigate their risk and that of customers. C-suite and board-level executives who see tangible value in information sharing should know that it requires cultural and organisational change. To go about doing so requires training to identify what information needs to be shared, in order to improve cyber security across the entire sector. Certain threats such as those relating to impersonation, fraud and extortion, can provide useful information for risk mitigation to the wider business community, and competitive concerns about sharing it should be set aside. The strategic implementation of information sharing frameworks that
29
Sources: Left: Practical Guide to Reducing Digital Risk: Tools and Approaches for Security, Intelligence, and Fraud Teams (Digital Shadows, 2019). Right: Bridging the Digital Transformation Divide (Ponemon Institute).
FEATURE
cybersecurityeurope
UNDERSTAND THE THREAT ACTOR SPECTRUM
UNDERSTAND INTERNAL/EXTERNAL RISKS
Below: Threat actors behaviour as reflected in the diagram shows their corresponding capability level from the lowest level (hacktivist) to the highest (nation state). Each actor group is characterised from common tactics and techniques with specific capacity and capabilities. From knowing and understanding this behaviour, defence activities become more relevant/efficient. This sorting reflex also shows how targeted the attacks originating from those actors have become: hacktivist activities are widely targeted, while nation state targets are very carefully selected. Threat actors’ goals, depending on target selection and campaign objectives, extend from Fraud (criminal) to Espionage (nation state). Right: IT practitioners surveyed indicated how a review of internal IT processes, and of global change dynamics, can provide valuable TI.
80% 70%
72%
60%
65%
50% 40% 30% 20% 10%
THE RUSH TO DIGITAL TRANSFORMATION INCREASES DATA BREACH & CYBER SECURITY RISKS
THE DIGITAL ECONOMY SIGNIFICANTLY INCREASES RISK TO INTELLECTUAL PROPERTY
0% ESPIONAGE THEFT
PROXIES
HACKTAVIST CRIMINAL
INSIDER
SABOTAGE
NATION STATE
DISRUPTION DISINFORMATION FRAUD INCREASINGLY TARGETED
INCREASING CAPABILITIES
provide the right context and the required structure, can also help. The STIX (Structured Threat Information Expression) and TAXII (Trusted Automated eXchange of Indicator Information) specifications are established for that purpose, and greatly assist in automating the delivery of cyber threat information. Both STIX and TAXII are well regarded, and backed by an active community of developers and security analysts. Organisational leaders should also give due consideration to the MITRE ATT&CK knowledgebase to better understand the tactics techniques and procedures of cyber threat actors. MITRE is a globallyaccessible knowledge base of adversary tactics and techniques based on realworld observations. Use of it can help with the development of specific threat models and methodologies across vertical sectors. Frameworks and co-ordination entities are a significant step forward. However, understanding the context of certain threats remains a limiting factor. Because intelligence sharing is still at a relatively early stage, many organisations either do not know what to share or don’t know what technical or other contextual data need to be added to it or in order to contribute to overall cyber defence improvement. Proper education of what information can or should be shared therefore needs to be integrated into the
30
BEHAVIOUR
overall threat intelligence sharing concept. This will ensure that companies will not share potentially sensitive information and will make employees who share information be more confident of what to share, without the fear of exposing risk. Another sometimes overlooked consideration is the fiscal cost information sharing may have on organisational budgets and overheads. Information sharing should be part of the TI function. As such, there is not additional financial cost or resource overhead. Being part of the process means the associated analysis will always consider and utilise information
Senior execs should be part of the intelligence lifecycle: business continuity plans should reflect the importance of their engagement. shared from other sources, and will always have/use the right components and procedures, in order to make their own information shareable with other entities. Common protocol and data structure should be also part of the technical/non-functional requirements. Organisations should also strive to improve the quality of information they can acquire in relation to TI. As mentioned at the start of this article, this is based on the collection of intelligence using OSINT, SOCMINT, and HUMINT, plus technical intelligence or intelligence from both Deep- and Dark Webs. TI plays a vital role to help organisations understand how threat actors can target their organisation and the methods they use. When the understanding of threat is combined with an organisation’s unwanted exposure, it can limit the opportunities. This approach, known as ‘Digital Risk Protection’, seeks to provide rapid event detection and remediation capabilities so companies can fix issues before bad actors exploit them.
ACCREDITATION Words | Isidoros Monogioudis, Senior Security Analyst, Digital Shadows.
| digitalshadows.com. Images | Shutterstock
s Sie finden un
in
an d Halle 10.1 St
710
Schreiben Sie Ihre Story weiter. Möchten Sie die IT der KfW in einem agilen Umfeld mitgestalten? Suchen Sie interessante Aufgaben, von der Anwendungsentwicklung über Betrieb, Security bis hin zur Mitarbeit in großen Projekten? Und das in einer stabilen Arbeitsumgebung mit langfristiger Perspektive? Dann sollten wir auf der it:sa ins Gespräch kommen! Sie finden uns in der Halle 10.1 am Stand 710. Werden Sie Teil von etwas Großem: kfw.de/karriere
advertorial
cybersecurityeurope
WHEN WORLDS COMBINE Security Operations Centres can now provide cyber oversight for both enterprise IT and industrial control systems, explains Airbus CyberSecurity’s Steve Rymell. CYBER SECURITY SHOULD ALWAYS BE ALIGNED WITH THE STRATEGIC NEEDS OF THE BUSINESS AND ITS RISK APPETITE – OTHERWISE YOU could be safeguarding assets that have little value for the company or, worse still, leave critical assets without protection. Coupling the organisation’s cyber security with its strategic needs can also help reduce implementation, operation and maintenance costs significantly. Understanding your security architecture, no matter how complex or simple it is, requires adequate orchestration and monitoring. This should include maintaining tools and procedures to allow for the best protection, enabling complete visibility of the processing and security environment and support to the technical, tactical and strategic decision-making process. To make this happen, there needs to be a central point for cyber security within the organisation, and the Security Operations Centre – SOC – is just that. The SOC manages technology and processes that allow analysis of data to be obtained from various controls and external sources of information, for threat prevention, anomaly understanding and incident response. One of the most valuable benefits is that it delivers key performance indicators to enable both normal company operations to be safeguarded and security improved. It uses a complex system of both prevention and protection capabilities to increase the reliability and security of daily
operations. The core of the protection is like defending any network and includes intrusion detection, SIEM (Security Information and Event Management) automation, network design and segmentation, as well as the management of employee privileges and robust authentication. It also includes a mix of state-of-the-art technology, procedures, policies and relationships. There is a general understanding among cyber security professionals that it is nigh impossible to prevent a hacker from accessing a given system. However, what IT professionals can control is the extent to which the attacker can navigate across networks without being detected – hence why it is crucial to have the SOC as a centralised realtime defence. One of the most common forms of attack used by cyber criminals is phishing emails. If a SOC was employed, the team would identify and remediate the threat as quickly as possible. In addition to this, the SOC will also carry out forensics, tracing back through the attack lifecycle to locate the source of threat. This will give a better understanding of why it was successful, and of how the organisation can prevent it from happening again in the future. Critically, the SOC must be managed by experts with a holistic vision, to effectively maintain technical relationships on a global scale that allow it to perform intelligent analysis, adding value to its service, and enabling it to detect threats or prevent attacks.
Airbus CyberSecurity is a European specialist in cyber security. Our mission is to protect governments, military, organisations and critical national infrastructure from cyber threats. We provide a global cyber defence approach that aims to protect, detect and respond to cyber threats with a portfolio that includes
managed services, consultancy, training, industrial control systems, platform security and high grade encryption. Pictured below: Steve Rymell, Airbus CyberSecurity.
DETAILS For more information please go to: | airbus-cyber-security.com | contact.cybersecurity@airbus.com
32
Although technological and procedural needs are similar for both the world of IT and Operational Technology (OT), the priorities for the OT environment are radically different. The OT world is comprised of specialist technology. This includes electronic devices with different operating systems (many of them legacy), different logic programming, special protocols for industrial needs and industrial control systems As far as cyber security is concerned, the fundamental pillar for OT is the operation’s availability. Frequently, an incident in the OT infrastructure can be catastrophic and it is necessary to have professionals with experience both in IT and OT systems – a very scarce skillset. Cyber criminals know about both IT and OT worlds, and fully understand the sensitivity of OT networks and systems. For this reason, it is important to converge both IT and OT security into the SOC. This will also help the organisation meet the growing list of industrial compliance and regulation standards, which can also act as a baseline of defence against basic weaknesses and security threats. A convergent SOC must cover all levels of the protection model for industrial control systems, maintain a high visibility of all layers, and be able to perform multi-vector threat analysis and response. Above all, the work should not only be done by SOC specialists but should also provide facilities for collaborative work with the company’s expert operational personnel. Dialogue between security specialists and operators is
essential for the development of a solid understanding of critical assets, how they work, how they are connected, and how they could be fixed.
WHY TRUST IS NOW PARAMOUNT A convergent SOC with experienced personnel is important; however, it will not be able to fulfil its mission without trust. SOC teams must provide an uninterrupted service, and handle several business models (in-house, ‘as a service’, hybrid), taking into account that, in most cases, better return on investment comes from the ‘as a service’ model.
Cyber criminals know about IT and OT – so it’s important to converge the security of both into the SOC. The best way to protect the infrastructure of the industrial sector, avoid ‘alert fatigue’ and get a better return on investment is to have a specialised SOC. With a dedicated SOC at the heart of security, organisations will be given the chance to act in advance of incoming threats. Steve Rymell (pictured left) is Head of Technology at Airbus CyberSecurity. Airbus CyberSecurity is at the it-sa 2019 IT Security Expo and Congress – Hall 10.1 / 10.1-428.
33
EUROFOCUS
cybersecurityeurope
HOLLAND The Low Countries are on high alert as the Dutch seek to make the Netherlands Europe’s cyber-securest country for business.
THE NETHERLANDS, LIKE OTHER NATIONS IN EUROPE, IS CONFRONTED BY TWO ESTIMABLE CYBER SECURITY CHALLENGES. One of these is well known: how to protect its citizens, society and economy from harm posed by cyber criminals, state-sponsored agents, and other malevolent online threats. The second challenge is to make its financial environments secure for the safe conduct of the trade and investment its economy needs. As Europe’s economies rely increasingly on investment from around the world to fund economic growth and sustainability, concern grows that venture capitalists from outside the continent will be deterred from economies beset by cyber threats. Or, to put it another way, they are more likely to invest in economies known to be digitally protected places for business venture. Furthermore, the Netherlands itself is a vibrant digital consumer market. By 2017 the Netherlands had an internet penetration rate of 98% (against a European average of 87%), according to Statistics Netherlands-CBS. Additionally, the Netherlands is a frontrunner in online banking with more than 80% uptake, and its citizens and businesses represent Europe’s fourth largest ecommerce market. Despite its comparatively modest size and population, as the country becomes more connected and its economic future becomes more digitally-dependent, it must also address cyber security and become a ‘safe place to do business’. FACTS
AMSTERDAM INTERNET EXCHANGE The Netherlands saw the strategic value in positioning itself as the Internet gateway to the European continent and its markets. The Amsterdam Internet Exchange (AMS-IX) was established in 1994 as a not-for-profit,
24 34
neutral, and independent peering organisation, now interconnects with more than 800+ communication networks: Internet Service Providers,
telecoms carriers, mobile operators, content providers, web hosting and cloud companies, TV broadcasters, gaming companies and other digital
businesses. AMS-IX has expanded to five continents, and is probably now the world’s largest Internet exchange. Its status means that it’s probably one of the parts of Dutch national infrastructure most targeted by attackers.
35
EUROFOCUS
cybersecurityeurope
The Netherlands government has historically made this issue central to its national cyber doctrine: a cyber-secure digital environment helps national and international economic growth, and attracts money from overseas. “If we are to continue to be able to exploit the opportunities of digitalisation in the longterm, we must be able to securely navigate the digital world,” said the Netherlands’ Minister of Justice and Security in the introduction to his country’s National Cyber Security Agenda. “Cyber security is now the foundation for all successful entrepreneurship and administration and for confidence in the digital domain: this shared interest means that we are mutually dependent and share responsibility for national security.” The Dutch embarked on this programme emboldened, arguably, by their digital maturity: the country embrace the internet revolution of the 1990s much faster – and more enthusiastically – than any other EU state, both in terms of state endorsement and social adoption. Much of its national cyber security policy is framed in the context of economic defence. A 2017 assessment by the Potomac Institute for Policy Studies – entitled Netherlands Cyber Readiness – declared that the country has become one of the world’s ‘most technologically advanced and highly connected countries’, one that it ranks among the top 10 most connected countries globally. The Dutch National Cyber Security Centre (NCSC)’s Cyber Security Assessment Netherlands 2018 study quotes the Dutch Government’s ‘Economic and Social Need for More Cyber Security’ report as noting that the Netherlands has developed into one of the most IT intensive economies in Europe: this it owes to its well-developed digital infrastructure. However, this lead has also
36
meant that the county has suffered greater exposure to digital threats and digital risks earlier and more extensively than other European nation states. Of course, none of the developed world’s economies are now immune to the cyber threat scourge; and even though much cyber attack activity emanates from internal economic competitors, as a centre for global financial activity, it’s not surprising if the Netherlands’ financiers, industrialists, and its homeland security agencies, have profound concerns about the impact it has on their national economic health.
NATIONAL ROLE IN EUROPEAN CYBER DEFENCE Digital maturity also brings extra levels of state responsibility. Countries are highly dependent upon each other precisely because the digital domain has a cross-border nature. The Amsterdam Internet Exchange (AMS-IX) is the world’s third-largest Internet exchange point by size (maximum throughput 6,663Gbps): thousands of businesses rely on it. Attacks on Dutch digital infrastructure by malevolent Dutch or foreign threat actors would result in huge problems in other countries around the world. Those countries could hold the Netherlands accountable at a national state level. The governance of this mighty status has become more crucial since 2016, the Potomac Institute for Policy Studies Netherlands Cyber Readiness report suggests. This is because the Netherlands could ‘bridge’ the UK and Europe during the former’s transitional relationship with Europe due to Brexit: ‘The Netherlands has also the opportunity to position itself as a more politically stable country for conducting business during a time of increased populist movements throughout Europe’, the report avers. Yet despite this aspiration, the Netherlands faces high levels of cyber crime, industrial espionage, disruption of critical services, and other malicious cyber activities. So, the Dutch take their stately cyber security responsibilities very seriously. The Netherlands is also host to a multitude of important panEuropean cyber security bodies and law enforcement agencies. They include the already-mentioned NCSC (the Netherlands central information hub
FOCUS
NETHERLANDS CYBER CRIME TRENDS SNAPSHOTS
OTHER
16%
17% INDUSTRY
UTILITIES
PUBLIC SECTOR
SMES 4%
FINANCIALS 9%
11%
15% IP INTENSIVE
Expected cyber risk per sector: although the expected risk has decreased slightly, the value-at-risk level has increased for most industries, which implies higher uncertainty factors. A 2017 study by Deloitte, Cyber Value at Risk in the Netherlands, found that most sectors that experience high levels of cyber risk are had experienced similar levels of exposure to the previous year; Technology, Electronics & Life Sciences; Security, Defence & Aerospace; Public and Banking. Deloitte saw significant rise in threat levels for Business & Professional Services (due to more accurate modeling of the risk of losing their license to operate), and Utilities (due to increased activity of Strategically Motivated actors in this domain).
28%
The Cybersecurity & Cybercrime survey is a new pilot study that was conducted by Statistics Netherlands-CBS in collaboration with the Dutch national police force toward the end of 2018. In total, 100,000 Netherlands citizens were surveyed, of who more than 38,000 participated. Primarily, the survey aimed to map cyber crime victimisation among citizens as accurately as possible.
DUTCH CYBER CRIMES BY CRIME TYPE
DUTCH CYBER CRIME VICTIMS BY AGE RANGE
Crimes relating to money or property theft affected 4.6% of the sample. Hacking affected 1.8%; 1% fell victim to identity theft without incurring financial loss.
At 12%, young internet users between the ages of 12 and 25 were most likely to fall victim to cyber crime. Among the over-65s, this share was less than 4%.
Source: Statistics Netherlands Cybersecurity & Cybercrimesurvey (2018).
Source: Statistics Netherlands Cybersecurity & Cybercrime Survey (2018).
TOTAL
PROPERTY CRIME
12 TO 17YRS 18 TO 24YRS
HACKING
25 TO 34YRS INTERPERSONAL INCIDENT, NOT SEXUALLY-ORIENTATED
35 TO 44YRS 45 TO 54YRS
INDENTITY THEFT WITHOUT FINANCIAL LOSS
55 TO 64YRS 65 TO 74YRS
INTERPERSONAL INCIDENT, SEXUALLY-ORIENTATED
75 YRS AND OVER 0
1
2
3
4
0
MORE INFORMATION
2
4
6
8
10
12
FULL REPORTS AVAILABLE AT...
Netherlands Cyber Readiness 2017 | potomacinstitute.org/academic-centers/cyberreadiness-index Cyber Value at Risk in The Netherlands 2017 | deloitte.com/nl/nl/pages/risk/articles/cyber-securitycyber-value-at-risk-in-the-netherlands-2017.html
37
EUROFOCUS
cybersecurityeurope
and centre of expertise for cyber security), the Hague Security Delta (HSD), Europol and its EU European Cybercrime Centre (EC3), the European Network for Cyber Security (ENCS), the NATO Communications & Information Agency, Netherlands Defence Intelligence and Security Service (DISS), and the Cyber Security Academy (CSA). Just about all of these are located in or near The Hague. It’s probable that having them at work within its borders has, on occasion, drawn Dutch cyber threat counteraction into the public arena. The most high-profile recent example of this is April 2018’s disruption by DISS of a cyber operation being carried out in The Hague by a Russian military intelligence team. Their target was the Organisation for the Prohibition of Chemical Weapons (OPCW). This body’s mission is to implement the provisions of the Chemical Weapons Convention. The Russian operatives had set up in a car close to the OPCW headquarters as they prepared to hack into its IT infrastructure via its Wi-Fi network, reportedly. Before they could strike, they were apprehended by DISS officers. The Russians, who reportedly travelled on diplomatic passports, were subsequently deported back to their homeland. “Our exposure of this Russian cyber operation is intended as an unambiguous message that the Russian Federation must refrain from such actions,” commented Dutch Defence Minister Ank Bijleveld. “The Netherlands is responsible for protecting international organisations within its borders, and that is what we have done.”
38
The growth in cyber security systems in The Netherlands, can (at least partly) be attributed to the gamut of national laws and regulations that contain security obligations and requirements, notably the Wet Bescherming Persoonsgegevens, and the EU GDPR (General Data Protection Regulation). National policy guidelines also feature in the National Cybersecurity Strategy as well as a Defence Cyber Strategy, which are both implemented by the NCSC. Additionally, the Dutch Parliament has approved the installation of a Digital Trust Centre (DTC) that will serve to improve cyber security of ‘non-vital’ sectors – e.g., cyber-vulnerable SMEs.
ECONOMIC IMPACT TO BUSINESSES Despite – or possibly because of – its redoubtable cyber defensive stance in both policy and practice, the Netherlands is subject to a high volume of cyber attacks. And, in terms of financial losses, it hurts. As long ago as 2014, McAfee reported that cyber crime cost the Netherlands at least €8.8bn per year. Deloitte’s 2017 study Cyber Value at Risk in the Netherlands estimated that the Dutch economy loses an expected €10bn in value per year, or approximately 1.5% of its GDP, to cyber criminals. The size of this impact is, in part, reflective of the extent to which the Netherlands’ economy has become
The Dutch embraced the internet revolution of the late-1990s much faster – and more enthusiastically – than any other EU state.
digitalised in recent years. This is about the same estimated amount suffered by the UK, which has a much higher value GDP. Many of the Netherlands’ organisations are challenged by maintaining effective cyber defences against onslaught after onslaught, at a time when they are also having to wrestle with digital transformation. For most large Dutch organisations, the uncertainty and impact created by cyber risk are significant, but – reports suggest – do not nullify the benefits of their transitioning business operations to wholly digital enabling technologies (see ‘Into the Unknown’, page 84). How sensitive this balance is is reflected by Deloitte’s view that, of the expected loss, approximately 75% - or €7.5bn - is loss of opportunity, and in turn, about 65% of that is long-term impact that materialises more than a year later. Of the total expected impact of €10bn per year, Deloitte attributes €9bn to large organisations, and the remaining €1bn is borne by SMEs (while accounting for 30% of total GNP income). And then there is the fallout of GDPR enaction. When the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, DDPA) released its GDPR fining policy, it was the first EU information commission to do so. While the DDPA has yet to explicitly state how it will categorise GDPR violations, it has made public a list of what it calls ‘relevant factors’ to determine a severity of a violation. Factors include the duration of the infringement, the number of data subjects (people) affected, how quick the company reacts, and what type of personal data is involved. The DDPA did not issued its first GDPR penalty until July 2019. A fine of €460,000 was imposed on the Dutch Haga Hospital for having an insufficient internal security of patient records.
CRITICAL NATIONAL INFRASTRUCTURE EXPOSURE The Netherlands’ name originates in the native-language reference to its low elevation and flat topography, with only about 50% of its land exceeding around 1m above sea level, and nearly 17% of Dutch territory actually falling below sea level. The country depends on its extensive system of canals, locks, and flood defences to manage its geographical challenges. As such, the Netherlands’ water control infrastructure constitutes a major part of its crucial national infrastructure – and is thus a primarily target for cyber attackers who could exploit vulnerabilities for the purposes of extortion, or just to malicious ends. High-profile concern was raised in a report published earlier this year (2019), the Dutch Court of Audit declared that the Netherlands waterworks systems is not sufficiently protected against cyber attacks. The report was acutely wide-ranging in its criticism of the slow progress the Rijkswaterstaat – the Dutch Directorate-General for Public
Works & Water Management – is making toward making its infrastructure more cyber secure. Several of the waterworks managed by Rijkswaterstaat have been designated as ’vital’ (i.e., critical), which means that an attack on any of these can have major consequences for the Netherlands, and could prove much more of a risk than unforeseen natural disaster or technological malfunction. The waterworks function on automated systems that mostly date from the 1980s and 1990s; this maturity leaves them largely unsecured against contemporary cyber threats. Furthermore, these legacy systems have, over time, been connected to centralised IT networks, to make them remotely controllable. Security on these systems was similarly not designed to be secure against malicious digital interference. The Court of Audit also found that not all these vital waterworks are connected to Rijkswaterstaat’s Security Operations Centre (SOC): ‘As a result, there is a risk that Rijkswaterstaat will not detect a cyber attack or detect it too late’, warned the report. In its conclusion, the Court of Audit has advised the Dutch government Infrastructure and Water Management to investigate the current threat level against the waterworks and report back on whether additional people and resources are needed to close the risk gap.
ACCREDITATION Words | James Hayes Photography | Shutterstock
39
www.sans.org/emea
The World’s Largest and Most Trusted Cyber Security Training and Certification Provider SANS MUNICH NOV 2019 18 - 23 NOV
SANS VIENNA JAN 2020 27 JAN - 1 FEB
SANS FRANKFURT DEC 2019 9 - 14 DEC
SANS ZURICH FEB 2020 24 - 29 FEB
SANS extensive training curriculum includes: Digital Forensics Incident Response Pen Testing Secure Software Development
Security Awareness Cyber Defense Management Audit Industrial Control Systems
“Learned a lot on the first day and this is a six day course. Imagine what we will learn and benefit from after we complete the course!” LEE KIN SANG, DEUTSCHE BANK. SEC501
+44 203 384 3470
www.sans.org/emea
emea@sans.org
@sansemea
Kevin Lemmer
Security Analyst at Bosch CERT
Ever since Robert Bosch founded the “Workshop for Precision Mechanics and Electrical Engineering” in Stuttgart in 1886, the company – today known as Bosch – is characterized by innovative strength. As a leading IoT company, Bosch today offers innovative solutions for smart homes, smart cities, connected mobility, and connected manufacturing. It goes without saying that security plays a huge role in those innovations, which led Kevin Lemmer to stay at the company after his internship. Kevin Lemmer is quite the rookie at security, he is the first to admit. “A year and a half ago I graduated from Stuttgart Media University. I studied Computer Science and Media. There wasn’t a focus on security in particular, but I did my internship at Bosch and got into security when I was working in the antivirus-team.” He wrote his bachelor thesis in the field of Cyber Threat Intelligence whilst he was at Bosch, made many connections with colleagues while he was working there and when he graduated, was offered a job as a security analyst.
“There are so many things related to security. It is really hard. You have to continuously work to gain and keep knowledge and expertise” Security is hard “It is hard,” says Lemmer, who followed the SEC504 course (Hacker Tools, Techniques, Exploits, and Incident Handling) at SANS a few months ago to get up to speed in his new field of expertise. “There are so many things that are related to security. If you really want to be good at it, you better know all the products in use, all the system and network components
CASE STUDY “You have to continuously work to gain and keep knowledge and expertise” including their configurations in detail. Plus all the latest relevant security knowledge that you have to keep up to date.” But Lemmer is determined. “You have to educate yourself and luckily I have colleagues that push me to a next level, so I can elevate my skills.” He also praises his employer for sending him to the SANS course. “I am grateful Bosch sends me out to different courses to help me gain the knowledge I need for my job.” Improving quality of life The Bosch Group is a leading global supplier of technology and services. Its operations are divided into four business sectors: Mobility Solutions, Industrial Technology, Consumer Goods, and Energy and Building Technology. The company uses its expertise in sensor technology, software and services as well as its own IoT cloud to offer its customers connected, crossdomain solutions from a single source. The Bosch Groups strategic objective is to deliver innovations for a connected life. Bosch improves quality of life worldwide with products and services that are innovative and spark enthusiasm. Huge skillset That enthusiasm and drive can be found in Lemmer as well. “The team I work for takes care of the Bosch IT infrastructure. We do a lot of incident response, including network and host forensics, vulnerability management, and malware analysis. If any kind of potential security incident happens, like a system is compromised or we see suspicious network traffic, we step into action.” Therefore, Lemmer is highly motivated to keep up with his teammates. Lemmer would also like to get additional training and take a course in incident response and forensics at SANS.“I have this colleague, and he has been doing forensics for decades now. His skillset is impressive, and he is somebody that I really look up to.”
“The cheat sheets by SANS are absolutely brilliant!” Awesome teacher Lemmer is really enthusiastic about the previously mentioned SANS course he followed a few months ago. “The teacher was awesome! Not like in school, but super knowledgeable with a great skills perspective. He shared a lot of personal insights on security issues. Also from a didactic point of view, the course was very professional.” The free resources SANS offers, like the Reading Roomand webinars, are frequently used by the young security analyst. “If I come across something I don’t know yet, I prefer using SANS resources to do research for the challenge I’m faced with. Also, the cheat sheets they provide are absolutely brilliant.” Netwars and table top exercises The one thing Lemmer regrets is that there wasn’t enough time to really built relationships during the course. “We attended with a few colleagues, and you know how that goes. People that already know each other, have a tendency to stick together.” His favorite part of the SEC504 course? “Definitely Netwars. We were all in the same room and had to solve various challenges. Another thing I really liked was the table top exercise where we acted like there was a real incident, but only had pen and paper to resolve it. That was a great idea, that I took back to our own company.” Lemmer is still young, but very ambitious in his new field. “I want more experience in the field of forensics, and after that I would really like to learn more about penetration testing and eventually move up to a strategic level.” We’re sure this won’t be the last we hear of Kevin Lemmer.
SANS COURSES THAT KEVIN HAS TAKEN: SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
V I S I T S A N S O N S TA N D 9 -3 5 6
Protected data without performance losses Mobile working & data security are hot topics. Thanks to mobile storage solutions, employees have access to data whenever they need it. However, this mobility & accessibility carries underestimated risks for corporate IT security. In the age of cloud, securing & encrypting physical storage devices is still a priority. Although the cloud has become more secure, employees still store data and documents locally on their hard disks & USB drives. The mobile workplace, the risk for unwanted data processing or data theft is enormous whether this is due to human error, negligence or malicious intent. With the loss of data, companies are faced with potential fines and damage to the reputation. Comprehensive encryption of mobile storage devices is imperative. Advantage of full encryption of a laptop using selfencrypting drive technologies (SEDs) and USB sticks with hardware-based encryptIon: The encryption is stored directly on the storage device, making it impossible to read the data Efficient protection against malicious program codes and common attacks. Hardware-based encryptions use their own processor mounted directly on the drive. Since the encryption happens directly on the hard drive, regular software updates and a considerable administrative effort are omitted.
Efficient management of the encryption brings significant benefits The Trusted Computing Group (TCG) offers an internationally acknowledged framework for efficient integration into everyday work. When using TCG Opal-compatible drives such as the Kingston UV500 family, the company not only gets the benefits of a SED, but also has access to a manageable framework. This provides protection and security for the data. Operating costs are reduced as the deployment of encryption is significantly more efficient. When it comes to data security both in the office and in the mobile workforce, it is key to companies how they prepare to mitigate the risk of data loss. With over 30 years of experience, the storage manufacturer Kingston Technology is a reliable and powerful partner in mobile data security solutions. The SED solutions are DSGVO-compliant, TCG opal compatible and offer an enterprise and user-friendly solution. It protects data without performance losses.
Christian Marhoefer Regional Director, DACH Kingston Technology Europe LLP
www.kingston.com Š2019 Kingston Technology Europe Co LLP and Kingston Digital Europe Co LLP, Kingston Court, Brooklands Close, Sunbury-on-Thames, Middlesex, TW16 7EP, England. Tel: +44 (0) 1932 738888 Fax: +44 (0) 1932 785469. All rights reserved. All trademarks and registered trademarks are the property of their respective owners.
cybersecurityeurope
advertorial
Defending your data against ransomware calls for a holistic approach to your cyber security strategy, according to Cybereason’s Sam Curry. A SLEW OF HIGH-PROFILE RANSOMWARE ATTACKS IN 2019 IN EUROPE ALONE, with several municipalities having agreed to handover cash ransoms, begs the question of where to pay – or not to pay – to have your files decrypted. What does paying a ransom mean? It means that your data will be returned, following the risky assumption that criminals will honor a deal. This does not guarantee that normal operations can resume, but it does mean that the healing process can begin. If you’re a hospital that has patients on the table with surgeons unable to continue surgery, recovery is a big deal. What do you do after you have re-established critical operations? Do you report the incident – and if so, to who? Do you engage in rebuilding operations as they were before? Or do you seek to learn from the incident and start a new, painful journey? It also means that the ‘dark side’ gets an influx of cash. This is not insignificant, because it proves the business model of the ransomware writers, and the criminal networks that they are tied into. It enables them to hire more people, make new deals, and ramp-up operations.
many forms of cyber THREAT Counteraction In the private sector, ransomware infections trigger a crisis and immediate risk-based decisions. Those organisations prepared for an eventual attack will do better than those that are caught flat-footed, so to speak. COMPANY INFO
The ultimate goal for defenders has to be the maintenance of resilience and the removal of fragility. The key capabilities should be to identify ransomware early, to know if a breach has occurred or not – you can have one without the other – to limit its spread, to recover data from backups, to resume operation, and to prevent re-infection. If we can reduce the recovery time to zero, we won’t need to pay the ransoms; we will be able to ignore them. We are not there yet – but we can work on getting closer. We can practice. We can seek to improve all of these capabilities incrementally. Sam Curry (pictured below) is Chief Security Officer at Cybereason.
CYBEREASON
Cybereason was founded by former intelligence officers in the Israeli Defense Forces. Its flagship product, the Cyber Defense Platform, gives the advantage back to the defender through a completely new approach to cybersecurity. Cybereason offers Endpoint Detection and Response, Next-Generation Antivirus,
and active monitoring services. The Cybereason suite of products provides visibility, increases analyst efficiency and effectiveness, and reduces security risk.
CONTACT DETAILS For more information please go to: | cybereason.com | cybereason.com/contact-us
43
BÖSARTIGE BOTS
Price scraping Price scraping means ‘scraping’ (copying) price information from an e-tailer’s webstore. It is most common in sectors where product lines are easy to compare, and purchase decisions are usually price-sensitive. Armed with real time pricing data provided by the bots, a price-scraping perpetrator gains an advantage by dynamically adjusting its own product prices in order to match or undercut its competitors. Content scraping Content scraping is the use of bots to duplicate proprietary aggregated online copyrighted or trademarked content, such as directories or reference guides, and then reuse it for illegitimate purposes. It can be characterised as intellectual property theft or plagiarism. The practice can be damaging to websites that invest resources in the aggregation and monetisation of big databases – online local business listings or online product catalogues, for example. If the scraped content is made freely available in the public domain, the original data owner’s business model is undermined; and if the scraped content is used to spam or for email fraud, their market reputation is damaged. Denial of Service attacks According to Neustar’s Global DDoS Attacks Insights Report (2017), a DDoS attack at peak times can cost a targeted enterprise at least $100,000 per-hour in lost revenue. The cost of undermined customer and advertiser relationships is harder to quantify, but likely causes just as much damage. Botinfected devices exhaust resources with DDoS attacks. Ransom DDoS attacks – where companies being extorted for protection money – are also on the rise, Neustar says. Forrester’s Stop Bad Bots From Killing Customer Experience report notes that bot-infected devices can strain IT security resources with DDoS attacks, and weaken their ability to guard against other forms of cyber assault. The proliferation of IoT devices and ‘bot-for-hire’ services (bad and good) has made DDoS an attractive attack method for cyberattackers. They launch DDoS attacks by infecting connected devices with bots. They then direct them to disrupt routine customer traffic and applications. The Mirai botnet targeted domain name service provider Dyn, in a DDoS attack that made the websites of many Dyn customers inaccessible. Dyn lost up to 8% of its customerbase as a result, some reports suggested. Denial of inventory Denial of inventory, known also as ‘inventory hoarding’, causes product items to be automatically held in online shopping trolleys without intention to purchase. With legitimate buyers prevented from purchasing the apparently ‘out of stock’ items, the targeted retailer loses revenues from sales to actual customers — with bots often picking the retailer’s most popular products. As well as ongoing loss of sales, if these attacks happen often enough the seeming perpetual absence of inventory can undermine the website’s credibility and kill repeat custom. Card testing fraud In this form of bad bot attack, cyber criminals first test stolen credit card details by making small online purchases on smaller, more vulnerable ecommerce sites. They must check the validity of the credit card details, and this tactic allows fraudsters to go mostly unnoticed by fraud detection solutions. Once they confirm the credit card is valid, they proceed with making higher-value purchases with larger online retailers. The given fraudster is now a recognised customer, so there’s a chance the order will not be flagged to the legitimate card holder as being suspicious. Typically, criminals use bots to test the card information, then target merchant sites that provide automated responses that provide decline details. With this information, payment protection specialifist Verifi explains, fraudsters can adjust the credit card details to increases their chances of success. For instance, when a merchant website indicates that a card’s expiration date is incorrect, a fraudster can use the Dark Web and other tactics to determine the correct expiration date. These bot-driven transactions cause losses to retailers through chargebacks, logistics costs – and lost shipped goods. Credential stuffing Credential stuffing uses bots to make repeated account access attempts by rapidly ‘stuffing’ stolen credentials – username and password combinations – into the login fields. When the logins succeed, attackers take over the accounts, and use them for nefarious purposes. Because so many account owners use the same credentials for their accounts, the success rate and pay-off for attackers can be high, while the bots do all the grunt work. Many organisations do not realise, says Martin McKeay, Senior Security Advocate at Akamai, that credential abuse and account
-ILAM
SUOICILAM
cybersecurityeurope
FEATURE
‘Bad bots’ will screw up your business operations from several directions at once, so it’s important to know the different types of bots intent on cramping your commerce. EVEN THOUGH THE LEVEL OF MALICIOUS – OR ‘BAD’ – BOTS AS A PROPORTION OF INTERNET TRAFFIC SEEMS TO HAVE decreased slightly over the last year (2018-2019), the harmful impacts they have on business operations continue apace. Bad bots are also diversifying in respect to the commercial sectors they target. According to bot mitigation specialist Distil Networks, just about every business and industry vertical now has its own bad bot problem and bot operators syndicate. Bad bots are software programs created or used by cyber threats to automate their various attack plans. Business operations are particularly exposed to this threat because bad bots have a deleterious effect across a range of commercial activities. They interact with applications in the same way a INSIGHT
legitimate user would. They enable cyber attackers, competitors and fraudsters to perform an array of malicious activities. And because it is largely an automated phenomenon, there’s no let-up in the problems they cause – which places additional pressure on already stretched cyber defences. If a 2018 report from the Ponemon Institute and Radware is correct, more than 52% of all web traffic now emanates from automated sources such as bots – of both good and bad variety. For some businesses, it can constitute as much as 75% of the traffic visiting their websites. Much of this automated traffic is categorically benign, or ‘good’ bots. It provides critical customer services and represents standard engagement models, such as search engine traffic, chatbots, virtual assistants, and suchlike. Bad bots,
‘STOP BAD BOTS FROM KILLING CUSTOMER EXPERIENCE’: FORRESTER (2018). ‘Business-logic bots learn company policies and processes. Applications that give information about your products and services to potential customers often contain business logic, which bad bots learn and exploit. Attackers could use bots to create a series of customer profiles and learn how a loan processor sets interest rates or how an insurance firm decides what policies to recommend. Competitors could use this info to undercut prices; criminals might use it to manipulate a customer service agent.’
45
FEATURE
cybersecurityeurope
BAD BOT VS. GOOD BOT VS. HUMAN TRAFFIC BY VERTICAL SECTOR By examining traffic from various industries across 2018, a deeper insight into the bot problem is revealed. As more organisations add bot management to their security profile, a larger data set can be gathered across a wider range of verticals – business and industry, private and public sectors. Source: Distil Networks 2019 Bad Bots Report. 57.2
57.1
54.5
57.1
69.5
63.6
43.0
0.1
1.2
25.9
25.8
78.5
however, can be used for a range of nefarious purposes, such as steal (or ‘scrape’) website information, commit fraud, or skew performance metrics. And in the course of doing all this, they disrupt a business’s ‘good’ customer traffic. Bad bots affect all types of applications, including web, mobile, and APIs. Although IT security leaders are in the frontline of deploying ways to deal with bad bots, business leaders should also be concerned about their impact, for several key reasons. First, bad bots compromise the security of enterprise applications. Malicious online attackers can use bots to gain access to applications, gain proprietary knowledge about a business, and then misappropriate commercially-valuable data. Second, bad bots degrade internet availability and performance. Botnets made up of thousands of bots make it easy to mount distributed denial of service (DDoS) attacks. These attacks cause critical applications to experience lowered performance and availability. They can even bring down critical support systems. Just the presence of bad bot web traffic mixed in with legitimate traffic can cause performance issues for online customers. In one case, a company that eliminated bad bot traffic saw web traffic decrease by 66%, while their website page speed and performance doubled (as Business Computing World reported in 2017). Bad bots also distort the information senior managers use to make business decisions. In the digitalised marketplace, enterprises make many decisions about how to best serve customers by using
33.3
30.0
29.9
26.9
HUMANS
0.8 INSURANCE
IT & SERVICES
EDUCATION
TICKERTING
FINANCIAL
20%
6.4
0.5
AIRLINES
34.4
GAMBLING & GAMING
37.9
DIGITAL PUBLISHING
39.3
9.7
GOVERNMENT
42.2
11.1
5.0
ADULT ENTERTAINMENT
40%
3.5
MARKETING & ADVERTISING
1.6
46
73.0
30.0
60%
0
74.0
20.7
GOOD BOTS
56.2
KEY : BAD BOTS
80%
data about who they are, when they buy, and what they buy. Such calls are often made ‘on the fly’ and informed by data streams analysed in real-time. Marketing teams reward bigger advertisement budgets to the last site a customer visited before purchasing a firm’s products or services; and customer experience (or ‘CX’) specialists use data about customer behaviour to push engagement. Bad bots that interact with a company’s applications alongside their customers skew this data. This causes these decisions to be misinformed or plain wrong, analytical insights and opportunities missed.
HOW THE BOT PLAGUE BITES BUSINESS
As Globaldots’ 2019 Bad Bot Report wryly points out, for a business whose websites, mobile apps, or APIs are the target of malicious bots, the adverse impacts pile up one against another. Not only do such targeted enterprises have to deal with the competitive pricing pressures that result from bad bot actions like data scraping – more about that later – but they also must maintain infrastructure uptime and redundancy so that real customers aren’t inconvenienced by the invasive traffic. In addition, they also suffer from skewed decision-making metrics, because their web traffic has been ‘polluted’ by bad bots, as Globaldots puts it. Meanwhile, as Distil Networks’ recent bad bots study points out, mitigation of bad bot intrusion is just as fiddly and resource-draining as the bots themselves. For instance, one method would be to positively ID every single website visitor – human and/or bot. Sales executives will know that a priori requests for identity validation can inhibit or deter customer engagement, so this method has limited appeal, even if proven effective. Malicious attackers make use of bad bots to actively compromise customer touchpoints to ruin customer experience and commit fraud. Altogether, these bots can create a negative brand perception for your company. Therefore, organisations of all types and sizes should be prepared to defend against bot attacks in all their forms. Airlines, financial services, and healthcare are among the sectors that malicious bots target the most, analysts say. Between 2016 and 2017, bad bots also caused an estimated €5.83bn ($6.5bn) in corporate losses from digital advertisement fraud, reports a study by the Association of National Advertisers (Bot Baseline: Fraud in Digital Advertising). Many senior executives will be aware of the threat posed by bots, but will be less familiar with the full gamut of bot types and bots attack vectors – i.e., the path or means via which attacks can be channelled. When reviewing the following checklist bear in mind that it’s quite feasible for a company to be attacked by bots across several vectors simultaneously.
BAD BOT VS. GOOD BOT VS. HUMAN TRAFFIC
MALICIOUS BOT ATTACKS COST MORE EACH YEAR
In 2018, 37.9% of all internet traffic wasn’t human, and there were year-over-year decreases in both bad bot (-6.4%) and good bot (-14.4%) traffic.
As a type of cyber crime attack, bad bots pose one of the lowest strike rates, but their overall impact on businesses is growing fast.
CHANGE IN BAD BOT TRAFFIC FROM 2017 -6.4%
GOOD BOTS 17.5%
Sources: GlobalDots 2019 Bad Bot Report; Accenture Security Cost of Cybercrime Study.
MALWARE (+11%) WEB-BASED ATTACKS (+13%) DENIAL OF SERVICE (+10%) MALICIOUS INSIDER (+15%)
BAD BOTS 20.4%
HUMAN 62.1%
CHANGE IN GOOD BOT TRAFFIC FROM 2017 -14.4%
PHISHING & SOCIAL ENGINEERING (+8%) MALICIOUS CODE (+9%) STOLEN DEVICES (+12%)
CHANGE IN HUMAN TRAFFIC FROM 2017 +7.5%
RANSOMWARE (+21%)
KEY : 2017
2018
BOTNETS (+12%)
US$ MILLIONS 0.5
PRICE SCRAPING Price scraping means ‘scraping’ (copying) price information from an e-tailer’s webstore. It is most common in sectors where product lines are easy to compare, and purchase decisions are usually price-sensitive. Armed with real time pricing data provided by the bots, a price-scraping perpetrator gains an advantage by dynamically adjusting its own product prices in order to match or undercut its competitors. CONTENT SCRAPING Content scraping is the use of bots to duplicate proprietary aggregated online copyrighted or trademarked content, such as directories or reference guides, and then reuse it for illegitimate purposes. It can be characterised as intellectual property theft or plagiarism. The practice can be damaging to websites that invest resources in the aggregation and monetisation of big databases – online local business listings or online product catalogues, for example. If the scraped content is made freely available in the public domain, the original data owner’s business model is undermined; and if the scraped content is used to spam or for email fraud, their market reputation is damaged.
1
1.5
2
2.5
3
DENIAL OF INVENTORY Denial of inventory (known also as ‘inventory hoarding’) causes product items to be automatically held in online shopping trolleys without intention to purchase. With legitimate buyers prevented from purchasing the apparently ‘out of stock’ items, the targeted retailer loses revenues from sales to actual customers — with bots often picking the retailer’s most popular products. As well as ongoing loss of sales, if these attacks happen often enough the seeming perpetual absence of inventory can undermine the website’s credibility and kill repeat custom.
Bad bots distort the information managers use to make business decisions. Decisions become misinformed, opportunities missed.
DENIAL OF SERVICE ATTACKS According to Neustar’s Global DDoS Attacks Insights Report (2017), a DDoS attack at peak times can cost a targeted enterprise at least $100,000 per-hour in lost revenue. The cost of undermined customer and advertiser relationships is harder to quantify, but likely causes just as much damage. Bot-infected devices exhaust resources with DDoS attacks. Ransom DDoS attacks – where companies being extorted for protection money – are also on the rise, Neustar says. Forrester’s Stop Bad Bots From Killing Customer Experience report notes that bot-infected devices can strain IT security resources with DDoS attacks, and weaken their ability to guard against other forms of cyber assault. The proliferation of IoT devices and ‘bot-for-hire’ services (bad and good) has made DDoS an attractive attack method for cyber-attackers. They launch DDoS attacks by infecting connected devices with bots. They then direct them to disrupt routine customer traffic and applications. The Mirai botnet targeted domain name service provider Dyn, in a DDoS attack that made the websites of many Dyn customers inaccessible. Dyn lost up to 8% of its customer base as a result, some reports suggested.
CARD TESTING FRAUD In this form of bad bot attack, cyber criminals first test stolen credit card details by making small online purchases on smaller, more vulnerable ecommerce sites. They must check the validity of the credit card details, and this tactic allows fraudsters to go mostly unnoticed by the fraud detection solutions. Once they confirm the credit card is valid, they proceed with making higher-value purchases with larger online retailers. The given fraudster is now a recognised customer, so there’s a chance the order will not be flagged to the legitimate card holder as being suspicious.
47
FEATURE
cybersecurityeurope
Typically, criminals use bots to first test the card information, then target merchant sites that provide automated responses that provide decline details. With this information, payment protection specialifist Verifi explains, fraudsters can adjust the credit card details to increases their chances of success. For instance, when a merchant website indicates that a card’s expiration date is incorrect, a fraudster can use the Dark Web and other tactics to determine the correct expiration date. These bot-driven transactions cause losses to retailers through chargebacks, logistics costs – and lost shipped goods. CREDENTIAL STUFFING Credential stuffing uses bad bots to make repeated account access attempts by rapidly ‘stuffing’ stolen credentials – username and password combinations – into the login fields. When the logins succeed, attackers take over the accounts, and use them for nefarious purposes Because so many account owners use the same credentials for their accounts, the success rate and pay-off for attackers can be high, while the bots do all the grunt work. Many organisations do not realise, says Martin McKeay, Senior Security Advocate at Akamai, that credential abuse and account checkers “may actually outnumber legitimate login attempts by a factor of greater than four-to-one”. SPAM RELAY F5 Labs defines ‘spam relay’ as malicious actions that involves any type of unwanted ‘spammy’ behaviour. It includes the filling of inboxes with unwanted email containing malicious links, writing and posting bogus product reviews, creating fake social media accounts to post false or biased content, racking-up page views (for example, on a YouTube video) or followers (such as on Twitter or Instagram), writing provocative comments on forums or social media sites to stir-up controversy, vote rigging (of which more below), etc. CLICK FRAUD Click fraud typically involves a form of advertising fraud – the fraud being that a bad bot, not a human, is clicking on an advert, and therefore has no intention to purchase the advertised product or service. In reality, the goal is to boost revenue for a website owner (or other fraudster) who gets paid based on the number of adverts clicked. Such bots skew data reported to advertisers, warns
48
F5 Labs in its article, ‘Good Bots, Bad Bots, and What You Can Do About Both’. They also cost companies money, because they end-up paying for non-human clicks. And, of course, those companies derive no revenue from the fakey ‘shoppers’. Click fraud can also be used by companies to drive-up the advertising costs of their competitors. Click fraud accounts for wasted spending estimated at more than €1.24bn in 2016, and is set to grow, reckons Forrester’s Stop Bad Bots Killing Customer Experience. Forrester further states that manipulation of video traffic constitutes the largest click fraud: in 2016, a security company exposed a bot that ‘watched’ video advertising to ‘earn’ around €2.7m-€4.5m per day. INTELLIGENCE HARVESTING According again to F5 Labs’ article ‘Good Bots, Bad Bots’, Intelligence Harvesting involves the scanning of web pages, Internet forums, social media sites, and other content, to find legitimate email addresses and other information that attackers can use later for spam email, fraudulent advertisement campaigns, or even phishing attacks. Many organisations instruct their employees not to include personalised email addresses on webpages or presentations posted online, if avoidable. CHECKOUT-ABUSE BOTS Some bots may actually purchase products and services, but as they do, they disrupt legitimate customer engagement. In October 2017 Checkoutabuse bots purchased some 30,000 tickets to the musical Hamilton from ticket sales and distribution company Ticketmaster by spoofing unique customer identities (some bots can create fake new accounts). Similarly, so-called ‘Sneakerbots’ are specialised bots used to buy-up limited edition sneakers (or trainers). The highly-prized footwear is then resold on auctions sites at inflated prices. This might sound small fry, but (as Forrester points out) it’s driven by a high-value resale market that was estimated to be worth more than $1bn in 2016 – or so the Financial Times has claimed (22/11/18). ‘Sneakerbots’ are available for prices as low as €8-€9 for browser extensions, and up to €400-€500 for standalone software programs.
ACCREDITATION Words | Edmund Burr Photography | Shutterstock
FEDERATED IDENTITY MANAGEMENT. ROLE-BASED ACCESS. OPEN SOURCE. DAASI International is an expert of open sourcebased federated Identity & Access Management (IAM) in Europe. The IT service provider manages a variety of
A comprehensive open source solution for Identity Governance and Administration created by Evolveum. DAASI International is the German gold partner and helps to implement the software, either with standard configuration, or as customized solution.
A flexible access management software which helps increasing security and decreasing costs within your organisation. As an official OEM partner, DAASI International assists you to design and implement your optimal implementation of Gluu.
The reference implementation of the IETF standard LDAPv3. OpenLDAP can serve as a highly scalable, high-performance authentication server in your IT infrastructure complementing or replacing already deployed directory technology.
The most commonly deployed product for federated IdM worldwide – and completely open source. DAASI International helps to adjust Shibboleth to your organisation‘s needs, e.g. with plugins to enable two-factor authentication (2FA).
Modular and highly flexible. didmos is an identity and access management framework developed and created by DAASI International. Its modular structure makes it possible to create an individual IAM solution for each customer.
An open source work platform that brings essential business applications together, e.g. CRM and instant messaging. Crust IAM, built and maintained by DAASI International, enables you to manage all users and apps on your infrastructure.
advanced technologies and solutions and offers them to a wide range of customers, including companies, higher education and public instituitions. Within an international network of partners, DAASI International provides professional services like consulting, integration and development as well as support and training for, among others, the following open source products:
GET IN TOUCH
October 8th-10th Hall 10.0 / Booth 404 Direct Exhibitor: Baden-Württemberg International
www.daasi.de
willkommen
cybersecurityeurope
FOKUS 16 Seiten deutscher Inhalt unserer it-sa 2019 Ausgabe mit einem Schwerpunkt auf drei Themen zu Cybersecurity Governance.
DER INHALT
DIE IT-SA 2019 VORSCHAU ENDET HIER, ABER DIE THEMEN DER MESSE WERDEN weiterhin nachhallen – nirgendwo mehr als im Gastgeberland Deutschland. Als die größte Volkswirtschaft und Industrienation Europas ist Deutschland einer immens großen Zahl von Cyberbedrohungen ausgesetzt. Laut einer Studie des Branchenverbandes BitKom sind 65% aller deutschen Hersteller Opfer von Cyberangriffen gewesen, mit einem geschätzten Schaden von 43 Milliarden Euro. Genau dieses Ausmaß an Risiko macht die it-sa 2019 so essentiell – für Deutschland und darüber hinaus. Der Schwerpunkt der deutschsprachigen Artikel in diesem Abschnitt liegt auf Problemen in der IT Security, die Europas Wirtschaftsbetriebe momentan bedrohen. Böswillige Bots haben beispielsweise immer größere Einwirkungen auf geschäftliche Operationen und greifen eine stetig wachsende Anzahl von verschiedensten Wirtschaftssektoren an. Nahezu jeder Sektor in Wirtschaft und Industrie hat inzwischen sein eigenes Botproblem – daher ist es zwingend erforderlich für Führungskräfte, sich mit diesen Bedrohungen zu beschäftigen. Ein anderes Thema aus diesem
50
Zusammenhang ist der Bereich der Gesichtserkennung. Moderne Gesichtserkennungstechnologien werden immer attraktiver, um den Zugang zu Arbeitsplätzen zu sichern. Jedes digitale Angriffsszenario kann zu langen Unterbrechungen der gesamten Arbeitsabläufe mit extrem kostspieligen Konsequenzen führen. Im Großen und Ganzen ist die Analyse von paneuropäischen Trends immer instruktiv. Der Data Threat Report reflektiert die Veränderungen von
Als größte Volkswirtschaft Europas ist Deutschland Cyberbedrohungen ganz besonders ausgesetzt. Datensicherheitsanwendungen in den wichtigsten europäischen Ländern auf dem Weg in die unbekannten Cyberterritorien der 2020er Jahre. Außerdem bietet der Report die neuesten Erkenntnisse über den Status und die Einsatzbereitschaft von Cybersicherheitstechnologien in ganz Europa, mit einem Schwerpunkt auf das vereinigte Königreich, Deutschland, Schweden und die Niederlande.
52 BÖSArtIGE BOT
Bösartige Bots können Ihr Unternehmen aus verschiedenen Richtungen auf einmal angreifen. Daher ist es wichtig, die verschiedenen Arten von Bots zu kennen. Wir beschreiben hier die üblichen Verdächtigen und erklären, wie sie Ihren Geschäften erhebliche Schäden zufügen können.
58 GESICHTSERKENNUNG
64 DATENSICHERHEIT IN EUROPA
Durch neue Deep Learning Technologien kombiniert mit einer Datenflut, die mit Hilfe von Cloudanwendungen analysiert werden kann, hat die Gesichtserkennung große Fortschritte gemacht. Allerdings bringt dies Herausforderungen in der Cybersicherheit mit sich.
Die europäische Ausgabe des Data Thread Report beschreibt den Stand von Cybersicherheit in Europa. Der Report beschreibt die Schwierigkeiten von Europas Regierungen und Unternehmen beim Erhalten adäquater Sicherheit und mit den Heraus- forderungen von transformativen Veränderungen.
51
BÖSARTIGE BOTS
PREIS-SCRAPINGPreis-Scraping bedeutet “Scraping” (Kopieren) von Preisinformationen aus dem Webshop eines E-Händlers. Dies ist vor allem in Branchen der Fall, in denen die Produktlinien leicht zu vergleichen sind und die Kaufentscheidungen in der Regel preissensibel sind. Ausgestattet mit Preisdaten in Echtzeit, die von den Bots bereitgestellt werden, können sich böswillige Wettbewerber Vorteile verschaffen, indem sie auf jegliche Preisänderungen reagieen und ihre eigenen Produktpreise dynamisch anpassen, um mit ihren Konkurrenten mitzuhalten oder diese zu unterbieten. CONTENT-SCRAPING Content Scraping ist die Verwendung von Bots, um proprietäre, aggregierte, urheberrechtlich geschützte oder markenrechtlich geschützte Online-Inhalte, wie Verzeichnisse oder Referenzleitfäden, zu duplizieren und sie dann für illegale Zwecke wiederzuverwenden. Es kann als Diebstahl geistigen Eigentums oder Plagiat bezeichnet werden. Dieses Verfahren kann Websites schädigen, die Ressourcen in die Aggregation und Monetarisierung großer Datenbanken investieren - zum Beispiel lokale Online-Business-Listings oder Online-Produktkataloge. Wenn der gescrapte Inhalt jedermann frei zugänglich gemacht wird, wird das Geschäftsmodell des ursprünglichen Datenbesitzers untergraben; und wenn der gescrapte Inhalt für Spam oder E-Mail-Betrug verwendet wird, wird dessen Ruf auf dem Markt beschädigt. DENIAL-OF-SERVICEANGRIFFE Laut Neustars Global DDoS Attacks Insights Report (2017) kann ein DDoS-Angriff zu Spitzenzeiten ein gezielt ausgerichtetes Unternehmen mindestens 100.000 US-Dollar pro Stunde an verlorenen Einnahmen kosten. Die Kosten der unterminierten Kunden- und Werbetreibendenbeziehungen sind schwerer zu quantifizieren, verursachen aber wahrscheinlich ebenso viel Schaden. Durch DDoSAngriffe verbrauchen Bot-infizierte Geräte Ressourcen. Auch Ransom DDoS-Angriffe - bei denen Unternehmen um Schutzgeld erpresst werden - nehmen zu, sagt Neustar. Forrester’s Bericht ‘Stoppen Sie schlechte Bots, die das Kundenerlebnis zerstören” stellt fest, dass bot-infizierte Geräte IT-Sicherheitsressourcen mit DDoS-Angriffen belasten und ihre Fähigkeit, sich vor anderen Formen von Cyberangriffen zu schützen, schwächen können. Die Verbreitung von IoT-Geräten und Bot-Vermietungsdiensten hat DDoS zu einer attraktiven Angriffsmethode für Cyber-Angreifer gemacht. Sie starten DDoS-Angriffe, indem sie angeschlossene Geräte mit Bots infizieren. Sie weisen sie dann an, den routinemäßigen Kunden-verkehr und die Anwendungen zu unter-brechen. Das Mirai-Botnet zielte auf den Domain-Namen-Dienstleister Dyn in einem DDoS-Angriff, der die Websites vieler Dyn-Kunden unzugänglich machte. Dyn verlor dadurch bis zu 8% seiner Kundenbasis, wie einige Berichte zeigen. VERWEIGERUNG DES LAGERBESTANDES Bei diesem Angriff halten Bots Produktartikel automatisch in Online-Einkaufswagen, ohne Absicht zu kaufen. Da legitime Käufer daran gehindert werden, die scheinbar nicht vorrätigen Artikel zu kaufen, verliert der betreffende Einzelhändler Einnahmen aus dem Verkauf an tatsächliche Kunden - wobei Bots oft die beliebtesten Produkte des Einzelhändlers auswählen. Neben dem anhaltenden Umsatzverlust kann, wenn diese Angriffe oft genug vorkommen, das scheinbare ständige Fehlen von Inventar die Glaubwürdigkeit der Website untergraben und wiederholte Käufe unterbinden.KARTENTEST-BETRUG In dieser Form des Botangriffs testen Cyberkriminelle zuerst gestohlene Kreditkartendaten, indem sie kleine Online-Käufe auf kleineren, anfälligeren E-Commerce-Seiten tätigen. Sie müssen die Gültigkeit der Kreditkartendaten überprüfen, und diese Taktik ermöglicht es Betrügern, von Betrugserkennungslösungen weitgehend unbemerkt zu bleiben. Sobald sie die Gültigkeit der Kreditkarte bestätigt haben, kaufen sie bei größeren Online-Händlern höherwertige Waren ein. Der genannte Betrüger ist nun ein anerkannter Kunde, so dass die Möglichkeit besteht, dass die Bestellung dem legitimen Karteninhaber nicht als verdächtig gemeldet wird. Normalerweise verwenden Kriminelle Bots, um die Karteninformationen zu testen, und zielen dann auf Händlerseiten ab, die automatisierte Antworten mit Informationen zur Ablehnung bereitstellen. Mit diesen Informationen, so der Spezialist für Zahlungsschutz Verifi, können Betrüger die Kreditkartendaten anpassen, um ihre Erfolgsaussichten zu erhöhen. Wenn beispielsweise eine Händler-Website anzeigt, dass
-ILAM
SUOICILAM
cybersecurityeurope
Artikel
Da bösartige Bots versuchen werden Ihren Geschäftsbetrieb auf verschiedene Weise zu vermasseln, ist es wichtig, die verschiedenen Arten von bösartigen Bot-Typen zu kennen. AUCH WENN DER ANTEIL DER BÖSARTIGEN BOTS AM INTERNETVERKEHR IM letzten Jahr (2018-2019) leicht zurückgegangen zu sein scheint, halten die schädlichen Auswirkungen auf den Geschäftsbetrieb an. Auch bösartige Bots diversifizieren in Bezug auf die von ihnen angestrebten Wirtschaftssektoren. Laut Distil Networks, dem Spezialisten für Bot-Minimierung, hat fast jedes Unternehmen und jede Branche heute ihr eigenes Problem mit bösartigen Bots und ein Syndikat von Bots-Betreibern. Schlechte Bots sind Softwareprogramme, die von Cyber-Bedrohungen erstellt oder verwendet werden, um ihre verschiedenen Angriffspläne zu automatisieren. Der Geschäftsbetrieb ist dieser Bedrohung besonders ausgesetzt, da bösartige EINBLICK
Bots bei einer Reihe von kommerziellen Aktivitäten schädliche Auswirkungen haben. Sie interagieren mit Anwendungen auf die gleiche Weise wie ein legitimer Benutzer es tun würde und ermöglichen es so Cyberangreifern, Konkurrenten und Betrügern, eine Reihe von bösartigen Aktivitäten durchzuführen. Und da es sich weitgehend um ein automatisiertes Phänomen handelt, lassen die Probleme, die sie verursachen, nicht nach, was zusätzlichen Druck auf die bereits überlasteten Cyberabwehrsysteme ausübt. Wenn ein Bericht des Ponemon Institute and Radware aus dem Jahr 2018 korrekt ist, stammen inzwischen mehr als 52% des gesamten Webverkehrs aus automatisierten Quellen wie Bots sowohl guter als auch böswilliger Art. Für einige Unternehmen können Bots sogar bis zu 75%
“STOPPEN SIE BÖSARTIGE BOTS, DIE DAS KUNDENERLEBNIS ZERSTÖREN”: FORRESTER (2018). ‘Geschäfts-Logik-Bots lernen Unternehmensrichtlinien und -prozesse. Anwendungen, die potenziellen Kunden Informationen über Produkte geben, enthalten oft Geschäfts-logik. Angreifer könnten Bots verwenden, um eine Reihe von Kundenprofilen zu erstellen und zu erfahren, wie beispielsweise Zinssätze festlegt oder Versicherungspolicen empfohlen werden. Wettbewerber könnten diese Informationen nutzen, um Preise zu unterbieten, und Verbrecher könnten sie nutzen, um Kundenbetreuer zu manipulieren.’
53
Artikel
cybersecurityeurope
SCHLECHTER BOT VS. GUTEN BOT VS. MENSCHLICHEN TRAFFIC NACH VERTIKALEN SEKTOREN
57.2
57.1
54.5
57.1
69.5
63.6
43.0
des gesamten Besucheraufkommens ihrer Websites ausmachen. Ein Großteil dieses automatisierten Datenverkehrs ist kategorisch gutartig, “gute” Bots. Diese Bots bieten wichtige Kundendienstleistungen und repräsentiert Standard-Einsatz-Modelle wie Suchmaschinenverkehr, Chatbots und virtuelle Assistenten. Schlechte Bots können jedoch für eine Reihe von schändlichen Zwecken verwendet werden, wie z.B. zum Stehlen (oder “Scrapen”) von Webseiteninformationen, zum Begehen von Betrug oder zum Verzerren von Leistungskennzahlen. Und dabei stören sie den normalen Kundenverkehr eines Unternehmens. Bösartige Bots betreffen alle Arten von Anwendungen, einschließlich Web, Mobile und APIs. Obwohl IT-Sicherheitsleiter bei der Bereitstellung von Lösungen für den Umgang mit schlechten Bots an vorderster Front stehen, sollten sich Führungskräfte aus mehreren Gründen auch Gedanken über deren Auswirkungen machen. Erstens beeinträchtigen bösartige Bots die Sicherheit von Unternehmensanwendungen. Böswillige Angreifer können solche Bots für eine Reihe verschiedener Angriffe verwenden: um Zugriff auf Anwendungen zu erhalten, proprietäres Wissen über ein Unternehmen zu erlangen und kommerziell wertvolle Daten zu stehlen und zu missbrauchen. Zweitens beeinträchtigen schlechte Bots die Internetverfügbarkeit und -leistung. Botnets, die aus Tausenden von Bots bestehen, erleichtern die Durchführung von verteilten Denial-of-Service (DDoS)Angriffen. Diese Angriffe führen dazu,
0.1
1.2
25.9
25.8
78.5
29.9
26.9
GUTE BOTS
0.8 VERSICHERUNG
30.0
FLUGLINIEN
33.3
GLüCKSSPIEL UND COMPUTERSPIELE
6.4
0.5
DIGITAL PUBLISHING
34.4
VERWALTUNG
37.9
ADULT ENTERTAINMENT
KARTENVERKAUF
FINANZWESEN
20%
39.3
9.7
MARKETING & WERBUNG
42.2
11.1
5.0
BILDUNG
40%
3.5
IT & SERVICES
1.6
54
73.0
30.0
60%
0
74.0
MENSCH
56.2
20.7
LEGENDE : SCHLECHTE BOTS
80%
Source: Distil Networks 2019 Bad Bots Report.
Die Untersuchung des Traffices in 2018 gibt einen tiefereren Einblick in die gute Bot/schlechte Bot/menschliche Kluft. Da immer mehr Unternehmen Bot-Management zu Sicherheitsprofil hinzufügen, kann ein größerer Datensatz über den, öffentlichen und den privaten Sektor gesammelt werden. Quelle: PwC Global Economic Crime & Fraud Survey 2018.
dass kritische Anwendungen eine geringere Leistung und Verfügbarkeit erfahren. Sie können im schlimmsten Fall sogar kritische Unterstützungssysteme vollständig zum Erliegen bringen. Allein das Vorhandensein von bösartigem Bot-Webverkehr, gemischt mit legitimem Verkehr, kann zu Leistungsproblemen für Online-Kunden führen. Ein Unternehmen, das den Verkehr mit schlechten Bots eliminiert hat, verzeichnete einen Rückgang des Internettraffics um 66%, während sich die Geschwindigkeit und Leistung der Webseiten verdoppelte (laut einem Bericht der Business Computing World in 2017). Bösartige Bots verzerren auch die Informationen, die Führungskräfte verwenden, um Geschäftsentscheidungen zu treffen. Auf dem digitalisierten Marktplatz treffen Unternehmen viele Entscheidungen darüber, wie sie ihre Kunden am besten bedienen können, indem sie Daten darüber verwenden, wer sie sind, wann sie kaufen und was sie kaufen. Solche Aufrufe erfolgen oft spontan und werden durch in Echtzeit analysierte Datenströme informiert. Marketing-Teams zahlen größere Werbepreise für die letzte Website, die ein Kunde vor dem Kauf der Produkte oder Dienstleistungen eines Unternehmens besucht hat; und Spezialisten für Kundenzufriedenheit (oder „CX”) nutzen Daten über das Kundenverhalten, um das Engagement voranzutreiben. Bösartige Bots, die zusammen mit ihren Kunden mit den Anwendungen eines Unternehmens interagieren, werden eingesetzt, um diese Daten zu verzerren. Dies führt dazu, dass diese Entscheidungen fehlinformiert oder schlicht falsch sind, und analytische Einsichten und Möglichkeiten verpasst werden.
WIE DIE BOT-PLAGE DAS GESCHÄFT ERSCHWERT Wie der Bericht von Globaldots im Jahr 2019 zum Thema schlechte Bots ironischerweise hervorhebt, stapeln sich die negativen Auswirkungen für ein Unternehmen, dessen Websites, mobile Anwendungen oder APIs Ziel bösartiger Bots sind, aufeinander auf. Solche gezielten Unternehmen müssen nicht nur mit dem wettbewerbsorientierten Preisdruck, der sich aus schlechten Bot-Aktionen wie dem Datenscraping ergibt, fertig werden mehr dazu später -, sondern müssen auch die Betriebszeit und Redundanz der Infrastruktur aufrechterhalten, damit echte Kunden nicht durch den invasiven Datenverkehr belästigt werden. Darüber hinaus leiden sie auch unter verzerrten Entscheidungsmetriken, weil ihr Webverkehr durch schlechte Bots „verunreinigt” wurde, wie Globaldots es ausdrückt. Wie die jüngste Studie von Distil Networks zum Thema schlechte Bots zeigt, ist die Minderung des Eindringens schlechter Bots genauso umständlich
BÖSARTIGE BOT-ANGRIFFE KOSTEN JEDES JAHR MEHR
2018 waren 37,9% des Traffics nicht menschlich. Es gab einen Rückgang von schlechtem (-6,4%) und gutem (-14.4%) Bot-Verkehr.
In Bezug auf die verschiedenen Arten der Cyberkriminalität stellen schlechte Bots eine der niedrigsten Trefferraten dar, aber ihre Auswirkungen auf die Unternehmen nehmen insgesamt schnell zu.
SCHLECHTE BOTS: VERäNDERUNG IM TRAFFIC SEIT 2017 -6.4%
GUTE BOTS 17.5%
Sources: GlobalDots 2019 Bad Bot Report; Accenture Security Cost of Cybercrime Study.
BOTS UND MENSCHLICHER TRAFFIC
MALWARE (+11%) WEB-BASIERTE ANGRIFFE (+13%) DENIAL OF SERVICE (+10%) BÖSARTIGE INSIDER (+15%)
SCHLECHTE BOTS 20.4%
MENSCHLICH 62.1%
GUTE BOTS: VERäNDERUNG IM TRAFFIC SEIT 2017 -14.4%
PHISHING & SOCIAL ENGINEERING (+8%) MALICIOUS CODE (+9%) GERäTEDIEBSTAHL (+12%)
MENSCHLICH: VERäNDERUNG IM TRAFFIC SEIT 2017 +7.5%
RANSOMWARE (+21%)
LEGENDE : 2017
2018
BOTNETS (+12%)
US$ MILLIONEN 0.5
und ressourcenaufwändig wie die Bots selbst. Eine Methode wäre zum Beispiel, jeden einzelnen Website-Besucher - Mensch und/oder Bot - positiv zu identifizieren. Vertriebsleiter werden wissen, dass a priori Anfragen zur Identitätsvalidierung die Kundenbindung hemmen oder verhindern können, so dass diese Methode nur begrenzt attraktiv erscheint, auch wenn sie sich als wirksam erwiesen hat. Böswillige Angreifer nutzen Bots, um Kundenkontaktpunkte aktiv anzugreifen, um die Kundenerfahrung zu ruinieren und Betrug zu begehen. Insgesamt können diese Bots eine negative Markenwahrnehmung für Ihr Unternehmen erzeugen. Daher sollten Unternehmen aller Art und Größe bereit sein, sich gegen Bot-Angriffe in all ihren Formen zu wehren. Fluggesellschaften, Finanzdienstleistungen und Gesundheitswesen gehören zu den Sektoren, die von bösartigen Bots am meisten angegriffen werden, sagen Analysten. Zwischen 2016 und 2017 verursachten bösartige Bots auch geschätzte 6,5 Milliarden Dollar [5,83 Milliarden Euro] an Unternehmensverlusten durch Betrug mit digitaler Werbung, berichtet eine Studie der Association of National Advertisers (Bot Baseline: Fraud in Digital Advertising). Viele Führungskräfte sind sich der Bedrohungen, die durch Bots entstehen, bewusst, sind aber weniger mit der gesamten Bandbreite der Bottypen und Bots-Angriffsvektoren vertraut, also mit den Wegen und Mitteln, über die Angriffe durchgeführt werden können. Bei der Durchsicht der folgenden Checkliste ist zu beachten, dass es durchaus möglich ist, dass ein Unternehmen durch Bots über mehrere Vektoren hinweg gleichzeitig angegriffen wird.
1
1.5
2
2.5
3
CONTENT-SCRAPING Content Scraping ist die Verwendung von Bots, um proprietäre, aggregierte, urheberrechtlich oder markenrechtlich geschützte Online-Inhalte, wie Verzeichnisse oder Referenzleitfäden, zu übernehmen und sie dann für illegale Zwecke wiederzuverwenden. Es kann auch als Diebstahl geistigen Eigentums oder als Plagiat bezeichnet werden. Dieses Verfahren kann Websites schädigen, die Ressourcen in die Aggregation und Monetarisierung großer Datenbanken investieren zum Beispiel lokale Online-BusinessListings oder Online-Produktkataloge. Wenn der gescrapte
Böswillige Bots verändern Informationenen. Dies kann zu falschen Entscheidungen und verpassten Gelegenheiten führen.
PREIS-SCRAPING Preis-Scraping bedeutet “Scraping” (Kopieren) von Preisinformationen aus dem Webshop eines E-Händlers. Dies ist vor allem in Branchen der Fall, in denen die verschiedenen Produktlinien leicht zu vergleichen sind und die Kaufentscheidungen in der Regel aufgrund von Preisen getroffen werden.. Ausgestattet mit Preisdaten in Echtzeit, die von den Bots bereitgestellt werden, können sich böswillige Wettbewerber Vorteile verschaffen, indem sie auf jegliche Preisänderungen reagieren und ihre eigenen Produktpreise dynamisch anpassen, um mit ihren Konkurrenten mitzuhalten oder diese noch zu unterbieten.
Inhalt jedermann frei zugänglich gemacht wird, wird das Geschäftsmodell des ursprünglichen Datenbesitzers untergraben; und wenn der gescrapte Inhalt für Spam oder E-Mail-Betrug verwendet wird, wird dessen Ruf auf dem Markt beschädigt. DENIAL-OF-SERVICE-ANGRIFFE Laut Neustars Global DDoS Attacks Insights Report (2017) kann ein DDoSAngriff zu Spitzenzeiten ein gezielt ausgerichtetes Unternehmen mindestens 100.000 US-Dollar pro Stunde an verlorenen Einnahmen kosten. Die Kosten der unterminierten Kunden- und Werbetreibendenbeziehungen sind schwer
55
Artikel
cybersecurityeurope
zu quantifizieren, verursachen aber wahrscheinlich ebenso viel Schaden. Durch DDoS-Angriffe verbrauchen Botinfizierte Geräte Ressourcen. Auch Ransom DDoS-Angriffe - bei denen Unternehmen um Schutzgeld erpresst werden - nehmen zu, sagt Neustar. Forrester’s Bericht Stop Bad Bots Killing Custonmer Experience stellt fest, dass bot-infizierte Geräte IT-Sicherheitsressourcen mit DDoS-Angriffen belasten und ihre Fähigkeit, sich vor anderen Formen von Cyberangriffen zu schützen, schwächen können. Die Verbreitung von IoT-Geräten und Bot-Vermietungsdiensten hat DDoS zu einer attraktiven Angriffsmethode für Cyber-Angreifer gemacht. Sie starten DDoS-Angriffe, indem sie angeschlossene Geräte mit Bots infizieren. Sie weisen sie dann an, den routinemäßigen Kundenverkehr und die Anwendungen zu unterbrechen. Das Mirai-Botnet zielte auf den Domain-Namen-Dienstleister Dyn in einem DDoS-Angriff, der die Websites vieler Dyn-Kunden unzugänglich machte. Dyn verlor dadurch bis zu 8% seiner Kundenbasis, wie einige Berichte zeigen. VERWEIGERUNG DES LAGERBESTANDES Bei diesem Angriff halten Bots Produktartikel automatisch in Online-Einkaufswagen, ohne Absicht zu kaufen. Da so legitime Käufer daran gehindert werden, die scheinbar nicht vorrätigen Artikel zu kaufen, verliert der betreffende Einzelhändler Einnahmen aus dem Verkauf an tatsächliche Kunden - wobei Bots sich natürlich oft darauf konzentrieren, die beliebtesten Produkte des Einzelhändlers auswählen. Neben dem anhaltenden Umsatzverlust kann, wenn diese Angriffe oft genug vorkommen, das scheinbare stän-
56
dige Fehlen von Inventar langristig die Glaubwürdigkeit der Website untergraben und wiederholte Käufe unterbinden. KARTENTEST-BETRUG In dieser Form des Botangriffs testen Cyberkriminelle zuerst gestohlene Kreditkartendaten, indem sie kleine Online-Käufe auf kleineren, anfälligeren E-Commerce-Seiten tätigen. Sie müssen die Gültigkeit der Kreditkartendaten überprüfen, und diese Taktik ermöglicht es Betrügern, von Betrugserkennungslösungen weitgehend unbemerkt zu bleiben. Sobald sie die Gültigkeit der Kreditkarte bestätigt haben, kaufen sie bei größeren Online-Händlern höherwertige Waren ein. Der genannte Betrüger ist nun ein anerkannter Kunde, so dass die Möglichkeit besteht, dass die Bestellung dem legitimen Karteninhaber nicht als verdächtig gemeldet wird. Normalerweise verwenden Kriminelle Bots, um die Karteninformationen zu testen, und zielen dann auf Händlerseiten ab, die automatisierte Antworten mit Informationen zur Ablehnung bereitstellen. Mit diesen Informationen, so der Spezialist für Zahlungsschutz Verifi, können Betrüger die Kreditkartendaten anpassen, um ihre Erfolgsaussichten zu erhöhen. Wenn beispielsweise eine Händler-Website anzeigt, dass das Ablaufdatum einer Karte falsch ist, kann ein Betrüger das Dark Web und andere Taktiken nutzen, um das richtige Ablaufdatum zu bestimmen. Diese bot-gesteuerten Transaktionen verursachen den Einzelhändlern Verluste durch Rückbuchungen, Logistikkosten - und verloren gegangene Waren. CREDENTIAL STUFFING Credential Stuffing verwendet Bots, um wiederholte Kontozugriffsversuche durchzuführen, indem gestohlene Benutzernamen und Passworte schnell in die Anmeldefelder “gefüllt” werden. Wenn die Anmeldungen erfolgreich sind, übernehmen Angreifer die Konten und verwenden sie für schändliche Zwecke. Da so viele Kontoinhaber die gleichen Anmeldeinformationen für ihre Konten verwenden, können die Erfolgsrate und die Auszahlung für Angreifer hoch sein, während die Bots die ganze Routinearbeit erledigen. Viele Organisationen wissen nicht, sagt Martin McKeay, Senior Security Advocate bei Akamai, dass der Missbrauch von Anmeldeinformationen und Kontoüberprüfern „tatsächlich die Anzahl der legitimen Anmeldeversuche um einen Faktor von mehr als vier zu eins übersteigen kann”. SPAM-RELAY F5 Labs definiert „Spam-Relay” als bösartige Handlungen, die jede Art von unerwünschtem „Spam”-Verhalten beinhalten. Dazu gehören das Füllen von Posteingangsfächern mit unerwünschten E-Mails, die manchmal auch bösartige Links enthalten, das Schreiben und Posten von gefälschten Produktbewertungen, das Erstellen von gefälschten Social-Media-Accounts,
um falsche oder voreingenommene Inhalte zu veröffentlichen, das Erhöhen von Seitenaufrufen (z.B. auf einem YouTube-Video) oder der Anzahl von Followern (z.B. auf Twitter oder Instagram), das Schreiben von provokativen Kommentaren in Foren oder Social-Media-Sites, um Kontroversen zu schüren, Manipulation von Onlineabstimmungen usw. KLICKBETRUG Klickbetrug beinhaltet typischerweise eine Form von Werbebetrug – der Betrug besteht darin, dass ein bösartiger Bot, nicht ein Mensch, auf eine Anzeige klickt und daher nicht die Absicht hat, das beworbene Produkt oder die Dienstleistung zu kaufen. In Wirklichkeit besteht das Ziel darin, die Einnahmen für einen Website-Besitzer (oder einen anderen Betrüger) zu steigern, der entsprechend der Anzahl der angeklickten Anzeigen bezahlt wird. Solche Bots verzerren die Daten, die den Werbetreibenden gemeldet werden, warnen F5 Labs in ihrem Artikel Good Bots, Bad Bots, and What You Can Do About Both. Sie kosten Unternehmen auch Geld, weil sie am Ende für Klicks bezahlen, die nicht von Personen stammen und natürlich nicht zu Einnahmen aus den gefälschten „Käufern” führen. Klickbetrug kann auch von Unternehmen genutzt werden, um die Werbekosten ihrer Wettbewerber zu erhöhen. Klickbetrug ist für verschwendete Ausgaben verantwortlich, die 2016 auf mehr als 1,24 Milliarden Euro geschätzt wurden, und wird voraussichtlich wachsen, so die Einschätzung von Forrester’s Stop Bad Bots Killing Customer Experience. Forrester erklärt weiter, dass die Manipulation des Videoverkehrs den größten Klickbetrug darstellt: im Jahr 2016 entlarvte ein Sicherheitsunternehmen einen Bot, der sich Videowerbung „ansah”, um etwa 2,7 Mio. € - 4,5 Mio € pro Tag zu „verdienen”. INTELLIGENZGEWINNUNG Laut F5 Labs’ Artikel Good Bots, Bad Bots beinhaltet die Intelligenzgewinnung das Scannen von Webseiten, Internetforen, Social Media Seiten und anderen Inhalten, um legitime E-Mail-Adressen und andere Informationen zu finden, die Angreifer später für Spam-Mails, betrügerische Werbekampagnen oder im schlimmsten Fall für gezielte Phishing-Angriffe verwenden können. Viele Unternehmen weisen ihre Mitarbeiter daher an, keine personalisierten E-Mail-Adressen auf Webseiten oder Präsentationen, die online veröffentlicht werden, zu erwähnen, sofern dies vermeidbar ist. CHECKOUT-MISSBRAUCHS-BOTS Einige Bots können tatsächlich Produkte und Dienstleistungen kaufen, unterbrechen dabei jedoch die legitime Kundenbindung. Im Oktober 2017 kauften Checkout-Missbrauchs-Bots beim Eintrittskartentvertriebsunternehmen Ticketmaster rund 30.000 Tickets für das Musical Hamilton, indem sie eindeutig identifizierbare Kundenidentitäten gefälscht haben (haben wir
erwähnt, dass einige Bots gefälschte neue Konten erstellen können?). Ein anderes Feld sind so genannte „Sneaker-Bots” – spezialisierte Bots, mit denen man hochpreisige Modeturnschuhe (Sneakers) in limitierter Auflage aufkauften kann. Die hochkarätigen Schuhe werden dann auf Auktionsseiten zu überhöhten Preisen weiterverkauft. Das mag sich vielleicht nach wenig anhören, aber (wie Forrester betont) diese Praxis wird von einem sehr starken Wiederverkaufsmarkt angetrieben, der für das Jahr 2016 auf mehr als einer Milliarde Dollar geschätzt wurde – laut Financial Times (22.11.18). „Sneaker-Bots” sind für Preise von nur 8 € bis 9 € als einfache Browser-Erweiterungen und als eigenständige Softwareprogramme für Preise von 400 € bis 500 € erhältlich. GESCHENK- UND KREDITKARTENBETRUG Angreifer verwenden Bots, um gezielt in Geschenkgutschein-Konten einzudringen, und dort dann nach Zugangsdaten zu suchen. Als nächstes erstellen sie mit den Daten gefälschte Karten, um den Barwert des Gutscheins zu stehlen. Im Falle von Kreditkartenbetrug verwenden Angreifer gezielt Bots, um die gestohlenen Kreditkartendaten zunächst mit einer Reihe von kleinen Transaktionen im Bereich von wenigen Euros nahezu risikolos zu testen. Wenn dies gelingt, verwenden Hacker die gestohlenen Zugangsdaten, um größere Einkäufe zu tätigen oder um kompromittierte Konten mit Bargeld vollständig zu leeren.
QUELLENANGABE Text | Edmund Burr Fotografie | Shutterstock
57
ma fac ep
r in
ma
da t a v e r i f i c a t i o n
tc h
t h ema t i c
b i o me
tric
a //
-///// // ///
>
l D i g i t a l bi l d Live fo Erfassung
mat he m
r mu
a tis d o w n l o a d i n g
l
c
h eF a
or <///////////// //
///>
mel
Gesich tserken nung
< / -/ / >
INFO
WAS IST GESICHTSERKENNUNG? Gesichtserkennung ist eine biometrische Softwareanwendung, die Personen eindeutig identifizieren oder überprüfen kann, indem sie Muster vergleicht und analysiert, die auf Gesichtskonturen basieren. Die Technologie
58
hat Aufmerksamkeit erregt, da sie für Strafverfolgung sowie für die Sicherheit in Unternehmen geeignet ist. Die meisten Systeme
cybersecurityeurope
b i o me
tric
< ///////////// //
///> I d e n t i
f i c a t i o n a u
t ho r i s
Artikel
e d
D i g i t a l bi l d Live Erfassung Für d
Gesichtserkennungs als erste Verteidigung gegen Eindringlinge am Arbeitsplatz ist Informationssicherheit entscheidend.
ig i t a l i
m
a
g
e
l ive c a p t u r e fac e p
r int
da t a Verific at ion m a t ch
DER EINSATZ VON GESICHTSERKENNUNGSSYSTEMEN IM UNTERNEHMENSMASSSTAB HAT SICH IN EINIGEN Anwendungsfällen als umstritten erwiesen, insbesondere bei Anwendungen im Bereich der Strafverfolgung und Verbrechensaufklärung. Einige Leute, so scheint es, werden diese Technologie einfach nicht akzeptieren. Als im August 2019 eine Untersuchung der Financial Times ergab, dass die gesichtserkennende CCTV-Überwachung in einem 67 Hektar großen öffentlichen Gelände im Londoner Stadtteil
Gesichtserkennung den Ärger einiger zu wecken scheint, zeigen andere Sektoren eine Präferenz für diese Art der individuellen Identifizierung für eine Reihe von Sicherheitsbedürfnissen - insbesondere in den Bereichen Gebäude- und Arbeitsplatzsicherheit in hochwertigen Geschäftszweigen, wie beispielsweise in Einrichtungen, in denen rund um die Uhr Finanztransaktionen stattfinden. Solche Systeme sind spezielle Kombinationen aus hochleistungsfähiger Hard- und Software und unterscheiden sich von den
Innovation im Bereich der Gesichtserkennung wird von zwei Faktoren vorangetrieben: Deep Learning und die Flut von Daten, die in der Cloud günstig verarbeitet werden können. mat he m a ti s c
h eF
King’s Cross heimlich Gesichtserkennung verwendet, um Tausende von Fußgängern zu verfolgen, wurden Bedenken sowohl vom staatlichen ICO als auch von zivilgesellschaftlichen Organisationen geäußert. Aber während das Thema der Überwachung des öffentlichen Raumes mit
beliebten smartphone-basierten Gesichtserkennungs-Apps wie denen von Facebook und Google. Viele Anbieter von hochwertigen schlüsselfertigen Systemen schließen aufkommende Technologien wie Künstliche Intelligenz (KI) in den Gesichtserkennungsmix ein, mit
or mel < / -/ / >
funktionieren auf der Grundlage der verschiedenen Knotenpunkte im menschlichen Gesicht. Die Werte, die anhand der mit Gesichtspunkten einer
Person verknüpften Variablen gemessen werden, helfen bei Identifizierung oder Überprüfung und können von Anwendungen zur genauen und schnellen Identifizierung von bestimmten Personen verwendet werden.
59
Artikel
cybersecurityeurope
dem Ziel, ihre Systeme immer genauer zu gestalten. Ein Bericht von NIST besagt, dass in den letzten sechs Jahren massive Fortschritte bei der Genauigkeit erzielt wurden und die im Zeitraum von 2010 bis 2013 erzielten Verbesserungen übertreffen. Laut einem Bericht von Fortune aus dem Jahr 2019 ist die Innovation in der Gesichtserkennung auf zwei Faktoren zurückzuführen, die die KI in einem breiteren Sinne verändert haben. Der erste ist die aufstrebende Wissenschaft namens Deep Learning. Der zweite Faktor ist eine beispiellose „Flut” von Daten, die mit Hilfe von Cloud Computing kostengünstig gespeichert und analysiert werden kann. Obwohl dieser Trend eher einen Wert im Bereich des Scannens von großen Menschenmassen widespiegelt, hat er doch einige Anwendungen für Gesichtserkennungssysteme, die vor Ort für Sicherheit sorgen sollen. Diese Anwendungen können überprüfen und bestätigen, dass ein Gesicht, das durch den Haupteingang kommt, zu einem bekannter Mitarbeiter gehört; und sie können gleichzeitig das Gesicht mit einer Datenbank von Personen abgleichen, die ein Arbeitgeber aus dem Betrieb fernhalten möchte. Und obwohl die Wirksamkeit solcher Systeme bei der korrekten Identifizierung einzelner Gesichter immer noch nicht 100%ig ist und gelegentliche Fehler produziert, wird sie vom Markt offensichtlich für viele Anwendungsfälle doch als gut genug angesehen. Laut einem kürzlich veröffentlichten Bericht des Marktforschungsunternehmens
60
MarketsandMarkets, wird erwartet dass der globale Gesichtserkennungsmarkt nach Komponenten, Anwendungsbereich, Sektor und Region, von 2,85 Mrd. € (3,2 Mrd. $) im Jahr 2019 auf 6,24 Mrd. € (7,0 Mrd. $) bis 2024 wächst, bei einer jährlichen durchschnittlichen Wachstumsrate von 16,6% im Prognosezeitraum. Ein weiteres Forschungsnstitut, Reports and Data, schätzt, dass der Marktwert bis 2026 10,07 Mrd. € (11,30 Mrd. $) erreichen wird. Der Marktbeobachter sagt, dass Wachstum vor allem mit einer steigenden Nachfrage nach Überwachungssystemen zur Verbesserung der Sicherheit sowohl von öffentlichen als auch von privaten Gebäuden verbunden sein kann.
Ein „Denial of Service” Angriff auf ein Gesichtserkennungssystem kann Mitarbeiter daran hindern, ihren Arbeitsplatz zu erreichen. Letztere gelten als deutliche „Faktoren für das Branchenwachstum”. Das BFSI-Segment (“Banking, Financial Services, Insurance”) macht 2018 den größten Anteil von 29,2% des Marktes aus: Jede noch so kleine lokale Sicherheitswarnung auf Börsenparketts und anderen Zentren der Finanzabwicklung kann die Betriebsabläufe empfindlich stören und dadurch Millionenverluste verursachen. Das Wachstum wird auch mit dem technologischen Fortschritt bei der Implementierung der Smartphone-Technologie verbunden sein, die inzwischen immer häufiger app-basierte ID-Tools für den persönlichen Zugriff unterstützt. Es wird außerdem er-wartet, dass die Gesichtserkennung mit anderen Formen der biometrischen Identifikation, wie zum Beispiel der Spracherkennung, zusammenfließt: Die Mitarbeiter der 2020er Jahre werden sich wahrscheinlich daran gewöhnen müssen, dass ihre Gesichter und Stimmen von automatischen Systemen überprüft werden, bevor sie ihren Arbeitsplatz betreten können. Der Technologieanbieter Gemalto bezeichnet die Gesichtserkennung in diesem Zusammenhang als “die natürlichste aller biometrischen Messungen”. Obwohl die Aussichten für den Gesichtserkennungsmarkt gut aussehen, wird die Technologie eine weitere Akzeptanzhürde überwinden müssen: ihre Cybersicherheit. Gesichtserkennung ist schließlich die Analyse von Daten, und alle Daten, die die Grundlage der Sicherheit bilden, sind für Cyber-Bedrohungen attraktiv. Zunächst erschien die Möglichkeit, die Identität einer
LEITFADEN
ICO POLICY POSITION
Die britische Informationskommissarin Denham zur Position des ICO in 2019 zur Gesichtserkennung.
Im Juli 2019 veröffentlichte die britische Informationskommissarin Elizabeth Denham die Positionierung des ICO zum Thema Gesichtserkennung. Denham bestätigte, dass die Live-Gesichtserkennung (LFR) für das ICO jetzt ein vorrangiges Anliegen ist. LFR “stellt eine deutliche Veränderung gegenüber dem alten CCTV dar”, sagte Denham, “ich glaube, dass wenn man die Invasivität von LFR betrachtet, es nachweisbare Beweise dafür geben muss, dass die Technologie verhältnismäßig und wirksam ist.”
Person über physiologische biometrische Sensoren zu verifizieren, als eine vielversprechende Alternative zur Zwei-Faktor-Authentifizierung, so der Bericht: Zusätzliche Formen von Authentifizierung erschweren es Angreifern, die versuchen, mit Hilfe von Identitätsdiebstahl auf Ressourcen zuzugreifen. „Aber in den letzten Jahren hat sogar die biometrische Authentifizierung zu bröckeln begonnen”, warnt der neueste Cybersicherheits-Prognosebericht der Firma Forcepoint. „Die Realität ist, dass die Gesichtserkennung schwerwiegende Schwachstellen aufweist - und deshalb glauben wir, dass Hacker im Jahr 2019 massiv Bilder von Gesichtern der Öffentlichkeit stehlen werden”. Das ist in der Tat schon geschehen. Das Sicherheitsanalyseunternehmen Gemini Advisory hat in einem Bericht in Fortune.com mitgeteilt, dass beobachtet wurde, wie Gesichtsprofile aus Indiens nationaler Biometrie-Datenbank gestohlen und auf Websites im sogenannten “Darknet” verkauft wurden. Gemini Advisory hat bisher noch keine Datenbanken mit amerikanischen Gesichtern zum Verkauf angeboten gesehen, fügte aber hinzu: „Es ist nur eine Frage der Zeit”. Sollte so etwas passieren, könnte beispielsweise eine gestohlene Sammlung von Kundengesichtern eines Hotels oder Einzelhändlers Cyberkriminellen helfen, verschiedene Identitätsdiebstähle oder Formen von Betrug durchzuführen. Weitere Fragen der Cybersicherheit lassen sich in drei allgemeine Bereiche einteilen. Erstens besteht die Sorge, dass ein Gesichtserkennungssystem aus der Ferne gehackt werden könnte und gefälschte ID-Profile in die Datenbank der “genehmigten Gesichter” aufgenommen werden könnten. Wenn dies erfolgreich ist, kann ein böswilliger Eindringling Zugang zu Gebäuden erhalte, da er vom Gesichtserkennungssystem als genehmigt erkannt wird und Einlass erhält. Einmal im Gebäude angekommen, wäre solch ein Eindringling dann gut positioniert, um Insider-Cyber-Angriffe auf interne Systeme mit eigener Technologie oder über kompromittierte In-Situ-Endpunktgeräte, die bereits mit dem Netzwerk verbunden sind, durchzuführen. Ein weiteres Problem der Cybersicherheit wäre die Möglichkeit eines Denialof-Service-Angriffs auf ein cloudbasiertes Gesichtserkennungssystem. Ein solcher Angriff kann eine Organisation daran hindern, jemanden in ihre Räumlichkeiten einzulassen - Mitarbeiter kämen nicht an ihre Arbeitsplätze und wertvolle Arbeitszeit wird vergeudet.
QUELLENANGABE Text | Jim Meyers Fotografie | Shutterstock
Jede Organisation, die Software einsetzt, die imstande ist ein Gesicht in einer Menge zu erkennen und dann große Datenbanken mit Personen scannt, verarbeitet “persönliche Daten”. Studien (z.B. von der South Wales Police und der Metropolitan Police) stellen die “weit verbreitete Verarbeitung biometrischer Daten von Tausenden von Menschen im Alltag dar”, fügte Denham hinzu. “Und das ist eine potenzielle Bedrohung für die Privatsphäre, die uns alle betreffen sollte.” Gesichtserkennungssysteme müssen noch an der „Vermeidung von inhärenten technologischen Vorurteilen arbeiten eine Vorurteile, die zu falschen Übereinstimmungen bestimmter ethnischer Gruppen führen können”. Obwohl sich das Datenschutzrecht für Handelsunternehmen, die Live-Gesichtserkennung einsetzen, unterscheidet, ist die Technologie dieselbe und der eventuell auftretende Eingriff könnte sich dennoch nachteilig auswirken. Im Jahr 2019 erweiterte das ICO seinen Schwerpunkt und betrachtete die Verwendung von LFR im öffentlichen Raum durch private Organisatione, und in Bereichen, in denen sie mit Polizeikräften zusammenarbeiten. Die Regulierungsbehörde wird „in Erwägung ziehen, regulatorische Maßnahmen zu ergreifen, wenn festgestellt wird, dass das Gesetz nicht eingehalten wird”.
61
WALLIX: DER WEG ZUM FÜHRENDEN EUROPÄISCHEN CYBERSECURITY-UNTERNEHMEN – PERFEKTIONIERT DURCH DIE ÜBERNAHMEN VON TRUSTELEM UND SIMARKS SCHAFFEN SIE FÜR IHR UNTERNEHMEN DIE MÖGLICHKEIT, IN EINER VERTRAUENSWÜRDIGEN UMGEBUNG ZU WACHSEN, INDEM SIE IDENTITÄTEN, ZUGRIFF UND DATEN SCHÜTZEN. WALLIX, der europäische Experte für privilegierte Kontenverwaltung (PAM, Privileged Access Management), hat vor kurzem zwei große Akquisitionen getätigt und Trustelem sowie Simarks erworben. Damit hat WALLIX die WALLIX Bastion Privileged Access Management Lösung um neue Funktionen erweitert. So wird Trustelem zu WALLIX Identity, einer Identity-as-a-Service (IdaaS)-Lösung, die
Single
Sign-On
(SSO),
Multifaktor-Authentifizierung
(MFA)
und
Benutzerzugriffskontrolle für alle Fernzugriffe (Verlagerung von Standorten, Subunternehmen, Auditoren, etc.) bietet. Mit der Akquisition von Simarks kann WALLIX ein weiteres Marktsegment abdecken: den Markt für Endpunkt-Privilegien-Management. Mit der neuen Privilege Delegation Elevation Management (PEDM) Funktion in WALLIX Bastion werden
Sicherheitsregeln
implementiert,
die
den
Umfang
der
Administratoraktivitäten einschränken und alle Server und Workstations schützen. Dies funktioniert über einen Ansatz der geringsten Privilegien, die der Nutzer zur Erfüllung seiner Aufgaben benötigt. So können den privilegierten Benutzern und Programmen die richtige Berechtigungsstufe zugewiesen werden, um bestimmte Aufgaben auszuführen. Mit diesen beiden Akquisitionen geht WALLIX weit über die funktionale Erweiterung von WALLIX Bastion hinaus. WALLIX verfügt nun – durch die Schaffung und Konsolidierung von Lösungen rund um Identitätsschutz, Zugangssicherheit und Datenschutz – über eine neue, deutlich stärkere Position
identity
auf dem Markt für Cybersicherheit. Außerdem hat WALLIX mit WALL4iOT sein Angebot an Cybersicherheit im industriellen IoT Umfeld erweitert. Dabei handelt es sich um eine gemeinsam mit unserem Partner Alleantia entwickelte Lösung. WALL4iOT ist ein sicheres Industrie-
access
Gateway, das Produktionsdaten von Industrieanlagen an Anwendungen sendet, die in der Cloud gehostet werden- zur besseren Überwachung, Wartungsplanung und Produktionsanalyse von Industrieanlagen.
data
WWW.WALLIX.COM
cybersecurityeurope
advertorial
DAS DILEMMA MIT DEN CYBER-VERSICHERUNGEN Eine effektive Cyberversicherung deckt sowohl technologisches als auch menschliches Versagen ab, sagt Sascha-Michel Kessel von der SCHUNCK GROUP. DIE ORGANISIERTE KRIMINALITÄT VERLAGERT IHR GESCHÄFT IMMER WEITER in den digitalen Raum. Milliardenumsätze durch Cyber-Kriminalität sind mittlerweile keine Utopie mehr, sondern Realität. Das FBI spricht erstmals davon, dass die Umsätze im Cyber-Raum höher sind, als im internationalen Drogenhandel. In Unternehmen wird auf unterschiedlichste Weise versucht, die Informationssicherheit auf einem hohen Niveau zu halten und sich gegen Cyber-Attacken zu wappnen. Dennoch werden immer mehr Unternehmen Opfer von CyberAttacken, Datenverlusten oder auch innerbetrieblichen Versagens. Daraus resultiert mindestens eine wesentliche Beeinträchtigung des Geschäftsbetriebs – meist gehen damit zusätzlich ein erheblicher Kostenaufwand und oftmals auch rechtliche Auseinandersetzungen mit Kunden, Auftraggebern oder Behörden einher. Nicht selten leidet auch die über Jahre aufgebaute Unternehmens-Reputation unter einem solchen Vorfall. Ein Cyber-Schaden ist ein “Fass ohne Boden”. Die Kosten eines Cyber-Schadens variieren sehr stark und sind im Rahmen eines eigenen Risk-Managements nur schwer zu ermitteln. Um für den „worst case“ vorbereitet zu sein haben viele Unternehmen in den letzten Jahren Cyberversicherungen abgeschlossen – und somit erste Schritte zu umfassender Risikoabsicherung getan. Aber wie so oft, liegt auch bei der Cyberversicherung der Teufel im Detail – in diesem Fall im Versicherungskonzept. Bei einem Hacker-Angriff sind
UNTERNEHMENSINFO
viele der entstehenden Kosten im Rahmen einer gängigen Cyberversicherung abgesichert. Die häufig unterschätzte Herausforderung bei Hacker-Angriffen stellen weniger die Technikkosten dar, sondern vielmehr das menschliche Versagen im Regelbetrieb. Mehr als 60% der bekannten Cyber-Schäden werden durch eigene Mitarbeiter verursacht oder vergrößert. Die Gründe hierfür sind Fahrlässigkeit, Unterlassung oder oftmals auch Vorsatz. Bei Vorsatz oder wenn innerbetriebliche Prozesse versagen, sehen viele Cyberversicherungen erhebliche Einschränkungen in der Deckung vor. Sei es im Hinblick auf die Versicherungsfalldefinition, Ausschlüsse sowie Obliegenheiten an die IT-Infrastruktur oder an das Personal. Hier drohen teure Deckungslücken. Seit 2014 entwickelt die SCHUNCK GROUP individuelle Versicherungskonzepte für Cyber-Risiken. Anders als im Markt üblich werden unsere Versicherungslösungen gemeinsam mit Spezialisten aus der Informationssicherheit entwickelt und berücksichtigen mehr als andere Konzepte den „Faktor Mensch“. Unser kompatibles Deckungskonzept kollidiert im Schadenfall nicht mit den internen IT-Prozessen und gewährleistet eine reibungslose Schadenregulierung. Mit dem CyberRisk Elite Versicherungskonzept bietet die SCHUNCK GROUP eine marktführende, an den individuellen Bedürfnissen von Unternehmen ausgerichtete Absicherung für den Schadenfall und danach. Sascha-Michel Kessel (Bild unten) ist Leiter des Competence Center Cyber der SCHUNCK GROUP.
SCHUNCK – MEHR ALS NUR VERSICHERT
Die SCHUNCK GROUP ist ein internationaler Versicherungsmakler und bietet seinen Kunden Lösungen zu den Themen Risiko- und Versicherungsmanagement, Altersversorgung sowie Schadenmanagement. 100 % Kundenfokus und voller Einsatz für die beste Versicherungslösung sowie Topservice – das ist SCHUNCK.
Dabei verbinden wir Fach-, Branchensowie IT-Kompetenz mit dem Ziel, das komplexe Versicherungsgeschäft für Sie verständlich und die Welt unserer Kunden einfacher zu machen.
KONTAKTDATEN Weitere Informationen finden Sie unter: | schunck.de | cyber@schunck.de
63
Artikel
cybersecurityeurope
Die C-Suite hat Schwierigkeiten, das CyberSicherheitsniveau in Zeiten der digitalen Transformation aufrechtzuerhalten.
DIE EUROPÄISCHE AUSGABE DES IDC DATA THREAT REPORT (GESPONSERT VON THALES) SPIEGELT DIE UMFASSENDEN VERÄNDERUNGEN IN DER ANWENDUNG ZUR Datensicherheit in ausgewählten Ländern wider. Sie bietet wichtige Einblicke in die Art der Bereitstellung und Einsatzbereitschaft der Cybersicherheit in der gesamten Region und ist eine der wenigen Quellen gesamteuropäischer Intelligenz, die Informationen sowohl für technologieorientierte Führungskräfte als auch für Nicht-Techies enthält. Der Bericht basiert auf einer Umfrage des IDC unter 1.200 hochrangigen Führungskräften, die für die Entscheidungsfindung im Bereich der Datensicherheit verantwortlich sind bzw. Einfluss darauf nehmen. Der europäische Bericht konzentriert sich auf die Ergebnisse von 400 europäischen Befragten (je 100 aus dem Vereinigten Königreich, Deutschland, Schweden und den Niederlanden) und liefert Vergleiche und Kontraste zwischen regionalen Märkten. Sie repräsentieren eine Reihe von vertikalen Sektoren, sowohl öffentliche als auch private. Außerdem repräsentieren die Befragten ein breites Spektrum an Unternehmensgrößen, wobei die Mehrheit der Unternehmen zwischen 500 und 10.000 Mitarbeitern liegt. Die digitale Transformation (manchmal kurz DX genannt) hat grundlegende Auswirkungen auf die europäische Wirtschaft. Die digitale Transformation ermöglicht es, die Kundenzufriedenheit zu INFO
WEITERE INFORMATIONEN Die 2019er Ausgabe des IDC/Thales Data Threat Report - European Edition lässt sich hier auf deutsch und englisch kostenlos herunterladen: | thalesesecurity.co.uk/2019/data-threat-report-euro
64
Date nsi che rheit in Euro
t
Artikel
cybersecurityeurope
DIGITALE TRANSFORMATION
VERLETZUNGSRATEN (JEDERZEIT)
36% der Euro-Befragten (verglichen mit 39% weltweit) gehören zu den beiden am weitesten entwickelten Kategorien der digitalen Transformation.
Die Häufigkeit von Befragten in Europa, zu irgendeinem Zeitpunkt Verletzungen erlitten hatten (61%) lag auf dem Niveau der globalen Stichprobe
17%
15%
14%
14%
13%
12%
23%
24%
23%
22%
23%
20%
77%
61%
60%
60%
54%
54%
BRD
GLOBAL
NL
EU
UK
SCHWEDEN
SCHWEDEN
EU
GLOBAL
NL
UK
BRD
Offensiver Einsatz von Digitalen Disruptiven Technologien in der Business-Strategie DigitalE KapazitÄten sind in das Unternehmen und die Produktstrategien Eingebunden
verbessern, und höhere Effizienz und Produktivitätssteigerungen zu erzielen. Sechsunddreißig Prozent der Befragten geben an, dass sie die Märkte, in denen sie involviert sind, „aggressiv durcheinanderbringen” und digitale Fähigkeiten einbetten wollen, die ihnen dann größere organisatorische Flexibilität ermöglichen.
Neue SicherheitsHerausforderungen Die digitale Transformation ist wahrscheinlich auch deshalb komplex und riskant, da sie Fachleuten im Bereich der Informationssicherheit regelmäßig neue Schwierigkeiten bereitet. Sicherheitsexperten müssen sich hier nicht nur mit einem sehr dynamischen Bedrohungsumfeld auseinandersetzen, in dem 61% der europäischen Befragten angeben, dass sie irgendwann im Leben ihres Unternehmens Schäden im Unternehmen erlitten haben, sondern sie müssen auch in einem immer restriktiveren regulatorischen Umfeld tätig sein. Diese sich stetig verschärfenden Probleme sollten Unternehmen gemeinsam dazu anregen, die besten Praktiken für Daten umzusetzen, die ihnen die Grundlage für qualitativ hochwertige und sichere Veränderungsanstrengungen bieten. Die meisten europäischen Unternehmen haben die erste Hürde in Bezug auf die Einhaltung der DSGVO (DatenschutzGrundverordnung) überwunden und ihr Sicherheitsportfolio durch zusätzliche Budgetzuweisungen aufgestockt, die durch die „Angst” vor der DSGVO, durch die Unsicherheit über den Brexit und durch die Notwendigkeit neue, kürzlich erworbene und gebaute Technologien und
66
Quelle: 2019 IDC/Thales Data Threat Report Survey.
Prozesse zu “verinnerlichen”, verursacht wurden. Einundvierzig Prozent der europäischen Unternehmen in der Stichprobe sagen, dass ihre Ausgaben im kommenden Jahr steigen werden, gegenüber 72% im vergangenen Jahr, auch wenn die Bedrohungsvektoren zunehmen, wobei Cyberkriminelle, Cyber-Terroristen und Hackaktivisten die Liste der Sicherheitsbedenken für alle europäischen Unternehmen anführen. Die europäischen Datenumgebungen werden immer komplexer, und diese Komplexität erweist sich als Hindernis für die Datensicherheit. Wie in anderen Regionen verschieben europäische Unternehmen ihre Workloads in verschiedene Cloud-Umgebungen, auch wenn sie daran arbeiten, traditionelle Infrastrukturen vor Ort zu pflegen. Europäische Unternehmen setzen CloudOptionen für sensible Daten und kritische Anwendungen ein (siehe Cyber Security Europe, Ausgabe Frühjahr 2019), was bedeutet, dass sie die CloudSicherheit in den Griff bekommen müssen, ohne dabei ihre IT-Strategien unnötig zu verkomplizieren. Unternehmen müssen einen mehrstufigen Sicherheitsansatz verfolgen, und die Studie des Berichts zum Thema Datenbedrohung zeigt, dass europäische Führungskräfte auf dieses Ziel hinarbeiten. Die europäischen Befragten konzentrieren sich etwa zu gleichen Teilen auf Netzwerk-, Anwendungs- und Datensicherheit, wobei 35% ihres Schwerpunktes auf Netzwerk-, 34% auf Daten- und 31% auf Anwendungssicherheit liegen; diese Zahlen entsprechen weitgehend dem globalen Gesamtbild. Die Befragten haben lange „To-Do”-
Von den befragten europäischen Ländern verfügte das Vereinigte Königreich über das höchste Maß an “angemessener Sicherheit”. Listen mit Plänen zur Einführung einer Vielzahl von Technologien in den kommenden 12 Monaten, aber sie haben Schwierigkeiten, ihre Pläne umzusetzen, wobei sie die Komplexität als ihr größtes Hindernis für die Umsetzung der Datensicherheit ansehen, gefolgt von einem fehlenden Budget und fehlendem Personal für die Technologieverwaltung. Die Risiken der digitalen Transformation bleiben jedoch eine übergreifende Herausforderung. Dies liegt daran, dass durch die digitale Transformation die Gefahr einer Trennung besteht: die Trennung zwischen fortgeschritteneren Unternehmen, die hybride Cloud-basierte moderne Infrastrukturen betreiben, und Unternehmen, die weiterhin von traditionelleren und bestehenden,
ANFÄLLIGKEIT FÜR DATENSICHERHEITSBEDROHUNGEN
ANTEIL DES SICHERHEITSFOKUSES
27% der Befragten in Europa sind der Meinung, dass sie im Bereich Datensicherheit “anfällig” oder “sehr anfällig” sind - weniger als der globale Gesamtwert (34%).
Mehr Anwendungs- und Datensicherheit bedeutet, dass Unternehmen einen ganzheitlichen Ansatz verfolgen und alle Aspekte der IT-Infrastruktur schützen müssen.
42%
34%
27%
26%
24%
17%
SCHWEDEN
GLOBAL
EU
NL
UK
BRD
Quelle: 2019 IDC/Thales Data Threat Report Survey.
33%
31%
30%
31%
30%
30%
34%
34%
35%
34%
34%
33%
33%
35%
35%
35%
35%
38%
SCHWEDEN
UK
NL
EU
GLOBAL
BRD
Anwendungssicherheit datensicherheit Quelle: 2019 IDC/THALES Data Threat Report Survey.
netzwerksicherheit
Unternehmen benötigen daher immer neue, intelligentere und bessere Wege, um die Datensicherheit anzugehen und modernere, auf Hybride und Multi-cloudysteme ausgerichtete technologische Lösungen zu implementieren.
Nationale Prioritäten
perimeterzentrierten Infrastrukturen abhängig sind. Auch wenn es den Anschein hat, dass sich Organisationen im weiteren Verlauf des Transformationsprozesses an einem besseren Ort befinden als die anderen, haben sie dennoch ihre eigenen Herausforderungen zu bewältigen. Sie müssen Sicherheitsarchitekturen auf bestehende Infra-strukturen anwenden und gleichzeitig hybride Cloud-basierte, digital-transformierte Technologien einführen. Ironischerweise kann dies dazu führen, dass IT-Sicherheitsexperten das falsche Ziel anstreben. Diese Sicherheitsexperten glauben, dass sie beim Einführen neuer Technologien immer auf Nummer sicher gehen, werden im Endeffekt aber möglicherweise vor größeren Herausforderungen stehen, wenn es darum geht, eine größere Vielfalt der IT-Infrastruktur zu sichern. Um es anders auszudrücken: je größer die Datenverteilung über eine immer größer werdende Anzahl von Umgebungen ist, desto geringer wird der organisatorische Fokus, um Daten in jeder einzelnen Umgebung zu schützen.
Das Vereinigte Königreich verfügt laut der Studie über das höchste Maß an „angemessener Sicherheit”, während die Niederlande am wenigsten davon hatten. Auf die Frage nach den wichtigsten Faktoren, die sich auf die Entscheidungen über die Ausgaben für IT-Sicherheit auswirken, antworteten 31% der Befragten, dass sie daran arbeiten, „finanzielle Sanktionen aufgrund eines Datenverstoßes zu vermeiden”. Der gleiche Prozentsatz an Befragten bestätigt außerdem, dass sie vor allem durch einen vergangenen Vorfall „motiviert” wurden. Der am häufigsten genannte Auslöser für Sicherheitsausgaben ist allerding die „Implementierung von Best Practices”, ein Faktor, der von 41% der Befragten angegeben wurde. Da viele Unternehmen inzwischen DSGVO-Konformität erreicht haben, haben diese das Gefühl, dass sie mit Bezug auf Datensicherheit ein „ausreichend gutes” Niveau aufweisen, und haben daher ihre Bestrebungen, ein im Bericht vorgeschlagenes „Best Practice”-Sicherheitsniveau zu erreichen, zurückgesetzt.
QUELLENANGABE Text | IDC/Thales Data Threat Report / James Hayes Fotografie | Shutterstock
67
advertorial
cybersecurityeurope
A B2B ‘Cyber-Threat-Platform’ would allow real-time exchange of information between companies and IT security providers, explains DWF’s Klaus Brisch. EACH YEAR, CYBER ATTACKS ARE THE CAUSE OF CONSIDERABLE ECONOMIC DAMAGE: ACCORDING TO A STUDY, WORLDWIDE LOSSES of approximately $600bn were incurred in 2017 alone. In Germany, for instance, damages are estimated at €43.4bn. Furthermore, experts expect the risk of becoming a victim of cyber crime will continue to grow. Increasing digitalisation, for example, leads to more possibilities for cyber attacks. Meanwhile, attackers further enhance their technical efficiency. Most large enterprises have recognised the importance of cyber security. Small- and medium-sized enterprises (SMEs), however, act quite differently. Their assumption is: we won’t be affected – there are other, more interesting targets for hackers to go after. Those in positions of responsibility are unaware that hackers are sometimes not interested in a company itself, but rather in accessing data or computing capacity. This can affect SMEs at any time – and cause longterm damage to their business. It is likely, therefore, that some frightened customers will no longer want to transfer their sensitive data to an affected company. Even though it has become quite normal to regularly install updates to IT systems, and to regularly change passwords, it is clear that this alone does not provide adequate protection against cyber attacks. It is equally important to be immediately informed about security gaps that have been discovered in software programs used – in order to be able to react accordingly.
This, however, is exactly what has not yet been organised in Germany on a national level. There is the country’s Federal Office for Information Security (BSI): an authority whose tasks include, for instance, the provision of information on current IT threats. A specific law (BSIG) even regulates specific communication and information paths for securityrelevant topics and events in IT. Under current legislation, however, only operators of socalled critical infrastructures report their IT failures to the BSI without delay. The BSI also informs and warns only selected economic players about current IT threats. This means that there is no nationwide warning system.
A ‘Cyber-Threat-Platform’ would clearly have legal implications for cyber security companies involved. The so-called IT Security Act 2.0 is now being prepared. Among other things, the current draft provides an extension of the obligation to report IT attacks. This means that the legally standardised exchange of information would then also include the defence, automotive and chemical industries, the media and some other addressees. This can certainly be seen as a step in the right direction. The current draft, however, does not address all the weaknesses
DWF We are a global legal business, transforming legal services
go beyond expectations. Article
through our people for our clients. Led by Managing Partner and
author
CEO Andrew Leaitherland, we have over 27 key locations and
below) is Partner and Global Head
more than 3,100 people delivering services and solutions that
of Technology at DWF.
Klaus
Brisch
DETAILS For more information contact: | dwf.law | klaus.brisch@dwf.law
68
(pictured
that exist, in particular from the point of view of the business community. In the future, the BSI’s information flow – for example, on existing security threats – would remain restricted to certain segments of the economy. This would not be a comprehensive solution. In addition, not all economic players would be obliged to report cyber attacks Further, the BSI lacks networking or regulated co-operation with authorities and offices in other countries. Finally, there is no concept that would bring together providers and users of security services directly.
designed to meet cross-sector requirements It would, therefore, be even more important to create an electronic B2B platform solution that brings together all parties: as many businesses as possible, security authorities and cyber security companies. This could be achieved by an electronic platform that would also allow information to be exchanged between all parties – in real time. Such a ‘Cyber-Threat-Platform’ would then receive alerts on potential threats directly from cyber security companies. The users of the platform, and thus the receivers of such alerts, would then be companies of the private sector as well. Unlike as was the situation in the past, industry and company size would be irrelevant. Of course, government agencies should also be connected to such a platform. They as well could contribute insights or relevant information on security issues. In this context, however, it would be important for these institutions not to have full access to company data, as the impression of government monitoring could arise, which would in turn deter the participation of some companies. It is also important to note that companies reporting an attack on their IT to the platform should be allowed to remain anonymous in order to avoid reputational damage. Nevertheless, it needs to be transparent for all users which companies are connected to the platform. A ‘Cyber-Threat-Platform’ of this type would obviously have a number of legal implications – for example, for cyber security companies involved. They usually compete with each other. Some kind of co-operation agreement would therefore be required, regulating the respective rights and
obligations of the co-operation. It would also be necessary to establish clear conditions for the companies’ participation. These would need to include minimum requirements for technical IT standards in the companies as well as specific codes of conduct for the platform in order not to endanger the users’ reputation and integrity. Corresponding platform solutions are by no means new. Comparable approaches already exist – both on a national and international level. So far, however, they have been limited to clearly defined groups of participants. There are two basic types of platforms. On the one hand, there is the group of Information Sharing and Analysis Centers (ISACs) which are more technically-oriented. These include, for example, the Malware Information Sharing Platform (MISP), which is co-financed by the EU Commission. Here, participants exchange information on malware, imminent IT attacks and possible defensive actions. There are other ISACs, also cross-border, and specifically created for certain vertical sectors, such as the financial industry or energy suppliers. On the other hand, the second type of platforms focus on networking. They intend, for instance, to bring cyber security companies together with companies that want to protect their IT infrastructure. In Germany, for example, there is the Alliance for Cyber Security (ACS) with more than 3,600 participants and the Initiative Wirtschaftsschutz (‘Initiative for Economic Protection’), for whom cyber security is only one of several aspects. Comparable networking platforms also exist in some federal states. All these experiences would certainly be useful when developing the ‘Cyber-Threat-Platform’ as outlined above, so that a technical implementation would be feasible relatively quickly. Such a solution would help to strengthen the industry’s competence with regard to cyber security, to identify threats more quickly and to address them comprehensively. As a result, the economic damage could be limited effectively in a preventive manner. Klaus Brisch is Partner and Global Head of Technology at DWF, with expertise in data protection and privacy law, IT-compliance, cyber security, additive manufacturing and cross-industry innovation.
69
interview
cybersecurityeurope
ARNE SCHÖNBOHM Germany’s national cyber security authority is leading the initiative to make certification key to the country’s defensive strategy. ARNE SCHÖNBOHM IS PRESIDENT OF GERMANY’S NATIONAL CYBER SECURITY authority, the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik (known as the BSI for short). The agency upholds and promotes IT security throughout the federal republic. Formed in 1991, the BSI is primarily the central IT security service provider for the country’s central government. However, it also offers its services to a range of technology manufacturers, the internet industry, along with private sector and commercial users. The BSI investigates cyber security risks associated with IT operations, and develops preventive security measures. This aspect of its work includes IT security testing and assessment, in co-operation with industry. It also analyses development and trends in IT. In addition, the organisation issues warnings about emergent cyber security threats, such as ransomware. It acts also as a go-between, when security industry researchers discover stolen data in the Dark Net and want to alert the data’s legitimate owners to their loss. This year (2019) has also seen the BSI President drawn into in the public debate over whether telecoms equipment from Chinese vendor Huawei should be permitted to form part of Germany’s national 5G network as it builds-out. BSI experts have found no cause for concern in using Huawei kit. BIOGRAPHY
Arne Schönbohm leads a BSI team of more than 600 employees, based across the agency’s various Bonn headquarters, where its specialist departments also issue a range of technical guidelines, standards and certifications. Along with Polizeilichen Kriminalprävention der Länder und des Bundes (ProPK), the BSI is also a coauthor of the new Digital Barometer, a ‘citizen survey’ of cyber crime in Germany, that was published in September.
The secure handling of information has become one of the key factors for the success of a company. CSE: From your previous experience as a senior business executive, what has proved most valuable in your current role as President of the BSI? ARNE SCHÖNBOHM: The BSI president of the needs to be an advocate in the matter of cyber security. The BSI has established an intensive dialogue with all relevant stakeholders, in particular with the public and private sectors. The German Alliance for Cybersecurity, initiated by the BSI, is a good example for a joint platform that includes valuable recommendations and ‘best practices‚ to protect enterprise networks against cyber attack incidents, for both
ARNE SCHÖNBOHM Arne Schönbohm has been BSI president since 2016. Formerly, he was CEO of BSS BuCET Shared Services AG, which advised the private and public sector on digitalisation, cyber security and data protection.
70
DETAILS For more information about BSI visit: | bsi.bund.de
interview
cybersecurityeurope
technical and non-technical audiences. The German Alliance for Cybersecurity also promotes and organises meetings, workshops and congresses, to foster information exchange. CSE: In many European organisations today, the responsibility for cyber governance is now moving from a solely IT remit to a one that is shared with senior executives in non-technological roles. What effect will this transition have on enterprise cyber governance as we enter the 2020s? AS: This change is a necessary and natural development, I would say. The secure handling of information has become one of the key factors for the success of a company. Subsequently, the corresponding infrastructure – the information technology – has [what could be called] existential meaning for every organisation. CSE: And what do you see is the result of this change in operational terms? AS: This development has certainly changed the perception of governance and of security professionals in many organisations: CEOs used to think that IT experts would prevent – or at least, decelerate – organisational decisions – it was more comfortable to ignore them. Now, they often sit next to the board to influence strategic thinking [around cyber governance].
CSE: How does the BSI now work with the non-technical executive management in German organisations to help improve their understanding of the cyber security threats they face, and to improve their knowledge of enterprise cyber security in practice? AS: Many executives have already realised that information security is a prerequisite for a successful [transformational] digitisation process. Hence, they are more open for arguments and measurements with regard to cyber security than they were three or four years ago. The BSI takes part in various events, working groups or publications – technical as well as non-technical – to improve the awareness
72
in German organisations. We also attend events focused on CEOs and board-level executives, hoping to achieve a drop-down of cyber security understandings to every part of the company. But we‘re not only there to advocate a cause. It is more like a dialogue. CSE: Can you mention a couple of examples of outputs from those deliberations? AS: We were able to take part in a workshop of multiple organisations to develop the National Association of Corporate Directors (NACD) Handbook on Cyber-Risk Oversight – a publication for top managers which sets out principles for more security. Another example is the co-operation of BSI and several associations of major industry sectors. Job profiles in crafting have become more and more affected by digitisation by the time. In this context, we published the ‘Routenplaner’, which helps SMBs with less security-knowledge to find their way towards a secure IT-based business. CSE: In your experience, is there a cyber security ‘knowledge gap’ between senior executives in the enterprise sector and their peers in the industrial sector? AS: There is a difference between [what you might categorise as] Industrial Security and Office Security. The cyber security
recommendations that are applicable for an office environment may not be suitable for, let’s say, Industrial Control Systems – for business continuity reasons, for example. However, the more we digitise and interconnect industrial IT the more vulnerable these systems get and the more executives must take care of these risks. CSE: How important will be securing Europe’s emergent 5G mobile networks against cyber attacks for the successful transition to Industry 4.0 operations? AS: We need 5G networks that are more secure than the current mobile networks. 5G is, after all, supposed to be the technology to enable digital services and developments like Industry 4.0,
autonomous driving or medical support. Based on a catalogue of security requirements, the BSI will therefore check and certify 5G hardware and software for their security. By means of technical security requirements for 5G networks we will ensure the confidentiality, integrity and availability of communication. Important aspects are for instance a well-implemented end-to-end encryption or the redundancy of network components. CSE: The BSI seems more involved in the area of secure certification than are national cyber security agencies in other European states. If that’s correct, can you explain why this is the case? AS: In cooperation with partner organisations from other EU member states, the BSI is putting significant efforts into cyber security certification. Certification helps to raise the bar for attackers. It demands a common minimum degree of security. It enables regulations and procurement to make use of measurable minimum requirements for products and services. It also further enables industry to sell security based on an independent assessment of their offers. It is one of the motors of innovation in the realm of IT security – as security often does not sell by itself. When we mandate the usage of IT for every citizen, we need to make sure it fulfils highest standards to protect private information. The most prominent examples are the German ID card and the German passport, but other areas like Smart Energy, Smart Home, Mobile Security, and Industry 4.0 add to the variety of engagement. CSE: Can certification play a role in the security of critical infrastructure? AS: Yes, it can. The understanding of this importance is commonly shared in Europe, which is reflected by the EU Cybersecurity Act that recently came into force. From our perspective, the most relevant part of this regulation sets up a European Cybersecurity Certification Framework to harmonise certification in Europe and to strengthen the European Digital Single Market. By this we expect consumers, industry, and public administration to benefit from an overall boost to available and effective security. CSE: The world of enterprise IT and information security is subject to a range of recent legislation, such as the General Data Protection Regulation (GDPR) and the Directive on Security of Network and Information Systems (NIS Directive). Do you see evidence that GDPR, in
CEOs used to think that IT experts would prevent, or at least decelerate, organisational decisions. particular, has positively changed how Europe’s senior executives now approach organisational cyber security strategies? AS: Many organisations were afraid of, or even irritated, by the new laws, although in most cases it was consensus that these regulations were necessary. From our point of view, there won’t be privacy without data security. So GDPR has fostered the introduction of further securityactions in various organisations. But we should not really regard security as a duty. It can also be a chance and competitive advantage. In the future, demand for products and solutions, which include contemporary protection measures, will be higher than for those which do not. CSE: As nation states undertake cyber attacks against politico-economic rivals, to what extent do you see European organisations being caught in the ‘crossfire’? AS: Well, I cannot answer that from a political point of view. Speaking in terms of cyber security, European organisations need to be aware of and cope with the risks of digitisation and protect themselves as optimally as they can, regardless of the identity of a possible attacker. The BSI provides a wide range of information and support to the companies to enhance their levels of cyber security.
ACCREDITATION Words | James Hayes Photography | BSI
73
advertorial
cybersecurityeurope
The new Society 5.0 social model is technology-driven and encompasses a wide range of smart application scenarios, explains NTT Security’s Kai Grunwitz. THE JAPANESE GOVERNMENT COINED THE TERM SOCIETY 5.0, WHICH STANDS FOR AN INTELLIGENT, ENTIRELY CONNECTED AND sustainable civilisation. The foremost goals of the Society 5.0 are an improved living environment, as well as enhanced quality of life. Digital infrastructure, platforms and services form the fundamentals of Society 5.0. They are based on smart technology such as Artificial Intelligence (AI), robotics, Internet of Things (IoT) and blockchain, as well as Augmented- and Virtual Reality or Robotic Process Automation (RPA). These technologies have reached a maturity that will enable the largest social and economic upheaval since the Industrial Revolution. Artificial Intelligence (AI), in its specific forms such as Machine Learning (ML) or Deep Learning (DL), has already found its way into the most diverse areas of life. Amazon Alexa and Apple Siri are good examples of this. Increasingly, AI and ML are being used in areas where large amounts of data have to be analysed and evaluated. AI systems are in a better position than people to analyse massive amounts of data, correlate them with a wide variety of reference points, and thus create a better foundation for decision-making. With error rates of less than 5%, machines are now able to achieve even better results than humans in areas such as facial- and speech recognition. That said, the use of smart technologies in relation to the implementation of Society 5.0 certainly has considerable effects on the individual. Typical
COMPANY INFO
examples are found in areas where an increasing number of machines and robots are being implemented, such as in the manufacturing industry. It is clear that traditional jobs will disappear or massively change in the future. As a result, training, and further development of employees’ digital skills, will become avoidable. However, people will not just feel these changes in the world of work, but primarily in the world they live in. Smart technologies are finding their way into a wide range scenarios: for connecting our means of transportation with ‘Smart Mobility’, for sustainable resource use with ‘Smart Resources’, for setting up ultramodern production plants in the ‘Smart Factory’, for a stream-lined state
The wider opportunities – and the concrete advantages – Society 5.0 promises should be presented. with ‘Smart Government’, and for intelligent health care with ‘Smart Healthcare’. Smart Healthcare in particular offers considerable benefits for the people. Based on new technologies, Smart Healthcare can address a central problem in many industrialised countries, including Germany: demographic change with the threat of an aging society and an already acute nursing crisis.
NTT SECURITY
NTT’s security department is the corporate division specialising in security and represents NTT’s ‘Security Center of Excellence’. With ‘Embedded Security’, NTT is able to provide reliable business solutions for customer requirements in the age of the digital transformation. NTT Security has several Security
Operations Centres, seven research and development centers, more than 2,000 security experts, and handles hundreds of thousands of security incidents annually.
DETAILS To find out more please visit: | nttsecurity.com/de-de | de-info@nttsecurity.com
74
The use of smart technologies in geriatrics will be inevitable, as AI and robotics can bring about significant improvements in the care of the elderly. AI and robotics already enable distinct optimisations in clinical care: from revolutionary diagnostics based on algorithm-supported correlations to the use of surgical robots in operating rooms.
THE CENTRAL TASKS IN IMPLEMENTATION In the execution of Society 5.0, there are three key tasks: achieving social acceptance, promoting the benefits and adapting the education system. Social acceptance is the groundwork to successfully shaping Society 5.0, but most important item in achieving this objective is to explain the benefits. The wider opportunities and concrete advantages that Society 5.0 offers should be presented, along with which opportunities will be embraced and which will not (especially with regard to problematic applications that can be implemented through digitalisation and interconnectivity). Negative examples include the test runs of China’s new social credit system, which for many brings to mind the dystopias of author George Orwell. The surveillance of citizens is digitised and entered into a central database of scores, to which everyone has access. A person’s behaviour is thus punished and rewarded at all times – in most societies not really a desired state and definitely not in line with the shared set of values. Above all, the education system must be geared to the new Society 5.0 – in both research and instruction as well. Due to the increasing digitalisation and connecting of the world, universities and schools have a responsibility to adapt their curricula for digital natives, especially with regard to preparing the next generation for tomorrow’s labour market.
SOCIETY 5.0 AREAS OF CONCERN Points of criticism against Society 5.0 models must also, of course, be considered. The supposed disempowerment of man is an important topic frequently revisited by universal historians, but Society 5.0 is more about the general improvement of the world in which we live than about the restriction of the individual. It is true that through
automation and digitalisation, many formerly important skills are no longer needed and can, to put it pointedly wither away. Studies have shown, for example, that with the rise of navigation systems, fewer and fewer people can read road maps correctly. In this context, however, the question arises as to whether obsolete skills really represent a loss, or whether they create new scope for more sophisticated and demanding activities that benefit people as a whole. To refute another criticism of Society 5.0, it must be understood that a mere belief in technology and innovation is undoubtedly a misguided approach. Social, ethical and legal questions must be considered, and appropriate guidelines created. To simply let AI loose with the highest decision-making authority is certainly not the smartest course of action — as critics rightly state – and would likely lead to ruin. It is therefore necessary to create regulations, draw up directives and put them into action.
‘SECURITY BY DESIGN’ IS AN ESSENTIAL Rules are one thing, but security is another. Society 5.0 also means that considerable amounts of personal data are collected and shared across systems. This means that the integration of sufficient cybersecurity functions from the start of all developments according to the ‘Security by Design’ concept is of the utmost importance – all the way from IoT to cloud security. One thing remains clear: the continued digitalisation cannot be stopped – and neither can Society 5.0. An open and critical debate on the digital future is an absolute necessity for politics, society and industry – not sometime down the road, but here and now. There are still a number of hurdles to overcome on the path to a successful realisation of Society 5.0, but the continued development of Industry 4.0 into a social model that focuses on the people will be unavoidable. Only through this can the future socio-economic challenges be conquered. NTT Security will take up this challenge in several lectures at it-sa 2019. For example, Kai Grunwitz, Senior VP EMEA, will give a talk entitled ‘New cyber risks on the way to smart society and a new social model Society 5.0’ (11:40am12:00pm, 9 October 2019, International Forum 10.1).
75
ma fac ep
r in
ma
da t a v e r i f i c a t i o nÂ
tc h
t h ema t i c
b i o me
tric
a //
-///// // ///
>
l D i g i t a l bi l d Live fo Erfassung
mat he m
r mu
a tis d o w n l o a d i n g
l
c
h eF a
or <///////////// //
///>
mel
Gesich tserken nung
< / -/ / >
BRIEF
FACIAL RECOGNITION: MUGGING UP Facial recognition is a biometric software application capable of uniquely identifying or verifying a person by comparing and analysing patterns based on the personâ&#x20AC;&#x2122;s face contours. Used for security purposes,
76
facial recognition technology has received attention as it has potential for a wide range of applications related to law enforcement, as well
cybersecurityeurope
b i o me
tric
< ///////////// //
///> I d e n t i
f i c a t i o n a u
FEATURE
t ho r i s
e d
D i g i t a l bi l d Live Erfassung Security d
assurance is crucial to win confidence in facial recognition technology as a first line of defence against workplace intruder risks.
ig i t a l i
m
a
g
e
l ive c a p t u r e fac e p
r int
da t a Verific at ion m a t ch
USE OF ENTERPRISE-SCALE FACIAL (FACE) RECOGNITION SYSTEMS HAS PROVED CONTROVERSIAL IN SOME use-cases, probably most notably with applications within the field of lawenforcement and crime detection. Some people, it seems, just won’t countenance it. When in August 2019 a Financial Times investigation revealed that facial-recognitive CCTV surveillance across a 67-acre publicspace development in London’s King’s Cross urban district surreptitiously uses facial recognition to track thousands
which many thousands of people pass through every day,” said UK Information Commissioner Elizabeth Denham. “As well as requiring detailed information from the relevant organisations about how the technology is used, we will also inspect the system and its operation on-site to assess whether or not it complies with data protection law.” But while the topic of public facial recognition surveillance looks set to arouse the ire of some, other sectors are showing a preference for this mode of individual identification for a range
Innovation in facial recognition comes thanks to two factors: Deep Learning plus a glut of data that can now be stored and parsed at low cost with the aid of cloud computing. mat he m a ti s c
h eF
of pedestrians, concern was voiced by both the UK ICO and civil liberties watchdogs alike. “The Information Commissioner’s Office has launched an investigation following concerns reported in the media regarding the use of live facial recognition in the King’s Cross area,
of security needs – particularly in the premises and workplace security in high-value business markets, such as facilities where 24x7 financial trading occurs. Such systems are dedicated combinations of heavy-duty hardware and software, and are distinct from the more popular smartphone-based
or mel < / -/ / >
as other enterprise’s requirements. Most systems function based on the different nodal points on the human face. The values measured
against the variable associated with key points of a person’s face help in uniquely identifying or verifying the person. Applications use data captured from faces, and can accurately identify specified individuals.
77
FEATURE
cybersecurityeurope
facial recognition apps, such as those from Facebook and Google. However, the turnkey systems provided by technology vendors such as NEC NeoFace (pictured above, left and right) and Panasonic FacePro (pictured above, centre). Some vendors of high-end turn-key facial recognition platforms build advanced tech like Artificial Intelligence (AI) into the mix, with the objective of making their systems ever-more accurate. A 2018 report by NIST said that massive gains in accuracy have been made within the last six years and has exceed improvements achieved in the 2010-13 period. And according to a 2019 report in Fortune magazine, innovation in facial recognition comes thanks to two emergent factors that have transformed AI more broadly. The first is the emergent science called Deep Learning. The second factor is an unprecedented ‘glut’ of data that can be stored and parsed at low cost with the aid of cloud computing. Although this trend is more likely to return value in the field of scanning large crowds, it does also have some applications for premises security facial recognition systems.
BRIEF
Although these can check and confirm that a face that comes through the main entrance is a known member of staff, it can also simultaneously check the face against a database of people an employer wants to keep out. And although its efficacy in terms of correct identification of individual faces still falls short of 100% accuracy, the market evidently sees the available solutions as good enough for many use-cases. According to a recently published report by analyst MarketsandMarkets, The Facial Recognition Market by Component, Application Area, Vertical, and Region, the global market is expected to grow from €2.89bn ($3.2bn) in 2019
A service denial attack on a face recognition system could leave an organisation unable to admit anyone into their premises. to €6.34bn ($7.0bn) by 2024, at a CAGR of 16.6% across the forecast period. Another forecaster, Reports and Data, estimates that the market value will go on to reach €10.23 ($11.30bn) by 2026. The market-watcher says growth can be mainly associated with an increase in demand for surveillance systems for enhancing safety and security in both public and private premises: the latter market is deemed a ‘notable factor for industry growth’. The BFSI (banking, financial services, insurance) segment accounts for the largest share of 29.2% of the market in 2018: any in-premises security alerts on trading floors and other centres of financial processing can disrupt operations, costing millions in losses. The growth will also tie-in with technological advancements in the implementation of smartphone technology that supports app-based ID tools for personal access. There’s also an expectation that facial recognition
FACIAL RECOGNITION THAT AIMS TO MAKE ORDERING QUEUES LESS OF A TURN OFF A survey of 2,000 pub/bar drinkers revealed that 75% have walked out due to long queues. Asked if they would stay and order if they knew more exactly how long they could expect to be served, around 65% of those
78
polled said they would. AI Bar from DataSparQ uses facial recognition to make ordering in busy bars faster and fairer. It puts drinks buyers in an
GUIDANCE
ICO POLICY DECISIONS
In July Information Commissioner Elizabeth Denham voiced the ICO’s position on facial recognition.
Denham confirmed that live facial recognition (LFR) is now a high-priority area for the ICO. LFR “represents a step change from the CCTV of old.” Denham continued: “I believe that there needs to be demonstrable evidence that the technology is necessary, proportionate and effective considering the invasiveness of live facial recognition.” Any organisation using software that can recognise a face among a crowd, then scan large databases of people to check for a match in a matter of seconds, is “processing personal data”. will converge with other forms of biometric identification, such as voice recognition: employees of the 2020s will have to get used to having their faces and voices verified before they can enter their workplaces. Technology provider Gemalto has described facial recognition as ‘the most natural of all biometric measurements’. It’s unlikely that interfacing with facial recognition systems will prove any more arduous that greeting a receptionist on entering a building. Employees will not have to pause while their features are scanned and checked, unlike with iris of retinal or fingerprint based biometrics. No longer will they have to touch a pass against a reader to open doors, and the system will be able to raise alerts if anyone attempt to tailgate into a building. “Facial recognition is undergoing something of a revolution,” Patrick J. Grother, Biometrics Evaluator at NIST (National Institute for Standards and Technology) told Fortune.com. “The underlying technology has changed. The old tech has been replaced by a new generation of algorithms, and they are remarkably effective.”
CYBER SECURITY HURDLES Although prospects for the facial recognition market look good, the technology will have to overcome another acceptance hurdle, and that is its cyber security. Facial recognition is, after all, analysis of data, and any data that forms the basis of security is attractive to cyber threats. ‘At first, the possibility of verifying a person’s identity via physiological biometric sensors seemed like a promising alternative to two-factor authentication,’ points out the 2019 Forcepoint Cybersecurity Predictions Report. ‘Fingerprints, movements, iris recognition – all of these [ID vectors] make life difficult for attackers that seek to access resources by stealing someone else’s identity. ‘But in recent years, even biometric authentication has begun to unravel,’ the Cybersecurity Predictions Report warns. ‘The reality is that facial
‘intelligently virtual’ queue, so that bar staff can serve in fairer sequence. The AI Bar Software-as-a-Service solution works by using a webcam,
Trials (such as those conducted by South Wales Police and the Metropolitan Police forces) also represent the “widespread processing of biometric data of thousands of people as they go about their daily lives,” Denham added. “And that is a potential threat to privacy that should concern us all.” Facial recognition has “yet to fully resolve their potential for inherent technological bias – a bias which can see more false positive matches from certain ethnic groups”. Although data protection law differs for commercial companies using live facial recognition, the technology is the same and the intrusion that can arise could still have a detrimental effect. In 2019 the ICO widened its focus to consider the use of facial recognition in public spaces by private sector organisations, including where they partner with police forces. The ICO will consider taking regulatory action where it finds non-compliance with the law.
display screen and Internet connection. It also speeds up ID checks, DataSparQ claims: if a customer looks under 25, the system will prompt them to have their ID ready or let bar staff know if they’ve already been checked.
79
FEATURE
cybersecurityeurope
ANNUAL FACIAL BIOMETRICS REVENUE BY REGION
ANNUAL FACIAL RECOGNITION REVENUE BY SECTOR
Facial recognition devices and licenses will increase to more than 122.8m by 2024. Annual revenue for facial biometrics will increase to $882.5m, at a CAGR of 22%.
Demand is forecast to grow across verticals to 2014. Interestingly, 2019’s sector most controversial sector, Law Enforcement, is not expected to see high uptake.
$1,000
$1,000 North America
$900 $800
Defence
$800
Asia Pacific Latin America
$700
Consumer
$900
Europe
Education Enterprise
$700
Finance
Middle East & Africa $600
$600
$500
$500
$400
$400
$300
$300
$200
$200
$100
$100
Goverment Law Enforcement
$M
2015
2016
2017
2018
2019
2020 2021
recognition has serious vulnerabilities – and that is why we think hackers will steal the public’s faces [sic] in 2019. In fact, it has already happened, albeit only at the behest of researchers.’ However, Threat Intelligence solutions agency Gemini Advisory told a report in Fortune.com that it has seen facial profiles stolen from India’s national biometrics database for sale on ‘dark web’ Internet sites. Gemini Advisory has yet to see databases of American faces for sale, but added, ‘It’s just a matter of time’. In August 2019 a team at vpnMentor discovered a ‘huge data breach’ in security platform BioStar 2, a web-based biometric security smart lock platform. A centralised application, it allows admins to control access to secure areas of facilities, manage user permissions, integrate with 3rd party security apps, and record activity logs. As part of the biometric software, BioStar 2 uses facial recognition and fingerprint technology to ID users. The app is built by Suprema, one of the world’s top security manufacturers, with the highest market share in biometric access control in the EMEA region. VpnMentor said that it was able to access over 1m fingerprint records, as well as facial recognition information. A stolen collection of customer faces from a hotel or retailer, for example, could help cyber criminals carry out diverse
80
2022 2023 2024
$M
Sources: Tractica.com (2015).
NGO Retail
2015
2016
2017
2018
2019
2020 2021
2022 2023 2024
identity theft or forms of fraud. Further cyber security issues can be classed into three general areas. First, there is the concern that a facial recognition system could be remotely hacked and have bogus ID profiles added to its database of ‘approved faces’. If successful, this might enable a malicious intruder to gain entrance to a building, then come and go as they please, undetected by the facial recognition system. Once inside offices, the intruder would be well-placed to mount insider cyber attacks on internal systems using their own technology,
Facial recognition is, after all, the analysis of data, and any data that forms the basis of security is attractive to cyber threats. or via compromised in situ endpoint devices already wired into the network. Legitimate staff would assume that an unfamiliar face must be OK, otherwise the face recognition system would have fired an alert. An additional cyber security issue would be the possibility of a denial-ofservice (DOS) attack on a cloud-based facial recognition system that would leave an organisation unable to admit anyone into their premises. Such an incident could have dire impact on finance and travel industries, for instance, where airport staff and aircrew use the same system as passenger security. Meanwhile, facial recognition tech continues to arouse strong views. Barrister and human rights campaigner Martha Spurrier compared the fallout from its use by police forces to putting “arsenic in the water of democracy” in an interview with the Guardian newspaper. The controversy over the use of such technology in public spaces trend is likely to spill into its deployment in other areas. Employers that are have facial recognition under consideration should be mindful of this eventuality.
ACCREDITATION Words | Jim Meyers Photography | Shutterstock
BE SECURE IN THE KNOWLEDGE… Cyber attacks now strike European organisations every day, every hour, everywhere. Businesses, governments, and the other organisations our economies depend on are targeted relentlessly and ruthlessly. With new data protection and corporate governance regulations, along with emerging threat types, and hardline business decisions to make, Europe’s business leaders are directly in the cyber security firing line. More than ever, they have to stay informed about the key information security challenges. Cyber Security Europe is designed in order to meet the information requirement of the top-tier European boardroom and c-suite executives who want to keep updated on today’s increasingly critical cyber security management issues. We provide the essential intelligence, insight and information you need to formulate policy and work successfully with enterprise technologists to deliver highly effective security strategies – and part of your cyber intelligence armoury.
c c
ENGAGEMENT
CYBER SECURITY EUROPE MEDIA OPPORTUNITIES – IN PRINT AND DIGITAL
Cyber Security Europe is the information platform that meets your information requirement in your preferred delivery format. For more details, content, and to subscribe to our newsletter, go to:
| cseurope.info or email corporate@worldshowmedia.net
FOR ALL YOUR EVENT AND EXHIBITION PUBLISHING REQUIREMENTS
ONLINE, DIGITAL AND PRINT EDITING ● DESIGN ● ADVERTISING SALES ● PROJECT MANAGEMENT ● INTERNATIONAL
WORLD SHOW MEDIA Tel: +44 (0) 203 960 1999 | Fax: +44 (0) 845 862 3433 | Website: worldshowmedia.net For all corporate enquiries | corporate@worldshowmedia.net
cybersecurityeurope
advertorial
KEEPING CLOUD SAFE Clear accountability must be put in place to ensure c-level executives are aware of the growing importance of cloud security, explains Thales’ Thorsten Krueger. CLOUD TECHNOLOGY HAS BECOME A FUNDAMENTAL COG IN GERMAN BUSINESS strategies. It is being used for everything from supporting customer sales data to providing the organisational infrastructure. That’s why, to protect businesses and consumers alike, it is of paramount importance to ensure the safe storage of data. With many organisations operating across multiple clouds for agility, cost savings and scalability, each has their own security processes and protocols. It’s no longer a case of understanding one set of rules and solutions. Deploying effective security controls for data flowing between multiple clouds or hybrid systems can be challenging with proprietary tools and APIs. This could lead to gaps around control, visibility, and consistency. Many businesses think the burden of protecting this data lies with the customer. Research from Thales suggests a third (34%) of businesses believe this to be the case, despite 62% of customers actually holding businesses responsible. This uncertainty around culpability also extends to the structure of the organisations concerned, less than 46% clearly define roles of accountability for securing sensitive information in the cloud. Even though GDPR places the burden of data security firmly in the hands of businesses, the confusion that surrounds the issue of responsibility has often left cloud security overlooked. Regardless of the cloud service model or provider, the security of your organisation’s data in the cloud remains your responsibility. COMPANY INFO
The job of implementing or managing cloud technology is often being left to the organisation’s IT leaders or, bizarrely, business line managers. A clear structure of accountability must be put into place to ensure that c-level executives are aware of the importance of data security. Employing someone that’s solely responsible for security is a must. With the ramifications of a data breach hitting a business both financially and reputationally, it’s difficult not to overstate the importance of protecting data in the cloud. To learn how Thales can help you secure your data in the cloud, visit us at it-sa 2019, booth number 9-446. Thorsten Krueger (pictured below) is DACH Regional Director for Cloud Protection & Licensing Activity at Thales.
THALES SECURITY
Thales Cloud Protection & Licensing is a worldwide leader in data protection, enabling organisations to protect and manage their most sensitive information – such as data, identities and intellectual property – wherever it is created, shared or stored. Our solutions enable organisations to move to the cloud
securely, achieve compliance with confidence, and create more value from their software in devices and services that are used by millions of consumers.
CONTACT DETAILS To find out more please go to: | thalesesecurity.com/thales-gemalto | youtube.com/watch?v=AjO954nlviQ
83
FEATURE
cybersecurityeurope
Europe’s c-suites struggle to maintain cyber security levels while their organisations are wrestling digital transformation challenges.
THE EUROPEAN EDITION OF DATA THREAT REPORT – RESEARCHED BY IDC ON BEHALF OF THALES – REFLECTS BROAD CHANGES IN DATA SECURITY APPLICATION IN SELECTED NATIONS. It provides important insights into the nature of cyber security deployment aIt provides key insights into the nature of cyber security deployment and readiness across the region, and is one of the few sources of pan-European intelligence that contains information for both technology-facing executives and non-techies. It’s based on a survey by IDC of 1,200 high-rank executives with responsibility for/influence over, data security decision-making. The European edition of the report focuses on the findings from 400 European respondents (100 each from the UK, Germany, Sweden, and the Netherlands), and provides comparisons and contrasts between regional markets. Respondents represent a range of vertical sectors, public and private. They also represent a broad range of organisational sizes, with the majority ranging from 500 to 10,000 employees. The report highlights how digital transformation (sometimes shortened to just ‘DX’) now fundamentally impacts the pan-European economy. Digital transformation facilitates new and innovative ways to provide an improved customer experience and drive greater efficiencies and productivity gains. Some 36% of European respondents say they are BRIEF
FURTHER INFORMATION The 2019 Thales/IDC Data Threat Report – European Edition is freely available online in English and German language versions. More information: | thalesesecurity.co.uk/2019/data-threat-report-euro
84
Date nsi che rheit in Euro
t
FEATURE
cybersecurityeurope
DIGITAL TRANSFORMATION STANCE
BREACH INCIDENT RATES (AT ANY TIME)
36% of Euro respondents are in one of the top two most advanced digital transformation categories. This trails the global average of 39% fitting into those categories.
Breach incident rates for Europe overall were on par with the global sample, with 61% of Euro respondents reporting that they’ve been breached at any past point.
17%
15%
14%
14%
13%
12%
23%
24%
23%
22%
23%
20%
77%
61%
60%
60%
54%
54%
GERMANY
GLOBAL
NL
EU TOTAL
UK
SWEDEN
SWEDEN
EU TOTAL
GLOBAL
NL
UK
GERMANY
Aggressively disruptive use of new digital technologies & business models to affect markets. Digital capabilities embedded in the enterprise & tightly linked to an agile management vision.
either ‘aggressively disrupting’ the markets they participate in aim to embed digital capabilities that enable greater organisational agility. Digital transformation is also likely complex and risky, as it introduces new difficulties for information security professionals. Not only must security professionals deal with a very dynamic threat environment, in which 61% of European respondents say they have been breached at some point in their company’s life, but they must also function in an increasingly restrictive regulatory environment. Together, these compounding issues should, however, implore organisations to implement the data management best practices that give them the foundation for high-quality, secure transformational efforts. Most European companies have cleared the initial challenge of GDPR (General Data Protection Regulation) compliance, the report says, and stacked their security inventory up using extra budget allocation caused by GDPR ‘fear’, Brexit concerns, and the need to ‘digest’ new technologies and processes recently acquired and built. Forty-one per cent of the European companies in the Data Threat Report sample say their spending will increase over the coming year, down from 72% last year, even while threat vectors are increasing: cyber criminals, cyber terrorists, and hacktivists top the concerns list concerns for all European companies. European data environments are now increasingly complex, and this complexity is proving to be a barrier to data security.
86
source: 2019 IDC/THALES DATA THREAT REPORT SURVEY .
Just like in other geographies, European companies are moving workloads to multiple cloud environments, even as they work to maintain traditional onpremises infrastructures. European companies are adopting cloud options for sensitive data and critical applications (see Cyber Security Europe, Spring 2019 issue), which means they must get cloud security right, but not overcomplicate IT strategies. Organisations must take a multi-layered approach to security, and the Data Threat Report study shows European executives working toward this goal. European respondents are placing an about equal amount of focus on network, application, and data security with 35% of their focus on network, 34% on data, and 31% on application security; these figures map closely to the global total. Respondents have lengthy ‘to do’ lists with plans to implement a variety of technologies over the coming 12 months, but they struggle to implement their plans, and rate complexity as their greatest barrier to data security implementation, followed by lack of budget and staff. Meanwhile, the risks of digital transformation remain an overarching challenge. This is because digital transformation entails a risk of a disconnect between more advanced organisations that run hybrid cloud-based modern infrastructures, and organisations that retain a dependency on legacy, perimeter-centric infrastructure. While it may seem that organisations further along the transformation process are in a better place than the laggards, they still have their own
Asked about the factors that impact security spend, 31% of the poll said they work to ‘avoid penalties resulting from a data breach’. challenges to address. They must apply security architectures across legacy infrastructures while they simultaneously roll-out hybrid cloud-based, digitally-transformative technologies. Ironically, this can lead to IT security professionals aiming at the wrong target. These security professionals believe that they are secure as they roll out new technologies, but they may face more extensive challenges as they look to secure a wider variety of IT infrastructure. Put another way, the greater the data distribution across an ever-increasing number of environments, the less organisational focus is available to protect data in any single environment. ‘Companies require smarter, better ways to approach data security and
VULNERABILITY TO DATA SECURITY THREATS
PROPORTION OF SECURITY FOCUS
However, 27% of European respondents believe they are ‘vulnerable’ or ‘very vulnerable’ to data security issues – much lower than the global total of 34%.
A global trend toward more focus on application and data security means companies need to take a holistic focus and protect all aspects of IT infrastructure.
42%
34%
27%
26%
24%
17%
SWEDEN
GLOBAL
EU TOTAL
NL
UK
GERMANY
source: 2019 IDC/THALES DATA THREAT REPORT SURVEY .
33%
31%
30%
31%
30%
30%
34%
34%
35%
34%
34%
33%
33%
35%
35%
35%
35%
38%
SWEDEN
UK
NL
EU TOTAL
GLOBAL
GERMANY
application security data security Source: 2019 IDC/THALES DATA THREAT REPORT SURVEY .
to implement modern, hybrid, and multi-cloud-oriented technologies,’ the report concludes. The UK had the greatest sense of having ‘adequate security’, and the Netherlands had the least. Asked about factors impacting IT security spending decisions, 31% of European respondents said they work to ‘avoid financial penalties resulting from a data breach’, and the same percentage confirm they are ‘motivated’ by a past incident. Instead, the topcited security spend driver is ‘implementing security best practices’, cited by 41% of Euro respondents. With many organisations having achieved GDPR compliance, they may feel they are at a ‘good enough’ level for data security, and have now reset aspirations to achieve a ‘best practice’ level of security the report suggests. The report zeros in on several specific aspects of data security practice factors that respondents in Germany, Sweden, the UK and the Netherlands are confronted by. here are some selected examples... GROWTH IN SECURITY SPEND The percentage of European respondents polled who report that their security spend is increasing was only 41% for the 2019 survey, which is down significantly from the 2018 Data Threat Report, in which 72% of organisations reported an expected increase in their security budget. European respondents who say their security budget will decrease more than doubled (18% compared to 8%) and the number saying their spend will stay the same doubled (42% compared to 21%) as well. Notably, the 41% who say spending is increasing is lower than the global total, 50% of which said their spend is increasing, indicating that slowing spending is more acute in Europe than in other geographies. Clearly, GDPR has been a watershed initiative, providing global leadership surrounding the issue of privacy and data sovereignty. The question of ‘Who owns data?’ is relevant. The sharp decline of those reporting an increase in security spend though begs the question of whether companies are looking to implement best practice approaches to data security, or are simply looking to achieve compliance through ‘good enough’ approaches, the report says. In many cases European organisations surveyed have sought a stepped approach to GDPR compliance. In the first instance, they have developed consistent data security and compliance processes in order to demonstrate readiness. However, these have often been developed on a manual basis, with plenty of scope remaining to achieve compliance on an automated basis. In other words, data security and GDPR compliance are yet to become operationalised into business-as-usual.
network security
THREAT VECTORS SHIFT FIGURE Some 61% of European respondents to the Data Threat Report that have been breached at some point in their past. Sweden reported the highest breach incident rates at 77%, while Germany was the lowest at 54% (see Figure headed ‘Vulnerability to Data Security Threats’). In contrast, 27% of European respondents believe they are vulnerable or very vulnerable to data security issues, much lower than the global total of 34% within the European countries studied, Swedish respondents felt the most vulnerable with 42% saying they were very or extremely vulnerable to security threats, and Germans felt the least with 17% saying they were ‘very vulnerable’ or ‘extremely vulnerable’. IDC believes this is a reflection of Germany (along with the UK) being one of Europe’s most mature security markets, with Sweden (along with other Nordic countries and the Netherlands) behind. Arguably, this means that Swedish organisations have more room for improvement than their counterparts in Germany or the UK. In addition, smaller nations like Sweden and the Netherlands have traditionally been perceived to be less of a target for malicious actors than organisations in Germany or the UK. Countries like Sweden and the Netherlands must now bring their security up to the level of their global counterparts. Europeans here see the greatest threats overall to be cyber criminals, cyber terrorists, and hacktivists. Insider threats are the lowest-perceived risk factors, although this is somewhat at
87
FEATURE
cybersecurityeurope
odds with other threat type ranking surveys published over the last five years (see Cyber Security Europe Autumn 2018 issue). While the incidence rate of cyber terrorism is quite low relatively, respondents’ concern over it is high. This includes proliferation of state-sponsored cyber attacks and uncertainty about cyber warfare. While few cyber terrorist activities have been occured to date, indications are that the preparation for such activities is quite considerable. ADEQUATE SECURITY Within the European countries studied in the Data Threat Report, the UK had the greatest sense of having ‘adequate security’, while the Netherlands had the least. As mentioned earlier, asked about factors impacting IT security spending decisions, 31% of European respondents said they are working to ‘avoid financial penalties resulting from a data breach’, and the same percentage confirm they are ‘motivated’ by a past. Instead, the top-cited security spending driver is ‘implementing security best practices’, cited by 41% of European respondents. With many organisations now having achieved GDPR compliance, they may feel they are at a ’good enough‘ level when it comes to data security, and have now set their aspirations higher to achieve a ‘best practice’ level of security. CLOUD ADOPTION FIGURE Sixty-seven per cent of the European respondents to the Data Threat Report say they use at least one of the three flavours of cloud – Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) – to store sensitive or regulated data. Ninety eight per cent of European companies are storing sensitive data in digitally transformative environments across at least one of the technologies they were surveyed about.
88
INCREASED COMPLEXITY Data environments are increasingly complex. Workloads that used to be handled by a single on-premises environment are now augmented with multiple IaaS and PaaS environments, as well as many SaaS hosted applications. A new wave of ‘serverless computing’ or ‘function-as-a-service’ adds to this complexity. Even as they relocate new workloads to cloud, enterprises must still maintain mission-critical applications that run on onpremises environments. While the number of European organisations that now run a very large number of IaaS/PaaS environments is lower than the global total (9% of Europeans polled report respondents say they are running four or more IaaS, and 8% are running four or more PaaS environments), the number running two or more IaaS/PaaS environments tracks closely with the global total. Managing multiple cloud instances introduces new challenges for European IT departments. It is enough of a challenge to provide encryption, tokenisation, visibility and access to sensitive data within a single cloud instance, let alone dozens. European respondents rate complexity, lack of budget, and lack of staff to manage as their top concerns over data security.
Europeans here see the greatest overall risks to be cyber criminals, cyber terrorists and hacktivists, rather than insider threats. PERIMETER-, DATA- AND APPLICATION SECURITY In the past, when most data was located on-premises, enterprises placed a great amount of security focus on network security. The focus was on protecting the perimeter, backed up by device-level defences within the firewall. There used to be a ‘two for one’ spending effect in that the money spent on network security also protected the organisation’s data. Now we are seeing a global trend toward more focus on application and data security. No longer is network security ’sucking all the oxygen out of the room’. COMPLIANCE AND REGULATORY CHALLENGES In many respects, Europe has long played a leading role in requiring data privacy and sovereignty, most notably with the EU’s GDPR regulation. Not surprisingly, the study found that European firms are among the most prepared to handle regulatory requirements. Europe had a higher percentage of companies that are using encryption and tokenisation on personal data than the global total, and fewer saying they are not impacted by privacy/sovereignty regulations. Within the countries studied, the UK and Germany are most likely to encrypt personal data, while respondents from the Netherlands are most likely to use tokenisation. ACCREDITATION Words | IDC/Thales Data Threat Report / James Hayes Photography | Shutterstock
Alle Anwendungsfälle. Alle Standards. Alle Geräte.
! s u a r o v e g ü Z 2 r e m Im Mit unseren Lösungen knacken wir auch die härteste Nuss in Sachen anwendenderfreundliche E-Mail-Verschlüsselung für Sie. totemo. Die E-Mail-Verschlüsselungs-Experten.
Besuchen Sie u ns in Halle 9, S tand 412 und gewinn en Sie eine Sch weizer Speziali tät!
Neugierig? Jetzt kostenlos testen! www.totemo.com/kostenlos-testen
An IT manager doesn’t worry about his IT security, that must be Soliton Soliton has been a major game changer in developing cyber security technologies with a strong focus on delivering simplified security solutions. Soliton leads the market by simplifying employees’ ability to access company resources and by taking out the complexity in IT Management. Soliton now presents its latest developments on accessing company resources without leaving any sensitive data on the device, whether access is gained from the internal or external network, through personal or corporate owned devices, and even unmanaged devices. Soliton’s solutions assure a flexible working environment while maintaining the highest levels of IT security.
Visit Soliton at it-sa in Hall 10-1 / Stand 624 Soliton Systems Europe N.V. Gustav Mahlerplein 2, 1082 MA Amsterdam, The Netherlands | +31 20 301 2166 | emea@solitonsystems.com | www.solitonsystems.com
FEATURE
cybersecurityeurope
IN THE FIRING LINE
Executives with cyber security responsibility must tackle the escalation of occupational stress – before chronic mental strain results in IT security failure and job losses.
SURELY ONE OF THE MORE DISTURBING REVELATIONS IN SUNGARD AS’S RECENT THE RESILIENCE IMPERATIVE REPORT IS that, in taking greater responsibility for the cyber governance of the organisations they lead, some c-suite executives are now subjected to blame and abuse when cyber security incidents occur. It’s enough to unstiffen the stiffest of upper lips. Some 45% of the report’s respondent sample said they’d experienced ‘abuse online, verbally, and in some cases physical threats’, while 20% said that such abuse even ‘extends to their family and friends’. Such personalised attacks are just one of range of stresses being heaped upon technical and non-technical chief officers in addition to the day-to-day duress of persistent and malicious cyber attacks. BRIEF
The burnout these accumulated stressors bring can cause acute harm at both collective and individual levels. Although it’s often claimed that some people ‘thrive on stress’, for most of us stress is a performance inhibitor. This is all to the favour of cyber attackers, because stressed-out people do not perform well and/or do their jobs as effectively as possible – and become more liable to slip-up. A stressed work team is unable to watch-out for one of its number who may show signs of inattention. Oversight suffers, and mistakes are made in cyber defence administration. In the wider context, workplace stress and mental health have a major impact on national productivity and economic growth. According to the UK Health and Safety Executive’s Health and Safety at Work summary, 595,000 workers suffered from work-related stress, depression or anxiety (new or long-standing) in 2017/2018, and 15.4m working days were lost due to ‘workrelated stress, depression or anxiety’ over the same period. Both statistics are increases on the previous years. Awareness of the problem in cyber security circles is being raised. The topics of stress and mental health issues caused by cyber security pressures are being openly discussed at conferences and other industry gatherings. Mental health in cyber security were headline topics at events in the
THE EUROPEAN UNION WORKING TIME DIRECTIVE 2003/88/EC This gives EU workers the right to at least four weeks paid holidays per year, rest breaks, and rest of at least 11 hours per day; restricts excessive night work; and provides for a right to work no more than 48 hours per week. Since
24 92
excessive working time is cited as a primary cause of stress, depression and illness, the directiive’s purpose is to protect health and safety.
63
FEATURE
cybersecurityeurope
HIGHS AND LOWS: STRESS AND THE SECURITY TEAM
PERSONAL STRESS INDEX
C-suite respondents to Nominet’s Trouble At The Top report were asked: what is the stress level for the average employee on your organisation’s security team?
Same sample was asked: on scale of 1-to-7, to what extent has job stress affected the areas below: 1 is ‘not at all’ and 7 is ‘a great deal’. Figs. indicated responses of 6 or 7.
70% 61.5
KEY TOTAL USA UK
69.6 53.2
27.0 27.1
36.3
30.1
KEY TOTAL
40%
USA
UK 32.8
26.9
23.3 21.8 24.9
26.5 25.7 27.4
27.4 21.8
24.2 8.3
10.4 6.3
0
0% Tremendous, very high stress
moderate rates
low stress
US in the last 12 months, including the high-profile RSA Conference. At the 2019 event, Dr Ryan K. Louie, a psychiatrist for the Foundation Physicians Medical Group, delivered a keynote presentation entitled ‘Mental Health in Cybersecurity: Preventing Burnout, Building Resilience’. Elsewhere, Dr Louie has explained that organisations should now recognise their frontline cyber security professionals are routinely exposed to unusually demanding workplace situations. “What is unique about cyber security is that there are always emerging threats… coming from left field – things that people don’t know about,” he said in a post-conference interview. “There is also an adversary [and] adversaries are intellectual, innovative, and creative, so there’s that constant need to always be prepared for something.”
REGULATORY COMPLIANCE PRESSURES A conference track at Black Hat and DEFCON 2019 also touched on the topic of ‘post-traumatic stress disorder’ as it can affect cyber security practitioners. The subject is less tenuous than might, at first sight, seem the case, given the number of former military people now employed in the IT security profession. However, there are indications that employers are starting to recognise the attendant risks of frazzled cyber security officers, it will take time for remedial actions to become routine workplace practice. Additionally, it’s important to take account of the fact that executives with cyber security responsibility have more to worry about than the untender
94
0 no stress at all
0
0% relationships at work
relationships outside work
your physical or mental health
your ability to do your job
mercies of cyber criminals and nation-state sponsored attackers, not to mention insider threats (see Cyber Security Europe Autumn 2018 issue). The latest Security Pressures Report from Trustwave points out what a stressful time 2018 was for c-suite or governance boards that held responsibility for legislative compliances focused on secure management of data assets; 2018, of course, saw the actuation of the General Data Protection Regulation (GDPR), and kicked-started a stream of high-profile penalties from national data commissioners, such as the ICO in the UK and Data Protection Authority in Belgium (see Cyber Security Europe Summer 2019 issue).
Thirty per cent of stressed executives find strategic decisions more difficult to make. This puts the future of their jobs into question. ‘Security compliance mandates have become more prescriptive and rigorous over time, even as they typically set forth only baseline protections,’ the Trustwave report authors point out. ‘As a result, they necessitate plentiful skills and resources, of which many organisations are in short supply of.’ This places additional pressures on the people tasked with cyber security operations and governance. Sources of stress for cyber security professionals stem from many factors that are inherently part of working in this field, Trustwave emphasises. For example, it can be difficult to ‘turn work off’ and leave for the day, the confidential nature of the job places constraints on personal connections and outlets, and the enduring talent shortage leaves understaffed teams with an ever-extending list of responsibilities. “The results of The Resilience Imperative report are concerning, but also very clear,” Sungard AS Senior VP Chris Huggett has commented. Cyber disruption has “considerable ramifications” for companies – both as corporate entities and as responsible employers. “In recent years organisations have increasingly focussed on the importance of [their employees’] mental wellbeing. [Our report] findings will cause further scrutiny of any organisation’s ability to be truly resilient,” Huggett adds. A further area of concern to UK companies is the scale of the challenge business leaders face psychologically and emotionally during times of IT disruption. Around half – 54% – of c-level executives in the UK have suffered from stress related illnesses and/or damage to their mental well-being as the result of a technology crisis, The Resilience Imperative reports.
CAN ARTIFICIAL INTELLIGENCE (AI) HELP RELIEVE THE SECURITY STRESS BURDEN? Nominet’s Inside The Perimeter survey found that, from a technological perspective, in terms of the automated AI driven approach being taken by many cyber security vendors to address some of the burden on humans, it seems the CISO is broadly positive: 75% of those questioned agree that it will have a positive impact on their professional well-being.
22.4
53.3
20.4
24.4
OVERALL
UNITED STATES
UNITED KINGDOM
Somewhat 53.3% Dramatically 22.4% No impact 11.3% More stressful 9.8% Not sure 3.2%
Somewhat 55.8% Dramatically 20.4% No impact 11.7% More stressful 9.7% Not sure 2.4%
Somewhat 50.7% Dramatically 24% No impact 10.9% More stressful 10.0% Not sure 4.0%
11.3
9.8 3.2
55.8
11.7
9.7
Inside the Perimeter found that a quarter of surveyed CISOs worldwide suffer from physical or mental health issues due to stress, with just under 20% turning to alcohol or medication to help cope, and more than 50% failing to ‘switch off’ from their work. The report found that every CISO it polled experiences stress in their role. More than 90% say that they suffer moderate or high stress, with 60% saying that they ‘rarely disconnect from their job’. This is hardly surprising given their super-long working hours. Eighty-eight per cent of CISOs quizzed work more than 40 hours a week, while 22% say that they are on-call ‘available 24/7’. All of this is causing a markedly physical response to a very digital problem: 26.5% of respondents say stress impacts their mental or physical health, while 23% say the job is ‘eroding their personal relationships’. Most concerning is the 17% of stress-stricken CISOs who admit they turn to medication or alcohol to deal with job-related frets. The daily round of cyber attacks agitates further anxieties related to professional competence and hierarchical status. Only 52% of CISOs polled by Nominet feel the executive teams value the security team from a revenue and brand protection standpoint. Couple this with the fact that 32% of those questioned believe that, in the event of a breach, they would either lose their job or receive an official warning that could have adverse effects on their reputation for professionalism, and it adds significant individual pressure. It’s not clear why, but a greater percentage of European CISOs think they would receive a warning or be fired in the event of a breach, compared to the US. The second Nominet report, Trouble at the Top: The Boardroom Battle for Cyber Supremacy subsequently surveyed more than 400 c-suite executives from enterprises across the UK and US, rather than Europe. It
10.9
10.0
2.4
“Not only does this highlight how linked senior executives are to their company’s resilience, but also suggests the extent to which they feel personal responsibility as part of such fallouts,” Huggett believes. “Research has also revealed the negative personal impact technology crises can have on [an organisation’s] leadership abilities, with 30% of executives finding strategic decisions more difficult to make, and 24% finding it harder to provide clear direction for the business – putting the future of their jobs into question.” Huggett’s point is augmented by two complementary reports from Nominet – Inside the Perimeter and Trouble at the Top: The Boardroom Battle for Cyber Supremacy (both 2019). These studies review on the impact of cyber stress on the c-suite roles across the table, as well as focusing on the impact on CISOs – who are likely most in the stress firing line in most organisations.
CHIEF INFORMATION STRESS OFFICERS?
50.7
4.0
contains some insightful conclusions for European senior executives, however. It found that the feeling of not being valued is having a damaging effect on the CISO: 27% of those surveyed said the stress of their job is ‘impacting their physical or mental health’. Just as worryingly, 23% admitted that the job had also affected their personal relationships. As more of a professional concern, 28% of CISOs also admit that high stress levels are having an adverse effect on their ability to fulfil their job roles and responsibilities. So, with the pressures mounting for both cyber security chiefs and their c-suite colleagues, the question of an effective response should be addressed. It must be noted that respondents to some surveys around the topic signal that a key contributory factor is lack of funds for cyber security operations. The expectations of cyber security effectiveness as equated to IT security expenditure should certainly be acknowledged by a remedial strategy. “Cyber security involves the ‘human element.’ People have to feel good about themselves before they can perform at their best,” according to Dr Ryan Louie. “What makes the cyber security workforce different is that they must be in their best mental condition to be in the best position to protect [us]. We must understand the stressors that cyber security work has on people, and how to address it.”
ACCREDITATION Words | James Hayes Photography | Shutterstock
95
ME ET U BO ME BOOTHET @ OTH: 1 USS @ 0.1: 10 326 .1-3 26
© ©
by ISL by ISL
Qiata
FEATURE
cybersecurityeurope
Concerted attacks using bogus emails, social engineering
and human response exploits has enabled wily cyber scammers to
defraud global organisations of €23,613,082,890 since 2016
BRIEF
ATTACK FOCUS: BEC AND PAYROLL DIVERSION ARE ON THE INCREASE The FBI’s IC3 unit reports a surge in numbers of BEC incidents concerning the diversion of payroll funds. A company’s Human Resources or payroll departments received spoofed emails appearing to be from employees
98
requesting a change to their direct deposit account. (This differs from the payroll diversion scheme, in which the attacker gains access to
TH E BOG US INVO ICE SC HE ME<///// /////////> </////////// ///////////////////> C EO FR AUD ACC OUN T COM PROM ISE<///// /////////> </////////////> ATTOR NEY IMP ER SONA TION CLIE NT D ATA TH EFT PRE DA TOR PAI N AND LI MIT LE SS HAWK
EYE<///// /////////> </////////////// ////////// ////////////// ///////// /// ///////>
s ig n in to a cco u nt
DE FEN DING AG AI NST TH E SC AM
userename
password
s e c ur e l og in
BUSINESS EMAIL COMPROMISE – BEC – ATTACKS USES FALSE EMAILS ALLIED TO OTHER SOCIAL ENGINEERING TRICKS TO DEFRAUD BUSINESS, PUBLIC SECTOR AND OTHER organisations, most often by tricking employees into raising, authorising, and making payments into accounts of cyber criminals and their cohorts. BEC – known also as ‘CEO Fraud’ and ‘whaling’ (i.e., ‘big phish’) – attacks target specific employee roles within an organisation by sending a spoof emails that maliciously pretend to represent a senior executive (CEO, CFO, etc.) or a trusted customer. The email will contain requests and instructions, such as the initiation and approval of payments or maybe the release of valuable data. “BEC is designed to bypass traditional security filters,” explains Bharat Mistry, Principal Security Strategist at Trend Micro. “It does this by virtue of the fact that threats typically don’t contain malware at all. Instead, it relies on either spoofing the [email] of a senior executive or hacking/phishing their email account and using it to send finance staff a request for immediate fund transfer. From then on, it’s all about using classic social engineering tricks to get the desired outcome – creating a sense of urgency which forces the recipient into acting without thinking.” The impact of BEC attacks have on commercial sector around the world is growing significantly – especially when gauged against other forms of attack and loss that most businesses are subjected to. Between May 2018 and July 2019, the FBI’s Internet Crime Complaint Centre
(IC3) saw a 100% increase in identified global exposed financial losses: the IC3 recorded 166,349 BEC incidents which resulted in victim losses of €23,613,082,890 ($26,201,775,589) - that’s no mean sum. “BEC is a serious threat on a global scale,” FBI Special Agent Martin Licciardo, Special Agent at the FBI’s Washington Field Office, has commented, “and the criminal organisations that perpetrate
The use of actionable keywords and reference terms indicates how BEC attacks often rely on conditioned responses from their victims.
an employee’s direct deposit account and alters the routing to another account.) Typically, HR/payroll staff received emails that appeared to be
from employees requesting to update their direct deposit information for the current pay period. The new direct deposit information provided to HR/payroll staff generally leads to a scammer’s pre-paid card account.
99
FEATURE
cybersecurityeurope
BRIEF
SPECIFIC TYPES OF BEC Messages that are sent by BEC attack perpetrators most often follow categorical archetypes. As defined by the FBI, there are now three major types of BEC scam...
Account Compromise An executive or an employee’s email account is hacked, and then used to request invoice payments to the vendors that are listed in their email contacts. Payments are then sent to fraudulent bank accounts. Lawyer Impersonation Attackers here impersonate a lawyer or other law firm representative responsible for sensitive matters. These types of attack often occur through email or telephone toward the end of the business day where the target individuals are likely employees without the knowledge, authority or confidence to question the communication’s validity. False Invoice Scheme Companies with foreign suppliers are often targeted with this simple but effective tactic. Attackers pretend to be the suppliers requesting fund transfers for payments to an account owned by fraudsters.
BRIEFING
these frauds are continually honing their techniques to exploit more unsuspecting victims.” BEC attacks have “fast become a persistent hazard for businesses,” agrees Tim Sadler, CEO at Tessian: “Taking advantage of the sign-off power senior executives have over substantial payments, hackers are executing highly-effective and targeted attacks, often imitating known contacts to convince individuals to wire money into a bank account belonging to the wrongdoer.” Little wonder, then, that BEC has become such an increasingly popular form of cyber crime. It’s reasonably straightforward to set-up an attack, and you don’t have to possess particularly adept technical skills to pull off a successful scam; chances of being caught are low and, as mentioned, the loots can be high. Three instructive examples of Stateside BEC attacks are worth review: In April 2017 a BEC attack cost Southern Oregon University €1.71m ($1.9m) in unrecoverable funds supposed to go to a building contractor engaged on one of the university’s construction projects. Cyber suspects allegedly posed as the contractor in an email, prompting officials to send their quarterly payment to a fraudulent bank account. University financial administrators made the payment and requested confirmation of receipt. Some three business days later the construction company reported it did not receive the remittance; but it looks like BEC scammers did. In May 2019 Scott County Schools in Kentucky announced that it was the victim of a major BEC attack that resulted in a loss of €3.34 ($3.7m). The school was notified by a vendor that a recent invoice was outstanding. Further investigation revealed payment had been made, just not to the vendor in question. An email had been received that appeared to be from the vendor, which included forged documents and details of a bank account that was controlled by the scammer. The FBI was contacted, and attempts are being made to recover the funds. A few days later in May, St Ambrose Catholic Parish in Brunswick, Ohio, was a victim of a BEC attack that resulted in the fraudulent transfer of €1.58 ($1.75m) from the Church’s renovation fund. The scam was a virtual restage of the Scott County Schools BEC attack. The church was contacted by its contractor after not having had invoices paid for two months. The church was under the impression that the payments had been made to schedule. The funds had indeed left the church account, but had been directed elsewhere. An investigation into the BEC attack revealed hackers had gained access to the St Ambrose Catholic Parish’s email system and altered the contractor’s bank and payment transfer details. BEC attack activity showed a 28% increase from 2017, according to figures from Trend Micro’s 2018 report, Caught in the Net: Unravelling the Tangle of Old and New Threats. While the overall number of these email-based attacks was low, the danger lies in how effective each singular attempt could be if
ANATOMY OF A BEC ATTACK BEC scams employ a craftily-plotted combination of attack stages. These entail the targeting of vulnerable individuals, ‘target grooming’ based on carefully-timed interactions, followed up with simple social engineering – all allied to bogus bank accounts and counterfeit emails. Here’s the basic attack procedure, stage by stage...
100
STAGE 1 : TARGET IDENTIFIED
NEWS
Sources of attack collateral could be a published company report, a ‘Meet The Team’ webpage, information contained in a press release.
successful. Whereas phishing attacks are generally launched against a wide swathe of possible victims, more research by the cyber criminal goes into each BEC attack to increase the likelihood of targeted employees being unsuspecting dupes. Trend Micro’s research found that CEOs were the most targeted (in terms of spoofing) executives at 32%, followed by directors (29%), company presidents (10%), managers (6%), chairpersons (3%) and others (20%). The research also suggests (not surprisingly, perhaps) that more BEC attempts were seen in countries considered as international business hubs. Australia (33.9%), the US (29.6%) and the UK (15.1%) were the top three nations. (Data refers to the number of BEC attempts seen, which does not indicate whether the attacks were successful.) The use of actionable keywords and reference terms indicates how BEC attacks rely on conditioned responses from the recipients of bogus business communications. A study of BEC trends by Symantec looked at the 10 most popular keywords used in BEC emails in the last 12 months (2018-2019). Almost all of the ‘call-to-action’ keywords are meant to snag the attention of the recipient or induce a sense of urgency with finance-related themes. ‘Transaction request’ topped the list with 39,368 instances observed, followed by ‘Important’ (37,477) and ‘Urgent’ (33,391). Other terms include ‘Request’, ‘Info’ and ‘Attention’. There were three iterations of ‘Payment’ that rounded up the top 10: ‘Payment’, ‘Outstanding payment’ and ‘Notification of payment received’. BEC scams targeted at the UK and the US were mostly labelled ‘Important’, while most BEC scams directed at Spain, France, and Germany, and Australia had payment-related themes. The vertical sectors BEC attacks are targeted at reveal where perpetrators believe the biggest susceptibilities are to be found. Beazley’s 2018 ‘Breach Briefing’ has also corroborated a sharp increase in the number of BEC attacks in specific types of businesses. According to its findings, BEC accounted
for 24% of the overall number of malicious cyber incidents reported to Beazley Breach Response (BBR) Services in 2018, compared to 13% in 2017. ‘The target of the fraudulent instruction is most often a trusted business partner or someone with internal authorisation to make [payments] on behalf of the victim organisation,’ states the report’s authors. ‘For instance, we often see these incidents occurring in a real estate transaction,
Unlike viruses, Trojans and other malware, the email component of a BEC attack does not ‘advertise its presence’ to threat detectors.
STAGE 2 : TARGET GROOMED
In the attack lead-up period, targets receive routine-looking emails.
STAGE 3 : TARGET ATTACKED
Phishing attack now directed at target that contains payment request or alert.
where lawyers, real estate agents, and title or escrow companies are frequent targets and the cyber criminal can exploit the short timeframe for the closing to take place. In a recent incident, the cyber criminal compromised a broker’s email and sent revised wire transfer instructions, diverting the closing payment’. Furthermore, BEC attacks are evolving as perpetrators start to apply a little lateral thinking and sophistication to their scams. The FBI’s Internet Crime Report 2018 notes that whereas in 2013, BEC scams routinely began with the hack or
STAGE 4 : TARGET DEFRAUDED
Payment made to what seems a legit. business account that is then closed.
101
FEATURE
cybersecurityeurope
BRIEF
SMART BEC’S POTENTIAL TO SYNTHESISE AUTHORISATION What will the future bring for BEC attacks? According to Symantec, as AI and Machine Learning (ML) become more developed, we may see BEC scammers adopting them to make their attacks even more convincing.
AI and ML could be used to power audio-visual ‘deepfakes’ that target or impersonate c-suite executives. Already we have seen deepfakes that use only audio, as it is easier to leverage than both audio and visual elements. A BEC scammer using AI/ML could target an organisation’s senior financial executive or employee who has direct access to the CEO and who could authorise money transfers. When the employee tries to verify the request, the scammer might use audio featuring the CEO – such as earning calls, YouTube videos, TED talks, etc. – to kid the employee into believing it is indeed the CEO’s voice authorising the transfer. The employee could then execute the request in the belief it was legitimate. spoof of the email accounts of CEOs or CFOs, through the years, the scam has seen personal emails compromised, vendor emails compromised, spoofed lawyer email accounts, requests for tax status information, and the targeting of the real estate sector. In 2018, the FBI’s Internet Level Complaint Centre – IC3 – received an increase in the number of BEC incidents that requested victims to purchase gift cards. The victims received a spoofed email, a spoofed phone call or a spoofed text from a person in authority requesting the victim purchase multiple electronic gift cards for either personal or business reasons. The gift cards were then used to make purchases before the scam is detected. This trend was also tracked by Symantec. Its Security Response team observed that the 10 top themes carried by BEC emails in the last 12 months include: Apple iTunes gift cards (physical) to employees (the scammer requests the potential victim to buy Apple iTunes physical gift cards from a store – the scammer states that these cards will be distributed among employees of the same organisation); Apple iTunes e-gift cards to employees (the scammer requests the potential victim to buy Apple iTunes e-gift cards for employees); and Amazon gift cards (the scammer requests the potential victim to buy Amazon gift cards); Generic gift cards for clients/ partners (the scammer requests the potential victim to buy physical gift cards to be distributed to partners).
102
BEC attacks are acutely frustrating for defensive enterprise IT security practice. Unlike viruses, Trojans and other forms of malware, the email component of BEC does not ‘advertise its presence’ to antivirus and threat detection systems. As cyber security firm Proofpoint’s Q1/2019 Threat Report points out, highly-targeted, low-volume BEC attacks often have no payload at all and are thus difficult to detect for automated safeguards. More headaches follow for cyber governance officers. BEC victims are also confronted with having to go through a potential data breach analysis to ensure that any email compromise has not impacted Personally Identifiable Information (PII) or Protected Health Information (PHI) compliances.
ABUNDANCE OF TARGET DATA AVAILABLE FROM LEGIT SOURCES According to a January 2019 blog post by Agari Data – ‘BEC-as-a-Service Trend Means Just About Anyone Can Launch an Attack’, there are multiple factors that make BEC the scam of choice for cyber criminals. They are mostly related to the abundance of inexpensive or free data available to prospective scammers. Cyber criminals can save time collecting data on executive chief officer role targets with the purchase of lists from legitimate lead-generation database firms that more ordinarily serve legitimate commercial marketers. These large sets of validated data can also be used to send fraudulent emails. For BEC attackers with reduced budgets, Agari Data goes on to report, there are plenty of stolen email addresses and passwords for sale on the dark web. The ongoing stream of data breaches feeds into this pool of stolen data, with 4.5bn compromised records in the first two quarters of 2018 alone. Weak email passwords and lax email archive security add to the problem, as do the necessity to publish some named email addresses into the public domain. For would-be cyber criminals just starting out, and without the ready monies to buy a marketing list or the tech know-how to harvest their own target data for free, there are many dark web habitués who are ready to do the ‘heavy lifting’, and reportedly offer to compromise email accounts for fees as low as €135 ($150) or a percentage of the BEC fraud’s proceeds. The service providers make money, their clients get a passive stream of fraudulent income, and the victims continue to have funds stolen.
ACCREDITATION Words | James Hayes Photography | Shutterstock
FIND US IN: it.sa 2019 NUREMBERG HALL 9 BOOTH 642
INDUSTRY
%
4.0
basquecybersecurity.eus
ED’S picks
cybersecurityeurope
EDITOR’S IT-SA PICKS
With IT security, everyone’s on a learning curve: it-sa 2019’s Supporting Programme provides a wide range of knowledge gain opportunities. Here’s a selection of events of special interest to our editorial team. THE SCOPE OF ‘CYBER SECURITY’ CHANGES EVERY MONTH. New threats call for new solutions from the IT security sector, and new solutions mean additional deployment challenges for IT security practitioners to manage. The it-sa 2018 Supporting Programme has been designed to deliver market education and insight. As well as offering many ways for delegates to widen and improve their knowledge and understanding of key issues, there are unmatched opportunities for them to use these sessions to ask questions and learn from the questions of others. Here, our ‘Editor’s it-sa picks’ selection highlights a few of the sessions that Cyber Security Europe’s editorial team has added to its itinerary.
TUESDAY 8 OCTOBER 2019 EDITOR’S PICK - UNDER THE HOODIE: LESSONS FROM A SEASON OF PENETRATION TESTING 14:30 - 14:45PM - FORUM 9 Leveraging data collected from 180 engagements over the past 12 months, this presentation journeys into the discipline of penetration testing and explores what practitioners and clients should expect throughout a ‘pentest’ engagement. This presentation also discusses the usual internal and external network assessments, physical intrusions, in-person and electronic social engineering techniques, wireless and web applications, and non-production code reviews. Speaker: Matt Rider, Director of Sales Engineering, Rapid 7
8 OCTOBER
EDITOR’S PICK - USING AI IN CYBER ATTACKS - THE NEXT ARMS RACE? 14:20 - 14:40PM - INTERNATIONAL FORUM 10.1 It is evident that advanced automation, Machine Learning (ML) and Artificial Intelligence (AI) have put the strategic advantage firmly back into the hands of the security defenders. However, we are now seeing cyber adversaries starting to use similar methods in their attacks. This presentation will explore how the combination of ML and AI are now used by defenders effectively. It will also review how cyber attackers will likely start to leverage the same technology in the near future. The presentation will, in addition, look beyond the buzzword-hype of AI and ML, and see what advantages. and what tangible value, these advanced technologies actually deliver in day-today security operations. The presentation will reference real-world case-studies of AI-based defences catching and stopping threats ‘in the wild’. It will be illustrated on a practical example of an advanced malware campaign. Founded in 2013 by mathematicians from the University of Cambridge and government cyber intelligence experts in the US and the UK, Darktrace is a leading AI company for cyber security. Speaker: Max Heinemeyer, Director of Threat Hunting, Darktrace Ltd
THE FUTURE OF HACKING: ATTACKS ON CURRENT AND FUTURE TECHNOLOGIES
Founder & CEO of SySS GmbH Sebastian Schreiber will demonstrate speed hacking live on stage. He is going to show how easily the latest wireless alarm systems, electronic locking systems, and wireless presenters can be hacked, and how simple and effective Bluetooth attacks can be. 16:40 - 17:20PM - International Forum 10.1.
104
DETAILS For more information please go to: | it-sa.de/en/events
THURSDAY 10 OCTOBER 2019
WEDNESDAY 9 OCTOBER 2019 EDITOR’S PICK - ONE ALWAYS CLICKS... EMPLOYEES IN THE FOCUS OF THE ATTACKER 10:20 - 10:40AM - INTERNATIONAL FORUM 10.1 Most organisations have very little idea which of their employees receive sophisticated threats, targeted threats, or even large volumes of threats. Using research across thousands of organisations around the world, this presentation will focus on how to identify who the ‘Very Attacked People’ (VAP) are within your organisation (anyone can be a VAP - and they are not always the people you’d expect to be targeted), why they are targeted, and how they are being attacked. This presentation will then provide meaningful steps a security professional can take to protect their people. Speaker: Adenike Cosgrove, Director, International Cybersecurity Strategy, Proofpoint GmbH EDITOR’S PICK - HOW CISOS CAN GAIN TRUST IN THE BOARDROOM 14:40 - 15:00PM - INTERNATIONAL FORUM 10.1 As boards are increasingly interested in the security posture of their organisations, security leaders have the opportunity to empower the board to execute this role effectively. Chief Information Security Officers (CISOs) need to embrace a new approach in communicating about their programs with their executives and board members. Kudelski Security surveyed around 80 CISOs about matters relating to board communication. Their collective responses provide insight into what interests board-level executives the most, and what questions are toughest for CISOs to answer. Speaker: Shiri Band, Global Solutions Marketing Manager, Kudelski Security
EDITOR’S PICK - HOW TO ENABLE WEB AUTHENTICATION STANDARD IN MINUTES ON ANY APPLICATION 11:15 - 11:30AM - KNOWLEDGE FORUM 10.1 This presentation will introduce the audience to the new standard of authentication in the internet, called Web Authentication (or WebAuthn). This standard was recently introduced by The World Wide Web Consortium (W3C). WebAuthn allows local biometric authenticators (such as a biometric mouse or biometric keyboard) to be used in an authentication process on the web. During the presentation, Secfence CTO Marcin Szary will demonstrate how easy it is to enable this standard on any web application with the use of Secfense User Access Security Broker. Speaker: Marcin Szary, CTO, Co-Founder, Secfense sp. z o.o.
THEMES
SUPPORTING PROGRAMME HIGHLIGHTS
‘Congress’ provides the framework for intensive specialist discussions and dialogue; ‘it-sa insights’ provides a range of best practice knowledge share; in the five ‘Open Forums’ exhibitors talk on technical and management issues; ‘Live hacking’ demonstrates how vulnerabilities can be exploited.
Congress@it-sa
it-sa insights
Live hacking
Open Forums
Startups@it-sa
105
MAXXeGUARD Your silent partner in Hi-Security Shredding
Automatic loader for 15 products
Proof of destruction with photographic evidence
Suitable for all digital data carriers
MAXXeGUARD Data Safety BV The Netherlands E: info@maxxeguard.com W: www.maxxeguard.com
STOPATTACKS Before they stop your business. #ExpectTheUnexpected
Discover the all new security, continuity and deliverability for email and learn how to secure your business with the Retarus Enterprise Cloud. Meet Retarus at it-sa 2019 in Nuremberg. From 8 - 10 October in Hall 11.0, Stand 520. Get your free ticket for it-sa 2019: retarus.de/it-sa
Infopulse @ it-sa 2019 8-10 October 2019 NĂźrnberg Hall 10.0, booth 10.0-405 infopulse-scm.com