
Cybersecurity English Edition, No. 3 / 2017


7 Awesome Skills that will Make You Stand Out as a CyberSecurity Pro
VIP Interview: Marc German

Authentication, Security, Privacy and IoT

Cybersecurity Trends

Contents

Editorial: The Importance of Collaboration in Cyber Defence By Norman Frankel


International Telecommunication Union


Anti-ransomware protection recommendations. By Cătălin Pătraşcu


7 Awesome Skills That Will Make You Stand Out As A CyberSecurity Pro By Marco Essomba


Switzerland: a country where Data Protection rules become a (paying) real asset for individuals By Laurent Chrzanovski


Cyber Authentication: rules for a quick and secure authentication By Michele Gallante


Responding to incidents of sexting and safeguarding young people By Charlotte Aynsley


Cybersecurity: Workforce shortage or lack of HR profiling knowledge in recruitment? By Eduard Bisceanu


London Digital Security Centre update By John Unsworth


Business and industry 4.0 at the core of the 5th Macro-Regional Congress “Cybersecurity - Romania” (Sibiu, 14-15 September 2017) By Laurent Chrzanovski


Security and Privacy in the Internet of Things By Gianluca Bocci


The consequences of a poorly understood and poorly managed cyber-security: a system that deviates from its own duties is destined for implosion! VIP interview with Marc German, by Laurent Chrzanovski


The impact of disinformation on the stock market By Massimo Cappelli


Useful tips

Editorial - Cybersecurity Trends

The importance of collaboration in cyber defence

2017 has seen continued growth in the number of attacks, in their variant forms and in the success such attacks are having in extracting funds from private individuals, companies and even public bodies. By the end of the first half of 2017, at least 1.9 billion data records were already known to have been stolen, in 918 cyber attacks.

Author: Norman Frankel Chairman, iCyber-Security

The reasons for the continued growth in attacks, and why 2018 will see even more of them, lie in our increasing dependency on the internet and the accelerating use of connected devices, which together create the Means, Motive and Opportunity. Add into the mix the explosive growth in truly democratised and anonymous real-time payments that crypto-currencies bring, and we have all the ingredients for a further explosion in crime.

The first headline attack of the year was WannaCry, in May. It was one of the most devastating ransomware attacks to date, affecting several hundred thousand machines and crippling banks, law enforcement agencies and other critical infrastructure. The ransomware spread by exploiting a vulnerability in Microsoft's Server Message Block (SMB) protocol. This was followed in June by NotPetya, which started as a malicious update to a Ukrainian tax-accounting package and went on to infect hundreds of thousands of computers in more than 100 countries over the course of just a few days. It used the same SMB exploit as WannaCry, alongside harvested credentials and legitimate administration tools to move within networks, and it caused major financial damage: pharmaceutical giant Merck put its cost at more than $300 million in Q3 alone, with a similar amount expected in Q4. Then in late October a ransomware campaign hit Eastern European transport systems and media outlets with a further Petya-family variant called Bad Rabbit, installed through a fake Flash installer planted on compromised websites. Infections were reported in Bulgaria, Estonia, Germany, Hungary, Japan, Slovakia, Ukraine and Russia, and the compromised sites served the fake installer to visitors from Japan, Turkey and Russia, among others.

So as we look back on the year we can see significant evolution in ransomware attacks, and in particular clear evidence of self-propagating malware. The ability to defend gets ever harder with such a rapid pace of attack evolution and such ease of distribution.

If the above were not enough of a challenge, we are witnessing a frightening acceleration in the democratisation of threat, by which I mean the ability for anyone, even with basic skills, to start an attack. A year ago it was almost impossible for anyone without strong programming skills to launch a distributed denial of service (DDoS) attack. Today the tools are available on the open internet that would allow even a child to launch an effective DDoS attack. We are witnessing the birth of a megatrend where literally anyone can be attacked, where individuals can easily be the attacker, and where the growth (and popularity) of anonymous payment systems enables the masking of true identities. Spare a thought for the law enforcement agencies that need to make sense of this, defend against it and bring to justice those perpetrating the crimes.

To add icing to the cake, we as a society are complacent in our actions. Companies, schools and families rarely discuss threats such as cybercrime openly. Education on the subject, in the workplace or at home, is virtually non-existent. Without awareness programmes, and with the human always the weakest link, how are we meant to reach even a very basic standard of defence?

It is not just pure financial crime that we need to be concerned with: in our last edition we explored the startling rise of sexual harassment in the workplace. In this edition, Charlotte Aynsley opens our eyes to the world of sexting, which is affecting children even below the age of 10.

In the UK, this year saw the birth of an initiative by the London Digital Security Centre to raise grass-roots awareness of basic protection capabilities among the small and medium enterprise sector in London. This initiative, a huge challenge to execute given the more than one million small businesses in London, collaborates closely with the National Cyber Security Centre (NCSC). We have an article which sets out the progress and some of the partners helping the initiative succeed. It is also worth noting that the idea, whilst still in its infancy, has been highlighted as good enough to take national.

I have had the pleasure this year of attending two excellent cybersecurity conferences in Europe organised by Cybersecurity Trends, the parent of this publication, supported and endorsed by the United Nations. The first took place in Sibiu, Transylvania, Romania, in September, now in its fifth year. The second took place in Porrentruy, on the Swiss/French border, in December, its inaugural event. Both conferences are annual, and a third is being added in Noto, Sicily, in May 2018. In addition to being excellent events with pan-European experts, the conferences are a true mix of the public and private worlds converging for two days to work out how to collaborate better. It is only through awareness and knowledge sharing that we can be better prepared to defend and react faster. Whilst the conferences have a partly regional theme, the dialogue, discussion and networking are truly European. It has been fascinating to mix with and discuss issues with government bodies, military and intelligence agencies, United Nations think tanks and private companies both large and small. You can find details of future events in these publications, and they are highly worth attending, as collaboration is key to insight, knowledge and therefore effective preparation and defence. The day prior to the main two-day event is set aside for a local child awareness conference where police forces and child safety experts get together; the Sibiu event in September had 1,079 children participating. This is a good example of encouraging the next generation to be more aware and to learn from leading thinkers in the space.

As we look to 2018, the General Data Protection Regulation (GDPR) is on most minds. In part, this regulatory upgrade was designed to encourage collaboration within organisations to protect individual data and privacy, but it seems highly likely that this is not what is happening. Almost everyone I speak with acknowledges that the problem has been thrown down into the organisation, usually to the security or technical operations teams. These teams are already often over-stretched due to the increased attack activity seen this year; layering on (sole) responsibility to lead on GDPR compliance makes the role even harder. When we add the increased pace of staff turnover seen this year, due to the growing demand for technical support skills, we get a mess to manage. It is more than likely that a continual environment of crisis will be the theme for 2018, and this will bring side challenges related to individual stress that companies will need to be aware of.

With the above almost certain to happen, 2018 will also likely bring a rash of companies promoting their artificial intelligence and machine learning products. Whilst such tools and platforms can certainly help a business, they only increase the need for a strong culture and greater investment in training individuals. If we are to address complacency, it is the Board and the executives that need to set the tone of a culture that discusses and addresses these issues. Without an effective culture, collaboration even within the business will fail and breaches will remain commonplace.

The goal of this publication remains to open up knowledge and information sharing across research and commercial activities, providing a bridge between public and private dialogues, with the aim of helping our world operate more safely given the growing frequency of attacks that seem endlessly to get media attention. If you would like to contribute articles, have suggestions for topics to cover in future editions, or wish to purchase hard copies of the magazine to give to your customers, please contact us via email at
On our website you can also view publications in other languages/countries and purchase advertorials for future editions. The next edition, to be published at the end of March, will have a special focus on artificial intelligence in cybersecurity, which probably represents the hottest future growth trend in the industry and on the agenda of CTOs and CISOs.


Authorities - Cybersecurity Trends

International Telecommunication Union, UN/Geneva

Anti-ransomware protection recommendations

In recent years, users and organisations of all kinds have been facing a computer threat known as “ransomware”, which is nothing more than malware whose purpose is to prevent victims from accessing their files, or even the entire infected computer system, until a certain amount is paid as ransom.

Author: Cătălin Pătraşcu, CERT-RO (translated from the original Romanian article)
BIO: Head of the Computer Security and Monitoring Office, CERT-RO

Ransomware has thus become one of the most troublesome forms of malware, especially because it can cause damage, or at least inconvenience, to almost every type of user. Most of us have stored on our devices, whether PCs or mobile phones, at least some pictures we care about and for which we would most probably be willing to make some effort in order to have them recovered, including by paying a sum of money. This is precisely what the individuals involved in creating and distributing ransomware are counting on, and the international statistics on their earnings show that this is a very profitable business. The following lines give a number of recommendations/measures for preventing ransomware infection, but also for reducing the damage in the event of infection. These measures are taken from the “Guide to Combating Ransomware Computer Threats” published by CERT-RO, the national cyber security and incident response team, whose drafting team I was part of.

Prevention measures

Be cautious - This recommendation is generally valid for enhancing the security of the IT systems you use or manage. It is well known that the user is the weakest link in the cyber security chain, which is why most attacks target the human component (social engineering, phishing, spear phishing, spam, etc.). We therefore recommend that you do not open links or attachments contained in suspicious email messages before verifying their source/legitimacy. Pay increased attention, too, to the websites you visit and the online sources you use for downloading or updating applications.

Back up your data - The most effective way to combat the ransomware threat is to periodically back up the data stored/processed by your computer systems, so that even if access to the data is blocked by ransomware, it can be quickly restored and the damage is minimal. IMPORTANT! For backups, use external storage that is not permanently connected to the system; otherwise the files on that medium are also at risk of being encrypted in the event of infection. The same applies to mapped network shares and cloud folders synchronised to the local disk, which ransomware treats like any other writable location.

Enable “System Restore” - On Windows, enable System Restore for all storage partitions. In case of malware infection or compromised files (even system files), the data can be quickly restored by bringing the system back to a previous state. BEWARE! Do not rely solely on this feature, because some recent ransomware versions erase the System Restore data (typically by deleting the Volume Shadow Copies it relies on) before they start encrypting.

Implement “Application Whitelisting” mechanisms - Application whitelisting means putting in place a mechanism that ensures only authorised/known software can run within an IT system. The concept itself is nothing new: it is practically an application-level extension of the “default deny” approach (nothing is allowed unless explicitly permitted) long used by firewall technologies. Application whitelisting is currently considered one of the most important strategies for combating malware, and several technical solutions exist, including for home users, especially on Windows, where it can be implemented with tools already included in the operating system: SRP (Software Restriction Policies) and AppLocker (available from Windows 7 onwards and the recommended tool, with the same purpose as the SRP facility of Group Policy).

Disable program execution from directories such as %AppData% and %Temp% - An alternative to application whitelisting (not as effective, but a significant security boost) is to block program execution from user-writable directories such as %AppData% and %Temp%, through security policy (a Group Policy Object, GPO) or a host intrusion prevention system (IPS). These are the directories where email attachments, browser downloads and malware droppers typically write their payload before running it.
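To make the last two measures concrete, here is an added example (not part of the CERT-RO guide or its author's text) of an AppLocker policy, applied in audit mode, that implements the “alternative” approach: allow everything, then deny execution from the user's AppData\Roaming and AppData\Local\Temp directories. The rule names, the generated GUIDs and the probe file name are choices made for this example. The paths spell out the user directories under AppLocker's own %OSDRIVE% variable because AppLocker path rules do not expand %AppData% or %Temp% (SRP path rules do); %OSDRIVE%, %PROGRAMFILES% and %WINDIR% are the variables AppLocker actually supports. It assumes an elevated PowerShell on an edition of Windows that ships AppLocker.

```powershell
# Added example: AppLocker policy that denies execution from user-writable
# directories, in audit mode first. Not the CERT-RO guide's own code.
# Assumption: Windows 10/11 Enterprise or Windows Server, elevated shell,
# AppLocker cmdlets available.
Import-Module AppLocker

# "Alternative" policy: allow everything for Everyone (S-1-1-0), then carve out
# denies for the two user-writable directories. AppLocker evaluates Deny rules
# before Allow rules, so the denies win, for administrators too. For full
# whitelisting instead, replace the "Allow all" rule with allows for
# %PROGRAMFILES%\* and %WINDIR%\* and keep the denies as belt and braces
# (%WINDIR% contains user-writable folders such as Windows\Temp and
# Windows\Tasks that a plain %WINDIR%\* allow would otherwise permit).
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow all (baseline)" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny AppData Roaming" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Roaming\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny AppData Local Temp" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\Temp\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:ProgramData 'applocker-userdirs.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run against the XML (not the live policy): put a harmless executable
# into %TEMP% under a double-extension name and ask AppLocker how it would
# treat it next to the original in System32.
$probe = Join-Path $env:TEMP 'invoice.docx.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $probe
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe, "$env:WINDIR\System32\notepad.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $probe

# Apply to the local machine, merged with any existing local AppLocker policy.
# The Application Identity service evaluates the rules; without it running the
# policy is silently ignored. sc.exe is used because recent Windows builds
# reject Set-Service for this protected service.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
sc.exe config appidsvc start= auto | Out-Null
sc.exe start appidsvc | Out-Null

# Review audit hits (event 8003 = would have been blocked) for a while before
# changing EnforcementMode to "Enabled"; 8004 is a real block.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

With the default %TEMP% location the dry run should report the copy in Temp as denied by the "Deny AppData Local Temp" rule and the System32 original as allowed by the baseline rule; if your profile's Temp has been relocated, adjust the deny paths to match. Leave the policy in audit mode until the 8003 events show only the software you actually intend to block (self-updating applications that run from AppData\Local are the usual casualties), then switch to Enabled.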






View file extensions - Some ransomware is delivered as a file named with a common document extension (.doc, .docx, .xls, .xlsx, .txt, etc.) followed by .exe, giving names such as “invoice.docx.exe” or “readme.txt.exe”. With Windows Explorer's default setting of hiding known extensions, only the last extension is hidden, so such a file appears as “invoice.docx”. Displaying file extensions therefore makes it easier to notice suspicious/malicious files. It is recommended that you never run executable files received by email.

Always update operating systems and applications - Keeping the applications/programs you use up to date is a mandatory measure for a high level of security. Most of the time, unpatched software is the equivalent of a backdoor for attackers. Software manufacturers regularly publish updates for operating systems and applications, and users can configure their download and automatic installation. We therefore recommend that you enable automatic updates wherever possible and find the most practical way to update other programs (for example, a periodic review of the versions available on the manufacturer's site). BEWARE! Malware has often been delivered disguised as a software update. Check carefully the sources used for software downloads/updates.

Use effective and up-to-date security solutions - An absolute necessity for preventing malware infections is the use of one or more effective and up-to-date security products offering facilities/services such as antivirus, antimalware, anti-spyware, anti-spam, firewall, etc. More recently, some anti-malware products offer dedicated anti-ransomware protection.

Use software tools for file monitoring - File monitoring software (access, modification, deletion, etc.) can help to quickly detect suspicious behaviour on computers or networks. A burst of files being renamed to an unfamiliar extension across a user's folders within a few seconds is the typical signature of an encrypting process.

Pay close attention to web advertisements - Some recent ransomware versions have been delivered through malicious advertisements (malvertising) displayed on popular websites (news, online stores, etc.). We recommend that you avoid advertising as much as possible, and even use ad-blocking software to automatically block the loading/display of commercial ads.
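The extension and file-monitoring measures above in one script, added here as an example that is not part of the CERT-RO guide: it turns on extension display, scans a folder tree for double-extension names, and watches a folder for the burst of create/rename events that an encrypting process produces. The extension lists, the folders, the 10-second window and the 50-event threshold are choices made for this example, not values from the guide; it assumes Windows PowerShell 5 or later.

```powershell
# Added example (not the CERT-RO guide's code): show extensions, find
# double-extension files, and detect bursts of file activity.
# Assumptions: extension lists, paths and thresholds are illustrative.

# 1. Stop Explorer hiding "known" extensions (current user; Explorer restart needed).
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
    -Name HideFileExt -Value 0 -Type DWord

# 2. Double-extension scan: a "document" extension followed by one Windows will
#    execute. Explorer hides only the last one, so invoice.docx.exe is shown as
#    invoice.docx when extensions are hidden.
$docExt = 'doc','docx','xls','xlsx','ppt','pptx','pdf','txt','rtf','jpg','png'
$runExt = 'exe','scr','com','pif','bat','cmd','js','jse','vbs','vbe','wsf','hta','lnk'
$doubleExt = '(?i)\.(' + ($docExt -join '|') + ')\.(' + ($runExt -join '|') + ')$'

function Find-DoubleExtension {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $doubleExt } |
        Select-Object FullName, Length, LastWriteTime
}

# 3. Burst detector on FileSystemWatcher. The event handler only queues events;
#    the loop counts them per window and reports windows above the threshold
#    together with the extensions that renamed files ended up with (ransomware
#    usually renames to one new extension, which then dominates the list).
function Watch-FileBursts {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$WindowSeconds = 10,
        [int]$Threshold = 50,
        [int]$Rounds = 30          # number of windows to observe before returning
    )
    $global:fsQueue = [System.Collections.Concurrent.ConcurrentQueue[object]]::new()
    $watcher = New-Object System.IO.FileSystemWatcher $Path
    $watcher.IncludeSubdirectories = $true
    $watcher.EnableRaisingEvents = $true
    $handler = {
        $global:fsQueue.Enqueue([pscustomobject]@{
            Type = $Event.SourceEventArgs.ChangeType
            Path = $Event.SourceEventArgs.FullPath })
    }
    $subs = foreach ($name in 'Created', 'Renamed', 'Changed', 'Deleted') {
        Register-ObjectEvent -InputObject $watcher -EventName $name -Action $handler
    }
    try {
        for ($i = 0; $i -lt $Rounds; $i++) {
            Start-Sleep -Seconds $WindowSeconds      # events are dispatched while sleeping
            $batch = @(); $item = $null
            while ($global:fsQueue.TryDequeue([ref]$item)) { $batch += $item }
            if ($batch.Count -lt $Threshold) { continue }
            $newExt = $batch | Where-Object Type -eq 'Renamed' |
                ForEach-Object { [IO.Path]::GetExtension($_.Path).ToLower() } |
                Group-Object | Sort-Object Count -Descending | Select-Object -First 3 |
                ForEach-Object { "$($_.Name)=$($_.Count)" }
            $msg = '{0} file events in {1}s under {2}; top extensions after rename: {3}' -f `
                $batch.Count, $WindowSeconds, $Path, ($newExt -join ', ')
            Write-Warning $msg
        }
    } finally {
        foreach ($s in $subs) { Unregister-Event -SourceIdentifier $s.Name }
        $watcher.Dispose()
    }
}

Find-DoubleExtension -Root "$env:USERPROFILE\Downloads"
Watch-FileBursts -Path "$env:USERPROFILE\Documents" -Rounds 6
```

The watcher is a detection aid, not a control: by the time a burst is reported, the files in that window are already encrypted, which is why the guide puts backups first. Tune the threshold against normal activity (a large copy or an archive extraction also produces bursts) before acting on it automatically.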





Measures to eradicate and limit effects


1. Disconnect external storage media and the network - Remove all external storage media connected to the PC (USB memory, memory card, external hard drive, etc.), unplug the network cable and disconnect any other network connections (WiFi, 3G, etc.). This prevents damage to files stored on external storage or network-accessible media (network shares, cloud storage, etc.).

2. [Optional] Create a memory (RAM) capture - If you later want to investigate the incident, and possibly attempt to recover from memory the encryption keys used by the ransomware, make a memory capture as quickly as possible, using a specialised tool, before shutting down the PC. BEWARE! While the capture runs, the ransomware keeps encrypting, so many more files (or even all of them) may be affected by the time it completes. Whether to shut the PC down immediately or to capture memory first must be decided according to your priorities (“Is the data more important?” or “Is the possibility of further analysis needed?”). For example, if there is a backup of the data stored on the affected PC, or the files are not considered important, you can decide to perform a memory capture.

3. Shut down the PC - If you suspect that a PC has been infected with ransomware and you decide not to make a memory capture (see step 2), we recommend that you shut it down immediately in order to limit the number of encrypted files as much as possible.

4. [Optional] Make a copy (image) of the HDD - If you want to investigate the incident further, and possibly try to recover some files with data recovery tools, make a bit-by-bit copy of the hard drives affected by the ransomware, using a specialised tool.

5. Make an “offline” backup of the files - Boot the computer from an operating system that loads from external media (CD, DVD, USB memory, etc.); most modern Linux distributions offer this. Copy all the files you need, including those that have been compromised (encrypted), to another storage medium.

6. Restore the compromised files - The easiest way to recover files affected by ransomware is to restore them from backups. If no backup is available, try recovering the files using System Restore or specialised data recovery software. BEWARE! Attempt recovery with data recovery software only on HDD images (made as in step 4). Otherwise you risk compromising the chances of success of more complex procedures that recover data directly from the storage medium; such procedures exist, but they require a high level of expertise and special equipment.

7. Clean the affected computer systems - The safest way to ensure that a system no longer contains malware (or remnants of it) is to reinstall the operating system after formatting all HDDs/partitions. If this is not possible (for example, if data is to be recovered directly from the affected HDDs), use one or more antivirus/antimalware/antispyware solutions to scan and disinfect the system. BEWARE! If you intend to try recovering data from the affected HDDs as described in step 6, do not attempt to disinfect them; use other HDDs to reinstall the operating system.

Ultimately, if your files have been compromised and no attempt to recover them has succeeded, be cautious about paying the ransom requested in the ransomware message. In addition to encouraging those involved in creating and distributing ransomware, there is no real guarantee that once payment is made you will actually recover your data; more and more cases are appearing of users who did not recover their data even after paying the attackers.
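Steps 1, 2 and 4 above leave two things to the responder that are easy to get wrong under pressure: isolating the host completely, and proving afterwards that the memory dump and disk image were not altered between acquisition and analysis. The following is an added example (not the CERT-RO guide's code) for a Windows host: it disables every active network adapter, lists the removable and network drives that must be detached by hand, and then hashes and write-protects the acquired evidence into a manifest. The evidence folder E:\evidence and the file names in it are placeholders, and the memory dump and disk image themselves come from acquisition tools the guide does not name. It assumes Windows 8/Server 2012 or later (for Get-NetAdapter and Get-Volume) and an elevated shell.

```powershell
# Added example (not the CERT-RO guide's code): host isolation plus an evidence
# manifest. Assumptions: E:\evidence, memory.raw and disk0.dd are placeholders;
# the acquisition tools that produce them are not part of this example.

function Invoke-HostIsolation {
    # "Unplug the network cable" for every adapter at once (Ethernet, Wi-Fi,
    # mobile broadband) so the encryptor can no longer reach shares or cloud sync.
    Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
        Disable-NetAdapter -Name $_.Name -Confirm:$false
        "disabled adapter: $($_.Name)"
    }
    # Report what still has to be detached by hand: removable volumes and
    # mapped network drives are exactly the media step 1 is concerned with.
    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
        ForEach-Object { "unplug removable volume $($_.DriveLetter): ($($_.FileSystemLabel))" }
    Get-PSDrive -PSProvider FileSystem | Where-Object { $_.DisplayRoot -like '\\*' } |
        ForEach-Object { "unmap network drive $($_.Name): -> $($_.DisplayRoot)" }
}

function New-EvidenceManifest {
    # Hash every acquired artefact, record the hashes next to the files and mark
    # the files read-only. Re-running later and comparing the CSV shows whether
    # an image was modified between acquisition and analysis.
    param([Parameter(Mandatory)][string]$EvidenceDir)
    $manifestPath = Join-Path $EvidenceDir 'manifest.csv'
    $rows = Get-ChildItem -Path $EvidenceDir -File |
        Where-Object Name -ne 'manifest.csv' |
        ForEach-Object {
            $_.IsReadOnly = $true
            [pscustomobject]@{
                File        = $_.Name
                Bytes       = $_.Length
                SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                ModifiedUtc = $_.LastWriteTimeUtc.ToString('o')
                HashedUtc   = (Get-Date).ToUniversalTime().ToString('o')
                HashedOn    = $env:COMPUTERNAME
            }
        }
    $rows | Export-Csv -Path $manifestPath -NoTypeInformation
    $rows
}

# Order of use:
Invoke-HostIsolation                            # on the infected host, first thing
# ... memory acquisition tool -> E:\evidence\memory.raw (step 2), then shut down
# ... bit-by-bit disk image from a live boot -> E:\evidence\disk0.dd (step 4)
New-EvidenceManifest -EvidenceDir 'E:\evidence' # on the analysis workstation
```

Hash the images on the analysis workstation, never on the infected host, and work from copies of disk0.dd so that step 6's "recover only from images" rule also protects the image you would need for a second attempt.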





7 Awesome Skills That Will Make You Stand Out As A CyberSecurity Pro

Are you an IT graduate or network security engineer looking to enhance your career and stand out from the crowd? This article is for you.

Author: Marco Essomba CTO, iCyber-Security Group Ltd

I have been in the network and security space for more than a decade. As a network security engineer, security consultant, and now founder and CTO at iCyber-Security Group, the products below have served me well over the years in rising above the crowd. Originally published at

BIO: Marco Essomba is a certified application delivery networking and cyber security expert with an industry-leading reputation, and the 2017 runner-up in the UK Cyber Security Industry Personality of the Year award. He is the founder of iCyber-Security, a UK-based firm that enables organisations in banking, financial technology, healthcare, retail and insurance to safeguard their digital assets. Follow Marco on: marcoessomba/ or on Twitter: @marcoessomba. Learn more about how to protect your digital assets:

Note that the list below is not sponsored or endorsed by those vendors. It is drawn from my own past experience and is by no means the absolute truth. I am biased to the extent that I have grown to love the products I list below over the years.

1. Routing & Switching Technologies What: Cisco is the de facto vendor for routing and switching, with a big chunk of the enterprise market. Why: Given the ubiquitous presence of Cisco routers and switches in the enterprise, it is worth spending the time to learn Cisco R&S well and gain both theoretical and practical knowledge of the products. Where to start: Download a simulator such as GNS3, VIRL http://virl. or EVE-NG:


2. Firewall Technologies What: Check Point Software Technologies makes one of the most popular enterprise perimeter firewalls. Why: Check Point firewall adoption remains high among Fortune 500 customers thanks to its simple, intuitive user interface and its powerful inspection engine; certification and hands-on expertise are very desirable. Where to start: Start with the Check Point R80 firewall. It is available for download as a virtual appliance.

3. Intrusion Detection & Prevention Systems What: Sourcefire is now part of Cisco. Built on the Snort engine, Sourcefire is the IPS/IDS of choice for many enterprise customers, and since the Cisco acquisition it will continue to grow in the enterprise space. Why: Sourcefire and Snort will teach you many tricks of intrusion detection and prevention, from protection against simple attacks to the most sophisticated defence tactics. Where to start: Download a free version of Snort from here. A Sourcefire trial is available here.

4. Secure Web Gateways What: Clearswift is renowned for its MIMEsweeper content inspection engine, which protects email and web transactions against malware. Why: As cyber security continues to be a major challenge for small and large organisations alike, protecting enterprise data at rest and in motion is a hot topic. Where to start: Start with the Clearswift SECURE Web Gateway. Request a demo and trial from here.

5. Application Delivery Controllers (ADC) What: F5 Networks leads the Application Delivery Controller (ADC) market. F5's most popular product is LTM, which helps enterprises deliver “Applications Without Constraints”. Why: ADCs are crucial for delivering enterprise applications in a fast, secure and resilient manner. Since mobile apps now rule the world, demand for F5 ADCs will continue to grow. Where to start: Start with F5 LTM. Request a trial download from here.

6. Two-Factor Authentication What: RSA is one of the leaders in enterprise two-factor authentication solutions. Why: The increasing number of cyber attacks means security remains a hot topic, and strong authentication is still one of the most effective first lines of defence against cyber criminals. Where to start: Start with RSA SecurID. You can request a trial from here or contact me.

7. Operating Systems and APIs What: Linux/Unix and its derived flavours are the preferred operating systems at the core of many network and security devices, as well as back-office systems. Why: Mastering Linux/Unix, APIs and the art of the CLI opens up a world of shell scripting, cyber security tools and other technologies that are essential to mastering the network and security craft. Where to start: Many flavours are available; I recommend Ubuntu as a starting point, as it is friendly to beginners.

Happy learning!

iCyber-Academy

I set up the iCyber-Academy because of the significant lack of skills that I noticed as I went into companies to help their staff deal better with the technologies they were using to protect their businesses. Unfortunately, more often than not I observed this skills gap when I went into a client that had suffered a breach and the staff were unsure how to contain the problem. I realised that, despite being strong technicians, the staff often struggled to have both a sound and a fast, reactive grasp of the technologies and tools they were using, and the problem was getting worse as more tools were being bought to protect the companies on an ever wider basis.

Today, iCyber-Academy is one of the leading cyber-security training providers in Europe. We provide an environment where elite consultants can learn, gain accreditation, get mentoring, network and open up additional opportunities for billable work. Over 100 independent security consultants have been trained. The same environment is available to companies, and over 100 companies have been trained, often on site. Our courses are often delivered through recognised training companies such as Avnet and Arrow. Our latest development is a 10-month programme (usually a week at a time, or a couple of weekends a month) which provides an end-to-end full-stack training programme that will allow your IT security staff and consultants to acquire the skills needed to take on any type of cyber-security project.

Each training session is a combination of theoretical knowledge, practical activities and real-life case studies. After completing the programme, you will be able to deploy, implement and architect cyber-security solutions, including products from leading vendors such as F5 Networks, Clearswift, A10 Networks, Check Point, Juniper, RSA, Proofpoint, etc. You will also have the opportunity to be part of a community of elite cyber-security experts that can deliver expert-level technical professional services at premium rates. The Academy also offers shorter courses and is working towards unveiling an online training environment in 2018. Our goal is to address top-end technical training needs, whilst many other worthy government-sponsored training initiatives target entry-level skills.

The Full Stack Security Course

The training programme is composed of 10 modules that can be taken independently or as part of the full package:
01. The Basics of Application Security
02. How to Design Secure Networks & Applications
03. Web Application Firewalls
04. Network Firewalls & IDS/IPS
05. Application Delivery Infrastructure - ADI
06. Global Traffic Management
07. Real-time Content Scanning - ICAP
08. Integrating ICAP & ADC
09. SSL Offloading
10. Designing and Building a Fully Integrated CyberSecurity Platform

As stated earlier, the programme is available through recognised training companies; companies can directly purchase the full-stack course for their employees, and independent consultants can take advantage of the Academy's community membership programme to gain additional networking and mentoring opportunities.


Be prepared for 25 May 2018 – get a GDPR Readiness Review

Apply for a GDPR status review based on the context of your own organisation, to understand how prepared you already are for GDPR. The review takes into account both processes and technology, and whether they are private and secure by design. It also identifies shortfalls in existing documentation. The Action Plan delivered in your report covers staff training, insurance, breach reporting, disaster recovery and much more that needs to be borne in mind. Your Readiness Report summarises GDPR, the context for your organisation, your own Action Plan, your milestones, available support and appendices on GDPR's relevance to you. As a business leader, you need to understand how GDPR will impact your organisation, including what preparations are required to align your processes to comply with it.

For further information contact Mark Sipe: / +44 7712 272844.



Switzerland: a country where data protection rules become a real (paying) asset for individuals

Following, and even going beyond, the European Union's GDPR framework, Switzerland adapted and strengthened its Federal Act on Data Protection.

Author: Laurent Chrzanovski

In most European countries, GDPR compliance is viewed with worry by companies that handle personal data, as fines for violations can reach 4% of annual worldwide turnover. For the private citizen, however, GDPR looks like an “after-crash” parachute in case of a privacy violation, offering, depending on the country, some ways to obtain compensation from the responsible company or to sue it in court. Switzerland, on the contrary, besides adopting its own sanctions and fines for breached data holders, proposed a proactive system to all residents of the country who wish to anticipate and strengthen the protection of their data, through public-private partnerships such as the Swiss Internet Security Alliance. As a consequence, a whole range of free services for citizens has been set up (free hotlines in case of phishing, identity theft, encryption viruses, etc.), yet the most visible and interesting effect of this six-month (r)evolution has been the birth of innumerable cheap and well thought-out “individual/family internet protection” contracts offered as an additional service by all kinds of Swiss insurance companies.


A Swiss resident can now add an “Internet Protection” extension to their civil liability, car, home or health insurance, with yearly fees starting as low as 4 CHF (3.2 EUR) and rising to a maximum of 100 CHF (85 EUR) per year according to the coverage desired. The whole Swiss system is based on an individual, compulsory and free-of-charge registration on the website of a service created and financed by the insurance fees. There, each individual (and not the insurer) chooses which data he or she wants protected: personal/intimate pictures, texts, passport/ID card numbers, credit/debit card numbers and so on. The role of the service, which operates under very strict federal rules on data confidentiality, is to scan deep-web sources around the clock to see whether those data appear there, which would mean they have been compromised. The customer is then immediately called and advised on the procedures to follow and the attitude to adopt. As on the net everything is about time, the team at IDprotect immediately starts to deal with the most urgent technical and legal aspects (fraud, identity theft, assistance with data recovery in case of crypto-ransomware, direct medical assistance if a child or teenager in the family is a victim of grooming/bullying, and so on).


An amazing element, if we take the mid-level and top-level contracts, is that for less than a hundred euros a year an individual is insured as follows:
1. World coverage
2. Help in eliminating all leaked private data
3. Up to 5000 CHF directly paid to replace the damaged device(s)
4. Up to 1000 CHF for undelivered goods purchased online (min. 200 CHF value)
5. Up to one million CHF (850’000 EUR) for lawyer’s costs (free choice of the lawyer), court costs and forensics costs*
6. Indemnity for direct financial losses (for private professionals) and reputation loss
7. Unlimited coverage of health expenses in case of psychological consequences, for 5 years
8. 300’000 CHF in case of partial invalidity caused by an attack (blackmailing, etc.)
9. 150’000 CHF to the family in case of death (suicide)

* The list of cases covered is impressive: abusive use of identity; abusive use of bank/credit card credentials; victim of phishing; victim of hacking; victim of blackmailing or threats to the individual or his family; victim of sexting, grooming, bullying; victim of theft of virtual property (intellectual property, author’s rights, trademarks and names registered individually, theft or unauthorized use of private images or confidential texts, and so on).

The most important aspect of the new insurance services proposed in Switzerland is the ability for individuals to obtain (at their choice) full protection fitting the possible extent of damages, something which remains a constant challenge (except in the USA or some advanced Asian countries) for company insurances. As an example, a “cyber security” insurance for a company in France or Italy is still based on the gross income of the contract buyer, is generally very expensive, and covers a maximum of some millions in case of damage, which is far below the real financial consequences of the most recent global attacks. The reason for this “half-blind” system is that neither the insurance companies nor the companies buying insurance have strict and uniform standards to evaluate the resilience of the infrastructures, the employees’ basic security knowledge and the effectiveness of the CISO/CSO department. The lack of awareness of the majority of companies’ boards forms the basis of the systematic under-evaluation of the extent of the damages. Security being immature as a whole, national insurers cannot reward companies which fully comply with all NIST/GDPR frameworks with fair yearly fees and very high refunds in case of attack, pushing several sectors (banking, finance, critical infrastructures) to contract, where possible, an overseas insurance company.

Focus - Cybersecurity Trends

Why is this new-born service predicted to have such a bright future? There are many simple reasons creating the ecosystem where insurance can engage at a fair price and high refunds without risk, and all of them are met in the 26-canton country. Swiss citizens are often mocked as being “overinsured”, which is partially true yet has to be seen not as a fear but as a knowledge of the costs in case of problems. Civil liability protection, healthcare insurance, car insurance, home insurance and many more are compulsory and privately handled. Among them, the only public one, healthcare, became private (under State supervision for fixing the annual fee increases) after a popular referendum held in 1996. State-managed insurance programmes are only unemployment insurance and invalidity insurance, as well as a small pension fund, to be completed with private ones. As a consequence of “everybody being insured” and a general mentality of being collectively responsible and of being honest with the insurers, the companies of this sector are fully profitable and provide customers several bonuses, which are almost an exclusive Swiss privilege. E.g. we can quote the full refund of broken glass in a car (no matter the cause: urban violence or simple driving incident), without any “bonus reduction” on the next yearly fee. Another example is the optional full hand-luggage insurance valid everywhere (bus, train, plane) for less than 50 CHF per year: we were robbed once, and the insurance refunded us within a week not only the full price of the camera which was inside, but also of the cabin trolley! Being proposed for a very reasonable price as a “plus” to an already contracted (and compulsory by law) healthcare, car or home insurance, the cyber-insurance is ready at a click, benefitting in marketing terms from an already “captive customer” (bonuses) having a long-term relationship with the company. With knowledge and free choice of “which data to protect”, the trust and collaboration between the customer and the insurer is total. Moreover, the insurance platform can use all its assets to scan the net in search of very precise items and minimise the duplication of leaked/stolen data when they appear. Without being naïve, several of the services offered are already included in the compulsory insurances (illness, invalidity, death) or in the financial terms most Swiss banks offer (full credit card data theft coverage, very limited fee to pay if a debit card is stolen with its PIN, and so on).

Anyway, these new insurances will make some companies (like aggressive e-commerce ones) very careful with Swiss data of unknown provenance or bought on the grey market. The possibility for Swiss citizens to easily benefit from coverage of lawyer and court costs up to one million CHF will give them the capacity to sue, if needed, a US company in a US court, an action which is financially impossible for any normal European citizen.

Laurent Chrzanovski (HDR, Postdoc, PhD, MA, BA) is a Professor at the Doctoral and Postdoctoral School of Social Sciences at the University of Sibiu (Romania). Thanks to his work experience in 12 European and South Mediterranean countries, since 2010 he has expanded his fields of research into the social, behavioural, cultural and geopolitical aspects of cyber security. As such, he is a member of the ITU (UN Geneva) cybersecurity expert group and a contract consultant for the same institution, as well as for several Swiss and French think-tanks (PPP). In 2013 he founded, and continues to run, the “Cybersecurity in Romania” macro-regional public-private platform (www.), supported by the ITU, all related public institutions in the host country, as well as many other specialist organizations from France, Switzerland, Italy and the United Kingdom. In the same spirit, he co-founded in 2015, and is editor-in-chief of, one of the very few free quarterly cyber-prevention journals (a PPP) designed for the general public. Originally intended for Romanian audiences, Cybersecurity Trends is today published, with the collaboration of prestigious specialist partners, in multiple languages adapted to French, Italian, English (as of June 2017) and German (as of September 2017) audiences (cybersecuritytrends). It should be noted that the Congress and the magazine have been promoted and supported by the ITU since 2015 as the “Best Practice Example for the European Continent”. Laurent Chrzanovski is the author/editor of 23 books, of more than 100 scientific articles and of as many other texts intended for the general public.


Cyber Authentication: rules for a quick and secure authentication

“It is not true that we have little time: the truth is that we lose much of it” - De Brevitate Vitae, Lucius Annaeus Seneca.

Author: Michele Gallante Translated from original article in Romanian

BIO Michele is a practicing lawyer and member of the Rome Bar. After obtaining his Law degree at the University of Rome, he developed a research thesis entitled “Legal dilemmas regarding the use of drones in armed conflicts” at the University of Washington School of Law, Seattle, USA. After these studies, he obtained a Master’s degree in “Homeland Security” at the University ‘Campus Bio-Medico’ of Rome, where he deepened his knowledge of security issues, data protection and confidentiality. After having been a researcher within the Global Cyber Security Center on legal issues concerning the safety of data processing, Michele is now a member and collaborator (for security, data protection and international humanitarian matters) of several important associations, among which the Oracle Community for Security, Federprivacy and the Italian Red Cross.

Time never seems to be enough, and if on one side technological evolution has sped up access to some services, on the other it has had to deal with security problems and dangers. For this reason, we passed from a single “user name” and “password” authentication to long and complex procedures: insertion of “PIN codes” associated to the user through a “grid card”, the use of tokens (OTP = one-time password) or other tools aiming to prevent e-fraud, which, logically, have slowed down the procedure and even the availability of the service. Of course, the experience gathered with those identification methods (MFA = Multi-Factor Authentication) and the necessity to remember many passwords became an obstacle to the spread of this kind of electronic instruments. In Italy, for instance, e-commerce is slowly growing but cash payments remain preferred, the user perceiving the transaction he is about to make as both secure and immediate. For those reasons, the world leaders of the online market are trying to simplify as much as possible the use of electronic payments, in order to boost their use and increase their profits. It is sufficient to think of how Amazon introduced the single-click method of sale (of course after having associated the credit card credentials), or the new “Dash Button” which allows, through a small physical button, to place the order for the chosen product without even turning the laptop on. In the very near future, banks above all will see their business switching more and more towards digital payment methods, and hence they are implementing “Cybersecurity Fraud Prevention” solutions, guaranteeing the trustworthiness of the system through protected authentication. To solve diverse problems, be it for online purchases or for physical or logical access to an infrastructure, we are moving towards biometric recognition systems as, by nature, they are directly, univocally and stably in time linked to the individual through a profound relation between body, behaviour and identity of the person.

Biometry (from Greek “bios” = life and “metron” = measure) is defined as the discipline that studies biophysical quantities in order to identify functioning mechanisms, to measure their value and to induce a desired behaviour in specific technological systems. Conventionally, such authentication systems are based on “biological properties, behavioural aspects, physiological characteristics, biological traits or repeatable actions where such characteristics or actions are both unique to an individual and measurable, even if the methods actually used to measure them technically involve a certain degree of probability” (ISO/IEC 2382-37 “Information Technology - Vocabulary - Part 37: Biometrics”). Given their peculiar specificity, adequate protections must be guaranteed when such data are handled; as a matter of fact, depending on the chosen technique, the context of its use, the number and type of potential users, and the modalities and purposes of the processing, specific risks may arise for fundamental rights and freedoms. These recognition systems fully reflect the requisites of exclusivity (distinctive capacity for each person), permanence (inalterability in time or slow modification) and universality (presence in every individual) but, unfortunately, they are still too weak and vulnerable. For instance, whereas in the case of theft or loss of traditional login credentials it is possible simply to issue new ones, biometric data cannot be changed (besides its natural mutation in time), being unique of its kind. A fundamental factor will hence be to add appropriate cryptography to keep this information safe.

The risks related to biometric data impose, coherently with the European eIDAS Regulation ruling identification, authentication and digital signatures, the obligation to inform the Privacy Guarantor of data breaches or IT incidents within 24 hours of becoming aware of the fact (following the scheme of the guidelines of the General Measure enforced in the biometric field, 12 November 2014, Annex B) at the email address indicated by the national authorities (e.g., in Italy, databreach.biometria@). Among the different categories of biometric data (Table 1), fingerprint-based recognition represents around 90% of the technologies already in use, which win market share day after day. As examples, we can quote their use on diverse mobile devices, for enabling access to information services, or those designed to grant physical access to infrastructures (such as banks, libraries or reserved areas in companies). In any case, the Guarantor imposes that this type of recognition can be used only for “facilitation purposes”, always with the consent of the person concerned and above all with the obligation to grant alternative access modes to anyone refusing to use such biometric instruments.

From a juridical point of view, the use of biometric data requires respecting some principal aspects of the law (consent, necessity, purpose and proportionality), as we speak of “semi-sensitive” personal data, able to make an individual identified or identifiable. Prior to the enrolment phase (acquisition of the biometric record, its storage and its extraction to generate the archived reference data) the citizen must be given by the data controller the compulsory information notice concerning the intended purposes (e.g. a fingerprint used to access a reserved area cannot be used to control employees’ attendance times), the processing methods, the precautions taken (security measures) and, last but not least, the data retention period. Under several national privacy rules, a preliminary verification of the information notice must be obtained from the Guarantor authority, a few sectors being exempted. Important news is awaited after the entry into force of the European GDPR (General Data Protection Regulation) and PSD2 (Payment Services Directive 2), to become compulsory in 2018. The Union’s privacy rule, besides defining which data must be protected (e.g. biometric data becomes part of the category of sensitive data), also requires a risk analysis to avoid discriminatory uses of this instrument, which could quickly turn from a security resource into a generalized control instrument to gain information on health, ethnicity or race. It is therefore requested to favour biometric systems that require the willing cooperation of the person concerned and, when possible, with the least quantity of associated information, so as to reduce the possibility of a reconstruction of the record during its processing. Very important is also the rule on electronic payments, which requires “strong” authentication to guarantee the security of transactions.
Since 23 February 2017, the Final Report (Draft Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication under Article 98 of Directive 2015/2366) specifies all the technical norms regarding authentication and communication. From the abovementioned rule we can deduce the obligation of every Member State to watch over service providers so that they apply strong customer authentication when: one accesses one’s payment account online; one places a payment order online; or whenever one carries out an action, through a remote channel, which may imply a risk of payment fraud or other forms of abuse. The introduction of the new payment services (PISP and AISP) will have to be made at the same time as the application of new systems able to guarantee security without possibility of error. Unfortunately, a delicate topic related to biometric systems is exactly the possibility of an error. As a matter of fact, the technology used has a certain predisposition to errors during the recognition phase, when the system generates a rating named “score” based on how similar the template is to the reference record acquired during the enrolment phase. The “score” is compared with a predefined minimum rating, named “matching score”, which can vary according to the settings of the different devices. On this very point, the Working Group of the European data protection authorities, in its Opinion 3/2012 on developments in biometric technologies, affirmed that “with a correct setting of the system and an exact adjustment of the settings it is possible to reduce errors to a minimum”. Given these considerations, the margin of error should hence take into account the purpose of the processing, so that a high FRR (False Rejection Rate) could be accepted for the sake of security only in certain precise cases.

As regards data conservation, the regulations do not specify a particular archiving methodology. For instance, the data could be kept by the individual, preserved in a centralized database (like a Hardware Security Module), in digital workplace tools, or even on the secure biometric acquisition devices themselves (like a token or a smart card), hence placed under the direct and exclusive responsibility of the users and guaranteed by adequate cryptographic capabilities, certified for the requested functionalities in conformity with the technical norms ISO/IEC 15408 or FIPS 140-2. The raw biometric data generated during the biometric capture process must be erased from the temporary memory zones in order to guarantee absolute security and confidentiality. The recognition of the user, hence, can be based on biometric verification (a process during which the individual declares his/her identity and the system compares the captured biometric model with the stored one corresponding to the declared identity), also called “one-to-one comparison”, or on biometric identification (a process during which the system compares the given model with all available models to establish the subject’s identity), the “one-to-many comparison”, a much more complex operation. In both cases, as underlined by the ENISA recommendations, the data has to be protected by cryptographic instruments or in databases supporting record or column encryption. In the near future, we foresee avant-garde projects, like the PIDaaS program (Private Identity as a Service), which implies the involvement of employees of the Information System Consortium who, to be able to see a salary transfer or other documents, may use biometric recognition.
In the same way we should read the statement made by Augustin de Romanet, Head of Aéroports de Paris, who declared, speaking about biometric recognition, that “in perspective it is a solution we could probably look forward to”, a sentence recorded before de Romanet’s trip to Ben Gurion airport in Tel Aviv to study the methods used by the security forces there. As we have seen, a proper discipline is not yet enacted, but certainly the new regulations to be enforced in 2018 will set the bases for a clear, transparent and uniform interpretation of this topic. It is clear that the speed of authentication will be an essential driver to seduce the market in this direction, but data security, understood as integrity, availability and confidentiality, is a fundamental right which has to be protected at all costs.
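The score/matching-score decision and the one-to-one versus one-to-many comparison described above, as an added example that is not part of the original article nor of any product it mentions. The enrolled templates, the similarity measure (cosine similarity over short feature vectors) and the genuine/impostor score lists are constructed toy data; a real matcher uses far richer features, but the way the matching-score threshold trades false acceptances (FAR) against false rejections (FRR) is the same.

```python
"""Toy biometric matcher: score vs. matching-score threshold, FAR/FRR trade-off,
1:1 verification and 1:N identification. All data is constructed for illustration
(added example, not code from the article)."""
import math


def _unit(v):
    """Normalise a feature vector so that a dot product is a cosine similarity."""
    n = math.sqrt(sum(x * x for x in v))
    return [x / n for x in v]


# Constructed enrolment database: identity -> stored reference template.
# Real templates would be e.g. fingerprint minutiae; 4-dimensional vectors stand in.
ENROLLED = {
    "alice": _unit([1.0, 0.2, 0.1, 0.0]),
    "bob":   _unit([0.0, 1.0, 0.3, 0.1]),
    "carol": _unit([0.1, 0.0, 1.0, 0.4]),
}

# Constructed calibration scores: similarity obtained when the probe really belongs
# to the claimed identity (genuine) and when it does not (impostor).
GENUINE_SCORES = [0.95, 0.92, 0.90, 0.88, 0.85, 0.83, 0.80, 0.78, 0.72, 0.65]
IMPOSTOR_SCORES = [0.70, 0.62, 0.60, 0.55, 0.50, 0.45, 0.40, 0.35, 0.30, 0.20]


def similarity(template, probe):
    """The article's 'score': how similar a captured probe is to a stored template."""
    return sum(a * b for a, b in zip(template, probe))


def error_rates(genuine, impostor, threshold):
    """FAR: share of impostor scores accepted; FRR: share of genuine scores rejected."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def choose_matching_score(genuine, impostor, max_far):
    """Lowest threshold (least user friction) whose FAR stays within max_far.
    A tighter max_far raises the threshold and, with it, the FRR."""
    for t in sorted(set(genuine) | set(impostor)):
        far, _ = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t
    return 1.0  # no acceptable operating point: reject everything


def verify(db, claimed_id, probe, matching_score):
    """One-to-one comparison: the probe is checked only against the claimed identity."""
    template = db.get(claimed_id)
    return template is not None and similarity(template, probe) >= matching_score


def identify(db, probe, matching_score):
    """One-to-many comparison: best match over every enrolled template, or None."""
    best_id, best_score = None, -1.0
    for ident, template in db.items():
        s = similarity(template, probe)
        if s > best_score:
            best_id, best_score = ident, s
    return best_id if best_score >= matching_score else None


if __name__ == "__main__":
    # A security-oriented setting tolerates no false acceptance on the calibration data;
    # a convenience-oriented one accepts a 10% FAR in exchange for fewer rejections.
    strict = choose_matching_score(GENUINE_SCORES, IMPOSTOR_SCORES, max_far=0.0)
    relaxed = choose_matching_score(GENUINE_SCORES, IMPOSTOR_SCORES, max_far=0.1)
    for name, t in (("strict", strict), ("relaxed", relaxed)):
        far, frr = error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, t)
        print(f"{name}: matching score {t:.2f} -> FAR {far:.2f}, FRR {frr:.2f}")

    probe = _unit([0.9, 0.3, 0.1, 0.1])  # constructed noisy capture of alice
    print("verify alice:", verify(ENROLLED, "alice", probe, strict))
    print("verify bob:  ", verify(ENROLLED, "bob", probe, strict))
    print("identify:    ", identify(ENROLLED, probe, strict))
    print("identify unknown:", identify(ENROLLED, _unit([0.5, 0.5, 0.5, 0.5]), strict))
```

The two operating points make the article's remark concrete: the strict setting yields a matching score of 0.72 with zero false acceptances on the calibration data but rejects one genuine capture in ten, while the relaxed setting drops to 0.65 and accepts every genuine capture at the price of one impostor in ten. Identification is the costlier and riskier mode because the probe is scored against every enrolled template, so an unknown probe that merely resembles one of them is more likely to clear a loose threshold.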



Responding to incidents of sexting and safeguarding young people

There are currently huge challenges for police, schools, parents and social care in managing incidents of sexting. Recent data from NCA CEOP found that of 265 schools surveyed in their network, 60% had had an incident in the last year, totalling 960 instances; 52% had dealt with 1-4 incidents and 24% had dealt with 10 or more. 43% of those had reported the incident to the police. The peak age for sharing was 14.

Author: Charlotte Aynsley

With more and more children having devices earlier and earlier and sharing becoming easier, it is crucial that we protect children and young people. With that in mind, schools, colleges, parents and police need to be supported in managing these incidents. In September 2016, the UK Council for Child Internet Safety (UKCCIS) released new guidance for schools on sexting, the sharing of sexually explicit images and messages among young people. Charlotte Aynsley, director of E-Safety Training and Consultancy, was responsible for writing the guidance, and went on to develop training for schools and other professionals working with children. One of the many challenges in this area was that children were being criminalised for sharing images with their peers when there was no “intent” or coercion. The guidance seeks to address this by supporting schools in managing risks and responding to incidents proportionately. This has been brought to life through a training package that Charlotte has set up. The half-day training focuses on “youth-produced sexual imagery”, pictures as opposed to text, shared from one young person to another, usually via the internet on a smartphone.

“We touch on issues such as if a child was to be coerced or blackmailed into sharing a picture by an adult, but the focus is around children sharing images on a peer-to-peer basis,” explains Charlotte. “They might have been coerced into sharing it with one person who has shared it with others, or a picture in a romantic context has been shared much further. Younger children are sharing imagery in a jokey way, because they think it is funny to take a picture of their «bits» and send it to their friends. If that was onward shared or intercepted, the consequences for that child could be severe.” “We support schools in making these important decisions. The training works best when we have multidisciplinary teams, so police, social care and schools are all considering and agreeing on their responses.”

In January 2016, the Home Office introduced a new outcome code for incidents like sexting, outcome 21, where police feel it is not in the public interest to pursue a criminal justice route. Police are able to fulfil their duties by recording the incident but not taking any further action if it is not required. This should go some way to ensuring children are not wrongly labelled sex offenders; before then, a child caught sharing an image of themselves could have been put on the sex offenders register, explains Aynsley. However, many incidents are still being referred to the police because schools are uncertain what to do. For this reason, the training is highly practical and hones in on the action teachers and others should take if they become aware of sexting or an incident is reported to them by a child.

“What we’re essentially saying to schools is you can deal with this if you have been through the right checks and balances and risk assessments. You don’t have to make a referral or a report to the police, and here are some of the types of incident you can deal with, providing you have gone through the safeguarding checks and balances.” The course includes getting participants to think about how they would respond to different types of incidents and whether or not an external referral is needed, steps that can be taken to remove images from social networks, and key dos and don’ts when it comes to viewing images. While the aim is to safeguard children, the training is also about ensuring professionals protect themselves: for example, never printing, copying or sharing images, and always following their safeguarding and child protection policy and procedures. The training has been delivered in various areas of the UK and has been hugely successful in impacting on practice.

Feedback from Sussex Police highlighted that the training helped them to support colleagues, clarified issues and helped them identify where further support could be found. Additional feedback gathered by E-Safety Training and Consultancy shows 95 per cent of professionals who completed the training in Nottinghamshire said they were “highly satisfied”. Participants said it helped them think about their practice, provided clarity and gave them confidence in dealing with incidents. So far, the course has been delivered to over 400 schools in Nottinghamshire, Dorset and Sussex, Tameside, the North East and the South West, with a multi-agency training session in Kent for social workers, health professionals and police. The key lessons apply to all children’s professionals, says Aynsley; although schools have some “special powers” under the Education Act 2011 around viewing and confiscation, the approach is fundamentally the same. The training is available to all children’s professionals nationally and internationally. Please contact Charlotte for further information.

BIO (E-safety Training and Consultancy)

Charlotte has a broad range of experience in the field of internet safety: for 10 years she led Becta’s advice and support to Government, local authorities and schools on keeping children safe online. She also worked with Dr Tanya Byron on her review Safer Children in a Digital World, leading the implementation and co-ordination of the education recommendations in the Review as part of the UK Council for Child Internet Safety (UKCCIS). In April 2010, Charlotte became Director of Practice at the children’s charity Beatbullying, where she was responsible for the innovative Cybermentors programme, a peer-to-peer online support service for children and young people. In 2011, Charlotte was seconded to NCA CEOP, where she conducted a review of CEOP’s educational programmes and made recommendations to CEOP’s board on the future direction of the Thinkuknow programme, which has been delivered to thousands of professionals across the country. In 2013 Charlotte started her own non-profit organisation, E-safety Training and Consultancy, and she has worked on several high-profile programmes and initiatives including the NSPCC’s Share Aware campaign, the It Starts With You online safety campaign from Walt Disney/Club Penguin, Parent Zone’s Parenting in the Digital Age programme and the Keeping Children Safe online safety guide, and created the Sexting in schools – what to do and how to handle it document. She has spoken about online safety at several key national and international events, including at the UN, and has supported local authorities, the police, children’s organisations and international NGOs in educating parents, children and young people on all things online safety related. In 2016 Charlotte worked with UKCCIS and NCA CEOP authoring national advice on responding to incidents of sexting: Sexting in schools and colleges: Responding to incidents and safeguarding young people. Since the advice was published she has delivered training to over 400 professionals, supporting them in planning their response to incidents of sexting.



Online Safety Event 28.04.17 - Feedback Overview (response categories recovered from the survey charts)

Overall satisfaction with the training: responses ranged from “Very Satisfied” to “Not Satisfied”.
Least useful: different types of schools in attendance; lack of time; the traffic light tool could have been better explained.
Most useful: up to date information/policy; what does and doesn’t need to be referred; local response context; discussion of scenarios; good resources; RAG resource; meeting other professionals/building relationships; great delivery; more confidence in dealing with issues.
Interest in future online safety/sexting training: yes; yes, could link with changes to Schools Officers.
How the training informed practice: useful to have up to date information; update school policy on sexting; more confidence in reporting to/liaising with police; training for colleagues; sexting’s relevance to primary schools; sexting’s various forms; at what point the police should get involved; experimental and aggravating behaviour; information for parents; where support can be obtained.
6a. Future training workshops of interest: yes; not at the moment.
6b. If so, on what topic: anything regarding helping young people; safety online; community liaison; practical search and seizure advice; restorative work; proactive working; legal highs; the law and young people; difficult conversations; Prevent.





Cybersecurity: Workforce shortage or lack of HR profiling knowledge in recruitment? from C-Level or HR pillars, usually from non-IT based businesses/organizations. This might look great, comparing with the lack of concerns for security from these categories of people for many years in the past. But we still have a big problem…. the way some HR professionals or even C-Level are researching the workforce market for professionals is telling something about their level of understanding related to the skills they need in the field.

Author: Eduard Bisceanu

One of the most current topics in the (cyber) security community discussions lately is the workforce shortage in the field. Since it is obvious that is a real problem to find an appropriate security team for almost all businesses, there are still a lot of things to be clarified in order to have a common understanding on this issue. First, i am frequently asked to recommend people for such jobs, but usually i am asked not for a security professional, but for a “hacker”, an IT Security, network security or other different similar acronyms. The questions like this are coming

BIO Eduard Bisceanu is a recognized expert in cybersecurity, his skills covering also information security management and electronic communications, investigation of complex digital crimes, analysis, evaluation and response to cyber-threats. After a 16-years career within the Romanian Intelligence Services (SRI) and of the CERT-RO, being one of the first officers tackling cyber threat issues at a national level. He worked as CSO for Unicredit Bank before joining Microsoft Romania, where he is National Technology Officer.


Since I don’t want to upset the HR professionals or the executives I know, but still be very honest in what I have to say, I would not comment more on the reasons behind the lack of clear view when they are recruiting (cyber) security personnel, I will write down some general advises/questions I am always giving when being asked about the topic: what is the security maturity level of the organization you are recruiting for? are they aware about any security maturity model or are they fallowing any security management standard/framework? if the organization is well positioned related to the above question, the HR professional should rely exclusively on the security manager of that organization for writing down job descriptions for the entire security team and to interview them from skills/knowledge perspective. if the recruiting process is done for companies at the early stages of building a security governance framework, they first need an evaluation of the exact category of skills and knowledge would be appropriate to be researched by the HR professional on the workforce market. This action is nothing an HR professional is able to accomplish ever. if there is a need for security determined by other reason than compliance, then the right name for that reason is a RISK if you know the risks your business/organization is exposed to, write them down and there will be the first filter for searching for security professional.

Small businesses/organizations and corporate environments/big organizations have different needs in terms of the resources allocated to securing their operations. Either way, everybody needs a risk-based approach, and only on the basis of such an assessment can one determine the size of the security team to be hired and the skills needed within that team. This is also NOT an HR task.
Once the need is well described, I would recommend looking closely at the profile of the professional needed, based on the identified need. If there is a need for a specific skill in security (network security, application security, information security and so on), then who will manage this category of personnel and who will assess their work? Does the organization need a security manager, then? Then look for an experienced security manager, not for a “hacker”, not for an IT engineer, developer, incident handler or any other hands-on technology person. They might be excellent professionals, but they will generally be unable to understand the business you are recruiting them for or the general security risk landscape, and they will never be able to speak the business and executive language needed in order to build and run a security framework adapted to the business and operational goals.
Recruit based on the skills gap, but also based on TRUST. TRUST is something where security professionals can cooperate better with HR ones :)
Security manager is a job in itself, so don’t hire experienced managers for security; look for security managers. Their CVs and professional achievements speak for themselves. A simple and real-world test for a security manager is to explain (ad hoc, both by speaking and in writing) a complex cyber security topic to a non-technical executive and to be able to sustain the same complex topic with a hands-on expert in an IT security discipline.
Reduce the compliance burden for security teams: compliance is important, but it is not the same as security.
Knowing that salaries are a big topic, I would simplify this topic too: assess how critical security is for your business/operations and invest in it accordingly. An underpaid security role cannot be filled by a top professional in the field, or could easily become a risk.
The security manager (CSO, CISO…) should report to the right role in the organization in order to be empowered with the appropriate decision-making authority and visibility.
Assess investments in security using a risk-based approach. If you hire the right security manager this should be easy to have; it is the first task to be achieved by a professional occupying this role.
A lot of business flows generate or are exposed to security risks; make sure the security team is involved in evaluating/assessing them.
Top management is a valuable target for criminals and other kinds of actors posing security risks to your organization; that is why it is very important to rely on security teams. Sometimes, some risks need to be addressed even in top managers’ personal environments.
Don’t invest money in the IT environment without security assessments: even if you have the best IT team in the world, their focus is usually on functionality and efficiency, not necessarily on securing the IT environment.
Invest in security education according to roles. A huge number of successful breaches and cyber-attacks still use humans as attack vectors; humans are still the big vulnerability. Education remains one of the only controls able to mitigate this risk.

Even though I believe that everybody deserves a second chance, I don’t generally believe in “ethical hackers” who learned security by being criminals first, or in companies promoting themselves with such professionals. There is nothing to be proud of when you have a criminal record. There are great security professionals who have earned their standing by studying and researching without stealing other people’s data or money. And…. if such a person has a criminal record, he/she wasn’t as good as they might think.

My personal belief is that, when recruiting a (cyber) security professional, an HR specialist should be supervised by a security manager or by an external high-level security expert. Building a security team adapted to risks and business goals leads to an appropriate security maturity framework for any organization. The starting points are the humans behind security, not technology. If the above comments are too general for you, or you consider them obsolete, then you don’t need security consulting services. But believe me, based on the discussions I have almost daily on the topic, and also based on the conclusions coming out of the big failures in building appropriate security frameworks that we are able to see more and more often (WannaCry, NotPetya, BadRabbit and so on), I can fearlessly say that there are a lot of people in need when it comes to understanding how to hire people in security, even on the basic points. And yes, I have put cyber between brackets on purpose… there is no cyber security without business and/or operational security, including physical security and personnel security.


Authorities - Cybersecurity Trends

London Digital Security Centre update

The London Digital Security Centre was established to help businesses across the capital operate securely in an increasingly connected digital environment. As a not-for-profit organisation set up by the Mayor’s Office for Policing and Crime, the Centre works closely with the police and other partners in delivering the Mayor’s vision and maintaining London as the best city in the world to visit, invest and study in.

Author: John Unsworth, CEO London Digital Security Centre

However, according to a recent report published by the Department for Digital, Culture, Media and Sport, 46% of businesses have experienced at least one cyber attack in the past 12 months. Despite widespread media coverage of major incidents such as WannaCry, awareness of how businesses can protect themselves against the most common types of cyber attack remains low. This is where the Centre comes in, by working closely with local communities to raise awareness of the risks they face and by providing independent and impartial advice to reduce their vulnerability to cyber crime. The London Digital Security Centre does this in a number of ways. Regular events held across London’s Boroughs, targeting small to medium sized businesses, have proven to be extremely successful. Members of the Centre’s team, accompanied by police officers, visit businesses in the community to help them risk-assess their digital security. Changing the way businesses think about digital security and implementing a few simple measures provided free by the Centre can prevent the majority of cyber crime attacks; a recent report by the National Cyber Security Centre (NCSC) highlighted that 80% of all cyber attacks are preventable. Since April, the Centre has delivered ‘In Your Community’ events across 8 London Boroughs and engaged with over 3,000 individuals and 2,000 organisations. Over 400 risk assessments have been carried out and the results fed back to each business. Further events are planned in early 2018. But it’s not just in visiting local businesses where the Centre has succeeded. Bringing together a wide range of organisations, cyber experts, trade associations and academics has helped raise the profile of digital security and provided much needed clarity to businesses. At a recent event in Leicester, where over 100 local businesses attended, delegates learned from a variety of guest speakers about how they could use the internet to develop their business without exposing themselves to unnecessary risk. The Centre is now working closely with a number of top universities in the UK to develop an evidence base about what works in cyber security. Looking forward, there are some exciting developments ahead for the Centre. As the cyber security market becomes increasingly cluttered, customers are becoming increasingly confused about which security products are right for them. The Centre recognises this challenge and has been working with Secured By Design, the flagship police initiative, to develop a new accreditation scheme. Over the coming months, our partners and other stakeholders will have the opportunity to be involved in the scheme’s development. Expected to be launched in March 2018, it will be the first police-backed accreditation scheme of its kind in the digital security marketplace. There has also been interest in rolling out the London Digital Security Centre model across other parts of the country and other global cities. Constructive discussions and development plans have been undertaken with a number of police forces outside of London and will continue into 2018. Of course, some companies will require additional products and services over and above those provided for free by the Centre. This is why the London Digital Security Centre created its own Marketplace, which contains a small number of carefully selected cyber security companies. These companies have been selected by the Centre on the basis of their offering to the SME community, their capability and their pricing model. SMEs using one of our Marketplace partners can be reassured that they will be buying products and services that are relevant and help increase their security posture.
The Centre continues to work closely with its partners in achieving its core aim. Over the following pages, a number of our growing marketplace partners provide a brief explanation of why they work with us, what they offer, and what they believe are the biggest challenges that SMEs face today. Please visit their websites. You can find out more about the London Digital Security Centre and our partners here: You can also follow us on Twitter and LinkedIn. The articles that follow are from some of the selected partners that made it through our selection process in the summer of 2017.

Securonix
What products do you provide? Securonix, the leader in User & Entity Behavior Analytics (UEBA), helps companies detect insider and outsider threats by enriching data and applying Behavioral Analytics to existing information security, application and identity data. If you are working to stop data exfiltration, privileged account misuse, ransomware or inappropriate cloud usage, Securonix have an approach worthy of consideration. Not only can Securonix help bubble the “bad” or “most risky” behaviours to the top, they also provide super fast, natural language search capability on years’ worth of data. Securonix’s value proposition includes the potential to reduce costs by offering the opportunity to eliminate legacy technologies.
Why did you sign as an LDSC partner? We joined LDSC because we believe organisations of any size should have access to the very best security solutions at a cost that suits their budget. Currently SMEs struggle with an ever changing threat landscape that demands up-to-date threat hunting capabilities and the cyber team resources to manage this area, which is expensive and often outside of a typical SME budget. With Securonix in the Cloud we are able to offer a full service of software and manpower to keep smaller companies and their customers safe.
What do you believe the biggest future challenges for an SME are? As cybercrime evolves and threats become more sophisticated, Securonix in the Cloud means SMEs will have all the benefits of a leading edge threat hunting team at their fingertips.
What would you like to see the London Digital Security Centre achieve in the next 12 months? We hope that by joining and supporting LDSC we will be able to offer a flexible and affordable solution to all LDSC members who are looking to bolster their cyber security and insider threat capabilities.

Xcina
What products do you provide? Xcina Consulting Limited provide Data Protection Services and Cyber Security Services.
Why did you sign as an LDSC partner? We believe in the London Digital Security Centre’s core message of making London a safer place to do business and believe that if small to medium enterprises are educated and advised correctly, London will become the safest place in the world to do business.
What do you believe the biggest future challenges for an SME are? At Xcina, we think probably one of the biggest challenges to an SME currently is being able to raise their game sufficiently to ensure security risks are addressed effectively and sustainably. Doing enough just to comply with the law represents a significant challenge for many SMEs. Therefore, staying ahead is probably one of the biggest challenges an SME will face going forward, as the pace of change and evolution of the security threat accelerates.
What would you like to see the London Digital Security Centre achieve in the next 12 months? Over the next 12 months, we would like to see the London Digital Security Centre raise more awareness so that everyone talks about the Centre as a normal everyday occurrence.

Assuria
What products do you provide? Assuria is a UK developer of SOC-enabling software which provides the key components for a multi-tenanted unified threat management system. We are now taking this capability and democratising cyber security for the SME market. For the first time it will be possible for organisations of all sizes to access world-class services at an affordable price. Growing cyber threats require matching defensive capability, and yet the majority of SMEs are only just waking up to the need for protective monitoring within their business.
Why did you sign as an LDSC partner? The LDSC provides a significant educational role and, as a neutral and trusted source, can promote the importance of cyber security to the UK economy. Whilst central government, through the likes of the NCSC, is offering good advice, getting the message across to the millions of small businesses throughout the country can only be achieved by a local presence.
What do you believe the biggest future challenges for an SME are? After education comes implementation; but even having understood the risks they face, the SME still has the challenge of choosing the best way of solving their problems and keeping themselves safe. Having been carefully vetted by the LDSC, SMEs can be confident that the Assuria service will deliver the benefits they are looking for at a price they can afford. Of course the threat landscape is constantly evolving and SMEs will struggle to keep up given the complex nature of the environment. The challenge is to use an approach that allows them to focus on their business whilst giving them the assurance they need that they won’t wake up one morning to find themselves subject to a catastrophic exploit.
What would you like to see the London Digital Security Centre achieve in the next 12 months? Assuria believe that in conjunction with the LDSC we can make London and the whole country a safer place to do business by helping SMEs to protect themselves against cyber criminals.

Data2Vault
What products do you provide? Threats from Cyber attacks are increasing, fraudsters are becoming more sophisticated in their activities and the consequences of successful Cyber crime are becoming more devastating to the organisations that are breached. One of the biggest challenges SMEs face in combatting Cyber threats is the allocation of limited resources. Anything that diverts them from growing their business is seen as an overhead, but the cost of ignoring the Cyber crime threat could be catastrophic. Data2Vault are a Managed Service Provider offering advanced Data Protection and Data Insurance. We are the last line of defence when a Cyber breach occurs, or data is lost, because we recover data, applications and complete systems to “help keep the lights on”, underpinned by an Allianz underwritten Data Insurance policy, and we put these protections in place with minimal overhead on the organisation.
Why did you sign as an LDSC partner? We joined London DSC to help Board Directors and business owners recognise that data loss is a business risk, NOT a technology risk. Implementing Cyber security technology is only one part of making their businesses safer to operate online, and by adding staff training, user awareness programmes and ultimately transferring the residual risk of data loss with Data Insurance, an organisation’s unique data assets are safeguarded.
What do you believe the biggest future challenges for an SME are? Even the best run companies, investing in all the right areas to protect against a successful Cyber attack, can suffer a data breach or data loss, because you can never achieve zero risk. There is always a residual risk. Quantifying the impact that losing critical data has on the business, and then addressing the residual risk of data loss by either accepting it (self-insuring) or transferring the risk through a Data Insurance policy, is our aim. Data Protection by Design. For more information contact, call 0333 3442380 or complete the online Data Insurance fast quote at

Yubico
What products do you provide? Yubico is the leading provider of modern authentication and encryption hardware for individual users and enterprises. The company’s core invention, the YubiKey, delivers strong two-factor authentication, with a simple touch, across any number of IT systems and online services. The YubiHSM, Yubico’s ultra-portable hardware security module, protects sensitive data inside standard servers.
What do you believe the biggest future challenges for an SME are? For small and medium enterprises (SMEs), security can often translate to sacrificing valuable resources: bandwidth and budget. And in an age where the Equifaxes of the world make media headlines, it can be easy to back-burner an otherwise daunting implementation, because who’s really going after the “little” guys? What’s often overlooked is the ease with which corporate accounts can be hacked. Nearly 80% of breaches are a result of phishing, and with rising levels of sophistication and targeting, they are nearly undetectable by even the most trained eye. One employee account can open far more access to an enterprise than one might imagine -- look at Deloitte.
Why did you sign as an LDSC partner? With security headaches top of mind for SMEs, Yubico’s partnership with the London Digital Security Centre (LDSC) is a powerful union. Every bit of Yubico’s work is focused on making strong security easily accessible to everyone - whether through simple, convenient user experiences or price tags within reach of every organization - and LDSC shares this mission. Moving forward, the security landscape will only continue to rapidly change, with new attack vectors popping up left and right. This is undoubtedly overwhelming in a predominantly digital world, but specifically so for businesses with more limited resources. It will be imperative that organizations within the cybersecurity ecosystem join forces to further educate, encourage, and empower business communities to tackle online security and safety. Fortunately, through the efforts of organizations such as LDSC, it’s not a far-fetched idea to see significantly more cyber-equipped SMEs within a year’s time.

Panaseer
What products do you provide? Panaseer is a London-headquartered cyber security data analytics company. Panaseer has developed a big data analytics software platform designed to automate identification, measurement, communication, and mitigation of cyber risk. The Panaseer® Security Data Lake gives data-driven CISOs the continuous visibility and automated reporting capability they need to seamlessly optimise cyber hygiene across their environments and rapidly answer cyber risk questions from executives and regulators.
Why did you sign as an LDSC partner? The London Digital Security Centre marketplace is a fantastic initiative as it gives London businesses a way to evaluate the cutting edge cyber solutions that are on their doorstep and, crucially, get on the front foot in the fight against cyber crime.
What do you believe the biggest future challenges for an SME are? For the most part, small businesses are far less likely to be targeted than larger enterprises, as the potential return on an attacker’s investment is smaller. The SME’s major weakness is likely to be a lack of awareness, and a lack of the good hygiene needed to stop the majority of commodity attacks. As outlined above, for small businesses with no special reason to be targeted, the common risks are data theft (theft of employee data, credit card information, customer information etc.) and fraud (unauthorised wire transfers, stealing banking credentials, ransomware attacks). The risk of these is hugely reduced when the SME has good cyber hygiene. Small businesses should always automatically install service updates to their operating systems, and be on a fully licensed and supported operating system. In the good old days, we didn’t use to update our software because it often broke - the risk lay in the update. But now that software-testing processes are more robust, your risk lies in not updating the software, because that leaves it vulnerable to attackers.
What would you like to see the London Digital Security Centre achieve in the next 12 months? We would like to see the marketplace extended to become a best-in-breed vendor ecosystem that businesses of all sizes, from SMEs to enterprises, can call upon to compare products and services aligned to their needs.

Thinking Safe
What products do you provide? ThinkingSafe is the leading GDPR Compliance Cloud Service in the UK, with over 15 years of experience protecting information in the cloud with end-to-end “zero-knowledge” encryption. Our GDPR Compliance Solution is simple and easy to use, encrypting confidential documents within forensic archives and allowing data controllers to delegate access to named individuals within and across organisations, supporting compliance with all GDPR requirements.
Why did you sign as an LDSC partner? ThinkingSafe is committed to helping the London Digital Security Centre to make the UK the safest place to do business online, and is particularly focused on delivering simple and easy to use cloud services which allow business users to manage confidential information securely.
What do you believe the biggest future challenges for an SME are? We believe the biggest challenge for SMEs is how to manage confidential information securely, because business owners are currently overloaded with unnecessary technical arguments, when what they really want is simple and easy to use solutions which make the business more effective and also deliver the security required. We believe this is part of a broader challenge for SMEs, which is the need for business owners and delegated personnel to manage information securely, without technical restrictions or assistance. Business has always been about people and the relationships between them, and possession of information has always conferred power, so it is no surprise that others want to take this from us. The only real surprise is that we have allowed technology to limit our use of this power, rather than demanding that technology helps us to exercise our power by allowing the business to control how this valuable information is used.
What would you like to see the London Digital Security Centre achieve in the next 12 months? ThinkingSafe would like the London Digital Security Centre to reach out to all businesses in the capital and across the UK, promoting simple and cost effective actions which allow them to manage and share confidential information with their customers, suppliers and colleagues more securely.

IASME
What products do you provide? The IASME Consortium is one of 5 Accreditation Bodies appointed by government to assess against the Government backed Cyber Essentials certification. IASME also assesses against its own highly regarded and award-winning governance standard, which includes the GDPR requirements.
Why did you sign as an LDSC partner? IASME and the London Digital Security Centre share a common vision to make it easier for SMEs to identify, access and implement solutions which make a real difference in the defence against cyber security threats. The support of The Mayor’s Office, the Met Police and the City of London Police provides added reassurance and outlines just how seriously businesses should be taking this very real 21st Century threat.
What do you believe the biggest future challenges for an SME are? With so many priorities, not least ensuring the continued profitability of their businesses, one of the biggest challenges for SMEs is finding the time and resource necessary to give cyber security the consideration it demands. The Centre plays a key role in this dichotomy by helping identify solutions relevant to individual businesses, then facilitating introductions to providers who can implement those solutions. One of the biggest future challenges is approaching extremely rapidly! The General Data Protection Regulation will place a greater onus on businesses to protect the personal data they hold and to ensure any personal data transferred is transferred in a secure manner. The penalties for not doing this will be significant. The Information Commissioner has already stated that cyber security and GDPR are inextricably linked. In that regard, the work of the Centre and its partners will help SMEs meet the requirements of this important new regulation.
What would you like to see the London Digital Security Centre achieve in the next 12 months? When we first met with the London Digital Security Centre they outlined their very ambitious targets in terms of the numbers of businesses they will assist. We’d love to see the Centre exceed those targets and for IASME to help them achieve this. In partnership, we can make a real difference towards ensuring the continued prosperity of the UK as a leading digital economy.

Alliantist
What products do you provide? We are Alliantist and we build SaaS platforms in the UK for managing information security, data protection, and highly secure online collaboration. Our platform is a secure cloud-based information security management system. It has powerful built-in tools and frameworks to help organisations all over the world describe and demonstrate their compliance with regulations and certifications like GDPR and ISO 27001. It also contains proven policies for organisations to add to or adapt, then ultimately adopt into their own working environment. It is used by The Centre to help them achieve their own GDPR goals.
Why did you sign as an LDSC partner? Our aim is to make good information security and data protection management available to organisations of all sizes so that they can stay secure, demonstrate how they can be trusted, and continue to grow as a result. There are a lot of synergies in the missions of The Centre and Alliantist.
What do you believe the biggest future challenges for an SME are? Building the right mentality towards data protection and information security. We’re moving away from an era of tick-box compliance to one where we understand and mitigate the risks to our own and others’ information, genuinely living and breathing those principles. We’re also seeing a shift from seeing compliance as a chore to it being an attractive business differentiator and opportunity for growth. Being considered by customers and prospects as part of a secure supply chain means offering assurances of their own GDPR compliance and sound information security management, but also that of their own key suppliers.
What would you like to see the London Digital Security Centre achieve in the next 12 months? We would like to see The Centre evidence a positive shift, not just in the digital security of organisations, but in the board level mindset towards responsible information security management.

Zonefox
What products do you provide? Based in Edinburgh, ZoneFox is a cybersecurity company that focuses on detecting insider threats, targeted attacks, and other fraudulent activities. Through ground-breaking and sophisticated UEBA and machine-learning technology, it provides rapid, actionable insights around user behaviour and data flow, empowering smart security decisions and a strong security posture. I spun the company out of my PhD at Edinburgh Napier University, so R&D is entrenched in its roots. Our hosted platform breaks the mould for UEBA solutions, putting our powerfully unique machine-learning technology directly into the hands of businesses of all sizes.
Why did you sign as an LDSC partner? We were delighted to sign as an LDSC partner, as we treat cybersecurity education with utmost importance, firmly believing that working with wider groups is the best way to share knowledge.
What do you believe the biggest future challenges for an SME are? When it comes to the biggest challenges currently faced by SMEs, there’s no doubt that the staggering lack of resources to tackle security issues plays a big part. Such resources can range from tech support to the appropriate training required to make people who might not be infosecurity-minded aware of the risks of, say, opening a phishing email – and how to spot such an email in the first place. As such, for the future, SMEs must grapple with the challenge of raising greater awareness of such cybersecurity issues and implementing a robust education programme for this purpose. Generally, humans are pack animals; if we all work together, then we’re all better off, and the same principle applies when it comes to cybersecurity education.
What would you like to see the London Digital Security Centre achieve in the next 12 months? In terms of what we’d like to see the LDSC achieve in the next 12 months, above all, there must be a continued, proactive focus on educating people – whether through practical demonstrations or industry experts they can talk to. Ultimately, it’s paramount to be passionate when engaging other people in security.

BLOCKPHISH
What products do you provide? BLOCKPHISH provide a proven solution to the most significant cyber threat facing organisations today: phishing emails. By sending simulated phishing emails to staff and following up with innovative learning, the BLOCKPHISH approach reduces organisations’ susceptibility to this cyber-crime by over 90%.
What do you believe the biggest future challenges for an SME are? Cyber criminals are targeting SMEs in London relentlessly, and losses to fraud have exceeded £1.4Bn in the last three years alone. This trend looks set to continue, and creating a cybersecurity-aware workforce is the key to preventing losses.
Why did you sign as an LDSC partner? BLOCKPHISH are committed to working with LDSC to help reduce fraud and cyber crime in London.

iCYBER-SECURITY GROUP
What products do you provide? We provide a range of services, starting with our iCyber-Shield Cyber Defence Platform, which uses software to drive cognitive automation in the cybersecurity space. This helps companies react faster and defend better against cyber threats, at lower costs than currently possible with human technical resources. This platform works with the existing investments in security vendor technologies that you have chosen. We also provide training at a technical level through our iCyber-Academy, which also publishes the Cybersecurity Trends magazine in the UK and Ireland. We also offer consulting advice on how best to put the right security and network architecture in place, as well as recommending the right choice of vendor solutions to fit your organisation’s needs and budgets. Currently, with GDPR a hot topic, our GDPR Readiness Assessment Programme enables a business to rapidly pinpoint what they must focus on as a rapidly approaching deadline looms.
Why did you sign as an LDSC partner? LDSC have a worthy goal: to make businesses in London aware of, and educate them about, the growing risks of cyber crime. Many attacks arise due to human error rather than a lack of technology, so awareness is a key first step. Our Academy and this Magazine strive to achieve the same goal. We also like that LDSC seek to champion value solutions for SMEs, and we believe our iCyber-Shield Cyber Defence Platform has a role to play here, especially as the cost of getting the right technical resources is sky-rocketing in the current environment, with the demand for skills far outstripping supply.
What do you believe the biggest future challenges for an SME are? SMEs are in a really tough place. With a lack of time, lack of resource and lack of budget, and with accelerating evolution in attacks and in regulations aimed at improving organisations’ security to protect individuals’ data, there is a lot to do. The sheer pace of new vendor solutions and the price of technical resources, which has risen this year alone by over 30%, mean that SMEs are realistically outpriced in getting help. However, many of the basic efforts to protect your business need minimal technical spend; the right advice is key. LDSC provides an easily accessible set of resources to keep businesses safer.
What would you like to see the London Digital Security Centre achieve in the next 12 months? We would like to see LDSC achieve its ambitious goals and make its awareness outreach programme succeed in London. We would also like to see LDSC put on more networking events for the mid-size enterprise sectors.

Symantec

What products do you provide?
Symantec Corporation, the world's leading cyber security company, helps organizations, governments and people secure their most important data wherever it lives. Organisations across the world look to Symantec for strategic, integrated solutions to defend against sophisticated attacks across endpoints, cloud and infrastructure. Likewise, a global community of more than 50 million people and families rely on Symantec's Norton and LifeLock product suites to protect their digital lives at home and across their devices. Symantec operates one of the world's largest civilian cyber intelligence networks, allowing it to see and protect against the most advanced threats.

APMG International

What products do you provide?
We are a global accreditation and examination institute, with a diverse portfolio of certification schemes including internationally renowned solutions for project, business and IT Management, Public and Private Partnerships and Cyber security. Three of our products and services are offered on the LDSC MarketPlace: an online cyber security training platform (MITIGATE), the UK Government's Cyber Essentials scheme and the UK MOD-developed Cyber Defence Capability Assessment Tool (CDCAT®). In addition, there is currently a free MITIGATE Social Engineering module, and a discount on Cyber Essentials certification is available to members.

Why did you sign as an LDSC partner?
LDSC are championing cyber security from the ground up, particularly in support of SMEs. They approached APMG to become a preferred partner, having identified us as a trustworthy, competent and established organisation with a world-class cyber portfolio that meets the needs of organisations of all sizes.

What do you believe the biggest challenges to an SME currently are?
SMEs are bombarded with an enormous volume of advice and information, and it is difficult to identify the relevant areas to focus on to keep their business secure. Often, an expert is required to identify what the business needs are, in an area as detailed, technical and continuously evolving as cyber security. It can be easy to invest in the wrong area and not actually achieve what your business requires to be secure. Some businesses may not need to spend anything; others may need to invest in key areas to protect valuable assets and information. Reliable and trustworthy advice is required, and LDSC approval gives the assurance that the businesses you are dealing with can be relied upon for high quality advice and services.

What do you believe the biggest future challenges for an SME are?
Cyber security is evolving at such a fast pace that keeping ahead of the threat will always be the biggest challenge. Identifying the right products, training and services that can help with this will be a wise investment for any business. More and more organisations require their partners and suppliers to demonstrate good cyber hygiene before they will enter into a contract.

What would you like to see the London Digital Security Centre achieve in the next 12 months?
If the importance of cyber security is successfully conveyed and awareness is raised, with more people and small businesses understanding the complexities (or knowing where to go to find out), that will be a great achievement.

PAV IT Services

What products do you provide?
PAV i.t. Services is an IT managed services provider specialising in security solutions to help businesses of all sizes better protect themselves against cyber crime. One of our principal services is a cyber security audit, which provides a road map™ for SMEs to highlight the most effective steps they need to take to become more cyber resilient. PAV also delivers user awareness training and phishing simulations to help ensure that employees become a company's strongest defence against cyber crime rather than its weakest link.


What do you believe the biggest future challenges for an SME are?
One of the biggest challenges for SMEs is to understand where and how they are vulnerable to a cyber attack, which is why we advise them to start with a cyber security audit. This makes sure that they are equipped with the right knowledge to effectively manage risk and allocate resources. The vast number of security products and services on the market makes it very challenging for SMEs to decide which security solutions they need to respond to their specific risks and requirements. This situation will intensify in the future as the threat landscape diversifies and cyber criminals find new vulnerabilities to exploit. SMEs will need to stay abreast of these challenges by using their limited resources in the most effective manner.

What would you like to see the London Digital Security Centre achieve in the next 12 months?
PAV would like to see the London Digital Security Centre continue to build upon the momentum it has generated since its launch. Engaging with SMEs in order to help them better protect themselves against cyber crime is fundamental for London businesses to gain the maximum benefit from the opportunities provided by an increasingly digital economy. We would like to support the London Digital Security Centre in increasing this engagement with London businesses to reach a larger number of companies over the next 12 months.

Sims Recycling Solutions

What products do you provide?
Sims Recycling Solutions (SRS) is an industry leading IT Asset Disposition (ITAD) and recycling company. We help clients solve the challenge of sustainable management of their IT assets, while minimising data risks, maximising value recovery and ensuring compliance. SRS manages returns, recalls, refreshes, redeployment and disposal of IT and networking equipment. We offer secure and compliant ITAD solutions, allowing companies to reuse and recycle their equipment in the most environmentally friendly and commercially viable way.

Why did you sign as an LDSC partner?
SRS signed up as an LDSC partner to be part of a proactive and positive journey towards making London the safest place in the world to conduct business. The LDSC is the first organisation to bring together the best service providers in every aspect of cyber security and data protection and offer their services collectively to the market. This is an opportunity for all businesses, regardless of their size or industry, to access a holistic suite of data protection services from industry leading vendors. SRS is proud to be part of this.

What do you believe the biggest future challenges for an SME are?
Not all risks are high tech. The challenge for SMEs is to put in place appropriate online security and controls to protect against cyber threats, as well as against those potential threats that come from disposing of end-of-life IT equipment via unsecure channels.


The biggest future challenges are going to arise from the current pace of change in the technology and data regulatory landscapes. Where is the next threat coming from, and what is the commercial impact of a data breach going to be? Without appropriate technical and organisational security controls in place, fines and reputational damage could severely cripple an SME.

What would you like to see the London Digital Security Centre achieve in the next 12 months?
Together with the LDSC, SRS is excited to be part of making London the safest place in the world to conduct digital business. The LDSC has brought together a cohort of industry-leading product partners who can offer any organisation, large or small, the tools, services and support it needs to run its business in a secure and sustainable way. SRS is looking forward to seeing the LDSC roll this product portfolio out to the market and engage businesses across the capital to take action to protect themselves against cyber security and data protection risks.

Estatom

What products do you provide?
Estatom is a UK-headquartered, advanced software development company. It has produced a small, fast and secure OS combined with an intelligent, integrated, amorphous database: FORNAX. Fornax combines granularity in access control, formidable security, a tiny footprint, distributed computing capabilities and an unrivalled speed of operation. It delivers efficiency, correctness, security and usability in and for current and future technologies.

What do you believe the biggest future challenges for an SME are?
The current and future challenge for business is that we live in a new era centred around networks and connectivity, which demands new ways to process, store, secure and manage data. The old ways of working are not sufficient, and businesses require new solutions to manage legacy, security, resiliency and capacity.

What would you like to see the London Digital Security Centre achieve in the next 12 months?
The LDSC (and all parties) need to promote the idea that a new way of doing things is required, and that additional abstraction layers on an already complex technology stack are not the answer.


Business and industry 4.0 at the core of the 5th Macro-Regional Congress "Cybersecurity - Romania" (Sibiu, 14-15 September 2017)

Under the High Patronage of the Swiss Ambassador to Romania and organized in cooperation with the International Telecommunication Union (UN-Geneva), the 5th edition of the Central-European Public-Private Dialogue Platform took place in Sibiu.

Author: Laurent Chrzanovski

The audience was mostly made up of ICT service providers and business people responsible for informatics within the public and private sectors. For the third consecutive year, the congress attracted chief executives of the largest factories in the region and of critical infrastructure companies (production, transport and storage of gas, electricity or oil) from Romania. The presence of the General Managers in person, rather than of the security officers as in previous editions, is proof of the expected and hoped-for evolution of the dialogue that is the cornerstone of this Sibiu Congress, one of the rare events that has neither a technical nor a marketing character. The participation of such VIPs has a fairly natural reason: WannaCry and Not-Petya hit Europe in May and June 2017, generating billions of euros in losses in sectors previously believed to be potential targets of organized crime only during financial transactions or for gaining access to databases. Some of the most eloquent speakers explained in detail the vulnerabilities of our digital ecosystem.

Vulnerabilities so large that a single devastating virus, Not-Petya (or Goldeneye), "simply launched on the Internet" and not specifically created for a particular enterprise, has caused direct damage on an unimaginable scale, without even counting the indirect consequences. Many concrete examples were given, including the case of the industrial giant Saint-Gobain [1] (220 million euros of direct losses, 4.4% of profit, in the first semester alone, and 3 days of work with pens and paper [2]), the food industry giant Mondelez (-3% of turnover in Q2) and the shipping leader Maersk (losses worth 300 million euros). Designed specifically for industry executives, the presentations by representatives of the specialized institutions of the Romanian State (Police, intelligence services, the National Computer Security Incident Response Team, the National Authority for Management and Regulation in Communications) provided a detailed analysis for the whole country. The public received a preview of the up-to-date situation six months before the mandatory national report of each Member State of the Union, which is drawn up at the end of each year and published in the first months of the following year. Then, well-documented security leaders addressed issues crucial to the business and industry world, which lags significantly in its non-technical understanding of global Internet insecurity.


Focus - Cybersecurity Trends

When the best army is being successfully attacked

BIO
Laurent Chrzanovski (HDR Postdoc PhD MA BA) is a Professor at the Doctoral and Postdoctoral School of Social Sciences at the University of Sibiu (Romania). Thanks to his work experience in 12 European and South Mediterranean countries, he has, since 2010, expanded his fields of research into the social, behavioral, cultural and geopolitical aspects of cyber security. As such, he is a member of the ITU (UN-Geneva) cybersecurity expert group and a contract consultant for the same institution, as well as for several Swiss and French think-tanks (PPP). He founded in 2013, and continues to run, "Cybersecurity in Romania", a macro-regional public-private platform (www., supported by the ITU, all related public institutions in the host country, as well as many other specialist organizations from France, Switzerland, Italy and the United Kingdom. In the same spirit, he co-founded in 2015, and is editor-in-chief of, one of the very few free quarterly cyber-prevention journals (a PPP) designed for the general public. Originally intended for Romanian audiences, Cybersecurity Trends is today published, with the collaboration of prestigious specialist partners, in multiple languages adapted to French, Italian, English (as of June 2017) and German (as of September 2017) audiences ( cybersecuritytrends). It should be noted that the Congress and the magazine have been promoted and supported by the ITU since 2015 as the "Best Practice Example for the European Continent". Laurent Chrzanovski is the author or editor of 23 books, of more than 100 scientific articles and of as many other texts intended for the general public.

The "most wanted" intruder

Nicola Sotira (Chief Information Officer at Poste Italiane, Rome) presented the smartphone's usefulness in marketing, in internal and external communication, and in a range of services from e-banking to smart payments or remote control. A smartphone carried around 24/7 by its owner is the dream of an entrepreneur and the nightmare of his or her security officer: at the moment, it is the most vulnerable and most frequently attacked technology tool in absolute terms.


Ido Naor (Kaspersky Labs Tel Aviv) traced the trail of a terrorist infiltration group that was about to succeed. On social networks, a group of young and cute "Canadians" preparing to make a "study visit" to Israel targeted highly specific young recruits of the IDF (Israeli army) stationed in barracks near the Gaza Strip. The social engineering succeeded: many Israeli soldiers corresponded with the "Canadian girls" and then downloaded a video and audio chat package containing ... a Trojan that would have allowed the terrorist group to turn the smartphones of these young people into genuine microphones, photo and video cameras. Only the vigilance of senior officers and intelligence officers made the cooperation between the IDF and Kaspersky Labs possible. They immediately noticed several outdated Hebrew formulas in the "Canadian" texts, the strange appearance of a music application in the downloaded package, and lines of code pointing directly at ... Gaza. If IDF recruits, trained to be on permanent alert and to detect suspicious behaviors, could fall into the classic trap of the "cute girl", let us only imagine the damage that a similar operation might produce in a Western enterprise, where success would be all but ensured by the lack of a security culture.

A defense on seven levels, and no one currently knows more than two

Marco Essomba (CEO, iCyber-Security, Reading), in his speech Full Stack Cybersecurity Defense, insisted on the need to thoroughly reform the organizational chart and the way in which large companies and industries operate. A holistic vision of the leadership, assisted by a security expert, and trans-departmental training are vital to tackling the increasingly sophisticated attacks that target all business processes, from finance to manufacturing, and in which the human component is the most vulnerable of all. In these "7 levels" of defense, it is crucial to have teams motivated by the new generation of executives, especially among engineers, who each know and can explain at least 3 levels, or layers, thus ensuring the necessary connection with the specialists of the other levels and with niche professionals whose only goal is to be the best in the niche entrusted to them. Over the course of two days, more than 20 speakers from 10 countries drew attention to several specific issues on which business and industry lack the right knowledge: for example, when developing the criteria for hiring a new security officer suited to the specifics of the enterprise in question, or when choosing, among the state-of-the-art defense tools, the one best adapted to the ecosystem of that enterprise, especially when the latter owns and uses significant amounts of data and services in the cloud or when it interacts remotely with transport and production units. The last session of the Congress, under the aegis of Vallée de l'Energie and the Chamber of Commerce and Industry of Belfort, was exclusively devoted to the theme of "Industry 4.0".

An overview of the dangers and vulnerabilities was presented to the public as the result of the collaboration between the organizers and the speakers, whose subjects were intertwined in a pleasant way and ensured the success of the meeting. The presentation of the Deputy Director of Cyberint (the special center of the Romanian intelligence service) focused on the current and future blockages caused by the strategic vision behind the creation, over a decade ago, of the category of "critical infrastructures" or "enterprises of strategic interest", i.e. those whose defense the state must contribute to. In the field of cyber incidents and crime, this doctrine, although more generous in its implementation than it appears, is currently poorly understood and leads to a reluctance on the part of many entrepreneurs to collaborate with Cyberint or to seek the help of CERT-RO, both state services, in addition to the Police. Yet if an industry, together with its suppliers, with tens of thousands of employees, goes bankrupt as a result of an attack, the social consequences would reach a strategic amplitude equal to that of an attack on a region's electrical network. Jean-Luc Habermacher (Vallée de l'Energie) and Jean-Gabriel Gautraud (Bessé Conseil) presented the views of a risk manager and of an insurance advisor, showing how advisers to the boards of industrial groups still consider cyber security an exclusively technological issue. Without a culture of safety and security, without a physical, human approach and constant surveillance of each connected object, even the packing machine at the end of the production chain, each connected terminal becomes both prey and aggressor in the hands of an offender, since the devices and robots were not designed for the security they provide, but for the efficient fulfillment of a precise task.
Virgil Stănciulescu, responsible at ANCOM (the National Authority for Management and Regulation in Communications), warned enterprises, and especially industries, about the exponentially increasing exposure area to malicious attacks that they generate through their own decisions; for example, by installing excessive numbers of IoT collectors or by equipping themselves with state-of-the-art robots and self-refining machines that take their information from Big Data and communicate via multiple channels with both the factory environment and the outside world.

Marc German (IHEDN) and Jean-Jacques Wagner (IUT Belfort), in their presentation Competitive intelligence and cyber security are two sides of the same coin of an enterprise's endurance, analyzed the world of international competition, where morality and ethics are very rare elements. Data protection, the physical and cyber-security of one's own sites, as well as gathering information about competitors' plans and development opportunities, are actions reserved for intelligence specialists who can manage them simultaneously and professionally together with their teams. Weighing up the cost of an internal team of qualified professionals, employers often give in to the attractive prices of outsourcing the analytical or defense services. This decision increases the degree of inaccuracy and risk, seriously compromising both security and the basis of the strategic decisions to be taken later on.

The unparalleled networking atmosphere, a brand of the congress, and its adaptation to the most important themes of the moment, viewed from an international perspective that allows a true debate of ideas and cultures, are values that have led this congress to be requested by, and adapted to, other regions of the continent. Thus, the first edition dedicated to Western Europe took place in Porrentruy (Switzerland) (Cybersecurity - Switzerland, 7-8 December 2017), and the first edition dedicated to the Mediterranean will take place in Noto (Sicily, Italy) (Cybersecurity - Mediterranean, May 10-11, 2018), while the Sibiu congress is still held annually in mid-September.




Security and Privacy in the Internet of Things

Author: Gianluca Bocci Translated from original article written in Italian

BIO
Gianluca Bocci, who holds a diploma in Engineering from Sapienza University (Rome) and a Master's from the BioMedical Campus of Rome in "Homeland Security - Systems, methods and tools for security and crisis management", is now Security Professional Master within the Protection of Information unit of the Company's Protection at the Corporate Affairs direction of Poste Italiane. He holds CISM, CISA, Lead Auditor ISO/IEC 27001:2013, Lead Auditor ISO/IEC 22301:2012, CSA STAR Auditor and ITIL Foundation v3 certifications; he supports the activities of the CERT and of the Cyber Security District of Poste Italiane. Within this frame, he has long experience in the security of mobile applications, also leading R&D activities for the academic world. Before joining Poste Italiane, he was Security Solution Architect for different multinationals in the ICT field, where he supported the commercial units by engineering the techno-economic offer delivered to Enterprise customers. He has always paid particular attention to aspects related to Security Information and Event Management, Security Governance, Compliance and Risk Management.


Reading the McKinsey Global Institute's 2013 report, we can see that different technologies, some already well-known, some less noticed, would be disruptive in the following years and would deeply modify everyone's lifestyle, but also the global markets and economy [1]. Among the listed technologies, we find mobile technologies, AI, Big Data, advanced robotics, the Internet of Things and many others which, used alone or combined, would allow new business models and innovative services in many production sectors. Nevertheless, each of those novelties has a dark side, i.e. new types of risk which immediately oblige us to think about security and privacy aspects. In the analysis we propose here, we will follow the above-mentioned topics and look in depth at IoT as a convergence phenomenon between the virtual world based on the web and the world of physical "intelligent" objects which, when interacting with the outside world, transmit and receive data. These data, when analyzed, allow added value to be generated and support the decision-making processes. Following Goldman Sachs' vision, IoT tools are characterized by a series of attributes which are synthesized in the acronym S-E-N-S-E [2]: Sensing, Efficient, Networked, Specialized and Everywhere. "Sensing" refers to the application of sensors (for instance air pressure, temperature, etc.) to every single "thing", hence the capacity to generate big quantities of data; "Efficient" refers to the possibility of adding "intelligence" and "efficiency" to processes, using the collected data; "Networked" defines objects connected non-stop to the web, in any circumstances;

"Specialized" considers the specificity of IoT tools and, moreover, of solutions achieved in a totally "vertical" way, in contrast with what happens in traditional IT systems. As a matter of fact, the logic of "reusability" can hardly be applied to an IoT project or solution created for a Healthcare need that one wishes to transform for industrial use. "Everywhere", finally, alludes to the invasion such objects are making, and will make exponentially, into our daily life and business processes. According to the Osservatorio Internet of Things of the Milan Polytechnic University [3], the number of intelligent web-connected tools will reach 25 billion units by 2020; a convergence dramatically transforming the global communication pattern, where data and information are no longer produced exclusively by individuals but also by "things". In the banking sector, "wearable" tools such as watches will be used more and more for payments; the insurance sector will also broadly use those new technologies in order to verify the driving habits of its clients and propose personalized contracts; the same sector could also gather other benefits from the IoT, like monitors able to protect an environment and the people within it (Smart Home & Smart Building).

If we take the urban landscape, the IoT can help with optimal traffic management, for instance by adjusting the traffic lights with the help of data from street cameras, or by warning drivers of possible alternatives to avoid the most jammed streets they are heading into (Smart City). The automotive sector itself is in full ferment, with applications dedicated to comfort, security and infotainment (Smart Car). Starting from those examples, we could draw similar parallels in many more business fields where the IoT seems by now, and more and more, to be becoming a reality (eHealth, Smart Factory, Smart Agriculture, Smart Asset Management, Smart Logistics, Smart Metering & Smart Grid, etc.). Those considerations made, it remains evident that the sustainability of the innovative business models and services using IoT is tied to the solving of important challenges, like security and privacy.

IoT Security

The dimension of the IoT phenomenon offers an immense attack surface to those wishing to use it to undertake illegal activities in cyber space, whatever their intentions. TrendMicro's forecast for 2017 [4] is certainly not comforting. We are expecting malware similar to Mirai which, used to compromise IoT devices, will allow DDoS attacks of hundreds and hundreds of Gb/s, very close to those which happened during the last quarter of 2016. CheckPoint's research [5] comes to the same conclusions, underlining that many attacks will exploit IoT devices and will be aimed more and more at the industrial world. The McAfee Labs threat report [6] offers a very interesting analysis, in which the authors point out that new techniques for compromising IoT devices will exploit the firmware by inserting the malware code directly into it, making its recognition much more difficult. The same report underlines that those new techniques will allow malware to enjoy extraordinary privileges, acting without limits thanks to the fact that, inside the kernel, security controls are minimal. Often, compromised IoT devices are used as proxies and are able, in a second phase, to deliver a full-scale attack directed at the system of interest to the criminals. These security problems, in general, depend however on the articulated system of the diverse operators leading the IoT industry and on multiple factors relating to the organization, the processes, the technologies and the cultural aspects of the people involved. Among the operators, we find first of all the producers of the intelligent devices, then the service providers who, almost always, rely on installers and hardware and software companies called in to build the desired service itself; last but not least, we have to take into account all the diverse types of users benefitting from those new tools. The device producers are typically focused on realizing those objects with new functions and at an affordable, or low, cost; they often use "embedded" OSs with limited computational capacity, which damages the possibilities of updating or patching them. They also adopt inadequate authentication and authorization systems and deliver limited configuration possibilities.
Then comes the problem of the interoperability of these devices, which are extremely heterogeneous among themselves, often using different communication protocols. Not a few of the above-mentioned problems should concern not only the producers, but also the big service-providing companies, which should create a healthy pressure on the builders of IoT devices, pushing them to take into account the security and privacy aspects. For instance, the choice of producers, installers and system integrators could be made on the basis of the most highly qualified on the market, responding to precise demands and guaranteeing privacy and security; the market opens bids, and their contractual part could exclude those who are not in line with these obligations. The service providers should also approach IoT projects with a risk-based approach, in order to be aware from the beginning of which modifications they must enact, at the organizational, process and technological levels, to deliver a secure service. For this reason, even when we come to the common IT infrastructure (the back-end component), maximal attention should be focused on guaranteeing not only the security but also the sustainability of the service itself.

If we want to emphasize how the IoT and its related services could be a success, we must underline that a lot will depend on other factors, and in particular on the adjustment of its operational model through an IT transformation which could need dedicated hardware, evolved software to analyze and correlate huge quantities of data, and storage and network technologies, all without barriers or limits to scalability. IoT security also involves the end users, who will be able to play an active role in the development of this technology if made more conscious of its problems, for instance through awareness campaigns or specific training programs dedicated to those in charge of the newly arriving elements. As a matter of fact, very often the users of IoT devices do not perform, when they are available, the minimal configurations such as changing the default password, or install the protection tools dedicated to the mobile devices used to interact and exchange data with the intelligent things, for instance antivirus, local firewalls, etc.; there are even users who, for different motives, apply rooting or jailbreaking techniques to their own smartphones and tablets, totally unaware that by undertaking those actions they jeopardize the security schemes designed by the producer, expose the handled data to heavy risks and can, without even knowing it, render vulnerable the very intelligent object, which can then be remotely hacked and controlled by a third party. Conversely, we can observe how mobile devices and, in general, the mobile internet paradigm are constituting a technological driver for the IoT, since they allow anyone, people and objects alike, to be always connected and to exchange information through specifically developed applications.

The IoT provider, for all these reasons, should act systematically and from the beginning to control the delivery of the system during its production and then during the following steps, also offering a periodic security service and program, which should include the monitoring of the systems, vulnerability assessments and penetration tests. The latter should also be performed on the interfaces used to interact with the intelligent objects, which often use mobile technologies and specifically smartphones and/or tablets.

Privacy of the IoT

The IoT is raising huge privacy issues, many more than those that emerged from traditional IT systems. We will underline some of them in a non-exhaustive way. Not always do the users realize they are dealing with devices able to interact with the net and, through it, exchange data which can enter the zone of personal intimacy. Not always, or almost never, do the users have control of the data flow; they do not even realize whether connections are activated, towards whom, and which data are transmitted.

Often, we witness a total lack of transparency between the raw data collected by the device, then sent to third parts and those eventually shown to the user. Those devices, whose aim is to warrant an enhanced autonomy to the batteries, avoid using any crypto system to transmit data The information collected by a device, even if anonymized, could be combined with information produced by other devices, enabling them to identify the user. All the above-mentioned results into a major risk to make public personal data, or even sensitive data, in a way which is completely unknown to the user. A huge problem is that, if it all started with the use of wearable devices, this trend will boom in accordance to the daily increase of IoT use in a broad number of sectors. As an example, if we look at a Smart City, the enormous amount of information collected by the video cameras could be analyzed with

techniques allowing to define inhabits and lifestyle of individuals. The results of such analysis could spot high incident probabilities for persons passing in a defined area; adding the registration numbers of the vehicles and the routes driven through time, profiles could be created and used for the benefits of insurance companies when renewing or signing a vehicle insurance policy contract. Other examples could be referring to all those devices allowing to collect information on our health and/or our sports performances, information which in a way or another could end up at the insurance companies and the pharmaceutical industry.

Without going further with other examples, we can assert once more that privacy is without any doubt a major challenge for the IoT. In this sense, we have already pointed out how some companies providing IoT-based services should act to reduce this specific risk, adding that they will be helped to do so by the new EU Directive 2016/679 on personal data protection. Through this rule, the European Commission intends to strengthen and unify the protection of personal data within the borders of the EU, through a simplification coupled with a unification of all pre-existing European and national laws framed within the previous directive (95/46/CE), which will be repealed as of May 25th, 2018. Thanks to this new rule, even IoT device producers will have to comply with the new regulations provided for the protection of personal data, in order to avoid the stated administrative sanctions. Among the most important indications, we can mention:
- The obligation to analyze the processing of personal data during its entire life cycle, from the moment of collection to that of erasure, starting from the design phase and adopting technical and organizational measures such as minimization and pseudonymization, all according to the Principle of Privacy by Design.
- The obligation to adopt pre-defined settings as well as default settings of the IT systems in order to guarantee the protection of personal data, with the possibility for the user to make only manual modifications in the phase after the launch of the product, all according to the Principle of Privacy by Default.
- The evaluation of the impact on privacy, to define the necessity and proportionality of the personal data processing, in addition to the risks to the rights and freedoms of private individuals; a process which allows the evaluation, from the design phase, of the best security measures to be adopted in order to reduce the risks to acceptable levels.
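
The three obligations just listed can be made concrete in code. What follows is an added example written for this article, not code from the author or from any IoT vendor: it applies data minimization and keyed pseudonymization to a constructed wearable telemetry record, with every optional data flow switched off by default; the field names, the key and the settings object are all assumptions.

```python
"""Privacy by Design / Privacy by Default applied to one IoT telemetry record.

Added example, not code from the original article or from any IoT vendor.
Assumed: a wearable uploads JSON records such as the constructed SAMPLE below;
field names, the pseudonymization key and the default settings are assumptions.
"""
import hmac
import hashlib
import json
from dataclasses import dataclass

# Assumed secret held only by the data controller. Pseudonymization stays linkable
# for whoever holds this key, which is what distinguishes it from anonymization.
PSEUDONYM_KEY = b"rotate-me-per-deployment"


@dataclass
class PrivacySettings:
    """Privacy by Default: every optional data flow is OFF until the user turns it on."""
    share_gps: bool = False            # precise location leaves the device only if enabled
    share_heart_rate: bool = False     # health data is opt-in
    share_with_partners: bool = False  # no third-party transfer unless the user asks


# Data minimization: the fields the service genuinely needs; nothing else is kept.
REQUIRED_FIELDS = {"device_id", "timestamp", "step_count"}


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace a direct identifier with a keyed HMAC token.

    Same key + same id -> same token, so records can still be linked server-side,
    but the original identifier cannot be recovered from the token alone."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def coarsen_location(lat: float, lon: float, decimals: int = 1) -> dict:
    """Reduce GPS precision (about 11 km at one decimal) so a record no longer pins a home address."""
    return {"lat": round(lat, decimals), "lon": round(lon, decimals)}


def minimize(record: dict, settings: PrivacySettings) -> dict:
    """Apply minimization and pseudonymization before the record is stored or forwarded."""
    out = {k: record[k] for k in REQUIRED_FIELDS if k in record}
    out["device_id"] = pseudonymize(record["device_id"])
    if settings.share_gps and "gps" in record:
        out["gps"] = coarsen_location(**record["gps"])
    if settings.share_heart_rate and "heart_rate" in record:
        out["heart_rate"] = record["heart_rate"]
    # Anything else in the raw record (owner name, e-mail, ...) is dropped here.
    out["third_party_transfer"] = settings.share_with_partners
    return out


# Constructed sample record, as a wearable might send it before any processing.
SAMPLE = {
    "device_id": "WEAR-00042",
    "owner_name": "Jane Example",
    "owner_email": "jane@example.invalid",
    "timestamp": "2017-11-20T07:31:00Z",
    "step_count": 4821,
    "heart_rate": 112,
    "gps": {"lat": 45.46427, "lon": 9.18951},
}

if __name__ == "__main__":
    print(json.dumps(minimize(SAMPLE, PrivacySettings()), indent=2))
    print(json.dumps(minimize(SAMPLE, PrivacySettings(share_gps=True, share_heart_rate=True)), indent=2))
```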
We can conclude by recalling that the joint action of the new European Directive and the pressure that could come in diverse forms from huge organizations desiring to develop their own business with IoT technologies will favor the regulation of this very specific sector, which is considered strategic for the whole global economy.


VIP Interview - Cybersecurity Trends

The consequences of a poorly understood and poorly managed cyber-security: a system that deviates from its own duties destined for implosion!

VIP Interview with Marc German, Business Diplomat and Computer Crime Expert

Author: Laurent Chrzanovski

Marc German

Laurent Chrzanovski: Describe your career.

Marc German: I started my international career 30 years ago in offsets. I have carried out numerous missions in states that did not have regulated relations with the West, such as the USSR. Being an advisor to French companies and early interested in what was then to be called Competitive Intelligence, I have initiated numerous industrial and commercial partnerships, within the opportunities that arose after the fall of the Berlin Wall. More recently, in 2008, in a prospective approach, I set up a strategic focus group called “Reflextrat”, aimed at stimulating in particular the success and the development of innovative enterprises in emerging markets, while also contributing to the eradication of inappropriate practices within businesses and institutions.

Laurent Chrzanovski: How did you become interested in cyber security?

Marc German: Given the fact that today everything is computerized and everything is happening on the Internet, aware of the new challenges linked to the security of increasingly complex IT projects and being an auditor at the CNAM’s Criminology Department, I focused on the fight against cyber crime.

Laurent Chrzanovski: Which aspects of the cyber world are you preoccupied with today?

Marc German: The quality of the source code is the first level of IT security. Indeed, a code error that causes a malfunction of the application is called a bug, a visible error that can be corrected, but this process is costly; instead, a code error that does not cause malfunctions and that cannot be seen is called a breach and represents the nightmare of businesses and administrations, because its consequences may be even more expensive ... But not only does the technical part of cyber security require a technical response; there are also behavioral issues, which are more complicated because, as usual, in terms of safety and security, human behavior is the weak link, so the eradication of inappropriate practices becomes imperative.

Laurent Chrzanovski: How do you evaluate the status of awareness within the businesses where you have been or are still active?

Marc German: Today, businesses and administrations understand that they need to get out of the state of addiction to the major companies (Microsoft, Oracle, and SAP) who produce the tools they need to adapt to, which have low performance and reliability and are very expensive. Nowadays, some disruptive technologies allow for the creation of efficient specific instruments that correspond to new economic models. Thus, the IT tools of enterprises can become, from cost-generating assets, a source of profit.

Laurent Chrzanovski: What about in the field in which you generally operate?

Marc German: The lack of “behavioral hygiene” of end users persists in a dramatic way. Software can be used on a terminal and on a highly secured network, but if the user is charging his or her personal phone or tablet there, this degrades de facto the whole system, by creating an access point. BYOD (Bring Your Own Device) is an aggravating phenomenon.

Laurent Chrzanovski: What, in your opinion, are the odds of resistance of Industry 4.0?

Marc German: The ability of businesses and administrations to protect themselves from the rules dictated by major software and Enterprise Resource Planning (ERP) developers, created by service companies whose turnover is due in excess of 70% to their maintenance services. The former provide solutions that do nothing, because the specific business needs of enterprises are not fully covered and end-users need to adapt to inappropriate tools for their work. The latter, having an economic model based on “man-day” sales, are pleased with the inadequacy of the former, because their incomes come from inoperable software deliveries: the worse they work, the higher the maintenance revenues. The worst thing is that neither administrations nor companies are the owners of these poor, inadequate and expensive IT tools. The main challenge of the Industry 4.0 resistance is the promotion of disruptive technologies that allow the production of specific tools that are fully adapted to occupations. These technologies exist and allow not only to exit from the “man-day” sinister model, but also honorable services that in turn allow users to enjoy computer services in support of their job and not vice versa. In terms of behavior, the emphasis should be placed on tailored training and end-users’ responsibility ... Huge program!

Laurent Chrzanovski: Which areas of the digital world security seem to you to be the most overlooked compared to physical behaviors?

Marc German: In terms of physical behavior, the problem is primarily endogenous; the “enemy” lies primarily in the interior!

Laurent Chrzanovski: In your opinion, what should the digital defense culture be like in an enterprise and what form should it take?

Marc German: It is a transversal responsibility, under the aegis of the “investor / owner”, because it is a threat to the vital processes of the administration or the enterprise.

Laurent Chrzanovski: In your view, why, in terms of the great powers, have the transition to digital and the new security stakes in Europe been ignored for so long?

Marc German: The Europeans do not have vision and strategic thinking and have difficulties in properly defining the problem they are facing; what happens in the case of terrorism is also true of cyber security. Semantic changes or reversing the meaning of words pervert the thinking. The cybernetic sector is the transposition of informatics into the real world without being its replica. Cybercrime is not a new form of crime, it is the transposition of classical crime into the field of cybernetics, and criminals only adapt their way of action to a new instrument, a new vector and a new playing field.

Laurent Chrzanovski: Is it still possible to reinstate a vigilant spirit on a continent that has known peace since 1945 without being accused of “big brother” or bellicose behaviors?

Marc German: It is not about adopting an opportunistic policeman position in response to a fashion; resilience is a real strategic stake.

Laurent Chrzanovski: Why are we so insensitive to the good practices of our neighbors in the EU when they prove their efficiency, and why do we need to reinvent the wheel in each and every state? Is there a lack of knowledge? Ego politics?

Marc German: All cybernetic actors consider cyber security a new market with potential for economic growth and financial gains, a new Eldorado ... Now, as I mentioned earlier, the worse the system works, the more the problems are reinforced and these actors are getting stronger. In France more than elsewhere, the system is sick and closed ... Senior IT officers move indifferently from the world of software publishers or services to positions of director of computer systems of large groups; it is the paradise of conflicts of interest, unscrupulous co-option, and great sharing between friends ... We are facing a real economic crime because administrations, businesses and, ultimately, taxpayers are paying the bill. The fate of this system that deviates from its own duties can only be implosion!

BIO

Business diplomat and prospective expert, Marc German directs several international networks focused on industrial partnerships. A specialist in criminal risk and crisis management, Marc founded, in 2008, a strategic think tank, “Reflextrat”, dedicated in particular to stimulating the success and emergence of innovative enterprises in emerging markets. This think tank has developed advanced tools, enhancing the work of the École Française de Prospective (CNAM), an institution internationally recognized for its ability to decrypt complex issues to better understand the future... A pioneer in competitive intelligence over the past 30 years, Marc German has conducted missions on the ground in France and abroad, consistently assuming obligations to provide results. Throughout his international career, he also participated in the creation, launch and development of successful companies in various sectors (aeronautics, defense, energy, the Internet ...). Appointed senior executive consultant for some of the biggest French companies, he was in charge of evaluating the opportunities disclosed by the fall of the Berlin Wall. Within this frame, he initiated several industrial and business partnerships, ensuring an optimal coordination between the institutional and private actors as well as between personalities from the academic, political and media fields.

A forerunner in Business Diplomacy, he has been involved as a solution provider in all the key stages of market development, according to the specific needs expressed by his employers, be they private players or governments (counter-intuitive partnerships, innovative financing, complex operations management, offsets, asymmetric solutions ...), always keeping a special eye on the eradication of inappropriate practices in enterprises and institutions. An auditor at the CNAM Criminology Department, he advocates for including the notion of “economic crime” in the Criminal Code, covering a larger sector than Article 432-10 and going as far as defending small shareholders ... Since 2010, Marc German has been Treasurer of the Association France Moyen-Orient de la Légion d’Honneur. In 2014, aware of the new European challenges related to the security and safety of highly complex digital projects, Marc German created an innovative company delivering Digital Services (Entreprise de Services du Numérique), capable of using disruptive technologies efficient in software creation at the highest quality standards, both for large companies and for administrations.



The impact of disinformation on the stock market

This article intends to share a reflection more than to provide answers, as it raises a number of questions that anyone responsible for Information Security should ask himself in the short and long term.

Author: Massimo Cappelli

BIO

Massimo is Operations Planning Manager within the GCSEC. He coordinates, as PMO, the research and education activities of the foundation. Since January 2017, he leads the CERT and Cyber Security of Poste Italiane within the Information Protection Department. After economic studies, he obtained a PhD in “Geoeconomics, Geopolitics and Geohistory of border regions”, focused on the Critical Infrastructure Protection Programme, and a Master in “Intelligence and Security Studies”. In his previous experience, he held the role of Associate Expert in Risk, Resilience and Assurance at Booz & Company and Booz Allen Hamilton.

Information Security is defined as a collection of processes and methodologies, designed and implemented to protect private, sensitive or confidential information, be it digital, printed or in any other form, against unauthorized access, use, misuse, disclosure, destruction, modification or damage. Often, Information Security is identified with IT security, yet the latter concerns only a part of the activities to be done, as information travels through different means and not only through digital networks. The evaluation of the risk weighing on information should not be based only on considerations of a merely “IT type”, but has to be a process including the evaluation of places as well as persons. This has been clearly demonstrated by Kevin D. Mitnick in his 2001 best-seller “The Art of Deception”, where he shows a series of cases in which it is possible to recover information useful for one’s own goals simply by speaking with people and collecting pieces of information which, once brought together, create a solid base of credentials enabling access to further information. For this reason, in some contexts, we use the term “information protection”, precisely to indicate those processes and methodologies included within Information Security, but with a much wider perimeter in comparison to IT security. In most cases, the protected information is that of the company. Our attention is looking inwards: information on clients, contracts, strategies, and so on. The first question is then to define the perimeter of competency. Is it sufficient to monitor the use and the protection of internal information? Probably not. To protect one’s own company, it is compulsory to also look outwards, to those threats which could anyway harm the reputation of our brand or of our business. Examples are phishing websites or the profiles of fake consultants pretending to belong to the company in order to steal information or credentials from the client. All banking institutions monitor the web to spot and block phishing websites, i.e. they look outwards from the perimeter to block any toxic news for the company. But is it sufficient to monitor and verify only the unauthorized use or the abuse of the trademark? Or do we have other aspects to take into consideration? In recent years, the newspapers have been flooded by articles, discussions and declarations on the “fake news” phenomenon, used for disinformation, mainly in the political field or for direct economic gains.
As an example, the “endorsement” of candidate Donald Trump by Pope Francis was shared and commented on more than 960,000 times on Facebook. Who knows whether this small element had an influence on the candidate’s election or not? It has happened to all of us that a friend or a colleague passed fake news on to us. Probably, we too were victims and unconscious transmitters of at least one piece of fake news, read quickly on a social network between a croissant bite and a coffee sip at the bar. Disinformation can occur through an incomplete representation of the facts, a false representation of the facts or a manipulated representation of the facts. The objective of the agent spreading the disinformation is to push the news as far as possible on all communication means, driving the readers into a precise conviction. Disinformation has a simple scope: to lead the reader to a determinate position, be it in favor of or against an argument. It is created to generate a feeling of empathy or of repulsion. This feeling, sometimes, can lead to concrete actions such as protests, boycotts or demonstrations. If we stay focused on the last American elections, we can give as an example a soft drink case. In mid-November 2016, a blog of American conservatives reported an interview with the CEO of the company producing this soft drink, in which he would have declared (obviously in the conditional form): “CEO Tells Trump Supporters to Take Their Business Elsewhere”. The news was completely distorted both by its source and by those who forwarded it, but its impact on the company seems to have been real, both in terms of appreciation of the company and in terms of the value of its shares on the stock exchange. The sentiment ranking towards the company sunk by 35%. The share price, on the same day as the publication of the “news”, sunk by 3.75%, and by more than 5% over the whole month. It is still possible that the two reactions were unrelated, yet it remains a very important case study for analysts of brand reputation and communication. Outside the electoral context, another case which made history concerned a pharma company we will call XY. In January 2012, an article appeared on Seeking Alpha, a finance-specialized website. It stated that the company XY, listed on Wall Street, was working on the development of a treatment against cancer, cheaper and more competitive than those of its competitors. In five months, the company’s shares recorded an increase of 263% in value, maybe because of the publication of that news.

The SEC (Securities and Exchange Commission) discovered that in fact the article had been commissioned by the same pharma company XY, through an indirect payment. As a result, the share price dropped abruptly. This technique was known in the past as “Pump & Dump”: to “pump” the share value thanks to fake news suggesting that huge increases of value will take place, and then to “dump” it once the desired value was reached. It is one example of financial fraud where the less well-informed pay the consequences.

Another case, in 2013, had a systemic impact. The tweet published on the Associated Press (AP) account, stating that an attack had taken place at the White House and that President Obama was wounded, “burnt” more than 130 billion USD on the NY stock exchange, before it was made public that the AP account had been hacked.


Let us suppose, hypothetically, that we are company Beta, desirable on the market as we are present in various geographic areas, we have consolidated infrastructures with solid trade deals and a monopolistic position on some markets. The share value is high and potential variations could be very costly to the current stockholders. If the Alpha company were interested in Beta, wishing, with unfair means, to buy a part of my shares to have influence on my strategies or to consolidate its own presence inside Beta, could it use disinformation to lower the value of my shares and buy more of them? Disinformation activities can be short or long term. Probably, if we were speaking with an English CEO or with an Asian CEO, even their own conceptions of “short” and “long” term would raise many questions.

Option 1: If I were the Alpha company, I could publish from several sources a fake declaration by the Beta company’s CEO, like in the soft drink case quoted before. This initiative could lead to a lower value of the Beta company’s shares. The Alpha company could then take advantage of the moment to buy a part of the shares at a ca. 5% cheaper price than the normal one, buying them indirectly and at different moments so as not to attract attention.

Option 2: If I were, again, the Alpha company, I could also publish information on the Beta company similar to what we saw in the pharma company case. In this option, the objective would still be to buy shares, but through a process of discrediting the targeted company. Investors could lose their trust after reading fake news on the future winning strategies of the company, later denied, and hence make the speculative bubble burst. There are various controls by the supervisory commissions, but I bet that, with due precautions and if well planned, different ways to buy shares, even indirectly, without being unveiled do exist, even more so if they are backed by governments.

Option 3: The disinformation activity could also be led over the long term, using fake profiles. Let us suppose we have at our disposal a certain quantity of fake profiles on diverse social media, and let us suppose that those fake profiles start to share negative information on the Beta company: service disruptions, mediocre quality of the products, untrustworthy employees, management scandals. Those fake news items, like many little drops, would be massively poured into an ocean of information, polluting it. This quantity of information is hard to skim off. We can recall the effect on sentiment analysis that fake news could have, sinking trust in the products and hence their sales. The products sold on eCommerce websites all carry the clients’ reviews. So, we can challenge anyone not to think twice before buying a product after reading two positive and one negative review, or the other way around. The negative review will influence the reader’s psyche much more than the positive ones. And if, instead of a company, it were a country? A country which could be, logistically speaking, a launch pad for economic initiatives or for the transit of important international infrastructures. Discrediting the country’s reliability as well as that of its rulers could happen through disinformation campaigns on fiscal policy, low quality tourism, in short on all those indicators which could help to destabilize or impoverish that country, then allowing a “sacking” of its resources or infrastructures. Its GDP would fall because of the lack of tourism revenues or of internal investment into productive activities. The GDP fall leads to a fall in tax income, which leads to a shortfall in covering the costs of infrastructure maintenance. But to cover this shortfall and maintain its infrastructure, the country is obliged either to sell a part (or all) of it or to take on further debt. All that being, of course, a worked hypothesis.
The financial market is subject to the key information it receives and tries to convert into value. We must also bear in mind the High Frequency Trading systems using mathematical algorithms, some of them already equipped with quantitative Big Data analysis capacities and news parsing systems to monitor the news in real time and adjust the values of the transactions, taking into account information other than purely financial data. The presence of an overabundance of information whose reliability is not verified and whose source is not classified according to its own reliability can lead, in the future, to bigger and bigger distortions of the market, as well as to policies of expansion (even geo-economic) through the use of information. The High Frequency Trading systems will be even more powerful and more and more confident in their own analyses and judgements made on Big Data. If we add that, in the near future, even individual investors will have a broadened possibility to invest at higher frequencies, we can only deduce that a correct use of information has become vital for the markets.

How to protect ourselves? This is the last question we raise in our essay. Certainly, all actors should take part in the protection of the financial system. To blame and prosecute the publishers of “fake news” is an activity commendable in itself, but one which would require timeframes not in accordance with the markets’ volatility. Certainly, it would be possible to impose some rules on the selection of sources by the High Frequency Trading systems, through a reliability certification based on the reliability of the information issued by a source over time. In this way, we could avoid running the risk of being hit by polluting sources, but we would not solve the potential problem of compromised accounts such as in the Associated Press case. From a company point of view, a fundamental rule is to “communicate first”. It is the basic rule of crisis management, but in a society so invaded by information, it must become a daily activity. In the book “Deception – Disinformazione e propaganda nelle moderne società di massa”, the author argues that “speed is an essential element, because what matters is the first affirmation: all further denials have no efficacy”. It is hence urgent that companies start to build structures able to monitor social media, to analyze the information published there and to verify its potential impact on the company, in order to make anticipated moves through press communiqués devoted to clearly defining the position of the company. By monitoring social media, we do not mean only the “classical social media”. The analysis must also be led on a multi-dimensional level, i.e. by verifying that there are no diverse ties leading back to the same nest, the very source of a disinformation attack.
We do not have to pursue the news to confine it, deny it or correct it. Badly handled information can quickly transform into a Hydra of Lerna. A clear, official position of the company, well-structured and widely diffused, will rid stakeholders of doubts and uncertainties. In order to do this, we have to build a far-reaching communication system able to reach all the levels of stakeholders. The information must be simple, linear and easy to understand, with different levels of detail based on the needs of the stakeholders we want to reach: financial analysts, consumers’ associations, consumers, supervisory institutions and so on. In the information era, information itself is the best weapon we can use. Thus, the perimeter of information protection, for companies, could be widely broadened. This could call for additional efforts and ever more transversal competences, with quick-response teams delivering not only technical but also communication solutions, helping the press office and the communication office to lead information operations in order to counter disinformation.
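
The source-reliability certification proposed above, together with its stated limit in the case of compromised accounts, as an added example written for this article (not code from the author or from any trading or monitoring system): a gate scores each source by its verified track record over time, drops polluting sources, holds market-moving items from unknown ones, and shows that a hijacked but historically reliable account still passes unless an extra corroboration rule, added here as a mitigation the article does not itself propose, is switched on. All sources, histories and news items are constructed.

```python
"""Reliability certification of news sources for an automated feed.

Added example written for this article; not code from the author or from any
trading or monitoring system. Sources, track records and news items are
constructed. The corroboration rule is a mitigation added here, not one the
article proposes.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class SourceRecord:
    """Track record of one source: items later confirmed vs. later refuted."""
    confirmed: int = 0
    refuted: int = 0

    def reliability(self) -> float:
        # Laplace-smoothed rate: an unknown source starts at 0.5, never as "trusted".
        return (self.confirmed + 1) / (self.confirmed + self.refuted + 2)


@dataclass(frozen=True)
class NewsItem:
    source: str
    claim: str            # normalized claim key, so reports from different sources match
    market_moving: bool   # would an automated trader act on it?


class ReliabilityGate:
    """Decides whether a feed item may drive an automated action."""

    def __init__(self, trust_threshold: float = 0.8, corroborating_sources: int = 2):
        self.history = defaultdict(SourceRecord)   # source -> SourceRecord
        self.claims = defaultdict(set)             # claim  -> sources that reported it
        self.trust_threshold = trust_threshold
        self.corroborating_sources = corroborating_sources

    def record_outcome(self, source: str, confirmed: bool) -> None:
        """Feed back the later verification of an item (the 'over time' part of the certification)."""
        rec = self.history[source]
        if confirmed:
            rec.confirmed += 1
        else:
            rec.refuted += 1

    def evaluate(self, item: NewsItem, require_corroboration: bool) -> str:
        """Return 'act', 'hold' or 'drop'.

        require_corroboration=False is the pure source-certification scheme the
        text describes; True adds the check that a market-moving claim must come
        from several distinct trusted sources before anyone acts on it."""
        self.claims[item.claim].add(item.source)
        score = self.history[item.source].reliability()
        if score < 0.5:
            return "drop"            # worse than a coin flip: a polluting source
        if not item.market_moving:
            return "act"             # low stakes, no gating needed
        if score < self.trust_threshold:
            return "hold"            # unknown or mediocre source: human review
        if require_corroboration:
            trusted = [s for s in self.claims[item.claim]
                       if self.history[s].reliability() >= self.trust_threshold]
            if len(trusted) < self.corroborating_sources:
                return "hold"        # one account, however reputable, is not enough
        return "act"


def build_gate() -> ReliabilityGate:
    """Constructed track records standing in for years of verification."""
    gate = ReliabilityGate()
    for _ in range(98):
        gate.record_outcome("wire_agency_a", True)
    gate.record_outcome("wire_agency_a", False)
    for _ in range(95):
        gate.record_outcome("wire_agency_b", True)
    for _ in range(2):
        gate.record_outcome("partisan_blog", True)
    for _ in range(6):
        gate.record_outcome("partisan_blog", False)
    return gate


def scenario(require_corroboration: bool) -> dict:
    """Run the article's kinds of item through the gate and return the decisions."""
    gate = build_gate()
    hijacked = NewsItem("wire_agency_a", "explosion-at-government-hq", True)  # compromised trusted account
    blog = NewsItem("partisan_blog", "ceo-insults-customers", True)           # habitually wrong source
    promo = NewsItem("paid_promo_site", "miracle-drug-breakthrough", True)    # no history at all
    out = {
        "hijacked_wire": gate.evaluate(hijacked, require_corroboration),
        "partisan_blog": gate.evaluate(blog, require_corroboration),
        "paid_promo": gate.evaluate(promo, require_corroboration),
    }
    # A second trusted source reporting the same claim changes the picture.
    second = NewsItem("wire_agency_b", "explosion-at-government-hq", True)
    out["after_second_wire"] = gate.evaluate(second, require_corroboration)
    return out


if __name__ == "__main__":
    print("certification only: ", scenario(require_corroboration=False))
    print("with corroboration: ", scenario(require_corroboration=True))
```

With certification alone the hijacked wire item is acted on, which is the limit the text points out; with the corroboration rule it is held until a second trusted source reports the same claim.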


Useful Tips - Cybersecurity Trends

The National Cyber Security Centre (NCSC): Incident advice and guidance

The National Cyber Security Centre (NCSC) is the UK’s authority on cyber security. It is part of GCHQ. The NCSC brings together and replaces CESG (the information security arm of GCHQ), the Centre for Cyber Assessment (CCA), Computer Emergency Response Team UK (CERT UK) and the cyber-related responsibilities of the Centre for the Protection of National Infrastructure (CPNI). The NCSC’s main purpose is to reduce the cyber security risk to the UK by improving its cyber security and cyber resilience. It works together with UK organisations, businesses and individuals to provide authoritative and coherent cyber security advice and cyber incident management. This is underpinned by world-class research and innovation.

What is a cyber security incident?

The UK NCSC defines a cyber security incident as:
- A breach of a system’s security policy in order to affect its integrity or availability
- The unauthorised access or attempted access to a system

Activities commonly recognised as security policy breaches are:
- attempts to gain unauthorised access to a system and/or to data
- the unauthorised use of systems and/or data
- modification of a system’s firmware, software or hardware without the system-owner’s consent
- malicious disruption and/or denial of service

The NCSC defines a significant cyber security incident as one which may have:
- impact on the UK’s national security or economic wellbeing
- the potential to cause major impact to the continued operation of an organisation


Cyber security incidents can take many forms: denial of service, malware, ransomware and phishing attacks.

Is it an incident? If you are experiencing unexpected or unusual computer network issues, we recommend that you contact your system administrator or service provider to identify the root cause of the issue. If a cyber security incident is confirmed, please consult the NCSC guidance for detailed advice.

Personal attack. There are a number of crimes which we do not define as cyber security incidents. Cyber bullying, threats via email, text or instant message are all examples. If you are in the UK, you should report these to the police. You can contact them by telephone on 101, or see the website for further information.

Fraud. Action Fraud is the UK’s national fraud and cyber crime reporting centre. If you believe you have been the victim of online fraud, scams or extortion, you should report this through the Action Fraud website.

Contacting the NCSC Incident Management team. If you feel you are the victim of a significant cyber security incident you can report this to the NCSC.

Get Safe Online. The website is the UK’s leading source of unbiased, factual and easy-to-understand information on online safety. It is a unique resource providing practical advice on how to protect yourself, your computers and mobile devices and your business against fraud, identity theft, viruses and many other problems encountered online. It contains guidance on many other related subjects too – including performing backups and how to avoid theft or loss of your computer, smartphone or tablet. Every conceivable topic is included on the site – including safe online shopping, gaming and dating … so now you really can stay safe with everything you do online. The site also keeps you up to date with news, tips and stories from around the world.

10 Steps To Cyber Security at-a-glance: An effective approach to cyber security starts with establishing an effective organisational risk management regime (shown at the centre of the following diagram). This regime and the 9 steps that surround it are described below.

Get Safe Online is not only a website, however, as we also organise national events - such as Get Safe Online week - and work closely with law enforcement agencies and other bodies in support of their outreach activity, internal awareness and customer online safety. Get Safe Online is a public / private sector partnership supported by HM Government and leading organisations in banking, retail, internet security and other sectors.

Get Safe Online Code of Conduct:

And simple steps…

01 Make sure your computer has up-to-date internet security software, switched on.
02 Don’t reveal personal information on social networking sites.
03 Regularly back up the data on your computer and smartphone/tablet.
04 Never reveal your password or PIN when asked to do so by email or on the phone.
05 Make sure your wireless network is secure at all times.
06 Be careful who you are selling to and buying from on auction sites.
07 Choose strong passwords, change them regularly and don’t tell anybody what they are.
08 When shopping, paying or banking online, always make sure the website is secure.
09 Always download the latest software and operating system updates when prompted.
10 Remember your smartphone is also a target for viruses and spyware.


Cybersecurity Trends - A publication to get to know!


Edited by:

Copyright © 2017 Pear Media SRL, Swiss WebAcademy and iCyber-Security. All rights reserved.
Redaction: Laurent Chrzanovski and Romulus Maier (all editions)
For the iCyber-Security edition: Norman Frankel
ISSN 2559-6136
ISSN-L 2559-6136
Addresses:
Bd. Dimitrie Cantemir nr. 12-14, sc. D, et. 2, ap. 10, sector 4, 040234 Bucharest, Romania
Tel: 021-3309282 / Fax 021-3309285
Griffins Court, 24-32 London Road, Newbury, Berkshire, RG14 1JX, UK
+44 800 086 9544


Cybersecurity Trends 3/2017 EN
