
CYBER SECURITY SUMMIT MAGAZINE Gibraltar 2017

In association with Royal Gibraltar Police & Check Point


CHECK POINT: ONE STEP AHEAD

Check Point’s innovative solutions keep businesses one step ahead of hackers, cyber security threats and the competition.

CONTACT US

0207 628 4211

uk_marketing@checkpoint.com

checkpoint.com

©2016 Check Point Software Technologies Ltd.



Just a Journey

OF JUSTICE

Welcome to this little big cyber security event. I embarked upon this journey of bringing people together in cyber security to try and join the fight against those that want to do us wrong, and as part of a fight for justice. When I started this journey, it was simply to gather a small workshop for those in Gibraltar that wished to know how to be prepared and armed against the online invaders. That journey evolved into what we see here today. The battle against cybercrime is a journey we are all on. It affects each and every one of us, our livelihoods and our children’s, yet we are stronger together, and thus the theme of the event became ‘People Power.’ In December 2016, together with the Royal Gibraltar Police, we held a press conference to announce this event as the year ended with yet another significant increase in cybercrime with millions of offences, and those were just the ones we knew about. Perhaps it is not until there are more high profile attacks such as the recent crippling effects that WannaCry had on the NHS and Telefonica that we sit up a little more and study our devices that we tip tap on constantly. In just one weekend that breach spread to over 100 countries across the globe. Our world changes by the minute, and in a split second it can change ours. In the few minutes a speaker is on today, according to figures, there will be around 10,000 more victims of a cybercrime.

They will then be on a different journey. But a journey is upon us all in this fight against invaders. As Gibraltar knows only too well - 14 sieges and Gibraltar has remained resolute and resilient throughout. Cannons jutting through the rocks will not deter or defeat this new enemy though. They are a silent and unseen enemy. Like the enemy before they are getting bolder and in so breeds contempt. Their modern bombardments are relentless, they know no boundaries, and constant attempts at brute force entry are unforgiving. I do not know how many of us receive and see real time warnings of the constant failed login attempts to your systems, sites and services, but if you do, you will see attack after attack at your borders. It’s a little like sitting in your living room and hearing an intruder constantly banging on the door & windows to gain entry. Ignorance is not actually bliss. And the summit is just a very small window to look out through to make us much more aware of those trying to get in. Yet it is not one enemy, it is many we cannot see, and they are all looking for an entry point, and they will target anyone to get in. As long as they have a motivation they will always try. A military army would use gold from their war chest to plunder, now it can be achieved for a few dollars, and their prize today is Bitcoins, yet still leaving devastation in their wake. So our Radars have to change.

Gibraltar is known as the Fortress of fortresses; for thousands of years it has been of strategic importance, a key location for war and commerce. Yet as Ian McGrail said to me, it is a small nation that punches above its weight, with self-determination, pride in its reputation and a quest to be one of the safest places to do business in, in what is now a digital world. There is no doubt that the trenches of cyber war have shifted dramatically over the recent years. Together we can make a difference and take a positive step against a sea of sad headlines as millions more become the victims of a cybercrime. However there are many ways for us to enjoy the wonderful online world, and for our children. Which is why I wanted the evening event to be specifically for family protection. Our children’s online journey should be a safe one as the obstacles of misuse lie in wait. There is no end in sight for all of us on this journey, but we can light the fires to keep the enemy at bay. As they did in Gibraltar on the night of 1783, and as those fires raged and the enemy retreated against a sea of flames, the Governor stood, turned to his soldiers and said: “Look around me boys and view how beautiful the rock appears by the light of this glorious fire.”

By Justin Manners, Manners Media / GibCyber / Sincere Cyber Group

In honour and thanks to Superintendent Ian McGrail and Sarah Knight for their incredible support. A special thanks to the team and all those involved for their support, dedication, talent and hard work: Charlotte Sellors, Lorraine Vella, Danny Dresner, Stewart McLean, Stewart Harrison, Stewart Freeman, Darren Locke, Chris Nutt, Fenton Collins, Lynda Woodin, James Kyle, Neil Siner, Paul Smith, Annabel Smith, Pilar Anguita and of course each and every one of our wonderful speakers and sponsors plus the Gibraltar Government and anyone I might have forgotten but you know who you are! And a special thank you to all of you who have attended and we hope to see you again next year. Stay safe.

Cyber Security Mag



Chief Minister LETTER

The dangers of the virtual world are fast becoming a topic of daily conversation, from cyber-attacks targeting banking institutions, health service providers and the networks of large and well-resourced multi-national corporations, to the theft of email passwords of prominent individuals. Whilst the perpetrators of such attacks range from everyday citizens and organised criminals to international terrorists and foreign governments, victims of these crimes are equally diverse; private citizens experiencing identity theft or financial loss, businesses losing intellectual property and Governments and other organisations suffering data breaches. The threat of cyber-crime is growing and so the nature of the cyber threat evolves rapidly. Cyber-security has therefore evolved into being a national priority. Public-private partnerships are now understood to be a vital tool in securing cyberspace. Despite the proliferation of cyber security partnerships over the past decade, there are concerns that existing efforts suffer from ill-defined goals and objectives, a lack of clearly articulated strategy, or a focus on information sharing as a goal rather than a tool. We need to enable greater understanding of the cyber security landscape in Gibraltar and to share and access information, knowledge and expertise in order to detect and mitigate vulnerabilities. The creation of effective partnerships is just one of several measures that Her Majesty’s Government of Gibraltar is keen to develop alongside the Royal Gibraltar Police and other key stakeholders. Such work forms part of Gibraltar’s wider cyber-security framework under the remit of the Gibraltar Contingency Council, which I chair jointly with His Excellency The Governor. This framework also sees us collaborate closely with Her Majesty’s Government in the UK and other UK based agencies.

Fabian Picardo QC - Chief Minister



Governor LETTER

Dear Delegate,

Welcome to Gibraltar’s Cyber (GibCyber) Security Summit 2017 – Gibraltar’s first. And thank you for coming. I guarantee that if you are interested in the flourishing and innovative Digital platform that Gibraltar offers then you are in the right place. Promoting security understanding and best practice in the Cyber Domain is increasingly important to civic, corporate and governmental well-being. I am, therefore, delighted to be associated with this exciting initiative; an initiative that illustrates Gibraltar’s prominence in developing a sustainable model of future prosperity for us all to share. As part of Gibraltar’s ‘Smart Rock’ approach to the future, this Summit aims to advance collective understanding of how a Micro Jurisdiction can best develop and sustain a globally-connected and locally-federated platform for a variety of Cyber enterprises. To this end, the Summit, in step with the UK’s wider Cyber Security Strategy, has three overarching themes:

· To enhance our understanding of the global opportunities and challenges that civic, corporate and governmental institutions face in the Cyber Domain.
· To lay the foundations of a ‘community of partners’ that is committed to optimising the relevance, robustness and resilience of Cyber enterprises.
· To nurture Cyber good governance and interdependent preparedness.

And, in doing so, underscore the Chief Minister’s intent for Gibraltar to become a beacon of Digital excellence in an increasingly volatile world. Finally, at the outset of the Summit may I, first, congratulate and thank the Summit’s Sponsors and Organisers. Their ambition, generosity and hard work have set the Summit up for success. We are all most grateful.

Second, I would like to contend that, ultimately, the Cyber Domain will only realise its full potential if we transform our individual security behaviours, institutional security culture and social security responsibility in tandem with the game-changing technological advances that are now so profoundly apparent. So, let us all start this first Gibraltar Cyber Summit as we mean to continue: believing, partnering and sharing. I wish you all a superb Summit.

Very respectfully, Ed Davis - Governor of Gibraltar & Commander in Chief



You’re in good company

THANK YOU TO ALL FOR ATTENDING THE GIBRALTAR CYBER SECURITY SUMMIT. HERE ARE JUST SOME OF THE COMPANIES AND ORGANISATIONS REPRESENTED TODAY...

GibCyber

Isle of Man Government

Benady Cohen & Co Ltd

CISP

Lithuanian Cybercrime Center of Excellence for Training, Research & Education

Gibraltar International Bank

States of Jersey Police / Mykolas Romeris University

JSC “Ekonomines konsultacijos ir tyrimai”

Markom Directors (Gibraltar) Limited

Borders and Coastguard Agency

Capital Trustees Limited

Royal Gibraltar Police

Gibraltar International Airport

STM Group Plc


Gibraltar Electricity Authority

Marina Dominguez Steglich

Manners Media

HMGOG

STM Fidecs

Check Point

Gibraltar Port Authority

Payoneer (EU) Ltd

Jenny Radcliffe Training

Office of Fair Trading

Transact Payments Limited

Trend Micro

Northumbrian Water

Abacus Financial Services Ltd

Darktrace

Sapphire Networks

Turicum Private Bank

ZoneFox

Triay and Triay

Pentest Partners

Gibraltar Financial Services Commission

MH Bland & Co Ltd

NCA

Mediterranean Computers

Gibtelecom

Ladbrokes International PLC

Fairhomes Gibraltar ltd

The Anti Social Engineer

Gibraltar Stock Exchange

AquaGib Ltd

Callaghan Insurance Brokers

JALARO Associates Ltd

Blackfriars Insurance Brokers Ltd

SBL

Tradewise Insurance Company Ltd

Centurion Administration Limited

Advantage Insurance Company Limited

Jersey Police

Guernsey Police

Hassans

Cordery

Check Point

(ISC)², Inc.

Novae

Lloyds of London

Securitek

Jebel Tarik Security

Governor of Gibraltar

Centro Coaching

NatWest

888.com

Spectra Media

Collingwood Insurance Company Limited

Deloitte Limited

Haven Insurance Company

ISOLAS

Capurro Insurance & Investments Ltd

Sycomp

Finsbury Trust & Corporate Services Ltd

Red Sands Insurance


Steadfast Corporate Services

Robus Group

NCSC

Jard Secretaries Ltd

Bayside School

Carboni Jardim & Co

Robus Risk Services (Gibraltar) Limited

SENTER Project, Mykolas Romeris University

Companies House Gibraltar

Government of Jersey

Newton Systems Ltd

York Ltd

Guernsey Border Agency

Bassadone Automotive Group

Gibraltar Insurance Institute

Westside School - Cyber Challenge

Bland Group International

Childline

Please note that the above delegate list is just some of those attending and was devised before going to print in May.



Smart Prevention

EXPECT THE UNEXPECTED

The political world is currently dominated by binary decisions, with voters asked to choose between diametrically opposed views. In the security industry, the choice between prevention and detection has often been presented in a similar way – almost as a philosophical choice of approach.

When organisations first heard the ‘not if, but when’ mantra from technology vendors, some chose to place a disproportionate number of security eggs into the detection basket. But as attackers have become increasingly creative, reaching corporate resources with ever-more complex attacks, enterprises are drowning in detected issues – let alone those they do not know about. A recent study from the Ponemon Institute stated that over 90% of enterprises have vulnerability backlogs of up to 5,000. An over-reliance on detection is not working.

So why did faith in prevention falter? Zero-day and advanced persistent threats emerged that could bypass traditional security controls such as AV, which relied on having seen a threat before. These controls could only catch what they expected to see. At the same time, evasive malware rendered many sandboxing solutions ineffective, as well as fruitlessly and frustratingly slowing down business.

BT and Check Point have always maintained that effective cybersecurity should never be a binary choice between prevention and detection. Both capabilities form part of a well-designed, layered cybersecurity strategy. But we have also both argued the case for a proactive rather than passive approach.

Now, through our continuous innovation, enterprises can implement and maintain proactive protection that eliminates even unknown and highly-camouflaged threats - before they reach users. With smart prevention, organisations can now confidently expect the unexpected.

‘As the risk of digital crime grows, I believe businesses must be proactive’ – Sir Michael Rake, Chairman, BT Group Plc

A PROACTIVE APPROACH GIVES ORGANISATIONS BACK THE UPPER HAND

Board members are now more aware of the increased threat of cyber-attack. In a BT and KPMG study of 2016, 73% of respondents said digital security was on the agenda of board meetings at least quarterly, if not more frequently. But in our experience many executives still fail to understand how every aspect of their business now relies on IT, and that, as a complex, interconnected digital ecosystem, organisations are at risk from one cleverly crafted, highly-targeted email with a malicious attachment.

Perhaps this is why so many attacks still take businesses by surprise. When the German Federal Office for Information Security revealed that an unnamed German steel mill had experienced ‘massive damage’ following a cyber-attack, there was apparent disbelief. It was reported that hackers had infiltrated the company’s corporate network with a phishing email that tricked employees into opening a malicious attachment. Once the malware was installed, the attackers were able to move laterally within the steel mill’s IT systems - damaging the production network so that a blast furnace could not shut down, causing significant material damage. At the time a digital expert said: ‘We do not expect a steel plant to be connected to the internet and to be hackable - that is quite unexpected.’

Every business is a potential target and must take a proactive approach to counter the loss of data that has increased by 400% in the past three years. In the case of the unsuspecting German steel mill, we do not know if the malware embedded in the email attachment was known or unknown; but with our latest prevention solution this is immaterial, as Check Point and BT work together to help organisations expect the unexpected.



Those of us on the front lines of enterprise security see the reality of modern hacking techniques, where anti-virus solutions are becoming less dependable against these newer threats.

It is critical not only to do the best job possible detecting the latest malware, but also to respond rapidly as events occur.

By preventing more attacks from reaching our users, and then empowering our team to quickly contain threats before they can impact operations, we allow our highly mobile workforce to manage their business with confidence.

Michael Brine, Infrastructure Manager, Community Newspaper Group

NEW PREVENTION CAPABILITY WITH BT AND CHECK POINT

In addition to getting the basics right to counter known threats, organisations need to enhance their prevention capabilities to manage the risks of threats they have not seen before. Attacking with unknown malware increases the likelihood of success for cybercriminals, who need fewer attempts to yield greater results. Even a slight modification to existing malware creates a new, unknown variant that could evade AV solutions. With nearly 12 million new malware variants being discovered every month, more new malware has been discovered in the past two years than in the previous 29 years combined. In the case of the German steel mill the impact, if not immediate, was obvious – but this is not always the case. Statistics show that in some cases, organisations take an average of 256 days to detect a breach, by which time it is far too late to take positive action and reduce the impact. Managing the risk of new, unexpected malware will require organisations to do things differently, particularly as malware continues to target the files we trust and work with every day, such as PDF, Flash, or Microsoft Office.

These files form the lifeblood of many businesses and hold much of their most sensitive data. But whatever solutions organisations choose to enhance prevention, they do not want to repeat the common frustrations with traditional sandboxing that introduce unacceptable delays to file delivery, or let potential threats through while evaluating files. One of the priorities for any prevention solution must be fast, secure delivery of content that businesses can trust. BT and Check Point are delivering this by combining the most granular CPU-level exploit detection with expert human analysis. In this way, we can expose and help action the most unexpected and camouflaged threats before they enter your network - without slowing down or disrupting users.

BECOME A MOVING TARGET WITH CHECK POINT AND BT

Preventing attacks before they damage an organisation and creating a unified security architecture to simplify and harden security is a must in today’s threat landscape. As we have discussed, a mature security strategy will integrate smart prevention with detection and response to maximise every penny of security investment.

Analysts now advise that organisations seek technology solutions that not only integrate but also fulfil multiple criteria to reduce complexity. One additional benefit of the latest prevention solutions is that they can also be used to rapidly uncover existing vulnerabilities and - in the case of Check Point’s SandBlast solution – deployed to accelerate incident response. Organisations can use the actionable forensics data that the solution collects on user systems to establish a detailed understanding of the attack flow, malware entry points and the scope of the incident. Add human enrichment to this from BT’s expert analysts and you can achieve a contextual, prioritised view to give you practical next steps. BT and Check Point are working with organisations to develop a multi-layered approach to security - making it harder for criminals to operate before, during and after an attack. With Check Point and BT providing a partnership of technology and skills to disrupt attacks before they happen and proactively protect your most important assets, your organisation will become a moving target for cybercriminals. To find out more about how working with BT and Check Point can help your business benefit from integrating smart prevention with detection and response, please call +44 (0) 207 628 4211.

By Aatish Pattni, Check Point and Luke Beeson, BT



Smile!

YOU’RE ON CAMERA

Every day, we’re surrounded by cameras and microphones. It’s not just those on our smartphones and laptops anymore. It’s smart TVs, CCTV cameras, conferencing systems, and virtual assistants like Amazon’s Alexa. Many of these devices are recording even when you think they’re off, so they collect audio and video footage 24/7. Unfortunately, these are among the most vulnerable devices in the IT world. The Mirai botnets responsible for the largest DDoS attack in history have reportedly taken control of 300,000 devices worldwide. Most of them are cameras and video recording equipment.

So why is video equipment so vulnerable? In short, they were manufactured for mass production and quick time-to-market, not security. After the Dyn DDoS attack, Chinese company Xiongmai vowed to recall up to 10,000 webcams. Devices like these use default usernames and passwords like “admin” and “password”. And in many cases, they’re designed so that users can’t change the password. The scale of this vulnerability is giving way to a new threat type: ambient surveillance, where you are potentially watched all the time as you move around the world.

But this begs the question: who would want to do such a thing? What would they have to gain by listening to my meetings for hours? Why would a hacker want to watch my face staring at a computer screen? Because it’s profitable. The rapid development of AI means that ambient surveillance is increasingly becoming a viable way to penetrate business environments and engage in corporate espionage and ambient data theft. In the past, attackers would have to go through victims’ video or audio footage manually to look for something of value. But AI techniques will automate the process. Attackers will be able to train malicious software to know what to look for – to understand what it hears and sees. In other words, infected machines will be able to sift through all the boring stuff to find the diamond in the rough – recognizing faces, images, and words along the way. Without disrupting normal functions, conferencing systems could quietly listen and extract the most valuable information, like discussions of illegal activity, quarterly earnings, negotiations, or preparation for mergers and acquisitions.

This isn’t just a hypothetical. Recently, Darktrace observed a law firm’s videoconferencing unit behaving strangely. It was transmitting large volumes of data to rare external IPs. The camera was being accessed remotely, allowing the attacker to essentially live stream images and sound. The worst part? The conference room was used for the most important board and customer meetings. Sensitive information was discussed daily, and the attacker had access to all of it. This case involved sending large streams of data to the attacker’s server. But soon, cyber-attacks will only send back the most relevant information. By leaking only tiny fragments, these attacks will be much harder to detect. In the movies, we see gangsters and spies lock their phones away before discussing sensitive topics. But in an era of widespread IoT we need to do something cleverer than hiding from our devices. Ambient surveillance is just one of many new techniques that modern attackers will add to their arsenal.

By Dave Palmer
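One way to catch the behaviour the case above describes (a conferencing device pushing large volumes to an external IP it has rarely contacted), written as an added Python example that is not Darktrace's code; the flow records, device names, and thresholds are constructed, and the RFC 1918 test for "internal" is an assumption about the network.

```python
"""Added example, not from the Darktrace article: flag a conferencing or camera
device that starts sending unusually large volumes to an external IP it has
rarely contacted. All flow records below are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed flow records: (device, destination IP, bytes sent), in time order.
# The documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for
# real internet addresses here.
FLOWS = [
    ("conf-room-cam", "10.0.0.5", 2_000),             # internal controller
    ("conf-room-cam", "203.0.113.10", 40_000),         # vendor cloud, routine check-in
    ("conf-room-cam", "203.0.113.10", 42_000),
    ("conf-room-cam", "203.0.113.10", 38_000),
    ("conf-room-cam", "203.0.113.10", 41_000),
    ("conf-room-cam", "203.0.113.10", 39_000),
    ("laptop-7", "198.51.100.20", 5_000_000),          # a user's ordinary upload
    ("conf-room-cam", "198.51.100.77", 850_000_000),   # new destination, huge volume
    ("conf-room-cam", "198.51.100.77", 900_000_000),   # the stream continues
]

# Assumption: RFC 1918 ranges are internal; everything else counts as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_rare_exfil(flows, max_prior_contacts=1, volume_factor=10, min_history=3):
    """Alert when a device sends to an external destination it has contacted at most
    max_prior_contacts times before, and the volume is more than volume_factor times
    the device's typical external flow. The baseline is a median, so one huge flow
    does not lift the threshold for the flows that follow it."""
    contacts = defaultdict(lambda: defaultdict(int))   # device -> dest -> flows seen so far
    ext_history = defaultdict(list)                    # device -> bytes of earlier external flows
    alerts = []
    for device, dest, nbytes in flows:
        if is_external(dest):
            history = ext_history[device]
            prior = contacts[device][dest]
            if len(history) >= min_history and prior <= max_prior_contacts:
                typical = median(history)
                if nbytes > volume_factor * typical:
                    alerts.append({"device": device, "dest": dest, "bytes": nbytes,
                                   "typical_bytes": typical, "prior_contacts": prior})
            history.append(nbytes)
        contacts[device][dest] += 1
    return alerts


if __name__ == "__main__":
    for alert in detect_rare_exfil(FLOWS):
        print(alert)
```

On the constructed data the two flows to 198.51.100.77 are flagged while the routine vendor check-ins and the laptop's upload are not; in practice the baseline would be built per device over days of flow logs rather than a handful of records.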



Behind Gibtelecom’s great network infrastructure you’ll find resilient global partnerships.

Connecting businesses around the world is at the heart of what we do.

As an established player in the carrier world, we provide tailored solutions across various sub-sea and terrestrial cable systems in order to meet requirements of international enterprises and carriers alike. Gibtelecom prides itself on being big enough to do business, but small enough to care. Why not put us to the test? www.gibtele.com

- Global reach
- Highly resilient network
- Secure data centres with redundant power, cooling and connectivity
- Agility and flexibility for optimum service delivery
- Dedicated 24/7 engineer support






What is the Value

IN A PROFESSIONAL AWARDS PROGRAMME?

(ISC)², the world’s largest nonprofit membership body of certified cyber, information, infrastructure and software security professionals, has just launched its Information Security Leadership and Achievement Awards (ISLA). We are asking everyone in the industry to consider nominating colleagues working within the EMEA cybersecurity community who have achieved something that should be recognised.

People can be skeptical about award and industry recognition programmes. Some are accused of being developed to attract sponsorship or attendee income. I was even up for a series of awards in the public affairs sector last year that had 80 shortlisted nominees! However, there is a real need for more recognition in information security, a sector that I have supported as a public relations professional for nearly fourteen years. One of the first things I came to appreciate in this community was that success came with silence. It was in making sure that nothing happens that a security professional was judged to be doing their job. It was difficult for many to comprehend the effort that went into this, let alone value it. Today, much has moved on. Cybersecurity risks are better recognised, but not necessarily the effort and unseen duck paddling that goes into the battle to face them. How well do the people relying on your efforts really understand what you do? It’s time to break the silence, debunk the myths and stereotypes and start celebrating what cyber and information security professionals do to achieve progress and assure success.

The (ISC)² ISLAs have just four categories, enough to spotlight good work at various levels of practice, and will be an added dimension for our Secure Summits, allowing us to independently celebrate good work within an existing community event. The EMEA ISLAs are the only EMEA-wide awards that give the professional cybersecurity community a credible opportunity to recognise their peers, while providing notable exposure from the world’s largest nonprofit professional organisation in our field. This is truly a unique opportunity to nominate fellow information security and management professionals who go the extra mile to enhance the security workforce throughout the private and public sectors in the region. It would be a genuine shame not to take it. The nominee could be a well-known figure, a stand-out leader, or equally, an unsung hero working tirelessly in the background.

NOMINATIONS AND AWARDS CATEGORIES

Consider nominating the information security professionals who have distinguished themselves under specific projects, programmes and initiatives in the following categories:

- Senior Information Security Professional – someone who has significantly contributed to the enhancement of the information security workforce by demonstrating a leadership role in any information security workforce improvement initiative, program or project. Candidates in this category typically should have at least five years of work experience directly related to information security.
- Information Security Practitioner – an individual who has distinguished themselves for implementing and/or managing the implementation of a component of a security program. Candidates in this category typically should have at least three years of work experience directly related to information security.
- Up-and-Coming Information Security Professional – a person who is a new, rising star in the information security field. The project, improvement or initiative may not relate to leadership as with the other categories, but rather something that relates to their current position or education.
- Woman Information Security Professional – a female who, through her work and commitment, has contributed to women’s representation in the profession and raised awareness to encourage vocations among women. Candidates in this category typically should have at least three years of work experience directly related to information security.

Nominations are open between 12th June and 12th July, and can be submitted via the (ISC)² Global Awards Programme nomination portal. Submissions will be judged by members of the Europe, Middle East and Africa Advisory Council (EAC).

THE AWARDS CEREMONY

The prize giving will be hosted at the (ISC)² Secure Summit UK in London in December, with shortlisted nominees from outside the host country sponsored to attend the evening ceremony. Why not show your appreciation for achievement that has impressed you, as we shine a spotlight on and celebrate the tremendous amount of talent in this region. We are looking forward to hearing from you. To find out more about the awards and how to nominate, visit the official (ISC)² EMEA ISLAs page.

By Lyndsay Turley



Password Crack Game

FOR THE PURPOSES OF THIS PASSWORD CRACKER GAME SOME OF THE SPEAKERS WILL GIVE OUT CLUES WITHIN THEIR SPEECHES/PRESENTATIONS, SO YOU WILL HAVE TO STAY ALERT TO SPOT THEM, AND THEY WILL EVENTUALLY SPELL OUT A HIDDEN PASSWORD… The endgame will be for the delegates to rearrange the first letter of the clues given to CRACK the password. This forms an anagram and if your table thinks you have cracked it, simply use the social screen - Go to www.sli.do – Enter Event Code: GIBCYBER – and type your answer with your table number (further details on the social screen interaction page).

KEEPING YOUR PASSWORD AND PASSWORD RECOVERY SAFER: Interactive sites will have a standard Password Recovery service. This service is activated by a nominal set of questions that you set up when you first log on to the website. These include:

- What is the first and last name of your first boyfriend or girlfriend?
- Which phone number do you remember most from your childhood?
- What was your favourite place to visit as a child?
- Who is your favourite actor, musician, or artist?
- What is the name of your favourite pet?
- In what city were you born?
- What high school did you attend?
- What is the name of your first school?
- What is your favourite movie?
- What is your mother’s maiden name?
- What street did you grow up on?
- What was the make of your first car?
- When is your anniversary?
- What is your favourite colour?
- What is your father’s middle name?
- What is the name of your first grade teacher?
- What was your high school mascot?
- Which is your favourite web browser?

A large majority of the answers to the top 18 recovery questions sit on open-source web sites and can easily be found by anyone who has an interest in you or your company. You place the information there freely yourself and do not know you are doing it. Look at your Facebook and LinkedIn profiles and you have already given the answers to most of the password recovery questions. All of the answers to the recovery questions you have supplied sit in a password/recovery repository. This can be confirmed when you try to reuse a password or answer you have used before: you will be prompted to choose a password or recovery answer that you have not used before. This is not magic; the information is being checked against your previously uploaded information. The most common sites that will ask you to set up recovery information are e-mail accounts, application stores, social networking sites, online stores, and personal and company banking.

From experience, the most common security question is ‘What is your mother’s maiden name?’ The second most common I’ve seen is ‘Name of your favourite childhood pet’. Another top question is ‘Where were you born?’ I would recommend that you make up original questions if you are able to, at least for important sites. Also, remember that if someone gets into a low-security web site of yours, it gives them a toehold to gain access to your more secure ones.

WHAT CAN WE DO TO MAKE IT HARDER FOR HACKERS TO GET OUR INFORMATION? Think more securely when answering the recovery questions: make up as much as you can remember, and try not to use the information that is on your open-source web sites. Use hexadecimal or alphanumeric strong passwords. One of the best ways to strengthen passwords is mnemonics: use a phrase that you can remember and use the first letter of each word as your password: My - Dog - Is - 12 - Years - Old - And - His - Name - Is - Barry. The password is then MDI12YOAHNIB. This strengthens your password, gives you a fighting chance, and makes the hacker work harder.

By Stewart Freeman
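The two mechanisms the page describes, the first-letter mnemonic and the repository that refuses a recovery answer you have used before, as an added example that is not part of the original article. It builds the article's own password from its phrase, estimates the alphabet a blind search would have to cover, and keeps keyed hashes of past recovery answers so reuse can be refused without storing the answers in clear. The keyed-hash approach and the sample phrases and answers are this example's assumptions, not the author's.

```python
"""Added example, not from the magazine article: derive a mnemonic password the
way the article describes, estimate what a blind search against it must cover,
and refuse a recovery answer that has been used before (the repository check
the article says sites perform). Sample phrases and answers are constructed."""
import hashlib
import hmac
import math
import os
import re
import string
from typing import Optional, Set


def mnemonic_password(phrase: str) -> str:
    """First letter of each word; a whole number in the phrase is kept intact,
    so 'My Dog Is 12 Years Old And His Name Is Barry' gives 'MDI12YOAHNIB'.
    Separators such as the article's ' - ' are ignored."""
    parts = []
    for token in re.findall(r"[A-Za-z0-9]+", phrase):
        parts.append(token if token.isdigit() else token[0])
    return "".join(parts)


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, judged from the character
    classes actually present (upper, lower, digit, punctuation)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def brute_force_bits(password: str) -> float:
    """Upper bound on a blind search, in bits: length x log2(alphabet).
    The sentence behind a mnemonic is not recoverable from the string, so this
    is only the work a search over the final characters must do."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


class RecoveryAnswerStore:
    """Keeps keyed hashes of earlier recovery answers so reuse can be refused
    without holding the answers in clear. Answers are normalised (case and
    spacing) before hashing. One key per store is an assumption of this example;
    a real service would add a per-user salt and a slow hash for such
    low-entropy values."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else os.urandom(32)
        self._seen: Set[bytes] = set()

    def _tag(self, answer: str) -> bytes:
        normalised = " ".join(answer.lower().split())
        return hmac.new(self._key, normalised.encode("utf-8"), hashlib.sha256).digest()

    def register(self, answer: str) -> bool:
        """Store the answer's tag and return True, or False if it was used before."""
        tag = self._tag(answer)
        if tag in self._seen:
            return False
        self._seen.add(tag)
        return True


if __name__ == "__main__":
    pw = mnemonic_password("My - Dog - Is - 12 - Years - Old - And - His - Name - Is - Barry")
    print(pw, charset_size(pw), round(brute_force_bits(pw), 1))
    store = RecoveryAnswerStore()
    print(store.register("Barry"), store.register("barry "))
```

Run stand-alone it reports that the article's 12-character password draws on a 36-symbol alphabet (upper case and digits only), about 62 bits for a blind search, which is why mixing in lower case or punctuation in the phrase helps; the store then accepts "Barry" once and refuses it on the second attempt even with different case and spacing.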



Cyber Risk and Reward
Do your ambitions include taking advantage of all that the digital economy has to offer? You may already appreciate cybersecurity is fundamental to your success. The next step is to deepen your understanding of the task ahead: how your business is evolving; the tech innovations to help you get there; and who is accountable for the risks. (ISC)2 has been certifying the professionals with that deep understanding for 27 years. With over 120,000 certified members across the globe, we have a world of experience, the documented knowledge, and a professional community to apply to your ambition. Would you want anything less? The largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals, (ISC)2 assures the competency needed to inform decisions for your whole organisation, from the Board to the front-lines. We are the organisation behind the world-leading Certified Information Systems Security Professional (CISSP)® and the new Certified Cloud Security Professional (CCSP)®*, fast becoming one of the most demanded professional credentials in the industry. *Developed in partnership with the Cloud Security Alliance.

Understand which (ISC)2 Certified Professionals are right for your ambitions.

Reap the Reward. www.isc2.org © 2016 (ISC)2, Inc. All rights reserved.


Social Engineering?

DOES THE ANSWER LIE IN PEOPLE POWER? In the security industry, people are often referred to as ‘the weakest link’ and nowhere is this more prevalent than when we are discussing social engineering.



Memorably, Kevin Mitnick, one of the most well-known and notorious social engineers in the world, spoke about there being ‘no patch for stupidity’, and amongst industry professionals we are all acutely aware that our best-laid plans and most sophisticated systems can be easily waylaid by the careless or malicious actions of a single human being.

As an ethical social engineer, I have learnt how to manipulate and fool, to persuade and cajole, influence and convince, so that I could demonstrate weakness, replicate malicious attackers, and help companies patch up the vulnerabilities in their ‘protein-based assets’. I have seen, first hand, how easily human beings can be led to talk too much, trust too much and ‘open the company kimono’ to attackers of all types, for all sorts of reasons. People have the power to bring down organisations through the details they know about them. They seldom understand that criminals can use even small pieces of information as a route into breaching their organisations. Whatever harm is caused on the way - loss of individual privacy, dignity, security and money - constitutes collateral damage.

However, people also have strength, resilience, and an incredible capacity to adapt and grow. It’s not news that people can be conned, scammed and fooled, and all of us are occasionally ‘stupid’. But neither should it be news that people can form an effective part of organisational - and even society’s - defence architecture as well. Informed and aware people can work alongside technical defences to slow down or stop human-based attacks in their tracks. When people know about the threat of social engineering scams in whatever form, they are better placed to prevent, measure and mitigate than almost any other warning system, because people, when energised and alert, are a powerful and magnetic force for change. And change is needed when it comes to spotting and reporting cyber crimes.

Protecting against social engineering is a good first step in creating secure individuals, workforces, and communities, because it is an attack vector that is easy to understand. Human-based attacks are often linked with more technical threats, and whilst we need to raise awareness of all types of attack, the human side has a better story. It is easier for people to picture a con artist and understand how they operate than to picture the structure and consequences of an intangible technical hack. ‘People hacking’ is a good place to start on the journey of awareness and security.

For security professionals to really fuel the ‘people power’ to protect against social engineering, we need to do a few things as an industry. We need to give individuals personalised and relevant information about the type and nature of the social engineering attacks that they might come across, and inform them what they need to do and how to report it. We need to stop blaming people for falling for tricks, cons and scams, giving them more incentive to be suspicious and to easily report near misses and suspect behaviour. Finally, we need to hand the baton to the masses to both observe and report ‘human hacking’, because they really are the ones who can do it best. Inform, empower and then step back. Let the people lead.

Social engineering is an attack on people. Anyone can be a target, because everyone has information that is of some use to someone, somewhere. Protecting ourselves against these attacks is the responsibility of us all. This is not something that can be passed on or over. It has to be a responsibility shared by individual, by organisation, and even by society. The industry needs ‘people power’ if we are ever going to succeed in stopping attacks. We have to mobilise the troops and get eyes and ears, millions of them, open and alert to the dangers. Without this mass vigilance and widespread observation, we have little hope of stopping cyber attacks, but with it we have every chance of slowing them down and draining them of energy. Whilst the actions of a single human may well be able to bring down a fortress, that same single human might well protect millions.

Empowering the people is really what security is all about. Let’s get on with it.


By Jenny Radcliffe.


Getting Social

SCAN TO CONNECT

As the theme of the event is ‘People Power’, we have brought a plethora of the good and the great to speak to you today. To ensure the colourful and engaging summit that it aims to be, a day of pace as well as engagement and empowerment, there will be little time for questions directly after each speaker, so we have provided a social wall for you to pose your questions. As well, of course, as talking to speakers personally, your questions will be answered through the day on the social walls, and over the forthcoming days by speakers responding to delegates’ questions.

TWEET USING THE HASHTAG #gibcyber TO SEE YOUR POSTS ON THE WALL. GET SOCIAL AND GIVE IT A GO!

The Social Walls collect and display all the social media interaction using the hashtag #GibCyber. Show us your best photos, posts or videos of the day from your phone, tablet or laptop on Twitter, Facebook, Instagram and YouTube. Join in and ask questions with Slido. You can also join in with the polls we will have throughout the day. 3 steps: Open your browser – Go to www.sli.do – Enter Event Code: GIBCYBER. Throughout the day, you will hear clues from speakers and on the social screens to an anagram in the password quiz (further details on the Password Crack page), so together with your table team you can try solving it. You’ll know when the clues are given because there will be a sign (look out for them). When you solve the anagram, use Slido to send us your answer with your table number. Good luck and enjoy!

SUMMIT AGENDA
FOR INTERACTION – NETWORKING – BRAIN PICKING, KEY SPEAKERS WILL MOVE FROM THEIR TABLE TO ANOTHER TABLE AFTER EACH BREAK.
REGISTRATION 8am until 9am. Boarding gates close at 9am.
SUMMIT starts at 9.15 in the main hall. Genre – Human Nature and Social Behaviour
Coffee and Comfort Break 11.30am
12 o’clock until 2pm: Genre – Cops and Robbers
3pm until 4 ish: Local & Global
Refreshing Break
4pm til 5ish: Genre – Sharing – People Power
End. After drinks and networking

By Stewart McLean. Digital Strategist Manners Media / Gibcyber





Monetizing your information
THE EVOLVING TRANSNATIONAL CYBER CRIME THREAT AND CRIMINAL UNDERGROUND MARKETPLACE
United States Secret Service

It is probably safe to assume that anyone reading this has bought or sold a good or service on popular e-commerce sites such as eBay, Craigslist or your local community Facebook page. More so, according to financial analysts, e-commerce sites are slowly but surely becoming the death knell for traditional brick-and-mortar retailers. Unfortunately, this legitimate business model has been copied and used extensively in the criminal underground by transnational cyber-crime actors. Transnational cyber crime has steadily evolved over the past 20 years, requiring continued adaptation to strategically counter this threat. In the late 1990s and early 2000s, websites like Carder Planet and Shadow Crew were established to coordinate transnational cyber-crime activity that predominately involved the buying and selling of stolen credit and payment card information. Worldwide financial and payment systems were, and remain, the natural target for much of this illicit activity - for the simple reason, as the bank robber Willie Sutton was once reported to have quipped, ‘That’s where the money is at.’ Verizon’s recently published annual data breach investigations survey reported that 73% of bad cyber actors were financially motivated.

While it is true that the modern-day Willie Sutton is increasingly using cyberspace to exploit financial payment systems, it would be short-sighted to think that financial transaction information is the only thing that can be monetized in the criminal underground marketplace. Criminals have reinvested their illicit proceeds to develop formidable criminal enterprises, and facilitated the development of a robust underground for a wide range of cybercrime services, enabling a wide range of illicit cyber activity. For example, the U.S. Secret Service has seen an increase in Business Email Compromise (BEC) schemes - a payment fraud that involves the compromise of legitimate business e-mail accounts for the purpose of conducting an unauthorized wire transfer. In most cases, after the actors compromise the legitimate business e-mail accounts through social engineering or malware, they conduct reconnaissance to review the business’s legitimate e-mail communications and travel schedules.

Sometimes actors have auto-forwarded e-mails received by the victim to an e-mail account under their control. This reconnaissance stage lasts until the actor feels comfortable enough to send wire transfer instructions using either the victim’s e-mail or a spoofed e-mail account that is controlled by the actor. A business of any size in any industry can become the unwitting victim of a Business Email Compromise (BEC). So it is important to institute not only security controls but operational controls (like verifying a change in payment instructions to a vendor or supplier by calling to verbally confirm the request, and requiring dual approval for any wire transfer request involving a dollar amount over a specific threshold).

A private citizen can become the victim of a ransomware attack. How much bitcoin are you willing to send a cyber actor to decrypt your family photos? As a hospital administrator, how much do you think your patients’ medical records containing personally identifiable information (name, social security number, date of birth) are worth on the criminal underground? As a result of the growth of the cybercriminal underground, along with the amount of data that can be monetized, Cybercrime-as-a-Service (CaaS) or Malware-as-a-Service (MaaS) has logically followed suit. The U.S. Secret Service has seen an increase in Russian-speaking (non-state) hackers selling Malware-as-a-Service (MaaS) because it is lucrative, there is a market for it, and the risk is very low. The market is those criminals who are good at committing fraud but may not have had the ability in the past to create malware themselves. Exploit kits that steal credit card information, crack passwords or harvest credentials can be bought for the right price, lowering barriers to entry for those criminals who are not adept at writing code. By lowering the barrier to entry, anyone with rudimentary knowledge can suddenly use ‘top notch’ malware to steal, hold files for ransom, or cause general havoc.

What steps can individuals and businesses take to mitigate their risk of breach or attack in the face of these threats? Education is the key. The main target vector is phishing emails (particularly spear-phishing of targeted companies) and looking for weaknesses due to bad cyber hygiene. The Secret Service recently published a cyber hygiene document that can be found on the Secret Service website at http://www.secretservice.gov/forms/Cyber-Hygiene.pdf. In addition, this document discusses the current trends surrounding ransomware and business email compromises (BEC).
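The two operational controls the article recommends against BEC, a verbal call-back when a vendor's payment instructions change and dual approval above a dollar threshold, as an added example that is neither the article's nor the Secret Service's own material. It models a release check that a payments team could run before an outgoing wire; the vendor name, account identifiers, approver names, the 10,000 dollar threshold and the separation-of-duties rule (the requester cannot count as an approver) are this example's assumptions.

```python
"""Added example, not from the article or the U.S. Secret Service: a release
check for outgoing wire transfers encoding the two operational controls the
article recommends against Business Email Compromise. Vendor names, account
identifiers, approvers and the threshold are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

DUAL_APPROVAL_THRESHOLD_USD = 10_000  # constructed policy value


@dataclass
class WireRequest:
    vendor: str
    amount_usd: float
    beneficiary_account: str   # account the (possibly spoofed) e-mail asks us to pay
    requester: str             # staff member who entered the request
    approvers: Set[str] = field(default_factory=set)
    # True only when someone rang the vendor on the number already on file,
    # never on a number supplied by the e-mail that changed the instructions.
    verified_by_callback: bool = False


def evaluate_wire(req: WireRequest, accounts_on_file: Dict[str, str]) -> List[str]:
    """Return the reasons the transfer must be held; an empty list means release."""
    holds: List[str] = []

    on_file: Optional[str] = accounts_on_file.get(req.vendor)
    instructions_changed = on_file is None or on_file != req.beneficiary_account
    if instructions_changed and not req.verified_by_callback:
        holds.append(
            f"beneficiary account for {req.vendor} differs from the account on file; "
            "confirm verbally on the vendor's known number before release"
        )

    if req.amount_usd > DUAL_APPROVAL_THRESHOLD_USD:
        # Separation of duties (an assumption of this example): the person who
        # raised the request cannot be one of the two approvers.
        independent = req.approvers - {req.requester}
        if len(independent) < 2:
            holds.append(
                f"amount {req.amount_usd:,.2f} exceeds {DUAL_APPROVAL_THRESHOLD_USD:,}; "
                f"needs two approvers other than the requester (have {len(independent)})"
            )
    return holds


# Constructed vendor master data; the account identifiers are placeholders.
ACCOUNTS_ON_FILE = {"Acme Supplies Ltd": "ACCT-ON-FILE-0001"}


def demo() -> List[List[str]]:
    """Three constructed scenarios: routine payment, changed instructions with a
    self-approving requester, and the same change handled correctly."""
    routine = WireRequest("Acme Supplies Ltd", 4_500.00, "ACCT-ON-FILE-0001", "dana")
    changed = WireRequest("Acme Supplies Ltd", 48_000.00, "ACCT-NEW-9999", "dana",
                          approvers={"dana", "eli"})
    verified = WireRequest("Acme Supplies Ltd", 48_000.00, "ACCT-NEW-9999", "dana",
                           approvers={"eli", "fay"}, verified_by_callback=True)
    return [evaluate_wire(r, ACCOUNTS_ON_FILE) for r in (routine, changed, verified)]


if __name__ == "__main__":
    for holds in demo():
        print("RELEASE" if not holds else "HOLD: " + "; ".join(holds))
```

The second scenario is the one BEC relies on: a plausible e-mail changes the beneficiary account and the person who received it is also the one approving, so the check holds the wire on both grounds. The third scenario releases only because the change was confirmed by phone and two other people approved it.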



Virtual community policing It is a recognised notion from time immemorial that the police institution on its own cannot be the panacea to crime. And so community policing was born – to tackle issues of mutual concern.

There are many key stakeholders and partners that contribute to maintaining good social order and it is when all the parts of the community engine are finely tuned that we stand a better chance in the fight against crime.


The hard-core criminal - who we always associate with armed robberies, drug trafficking etc. - now has some very competent peers who, because of the anonymity that the Internet can provide, are taking criminality to different levels. Pretty much every crime nowadays has some cyber connotation attached to it. Believe me, it multiplies and challenges the complexities of investigating crime by a good margin.



So how can we bring community policing to virtuality? It can hardly be argued that the Internet is just one big neighbourhood! Many of the traditional crime prevention ideologies can be transposed to the prevention and reduction of cyber criminality - it is a question of addressing culture and behaviour. We can do this by drawing very simple correlations with how we physically protect our property, homes, and loved ones. We certainly lock up our cars when we park them for the day, we lock our front doors at night to feel safe and secure and to deter the burglar, and we tell our children not to talk to or take sweets from strangers. I could go on and on. However, are we as careful or savvy when it comes to cyber and the risks that we are exposed to when we go online? Criminals are exploiting an ever-growing niche of a conceptual belief that ‘Nah! It won’t happen to me’, and they are ripping off and hurting many victims. Shouldn’t we be looking after each other in very much the same way as good neighbours do?

Gibraltar prides itself on the great community bonding that we have enjoyed for many centuries. So we’re bringing community policing to Gibraltar’s Internet users. We will identify the different sectors in our community and devote specific attention to the risks they face, and what prevention methods can be implemented. We will promote partnerships in as many sectors as needed, together with platforms to share information, advice, and anything else which promotes good cyber security and governance. The Royal Gibraltar Police continues to be a major contributor to working together to make our community safer, and will continue to adjust its law enforcement activities to extend to the growing threats that cyber criminality presents. Cyber crime is not going away; let’s get tougher and make it harder for cyber criminals to operate. The people power in our community is one of our greatest assets – let’s apply it!

By Ian McGrail



Imagine this… You are planning a trip to some distant place of nasty bugs and venomous snakes. Danger and disease abound in the air, food, and water. Perils, known and unknown, make you nervous to the point of fear. It’s a risky adventure. But this trip is at the top of your bucket list. You have cherished it since the day, driven by pre-Internet boredom, you picked up the Sunday supplement, saw those photographs and read that article. Despite the risks, you just want to go. Just like you ‘just wanted’ to wear that Borat mankini, drink that one last shot, and marry whoever your mother thought wasn’t good enough. You are human. You take risks. You fly in aeroplanes. You don’t exercise enough. You eat cream cakes because they are naughty but nice. You climb mountains; for fun. And you put your seatbelt on every time in the car. You live, rather than simply exist, because you are a glorious cascade of contradictions. You are rational but not reckless.

You make an appointment to see your doctor about how best to manage the risks you know you will confront. The doctor greets you as ‘The Patient’ and instructs you to sit and listen. The doctor tells you they are ‘The Expert’, knowing deep and dark secrets about stuff you will never understand. You, ‘The Patient’, have no clue about the situation’s realities. They, as ‘Expert’, know best what risks you should choose. You, as ‘The Patient’, are stupid; more the threat than any bug or beast. ‘The Expert’ describes the horrors of the fauna, and laments the ignorance of ‘Patients’ who consistently fail to listen. If your doctor had their way, ‘Patients’ would be prosecuted for being dumb. ‘The Expert’ projects a high-definition rendition of the flesh-rotting and organ-melting consequences of your inevitable infection with every virus ever discovered should you take the trip. Even if ‘The Expert’ were to give you treatment or advice, you are told, it would be entirely unreasonable of you to expect ‘The Expert’ to be accountable for the efficacy of either. Should the treatment or advice fail, this will be the result of ‘Patient Error’.

To demonstrate their brilliance, ‘The Expert’ proves their worth by illustrating just how easy it is for them to kill you. You are dismissed with the dire injunction to think about things a lot. With ponderous warning to be careful. And without any clue whatsoever about what you should actually do. This is unfortunate. You will take the trip regardless. All you wanted from the doctor were vaccinations and advice about mosquito nets and insect repellents. Isn’t that how they earn their wages and the accolade of ‘Expert’? When was it the expert’s job to make these decisions for you? When did you get to be called an expert and not actually help fix the problems you describe? You climb mountains; if there’s trouble, you expect mountain rescue to bring you home, not hover overhead in a helicopter, telling you that it was a bad idea to ever have climbed any mountain, describe in detail your inevitable death when the storm hits, and then fly home without you.

Remember… There are billions of smart phones on the planet because humans want there to be; because they enrich their lives. TOR works because of, not despite, hyper-connectivity. And, according to the ‘Economist’, around 10% of smart phone users say that they have used their device whilst having sex. To a cyber-security expert, the idea of an Internet-connected fridge makes as much sense as television did to Darryl Zanuck at 20th Century Fox in 1946. His expert opinion was: ‘Television won’t be able to hold on to any market it captures after the first six months. People will soon get tired of staring at a plywood box every night.’ I know this because I heard it on Dave last night. Is it the job of an expert to tell others how to express their humanity in ways that suit them, the expert? Or is it their job to help others to be human in ways of their own choosing?

Now… Imagine that you are at a cybersecurity conference where an expert is taking to the platform to tell you all about the perils of privacy and identity in a hyper-connected world. Nice to be ‘The Patient’. Isn’t it?

By Professor Colin Williams



Employees:

AN INSIDER CYBER THREAT OR AN ORGANISATIONAL ASSET? Organisations investing in technology and digital services find themselves deploying increasing resources to combat cyber threats.



But whatever their cyber defences, efforts can be defeated by an attacker with legitimate access to their systems. Many organisations view people as their weakest link. Snowden and Manning were ‘insiders’ responsible for the biggest known recent cyber breaches of military and intelligence. Why do few organisations have cyber security in the induction training for new staff, or cyber-related training for all existing staff?

In the early days of desktop computers, employees received training in their use and the cost was part of ‘business as usual’. Advice and training increased as related health and safety issues emerged. Organisations saw staff as one of their biggest assets and invested accordingly. Now technology is used to reduce costs. Organisations routinely invest in technology, becoming ever more reliant on digital tools for productivity. Today’s workforce is expected to know how to use the ever-growing choice of devices available, yet staff training needs are no longer a routine part of staff induction or development. Why do organisations invest in digital technology but not in training their staff?

Senior decision makers are constantly fed a diet of cyber scare stories; the cyber attack spectre haunts the boardrooms! Investment decisions in digital technology were made on the understanding that the costs are recoverable elsewhere. As cyber attacks threaten the technology investments of the IT department, decision makers see cyber as a technology issue, looking to the IT department for technical solutions. IT departments know the threat landscape changes (BYOD, IoT, Cloud, etc.), bringing new opportunities and risks. The resulting arms race leaves defenders one or two steps behind the attackers. Cyber defences designed to counter known attack methodologies have little or no use against new or evolving weapons! Investment in updated cyber defences and more technical solutions is needed, leaving fewer resources elsewhere – including staff training.
Is it so surprising that under-valued employees, by accident or intent, are now seen as an insider threat? Organisations investing in digital technology to reduce costs (for competitiveness or to reduce taxpayer burdens) often fail to address the need to invest in staff - an unintended cost of their investment. Yet failure to invest in staff creates opportunities and risks. Cyber attackers can and do exploit disillusioned staff – why should they care about an organisation that clearly does not value them? More likely is the lack of training increasing the risk of accidental incidents - the e-mail link opened because a member of staff did not know how to recognise something awry! Investing in digital needs to include cyber security training for all staff.

We need new approaches to risk modelling, taking into account the nature of the service, the locality, and the people using or delivering the service. Cyber defences must be less about technology and more about a whole-organisation approach: people, processes, and systems. IT departments must accept that certifications are no longer sufficient. Organisations cannot rely on technical suppliers to deliver cyber resilience. Ticking boxes, whatever the claim, does not work. IT departments must help their organisations become aware of cyber risks and their impact on the business. Only then can organisations put in place business continuity plans and test their contingency planning to know whether or not it works. Cyber security is everyone’s responsibility, not just the IT department’s and the nominated senior manager’s or board-level lead’s. Organisations must ensure that everyone understands their role in defending against cyber attacks, why they must remain diligent, and how to find and follow the latest advice. They will see how cost-effective it is to train all staff. As health and safety was addressed for existing regulations, training will be provided for GDPR. But cyber training has no regulatory pressures. Some organisations link GDPR to cyber – or at least to the need to protect against the risks of poor cyber hygiene! What is now needed goes beyond GDPR.
An organisation that truly understands its potential exposure to cyber risks understands the likely hidden costs of an attack – loss of business, resources deployed on recovery, damage to brand or organisational reputation, etc. Investing in staff helps organisations to create a cyber-secure culture. Staff understand their role and have the mind-set to help tackle or prevent issues. Such organisations see staff not as a cyber threat, but as a valued part of their cyber defences.

By Bob Kamall.



Analyze. Detect. Protect. ZoneFox helps businesses around the globe protect their business-critical data and Intellectual Property (IP) against the insider threat. The award-winning technology provides 360 visibility of activities around your data – who, what, where and when – by monitoring user behaviour and data movement both on and off the network, and instantly alerting to malicious or anomalous activities.

Monitor Data Flow
Alert risky behaviour
Combat Insider Threats
Protect company IP

www.zonefox.com



No more ‘unknown unknowns’ ZoneFox removes the need to transform excessive log files by capturing the key information from 5 anchors to deliver rapid, actionable insights.

Processes

Users

Devices

Behaviour

Resources

Security posture is strengthened, business-critical information is protected and regulatory compliance is supported.

Want to find out more? +44 (0) 845 388 4999

alerts@zonefox.com


Capturing the innocence OF YOUTHFUL ENTHUSIASM



I was 11 when I first did something I shouldn’t have done online. The classroom pals I had around the time had very early Nokia phones and, for a small contribution to my school shop fund, I would replace their phones’ ‘operator logo’ with a picture or remove it entirely. Just by dialling into a server in Germany, we made about £5 from this and were amazed… but my mother copped for the £200 phone bill which, unbeknownst to me, was racking up each time we did this. This was followed by the initial Pokemon craze. Aged 13, supply and demand being what it is, I came up with a way to make a Pokemon game run on a Windows machine. The operation grew and I sold coloured Gameboy disks containing for 50p each throughout the school. Children from other schools were asking me for the disks and again we made money to assist in the consumption of fizzy drinks and sweets. This was before cyber crime was even on my radar. By the time I was 14, I was banned from the school computers – for an event I can only describe as worthy of the ban! It seems, however, as time went on and I left schooling and college and gained employment in a lawful, unrelated sector, that people all around us carried on pursuits like this. Years later software piracy was rife and services like Napster emerged. Criminals started to turn to the mischievous side of computing, creating new and impactful ways of taking money from people. Today we ‘surf online’ in a culmination of the previous years of rising cyber crime, now higher and more varied than ever before in human existence. You are far more likely to come into contact with criminals, hackers and fraudsters today than a naive 12 year old trying to sell you a Pokemon game, that’s for sure.

We have extortion gangs running cryptolocker botnets, a worldwide, interconnected fraud network aiming for banking details and data, phishers picking off the inexperienced with credential harvesting attacks, people cloning cards from your wallet. Hackers aim directly for your ‘crown jewels’ from their bedrooms and the list only grows. Policing authorities are at a tipping point when it comes to cyber crime, currently convicting a mere 3% of these kinds of people. The time for change is now and the change has to start from within. Whilst the above might seem like a downward spiral into the abyss, we, as the ingenious species that we are, have developed a solution - and it’s easier than you may think! You can help us fight back against these criminals simply by educating yourself to the risks and following widely available guidance. Events like the Gibraltar Security Summit are essential for all businesses because it’s from within these collaborative and open solutions that we find the true gems of information security defence. Organisations from all over the UK and beyond have vital knowledge to share and by coming together we can really make an impact on cyber crime. If we are ever going to see Internet crime statistics plateau - or even fall – we need to work together, implement the solutions the technology geniuses have developed and start to fight back!


By Richard De Vere Cyber Security Mag



Digital peashooters AGAINST DIGITAL ROCK

As I searched for a Gibraltar quote with which to start this short article, I had in mind something that would capture the notion of defence and security. I certainly wasn't surprised by a Wiki page of quotes that called to mind impregnability, castles, rocks and strategic position. One quote is by Channing Pollock (1880-1946), for which I am admittedly unaware of the full context, and reads 'Each generation produces its squad of "moderns" with peashooters to attack Gibraltar.' This quote highlights several factors to reflect on during this conference. One is that the weapons of the past seemed like peashooters against Gibraltar. A second is that attacks on Gibraltar have over time generated a sense of persistence: the state of nature for something so prized in strategy. A third issue is what the quotes of the past do not reflect. That is, the changing strategic context of digitally-enabled financial services and trade. In the quotes of the past, 'the Rock' stands as a metaphor for defence and strength, yet today its open borders, its flow of people for tourism and work, and its digital networks show an economic strength based on services and relationships beyond boundaries. To be successful, this necessary openness exposes businesses and citizens to risk, which no physical boundary effectively mitigates. The persistence of attacks on Gibraltar is also likely to continue, motivated beyond geopolitics by the economic prizes associated with information, data and networks at the heart of a thriving digital economy. The attacks are persistent, and digital.

In this context, what does the metaphor of 'rock' mean? It most certainly remains relevant, but it requires several elements to work together to create a 'digital rock'. Firstly, the digital networks on which Gibraltar relies must be as secure by design as possible. That is, when reviewing, designing and procuring digital infrastructure, a basic requirement is that weaknesses that make systems vulnerable to attack should be designed out as far as is practical. The infamous TalkTalk attack was carried out by a young hacker who exploited a class of vulnerability older than he was. This was indeed a 'modern' who used a peashooter to great effect. Secondly, it needs everybody to be involved in securing cyberspace. This means, for example, that employees have to treat information as something of value. It means that the right skills for business people, engineers and IT professionals need to be developed and sustained. Thirdly, leaders need to give it priority by setting the right governance arrangements, processes, example and accountability. Only then can the right technical and physical defences against cyber-attack be deployed and maintained effectively.

Gibraltar is a valuable target because of its networked services. It is said that implementing basic cyber hygiene will deal with 80% of cyber problems. It will at least make the cyber peashooter redundant. However, when the more widespread and strategic approach suggested above is taken, one can talk of Gibraltar as being cyber resilient. In a world where the value of information and data is most obviously known by the cybercriminal, Gibraltar can be trusted as a place to do business because it aims to recognise and prioritise that value in its own government, businesses and citizens. By Nigel Jones



#1 GLOBAL PARTNER FOR CHECK POINT SOFTWARE 4 STAR ELITE & PARTNER OF THE YEAR 2015 & 2016

CONTACT Rich Phillips Managing Director EMEA rphillips@sycomp.com +44 7814 936 022 Sycomp.com


GLOBAL SECURITY SOLUTIONS Mobile Security Endpoint Security Security Management Next Generation Firewalls Managed Security Services Next Generation Threat Prevention SPECIAL ATTENDEE OFFER One day of no-charge security consulting: Visit: goo.gl/I3NcbQ



The UK’s Cyber Security CLUSTER PHENOMENON

Malvern is a small English town that at first glance is an unlikely centre for cyber security activity. However, because radar research work was moved there during the Second World War, and because of the town's proximity to the Government Communications Headquarters (GCHQ), there is a concentration of small cyber security companies there. Until 2011, many of them were working for government or large companies in isolation and did not know each other. Six years ago a 'Cyber Security Cluster' of small companies was started in Malvern. The Cluster is built around monthly informal meetings specifically for members. Attendees hear a speaker, get to know each other, share best practice, and form trusted partnerships. There are no minutes or terms of reference; members participate only when they have time. The Malvern Cluster started to have a number of effects. Member companies began forming partnerships to offer a wider range of services. They advised each other on how to work with different customers and introduced each other to customers who needed their skills. Meanwhile, organisations such as the defence primes and government departments started using the Cluster as a place to find out about innovation in the sector and to forge links with small company representatives. When David Cameron, then British Prime Minister, visited the USA in 2015 he took 12 small cyber security companies with him, and 4 of those were from the Malvern Cluster. The grouping of the SMEs gave them a shared power to influence. They went from many small voices to one stronger voice, and the government started listening to the issues raised, including access to finance, the skills shortage, issues relating to government procurement rules, and problems with the security clearance process. In 2014 the BBC Radio 4 'In Business' programme (also aired on the World Service) featured the Cluster, resulting in cyber security SMEs from all over the UK wanting to join. The logical step was to support the creation of similar informal Clusters across the UK. So in 2014 the UK Cyber Security Forum, an umbrella social enterprise (specifically a Community Interest Company) to support the regional Clusters, was born.

The UK Cyber Security Forum now facilitates 17 regional Clusters representing more than 600 small companies that are actively working in cyber security. It is free for these small companies to join, and the Cluster meetings remain informal. Each Cluster is run by a 'Cluster Manager' from a cyber security SME, and everyone is a volunteer. The Clusters themselves have very different personalities, usually because of the different industry requirements of their region. Some Clusters focus on high-end cyber security practice and only allow cyber security SMEs to attend the meetings, while others invite any organisation with an interest in cyber security to mix with the cyber security SMEs. Many of the Clusters have close relationships with the Police and with local charities and schools. They help to raise awareness, and some support victims of cyber crime. Every fortnight, the UK Cyber Security Forum sends out a bulletin to all members. This contains a summary of all opportunities and events, including discounts and relevant special offers. This is extremely well received and has allowed members to find opportunities they would otherwise not have been made aware of. The aim is to allow small companies to have the same opportunities no matter where in the UK they are based. A secure online collaboration portal, CyberCollaborate™, has been developed and is used to allow members to start specialist groups and then hold private discussions in those groups. This portal also allows larger companies to search for partners and suppliers from among the SME community based on capability. Care has also been taken to adopt a workable taxonomy to describe this capability within the sector. Membership numbers continue to rise, and feedback from forum members is overwhelmingly positive. One company even commented in a recent survey, 'We would not be here without you.' Would you like to have a Cyber Security Cluster in your region? It is simple to get one started: you just arrange a meeting and tell people about it. We find that numbers usually start small and grow by word of mouth. Go ahead and try it, and let us know if we can help! More information can be found at www.ukcybersecurityforum.com or by emailing info@ukcybersecurityforum.com. By Dr Emma Philpott



Filling the widening CYBERSECURITY SKILLS GAP

In recent years, cyber has become the most common type of crime, accounting for nearly 50% of all crime in the UK alone. The prevalence of these attacks is plain to see, with reports of hacks on businesses, governments and even elections filling our airwaves and newspapers on a daily basis, elevating it beyond a technical issue into a business risk. Needless to say, organisations must do more to protect themselves and the valuable data they hold. But to do this, they need more staff. As far as I can remember, cybersecurity has long faced a gap between the supply of and demand for professionals, leaving businesses, and by extension us, vulnerable to vicious cyberattacks. Our research programme, the (ISC)2 Global Information Security Workforce Study, has tracked the state of the workforce over the past thirteen years, with its most recent report, which surveyed over 19,000 professionals from our industry, revealing a widening chasm: a projected shortfall of 1.8 million cybersecurity workers worldwide by 2022 if current hiring trends continue. This is up 20% from the same figure projected in 2015's report, and the issue is directly leading to data breaches, impacting us as consumers.

A SKILLS CLIFF EDGE

The lack of people entering our profession has a two-fold impact on the profile of the workforce. Not only is the workforce not growing at a rate fast enough to fill the necessary roles, the shortfall has also led to a greying workforce, with just 12% of workers under 35 and 53% over 45. The profession faces a looming skills cliff edge, with the majority of workers getting closer to retirement and companies failing to recruit long-term replacements. As the fastest growing demographic, millennials will be critical for filling the employment gap, but I believe existing attitudes must change if we are to entice valuable candidates. Recruiters are currently not hiring enough recent university graduates, instead opting for those with more prior experience: 93% of respondents indicated that this is an important factor when making their hiring decisions. Yet employers could be doing much more to attract and retain younger people. The study found that millennials value organisational training, mentorship and leadership programmes. As a demographic that holds personal development in such high regard, businesses need to cater to these needs to attract crucial young talent.



IMPROVING GENDER DIVERSITY

In addition to the widening skills gap, diversity within the workforce remains low. Our study also revealed that women form just 7% of the cybersecurity workforce in Europe, a level that has remained virtually unchanged since 2004. There are also signs of a rampant gender pay gap, with male professionals in Europe earning £9,100 more on average than their female counterparts. This is despite Europe's female cybersecurity professionals tending to be better educated, with a higher proportion of them occupying managerial positions. In the UK, for example, 50% of female cybersecurity professionals hold postgraduate degrees, compared to just 37% of men, and 64% of women are in managerial positions compared to 57% of men. A workplace where women are both paid less and more likely to be subject to discrimination makes it harder to promote the profession to women. The lack of women also creates a self-perpetuating cycle, with few established female role models to encourage the new generation. But there are clear steps that can be taken to attract more women into cyber and at the same time address the growing need for more staff. Much as with millennials, employers need to create inclusive workplaces that support and value women, via sponsorship and mentorship programmes tied to the success and satisfaction of women at all levels. Equally important, organisations must end pay inequity, and also draw from a wider set of backgrounds and degrees, including humanities and arts degrees, where there tend to be higher proportions of women. Fundamentally, this is no longer just an issue of workforce diversity but an issue of economic and national security. The cybersecurity skills gap grows wider every time we survey our workforce, and governments across the world are recognising that cyberattacks are critical national vulnerabilities. Attracting more millennials and women into the industry would not only significantly help reduce this shortfall in skills; by diversifying the workforce, it would provide the necessary basis for a safer world, especially in today's increasingly plugged-in society. By Adrian Davis



Local heroes

TODAY CYBER CHAMPIONS, NATIONAL DEFENDERS TOMORROW

Solving puzzles is satisfying. More so when I see my students' satisfaction. Puzzles and challenges engage and draw them in. I work at Bayside, a Gibraltar school with just over a thousand boys. Every teacher knows the challenge of nurturing the curiosity of learning and engagement. So when the CyberCenturion opportunity arose, I wondered how much commitment and interest I could raise. My team of six and I arrived at Bletchley Park for the 2015 Grand Final, unaware of the momentum the initiative would gain. We won the competition! Three years on, seven teams from Gibraltar are participating, three of which are girls' teams from our neighbouring Westside School, and we are more excited than ever. I am proud of our teams' variety of gender, ages, skills and experience. They work together incredibly well. It's learning at its best. We have students doing City and Guilds qualifications in cyber security, taking up summer schools run by HMG's NCSC, and with the potential to undertake placements at leading cyber security businesses. Opportunities keep on coming. Speaking at GibCyber is an honour that would not have come without the students' work and dedication. The competition has given them such insight into cyber security, highlighting its importance to their future and closing a skills gap that could threaten their employability. At some point it is inevitable that they will face a cyber threat. They realise that there has never been a more exciting and relevant time for cyber security skills. As the Head of Physics at Bayside, I am often questioned about the shortage of STEM skills. Tying education to this real-life work experience is a path to help solve this problem. Our youngsters are supported not just by educators, but also by community members who give up their time to invest in our future generation. Lluis Mora, Head of Security (and colleagues Richard and Jose) at online gaming company BW, is very enthusiastic about investing time in coaching our students for the competition. We share similar views about education and the future workplace. His philosophy is no checklists, no hacking, and never break the law. Thoroughly learning industry methods with good intentions is central: knowing about social engineering and the difference between white hat and black hat hacking. Cyber security is experiencing unprecedented growth. Estimates show that the market worldwide was worth £53 billion in 2015 and will soar to £117 billion by 2020. Gibraltar's population is just over 30,000, but our growing financial sector continues to excel, with over 10% of our population employed in the online gaming industry. Lluis and his team saw the opportunity to harness our students' enthusiasm and provide insight into the ever-changing cyber threats we all face personally and professionally. It is a sector which is crying out for undergraduates to have the skills to take up jobs. These are exciting times for any student who has an interest in cyber security, whether studying computing or not. Studies in mathematics, physics and similar 'A' levels are still relevant and can attract funding for university places.

The competition has been a success and an amazing experience on many levels. We've had ever-increasing local support, with PricewaterhouseCoopers donating over 15 desktop computers and our largest telecommunications provider, Gibtelecom, donating a broadband connection so that we didn't have to rely on our school's already overburdened network. The increasing press and media attention, alongside growing numbers of students eagerly awaiting a place in next year's competition, is further evidence of the success. Even His Excellency the Governor of Gibraltar has shown great interest in our efforts and involvement. He recognises the importance of cyber security and how these competitions can entice and encourage youngsters to take up careers in it. Rarely have I witnessed such mindful learning, with incredible team building and the development of leadership skills amongst them. The students' independence, confidence and maturity have soared as they have embraced the challenges and opportunities. Going to the UK and participating at Bletchley Park gave them an opportunity to be excellent ambassadors for our school, simultaneously enriching their opportunities to be active and informed local and global citizens and connecting with peers in another country. They have increased awareness of future study and career opportunities and an appreciation of the real challenges that lie ahead in the world of cyber security. By Stewart Harrison



CYBER SECURITY EVENTS GIBRALTAR

MALTA

ISLE OF MAN

CYPRUS

JERSEY

GUERNSEY

www.sincerecyber.com



IN ASSOCIATION WITH

PARTNERS

MANNERS MEDIA

PART OF THE


GibCyber Delegate/Event Magazine  

A Colourful 21st Century Event & Delegate Magazine for Gibraltar's Cyber Security Summits by GibCyber. www.gibcyber.com
