Cybersecurity Trends 1/2017 EN


Cybersecurity English Edition, No. 1 / 2017


VIP interviews:

Business recovery during a breach

Mohit DAVAR Gian Carlo CASELLI

End-users: threats, advice, solutions

We are a leading UK based CyberSecurity firm providing state of the art Application Delivery Networking and CyberSecurity solutions to clients in banking, retail, finance, and insurance, enabling them to leverage the power of their digital Infrastructure to beat the competition. Website:


Twitter: @icybersecurity_

Our renowned training academy provides bespoke training to ensure that your engineers have the skills to protect your business against the growing number of relentless cyber attacks. That expertise is what gives us unique insight and the ability to work in complex multi-vendor ecosystems in order to deliver the best solution to our clients. Next Training Course: Web Application Security, 19th – 20th August, Reading, UK. www.icyber-academy.com

Contact us! Griffins Court, 24-32 London Road, Newbury Berkshire, UK, RG14 1JX +44 (0) 800 086 9544

Contents

Editorial: A little cyber-culture in a world of cyber-intoxication By Norman Frankel


International Telecommunications Union: Cybersecurity at the center of our attention By Marco Obiso


Business recovery during a breach By Kevin Duffey


The news that won’t lie down By Kevin Taylor


7 reasons why organizations get hacked By Marco Essomba


VIP Interview with Mohit Davar: “Cyber security has to go through the same learning curve as compliance” By Norman Frankel


VIP Interview with Giancarlo Caselli: From the countryside directly to cyberlaundering: the agriculture mafia now targets network security By Massimilano Cannata


Introduction to the EU General Regulation on Data Protection (GDPR) By Isabelle Dubois


Cyber-attacks on fintech companies By iCyber-security team


The O2 SS7 attack By Steve Buck


Time to move beyond Cyber-fear By Alison Hanley


Digital identity and the right to be forgotten By Michele Gallante


The 21st Century and the programmed death of private life at global level By Laurent Chrzanovski


PSD2 a challenge? Evaluation guide By Mihai Scemtovici


Secure Passwords. Maybe “simple engineering is good engineering” By Vassilios Manoussos


London responds to digital threats By London Digital Security Centre


Useful Tips & Bibliographical reviews


Editorial - Cybersecurity Trends

A little cyber-culture in a world of cyber-intoxication

author: Norman Frankel, CEO, iCyber-Security

I would like to welcome everyone to this, the first English language edition of Cybersecurity Trends, a quarterly magazine already published in Europe in French, Italian and Romanian. The magazine is proud to have the endorsement of the United Nations ITU cybersecurity team. The goal of the publication is to open up knowledge and information sharing across research and commercial activities, providing a bridge between public and private dialogues, with the aim of helping our world operate more safely given the growing frequency of attacks that seem endlessly to get media attention. This English language version is sponsored by iCyber-Security Group and the iCyber-Security Training Academy. It is iCyber-Security’s mission to give our clients the assurance to operate their digital businesses securely, effectively and efficiently. It is our job to reduce risk, increase availability and optimize network application performance in the connected world. Yet neither we, nor our clients or partners, can reach optimal security if the whole ecosystem around us offers poor resilience, or none at all. We consider it the mission of any company like ours to help the relevant institutions and specialists bring their knowledge to the broadest public possible.


Cybersecurity awareness does not develop on its own: there is a strong need for culture and education in this field, and governments alone cannot meet all the needs of citizens and companies. As individuals and as professionals, we are, first of all, human. That means that without the necessary information we will continue making the mistakes that put us at risk. Nobody, when we bought them, explained to us the amazing capabilities, but also the associated weaknesses, of the tools and software applications we increasingly use on a daily basis: weaknesses which leave doors wide open for cyber-criminals. At a moment when the “breaking news” of the mainstream media has found in “cyber” a perfect new topic for its shocking headlines (“cyber-wars”, “global attacks”, “compromised systems”, “stolen elections 4.0”), this publication aims to take a broader view. For example, in this edition we have articles about how the Italian mafia has moved into digital crime targeting the agriculture industry, and how criminals are exploiting vulnerabilities in our personal banking to move funds for their own benefit. Crime is going digital, and only awareness and the sharing of good practice can realistically help reduce the harmful impact. In this field, re-inventing the wheel at a national scale has often been a common mistake in governmental and NGO communications. As such, we bring to the UK and Ireland market the only independent publication on this topic endorsed by the UN through its specialized agency, the International Telecommunications Union.

Following the examples of the Swiss Association of Information Security (CLUSIS) and the Global Cyber Security Centre Foundation of the Italian Post Office, which developed the French and the Italian versions of the journal respectively, iCyber-Security will bring you, the reader, not only some of the best original English papers, but also, exclusively, translations of the most relevant thoughts and solutions developed by experts from several EU and non-EU countries and submitted to other editions of the journal. Cybersecurity and cybercrime are global phenomena, and having the chance to share experiences from different countries and very diverse ecosystems is a major key to success. Threats targeting the UK, for instance, can be entirely new, or can arrive later from other countries. In this sense, the regional information sharing we offer in this journal is an asset. If you would like to contribute articles, have suggestions for topics we should cover in future editions of the magazine, or wish to purchase hard copy versions of the magazine to give to your customers, please do contact us via email. On our website you can also view publications in other languages and countries and purchase subscriptions for future editions. The next edition, to be published at the end of September, will have a special focus on the connected Internet of Things, such as connected cars in the automotive industry.


author: Marco Obiso, Cybersecurity Coordinator, International Telecommunications Union (UN-Geneva)

Dear readers,


These years more than ever, cybersecurity is at the center of our attention. I am not referring here to the ever-increasing recent “breaking news”; on the contrary, I would like to focus on several EU regulations which will positively impact our business and our lives. Both the NIS and the GDPR directives [1], whose implementation will have an effect far beyond the EU countries, are there to provide better safety to States, companies and citizens, whose privacy and intimacy are clearly set as a priority if we examine the GDPR text. At the same time, we witnessed the recent publication of the Tallinn Manual 2.0, a reference volume materializing the great efforts of a think tank of authors aimed at offering policy-makers a better understanding of cyber operations and their legal contexts. The United Nations’ ITU has for several years been on a similar journey, focusing on knowledge building and information sharing through the development of good practices and assistance programs within the framework of the Global Cybersecurity Agenda, covering key priority areas such as legal measures, technical and procedural measures, organizational structures, capacity building and international cooperation. Paraphrasing the titles of two ITU publications, if we are in the “quest for cyberpeace” [2] and we wish to see people living in a trusted environment during their day-to-day online experiences in their “quest for cyberconfidence” [3], we need to make the necessary knowledge available. Capacity building starts with being informed about the current situation, from the challenges to the possible solutions that mitigate and resolve them. The same applies in the cybersecurity arena: cyber dangers can be countered through increased knowledge and proper use of the tools made available to us. Adult awareness is a major challenge, no easier and no less important than children’s awareness.

In this sense, the multiplication of efforts we witness on our continent (the very well done and easy-to-use CERT-EU app [4] is one example) answers the citizens’ demand to be better and more quickly informed about old and new threats and how to defend themselves against them. Another relevant effort that I see is the “Coordinated Vulnerability Disclosure” initiative, within the context of information sharing, a topic which is now becoming a focus in several European states. This is a very important public-private partnership that we hope to see working as soon as possible.

[1] NIS = Network and Information Security (directive); GDPR = General Data Protection Regulation
[2], [3], [4]: cf. bibliography at the end of the volume for more details


Focus - Cybersecurity Trends

Business recovery during a breach

How to protect reputation and revenue

author: Kevin Duffey

BIO Kevin Duffey is Managing Director of Cyber Rescue, a European membership-based business that specialises in helping CEOs reduce the harm from cyberattack. Customers range from Swedbank (a leading Scandinavian financial institution) to Vodafone (telecoms) to BTG PLC (healthcare). Kevin is a highly international executive, having run businesses in over a dozen countries and worked in more than thirty countries. He holds a First Class Honours degree in Psychology, and has specialised in technology, management and security. Kevin is deeply experienced in digital security, having overseen implementation of security platforms for national governments and banks in countries including Finland, Norway, India, Sri Lanka and Sweden. He is a thought-leader in technology, for example having been elected to the GSM Association’s “Hall of Fame” for being among the 100 people who did the most to deliver mobile phone innovation around the world. At Logica, he won the Financial Times award for Mobile Innovation, and founded the Global Mobile Commerce Forum. Kevin is broadly experienced in crisis management; for example, he oversaw the evacuation of over 3,000 individuals from Egypt and Libya during the Arab Spring. Similarly, he had oversight of emergency travel advice to over 10,000 individuals affected by the Eyjafjallajökull volcano in 2010. Follow Kevin on: kevduffey/ and


Chief executives worldwide are confronting an urgent new responsibility. While profits and success have flowed from digital transformation, the risk to their reputation and revenues has risen with wave after wave of successful cyberattacks. In the search for profit, many companies have turned to data lakes and digital oceans, using information as their compass, cargo and fuel. But if data is the energy of the digital economy, it follows that data breaches can be explosive.

Commercial recovery during a catastrophic cyberattack is increasingly recognised as an essential competence. A Board-level executive must be accountable for how a business recovers from a breach, as every function can be impacted when hackers break through. The shock, speed and ambiguity of a successful cyberattack set it apart from other crises, so progressive companies are calling on experts to help them rehearse, plan and achieve corporate recovery. Cyber Rescue is a leader in this field, operating across Europe from its London HQ. Cyber Rescue has helped enterprises like Maersk, Vodafone and Swedbank, and many small companies from fintech to pharmaceuticals. In this article, we look at how Cyber Rescue is helping Boards, CEOs and CIOs to confront the challenge of our times: the successful cyberattack. From all the breaches we have assisted with, we have noticed a strong demand for three precise capabilities:

1. cyberattack simulations for executive leaders, to demonstrate risks and responsibilities
2. bespoke recovery plans for each business, to ensure efficient and effective response
3. coaching CEOs during the “golden hours” after a breach, to avoid the mistakes made by others.

We will consider each of those needs in detail, after considering why businesses are turning to experts.

Why now?

Computers will never be safe, according to the front page of The Economist this year. But business leaders have been slow to hear that message, since they are typically more interested in “when will our new app launch?” than “is our new app secure?” The IT Directors who build those apps are under enormous pressure to be fast and flexible, and few benefit from a Board that recognises the risks such pressures create. So increasingly it is the IT Director or CIO who insists that the executive leadership experiences a data breach simulation. Based on our experience, it is our opinion that investing sixty minutes to rehearse the cascade of commercial consequences from a breach is the best investment a Board can make. Further, an effective simulation brings home to the CFO, the COO, Marketing and even HR heads that they all have a crucial role in leading recovery when the unthinkable happens. In just an hour, the leadership’s understanding of why they need to support IT security is transformed. Simulations can be designed either as introductory Board-level sessions or as more customised and larger enterprise-wide events, sometimes running over two days. IT Directors and CISOs initiate about half of the calls that Cyber Rescue receives, with other requests coming from Chief Operating Officers, Chief Risk Officers or CEOs. The rapid growth in publicly reported data breaches is causing non-specialists to recognise the increasing possibility that their business could be next. FBI Director Robert Mueller probably said it best when he warned that “there are two types of company – those that have been breached, and those that will.” And the exponential growth in publicly reported cyberattacks is shocking many executives into action, especially if they see graphs like this one, from Verizon’s famous annual report on data breaches. Chief Risk Officers are increasingly trying to estimate the chance of their company being hit by a breach.

What’s the risk?

To help our Members understand emerging risks, we maintain a library of over two hundred recent reports on cyber threats. Our research lead, Dr Chaditsa Poulatova, comments that “while many reports are sponsored by vendors with an interest in highlighting such threats, the numbers should certainly be causing CEOs to reflect on the new risk environment their businesses operate in.” The vast majority of attacks are kept secret. For example, in the UK, a major survey in May 2016 found that 95% of businesses keep their most disruptive data breaches from the public, including 82% who don’t report breaches to the police. That secrecy makes it hard for other businesses to appreciate the scale of the problem. A good indication of the current likelihood of being attacked is given by this finding: some 2.8% of medium sized organisations in Ireland are certain they suffered a data breach caused by malicious attack in the last two years.

Example figures include the 125% annual growth in sophisticated Zero Day attacks, the 71% increase in large DDoS attacks, the 55% growth in Spear Phishing, the 29% growth in Malware and the 21% increase in SQL injection attacks.

Interestingly, it’s images instead of statistics that often engage the busy executive. For example, live attack maps attract many visitors.



And there seems to be a rather morbid fascination with quotes made by executives who have been closest to major cyberattacks, for example:

“There was this horrible moment where I realized there was nothing at all that I could do.” Amy Pascal, ex-CEO at Sony

“Breach Prevention? How is that working for you?” Jason Hart, VP, SafeNet Inc

“I am incredibly angry about this data breach and we will institute a thorough review.” John Legere, T-Mobile USA

“JP Morgan spent $250m dedicated to cyber security. They did everything right, and they still got hacked.” Erik Avakian, CISO, Penn State

“There are 2 types of companies: those that have been hacked, & those that will.” Robert Mueller, FBI Director

“There’s no conceivable system that can stop 1 person in 100 opening a phishing email and that’s all it takes.” Ciaran Martin, Director, GCHQ

It’s important to remember that the vast majority of companies won’t suffer a major breach in the next twelve months. By emphasising this, we highlight that cyberattacks are just one of the business continuity challenges that a company should prepare for. Security Directors and Risk Officers often want us to simulate a data breach for their Board as part of their wider risk mitigation strategy. It makes sense to use any Board-level interest in cyber to build resilience to all kinds of challenges a company might face. Major cyberattacks are a low probability, but very high impact event. And they are much more likely than other scenarios that companies rehearse. For example, there were 17 deaths from fire in UK office buildings last year, during which thousands of British organisations suffered major breaches. Yet every company holds at least an annual rehearsal of its evacuation for a fire. What should they rehearse to ensure commercial recovery from successful cyberattacks?

Business challenges!

The Board needs to be ready to be blindsided by a breach, to appreciate that authorities may be unable to help, and that there could be poor internal command and control. Here are some of the issues typically addressed during a simulation.

The shock of a breach is often made worse by several factors. For example, you may be told of the breach by an outsider, most frequently by Law Enforcement (41%) or Third Parties including customers (35%). You may then discover you weren’t told of previous data incidents. Even worse, you are weeks behind the attackers, as the average time to discover a breach is 69 days (followed by 70 days of technical containment).

Help from authorities is easier if you already know the right people. But who? There are 31 organisations fighting cyber threats to Financial Services in the UK, where 68% of Directors are unaware of who to call. Some authorities have fewer resources than they’d like. The UK’s ICO has 30 officers handling 200,000 concerns and 1,000 cases per year. The police have said only 4% of cybercrime is dealt with appropriately.

Your chain of command will be stressed by ambiguity during a suspected breach. The UK Parliament is clear on who should lead cyber response in a business. Opinions may fill the gap where facts are missing. Only 45% of security professionals are confident they can determine the scope of a breach. External forensics typically lasts 43 days. And decisions must be made fast: 91% of consumers expect “24 hours or less.”

Your legal and moral responsibilities might not be immediately clear. For example, law enforcement may ask you not to notify customers, so that the hacker won’t be alerted to their investigations. Extra-territorial laws on protection of citizens from cyberattack mean you may be subject to the requirements of more countries than you operate in. Just a summary of Privacy & Breach Notification laws runs to 425 pages.

Serious decisions require money. In the UK, 52% of CEOs think they have cyber insurance, but <10% do. Some 81% of companies with cyber cover in the USA have never claimed on it. Claims paid have been on: Crisis Services (78%), Legal Defence (8%) & Settlement (9%).

Will you pay for a big gesture? 53% of Breach Notifications offer Credit Monitoring. And what will be the long term revenue impact? Abnormal churn after a breach ranges from 6.2% in Financial Services and 5.3% in Health, down to 0.1% in the Public Sector. The surge in enquiries can quickly turn into even more irate calls from customers who, in their moment of crisis, want to receive the global standard in call centre response: 80% of calls answered in 20 seconds. But after a breach, call volumes can be one hundred times higher than normal. In addition, you must communicate with Regulators, Suppliers, Press, Staff, Police and Shareholders, and manage Social Media. You will be criticised, even if your company suffered a criminal attack. Customers complain that you notified “too slowly … too fast … without cause … putting us at risk of scammers.” Consumers might say “Credit Monitoring doesn’t help me” or “How will you make this good?” or simply “I want to break my contract and leave.” The UK Parliament has called for bigger fines for poor response and a cyber impact on CEO bonuses.

The format of a simulation is as important as its content. Some executives can feel nervous about exposing their ignorance in front of their colleagues, for example. Cyber Rescue does a lot to customise the format of a simulation to the individual participants. No one is evaluated in the simulations. Participants are put at ease and assigned to teams. But a simulation isn’t realistic without a bit of pressure. Friendly competition can energise participants and create a little pressure. But a simulation is, above all, an opportunity to learn, to bond and to reflect.

“Simulations are very positive experiences, even fun” notes Anjola Adeniyi, one of Cyber Rescue’s busy advisors. “I hosted a session we ran for the UK’s Worshipful Company of Information Technologists, an exclusive association of executives and thought leaders who have done the most to deliver the digital world we all now live in. Rather than the traditional death by powerpoint, a simulation creates energy through engagement.”

A key lesson from every simulation is the need for a plan. “All large enterprises have a continuity plan,” notes Patrick Donegan, one of Cyber Rescue’s specialists in the telecoms sector, “but too many assume that it covers the challenges of modern cyberattacks. Without a bespoke plan, under intense pressure, the executive leadership can take a cyber incident and turn it into a commercial crisis through ill-informed, wrong-headed decisions. They might take too long to inform impacted customers, or raise the alarm prematurely. They might fail to consider how to notify affected parties in the correct order and effective manner, from regulators and law enforcement to suppliers, staff and shareholders.”

Going into battle, fighting to save your reputation and revenues during a major hack, is like boxing an invisible opponent. You can’t assume that the crisis management plan you’ve written for situations like a fire or a pandemic will work against a cyberattack. We sometimes quote what Mike Tyson used to say of his over-confident opponents: ‘everyone has a plan until they get punched in the face!’ Every executive likes to think they’ll make the right decisions during a crisis, and given enough time and information, most of them do. But the speed and ambiguity of a cyber crisis makes for a unique dynamic. A customised commercial response plan, prepared in advance of a major data breach, will make your response much more timely and effective. It provides Directors with simple checklists, templates and instructions about each of the decisions they must face. Crucially, it will document where sensitive data is held, including by third party suppliers and information processors, so that breaches caused by partners are considered during the initial forensic stage of response.



The plan has to be easy for executives to use. A section for each designated executive has to be provided, highlighting the resources they can call upon, the consequences of the alternative actions they must choose between, and even the text of communications they may need to issue very urgently.

Who you gonna call?

One thing that executives can forget when drafting a response plan is that normal business won’t stop during a crisis. The leadership team of a typical enterprise is full of highly competent individuals who are already giving everything to their job. They are in essential roles, not redundant positions. So naturally, when a crisis hits, the business may want to bring in one or two specialists to at least help with the workload. Cyber Rescue provides Crisis Coaches to help executives triage and resolve conflicting demands. For example, many organisations discover they have more than a dozen “stakeholders” who expect to be briefed, consulted or notified. Technical staff may be swamped with unreasonable requests for updates, and given conflicting priorities. Legal responsibilities may be unclear, and your communications team may be unprepared. Our library points out that 91% of consumers say they expect notification of a breach in 24 hours or less, but also that it is very harmful to send a badly worded notification. A crisis coach can help the executive team navigate such challenges.

The crisis coaches bring wisdom and experience. If there are conflicting views among your executive team, your crisis coach is a trusted sounding board. If blame or politics might creep into conversations, your crisis coach is a reliable and neutral partner to all. If things start to become over-complicated, your advisor will bring you back to basics. You need to anticipate the avoidable mistakes that others have suffered. You must consider the commercial consequences of the various actions you might take. During the shock and ambiguity of a possible major breach, a Crisis Coach is invaluable. The speed at which response has to be delivered matters. Ideally, a Crisis Coach will start travelling to the Member’s HQ within 60 minutes of a call finishing. There is a golden hour at the start of your commercial response to a major cyberattack. This is when you establish command and control, stand up your response team, identify uncertainties and set priorities. We’ve built Cyber Rescue to respond to such challenges.

You probably won’t suffer a major breach in the coming months. A breach is a low-probability, high-impact event. Preparing your Board for such an eventuality is beneficial in many dimensions. If you want to energise your GDPR compliance programme, or build resilience to any kind of crisis, if you need to strengthen teamwork within the Board or simply an appreciation of the importance of IT, a simulation is a great place to start.

The news that won’t lie down

Major cyber security breaches capture headlines when they occur, the type of headlines companies want to avoid. But the financial and reputational damage lingers long after those initial headlines. Kevin Taylor looks at the long-term repercussions of some high-profile cases.

author: Kevin Taylor

Back in late 2013, American retailing giant Target suffered what was then thought to be one of the largest corporate data breaches in history. The personal details of more than 70 million consumers were compromised in the attack, including the financial data of as many as 40 million people. More than a year after that breach, a class action lawsuit in St Paul, Minnesota resulted in Target being asked to put aside $10m as compensation for those consumers affected.

BIO A respected writer and experienced communications consultant, Kevin (FCIPR) is a well-regarded commentator on business and technology issues in the IT security, telecommunications, and, especially, the mobile market. He is a Fellow and a former President of the UK’s Chartered Institute of Public Relations and has been a board level adviser on reputation to global brand names as well as to technology start-ups. At Robertson Taylor PR, he founded Standing Tall, a network of independent consultants who combine to provide a broad range of marketing and business support services. He also acts as VP Communications at Ensygnia – an innovative newcomer in the mobile identity, authentication and payment market.

Shortly afterwards, Target thought it had agreed a settlement with Mastercard for its losses of $19m in compensation. However, several banks associated with the card company rejected that figure and, at the end of 2015, a final settlement was reached and reported to be some $39m. Furthermore, at around the same time, Target also reached a compensation deal with Visa, and this one chalked up another $67m. As if all that wasn’t bad enough, that original judge in Minnesota even delivered the embarrassing ruling that Target had to up its cyber security game, largely based on the fact that the company was aware of the hack back in 2013 but initially chose to ignore it. In the immediate aftermath, Target would also let 1,700 employees go and close 133 stores.

Think that might be the end of it? No. This month, four years on from the original breach, Target is still paying for the consequences and making headlines. A case led by the Attorneys General of Connecticut, Illinois and New York has seen the company agree to pay a settlement of $18.5 million to some 47 US states and the District of Columbia. In fact, with legal fees and other costs, conservative estimates now put the total financial cost of the data breach to Target at somewhere in the region of $250 million. And who is to say the saga has finished?

The Target breach occurred when the hackers took advantage of the poor security of a third-party vendor to access the company’s network. After that, it becomes almost an object lesson in what not to do: addressing neither the cause of the breach nor the fallout from it straight away. Four years on, the company is still paying the price, both financially and in reputational terms.

But if you want an example of how to really mess up the handling of a cyber security breach, then look no further than Yahoo!, a company for whom the exclamation mark could have been invented. Last year, over a tortuous few months, news leaked out that Yahoo! had suffered several different attacks. Revealing, in 2016, that a “state-sponsored” attack had affected some 500 million users seemed bad enough. But in July last year, in a filing to the Securities and Exchange Commission (SEC), Yahoo! admitted that it had first noticed that breach way back in 2014, a full two years earlier. Things couldn’t get worse for the company, could they? Yes they could, because just a few months later the company had to admit that it had now uncovered an even earlier breach of its security which had compromised (Continued on page 11)




7 reasons why organizations get hacked

author: Marco Essomba

As a security consultant and solutions architect helping clients in the European region design and implement security solutions to protect critical network infrastructures, I often ask myself why companies get hacked. It may seem a trivial question, but it is deeply rooted in the fact that we as humans are often the weakest link in complex cybersecurity systems and do make mistakes.

If you are a cybersecurity professional or security enthusiast, this article is for you. I cover 7 reasons why companies get hacked, based on my experience working with clients in several sectors including banking, healthcare, insurance, oil & gas, etc. The question is not if your company will get hacked but when. Planning and ongoing preparation are the ultimate protection against cyber-attacks.

BIO Marco Essomba is a Certified Application Delivery Networking and Cyber Security Expert with an industry leading reputation and 2017 runner-up in the UK CyberSecurity Industry Personality of the Year award. He is the founder of iCyber-Security, a UK-based firm that enables organizations in banking, financial technology, healthcare, retail, and the insurance sector to safeguard their digital assets. Follow Marco on: marcoessomba/ or follow on twitter: @marcoessomba Learn more about how to protect your digital assets:

1. Humans are the weakest link

Humans are programmed to make mistakes. That’s how we learn. That’s how we have evolved biologically. Look at SpaceX: they made lots of mistakes and eventually mastered advanced rocket and spacecraft technologies. Even with a team of experts, they still managed to crash lots of rockets before docking successfully with the ISS. The same applies to cybersecurity. Mistakes will be made; it is not a matter of if, but when. When that happens, an attack window opens, and a hacker may strike within that gap. Even in the most tightly controlled networks, humans make mistakes. This is inevitable, so the best defense is to implement robust security measures, but also to plan and prepare for fast remediation.

2. Cybersecurity technology is very strong but expertise is weak

With all the stories in the news about small and large firms being hacked, a naive question might be why organizations can't simply buy the most secure and advanced solution and be done with security. Things are not so simple. For one, security systems are designed, implemented and managed by humans, and as long as that remains the case a flaw may always appear somewhere in the chain. Cybersecurity technology itself is extremely strong and we are not short of capable products: one only has to look at the many firms providing advanced solutions that deliver robust defenses in many different ways. Yet the expertise to configure these sophisticated products so that they actually deliver that protection remains scarce and very niche. A product deployed with its default settings, an unreviewed rule base or an alert feed nobody reads protects far less than its data sheet promises. Cyber criminals know about this expertise gap and exploit it to their advantage.

3. Cyber criminals have the edge

Cyber criminals do what they do for fun, for money, for government and industrial espionage, for political reasons, and more. They only have to find ONE flaw in a system, whether technological or sociological, while security administrators are left scrambling to patch and protect against ALL flaws. That is not an even fight. With enough patience and will, even the most secure system can be compromised by dedicated, skilled attackers. What really matters is how fast a company can react to security flaws: patch holes, learn, respond, train, and keep strengthening its security measures and ongoing processes against cyber-attacks.

4. Cybercrime pays more

Criminals are moving to the "digital battlefield". It makes sense, since cybercrime appears to be low-profile and less risky, and the chance of being caught seems remote. One only has to look at the recent attacks on several banks that abused the SWIFT messaging system, with close to a billion dollars at risk in what appears to be the greatest cyber theft attempt ever. Online crime leaves few physical traces, crosses borders at will, and is often hard to trace back to its perpetrators. No wonder it is becoming a safer alternative for traditional criminals.

5. Humans do fall asleep in the cyber battlefield

Security administrators can fall asleep in the "cyber battlefield". When that happens, a cyber criminal may strike. Unless processes are put in place to constantly review security systems, improve products, learn from failures, and keep administrators and staff trained, the cyber security defenses in any organization will remain weak against Advanced Persistent Threats (APTs).

6. Technology as a whole moves very fast and the pace is relentless

With technology moving at lightning speed, it is not surprising that humans can't keep up with cyber-attacks. Perhaps we should let "machines" with Artificial Intelligence (AI) take over cybersecurity administration and enforce security, taking humans out of the equation? A bit extreme, of course, but not unrealistic. For one, machines can follow rules flawlessly and keep up with the pace of cyber-attacks, and adapt much more quickly than humans can. They won't fall asleep on the cyber battlefield and may prove less sloppy than humans at maintaining security standards and processes. But there is still a long way to go before "Skynet" can automatically defend organizations against cyber criminals without any human intervention.

7. In cyberspace, you only know what you know

The challenge of cyber is the ghost-like transactions that happen faster than humans can cope with. What is really happening in your network may be a mystery. Security analytics helps with the first half of the problem, confirming what you should already know is happening on your network; the harder and more valuable half is surfacing what you don't know is happening at all.

The news that won't lie down (Continued from page 9)

the accounts of some one billion Yahoo! users. Here's what the company told the SEC: "Based on further analysis of data by forensic experts, we believe an unauthorised third-party, in August 2013, stole data associated with more than one billion user accounts. We have not been able to identify the intrusion associated with this theft."

I'm not sure what's worse here: knowing there has been a breach and keeping quiet about it, or not even noticing that one has happened until more than three years later. The full financial fall-out of these hacks is yet to emerge, except in one area, and that is the company's value. News of these data breaches emerged at just the time that Verizon was pressing ahead with its acquisition of Yahoo!, and a cool $350 million was wiped off the price when the companies finally reached agreement. Indeed, at one point Verizon was angling for something closer to $900 million off the asking price.

In the aftermath of the emergence of the theft, Yahoo! was busily advising its customers to change their passwords and check for unusual transactions. Three years after the theft, that seems very much to be a case of shutting the stable door after the horse has bolted.

What both these cases show is that while the immediate headlines are damaging, the long-term ramifications are much worse. The compensation cases drag on, the story refuses to go away and a company's name becomes forever associated with words such as "hack" or "data breach". In the event of an attack, companies have a duty of care to inform any customers potentially affected as soon as possible, and to provide guidance about the security steps those customers should immediately take. From a technology point of view, companies need to know in advance how they will shut down or isolate affected systems to contain the breach, and their backup arrangements need to let them roll their systems back to a known-good state that pre-dates the attack, which in turn means establishing when the attack actually began, not merely when it was discovered. How prepared you are for an attack, and how you deal with it when it occurs, matters, as the judge in the Target case has shown. It can limit losses, restrict compensation and help to mitigate reputational damage. Going forward, companies need to invest not just in stronger cyber security, but also in training their executives in how to respond to a breach.
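The rollback advice above has a practical catch that both stories illustrate: a backup is only a clean restore point if it was taken before the intrusion began, and Target knew of its intrusion in 2013 while Yahoo! only dated its 2013 theft years after the fact. The following Python script is an added example, not code from the magazine or from either company. It takes the earliest evidence of compromise (a date forensics establishes, not the date the breach was noticed), selects the newest backup taken strictly before it, and checks that backup against a digest recorded in a separate manifest at backup time, refusing any snapshot that no longer matches. The Snapshot record, the plan_rollback function and its status strings are assumptions made for illustration, and the sample backup catalogue is constructed.

```python
"""Choose a pre-compromise restore point and check it against its manifest.

Added example for the rollback advice above; not code from the magazine or
from Target or Yahoo!. The Snapshot records below are constructed sample data.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def as_utc(when) -> datetime:
    """Accept an ISO-8601 string or a datetime; naive values are treated as UTC."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when.astimezone(timezone.utc)


@dataclass(frozen=True)
class Snapshot:
    name: str
    taken_at: str          # ISO-8601 timestamp of the backup run
    payload: bytes         # backup contents (stand-in for a tarball or volume image)
    manifest_sha256: str   # digest written to a separate, write-once manifest at backup time


def verify_snapshot(snap: Snapshot) -> bool:
    """True if the stored payload still matches the digest recorded when it was taken.
    A mismatch means corruption or tampering, and the snapshot must not be restored."""
    return hmac.compare_digest(sha256_hex(snap.payload), snap.manifest_sha256)


def plan_rollback(snapshots, compromise_time):
    """Pick the newest snapshot taken strictly before the earliest evidence of
    compromise (not the discovery date) that also passes verification.

    Returns one of:
      ("restore", <snapshot name>)   a verified, pre-compromise snapshot exists
      ("no_clean_backup", None)      retention does not reach back before the intrusion
      ("integrity_failure", None)    pre-compromise snapshots exist but none verify
    """
    cutoff = as_utc(compromise_time)
    candidates = [s for s in snapshots if as_utc(s.taken_at) < cutoff]
    if not candidates:
        return ("no_clean_backup", None)
    for snap in sorted(candidates, key=lambda s: as_utc(s.taken_at), reverse=True):
        if verify_snapshot(snap):
            return ("restore", snap.name)
    return ("integrity_failure", None)


# Constructed sample backup catalogue (not real data).
SAMPLE_SNAPSHOTS = [
    Snapshot("weekly-2016-11-06", "2016-11-06", b"config-v41", sha256_hex(b"config-v41")),
    Snapshot("weekly-2016-11-20", "2016-11-20", b"config-v42", sha256_hex(b"config-v42")),
    # payload no longer matches its manifest: corrupted or tampered with, skip it
    Snapshot("weekly-2016-11-27", "2016-11-27", b"config-v42", sha256_hex(b"config-v43")),
    # taken after the intrusion began, so restoring it would restore the attacker's changes too
    Snapshot("weekly-2016-12-04", "2016-12-04", b"config-v42+implant", sha256_hex(b"config-v42+implant")),
]


if __name__ == "__main__":
    # Earliest indicator of compromise established by forensics, here 1 Dec 2016.
    print(plan_rollback(SAMPLE_SNAPSHOTS, "2016-12-01"))
    # If the intrusion turns out to predate the oldest retained backup, there is no
    # clean restore point and a rebuild from trusted media is the only safe option.
    print(plan_rollback(SAMPLE_SNAPSHOTS, "2016-11-01"))
```

Run the file directly to see both outcomes. The second call is the Yahoo! situation in miniature: when retention does not reach back before the intrusion, "roll back the clock" is not an option, which is why establishing the real start date of an attack matters as much as detecting it.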


VIP Interview - Cybersecurity Trends

VIP Interview with Mr. Mohit Davar, Chairman of the International Association of Money Transfer Networks: "Cyber security has to go through the same learning curve as compliance"
author: Norman Frankel

It's been more than a year since the famous Bangladesh Bank cyber heist took place. In February 2016, instructions to transfer $951 million from the central bank of Bangladesh to several bank accounts in Sri Lanka and the Philippines were issued via the SWIFT network. Media reports showed that attacks on the network's member banks continued throughout 2016. Given the similarities between SWIFT and the money transfer networks, we approached the Chairman of the International Association of Money Transfer Networks (IAMTN), Mr. Mohit Davar, and talked to him about the lessons IAMTN members can learn from the cyber attacks on SWIFT users in order to prevent similar occurrences on their own systems.

First, we asked Mr. Davar for his assessment of the current status of SWIFT security. "I'm sure every time they go through this they are building more and more controls into their processes and their systems to counteract what has happened," says Davar. "Of course, that does not prevent something new happening, and I think the challenge to SWIFT as a messaging service is that ultimately the quality of their system is only as good as the systems of the member banks. So if the attacks continue to happen because XYZ bank in ABC country has not got the appropriate controls, then I think the SWIFT system still remains vulnerable to a great extent, because the gateway is open. That's a challenge that will take them quite a while to overcome, until all the banks upgrade their systems and make them secure. That's a challenge similar to the one money transfer companies face, particularly those dealing with agents: they can have the best security in their system, but if the agents' systems are not secure, then there is still a chance that somebody is going to break through the agent's gate. That is the risk."

Norman Frankel: Is there a certain type of attack money transfer operators should be particularly aware of, and to which they should give priority when they assess their cyber security needs?

Mohit Davar: When I was in the Middle East there were a lot of attacks on the agents, and the agents had access to the money transfer systems. The transfer systems would then get hacked because the agents were accessing them through web sites that had no real firewall controls. The hackers would penetrate the money transfer companies' systems and make fictitious transactions. They would effectively create a transaction, send it, let's say, from Dubai to Kenya, and the transaction would get cashed out in Kenya. Of course these were fake transactions, but nevertheless the agent and the remittance company would lose the money. That was quite a common thing that was happening, and this was not even digital, this was the traditional agency model. The money transfer industry has lately been moving very much from the traditional to the digital side. And as you move to the digital side,

clearly you are exposing yourself more and more to cyber attacks, and the vulnerability is going to be higher.

Norman Frankel: Are the money transfer companies prepared to deal with this increased vulnerability?

Mohit Davar: My assessment is that the money transfer world in general doesn't take cyber security as seriously as it should. So I think it's very much either not an issue, or it's an issue on the IT departments' plates and it has not really raised its head to where it should be, that is, seen as a key issue by the CEO and the board.

Norman Frankel: What is your advice on this matter?

Mohit Davar: I think companies have to take cyber security seriously and I believe it needs to be dealt with in the same way they deal with compliance. If you go back to before 9/11, compliance was a non-issue. This industry was not really regulated, and it was not high on anybody's agenda. Then we went through a phase where compliance was a burden and we had to do it, there was no choice. Now we are in a phase where it's just integrated into your day-to-day business. Actually, the more compliant you are, the more you have a selling point, not only to your customers, but also to your banks and other stakeholders. I think cyber security has to go through some of the same learning curve. Maybe right now some people have barely thought about this issue, or maybe they are bordering on: "Oh, it's a pain, but we have to go through it". That's not enough. They have to get to the realization that this is part of the puzzle of our business, and just as a shop carrying a lot of cash would look at physical security, an operator doing online transactions should look at cyber security, right? It's got to be one of the key risks that is identified and dealt with, and I don't think that it's in the firms' culture yet. The only time it becomes a higher priority is when it strikes and there is an issue, and then of course it's too late.
Norman Frankel: What practical steps do you recommend to your members, and to the money transfer companies in general, to address this issue?

Mohit Davar: I think this is a real threat to their business, so they are better off not putting it off, but actually getting cyber security up the agenda and making it a priority. They should either build the security capability in-house, which is what large companies do, or look at outsourcing it to companies such as iCyber-Security Group or others. At the very least they should get penetration testing done, and have annual health checks in place on their security systems given the rapid evolution of the threats in the market. They should also get contractors to give them the comfort that their systems are secure or, if they are not secure, bring them up to speed with all the controls they need to put in place to prevent cyber attacks from happening. As they are storing customer data they are regulated, so this is quite a big issue if their system is breached.

Norman Frankel: In Europe the data protection rules are changing in May 2018, as the EU General Data Protection Regulation (GDPR) will enter into force, and substantial fines will exist for companies found not to be compliant with these new rules, in particular for not disclosing breaches. Do you think companies will change their attitude regarding disclosures?

Mohit Davar: I think they will do that, that's not a problem. The challenge is that these will never come into the public domain, because they do not want consumers to know that something has happened, as they don't want consumers to lose trust in their service. So they will make a declaration to the regulator, but that's not public knowledge. If we start to say that the disclosure should be public, in which case it will affect their reputation and their volumes, then maybe they will take it more seriously. I think any Money Transfer Operator in Europe should be looking at these rules and ensuring compliance. But actually these rules may make sense for money transfer operators outside of Europe to take a look at as well, as they are a useful starting reference point for good practice. The USA has also adopted new fines for breaches of data on US citizens that can involve a US$2m fine. Given that so many remittances originate from the USA, this should be another reason for companies in the industry to adopt good working practices.

BIO Mohit Davar is a payments expert and has worked in the industry for over 25 years. He started his career in internal audit at Sedgwick Noble Lowndes and moved to the corporate finance department of Thomas Cook Group. In 1997, he helped set up the joint venture between MoneyGram Inc. (an NYSE-listed company) and Thomas Cook. He ran this JV until 2003, when the 49% held by Thomas Cook was sold back to MoneyGram at a significant valuation. He then set up Travelex Money Transfer, a subsidiary of the Travelex Group, which was sold to Coinstar Inc. (a NASDAQ-listed company) in 2006. He continued to build Coinstar Money Transfer into a very successful global remittance company and sold it to Sigue Financial Corporation in 2011. He then went on to set up his own consultancy and advisory service in Dubai. He joined the Board of Eastnets, a SWIFT service bureau in Dubai, and was involved in various payment and mobile wallet projects in the region. He is now on the Board of, and an advisor to, a number of payment companies. Mohit is the Chairman of the International Association of Money Transfer Networks (the remittance trade body) and a member of the Institute of Chartered Accountants in England and Wales.



VIP Interview with Gian Carlo Caselli

From the countryside directly to cyberlaundering: the agriculture mafia now targets network security
author: Massimiliano Cannata (transcript translated from the original Italian)

«The estimated "turnover" of the agriculture mafia has reached nearly 21.8 billion euros, up from approximately 16 billion euros, according to official data published in 2016. We are talking about a "guesstimate", but it shows a clear 30% increase, and this underlines the gravity of the phenomenon. Organized crime's approach to targeting the agriculture sector has thrown away the "military uniform" in order to adopt "the suit and tie", thus managing to benefit from the advantages of globalization and of the financial world. Besides the inadequacy of the laws, which fail to be fully applied or to restrain the practices developed by the agriculture mafia, it is the capillary reach of the many joints within this kind of crime that makes this sector attractive.»

The Prosecutor Gian Carlo Caselli, President of the Scientific Committee of the Observatory for agro-food crimes, has been working for decades in the fight against organized crime and terrorism.


In this interview he presents the most recent findings published in the fifth edition of the "Rapporto Agromafie", an initiative created by the Eurispes President, Gian Maria Fara, and developed in collaboration with Coldiretti [the association of agricultural entrepreneurs, which brings together more than one and a half million members – Ed.].

Massimiliano Cannata: Mr. Prosecutor, illicit affairs in the agro-food sector are in full growth. Which are the most feared aspects?

Gian Carlo Caselli: Firstly the "chameleonic" phenomenon, in other words the ability of mafia branches to transform themselves, which cannot be fought under the schemes we have followed in recent decades, for that would be counter-productive. Nobody denies the historical origins of a phenomenon belonging to our southern Italian regions, which over the years has demonstrated its ability to implant itself in the vital cells of the big cities of the center and north of our country. However, at the moment, the most feared phenomenon is "the silent mafia", which proliferates by adopting a modus operandi totally different from all the methods used in the past.

To understand the transformation process we are witnessing at present, let us look at the cyberlaundering phenomenon, i.e. the online laundering of money coming from criminal activities.

Massimiliano Cannata: What does this mean, precisely?

Gian Carlo Caselli: It means that the "new" mafia no longer extorts supermarkets or car dealership owners; on the contrary, they team up with them or even take over their entire business, obtaining in this way "clean" channels for money laundering. The new crime knows how to exploit the possibilities offered by the Internet and the digital age, which has come to be a sort of accelerator. If in the past the mafia groups secured their income through "gangster" behavior, by imposing a "pizzo" (protection money) in exchange for the "protection" offered, today they have themselves become "entrepreneurs", in the process of completing a "normalization" strategy. A crime which is being carried out using the Internet. As always, the purpose of money laundering has been to distance money from its real source through a series of operations intended to prevent the origin of the income from being traced. With the Internet, the distance between the money launderer and the capital keeps growing, and investigations targeting the suspects become more complex.

Massimiliano Cannata: What are the consequences of such a radical mutation?

Gian Carlo Caselli: The consequences are clear: even the concepts of "mafia" and "mobster" have changed, now incorporating new areas that require new legislative frameworks, in step with the "new" crime now hidden behind management boards, holding companies, international funds and consulting agencies, as well as behind the formal shield of politics and public institutions, as is often the case.

From Kalashnikov to virtual networks

Massimiliano Cannata: What characterizes the strategy adopted by criminal organizations in the agro-food sector, organizations that possess extraordinary knowledge in the use of new technologies?

Gian Carlo Caselli: In the agro-food sector we are witnessing, among other things, the birth of a parallel economy. As for the cyberlaundering phenomenon we have already talked about, the activity is reduced to a single virtual and dematerialized operation, where illicit money laundering finds ideal conditions for development. Organized crime has quickly accessed the world of technology, moving from Kalashnikovs to more sophisticated weapons, like botnets, those networks that can control tens of thousands of computers and which can be used for online attacks against companies and organizations.

Massimiliano Cannata: These are delicate techniques that require bringing together different profiles and skills. In addition to the change in methods and strategies, are we facing a generational change, with a "qualitative leap" in the new organized crime?

Gian Carlo Caselli: We have to emphasize that the Internet and the web allow organized crime in all states to extend its operating territory, providing opportunities and perspectives that not so long ago were hard to imagine. This has resulted in an updated profile and identity for the "old mafia". Furthermore, it should be stressed that the web is a "free zone" able to offer the guarantee of safety and anonymity, a "grey area" which offers the possibility to commit various types of crime. Network security, in this new context, retains its natural importance, but becomes an important method when dealing with a criminal strategy which no longer has borders and is becoming increasingly threatening.

BIO Gian Carlo Caselli was born in Alessandria, Italy, in 1939. After receiving his law degree in 1964, he was a voluntary assistant at the History of Italian Law Department of Turin University. In 1967 he joined the judiciary as a trainee magistrate and, in the early 1970s, became a judge at the Turin Courthouse. In this capacity, until 1986, Caselli built cases (initiated by himself, then joined by other magistrates) on the investigations into the terrorist activities of the Red Brigades and Prima Linea in Turin, Genoa and Milan. In 1992, he was appointed President of the Court of Justice, Turin. In 1992, following the mafia attacks at Capaci and via d'Amelio, which took the lives of Judges Giovanni Falcone and Paolo Borsellino, Caselli asked to be appointed Chief Prosecutor of the Italian Republic at the Palermo Courthouse. He placed all his experience in the fight against organized crime at the service of the country and took on the fundamental mission of countering the mafia. Once his mandate in Palermo concluded, Caselli continued his career with the same passion and fulfilled other senior roles, also at the international level. In 1999 he became Director of the Penitentiary Administration Department; in 2001 he was a member of the European Union's Judicial Cooperation Unit (Eurojust); and in 2002 he became Prosecutor General of the Italian Republic at the Turin Court of Appeal. His commitment continued in Turin, where, with the unanimous support of the High Council of the Judiciary, he was appointed Chief Prosecutor, replacing Judge Marcello Maddalena. Continuing his vocation to spread a culture of legality, he has been, since 2014, President of the Scientific Committee of the Coldiretti Foundation "Observatory for agriculture and agro-food sector crimes". He served as President of the Commission for the elaboration of intervention proposals for the reform of criminal offenses in the agro-food sector (D.M. 20.4.2015), set up by the Minister Andrea Orlando. The work of the Commission concluded with the submission to the Minister of a 49-article draft, each article including guidelines to be followed in the reform process.



Massimiliano Cannata: A crime that stands out for its ability to "commercially" penetrate new markets. Do you think this is something unusual?

Gian Carlo Caselli: In fact, that is exactly what is going on. With an unsuspected marketing talent, the mafia groups first transferred their traditional structures: the pyramidal management structure and the many other exploitation schemes and forms. At present, they affect the market by establishing the price of crops and by controlling the distribution and sorting systems of entire supermarket chains; they manage the export of Made in Italy goods, both original and counterfeit; they set up production lines abroad for "Italian-sounding" products; and they go as far as establishing networks of grocery shops.

Network security: a strategic advantage in incident response

Massimiliano Cannata: Are you referring to what we call the "liquid mafia"?

Gian Carlo Caselli: It is the most appropriate definition, capturing the ability of organized crime to infiltrate everywhere, just as water does. The members of the mob groups adopt ever more diverse schemes, managing to benefit from significant capital coming from EU funding. We just have to recall that the Guardia di Finanza (the Italian financial police), during 2016, confiscated 137 pieces of land and mapped 29,689 pieces of land belonging to organized crime groups. Also in 2016, the same institution seized economic goods worth 150 million euros and confiscated 35 million euros of unlawfully obtained public funding.

Massimiliano Cannata: The innovations do not stop here. High frequency trading is another keyword that should be taken into account from now on. Can you provide a synthesis regarding this matter?

Gian Carlo Caselli: It is an increasingly accessible tool for organized crime, which allows stock exchange transactions at very high speed, operated automatically on the basis of algorithms. These are speculative operations carried out with significant amounts of money in order to influence share prices. We are faced with hyper-technological devices, able to issue on the market, in record time, a high flux of orders, sometimes exceeding 5,000 operations per second. A sort of automatic insider trading whose operations are very difficult for investigators to trace.

Massimiliano Cannata: How do these criminals operate?

Gian Carlo Caselli: Because of the speed of high frequency trading, banks and financial operators currently act on multiple regulated platforms, such as the stock exchange, but more often in completely uncontrolled areas, such as over-the-counter (OTC) platforms, which allow purely speculative profits. Thanks to the speed of operations, the operators place, modify and cancel millions of orders a day, in order to speculate on the minimal differences between the selling and purchasing prices.

Massimiliano Cannata: Are speed and control of the network still the sources of these illegal actions?

Gian Carlo Caselli: The central point is actually speed: the algorithms, which become increasingly complex, can "read" the orders for a given product placed by competitors on the different markets. During the extremely short timeframe between the placing of an order and its recording in any of the market transaction logs (the telematic display containing the sale or purchase bid, the quantities, the price and the operator), mafia groups flood the markets with orders for the same product on different platforms, managing to negotiate the most convenient price for themselves. These thousands of orders aim to drive the price of a product up or down and, once the negotiations are concluded, they are cancelled within a few fractions of a second. The speed of these operations is so high that the supervisory bodies of the various states estimate that only 10% of the orders placed via high frequency trading serve their stated purpose; the remaining 90% are cancelled.

Massimiliano Cannata: What kind of measures can be taken in the fight against these very complex and well-developed phenomena?

Gian Carlo Caselli: The complexity of the criminal phenomena network has reached very high levels. At the moment, we are focusing our efforts on mapping the level of penetration of criminal activities in the agro-food sector. This is in order to obtain a "Permeability Index", which can help us better understand the vulnerable areas of our field of action and initiate more effective prevention and protection activity suited to our times. We are facing a transnational problem, while the supervisory authorities only have national jurisdiction, so none of them has a complete view of the activities of high frequency trading operators. Obviously, it is time to start implementing investigation and risk and vulnerability prevention strategies, through intelligence services with transnational competencies which are in charge of implementing effective cyber-security strategies. Only if we manage to bring together the fight against the mafia will a horizon of freedom open up for our country. We are engaged in a game which we are not allowed to lose.


Introduction to the EU General Regulation on Data Protection (GDPR)

author: Isabelle Dubois, expert on data protection, member of the CLUSIS Committee (translated from the original French-language article)

Adopted on April 27, 2016, this ambitious and future oriented Regulation will be directly applicable in each of the European Union Member State as of May 25, 2018. It contains 99 articles and is structured in ten large chapters, which include general provisions, applicable principles, the rights of the data subject, the question of the controller and the processor, the issues of transfer of personal data to third countries or international organizations, the independent supervisory authorities,

BIO Lawyer by profession and former cantonal Judge, Isabelle Dubois was the first attachĂŠ working in the field of data protection and transparency in the canton Geneva. Since January 2014, she works with various organizations as an independent collaborator for Ad Hoc Group Resolution and writes reports and guidelines in the field. She teaches data protection within the University of Geneva and HES-SO Lausanne.

the cooperation and coherence rules, the ways of appeal, the liabilities and penalties, the provisions regarding specific data-processing situations, delegated and implementing acts, and lastly, final provisions. This article presents the summarized essence of this Regulation, as it is described in the introductory part of the document which precedes the articles themselves. To complete, reference to the full regulation is made. The objective of this Regulation is to strengthen the rights of individuals regarding data protection and to facilitate the free flow of personal data in a single digital market, in particular by decreasing the administrative burdens. Its foundation is based on the compliance with all the fundamental rights and principles documented in the Charter of Fundamental Rights of the European Union, recognized in the Treaties, and in particular the respect for private and family life, the right for residence and communications, the right to the protection of personal data, the right to freedom of thought, conscience and religion, the right to freedom of expression and information, the freedom to conduct a business, the right to an effective remedy and to a fair trial, as well as respecting the cultural, religious and linguistic diversity. The Regulation starts from a finding: the technological developments and globalization “require a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market�. It is stated that the individuals should have control over their own personal data, and the legal and concrete security of individuals, economic operators and public authorities should be strengthened. For its application, the Regulation allows Member States a maneuver margin in specifying its procedures, also in regard with the processing of sensitive data. 
The effective protection of personal data throughout the Union requires not only strengthening and setting out in detail the rights of data subjects and the obligations of those who process and determine the processing of personal data, but also equivalent powers for the competent authorities for monitoring and ensuring compliance with the rules for the protection of personal data, and equivalent sanctions for such offenses in the Member States.


Focus - Cybersecurity Trends

Adopted on April 27, 2016, this ambitious and forward-looking Regulation will be directly applicable in each European Union Member State as of May 25, 2018. The Regulation should ensure an identical standard of protection for individuals throughout the territory of the Union. There may be some exceptions for microenterprises and SMEs.

The field of application is also established. Thus, the Regulation will be applicable: to natural persons, whatever their nationality or residence, with regard to the processing of their personal data, regardless of the technology used; to the processing of personal data by automated means, as well as to manual processing if the personal data are contained or intended to be contained in a filing system; in the case of personal data processing by a state agency, Regulation 45/2001 is applicable, to which the necessary amendments should be made; it will not be applicable to the processing of personal data by a natural person in the course of a purely personal or household activity, with no connection to a professional or commercial activity, but will be applicable to controllers or processors which provide the means for processing personal data for such personal or household activities; it will not be applicable to the processing of personal data by the competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, including safeguarding against and preventing threats to public security, which is the subject of a specific Union legal act; to any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing itself takes place within the Union. Establishment implies the effective and real exercise of activity through stable arrangements.

Infographic of the European Union © European Union

to the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union, where the processing activities are related to offering goods or services to such data subjects, irrespective of whether a payment is required; to the processing of personal data related to the monitoring of the behavior of such data subjects insofar as their behavior takes place within the Union; to a controller not established in the Union but in a place where Member State law applies by virtue of public international law, such as a Member State's diplomatic mission or consular post; to any information concerning an identified or identifiable natural person, including personal data which have undergone pseudonymisation and which could be attributed to a natural person by the use of additional information, by means reasonably likely to be used either by the controller or by another person to identify the natural person, but not to anonymous information, including for statistical or research purposes. Pseudonymisation is encouraged. As to the personal data of deceased persons, Member States may provide for rules regarding their processing.

Then the definitions and specific characteristics are described. Consent should have the following characteristics: it should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her (such a statement should be provable); the "opt in" concept is promoted, as opposed to "opt out"; for consent to be informed, the data subject should be aware at least of the identity of the controller or the processor and of the purposes of the processing for which the personal data are intended; consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment. No clear imbalance between the data subject and the controller should exist (this also applies between a person and a public authority); data subjects should be allowed to give their consent to the extent allowed by the intended purpose, except for data processing for scientific research, in which case their consent to only certain areas of research or parts of research projects will suffice. Personal data concerning health are also defined, as "all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject.
This includes information about the natural person collected in the course of the registration for, or the provision of, health care services; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test”.

The principles are then detailed: any processing of personal data should be lawful and fair; it should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed, and to what extent the personal data are or will be processed. The information should be easily accessible and easy to understand, using clear and plain language. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing, the rights in relation to the processing of personal data, as well as the risks, rules and further information needed to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of the personal data concerning them which are being processed. The specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of collection of the personal data. Processing for another purpose is admissible if it is compatible with the purpose for which the personal data were initially collected (e.g. archiving); the personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. The period for which the personal data are stored should be limited to a strict minimum; time limits should be established by the controller. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.
Personal data which are inaccurate should be rectified or deleted; personal data should be processed in a manner that ensures appropriate security and confidentiality, including preventing unauthorized access to or use of the personal data and of the equipment used for the processing. It can easily be seen that this Regulation reinforces several rights: the right of access of the data subject, including the "right to be forgotten"; the data subject's ability to regain possession of their personal data; the responsibilities of the controller and the processor; the role of the data protection officer and that of the supervisory authorities; and the penalties applicable to offenders.



Cyber-attacks on fintech companies

author: iCyber-security team

What are the costs associated with a data breach or a cyber attack on a fintech company? Have these costs been increasing or decreasing? Are the direct financial losses (fraud from customers' accounts) bigger than operational and reputational losses? What techniques have the attackers used in recent security incidents? As the number of cyber attacks against financial services groups in the UK has reportedly soared in the past couple of years, these questions are prompting increased concern among fintech companies. In this article we look at some recent major cyber security incidents and see what we can learn from them.

Mobile banking: 2017 infographic © FICO

In April this year, the payday lender Wonga suffered a large data breach: personal data belonging to 270,000 clients from the UK and Poland were stolen. The breach generated undisclosed operational and reputational losses, but the company did not report any fraud from the affected customers' bank accounts and was not fined by the Information Commissioner's Office (ICO). Wonga did not explain how the breach occurred; however, Marco Essomba, the iCyber Security founder, believes the method used was SQL Injection, which consists of passing malicious input to a web application so that the application executes attacker-supplied commands against its database to steal data. In January 2017, Lloyds, Halifax and Bank of Scotland were, for several days, victims of a distributed denial of service (DDoS) attack, which flooded their web sites with large volumes of artificial traffic and caused delays in online services for thousands of customers. No fraud occurred and no personal data was reported to be stolen in the attack, which did not prompt an ICO fine either. Media reports attributed the attack to a group of hackers who tried to extort a ransom of 100 Bitcoin (£75,000 / $94,000) from a Lloyds top executive, in exchange for stopping the attack and revealing the security flaws they had identified at the online banking portals. Last November, Tesco Bank suspended online transactions for all its 136,000 customers after a cyber attack that resulted in £2.5m being stolen from around 9,000 current account holders. The bank did not reveal how the cyber theft was done. Some experts suggested the fraudsters found a vulnerability in its app; others believed the attackers succeeded in obtaining debit card details, or attributed the heist to a possible security issue at a third party connected to Tesco. A YouGov report estimated that Tesco needed 55 days to recover after the attack and 14 weeks to return to the pre-crisis brand index buzz score.
In September and October 2016, several Indian banks were hit by a cyber attack that forced them to either replace, or ask users to change the security codes of, as many as 3.2 million debit cards. In addition, some customers complained that large sums of money had been taken from their accounts. The banks targeted were State Bank of India and its subsidiaries, Axis Bank, HDFC Bank, ICICI Bank and Yes Bank. The breach was apparently carried out through a virus or malware infection at one of the companies that operate ATMs in India. These incidents look small in comparison with the cyber heist carried out in February 2016 on the Bangladesh Central Bank (known as Bangladesh State Bank), when $81 million was embezzled. Bangladeshi diplomatic sources revealed that hackers used Dridex malware to retrieve administrator-privileged credentials from the computer of a central bank official, which they then employed to make payments via SWIFT. The attackers ordered $951 million worth of transactions, of which they managed to actually transfer some $81 million. Of this, about $38 million was eventually recovered.

The Bangladesh Central Bank attack © BAE

While none of the recent known cyber security incidents generated such major losses, a report on the state of IT security in the financial sector, issued in March this year by Kaspersky Lab, estimates that the average cost per serious incident is $988,000 for banks and $926,000 for financial firms in general. The report lists incidents involving the exploitation of vulnerabilities in point-of-sale systems as the costliest, at an average of around $2 million, followed by attacks on mobile devices (some $1.6 million) and targeted attacks ($1.3 million). The report indicates that the estimated costs take into account compensation payouts to customers, lost business, damage to product premiums, additional wages for internal staff and expenses related to employing external professionals, including PR to repair brand damage. The prevention of future breaches, when customers' data were actually stolen, generates additional expenditure on infrastructure and software improvements, along with the hiring and training of new staff. The key advice Kaspersky Lab offers this year to fintech companies who want to avoid falling prey to cyber attacks includes: increased awareness of targeted attacks likely to be conducted through third parties; proper consideration of less sophisticated threats, which can cause huge losses at mass scale; regular penetration testing (and health checks), to identify unseen vulnerabilities; emphasis on protection rather than compliance in the allocation of IT security budgets; and adequate attention to insider threats, as some employees can be exploited by cyber attackers, or in some instances even decide to become criminals themselves.

The result of the AIG study published in May 2017 © AIG

The highly digitized environment in which fintech companies operate brings massive business opportunities. At the same time, it enables cybercriminals to constantly try to steal credentials in order to make payments or purchases and gain access to customer accounts. Hackers have access to advanced tools and can change attack patterns by using new combinations of attack vectors. The spectacular increase in the use of mobile devices for online banking and access to financial services has added new challenges and concerns to the cyber security agenda of fintech operators. The UK consistently ranks as a top cyber attack destination, although many organizations do not report the full extent of attacks for fear of bad publicity and loss of brand confidence. Given the wide range of losses generated by the attacks (business disruption; revenue and information loss; reputational and equipment damage) and the magnitude of the costs, it is clear by now that cyber security is no longer an IT issue but has become a boardroom issue. With data protection rules changing in May 2018 (GDPR) and the introduction of fines for failing to report breaches to the local ICOs, there is likely to be a substantial rise in the number of reported breaches, which today is probably only the tip of the iceberg, as many such events still go unreported and undisclosed. In conclusion, this is a sector which for a number of years will only see a further increase in media attention, drawing in more opportunistic attacks and placing even greater strain on the already desperate shortage of skilled defenders.



The O2 SS7 attack

A banking fraud successfully executed in Germany last month by hacking the O2 Telefonica network was the news the mobile industry had been dreading. Steve Buck of Evolved Intelligence explains why it might turn out to be good news after all.

author: Steve Buck, Product Director, Evolved Intelligence

The start - or the beginning of the end?

In May, O2 Telefonica in Germany confirmed that it had been the victim of a mobile network hack that led to an undisclosed number of the operator's customers having their bank accounts emptied by fraudsters. The criminals had hijacked the SMS-based two factor authentication systems that are used by so many banks. The hack took advantage of the signalling system called SS7 that mobile operators use to interconnect; it is the part of the global network that effectively enables mobiles to be mobile. In April last year, the vulnerability of this part of the network was highlighted on the US TV show 60 Minutes, having earlier been publicly demonstrated at the Chaos Computer Congress in 2015. The equipment needed to access SS7 used to be both too costly to buy and required technical expertise to use. That limited protection is no longer in place: the tools, techniques and even a service are all available and being "openly" traded for very little money on the dark web. By hacking into the network signalling, fraudsters can not only locate and track mobiles, they can also snoop on your activity by intercepting your phone communications. That ability to divert mobiles was the security weakness central to the theft in Germany. According to confirmed reports on the O2 incident, the fraudsters first used traditional banking-fraud phishing techniques and spyware to infect account holders' computers in order to steal account details, passwords and other personal information. Once they had access to the customers' online accounts they could then view and target the accounts with "rich pickings". The crime then involved diverting the account holder's mobile to the fraudster's own handset, so that, in the middle of the night, they could look to empty those accounts. When the bank sent an automated SMS with the mobile Transaction Authentication Number (mTAN), it was received by the fraudsters, not by the customer. Armed with that, the criminals could authorise transfers to their own, well-hidden accounts, and could then remove the mobile divert. Removing the divert after the theft also helped to cover their traces and delay the discovery of the theft.

O2 in Germany confirmed that the attack had taken place and said in a statement to the newspaper Süddeutsche Zeitung that: "Criminals carried out an attack from a network of a foreign mobile network operator. The attack redirected an incoming SMS message for selected German customers to the attackers." This is the first mass incident of SS7 signalling fraud, and consumers are still largely unaware that it can happen. The banks and the mobile operators are, however, getting nervous and looking for ways to counter the threat. Recently, Vodafone's CEO Vittorio Colao admitted that the issue of cyber security was one that "kept him awake at night." Colao said that a pan-European approach was needed to stave off the threat of cyber criminals and called for "much larger collaboration between companies across sectors to create a more integrated cyber-defence system." There's no doubt that operators and enterprises are fighting a cyber security war across many fronts: on their IT systems, their devices and their networks. Hackers will evidently use whatever mechanism they can to attack systems, steal data, cripple operations and defraud businesses and consumers. With the rise of the Bring Your Own Device environment, it is no longer enough for companies to seek to protect the traffic on their IP backbone; end-to-end security over the mobile network is also required. It's a requirement that is well recognised in the US by Congressman Ted Lieu, who has been pressuring US regulators to act on the SS7 weakness. When the US House of Representatives announced it would begin protecting the mobile devices of members of Congress and their staff with endpoint security to help identify threats such as unsecured WiFi connections and malicious apps, Lieu welcomed the move but still described Congress's cyber security as "a locked building with an open window." "Members of Congress and their staff are hugely dependent on mobile devices to do our work, but those phones are not adequately protected," Lieu said. The Congressman is well aware that simply shutting the open window by protecting the device is not enough when the network itself remains vulnerable. Of course, Congressman Lieu is quite personally invested in the SS7 security story, as it was his phone that was publicly hacked on the '60 Minutes' TV programme. Naturally, he was quick to react to the news of the SS7 attack in Germany. "Everyone's accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw," he said. Meanwhile in Germany, rival operator Deutsche Telekom was quick to reassure its customers that such an attack could not happen on its network. A statement on the DT website said that it had become one of the first telecommunications providers worldwide to implement an SS7 firewall that would have blocked and prevented the O2 attack. The signalling weakness is a legacy of the "trusted network" relationships that existed before the telecoms market became so open. It's a weakness that is also made greater by the sheer size of the market today. To give an idea of the scale, our own signalling firewall can be installed as a software addition to the Network Interface Units (NIFs) that we have deployed in some 60 operator networks around the world. These NIFs support the roaming value added services we provide to operators. Across our systems, we are currently seeing somewhere in the region of 12 billion SS7 signalling messages every day.
Apart from the scale, the other challenge is that the fraudulent signalling messages often imitate some of the messages that drive genuine value added services which generate revenue for the operator. The messages that drive those services differ from normal signalling, so the systems need to distinguish between those unusual signals and the unsafe ones: the harmless from the harmful. The number of messages we see that are unusual but safe by far dwarfs the number of fraudulent ones. Nevertheless, we would still put the number of potentially fraudulent messages at a level of around one per second on every network in the world. Accurately stopping those harmful messages without disrupting normal network traffic is the challenge that the signalling firewalls need to meet. We are confident that the signalling firewalls we are providing to operators would have caught and blocked the O2 attack; indeed, one of our firewalls did stop such an attack at about the same time as the O2 incident. One way we can do that is by taking a measure of distance and velocity to make a judgement on the location updates that were behind the O2 attack. A mobile signalling in Germany one evening cannot legitimately be signalling a short while later from an island in the Pacific or the Caribbean, for example: the subscriber could not have travelled that distance in that time. But, as Vodafone and Deutsche Telekom have pointed out, measures taken by individual operators represent only a limited solution. It will take concerted action by the whole industry to properly protect against fraudsters looking to exploit SS7 signalling weaknesses. Maybe this first confirmation of the type of fraud attack that the mobile industry was fearing might be the catalyst that accelerates the roll-out of protection. Rather than the start of something bad, let's hope it signals the beginning of the end.

Steve has over 30 years' experience in mobile telecoms in engineering and marketing roles for both equipment manufacturers and mobile operators. He has experience of fraud, identity and risk products for enterprises including banks, retailers, the public sector and other verticals. In the 1980s Steve worked for Racal Research (which spawned Vodafone) doing R&D for what was to become GSM technology. He developed the hardware and real-time software for the UK testing of the technology, making the first GSM call in the UK in 1986. He joined Motorola in 1988, leading the definition of the GSM standards for phase 1 and 2 into the early 90s, heading up Motorola's GSM firmware development and managing the development of new base stations. He joined Aethos in early 1995 as product director, running marketing, product management and development, supporting several tens of millions of prepay subscribers. Logica acquired Aethos in 1998. Steve continued to lead prepay, delivering the first network solution for prepay messaging, and subsequently ran product management for MMS at Logica. Steve was VP Products for T-Mobile (UK) from 2004 to 2009, launching a number of innovative and prize-winning services including the first true mobile internet service in the UK. Steve joined NSN (Nokia networks) in 2009, where he ran the $200M customer experience business. After a brief stint with Amdocs in OSS, Steve ran Product Management for Equifax, a credit reference agency, selling risk, fraud and identity solutions to a variety of enterprises including banks, financial institutions, retailers, telecom operators and public sector organisations. Steve joined Evolved Intelligence in 2015.
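The distance-and-velocity judgement described above, as an added example rather than Evolved Intelligence's firewall code: it replays a subscriber's SS7 location updates in time order and flags any hop whose implied ground speed is implausible, keeping the last accepted location as the baseline so a rejected update does not poison the next check. The IMSI, coordinates, timestamps and thresholds are constructed assumptions.

```python
"""
Velocity check on SS7 location updates, modelled on the O2 case.
Added example: the IMSI, coordinates, timestamps and thresholds are
constructed, not operator data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0            # about airliner speed (assumed policy value)
MIN_INTERVAL = timedelta(minutes=1)   # below this, distance alone decides
JITTER_KM = 50.0                      # tolerance for location granularity (assumed)


@dataclass
class LocationUpdate:
    """One UpdateLocation-style event: which subscriber, when, from where."""
    imsi: str
    when: datetime
    network: str      # label of the visited network that sent the update
    lat: float
    lon: float


@dataclass
class Verdict:
    update: LocationUpdate
    distance_km: float            # from the last accepted location
    implied_kmh: Optional[float]  # None when the interval is too short to judge
    suspicious: bool
    reason: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on the Earth's surface."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def check_updates(updates: List[LocationUpdate]) -> List[Verdict]:
    """Replay a subscriber's location updates and flag implausible hops.

    Each update is judged against the last *accepted* location. A flagged
    update does not become the new baseline, so a later genuine update is
    still compared with where the phone really was.
    """
    verdicts: List[Verdict] = []
    baseline: Optional[LocationUpdate] = None
    for u in sorted(updates, key=lambda x: x.when):
        if baseline is None:
            verdicts.append(Verdict(u, 0.0, None, False, "first update, no baseline"))
            baseline = u
            continue
        dist = haversine_km(baseline.lat, baseline.lon, u.lat, u.lon)
        elapsed = u.when - baseline.when
        if elapsed < MIN_INTERVAL:
            # Too little time for a meaningful speed: a large jump in
            # (almost) no time is itself the signal.
            suspicious = dist > JITTER_KM
            reason = "large jump within MIN_INTERVAL" if suspicious else "re-registration, same area"
            verdicts.append(Verdict(u, dist, None, suspicious, reason))
        else:
            kmh = dist / (elapsed.total_seconds() / 3600.0)
            suspicious = kmh > MAX_PLAUSIBLE_KMH
            verdicts.append(Verdict(u, dist, kmh, suspicious, f"implied {kmh:.0f} km/h"))
        if not suspicious:
            baseline = u
    return verdicts


# Constructed sample: a German subscriber's day, including an evening
# "visit" to a Caribbean network the phone cannot really have reached,
# the divert being removed, and a second jump seconds later.
_IMSI = "26207XXXXXXXXXX"  # placeholder, not a real subscriber
SAMPLE_UPDATES = [
    LocationUpdate(_IMSI, datetime(2017, 5, 1, 8, 0), "DE-home", 52.520, 13.405),    # Berlin
    LocationUpdate(_IMSI, datetime(2017, 5, 1, 13, 0), "DE-home", 48.137, 11.575),   # Munich
    LocationUpdate(_IMSI, datetime(2017, 5, 1, 22, 10), "DE-home", 52.520, 13.405),  # Berlin
    LocationUpdate(_IMSI, datetime(2017, 5, 1, 22, 40), "XX-caribbean", 17.970, -76.790),
    LocationUpdate(_IMSI, datetime(2017, 5, 1, 23, 30), "DE-home", 52.520, 13.405),  # divert removed
    LocationUpdate(_IMSI, datetime(2017, 5, 1, 23, 30, 20), "XX-pacific", -17.700, 178.000),
]

if __name__ == "__main__":
    for v in check_updates(SAMPLE_UPDATES):
        flag = "BLOCK" if v.suspicious else "allow"
        print(f"{v.update.when:%H:%M:%S} {v.update.network:13} {v.distance_km:8.0f} km  {flag}  ({v.reason})")
```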



Time to move beyond Cyber-fear

There's no shortage of news when it comes to data breaches. Every day we face new headlines where trusted brands and institutions have fallen foul of the fraudsters. And these high-profile incidents are just the tip of the iceberg.

author: Alison Hanley

The introduction of Europe's new General Data Protection Regulation (GDPR) next year, which mandates that all data breaches must be reported, will help reveal the true scale of the problem. While transparency is good, it could also send many organisations into a frenzy of activity where strategy is driven by fear and investment is focused on "lock-out" technology which creates more friction for users. This will be exacerbated by a lack of positive cyber planning and skills development, which is already a major issue for the UK.

Experts highlight the issues

According to a recent iCyber-Security research report, feedback from 10% of the UK's top independent cyber consultants revealed that fear, poor skills and knee-jerk reactions to breaches are the norm when it comes to safeguarding Britain's digital assets. Unsurprisingly, it suggests that too many vulnerabilities are still down to poor practice such as weak passwords, a common starting point for many breaches. Much of this could be down to a failure to invest resource, time and effort in enterprise training on security and user safety, and to the underlying shortage of good cyber skills and expertise in the UK. All too often it seems to take an incident of fraud or data loss to escalate cyber-security up the agenda of company boardroom priorities. The iCyber-Security study reinforces this by confirming that 43% of cyber consultants believe that training and skills are the biggest cyber challenge facing UK business. A staggering 93% feel there is currently insufficient investment in cyber security, and the same percentage pointed out that cyber-investment is being propelled by "threat". Finally, 40% indicated that negative media coverage of breaches, and 30% that a lack of skilled resource, was driving cyber-outsourcing. So, what's going on and where are the majority of the threats coming from? It seems that application-level and Distributed Denial of Service (DDoS) attacks are deemed the most common forms of attack, with "weak passwords" the most widespread vulnerability. Looking to the future, 40% of cyber security consultants expect to see ransomware, and 30% identity harvesting, become more prominent in the next 2-3 years, with cloud services and connected devices (IoT) becoming the areas most frequently targeted.

BIO Alison Hanley is a freelance marketing consultant specialising in fintech, cloud, mobile services and cyber-security. With a career spanning 25 years, she has worked with some of Europe's leading consumer and business-to-business IT brands.

Increased regulation and consequence

For many organisations the situation hasn't been helped by the lack of regulation in the industry. Few would argue that more protection is not needed for consumers and for businesses. The new EU GDPR regulation, which comes into effect from 25th May 2018, is considered long overdue by some consultants. However, many businesses, especially SMEs, are not prepared for this regulatory change and for the new 72-hour breach notification and handling requirements involved. Failure to comply will come at a heavy price, with mammoth fines of up to 4% of annual global turnover. For large and small organisations alike, this could be a crippling blow when added to the loss of business and reputation.

Taking a positive stance

As our digital world grows, so will the incidence of cyber-crime and the inevitability of breaches. It's completely understandable that UK organisations feel threatened by the scale, complexity and consequences involved in securing their data. However, it's vital that enterprises don't allow a negative attitude to cyber-investment to exacerbate the situation. It's time to make cyber-investment a "positive choice" and not one driven purely by reactivity or compliance. At present 80% of cyber security investment is focused on 20% of the threat. There has to be a more considered and thoughtful approach to balance this and to reallocate investment where it can have the biggest impact. Organisations must ditch their reluctance to talk about their security externally. All too often, specialist help is sought AFTER data has been compromised, when the horse has already bolted! It makes much more sense to assess, plan and remove vulnerabilities BEFORE a breach occurs. Many cyber-security experts believe that risk could be reduced if they were brought in earlier, when systems and processes are being designed. This would allow them to optimise infrastructure and investment, make IT more productive and prevent future risk through technical innovation, best practice and comprehensive cyber security training.

Closing the skills gap

This leads us to the real nub of the issue: the crippling shortage of cyber security professionals that is threatening businesses in the UK, where more than two thirds of companies are already struggling to recruit the levels of staff necessary to defend against major attacks. Almost half of British businesses say that the skills shortage has a "significant impact" on their customers and has caused breaches of their computer systems. This is symptomatic of the global shortfall of security experts, which is expected to reach 1.2 million by 2020 and increase 20% to 1.8 million by 2022, according to industry association (ISC)². It's essential that Britain PLC invests quickly in expanding the pool of accredited cyber security professionals. Fraudsters and cyber criminals have no boundaries, so companies need broader cyber security strategies and better qualified expertise to protect their brands and safeguard their businesses today and tomorrow. While most businesses have at least some basic technical controls, such as firewalls, patched software and anti-malware programs, few are aware that they can be certified for having the full range of controls required.

Nurturing national talent

Even before the recent NHS breach, the UK Government had recognised cyber-security as a national issue, not just for business but also for our infrastructure. In February this year, it opened the National Cyber Security Centre (NCSC) to provide a clearer focus in defining the National Cyber Security Council's (NCSC) role in preventing attacks. 12 separate teams from central government are now charged with tackling or preventing potential cyber threats. In terms of boosting skills, the Government has also teamed up with the British Computer Society to introduce cyber security modules into computer science degrees, giving an extra 20,000 people skills a year. At the same time, it has made a £20m investment in a new cyber curriculum, to give thousands of the best and brightest young minds the opportunity to learn the latest cyber security skills alongside secondary school studies through extracurricular clubs. It hopes that these will help identify and inspire future talent to help prepare Britain for the challenges it faces ahead. In addition, there are now dedicated training facilities for accredited experts to increase their knowledge and expertise. For example, the Thames Valley based iCyber-Academy supports a broad range of vendor certifications and training programmes, as well as running regular skills workshops and online training schemes for both in-house cyber-security professionals and external consultants. It is seeing demand for its courses rise as more businesses, individuals and educational institutions sign up for skills development.

Rewriting rules from the top

It would be easy for businesses to feel overwhelmed by the threat and aftermath of data breaches, and for staff and customers to feel anxious about the consequences. However, by treating cyber-security as a "people" issue and not purely as an IT issue, organisations can gain some control. Through adequate training they can equip their staff to mitigate risk and encourage customers to manage their security settings, passwords, etc. more effectively. By adopting a more proactive approach, not just a reactive response, and by broadening out their investment to include specialist independent security consultants as well as IT support, there is no reason why they cannot reduce their vulnerabilities. Many of these changes must come from the top. That means the C-suite needs to take some ownership of the issue and make it an active part of their regular business discussions, encouraging and supporting cybersecurity initiatives, creating cross-functional teams and empowering employees with suitable resources. To truly change attitudes to cyber security, "creating a safer digital world" needs to become a cornerstone of how we do business: not as something to be feared, but as something to be embraced, celebrated and invested in by all.


Trends - Cybersecurity Trends

Digital identity and the right to be forgotten

The vast majority of information and personal data that constantly circulates on the web has made our digital identity less under our control and, at the same time, has significant repercussions on day-to-day real life.

author: Michele Gallante. Translated from the original article in Italian

The constant and spasmodic use of applications and devices connected to a network irreparably affects people’s behaviour: in a brief instant they share personal information without considering the consequences, or how difficult it is to remove such data from the virtual world. Once uploaded, a file on the web is almost impossible to eliminate completely.

In order to protect the rights related to the inappropriate dissemination of such data on the network and to ensure the privacy of every citizen, the “right to be forgotten” was born, namely the right of a person to be forgotten and not to be reminded of facts which concern him or her. In practice, this right is a guarantee for those who do not wish to be exposed for an unlimited period of time to harmful consequences, likely to adversely affect their reputation, of events that took place in the past (especially in a digital era such as ours, in which most information flows online). As the philosopher Friedrich Nietzsche stated, “forgetting is an active ability”, which in the modern world must be exercised through very precise procedures. For example, let us see how one may request removal from online indexing by a major search engine such as Google1: when completing the form available online, you must specify the reasons and submit a mandatory copy of an identity document of the applicant. The actual removal is neither immediate nor automatic and, of course, will not be carried out by search engines other than Google.

BIO Michele is a practising lawyer and a member of the lawyers’ order in Rome. After obtaining his Law degree at the University of Rome, he developed a research thesis entitled “Legal dilemmas regarding the use of drones in armed conflicts” at the Law Department of the University of Washington, Seattle, USA. After these studies, he obtained a Master’s degree in “Homeland Security” at the Campus Bio-Medico university of Rome, where he deepened his knowledge of security issues, data protection and confidentiality. At present he is a researcher at the Global Cyber Security Center (funded by Poste Italiane) on legal issues concerning the safety of data processing.

After assessing the reasons invoked by the applicant, the search engine may decide not to consider a request it deems without legitimacy and refuse deletion of the contents. In this case, the user may call upon the confidentiality clause at a cost of €150 and with a waiting period of no more than 60 days. Finally, if the user is still not satisfied, a case can be filed in a civil court against the privacy Guarantor, but this, of course, requires time and large amounts of money. The procedure seems easy, but in 2014 Google accepted only about 30 percent of the 36,000 applications, on the grounds that they had not been properly filed or that the reasoning was insufficient. The authorities recommend turning to expert consultants, so as not to get caught in bureaucratic procedures and to have your rights recognised. However, even in such cases, information of public interest is most of the time hard to remove and, where a piece of news has gone viral, the procedure is not sufficient for complete removal. The right to a private life and to the reputation of those involved must be guaranteed, yet this is balanced against the freedom of the press, and only a fair balance of these interests allows an appropriate decision. As Rodotà said, “the right to be forgotten can dangerously tilt the balance toward falsifying reality and can become a tool for limiting the right to information”, and for these reasons it is necessary to have clear and transparent rules.

Recently, European Regulation 679/2016 has created a first form of regulation of the matter. In fact, Article 17 provides that any person has the right to obtain from the controller the deletion of personal data without further unjustified delay. However, this right is lost if the disclosure of certain information is required for exercising the right to freedom of expression and information, for legal compliance, for carrying out a task in the public interest or in the exercise of state authority, on grounds of public interest in the field of public health, for archiving purposes in the public interest, for historical or scientific purposes, for statistical purposes, or for establishing, exercising or defending a right in a court of law. In Italian law there are no precise rules; only the case-law framework applies. On December 3, 2015, the Court of Rome, in judgment no. 23,771, reiterated that the right to be forgotten is nothing more than a special expression of the right to private life (also expressed at the European level in Articles 7 and 8 of the Charter of Fundamental Rights). The conclusions drawn from this decision make clear that the fact one intends to have forgotten must not be recent and must not be of public interest. In order to balance the fundamental interests at stake, in the absence of specific Italian legislation, it should be noted how the public interest plays a key role in the decision. In fact, even the consolidated text of the journalists’ duties (February 3, 2016) recommends that journalists avoid referring to certain facts of the past, unless they are essential for the completeness of the information. “Forgetting is a form of freedom” (Khalil Gibran) and, this being assumed, in a developed society such as ours it must be clearly and transparently stated, ensuring an adequate level of protection of our identity, with special attention to the new digital realities. The European harmonisation brought by the new regulation on the processing of personal data, mandatory as of May 25, 2018, is only the beginning of an exchange of intentions aimed at realising a fundamentally recognised right.

The so-called “Right to be forgotten” has been created to defend the rights of each citizen in case of an inappropriate diffusion of his data on the web and to guarantee his privacy.

1 Link: eudpa?product=websearch.




The 21st Century and the programmed death of private life at global level

This title is not intended to be alarmist, but it corresponds to reality in this mass digital age. Thus, it is up to each of us, as our own responsibility, to build a personal “Noah’s Ark” so as not to be swallowed up by the ocean of data known as “big data”.

(Small and insignificant) presents in exchange for your private life?

author: Laurent Chrzanovski

According to 2015 United Nations statistics, there are twice as many citizens connected to the Internet as there are people who own a simple toilet, and the number of things connected to the Internet is ten times higher than the total number of the Earth’s inhabitants; only a dreamer can hope to escape the control exercised by means of our own data. However, there are several options for action, choices that seem trivial, but tomorrow, in a year or in ten years’ time, anyone adopting the correct actions will be less exposed to the risks than others. Big Brother exists, but it is not the one everyone is talking about. No state in the world yet has the technical capacity to collect, analyse and use a mass of collected data comparable to the data controlled by the corporations that develop the software and services that one uses, indeed mass-uses, daily... In other words, we have to assume that anything made public or posted online will remain in the public domain forever, with the exception of data transiting public networks using the most advanced methods of message encryption and securing.


In the USA and other countries with strong commercial power and strategy, loyalty cards have existed since the 70s. With the information these cards enclose, they become, for commercial purposes, extraordinary tools for decreasing prices, providing exactly what most customers are looking for in all types of shops. For the consumer, generous discounts are sometimes offered, according to the degree of loyalty and the payments made in a particular shop or network of shops. But behind this process, once all these cards are registered in a common computer system, the most powerful personal data collection system is activated. For the moment, European legislation prevents these traders from reselling the data collected, but in countries where the law is more permissive we face a phenomenon that sometimes goes as far as the harassment of customers, by making use of their data without any control. Nowadays, this data is even more precise and easily obtained, because it may be combined with online searches carried out by users. Search platforms and engines are used for the provision of personalised advertising (the ad market). This kind of information is also gathered through all the sites that provide free services in exchange for personal data, as well as through a large part of the social networking sites and some online stores. The hypochondriac, the compulsive consumer, the daily alcohol buyer or the ordinary consumer, the vegetarian, the parent buying gifts for his/her children, etc. - all of them provide online data that is the basis for customised offers, but which may also provide a basis for drafting the complex and complete psychological profiles of each individual consumer. Thus, your entire life can be accessible in exchange for a few percentage points of discount - it is your choice!

Dangerous mergers for your well-being?

For a few years already, the big companies which provide free online services have begun diversifying their offer: search engines have their own navigation applications (and vice versa), free mail and cloud services, and direct access from a single account to an entire panoply of other services. During the past 3 years, we have witnessed the massive purchasing by the same companies of other companies that offer online communication services or social networks, notably the purchases made by Microsoft of Skype and, more recently, of the largest online professional network, LinkedIn. From the European authorities there is no reaction for the moment, and there is the risk of very soon facing powerful monopolistic cartels, which in principle are prohibited by law. But what is more alarming for the citizen is not the merger of the services and companies in itself, but the control by a single player of these types of services and of the data associated with their use, offered or generated by the user.

Who reads today a contract of more than 80 pages displayed on the screen?

Of course, these days the corporations take refuge more and more behind their security systems, and individuals behind the privacy settings that they may easily adapt. But one question arises, and we also asked the specialist Velten Arnaud at the Aosta colloquium in March 2016: “are people really aware of what they are signing?” If you take the time to read the tens of pages of the contracts with these companies, accepted by a simple mouse click, you will notice that, in fact, you have given them the right to use your data “for all purposes considered useful” - a term reserved mainly to state security institutions - meaning, all of what you write, post, send, search and look at through the use of their services. The case of Windows 10, along with the latest Microsoft Cloud terms and conditions when acquiring the Office package, would deserve a strict ban from the European Commission, as has been the case in several other states, such as Russia for the first time, especially regarding the use of these packages by state-owned institutions. Why? Because the intrusion desired by Microsoft, if not understood by users, exceeds by far the powers and technical possibilities of the most effective intelligence services of the most developed countries in the world. Storing a private Word document on the cloud storage offered by the Office package grants Microsoft full access to its contents. The use of the Windows operating system gives its creators access to almost everything you do on your computer. Until today the European Commission has obtained some minimal concessions from Microsoft, but the legality of such services has never been clearly questioned, because, on one hand, the company is not established within the territory of the European Union and, on the other hand, you, as consumers, accept these terms of use. More than ever, there is a need today to be informed in advance and to make a fully aware choice of the IT services used. The best advice is: never “put all your eggs in one basket”. Buy cloud services under adequate safety conditions adapted to your privacy needs, store your most sensitive documents on external storage not connected to networked computer systems, but above all read the articles available online regarding consumer protection: there you will find reviews of all the findings concerning the levels of intrusion into private life of the various platforms and services available today on the market, free of charge or paid, that you already use or would like to use.

BIO Laurent Chrzanovski (HDR Postdoc PhD MA BA) is a Professor at the Doctoral and Postdoctoral School of Social Sciences at the University of Sibiu (Romania). Thanks to his work experience in 12 European and South Mediterranean countries, he has since 2010 expanded his fields of research into the social, behavioural, cultural and geopolitical aspects of cyber security. As such, he is a member of the ITU (UN-Geneva) cyber-security expert group and a contract consultant for the same institution, as well as for several Swiss and French think-tanks (PPP). He founded in 2013, and continues to run, “Cybersecurity in Romania”, a macro-regional public-private platform (www., supported by the ITU, all related public institutions in the host country, as well as many other specialist organisations from France, Switzerland, Italy and the United Kingdom. In the same spirit, he co-founded in 2015, and is editor-in-chief of, one of the very few free quarterly cyber-prevention journals (a PPP) designed for the general public. Originally intended for Romanian audiences, Cybersecurity Trends is today published - with the collaboration of prestigious specialist partners - in multiple languages adapted to French, Italian, English (as of June 2017) and German (as of September 2017) audiences ( It should be noted that the Congress and the magazine have been promoted and supported by the ITU since 2015 as the “Best Practice Example for the European Continent”. Laurent Chrzanovski is the author / editor of 23 books, of more than 100 scientific articles and of as many other texts intended for the general public.

Addicted to the smartphone – the perfect victim!

Never has an intelligence agency dreamed of an espionage instrument as perfect as the smartphone used today by the majority of citizens. Permanent geographical location, permanent connectivity, applications and programs with multiple infection possibilities, video, camera, microphone - all in one device and almost permanently linked to one person!

Here again, the citizen is responsible for his/her own protection: installing an antivirus, deactivating certain functions or activating them only where they are used and, before installing a new application, even a free one, carefully reading about the data to which this application requests access. There is an abundance of spyware programs which are used in a perfectly legal manner, taking advantage of the responsible action of the individual who chooses to install them on a personal device. To better illustrate this aspect, let us take for example one of the numerous applications that allow you to use your phone as a flashlight. What services or data does it have access to?

1. Read phone status and identity
2. Take pictures or record videos with the camera, without prior authorisation
3. Read, modify or erase data on the memory card of your device
4. Full access to the Internet and to your Internet and WiFi connections, and receiving data (without any restrictions)
5. Collect data regarding other applications running on your device
6. Prevent the device from disconnecting or entering sleep mode
7. Modify system settings

Simply put, in order to have light, are you willing to “donate your soul to the devil”?

Search for smartphones that can even prepare coffee

The most fearful weapon of smartphone and application producers is the pretext of increasing comfort and easing life for customers. Exaggerating a little, it is as if you wanted a car which makes coffee, prints documents next to the steering wheel and also does the laundry; according to market studies, this might soon be available. ☺ The most perfidious effect of this kind of attitude, appreciated by consumers, is that, along with tablets, smartphones are by far the most vulnerable devices which we use almost permanently. Imagine a printer that requires coins to operate: that is the effect which a virus infection (e.g. ransomware) of the smartphone you use daily for personal or work-related matters may have. This multitude of services available on mobile platforms, if accepted and used in day-to-day activities, can easily lead you to a crisis situation, personal or business related, in the event of loss of the device or unauthorised intrusion into it. Once more, whether this is about phone conversations or applications intended for smartphone communication, super-connectivity comes with a series of serious associated risks. Recently, the smartphone belonging to a manager of one of the most powerful IT companies in the world was compromised through hacking. The consequences were catastrophic: not only was the data stored on his phone accessed and erased, but also all data stored in the cloud, in email and on the social networks he was using.

Moreover, the attacker thereby also managed to access the data stored on the tablet and PC, gaining access to confidential data intended for business use only. How was this possible? Very simple: that manager had synchronised all three devices and all shared programs, in addition to the cloud, choosing simplicity over safety, and that proved fatal. On the same note, when buying a new phone or tablet, do not simply put your previous devices up for sale without making sure that the data stored on them is permanently deleted and cannot be recovered. This is possible by using the advanced security features provided by the device in question, by using software specially designed for this purpose or, if you do not have the necessary technical skills, by selling your phone to a resale shop that commits, via a written and signed contract, to permanently deleting all your data from the device’s memory before it is sold. Without taking all of the above into consideration, you risk offering the future owner access to all your connections, passwords used, online searches, etc., even if they appear to have been deleted from the accessible part of your former device’s memory.

Do you really need them all?

The entire issue set out above can be summarised in a few simple questions, to which you are the only one who can provide the appropriate answers:

1. Do you really need this application, this device permanently connected to the Internet (IoT), this new online service, without which you actually lived very contentedly until today?
2. Have you ever considered the advantages your private life gains from using a paid service (cloud, mail, etc.) compared with those offered by a free-of-charge service?
3. If you are a dynamic and mobile person, why do you torture your eyes with a mobile phone screen, instead of using a small laptop, which may be much more secure?
4. Do you really have to read and answer emails while driving or walking on the street? On such a small screen your reactions are reduced to a minimum: with just one click on a dangerous file or link, the consequences can be disastrous and irreparable for the security of your data.

Do you read about politics, economy, weather or sport? Why don’t you take a few minutes a day to learn about the risks existing on the Internet?



PSD2 a challenge? How does a bank choose the right solution that ensures maintaining its place on the market? Evaluation guide




The Payment Services Directive (PSD2) is a new European directive which is to be implemented in the European financial and banking environment at the beginning of 2018. This Directive will bring fundamental changes to the European financial and banking system.

author: Mihai Scemtovici, General Director, SolvIT Networks. Article translated from the original Romanian-language article for the CyberSecurity Trends Romania quarterly magazine

BIO Within SolvIT Networks, Mihai Scemtovici has developed over the last 12 years a number of infrastructure management and security management projects, implemented in Romania as well as in various countries in South-Eastern Europe, Turkey, the Middle East and Scandinavia. His projects are designed specifically for the banking sector, but also for the telco world, while some were implemented by governmental institutions. In recent years, Mihai has been focusing on developing projects in the security and cyber-security management area.


The main foreseen changes refer to the need to provide operating interfaces for the so-called third-party providers and the need to strengthen the authentication of banking customers, with support for authentication by two or more factors (Multi-Factor Authentication) for most types of payment. As a result, service providers can become payment initiation service providers or account information service providers, i.e. they will be able to “resell” banking services together with the services they traditionally provide, offering new benefits to existing customers. Just imagine what attractive packages of combined banking services a telecom operator or a hypermarket chain could provide. Although some competent opinions say that banks will be affected, the other half of the glass must be taken into account: a bank which opens a quality interface to a supplier automatically gains access to a customer base far larger than anything it has ever managed to address on the classic channels. When taking into account that telecom penetration among the population is over 100% and that of banking at most 60% (even hypermarkets have an attractive penetration in non-urban areas, through the mini-market chains in the villages), new opportunities for banks exist. For this reason, banks must be able to offer interfaces that are reliable, on one hand, and secure, on the other, considering the sensitivity of the information to be transacted. The banks affirm that there is going to be quite some competition, so those which provide easy-to-use interfaces, extensive in terms of functionality, will be more attractive and will also have a better position when negotiating commercial terms with the service providers.

What does a bank need to do? It should develop interfaces to its internal applications and expose them to third parties. These interfaces (APIs) need to be developed, securely exposed and subsequently maintained, because the banking industry is a dynamic one. The human resources involved are also critical, both at the time the interfaces are developed and the connection with the service provider’s systems is carried out, and continuously, while managing these interfaces. Are there applications that can completely cover these needs? Yes, they exist; they can be found in the API Management category. In the following, we will try to suggest a guide which a bank can use while assessing such a solution. What are the steps, and what key functionalities should a bank look at, in order to ensure that the soon-to-be-acquired API Management solution meets the needs of present and future generations and will provide a comfortable position with regard to the competition? The first step would be choosing a solution which is positioned in the leaders’ category, or at least in the challengers’ one, as stated in the independent reports of this industry (e.g. Gartner). Since the web APIs to be developed will not serve entertainment applications but banks, institutions at the top of the list of cyber-attack targets, the first thing to consider would be whether the application offers solid information security features. Will the created API have “by design” protection against threats; is it in line with the Open Web Application Security Project (OWASP) community methodologies? Does it allow newly created APIs easy integration with applications such as Single Sign-On or Identity Management, offering complete security for on-premises applications, mobile and Cloud?

Next, taking into account that we are talking about an application which must handle hundreds of thousands or even millions of transactions per time unit, the second thing I recommend a bank to look for is scalability. Will the created API maintain the same high performance during busy periods, like Christmas time for instance? Does it have the possibility to prioritise and to create dynamic and intelligent routing of the requests coming from the applications it is linked with? Taking into account that the software should withstand competition, the third important thing refers to the flexibility of the application and the ease with which it is used by the bank, but most importantly by the bank’s external partners. Imagine that a service provider connects its operations to two banks. One provides easy-to-use, flexible APIs with friendly management interfaces; the other has non-stop problems, and its customers, who frequently encounter usage errors, must often call upon support from the bank. Under these conditions, the service provider will mainly recommend the services of the first bank to its customers, even if they are slightly more expensive. Doesn’t this sound like a scenario you already know? The final aspects to be considered, though by no means the least important, are those referring to the flexibility of creating APIs for mobile applications (taking into account that mobile devices have already outnumbered fixed devices), and also the bank’s ability to precisely control the type of access and to account for it for invoicing purposes.

I would also consider the possibility of providing access to my app from the Cloud, taking into account that the transition to the cloud already has a scale that makes it unstoppable from the adoption point of view and, why not, I would like to be able to create APIs with “drag and drop”, regardless of whether I must link them to an application, even an application that is no longer supported (banks have such applications), a database or another data source.

To conclude, if I were a banker, I would like the API Management solution to be highly scalable, with strong security, to cover an API’s entire life cycle, to be able to create a new API in minutes, to provide quality mobile support and advanced management features for the bank and for the partners who will be connected to the bank’s resources, while offering at the same time total control to the bank’s clients over the rights granted to the TPP service provider, with the possibility to disable or activate options at any time, in order to have access to the new features of the applications.
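The controls the guide asks an API Management solution for (TPP authentication, per-TPP throttling ahead of the core banking system, customer-granted and customer-revocable consent scopes, and metering of calls for invoicing) can be sketched in a few dozen lines. The block below is an added illustration written for this article; it is not SolvIT's, any vendor's or any bank's code. The TPP identifiers, the shared secret, the scope names and the rate limit are constructed values, and the HMAC-over-request signature stands in for whatever client authentication a real gateway would use (mutual TLS or OAuth tokens in practice).

```python
"""Toy PSD2-style API gateway (added example; all names and values constructed)."""
import hashlib
import hmac
import time
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Consent:
    """What one customer allowed one TPP to do; the customer can switch it off."""
    customer: str
    tpp: str
    scopes: set           # e.g. {"accounts:read", "payments:initiate"}
    active: bool = True


class Gateway:
    def __init__(self, tpp_secrets, rate_limit, window=60.0):
        self._secrets = tpp_secrets       # tpp_id -> shared secret (constructed)
        self._consents = {}               # (customer, tpp) -> Consent
        self._calls = defaultdict(list)   # tpp_id -> recent call timestamps
        self._ledger = defaultdict(int)   # tpp_id -> billable calls
        self.rate_limit = rate_limit      # calls allowed per window, per TPP
        self.window = window              # seconds

    # -- customer-side control over what a TPP may do --------------------
    def grant(self, customer, tpp, scopes):
        self._consents[(customer, tpp)] = Consent(customer, tpp, set(scopes))

    def revoke(self, customer, tpp):
        consent = self._consents.get((customer, tpp))
        if consent is not None:
            consent.active = False

    # -- request authentication (TPP side computes the same value) --------
    def sign(self, tpp, payload):
        key = self._secrets[tpp].encode()
        return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

    # -- the gateway's decision for one request ----------------------------
    def handle(self, tpp, customer, scope, payload, signature, now=None):
        now = time.monotonic() if now is None else now
        # 1. Authenticate the TPP before anything else is spent on the request.
        if self._secrets.get(tpp) is None or not hmac.compare_digest(
                self.sign(tpp, payload), signature):
            return (401, "unknown TPP or bad signature")
        # 2. Throttle per TPP so one busy partner cannot starve the others.
        recent = [t for t in self._calls[tpp] if now - t < self.window]
        self._calls[tpp] = recent
        if len(recent) >= self.rate_limit:
            return (429, "rate limit exceeded")
        recent.append(now)
        # 3. Enforce the customer's consent and the requested scope.
        consent = self._consents.get((customer, tpp))
        if consent is None or not consent.active:
            return (403, "no active consent")
        if scope not in consent.scopes:
            return (403, "scope %s not granted" % scope)
        # 4. Meter the successful call so the bank can invoice the TPP.
        self._ledger[tpp] += 1
        return (200, "%s for %s via %s" % (scope, customer, tpp))

    def billable_calls(self, tpp):
        return self._ledger[tpp]


def demo():
    """Walk one TPP through the four outcomes; returns the status codes seen."""
    gw = Gateway({"tpp-telco": "constructed-shared-secret"}, rate_limit=2)
    gw.grant("cust-1", "tpp-telco", ["accounts:read"])
    sig = gw.sign("tpp-telco", "GET /accounts")
    seen = [
        gw.handle("tpp-telco", "cust-1", "accounts:read", "GET /accounts", sig, now=0.0)[0],
        gw.handle("tpp-telco", "cust-1", "payments:initiate", "GET /accounts", sig, now=1.0)[0],
        gw.handle("tpp-telco", "cust-1", "accounts:read", "GET /accounts", sig, now=2.0)[0],
        gw.handle("tpp-telco", "cust-1", "accounts:read", "GET /accounts", "bad", now=3.0)[0],
    ]
    gw.revoke("cust-1", "tpp-telco")   # the customer switches the partner off
    seen.append(gw.handle("tpp-telco", "cust-1", "accounts:read", "GET /accounts", sig, now=100.0)[0])
    return seen, gw.billable_calls("tpp-telco")


if __name__ == "__main__":
    print(demo())
```

The order of the checks is the design point: authentication is cheapest and comes first, throttling happens before any consent lookup so that the rate limit also bounds failed requests, and only a call that passed every gate is written to the ledger, so the invoice never counts traffic the bank rejected.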

ANSSI - A partner of Cybersecurity Trends

The National Association for Information Systems Security (ANSSI) was established in 2012 to become a bridge between the public and private sectors, in order to promote best practice and enable a cultural change towards information security. ANSSI is a private, professional, independent and non-profit organisation. It unites 40 members, companies with around 20,000 employees, representing 25% of the total number of employees in the private IT&C sector. Our members, thanks to the large diversity of their technical and professional competencies and capabilities, form a group that is representative of the entire sector, the group’s interests being the same as those of the sector as a whole. ANSSI has also organised, alone or together with other authorities, public institutions or embassies, several national and international conferences and events in fields such as telecommunications, e-government and e-administration systems and solutions, EU funds, HR development and occupational standards, the technological and infrastructure security component being a common key issue. Nationwide, ANSSI has set up partnerships with organisations such as the Ministry for Communications and Information Society, the Romanian National CSIRT - CERT.ro, the Bucharest Stock Exchange - BVB, the Romanian Banking Institute - IBR, the Financial Services Association - ALB, the CIO Council, the Romanian Association for Security Technique - ARTS, the Romanian Association for Promoting Critical Infrastructure and Services Protection - ARPIC and others, in order to ensure coherence between the beneficiaries and the services provided in other fields that use IT&C infrastructure (such as energy, finance and Internet services) and to enable the transfer and adoption of internationally recognised best practices. ANSSI has already set up partnerships, and is preparing new ones, with similar organisations from other countries – France, the USA, Canada and others.


Focus - Cybersecurity Trends

Secure Passwords. Maybe «simple engineering is good engineering»

One of my favourite teachers when I was studying for my Bachelor's had two mantras: «simple engineering is good engineering» and «old engineering is good engineering». He was right, especially on the first one.

author: Vassillios Manoussos of Napier University, Scotland

People keep asking me how to make their passwords secure, how to avoid common pitfalls and how to keep others from guessing their passwords (social engineering); see also my article «How to Hack Friends and Family». The truth is that solutions are sometimes simpler than they seem. First of all, common sense should prevail.

FACT: No matter how good your password is, if you have no antivirus and no firewall on your computer it can be stolen, for example by malware that records what you type. These tools cost virtually nothing, and it is unbelievable that individuals and even small businesses do not think it is a big deal not to have them.

FACT: If you use your name, your dog's name or similar, someone will easily guess your password. People who want your e-mail password may go to your e-mail provider's login page, type your address, click on «Forgot password» and use the security questions to make an educated guess.

FACT: Remembering a short password is easy.

FACT: Remembering a 32-character password is not easy. Or is it? There is a process called hashing, in which a fixed-size value is computed from a string, a file or even an entire drive.


That hash value is as distinctive as a fingerprint. A hash of a common word can be looked up in a precomputed table (a dictionary of hashes or a rainbow table), but for a sound hash function it is computationally infeasible to recover the source text from the hash alone. MD5 is one of the oldest hash functions; it is broken for collision resistance and should no longer be used to protect integrity or signatures, but for this purpose it is still a simple and deterministic tool. There are many MD5 generators online; whichever one you use, entering the same string of letters or word returns exactly the same 32-character hexadecimal code.

So how can someone use a tool like this to create a strong password, and how strong can that password be? Again, we are talking about the threat of social engineering and phishing rather than a brute-force or similar attack. The difficulty of guessing the hashed password is directly related to the original word(s) you used to produce the hash. A small variation in the source produces a totally different hash. Take my name for example: Vassilis returns 325fc57f275cd8a61d88800c1c52e541, whereas vassilis returns 1534aac0fd311f42ba96a9a280c4253e (Example 1).

Now how secure is this 32-character string as a password? Let's have a look. I used an online password checker. Password checkers are not an absolute tool, but a proper one gives a good indication of where you stand.

Adding a single capital letter increases the time needed to crack it by about six times (Example 2).

Now here is the interesting part. Writing the same word in Greek (a non-Latin alphabet) makes things more complicated for password crackers. For the same word in a different language we moved from 41 minutes to 25 days (Example 3). Note that a checker's estimate assumes a brute-force search over the characters it sees; an attacker who suspects that the source is a Greek name and uses a wordlist of Greek names will do far better.

And finally the MD5 hash of my name (vassilis, without a capital letter). This one will take 13,000,000,000,000,000,000,000 years according to the checker. Now that is a safe password, as far as brute force is concerned.

Can you remember your password? Only a few people on this planet can remember an alphanumeric string like this, so you will need to either store it or generate it every time you use it. That should not be a problem: if you use it as a password for your online logins, you will be on an Internet-connected computer. Visit an online MD5 generating site (or SHA-1 or SHA-256, for that matter) and generate your password every time. It is easier to remember «I saw a mockingbird in my sleep» than A509723A37FD45E18632CC6EB40B8229. Better still, compute the hash locally with a command-line tool or a short script, so that the source phrase never leaves your machine.

Who should use this: this method is by far safer than using your cat's name and your wedding anniversary as a password. Big organisations should have other, more sophisticated methods in place to secure access to their IT infrastructure. But for individuals who just want to make sure nobody else will read their e-mails, this is a good and secure starting point towards more cyber-aware behaviour.

Some DON'Ts:
- Do not use your regular browser when visiting an MD5 generator. Use an «incognito» mode, so that other users of the same computer will not know what you are doing.
- A hash value is only as strong as its source. If you try words like password or 123456, the hash will be guessed as easily as the word itself, because anyone who knows the method only has to hash the same short list of common words.
- Because the hash is deterministic, the same source phrase always yields the same password. Use a different phrase for each account, so that one leaked password does not open the others.
- Do not tell other people how you work out your passwords!
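To make the last caveat concrete, here is an added example (written for this edition, not part of the original article) that derives a password from a phrase exactly the way an MD5 generator does, estimates what a password checker would see, and then runs a small dictionary attack against the scheme. It uses only Python's standard library; the wordlist is a constructed sample, and the two fixed digests checked for "password" and "123456" are the standard MD5 values of those strings.

```python
"""Hash-as-password, as described in the article, and why it is only as strong
as its source phrase. Added example for this edition, not the author's code."""
import hashlib
import math

# Hash functions named in the article; each yields a fixed-length hex string.
ALGORITHMS = ("md5", "sha1", "sha256")

# Constructed sample wordlist: what an attacker who knows the scheme tries first.
COMMON_WORDS = ["password", "123456", "qwerty", "letmein", "vassilis", "fluffy"]


def hash_password(phrase: str, algo: str = "md5") -> str:
    """Derive the password the way an online generator does: UTF-8 encode the
    text (so a Greek spelling hashes different bytes than a Latin one) and
    return the lowercase hex digest. Any change to the phrase, even a single
    capital letter, changes the whole digest."""
    if algo not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algo}")
    return hashlib.new(algo, phrase.encode("utf-8")).hexdigest()


def checker_estimate_bits(password: str) -> float:
    """Crude model of an online password checker: it assumes the attacker must
    brute-force every character over the union of character classes present.
    A lowercase hex digest looks like 32 characters drawn from 36 symbols."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return len(password) * math.log2(size) if size else 0.0


def scheme_entropy_bits(candidate_count: int) -> float:
    """What the attacker actually faces once the method is known: the search
    space is the set of plausible source phrases, not the set of hex strings."""
    return math.log2(candidate_count)


def recover_source(target: str, wordlist, algo: str = "md5"):
    """Dictionary attack against the scheme. Each word is tried as typed and
    with its first letter capitalised (the article's Example 2 variation).
    Returns the source phrase, or None if it is not in the list."""
    target = target.lower()  # generators differ only in the case of the digest
    for word in wordlist:
        for candidate in (word, word.capitalize()):
            if hash_password(candidate, algo) == target:
                return candidate
    return None


if __name__ == "__main__":
    for src in ("vassilis", "Vassilis", "Βασίλης", "I saw a mockingbird in my sleep"):
        pw = hash_password(src)
        print(f"{src!r:36} -> {pw}  checker sees ~{checker_estimate_bits(pw):.0f} bits")
    print(f"attacker's real search space: {scheme_entropy_bits(len(COMMON_WORDS)):.1f} bits")
    for src in ("123456", "Vassilis", "I saw a mockingbird in my sleep"):
        found = recover_source(hash_password(src), COMMON_WORDS)
        print(f"{src!r:36} recovered as {found!r}")
```

The checker model credits a hex digest with about 165 bits, while the attacker who knows the method is searching a list of a handful of words, under 3 bits here; the digest of a dictionary word is recovered instantly, the digest of a long personal phrase is not. Running the hash locally, as the script does, also keeps the phrase off third-party websites.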

BIO

Vassilis Manoussos, AAS, BSc, PGCHE, MSc

Vassilis Manoussos is a Digital Forensics & Cybercrime consultant. He works as an Expert Witness as the owner of Strathclyde Forensics, and he is an Associate at Edinburgh Napier University and The Cyber Academy. He is also Head of Digital Forensics at The Security Circle, a consortium of security experts, and has been appointed a National Advisor for the Scottish charity Roshni. His work experience includes several high-profile cases in the UK, ranging from employment and private cases to criminal investigations (murder, child pornography, fraud and industrial espionage). Mr Manoussos is a regular guest speaker at several UK universities (Edinburgh Napier University, University of Strathclyde, Glasgow University, Robert Gordon University, University of the West of Scotland). He is a regular speaker for business audiences, focusing on cyber security, data loss prevention, social engineering and incident response, and he delivers courses to lawyers (as part of their CPD requirements) on digital evidence, data protection and digital forensics investigations. He has also delivered training to Chinese government officials on Big Data through Edinburgh Napier University. His academic credentials include an MSc in Forensic Informatics, a BSc in Business and an AAS in Computer Programming. He has been a guest speaker at international and regional conferences and symposia and was the co-organiser of the PGCS Symposium at Edinburgh Napier. He is a registered expert with the International Telecommunications Union (ITU) and a founding member of the UK's Digital Forensics Society. Mr Manoussos can be reached by e-mail and on LinkedIn.


Focus - Cybersecurity Trends

London responds to digital threats
An innovative approach to help secure businesses across Britain's capital
Text: London Digital Security Centre

“London is open for business” is the Mayor's official slogan for the capital of the UK. And the Mayor of London, with the Metropolitan and City of London Police, is also working to ensure that London is safe for business, through the London Digital Security Centre. Every month, over a thousand of London's companies report to the Police that they have suffered a damaging cyber attack. And surveys commissioned by the Police show that for every company that reports such a crime, another five or ten businesses suffer in silence. The Centre was created to respond to this challenge, as a not-for-profit funded by the Mayor, the Metropolitan Police and the City of London Police. This structure allows the Centre to be both highly credible and very proactive. In June 2017, the Centre launched a programme of complimentary services that can be accessed by any of the estimated 1,000,000 businesses operating in London. The Centre also launched a managed MarketPlace, to help businesses understand and purchase the products they need to stay safe.

Last year, John Unsworth was appointed as Chief Executive. He set himself the challenge to “help businesses to operate in a secure digital environment, and make London the safest place to do business online,” and set his team to reach out to business leaders. John has a distinctive approach: “we go to businesses where they are, across London. Accompanied by officers from the Police, we meet with business owners in their place of work to help them risk assess their digital security. It could be considered old fashioned to reach out in this way. But while cyber conferences are good for sharing information between specialists, it's only personal engagement that inspires action by executives and business owners, and most small business owners tend not to attend cyber security conferences.”

CIOs and CISOs are brought together by the Centre for master classes in key digital security issues: a hundred delegates each month, for in-depth sessions on topics such as identity crime, social engineering and how to respond commercially to a major breach. Business leaders are signing up with the Centre at a rate of one hundred a week. They take up Membership of the Centre, which immediately gives them access to a range of complimentary services. This includes an assessment, provided by SecurityScorecard, of the vulnerabilities that hackers can potentially see on their computer systems. It also includes online training from Axelos, the joint venture between the UK's Cabinet Office and Capita.

Partnerships and alliances are key to John Unsworth's vision. Partners have been selected to participate in the Centre's new MarketPlace, to provide London's businesses with access to appropriate products and services. John comments: “we provide free services that enrich a business's digital security, but we can't deliver at no charge all the services that a business needs to block digital threats and embrace digital innovations. That's OK, because responsible companies know they should invest in the products that will make them more secure. Our MarketPlace has been designed to make life easier for such businesses, by helping them to understand and source what they really need.” A wide range of leading suppliers of cyber security already support the Centre, from the largest global vendors, such as Sophos and Symantec, to innovative new specialists like Cyber Rescue and Yoti. Additional partners will be recruited in the coming weeks. They are required to be leaders in their area, of good repute and financially sound; typically, they will have won several awards for their product offerings. John comments: “we've designed the MarketPlace so that our Members can use it without fear of being exploited or sold products that do not enhance their security.” Details of how to become a partner of the Centre are on its website.

Other alliances are also crucial to the Centre. Strong relationships have been developed with business associations such as the Federation of Small Businesses and the British Retail Consortium. The Centre also works closely with many national organisations, to bring their insights to the businesses in London that need that knowledge to protect themselves. Such organisations include the National Fraud and Cyber Crime Reporting Centre (Action Fraud) and the National Cyber Security Centre.

Importantly, the Centre also works with academia, with several universities contributing generously, such as the University of London and Oxford University. It's early days, but the London Digital Security Centre already sets itself apart from most organisations through its down-to-earth attitude and determination to deliver. John emphasises that “the hard graft is ahead of us. We are committed to evidencing how our work improves London's security.”

Working with leading suppliers of cyber security, and supported by the Mayor of London, the Metropolitan Police and the City of London Police, I am confident we can make our capital the safest place for businesses to innovate and grow online. John Unsworth CEO, London Digital Security Centre.

London’s businesses are the lifeblood of our great Capital city. It’s so important that they protect themselves from digital crime. Mayor of London’s Office for Policing & Crime

The LDSC is a really exciting initiative for London. What we hope this will achieve is a London that is truly resilient to cyber crime. What we offer are services that aren’t currently available. Metropolitan Police Service

Every day, I see businesses that have been victims of cyber crime. I hope businesses will access the LDSC services, to make themselves safer and more competitive. City of London Police

Many small businesses don’t really appreciate the dangers of trading online. Some have lost considerable amounts of money, and almost gone bankrupt. Federation of Small Businesses

Never before has it been so important for businesses to protect themselves. The LDSC will help businesses understand what they must do to stay safe and secure.


Useful Tips - Cybersecurity Trends

The National Cyber Security Centre (NCSC): incident advice and guidance

The National Cyber Security Centre (NCSC) is the UK’s authority on cyber security. It is part of GCHQ. The NCSC brings together and replaces CESG (the information security arm of GCHQ), the Centre for Cyber Assessment (CCA), Computer Emergency Response Team UK (CERT UK) and the cyber-related responsibilities of the Centre for the Protection of National Infrastructure (CPNI). The NCSC’s main purpose is to reduce the cyber security risk to the UK by improving its cyber security and cyber resilience. It works together with UK organisations, businesses and individuals to provide authoritative and coherent cyber security advice and cyber incident management. This is underpinned by world class research and innovation.

What is a cyber security incident?

The UK NCSC defines a cyber security incident as:
- a breach of a system's security policy in order to affect its integrity or availability;
- the unauthorised access or attempted access to a system.

Activities commonly recognised as security policy breaches are:
- attempts to gain unauthorised access to a system and/or to data;
- the unauthorised use of systems and/or data;
- modification of a system's firmware, software or hardware without the system owner's consent;
- malicious disruption and/or denial of service.

The NCSC defines a significant cyber security incident as one which may have:
- an impact on the UK's national security or economic wellbeing;
- the potential to cause major impact to the continued operation of an organisation.


Cyber security incidents can take many forms: denial of service, malware, ransomware and phishing attacks.

Is it an incident? If you are experiencing unexpected or unusual computer or network issues, contact your system administrator or service provider to identify the root cause. If a cyber security incident is confirmed, consult the NCSC guidance for detailed advice.

Personal attacks. There are a number of crimes which the NCSC does not define as cyber security incidents; cyber bullying and threats via e-mail, text or instant message are all examples. If you are in the UK, you should report these to the police, by telephone on 101 or via the police website.

Fraud. Action Fraud is the UK's national fraud and cyber crime reporting centre. If you believe you have been the victim of online fraud, scams or extortion, report this through the Action Fraud website.

Contacting the NCSC Incident Management team: if you believe you are the victim of a significant cyber security incident, you can report it to the NCSC through its website.

Get Safe Online

The website is the UK's leading source of unbiased, factual and easy-to-understand information on online safety. It is a unique resource providing practical advice on how to protect yourself, your computers and mobile devices and your business against fraud, identity theft, viruses and many other problems encountered online. It contains guidance on many other related subjects too, including performing backups and how to avoid theft or loss of your computer, smartphone or tablet. Every conceivable topic is included on the site, including safe online shopping, gaming and dating, so now you really can stay safe with everything you do online. The site also keeps you up to date with news, tips and stories from around the world.

10 Steps To Cyber Security at a glance: an effective approach to cyber security starts with establishing an effective organisational risk management regime, which the NCSC places at the centre of its diagram, surrounded by the other nine steps.

Get Safe Online is not only a website, however, as we also organise national events - such as Get Safe Online week - and work closely with law enforcement agencies and other bodies in support of their outreach activity, internal awareness and customer online safety. Get Safe Online is a public / private sector partnership supported by HM Government and leading organisations in banking, retail, internet security and other sectors.

Get Safe Online Code of Conduct

And simple steps…

01 Make sure your computer has up-to-date internet security software, switched on.
02 Don't reveal personal information on social networking sites.
03 Regularly back up the data on your computer and smartphone/tablet.
04 Never reveal your password or PIN when asked to do so by e-mail or on the phone.
05 Make sure your wireless network is secure at all times.
06 Be careful who you are selling to and buying from on auction sites.
07 Choose strong passwords, change them regularly and don't tell anybody what they are.
08 When shopping, paying or banking online, always make sure the website is secure.
09 Always download the latest software and operating system updates when prompted.
10 Remember your smartphone is also a target for viruses and spyware.


Bibliography - Cybersecurity Trends

The CERT-EU newsfeed free App

The CERT-EU function of the European Union has been extremely proactive, offering analysts but also ordinary citizens an application (App) available for iPhone and Android. The platform is efficient, very well designed and available in 10 languages. It is the result of thousands of online media monitoring impressions, with technologies that extract news items and classify them into well-ranked categories, from the “top 20 news” of the moment to sections dedicated to more specific subjects (with sub-areas), such as “Ongoing Threats”, “Strategic Threats”, “Cyber Crime”, “Economic”, “Product Vulnerabilities”, “Malware”, etc. Thanks to this application, a simple daily check of the news can quickly help you protect your business or your connected devices, such as your smartphone!

A.A.V.V., Cybersecurity Futures 2020 (Center for Long-Term Cybersecurity, School of Information, University of California), Berkeley 2016

This volume can be read as a science-fiction thriller. The Berkeley coordinators have worked with transdisciplinary teams to propose five plausible scenarios for the next three years. The text and images are designed as if the book were published in 2020 and looked back at the past. It is impressive to read how likely most of the theories proposed in each scenario might actually be, and what the consequences could be if a more cautious attitude is not adopted soon and the foundations of quality education in digital security are not laid quickly enough.

The first scenario, “The new normal”, introduces a society that accepts from the start that all private information will be stolen and made public. Attacks become more and more personal, hackers benefit from global collaboration, while legislators and national institutions fail both to keep the legislative framework up to date and to collaborate actively at the international level. Citizens choose either to live disconnected or to make all their information public voluntarily; a few choose to counterattack using the same tools as the hackers. The digital world has become a true Wild West, where those who want justice must find the resources to make their own.

The second scenario, “Omega”, introduces a society enslaved to a degree by algorithms and technologies able to predict and manipulate the behaviour of every connected human being when he or she undertakes certain actions or takes certain decisions, in both private and professional life. Security specialists are overtaken by the new challenges, where vulnerabilities in the prediction technology allow hackers to take the destiny of hundreds of thousands of citizens into their own hands, triggering colossal economic and human damage.

The third scenario, “Bubble 2.0”, foresees a new stock market crisis for the web giants, caused by the collapse of online advertising. Lawbreakers and the surviving companies compete to get hold of the data collected by the bankrupt companies. This “data war” is carried out in the worst possible circumstances: stressed and panicking markets, ambiguous copyrights, opaque economic sectors and “data trolls” everywhere. Criminals exploit the data banks and the people working there, and the collapse of the IT industry has left hundreds of researchers unemployed, many of them available for any kind of work, legal or illicit.

The fourth scenario, “Intentional Internet of Things”, describes a social revolution in which groups of citizens take power in order to confront educational, ecological, medical, professional and personal difficulties. Many of the problems they believed impossible to solve, such as climate change or the improvement of the health care system, are now on the way to being solved.
Tensions between the rich countries that possess this new Internet and the poor countries that do not have access to the latest technology are at their height. Hackers find countless ways to manipulate and endanger IoT systems, most often without their actions being detected. Since IoT is now everywhere, “cybersecurity” is reduced to simple everyday “security”. The last scenario, “Sensorium, or the Internet of Emotions”, anticipates wearable devices that take control of the user's emotional state, permanently monitoring hormone levels, heart rate, facial expressions, tone of voice… The Internet has become a system for reading emotions, touching the most intimate aspects of human psychology. Individuals can be monitored and manipulated depending on their condition, and the criminals and states that manage to get their hands on these emotional databases profit from them massively and carry out individually targeted blackmail. Cybersecurity has been completely redesigned and redefined: its purpose is now to defend society as a whole, keep databases safe and protect the public image of citizens, privacy having become an emotional and moral matter.

Eric Diehl, Ten Laws for Security, Springer, Cham 2016

Eric Diehl, one of the most renowned French cryptographers, currently based in the USA, provides a genuinely interdisciplinary and intelligent masterpiece. For those used to the direct and fluent style of every article he shares on his own blog, it is a joy to have the opportunity to read an entire volume written in the same spirit. Intended to become a reference for both academia and specialised organisations in this field, the volume contains pragmatic and very suggestive arguments for each of the principles (“laws”) listed below, giving the reader the logic needed to apply this kind of thinking to real-life events:

Law 1: Attackers will always find their way
Law 2: Know the assets to protect
Law 3: No security through obscurity
Law 4: Trust no one
Law 5: Si vis pacem, para bellum (if you want peace, prepare for war)
Law 6: Security is no stronger than its weakest link
Law 7: You are the weakest link
Law 8: If you watch the Internet, the Internet is watching you
Law 9: Quis custodiet ipsos custodes? (who watches the watchers?)
Law 10: Security is not a product, security is a process

Out of this volume, where each “law” would deserve a review of its own, three fundamental elements stand out. The security of a system is measured by its weakest link, the human being, and not by its most advanced one (e.g. the latest generation of security technology). No matter how qualified the “watchers” (custodes) of the system are, they must themselves be constantly checked and controlled by somebody else, both for potential abuse and for the loss of performance that comes with time and routine.
Diehl has saved for the end the most striking argument, which seems a triviality but reflects a principle very seldom applied: security is not a product but a complex process, which requires educated people whose education evolves and who permanently adjust, with the same degree of flexibility and customisation, to the evolution of real threats and technological platforms.

Javier Parra-Arnau, Félix Gómez Mármol, David Rebollo-Monedero, Jordi Forné, Shall I post this now? Optimized, delay-based privacy protection in social networks, in Knowledge and Information Systems (posted November 2016), 33 pp.

Although written in a mathematical spirit and addressed to specialists, this article is relevant to the general public as well.

© Parra-Arnau, Gómez Mármol, Rebollo-Monedero, Forné, Fig. 1

The authors have chosen to begin with all the risks (to security, private life, etc.) of posting on social networks immediately and instinctively, and to continue with a case study inspired by real facts, of very high impact. It concerns a U.S. citizen, a young woman who has just earned a law degree with excellent results. Logically, she is immediately head-hunted by law offices for interviews, and thus starts a story which, fortunately, did not turn tragic. The maiden name of this young woman sounds oriental, of Arabic origin, which in a country such as the United States is not a problem. Furthermore, knowing that she could become a target of attacks based on origin or religion, Isabela has never posted political messages or anything too personal on social networks. She has very clean profiles on all networks, sharing mostly the adventures of her puppy and brief facts about her life. But over the last few years Isabela, a moderate Muslim, has posted heavily around midday during one particular period of the year: Ramadan. This ordinary fact, picked up by the human resources staff of the companies where she applied, made the interviews degenerate into questions about her ethnic origins, with the intent of learning more about her religious beliefs. Luckily, in the end, she was hired anyway.

What the authors actually propose is that users of social networks behave in a way that makes it pointless for profiling tools (big data analytics) to collect information on their activity: the times at which they post, the type and content of posts, the place of posting, the emphasis on personal or religious beliefs, the links with professional activities, etc. For example, by releasing a number of messages evenly throughout the day, so that an analysis over a given period does not reveal anything relevant.

© Standard profile of a social media user during the day (pink) and profile after applying the proposed method (blue). Parra-Arnau, Gómez Mármol, Rebollo-Monedero, Forné, Fig. 2
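As an added illustration (written for this edition; not the authors' algorithm, which the review only summarises), the following Python script shows what “delay-based” protection means in its simplest form: posts written in a narrow midday window are each held back for up to a few hours, so that the hourly profile an analyst sees is flattened, as in the figure above. The greedy rule and the constructed posting times are assumptions made for the example; Parra-Arnau et al. solve the trade-off between delay and privacy as an optimisation problem, which this script does not reproduce.

```python
"""Delay-based flattening of a social-media posting profile. Added example for
this edition: a greedy simplification, not the method of Parra-Arnau et al."""

HOURS = 24


def hourly_profile(post_hours):
    """Posts per hour of day, index 0..23: the 'profile' an analyst would plot."""
    profile = [0] * HOURS
    for h in post_hours:
        profile[h % HOURS] += 1
    return profile


def schedule_with_delay(post_hours, max_delay):
    """Greedy delay-based scheduling. Posts are handled in the order they were
    written; each is released in the hour, at most max_delay hours later, that
    currently holds the fewest already-scheduled posts (ties -> shortest delay).
    Returns the publish hour of each post, in the same order."""
    if max_delay < 0 or max_delay >= HOURS:
        raise ValueError("max_delay must be between 0 and 23 hours")
    load = [0] * HOURS
    published = []
    for h in post_hours:
        delay = min(range(max_delay + 1),
                    key=lambda d: (load[(h + d) % HOURS], d))
        slot = (h + delay) % HOURS
        load[slot] += 1
        published.append(slot)
    return published


def peak_to_mean(profile):
    """How spiky a profile is: the busiest hour divided by the average hour.
    A perfectly uniform profile scores 1.0."""
    total = sum(profile)
    return max(profile) * HOURS / total if total else 0.0


# Constructed sample: 30 posts, all written at 12:00 or 13:00, the kind of
# midday-only pattern the case study describes.
SAMPLE_POSTS = [12, 13] * 15


def demo(max_delay=6):
    """Return the (before, after) hourly profiles for the sample posts."""
    before = hourly_profile(SAMPLE_POSTS)
    after = hourly_profile(schedule_with_delay(SAMPLE_POSTS, max_delay))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before, f"peak/mean = {peak_to_mean(before):.1f}")
    print("after: ", after, f"peak/mean = {peak_to_mean(after):.1f}")
```

With a maximum delay of six hours the two-hour spike of 15 posts each is spread over eight hours with at most four posts in any of them; the price, as the paper's title suggests, is that nothing is posted "now". A longer allowed delay flattens further, a delay of zero leaves the profile untouched.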


Bibliography - Cybersecurity Trends

Ferri Abolhassan (ed.), Cyber Security. Simply. Make it Happen. Leveraging Digitization Through IT Security, Cham 2017 (Springer), 136 pp.

Thomas J. Holt, Olga Smirnova, Yi-Ting Chua, Data Thieves in Action. Examining the International Market for Stolen Personal Information, New York 2016 (Palgrave Macmillan), 164 pp.

This book, published and promoted by Telekom Deutschland, is one of the best for business readers we have come across in recent years. In less than 140 pages, written in a crystal-clear style and full of practical, simple examples, the authors guide any non-technical decision-maker through the basic know-how needed to take a company into a secure digital world. The major strength of the argument is the very necessary insistence that good security is not necessarily expensive and, moreover, does not slow down business processes. The chapters are structured in an interesting way, well thought through for people with limited time: in the first 26 pages almost everything is unveiled, the transition to the cloud, data protection and the rules of cyberspace. Each point is then dealt with in more detail, insisting not only on the trust a company must have in the products and services it buys (and the keys to knowing whether that trust is possible), but also on the constant need to raise employees' resilience through capacity building with numerous learning options (team building, gaming, courses, etc.), including the cyber expertise a manager must have himself. All major topics relevant to business in the digital world are concisely but carefully explained, with a German but also European readership in mind: for example what the Safe Harbour framework is, what the most important EU and German laws and directives are, how to comply with them, etc. The many options for outsourcing security are also detailed, as well as the cases in which such outsourcing is advisable or not.
The last quarter of the book is dedicated to this topic, as well as to the different tricks used to exploit human weaknesses inside the company; a well-chosen combination, since even with “plug and play” outsourced security the company needs a security officer and a trained team of employees. The last pages explain how cyber dangers evolve and how hackers' skills keep growing, urging the reader to act before it is too late. Finally, as in the introduction, the point is made once more that cybersecurity can be understood and dealt with in a simple way: it is neither extremely expensive, nor as complicated as people think, nor hostile to business. On the contrary, an unprepared company will face not only damage and shame but also significant losses, not only from the attackers but also from fines for non-compliance under the new rules and regulations being enforced across the EU in these years.

Even though written in a scientific manner, with an abundance of notes and further-reading recommendations, this volume is an accurate, documented and precise answer for anyone wondering why data, mainly financial data, became so attractive and what their real value is. After a necessary recap of the existing studies in this field, a thriller-style chapter explains in which respects the stolen-data market resembles other illicit markets and in which it does not. An extensive analysis of the pricing of every kind of financial data (from simple credit card numbers, by country, to PIN codes and exploits against money-transfer systems) gives a real indication of how lucrative this business is. The following chapter, dedicated to the economic costs of stolen data, underlines that sellers can make thousands of dollars per transaction almost without risk, while buyers face a totally different problem: they can either make millions or be fooled, depending on a very complex yet classic business system of trust between vendor and buyer, with huge variations in prices and profits according to language, country, economy and other parameters. The authors go on to explain the complex social organisation of the different actors in this illegal market. To sum up, this study, without achieving what nobody can, i.e. estimating the losses to the real economy, is an accurate and detailed immersion into this criminal activity. The complex structure of the different actors and their interaction models, in particular, is extremely interesting for any reader wishing to understand how digital crime works.


George Lucas, Ethics and Cyber Warfare: The Quest for Responsible Security in the Age of Digital Warfare, Oxford 2016

One year after publishing, as editor, the reference volume Routledge Handbook of Military Ethics (2015), George Lucas offers us a complete overview of ethics in the cyber world. It is an amazing text which keeps the reader hungry to know more, page after page, combining a brilliant style with punchy and sometimes cynical assertions and hundreds of real examples that illustrate the discussion. Just as the military now fight mostly against unconventional enemies with different ethics of war, or no ethics at all, the « cyber » domain is another field where states, armies, agencies and also individuals have to reconsider their positions. After depicting the main threats in cyberwarfare, and clearly urging us to see the difference between crime and warfare, the author ironically asks whether there is a role for ethics and law in cyber conflicts, and gives an overview of the main kinds of « ethics » as they exist today: the « Folk Morality », the different legal frameworks, the « Just war theory ». Published just before the revised 2.0 edition of the Tallinn Manual, the book explains why the first Tallinn international law manual failed to reach its goals. The author then switches with talent to the concept he considers fundamental for building any ethical code: a moral point of view. He draws on Greek philosophy to emphasize “If Aristotle Waged Cyberwar: How Norms Emerge from Practice”. Then a vital aspect is debated: laws are not norms. This point is vital because there is today a tremendous confusion in the business sector, where any regulation is considered to be a law. The moral dilemma raised by anonymity vs. privacy is also a central point of the book, with all the problems the two concepts raise, the two being far more antagonistic than allied, contrary to general belief. At the end, he carefully considers the morality and ethics both of the « whistleblowers » and of the NSA and other agencies. In fact, he points out the immorality of both, in their own quest of “being moral”, with a tremendous quote: “And so—like all those who wage war, use deadly force against other human beings, lie, cheat, and steal—Mr. Snowden must be called to account for his actions”. The volume is a must-read for anyone interested in understanding the vital need to enforce at least a minimal dose of morals and ethics in the cyber-field, at least if Europeans still want to claim to be the custodians of democracy, which means duties and obligations both for the State and for citizens, in a moral, ethical and legal framework.

A. Nagurney, S. Shukla, Multifirm models of cybersecurity investment competition vs. cooperation and network vulnerability, in European Journal of Operational Research 260 (2017) 588–600

This extremely careful mathematical analysis proposes one of the first real demonstrations that information sharing on vulnerabilities, even between competitors, is the most effective weapon for building up resilience and, at the same time, recovering badly spent money (invested in the so-called “security competitive advantage”). Setting aside the very complicated equations, the graphics speak for themselves. In all simulations of real situations with real companies, the network vulnerability is considerably lower if companies decide to apply a « Nash Bargaining » (NB) system (i.e. exchanging useful information in a way which is not harmful to their security advantage) than if they use the conventional « Nash Equilibrium » (NE) system, meaning poor sharing or no sharing at all. A third way is also investigated, system-optimization (S-O), in which all the « ideal » cyber-capacities of a company would be maximized. Even in this scenario, the results are worse than those obtained by applying a good and equitable information-sharing model between State and private organizations.

The benefits listed in the conclusions may not seem huge, but combined with increased resilience they show that the collaborative scenario not only works better but even… produces “gains”. An increase as high as US$1.24 million in expected utility was observed for Target and US$1.25 million for Home Depot if NB was employed instead of NE. Increases as high as US$2.61 million for JPMC, US$2.24 million for Citibank, and US$4.25 million for HSBC in expected utility were observed if NB was adopted in place of NE. We have no doubt that this text must become one of the strongest arguments of all the bodies promoting vulnerability disclosure in Europe.

Syed Taha Ali, Patrick McCorry, Peter Hyun-Jeen Lee, Feng Hao, ZombieCoin 2.0: managing next-generation botnets using Bitcoin, in International Journal of Information Security (2017), pp. 1-12

A very new threat… yet maybe a future pandemic. Are you a follower of virtual currencies? Be aware! Some months ago, researchers found out that sometimes even antivirus software has been used to carry… viruses. Now, a recent study unveils a rare yet already known phenomenon: the use of “zombiecoins”. The authors show how a botnet command-and-control mechanism that leverages the Bitcoin network works. The research shows how its authors succeeded in implementing “ZombieCoin bots” and deploying them in the Bitcoin network. The biggest problem underlined is the confidence of Bitcoin users in the system, which makes the whole system (even if hard to attack) extremely attractive for cybercriminals.

The paper has very high value for experts, as it rings the alarm bell on an underestimated yet almost certain future threat, which the authors illustrate with existing examples of abuse of Bitcoin's modus operandi: Interpol researchers recently demonstrated at the Black Hat Asia conference a malware sample which downloads specific coded strings from the Bitcoin blockchain (where they are stored as transaction outputs), stitches them together into one command and executes it…

The book reviews are drafted by Laurent Chrzanovski and do not necessarily express the point of view of the magazine.





Copyright © 2017 Pear Media SRL, Swiss WebAcademy and iCyber-Security. All rights reserved.
Editors: Laurent Chrzanovski and Romulus Maier (all editions). For the iCyber-Security edition: Norman Frankel
ISSN 2559-6136 / ISSN-L 2559-6136
Addresses: Bd. Dimitrie Cantemir nr. 12-14, sc. D, et. 2, ap. 10, sector 4, 040234 Bucharest, Romania. Tel: 021-3309282 / Fax: 021-3309285
Griffins Court, 24-32 London Road, Newbury, Berkshire, RG14 1JX, UK. Tel: +44 800 086 9544

