CYBER WORLD – Rounding up the latest in Cyber Security

In this month's edition:
- Latest News
- Newest Vulnerabilities
- Robert Morgus, New America
- Ramsés Gallego, Symantec
- Olivier Kraft, RUSI
- Arthur P. B. Laudrain, Leiden University
- China – The Real Cyber Threat?
- Talal Rajab, techUK
- Leron Zinatullin, KPMG UK
- Rising Stars (Steven Thomson, IT Lab)
- Future Leaders (Amy Ertan, Royal Holloway)
- Upcoming Events
Hello. Welcome to the March 2018 edition of Cyber World – a monthly magazine that brings you the latest news in the world of cyber security. Cyber World offers the latest analyses and opinions from leading industry professionals, academics and the policy community.

In this edition, we present a special guest contribution by Robert Morgus, Senior Policy Analyst with New America's Cybersecurity Initiative and International Security program and the deputy director of the FIU-New America C2B Partnership. Moreover, we have analyses by Ramsés Gallego, a Strategist & Evangelist in the Office of the CTO, Symantec; Olivier Kraft, Research Fellow at RUSI's Centre for Financial Crime and Security Studies; Arthur P. B. Laudrain, an incoming DPhil researcher in cyber security at the University of Oxford and reserve officer in the French armed forces; Talal Rajab, Head of Programme for techUK's Cyber and National Security programmes; and by Leron Zinatullin, Security Architect, Technology Risk Consulting, at KPMG UK.

We are also pleased to present an analysis on ‘China – The Real Cyber Threat?' as well as a Rising Star interview with Steven Thomson, Lead Analyst of the Security Operations Centre (SOC) at IT Lab, and a Future Leaders contribution by Amy Ertan, a PhD student in Cyber Security at Royal Holloway (University of London) and Strategic Threat Intelligence Analyst at Barclays.

We are grateful to our Readers for their continued interest in our magazine, and as always, please send us your feedback and comments on our current and/or past editions. If you enjoy this magazine, feel free to share it with your friends and colleagues.
Laith Gharib, Managing Director
MARCH 2018 • 2
Latest News – Rounding up the news
CRIME-AS-A-SERVICE DOESN'T PAY

In 2016, a four-year, 30-country police sting smashed the Ukraine-based Avalanche criminal network. Top bosses were arrested, hundreds of servers were shut down or seized, and 800,000 internet domains were blocked. One of the organisers, Gennadiy Kapkanov, was detained but then released, despite his four-year presence on Interpol's most-wanted list. Kapkanov disappeared until cyber police caught up with the alleged mastermind behind the Avalanche malware spam botnet again on February 25th. "An organizer of the international crime platform known as 'Avalanche' which infected up to half a million computers in the world daily was detained in Kiev," Ukraine's cyber police confirmed in a statement.

GITHUB SUFFERS LARGEST EVER DDOS ATTACK

Software developer platform GitHub revealed this week that it had been hit by the world's largest ever DDoS attack. Attackers took advantage of 100,000 unprotected Memcached servers to amplify the strength of the DDoS in what is being called a "Memcached UDP reflection attack." Memcached servers amplified the data sent by about 50 times, bringing the assault to up to 1.35 Terabits per second (Tbps) of traffic at its peak. While this would normally paralyse most sites, GitHub was down for less than 10 minutes after the cloud computing service Akamai Prolexic helped mitigate the attack by removing and blocking malicious traffic.
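Two defender-side checks for the reflection scenario in the GitHub item above, written as an added example (not code from the magazine, GitHub, Akamai or the memcached project): a detector that runs over flow records and flags a host receiving large UDP packets from port 11211 on many distinct reflectors, and a parser that reports whether a Debian-style memcached.conf leaves UDP reachable from the network. The flow-record format, the IP addresses and both config files are constructed for this example; the config parser assumes the one-option-per-line layout used by Debian's /etc/memcached.conf ("-l ADDR" for the listen address, "-U PORT" for the UDP port, where 0 disables UDP).

```python
"""Memcached UDP reflection: flow-based detection and a config exposure check.

Constructed example; the flow format, addresses and configs are not real data.
"""
from collections import defaultdict
from dataclasses import dataclass

MEMCACHED_PORT = 11211
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


@dataclass
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    byte_count: int
    packet_count: int


def parse_flow(line):
    """Parse one constructed flow record:
    PROTO SRC_IP SRC_PORT DST_IP DST_PORT BYTES PACKETS. Returns None if malformed."""
    parts = line.split()
    if len(parts) != 7:
        return None
    try:
        return Flow(parts[0].upper(), parts[1], int(parts[2]), parts[3],
                    int(parts[4]), int(parts[5]), int(parts[6]))
    except ValueError:
        return None


def detect_memcached_reflection(lines, min_reflectors=3, min_avg_packet=1000):
    """Flag destinations receiving large UDP packets *sourced from* port 11211 on
    many distinct hosts. Clients talk *to* 11211, so replies from many servers
    converging on one outside address are the reflection signature; the large
    average packet size is the amplification. Returns {victim_ip: summary}."""
    per_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for line in lines:
        f = parse_flow(line)
        if f is None or f.proto != "UDP" or f.src_port != MEMCACHED_PORT:
            continue
        v = per_victim[f.dst_ip]
        v["reflectors"].add(f.src_ip)
        v["bytes"] += f.byte_count
        v["packets"] += f.packet_count
    alerts = {}
    for victim, v in per_victim.items():
        avg = v["bytes"] / v["packets"] if v["packets"] else 0
        if len(v["reflectors"]) >= min_reflectors and avg >= min_avg_packet:
            alerts[victim] = {"reflectors": len(v["reflectors"]),
                              "bytes": v["bytes"], "avg_packet_bytes": round(avg)}
    return alerts


def memcached_udp_exposure(config_text):
    """Report whether a Debian-style memcached.conf leaves UDP reachable from the
    network: UDP is on unless '-U 0' is set, and the listener is public unless
    every '-l' address is loopback. Defaults assume the daemon's historical
    behaviour when started with no options (all interfaces, UDP on)."""
    listen = ["0.0.0.0"]
    udp_port = MEMCACHED_PORT
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        if parts[0] == "-l":
            listen = [a.strip() for a in parts[1].split(",")]
        elif parts[0] == "-U":
            udp_port = int(parts[1])
    exposed = udp_port != 0 and any(a not in LOOPBACK for a in listen)
    return {"listen": listen, "udp_port": udp_port, "udp_exposed_to_network": exposed}


# Constructed flow records: four reflectors hit 203.0.113.5 with ~1.4 KB packets,
# plus ordinary HTTPS/DNS noise and one small memcached reply to another host.
SAMPLE_FLOWS = [
    "UDP 198.51.100.10 11211 203.0.113.5 40213 1400000 1000",
    "UDP 198.51.100.11 11211 203.0.113.5 40213 1410000 1000",
    "UDP 198.51.100.12 11211 203.0.113.5 40213 1398000 1000",
    "UDP 198.51.100.13 11211 203.0.113.5 40213 1404000 1000",
    "TCP 192.0.2.8 443 203.0.113.5 51000 52000 80",
    "UDP 192.0.2.9 53 203.0.113.5 51001 2400 20",
    "UDP 198.51.100.20 11211 203.0.113.77 40000 600 10",
]

# Constructed configs: the weak one listens on every interface with UDP left on;
# the hardened one binds to loopback and disables UDP outright.
WEAK_CONF = "-m 64\n-p 11211\n-u memcache\n-l 0.0.0.0\n"
HARDENED_CONF = "-m 64\n-p 11211\n-u memcache\n-l 127.0.0.1\n-U 0\n"

if __name__ == "__main__":
    print(detect_memcached_reflection(SAMPLE_FLOWS))
    print(memcached_udp_exposure(WEAK_CONF))
    print(memcached_udp_exposure(HARDENED_CONF))
```

The thresholds (three reflectors, 1,000-byte average packets) are starting points for a perimeter flow collector, not tuned values; the point of the detector is that the victim sees the attack as replies from many servers it never queried, while the config check is what an operator of a memcached host should run to avoid being one of those reflectors.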
WINTER OLYMPICS HACKED

Russian military spies allegedly hacked hundreds of computers at the Winter Olympics in South Korea and tried to make it look like North Korea was the culprit. The cyberattack came during the opening ceremony and caused disruptions to broadcast systems and the Olympics websites, meaning attendees were not able to print their tickets, which left many seats empty. The Washington Post's national security adviser, Ellen Nakashima, reported that Russia's military intelligence agency, the GRU, accessed as many as 300 computers, according to two US officials. To cover their tracks and pin suspicion on North Korea, the hackers used North Korean IP addresses.

THE TRUE COST OF CYBERCRIME

A McAfee report entitled "Economic Impact of Cybercrime – No Slowing Down" estimates that cybercrime costs the global economy $600 billion a year, or 0.8 percent of global GDP. The report attributes the $155bn jump since 2014 to the speed with which new technology is adopted by cybercriminals and to an increase in the number of internet users in parts of the world with weak cybersecurity. 2017's NotPetya attack was a wake-up call to many: FedEx and the Danish shipping company Maersk each reported that the attack cost them $300 million.
WHO WATCHES THE WATCHMEN?

Britain's local governments were hit by 98 million cyber attacks in the last five years – the equivalent of 37 attacks a minute – while one in four councils' systems were successfully breached. Most common were malware and phishing attacks. Big Brother Watch argued these numbers would only increase with the government's quest for big data and as councils continue to build "ever-expanding troves of personal information… under the banner of data-driven government". The privacy group warned that "zealous data sharing comes with real risks" as the information councils amass are "attractive targets for criminals". They also slammed the councils for lack of investment: "This should mean staff in councils are well versed in cybersecurity threats, the group said, but three-quarters said they don't provide mandatory training, while 16% said there was no training at all."

NO ONE IS SAFE

Fidelis Cybersecurity's Jason Reaves, who last year demonstrated that X.509 certificate exchanges could carry malicious traffic, has disclosed that X.509 metadata can carry information through the firewall. The X.509 standard defines the characteristics of public key certificates and anchors much of the world's public key infrastructure. In similarly worrying news, two common, long-thought impenetrable methods of physical cybersecurity, air gapping and Faraday cages, have been found to be breachable. The latest attack vector is low-level magnetic fields, as detailed in two papers released by researchers from Israel's Ben-Gurion University.

CRYPTOMINING 1 RANSOMWARE 0

Malicious actors are ditching ransomware and cutting out the human element to mine cryptocurrency. Cisco's Talos security team credited improvements in ransomware detection (by antivirus products and operating systems) for this switch from traditional ransomware attack vectors to cryptomining. A single machine compromised by unseen malware can return around 25 cents of Monero per day, with one such malware family using the NSA EternalBlue exploit to net between $2.8m and $3.6m a month. The majority of affected machines are in Russia, India and Taiwan, but they could be coming to a screen near you soon!
Newest Vulnerabilities – Latest Developments and Trends
TELEGRAM FROM RUSSIA. STOP.

Russian cyber attackers have been exploiting a zero-day vulnerability in the Telegram messaging app since March 2017 to install malware, gain remote access to the target computer and mine cryptocurrency (cryptojacking). Kaspersky Lab reports that the attackers used a zero-day vulnerability based on the RLO (right-to-left override) Unicode method, whereby a hidden Unicode character in the file name reverses the displayed order of the characters, effectively renaming the file. As a result, users downloaded hidden malware which was then installed on their Windows computers. Kaspersky reported the vulnerability to Telegram and the zero-day flaw has not since been observed.

FACEBOOK ADMINS AT RISK

Facebook has patched a severe vulnerability which leaked the information of page administrators. Bug hunter Mohamed Baset said the bug, a logic error, occurred when a user liked a specific post on a page. Page admins could send Facebook invitations asking users if they wished to like the page after liking a post, and a few days later these users might receive an email reminding them of the invitation. Intrigued, Baset showed that the "original" message leaked the administrator's name and admin ID. Baset immediately reported the problem to the Facebook Security Team and was awarded $2,500 through the Bugcrowd bug bounty program.

SPY KIDS

More than 50,000 Chinese-built Mi-Cam baby monitors could be broadcasting sound and video to whoever comes looking, claims Austrian security company SEC Consult. The MiSafes devices stream 720p video and two-way audio in real time to apps running on parents' smartphones, via Amazon cloud servers. All attackers must do is set up a proxy server that can intercept and modify an HTTP request between the phone and the device. SEC Consult also physically extracted the device's firmware and found default root passwords allowing the video feeds on the baby monitor to be watched. SEC Consult also discovered open APIs.
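A defensive check for the right-to-left-override trick in the Telegram item, added here as an example and not code from Kaspersky, Telegram or the magazine: it finds Unicode bidirectional control characters in a file name, approximates what a naive renderer shows, and recovers the extension the operating system will actually use, which is what a mail, chat or download gateway needs in order to block the file. The sample file names are constructed, and the rendering is a deliberate simplification of the Unicode bidi algorithm for the single-RLO case the report describes.

```python
"""Detect Unicode bidi-override characters in file names and recover the real extension.

Added example with constructed sample names; not Kaspersky's or Telegram's code.
"""

# Unicode bidirectional control characters. U+202E (RLO) is the one described in
# the Kaspersky report; the others can be abused the same way and are flagged too.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}

# Extensions that launch code when opened on Windows; a hidden one of these is high risk.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "js", "jse", "vbs",
                         "vbe", "wsf", "hta", "ps1", "msi", "lnk", "pif"}


def find_bidi_controls(name):
    """Return (index, label) for every bidi control character in name."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def true_extension(name):
    """Extension the file system uses: the controls are invisible to the OS's
    extension lookup, so strip them and take the text after the last dot."""
    cleaned = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return cleaned.rsplit(".", 1)[1].lower() if "." in cleaned else ""


def displayed_name(name):
    """Approximate what a user sees for the common single-RLO case: everything
    after the first U+202E is drawn right-to-left, i.e. reversed. A full bidi
    implementation also handles nesting and neutral characters; this is enough
    to show why 'gnp.js' reads as 'sj.png'."""
    i = name.find("\u202e")
    if i == -1:
        return "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    head = "".join(ch for ch in name[:i] if ch not in BIDI_CONTROLS)
    tail = "".join(ch for ch in name[i + 1:] if ch not in BIDI_CONTROLS)
    return head + tail[::-1]


def assess(name):
    """Summarise the risk of one file name for a gateway or download hook."""
    controls = find_bidi_controls(name)
    ext = true_extension(name)
    risk = "none"
    if controls:
        risk = "high" if ext in EXECUTABLE_EXTENSIONS else "medium"
    return {
        "suspicious": bool(controls),
        "controls": controls,
        "displayed": displayed_name(name),
        "true_extension": ext,
        "risk": risk,
    }


# Constructed samples: a script whose name reads as an image once rendered, and a clean file.
SAMPLE_NAMES = [
    "photo_high_re\u202egnp.js",   # displays as photo_high_resj.png, executes as .js
    "quarterly_report.pdf",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(assess(n))
```

The practical policy this supports is simple: any attachment or download whose name contains one of these control characters is suspicious regardless of what it appears to be, and the decision to block should be made on the recovered true extension rather than the rendered one.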
Cybersecurity in Development: To Mainstream or Prioritize? Robert Morgus
About the Author: Robert Morgus is a senior policy analyst with New America's Cybersecurity Initiative and International Security program and the deputy director of the FIU-New America C2B Partnership.
[…] the United Nations Group of Governmental Experts on developments in the field of information and telecommunications recognized the importance of building the cybersecurity capacity of nations around […] developed countries. Since 2010, as information and communication technology (ICT) increasingly drives development outcomes, the need for more and better cybersecurity capacity building has only grown as nearly all pillars of society—from the economy, to governance, to social interaction—are or can be touched by ICT. To many, the importance of cybersecurity in light of these new pan-societal dependencies is given. Events like WannaCry and the various cybersecurity concerns around the 2016 United States election have catalyzed additional interest and investment in cybersecurity in many resource-rich, fully developed countries. However, in much of the lesser developed world—the part of the world where the digital economy is growing at nearly two times the speed it is in the developed world; the part of the world where developments in e-voting and e-governance could have an outsized impact on the quality of human life—cyber insecurity is considered a longer-term threat that will be handled once the full benefits of ICT are being reaped across society.

Yet, in 2016, the World Bank's World Development Report (WDR) explicitly acknowledged for the first time in a WDR the importance of cybersecurity as a concern for international development, noting that, "some of the perceived benefits of digital technologies are offset by emerging risks." However, despite that recognition, the question remains: how exactly should cybersecurity be folded into international development writ large? In the past, the development community has incorporated or focused on emerging issues as they bubbled to the surface in one of two ways: prioritization or mainstreaming.

Prioritization is the act of identifying a key issue for the development community to focus on. Prominent examples of prioritization from the last decade include the goals outlined in the Millennium Development Goals and Sustainable Development Goals, like achieving universal primary education, […] oceans. Priorities are often identified by leading development institutions, like the World Bank […] Millennium Development Goals. In most past cases, prioritization takes an existing development focus and elevates it for critical attention.

By contrast, mainstreaming is most relevant in the context of an emerging issue that has the potential to cut across many or all areas of development and may not receive sufficient focus from the development community. Mainstreaming seeks to fold this new issue into existing development practice as a new equity or consideration in the practice of the community. Perhaps the most notable examples of mainstreaming have occurred in the past two decades in the form of women's rights and human rights. In both of these cases, leaders in the development community—from prominent celebrity voices to major development donors—highlighted the need to consider these basic rights as development activity unfolds.

Because cybersecurity cuts across nearly all sectors of the economy, society, and government, mainstreaming seems like a better fit. The question then becomes: how? Although it lacks some of the intrinsic and visceral aspects that human rights possesses as an issue, mainstreaming cybersecurity in development could follow a template similar to that of human rights.

[…] development was the result of a concerted effort on the part of the human rights movement to "operationalize the relevance of human rights to various fields of development." The breakthrough was precipitated by two important shifts in approach. The first was a shift of emphasis from the "right-holder" approach/model—expanding human rights opportunities for individuals—to the "duty-bearer" […] and non-state actors understand, respect, protect, and fulfil human rights obligations. The second was a shift from a violations approach—where the emphasis was on identifying and punishing human rights violators—to a policy approach, which "demands developing new tools to bring human rights concerns into forward-looking policy-making processes," like Human Rights Impact Assessments (HRIAs).

In fact, the mainstreaming of human rights manifested most obviously in the creation and implementation of HRIAs. An initial push for HRIAs in business came in 2005 when UN Secretary General Kofi Annan appointed John Ruggie, a noted international relations scholar and the force behind the Millennium Development Goals, as the Special Representative on the issue of human rights, transnational corporations and other business enterprises. Ruggie's mandate included "identifying and clarifying standards of corporate responsibility and accountability with regard to human rights." This work spilled over into development, where HRIAs have six essential elements:
1. A normative human rights framework,
2. Public participation,
3. Equality and non-discrimination,
4. Transparency and access to information,
5. Accountability mechanisms, and
6. Inter-sectoral approach.

[…] assessments doesn't exist right now, but such assessments for corporations, lending institutions, and other development actors—underpinned by essential elements similar to those of HRIAs—could be an important tool to drive forward the conversation about the impact of cybersecurity on development outcomes.

This article was originally published by New America.

Robert Morgus, Senior Policy Analyst, New America Foundation
GDPR Will Catalyze New Cybersecurity Investments Ramsés Gallego
About the Author: Ramsés Gallego is a Strategist & Evangelist in the Office of the CTO, Symantec, where he is responsible for strategy development and execution of the cybersecurity portfolio. Previously, Ramsés was Executive Vice President at the Quantum World Association and a board director at ISACA.
As we move toward the 25th of May when the European Union General Data Protection Regulation (GDPR) will come into force, most enterprises are focused on just two questions: Are we affected? And, how do we comply? The past months have made it clear that GDPR is more far-reaching than some initially thought. Your company is subject to this new regulation if it does business with just one EU citizen or in one EU location – no matter where it is headquartered or where else it does business. As a result, you currently may be in haste to achieve full GDPR implementation, including making changes to achieve both compliance by the deadline and ongoing compliance thereafter.

Beyond the near term, however, I see GDPR as a fantastic opportunity to unify and simplify the way organizations and governments defend and protect data. GDPR is not a directive, but a law that does not allow for varying interpretations by local governments in the 28 EU countries or beyond. It explicitly mentions technologies, such as encryption, that help protect enterprises against cyberattacks. Furthermore, GDPR implicitly encourages disciplines that improve cybersecurity, such as data loss protection, identity governance and monitoring. As a result, I expect GDPR to be a catalyst for cybersecurity investment over the long term – and to make these investments more effective, since companies must meet identical high standards across all EU countries where they do business.

GDPR will spur investment in the following areas:

Privacy safeguards. At the core of GDPR is the Privacy Impact Assessment (PIA), a process to determine where data sits, in which format, who manages it, for how long, etc. After this initial assessment comes protection and defense – starting with defining processes and protocols to know and manage who has access to what data. These requirements will spur additional investment in preventing and addressing unauthorized access.

Monitoring. GDPR's ongoing compliance mandate requires enterprises to prove effective privacy safeguards at any time. This requirement is far more rigorous than for periodic audits, which merely show results – good and bad – at a given time. Investment in improved monitoring as required by GDPR can only benefit enterprises that seek to avert, detect and respond more quickly to a potential cyberattack.

Breach communication. GDPR requires companies to inform the appropriate regulator of a data breach within 72 hours of the moment they know a breach occurred. The law is silent about whether an organization will incur liability if it doesn't detect a breach that quickly. My opinion is that ignorance will not be considered a valid defense. Reporting a breach several months after it occurred will cause regulators to question the quality of a company's control and reporting capabilities. Therefore, enterprises have new incentives to invest in disciplines that improve cybersecurity monitoring and reporting. It's also interesting to note that the first drafts of GDPR called for data breach reporting to occur within just 24 hours, which makes me wonder whether regulators will choose to shrink this communication window over time.

Any sweeping new regulation may have unintended consequences. GDPR sets forth privacy obligations, enforcement and penalties that differ from those in other regions of the world, requiring multinational enterprises to carefully consider and navigate any differences. In addition, an organization's GDPR-required Data Privacy Officer (DPO) may not always be in sync with the departments tasked with the mechanisms to ensure data security, development, infrastructure, network management, etc.

Overall, however, I consider GDPR something to celebrate. It sets uniform standards for data privacy and security, and provides incentives for enterprises to invest in cybersecurity that could reduce cybercrime around the world.

Ramsés Gallego, Strategist & Evangelist, Symantec
Financial Crime 2.0: International Cooperation Vital in Fight Against Cybercrime Olivier Kraft
About the Author: Olivier is a Research Fellow at RUSI's Centre for Financial Crime and Security Studies. Prior to joining RUSI in 2017, he worked with the Financial Action Task Force (FATF), the global standard-setter in the areas of anti-money laundering and counter terrorist financing (AML/CFT), where he focused on evaluating the effectiveness of countries' AML/CFT efforts. From 2011 to 2015, Olivier advised the World Bank Group Sanctions Board on allegations of fraud and corruption in development projects co-financed by the World Bank Group. He previously worked on the implementation of the United Nations Convention against Corruption at the UN Office on Drugs and Crime.

When Europol Director General Rob Wainwright addressed RUSI's Centre for Financial Crime and Security Studies annual conference, he noted recent cases of successful international cooperation against cybercrime. For example, Operation Avalanche was directed against a cybercrime syndicate of more than 20 organised criminal groups and required cooperation across 30 jurisdictions. At the same time, Wainwright noted that there was insufficient synergy between cybercrime and anti-money laundering (AML) units in many public and private institutions.

One potential response discussed during the subsequent panel at the RUSI gathering is the cyber financial intelligence unit recently established by Standard Chartered Bank. The unit uses cyber-related information to complement financial crime intelligence to better identify, disrupt and report illicit proceeds from cybercrime. This is in line with guidance issued by the US financial intelligence unit […] institutions to include cyber-related information when filing suspicious activity reports (SARs).

It was noted that money laundering techniques relating to the proceeds of cybercrime often involved traditional methods such as ‘money mules'. For example, this could mean that a fraudster might wire funds from a victim's account to that of a ‘mule', who will withdraw the funds in cash and transfer them to the fraudster via a money service business. A recent investigation by the UK National Crime Agency uncovered the use of approximately 400 accounts to launder £6.9 million originating from cybercrime. While cash is still king in the context of money laundering, Britain's Crown Prosecution Service has observed that virtual currencies are also gaining popularity due to the anonymity that some of them offer to users.

In order to support investigations involving virtual currencies such as Bitcoin, private companies have developed techniques to map out transactions and connect multiple Bitcoin addresses that are controlled by the same wallet. According to data collected by Chainalysis, a New York-based forensic firm, 7.8% of Bitcoin transactions involve ‘mixing', a process that bundles […] considerably reduces the traceability of financial […]. This raises a question as to how AML tools can be more effectively used to tackle the proceeds of cybercrime.

Discussions at the ‘Financial Crime 2.0' conference addressed not only the risks associated with new technologies, however, but also the opportunities. Specifically, speakers discussed the potential of new technologies, including regulatory technologies (RegTech), to increase not only the efficiency of AML efforts, but also their effectiveness, which is likely to be a key objective for the national economic crime centre (NECC).

The representative of a UK bank that has implemented an automated know-your-customer (KYC) system explained that the new system had allowed the institution to increase the frequency of reviews and had enabled skilled staff to focus on high-risk situations. Designing the outputs of an automated system in a way that is close to the ‘look and feel' of a manual system has helped to ensure that staff are comfortable working with digital […].

As financial institutions harness the opportunities of new technologies, there was consensus that this effort should take place in tandem with an increase of the governments' analytical capacities. In addition, a RegTech representative expressed the view that governments should issue clearer […] regulators' expectations regarding the use of technologies. He pointed out that, while certain US remediation programmes generally provide useful details on good practices, this should be made available before an institution is fined.

Coordinating the use of technologies against financial crime across sectors will be critical to the mandate of the UK's new national economic crime centre (NECC), announced on 11 December by Home Secretary Amber Rudd. The NECC should also draw on the experience of other jurisdictions that have explored innovative approaches to data-driven financial crime supervision and enforcement.

While SARs can provide valuable information, they are often filed when the funds in question have already moved. Advanced data analytics therefore provide a critical addition to the SARs regime. Examples of data-driven supervisory efforts were presented by representatives of De Nederlandsche Bank (DNB, the Dutch financial supervisor) and the Italian Financial Intelligence Unit (FIU).

DNB receives information from money service businesses (MSBs) operating in the Netherlands on all money transfers they conduct to and from the country. DNB processes the collected data using advanced analytics and determines the risk level of MSBs and agents on that basis. This new data-driven approach has led to supervisory action, with one MSB licence being revoked and 20 agents being closed, as well as to various criminal prosecutions. It has also raised awareness in the sector about the use of MSBs for criminal purposes and therefore contributed to stronger internal controls.

The Italian FIU analyses aggregate data on cash transactions and financial flows that financial institutions are required to submit monthly. Using quantitative methods, the FIU has been able to detect anomalies at the country or province level. These anomalies may point to potential cases of trade-based money laundering, or – when compared with data on suspicious activity reports – cases of under-reporting. The findings inform not only the FIU's work, but provide critical input to law enforcement and the financial sector in their efforts to tackle financial crime.

To meet its objectives to address the financial crime risks facing the UK, the NECC will have to not only make the existing tools work more efficiently, but also lead a wider discussion on innovative approaches that will increase the system's overall effectiveness.

The views expressed in this Commentary are the author's, and do not necessarily reflect those of RUSI or any other institution.

This article was originally published by the Royal United Services Institute (RUSI).

Olivier Kraft, Research Fellow, RUSI
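The article above mentions that private companies have developed techniques to map out Bitcoin transactions and connect addresses controlled by the same wallet, and that mixing undermines traceability. The following is an added example of two of the standard techniques behind such tools, written for this page and not Chainalysis's or any vendor's code: clustering addresses with the common-input-ownership heuristic (all inputs of a normal transaction are signed by one spender, so they share an owner), and a breadth-first trace of where funds from a cluster went. The ledger is a constructed toy of a handful of transactions, not real chain data, and the mix-detection rule (several inputs and several equal-value outputs) is the simple form an analyst would use to avoid merging strangers through a mixing transaction.

```python
"""Address clustering and forward tracing over a constructed toy ledger.

Added example; not a vendor's code and not real blockchain data.
"""
from collections import defaultdict, deque


class DisjointSet:
    """Union-find over address strings."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def looks_like_coinjoin(tx, min_parties=3):
    """Mixing transactions pool inputs from several users and pay equal-sized
    outputs, so the ownership heuristic would wrongly merge strangers. Treat a tx
    with >= min_parties inputs and >= min_parties outputs of one identical value
    as a mix and keep it out of the clustering."""
    if len(tx["inputs"]) < min_parties:
        return False
    counts = defaultdict(int)
    for _, value in tx["outputs"]:
        counts[value] += 1
    return max(counts.values(), default=0) >= min_parties


def cluster_addresses(transactions):
    """Common-input-ownership heuristic: every input of a normal transaction is
    signed by the same spender, so its input addresses share an owner. Returns a
    list of frozensets; addresses only ever seen as outputs are not clustered."""
    ds = DisjointSet()
    for tx in transactions:
        if looks_like_coinjoin(tx):
            continue
        first, *rest = tx["inputs"]
        ds.find(first)  # register single-input spenders too
        for addr in rest:
            ds.union(first, addr)
    groups = defaultdict(set)
    for addr in list(ds.parent):
        groups[ds.find(addr)].add(addr)
    return [frozenset(g) for g in groups.values()]


def cluster_of(clusters, address):
    """The cluster containing address, or a singleton if it was never an input."""
    for c in clusters:
        if address in c:
            return c
    return frozenset({address})


def trace_forward(transactions, start_addresses, max_hops=2):
    """Breadth-first walk of where funds went: each hop follows every transaction
    spending from the current frontier to its output addresses."""
    by_input = defaultdict(list)
    for tx in transactions:
        for addr in tx["inputs"]:
            by_input[addr].append(tx)
    seen = set(start_addresses)
    frontier = deque((a, 0) for a in start_addresses)
    reached = set()
    while frontier:
        addr, depth = frontier.popleft()
        if depth >= max_hops:
            continue
        for tx in by_input[addr]:
            for out_addr, _ in tx["outputs"]:
                reached.add(out_addr)
                if out_addr not in seen:
                    seen.add(out_addr)
                    frontier.append((out_addr, depth + 1))
    return reached


# Constructed toy ledger: tx1/tx2 reveal that A1, A2 and A4 belong to one wallet;
# tx5 is a mix-style transaction and must not merge C1, C2 and C3.
TXS = [
    {"txid": "tx1", "inputs": ["A1", "A2"], "outputs": [("V1", 0.9), ("A3", 0.1)]},
    {"txid": "tx2", "inputs": ["A2", "A4"], "outputs": [("M1", 0.5)]},
    {"txid": "tx3", "inputs": ["B1"], "outputs": [("B2", 0.2)]},
    {"txid": "tx4", "inputs": ["M1"], "outputs": [("X1", 0.3), ("X2", 0.2)]},
    {"txid": "tx5", "inputs": ["C1", "C2", "C3"],
     "outputs": [("D1", 0.1), ("D2", 0.1), ("D3", 0.1)]},
]

if __name__ == "__main__":
    clusters = cluster_addresses(TXS)
    wallet = cluster_of(clusters, "A1")
    print(sorted(wallet), sorted(trace_forward(TXS, wallet)))
```

Run against the toy ledger, the wallet behind A1 is found to also control A2 and A4, and two hops downstream its funds are seen at V1, A3, M1, X1 and X2; the mix transaction tx5 is skipped, so C1, C2 and C3 remain separate, which is exactly the loss of traceability the Chainalysis figure in the article refers to.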
Big Smart Brother? How Smart-Cities May Redefine the Right to Privacy in Europe Arthur Laudrain
About the Author: Arthur P.B. Laudrain is an incoming DPhil researcher in cyber security at the University of Oxford and a reserve officer in the French armed forces. He previously read international relations (Montréal, Seoul), war studies (London) and law (Leiden). His research focuses on the relationship between emerging technologies on the one hand, and war, law and power on the other. He contributed in this regard to research projects at both ETH Zurich and NATO Communications and Information Agency.
When it comes to data protection in Europe, the
and ownership. In parallel, smart cities and the
European Union’s GDPR seems to be the focus of
Internet of Things (IoT) are changing the nature,
attention for businesses and scholars alike. This
scale and purpose of data collected by institutions,
article’s premise is that we should not forget the
public or private. Even more so, they are likely to
more fundamental legal framework surrounding
profoundly challenge our conceptions of private
privacy and personal data, and thus suggests to
life, consent to data collection and to ownership by
address the European Court of Human Rights
third-parties. Reconciling these structural changes
(ECHR) through the trendy topic of smart-cities.
to our social lives with the fundamental right to
Indeed, the ECHR has been developing an extensive jurisprudence on the protection of personal data. Their handling, primarily when they relate to individual persons, is restricted in purpose, time 21 • C Y B ER WORLD
privacy will present significant challenges for all stalk holders.
public entities, and within a broader geographic
zone. This is the case in Brussels for example,
where a centralised command and control centre
If smart-cities, in their original meaning, merely
manages and shares access to all CCTV. This more
designated a centralised model of city management which relied on ICT-intensive infrastructures, todayâ€™s smart cities are increasingly user-centric. The IoT for the purpose of smart-cities relies mostly on sensors attached to everyday objects, such as cameras, short-range identifiers (RFID/NFC) or geo-locators embedded in pavements, public
Two major trends in the development of smart-cities affect privacy. As an old technology widely deployed in all major urban infrastructures, CCTV is often one of the first to be upgraded in a smart-city philosophy, and provides an excellent illustration of the phenomenon. The first trend is that sensors and related databases are being more widely shared among different […] extensive sharing does not only concern different police sectors, but other public service institutions as well, such as the environment and cleaning service of the Brussels municipality. Such a broader sharing implies de facto a repurposing of both the sensors and the related stored data, and is the likely consequence of better cooperation between public transports or buildings.
[…] deploying sensors and databases fitted with artificial intelligence capabilities. Such sensors or algorithms are able to collate these multiple sources of data. This is the case in China, for instance, where CCTV footage is embedded with a face recognition software connected to the national, regional or municipal identification database, but also to personal public transport check-in data. This trend is made possible by advances in AI technology, and reflects the ubiquity of the IoT. However, this poses a direct risk to the privacy of individuals because of the underlying cross-referencing possibility. The spokesman of an advanced CCTV system manufacturer in China told the BBC in 2017: ‘We can match every face with an ID card and trace all your movements back one week in time. We can match your face with your car, match you with your relatives and people you’re in touch with. With enough cameras, we can know who you frequently […]’
In other words, IoT sensors, when exploited as part of a wide network, are becoming more efficient than smartphones in tracking people’s activities. This statement in itself says a lot. Individuals roughly know what their personal devices’ capabilities are. They know how to, and actually can, turn them off, although it seems even US soldiers trained in operational security (OPSEC) methods massively failed to do it. This level of understanding and ownership is far from given with IoT devices and smart-city infrastructures, and it raises a number of […]
MARCH 2018 • 22
THE EUROPEAN CONVENTION OF HUMAN RIGHTS: AN INSTRUMENT LIVING WITH ITS […]
The ECHR is a treaty established in 1950. As of 2017, it consists of 47 High-Contracting parties. The object and purpose of the Convention is to maintain ‘peace and justice’ by setting up a regime of ‘collective enforcement’ of human rights, on the basis of a ‘common heritage […] of ideals’. Because the Convention protects the most fundamental human rights and possesses an independent court, it was described as what comes closest to a ‘European bill of rights’.
The Convention is characterised by its strong focus on social and political rights, by the scope of its application (its member-states convene 800 million people) and by its strong enforcement mechanism. The latter rests principally on the ability given to
individuals to petition their case to the Court when they have exhausted national remedies. The Court has taken a teleological approach to the interpretation of the Convention. It stated in 1975 that the Convention’s interpretation must be the ‘most appropriate one’ to further its object and purpose. Accordingly, the Court affirmed in Tyrer v UK, and again more recently in Rantsev v Cyprus and Russia, that the rights protected by the Convention must be understood and interpreted in light of ‘present-day conditions’. This doctrine was coined as dynamic interpretation.
The first and foremost impact of dynamic interpretation is that it extends the reach of the rights protected by the Convention over time. In such an ‘anti-textualist’ and ‘anti-originalist’ approach, the process of interpretation leads to the discovery of new grounds of application of human rights, as societies change. Some usages and values that were predominant in 1950 are today either unacceptable or inexistent. High-profile cases for which rulings were influenced by society’s evolution addressed topics such as children born out of wedlock, corporal punishment or the criminalisation of homosexual behaviour. If the Court were to interpret the Convention stricto sensu in its 1950 context, achieving the Convention’s purpose today would be of considerable difficulty.
DATA PROTECTION AS A HUMAN RIGHT
The Convention provides for the right to respect for four distinct interests: one’s private life, family life, his or her home and correspondence. These interests may be subject to interferences by public or private entities to the extent that they are justified and that there exist sufficient safeguards in the domestic legal order. The Court stated that the scope of private life could not be ‘susceptible to an exhaustive definition’. Nonetheless, it developed an open scope that can encompass ‘multiple aspects of the person’s physical and social identity’. Notably, the Court determined that private life cannot be restricted to a certain geography or social circle. Rather, the
right to private life includes a wide-ranging ability to ‘develop relationships with other human beings’ for the ‘fulfilment of one’s own personality’ or for other purposes such as business. Consequently, the scope of private life goes much beyond one’s home or personal devices.
As opposed to the EU Charter, the Convention does not dedicate an article to personal data. However, the Court has developed an extensive case-law record addressing the issue. It ruled in 2008 and reaffirmed in 2014 that protection of personal data is a fundamental requirement for an individual to enjoy his or her right to private and family life, thus enshrining data protection within the meaning and scope of article 8.
WHAT DOES THAT IMPLY FOR SMART CITIES?
First, we may have to collectively rethink our approach to personal data and consent to their collection. IoT devices and infrastructures that make a smart city are meant to be invisible and forgotten. They will be present in such a comprehensive and integrated fashion with private and public services that individuals will gradually lose the freedom to choose whether to expose themselves to them. Choosing not to would prevent people from living a normal life, i.e. not being able to use public transport. Indeed, today we can hardly decide to live without regular internet access, which has become an essential part of one’s private and professional activities and as such, is considered a basic human right in a number of countries such as France. In consequence, we may have to consider moving towards a context-based consent, where consent would be assumed or not, depending on the situation.
Second, the increasing number of the sources and variety in the nature of data collected is expected to bring tremendous value to their collation and cross-analysis, better known as big data analytics. The processing of data outside of the entity that collected it forecasts a trend of wider sharing and repurposing of personal data, both of which require specific consent and procedural safeguards under the principles of necessity and legality.
Finally, and consequently to both previous issues we highlighted, it is likely we will need to rethink the current binary notion of public and private spaces. In Von Hannover v Germany, the Court found that even public figures can benefit from reasonable expectations of privacy in public spaces, outside of their professional activities. Thus, these expectations should benefit private individuals at least at an equal level, if not a higher one. This approach seems justified, as the line between public and private spaces collapses, both online and in the real world. Parallels can notably be drawn with social media, where some spaces are open (public) and others can be restricted to friends or followers.
CONCLUSION AND OPENING
The dynamic interpretation doctrine adopted by the Court implies that the scope of the right to privacy is redefined as society evolves. As usages of technology evolve, but also as moral values and expectations of ethical standards evolve, so does the scope and meaning of the right to privacy. The substantial widening of the right to access to information is only the latest example in a long trend among the case-law record. These evolutions in societal usages and values can thus bring new obligations to states, positive or negative, enlarging the scope of the right in scale and nature that could not have been foreseen by the Convention’s drafters nor by states when they ratified it. The scope of the right to privacy is thus potentially ‘limitless’. Smart-cities will likely require data protection specialists and human rights scholars to take a fresh approach to founding principles of privacy. This will undoubtedly impact not only citizens across Europe, but also businesses around the world that rely on their data.
Disclaimer: The views expressed are exclusively those of the author. This article was produced and adapted from an academic work in progress at Leiden Law School, Netherlands. For brevity and clarity, referencing may fall short of academic standards. As a result, this article should not be considered as scientific writing.
Arthur P.B. Laudrain
Incoming DPhil Researcher
University of Oxford
China – The Real Cyber Threat?
ALL ROADS LEAD TO RUSSIA
Since Donald Trump became President, one can’t open a webpage or turn on the news without hearing “Russia” and “hacking” in the same sentence… and with good reason.
In mid-February, Trump’s own national security advisor, H.R. McMaster, was forced to admit Russian meddling in the 2016 election was “incontrovertible” and Robert Mueller charged thirteen Russian nationals and three Russian entities with interfering with the election. Whatever the outcome of the Mueller Investigation, Trump’s ‘doth protest too much’ misdirection and self-incriminating Russia-related Twitter meltdowns mean suspicious eyes will continue to gaze only as far east as Moscow. Which is exactly what the Chinese want.
THE GREAT WALLS OF CHINA
Vast, rugged and clouded in secrecy, China has been largely inaccessible ever since emperor Qin Shi Huang protected its citizens from attack behind The Great Wall two thousand, two hundred years ago.
Nowadays, China’s online population of 731 million are ‘protected’ by the world’s largest censorship and surveillance system, The Great Firewall or Golden Shield Project. Chinese netizens receive a highly restricted Internet which doesn’t include access to Google, Facebook, YouTube or Twitter without a VPN. These strict censorship laws make getting facts, figures and reliable information out of the country difficult, but it’s not only Chinese policy that makes reporting troublesome. The West, and in particular The United States, continues to dictate the narrative that China is a boogeyman intent on taking over the world.
In a January 2018 interview with the BBC’s security correspondent, the Director of the CIA, Mike Pompeo, stated that China is “as big a threat to the US (as Russia)” and “We’ve seen Chinese cyber attacks throughout the world.”
HOW DID THE USA’S CYBERWAR WITH CHINA BEGIN?
To understand the future, we must first look to the past. Hacking is inextricably linked with political events, and Chinese hackers’ first known cyberattack came in 1999 after the U.S. bombed the Chinese embassy in Belgrade, Kosovo, killing three Chinese reporters. Patriotic hackers planted messages denouncing “NATO’s brutal action” on several U.S. government websites including the White House. CNN reported a brewing cyberwar.
In the same year, the government launched DDoS attacks against foreign websites associated with Falun Gong, a spiritual movement banned in China. Then, in 2001, after a mid-air collision killed a Chinese fighter pilot and led to the forced landing and detention of the American crew, Chinese hackers defaced thousands of U.S.-based websites with cyber graffiti, including the White House. The New York Times nicknamed this web-terrorism “The First World Hacker War”.
[…] cyberespionage became alarmingly apparent: a series of cyber intrusions – usually masked by proxy, zombie computer or spyware/virus-infected malware – with code-names like “Titan Rain”, “Byzantine Hades” and “GhostNet” were traced back to computers in China.
Between 2003 and 2007, the “Titan Rain” hackers, thought to be associated with the Chinese army, invaded and stole sensitive data belonging to The Pentagon, Britain’s Ministry of Defence and U.S. Department of Defense contractors.
In 2010, “Operation Aurora”, an ultra-sophisticated Advanced Persistent Threat by The Elderwood Group, which has ties to the People's Liberation Army, used unprecedented tactics that combined encryption, stealth programming and a zero-day vulnerability in Internet Explorer. These targeted attacks on corporate infrastructure hit at least 34 companies in the tech, financial and defence sectors, and sought source code from Google and Adobe.
Back-and-forth attacks continued for a decade as Chinese hackers stole intellectual property and government secrets including designs for military weapons systems and the advanced F-35 stealth […]
Something had to be done, and relations between America and China improved in 2013 when Presidents Obama and Xi Jinping shook hands across the Pacific. President Xi claimed the talks as “a new historical starting point.” But all good things come to an end, and in 2014 hackers working for the Chinese state twice breached the Office of Personnel Management’s (OPM) computer system, compromising the personal data of 22 million […]
Obama and Xi Jinping met again in 2015, and the two nations reached an official Cyber-Agreement to stem cyber espionage, curb the theft of intellectual property, agreed that their governments would not conduct or knowingly support cyber-enabled theft of business secrets and set up channels for cyber […]
China arrested hackers from Shanghai-based hacking group Unit 61398 in connection to the OPM intrusion, but American-Sino cyber relations soured and have never truly recovered. Indeed, American cyberintelligence firm CrowdStrike’s 2015 Global Threat Report identified “dozens of Chinese adversaries targeting business sectors… and 28 groups going after defense and law enforcement […]”
HOW IS CHINA CHANGING CYBERWARFARE?
As with all forms of warfare, weaponry and tactics evolve fast. In addition to the traditional malware, trojans, worms, logic bombs, DDoS attacks and zero-day exploits, China is coming up with ingenious new ways to hack. By turning their existing […]
[…] it's not just governments, security agencies and cyber analysts that will be affected, but also tech corporations and Android-based smartphone users on the street; like you and me.
The last six years have seen Huawei Technologies grow to become the largest telecoms equipment manufacturer in the world. The Shenzhen-based company produces more smartphones than Apple, and its founder and CEO, Ren Zhengfei, just so happens to be a former officer and engineer in the People's Liberation Army; effectively an arm of the […]
As a result, the NSA believes the Chinese may have installed backdoors in Huawei equipment, enabling it for surveillance. In mid-February 2018, the heads of five other major US intelligence agencies including the CIA and FBI warned American citizens against products and services from Huawei and ZTE. FBI Director Christopher Wray also told Congress the company’s products “provide the capacity to conduct undetected espionage."
If the idea of your Android-based smartphone spying on you for the Chinese government sounds far-fetched, malware has also been found loaded on Xiaomi, Lenovo and other Chinese smartphones. In 2016, mobile security firm Kryptowire uncovered Chinese-authored malware on as many as 700 million budget Android devices. Hidden in a benign support app, the pre-installed, third-party software would covertly send call history, text messages, contact lists, location data and other sensitive information to a server in Shanghai every 72 hours to “tailor advertising to users.”
In late 2017, three Chinese nationals, Wu Yingzhuo, Dong Hao, and Xia Lei, who worked for Chinese cybersecurity firm Boyusec, were charged with […] networks at Moody's Analytics, Siemens AG and Trimble Inc. Boyusec, it turns out, and hacking group APT3 are one and the same, and an internal report by The Pentagon's J-2 Intelligence Directorate identified Boyusec and Huawei as working together to produce security products that could allow Chinese intelligence to remotely steal data from phones and […]
MADE IN CHINA
While Huawei is banned from competing for US Government contracts, China’s huge telecoms […] the country could already be exploiting huge cybersecurity flaws/backdoors in every device it manufactures. Defensively, China is ahead of the rest of the world, too. The Great Firewall can act as a forcefield, redirecting inbound internet traffic to attack sites as it did in 2015 when GitHub and GreatFire experienced the largest DDoS attacks in their history, the latter receiving 2.5 billion spoof requests per hour. China also has a new Cybersecurity Law, which came into effect in June 2017. Compliance rules now require network operators to store personal data on domestic servers (within The Great Firewall) and allow authorities to conduct mandatory spot-checks on a company’s network operations. Beijing asserts the law is intended to bring China in line with European and American cybersecurity and data management best practices. But with companies such as Apple migrating local users’ encryption keys to local server farms on Chinese soil, all those mandatory data requests, together with China's repressive legal environment, could make government snooping that much easier.
SIX OF ONE AND HALF A DOZEN OF THE OTHER
For all this talk of Chinese aggression, let’s not forget that cyber espionage works both ways. In addition to dealing with the USA, China also faces the same attacks from North Korea, the Middle East and probably Russia as the rest of the world... despite President Xi having a bilateral cyber non-aggression pact with Putin. Chinese Internet security company Qihoo 360 stated the 2017 WannaCry ransomware attack had infected close to 30,000 Chinese organisations. Between January and October 2016, China was hit by 17.5 million cyber attacks, most of them Trojan viruses and bots from the United States, according to the National Computer Network Emergency Response Technical Team and Coordination Center, the country's top security risk-monitoring authority.
China isn’t the only party guilty in this spiral of mistrust. Edward Snowden’s 2013 intelligence leaks underscored the sophistication and extent of internet surveillance by the United States and its allies against targets worldwide, including China.
WILL THE REAL CYBER THREAT PLEASE STAND UP?
In the aforementioned BBC interview, America’s spymaster general, Mike Pompeo, gleefully states “We are the world’s finest espionage service, I’m incredibly proud of that. We’re going to go out there and do our damnedest to steal secrets” while China’s People’s Daily newspaper has described the United States’ accusations as “a thief crying ‘stop thief!’”
The fact of the matter is, the USA engages just as aggressively in cyber campaigns; we just don’t hear about it because of China’s secrecy and the fact that, like it or not, we are unwitting slaves to our mainstream media outlets.
Is China really an existential threat or is this cyber warfare the new face of creating a necessary boogeyman; a continuation of the paranoia and political muscle-flexing that’s been going on for decades?
Until this cyber arms race turns from an ideological war to a real war in The United States via a cyber Pearl Harbor or death by a thousand cuts by China, it will be difficult to say... especially if you’re Donald Trump. In the meantime, we netizens in the west should just keep buying more Chinese-made Internet of Things (IoT) connected devices... and hope we don’t hear Chinese whispers coming from our widescreen televisions anytime soon.
Secgate Research & Innovation
Forest Tree
A pioneering solution that empowers your functional teams to safeguard your enterprise.
The big data solution to network and data discovery, event detection and generating knowledge from your network to support your operational, compliance and security needs. Forest Tree enables you to make decisions based on real data from your network, whether those decisions involve operational, security or compliance objectives.
This solution shows you a comprehensive analysis of network traffic to identify and catalogue events in your organisation in real time. Our solution uses ground-breaking machine learning capabilities to bring insights on system and user behaviours, enabling decisions to be made holistically. It risk-rates behaviours, enabling unusual activity to be flagged to your operational teams. This solution learns and alerts you.
Forest Tree provides dashboards for IT operations, security and compliance teams that show the risk-rated activity and highlight individual high-risk communications. It provides the capability for teams to interrogate the database to investigate suspicious or unusual activity. This solution answers all your questions.
With all network activity captured and tools for making queries, Forest Tree gives you the ability to demonstrate your compliance to policies and regulations and to prepare reports as required. This solution is your organisation’s “Black Box”.
Forest Tree gives transparency to your business teams, seeing the same picture of the real activity passing across your network and enabling appropriate business-level responses. This solution enables cross-functional understanding.
Forest Tree
A holistic solution designed to protect and serve your business needs
Forest Tree provides information about data and communications in your network, allowing full visibility of activity from your systems. Operations staff can extract data to create inventories of your entire estate and its behaviour dynamically. It can be used to identify end-user computing, data transfers to cloud providers and other third parties. Forest Tree can bring you visibility of services that are outside the control of your systems management solutions.
Security
Forest Tree produces risk-rated assessments of all network activity, facilitates inspection down to packet level for security operations teams and provides security dashboards for management. Connections and data transfers can be approved so that they aren’t continuously flagged for attention. We use machine learning to characterise user behaviour and can identify when a user deviates from the norms for their role or is inconsistent with their peers. Forest Tree works with unstructured data within emails and attachments as well as structured data, providing the widest coverage of data traversing your network.
Group Functions
Forest Tree supports Group functions, who can have the same visibility of dashboard information and thus have transparency between operations and policy and compliance departments. Some examples of use cases include:
● Is user behaviour changing, and which users are not complying with policies?
● Are you in compliance with policies and regulations?
● Is the total risk score reducing in line with your plan?
Forest Tree
Designed for humans; engineered for networks
Performance engineered. Our solution is built to meet the needs of even the most sophisticated networks. Everything from the detection of events through to the generation of reports has been developed by our engineers to ensure speed and scalability. Our Core engine has been implemented and tested on networks that operate at one terabit per second — processing the entire network traffic, with zero packet loss, all in real time. Our solution is linearly scalable; we maintain our high performance on networks of any size or complexity.
Delivers certainty. Business decisions require accuracy. Our entire product has been developed and tested to ensure that you know exactly what actions are happening within your network at a given point in time. Its ability to act as a “black box” on the network, recording network activity for later investigation, gives certainty to your forensic investigations and incident reports. We help ensure your leadership are informed on any incidents before regulators and reporters approach them.
Built for people. Every part of our solution has been designed in consultation with security analysts, incident responders, penetration testers and CISOs to ensure that it is as efficient and as effective as possible. The user experience has been carefully considered to ensure that analysts can get to the features they need quickly, and the dashboards have been designed to ensure that each analyst is presented with the data they need to be able to perform their job. We work continuously with industry professionals to ensure our product meets the operational needs of security teams.
A defence-grade cyber security product, Forest Tree is a patented advanced Cyber Security solution that allows organisations to monitor and understand the content and context of each electronic communication channel. Contact us for a demo at: Info@secgate.co.uk
The UK National Cyber Security Strategy – One Year On
Talal Rajab
About the Author: Talal Rajab is the Head of Programme for techUK’s Cyber and National Security programmes. He manages strategic relationships between Government and industry members on cyber and national security issues, in particular through the Cyber Growth Partnership. He leads techUK’s work on the Investigatory Powers Bill.
2017 was the year that cyber truly entered the public consciousness. From WannaCry to the cyber attack on the Houses of Parliament, high profile cyber attacks showcased just why the UK Government had doubled its investment in cyber security from £850m to £1.9bn in an ambitious strategy that aimed to make the UK the most secure place to live, work and do business online.
One year on, it is clear to see why the strategy continues […] governments around the world. For example, take the work of the National Cyber Security Centre (NCSC) which, in its first year, responded to 590 significant cyber-attacks across the UK. The resources and expertise behind the NCSC are clear signs of the seriousness with which government takes cyber security. The government is also already concluding some of the objectives contained within the strategy, such as the “Secure by Default” project, which is concluding in March with the publication of a report and Code of Practice for manufacturers of consumer IoT products and services.
Furthermore, a number of “cyber growth” initiatives have also been kicked off by the Department for Digital, Culture, Media and Sport (DCMS) in order to grow the number of UK cyber security companies. From the Cheltenham Innovation Centre to the Cyber 101 Bootcamps, it is clear that the Government sees our best defence to the cyber threat as growing UK cyber capabilities.
This is even more important as the regulatory framework for cyber changes this year, with the General Data Protection Regulation (GDPR) and Network and Information Systems Directive (NIS) due to come into effect in May 2018. It is clear that UK businesses will need to raise the bar in terms of their response and resilience to the threat, or face the prospect of significant fines for non-compliance.
All of this progress is encouraging – though more could be done to highlight these initiatives to businesses across the country and ensure that efforts are joined up. Whilst it is far too early to entirely judge the National Cyber Security Strategy with three years still to go, it is good to see 2018 start with the same momentum from government, helping businesses and individuals meet the growing challenges that cyber security brings.
Talal Rajab
Head of Programme
Cyber and National Security
Poker and Security
Leron Zinatullin
About the Author: Leron Zinatullin is an experienced risk consultant, specialising in cyber security strategy, management and delivery. He has led large-scale, global, high-value security transformation projects with a view to improving cost performance and supporting business strategy. He has extensive knowledge and practical experience in solving information security, privacy and architectural issues across multiple industry sectors. Leron is the author of The Psychology of Information Security. His website can be found at: www.zinatullin.com.
Good poker players are known to perform well under pressure. They play their cards based on a rigorous probability analysis and impact assessment. This sounds very much like the sort of skills a security professional might benefit from when managing information security risks.
What can security professionals learn from a game of cards? It turns out, quite a bit. Skilled poker players are very good at making educated guesses about opponents’ cards and predicting their next moves. Security professionals are also required to be on the forefront of emerging threats and discovered vulnerabilities to see what the attackers’ next move might be.
At the beginning of a traditional Texas hold’em poker match, players are only dealt two cards (a hand). Based on this limited information, they have to try to evaluate the odds of winning and act accordingly. Players can either decide to stay in the game – in this case they have to pay a fee which contributes to the overall pot – or give up (fold).
Security professionals also usually make decisions under a high degree of uncertainty. There are many ways they can treat risk: they can mitigate it by implementing necessary controls, avoid, transfer or accept it. Costs of such decisions vary as well.
Not all cards, however, are worth playing. Similarly, not all security countermeasures should be implemented. Sometimes it is more effective to fold your cards and accept the risk rather than pay for an expensive control. When the odds are right, a security professional can start a project to implement a security change to increase the security posture of a company.
When the game progresses and the first round of betting is over, the players are presented with a new piece of information. The poker term flop is used for the three additional cards that the dealer places on the table. These cards can be used to create a winning combination with each player’s hand. When the cards are revealed, the player has the opportunity to re-assess the situation and make a decision. This is exactly the way in which the changing market conditions or business requirements provide an instant to re-evaluate the business case for implementing a security countermeasure.
There is nothing wrong with terminating a security project. If a poker player had a strong hand in the beginning, but the flop shows that there is no point in continuing, it means that conditions have changed. Maybe engaging key stakeholders revealed that a certain risk is not that critical and the implementation costs might be too high. Feel free to pass. It is much better to cancel a security project rather than end up with a solution that is ineffective and costly.
However, if poker players are sure that they are right, they have to be ready to defend their hand. In terms of security, it might mean convincing the board of the importance of the countermeasure based on the rigorous cost-benefit analysis. Security professionals can still lose the game and the company might get breached, but at least they did everything in their power to proactively mitigate […]
It doesn’t matter if poker players win or lose a particular hand as long as they make sound decisions that bring desired long-term results. Even the best poker player can’t win every hand. Similarly, security professionals can’t mitigate every security risk and implement all the possible countermeasures. To stay in the game, it is important to develop and follow a security strategy that will help to protect against ever-evolving threats in a cost-effective way.
Leron Zinatullin is the author of The Psychology of Information Security.
Leron Zinatullin
Security Architect
Technology Risk Consulting
2018 EUROPE
29 – 31 October | London, UK
Attend ISACA’s Industry-Leading Cyber Event
Enhance your Career— Earn up to 32 CPE Credits
GROW YOUR KNOWLEDGE. SHARPEN YOUR SKILLS.
Gain cyber insights that can defend your enterprise.
Choose from invaluable sessions in cybersecurity, innovative technologies, and more.
Network with global experts and peers to advance your career.
Earn up to 32 CPE credits.
SAVE US $400 until 30 March
WWW.ISACA.ORG/CYBERWORLD400
GET TO KNOW WHY ATTENDEES RAVE: “Phenomenal educational and networking opportunity. I look forward to attending in the future.”
ISACA®, the Cybersecurity Nexus™ (CSX) trademark, and ISACA’s Cybersecurity Nexus™ (CSX) products, certifications, and services are not affiliated with CSX Corporation or its subsidiaries, including CSX Transportation, Inc.
FUTURE LEADERS: Amy Ertan
What Should You Pay to Protect Your Data? The Economics of Information Security
About the Author: Amy Ertan is a PhD student in Cyber Security at Royal Holloway (University of London), while also working as a Strategic Threat Intelligence analyst with Barclays. Her research focuses on interdisciplinary approaches to cyber security, including international relations and military defence studies, as well as behavioural and applied economic theory. Amy is excited to promote interdisciplinary approaches to cyber security alongside greater collaboration between academia and industry organisations.
A CISO's primary duty is to protect his/her organisation's data. The past year has seen an increase in the frequency of major cyber incidents, including evolving malware, DDoS, social engineering and supply-chain attacks. These events serve as a serious warning to organisations that cyber security investment is essential to protect their assets, regardless of their size.

Cyber security investment is generally viewed as essential to protect an organisation's assets. If the organisation holds valuable data (for example, customer PII or sensitive commercial information), we might expect a range of controls to be put in place, from employee training and risk management strategies to network monitoring, up-to-date firewalls and breach mitigation products. The difficult question is therefore: what is the 'right' amount to invest to protect a given data-set? How do you know if you're investing too much, or too little? Leaders in organisations often have little to go on when determining the optimal amount to invest in cyber security, which needs to be more than an intuitive (and therefore subjective) exercise.
Two academics at the University of Maryland, Lawrence Gordon and Martin Loeb, have developed an economic framework to help answer this question. They found that the optimal amount of investment should only be a 'small fraction' of the expected monetary loss following a data breach (and show that, for the classes of breach function they study, the optimal figure never exceeds 1/e, roughly 37%, of the expected loss). They also found that beyond a certain expected level of loss, extra investment provided increasingly limited additional protection benefits. Their model has become one of the most prominent frameworks within the economics of information security.

PRESENTING THE GORDON-LOEB MODEL

The Gordon-Loeb model simplifies the issue of data-protection investment with several assumptions: functions are smooth and well-behaved; a single threat is examined at a time; as investment in security increases, the information is made more secure (albeit with diminishing returns). This allowed them to reduce the problem to three variables: the monetary loss of a breach (L), the probability of a threat occurring (t), and the vulnerability (v, the probability that an attack on a data-set will be successful).

The model leads to some counterintuitive results:

1. An increase in vulnerability does not (necessarily) call for an increase in investment. In these cases, firms may be better off protecting midrange vulnerabilities instead of the highest vulnerabilities.

2. A firm should spend only 'a small fraction' of the expected loss resulting from a security breach.

The relationship between investment and vulnerability is not necessarily linear, as one might expect (shown in diagram 1 below). Indeed, at a certain point extra investment ceases to have any effect whatsoever. Consequently, we can see in diagram (2) that where a loss due to a vulnerability is very low, towards the left of the chart, the
investment costs may outweigh the value of the data, and therefore not make sense to implement. In contrast, as the loss associated with the vulnerability (vL) goes beyond a certain point, the optimal investment level decreases as the required investment levels do not deliver the required levels of security. In other words, Gordon and Loeb argued that for extremely vulnerable datasets, it would be 'inordinately' expensive to sufficiently protect the vulnerability from an attack.
(1) Ideal level of investment in company computer security, given decreasing incremental returns (Gordon and Loeb, 2016).

(2) Optimal value of security investments as a function of vulnerability (Class II). 'vL' is the loss associated with a vulnerability (Gordon and Loeb, 2002).

The Gordon-Loeb model and findings suggest that organisations would instead be better-positioned by focusing on the 'midrange' of vulnerabilities, rather than the most expensive cases. Additionally, and in accordance with Fig 1, the amount invested should only be a small fraction of the loss associated with the vulnerability (vL).
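The closed form behind diagrams (1) and (2) is easy to work through for the class II breach probability function from the 2002 paper, S(z, v) = v^(αz+1), where z is the amount invested and α is a productivity parameter. The Python below is an added example, not code from the article or from Gordon and Loeb; it keeps the article's symbols (L for the loss, v for the vulnerability, so vL is the expected loss, with the threat probability t taken as 1), and the values L = 1,000,000 and α = 10^-5 are constructed purely for illustration. It derives z* in closed form, cross-checks it against a numerical search over the net benefit [v - S(z, v)]L - z, and sweeps v to reproduce both results discussed above: z*/vL never exceeds 1/e (about 37%), and the optimum rises and then falls back to zero as the vulnerability increases, so the midrange attracts the most investment.

```python
"""Gordon-Loeb optimal security investment, class II breach probability function.

Added worked example; not from the Cyber World article or from Gordon and Loeb.
Symbols follow the article: L is the monetary loss of a breach, v the vulnerability
(probability an attack succeeds), so vL is the expected loss (threat probability
t = 1). alpha is a hypothetical productivity parameter chosen for illustration.
"""
import math

E_INV = 1 / math.e  # the Gordon-Loeb upper bound on z*/(vL), roughly 37%


def breach_probability(z, v, alpha):
    """Class II function S(z, v) = v ** (alpha*z + 1).

    With nothing invested S(0, v) == v; S falls towards 0 as z grows, with
    diminishing returns because the exponent is linear in z.
    """
    return v ** (alpha * z + 1)


def net_benefit(z, v, L, alpha):
    """Expected benefit of investing z, net of its cost: [v - S(z, v)] * L - z."""
    return (v - breach_probability(z, v, alpha)) * L - z


def optimal_investment_closed_form(v, L, alpha):
    """Closed-form optimum for class II (Gordon and Loeb, 2002).

    Setting d/dz net_benefit = 0 gives v ** (alpha*z + 1) = -1 / (alpha * L * ln v),
    hence z* = ln(1 / (-alpha * v * L * ln v)) / (alpha * ln v).  If the net benefit
    is already decreasing at z = 0 (i.e. -alpha*v*L*ln v <= 1), investing does not
    pay and the optimum is 0.
    """
    if not 0 < v < 1:
        raise ValueError("vulnerability must lie strictly between 0 and 1")
    if -alpha * v * L * math.log(v) <= 1:
        return 0.0
    return math.log(1 / (-alpha * v * L * math.log(v))) / (alpha * math.log(v))


def optimal_investment_numeric(v, L, alpha, iterations=200):
    """Independent check: ternary search on the concave net benefit over [0, vL]."""
    lo, hi = 0.0, v * L
    for _ in range(iterations):
        m1 = lo + (hi - lo) / 3
        m2 = hi - (hi - lo) / 3
        if net_benefit(m1, v, L, alpha) < net_benefit(m2, v, L, alpha):
            lo = m1
        else:
            hi = m2
    return (lo + hi) / 2


def investment_curve(L, alpha, vulnerabilities):
    """(v, z*, z*/(vL)) for each vulnerability: the shape of the article's diagram (2)."""
    rows = []
    for v in vulnerabilities:
        z_star = optimal_investment_closed_form(v, L, alpha)
        rows.append((v, z_star, z_star / (v * L)))
    return rows


if __name__ == "__main__":
    L, alpha = 1_000_000.0, 1e-5  # constructed example values, not from the article
    for v, z_star, share in investment_curve(L, alpha, [0.01, 0.1, 0.3, 0.5, 0.75, 0.9, 0.99]):
        print(f"v={v:.2f}  vL={v * L:>12,.0f}  z*={z_star:>12,.0f}  z*/vL={share:.3f}")
```

Running the module prints the sweep. The numerical cross-check matters because the closed form only applies where investing at all pays off (where -αvL ln v > 1); elsewhere the net benefit is decreasing from z = 0 and the optimum is zero. With these constructed parameters that happens both for very low v (the 'too cheap to bother' left side of diagram (2)) and for v above roughly 0.9 (the 'inordinately expensive' right side), while a dataset with v = 0.5 attracts about 179,000 of investment against an expected loss of 500,000, a share just under 1/e.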
No-one is suggesting entering your manager's office tomorrow to demand security investment matches 37% of an expected loss. Context and nuance vary widely, loss is not just measured in monetary terms, and ultimately the real world is never going to fit into a model, no matter how sophisticated it may be. Gordon and Loeb are the first to point out the limitations and assumptions within their work, such as the assumption that functions are smooth. This discounts real-world practice where fixed costs exist and discrete amounts of investment are required. Furthermore, these findings obviously don't affect critical national infrastructure (CNI) and critical functions, where information security managers don't have the luxury of accepting risk as part of their budget considerations. Gordon and Loeb conclude with a call for further research, highlighting open questions and various opportunities to refine the framework. Indeed, Willemson (2006) subsequently tweaked assumptions within the Gordon-Loeb model to demonstrate how in some cases, an optimal level of investment may be 50% of an expected loss, even approaching 100% in extreme constructions.

Nonetheless, the model has immense value in challenging default assumptions within an organisation's security function - that bigger is always better, and you can never pour too much money into protecting the organisation's assets. In the very realistic context of limited resources, budget restrictions force security functions to prioritise, and this model addresses that broad goal, delivering an excellent starting point for further research on information security investment.

LEARN MORE:

1. [Book] Gordon, L. A. and Loeb, M. P., Managing Cybersecurity Resources: A Cost-Benefit Analysis, 2005 print. (Practical, aimed at practitioners)

2. [Academic Article] Gordon, L. A., Loeb, M. P. and Zhou, L., "Investing in cybersecurity: Insights from the Gordon-Loeb model", Journal of Information Security 7(2), 2016, p. 49. (Accessible; an earlier version was published in 2002; some maths)

3. [Academic Article] Willemson, J., "On the Gordon & Loeb Model for Information Security Investment", Workshop on the Economics of Information Security (WEIS), June 2006. (Intermediate maths)

Amy Ertan
Strategic Threat Intelligence Analyst
Barclays
RISING STAR INTERVIEW: Steven Thomson

About the Author: Steven Thomson leads the security operations centre (SOC) for IT Lab, as well as the managed SOC service for their clients, and is based in Manchester. He is currently reading for an MSc in Advanced Security & Digital Forensics at Edinburgh Napier University, one of only six fully certified GCHQ MSc programmes, whilst also studying for an MBA. His journey into the cyber security field was (some would say) unconventional, but his passion for cyber security flourished throughout his early career, eventually securing his first cyber security role with KPMG.
TELL US ABOUT YOURSELF?

I have been at IT Lab since November 2017, so only a short period of time really. However, I have already been instrumental in maturing the SOC service and helping to grow the team. The SOC is moving to a dedicated new office space at Lowry Mill, just on the outskirts of Manchester city centre, in the coming weeks, and so I've had the pleasure of being heavily involved in scoping the new SOC. It is an exciting time at IT Lab, and I am so very privileged to be a part of the IT Lab family, and honoured they are entrusting me with leading their SOC service. I have responsibility for creating the governance strategy and policies for the SOC, incident response (IR) processes and run/playbooks. I also lead the design and implementation of the monitoring architecture and SOC tools required to successfully identify and investigate security incidents on internal and external (client) networks, contain identified incidents, and then remediate and recover from those incidents. However, I am also very much involved with the technical, hands-on, business-as-usual tasks in the SOC, such as incident response, vulnerability management, cyber threat intelligence and forensic analysis. I also have responsibility for managing the teams involved, designing the respective programmes, internally to IT Lab and externally with our clients. It is this hybrid responsibility that I find so engaging and which makes my day to day much more varied.

I am very passionate about cyber security, and I enjoy channelling this passion into developing and mentoring others, with the aim of ensuring the SOC team remain fit-for-purpose, agile and a responsive cyber unit. This passion to give back to the cyber security community inspired me to set up a DFIR & SOC Mastermind Group, for my peers in the same field and those wishing to get into cyber security, to create an informal environment where we can learn from one another. You can join this growing group here.

WHAT MADE YOU CHOOSE A CAREER IN CYBER SECURITY?

I have been involved in cyber security, in some form or other, for almost 4 years now. I have always had a passion for technology and so once I had graduated from university, my cyber journey started when I joined the NHS as an IT Helpdesk Technician. It is there that I kind of "fell into" cyber security, as I happened to mention my interest in it to one of my managers who was more than happy to give me the opportunity to get involved with updating the Trust's Information Security Management System (ISMS). My first foray in information security was an interesting side project from my day to day role and gave me experience of developing the ISMS and experience with the ISO 27001 and IEC 80001 frameworks.
I found this experience really interesting, and every role I have secured since has given me the opportunity to keep involved with cyber security. Following on from the NHS I moved into the hospitality sector, where I was able to get to grips with the PCI DSS security standard. I was given the responsibility of conducting regular vulnerability scans, and remediating any shortcomings the scans highlighted in the business's security controls to ensure compliance with the standard. From here, I was keen to pursue a role that was solely focused on cyber security; however, being only a novice I found it difficult to find a role that didn't require years of experience. I then decided I needed to take a different approach. Rather than applying directly for cyber security roles (as I wasn't having much success), I was going to try and secure a role I had experience in (IT support) for a company that also employed people in cyber security roles, in the hope that my passion for this area would shine through and I could eventually move laterally within that business. My plan worked, and along came my opportunity with KPMG, where I was first employed as a Technical Engineer. As with my previous roles, I took on extra responsibilities and projects, all with a cyber security focus, which highlighted my enthusiasm and passion for the subject to my colleagues. I was then given the opportunity to join Risk Consulting's regional Cyber team in Manchester, and I haven't looked back since!

WHAT ARE THE GREATEST POSITIVES ABOUT WORKING IN CYBER SECURITY?

It has absolutely got to be the variety of issues thrown up daily and the fact that no two days are ever the same. This presents its own challenges, but it is these daily challenges that keep me working in cyber security and make it so interesting. I feel that I am constantly learning and developing every day, and this fulfils my need to always continue improving myself to become the best that I can be. Cyber security fuels my desire to be my best self and I feel that in the current climate there are ample opportunities to feed back into the community and volunteer my time to helping others achieve their goals.
WHAT ARE THE GREATEST CHALLENGES IN CYBER SECURITY?

In my current role I have the responsibility of recruiting talent into the SOC team, and in the current skills-shortage climate, it is very difficult to find the right mix of talent, with the required skillset, together with the matching culture fit for our organisation. To try and overcome this challenge I very much focus on competencies and transferable skills, and the candidate must show a true passion for wanting to be in cyber security. I chose to focus on these areas because you can train a candidate to have the required skills, but it is difficult to change a candidate's personality and how they think. Also, I think back to when I was trying to break into my first cyber security role, and the difficulties I had; all you want is for someone to take a chance on you so you can prove yourself, and so, as long as I can see the passion, enthusiasm and drive for cyber security in the candidate, they don't necessarily have to have all the experience with the toolsets required for the role, because I know the right candidate will learn, develop and pick up those skills quickly once in their dream role. The challenge is finding these candidates and giving them the confidence to apply.

The second challenge is keeping pace with the evolving cyber security landscape. Adversaries are constantly changing their tactics, techniques and procedures (TTPs) to circumvent security controls, and so as a cyber defence specialist this is a constant battle to ensure that we are prepared to deal with any security incident. The adversary must only get it right once in order to breach a network, but as a cyber defender you must be right all the time in being able to successfully defend it. It is this dichotomy that confirms the cyber security cliché of "when, and not if, you will be breached", and so the challenge is ensuring that you are prepared for when you are breached, and then being able to minimise the impact the breach has on the entity affected. Then you must be able to learn from how the breach occurred, so you can improve and develop in readiness for next time, when the adversaries will have evolved their TTPs.
WHAT ARE THE HIGHLIGHTS OF YOUR CAREER SO FAR?

I am still very much in the early stages of my career, so it is hard to identify a specific highlight as I have had an incredible journey so far. For me, it has probably been the many opportunities I have been given to be involved in cyber security by a diverse range of people who must've seen something in me for them to entrust me with this responsibility. I specifically enjoyed one engagement I had at KPMG, involving a regional retailer that had suffered a ransomware attack. The engagement really gave me a brutal insight into the challenges organisations face from being unprepared for a malware incident like this. I took great satisfaction from being able to advise the client on how to improve their cyber maturity to reduce the risk of re-occurrence and lessen the impacts should they experience another breach. The highlight for me though was the positive recognition from the client and their gratefulness for the advice given. It is from helping clients truly understand the cyber security risks, and how to overcome (or reduce) them, that gives me the greatest satisfaction.

WHO HAS BEEN THE GREATEST INFLUENCE ON YOU?

There are many people who have influenced me and my career to-date, and for various reasons. On an academic level, one of my lecturers on the MSc in Advanced Security & Digital Forensics, Professor Bill Buchanan, has been a huge influence (unbeknownst to him) and he inspired me to apply to this specific master's programme after I experienced his presentation at CRESTcon & IISP Congress 2016. He is truly passionate about what he teaches. I was overjoyed when Bill was awarded an OBE in the 2017 Birthday Honours list, as I feel it is a very well-deserved award.

Other influences have been Sion Lloyd-Jones and David Cousins at KPMG, who took me under their wing and mentored me in my first cyber security focused role, for which I am very grateful. I also have to mention Matthew Hickling (Head of IT at NWTC), Stephen Deacon (Head of IT at Warrington & Halton NHS Trust) and Chris Bellfield (Team Lead Technical Engineer at KPMG), who all gave me opportunities to explore cyber security topics and projects, and then allowed me to continue that journey by wishing me well for the next stages of my career.

WHAT ARE YOUR CAREER AMBITIONS?

I'd like to think that I could become a CISO in a FTSE 250 company at some stage, or achieve Director level within one of the Big 4, consulting with the CISOs and CEOs of some of the largest international organisations in the world.

WHAT WOULD YOU DO IF YOU WERE NOT A CONSULTANT?

As a child growing up I always had the dream of being a commercial airline pilot, and one day flying Concorde. Obviously, this dream was taken from me; however, I have enjoyed learning to fly as part of the Yorkshire Universities Air Squadron whilst doing my undergraduate degree. The experience I had in the RAFVR doing this was an experience I will never forget, and I hope to continue flying as a hobby in the future once I've reached my career goals. However, I wouldn't change my current career trajectory for anything, as I am thoroughly enjoying it (bar winning the lottery of course!).

WHAT ADVICE WOULD YOU GIVE YOUNG PEOPLE HOPING TO ENTER A CAREER IN THE CYBER SECURITY INDUSTRY?

Show your passion, drive and enthusiasm for cyber security, let that shine through, and you will go far. Don't let fear of failure or rejection stop you from pursuing a career within this field, as it is very satisfying and rewarding, and you won't regret it. I have let the fear of failure and imposter syndrome stop me from applying for roles in the past, and I have only regretted it further down the line. My advice is to just go for it, follow your passion and dreams and see where it takes you. If you aim for the moon, and fall short, you'll still be amongst the stars.

Steven Thomson
Lead SOC Analyst
IT Lab
Cyber World. Missed an edition? Want to subscribe? Want a hardcopy? Want to contribute? Contact us on firstname.lastname@example.org
Upcoming Events

BEHAVIOURAL ANALYSIS 2018, hosted in Cardiff, UK, 14th to 15th March 2018
INFOSEC WORLD, hosted in Florida, USA, 19th to 21st March 2018
BLACK HAT ASIA 2018, hosted in Singapore, 20th to 23rd March 2018
LEGAL CYBER SECURITY EXPO, hosted in London, UK, 21st to 22nd March 2018
WORLD CYBER SECURITY CONGRESS 2018, hosted in London, UK, 27th to 28th March 2018
CYBER SECURITY OF THE IOT, hosted in London, UK, 28th to 29th March 2018
About Secgate

Secgate is a specialist security advisory and technology innovation group made up of experienced and award-winning tier 1 professionals who deliver intelligent protection solutions that both strengthen and empower our clients' IT security and resilience. Our in-house technology department builds, implements and manages next generation IT security tools to help our clients analyse, correlate, identify and eliminate cyber security threats. With headquarters in the UK, Secgate Technologies is made up of industry experts and leading technologists who have built a suite of solutions with proven defensive capabilities that tackle IT threat detection, analytics and IT incident response. Our flagship product, Forest Tree, has been successfully deployed in a number of complex and uniquely demanding environments. Our combination of consultants and technologists allows us to deliver unique and innovative solutions that provide our clients with real, tangible value.

Berkeley Square House, Berkeley Square, Mayfair, London W1, United Kingdom