CYBER WORLD Rounding up the latest in Cyber Security
In this month’s edition:
Latest News
Newest Vulnerabilities
Special Guest (Luay Baltaji, OMNETRIC Group)
Business Strategies After The WannaCry Outbreak (Cheng Lai Ki)
Using Analytics with Cybersecurity (Walker Rowe)
Physical Attacks on Networks
GDPR ‘Fake News’ (Jonathan Armstrong)
GDPR is Coming (Brian Fitzpatrick)
Rising Stars (Erin Jones)
Future Leaders (Sophia McCall)
Upcoming Events

Hello. Welcome to the July 2017 edition of Cyber World magazine, bringing you the latest news from the world of information security. This edition features contributions from special guests and seasoned cyber security experts, including Luay Baltaji, Cybersecurity Manager (EMEA) at OMNETRIC Group; Jonathan Armstrong, Partner at Cordery; and Brian Fitzpatrick, Director at Equiniti. We also have analyses of hot topics in cyber security such as ‘Using Analytics with Cybersecurity’ by Walker Rowe; ‘Business Strategies After The WannaCry Outbreak’ by Cheng Lai Ki; and an article on ‘Physical Attacks on Networks’ by Secgate Research & Innovation. Last, but not least, our monthly ‘Rising Star’ interview has been conducted with Erin Jones from PwC, and we are delighted to present a ‘Future Leaders’ contribution by Sophia McCall, a BSc in Cyber Security Management student at Bournemouth University. As always, we thank all our readers for their interest and valuable feedback, and we look forward to your continuous engagement with our magazine. If you enjoy this magazine, feel free to share it with your friends and colleagues; any feedback is always welcome.
Laith Gharib, Managing Director
J ULY 2 017 • 2
Latest News Rounding up the news
TWO BRITS ARRESTED FOR TRYING TO HACK MICROSOFT
A 22-year-old and a 25-year-old male were arrested by the UK police for trying to hack into Microsoft to steal customer data. They were charged under Britain’s Computer Misuse Act. Hacker News said police believe they are part of an international ring ‘breaking into the Microsoft’s network between January 2017 and March 2017 to scoop up the customer information.’ That statement suggests Microsoft was successfully breached earlier this year. Microsoft released a statement saying no customer data was stolen.

SPYWARE BEING USED TO TARGET JOURNALISTS IN MEXICO
The New York Times reports that spyware sold to the Mexican government has been used against human rights activists, journalists and their families, as well as against those looking to expose corruption in Mexico. The software was sold with the restriction that it only be used for law enforcement and terrorism prevention. Among the hacked persons were lawyers looking into the disappearance of 43 students several years ago. The Pegasus spyware was sold by the NSO Group. Mexican analysts said it is ‘highly unlikely’ that Mexican officials asked any court’s permission to target these persons and that ‘illegal surveillance is standard practice.’

VOTER DATABASE EXPOSED
The Washington Post reports that cybersecurity researcher Chris Vickery discovered that a voter database in the USA containing 198 million votes was accidentally exposed to the internet by a contracting firm. The firm has been using the data for data mining and analytics services paid for by politicians interested in their analysis. The data came from the Republican party, data brokers, and other sources. The article did not say how the database was exposed, for example whether it could be accessed directly via JDBC or through a web service. The information included voter history and voter opinions on candidates, their ethnicity, religion, and other interests.

KMART POS TERMINALS ATTACKED
Kmart is a very large retail chain owned by Sears. Its POS (check out) terminals have been breached for the 2nd time in 3 years. The company released a statement saying that after having found the malware, they engaged forensic services. According to the forensic researchers, no customer data - ‘PERSONAL DATA (written in caps)’ - was stolen, except for credit card data. The company said their use of EMV chips should limit the amount of damage since they require physical access to a card to use it. Citing that this is an ongoing criminal investigation, the company gave no further technical details.

RUSSIAN HACKING ON US ELECTION BIGGER THAN PREVIOUSLY KNOWN
The fallout from the believed Russian hacking of the US election continues. Bloomberg Politics reports under the headline ‘Russian Cyber Hacks on U.S. Electoral System Far Wider Than Previously Known.’ According to the report, 39 of 50 states were attacked. Still there is no evidence that Russia was able to actually change voter data, although they ‘tried to delete or alter voter data’ in Illinois. Bloomberg reports that the Obama administration was aware of this and picked up the so-called ‘red phone’ to complain to Moscow about this. An NSA report shows that weaknesses exist that threaten future elections as well. The former FBI director surmised that ‘Moscow isn’t done meddling.’

HACKERS TRICK BROADCASTERS INTO REPORTING FAKE NEWS FROM QATAR
Aljazeera reports that ‘Sky News Arabia and Al Arabiya’ were tricked into publishing ‘fake news’ when they ran with stories planted by hackers on the Qatar News Agency website. The news said that the emir expressed support for Iran, Hamas, Hezbollah and Israel and that President Trump ‘might not last in power.’ Qatar-based Al Jazeera criticised Sky PLC in the UK, saying they approached the organization to ask ‘what media standards their Gulf affiliate adheres to.’

EU PARLIAMENT PROPOSES THAT ENCRYPTION BE DEPLOYED EVERYWHERE
The EU parliament proposes that ‘end-to-end encryption be enforced on all forms of digital communications to protect citizens.’ This would further prohibit any kind of vendor backdoor in apps like Telegram or WhatsApp, both of which already have encryption. In the recent UK election, the Conservative Party said that tech companies should be required to provide ‘access to information as required’ to combat online terrorist planning and recruiting. The BBC says this has created confusion among tech companies as to whether they need to provide such backdoors. Security experts say the government’s plans would not work in any case, since terrorists can find other ways to send encrypted communications.
Newest Vulnerabilities Latest Developments and Trends
MICROSOFT PATCHING EOL OPERATING SYSTEMS BECAUSE OF WANNACRY RANSOMWARE
Microsoft has released security patches for EOL (end-of-life) versions of Microsoft Windows because of the damage caused by the WannaCry ransomware. The patches cover Windows XP, Windows Vista, Windows 8, Windows Server 2003, and Windows Server 2003 R2. The company said this was because of ‘state-sponsored cyberattacks’. Microsoft said: ‘We also know that some of our customers are running versions of Windows that no longer receive mainstream support.’ Those customers would not have received the security update released in March, so Microsoft has made this special patch for them. Users will have to download it or run Windows Update.

OPENVPN PATCHES CRITICAL SECURITY ISSUES
OpenVPN is an open-source VPN server and client. The project has released 3 updates for the OpenVPN server and 1 for the OpenVPN client, all deemed critical. Some were found during a security audit, i.e. a source code review; others were uncovered by security researcher Guido Vranken. One of the issues uses memory exhaustion to allow an authenticated VPN user to execute code remotely. OpenVPN stated that this was only possible with a special set of parameters that were ‘very unlikely to fail in real-world usage.’ The client bug would let a hacker steal a password. The server bugs only worked for authenticated users.

ROOTKIT EXPLOIT FOUND THAT WORKS ON WINDOWS 10
CyberArk has found a CPU-based attack that bypasses Microsoft PatchGuard, a tool to block kernel rootkits. The technique is called Processor Trace Based Hooking, and it would let hackers plant a rootkit. Intel Processor Trace (Intel PT) is an extension to the CPU; it also lets security software install cyber defenses there and lets programmers debug at the assembly language level. CyberArk says, ‘this technology is primarily used for performance monitoring, diagnostic code coverage, debugging, fuzzing, malware analysis and exploit detection.’ While intended for tracking software, a hacker could take over a thread using this. Microsoft says it has ‘closed the support’ case, as it would require a hacker already running the boot kernel, and that no security patch is therefore needed. CyberArk did not mention whether Intel made any comments.

MICROSOFT PATCHES SMB WEAKNESS
Microsoft has released a new, different security patch from the one mentioned in the earlier story above. The affected systems include Windows Server 2016, 2012, and 2008, plus desktop Windows 10, 7 and 8.1 and older unsupported versions of Windows. Qualys says that of the 94 items patched, 27 would allow a hacker to take over a machine. One of the most critical exploits works by sending an SMB (a network file sharing protocol) request to the desktop Windows Search Service. Another issue attacks graphics processing when certain fonts are displayed. Other patches cover Outlook, Office, Edge, IE, and attacks on .lnk (binary metadata) files.

CHROME SECURITY UPDATES
Google has released a security update for Chrome 59.0.3071.104 on Windows, Mac, and Linux. The company says: ‘Access to bug details and links may be kept restricted until a majority of users are updated with a fix.’ However, the company did list 5 persons to whom it paid bug bounties for finding these issues. Google paid out about $20,000 USD in total. Chrome calls these Sandbox Escape in IndexedDB, Out of bounds read in V8, and Domain spoofing in Omnibox. Google said the patches include ‘various fixes from internal audits, fuzzing and other initiatives.’
Security Beyond Smart Meters – Smart Homes SPECIAL GUEST: Luay Baltaji
About the Author: Luay Baltaji is a Cybersecurity Manager within OMNETRIC Group, a Siemens and Accenture joint venture which specialises in smart grid transformation. Luay is a recognised expert in the field of IT/OT integration and industrial Cybersecurity. Luay currently serves as Cybersecurity architect and advisor to a number of critical infrastructure operators in the UK. He holds an MSc in Computer Security and is a certified security practitioner from SANS, ISC2 and SABSA.
This will be your typical morning in a few years’ time: early in the morning your smart wearable senses that you’re about to wake up and so your home starts preparing for the day. Your smart meter builds a picture of your anticipated energy consumption for this morning, and then agrees with the energy supplier how your home routine should be executed. This activity could be performed every day in harmony with millions of other smart meters across the country, intelligently orchestrating smart home appliances, electric vehicle chargers and domestic energy sources, like a beehive, to save us money and to help the grid operators reduce congestion on the energy grid. The fact that our little ‘smart’ helpers can ‘negotiate’ with energy companies on our behalf to get us the best deal in near real-time sounds like science fiction, but is indeed becoming reality.

In Britain, it is starting with the rollout of smart meters into every home; the GB Smart Metering Rollout programme is targeted for completion by 2020. By then, there will be more than 50 million smart meters across the nation, sending out about 25 TB of energy consumption data every day to energy providers. With personal permission, this data can be shared with other companies interested in knowing how we use energy. The smart meters rely on an Advanced Metering Infrastructure (AMI) for communication and data management, which is governed by the Smart Energy Code (SEC) and overseen by the energy regulator OFGEM.

The SEC specifies the rules for the whole smart metering operation; it includes detailed sections for security and privacy. Encryption is heavily utilised across the AMI and there are very strict rules for handling consumption data, which is classed as personal information. The data flow and trust relationships between all parties in the infrastructure are controlled by a central hub called the Data and Communication Company (DCC). The design and implementation of the national Rollout Programme have been put under the microscope of academics, security experts and government agencies (Anderson & Fuloria, 2010; Levy, 2016).

In this series of articles, we will look at how the industry is moving towards the ‘next generation’ applications of smart meters. We will try to apply a different lens to study the challenges arising from the integration of smart meters with disruptive IoT technologies and legacy industrial control silos. This part highlights the key energy security challenges in designing and implementing smart homes. The rest of the series (to be published in upcoming editions of Cyber World) will discuss the cyber-physical risks of increased automation and intelligence in the energy grid, and the impacts of converging IoT/IT/OT silos in order to form a functional smart grid.

EMBRACING THE ‘SMART’ CULTURE
Energy companies in the UK are looking for ways to leverage the power of the information collected from smart data points, and industry use cases are emerging to convert the current AMI progress into an operational smart grid; most themes are taking place within two technology domains:

1. The Internet of Things (IoT) domain: smart home devices such as smart locks and washing machines will help us automate parts of our lives in ways that give us more control of our energy bills. This is realised through the analysis of high-resolution information that is produced by smart homes, also giving the energy companies more insights into energy usage patterns to offer their customers more competitive and tailored services.

2. The Operational Technology (OT) domain: feeding the information gathered by smart meters into the grid infrastructure in order to generate intelligence in the grid network to automate tasks in load and outage management.

These themes would require increased automation and interconnection, as well as more intelligent software systems that are capable of taking complex decisions whilst ensuring safe operation. These factors pose unprecedented challenges to privacy and security (Schneier, 2016). The latest Cyber Threat to UK Business report, issued by the National Cyber Security Centre (NCSC), predicts that it is ‘highly likely that connected devices in industry are already targeted and that incidents are more common than are currently reported or that have been detected’.

The consumer market has been flooded with technology to automate homes. Devices such as Amazon Echo and Google Home, as well as smart appliances such as Smart TVs and washing machines, are being increasingly adopted. Many of these technologies are able to connect to smart meters through a module called a ‘Consumer Access Device’ or CAD, which comes with default support for many wireless communication protocols such as ZigBee and Z-Wave. Although CADs and smart meters in the UK are certified by the NCSC, they open a door for new and emerging threats. Last year, the Mirai attack specifically used internet-connected home devices as botnets to attack the internet infrastructure (Krebs, 2016). The exploited devices, such as IP cameras and routers, are not tested or assured in any way, and, given the economy of scale in IoTs, they’re unlikely to be tested for cyber threats. The rise of millions of identical smart devices living in similar setups, such as smart thermostats, raises some concerns. If a vulnerability is found on one device, a million others can be exploited at the same time: turning a million thermostats on or off at the same time can cause serious damage to the power infrastructure. This is not a fully fictional scenario; it has already been partially demonstrated (Tierney, 2016).

NEW APPROACHES TO ADDRESS SECURITY
The IoT technology moves the control of devices from a central authority to the hands of consumers without a clear accountability model. For instance, if a smart device comes with a password that reads ‘1234’, is it the fault of the vendor for not building a secure product, the supplier for not doing proper due diligence, or the consumer for not changing the default password? This ambiguity in governance, coupled with the added cost of securing products, is cited by official agencies as an element that derails efforts in building secure and privacy-oriented IoTs (European Union Agency for Network and Information Security, 2015). These challenges are not unique to the utility industry, and the risks to the energy supply resulting from this decentralisation of control are not yet fully understood. Utilities can leverage the contractual relationship they already have with their customers to start tackling the responsibility and accountability challenges. But with a lack of industry incentive, it is unlikely that we will see proportionate progress of security in the IoT-Energy ecosystem in the near future. Addressing the issue of incentives is fundamental to improving the security of smart homes. The traditional approach of a regulatory force driving change in the utility business may not be fit for purpose, especially now that unregulated technology firms are active players in the game of smart homes. Utilities providing IoT services are generally aware that a purely reactive posture will be less acceptable as societal awareness of the value of data grows, and as the reputational and regulatory consequences of data breaches increase (Clemente & Fell, 2015). Many have opted to use proprietary protocols and certified products in an attempt to limit threats from insecure IoT devices. This poses a commercial challenge: the security features come with an additional cost and could limit some functionality, leading consumers who are more influenced by functionality and cost to look elsewhere for smart home solutions. Balancing security with value and functionality would require a joint effort from all parties involved, including governments, to build a holistic view of the IoT risks to the energy supply. This effort is starting to take shape with initiatives from the UK government to sponsor dialogues between technology vendors and energy suppliers, and with a new wave of EU policies targeting the IoT technology (The European Commission, 2017).

REFERENCES
Anderson, R. & Fuloria, S., 2010. On the security economics of electricity metering, s.l.: Cambridge University Computer Laboratory.
Clemente, D. & Fell, M., 2015. Information Security in Smart Cities, London: Information Security Forum.
European Union Agency for Network and Information Security, 2015. Threat Landscape for Smart Home and Media Convergence. [Online] Available at: https://www.enisa.europa.eu/publications/threat-landscape-for-smart-home-and-media-convergence [Accessed 24 May 2017].
Krebs, B., 2016. Hacked Cameras, DVRs Powered Today’s Massive Internet Outage. [Online] Available at: https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/ [Accessed 24 May 2017].
Levy, I., 2016. The smart security behind the GB Smart Metering System. [Online] Available at: https://www.ncsc.gov.uk/articles/smart-security-behind-gb-smart-metering-system [Accessed 24 May 2017].
Schneier, B., 2016. The Internet of Things Will Turn Large-Scale Hacks into Real World Disasters. [Online] Available at: https://motherboard.vice.com/en_us/article/the-internet-of-things-will-cause-the-first-ever-large-scale-internet-disaster [Accessed 24 May 2017].
The European Commission, 2017. The Internet of Things. [Online] Available at: https://ec.europa.eu/digital-single-market/en/internet-of-things [Accessed 24 May 2017].
Tierney, A., 2016. Thermostat Ransomware: a lesson in IoT security. [Online] Available at: https://www.pentestpartners.com/security-blog/thermostat-ransomware-a-lesson-in-iot-security/ [Accessed 24 May 2017].
Luay Baltaji Cybersecurity Manager (EMEA) OMNETRIC Group
Join us for high-impact sessions uniquely built around a multitude of cyber tracks.
Customize Your Cyber Security Experience. CSX sessions provide unique opportunities to learn from top experts in the field. Each track is offered in 2 levels of complexity: Essential and Advanced. At CSX 2017 Europe you will find an unparalleled degree of customization for your conference education experience.
CSX 2017 sessions teach you to:
Be one of the first 200 people to register and pay in full and RECEIVE US $200 OFF registration fees. Earn up to 32 CPEs. www.isaca.org/2017CSXEURO
30 October – 1 November | London, UK
Business Strategies After the Recent WannaCry Outbreak LAI KI CHENG
About the Author: Lai Ki Cheng is a Political and Security Analyst (APAC) at Riskline. He is a recent graduate of the MA Intelligence and International Security programme at King’s College London and has participated in cyber policy competitions, contributed to security journals such as IHS Jane’s Intelligence Review, and was an Armour Officer in the Singapore Armed Forces.
On 12 May 2017, multiple computer systems were infected by a variant of the Ransom.CryptXXX ransomware family otherwise identified as Ransom.Wannacry. Exploiting a vulnerability within the Windows operating system (WinOS), the worm impacted organizations globally, ranging from hospitals in the United Kingdom to academic institutions in China. Luckily, our societies are resilient. Soon, organisations will recover from this ‘worst-ever recorded’ attack and return to maximum operational capacities. The scale of this ransomware outbreak, however, is a dark reminder of the increasing sophistication of contemporary threat-actors, who have been able to remodel an American-developed exploit and utilised a Windows security update as targeting intelligence.

Preliminary attribution efforts suggest the Lazarus Group as the potential culprit. While North Korea appears likely to be the advanced persistent threat (APT) actor in this instance, it remains too early to be certain. Nonetheless, the ransomware outbreak does reveal the increasing sophistication of cyberattacks.

(identified as ETERNALNIGHT), allegedly obtained from the Shadow Brokers’ digital assault on the US National Security Agency, which was used to enhance the Trojan’s effectiveness. This also provides a glimpse into the cyber arsenal of the United States, and how vulnerable enterprises are if targeted by a state-sponsored or state-intelligence actor. Second, the WannaCry Ransomware targeted a ‘critical’ vulnerability identified in a Microsoft Windows security update two months prior, which could have been exploited as targeting intelligence. While the outbreak was curtailed by a British cyber security researcher by the name of MalwareTech, ‘albeit by a stroke of good fortune’, various organizations are still experiencing problems despite patches published by Microsoft, and newer WannaCry variants have already been discovered.

Global impact is arguably due to government secrecy relating to efforts aimed at weaponizing vulnerabilities, rather than fixing them. Regardless of the national security or political agendas behind the US government’s non-disclosure, that information holds no value for most businesses, which are more likely to have monetary concerns. While the exact monetary ramifications of the WannaCry attack haven’t been determined yet, the outbreak itself bears a stark resemblance to the ILOVEYOU bug that plagued the world over fifteen years ago, causing billions of dollars in damages. However, despite consistent narratives about the escalation of sophisticated cyber threats, corporate executives are still ‘putting cyber security on the back burner’ – according to a research paper by Barclays and the Institute of Directors published in 2017. Warwick Ashford, the security editor at TechTarget, said that the WannaCry Ransomware outbreak is the much needed ‘wake-up call’ for enterprises to realise that security is a luxury, a luxury which will prove unattainable for corporates that still ‘lack a cyber security strategy’ in an increasingly digital business environment.

To engage effectively with future threats like WannaCry, enterprises (of all sizes) must adopt a proactive stance towards their digital security. Here are some strategies for businesses to enhance their digital resilience:

1. Establish a universal risk ‘language’ between executives. While there may be obvious differences in terminology, all executives need to be on the same page when talking about risk. Corporate executives (for example, chief financial officers and chief marketing officers) focus on business risks, orientated primarily towards financial, expansion, investment, or reputational concerns. Security executives (that is, chief information security officers or chief compliance officers) focus on defensive risks, orientated around network resilience, database

According to Matthew Leitch, ‘the words we use…can have a profound effect…a vital practical concern that affects whether risk management programmes make headway or not’. If executives can establish a standardized risk ‘language’, mutual understanding and the realisation of the importance of one another’s contributions towards providing customers with a service or product that is reliable and secure are enhanced.

2. framework unique to the objectives of your enterprise. Digital resilience today is primarily guided by regulatory compliances, national practice standards, and government sponsored schemes. While these standardised practices, enterprises should not solely rely on them, according to Torsten George from ISACA, who suggests an alternative approach determined by calculated business and security risks. All enterprises are unique, having their own operational procedures predefined by their corporate objectives, and with limited budgets allocated to cyber security. Security should be addressed alongside other business objectives. Corporate executives should note that the standards described are only a guide to outline basic security foundations, and should expand their cyber security budgets to enable the development of a specialised cyber security framework.

3. Integrate security into business design and development. Consider incorporating security into the early design stages of a product or service line. Embracing ‘security by design’ provides the key benefit of ensuring products and services are secure before they are released to the public. A prime business example is Blackberry, whose products are designed from ‘the inside-out with security as a prime consideration’, and have just introduced the ‘Most Secure Cloud-Based Communications Platform’. Though the company suffered losses when compared to other smartphones, it was over the issue of recreational benefits, not security. In a world where security is an increasing priority, Blackberry’s emphasis on security-first has paid off, as it (Blackberry PRIV) was named by Google as ‘One of the most secure android phones’. The key here is to cultivate a security integration that is also unique to enterprise objectives.

4. Enhance cyber security knowledge across the
enterprises’ digital resilience is complacency among employees, corporate leadership and even security practitioners. Low to mid-level employees often underestimate their value as an intelligence and access resource to potential
leaders often overestimate the capabilities of existing security products or services. To combat this, larger enterprises should consider establishing regular penetration tests and red teaming exercises. Though more established organizations might possess the resources or expertise to integrate security into business domains, the same cannot be said of SMEs (small- and medium-sized enterprises). This can be accounted for by virtual CISOs, who can provide similar services on a case-by-case basis. However, the first port-of-call for SMEs should be government initiatives (for example Cyber Essentials) or well-established cyber security consultancies (such as Secgate,
Lai Ki Cheng Political and Security Analyst (APAC) Riskline
Forest Tree
A pioneering solution that empowers your functional teams to safeguard your enterprise.

The big data solution to network and data discovery, event detection and generating knowledge from your network to support your operational, compliance and security needs. Forest Tree enables you to make decisions based on real data from your network, whether those decisions involve operational, security or compliance objectives.

This solution shows you a comprehensive analysis of network traffic to identify and catalogue events in your organisation in real time. Our solution uses ground breaking machine learning capabilities to bring insights on system and user behaviours, enabling decisions to be made holistically. It risk rates behaviours, enabling unusual activity to be flagged to your operational teams. This solution learns and alerts you.

Forest Tree provides dashboards for IT operations, security and compliance teams that show the risk rated activity and highlight individual high risk communications. It provides the capability for teams to interrogate the database to investigate suspicious or unusual activity. This solution answers all your questions.

With all network activity captured and tools for making queries, Forest Tree gives you the ability to demonstrate your compliance to policies and regulations and to prepare reports as required. This solution is your organisation’s “Black Box”.

Forest Tree gives transparency to your business teams, seeing the same picture of the real activity passing across your network, enabling appropriate business level responses. This solution enables cross-functional understanding.
Forest Tree
A holistic solution designed to protect and serve your business needs
Forest Tree provides information about data and communications in your network, allowing full visibility of activity from your systems.
Operations: Staff can extract data to create inventories of your entire estate and its behaviour dynamically. It can be used to identify end-user computing, data transfers to cloud providers and other third parties. Forest Tree can bring you visibility of services that are outside the control of your systems management solutions.
Security: Forest Tree produces risk rated assessments of all network activity, facilitates inspection down to packet level for security operations teams and provides security dashboards for management. Connections and data transfers can be approved so that they aren’t continuously flagged for attention. We use machine learning to characterise user behaviour and can identify when a user deviates from the norms for their role or is inconsistent with their peers. Forest Tree works with unstructured data within emails and attachments as well as structured data, providing the widest coverage of data traversing your network.
Group Functions: Forest Tree supports Group functions, who can have the same visibility of dashboard information and thus have transparency between operations and policy and compliance departments.
Some examples of use cases include:
● Is user behaviour changing, and which users are not complying with policies?
● Are you in compliance with policies and regulations?
● Is the total risk score reducing in line with your plan?
Forest Tree Designed for humans; engineered for networks Performance engineered. Our solution is built to meet the needs of even the most sophisticated networks. Everything from the detection of events through to the generation of reports has been developed by our engineers to ensure speed and scalability. Our Core engine has been implemented and tested on networks that operate at one terabit per second — processing the entire network traffic, with zero packet loss, all in real time. Our solution is linearly scalable; we maintain our high performance on networks of any size or complexity. Delivers certainty. Business decisions require accuracy. Our entire product has been developed and tested to ensure that you know exactly what actions are happening within your network at a given point in time. Its ability to act as a “black box” on the network, recording network activity for later investigation, gives certainty to your forensic investigations and incident reports. We help ensure your leadership are informed on any incidents before regulators and reporters approach them. Built for people. Every part of our solution has been designed in consultation with security analysts, incident responders, penetration testers and CISOs to ensure that it is as efficient and as effective as possible. The user experience has been carefully considered to ensure that analysts can get to the features they need quickly, and the dashboards have been designed to ensure that each analyst is presented with the data they need to be able to perform their job. We work continuously with industry professionals to ensure our product meets the operational needs of security teams.
A defence-grade cyber security product, Forest Tree is a patented advanced Cyber Security solution that allows organisations to monitor and understand the content and context of each electronic communication channel. Contact us for a demo at: Info@secgate.co.uk
Using Analytics with Cybersecurity WALKER ROWE
About the Author: Walker Rowe is a freelance tech writer and programmer. He writes extensively on big data analytics, cloud architecture, and cybersecurity. Walker worked as a programmer for 30 years in the USA on SAP and application security. Now he writes blog posts, tutorials, SDK documentation, and user manuals.
Here we explain, in general terms, how to apply analytics to cybersecurity. We explain the logic behind some of the machine learning algorithms built into ML APIs, like Spark ML. And we explain how the existing ELK (ElasticSearch, LogStash, Kibana) architecture that many companies already use can be analysed using Apache Spark and other tools. Finally, we show that Apache Zeppelin and Spark Streaming can be used to create real-time graphs in ways that ElasticSearch and Kibana cannot.

The goal with the analytics approach is that it can be used to reduce the signal-to-noise problem inherent with older approaches to flagging security events, like using ArcSight, rules, and thresholds. But there is a steep learning curve in understanding how ML algorithms work, which you should use
and where. So here we provide a broad view and basic level of understanding so you can do further study and build simple models yourself. The tools and architecture let you start small and then add complexity without breaking what you have already built.

DEFINITIONS
First, we explain the logical foundations upon which analytics are based.

As someone who holds a degree in maths, and works daily with analytics, I can tell you this: make no mistake, analytics is applied mathematics. You do not need to be John Nash to understand it. But you will at least need to have some graduate and undergraduate level understanding of that. That means not all big data programmers will understand ML, as not all people understand maths.

In the absence of analytics, one applies basic statistics, empirical observation, and just plain guessing in setting thresholds to determine whether an event is a hacking event. The basic statistical approach is not a bad place to start, but it will send analysts chasing down what statisticians call outliers, meaning events that are merely unusual, not necessarily attacks. Basic statistics uses the principle of the mean (μ) and standard deviation (σ) to set some kind of threshold. The mean is basically the average. The
standard deviation is a measure of the distance of an observation from the mean. That is represented as a normal curve, like this:

(Graphic: the normal curve. Source: Palomar)

What this is showing is the probability that a data point is within 1, 2, or 3 standard deviations of the mean. 68% of observations are within -1σ and +1σ of the mean, 95% within ±2σ, and only about 0.3% fall beyond ±3σ. So you could set a rule saying that your analysts should investigate anything that is beyond ±3σ. But as we just said, that would send the analyst chasing outliers, thus wasting their time.

Analytics uses more advanced statistics and algorithms. Some of this expands on the use of the normal curve. But it goes far beyond that in drawing conclusions or making observations. Analytics are of several types: regression tries to find some correlation between variables; classification assigns data points to known categories, and clustering divides them into groups which have some common characteristic; and decision trees derive some conclusion based upon a series of prior decisions.

LINEAR REGRESSION
Linear regression is the simplest place to start. Many other algorithms expand on that. The basic concept is illustrated below. We look at a set of data points and try to find the line that most closely expresses a relationship between them. For example, if you eat a lot of carbs then you might get fat. So you plot carbs on the x axis and weight on the y axis. Then you calculate some formula like y = mx + b that will give an indication of how fat someone might grow given how many carbs they eat. m is called the coefficient (the slope of the line) and b is the intercept. So your conclusion might be y = 3x + 10, or something like that. In this case y is a very simple predictive model.

(Graphic: a regression line fitted through a scatter of points. Source: Wikipedia)

You can solve that simple LR problem with Excel or Google Sheets. But you need an analytics API to do that with multiple input variables. For example, if you want to know how likely an event is a hacker event, you might plug dozens of data points into the model. In other words you are looking to solve a probability function P like:

P = αa + βb + γc + δd + εe + … + χx + ψy + ωz + C

where the Greek letters are the coefficients and the Latin ones are, for example:
• Number of MBs sent out from an IP address.
• How many times a user has loaded programme abc.
• Time of day, e.g. after hours.

The outcome could be a probability. Or, in the case of a binary model, a decision: 1 (true) or 0 (false). (A weighted sum like this is not confined to the range 0 to 1; a logistic regression passes it through the sigmoid function to turn it into a probability, and the binary decision is that probability compared against a threshold.)

This is what advertising companies do. They put all kinds of data about people into a big data database and then group them into categories (clusters) as shown in the graph below. This includes what people clicked on, how much they spent last year on expensive items, how much they spent on budget items, whether they use coupons, etc. to divide shoppers into groups. Then they pitch targeted advertising to each group.
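The two models described above, the one-variable line fit y = mx + b and the multi-variable probability P = αa + βb + γc + C, carried through in working code. This is an added example, not code from the article or from Spark ML: the three features (MB sent out, loads of programme abc, after-hours flag) are the ones named in the text, but the labelled training events are constructed and the coefficients are whatever the fit produces from them. Features are expressed in standard deviations from their mean, which is the same μ/σ idea used for the basic threshold rule, before the logistic regression is trained by plain gradient descent.

```python
"""Added example, not code from the article: the simple line fit y = mx + b and
the multi-variable probability model P = sigmoid(alpha*a + beta*b + gamma*c + C),
trained as a logistic regression in pure Python. The training events below are
constructed for illustration."""
import math
from typing import List, Sequence, Tuple


def fit_line(xs: Sequence[float], ys: Sequence[float]) -> Tuple[float, float]:
    """Ordinary least squares for one input: returns (m, b) for y = m*x + b."""
    n = len(xs)
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    m = sxy / sxx
    return m, mean_y - m * mean_x


def sigmoid(z: float) -> float:
    """Squashes the weighted sum into a probability between 0 and 1."""
    return 1.0 / (1.0 + math.exp(-z))


# Constructed labelled events: (MB sent out from the host, loads of programme
# abc, after-hours flag) -> 1 if the event was confirmed malicious, else 0.
TRAINING_EVENTS: List[Tuple[Sequence[float], int]] = [
    ((5, 1, 0), 0), ((12, 2, 0), 0), ((8, 0, 0), 0), ((20, 3, 0), 0),
    ((15, 1, 1), 0), ((3, 0, 1), 0), ((25, 2, 0), 0), ((10, 1, 0), 0),
    ((900, 40, 1), 1), ((700, 25, 1), 1), ((1200, 60, 1), 1),
    ((450, 30, 0), 1), ((800, 50, 1), 1), ((600, 20, 1), 1),
]


class EventModel:
    """P = sigmoid(sum(coef_j * z_j) + C), where z_j is feature j expressed in
    standard deviations from its training mean (the mu/sigma idea above)."""

    def __init__(self, means, stds, coefficients, intercept):
        self.means, self.stds = means, stds
        self.coefficients, self.intercept = coefficients, intercept

    def _scale(self, features: Sequence[float]) -> List[float]:
        return [(x - m) / s for x, m, s in zip(features, self.means, self.stds)]

    def probability(self, features: Sequence[float]) -> float:
        z = self._scale(features)
        return sigmoid(sum(c * x for c, x in zip(self.coefficients, z)) + self.intercept)

    def decision(self, features: Sequence[float], threshold: float = 0.5) -> int:
        """Binary form of the model: 1 (hacker event) or 0 (benign)."""
        return 1 if self.probability(features) >= threshold else 0


def train(events=TRAINING_EVENTS, learning_rate: float = 0.5, epochs: int = 2000) -> EventModel:
    """Batch gradient descent on the logistic loss. Fine for a few thousand rows;
    Spark ML distributes the same computation across a cluster for millions."""
    rows = [list(map(float, f)) for f, _ in events]
    labels = [y for _, y in events]
    k, n = len(rows[0]), len(rows)
    means = [sum(r[j] for r in rows) / n for j in range(k)]
    stds = [math.sqrt(sum((r[j] - means[j]) ** 2 for r in rows) / n) or 1.0
            for j in range(k)]
    scaled = [[(r[j] - means[j]) / stds[j] for j in range(k)] for r in rows]
    coef, intercept = [0.0] * k, 0.0
    for _ in range(epochs):
        grad_c, grad_b = [0.0] * k, 0.0
        for z, y in zip(scaled, labels):
            err = sigmoid(sum(c * x for c, x in zip(coef, z)) + intercept) - y
            for j in range(k):
                grad_c[j] += err * z[j]
            grad_b += err
        coef = [c - learning_rate * g / n for c, g in zip(coef, grad_c)]
        intercept -= learning_rate * grad_b / n
    return EventModel(means, stds, coef, intercept)


if __name__ == "__main__":
    print("line fit (m, b):", fit_line([1, 2, 3, 4], [13, 16, 19, 22]))
    model = train()
    for event in [(1000, 45, 1), (7, 1, 0)]:
        print(event, round(model.probability(event), 3), model.decision(event))
```

Scaling the inputs first matters: without it the MB column, in the hundreds, dominates the gradient and the small counts contribute almost nothing. The threshold in decision() is where the analyst's tolerance for false positives goes; lowering it trades missed attacks for more tickets, which is exactly the trade-off the threshold rule above makes with σ.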
The same logic applies to cybersecurity. You feed data points into a clustering algorithm and let it look to see if there is anything common about these. For example, if you plot user activity, they should be clustered in regular users and super users. Find a regular user behaving like a super user and that could indicate their computer has been hacked.

THE TOOLS
If you know ElasticSearch, then you are familiar with Kibana dashboards. But if you want to use big data to display analytics data then you need to use Zeppelin dashboards. Apache Zeppelin is like a web page and REPL IDE (that is, an interactive code interpreter) all in one. You can put multiple programming languages into it at the same time, and it lets you make real time graphs when you attach it to real-time data coming from Apache Spark.

All of this integrates with ELK. So you can feed different logs from your web servers, firewalls, switches, applications, and so on into ELK and then use Apache Spark to do ETL (extract, transform, load) to translate all that into label-feature vectors to feed into ML algorithms. In terms of what we discussed above, the labels are something like “denial of service attack”, and features are an array of data points that reflect user behaviour, firewall stats, and data coming from external sources. The volume at which this data flows, and the computing resources needed to do large scale matrix multiplication, mean this can only be done in a scalable, distributed computing architecture. In other words, this fits perfectly into the big data design.
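The user-clustering idea described above (regular users versus super users, with a regular user who clusters with the super users as the thing to investigate), as an added example that is not code from the article. It uses a two-centroid k-means written in plain Python rather than Spark ML; the user names, their roles and their daily activity figures (distinct hosts reached, admin commands run, MB downloaded) are constructed.

```python
"""Added example, not code from the article: clustering user activity into
regular users and super users with a two-centroid k-means in pure Python, then
flagging a regular user whose behaviour lands in the super-user cluster. User
names, roles and the daily activity figures are constructed."""
import math
from typing import Dict, List, Sequence, Tuple

# Constructed daily activity: user -> (role from the HR system,
# (distinct hosts reached, admin commands run, MB downloaded)).
USER_ACTIVITY: Dict[str, Tuple[str, Tuple[float, float, float]]] = {
    "alice": ("regular", (3, 0, 40)),
    "bob": ("regular", (4, 1, 55)),
    "carol": ("regular", (2, 0, 30)),
    "dave": ("regular", (5, 0, 60)),
    "erin": ("regular", (3, 1, 45)),
    "frank": ("regular", (38, 110, 950)),  # a regular account behaving like an admin
    "admin1": ("super", (40, 120, 900)),
    "admin2": ("super", (55, 150, 1200)),
    "admin3": ("super", (35, 90, 800)),
}


def standardise(rows: List[Sequence[float]]) -> List[List[float]]:
    """Express each feature in standard deviations from its mean, so the MB
    column does not swamp the two smaller counts when distances are measured."""
    k, n = len(rows[0]), len(rows)
    means = [sum(r[j] for r in rows) / n for j in range(k)]
    stds = [math.sqrt(sum((r[j] - means[j]) ** 2 for r in rows) / n) or 1.0
            for j in range(k)]
    return [[(r[j] - means[j]) / stds[j] for j in range(k)] for r in rows]


def distance(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans_two(points: List[List[float]], max_iter: int = 100) -> List[int]:
    """Lloyd's algorithm with k=2. Seeded with the lowest- and highest-activity
    points so the result is deterministic; returns a cluster id per point."""
    totals = [sum(p) for p in points]
    centroids = [list(points[totals.index(min(totals))]),
                 list(points[totals.index(max(totals))])]
    assignment = [-1] * len(points)
    for _ in range(max_iter):
        new_assignment = [min((0, 1), key=lambda c: distance(p, centroids[c]))
                          for p in points]
        if new_assignment == assignment:
            break
        assignment = new_assignment
        for c in (0, 1):
            members = [p for p, a in zip(points, assignment) if a == c]
            if members:
                centroids[c] = [sum(col) / len(members) for col in zip(*members)]
    return assignment


def flag_role_anomalies(activity=USER_ACTIVITY) -> List[str]:
    """Regular users whose activity clusters with the super users."""
    names = list(activity)
    clusters = kmeans_two(standardise([activity[n][1] for n in names]))
    # Decide which cluster is "super users" by its mean admin-command count.
    mean_admin = {}
    for c in (0, 1):
        counts = [activity[n][1][1] for n, a in zip(names, clusters) if a == c]
        mean_admin[c] = sum(counts) / len(counts) if counts else 0.0
    super_cluster = max(mean_admin, key=mean_admin.get)
    return [n for n, a in zip(names, clusters)
            if a == super_cluster and activity[n][0] == "regular"]


if __name__ == "__main__":
    print("regular users behaving like super users:", flag_role_anomalies())
```

The clustering itself knows nothing about roles; the role label from the HR system is only consulted afterwards, which is what turns a statistical grouping into a security finding. With real data the number of clusters would not be two, and the seeding would be replaced by k-means++ or by running several random starts.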
Now, having some understanding of the logical basis upon which analytics is based, what tools do you need to do that? You probably already have some or most of them. And if not, they are all free, so download some and learn them. The difficulty is in finding people who understand it all.

The tools for doing analytics include ML APIs, Spark, Hadoop, Cassandra, HBase, Kafka, Pig, Scala, Python, R, ELK, Spark Streaming, Storm, and so on. There is a lot of accumulated knowledge among the community of programmers and architects on what those do. What is less understood is how to apply this knowledge to cybersecurity. There are not many documented use cases, or literature on the subject. And it seems that not many, if any, security tools actually use analytics. Most are still relying on the malware signature approach, which as we know does not catch anything new, or on simple rules.

WHAT DATA SHOULD YOU MONITOR?
So start off by making a list of what data you could monitor to stop intruders. For example, you can stream threat feeds into Apache Spark. That will give you, for example, IP addresses that are launching bot attacks now around the world. Then, again using mathematics, you find the intersection of that set of IP addresses with the set of IP addresses your users’ machines have been talking to. If that set is not empty, they overlap. So, one of your computers is talking to a bot controller, and is probably a bot itself. Creating sets and finding intersections is what Apache Pig, Spark and so on do quite well.

Another target would be to inspect the memory of each machine on your network and look at the frequency with which .dlls are loaded. Perhaps there is a tool that will report on memory address usage. Buffer overflow attacks will not create events in the Windows system log. But it should be possible to look at Chrome users and find those that are spraying memory with shellcode by looking for patterns in how they address memory.

The good thing about doing all of this is that you can build it up in stages. Start off simple. Then extend the models you build as more data points and data feeds become available. Then let people who really do understand statistics look at their error rate, which these models continually calculate, and make adjustments to minimise those. Hopefully, you can flush out some hacker and insider threat activity that current intrusion detection tools have not been able to find.

Walker Rowe, Freelance Tech Writer and Programmer
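The threat-feed intersection described above, as an added example that is not code from the article. The destinations your own hosts have talked to are pulled out of firewall log lines and intersected with a threat feed; the example also shows why the literal set intersection is not quite enough, since feeds contain CIDR ranges as well as single addresses. The feed entries (taken from the RFC 5737 documentation ranges), the log lines and the key=value log format are all constructed for this example.

```python
"""Added example, not code from the article: intersecting a threat feed with the
destinations internal hosts have reached, taken from firewall log lines. The
feed, the log lines and the log format are constructed for this example."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed threat feed, as a feed streamed into Spark might deliver it:
# a whole /24 of bot controllers plus two single addresses.
THREAT_FEED: List[str] = ["203.0.113.0/24", "198.51.100.23", "192.0.2.250"]

# Constructed outbound firewall log: src is the internal host, dst the destination.
FIREWALL_LOG = """\
2017-07-03T09:12:44Z fw1 src=10.0.0.5 dst=192.0.2.10 dport=443 action=allow
2017-07-03T09:13:02Z fw1 src=10.0.0.5 dst=203.0.113.77 dport=8080 action=allow
2017-07-03T09:13:09Z fw1 src=10.0.0.9 dst=198.51.100.23 dport=6667 action=allow
2017-07-03T09:14:31Z fw1 src=10.0.0.12 dst=192.0.2.10 dport=80 action=allow
2017-07-03T09:15:00Z fw1 src=10.0.0.9 dst=192.0.2.250 dport=443 action=deny
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=\d+ action=(?P<action>\w+)")


def load_feed(entries: List[str]) -> List[ipaddress.IPv4Network]:
    """Parse feed entries into networks; a bare address becomes a /32."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def destinations_per_host(log: str) -> Dict[str, Set[Tuple[str, str]]]:
    """Map each internal host to the (destination, action) pairs seen for it.
    Denied connections are kept on purpose: a host that tries to reach a bot
    controller is still worth a look even though the firewall stopped it."""
    result: Dict[str, Set[Tuple[str, str]]] = {}
    for line in log.splitlines():
        match = LINE_RE.search(line)
        if match:
            result.setdefault(match.group("src"), set()).add(
                (match.group("dst"), match.group("action")))
    return result


def plain_intersection(log: str = FIREWALL_LOG, feed: List[str] = THREAT_FEED) -> Set[str]:
    """The literal set intersection from the text. It matches exact strings
    only, so a destination inside a feed CIDR range is missed."""
    destinations = {dst for pairs in destinations_per_host(log).values() for dst, _ in pairs}
    return destinations & set(feed)


def feed_hits(log: str = FIREWALL_LOG, feed: List[str] = THREAT_FEED) -> Dict[str, Set[str]]:
    """Internal hosts whose destinations fall inside any feed entry, with the
    matching indicator recorded so the analyst sees why each host was flagged."""
    networks = load_feed(feed)
    hits: Dict[str, Set[str]] = {}
    for host, pairs in destinations_per_host(log).items():
        for dst, action in pairs:
            address = ipaddress.ip_address(dst)
            for network in networks:
                if address in network:
                    hits.setdefault(host, set()).add(f"{dst} ({action}) in {network}")
    return hits


if __name__ == "__main__":
    print("exact matches only:", sorted(plain_intersection()))
    for host, indicators in sorted(feed_hits().items()):
        print(host, "->", sorted(indicators))
```

On real volumes the per-line loop becomes a join between the log stream and the feed in Spark, but the matching rule is the same: membership in a network, not equality of strings. Keeping the matched indicator alongside the host is what makes the alert actionable rather than a bare "this host overlaps the feed".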
Physical Attacks on Networks
Most cyber defences are automated tools and eyes-on monitoring that look at network traffic, block spam, and search for malware. But physical security is a major risk too, especially in highly-secure facilities that hackers can’t penetrate in other ways. So a company needs to be aware of and set up defences against company insiders and outside spies connecting computing cards to LAN cables in hidden places, removing disk drives, plugging directly into routers and switches, and attaching USB drives to machines to infect the boot sector, or copy data directly.

ATTACKING SMART DEVICES
Anyone who has seen the highly-rated TV series Mr Robot knows this risk. Hacker Elliot Alderson gains access to the Level 2 floor of a secure data facility by posing as an invited guest. He makes his way into the executive dining room where he excuses himself to go to the men’s room. There he removes a smart thermostat from the wall and attaches a Raspberry Pi to the LAN cable. His goal is not to spy on network traffic; this would only be possible from the vantage point of a router or switch that the traffic passes through. Instead, now he has an IP address and can freely run commands on the company’s network. The Raspberry Pi can be fitted with a 4G modem with which to communicate with the hacker’s command-and-control centre. The Pi runs Linux, has an ssh command prompt, and is not much bigger than a deck of playing cards.

In movies, like Ocean’s 11, hackers tap into video systems by snapping on a clamp. The clamp pierces the cable shielding and connects to the copper wire inside. But you cannot tap traffic on IP networks
unless you connect a device that can obtain its own IP address. What a hacker needs to do is install a computing card that has two LAN ports: one for itself and one for the traffic going out the other side. The Raspberry Pi or other computing card needs to run OpenWRT or similar software that will query a DHCP server. In the case of the smart thermostat, the computing card will obtain an address for itself and pass on the thermostat’s own DHCP request, since it is now playing the role of a switch. Using static IPs rather than DHCP only raises the bar: the computing card then works only if the hacker already knows the IP address of the smart device, and a card configured as a transparent bridge needs no address of its own at all.

Is there a way to block this attack? When the hacker cuts the LAN cable, a monitoring system could alert that a device has gone offline. But since devices go on and off all the time, the triggered alert is likely to be ignored. There would have to be an inventory of the MAC address of every device on the network. Any device not in that inventory should be shut off. Since a MAC address can be cloned by the inserted card, port-based authentication (802.1X) on the switch is the stronger control, with the inventory as the check behind it.

Also, routing tables and subnets are going to control what networks the hacker can attack. If the IoT sensor is on a separate network from, say, the SAP system, the hacker cannot get in. They would have to attack the adjacent switch and update the routing tables in order to move laterally through the company.
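The inventory check described above, as an added example that is not code from the article: the MAC addresses currently holding a DHCP lease are compared with an approved-device list, and anything unknown is reported, as is any inventoried device that has dropped off (the thermostat once its cable is cut). The inventory and the dnsmasq-style lease file are constructed; the vendor watch list holds the two Raspberry Pi OUI prefixes, b8:27:eb and dc:a6:32, and is an assumption for the example.

```python
"""Added example, not code from the article: comparing the devices currently on
the network with a MAC-address inventory. The inventory and the dnsmasq-style
DHCP lease file are constructed; the OUI watch list is an assumed starting
point (the two Raspberry Pi prefixes)."""
import re
from typing import Dict, List, Set

# Constructed inventory of approved devices: MAC address -> description.
INVENTORY: Dict[str, str] = {
    "00:1a:2b:3c:4d:5e": "smart thermostat, executive dining room",
    "00:1a:2b:3c:4d:5f": "printer, 2nd floor",
    "f4:5c:89:aa:bb:cc": "CCTV recorder, comms closet",
}

# Vendor prefixes that should never appear unannounced (assumed watch list).
OUI_WATCH: Dict[str, str] = {"b8:27:eb": "Raspberry Pi Foundation",
                             "dc:a6:32": "Raspberry Pi Trading"}

# Constructed dnsmasq lease file: expiry, MAC, IP, hostname, client-id.
DHCP_LEASES = """\
1499347200 00:1a:2b:3c:4d:5f 10.0.5.20 printer-2f 01:00:1a:2b:3c:4d:5f
1499347260 b8:27:eb:12:34:56 10.0.5.23 raspberrypi 01:b8:27:eb:12:34:56
1499347300 00:1a:2b:3c:4d:5e 10.0.5.21 thermostat-exec *
"""

MAC_RE = re.compile(r"[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5}")


def macs_in_leases(lease_text: str) -> Set[str]:
    """The second column of each lease line is the client MAC (lower-cased).
    Columns are used rather than a free regex so the client-id field, which
    carries the MAC with a 01: prefix, is not misread as a second device."""
    macs = set()
    for line in lease_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and MAC_RE.fullmatch(fields[1]):
            macs.add(fields[1].lower())
    return macs


def audit(lease_text: str = DHCP_LEASES,
          inventory: Dict[str, str] = INVENTORY) -> Dict[str, List[str]]:
    """Three findings: devices with a lease but no inventory entry, inventoried
    devices with no current lease (possibly unplugged), and unknown devices
    whose vendor prefix is on the watch list."""
    seen = macs_in_leases(lease_text)
    known = {mac.lower() for mac in inventory}
    unknown = sorted(seen - known)
    offline = sorted(known - seen)
    watch = [f"{mac} ({OUI_WATCH[mac[:8]]})" for mac in unknown if mac[:8] in OUI_WATCH]
    return {"unknown": unknown, "offline": offline, "watchlist": watch}


if __name__ == "__main__":
    for finding, macs in audit().items():
        print(f"{finding}: {macs or 'none'}")
```

This catches the careless intruder. A card that clones the thermostat’s MAC address and sits in line as a bridge appears in neither list, which is why the check belongs behind 802.1X rather than in place of it; the same audit run against the switch’s MAC table instead of the lease file would at least notice two MACs appearing on a port that should carry one.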
STOLEN DISK DRIVE
Most enterprise disc drives are hot-swappable. They are built that way so that a technician can remove a failed drive without turning off the array. So hot-swapping is not likely to generate an alert. Drives are replaced frequently in data centres as they have a limited shelf life. Replication ensures that the application keeps on running.

Any data that is lost this way is limited if the drive is encrypted, or if it only holds data blocks for files that span multiple drives. When you pull out an encrypted drive, the encryption key stays with the host or the array controller, so the drive cannot be read on its own. And the drive will not hold a logically complete file in the case of RAID, which is how storage arrays combine multiple drives into one logical volume and protect against loss by writing pieces of each file (blocks) to different drives.

ACCESS TO THE ROUTER
A man-in-the-middle attack is possible on a wired or wireless network, but not easy. You cannot spy on traffic flowing across the network simply by brute-forcing your way onto a Wi-Fi router. This is because on a switched network, data packets flowing from one connected device to another do not pass by all devices connected to the network (they would on a shared-medium hub, or in a ring topology as in the old Novell IPX networks).

But a hacker who gains physical access to a closet where there is networking equipment, or to the data centre, can plug an ethernet cable into the management ethernet port of a switch. With access to the switch configuration they can set up a mirror (SPAN) port and see all the traffic that passes. Now they could do a man-in-the-middle attack. This will still fail against VPN and TLS-encrypted traffic unless the hacker can present a certificate that the client trusts for the server’s name (the CN or subject alternative name). Man-in-the-middle attacks on SSL/TLS usually only work when a human being clicks through and ignores the browser warning for the hacker’s self-signed certificate. So, employees need to be warned against such an occurrence.

Having access to the router also lets the hacker tap into the device discovery protocol and find other devices and determine what software they are running by querying microservices. A load balancer in particular has knowledge of the network architecture and container and VM IP addresses and ports. Docker, Kubernetes, and Mesos exchange configuration information that contains far more than the IP address stored in a microservices registry. So tapping into that traffic will let a hacker know what kind of software is running where.

ACCESS TO A USB PORT
Anyone who has replaced Windows with Ubuntu on their laptop knows that they can boot a device using a USB, bypassing the operating system on the computer to which it is attached. Then they can run Linux and mount file systems. They could then install a rootkit into the boot sector and update the grub configuration on the device to load that when the device boots up. They infect a machine, disconnect, and walk away leaving the device compromised.

There are different ways to protect against such an attack, such as signing keys etched into the firmware of the device. The iPhone works like that. It verifies each stage of the boot chain against those keys and will not boot an operating system image whose signature does not match. PCs have UEFI Secure Boot, which checks the signature on the boot loader before running it. But Secure Boot can be switched off in the BIOS/UEFI setup unless that setup is protected with a password, so the setup password and a restriction on booting from USB are part of the control too.

THE NEED FOR PHYSICAL SECURITY
All of this means that it is crucial to control physical access to the data centre. People need to be trained against the tricks of social engineering so hackers cannot talk their way past security guards. Employees need to be trained to challenge people who are trying to piggyback on access cards, walking through a door that someone else has opened. Data centre cages should be locked. Credentials and keycards need to be issued through an identity management system. IDM is a system that is used to give new employees computer and physical access and, more importantly, take it away when they change positions or leave the company.

Secgate Research & Innovation
GDPR ‘fake news’ Jonathan Armstrong
About the Author: Jonathan Armstrong is a Partner with London-based compliance law firm Cordery. An acknowledged expert on compliance and technology, his practice advises multinational companies on matters involving risk, compliance and technology across Europe. He has handled legal matters in more than 60 countries. Jonathan is a Fellow of The Chartered Institute of Marketing and co-author of the LexisNexis definitive work on technology risk, ‘Managing Risk: Technology & Communications’. He leads on Cordery’s GDPR Navigator subscription service, and is a frequent broadcaster for the BBC and other channels. Jonathan was ranked as the 14th most influential figure in global data security by Onalytica in their 2016 Data Security Top 100 Influencers and Brands survey. WHAT IS GDPR ‘FAKE NEWS’?
I think the fake news concept can be overused but we have talked about GDPR fake news in the past. It seems to be getting worse, not better. More and more of our time at Cordery is being taken up by calls from our clients after their CFO or another member of the leadership team has attended an event or read a vendor paper. In the worst cases,
in the call the team is told that their budget has been withdrawn/reduced because GDPR or some aspects of it ‘just doesn’t apply to them’. The reality we’ve seen is that in every case it does. We put together a ‘dirty dozen’ of the most frequent pieces of GDPR ‘fake news’ we’ve seen or heard about from our clients:
1. GDPR is enforced by a new Brussels-based data police force
2. GDPR only applies to PII (and that’s a short list)
3. Fines are based on 4% of profit (not turnover)
4. GDPR is all very new
5. The new data rights (like data portability and the right to erasure/right to be forgotten) just won’t be used
6. Data Processors have no liability
7. Organisations outside of the EU have no liability
8. GDPR looks good but won’t be enforced
9. GDPR doesn’t apply to financial services
10. GDPR doesn’t apply to the health sector
11. GDPR won’t apply because of Brexit
12. GDPR brings in just one set of laws for the whole of Europe – the law will now be exactly the same across the EU
To be honest though it was hard to stop at 12 – we could easily have done 10 or 20 more.

WHY IS THIS AN ISSUE?
Aspects of data protection have always been pretty complicated and it’s sometimes hard enough to make the right call even when you don’t start with the wrong basic facts. I think I first reached out to the UK data regulator on a client’s behalf in the early 1990s (yes, I really am that old). At the time I was doing a lot of work for healthcare organisations and we were acting on behalf of a hospital that had a very complicated issue about a child in their care. The medical evidence suggested that the hospital had to make a life or death decision. The hospital and the doctors involved behaved properly and responsibly in talking this through in detail with the regulator with our help. I am still convinced we reached the right decision, but it was not obvious. Even before GDPR, you needed to put some proper thought into the situation to get to the right answer. Some aspects of data protection aren’t that difficult. But there is often a confusion in some minds between what the law is and what you’d like the law to say.

On the 25th January 2012, the European Commission introduced its new data protection Regulation, which we now know as GDPR. I wrote about it within a couple of hours of the proposals being published (you can read it HERE). While there are things I would probably change now, this was the product of reading 119 pages end to end to quickly get the client alert out. One of the most controversial things at the time was that I said that the passage of GDPR into law would not be as smooth as the European Commission anticipated.

It has become very apparent that the passage into law still isn’t smooth in some countries – for example the recently announced new German law which will sit alongside GDPR but take away some of GDPR’s essential aims at harmony. Some of the GDPR fake
news come from old articles like the one I wrote in 2012 – for example the fine levels have changed from the 2012 draft to the final version. But there are no excuses for some of the other alternative facts which are either misinformed, or just wishful thinking.

WHY SHOULD WE CARE?
The danger of GDPR fake news is that it just reduces readiness. It is not responsible to speak at an event and tell people to forget about GDPR because Brexit means it will not apply in the UK. There is not a shred of evidence for this and that pronouncement from the ‘expert’ speaker might mean 70 or 80 organisations fail to prepare. I’ve had the same at an event last year where someone told a large audience that GDPR didn’t apply to financial services and was pretty shirty when I argued it did. The ‘evidence’ it seems was that he had spoken to a junior lawyer at a bank at a breakfast event who had said so. Was that enough evidence to tell 150 people in a room that they could stop getting ready?

You can probably sense my frustration in this blog. We have tried to mask our frustration with an attempt at the quirky, but this is a serious topic. This article is a slightly amended version of the original article, which was first published HERE.

Jonathan Armstrong, Partner, Cordery
The leading European event on cybersecurity
The FIC 2017 by its visitors:
“So much to see in so little time”
“The 1st time at FIC, but definitely not the last time!”
“FIC allowed us to make new qualified contacts”
“This show is outstanding by its dimension and by the diversity of the participants”
“Brilliant organisation”
“Great show, and many good meetings”
Free registration and free access to conferences for professionals
280 business partners, 300 high quality speakers, 30 workshops, 20 conferences, 12 keynotes
www.forum-fic.com
GDPR is Coming Brian Fitzpatrick
About the Author: Brian Fitzpatrick is Director, Business Development, EQ Digital, at Equiniti. Previously, he was Director, Strategic Partnerships, and before that Business Development Manager at Equiniti, and prior to this he was Head of Sales at Snaggl. Brian has 20 years’ experience in Sales and Business Development in UK, Ireland, Europe and USA. This includes products and service based solutions for Capital Markets, Commercial Banking and the Public Sector. He helps clients with secure technology led automation and productivity solutions for: The EU General Data Protection Regulation; Biometrics based client on-boarding and other identity scenarios; and Complex bespoke workflow/case management.

The European Union’s General Data Protection Regulation (GDPR) is due to come into force in Spring 2018. While all eyes are currently on the UK’s approach to Brexit, whether or not the UK is still part of the EU at this time is immaterial when it comes to data protection. On one hand, if your organisation and its data still interacts with the EU post Brexit, there is still a need to ensure your data is being held in accordance with the GDPR, whilst on the other, the UK will most probably amend its own data protection legislation prior to 2018 to bring it into line with the GDPR.
Either way, your organisation, be it public or private, needs to ensure that your approach to data protection and cyber security is taken seriously and that there is buy in from the top. To some, the need to change their approach to data protection brought about by the GDPR could be seen as additional workload for already overstretched resources, whereas in effect, GDPR, if embraced correctly, could bring with it a much more modern and robust approach to information security. Yes, the regulation will require a more strenuous data protection regime coupled with much more punitive penalties for non-compliance (fines of up to 4% of global turnover or €20 million, whichever is the greater). The upside for some organisations, however, could be that the GDPR is actually a catalyst to bring about changes to how they do things in the future.

A lot of organisations need to look at their data in the round. Systems may have grown and evolved over years as one system gets bolted onto another. This leaves the very real prospect of many organisations not actually knowing what data they hold, never mind knowing how much of it they actually have. This is a frightening prospect when it comes to cyber security because if an organisation doesn’t know the level of data it actually holds, then how can it expect to keep it safe? In this regard, the GDPR should be seen as a necessary evil and an opportunity to
have a root and branch review of an organisation’s approach to their systems, data and security. A wait and see approach is not recommended and clear action should be taken now to ensure compliance is achieved within the timescales. A good place to start would be to map data flows as part of a privacy impact assessment, i.e. how information is collected, stored, used, shared and deleted or archived, and what would be the most likely reasons for a data breach? The most common reasons for a data breach could include:
• Human error
• Failure to encrypt
• Lack of or poor data retention policies
• Poor data access policies
• Lack of staff training
• Misdirected communications (fax, email, post, hand delivery)
• Dependence on paper records
• Accidental loss/theft
• Breaching direct marketing rules
• Bad asset control (decommissioning of hardware)
• Dependence on non-connected data islands
• Poor security policies
All of these potential breaches could have a serious knock-on effect on your information security and leave your organisation vulnerable to a cyber security attack. The good news however is that these risk factors can be overcome by a systemised approach which addresses better compliance, more effective business processes and robust information security at their core.
This article was first published in agendaNI magazine.
Brian Fitzpatrick Director, Business Development, EQ Digital Equiniti
VisDa
Unlocking your data transfers; mitigating your risk.
Information and data is the lifeblood of companies today. Whole industries rely on the rapid sharing of information to generate revenue. As a result, huge volumes of data move from network to network, company to company, every day, non-stop. This presents organisations with a challenge: with so much data being transferred in and out of a company’s network, and with 2 out of every 3 large businesses in the UK experiencing a cyber-attack or breach in 2016, how can you keep track of which transfers are legitimate and which are malicious? Compound this challenge with regulatory drivers such as the General Data Protection Regulation (GDPR) and the need for a coherent solution to monitor and mitigate data transfer risks to your business is clear.
VisDa is a revolutionary solution that gives you the capability to track, trace, monitor, visualise, and analyse your organisation’s data transfers without impacting the performance of your business. Sitting transparently on your network, VisDa allows you to understand what, where, when and how data is moving, both internally within your network and externally to third parties. Developed by world-renowned records management consultants, risk consultants, cyber security experts and technologists, VisDa has been designed from the ground up to quantify the data transfer risk that your organisation is exposed to. Risks are displayed on our next generation dashboards; each dashboard is tailored to your individual operational risk framework and risk appetite. From senior executives to operational level users, keep your entire team informed.
J ULY 2 017 â€˘ 52
VisDa
Visualising your data.
VisDa is a tool that equips your network teams with three new capabilities. The first is the ability to map out all the data transfers occurring both internally and externally on your network, allowing malicious connections to be identified and blocked. The second is the ability to visualise and quantify your complete risk exposure caused by data transfers, giving your board mission critical business intelligence with regards to their risk exposure. The third is the ability to add context and information to security events quickly and efficiently by acting as a ‘black box’ on your network.
VisDa passively monitors your network for data transfers and then applies a risk score to each data transfer based upon several features; these features include the amount of data sent in the transfer, the types of files the data is contained in, the time and day the transfer was sent and the destination IP address of the data transfer. The risk score calculations are highly configurable and can be configured to map to an organisation’s individual risk framework and operational environment. VisDa allows you to then approve (and pre-approve) data transfers that are expected and investigate data transfers that seem malicious. The next generation dashboards convey your company’s global risk in a quantifiable way, giving your board of directors an easy to understand and easy to digest report of their data transfer risk exposure.
VisDa is a solution that gives you a fresh new way of monitoring data transfers and quantifying your global risk of a data breach; it is a complete data transfer risk management solution. Whether you need a solution to help you mitigate data transfer risk, or help you to achieve regulatory compliance with regulations such as the General Data Protection Regulation (GDPR), VisDa is the solution for you.
53 • CYBER WORLD
A fresh new way of monitoring data transfers and quantifying your global risk of a data breach – it is a complete data transfer risk management solution. Whether you need a solution to help you mitigate data transfer risk, or help you to achieve regulatory compliance with regulations such as GDPR, VisDa is the solution for you.

Contact us for a demo at: Info@secgate.co.uk
Erin Jones RISING STAR INTERVIEW
About the Author: Erin Jones is a senior associate in the PwC cyber security practice. She has worked on a range of engagements for FTSE100 and Financial Services clients, including large security transformations, incident response, identity and access management, and third party security management. Prior to joining PwC, Erin spent two years completing the TeachFirst graduate scheme, teaching computer science at a secondary school in North London. Erin holds a BSc in Information Security Management for Business from Loughborough University, and is currently studying for an MSc in Information Security at Royal Holloway, University of London.
TELL US ABOUT YOURSELF:

My name is Erin Jones. I’m 27 and work as a cyber security consultant at PwC where my primary role is to help our financial services clients build and assure their cyber security defences. In plain English, this means that I help customers both to understand how strong their cyber security is, and to improve it as necessary. I joined PwC three years ago after spending two years on the TeachFirst graduate scheme, where I taught computer science at a secondary school in North London.

My job sometimes gets quite stressful, and studying for an MSc in my spare time doesn’t help that! It really helps me to stay active; I particularly enjoy long-distance running, boxing and skiing. I am also a big fan of South Korean culture.

WHAT MADE YOU CHOOSE A CAREER IN

I was actually a computer science teacher when I decided to join the cyber security industry; I spent two years on the TeachFirst graduate scheme after leaving university as I recognised the leadership skills I could gain and the important purpose of the scheme. I realised I wanted to do something that applied both to my degree and to my interest in enabling business through technology (I’d seen it treated only as a cost-centre in my placement year). At the time of ending my commitment to teaching, two big breaches had happened in North America and I became really fascinated by the complexities of securing a digital society. It was hard to leave teaching, but I know that I can still help inspire students to take up core subjects and career paths in my current job.

WHAT ARE THE GREATEST POSITIVES ABOUT WORKING IN CYBER SECURITY?

Definitely the exposure I have had and the opportunities to learn. I have met the coolest people in this industry, with such different backgrounds, experiences, specialisms – yet, all of them are super passionate. It’s a really innovative industry because people do bring together what they know to deliver solutions or just new ways of doing things. Additionally, no client problem I have ever faced is the same, so it’s exciting to constantly challenge myself in new environments and situations.

WHAT ARE THE GREATEST CHALLENGES IN

I would say two of the biggest challenges I have noticed are education and skills.

The industry has grown so rapidly that the organic growth of the right skills has not been able to keep up, which is making it difficult for organisations to ensure they have the right people to deliver security objectives. Although crucial technical skills such as ethical hacking and security architecture are taught, there is so much more to the field.

I also believe education plays a huge part in the challenges faced by organisations and the public. Although this is starting to change, there is a huge misconception that cyber security is simply a technology issue and therefore not owned by the business. In order to mitigate risk, cyber security must be embedded fully and within all organisational processes – a key example of this is third party management, i.e. how can organisations be confident in the security of their supply chain?

WHAT ARE HIGHLIGHTS OF MY CAREER?

Working on two high profile data breaches with a really talented response team and seeing the direct impact my work was having on those organisations to enable them to take the next steps forward.

Designing, managing and delivering the 2016 final of the Cyber Security Challenge UK, which I am really proud that PwC sponsored. Its success was covered by lots of UK media, ultimately supporting education about the industry and helping discover new talent along the way.

INFLUENCE ON YOU?

My dad has always taught me to be fearless and resilient; if something is challenging, it’s probably good for me.

Within cyber security specifically, the leaders in my team are awesome. Over the three years I have been here, I have been empowered to do some really exciting things, which if written on paper would appear higher than my grade. Those leaders definitely inspire me to constantly innovate and believe in myself.

My best friend also works in my wider team but has really different skills and strengths to mine; she’s definitely a daily inspiration.

WHERE DO YOU SEE CYBER SECURITY IN 10 YEARS?

I think that the field is going to become increasingly regulated over the next 10 years, both in terms of regulations around organisations’ own cyber security, and in terms of regulating providers in the marketplace (of products and services).

Also, right now, there is a widely accepted ‘skills gap’ in cyber security, whereby the industry is struggling to fill key roles with suitably qualified people. The industry also lacks diversity, with many women choosing to have careers elsewhere. I hope that both of these will have changed in 10 years’ time, and we’ll see a much better resourced industry that is far more representative. Part of this is going to be changing people’s perceptions of cyber security as a career, and demonstrating that there are more than just ‘techy’ IT roles up for grabs.

WHAT ARE YOUR CAREER AMBITIONS?

In 10 years’ time I want to be well known in the industry as an expert in my chosen field. At the moment, I really appreciate the importance of building a solid foundation of skills and knowledge so that I can appreciate all facets of a problem. However, over time, I’d like to focus increasingly on a specialist area and become renowned for my mastery of it. I think getting myself to that place will be a challenge, but thoroughly enjoyable. Perhaps even more ambitiously, I’d love to be a CEO in 20 years’ time. I think that as society and business become more and more reliant on digital technology, future chief executives will equally need to become more literate in that technology. Also, I don’t think that it’s right that women are so underrepresented on corporate boards, and I’d like to be someone that helps to change that.

WHAT WOULD YOU DO IF YOU WEREN’T A CONSULTANT?

I come from a family of police officers; my parents both met in the police and my grandad had some really amazing achievements across a variety of forces. If I hadn’t taken the career path I had, I would like to think I would have joined the police too and eventually become a detective. The current direct entry detective scheme for the Met sounds really impressive as they recognise transferable skills.

WHAT ADVICE WOULD YOU GIVE YOUNG PEOPLE HOPING TO ENTER A CAREER IN THE FIELD?

Be passionate. There is so much opportunity in this industry as it’s so fast paced: you need to be passionate about it as it will never stand still. Read up about cyber security news and developments, and research what interests you – is it the technical detail, processes or people? Look out for internships, industry events or opportunities to look at what different organisations do – I know for instance that PwC offers tech internships which include cyber security.
Erin Jones Cyber Security Senior Associate PwC UK
Women in Cyber Security FUTURE LEADERS: Sophia McCall
About the Author: Sophia McCall is currently studying for a BSc in Cyber Security Management at Bournemouth University. She has participated in many ethical hacking competitions and ‘hackathons’ across the country, achieving a series of awards and ‘wins’. Sophia is in the process of taking on the role of vice president of the Bournemouth University Cyber Security Society for the forthcoming academic year. Sophia is planning to engage in industry placements in the near future to enhance her experience and knowledge of the field.

The field of cyber security is not only currently lacking both numbers and talent, but also exhibiting a massive gender imbalance. Statistics show that only 11 per cent of the global IT industry workforce is female and with such a large gap between the male and female ratio in the industry, campaigns have been mounted to encourage more women to enter the cyber security field.

I am part of the small percentage of women in cyber security; and for as long as I can remember, I have always been part of a minority within information technology. Ever since my secondary school days, I was either the only female, or one of a very few, in the classroom environment – and this trend has continued into my university life. With every industry day I attend, or cyber security exhibition, or educational course – the lack of female representation in the room is very noticeable. There is constant talk of how more women are wanted in cyber security, but, some may ask, why do we want more women in cyber security?

Historically, there has been a lack of female representation in the technology and STEM sectors, but times are changing – and with the advance of technology and the increasing needs of the technology sector, more and more women are entering the field.

However, only a small proportion of female students currently studying for a degree are planning to enter a career in technology – for a number of reasons: there is the risk of entering a heavily male-dominated environment, the isolation one may experience as a result, and the strict culture and stereotype of the typical cyber-geek, to name just a few. However, I, and many others, have grown to accept the fact that we may be the only females in the room, and with time and experience we have learned to persevere and combat these stereotypes.

Cyber security is a field where many diverse skills are needed, far beyond the typical cyber-geek tapping away on a keyboard. There is now a great variety of roles that can be offered to someone entering the field. With the range of roles available today and the number of diverse skillsets needed, a wide variety of suitors should be considered – including an equal ratio of males and females. It is an accepted scientific fact that the male and female brain have their own unique characteristics. The male brain tends to be more analytical with more logical cognitive processing and systematic thinking. The female brain is known to be more empathising, more capable of understanding and better at relating to another person’s emotions and thoughts. While both traits and functions are great on their own, the combination of both skills can be used to increase the overall success of a cyber security workforce.

Cyber security is not only reliant on the success of technical roles: most security vulnerabilities derive from human error. To gain an understanding of how to increase the security of a device, one must understand the end-user. Most large firms and companies fall victim to some form of social engineering, hence the psychological factors of cyber security are growing ever more in importance. With women exhibiting a deeper understanding of psychological factors and the behaviours of individuals, not only can their technical skills be put to great use, but the psychology of understanding how a person works can be used to advantage. So to answer the question why we need females in cyber security, the answer is simple: We need the diversity! Not only to support a healthy workspace ecosystem, but to utilise all the available talent to increase the capabilities and success of our cyber workforces.

Sophia McCall BSc in Cyber Security Management Bournemouth University
Cyber World Missed an edition? Want to subscribe? Want a hardcopy? Want to contribute? Contact us on email@example.com
Upcoming Events

HEALTHCARE CYBERSECURITY CONFERENCE hosted in Salford, UK, 20th July 2017. Read more here.

BLACK HAT USA 2017 hosted in Las Vegas, USA, 22nd to the 27th July 2017. Read more here.

ASIAL 2017 hosted in Sydney, Australia, 26th to 28th July 2017. Read more here.

CYBER SECURITY SUMMIT: CHICAGO hosted in Chicago, USA, 8th August 2017. Read more here.

SECUTECH VIETNAM hosted in Ho Chi Minh City, Vietnam, 16th to 18th August 2017. Read more here.

XXI WORLD CONGRESS ON SAFETY AND HEALTH AT WORK 2017 hosted in Singapore, 3rd to 6th September 2017. Read more here.
About Secgate Secgate is a specialist security advisory and technology innovation group made up of experienced and award-winning tier 1 professionals who deliver intelligent protection solutions that both strengthen and empower our clients’ IT security and resilience. Our in-house technology department builds, implements and manages next generation IT security tools to help our clients analyse, correlate, identify and eliminate cyber security threats. With headquarters in the UK, Secgate Technologies is made up of industry experts and leading technologists who have built a suite of solutions with proven defensive capabilities that tackle IT threat detection, analytics and IT incident response. Our flagship product, Forest Tree, has been successfully deployed in a number of complex and uniquely demanding environments. Our combination of consultants and technologists allows us to deliver unique and innovative solutions that provide our clients with real, tangible value.

Berkeley Square House, Berkeley Square, Mayfair, London W1, United Kingdom