
March 2018

CYBER WORLD Rounding up the latest in Cyber Security

In this month’s edition:
Latest News
Newest Vulnerabilities
Robert Morgus, New America
Ramsés Gallego, Symantec
Olivier Kraft, RUSI
Arthur P. B. Laudrain, Leiden University
China - The Real Cyber Threat?
Talal Rajab, techUK
Leron Zinatullin, KPMG UK
Rising Stars (Steven Thomson, IT Lab)
Future Leaders (Amy Ertan, Royal Holloway)
Upcoming Events


Hello. Welcome to the March 2018 edition of Cyber World – a monthly magazine that brings you the latest news in the world of cyber security. Cyber World offers the latest analyses and opinions from leading industry professionals, academics and the policy community. In this edition, we present a special guest contribution by Robert Morgus, Senior Policy Analyst with New America’s Cybersecurity Initiative and International Security program and the deputy director of the FIU-New America C2B Partnership. Moreover, we have analyses by Ramsés Gallego, a Strategist & Evangelist in the Office of the CTO, Symantec; Olivier Kraft, Research Fellow at RUSI’s Centre for Financial Crime and Security Studies; Arthur P. B. Laudrain, an incoming DPhil researcher in cyber security at the University of Oxford and reserve officer in the French armed forces; Talal Rajab, Head of Programme for techUK’s Cyber and National Security programmes; and by Leron Zinatullin, Security Architect, Technology Risk Consulting, at KPMG UK. We are also pleased to present an analysis on ‘China – The Real Cyber Threat?’ as well as a Rising Star interview with Steven Thomson, Lead Analyst of the Security Operations Centre (SOC) at IT Lab and a Future Leaders contribution by Amy Ertan, a PhD student in Cyber Security at Royal Holloway (University of London) and Strategic Threat Intelligence Analyst at Barclays. We are grateful to our Readers for their continued interest in our magazine, and as always, please send us your feedback and comments on our current and/or past editions. If you enjoy this magazine, feel free to share it with your friends and colleagues.

Laith Gharib, Managing Director

M A RCH 2 018 • 2

Latest News Rounding up the news

CRIME-AS-A-SERVICE DOESN’T PAY
In 2016, a four-year, 30-country police operation dismantled the Ukraine-based Avalanche criminal network. Top bosses were arrested, hundreds of servers were shut down or seized, and 800,000 internet domains were blocked. One of the organisers, Gennadiy Kapkanov, was detained but then released, despite his four-year presence on Interpol's most-wanted list. Kapkanov disappeared until Ukraine's cyber police caught up with the alleged mastermind behind the Avalanche malware spam botnet again on 25 February. "An organizer of the international crime platform known as 'Avalanche' which infected up to half a million computers in the world daily was detained in Kiev," Ukraine's cyber police confirmed in a statement.

GITHUB SUFFERS LARGEST EVER DDOS ATTACK
Software development platform GitHub revealed this week that it had been hit by the largest DDoS attack on record. Attackers abused around 100,000 Memcached servers left reachable over UDP from the public internet in what is being called a Memcached UDP reflection attack: small requests carrying a spoofed source address (GitHub's) are sent to the servers, which answer the victim with far larger responses. A Memcached reply can be tens of thousands of times larger than the request that triggers it (GitHub put the amplification factor at up to 51,000), and the assault reached 1.35 terabits per second (Tbps) at its peak. While this would paralyse most sites, GitHub was down for less than 10 minutes after DDoS mitigation provider Akamai Prolexic helped absorb the attack by filtering out the malicious traffic.
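The reflection mechanics in the GitHub item, as an added example that is not code from the original item, from GitHub or from Akamai: it frames a Memcached text command in the 8-byte UDP header the protocol uses, parses the datagrams a server reflects back, and computes the amplification factor (bytes received by the victim per byte the attacker sends). probe() really sends a `stats` request and is meant for checking your own servers; the request ID, the host and the three 1,400-byte replies in constructed_reply() are made up for the offline demo.

```python
import socket
import struct

MEMCACHED_UDP_PORT = 11211
# Memcached UDP frame header, 8 bytes, big-endian:
#   request ID | sequence number | total datagrams in this reply | reserved
FRAME_HEADER = struct.Struct("!HHHH")


def build_udp_request(command: bytes, request_id: int = 0x1234) -> bytes:
    """Wrap a text-protocol command (e.g. b"stats") in a single UDP frame."""
    return FRAME_HEADER.pack(request_id, 0, 1, 0) + command + b"\r\n"


def parse_udp_frame(datagram: bytes):
    """Return (request_id, seq, total, payload) for one datagram a server sent back."""
    if len(datagram) < FRAME_HEADER.size:
        raise ValueError("datagram shorter than the memcached UDP header")
    request_id, seq, total, _reserved = FRAME_HEADER.unpack_from(datagram)
    return request_id, seq, total, datagram[FRAME_HEADER.size:]


def amplification_factor(request: bytes, responses) -> float:
    """Bytes reflected per byte sent: the attacker pays len(request), the victim receives the rest."""
    return sum(len(r) for r in responses) / len(request)


def probe(host: str, timeout: float = 2.0):
    """Send 'stats' over UDP and collect everything the host reflects within the timeout.
    Any reply at all means the server is an open reflector; a hardened memcached has
    UDP disabled (started with -U 0) or is not reachable from outside at all.
    Network call; not used by the offline demo or its test."""
    request = build_udp_request(b"stats")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    responses = []
    try:
        sock.sendto(request, (host, MEMCACHED_UDP_PORT))
        while True:
            data, _peer = sock.recvfrom(65535)
            responses.append(data)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return request, responses


def constructed_reply(request_id: int = 0x1234, datagrams: int = 3, payload_size: int = 1400):
    """A made-up multi-datagram reply standing in for a real server's 'stats' output
    (real output is text such as b'STAT pid 1234\\r\\n...'); used only for the offline demo."""
    body = (b"STAT bytes_read 0\r\n" * 200)[:payload_size]
    return [FRAME_HEADER.pack(request_id, seq, datagrams, 0) + body for seq in range(datagrams)]


def offline_demo() -> float:
    """Frame a request, check every constructed reply parses, and return the amplification."""
    request = build_udp_request(b"stats")
    replies = constructed_reply()
    for frame in replies:
        rid, _seq, total, _payload = parse_udp_frame(frame)
        assert rid == 0x1234 and total == len(replies)
    return amplification_factor(request, replies)


if __name__ == "__main__":
    print(f"constructed amplification factor: {offline_demo():.0f}x")
```

The 15-byte request against three constructed 1,408-byte datagrams already gives a factor of roughly 280; real servers holding large cached values reply with many more datagrams per request, which is where the figures in the thousands come from.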


WINTER OLYMPICS HACKED
Russian military spies allegedly hacked hundreds of computers at the Winter Olympics in South Korea and tried to make it look like North Korea was the culprit. The cyberattack came during the opening ceremony and disrupted broadcast systems and the Olympics websites, meaning attendees were not able to print their tickets and leaving many seats empty. The Washington Post's national security reporter Ellen Nakashima reported that, according to two US officials, Russia's military intelligence agency, the GRU, accessed as many as 300 computers. To cover their tracks and pin suspicion on North Korea, the hackers used North Korean IP addresses.

THE TRUE COST OF CYBERCRIME
A McAfee report entitled “Economic Impact of Cybercrime – No Slowing Down”, produced with the Center for Strategic and International Studies (CSIS), estimates that cybercrime costs the global economy $600 billion a year, or 0.8 percent of global GDP. The report attributes the $155bn jump since 2014 to the speed with which cybercriminals adopt new technology and to growth in the number of internet users in parts of the world with weak cybersecurity. 2017's NotPetya attack was a wake-up call to many: FedEx and the Danish shipping company Maersk each reported that the attack cost them around $300 million.


WHO WATCHES THE WATCHMEN?
Britain's local governments were hit by 98 million cyber attacks in the last five years – the equivalent of 37 attacks a minute – while one in four councils' systems were successfully breached. Most common were malware and phishing attacks. Big Brother Watch argued these numbers would only increase with the government's quest for big data and as councils continue to build “ever-expanding troves of personal information… under the banner of data-driven government”. The privacy group warned that “zealous data sharing comes with real risks” as the information councils amass makes them “attractive targets for criminals”. It also criticised the councils for a lack of investment: the scale of the data held should mean council staff are well versed in cybersecurity threats, the group said, yet three-quarters of councils reported that they do not provide mandatory training, and 16% said there was no training at all.

NO ONE IS SAFE
Fidelis Cybersecurity's Jason Reaves, who last year demonstrated that X.509 certificate exchanges could carry malicious traffic, has disclosed that fields in X.509 certificates (the standard's extension metadata) can be abused as a covert channel to move data through a firewall. The X.509 standard defines the format of public key certificates and anchors much of the world's public key infrastructure. In similarly worrying news, two common and long-thought impenetrable physical security measures, air gapping and Faraday cages, have been shown to be bypassable. The latest exfiltration vector is low-frequency magnetic fields, as detailed in two papers released by researchers at Israel's Ben-Gurion University.

CRYPTOMINING 1 RANSOMWARE 0
Malicious actors are ditching ransomware, and the human element it depends on, in favour of mining cryptocurrency on victims' machines. Cisco's Talos security team attributes the switch from traditional ransomware attack vectors to cryptomining to improvements in ransomware detection by antivirus products and operating systems. A single machine compromised by unnoticed mining malware returns around 25 cents' worth of Monero per day, and one such malware family, which spreads using the NSA-linked EternalBlue exploit, is estimated to have netted its operators between $2.8m and $3.6m. The majority of affected machines are in Russia, India and Taiwan, but they could be coming to a screen near you soon!




Newest Vulnerabilities Latest Developments and Trends

TELEGRAM FROM RUSSIA. STOP.
Russian cyber attackers have been exploiting a zero-day vulnerability in the Telegram messaging app since March 2017 to install malware, gain remote access to the target computer and mine cryptocurrency on it. Kaspersky Lab reports that the flaw relied on the RLO (right-to-left override) Unicode character: an invisible character (U+202E) placed in the file name reverses the display order of the characters that follow it, so a JavaScript file can be shown in the chat with what looks like an image name and extension. Users who opened the disguised file ran the malware, which was then installed on their Windows computers. Kaspersky reported the vulnerability to Telegram and the flaw has not been observed in use since.

FACEBOOK ADMINS AT RISK
Facebook has patched a severe vulnerability which leaked the identities of page administrators. Bug hunter Mohamed Baset said the bug, a logic error, occurred when a user liked a specific post on a page. Page admins could send Facebook invitations asking users if they wished to like the page after liking a post, and a few days later these users might receive an email reminding them of the invitation. Intrigued, Baset showed that the "original message" view of this email leaked the administrator's name and admin ID. Baset reported the problem to the Facebook Security Team and was awarded $2,500 through Facebook's bug bounty program.

SPY KIDS
More than 50,000 Chinese-built Mi-Cam baby monitors could be broadcasting sound and video to whoever comes looking, claims Austrian security company SEC Consult. The MiSafes devices stream 720p video and two-way audio in real time to apps running on parents' smartphones, via Amazon cloud servers. All an attacker has to do is set up a proxy that intercepts and modifies the HTTP requests between the phone app and the cloud backend; because the backend does not properly check that the requesting user is authorised for the device named in the request, modified requests reach other people's monitors. SEC Consult also physically extracted the device's firmware and found default root passwords, and discovered open APIs.
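The right-to-left override trick from the Telegram item, as an added example that is not code from Kaspersky's report or from Telegram. The file name below is constructed to follow the pattern Kaspersky described (a `.js` file whose name ends in a reversed `gnp.js`); rendered_name() approximates what a viewer that honours U+202E displays, analyse() compares that with the extension the operating system will actually act on, and strip_bidi() is the sanitiser a file-handling application should apply before showing a name to the user.

```python
# Unicode bidirectional control characters: invisible, but they change how a name renders.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"   # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"         # LRI, RLI, FSI, PDI
    "\u200e\u200f"                     # LRM, RLM
)
RLO = "\u202e"

# Extensions Windows will execute when the file is double-clicked.
EXECUTABLE_EXTENSIONS = frozenset(
    {"js", "jse", "exe", "scr", "bat", "cmd", "vbs", "ps1", "hta", "wsf", "jar", "lnk"}
)


def strip_bidi(name: str) -> str:
    """Remove every bidi control character; apply this before displaying a file name."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def rendered_name(name: str) -> str:
    """Approximate what a bidi-aware UI shows: everything after the first RLO is mirrored."""
    head, sep, tail = name.partition(RLO)
    if not sep:
        return strip_bidi(name)
    return strip_bidi(head) + strip_bidi(tail)[::-1]


def extension(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def analyse(name: str) -> dict:
    """Report what the user sees versus what the operating system will open."""
    shown = rendered_name(name)
    real_ext = extension(strip_bidi(name))   # the OS ignores the controls and reads the real suffix
    shown_ext = extension(shown)
    has_bidi = any(ch in BIDI_CONTROLS for ch in name)
    return {
        "displayed": shown,
        "displayed_extension": shown_ext,
        "real_extension": real_ext,
        "has_bidi_control": has_bidi,
        # Any bidi control in a file name deserves a look; an executable hiding behind a
        # harmless-looking extension is the case worth blocking outright.
        "hides_executable": has_bidi and real_ext in EXECUTABLE_EXTENSIONS and real_ext != shown_ext,
    }


def scan(names):
    """Return (name, analysis) for every name carrying bidi controls, worst first."""
    hits = [(n, analyse(n)) for n in names if any(ch in BIDI_CONTROLS for ch in n)]
    hits.sort(key=lambda item: not item[1]["hides_executable"])
    return hits


if __name__ == "__main__":
    # Constructed sample: a script whose name mirrors the pattern in Kaspersky's write-up.
    for name, report in scan(["holiday.png", "photo_high_re\u202egnp.js"]):
        print(report["displayed"], "is really a ." + report["real_extension"], report)
```

The defensive rule that falls out of this is simple: reject or at least strip bidi controls from uploaded and received file names, and decide what to do with a file from the extension the OS sees, never from the rendered string.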


WARGAMES
The US bug bounty programme Hack the Air Force 2.0 has resulted in 106 vulnerabilities being reported and fixed. HackerOne revealed that the 20-day competition to find vulnerabilities in Air Force systems resulted in $103,883 in payouts to white-hat hackers. In this second competition, the highest single bounty paid was $12,500, the highest to date in any of the federal bug bounty programmes, such as Hack the Pentagon and Hack the Army. Since the initiative launched in 2016, over 3,000 vulnerabilities have been reported and resolved in government systems.

BOUNTY HUNTERS
Washington D.C.-based private exploit acquisition programme Zerodium is offering up to $45,000 for Linux local privilege escalation (LPE) exploits. Submissions must be unreported (zero-day) and work against default installations of popular distributions such as Ubuntu, Debian, CentOS, Red Hat Enterprise Linux (RHEL) and Fedora. Zerodium buys vulnerabilities across a wide range of target devices and operating systems and sells the information privately to its clients. If you want in, you have until 31 March.

DO FEAR THE REAPER
Cybersecurity firm FireEye has reported that the advanced persistent threat (APT) group "Reaper" uses a range of zero-day vulnerabilities and malware to spy on governments on behalf of North Korea. Also known as APT37, the group has been linked to the exploitation of several Adobe Flash zero-day vulnerabilities, as well as security flaws in the Hangul Word Processor (HWP) widely used in South Korea. Reaper also attacks victims with the RUHAPPY wiper, the CORALDECK exfiltration tool, the KARAE backdoor, the information-collecting backdoor SHUTTERSPEED and the JavaScript browser profiler RICECURRY. Reaper usually targets South Korea, but Japan, Vietnam and the Middle East are also now in the group's sights.


Cybersecurity in Development: To Mainstream or Prioritize? Robert Morgus

About the Author: Robert Morgus is a senior policy analyst with New America’s Cybersecurity Initiative and International Security program and the deputy director of the FIU-New America C2B Partnership.





In 2010, the United Nations Group of Governmental Experts on developments in the field of information and telecommunications recognized the importance of building the cybersecurity capacity of nations around the world, including less developed countries. Since 2010, as information and communication technology (ICT) increasingly drives development outcomes, the need for more and better cybersecurity capacity building has only grown as nearly all pillars of society—from the economy, to governance, to social interaction—are or can be touched by ICT. To many, the importance of cybersecurity in light of these new pan-societal dependencies is a given. Events like WannaCry and the various cybersecurity concerns around the 2016 United States election have catalyzed additional interest and investment in cybersecurity in many resource-rich, fully developed countries. However, in much of the lesser developed world—the part of the world where the digital economy is growing at nearly two times the speed it is in the developed world; the part of the world where developments in e-voting and e-governance could have an outsized impact on the quality of human life—cyber insecurity is considered a longer-term threat that will be handled once the full benefits of ICT are being reaped across society.

Yet, in 2016, the World Bank’s World Development Report (WDR) explicitly acknowledged for the first time in a WDR the importance of cybersecurity as a concern for international development, noting that “some of the perceived benefits of digital technologies are offset by emerging risks.” However, despite that recognition, the question remains: how exactly should cybersecurity be folded into international development writ large? In the past, the development community has incorporated or focused on emerging issues as they bubbled to the surface in one of two ways: prioritization or mainstreaming.

Prioritization is the act of identifying a key issue for the development community to focus on. Prominent examples of prioritization from the last decade include the goals outlined in the Millennium Development Goals and Sustainable Development Goals, like achieving universal primary education or protecting the oceans. Priorities are often identified by leading development institutions, like the World Bank, and communicated through documents like the Millennium Development Goals. In most past cases, prioritization takes an existing development focus and elevates it for critical attention.

By contrast, mainstreaming is most relevant in the context of an emerging issue that has the potential to cut across many or all areas of development and may not receive sufficient focus from the development community. Mainstreaming seeks to fold this new issue into existing development practice as a new equity or consideration in the practice of the community. Perhaps the most notable examples of mainstreaming have occurred in the past two decades in the form of women’s rights and human rights. In both of these cases, leaders in the development community—from prominent celebrity voices to major development donors—highlighted the need to consider these basic rights as development activity unfolds.

Because cybersecurity cuts across nearly all sectors of the economy, society, and government, mainstreaming seems like a better fit. The question then becomes: how? Although it lacks some of the intrinsic and visceral aspects that human rights possesses as an issue, mainstreaming cybersecurity in development could follow a template similar to that of human rights.

The mainstreaming of human rights in development was the result of a concerted effort on the part of the human rights movement to “operationalize the relevance of human rights to various fields of development.” The breakthrough was precipitated by two important shifts in approach. The first was a shift of emphasis from the “right-holder” approach/model—expanding human rights opportunities for individuals—to the “duty-bearer” model—ensuring that state and non-state actors understand, respect, protect, and fulfil human rights obligations. The second was a shift from a violations approach—where the emphasis was on identifying and punishing human rights violators—to a policy approach, which “demands developing new tools to bring human rights concerns into forward-looking policy-making processes,” like Human Rights Impact Assessments (HRIAs).

In fact, the mainstreaming of human rights manifested most obviously in the creation and implementation of HRIAs. An initial push for HRIAs in business came in 2005 when UN Secretary General Kofi Annan appointed John Ruggie, a noted international relations scholar and the force behind the Millennium Development Goals, as the Special Representative on the issue of human rights and transnational corporations and other business enterprises. Ruggie’s mandate included “identifying and clarifying standards of corporate responsibility and accountability with regard to human rights.” This work spilled over into development, where HRIAs have six essential elements:

1. A normative human rights framework,
2. Public participation,
3. Equality and non-discrimination,
4. Transparency and access to information,
5. Accountability mechanisms, and
6. Inter-sectoral approach.

A cybersecurity equivalent of these assessments doesn’t exist right now, but such assessments for corporations, lending institutions, and other development actors—underpinned by similar essential elements to HRIAs—could be an important tool to drive forward the conversation about the impact of cybersecurity on development outcomes.

This article was originally published by New America.

Robert Morgus
Senior Policy Analyst
New America Foundation

GDPR Will Catalyze New Cybersecurity Investments Ramsés Gallego


About the Author: Ramsés Gallego is a Strategist & Evangelist in the Office of the CTO, Symantec, where he is responsible for strategy development and execution of the cybersecurity portfolio. Previously, Ramsés was Executive Vice President at the Quantum World Association and a board director at ISACA.

As we move toward 25 May, when the European Union General Data Protection Regulation (GDPR) becomes applicable, most enterprises are focused on just two questions: Are we affected? And, how do we comply? The past months have made it clear that GDPR is more far-reaching than some initially thought. Your company is subject to this new regulation if it offers goods or services to, or monitors the behaviour of, even a single individual in the EU, or if it has an establishment in one EU location – no matter where it is headquartered or where else it does business. As a result, you may currently be in haste to achieve full GDPR implementation, including making changes both to achieve compliance by the deadline and to maintain ongoing compliance.

Beyond the near term, however, I see GDPR as a fantastic opportunity to unify and simplify the way organizations and governments defend and protect data. GDPR is a regulation, not a directive: it applies directly in all 28 EU countries without national transposition, leaving far less room for varying interpretations by local governments. It explicitly mentions technologies, such as encryption, that help protect enterprises against cyberattacks. Furthermore, GDPR implicitly encourages disciplines that improve cybersecurity, such as data loss prevention, identity governance and monitoring. As a result, I expect GDPR to be a catalyst for cybersecurity investment over the long term – and to make these investments more effective, since companies must meet identical high standards across all EU countries where they do business.

GDPR will spur investment in the following areas:

Privacy safeguards. At the core of GDPR is the Data Protection Impact Assessment (DPIA, often called a Privacy Impact Assessment), a process to determine where data sits, in which format, who manages it, for how long, etc. After this initial assessment comes protection and defense – starting with defining processes and protocols to know and manage who has access to what data. These requirements will spur additional investment in preventing and addressing unauthorized access.

Monitoring. GDPR’s accountability principle requires enterprises to be able to demonstrate effective privacy safeguards at any time. This requirement is far more rigorous than a periodic audit, which merely shows results – good and bad – at a given point in time. Investment in improved monitoring as required by GDPR can only benefit enterprises that seek to avert, detect and respond more quickly to a potential cyberattack.

Breach communication. GDPR requires companies to inform the appropriate supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. The law is silent about whether an organization will incur liability if it doesn’t detect a breach that quickly. My opinion is that ignorance will not be considered a valid defense. Reporting a breach several months after it occurred will cause regulators to question the quality of a company’s control and reporting capabilities. Therefore, enterprises have new incentives to invest in disciplines that improve cybersecurity monitoring and reporting. It’s also interesting to note that the first drafts of GDPR called for data breach reporting to occur within just 24 hours, which makes me wonder whether regulators will choose to shrink this communication window over time.

Any sweeping new regulation may have unintended consequences. GDPR sets forth privacy obligations, enforcement and penalties that differ from those in other regions of the world, requiring multinational enterprises to carefully consider and navigate any differences. In addition, an organization’s Data Protection Officer (DPO), which GDPR requires for many organizations, may not always be in sync with the departments tasked with the mechanisms to ensure data security, development, infrastructure, network management, etc.

Overall, however, I consider GDPR something to celebrate. It sets uniform standards for data privacy and security, and provides incentives for enterprises to invest in cybersecurity that could reduce cybercrime around the world.

Ramsés Gallego Strategist & Evangelist Symantec



Financial Crime 2.0: International Cooperation Vital in Fight Against Cybercrime Olivier Kraft

About the Author: Olivier is a Research Fellow at RUSI’s Centre for Financial Crime and Security Studies. Prior to joining RUSI in 2017, he worked with the Financial Action Task Force (FATF), the global standard-setter in the areas of anti-money laundering and counter-terrorist financing (AML/CFT), where he focused on evaluating the effectiveness of countries’ AML/CFT efforts. From 2011 to 2015, Olivier advised the World Bank Group Sanctions Board on allegations of fraud and corruption in development projects co-financed by the World Bank Group. He previously worked on the implementation of the United Nations Convention against Corruption at the UN Office on Drugs and Crime.

When Europol Director General Rob Wainwright addressed RUSI’s Centre for Financial Crime and Security Studies annual conference he noted recent cases of successful international cooperation against cybercrime. For example, Operation Avalanche was directed against a cybercrime syndicate of more than 20 organised criminal groups and required cooperation across 30 jurisdictions. At the same time, Wainwright noted that there was insufficient synergy between cybercrime and anti-money laundering (AML) units in many public and private institutions. This raises a question as to how AML tools can be more effectively used to tackle the proceeds of cybercrime.

One potential response discussed during the subsequent panel at the RUSI gathering is the cyber financial intelligence unit recently established by Standard Chartered Bank. The unit uses cyber-related information to complement financial crime intelligence to better identify, disrupt and report illicit proceeds from cybercrime. This is in line with guidance issued by the US financial intelligence unit, FinCEN, which asks financial institutions to include cyber-related information, such as IP addresses and malware indicators, when filing suspicious activity reports (SARs).

It was noted that money laundering techniques relating to the proceeds of cybercrime often involved traditional methods such as ‘money mules’. For example, this could mean that a fraudster might wire funds from a victim’s account to that of a ‘mule’, who will withdraw the funds in cash and transfer them to the fraudster via a money service business. A recent investigation by the UK National Crime Agency uncovered the use of approximately 400 accounts to launder £6.9 million originating from cybercrime. While cash is still king in the context of money laundering, Britain’s Crown Prosecution Service has observed that virtual currencies are also gaining popularity due to the anonymity that some of them offer to users.

In order to support investigations involving virtual currencies such as Bitcoin, private companies have developed techniques to map out transactions and connect multiple Bitcoin addresses that are controlled by the same wallet. According to data collected by Chainalysis, a New York-based forensic firm, 7.8% of Bitcoin transactions involve ‘mixing’, a process that bundles funds from many users together and considerably reduces the traceability of financial flows.

Discussions at the ‘Financial Crime 2.0’ conference addressed not only the risks associated with new technologies, however, but also the opportunities. Specifically, speakers discussed the potential of new technologies, including regulatory technologies (RegTech), to increase not only the efficiency of AML efforts, but also their effectiveness, which is likely to be a key objective for the national economic crime centre (NECC), announced on 11 December by Home Secretary Amber Rudd. The NECC should also draw on the experience of other jurisdictions that have explored innovative approaches to data-driven financial crime supervision and enforcement.

The representative of a UK bank that has implemented an automated know-your-customer (KYC) system explained that the new system had allowed the institution to increase the frequency of reviews and had enabled skilled staff to focus on high-risk situations. Designing the outputs of an automated system in a way that is close to the ‘look and feel’ of a manual system has helped to ensure that staff are comfortable working with digital tools.

As financial institutions harness the opportunities of new technologies, there was consensus that this effort should take place in tandem with an increase of the governments’ analytical capacities. In addition, a RegTech representative expressed the view that governments should issue clearer regulators’ expectations regarding the use of technologies. He pointed out that, while certain US remediation programmes generally provide useful details on good practices, this should be made available before an institution is fined.

While SARs can provide valuable information, they are often filed when the funds in question have already moved. Advanced data analytics therefore provide a critical addition to the SARs regime. Examples of data-driven supervisory efforts were presented by representatives of De Nederlandsche Bank (DNB, the Dutch financial supervisor) and the Italian Financial Intelligence Unit (FIU). DNB receives information from money service businesses (MSBs) operating in the Netherlands on all money transfers they conduct to and from the country. DNB processes the collected data using advanced analytics and determines the risk level of MSBs and agents on that basis. This new data-driven approach has led to supervisory action, with one MSB licence being revoked and 20 agents being closed, as well as to various criminal prosecutions. It has also raised awareness in the sector about the use of MSBs for criminal purposes and therefore contributed to stronger internal controls.

The Italian FIU analyses aggregate data on cash transactions and financial flows that financial institutions are required to submit monthly. Using quantitative methods, the FIU has been able to detect anomalies at the country or province level. These anomalies may point to potential cases of trade-based money laundering, or – when compared with data on suspicious activity reports – cases of under-reporting. The findings inform not only the FIU’s work, but provide critical input to law enforcement and the financial sector in their efforts to tackle financial crime.

Coordinating the use of technologies against financial crime across sectors will be critical to the mandate of the UK’s new national economic crime centre. To meet its objectives to address the financial crime risks facing the UK, the NECC will have to not only make the existing tools work more efficiently, but also lead a wider discussion on innovative approaches that will increase the system’s overall effectiveness.

The views expressed in this Commentary are the author’s, and do not necessarily reflect those of RUSI or any other institution.

This article was originally published by the Royal United Services Institute (RUSI).

Olivier Kraft Research Fellow RUSI
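The address-linking technique that Kraft's article mentions (connecting multiple Bitcoin addresses controlled by the same wallet), as an added example that is not code from RUSI, Chainalysis or the article's author. It implements the common-input heuristic with a union-find structure: every input of an ordinary transaction must have been signed by the same key holder, so the addresses are merged into one cluster. It also handles the failure mode the article raises, mixing: a transaction with several inputs and several equal-valued outputs is treated as a CoinJoin round and its inputs are not merged. The transactions, address labels and values below are constructed for the demo.

```python
from collections import defaultdict

# Constructed sample transactions (labels stand in for real addresses; values in satoshi).
# tx1 and tx2 share input "B", so the multi-input heuristic links A, B and C.
# tx3 belongs to an unrelated wallet.
# tx4 mimics a CoinJoin/mixing round: several parties each contribute an input and
# receive an equal-valued output, so its inputs must not be treated as co-owned.
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": ["A", "B"], "outputs": [("M", 50000), ("A", 10000)]},
    {"txid": "tx2", "inputs": ["B", "C"], "outputs": [("N", 70000)]},
    {"txid": "tx3", "inputs": ["D", "E"], "outputs": [("P", 30000)]},
    {"txid": "tx4", "inputs": ["A", "D", "F"],
     "outputs": [("Q", 100000), ("R", 100000), ("S", 100000), ("A", 5000)]},
]


class UnionFind:
    """Disjoint sets over address labels, with path compression."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        root = x
        while self.parent[root] != root:
            root = self.parent[root]
        while self.parent[x] != root:          # compress the path we just walked
            self.parent[x], x = root, self.parent[x]
        return root

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def looks_like_coinjoin(tx, min_parties=3):
    """Several inputs paired with several equal-valued outputs is the signature of a mixing round."""
    counts = defaultdict(int)
    for _addr, value in tx["outputs"]:
        counts[value] += 1
    return len(tx["inputs"]) >= min_parties and max(counts.values(), default=0) >= min_parties


def cluster_addresses(transactions):
    """Common-input heuristic: all inputs of one ordinary transaction are spent by one wallet.
    Returns a mapping from each input address to the frozenset of addresses in its cluster."""
    uf = UnionFind()
    for tx in transactions:
        if not tx["inputs"] or looks_like_coinjoin(tx):   # coinbase or mixing: no evidence
            continue
        first, *rest = tx["inputs"]
        uf.find(first)
        for addr in rest:
            uf.union(first, addr)
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return {addr: frozenset(members) for members in groups.values() for addr in members}


def wallet_of(clusters, addr):
    """Addresses believed to share a wallet with addr (addr alone if never seen as an input)."""
    return clusters.get(addr, frozenset({addr}))


if __name__ == "__main__":
    clusters = cluster_addresses(SAMPLE_TXS)
    for label in "ACDF":
        print(label, "->", sorted(wallet_of(clusters, label)))
```

Real investigations layer further heuristics on top (change-address detection, reuse patterns, exchange deposit addresses) and have to accept that the CoinJoin filter trades recall for precision: leaving it out would wrongly merge A and D through tx4, which is exactly the false link mixing services exist to create.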


Big Smart Brother? How Smart-Cities May Redefine the Right to Privacy in Europe Arthur Laudrain

About the Author: Arthur P.B. Laudrain is an incoming DPhil researcher in cyber security at the University of Oxford and a reserve officer in the French armed forces. He previously read international relations (Montréal, Seoul), war studies (London) and law (Leiden). His research focuses on the relationship between emerging technologies on the one hand, and war, law and power on the other. He contributed in this regard to research projects at both ETH Zurich and NATO Communications and Information Agency.

When it comes to data protection in Europe, the

and ownership. In parallel, smart cities and the

European Union’s GDPR seems to be the focus of

Internet of Things (IoT) are changing the nature,

attention for businesses and scholars alike. This

scale and purpose of data collected by institutions,

article’s premise is that we should not forget the

public or private. Even more so, they are likely to

more fundamental legal framework surrounding

profoundly challenge our conceptions of private

privacy and personal data, and thus suggests to

life, consent to data collection and to ownership by

address the European Court of Human Rights

third-parties. Reconciling these structural changes

(ECHR) through the trendy topic of smart-cities.

to our social lives with the fundamental right to

Indeed, the ECHR has been developing an extensive jurisprudence on the protection of personal data. Their handling, primarily when they relate to individual persons, is restricted in purpose, time 21 • C Y B ER WORLD

privacy will present significant challenges for all stalk holders.








If smart-cities, in their original meaning, merely designated a centralised model of city management which relied on ICT-intensive infrastructures, today’s smart cities are increasingly user-centric. The IoT for the purpose of smart-cities relies mostly on sensors attached to everyday objects, such as cameras, short-range identifiers (RFID/NFC) or geo-locators embedded in pavements, public transports or buildings.

Two major trends in the development of smart-cities affect privacy. As an old technology widely deployed in all major urban infrastructures, CCTV is often one of the first to be upgraded in a smart-city philosophy, and provides an excellent illustration of the phenomenon. The first trend is that sensors and related databases are being more widely shared among different public entities, and within a broader geographic zone. This is the case in Brussels for example, where a centralised command and control centre manages and shares access to all CCTV. This more extensive sharing does not only concern different police sectors, but other public service institutions as well, such as the environment and cleaning service of the Brussels municipality. Such a broader sharing implies de facto a repurposing of both the sensors and the related stored data, and is the likely consequence of better cooperation between public

deploying sensors and databases fitted with artificial intelligence capabilities. As these sensors or algorithms are able to collate these multiple sources of data. This is the case in China, for instance, where CCTV footage is embedded with a face recognition software connected to the national, regional or municipal identification database, but also to

personal public transport check-in data. This trend is made possible by advances in AI technology, and reflects the ubiquity of the IoT. However, this poses a direct risk to the privacy of individuals because of the underlying cross-referencing possibility. The spokesman of an advanced CCTV system manufacturer in China told the BBC in 2017: ‘We can match every face with an ID card and trace all your movements back one week in time. We can match your face with your car, match you with your relatives and people you’re in touch with. With enough cameras, we can know who you frequently

In other words, IoT sensors, when exploited as part of a wide network, are becoming more efficient than smartphones in tracking people’s activities. This statement in itself says a lot. Individuals roughly know what their personal devices’ capabilities are. They know how to, and actually can, turn them off, although it seems even US soldiers trained in operational security (OPSEC) methods massively failed to do it. This level of understanding and ownership is far from given with IoT devices and smart-city infrastructures, and it raises a number of legal issues.

The ECHR is a treaty established in 1950. As of 2017, it consists of 47 High-Contracting parties. The object and purpose of the Convention is to maintain ‘peace and justice’ by setting up a regime of ‘collective enforcement’ of human rights, on the basis of a ‘common heritage […] of ideals’. Because the Convention protects the most fundamental human rights and possesses an independent court, it was described as what comes closest to a ‘European bill of rights’. The Convention is characterised by its strong focus on social and political rights, by the scope of its application (its member-states convene 800 million people) and by its strong enforcement mechanism. The latter rests principally on the ability given to individuals to petition their case to the Court when they have exhausted national remedies.

The Court has taken a teleological approach to the interpretation of the Convention. It stated in 1975 that the Convention’s interpretation must be the ‘most appropriate one’ to further its object and purpose. Accordingly, the Court affirmed in Tyrer v UK, and again more recently in Rantsev v Cyprus and Russia, that the rights protected by the Convention must be understood and interpreted in light of ‘present-day conditions’. This doctrine was coined as dynamic interpretation. The first and foremost impact of dynamic interpretation is that it extends the reach of the rights protected by the Convention over time. In such an ‘anti-textualist’ and ‘anti-originalist’ approach, the process of interpretation leads to the discovery of new grounds of application of human rights, as societies change. Some usages and values that were predominant in 1950 are today either unacceptable or non-existent. High-profile cases for which rulings were influenced by society’s evolution addressed topics such as children born out of wedlock, corporal punishment or the criminalisation of homosexual behaviour. If the Court was to interpret the Convention stricto sensu in its 1950 context, achieving the Convention’s purpose today would be of considerable difficulty.

DATA PROTECTION AS A HUMAN RIGHT

The Convention provides for the right to respect for four distinct interests: one’s private life, family life, his or her home and correspondence. These interests may be subject to interferences by public or private entities to the extent that they are justified and that there exist sufficient safeguards in the domestic legal order. The Court stated that the scope of private life could not be ‘susceptible to an exhaustive definition’. Nonetheless, it developed an open scope that can encompass ‘multiple aspects of the person’s physical and social identity’. Notably, the Court determined that private life cannot be restricted to a certain geography or social circle. Rather, the

right to private life includes a wide-ranging ability to ‘develop relationships with other human beings’ for the ‘fulfilment of one’s own personality’ or for other purposes such as business. Consequently, the scope of private life goes much beyond one’s home or personal devices.

As opposed to the EU Charter, the Convention does not dedicate an article to personal data. However, the Court has developed an extensive case-law record addressing the issue. It ruled in 2008 and reaffirmed in 2014 that protection of personal data is a fundamental requirement for an individual to enjoy his or her right to private and family life, thus enshrining data protection within the meaning and scope of article 8.

First, we may have to collectively rethink our approach to personal data and consent to their collection. IoT devices and infrastructures that make a smart city are meant to be invisible and forgotten. They will be present in such a comprehensive and integrated fashion with private and public services that individuals will gradually lose the freedom to choose whether to expose themselves to them. Choosing not to would prevent people from living a normal life, i.e. not being able to use public transport. Indeed, today we can hardly decide to live without regular internet access, which has become an essential part of one’s private and professional activities and as such, is considered a basic human right in a number of countries such as France. In consequence, we may have to consider moving towards a context-based consent, where consent would be assumed or not, depending on the situation.

Second, the increasing number of the sources and variety in the nature of data collected is expected to bring tremendous value to their collation and cross-analysis, better known as big data analytics. The processing of data outside of the entity that collected it forecasts a trend of wider sharing and repurposing of personal data, both of which require specific consent and procedural safeguards under the principles of necessity and legality.
Finally, and consequently to both previous issues we highlighted, it is likely we will need to rethink the current binary notion of public and private spaces. In Von Hannover v Germany, the Court found that even public figures can benefit from reasonable expectations of privacy in public spaces, outside of their professional activities. Thus, these expectations should benefit private individuals at least at an equal level, if not a higher one. This approach seems justified, as the line between public and private spaces collapses, both online and in the real world. Parallels can notably be drawn with social media, where some spaces are open (public) and others can be restricted to friends or followers.

CONCLUSION AND OPENING

The dynamic interpretation doctrine adopted by the Court implies that the scope of the right to privacy is redefined as society evolves. As usages of technology evolve, but also as moral values and expectations of ethical standards evolve, so does the scope and meaning of the right to privacy. The substantial widening of the right to access to information is only the latest example in a long trend among the case-law record.

These evolutions in societal usages and values can thus bring new obligations to states, positive or negative, enlarging the scope of the right in scale and nature that could not have been foreseen by the Convention’s drafters nor by states when they ratified it. The scope of the right to privacy is thus potentially ‘limitless’. Smart-cities will likely require data protection specialists and human rights scholars to take a fresh approach to founding principles of privacy. This will undoubtedly impact not only citizens across Europe, but also businesses around the world that rely on their data.

Disclaimer: The views expressed are exclusively those of the author. This article was produced and adapted from an academic work in progress at Leiden Law School, Netherlands. For brevity and clarity, referencing may fall short of academic standards. As a result, this article should not be considered as scientific writing.

Arthur P.B. Laudrain
Incoming DPhil Researcher
University of Oxford

China – The Real Cyber Threat?

ALL ROADS LEAD TO RUSSIA

Since Donald Trump became President, one can’t open a webpage or turn on the news without hearing “Russia” and “hacking” in the same sentence… and with good reason. In mid-February, Trump’s own national security advisor, H.R. McMaster was forced to admit Russian meddling in the 2016 election was “incontrovertible” and Robert Mueller charged thirteen Russian nationals and three Russian entities with interfering with the election. Whatever the outcome of the Mueller Investigation, Trump’s doth protest too much misdirection and self-incriminating Russia-related Twitter meltdowns mean suspicious eyes will continue to gaze only as far east as Moscow. Which is exactly what the Chinese want.

Vast, rugged and clouded in secrecy, China has been largely inaccessible ever since emperor Qin Shi Huang protected its citizens from attack behind The Great Wall two thousand, two hundred years ago. Nowadays, China’s online population of 731 million are ‘protected’ by the world’s largest censorship and surveillance system, The Great Firewall or Golden Shield Project. Chinese netizens receive a highly restricted Internet which doesn’t include access to Google, Facebook, YouTube or Twitter without a VPN. These strict censorship laws make getting facts, figures and reliable information out of the country difficult, but it’s not only Chinese policy that makes reporting troublesome. The West, and in particular The United States, continues to dictate the narrative that China is a boogeyman intent on taking over the world.

In a January 2018 interview with the BBC’s security correspondent, the Director of the CIA, Mike Pompeo stated that China is “as big a threat to the US (as Russia)” and “We’ve seen Chinese cyber attacks throughout the world.”

To understand the future, we must first look to the past. Hacking is inextricably linked with political events, and Chinese hackers’ first known cyberattack came in 1999 after the U.S. bombed the Chinese embassy in Belgrade, Kosovo killing three Chinese reporters. Patriotic hackers planted messages denouncing “NATO’s brutal action” on several U.S. government websites including the White House. CNN reported a brewing cyberwar. In the same year, the government launched DDoS attacks against foreign websites associated with Falun Gong, a spiritual movement banned in China. Then, in 2001, after a mid-air collision killed a Chinese fighter pilot and led to the forced landing and detention of the American crew, Chinese hackers defaced thousands of U.S.-based websites with cyber graffiti, including the White House. The New York Times monickered this web-terrorism “The First World Hacker War”.

cyberespionage became alarmingly apparent: A series of cyber intrusions - usually masked by proxy, zombie computer, spyware/virus infected malware with code-names like “Titan Rain”, “Byzantine Hades” and “GhostNet” were traced back to computers in China.

Between 2003 and 2007, the “Titan Rain” hackers, thought to be associated with the Chinese army, invaded and stole sensitive data belonging to The Pentagon, Britain’s Ministry of Defence and U.S. Department of Defense contractors.

In 2010, “Operation Aurora”, an ultra-sophisticated Advanced Persistent Threat by The Elderwood Group, who has ties to the People's Liberation Army, used unprecedented tactics that combined encryption, stealth programming and a zero-day vulnerability in Internet Explorer. These targeted attacks on corporate infrastructure hit at least 34 companies in the tech, financial and defence sectors including seeking source code from Google and Adobe.

Back-and-forth attacks continued for a decade as Chinese hackers stole intellectual property and government secrets including designs for military weapons systems and the advanced F-35 stealth

Something had to be done, and relations between America and China improved in 2013 when Presidents Obama and Xi Jinping shook hands across the Pacific. President Xi claimed the talks as “a new historical starting point.” But all good things come to an end, and in 2014 hackers working for the Chinese state twice breached the Office of Personnel Management’s (OPM) computer system, compromising the personal data of 22 million federal employees.

Obama and Xi Jinping met again in 2015, and the two nations reached an official Cyber-Agreement to stem cyber espionage, curb the theft of intellectual property, agreed that their governments would not conduct or knowingly support cyber-enabled theft of business secrets and set up channels for cyber

China arrested hackers from Shanghai-based hacking group Unit 61398 in connection to the OPM intrusion, but American-Sino cyber relations soured and have never truly recovered. Indeed, American cyberintelligence firm CrowdStrike’s 2015 Global Threat Report identified “dozens of Chinese adversaries targeting business sectors… and 28 groups going after defense and law enforcement systems alone.”

As with all forms of warfare, weaponry and tactics evolve fast. In addition to the traditional malware, trojans, worms, logic bombs, DDoS attacks and zero-day exploits, China is coming up with ingenious new ways to hack. By turning their existing







it's not just governments, security agencies and cyber analysts that will be affected, but also tech corporations and Android-based smartphone users on the street; like you and me.

The last six years has seen Huawei Technologies grow to become the largest telecoms equipment manufacturer in the world. The Shenzhen-based company produces more smartphones than Apple and its founder and CEO, Ren Zhengfei, just so happens to be a former officer and engineer in the People's Liberation Army; effectively an arm of the Chinese government. As a result, the NSA believes the Chinese may have installed backdoors in Huawei equipment, enabling it for surveillance. In mid-February 2018, the heads of five other major US intelligence agencies including the CIA and FBI warned American citizens against products and services from Huawei and ZTE. FBI Director, Christopher Wray also told Congress the company’s products “provide the capacity to conduct undetected espionage."

If the idea of your Android-based smartphone spying on you for the Chinese government sounds far-fetched, malware has also been found loaded on Xiaomi, Lenovo and other Chinese smartphones. In 2016, mobile security firm Kryptowire uncovered Chinese-authored malware on as many as 700 million budget Android devices. Hidden in a benign support app, the pre-installed, third-party software would covertly send call history, text messages, contact lists, location data and other sensitive information to a server in Shanghai every 72 hours to “tailor advertising to users.”

In late 2017, three Chinese nationals Wu Yingzhuo, Dong Hao, and Xia Lei, who worked for Chinese cybersecurity firm, Boyusec, were charged with

networks at Moody's Analytics, Siemens AG and Trimble Inc.

Boyusec, it turns out, and hacking group APT3 are one and the same, and an internal report by The Pentagon's J-2 Intelligence Directorate identified Boyusec and Huawei as working together to produce security products that could allow Chinese intelligence to remotely steal data from phones and

While Huawei is banned from competing for US Government contracts, China’s huge telecoms

the country could already be exploiting huge cybersecurity flaws/backdoors in every device it manufactures. Defensively, China is ahead of the rest of the world, too. The Great Firewall can act as a forcefield, redirecting inbound internet traffic to attack sites as it did in 2015 when Github and GreatFire experienced the largest DDoS attacks in their history, the latter receiving 2.5 billion spoof requests per hour. China also has a new Cybersecurity Law, which came into effect in June 2017. Compliance rules now require network operators to store personal data on domestic servers (within The Great Firewall) and allow authorities to conduct mandatory spot-checks on a company’s network operations. Beijing asserts the law is intended to bring China in line with European and American cybersecurity and data management best practices. But with companies such as Apple migrating local users’ encryption keys to local server farms on Chinese soil, all those mandatory data requests, together with China's repressive legal environment, could make government snooping that much easier.


SIX OF ONE AND HALF A DOZEN OF THE OTHER

For all this talk of Chinese aggression, let’s not forget that cyber espionage works both ways. In addition to dealing with the USA, China also faces the same attacks from North Korea, the Middle East and probably Russia as the rest of the world... despite President Xi having a bilateral cyber non-aggression pact with Putin. Chinese Internet security company Qihoo 360 stated the 2017 WannaCry ransomware attack had infected close to 30,000 Chinese organisations. Between January and October 2016, China was hit by 17.5 million cyber attacks, most of them Trojan viruses and bots from the United States, according to the National Computer Network Emergency Response Technical Team and Coordination Center, the country's top security risk-monitoring authority.

China isn’t the only party guilty in this spiral of mistrust. Edward Snowden’s 2013 intelligence leaks underscored the sophistication and extent of internet surveillance by the United States and its allies against targets worldwide, including China.

WILL THE REAL CYBER THREAT PLEASE STAND UP?

In the aforementioned BBC interview, America’s spymaster general, Mike Pompeo gleefully states “We are the world’s finest espionage service, I’m incredibly proud of that. We’re going to go out there and do our damnedest to steal secrets” while China’s People’s Daily newspaper has described the United States’ accusations as “a thief crying ‘stop thief!’”

The fact of the matter is, the USA engages just as aggressively in cyber campaigns; we just don’t hear about it because of China’s secrecy and the fact that, like it or not, we are unwitting slaves to our mainstream media outlets.

Is China really an existential threat or is this cyber warfare the new face of creating a necessary boogeyman; a continuation of the paranoia and political muscle-flexing that’s been going on for decades?

Until this cyber arms race turns from an ideological war to a real war in The United States via a cyber Pearl Harbor or death by a thousand cuts by China, it will be difficult to say... especially if you’re Donald Trump. In the meantime, we netizens in the west should just keep buying more Chinese-made Internet of Things (IoT) connected devices... and hope we don’t hear Chinese whispers coming from our widescreen televisions anytime soon.

Secgate Research & Innovation


Intelligent Cyber Defence

Forest Tree


Forest Tree

A pioneering solution that empowers your functional teams to safeguard your enterprise.

The big data solution to network and data discovery, event detection and generating knowledge from your network to support your operational, compliance and security needs. Forest Tree enables you to make decisions based on real data from your network whether those decisions involve operational, security or compliance objectives.

This solution shows you a comprehensive analysis of network traffic to identify and catalogue events in your organisation in real time.

Our solution uses groundbreaking machine learning capabilities to bring insights on system and user behaviours enabling decisions to be made holistically. It risk-rates behaviours enabling unusual activity to be flagged to your operational teams. This solution learns and alerts you.

Forest Tree provides dashboards for IT operations, security and compliance teams that show the risk-rated activity and highlight individual high-risk communications. It provides the capability for teams to interrogate the database to investigate suspicious or unusual activity. This solution answers all your questions.

With all network activity captured and tools for making queries, Forest Tree gives you the ability to demonstrate your compliance to policies and regulations and to prepare reports as required. This solution is your organisation’s “Black Box”.

Forest Tree gives transparency to your business teams, seeing the same picture of the real activity passing across your network enabling appropriate business level responses. This solution enables cross-functional understanding.


Forest Tree

A holistic solution designed to protect and serve your business needs

Forest Tree provides information about data and communications in your network allowing full visibility of activity from your systems. Operations staff can extract data to create inventories of your entire estate and its behaviour dynamically. It can be used to identify end-user computing, data transfers to cloud providers and other third parties. Forest Tree can bring you visibility of services that are outside the control of your systems management solutions.

Security

Forest Tree produces risk-rated assessments of all network activity, facilitates inspection down to packet level for security operations teams and provides security dashboards for management. Connections and data transfers can be approved so that they aren’t continuously flagged for attention. We use machine learning to characterise user behaviour and can identify when a user deviates from the norms for their role or is inconsistent with their peers. Forest Tree works with unstructured data within emails and attachments as well as structured data, providing the widest coverage of data traversing your network.

Group Functions

Forest Tree supports Group functions who can have the same visibility of dashboard information and thus have transparency between operations and policy and compliance departments. Some examples of use cases include:

● Is user behaviour changing, which users are not complying with policies?
● Are you in compliance with policies and regulations?
● Is the total risk score reducing in line with your plan?




Forest Tree

Designed for humans; engineered for networks

Performance engineered. Our solution is built to meet the needs of even the most sophisticated networks. Everything from the detection of events through to the generation of reports has been developed by our engineers to ensure speed and scalability. Our Core engine has been implemented and tested on networks that operate at one terabit per second — processing the entire network traffic, with zero packet loss, all in real time. Our solution is linearly scalable; we maintain our high performance on networks of any size or complexity.

Delivers certainty. Business decisions require accuracy. Our entire product has been developed and tested to ensure that you know exactly what actions are happening within your network at a given point in time. Its ability to act as a “black box” on the network, recording network activity for later investigation, gives certainty to your forensic investigations and incident reports. We help ensure your leadership are informed on any incidents before regulators and reporters approach them.

Built for people. Every part of our solution has been designed in consultation with security analysts, incident responders, penetration testers and CISOs to ensure that it is as efficient and as effective as possible. The user experience has been carefully considered to ensure that analysts can get to the features they need quickly, and the dashboards have been designed to ensure that each analyst is presented with the data they need to be able to perform their job. We work continuously with industry professionals to ensure our product meets the operational needs of security teams.



Forest Tree

A defence-grade cyber security product, Forest Tree is a patented advanced Cyber Security solution that allows organisations to monitor and understand the content and context of each electronic communication channel.

Contact us for a demo at:

The UK National Cyber Security Strategy – One Year On Talal Rajab

About the Author: Talal Rajab is the Head of Programme for techUK’s Cyber and National Security programmes. He manages strategic relationships between Government and industry members on cyber and national security issues, in particular through the Cyber Growth Partnership. He leads techUK’s work on the Investigatory Powers Bill.

2017 was the year that cyber truly entered the public consciousness. From WannaCry to the cyber attack on the Houses of Parliament, high profile cyber attacks showcased just why the UK Government had doubled its investment in cyber security from £850m to £1.9bn in an ambitious strategy that aimed to make the UK the most secure place to live, work and do business online. One year on, it is clear to see why the strategy continues

as world-leading

governments around the world. For example, take the work of the National Cyber Security Centre (NCSC) which, in its first year, responded to 590 significant cyber-attacks across the UK. The resources and expertise behind the NCSC are clear signs of the seriousness with which government takes cyber security. The government is also already concluding some of the objectives contained within the strategy, such as the “Secure by Default” project, which is concluding in March with the publication of a report and Code of Practice for manufacturers of consumer IoT products and services.

Furthermore, a number of “cyber growth” initiatives have also been kicked off by the Department for Digital, Culture, Media and Sport (DCMS) in order to grow the number of UK cyber security companies. From the Cheltenham Innovation Centre to the Cyber 101 Bootcamps, it is clear that the Government sees our best defence to the cyber threat as growing UK cyber capabilities.

This is even more important as the regulatory framework for cyber changes this year, with the General Data Protection Regulation (GDPR) and Network and Information Systems Directive (NIS) due to come into effect in May 2018. It is clear that UK businesses will need to raise the bar in terms of their response and resilience to the threat, or face the prospect of significant fines for non-compliance.

All of this progress is encouraging – though more could be done to highlight these initiatives to businesses across the country and ensure that efforts are joined up. Whilst it is far too early to entirely judge the National Cyber Security Strategy with three years still to go, it is good to see 2018 start with the same momentum from government, helping businesses and individuals meet the growing challenges that cyber security brings.

Talal Rajab
Head of Programme
Cyber and National Security

Poker and Security Leron Zinatullin

About the Author: Leron Zinatullin is an experienced risk consultant, specialising in cyber security strategy, management and delivery. He has led large-scale, global, high-value security transformation projects with a view to improving cost performance and supporting business strategy. He has extensive knowledge and practical experience in solving information security, privacy and architectural issues across multiple industry sectors. Leron is the author of The Psychology of Information Security. His website can be found at:

Good poker players are known to perform well under pressure. They play their cards based on a rigorous probability analysis and impact assessment. This sounds very much like the sort of skills a security professional might benefit from when managing information security risks.

What can security professionals learn from a game of cards? It turns out, quite a bit. Skilled poker players are very good at making educated guesses about opponents’ cards and predicting their next moves. Security professionals are also required to be on the forefront of emerging threats and discovered vulnerabilities to see what the attackers’ next move might be.

At the beginning of a traditional Texas hold’em poker match, players are only dealt two cards (a hand). Based on this limited information, they have to try to evaluate the odds of winning and act accordingly. Players can either decide to stay in the game – in this case they have to pay a fee which contributes to the overall pot – or give up (fold).

Security professionals also usually make decisions under a high degree of uncertainty. There are many ways they can treat risk: they can mitigate it by implementing necessary controls, avoid, transfer or accept it. Costs of such decisions vary as well.

Not all cards, however, are worth playing. Similarly, not all security countermeasures should be implemented. Sometimes it is more effective to fold your cards and accept the risk rather than pay for an expensive control. When the odds are right, a security professional can start a project to implement a security change to increase the security posture of a company.

When the game progresses and the first round of betting is over, the players are presented with a new piece of information. The poker term flop is used for the three additional cards that the dealer places on the table. These cards can be used to create a winning combination with each player’s hand. When the cards are revealed, the player has the opportunity to re-assess the situation and make a decision. This is exactly the way in which the changing market conditions or business requirements provide an instant to re-evaluate the business case for implementing a security countermeasure.

There is nothing wrong with terminating a security project. If a poker player had a strong hand in the beginning, but the flop shows that there is no point in continuing, it means that conditions have changed. Maybe engaging key stakeholders revealed that a certain risk is not that critical and the implementation costs might be too high. Feel free to pass. It is much better to cancel a security project rather than end up with a solution that is ineffective and costly.

However, if poker players are sure that they are right, they have to be ready to defend their hand. In terms of security, it might mean convincing the board of the importance of the countermeasure based on the rigorous cost-benefit analysis. Security professionals can still lose the game and the company might get breached, but at least they did everything in their power to proactively mitigate

It doesn’t matter if poker players win or lose a particular hand as long as they make sound decisions that bring desired long-term results. Even the best poker player can’t win every hand. Similarly, security professionals can’t mitigate every security risk and implement all the possible countermeasures. To stay in the game, it is important to develop and follow a security strategy that will help to protect against ever-evolving threats in a cost-effective way.

Leron Zinatullin is the author of The Psychology of Information Security.

Leron Zinatullin
Security Architect
Technology Risk Consulting


FUTURE LEADERS: Amy Ertan

What Should You Pay to Protect Your Data? The Economics of Information Security

About the Author: Amy Ertan is a PhD student in Cyber Security at Royal Holloway (University of London), while also working as a Strategic Threat Intelligence analyst with Barclays. Her research focuses on interdisciplinary approaches to cyber security, including international relations and military defence studies, as well as behavioural and applied economic theory. Amy is excited to promote interdisciplinary approaches to cyber security alongside greater collaboration between academia and industry organisations.

A CISO’s primary duty is to protect his/her organisation’s data. The past year has seen an increase in the frequency of major cyber incidents, including evolving malware, DDoS, social engineering and supply-chain attacks. These events serve as a serious warning to organisations that cyber security investment is essential to protect their assets, regardless of their size.

Cyber security investment is generally viewed as essential to protect an organisation’s assets. If the organisation holds valuable data (for example, customer PII or sensitive commercial information), we might expect a range of controls to be put in place, from employee training and risk management strategies to network monitoring, up-to-date firewalls and breach mitigation products. The difficult question is therefore: what is the ‘right’ amount to invest to protect a given data-set? How do you know if you’re investing too much, or too little? Leaders in organisations often have little to go on when determining the optimal amount to invest in cyber security, which needs to be more than an intuitive (and therefore subjective) exercise.

Two academics at the University of Maryland, Lawrence Gordon and Martin Loeb, have developed an economic framework to help answer this question. They found that the optimal amount of investment should only be a ‘small fraction’ of the expected monetary loss following a data breach (and estimate the optimal figure at around 37% of an expected loss). They also found that beyond a certain expected level of loss, extra investment provided increasingly limited additional protection benefits. Their model has become one of the most prominent frameworks within the economics of security investment.

The Gordon-Loeb model simplifies the issue of data-protection investment with several assumptions: functions are smooth and well-behaved; a single threat is examined at a time; as investment in security increases, the information is made more secure (albeit with diminishing returns). This allowed them to reduce the problem to three variables: the monetary loss of a breach, the probability of a threat occurring, and the vulnerability (the probability that an attack on a data-set will be successful).

The model leads to some counterintuitive results:

1. An increase in vulnerability does not (necessarily) [...] investment. In these cases, firms may be better off protecting midrange vulnerabilities instead of the highest vulnerabilities.

2. A firm should spend only ‘a small fraction’ of the expected loss resulting from a security breach. The relationship between investment and vulnerability is not necessarily linear, as one might expect (shown in diagram 1 below). Indeed, at a certain point extra investment ceases to have any effect whatsoever. Consequently, we can see in diagram (2) that where a loss due to a vulnerability is very low, towards the left of the chart, the investment costs may outweigh the value of the data, and therefore not make sense to implement. In contrast, as the loss associated with the vulnerability (vL) goes beyond a certain point, the optimal investment level decreases as the required investment levels do not deliver the required levels of security. In other words, Gordon and Loeb argued that for extremely vulnerable datasets, it would be ‘inordinately’ expensive to sufficiently protect the vulnerability from an attack.

(1) Ideal level of investment in company computer security, given decreasing incremental returns (Gordon and Loeb, 2016)

(2) Optimal value of security investments as a function of vulnerability (Class II). ‘v(L)’ is the loss associated with a vulnerability. (Gordon and Loeb, 2002)

The Gordon-Loeb model and findings suggest that organisations would instead be better-positioned by focusing on the ‘midrange’ of vulnerabilities, rather than the most expensive cases. Additionally, and in accordance with Fig 1, the amount invested should only be a small fraction of the vulnerability in question.
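The numbers behind diagram (2), as an added worked example that is not part of Amy Ertan’s article and is not Gordon and Loeb’s own code. It uses the Class II security breach probability function S(z, v) = v^(αz+1) from Gordon and Loeb (2002), with the loss L, the vulnerability v and the investment z as named in the text, and reproduces two of the results above: the optimal investment z* never exceeds 1/e (about 37%) of the expected loss vL, and for the most vulnerable data-sets it falls back to zero. The values of L and α, and the grid used to cross-check the closed form, are assumptions made for illustration.

```python
"""Gordon-Loeb optimal investment for the Class II breach-probability function.

Added example (not from the article): models the quantities the text names
(loss L, vulnerability v, investment z) and reproduces the two results the
text describes: the 1/e (~37%) cap on spending, and the fall-off of optimal
investment for highly vulnerable data (the shape of diagram 2).
"""
import math

# Assumed parameter values (constructed for illustration, not from the article).
# alpha is the Class II "productivity" parameter of the Gordon-Loeb model,
# scaled so that investment is measured in the same currency units as loss.
LOSS = 1_000_000.0       # L: monetary loss if the data-set is breached
ALPHA = 1e-5             # alpha: productivity of each currency unit invested
ONE_OVER_E = 1 / math.e  # Gordon-Loeb upper bound on z* / (v * L)


def breach_probability(z: float, v: float, alpha: float = ALPHA) -> float:
    """Class II security breach function S(z, v) = v ** (alpha * z + 1).

    With no investment (z = 0) it equals the vulnerability v itself; as z
    grows the probability falls towards 0 with diminishing returns.
    """
    return v ** (alpha * z + 1)


def expected_net_benefit(z: float, v: float, loss: float = LOSS,
                         alpha: float = ALPHA) -> float:
    """ENBIS(z) = (v - S(z, v)) * L - z: expected loss avoided, minus cost."""
    return (v - breach_probability(z, v, alpha)) * loss - z


def optimal_investment(v: float, loss: float = LOSS, alpha: float = ALPHA) -> float:
    """Closed-form z* that maximises ENBIS for the Class II function.

    Setting d ENBIS / dz = 0 gives v ** (alpha z + 1) = -1 / (alpha L ln v),
    hence z* = (ln(-1 / (alpha L ln v)) / ln v - 1) / alpha. ENBIS is concave
    in z, so when that expression is negative the optimum is the corner
    z* = 0: spending anything costs more than it saves.
    """
    if v <= 0.0 or v >= 1.0:
        # v = 0: nothing to protect; v = 1: S(z, 1) = 1 whatever is spent.
        return 0.0
    ln_v = math.log(v)
    z_star = (math.log(-1.0 / (alpha * loss * ln_v)) / ln_v - 1.0) / alpha
    return max(0.0, z_star)


def grid_search_optimum(v, loss=LOSS, alpha=ALPHA, steps=2000):
    """Brute-force cross-check of the closed form: best z on a grid over [0, L]."""
    step = loss / steps
    return max((i * step for i in range(steps + 1)),
               key=lambda z: expected_net_benefit(z, v, loss, alpha))


def within_gordon_loeb_bound(v, loss=LOSS, alpha=ALPHA):
    """True if z*(v) respects the 1/e cap on the expected loss v * L."""
    return optimal_investment(v, loss, alpha) <= ONE_OVER_E * v * loss + 1e-9


def investment_curve(vs, loss=LOSS, alpha=ALPHA):
    """z*(v) for each vulnerability in vs: the curve of diagram (2)."""
    return [(v, optimal_investment(v, loss, alpha)) for v in vs]


def peak_vulnerability(vs, loss=LOSS, alpha=ALPHA):
    """The vulnerability at which optimal investment is highest."""
    return max(investment_curve(vs, loss, alpha), key=lambda p: p[1])[0]


if __name__ == "__main__":
    vs = [i / 20 for i in range(1, 20)]  # v = 0.05 ... 0.95
    for v, z in investment_curve(vs):
        print(f"v={v:.2f}  expected loss vL={v * LOSS:>10,.0f}  "
              f"z*={z:>10,.0f}  z*/vL={z / (v * LOSS):.3f}")
    print("peak optimal investment at v =", peak_vulnerability(vs))
```

Run as a script it prints z*(v) for v from 0.05 to 0.95: the ratio z*/vL stays below 1/e throughout, the investment peaks at a midrange vulnerability (v = 0.75 for these parameters) and drops to zero for the most vulnerable data-sets, which is the non-linear shape the article describes. The grid search is there only to confirm the closed-form optimum; swapping in a different breach function (Gordon and Loeb’s Class I, or the variants Willemson studies) changes the curve, so the 37% figure is a property of the model, not a budgeting rule.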

No-one is suggesting entering your manager’s office tomorrow to demand security investment matches 37% of an expected loss. Context and nuance vary widely, loss is not just measured in monetary terms, and ultimately the real world is never going to fit into a model, no matter how sophisticated it may be. Gordon and Loeb are the first to point out the limitations and assumptions within their work, such as the assumption that functions are smooth. This discounts real-world practice where fixed costs exist and discrete amounts of investment are required. Furthermore, these findings obviously don’t affect CPNI and critical functions, where information security managers don’t have the luxury of accepting risk as part of their budget considerations. Gordon and Loeb conclude with a call for further research, highlighting open questions and various opportunities to refine the framework. Indeed, Willemson (2006) subsequently tweaked assumptions within the Gordon-Loeb model to demonstrate how in some cases, an optimal level of investment may be 50% of an expected loss, even approaching 100% in extreme constructions.

Nonetheless, the model has immense value in challenging default assumptions within an organisation’s security function: that bigger is always better, and you can never pour too much money into protecting the organisation’s assets. In the very realistic context of limited resources, budget restrictions force security functions to prioritise, and this model takes this broad goal, delivering an excellent starting point for further research on information security investment.

LEARN MORE:

1. [Book] Managing Cybersecurity Resources: A Cost-Benefit Analysis, Gordon and Loeb, 2005 print (Practical, aimed at practitioners)

2. [Academic Article] Gordon, Lawrence A., Martin P. Loeb, and Lei Zhou. "Investing in cybersecurity: Insights from the Gordon-Loeb model." Journal of Information Security 7.02 (2016): 49 [Accessible, earlier version published 2002, some maths]

3. [Academic Article] Willemson, J., 2006, June. On the Gordon & Loeb Model for Information Security Investment. In WEIS. [Intermediate maths]

Amy Ertan, Strategic Threat Intelligence Analyst, Barclays

RISING STAR INTERVIEW: Steven Thomson

About the Author: Steven Thomson leads the security operations centre (SOC) for IT Lab, as well as the managed SOC service for their clients, and is based in Manchester. He is currently reading for an MSc in Advanced Security & Digital Forensics at Edinburgh Napier University, one of only six fully certified GCHQ MSc programmes, whilst also studying for an MBA. His journey into the cyber security field was (some would say) unconventional, but his passion for cyber security flourished throughout his early career, eventually securing his first cyber security role with KPMG.


I have been at IT Lab since November 2017, so only a short period of time really. However, I have already been instrumental in maturing the SOC service and helping to grow the team. The SOC is moving to a dedicated new office space at Lowry Mill, just on the outskirts of Manchester city centre, in the coming weeks, and so I’ve had the pleasure of being heavily involved in scoping the new SOC. It is an exciting time at IT Lab, and I am so very privileged to be a part of the IT Lab family, and honoured they are entrusting me with leading their SOC service. I have responsibility for creating the governance strategy and policies for the SOC, incident response (IR) processes and run/playbooks. I also lead the design and implementation of the monitoring architecture and SOC tools required to successfully identify and investigate security incidents on internal and external (client) networks, contain identified incidents, and then remediate and recover from those incidents. However, I am also very much involved with the technical, hands-on, business-as-usual tasks in the SOC, such as incident response, vulnerability management, cyber threat intelligence and forensic analysis. I also have responsibility for managing the teams involved, designing the respective programmes, internally to IT Lab and externally with our clients. It is this hybrid responsibility that I find so engaging and which makes my day-to-day much more varied and exciting.

I am very passionate about cyber security, and I enjoy channelling this passion into developing and mentoring others, with the aim of ensuring the SOC team remain fit-for-purpose, agile and a responsive cyber unit. This passion to give back to the cyber security community inspired me to set up a DFIR & SOC Mastermind Group, for my peers in the same field and those wishing to get into cyber security, to create an informal environment where we can learn from one another. You can join this growing group here.

WHAT MADE YOU CHOOSE A CAREER IN CYBER SECURITY?

I have been involved in cyber security, in some form or other, for almost 4 years now. I have always had a passion for technology and so once I had graduated from university, my cyber journey started when I joined the NHS as an IT Helpdesk Technician. It is there that I kind of “fell into” cyber security, as I happened to mention my interest in it to one of my managers who was more than happy to give me the opportunity to get involved with updating the Trust’s Information Security Management System (ISMS). My first foray in information security was an interesting side project from my day-to-day role and gave me experience of developing the ISMS and experience with the ISO27001 and IEC80001 frameworks. I found this experience really interesting, and every role I have secured since has given me the opportunity to keep involved with cyber security.

Following on from the NHS I moved into the hospitality sector, where I was able to get to grips with the PCI DSS security standard. I was given the responsibility of conducting regular vulnerability scans, and remediating any shortcomings the scans highlighted in the business’s security controls to ensure compliance with the standard. From here, I was keen to pursue a role that was solely focused on cyber security; however, being only a novice I found it difficult to find a role that didn’t require years of experience. I then decided I needed to take a different approach. Rather than applying directly for cyber security roles (as I wasn’t having much success), I was going to try and secure a role I had experience in (IT support) for a company that also employed people in cyber security roles in the hope that my passion for this area would shine through and I could eventually move laterally within that business. My plan worked, and along came my opportunity with KPMG where I was first employed as a Technical Engineer. As with my previous roles, I took on extra responsibilities and projects, all with a cyber security focus, which highlighted my enthusiasm and passion for the subject to my colleagues. I was then given the opportunity to join the Risk Consulting’s regional Cyber team in Manchester, and I haven’t looked back since!

It has absolutely got to be the variety of issues thrown up daily and the fact that no two days are ever the same. This presents its own challenges, but it is these daily challenges that keep me working in cyber security and make it so interesting. I feel that I am constantly learning and developing every day, and this fulfils my need to always continue improving myself to become the best that I can be. Cyber security fuels my desire to be my best self and I feel that in the current climate there are ample opportunities to feed back into the community and volunteer my time to helping others achieve their [...]

In my current role I have the responsibility of recruiting talent into the SOC team, and in the current skills-shortage climate, it is very difficult to find the right mix of talent, with the required skillset, together with the matching culture fit for our organisation. To try and overcome this challenge I very much focus on competencies and transferable skills and the candidate must show a true passion for wanting to be in cyber security. I chose to focus on these areas because you can train a candidate to have the required skills, but it is difficult to change a candidate’s personality and how they think. Also, I think back to when I was trying to break into my first cyber security role, and the difficulties I had; all you want is for someone to take a chance on you so you can prove yourself, and so, as long as I can see the passion, enthusiasm and drive for cyber security in the candidate, they don’t necessarily have to have all the experience with the toolsets required for the role, because I know the right candidate will learn, develop and pick up those skills quickly once in their dream role. The challenge is finding these candidates and giving them the confidence to apply.

The second challenge is keeping pace with the evolving cyber security landscape. Adversaries are constantly changing their tactics, techniques and procedures (TTPs) to circumvent security controls and so as a cyber defence specialist this is a constant battle to ensure that we are prepared to deal with any security incident. The adversary must only get it right once in order to breach a network, but as a cyber defender you must be right all the time in being able to successfully defend it. It is this dichotomy that confirms the cyber security cliché of “when, and not, if, you will be breached”, and so the challenge is ensuring that you are prepared for when you are breached, and then being able to minimise the impact the breach has on the entity affected. Then you must be able to learn from how the breach occurred, so you can improve and develop in readiness for next time, when the adversaries will have evolved their TTPs.

I am still very much in the early stages of my career, so it is hard to identify a specific highlight as I have had an incredible journey so far. For me, it has probably been the many opportunities I have been given to be involved in cyber security by a diverse range of people who must’ve seen something in me for them to entrust me with this responsibility. I specifically enjoyed one engagement I had at KPMG, involving a regional retailer that had suffered a ransomware attack. The engagement really gave me a brutal insight into the challenges organisations face from being unprepared for a malware incident like this. I took great satisfaction from being able to advise the client on how to improve their cyber maturity to reduce the risk of re-occurrence and lessen the impacts should they experience another breach. The highlight for me though was the positive recognition from the client and their gratefulness for the advice given. It is helping clients truly understand the cyber security risks, and how to overcome (or reduce) them, that gives me the greatest satisfaction.

There are many people who have influenced me and my career to date, and for various reasons. On an academic level, one of my lecturers on the MSc in Advanced Security & Digital Forensics, Professor Bill Buchanan, has been a huge influence (unbeknownst to him) and he inspired me to apply to this specific master’s programme after I experienced his presentation at CRESTcon & IISP Congress 2016. He is truly passionate about what he teaches. I was overjoyed when Bill was awarded an OBE in the 2017 Birthday Honours list, as I feel it is a very well-deserved award. Other influences have been Sion Lloyd-Jones and David Cousins at KPMG, who took me under their wing and mentored me in my first cyber security focused role, for which I am very grateful. I also have to mention Matthew Hickling (Head of IT at NWTC), Stephen Deacon (Head of IT at Warrington & Halton NHS Trust) and Chris Bellfield (Team Lead Technical Engineer at KPMG), who all gave me opportunities to explore cyber security topics and projects, and then allowed me to continue that journey by wishing me well for the next stages of my career.

I’d like to think that I could become a CISO in a FTSE 250 company at some stage, or achieve Director level within one of the Big 4, consulting with the CISOs and CEOs of some of the largest international organisations in the world.

As a child growing up I always had the dream of being a commercial airline pilot, and one day flying Concorde. Obviously, this dream was taken from me; however, I have enjoyed learning to fly as part of the Yorkshire Universities Air Squadron whilst doing my undergraduate degree. The experience I had in the RAFVR doing this was an experience I will never forget, and I hope to continue flying as a hobby in the future once I’ve reached my career goals. However, I wouldn’t change my current career trajectory for anything, as I am thoroughly enjoying it (bar winning the lottery of course!).

Show your passion, drive and enthusiasm for cyber security, let that shine through, and you will go far. Don’t let fear of failure or rejection stop you from pursuing a career within this field, as it is very satisfying and rewarding, and you won’t regret it. I have let the fear of failure and imposter syndrome stop me from applying for roles in the past, and I have only regretted it further down the line. My advice is to just go for it, follow your passion and dreams and see where it takes you. If you aim for the moon, and fall short, you’ll still be amongst the [...]

Steven Thomson, Lead SOC Analyst, IT Lab


Upcoming Events

BEHAVIOURAL ANALYSIS 2018, hosted in Cardiff, UK, 14th to 15th March 2018
INFOSEC WORLD, hosted in Florida, USA, 19th to 21st March 2018
BLACK HAT ASIA 2018, hosted in Singapore, 20th to 23rd March 2018
LEGAL CYBER SECURITY EXPO, hosted in London, UK, 21st to 22nd March 2018
WORLD CYBER SECURITY CONGRESS 2018, hosted in London, UK, 27th to 28th March 2018
CYBER SECURITY OF THE IOT, hosted in London, UK, 28th to 29th March 2018


About Secgate Secgate is a specialist security advisory and technology innovation group made up of experienced and award winning tier 1 professionals who deliver intelligent protection solutions that both strengthen and empower our clients’ IT security and resilience. Our in house technology department builds, implements and manages next generation IT security tools to help our clients analyse, correlate, identify and eliminate Cyber Security threats. With headquarters in the UK, Secgate Technologies is made up of industry experts and leading technologists who have built a suite of solutions with proven defensive capabilities that tackle IT threat detection, analytics and IT incident response. Our flagship product, Forest Tree, has been successfully deployed in a number of complex and uniquely demanding environments. Our combination of consultants and technologists allows us to deliver unique and innovative solutions that provide our clients with a real tangible value.

Berkeley Square House Berkeley Square Mayfair London W1 United Kingdom
