GDS Review December 2017


GDS Review > Global Defence Security

Best IT Consulting - Hamburg Lo Verde is a dynamic IT company looking to extend its services into different fields. We invited Vito Lo Verde to provide further insight into the company’s success.

Also In this issue...

Five Website Security Issues You Should Be Aware Of
Top 10 IT Security Predictions for 2018
The Importance of Solid and Secure Computer Data Storage


Editor’s Note

Welcome to the December edition of GDS Review, your source for the latest news and announcements for defence security from across the globe.

In recent news, PAREXEL International Corporation, a leading global biopharmaceutical services organization, introduced the Perceptive® Cloud to the life sciences industry, as part of the organization’s recent alliance with Microsoft Corp. In other news, on the 7th December, Blackstone announced that funds managed by Blackstone Tactical Opportunities have acquired a majority share in TITUS, a leading provider of data classification and categorization solutions headquartered in Ottawa.

In this edition, we invited Vito Lo Verde from Lo Verde, a dynamic IT company looking to extend its services further afield, to provide further insight into the company’s success. Lo Verde focuses its service consulting on the area of WAN tendering with security options. Recently, the firm has worked on some interesting projects including SIAM, a Service Integration & Management Deliverables Catalogue.

Also in this month’s issue, Carlos Wardlow has provided consulting services to companies ranging from Fortune 500 to small businesses in the NY/NJ Metropolitan and Central New Jersey areas since 1999. He discusses the importance of physical data protection to ensure complete safety as winter rolls in and extreme weather becomes the norm for many.

Lastly, Daren Oliver, cyber security expert and managing director of Fitzrovia IT, explores whether fraudulent emails are getting more difficult to identify and if email communication should be limited for those working in security-sensitive sectors.

Here at GDS Review, we hope you enjoy reading this edition during this festive season and we wish you a Merry Christmas and a Happy New Year!

Jessica Daykin, Editor
Phone: +44 (0) 203 725 6842
Email: jessica.daykin@ai-globalmedia.com
Website: www.gds-review.com

AI Global Media, Ltd. (AI) takes reasonable measures to ensure the quality of the information on this web site. However, AI will not assume any legal liability or responsibility for the accuracy, correctness or completeness of any information that is available through this web site. If errors are brought to our attention, we will try to correct them. The information available through the website and our partner publications is for your general information and use and is not intended to address any particular finance or investment requirements. In particular, the information does not constitute any form of advice or recommendation by us or any of our partner publications and is not intended to be relied upon by users in making or refraining from making any investment or financial decisions. Appropriate independent advice should be obtained before making any such decision. Any arrangement made between you and any third party named in the site is at your sole risk and responsibility.

2 GDS REVIEW / December 2017


Contents

News
Best IT Consulting - Hamburg Lo Verde GmbH
Five Website Security Issues You Should Be Aware Of
Half of IT Professionals Question the Safety of Their Personal Data
Netsparker Cybersecurity Survey Shows That 80 Percent of Americans at Risk
Today’s Threats and Solutions for USB Storage Devices
Agritech Businesses In Race To Protect Farmers From Cyber Threats, Says Inmarsat
Top 10 IT Security Predictions for 2018
Is It Getting Harder To Spot A Spoof?
The Importance of Solid and Secure Computer Data Storage
Security Key Concern in Implementing IoT For Many Firms
Managing the Phishing Threat to Your Organization



NEWS


New OXIAL GDPR EXPRESS provides 100% GDPR compliance for mid-market FS firms

New solution brings digitised compliance approach to remove GDPR burden and offer continuous compliance and high level data security.


Mid-market Financial Services (FS) firms can now benefit from a fast, intelligent and effective solution to achieving GDPR compliance, thanks to the new GDPR EXPRESS from new generation GRC solution provider OXIAL. With the deadline for the EU’s General Data Protection Regulation (GDPR) coming into effect on 25 May 2018, the GDPR EXPRESS solution uses an automated digital compliance approach to offer 100% GDPR compliance. Live and operational in less than 90 days, the new solution is based on OXIAL’s years of experience in risk management, IT security and compliance and reflects the urgency for mid-market FS firms to begin getting GDPR-ready.

“GDPR is the most significant change to data protection law in the EU for a generation and the penalties for failure to comply could be catastrophic for some organisations,” said Eric Berdeaux, CEO, OXIAL. “For bigger firms with compliance teams and the resources to allocate sufficient time to GDPR, there should be few problems getting GDPR-ready, but for mid-market organisations it is a different matter altogether. Our GDPR EXPRESS solution removes the burden of GDPR for such businesses, by using a digitised approach to ensure every requirement for GDPR compliance is met.”

Compliance is a business function in many organisations that is yet to be significantly altered by digitisation, and OXIAL has placed digital at the heart of its new GDPR EXPRESS solution. It comes with a number of powerful features to help address GDPR, from an initial step-by-step project plan to reporting mechanisms for the regulator and senior management. The GDPR EXPRESS solution encourages compliance to be treated as a continuous process, advised and supported by external experts who will allow an organisation to drive GDPR more efficiently and to reach the desired results from a compliance perspective.

Approaching compliance in this way, supported by automation of processes to ensure nothing falls through the cracks, means an organisation knows exactly how GDPR relates to its business and data, and is able to assess what it must change in order to be compliant and gauge where the priorities and responsibilities lie.

“A major challenge for mid-sized firms is the sheer volume of data that must be accounted for,” continued Eric Berdeaux. “Data is stored all over an organisation – how do you find it, how do you manage and protect it and how do you ensure it is GDPR compliant? Without the know-how, time and experience of compliance teams in bigger firms, answering these questions is a significant problem and one with enormous consequences should an organisation not be able to do so.”

There is also an important security element to GDPR, with enormous volumes of data to keep secure. OXIAL has partnered with cyber security provider Global Data Sentinel (GDS), to keep GDPR data safe. GDS is a cross-domain, zero-knowledge system, so all data within a network or cloud is stored encrypted, meaning even IT personnel cannot see it. GDS resides seamlessly inside an organisation’s existing network, securing data from the get-go, without requiring any additional infrastructure investments.

Every organisation – irrespective of where in the world they are located – must comply with GDPR if they hold or collect data on European citizens. To ensure compliance, organisations must keep records that show data is stored and used in the right way. Failure to comply will result in fines of up to €20,000,000 or 4% of an organisation’s annual global turnover, whichever is greater.

“Compliance does not begin and end on a fixed date and 25 May 2018 is certainly not the end of GDPR,” said Eric Berdeaux. “Compliance is an on-going process and should be managed as such, including compliance around GDPR. That’s what we are aiming for with our GDPR EXPRESS solution and we believe it can be a game-changer for mid-market firms that are struggling with GDPR requirements.”

PAREXEL Launches Perceptive® Cloud for the Life Sciences Industry

Cloud Platform Built on Microsoft Azure Delivers PAREXEL’s Valued Informatics Solutions on a Global, Trusted Architecture; Represents the First Offering of PAREXEL and Microsoft Alliance.

PAREXEL International Corporation, a leading global biopharmaceutical services organization, today introduced the Perceptive® Cloud to the life sciences industry, as part of the organization’s recent alliance with Microsoft Corp. Perceptive Cloud elevates PAREXEL Informatics solutions into an enhanced cloud infrastructure built on Microsoft Azure, combining PAREXEL’s extensive industry expertise and innovative technology solutions with the power of Microsoft’s intelligent cloud services and investment in global compliance certifications and enterprise-grade security. The first group of integrated cloud services will include LIQUENT InSight® Regulatory Information Management (RIM), Study StartUp, DataLabs® Electronic Data Capture (EDC), Managed Access Programs, and IMPACT® Clinical Trial Management (CTMS).

“In drug development today, the time to treatment continues to grow longer. This is due, in large part, to the use of conventional, disparate systems that simply digitize manual processes,” said Paul Bidez, Vice President of Regulatory and Clinical Solutions for PAREXEL. “Perceptive Cloud represents an opportunity to automate and streamline workflows and provide greater access to high quality data, simplifying the drug development journey with the objective of ultimately bringing new therapies to patients sooner.”

Perceptive Cloud is designed to respond to the need within healthcare to deliver cost-effective innovation while trusting that sensitive information will stay secure across global environments. Introducing Perceptive Cloud represents the first milestone of the enterprise alliance between PAREXEL and Microsoft aimed at leveraging the cloud to optimize performance and jointly innovate to offer new clinical development solutions and more site- and patient-centric technologies.

“Most life sciences solutions to date have been developed with the end result in mind, not the user experience, creating bottlenecks and inefficiencies across the drug development chain,” said Paul Slater, Worldwide Industry Strategist, Pharmaceuticals, Microsoft Health. “Both Microsoft and PAREXEL are committed to developing technologies that better engage patients, sites and sponsors to optimize clinical and operational effectiveness and digitally transform health. The Perceptive Cloud is only the first step in this effort.”

PAREXEL Informatics delivers innovative technology solutions to help optimize patient engagement, clinical and regulatory processes, and provides analytics and visualization for PAREXEL’s Connected Journey™ of data-driven services. PAREXEL’s Connected Journey of technology, processes, and expertise supports clinical development and commercialization, with solutions to provide data-driven insights that enable our clients to make critical decisions more quickly.


Best IT Consulting - Hamburg

Lo Verde is a dynamic IT company looking to extend its services into different fields. We invited Vito Lo Verde to provide further insight into the company’s success.

Providing clients with a wide variety of services, Lo Verde focuses its service consulting on the area of WAN tendering with security options. Recently, the firm has worked on some interesting projects including SIAM, a Service Integration & Management Deliverables Catalogue.

Part of the success at Lo Verde is attributable to how it approaches new clients and projects and, as such, Vito explains the techniques he employs to ensure that the overall project results of the company are successful for all parties.

“Here at Lo Verde, we have a clear and universal understanding of the project objectives for all the parties involved while talking everything through with clients. Key factors in our success are that we fully identify and define all requirements for the client.

“We crucially give a detailed description of the current mode of operation as well as future modes of operations which are trackable by our service providers, supplying all necessary resources and capacities on the part of the client. We comply with the communication rules with the service providers, ensuring a realistic plan of service provision for transition based on the defined requirements and services of the company.”

Discussing the security market currently, particularly within the area of WAN, Vito outlines some of the major challenges and outside influences facing the market and the company itself.

“Basically, the issue of digital crime needs to be taken more seriously and thus more emphasis must be placed on the protection of tangible and intangible assets. Regarding organizational security, sensitive areas should be clearly defined and rules should be laid down regarding which employees can access which data. This also includes emergency management and personal security as a company’s security culture should include a regulated system of access data, secure handling of external data sources and rules of conduct for travel.

“Lastly, safety certifications are a benefit to the market as, in practice, certifications can contribute to achieving higher safety standards at the company by dealing with the subject in detail.”

In his concluding comments, Vito summarizes the firm’s overall mission, explaining where he wants to see Lo Verde and its standing in the future.

“Ultimately, end-to-end consulting is our business. From the sourcing strategy to tendering, transfer and optimization, we support our customers in the sourcing area throughout the entire process, responsibly and purposefully.”


Best IT Consulting - Hamburg

Company: Lo Verde GmbH
Contact: Vito Lo Verde
Contact Email: vito@lo-verde.com
Address: Valentinskamp 24, Hamburg, 20354, Germany
Phone: +49 (40)31112272
Website: www.lo-verde.com


Five Website Security Issues You Should Be Aware Of

Joey George discusses the website security issues businesses and individuals need to be aware of and how to combat them.

Technology has become more advanced, and with it, hack attacks in the online world are increasing at an alarming rate. Hackers use known vulnerabilities in third-party software to target your website and web server, and use them to their advantage. The effect of this may be just the defacing of your website, the theft of your confidential client data, or even worse, the use of your server resources to perform illegal activities. There are some simple tips you can leverage to strengthen your website software and sleep with peace of mind.

XSS or Cross Site Scripting

XSS occurs when a hacker embeds scripting code into a web form or URL, and runs malicious code to change your web visitor’s experience and steal passwords or other data. XSS can also be persistent in nature, where an attacker can manipulate a specific web page and show it as a login screen to users. The recent XSS comment hack on WordPress 4.2 is an example of such a permanent loophole.

SQL Injection

SQL injection occurs when a hacker uses a web form field or URL parameter to manipulate your database. Almost all web platforms have a database, and open source CMS platforms generally keep the dynamic aspects of the website in the database.

DoS or Denial of Service Attack

Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks are by far the most notorious kinds of attacks. That is because any level of hacker with a small investment can bombard a victim website with millions of requests, and make them look like they come from legitimate users. This eventually crashes the web server and takes the site offline, requiring manual intervention to bring it back online.

Weak Passwords

We should all use complex passwords, because the weakest link is all it takes to break the chain. It is imperative to use strong passwords for admin areas, but it is equally important for all users to protect the security of their accounts.


One compromised account can lead to another, and that could lead to the admin account being hacked. It is recommended to have passwords with a minimum of 8 letters, digits and special characters to avoid quick password guesses.

Brute-force Attack

These attacks are trial-and-error methods to guess your username and password. Weak passwords are prone to getting hacked easily. Methods like temporary blocking of IPs and accounts, and multifactor authentication, help mitigate such attacks.

Code Injection

Websites with file upload capability, or sites missing proper client-side and server-side form validation, can be dangerous. The risk is that any uploaded file could contain a script which can be leveraged as a rootkit, i.e. to gain administrator access to your website. Lack of form validation on simple form fields could lead to malicious code being inserted into the database, and could cause undesirable results in your website.
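The temporary blocking of IPs and accounts mentioned under Brute-force Attack can be sketched as follows. This is an added example, not code from the article; the class and function names, the thresholds (5 failures within 300 seconds, a 900-second block) and the sample account and addresses are assumptions constructed for illustration.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

class LoginThrottle:
    """Temporarily block an IP address or an account after repeated failures."""

    def __init__(self, max_failures=5, window=300, block_seconds=900,
                 clock=time.monotonic):
        self.max_failures = max_failures     # failures tolerated inside `window`
        self.window = window                 # seconds over which failures count
        self.block_seconds = block_seconds   # how long a block lasts
        self.clock = clock
        self._failures = defaultdict(deque)  # key -> recent failure timestamps
        self._blocked_until = {}             # key -> time at which the block ends

    @staticmethod
    def _keys(ip, username):
        # Per-account counting catches guessing against one user from many IPs;
        # per-IP counting catches one host trying many usernames.
        return (("ip", ip), ("account", username.lower()))

    def is_blocked(self, ip, username):
        now = self.clock()
        blocked = False
        for key in self._keys(ip, username):
            until = self._blocked_until.get(key)
            if until is not None and now < until:
                blocked = True
            elif until is not None:
                del self._blocked_until[key]  # block has expired
        return blocked

    def record_failure(self, ip, username):
        now = self.clock()
        for key in self._keys(ip, username):
            recent = self._failures[key]
            recent.append(now)
            while now - recent[0] > self.window:  # forget failures outside window
                recent.popleft()
            if len(recent) >= self.max_failures:
                self._blocked_until[key] = now + self.block_seconds
                recent.clear()

    def record_success(self, username):
        # Reset the account counter only; a success must not wipe the IP's history.
        self._failures.pop(("account", username.lower()), None)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def attempt_login(throttle, users, ip, username, password):
    """Return 'blocked', 'ok' or 'denied' for one login attempt."""
    if throttle.is_blocked(ip, username):
        return "blocked"  # refused before the password is looked at
    salt, expected = users.get(username.lower(), (b"\x00" * 16, b""))
    supplied = hash_password(password, salt)  # hashed even for unknown users
    if expected and hmac.compare_digest(supplied, expected):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(ip, username)
    return "denied"

class FakeClock:
    """Controllable clock so the simulation needs no real waiting."""
    now = 0.0

    def __call__(self):
        return self.now

def simulate():
    """Run constructed traffic through the throttle and return the outcomes."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    salt, good = b"constructed-salt", "correct horse battery staple"
    users = {"alice": (salt, hash_password(good, salt))}  # constructed account
    login = lambda ip, user, pw: attempt_login(throttle, users, ip, user, pw)
    out = {"guessing": []}
    # 1) One host guesses passwords for a single account, 10 seconds apart.
    for i in range(5):
        clock.now = i * 10
        out["guessing"].append(login("203.0.113.7", "alice", f"guess{i}"))
    clock.now = 50
    out["attacker_with_right_password"] = login("203.0.113.7", "alice", good)
    clock.now = 60
    out["owner_during_block"] = login("198.51.100.20", "alice", good)
    clock.now = 941  # the block set at t=40 lasts 900 seconds
    out["owner_after_block"] = login("198.51.100.20", "alice", good)
    # 2) Another host tries one password against many usernames.
    for name in ("bob", "carol", "dave", "erin", "frank"):
        login("192.0.2.50", name, "Winter2017!")
    out["sprayer_blocked"] = login("192.0.2.50", "alice", good)
    out["owner_unaffected"] = login("198.51.100.20", "alice", good)
    return out
```

While the account block is active the legitimate owner is refused as well, which is why the block is temporary and why the article lists multifactor authentication alongside it.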

Unencrypted Protocol

An unencrypted channel allows a man-in-the-middle attack to steal information from your users. It is preferred to use an SSL security certificate whenever passing personal information between the website and the web server or database.

Debug Mode on Production Server

Some developers may accidentally enable debug mode on the live production server, which dumps extensive error logs to the browser. Thus, a hacker can obtain valuable information about the software used by the web server and target an attack much better. It’s crucial to hide as much internal information about the server as possible to minimize and delay attacks.

Old Software Versions

It may seem obvious, but ensuring you keep all software up to date is vital in keeping your site secure. This applies to both the server operating system and any software you may be running on your website such as a CMS or forum. When website security holes are found in software, hackers are quick to abuse them.



No Backup Plan

No matter how vigilant you are, attackers can find new loopholes to doom your website. So, besides prevention, you should also have a backup-restore plan. In case your site is compromised, you should have a team which can quickly restore the last known backup, and avoid reputation and sales loss.

Coversine provides a simple, affordable solution to all these problems: your own security professional who will maintain your site’s uptime, performance and security, all-in-one for as low as $10 per month. The subscription takes care of performance checks, and regular updates to software and apps as well.


Half of IT Professionals Question the Safety of Their Personal Data

IT decision makers across Europe are worried about how many organisations can access their personal data and have low levels of trust in the IT security capabilities of their industry peers.

These are key findings from Kaspersky Lab’s study, “From overwhelmed to empowered, the IT department’s journey towards good data health”, which reveals that only half (55 per cent) of IT professionals have faith that other organisations are looking after their personal data properly. This shows an alarmingly low level of trust from a security savvy audience, at a time when personal data protection is coming under increased scrutiny.

With the General Data Protection Regulation (GDPR) becoming enforceable in around six months (in May 2018), Kaspersky Lab undertook the study to find out more about the pressures IT decision makers are under to get data protection right, and their abilities to do so.

The Europe-wide survey of technology professionals uncovered strong personal feelings about data protection that raise question marks over how organisations commonly deal with the personal data in their care. Despite a large majority of respondents (73 per cent) saying that the security of their private data is important, two-thirds (64 per cent) are worried about how many organisations have access to their personal information. Even more (67 per cent) are concerned about their personal information being hacked into.

IT decision makers are more likely to be aware of the dangers to personal data, because they see how it is being treated on a day-to-day basis – giving significant weight to any concerns they might have. The research found that one-in-three (32 per cent) are not confident that their own organisation can successfully demonstrate how, and from where, the personal data it holds is sourced – which could have severe consequences under the terms of the GDPR. This lack of faith in good data governance also makes IT decision makers worried about the fate of their own data, in the hands of other organisations, and harbours fears around loss or hacking.

Despite this, some parts of Europe show higher levels of trust and confidence among IT professionals than others. For example, three-quarters (76 per cent) of IT decision makers in France trust organisations to protect their data. This is compared to 56 per cent in the UK and just 48 per cent in Germany.


“Given they deal with the challenges of data security as part of their daily role, it is perhaps no surprise that IT professionals feel strongly about personal data protection. They see threats from all directions and are acutely aware of the repercussions of a security breach,” commented Adam Maskatiya, general manager at Kaspersky Lab UK. “However, it is concerning to see that their experiences have led to them losing faith in organisations and their peers. This clearly indicates that there is a long way to go before businesses are actually treating the data in their care with the respect it deserves – and before the GDPR deadline hits.” The study questioned over 2,000 IT decision makers in organisations with more than 50 employees. The research was conducted in the UK, France, Germany, Italy, Spain, Belgium, Netherlands, Portugal, Sweden, Denmark and Norway.



Netsparker Cybersecurity Survey Shows That 80 Percent of Americans at Risk

Data reveals that a fifth of Americans don’t regularly update their computer or smartphone software, and 45 percent fail to update smart home devices.

Netsparker Ltd., a leading player in the web applications security industry, has released the results of its 2017 Cybersecurity Survey. The survey of 2,006 U.S. adults, conducted online by Propeller Insights on behalf of Netsparker in November 2017, found that most Americans leave themselves open to cyber-attack, that Americans love IoT even if it poses a heightened security risk, and that a third of Americans would hold the maker of a device responsible if a hack occurred, even if outdated software was the cause.

Netsparker was founded in 2009 and develops a web application security scanner. The scanner’s accurate scanning technology led to early success, and Netsparker is now a recognized leader in the web application security industry. The firm can identify vulnerabilities in any type of modern and custom web applications, regardless of the architecture or platform they are built with. Upon identifying a vulnerability, the Netsparker scanner uniquely generates a proof of exploit to identify a false positive.

Americans at Risk

When it comes to cybersecurity, fully 80 percent of Americans admit to behaviors that put them at risk. The most common offenses are:

• Using open, unsecured Wi-Fi networks — 40 percent
• Clicking on unfamiliar links on social media — 35 percent
• Downloading files from third-party sources — 31 percent
• Opening email attachments from unknown sources — 31 percent
• Failing to install good web-based security software — 28 percent

Additionally, more than a third (34 percent) admit to using the same password for all logins and using weak passwords (33 percent). Fifty-eight percent of Americans use fewer than four passwords for all of their online logins; 15 percent say they are constantly forgetting and resetting their passwords.

While Americans may engage in risky behaviors, they also do take measures to protect themselves, which include:

• Trying to avoid open, unsecured Wi-Fi networks — 40 percent
• Turning off location services from their phone and other devices — 38 percent

Americans would be most concerned if their email (57 percent), computer files (40 percent) or browsing history (30 percent) were hacked.

Consumer Perceptions of IoT and Web Application Security

When asked which technologies Americans believe are most susceptible to hacking, IoT devices (45 percent) ranked second only to web applications and online services (53 percent). Other connected technologies also ranked high:

• ATMs — 45 percent
• Smart TVs — 35 percent
• Connected cars — 32 percent
• Artificial intelligence — 26 percent
• Medical devices — 22 percent

When it comes to smart home devices, more than a fifth of Americans (21 percent) never update them, and an additional quarter (25 percent) don’t realize their smart devices need to be updated.

But Americans love IoT devices. Even if they knew IoT devices were at higher risk for cyber attack, only one in five (21 percent) would eliminate all IoT devices from their home. The other 78 percent would continue to use IoT devices—some with more care and others limiting their children’s access.

When Hacks Happen

Outdated software has been the cause of many large-scale hacks, most recently the Equifax security breach. The survey revealed that, unfortunately, Americans are exposing themselves to these same vulnerabilities. Just over a third of Americans (34 percent) update their computer’s operating system when prompted, but 22 percent don’t realize they’re supposed to update their operating systems, procrastinate updating, or simply never do it. Another 7 percent only update yearly. Similarly, 40 percent of Americans update their smartphones when prompted, but 19 percent don’t know they’re supposed to update, procrastinate updating, or simply never do it.

When hacks do happen because of outdated software, about half (53 percent) of Americans feel the device owner is responsible, but a third (33 percent) feel it is the fault of the device maker, and a fifth (21 percent) feel it is the fault of the third-party security provider.

“There are many simple steps that Americans can take to protect themselves against data hacks,” said Ferruh Mavituna, founder and CEO of Netsparker. “Implementing stronger passwords and keeping software updated are two obvious ways. Security scanning is another. Data hacks are the threat that define our age, and consumers must be proactive about keeping their sensitive information safe.”

Netsparker is available as desktop software and as a cloud service. It is trusted and used by world-renowned organizations from all industry verticals, including Samsung, NASA, Microsoft, ING Bank and Ernst & Young.



Today’s Threats and Solutions for USB Storage Devices

USB storage systems and devices despite the move onto the cloud. As such, Rajana Zein explores the security implications of using these devices and how to combat these.

USB products have been on the market since 2000. The ever-growing nature of personal and business data has led to exponential demand for USB flash drives and external hard disks. From ordinary people to large organizations, all rely on USB drives to keep, transfer and receive documents, pictures, videos and so on. The main reason for the popularity of these devices is that they are light, small and inexpensive.

A few years ago, it was hard to believe that with a piece of hardware half the size of a bank card, one could hold thousands of documents and pictures right in their pocket. It is worth mentioning that a typical 8 GB USB flash drive has enough space to keep more than 15000 photos (500 KB average photo size). In response to this high-demand market, manufacturers strive to produce devices with greater storage space, faster transfer rates and lower costs. For example, a 1 TB USB drive will be available during 2013.

USB flash drives use a common standard, which is supported by all modern operating systems, called USB mass storage. As a result, anyone can connect one of them to a Mac, copy some files, and conveniently connect it to a Windows-based machine to access those files.

So, are we going to conclude that they have no disadvantages? Absolutely not. They have a lot to offer, but they all have one problem in common: they are dangerous!

Antivirus companies report that the AutoRun feature in Microsoft Windows is still among the top ten threats. This feature helps programs that are meant to run automatically when a USB drive is connected to a PC, but obviously malware can be easily executed by it. Most computer viruses copy themselves to removable USB disks, and sometimes this is their main method of spreading. When a virus, or any other type of malware, gets onto a USB disk, there is a high chance that other systems using that USB drive get infected too.

Moreover, USB drives, because of their high capacity relative to their small size, are the first choice if someone wants to steal valuable or confidential data. Companies and businesses are at risk when employees can duplicate corporate documents on USB drives and take them outside the office. One study showed that the average cost of a data breach can be as high as $2.5 million. And this is not only for companies. Every individual has private files, or even projects, on their computer, with doors open to intruders.


There must exist some sort of solution to avoid these threats. In today’s software world, there are a few applications that can help everybody secure their USB ports. But not every software solution is suited to increasing the security of your PCs at home and work. You should be looking for software that solves the above-mentioned problems, has excellent technical support, and gets updated regularly with new features. There are free solutions around, but they all lack some point or another. They are usually written as a hobby, and not from a ‘professional’ viewpoint.

A wise option is USB Security Suite. It has everything you need to protect your PCs from USB-related threats. USB Security Suite automatically scans any USB disk attached to a computer to prevent viruses from spreading. It can also vaccinate your USB drives, so that they never get infected by other computers. If you need to know what activities (copy, rename, delete, etc.) happen on the USB drives of your system, USB Security Suite can monitor and log them. Data theft protection made easy.



Agritech Businesses In Race To Protect Farmers From Cyber Threats, Says Inmarsat New research finds that almost half of agritech businesses agree that their processes to combat IoT-related cyber threats need improvement.

The Internet of Things (IoT) is set to revolutionise the farming and agricultural sector, but many agritech companies are concerned by the cyber threats associated with the technology. This is according to independent research commissioned by Inmarsat, which found that although the vast majority of agritech companies are moving towards IoT, less than a quarter (23 per cent) are completely confident in their ability to counter the security threats that IoT will bring.

Market research specialist Vanson Bourne interviewed respondents from 100 large agritech companies across the globe for its ‘The Future of IoT in Enterprise – 2017’ report. They found that while the majority of respondents had taken steps to address IoT security, with more than half (52 per cent) investing in new security technologies to accommodate IoT, 45 per cent agreed that their processes to counter cyber attacks could be stronger. Moreover, 23 per cent stated that they would need to make heavy investments in their security capabilities to enable their customers to safely exploit IoT.

Networks and skills emerged as two key areas in need of improvement. Just 42 per cent of agritech companies had given special consideration to network security in the development of their IoT solutions, while over half (55 per cent) reported that they needed additional security skills.

Commenting on the findings, Chris Harry-Thomas, Director of Sector Development Agriculture, Inmarsat Enterprise, said: “Agritechs are already proving a boon for farmers, deploying technologies like IoT to help them speed up the journey that food takes from ‘seed to bin’ and from ‘farm to fork’. IoT technologies are being leveraged to automate irrigation and fertilisation systems on farms, to add new precision to operations and reduce waste, and to automate farming machinery, reducing the need for manual intervention. However, a more technology-dependent and connected farm is a more vulnerable one, without the necessary security protocols.

“These threats are not trivial. Whereas an industrial-scale cyber attack in any industry can do significant harm to a business’s bottom line, such an attack in the agricultural sector could see whole crops decimated and have severe consequences for the quality of life of entire populations. It’s therefore critical that agritech businesses can take the necessary measures to counter these risks, and it’s clear from our research that there is a significant amount of room for improvement in this area,” he concluded.

For agritech companies to develop successful IoT solutions to help their customers thrive in the digital transformation, IoT network security must remain one of their top priorities. Satellite communications networks can play an important role as they are optimised to deal with mission critical communications, connecting things wherever they are on the planet. Agritech companies must also look to establish strategic partnerships with third parties who have the expertise to ensure that connectivity in individual devices, and the fundamental network infrastructure, conforms to the highest security and reliability standards.

Inmarsat, the firm that conducted the research, is the leading provider of global mobile satellite communications services. Since 1979, Inmarsat has been providing reliable voice and high-speed data communications to governments, enterprises and other organisations, with a range of services that can be used on land, at sea or in the air. Inmarsat operates around the world, with a presence in the major ports and centres of commerce on every continent.



Top 10 IT Security Predictions for 2018

Ian Kilpatrick, EVP (Executive Vice-President) Cyber Security for Nuvias Group, predicts how IT security will change as the New Year draws in.

A leading and influential figure in the IT channel, Ian Kilpatrick now heads up the Nuvias Cyber Security Practice. He has overall responsibility for cyber security strategy, as well as being a Nuvias board member. Ian brings many years of channel experience, particularly in security, to Nuvias. He was a founder member of the award-winning Wick Hill Group in the 1970s and thanks to his enthusiasm, motivational abilities and drive, led the company through its successful growth and development, to become a leading, international, value-added distributor, focused on security. Wick Hill was acquired by Nuvias in July 2015.

Ian is a thought leader, with a strong vision of the future in IT, focussing on business needs and benefits, rather than just technology. He is a much-published author and a regular speaker at IT events. Before Wick Hill, Ian qualified as an accountant, was financial controller for a Fortune 50 company, and was a partner in a management consultancy. Here he shares his predictions for the developments in security that will affect the IT market in 2018.

1. Security blossoms in the boardroom
Sadly, security breaches will continue to be a regular occurrence in 2018 and organisations will struggle to deal with them. New security challenges will abound and these will grab attention in the boardroom. Senior management is increasingly focusing on security issues and recognising them as a core business risk, rather than the responsibility of the IT department alone. The coming year will see further commitment from the boardroom to ensure that organisations are protected.

2. Ransomware has not gone away
Too much money is being made from ransomware for it to disappear - it won’t. According to Cyber Security Ventures, global ransomware damage costs for 2017 will exceed US$ 5 billion, with the average amount paid in ransom among office workers around US$ 1400. Companies can help prevent ransomware by tracking everything coming in and out of the network and running AV solutions with anti-ransomware protection. And, of course, you should do regular backups to a structured plan, based around your own business requirements – and make sure you test the plans.

3. IoT – a security timebomb
IoT is a rapidly growing phenomenon which will accelerate in 2018, as both consumers and businesses opt for the convenience and benefits that IoT brings. However, manufacturers are not yet routinely building security into IoT devices and 2018 will see further problems generated through the use of insecure IoT. IoT is a major threat and possibly the biggest threat to businesses in the coming years. Unfortunately, it is not easy, and in some cases impossible, to bolt on security as an afterthought with IoT, and many organisations will find it challenging to deal with the consequences of such breaches. As IoT cascades through organisations’ infrastructures, it is likely to become the ultimate Trojan horse.

4. More from the Shadow Brokers
The Shadow Brokers, a hacker group which stole hacking tools from the American National Security Agency (NSA), created havoc in 2017 with the WannaCry ransomware episode. The group has already stated that it will soon release newer NSA hacking tools, with targets that might include vulnerabilities in Windows 10.



There will certainly be further episodes from them in 2018, so patch management, security and regular backups will be more crucial than ever. A major target of these hackers is the data that organisations hold, including PII (Personally Identifiable Information) and corporate data, so protecting the data ‘crown jewels’ inside the network will become ever more crucial.

5. GDPR – have most businesses missed the point?
The arrival of GDPR in May 2018 will, of course, be a big story. However, many organisations are missing the main point about GDPR. It is about identifying, protecting and managing PII - any information that could potentially identify a specific individual. This will become more important in 2018 and there will be considerable focus on identifying, securing and, where required, deleting PII held on networks.

6. GDPR Blackmail – the new ransomware?
Unfortunately, GDPR will give a great opportunity to criminals, hackers, disgruntled staff and anyone who might want to do an organisation harm. They simply have to ask you to identify what data you hold on them, ask for it to be erased, and ask for proof that it has been done. If you can’t comply, they can threaten to go public – exposing you to the risk of huge fines – unless you pay them money. Watch out for that one!

7. DDoS on the rise
It is now possible for anyone to ‘rent’ a DDoS attack on the internet. For as little as US$ 5, you can actually pay someone to do the attack for you! See https://securelist.com/the-cost-of-launching-a-ddos-attack/77784/. This is just one of the reasons DDoS threats will continue to escalate in 2018, alongside the cost of dealing with them. The dangers of DDoS for smaller companies are that it will leave them unable to do business. For larger organisations, DDoS attacks can overwhelm systems. Remember that DDoS is significantly under-reported, as no-one wants to admit they have been under attack!

8. Cloud insecurity – it’s up to you
Problems with cloud insecurity will continue to grow in 2018 as users put more and more data on the cloud, without, in many cases, properly working out how to secure it. It is not the cloud providers’ responsibility to secure the information – it is down to the user. With the introduction of GDPR in 2018, it will be even more important to ensure that PII stored in the cloud is properly protected. Failure to do so could bring serious financial consequences.

9. The insider threat
Historically, insider threats have been underestimated, yet they were still a primary cause of security incidents in 2017. The causes may be malicious actions by staff or simply poor staff cyber-hygiene - i.e. staff not using the appropriate behaviour required to ensure online “health.” In 2018, there will be growth in cyber education, coupled with more testing, measuring and monitoring of staff behaviour. This increasingly involves training and automated testing, such as simulated phishing and social engineering attacks.

10. Time to ditch those simple passwords
In 2018, simple passwords will be even more highlighted as an insecure ‘secure’ method of access. Once a password is compromised, then all other sites with that same user password are also vulnerable. As staff often use the same passwords for business as they use personally, businesses are left vulnerable. While complex passwords do have a superficial attraction, there are many challenges around that approach and multifactor authentication is a vastly superior method of access.


Is It Getting Harder To Spot A Spoof?

Daren Oliver, cyber security expert and managing director of Fitzrovia IT, explores whether fraudulent emails are getting more difficult to identify and if email communication should be limited for those working in security-sensitive sectors.

Once upon a time, sending and receiving emails was a new-fangled process used to substitute the written letter. Mostly reserved for academic circles, or verifying important information following a spoken conversation, few predicted email communication would flourish as it has over the last two decades. Email has changed the face of human interaction, overtaking the telephone as the number one method of personal and professional information exchange. By the end of 2017, it is estimated there will be 4.9 billion email accounts worldwide with business emails accounting for 929 million mailboxes – a veritable hunting ground for cyber criminals.

With the advent of email and the introduction of its successors, such as text and instant messaging services, it has become easier than ever before to contact those who were previously considered ‘unreachable’. Conversations and canvassing over the telephone, which have traditionally been the mainstay for many business operations, have become less frequent and the average email inbox is now littered with loquacious literature. Of course, firing off an email into cyberspace is no guarantee you will penetrate the person you intend on getting a response from. If anything, it’s the perfect excuse for him or her to ignore your carefully crafted correspondence. As inboxes become more flooded, individuals will naturally screen each email, picking and choosing upon sight who to reply to, based on recognition and associated content.

But what has this meant for fraudulent activity? The job of a cybercriminal has intensified over the past few years, requiring them to be increasingly sophisticated and clever in their approach. In the past, criminals have traditionally relied on ‘flood them fast’ email distribution by targeting numerous inboxes with spam notifications purporting to be from businesses such as banks. Awareness campaigns from the businesses themselves have helped to tackle the issue, meaning many quick-thinking consumers have started to grow more savvy, refusing to click on unsolicited links.

As a result, cyber criminals have turned to social engineering and the support of realistic looking spoof emails to dupe their targets. These mimic everything from ‘links’ to incredible deals on offer from well-known retailers to emails from trusted contacts, where the sender’s address has been so subtly adjusted it appears to be legitimate. In fact, so accurate are these emails in their appearance it is calling into question whether correspondence from organisations dealing with sensitive data, such as governments, should be using email accounts at all, and whether a more secure method of communication should be adopted.

For example, the recent cyberattack on UK Parliament, which resulted in the breach of dozens of inboxes, could have been an incredibly valuable hack for the cyber criminals involved. Highly sensitive content can be sold on for a huge financial gain to those hungry for damaging and destructive data they can use to their advantage. Information in the wrong hands could cause worldwide catastrophe.

There is no outright answer to dealing with illegitimate emails and spoof spam. Cutting email out of the equation entirely is not realistic. Of course, fraudulent activity can be kept at a minimum and mitigated by adopting up-to-date software and implementing well-planned, comprehensive backup strategies. However, it is human beings themselves that hold the key to unlocking the answers to the current cybercrime conundrum. Research by the Information Commissioner’s Office reported that 93% of incidents investigated at the end of 2015 were caused by human error.

Clearly, as fraudsters become more adept at creating cunning ways to cut through the cyber psyche of their targets, spotting a spoof email will become nearly impossible. Nobody is immune. Re-educating the workforce and raising awareness of the issues surrounding cybercrime are essential. Regular testing and ‘digital fire drills’ for staff should be as much a part of a company’s strategy as their sales and marketing plans. ‘Friendly phishing expeditions’ – where staff are sent ‘spoof’ emails at random to test their reactions – are one way of ensuring there are no chinks in your employees’ armour. Only then, once cybercrime awareness officially becomes part of company policy, will we gain some control over addressing the current vulnerabilities.

Daren Oliver is managing director of Fitzrovia IT, a London-based consultancy that provides cutting-edge IT solutions from across the globe. For more information, visit www.fitzroviait.com



The Importance of Solid and Secure Computer Data Storage

Carlos Wardlow has provided consulting services to companies ranging from Fortune 500 to small businesses in the NY/NJ Metropolitan and Central New Jersey areas since 1999. He discusses the importance of physical data protection to ensure complete safety as winter rolls in and extreme weather becomes the norm for many.

Are you thinking about computer data storage yet? Because with the rainy season approaching, your backup computer files might be the only thing between secure records and utter chaos. And if you’re thinking that’s a well-placed bit of exaggeration, try asking the residents of Freehold, NJ how many of their personal emails, financial records and pictures they wish they still had.

But what happened in Freehold is an excellent reminder of why computer data storage is so vital. When you don’t back up your computer files, you run the risk of losing everything during power outages, not just because the power is out and your computer won’t run but because the surges in power can corrupt your files and hard disk. There are ways of protecting your computer at home – a power strip is a good idea, and saving files to a thumb drive is smart – but they’re not comprehensive enough for people who use their computer for more than just creating documents or updating social media. Offsite backups are a far better idea for keeping your most important files safe and sound.

So: what can you do to keep your files safe in the wettest season of the year? We’ve compiled some ways of protecting your computer and its contents so that you don’t end up with a very expensive paperweight the next time a hurricane rolls through town.

• The Cloud: It seems strange to recommend putting all of your stuff into space, but that’s essentially what the Cloud is. You can back up computer files online for free, which is great. Just be conscious that a computer hacker can wipe out those files a bit more easily than s/he could if you use a company that specializes in computer data storage for your home or business.

• Offsite Backups: There are a number of reputable companies out there who can help you protect your information. Outside computer data storage facilities will store your information (for a fee, which can be nominal – or not – depending on the company) at their facility. There are things to watch out for with this, so be careful of where your data is and how secure it is. That will be another article.

• UPS: That’s an Uninterruptible Power Supply, and it’s a pretty cool gadget. It sends a steady stream of power to your computer even if a storm causes a power surge, giving you time to shut it down correctly. Some of them will even initiate the shutdown for you, if you can’t get to it yourself because you are away. It’s one of the better ways of protecting your computer because it keeps the machine and its contents safe. Just make sure to “comparison shop” first, because some of them are a little pricey. Be aware that they do need to be configured properly in order for them to work the way they are meant to work.

• Electricians: How good are your wires? If you live in an older home or if your area is particularly susceptible to severe storms, then all of the computer data storage in the world might not be able to save you. It may be time to invest in a home generator to help keep your lights on during and after a storm. You never know how long it may take the electric company to get your lights back on. No matter what, remember to back up those computer files ASAP before it is too late.

Don’t Wait to Back Up Computer Files

The most important thing to remember is that sometimes – believe it or not – the weather reports are wrong. Some storms blow right over, while others cause levels of devastation that are almost unimaginable. (Just ask anyone from the Gulf Coast.) The best ways of protecting your computer mean nothing if you don’t implement them. That’s why it’s so incredibly important that you back up computer files often. Offsite backups at reputable companies can keep your files – necessary and precious – safe when the lights go out.



Security Key Concern in Implementing IoT For Many Firms

Security concerns along with costs and commitment holding back over half of organisations looking to implement IoT projects according to Wi-SUN Alliance research.

While the majority (94%) of IT professionals from organisations that are undertaking Internet of Things (IoT) initiatives say they need to invest in IoT over the next 12 months in order to stay competitive, most admit they have encountered barriers to adoption. These mainly include security concerns, the cost of implementation and commitment from the company’s leadership.

The findings are part of a major new report released today by the Wi-SUN Alliance, a global member-based association driving the proliferation of interoperable wireless solutions for use in smart cities, smart grids and Industrial IoT applications. The research, looking at attitudes to IoT, including the drivers, barriers, challenges and benefits, surveyed 350 IT decision makers in the UK, US, Sweden and Denmark.

While all respondents come from organisations that are investing in at least one IoT initiative, just over half (51%) report that they have a fully implemented IoT strategy in place, while more than a third (36%) have one being rolled out. While enabling IoT is the second most important IT priority for the next 12 months, only just behind improving security, almost all respondents (90%) have struggled to implement a plan, with over a third (36%) saying they find it “very or extremely difficult”.

Commissioned by the Wi-SUN Alliance, the research was carried out by Vanson Bourne, an independent specialist in market research for the technology sector, in October and early November 2017. Interviews were done online and via telephone among 350 people in the UK, US, Sweden and Denmark. Respondents came from organisations that were at some stage of implementing at least one IoT initiative; specifically smart cities, smart utilities, or industrial IoT. Respondents were IT decision makers within their organisations and have some level of involvement with their organisation’s IoT initiatives.

Security tops the list of major concerns, holding back nearly six in ten (59%), while cost of implementation is also a barrier, delaying around half (46%). More worrying is that while 42% say that creating efficiencies for the business is an important driver to implementing IoT initiatives and 37% say the same for reducing operational costs, getting access to funding for projects is a problem, with a third (32%) admitting this is a barrier. The same amount struggle because of reluctance by senior executives in the organisation to commit to IoT projects.

As well as barriers, the research also highlights technical challenges that organisations are facing when delivering on IoT initiatives and processes. Security and safety tops the list at 63%, while data management (46%), network configuration (41%) and recruiting the right IoT skills and resources (39%) are also seen as technical challenges. For implementation of smart city and smart utility solutions, proven security with multi-layer protection and continuous monitoring is considered ‘absolutely crucial’ for around half of respondents, while industry-wide open standards are also crucial (45% and 43% respectively).



The benefits of IoT are also widely recognised, with the majority of respondents citing better business efficiency (54%), improved customer experience (49%) or better collaboration (48%). Nearly half (45%) have seen lower costs and 41% higher customer satisfaction.

According to the Wi-SUN research, when organisations are evaluating which IoT technology to move forward with, 58% look for network topology and coverage, while communications performance (53%), industry standards support (52%), and power efficiency (50%) are also sought after. Around half look for reliability (47%) or scalability (44%).

“When it comes to the design, development and implementation of IoT projects, especially around smart cities and smart utilities, there are a number of issues that organisations are having to contend with and security is proving to be a particularly significant barrier,” according to Phil Beecher, President and CEO, Wi-SUN Alliance. “The research highlights that more education is needed: there are many network options, but not all provide the features necessary for large-scale outdoor networks, as required by smart cities or utilities. For instance, unlike tower-based networks, such as LoRa, SigFox, Ingenu and NB-IOT, Wi-SUN Field Area Network (FAN) specifies a wireless mesh network, which not only supports higher data rates and bi-directional data transmission, but can also provide complete coverage with greater resilience and reliability. Wi-SUN FAN networks are also highly secure as only “vetted” devices can join the network, preventing compromised devices from causing disruption of essential services that may include public safety. It is essential that organisations understand the level of security and the associated risks provided by different network solutions, and choose the very highest security levels available for their IoT networks.”

The Wi-SUN Alliance, which commissioned the research, is a global non-profit member-based association comprised of industry leading companies. Its mission is to drive the global proliferation of interoperable wireless solutions for use in smart cities, smart grids and other Internet of Things (IoT) applications using open global standards from international standards organisations, such as IEEE802, IETF, TIA, TTC and ETSI. With more than 170 members worldwide, membership of the Wi-SUN Alliance is open to all industry stakeholders and includes silicon vendors, product vendors, services providers, utilities, universities, enterprises and municipalities and local government organisations.


Managing the Phishing Threat to Your Organization

Wayne Rash talks us through the issues of phishing and how companies can protect themselves.

By now you’re familiar with the basic phishing e-mail. You know the one -- it comes from a bank you don’t do business with asking you to verify personal information such as your name, Social Security Number and your existing bank account information. The e-mail may claim the bank it purports to represent has a check to deposit to your account, is trying to clear a check or something else along those lines. These phishing e-mails are easy to spot, their misspelled words obvious and the bogus links show up clearly. They’re also fairly easy to fight.

Unfortunately, so many people are on to this kind of attempted identity theft that the phishers have turned to more sophisticated means. They use real bank logos and information they’ve gleaned from elsewhere on the Internet to make it look like they know you, and they don’t ask for personal information. Rather, they ask you to visit a website that will download a virus that will go through your computer and collect whatever information it can find.

But as phishing continues to evolve, detecting phishing e-mails is becoming more difficult. Worse, some phishing e-mails are really the visible part of an advanced persistent threat (APT). They appear to be from someone you know, and they appear to ask for a response regarding something related to work, your finances or something else a friend may know. But spear phishing, as these highly personal phishing e-mails are called, depends on gaining your confidence by using material gleaned from social networks or other sources. When the U.S. Chamber of Commerce was attacked, for example, the attackers went after the e-mail files. Most likely they were looking for e-mail addresses and information from the contents of the e-mails they found to use in a later spear phishing attack. But these attacks may not be after personal finance information; rather, they may be after passwords to other companies’ systems, they may be after the names and e-mail addresses at other companies, or they may be after personal information they can use elsewhere.


The solution to most spear phishing attacks is first to use the best screening systems you can find. Some next-generation firewalls and most high-end security software can at least warn when they find a suspicious message. In addition, users must be trained never to answer requests for personal information of any kind. The bank is never going to e-mail anyone asking for account information. The IRS isn’t going to e-mail anyone about taxes, and the security staff at another company isn’t going to e-mail anyone about their access information. Should such an e-mail hit your inbox, however, forward that e-mail to abuse@companyname.com, and contact the sender directly to see if there’s actually a need for the information. Whatever you do, don’t reply to any e-mails asking for information. If you must supply information, originate the e-mail yourself.

