
JULY 2017

CYBER WORLD
Rounding up the latest in Cyber Security

In this month’s edition:
● Latest News
● Newest Vulnerabilities
● Special Guest (Luay Baltaji, OMNETRIC Group)
● Business Strategies After The WannaCry Outbreak (Cheng Lai Ki)
● Using Analytics with Cybersecurity (Walker Rowe)
● Physical Attacks on Networks
● GDPR ‘Fake News’ (Jonathan Armstrong)
● GDPR is Coming (Brian Fitzpatrick)
● Rising Stars (Erin Jones)
● Future Leaders (Sophia McCall)
● Upcoming Events


CyberWorld.News


Hello. Welcome to the July 2017 edition of Cyber World magazine, bringing you the latest news from the world of information security. This edition features contributions from special guests and seasoned cyber security experts, including Luay Baltaji, Cybersecurity Manager (EMEA) at OMNETRIC Group; Jonathan Armstrong, Partner at Cordery; and Brian Fitzpatrick, Director at Equiniti. We also have analyses of hot topics in cyber security such as ‘Using Analytics with Cybersecurity’ by Walker Rowe; ‘Business Strategies After The WannaCry Outbreak’ by Cheng Lai Ki; and an article on ‘Physical Attacks on Networks’ by Secgate Research & Innovation. Last, but not least, our monthly ‘Rising Star’ interview has been conducted with Erin Jones from PwC, and we are delighted to present a ‘Future Leaders’ contribution by Sophia McCall, a BSc in Cyber Security Management student at Bournemouth University. As always, we thank all our readers for their interest and valuable feedback, and we look forward to your continuous engagement with our magazine. If you enjoy this magazine, feel free to share it with your friends and colleagues; any feedback is always welcome.

Laith Gharib, Managing Director

JULY 2017 • 2


Latest News: Rounding up the news

TWO BRITS ARRESTED FOR TRYING TO HACK MICROSOFT

A 22-year-old and a 25-year-old male were arrested by the UK police for trying to hack into Microsoft to steal customer data. They were charged under Britain’s Computer Misuse Act. Hacker News said police believe they are part of an international ring ‘breaking into the Microsoft’s network between January 2017 and March 2017 to scoop up the customer information.’ That statement suggests Microsoft was successfully breached earlier this year. Microsoft released a statement saying no customer data was stolen. Read more here.

SPYWARE BEING USED TO TARGET JOURNALISTS IN MEXICO

The New York Times reports that spyware sold to the Mexican government has been used against human rights activists, journalists and their families, as well as against those looking to expose corruption in Mexico. The software was sold with the restriction that it only be used for law enforcement and terrorism prevention. Among the hacked persons were lawyers looking into the disappearance of 43 students several years ago. The Pegasus spyware was sold by the NSO Group. Mexican analysts said it is ‘highly unlikely’ that Mexican officials asked any court’s permission to target these persons and that ‘illegal surveillance is standard practice.’ Read more here.



VOTER DATABASE EXPOSED

The Washington Post reports that cybersecurity researcher Chris Vickery discovered that a voter database in the USA containing 198 million votes was accidentally exposed to the internet by a contracting firm. The firm had been using the data for data mining and analytics services paid for by politicians interested in their analysis. The data came from the Republican party, data brokers, and other sources. The article did not say whether this was an exposed database, which could be accessed by JDBC or a web service. The information included voter history and voter opinions on candidates, their ethnicity, religion, and other interests. Read more here.

KMART POS TERMINALS ATTACKED

Kmart is a very large retail chain owned by Sears. Its POS (checkout) terminals have been breached for the 2nd time in 3 years. The company released a statement saying that after having found the malware, they engaged forensic services. According to the forensic researchers, no customer data – ‘PERSONAL DATA (written in caps)’ – was stolen, except for credit card data. The company said its use of EMV chips should limit the amount of damage, since they require physical access to a card to use it. Citing that this is an ongoing criminal investigation, the company gave no further technical details. Read more here.



RUSSIAN HACKING ON US ELECTION BIGGER THAN PREVIOUSLY KNOWN

The fallout from the believed Russian hacking of the US election continues. Bloomberg Politics reports under the headline ‘Russian Cyber Hacks on U.S. Electoral System Far Wider Than Previously Known.’ According to the report, 39 of 50 states were attacked. Still there is no evidence that Russia was able to actually change voter data, although they ‘tried to delete or alter voter data’ in Illinois. Bloomberg reports that the Obama administration was aware of this and picked up the so-called ‘red phone’ to complain to Moscow about this. An NSA report shows that weaknesses exist that threaten future elections as well. The former FBI director surmised that ‘Moscow isn’t done meddling.’ Read more here.

HACKERS TRICK BROADCASTERS INTO REPORTING FAKE NEWS FROM QATAR

Aljazeera reports that ‘Sky News Arabia and Al Arabiya’ were tricked into publishing ‘fake news’ when they ran with stories planted by hackers on the Qatar News Agency website. The news said that the emir expressed support for Iran, Hamas, Hezbollah and Israel and that President Trump ‘might not last in power.’ Qatar-based Al Jazeera criticised Sky PLC in the UK, saying they approached the organization to ask ‘what media standards their Gulf affiliate adheres to.’ Read more here.

EU PARLIAMENT PROPOSES THAT ENCRYPTION BE DEPLOYED EVERYWHERE

The EU parliament proposes that ‘end-to-end encryption be enforced on all forms of digital communications to protect citizens.’ This would further prohibit any kind of vendor backdoor in apps like Telegram or WhatsApp, both of which already have encryption. In the recent UK election, the Conservative Party said that tech companies should be required to provide ‘access to information as required’ to combat online terrorist planning and recruiting. The BBC says this has created confusion among tech companies as to whether they need to provide such backdoors. Security experts say the government’s plans would not work in any case, since terrorists can find other ways to send encrypted communications. Read more here.





Newest Vulnerabilities: Latest Developments and Trends

MICROSOFT PATCHING EOL OPERATING SYSTEMS BECAUSE OF WANNACRY RANSOMWARE

Microsoft has released security patches for EOL (end-of-life) versions of Microsoft Windows because of the damage caused by the WannaCry ransomware. The patches cover Windows XP, Windows Vista, Windows 8, Windows Server 2003, and Windows Server 2003 R2. The company said this was because of ‘state-sponsored cyberattacks’. Microsoft said: ‘We also know that some of our customers are running versions of Windows that no longer receive mainstream support.’ Those customers would not have received the security update released in March, so Microsoft has made this special patch for them. Users will have to download it or run Windows Update. Read more here.

OPENVPN PATCHES CRITICAL SECURITY ISSUES

OpenVPN is an open-source VPN server and client. The project has released 3 updates for the OpenVPN server and 1 for the OpenVPN client, all deemed critical. Some were found during a security audit, i.e. source code review; others were uncovered by security researcher Guido Vranken. One of the issues uses memory exhaustion to let an authenticated VPN user execute remote code. OpenVPN stated that this was only possible when given a special set of parameters that were ‘very unlikely to fail in real-world usage.’ The client bug would let a hacker steal a password. The server bugs only worked for authenticated users. Read more here.

ROOTKIT EXPLOIT FOUND THAT WORKS ON WINDOWS 10

CyberArk has found a CPU-based attack that bypasses Microsoft PatchGuard, a tool to block kernel rootkits. This is called Processor Trace Based Hooking. It would let hackers plant a rootkit. Intel Processor Trace (Intel PT) is an extension to the CPU; it would also let security software install cyber defences there, and let programmers do debugging at the assembly language level. CyberArk says, ‘this technology is primarily used for performance monitoring, diagnostic code coverage, debugging, fuzzing, malware analysis and exploit detection.’ While intended for tracking software, a hacker could take over a thread using this. Microsoft says it has ‘closed the support’ case, as it would require a hacker already running in the boot kernel, and that therefore no security patch is needed. CyberArk did not mention whether Intel made any comments. Read more here.

MICROSOFT PATCHES SMB WEAKNESS

Microsoft has released a new, different security patch from the one mentioned in an earlier story above. The affected systems include Windows Server 2016, 2012, and 2008 plus desktop Windows 10, 7 and 8.1 and older unsupported versions of Windows. Qualys says that of the 94 items patched, 27 would allow a hacker to take over a machine. One of the most critical exploits works by sending an SMB (a network file sharing protocol) request to the desktop Windows Search Service. Another issue attacks graphics processing when certain fonts are displayed. Other patches include Outlook, Office, Edge, IE, and attacks on .lnk (binary metadata) files. Read more here.

CHROME SECURITY UPDATES

Google has released a security update for Chrome 59.0.3071.104 on Windows, Mac, and Linux. The company says: ‘Access to bug details and links may be kept restricted until a majority of users are updated with a fix.’ However, the company did list 5 persons to whom it paid bug bounties for finding these issues. Google paid out about $20,000 USD in total. Chrome calls these Sandbox Escape in IndexedDB, Out of bounds read in V8, and Domain spoofing in Omnibox. Google said the patches include ‘various fixes from internal audits, fuzzing and other initiatives.’ Read more here.



Security Beyond Smart Meters – Smart Homes
SPECIAL GUEST: Luay Baltaji



About the Author: Luay Baltaji is a Cybersecurity Manager within OMNETRIC Group, a Siemens and Accenture joint venture which specialises in smart grid transformation. Luay is a recognised expert in the field of IT/OT integration and industrial Cybersecurity. Luay currently serves as Cybersecurity architect and advisor to a number of critical infrastructure operators in the UK. He holds an MSc in Computer Security and is a certified security practitioner from SANS, ISC2 and SABSA.

This will be your typical morning in a few years’ time: Early in the morning your smart wearable senses that you’re about to wake up and so your home starts preparing for the day. Your smart meter builds a picture of your anticipated energy consumption for this morning, and then agrees with the energy supplier how your home routine should be executed. This activity could be performed every day in harmony with millions of other smart meters across the country, intelligently orchestrating smart home appliances, electric vehicle chargers and domestic energy sources, like a beehive, to save us money and to help the grid operators reduce congestion on the energy grid. The fact that our little ‘smart’ helpers can ‘negotiate’ with energy companies on our behalf to get us the best deal in near real-time sounds like science fiction, but is indeed becoming reality.

In Britain, it is starting with the rollout of smart meters into every home; the GB Smart Metering Rollout programme is targeted for completion by 2020. By then, there will be more than 50 million smart meters across the nation, sending out about 25 TB of energy consumption data every day to energy providers. With personal permission, this data can be shared with other companies interested in knowing how we use energy. The smart meters rely on an Advanced Metering Infrastructure (AMI) for communication and data management, which is governed by the Smart Energy Code (SEC) and overseen by the energy regulator OFGEM.

The SEC specifies the rules for the whole smart metering operation; it includes detailed sections for security and privacy. Encryption is heavily utilised across the AMI and there are very strict rules for handling consumption data, which is classed as personal information. The data flows and trust relationships between all parties in the infrastructure are controlled by a central hub called the Data and Communication Company (DCC). The design and implementation of the national Rollout Programme have been put under the microscope of academics, security experts and government agencies (Anderson & Fuloria, 2010; Levy, 2016).

In this series of articles, we will look at how the industry is moving towards the ‘next generation’ applications of smart meters. We will try to apply a different lens to study the challenges arising from the integration of smart meters with disruptive IoT technologies and legacy industrial control silos. This part highlights the key energy security challenges in designing and implementing smart homes. The rest of the series (to be published in upcoming editions of Cyber World) will discuss the cyber-physical risks of increased automation and intelligence in the energy grid, and the impacts of converging IoT/IT/OT silos in order to form a functional smart grid.

EMBRACING THE ‘SMART’ CULTURE

Energy companies in the UK are looking for ways to leverage the power of the information collected from smart data points. Industry use cases are emerging to convert the current AMI progress into an operational smart grid; most themes are taking place within two technology domains:



1. The Internet of Things (IoT) domain. Smart home devices such as smart locks and washing machines will help us automate parts of our lives in ways that give us more control of our energy bills. This is realised through the analysis of high-resolution information that is produced by smart homes, also giving the energy companies more insights into energy usage patterns to offer their customers more competitive and tailored services.

2. The Operational Technology (OT) domain. Feeding the information gathered by smart meters into the grid infrastructure in order to generate intelligence in the grid network to automate tasks in load and outage management.

These themes would require increased automation and interconnection, as well as more intelligent software systems that are capable of taking complex decisions whilst ensuring safe operation. These factors pose unprecedented challenges to privacy and security (Schneier, 2016). The latest Cyber Threat to UK Business report, issued by the National Cyber Security Centre (NCSC), predicts that it is ‘highly likely that connected devices in industry are already targeted and that incidents are more common than are currently reported or that have been detected’.



UNDERSTANDING THE COMPLEXITY OF SMART HOMES

The consumer market has been flooded with technology to automate homes. Devices such as Amazon Echo and Google Home, as well as smart appliances such as Smart TVs and washing machines, are being increasingly adopted. Many of these technologies are able to connect to smart meters through a module called a ‘Consumer Access Device’ or CAD, which comes with default support for many wireless communication protocols such as ZigBee and Z-Wave. Although CADs and smart meters in the UK are certified by the NCSC, they open a door for new and emerging threats. Last year, the Mirai attack specifically used internet-connected home devices as botnets to attack the internet infrastructure (Krebs, 2016). The exploited devices, such as IP cameras and routers, are not tested or assured in any way, and, given the economy of scale in IoTs, they’re unlikely to be tested for cyber threats. The rise of millions of identical smart devices living in similar setups, such as smart thermostats, raises some concerns. If a vulnerability is found on one device, a million others can be exploited at the same time: turning a million thermostats on or off at the same time can cause serious damage to the power infrastructure. This is not a fully fictional scenario; it has already been partially demonstrated (Tierney, 2016).


NEW APPROACHES TO ADDRESS SECURITY

The IoT technology moves the control of devices from a central authority to the hands of consumers without a clear accountability model. For instance, if a smart device comes with a password that reads ‘1234’, is it the fault of the vendor for not building a secure product, the supplier for not doing proper due diligence, or the consumer for not changing the default password? This ambiguity in governance, coupled with the added cost of securing products, is cited by official agencies as an element that derails efforts in building secure and privacy-oriented IoTs (European Union Agency for Network and Information Security, 2015). These challenges are not unique to the utility industry, and the risks to the energy supply resulting from this decentralisation of control are not yet fully understood. Utilities can leverage the contractual relationship they already have with their customers to start tackling the responsibility and accountability challenges. But with a lack of industry incentive, it is unlikely that we will see proportionate progress of security in the IoT-Energy ecosystem in the near future. Addressing the issue of incentives is fundamental to improving the security of smart homes. The traditional approach of a regulatory force driving change in the Utility business may not be fit for purpose, especially now that unregulated technology firms are active players in the game of smart homes. Utilities providing IoT services are generally aware that a purely reactive posture will be less permissible as societal awareness of the value of data grows, and as the reputational and regulatory consequences of data breaches increase (Clemente & Fell, 2015). Many have opted to use proprietary protocols and certified products in an attempt to limit threats from unsecure IoT devices. This poses a commercial challenge: the security features come with an additional cost and could limit some functionality, leading consumers who are more influenced by functionality and cost to look elsewhere for smart home solutions. Balancing security with value and functionality would require a joint effort from all parties involved, including governments, to build a holistic view of the IoT risks on the energy supply. This effort is starting to take shape with initiatives from the UK government to sponsor dialogues between technology vendors and energy suppliers, and with a new wave of EU policies targeting the IoT technology (The European Commission, 2017).

Luay Baltaji, Cybersecurity Manager (EMEA), OMNETRIC Group

BIBLIOGRAPHY

Anderson, R. & Fuloria, S., 2010. On the security economics of electricity metering, s.l.: Cambridge University Computer Laboratory.

Clemente, D. & Fell, M., 2015. Information Security in Smart Cities, London: Information Security Forum.

European Union Agency for Network and Information Security, 2015. Threat Landscape for Smart Home and Media Convergence. [Online] Available at: https://www.enisa.europa.eu/publications/threat-landscape-for-smart-home-and-media-convergence [Accessed 24 May 2017].

Krebs, B., 2016. Hacked Cameras, DVRs Powered Today’s Massive Internet Outage. [Online] Available at: https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/ [Accessed 24 May 2017].

Levy, I., 2016. The smart security behind the GB Smart Metering System. [Online] Available at: https://www.ncsc.gov.uk/articles/smart-security-behind-gb-smart-metering-system [Accessed 24 May 2017].

Schneier, B., 2016. The Internet of Things Will Turn Large-Scale Hacks into Real World Disasters. [Online] Available at: https://motherboard.vice.com/en_us/article/the-internet-of-things-will-cause-the-first-ever-large-scale-internet-disaster [Accessed 24 May 2017].

The European Commission, 2017. The Internet of Things. [Online] Available at: https://ec.europa.eu/digital-single-market/en/internet-of-things [Accessed 24 May 2017].

Tierney, A., 2016. Thermostat Ransomware: a lesson in IoT security. [Online] Available at: https://www.pentestpartners.com/security-blog/thermostat-ransomware-a-lesson-in-iot-security/ [Accessed 24 May 2017].


CSX 2017 EUROPE
30 October – 1 November | London, UK

Join us for high-impact sessions uniquely built around a multitude of cyber tracks.

Customize Your Cyber Security Experience. CSX sessions provide unique opportunities to learn from top experts in the field. Each track is offered in 2 levels of complexity: Essential and Advanced. At CSX 2017 Europe you will find an unparalleled degree of customization for your conference education experience.

CSX 2017 sessions teach you to: DEFEND

Be one of the first 200 people to register and pay in full and RECEIVE US $200 OFF registration fees. Earn up to 32 CPEs. www.isaca.org/2017CSXEURO


Business Strategies After the Recent WannaCry Outbreak
LAI KI CHENG

About the Author: Lai Ki Cheng is a Political and Security Analyst (APAC) at Riskline. He is a recent graduate from the MA Intelligence and International Security programme at King’s College London and has participated in cyber policy competitions, contributed to security journals such as IHSJane’s Intelligence Review, and was an Armour Officer in the Singapore Armed Forces.

On 12 May 2017, multiple computer systems were infected by a variant of the Ransom.CryptXXX ransomware family otherwise identified as Ransom.Wannacry. Exploiting a vulnerability within the Windows operating system (WinOS), the worm impacted organizations globally, ranging from hospitals in the United Kingdom to academic institutions in China. Luckily, our societies are resilient. Soon, organisations will recover from this ‘worst-ever recorded’ attack and return to maximum operational capacities. The scale of this ransomware outbreak, however, is a dark reminder about the increasing sophistication of contemporary threat-actors, who have been able to remodel an American-developed exploit and utilise a Windows security update as targeting intelligence.

Preliminary attribution efforts suggest the Lazarus Group as the potential culprit. While North Korea appears likely to be the advanced persistent threat (APT) actor in this instance, it remains too early to be certain. Nonetheless, the ransomware outbreak does reveal the increasing sophistication of cyberattacks.

First, researchers identified a cyber-exploit (identified as ETERNALNIGHT), allegedly obtained from the Shadow Brokers’ digital assault on the US National Security Agency, which was used to enhance the Trojan’s effectiveness. This also provides a glimpse into the cyber arsenal of the United States, and how vulnerable enterprises are if targeted by a state-sponsored or state-intelligence actor. Second, the WannaCry Ransomware targeted a ‘critical’ vulnerability identified in a Microsoft Windows security update two months prior, which could have been exploited as targeting intelligence. While the outbreak was curtailed by a British cyber security researcher by the name of MalwareTech, ‘albeit by a stroke of good fortune’, various organizations are still experiencing problems despite patches published by Microsoft; and newer WannaCry variants have already been discovered. According to Microsoft, the ransomware’s global impact is arguably due to government secrecy relating to efforts aimed at weaponizing vulnerabilities, rather than fixing them. Regardless of the national security or political agendas behind the US government’s non-disclosure, that information holds no value for most businesses, which are more likely to have monetary concerns. While the exact monetary ramifications of the WannaCry attack haven’t been determined yet, the outbreak itself bears a stark resemblance to the ILOVEYOU bug that plagued the world over fifteen years ago, causing billions of dollars in damages. However, despite consistent narratives about the escalation of sophisticated cyber threats, corporate executives are still ‘putting cyber security on the back burner’ – according to a research paper by Barclays and the Institute of Directors published in 2017. Warwick Ashford, the security editor at Tech Target, said that the WannaCry Ransomware outbreak is the much needed ‘wake-up call’ for enterprises to realise that security is a luxury, a luxury which will prove unattainable for corporates that still ‘lack a cyber security strategy’ in an increasingly digital business environment.

To engage effectively with future threats like WannaCry, enterprises (of all sizes) must adopt a proactive stance towards their digital security. Here are some strategies for businesses to enhance their digital resilience:


1. Establish a universal risk ‘language’ between executives. While there may be obvious differences in terminology, all executives need to be on the same page when talking about risk. Corporate executives (for example, chief financial officers and chief marketing officers) focus on business risks, orientated primarily towards financial, expansion, investment, or reputational concerns. Security executives (that is, chief information security officers or chief compliance officers) focus on defensive risks, orientated around network resilience, database security, meeting standards, and information compliance defence. According to Matthew Leitch, ‘the words we use…can have a profound effect…a vital practical concern that affects whether risk management programmes make headway or not’. If executives can establish a standardized risk ‘language’, mutual understanding and the realisation of the importance of one another’s contributions towards providing customers with a service or product that is reliable and secure are enhanced.

2. Establish a specialised digital resilience framework unique to the objectives of your enterprise. Digital resilience today is primarily guided by regulatory compliances, national practice standards, and government sponsored schemes. While these standardised practices allow easy adoption across industries, enterprises should not solely rely on them, according to Torsten George from ISACA, who suggests an alternative approach determined by calculated business and security risks. All enterprises are unique, having their own operational procedures predefined by their corporate objectives, and with limited budgets allocated to cyber security. Security should be addressed alongside other business objectives. Corporate executives should note that the standards described are only a guide to outline basic security foundations, and should expand their cyber security budgets to enable the development of a specialised cyber security framework.

3. Integrate security into business design and development. Consider incorporating security into the early design stages of a product or service line. Embracing ‘security by design’ provides the key benefit of ensuring products and services are secure before they are released to the public. A prime business example is Blackberry, whose products are designed from ‘the inside-out with security as a prime consideration’, and which has just introduced the ‘Most Secure Cloud-Based Communications Platform’. Though the company suffered losses when compared to other smartphones, it was over the issue of recreational benefits, not security. In a world where security is an increasing priority, Blackberry’s emphasis on security-first has paid off, as it (Blackberry PRIV) was named by Google as ‘One of the most secure android phones’. The key here is to cultivate a security integration that is also unique to enterprise objectives.

4. Enhance cyber security knowledge across the enterprise. The greatest threat to enterprises’ digital resilience is complacency among employees, corporate leadership and even security practitioners. Low- to mid-level employees often underestimate their value as an intelligence and access resource to potential attackers, while corporate and security leaders often overestimate the capabilities of existing security products or services. To combat this, larger enterprises should consider establishing regular penetration tests and red teaming exercises. Though more established organizations might possess the resources or expertise to integrate security into business domains, the same cannot be said of SMEs (small- and medium-sized enterprises). This can be accounted for by virtual CISOs, who can provide similar services on a case-by-case basis. However, the first port-of-call for SMEs should be government initiatives (for example Cyber Essentials) or well-established cyber security consultancies (such as Secgate, Proficio etc.).

Lai Ki Cheng, Political and Security Analyst (APAC), Riskline


Forest Tree: Intelligent Cyber Defence


Forest Tree

A pioneering solution that empowers your functional teams to safeguard your enterprise.

The big data solution to network and data discovery, event detection and generating knowledge from your network to support your operational, compliance and security needs. Forest Tree enables you to make decisions based on real data from your network, whether those decisions involve operational, security or compliance objectives.

This solution shows you a comprehensive analysis of network traffic to identify and catalogue events in your organisation in real time. Our solution uses ground-breaking machine learning capabilities to bring insights on system and user behaviours, enabling decisions to be made holistically. It risk-rates behaviours, enabling unusual activity to be flagged to your operational teams. This solution learns and alerts you.

Forest Tree provides dashboards for IT operations, security and compliance teams that show the risk-rated activity and highlight individual high-risk communications. It provides the capability for teams to interrogate the database to investigate suspicious or unusual activity. This solution answers all your questions.

With all network activity captured and tools for making queries, Forest Tree gives you the ability to demonstrate your compliance to policies and regulations and to prepare reports as required. This solution is your organisation’s “Black Box”.

Forest Tree gives transparency to your business teams, seeing the same picture of the real activity passing across your network, enabling appropriate business-level responses. This solution enables cross-functional understanding.



Forest Tree
A holistic solution designed to protect and serve your business needs

Forest Tree provides information about data and communications in your network, allowing full visibility of activity from your systems. Operations staff can extract data to create inventories of your entire estate and its behaviour dynamically. It can be used to identify end-user computing, data transfers to cloud providers and other third parties. Forest Tree can bring you visibility of services that are outside the control of your systems management solutions.

Security
Forest Tree produces risk-rated assessments of all network activity, facilitates inspection down to packet level for security operations teams and provides security dashboards for management. Connections and data transfers can be approved so that they aren’t continuously flagged for attention. We use machine learning to characterise user behaviour and can identify when a user deviates from the norms for their role or is inconsistent with their peers. Forest Tree works with unstructured data within emails and attachments as well as structured data, providing the widest coverage of data traversing your network.

Group Functions
Forest Tree supports Group functions, who can have the same visibility of dashboard information and thus have transparency between operations and policy and compliance departments. Some examples of use cases include:

● Is user behaviour changing, and which users are not complying with policies?
● Are you in compliance with policies and regulations?
● Is the total risk score reducing in line with your plan?







Forest Tree
Designed for humans; engineered for networks

Performance engineered. Our solution is built to meet the needs of even the most sophisticated networks. Everything from the detection of events through to the generation of reports has been developed by our engineers to ensure speed and scalability. Our Core engine has been implemented and tested on networks that operate at one terabit per second — processing the entire network traffic, with zero packet loss, all in real time. Our solution is linearly scalable; we maintain our high performance on networks of any size or complexity.

Delivers certainty. Business decisions require accuracy. Our entire product has been developed and tested to ensure that you know exactly what actions are happening within your network at a given point in time. Its ability to act as a “black box” on the network, recording network activity for later investigation, gives certainty to your forensic investigations and incident reports. We help ensure your leadership are informed on any incidents before regulators and reporters approach them.

Built for people. Every part of our solution has been designed in consultation with security analysts, incident responders, penetration testers and CISOs to ensure that it is as efficient and as effective as possible. The user experience has been carefully considered to ensure that analysts can get to the features they need quickly, and the dashboards have been designed to ensure that each analyst is presented with the data they need to be able to perform their job. We work continuously with industry professionals to ensure our product meets the operational needs of security teams.



Forest Tree

A defence-grade cyber security product, Forest Tree is a patented advanced Cyber Security solution that allows organisations to monitor and understand the content and context of each electronic communication channel.

Contact us for a demo at: Info@secgate.co.uk


Using Analytics with Cybersecurity WALKER ROWE

About the Author: Walker Rowe is a freelance tech writer and programmer. He writes extensively on big data analytics, cloud architecture, and cybersecurity. Walker worked as a programmer for 30 years in the USA on SAP and application security. Now he writes blog posts, tutorials, SDK documentation, and user manuals.

Here we explain, in general terms, how to apply analytics to cybersecurity. We explain the logic behind some of the machine learning algorithms built into ML APIs, like Spark ML. And we explain how the existing ELK (ElasticSearch, LogStash, Kibana) architecture that many companies already use can be analysed using Apache Spark and other tools. Finally, we show that Apache Zeppelin and Spark Streaming can be used to create real-time graphs in ways that ElasticSearch and Kibana cannot.

The goal with the analytics approach is that it can be used to reduce the signal-to-noise problem inherent with older approaches to flagging security events, like using ArcSight, rules, and thresholds. But there is a steep learning curve in understanding how ML algorithms work, which you should use and where. So here we provide a broad view and basic level of understanding so you can do further study and build simple models yourself. The tools and architecture let you start small and then add complexity without breaking what you have already built.

DEFINITIONS

First, we explain the logical foundations upon which analytics are based.

As someone who holds a degree in maths, and works daily with analytics, I can tell you this: make no mistake, analytics is applied mathematics. You do not need to be John Nash to understand it. But you will at least need to have some graduate and undergraduate level understanding of that. That means not all big data programmers will understand ML, as not all people understand maths.

In the absence of analytics, one applies basic statistics, empirical observation, and just plain guessing in setting thresholds to determine whether an event is a hacking event. The basic statistical approach is not a bad place to start, but it will send analysts chasing down what statisticians call outliers, meaning events that are not statistically significant.

Basic statistics uses the principle of the mean (μ) and standard deviation (σ) to set some kind of threshold. The mean is basically the average. The standard deviation is a measure of the distance of an observation from the mean. That is represented as a normal curve, like this:

[Figure: the normal curve. Graphic Source: Palomar]

What this is showing is the probability that a data point is within 1, 2, or 3 standard deviations of the mean. 68% of observations are within -1 and +1 standard deviations. Only 15% should be greater than +3 standard deviations. So you could set a rule saying that your analysts should investigate anything that is > ±3σ. But as we just said, that would send the analyst chasing outliers, thus wasting their time in most cases.

Analytics uses more advanced statistics and algorithms. Some of this expands on the use of the normal curve. But it goes far beyond that in drawing conclusions or making observations. Analytics are of several types: Regression tries to find some correlation between variables. Classification looks at data points and divides them into clusters which have some common characteristic. And decision trees derive some conclusion based upon a series of prior decisions.

LINEAR REGRESSION

Linear Regression is the simplest place to start. Many other algorithms expand on that. The basic concept is illustrated below. We look at a set of data points and try to find the line that most closely expresses a relationship between them. For example, if you eat a lot of carbs then you might get fat. So you plot carbs on the x axis and weight on the y axis. Then you calculate some formula like y = mx + b that will give an indication of how fat someone might grow given how many carbs they eat. m is called the coefficient and b is the intercept. So your conclusion might be y = 3x + 10, or something like that. In this case y is a very simple predictive model.

[Figure: a fitted regression line. Graphic Source: Wikipedia]

You can solve that simple LR problem with Excel or Google Sheets. But you need an analytics API to do that with multiple input variables. For example, if you want to know how likely an event is a hacker event, you might plug dozens of data points into the model. In other words you are looking to solve a probability function P like:

P = αa + βb + γc + δd + εe + … + χx + ψy + ωz + C

Where the Greek letters are the coefficients and the Latin ones are, for example:

• Number of MBs sent out from an IP address.
• How many times a user has loaded programme abc.
• Time of day, e.g. after hours.
• etc.

The outcome could be a probability. Or, in the case of a binary model, a decision: 1 (true) or 0 (false).

CLUSTERING

This is what advertising companies do. They put all kinds of data about people into a big data database and then group them into categories (clusters) as shown in the graph below. This includes what people clicked on, how much they spent last year on expensive items, how much they spent on budget items, whether they use coupons, etc. to divide shoppers into groups. Then they pitch targeted advertising to each group.
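The ±3σ rule and the multi-variable model P = αa + βb + … + C discussed above, as an added example that is not code from the article: first the naive one-metric sigma threshold, then the weighted-sum model fitted as a logistic regression (chosen here because it turns the weighted sum into a probability, which the text says the outcome can be) by plain gradient descent in Python with no external libraries. The daily volumes, the training events and their hostile/benign labels are all constructed for illustration; the three features follow the article's bullet list (MBs sent out, loads of programme abc, after-hours flag).

```python
"""Added example (not from the article): a naive +/-3 sigma threshold on one
metric, then the multi-feature model P = alpha*a + beta*b + ... + C from the text
fitted as a logistic regression, so the output is a probability or a 1/0 decision.
Every number below is constructed for illustration."""
import math

# Constructed daily outbound volume (MB) for one workstation: 20 ordinary days
# followed by one legitimate full backup. A pure sigma rule has no way to know
# the last value is benign, which is the "chasing outliers" problem.
OUTBOUND_MB = [12, 9, 15, 11, 8, 14, 10, 13, 9, 11, 12, 10, 11, 9, 13, 10, 12, 8, 11, 10, 950]


def sigma_outliers(values, k=3.0):
    """Indices of observations more than k standard deviations from the mean."""
    n = len(values)
    mean = sum(values) / n
    sigma = math.sqrt(sum((v - mean) ** 2 for v in values) / n)
    return [i for i, v in enumerate(values) if abs(v - mean) > k * sigma]


# Constructed training events. Feature order follows the article's bullets:
# (MBs sent out from the address, times programme abc was loaded, after-hours flag).
# Label 1 = confirmed hostile, 0 = benign, as an analyst records after investigating.
TRAINING = [
    ((5, 2, 0), 0), ((12, 3, 0), 0), ((8, 1, 0), 0), ((20, 4, 0), 0),
    ((3, 2, 1), 0), ((15, 5, 0), 0), ((7, 1, 1), 0), ((10, 3, 0), 0),
    ((900, 40, 1), 1), ((1500, 55, 1), 1), ((700, 30, 1), 1), ((1200, 60, 0), 1),
    ((2000, 80, 1), 1), ((850, 45, 1), 1), ((1100, 35, 1), 1), ((650, 50, 0), 1),
]


def _sigmoid(z):
    """Logistic function, written to avoid overflow for large |z|."""
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    e = math.exp(z)
    return e / (1.0 + e)


def fit_logistic(samples, rate=0.5, epochs=3000):
    """Fit P = sigmoid(alpha*a + beta*b + gamma*c + C) by batch gradient descent.
    Each feature is standardised first so that megabyte counts and 0/1 flags
    contribute on a comparable scale."""
    n_features = len(samples[0][0])
    columns = [[x[j] for x, _ in samples] for j in range(n_features)]
    means = [sum(c) / len(c) for c in columns]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0
            for c, m in zip(columns, means)]

    def scale(x):
        return [(x[j] - means[j]) / stds[j] for j in range(n_features)]

    rows = [(scale(x), y) for x, y in samples]
    weights = [0.0] * n_features
    bias = 0.0
    for _ in range(epochs):
        grad_w = [0.0] * n_features
        grad_b = 0.0
        for x, y in rows:
            err = _sigmoid(sum(w * v for w, v in zip(weights, x)) + bias) - y
            for j in range(n_features):
                grad_w[j] += err * x[j]
            grad_b += err
        weights = [w - rate * g / len(rows) for w, g in zip(weights, grad_w)]
        bias -= rate * grad_b / len(rows)
    return {"weights": weights, "bias": bias, "means": means, "stds": stds}


def predict_probability(model, event):
    """Probability that an event (same feature order as TRAINING) is hostile."""
    z = model["bias"]
    for j, v in enumerate(event):
        z += model["weights"][j] * (v - model["means"][j]) / model["stds"][j]
    return _sigmoid(z)


def classify(model, event, threshold=0.5):
    """The binary form of the model: 1 (hostile) or 0 (benign)."""
    return 1 if predict_probability(model, event) >= threshold else 0


if __name__ == "__main__":
    print("sigma rule flags days:", sigma_outliers(OUTBOUND_MB))
    m = fit_logistic(TRAINING)
    for ev in [(9, 2, 0), (1300, 70, 1)]:
        print(ev, "P(hostile) = %.3f" % predict_probability(m, ev), "->", classify(m, ev))
```

The sigma rule flags the backup day because it is far from the mean, with no way to express context; the fitted model gives a probability per event, and the 0.5 cut-off in `classify` is the knob that trades missed events against false positives. The labelled `TRAINING` set is also what lets you measure the error rate the article says these models continually calculate.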



[Figure: clusters of shoppers. Source: MathWorks]

The same logic applies to cybersecurity. You feed data points into a clustering algorithm and let it look to see if there is anything common about these. For example, if you plot user activity, they should be clustered in regular users and super users. Find a regular user behaving like a super user and that could indicate their computer has been hacked.

THE TOOLS

If you know ElasticSearch, then you are familiar with Kibana dashboards. But if you want to use big data to display analytics data then you need to use Zeppelin dashboards.

Apache Zeppelin is like a web page and REPL IDE (that is an interactive code interpreter) all in one. You can put multiple programming languages into it at the same time. It supports markdown, SQL, Scala, Python, static, JDBC, user input, JavaScript, bash, and so on. This means a programmer can use Apache Spark and Scala, R, or Python, run ML algorithms, and then graph the output onto the screen. Markdown is the syntax used to create README pages at GitHub. So the programmer can put the instructions and the code in the same place and then use websockets to broadcast that to users. The programmer sees the code. The users see the results, all from the same web page. So it’s a report, or a visualization.

Zeppelin supports AngularJS JavaScript too. This lets you make real-time graphs when you attach it to real-time data coming from Apache Spark.

All of this integrates with ELK. So you can feed different logs from your web servers, firewalls, switches, applications, and so on into ELK and then use Apache Spark to do ETL (extract, transform, load) to translate all that into label-feature vectors to feed into ML algorithms. In terms of what we discussed above, the labels are something like “denial of service attack”, and features are an array of data points that reflect user behaviour, firewall stats, and data coming from external sources. The volume by which this data flows and the computing resources needed to do large scale matrix multiplication can only be handled in a scalable, distributed computing architecture. In other words, this fits perfectly into the big data design.
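The regular-user versus super-user clustering described above, as an added example that is not code from the article: a small k-means in plain Python over constructed per-account activity, with the directory role used afterwards to flag an account that clustered with the administrators although it is recorded as a regular user. The accounts, counts and roles are all constructed; in practice the feature vectors would come out of the ELK-to-Spark ETL the text describes.

```python
"""Added example (not from the article): the regular-user versus super-user
clustering the text describes, done with a small k-means implementation.
Accounts, activity counts and directory roles are all constructed."""
import math

# Constructed per-account activity for one day: (distinct hosts logged into,
# privileged commands run), plus the role the user directory records.
USERS = {
    "alice":   ((2, 0), "regular"),
    "bob":     ((1, 1), "regular"),
    "carol":   ((3, 2), "regular"),
    "dave":    ((2, 1), "regular"),
    "erin":    ((40, 120), "admin"),
    "frank":   ((35, 95), "admin"),
    "grace":   ((45, 140), "admin"),
    "mallory": ((38, 110), "regular"),   # a regular account behaving like an admin
}


def _distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points, k=2, iterations=100):
    """Lloyd's k-means. Centroids start at the first k points, which keeps the
    result deterministic for a demonstration (production code would seed better).
    Returns (centroids, cluster index for each point)."""
    centroids = [list(p) for p in points[:k]]
    assignment = None
    for _ in range(iterations):
        new_assignment = [min(range(k), key=lambda c: _distance(p, centroids[c]))
                          for p in points]
        if new_assignment == assignment:
            break
        assignment = new_assignment
        for c in range(k):
            members = [p for p, a in zip(points, assignment) if a == c]
            if members:
                centroids[c] = [sum(dim) / len(members) for dim in zip(*members)]
    return centroids, assignment


def find_role_anomalies(users, k=2):
    """Cluster the activity vectors, label each cluster by the majority directory
    role of its members, and return accounts whose recorded role disagrees with
    the cluster their behaviour fell into."""
    names = list(users)
    points = [users[n][0] for n in names]
    _, assignment = kmeans(points, k)
    majority_role = {}
    for c in range(k):
        roles = [users[n][1] for n, a in zip(names, assignment) if a == c]
        if roles:
            majority_role[c] = max(set(roles), key=roles.count)
    return sorted(n for n, a in zip(names, assignment)
                  if users[n][1] != majority_role.get(a))


if __name__ == "__main__":
    print("accounts whose behaviour does not match their role:",
          find_role_anomalies(USERS))
```

Two features keep the example readable; the same code works on longer vectors (logins per hour, bytes transferred, distinct applications launched), and the cluster-versus-directory comparison is what turns an unsupervised grouping into an alert an analyst can act on.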


WHAT DATA SHOULD YOU MONITOR?

Now, having some understanding of the logical basis upon which analytics is based, what tools do you need to do that? You probably already have some or most of them. And if not, they are all free, so download some and learn them. The difficulty is in finding people who understand it all.

The tools for doing analytics include ML APIs, Spark, Hadoop, Cassandra, HBase, Kafka, Pig, Scala, Python, R, ELK, Spark Streaming, Storm, and so on. There is a lot of accumulated knowledge among the community of programmers and architects on what those do. What is less understood is how to apply this knowledge to cybersecurity. There are not many documented use cases, or literature on the subject. And it seems that not many, if any, security tools actually use analytics. Most are still relying on the malware signature approach, which as we know does not work, or on simple rules.

The good thing about doing all of this is that you can build it up in stages. Start off simple. Then extend the models you build as more data points and data feeds become available. Then let people who really do understand statistics look at their error rate, which these models continually calculate, and make adjustments to minimize those. Hopefully, you can flush out some hacker and insider threat activity that current intrusion detection tools have not been able to find.

So start off by making a list of what data you could monitor to stop intruders. For example, you can stream threat feeds into Apache Spark. That will give you, for example, IP addresses that are launching bot attacks now around the world. Then, again using mathematics, you find the intersection of that set of IP addresses with the set of your users’ IP addresses. If that set is not empty, they overlap. So, one of your computers is a bot. Creating sets and finding intersections is what Apache Pig, Spark and so on do quite well.

Another target would be to inspect the memory of each machine on your network and look at the frequency with which .dlls are loaded. Perhaps there is a tool that will report on memory address usage. Buffer overflow attacks will not create events in the Windows system log. But it should be possible to look at Chrome users and find those that are spraying memory with shell code by looking for patterns in how they address memory.

Walker Rowe, Freelance Tech Writer and Programmer
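The threat-feed intersection described in the "What data should you monitor?" section, as an added example that is not code from the article: the set intersection done in plain Python rather than Spark or Pig. It goes a little beyond the text by accepting feed entries that are whole networks (CIDR blocks) as well as single addresses, and by checking both directions: your own public addresses that the feed lists as attack sources (the article's "one of your computers is a bot"), and internal hosts whose outbound connections reached a listed address. The feed and the firewall log lines are constructed samples using documentation address ranges; the log format is one made up for this example.

```python
"""Added example (not from the article): the threat-feed intersection the text
describes, done in plain Python. Feed and log lines are constructed samples."""
import ipaddress
import re

# Constructed threat feed, one host or network per line; comments allowed.
THREAT_FEED = """
# constructed sample: botnet controllers and scanners
198.51.100.7
203.0.113.0/24
192.0.2.44
"""

# Constructed outbound firewall log: timestamp source destination action
FIREWALL_LOG = """
2017-07-03T02:14:07Z 10.0.5.21 198.51.100.7 ALLOW
2017-07-03T02:14:09Z 10.0.5.21 192.0.2.10 ALLOW
2017-07-03T02:15:30Z 10.0.7.8 203.0.113.200 ALLOW
2017-07-03T09:00:01Z 10.0.9.3 192.0.2.45 ALLOW
2017-07-03T09:02:44Z 10.0.5.21 198.51.100.7 ALLOW
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_feed(text):
    """Return the feed as ip_network objects; a bare address becomes a /32."""
    networks = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        networks.append(ipaddress.ip_network(line, strict=False))
    return networks


def in_feed(address, networks):
    """True if the address falls inside any feed entry (host or network)."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)


def own_addresses_in_feed(own_addresses, networks):
    """The article's check: our addresses the feed reports as attack sources,
    i.e. machines of ours that may have become bots."""
    return sorted(a for a in own_addresses if in_feed(a, networks))


def internal_hosts_contacting_feed(log_text, networks):
    """Map each internal source address to the set of listed destinations it
    reached, which is the usual sign of an infected host calling home."""
    hits = {}
    for line in log_text.splitlines():
        match = LOG_LINE.match(line.strip())
        if not match:
            continue
        _, src, dst, _ = match.groups()
        if in_feed(dst, networks):
            hits.setdefault(src, set()).add(dst)
    return hits


if __name__ == "__main__":
    nets = parse_feed(THREAT_FEED)
    print("own addresses listed in feed:",
          own_addresses_in_feed(["192.0.2.44", "192.0.2.10"], nets))
    print("internal hosts talking to listed addresses:",
          internal_hosts_contacting_feed(FIREWALL_LOG, nets))
```

With a few thousand feed entries the `any(...)` scan per address is fine; at Spark scale you would join on the network prefix instead, but the set logic is the same as the article's.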


Physical Attacks on Networks

Most cyber defences are automated tools and eyes-on monitoring that look at network traffic, block spam, and search for malware. But physical security is a major risk too, especially in highly-secure facilities that hackers can’t penetrate in other ways. So a company needs to be aware of and set up defences against company insiders and outside spies connecting computing cards to LAN cables in hidden places, removing disk drives, plugging directly into routers and switches, and attaching USB drives to machines to infect the boot sector, or copy data directly.

ATTACKING SMART DEVICES

Anyone who has seen the highly-rated TV series Mr Robot knows this risk. Hacker Elliot Alderson gains access to the Level 2 floor of a secure data facility by posing as an invited guest. He makes his way into the executive dining room where he excuses himself to go to the men’s room. There he removes a smart thermostat from the wall and attaches a Raspberry Pi to the LAN cable. His goal is not to spy on network traffic; this would only be possible from the vantage point of a router. Instead, now he has an IP address and can freely run commands on the company’s network. The Raspberry Pi can be fitted with a 4G modem with which to communicate with the hacker’s command-and-control centre. The Pi runs Linux, has an ssh command prompt, and is not much bigger than a deck of playing cards.

In movies, like Ocean’s 11, hackers tap into video systems by snapping on a clamp. The clamp pierces the cable shielding and connects to the copper wire inside. But you cannot tap traffic on IP networks unless you connect a device that can obtain its own IP address.

What a hacker needs to do is install a computing card that has two LAN ports: one for itself and one for the traffic going out the other side. The Raspberry Pi or other computing cards need to run OpenWRT or similar software that will query a DHCP server. In the case of the smart thermostat, the computing card will obtain one for itself and for the smart thermostat since it is now playing the role of a switch. The only way to block this would be to use static IPs and not DHCP. Then the computing card would only work if the hacker already knows the IP address of the smart device.

Is there a way to block this attack? When the hacker cuts the LAN cable, a monitoring system could alert that a device has gone offline. But since devices go on and off all the time, the triggered alert is likely to be ignored. There would have to be an inventory of the MAC address of every device on the network. Any device not in that inventory should be shut down automatically.

Also, routing tables and subnets are going to control what networks the hacker can attack. If the IoT sensor is on a separate network from, say, the SAP system, the hacker cannot get in. They would have to attack the adjacent switch and update the routing tables in order to move laterally through the company.

STOLEN DISK DRIVE

Most enterprise disc drives are hot-swappable. They are built that way so that a technician can remove a failed drive without turning off the array.
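The MAC address inventory check proposed in the smart-device section above, as an added example that is not code from the article: it compares the addresses currently leased by DHCP against an inventory of authorised MACs and their expected switch ports, and reports unknown devices, known devices that have moved, and ports that suddenly carry more than one MAC (which is what an inserted card acting as a switch in front of the thermostat would look like). Inventory entries and lease records are constructed, and the lease line format is a simplified one made up for this example, not any particular DHCP server's file format.

```python
"""Added example (not from the article): the device inventory check the text
calls for, run over constructed DHCP lease records. The lease format here is
invented for the example."""

# Constructed inventory: MAC -> (asset name, switch port it should be behind)
INVENTORY = {
    "00:11:22:33:44:01": ("thermostat-dining-room", "sw2/port7"),
    "00:11:22:33:44:02": ("printer-2f", "sw2/port9"),
    "00:11:22:33:44:03": ("camera-lobby", "sw1/port3"),
}

# Constructed lease records: leased_ip mac switch_port (port learned from the switch)
DHCP_LEASES = """
10.20.0.50 00:11:22:33:44:01 sw2/port7
10.20.0.51 AA:BB:CC:DD:EE:FF sw2/port7
10.20.0.52 00:11:22:33:44:02 sw2/port9
10.20.0.53 00:11:22:33:44:03 sw1/port4
"""


def parse_leases(text):
    """Return (ip, mac, port) tuples; MACs are normalised to lower case."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ip, mac, port = parts
        leases.append((ip, mac.lower(), port))
    return leases


def unknown_macs(leases, inventory):
    """MACs holding a lease that the inventory does not know about."""
    return sorted({mac for _, mac, _ in leases if mac not in inventory})


def audit_leases(leases, inventory):
    """Return sorted (kind, detail) findings for an operator, or for an
    automated port-shutdown action, to act on."""
    findings = []
    macs_per_port = {}
    for ip, mac, port in leases:
        macs_per_port.setdefault(port, set()).add(mac)
        entry = inventory.get(mac)
        if entry is None:
            findings.append(("unknown-device", "%s leased %s on %s" % (mac, ip, port)))
        elif entry[1] != port:
            findings.append(("moved-device", "%s (%s) expected on %s, seen on %s"
                             % (entry[0], mac, entry[1], port)))
    # A port that should carry one device but now carries two is the signature
    # of something inserted in line with the original device.
    for port, macs in macs_per_port.items():
        if len(macs) > 1:
            findings.append(("shared-port", "%s carries %d MACs: %s"
                             % (port, len(macs), ", ".join(sorted(macs)))))
    return sorted(findings)


if __name__ == "__main__":
    for kind, detail in audit_leases(parse_leases(DHCP_LEASES), INVENTORY):
        print(kind, "-", detail)
```

The text's "shut down automatically" would be the action taken on the `unknown-device` and `shared-port` findings; the `moved-device` case is worth a ticket rather than a shutdown, since cabling changes are routine. Static addressing, as the article notes, would remove the lease table as a data source, and the same audit would then have to run over the switches' MAC tables instead.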


So hot-swapping is not likely to generate an alert. Drives are replaced frequently in data centres as they have a limited shelf life. Replication ensures that the application keeps on running.

Any data that is lost this way is limited if the drive is encrypted, or if it is only writing data blocks for a file that spans multiple drives. When you pull out an encrypted drive you lose the encryption key. So you cannot read it. And the drive will not be a logically complete file in the case of RAID, which is how disc arrays use multiple drives to create one logical file and protect against loss by writing pieces of it (blocks) to different drives.

ACCESS TO THE ROUTER

A man-in-the-middle attack is possible on a wired or wireless network, but not easy. You cannot spy on traffic flowing across the network simply by using brute force to attach to a Wi-Fi router. This is because data packets flowing from one connected device to another do not pass by all devices connected to the network (they would in a ring topology as in the old Novell IPX networks).

But a hacker who gains physical access to a closet where there is networking equipment or the data centre can plug an ethernet cable into the management ethernet port of a switch. They can then see all the traffic that passes. Now they could do a man-in-the-middle attack. This will fail against VPN, AES, and other traffic unless the hacker has a valid certificate with a correct CN. Man-in-the-middle attacks usually only work against SSL when a human being is dumb enough to click through and ignore the browser warning when the hacker is using a self-signed certificate. So, employees need to be warned against such an occurrence.

Having access to the router too lets the hacker tap into device discovery protocol and find other devices and determine what software they are running by querying microservices. A load balancer in particular has knowledge of the network architecture and container and VM IP addresses and ports. Docker, Kubernetes, and Mesos broadcast configuration information that contains far more than the IP address stored in a microservices registry. So tapping into that traffic will let a hacker know what kind of software is running where.

ACCESS TO A USB PORT

Anyone who has replaced Windows with Ubuntu on their laptop knows that they can boot a device using a USB, bypassing the operating system on the computer to which it is attached. Then they can run Linux and mount file systems. They could then install a rootkit into the boot sector and update the grub configuration on the device to load that when the device boots up. They infect a machine, disconnect, and walk away leaving the device compromised.

There are different ways to protect against such an attack, such as encryption keys etched into the firmware of the device. The iPhone works like that. It checks the integrity of the host operating system and does a factory reset if the OS image hash value does not match. Also PCs have secure boot. Microsoft does that to keep people from using copies of Windows that they did not pay for. But that is easily disabled in the BIOS.

THE NEED FOR PHYSICAL SECURITY

All of this means that it is crucial to control physical access to the data centre. People need to be trained against the tricks of social engineering so hackers cannot talk their way past security guards. Employees need to be trained to challenge people who are trying to piggyback access cards, walking into a door that someone else has opened. Data centre cages should be locked. Credentials and keycards need to be issued through an identity management system. IDM is a system that is used to give new employees computer and physical access and, more importantly, take it away when they change positions or leave the company.

Secgate Research & Innovation




GDPR ‘fake news’ Jonathan Armstrong

About the Author: Jonathan Armstrong is a Partner with London-based compliance law firm Cordery. An acknowledged expert on compliance and technology, his practice advises multinational companies on matters involving risk, compliance and technology across Europe. He has handled legal matters in more than 60 countries. Jonathan is a Fellow of The Chartered Institute of Marketing and co-author of the LexisNexis definitive work on technology risk, ‘Managing Risk: Technology & Communications’. He leads on Cordery’s GDPR Navigator subscription service, and is a frequent broadcaster for the BBC and other channels. Jonathan was ranked as the 14th most influential figure in global data security by Onalytica in their 2016 Data Security Top 100 Influencers and Brands survey.

WHAT IS GDPR ‘FAKE NEWS’?

I think the fake news concept can be overused but we have talked about GDPR fake news in the past. It seems to be getting worse, not better. More and more of our time at Cordery is being taken up by calls from our clients after their CFO or another member of the leadership team has attended an event or read a vendor paper. In the worst cases, in the call the team is told that their budget has been withdrawn/reduced because GDPR or some aspects of it ‘just doesn’t apply to them’. The reality we’ve seen is that in every case it does.

We put together a ‘dirty dozen’ of the most frequent pieces of GDPR ‘fake news’ we’ve seen or heard about from our clients:

1. GDPR is enforced by a new Brussels-based data police force
2. GDPR only applies to PII (and that’s a short list)
3. Fines are based on 4% of profit (not turnover)
4. GDPR is all very new
5. The new data rights (like data portability and the right to erasure/right to be forgotten) just won’t be used
6. Data Processors have no liability
7. Organisations outside of the EU have no liability
8. GDPR looks good but won’t be enforced
9. GDPR doesn’t apply to financial services
10. GDPR doesn’t apply to the health sector
11. GDPR won’t apply because of Brexit


12. GDPR brings in just one set of laws for the whole of Europe – the law will now be exactly the same across the EU

To be honest though it was hard to stop at 12 – we could easily have done 10 or 20 more.

WHY IS THIS AN ISSUE?

Aspects of data protection have always been pretty complicated and it’s sometimes hard enough to make the right call even when you don’t start with the wrong basic facts. I think I first reached out to the UK data regulator on a client’s behalf in the early 1990s (yes, I really am that old). At the time I was doing a lot of work for healthcare organisations and we were acting on behalf of a hospital that had a very complicated issue about a child in their care. The medical evidence suggested that the hospital had to make a life or death decision. The hospital and the doctors involved behaved properly and responsibly in talking this through in detail with the regulator with our help. I am still convinced we reached the right decision, but it was not obvious. Even before GDPR, you needed to put some proper thought into the situation to get to the right answer. Some aspects of data protection aren’t that difficult. But there is often a confusion in some minds between what the law is and what you’d like the law to say.

On the 25th January 2012, the European Commission introduced its new data protection Regulation, which we now know as GDPR. I wrote about it within a couple of hours of the proposals being published (you can read it HERE). While there are things I would probably change now, this was the product of reading 119 pages end to end to quickly get the client alert out. One of the most controversial things at the time was that I said that the passage of GDPR into law would not be as smooth as the European Commission anticipated. It has become very apparent that the passage into law still isn’t smooth in some countries – for example the recently announced new German law which will sit alongside GDPR but take away some of GDPR’s essential aims at harmony. Some of the GDPR fake news come from old articles like the one I wrote in 2012 – for example the fine levels have changed from the 2012 draft to the final version. But there are no excuses for some of the other alternative facts which are either misinformed, or just wishful thinking.

WHY SHOULD WE CARE?

The danger of GDPR fake news is that it just reduces readiness. It is not responsible to speak at an event and tell people to forget about GDPR because Brexit means it will not apply in the UK. There is not a shred of evidence for this and that pronouncement from the ‘expert’ speaker might mean 70 or 80 organisations fail to prepare. I’ve had the same at an event last year where someone told a large audience that GDPR didn’t apply to financial services and was pretty shirty when I argued it did. The ‘evidence’ it seems was that he had spoken to a junior lawyer at a bank at a breakfast event who had said so. Was that enough evidence to tell 150 people in a room that they could stop getting ready?

You can probably sense my frustration in this blog. We have tried to mask our frustration with an attempt at the quirky, but this is a serious topic. This article is a slightly amended version of the original article, which was first published HERE.

Jonathan Armstrong Partner Cordery


The leading European event on cybersecurity

The FIC 2017 by visitors: 7086 visitors

“So much to see in so little time”
“The 1st time at FIC, but definitely not the last time!”
“FIC allowed us to make new qualified contacts”
“This show is outstanding by its dimension and by the diversity of the participants”
“Brilliant organisation”
“Great show, and many good meetings”

Free registration and free access to conferences for professionals

280 business partners, 300 high quality speakers, 30 workshops, 20 conferences, 12 keynotes

www.forum-fic.com


GDPR is Coming Brian Fitzpatrick

About the Author: Brian Fitzpatrick is Director, Business Development, EQ Digital, at Equiniti. Previously, he was Director, Strategic Partnerships, and before that Business Development Manager at Equiniti, and prior to this he was Head of Sales at Snaggl. Brian has 20 years’ experience in Sales and Business Development in UK, Ireland, Europe and USA. This includes products and service based solutions for Capital Markets, Commercial Banking and the Public Sector. He helps clients with secure technology led automation and productivity solutions for: The EU General Data Protection Regulation; Biometrics based client on-boarding and other identity scenarios; and Complex bespoke workflow/case management.

The European Union’s General Data Protection Regulation (GDPR) is due to come into force in Spring 2018. While all eyes are currently on the UK’s approach to Brexit, whether or not the UK is still part of the EU at this time is immaterial when it comes to data protection. On one hand, if your organisation and its data still interacts with the EU post Brexit, there is still a need to ensure your data is being held in accordance with the GDPR, whilst on the other, the UK will most probably amend its own data protection legislation prior to 2018 to bring it into line with the GDPR.

Either way, your organisation, be it public or private, needs to ensure that your approach to data protection and cyber security is taken seriously and that there is buy-in from the top. To some, the need to change their approach to data protection brought about by the GDPR could be seen as additional workload for already overstretched resources, whereas in effect, GDPR, if embraced correctly, could bring with it a much more modern and robust approach to information security. Yes, the regulation will require a more strenuous data protection regime coupled with much more punitive penalties for non-compliance (fines of up to 4% of global turnover or €20million, whichever is the greater).

The upside for some organisations, however, could be that the GDPR is actually a catalyst to bring about changes to how they do things in the future. A lot of organisations need to look at their data in the round. Systems may have grown and evolved over years as one system gets bolted onto another. This leaves the very real prospect of many organisations not actually knowing what data they hold, never mind knowing how much of it they actually have. This is a frightening prospect when it comes to cyber security because if an organisation doesn’t know the level of data it actually holds, then how can it expect to keep it safe? In this regard, the GDPR should be seen as a necessary evil and an opportunity to have a root and branch review of an organisation’s approach to their systems, data and security.

A wait and see approach is not recommended and clear action should be taken now to ensure compliance is achieved within the timescales. A good place to start would be to map data flows as part of a privacy impact assessment, i.e. how information is collected, stored, used, shared and deleted or archived, and what would be the most likely reasons for a data breach? The most common reasons for a data breach could include:

• Human error
• Failure to encrypt
• Lack of or poor data retention policies
• Poor data access policies
• Lack of staff training
• Misdirected communications (fax, email, post, hand delivery)
• Dependence on paper records
• Accidental loss/theft
• Breaching direct marketing rules
• Bad asset control (decommissioning of hardware)
• Dependence on non-connected data islands
• Poor security policies

All of these potential breaches could have a serious knock-on effect on your information security and leave your organisation vulnerable to a cyber security attack. The good news however is that these risk factors can be overcome by a systemised approach which addresses better compliance, more effective business processes and robust information security at their core.

This article was first published in agendaNI magazine.

Brian Fitzpatrick Director, Business Development, EQ Digital Equiniti





VisDa

Take control of your data


VisDa
Unlocking your data transfers; mitigating your risk.

Information and data is the lifeblood of companies today. Whole industries rely on the rapid sharing of information to generate revenue. As a result, huge volumes of data move from network to network, company to company, every day, non-stop. This presents organisations with a challenge - with so much data being transferred in and out of a company’s network, and with 2 out of every 3 large businesses in the UK experiencing a cyber-attack or breach in 2016, how can you keep track of which transfers are legitimate and which are malicious? Compound this challenge with regulatory drivers such as the general data protection regulation (GDPR) and the need for a coherent solution to monitor and mitigate data transfer risks to your business is clear.

VisDa is a revolutionary solution that gives you the capability to track, trace, monitor, visualise, and analyse your organization’s data transfers without impacting the performance of your business. Sitting transparently on your network, VisDa allows you to understand what, where, when and how data is moving, both internally within your network and externally to third parties.

Developed by world-renowned records management consultants, risk consultants, cyber security experts and technologists, VisDa has been designed from the ground up to quantify the data transfer risk that your organisation is exposed to. Risks are displayed on our next generation dashboards; each dashboard is tailored to your individual operational risk framework and risk appetite. From senior executives to operational level users, keep your entire team informed.



VisDa: Visualising your data.

VisDa is a tool that equips your network teams with three new capabilities. The first is the ability to map out all the data transfers occurring both internally and externally on your network, allowing malicious connections to be identified and blocked. The second is the ability to visualise and quantify your complete risk exposure caused by data transfers, giving your board mission critical business intelligence with regards to their risk exposure. The third is the ability to add context and information to security events quickly and efficiently by acting as a ‘black box’ on your network.

VisDa passively monitors your network for data transfers and then applies a risk score to each data transfer based upon several features: the amount of data sent in the transfer, the types of files the data is contained in, the time and day the transfer was sent, and the destination IP address of the data transfer. The risk score calculations are highly configurable and can be mapped to an organisation’s individual risk framework and operational environment. VisDa then allows you to approve (and pre-approve) data transfers that are expected and investigate data transfers that seem malicious. The dashboards convey your company’s global risk in a quantifiable way, giving your board of directors an easy to understand and easy to digest report of their data transfer risk exposure.

VisDa gives you a fresh way of monitoring data transfers and quantifying your global risk of a data breach; it is a complete data transfer risk management solution. Whether you need a solution to help you mitigate data transfer risk, or help you to achieve regulatory compliance with regulations such as the General Data Protection Regulation (GDPR), VisDa is the solution for you.
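The scoring model described above, as an added illustration that is not VisDa’s own code: each observed transfer is scored on the four features the text names (volume, file type, time and day, destination address), pre-approved source/destination pairs score zero, and a threshold splits transfers into routine and to-be-investigated. The weights, networks, addresses and sample transfers are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed policy values; a real deployment would map these to its own risk framework.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
SENSITIVE_EXTENSIONS = {"xlsx": 3, "csv": 3, "docx": 2, "pdf": 2, "zip": 3}
BUSINESS_HOURS = range(8, 19)  # 08:00 to 18:59 local time
# (source, destination) pairs the business has pre-approved as expected transfers.
PRE_APPROVED = {("10.0.5.12", "203.0.113.10")}


@dataclass
class Transfer:
    src: str
    dst: str
    size_bytes: int
    filename: str
    when: datetime


def risk_score(t: Transfer) -> int:
    """Return 0 for pre-approved transfers, otherwise a 0-10 score from weighted features."""
    if (t.src, t.dst) in PRE_APPROVED:
        return 0
    score = 0
    # Feature 1: volume. More data in one transfer means more to lose.
    if t.size_bytes >= 100 * 1024 * 1024:
        score += 3
    elif t.size_bytes >= 10 * 1024 * 1024:
        score += 2
    elif t.size_bytes >= 1024 * 1024:
        score += 1
    # Feature 2: file type. Formats that usually hold structured records weigh more.
    ext = t.filename.rsplit(".", 1)[-1].lower() if "." in t.filename else ""
    score += SENSITIVE_EXTENSIONS.get(ext, 0)
    # Feature 3: time and day. Out-of-hours or weekend transfers are less likely to be routine.
    if t.when.hour not in BUSINESS_HOURS or t.when.weekday() >= 5:
        score += 2
    # Feature 4: destination. Addresses outside the internal ranges leave the organisation's control.
    if not any(ip_address(t.dst) in net for net in INTERNAL_NETS):
        score += 2
    return min(score, 10)


def triage(transfers, threshold=6):
    """Split transfers into (investigate, routine) lists by score."""
    investigate, routine = [], []
    for t in transfers:
        (investigate if risk_score(t) >= threshold else routine).append(t)
    return investigate, routine


# Constructed sample transfers, not real traffic. 1 July 2017 was a Saturday.
SAMPLE = [
    Transfer("10.0.5.12", "203.0.113.10", 50 * 1024 * 1024, "payroll.xlsx", datetime(2017, 7, 3, 10, 0)),
    Transfer("10.0.7.40", "198.51.100.7", 120 * 1024 * 1024, "customers.csv", datetime(2017, 7, 1, 2, 30)),
    Transfer("10.0.7.40", "10.0.9.2", 2 * 1024 * 1024, "notes.txt", datetime(2017, 7, 4, 14, 0)),
]

if __name__ == "__main__":
    for t in triage(SAMPLE)[0]:
        print(f"INVESTIGATE score={risk_score(t)} {t.src}->{t.dst} {t.filename}")
```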



VisDa: A fresh new way of monitoring data transfers and quantifying your global risk of a data breach; it is a complete data transfer risk management solution. Whether you need a solution to help you mitigate data transfer risk, or help you to achieve regulatory compliance with regulations such as GDPR, VisDa is the solution for you.

Contact us for a demo at: Info@secgate.co.uk


RISING STAR INTERVIEW: Erin Jones


About the Author: Erin Jones is a senior associate in the PwC cyber security practice. She has worked on a range of engagements for FTSE100 and Financial Services clients, including large security transformations, incident response, identity and access management, and third party security management. Prior to joining PwC, Erin spent two years completing the TeachFirst graduate scheme, teaching computer science at a secondary school in North London. Erin holds a BSc in Information Security Management for Business from Loughborough University, and is currently studying for an MSc in Information Security at Royal Holloway, University of London.

TELL US ABOUT YOURSELF:

My name is Erin Jones. I’m 27 and work as a cyber security consultant at PwC where my primary role is to help our financial services clients build and assure their cyber security defences. In plain English, this means that I help customers both to understand how strong their cyber security is, and to improve it as necessary. I joined PwC three years ago after spending two years on the TeachFirst graduate scheme, where I taught computer science at a secondary school in North London.

My job sometimes gets quite stressful, and studying for an MSc in my spare time doesn’t help that! It really helps me to stay active; I particularly enjoy long-distance running, boxing and skiing. I am also a big fan of South Korean culture.

WHAT MADE YOU CHOOSE A CAREER IN CYBER SECURITY?

I was actually a computer science teacher when I decided to join the cyber security industry; I spent two years on the TeachFirst graduate scheme after leaving university as I recognised the leadership skills I could gain and the important purpose of the scheme. I realised I wanted to do something that applied both to my degree and to my interest in enabling business through technology (I’d seen it treated only as a cost-centre in my placement year). At the time of ending my commitment to teaching, two big breaches had happened in North America and I became really fascinated by the complexities of securing a digital society. It was hard to leave teaching, but I know that I can still help inspire students to take up core subjects and career paths in my current job.

WHAT ARE THE GREATEST POSITIVES ABOUT WORKING IN CYBER SECURITY?

Definitely the exposure I have had and the opportunities to learn. I have met the coolest people in this industry, with such different backgrounds, experiences, and sometimes really niche specialisms – yet, all of them are super passionate. It’s a really innovative industry because people do bring together what they know to deliver solutions or just new ways of doing things. Additionally, no client problem I have ever faced is the same, so it’s exciting to constantly challenge myself in new environments and situations.

WHAT ARE THE GREATEST CHALLENGES IN CYBER SECURITY?

I would say two of the biggest challenges I have noticed are education and skills.

The industry has grown so rapidly that the organic growth of the right skills has not been able to keep up, which is making it difficult for organisations to ensure they have the right people to deliver security objectives. Although crucial technical skills such as ethical hacking and security architecture are taught, there is so much more to the field.

I also believe education plays a huge part in the challenges faced by organisations and the public. Although this is starting to change, there is a huge misconception that cyber security is simply a technology issue and therefore not owned by the business. In order to mitigate risk, cyber security must be embedded fully and within all organisational processes – a key example of this is third party management, i.e. how can organisations be confident in the security of their supply chain?

WHAT ARE HIGHLIGHTS OF MY CAREER?

Working on two high profile data breaches with a really talented response team and seeing the direct impact my work was having on those organisations to enable them to take the next steps forward.

Designing, managing and delivering the 2016 final of the Cyber Security Challenge UK, which I am really proud that PwC sponsored. Its success was covered by lots of UK media, ultimately supporting education about the industry and helping discover new talent along the way.

WHAT/WHO HAS BEEN THE BIGGEST INFLUENCE ON YOU?

My dad has always taught me to be fearless and resilient; if something is challenging, it’s probably good for me.

Within cyber security specifically, the leaders in my team are awesome. Over the three years I have been here, I have been empowered to do some really exciting things, which if written on paper would appear higher than my grade. Those leaders definitely inspire me to constantly innovate and believe in myself.

My best friend also works in my wider team but has really different skills and strengths to mine; she’s definitely a daily inspiration.

WHERE DO YOU SEE CYBER SECURITY IN 10 YEARS?

I think that the field is going to become increasingly regulated over the next 10 years, both in terms of regulations around organisations’ own cyber security, and in terms of regulating providers in the marketplace (of products and services).

Also, right now, there is a widely accepted ‘skills gap’ in cyber security, whereby the industry is struggling to fill key roles with suitably qualified people. The industry also lacks diversity, with many women choosing to have careers elsewhere. I hope that both of these will have changed in 10 years’ time, and we’ll see a much better resourced industry that is far more representative. Part of this is going to be changing people’s perceptions of cyber security as a career, and demonstrating that there are more than just ‘techy’ IT roles up for grabs.

WHAT ARE YOUR CAREER AMBITIONS?

In 10 years’ time I want to be well known in the industry as an expert in my chosen field. At the moment, I really appreciate the importance of building a solid foundation of skills and knowledge so that I can appreciate all facets of a problem. However, over time, I’d like to focus increasingly on a specialist area and become renowned for my mastery of it. I think getting myself to that place will be a challenge, but thoroughly enjoyable. Perhaps even more ambitiously, I’d love to be a CEO in 20 years’ time. I think that as society and business becomes more and more reliant on digital technology, future chief executives will equally need to become more literate in that technology. Also, I don’t think that it’s right that women are so underrepresented on corporate boards, and I’d like to be someone that helps to change that.

WHAT WOULD YOU DO IF YOU WEREN’T A CONSULTANT?

I come from a family of police officers; my parents both met in the police and my grandad had some really amazing achievements across a variety of forces. If I hadn’t taken the career path I had, I would like to think I would have joined the police too and eventually become a detective. The current direct entry detective scheme for the Met sounds really impressive as they recognise transferable skills.

WHAT ADVICE WOULD YOU GIVE YOUNG PEOPLE HOPING TO ENTER A CAREER IN THE FIELD?

Be passionate. There is so much opportunity in this industry as it’s so fast paced: you need to be passionate about it as it will never stand still. Read up about cyber security news and developments, and research what interests you – is it the technical detail, processes or people? Look out for internships, industry events or opportunities to look at what different organisations do – I know for instance that PwC offers tech internships which include cyber security.

Erin Jones Cyber Security Senior Associate PwC UK



FUTURE LEADERS: Sophia McCall
Women in Cyber Security

About the Author: Sophia McCall is currently studying for a BSc in Cyber Security Management at Bournemouth University. She has participated in many ethical hacking competitions and ‘hackathons’ across the country, achieving a series of awards and ‘wins’. Sophia is in the process of taking on the role of vice president of the Bournemouth University Cyber Security Society for the forthcoming academic year. Sophia is planning to engage in industry placements in the near future to enhance her experience and knowledge of the field.

The field of cyber security is not only currently lacking both numbers and talent, but also exhibiting a massive gender imbalance. Statistics show that only 11 per cent of the global IT industry workforce is female and with such a large gap between the male and female ratio in the industry, campaigns have been mounted to encourage more women to enter the cyber security field.

I am part of the small percentage of women in cyber security; and for as long as I can remember, I have always been part of a minority within information technology. Ever since my secondary school days, I was either the only female, or one of a very few, in the classroom environment – and this trend has continued into my university life. With every industry day I attend, or cyber security exhibition, or educational course – the lack of female representation in the room is very noticeable. There is constant talk of how more women are wanted in cyber security, but, some may ask, why do we want more women in cyber security?

Historically, there has been a lack of female representation in the technology and STEM sectors, but times are changing – and with the advance of technology and the increasing needs of the technology sector, more and more women are entering the field.

However, only a small proportion of female students currently studying for a degree are planning to enter a career in technology – for a number of reasons: there is the risk of entering a heavily male-dominated environment, the isolation one may experience as a result, and the strict culture and stereotype of the typical cyber-geek, to name just a few. However, I, and many others, have grown to accept the fact that we may be the only females in the room, and with time and experience we have learned to persevere and combat these stereotypes.

Cyber security is a field where many diverse skills are needed, far beyond the typical cyber-geek tapping away on a keyboard. There is now a great variety of roles that can be offered to someone entering the field. With the range of roles available today and the number of diverse skillsets needed, a wide variety of suitors should be considered – including an equal ratio of males and females. It is an accepted scientific fact that the male and female brain have their own unique characteristics. The male brain tends to be more analytical with more logical cognitive processing and systematic thinking. The female brain is known to be more empathising, more capable of understanding and better at relating to another person’s emotions and thoughts. While both traits and functions are great on their own, the combination of both skills can be used to increase the overall success of a cyber security workforce.

Cyber security is not only reliant on the success of technical roles: most security vulnerabilities derive from human error. To gain an understanding of how to increase the security of a device, one must understand the end-user. Most large firms and companies fall victim to some form of social engineering, hence the psychological factors of cyber security are growing ever more in importance. With women exhibiting a deeper understanding of psychological factors and the behaviours of individuals, not only can their technical skills be put to great use, but the psychology of understanding how a person works can be used to advantage. So to answer the question why we need females in cyber security, the answer is simple: we need the diversity! Not only to support a healthy workspace ecosystem, but to utilise all the available talent to increase the capabilities and success of our cyber workforces.

Sophia McCall, BSc in Cyber Security Management, Bournemouth University


Cyber World: Missed an edition? Want to subscribe? Want a hardcopy? Want to contribute? Contact us on cyber@secgate.co.uk


Upcoming Events

HEALTHCARE CYBERSECURITY CONFERENCE, hosted in Salford, UK, 20th July 2017. Read more here.
BLACK HAT USA 2017, hosted in Las Vegas, USA, 22nd to the 27th July 2017. Read more here.
ASIAL 2017, hosted in Sydney, Australia, 26th to 28th July 2017. Read more here.
CYBER SECURITY SUMMIT: CHICAGO, hosted in Chicago, USA, 8th August 2017. Read more here.
SECUTECH VIETNAM, hosted in Ho Chi Minh City, Vietnam, 16th to 18th August 2017. Read more here.
XXI WORLD CONGRESS ON SAFETY AND HEALTH AT WORK 2017, hosted in Singapore, 3rd to 6th September 2017. Read more here.


About Secgate Secgate is a specialist security advisory and technology innovation group made up of experienced and award winning tier 1 professionals who deliver intelligent protection solutions that both strengthen and empower our clients’ IT security and resilience. Our in house technology department builds, implements and manages next generation IT security tools to help our clients analyse, correlate, identify and eliminate Cyber Security threats. With headquarters in the UK, Secgate Technologies is made up of industry experts and leading technologists who have built a suite of solutions with proven defensive capabilities that tackle IT threat detection, analytics and IT incident response. Our flagship product, Forest Tree, has been successfully deployed in a number of complex and uniquely demanding environments. Our combination of consultants and technologists allows us to deliver unique and innovative solutions that provide our clients with a real tangible value.

www.secgate.co.uk info@secgate.co.uk

Berkeley Square House, Berkeley Square, Mayfair, London W1, United Kingdom