English Pages 52 Year 2018
STRATEGY / INSIGHT / TECHNOLOGY
Q2, 2018 / Volume 15 / Issue 2

WORLD WAR CYBER: The rise of nation state attacks
SECURITY ON A BUDGET: Protecting your data when funds are tight
ATTACKS BY VERTICAL: Which sectors fare the worst?
CONTENTS
@InfosecurityMag

COVER FEATURE
12 Cryptojacking: The Parasitical Crime
Infosecurity asks whether criminals have finally found a largely victimless crime

FEATURES
8 A Tough Month for Facebook
An analysis of Facebook’s track record as it pertains to data and privacy
22 World War Cyber
As nation states battle it out for supremacy in cyber-space, what does the future have in store?
30 Great British Cybersecurity Startups
An assessment of the current state and effectiveness of the UK’s cybersecurity accelerator and incubator landscape
36 CISOs and Vendors
A look at the often strained relationship between CISOs and security vendors
40 Cybersecurity on a Budget
Money might make the world go round, but how do you keep the security wheel turning when finances are tight?
46 Attacks by Vertical
Exploring the varying cybersecurity challenges that different sectors are currently facing

ONE TOPIC, THREE EXPERTS
34 How to Run a Successful Bug Bounty Program
Three security experts share their thoughts on the elements of managing an effective bug bounty program

POINT-COUNTERPOINT
44 Breach Responsibility: Theresa Payton on why CISO victim shaming needs to stop
45 Breach Responsibility: Dr John I. Meakin outlines the arguments for CISOs taking the blame

INTERVIEWS
11 Interview: Robert Schifreen
Robert Schifreen reflects on his industry journey, dream projects and lessons learnt
16 Interview: David Shearer
David Shearer opens up about the need for more unification around common desired outcomes, his love for his job and his passion for music
18 Interview: Mikko Hyppönen
Michael Hill sits down with F-Secure’s chief research officer to find out a little more about the man who has served the same company for almost 30 years

REGULARS
7 EDITORIAL
28 TOP TEN: Ways to Reduce Your Digital Footprint
49 SLACK SPACE
50 PARTING SHOTS

www.infosecurity-magazine.com
The Contributors...

Editor & Publisher: Eleanor Dallaway, [email protected], +44 (0)20 89107893
Deputy Editor: Michael Hill, [email protected], +44 (0)20 84395643
Contributing Editor: Dan Raywood, [email protected], +44 (0)20 84395648
Online UK News Editor: Phil Muncaster, [email protected]
Online US News Editor: Kacy Zurkus, [email protected]
Print and Online Advertising: James Ingram, [email protected], +44 (0)20 89107029
Portfolio Digital Marketing Manager: Rebecca Harper, [email protected], +44 (0)20 89107861
Senior Digital Marketing Executive: Karina Gomez, [email protected], +44 (0)20 84395463

INFOSECURITY GROUP
Director: Nicole Mills, [email protected], +44 (0)20 84395683
Head of Marketing: Ralu Ionescu, +44 (0)20 89107712
Head of Sales: Paul Stone, +44 (0)208 9107817
Production Manager: Andy Milsom

Eleanor Dallaway, Editor & Publisher: With a decade in the industry, Eleanor knows more about infosec than most English graduates should. Any small gaps in her social life are reserved for a good book and even better glass of wine. @InfosecEditor

Michael Hill, Deputy Editor: With his degree in English Literature & Creative Writing and his love of the written word, Michael is dedicated to keeping Infosecurity readers up-to-date with all the latest from the infosec industry. @MichaelInfosec

Dan Raywood, Contributing Editor: Dan has written about IT security since 2008. He has spoken at 44CON, SteelCon and Infosecurity Europe, as well as writing for a number of vendor blogs and speaking on webcasts. @danraywood

James Ingram, Digital Sales Manager: James sells print advertising for Infosecurity and is also responsible for selling across all the online marketing and advertising options, including webinars and white papers. @infosecJames
ISSN 1754-4548

Copyright
Materials available in Reed Exhibitions Limited’s Infosecurity magazine and websites are protected by copyright law. Copyright ©2018 Reed Exhibitions Limited. All rights reserved. No part of the materials available in Reed Exhibitions Limited’s Infosecurity magazine or websites may be copied, photocopied, reproduced, translated, reduced to any electronic medium or machine-readable form or stored in a retrieval system or transmitted in any form or by any means, in whole or in part, without the prior written consent of Reed Exhibitions Limited. Any reproduction in any form without the permission of Reed Exhibitions Limited is prohibited. Distribution for commercial purposes is prohibited. Written requests for reprint or other permission should be mailed or faxed to: Permissions Coordinator, Legal Administration, Reed Exhibitions Limited, Gateway House, 28 The Quadrant, Richmond TW9 1DN. Fax: +44 (0)20 8334 0548. Phone: +44 (0)20 8910 7972. Please do not phone or fax the above numbers with any queries other than those relating to copyright. If you have any questions not relating to copyright please telephone: +44 (0)20 8271 2130.

Disclaimer of warranties and limitation of liability
Reed Exhibitions Limited uses reasonable care in publishing materials available in Reed Exhibitions Limited’s Infosecurity magazine and websites. However, Reed Exhibitions Limited does not guarantee their accuracy or completeness. Materials available in Reed Exhibitions Limited’s Infosecurity magazine and websites are provided “as is” with no warranty, express or implied, and all such warranties are hereby disclaimed. The opinions expressed by authors in Reed Exhibitions Limited’s Infosecurity magazine and websites do not necessarily reflect those of the Editor, the Editorial Board or the Publisher. Reed Exhibitions Limited’s Infosecurity magazine websites may contain links to other external sites. Reed Exhibitions Limited is not responsible for and has no control over the content of such sites. Reed Exhibitions Limited assumes no liability for any loss, damage or expense from errors or omissions in the materials or from any use or operation of any materials, products, instructions or ideas contained in the materials available in Reed Exhibitions Limited’s Infosecurity magazine and websites, whether arising in contract, tort or otherwise. Inclusion in Reed Exhibition Limited’s Infosecurity magazine and websites of advertising materials does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer. Copyright © 2018 Reed Exhibitions Limited. All rights reserved.

www.infosecurity.co.uk
From the Editor... Raise Your Glass
It's time to celebrate our industry's successes.

Sometimes it takes a global industry gathering to open your eyes to an industry in which you are utterly immersed. Despite reading and writing about information security day in, day out, like many things in life, being completely engulfed in something brings a danger of losing perspective. The Infosecurity team, myself included, spent last week at RSA Conference in San Francisco. I’m always amazed at the sheer enormity of our industry each year as a significant portion of its representatives descend on the Moscone Center to analyze the year’s failings, to network and to celebrate the industry’s successes. The latter, sadly, is more a pipedream of what I’d like to witness each year, as opposed to something that actually happens beyond a few award ceremonies and the occasional optimistic keynote speaker (Rohit Ghai, president of RSA, I’m talking about you).

You’re infinitely more likely to stumble across a conference session dedicated to the industry’s failings and hear booth staff at the expo spouting propaganda about the number of companies that have fallen victim to cyber-attacks and data breaches and inevitably presenting their ‘perfect solution’ to the problem. Information security professionals, the CISOs, CIOs, heads of information security, don’t react kindly to this sort of marketing. They deem aggressive marketing ‘snake oil’ and they make it their mission to avoid the expo hall(s) completely as a result. There is a tendency for CISOs to look down on the vendors that shape our industry, something which I put down to the aggressive sales and marketing tactics that are often deployed. Of course, vendors are here to serve the information security community, so striking up a good relationship with industry end-users is paramount to their success. This complex, symbiotic relationship is explored in this issue by Jai Vijayan on page 36.

Some of the most impressive industry players that I met with in San Francisco were scathing about the state of our highly profitable and fast-growing industry. Dug Song, co-founder and CEO of Duo Security, was particularly cutting. “Security is a terrible industry,” he told me, laughing but perfectly serious. “The structure of the industry is all wrong. People don’t understand what they are buying and if the products they are buying will work or not. I want to tear down the whole industry and rebuild it,” said Song.

Information security is perceived by many as an industry born and existing purely to stop bad things happening. With this in mind, it is no wonder that it’s drowning in negative energy, in snake oil and in obsessions over its own failings. In a one-on-one interview with me, president of RSA Rohit Ghai said: “In information security, you can’t celebrate your successes. If you’re looking for explicit acknowledgement of your work, this is not the industry for you.” I totally understand what he is saying – the headlines never reflect a data breach that was avoided or a cyber-attack that was stopped dead in its tracks. If we fill our industry with people in it for the passion, this would be a non-issue. These people are not motivated by money or by stardom; they are motivated by the mission, by making the world a safer place. We need to acknowledge – and promote – that this industry does not exist purely to stop bad things from happening. Information security, when done properly, enables businesses, increases profit and makes people fundamentally safer. That is something to celebrate, and that is the kind of work that needs to be acknowledged. That’s not to say this will happen in the national news anytime soon.

What’s stopping us, as an industry, celebrating our wins? As an editor of a trade press magazine and website, I feel responsible for rejoicing in the things that the people and the companies in this industry do that deserve recognition. It’s why we continue our focus on people. So as we come together as a united industry at conferences, exhibitions and networking events, let’s make sure that, in addition to analyzing our failures in order to continue to improve, we also celebrate our successes and raise a glass to our peers who are united in our shared mission.

Team Infosecurity will be at Infosecurity Europe in London next month (05-07 June) and we can’t wait to see as many of you as possible. If you are around on Wednesday 06 June at 4-5pm, join us to raise that aforementioned celebratory glass on our magazine stand, B100. The fact that you’re reading Infosecurity demonstrates that you care about your mission and that you want to be the best information security professional you can be. With over 90,000 Infosecurity readers, that’s a lot of you to celebrate. Better get the drinks in… Enjoy the issue and take care,

Eleanor Dallaway, Editor END

The Infosecurity team in San Francisco ahead of RSA Conference 2018
Raising a glass: The Infosecurity team celebrating some of the industry’s greatest contributors at the Blogger’s Awards at RSA Conference
NEWS ANALYSIS
A TOUGH MONTH FOR FACEBOOK
As the Cambridge Analytica scandal unfolds, Danny Bradbury takes a closer look at Facebook’s track record as it pertains to data and privacy

In April 2018, Facebook CEO Mark Zuckerberg sat in a room filled with more politicians than you’d expect at a Congressional hearing. Almost half of the US Senate followed the next day whilst members of the House gathered to ask him just what Facebook thought it was doing. Zuckerberg’s handlers had carefully prepped him for the event, which punctuated the biggest scandal in the social network giant’s history. The world had found out how Cambridge Analytica – run by hedge fund billionaire Robert Mercer and headed by Steve Bannon – gathered information on 87 million Facebook users via a quiz called thisisyourdigitallife. It was a Facebook app written by Cambridge University researcher and St Petersburg associate professor Aleksandr Kogan, who collaborated with Cambridge Analytica’s parent firm SCL through his company, Global Science Research. The quiz gathered information from the profiles of the people that filled it out (known as seeders), but it also mined their friends’ data too, giving Cambridge Analytica access to raw data on almost a fifth of the US population, and on over a million UK residents. The data that Cambridge Analytica harvested covered those points you might expect, such as age and gender, but also delved into other, more nuanced characteristics. These included openness, conscientiousness, life satisfaction, IQ and political views. The firm – which worked with the Trump campaign and with the pro-Brexit Vote Leave organization – had unprecedented insights into how millions of people thought and felt.

Facebook knew about this infraction as far back as 2015 but reportedly didn’t address the problem with Cambridge Analytica until 2016, when its lawyers sent the firm’s research director Christopher Wylie a letter asking him to destroy all information collected by GSR. Wylie has said that Facebook failed to follow up on its request, while Facebook has stated that Wylie and others certified that it had been deleted. In fact, there were still unencrypted copies of the data, which Wylie revealed in March when he blew the whistle on Cambridge Analytica’s massive data harvesting campaign. The story caused Facebook to panic and the social network made public apologies via newspaper advertisements and Zuckerberg’s statements to Congress. It isn’t enough, warns Ann Cavoukian, former privacy commissioner of Ontario, Canada and now leader of the Privacy by Design Centre of Excellence at Ryerson University. “All around the world, regulators are investigating, and there’s simply no trust in Facebook or what they say,” she warns.
Cavalier Attitude Towards Privacy
Since then, other infractions have come to light. People have been shocked at how much data the firm was collecting on their texts via its messenger app, for example. The company also admitted that thanks to a feature that enabled people to search profiles via phone numbers or email addresses, most of its users’ profiles may have been scraped by online bots. The thing is, Facebook has been making privacy slip-ups for years. The phone search feature had been reported as far back as 2012. The ACLU warned about permissive information gathering via quizzes back in 2009. In 2006, Zuckerberg apologized for not building proper privacy controls into its news feed service, admitting that the company “really messed this one up.” In 2007, it launched Beacon, which shared what users were doing on other websites with their friends. It only let people turn it off after complaints. “I know we can do better,” said Zuckerberg. In 2009, the Canadian Privacy Commissioner found privacy flaws in Facebook, including a lack of transparency for users. In 2011, the Federal Trade Commission reached a consent decree with Facebook after finding more privacy infractions, including making users’ friend lists public even if they had set them to private, and failing to verify the security of apps on a ‘verified apps’ list. “I’m the first to admit that we’ve made a bunch of mistakes,” said Zuckerberg at the time.
There are plenty of other examples of Facebook’s consistently cavalier attitude towards privacy. In 2012, regulators in Europe highlighted one, when they banned the company’s facial recognition technology which enables it to automatically find people in photographs. Justin Cappos, associate professor of computer science and engineering at New York University’s Tandon School of Engineering, frets about ‘shadow profiles’ that Facebook builds by harvesting ancillary information about people. The information can come from sources including other sites that they surf containing Facebook’s trackers, along with other people’s contact lists. These shadow profiles exist for those that have never even signed up for Facebook, warns Cappos, adding that Zuckerberg was vague about it in his Congressional testimony. “He steered the answers back to getting people to think about the data that they put into Facebook’s website,” said Cappos. “That isn’t the most concerning data that Facebook has.” The question is, will Facebook change?

Opaque Facebook
In early April, the social networking giant did vow to make some changes. It restricted third-party apps’ access to information about events, groups, pages and select personal data. While app authors can still apply to access information such as photos, posts and likes, Facebook said that it has also tightened its review process for these requests. Additionally, it reduced the call and text information gathered by its Messenger or Facebook Lite apps and is also introducing an app control feature so that users can see what apps they’re using at the top of their news feed. Finally, the firm is preventing the searching of profiles using email or phone data. One thing that could force more changes is the Honest Ads Act, a bill currently before both Houses on the Hill. The legislation mandates strict public documentation of advertising purchases to support political campaigns. With GDPR about to place the most stringent privacy protections in history onto companies holding data on EU citizens, the social network may be forced to take even more severe action. However, Zuckerberg has been equivocating about whether Facebook will extend its GDPR-compliance further, both to news agencies and to Congress, saying that the company would look at doing it ‘in spirit.’ In the meantime, it is already creating controversy by testing that previously-banned facial recognition technology on European users. That is perhaps the biggest problem with Facebook. Despite the company’s consistent apologies and promises to do better, it is difficult to see what it is doing behind the scenes. Cappos warns that it is difficult to trust a company that is often opaque. “It’s important to have enough transparency to understand what’s happening, why and how. The fact that this isn’t available makes it frightening and risky because you frankly don’t know what they’re doing,” he says. “By the way, what they say they’re going to do and what they actually do is not the same thing either.” Underlining this point, the FTC is now investigating Facebook to see whether it violated the 2011 consent decree. If the FTC finds that it has, the fines could run into billions of dollars. To truly change its privacy stance, Facebook may need to change its underlying business model. Virtual reality pioneer Jaron Lanier has called for alternatives to the free model on which the likes of Facebook have grown. After all, if Netflix could do it for TV, then why couldn’t we do it for other online services, he asks? Cappos is sceptical that companies like Facebook will make the fundamental change necessary to foreground privacy. “Now it’s difficult because you have these massive companies with a strong vested interest in having users with very little privacy,” he says. “On the side of those that want privacy, you have people like the ACLU, the Electronic Frontier Foundation and some researchers. I don’t think we have the lobbying power that these big organizations do.” Neither do they have the money. While Zuckerberg smirked his way through the congressional hearings, telling one in three senators that he’d have his team get back to them with answers, the markets reacted positively, sending the firm’s stock soaring over 4.5%. During that time, Zuckerberg’s worth increased by around $3bn. That’s not bad for two days’ work END
Q&A: ROBERT SCHIFREEN
By Eleanor Dallaway

Robert Schifreen’s voyage into the cybersecurity industry began when the Met Police knocked on his door following his hacking of Prince Philip’s email account back in 1985. Fast forward three decades and the former hacker now trains people in security awareness and takes pride in being known and respected in an industry he loves...

What was your route into cybersecurity?
An unconventional one. I had a personal visit at home by the head of the Metropolitan Police’s Computer Crime Unit, back in March 1985. I was arrested in connection with computer hacking, and I’m told that my subsequent trial was the first time in the world that a hacker had faced a jury. Although I was convicted, along with the late Steve Gold, we were later acquitted of all charges. Consequently, the Computer Misuse Act 1990 was introduced. I ran into former Detective Inspector John Austen, my arresting officer, a few times after that for professional reasons. We even spoke at some conferences together, and would often meet for a coffee at Infosecurity Europe each year.

What would be your dream project or contract?
I’d love to do a Government IT project or two, and show them how to do it with a hacker (in both senses of the word) mindset. Don’t reinvent wheels and don’t spend huge amounts of money when you don’t need to. Politics and IT have never played nicely together, and I don’t see that changing anytime soon, but the hacker mindset, which often overlaps with what we call neuro-diverse nowadays, is under-exploited in industry and we need to take more notice of such people.

Who would be your all-star project team?
I’d bring together every young person who has ever won a ‘cybersecurity challenge’ competition, or similar. We need to try something new. Just look at the size of the IT security industry now, and the amount of money that is spent on products and services, and yet losses are at an all-time high. We’re clearly doing something wrong so it’s time for some radical new thinking.

What would you like to change about the information security sector?
I’d like people to start thinking of it as a people problem, not a technical one. Stop believing that there’s such a thing as a fit-and-forget product, or that you can buy (or sell) peace of mind. Stop thinking that blockchain is the answer to everything. Finding some time to look through the firewall logs is going to do you more good than listening to yet another GDPR seminar.

Quick-fire Q&A

Most important lesson you’ve learned?
If you build it, they won’t come, not unless you spend a lot of time and money on marketing and advertising.

Biggest professional regret?
Not setting up SecuritySmart 20 years earlier.

Who do you really admire?
All the writers and bloggers who try to solve the real problems in our industry, rather than the most profitable ones.

What’s your dream job?
Composing music for film and TV soundtracks.

Advice you’d give someone starting out in infosec in 2018?
Learn stuff. Play with stuff. Study stuff. Break stuff. Hack stuff.

Surprise us with a random fact about you…
I live with a wife, two dogs, six sheep and two emus. One of the sheep was originally an orphan lamb so she lived in the house for a while. We had to smuggle her into the local supermarket so we could find nappies that would fit her!

BIO
A former hacker, and the person responsible for the Computer Misuse Act, Robert now runs an IT security awareness training company called SecuritySmart. He believes that microlearning is the future.
COVER FEATURE
CRYPTOJACKING: THE PARASITICAL CRIME
Cryptojacking doesn’t destroy data. Instead, it chews up computing resources. Danny Bradbury asks whether criminals have finally found a largely victimless crime

Twenty years ago, non-profit projects began asking volunteers to solve science problems using their spare computing power. Initiatives like SETI@HOME would quietly use home PCs to scan radio signals for signs of intelligent life. Today, crooks are using victims’ CPUs for less noble purposes, making millions from illicitly mining cryptocurrency. Before Bitcoin’s rise to fame in the first half of this decade, most people wouldn’t have known what mining was. Until the cryptocurrency launched in 2009, anyone sending money online needed a central arbiter such as a bank or PayPal to process the transaction. That arbiter maintained a ledger that recorded who had sent what to whom. The blockchain technology underpinning Bitcoin replaced that central ledger with a distributed one, giving a copy to all participants and writing its transactions to each. To stop people fraudulently rewriting transactions, the blockchain ‘seals’ them using cryptographic puzzles that are deliberately expensive to solve. Known as a proof of work, these puzzles are what computers on the network compete to complete first. Winners earn a reward. In Bitcoin’s case, that’s 12.5 Bitcoins, and miners can also earn extra transaction fees. As the price of cryptocurrencies has risen, criminals have co-opted other people’s computers en masse to illicitly mine for cryptocurrencies, in an attack known as ‘cryptojacking’.

“They’re making a lot of money doing it,” says Troy Mursch, a Las Vegas-based security researcher who runs the Bad Packets Report. “It’s a straight-up theft of resources. Everyone needs to be aware, from small businesses to large enterprises.” Mursch is making a name for himself finding websites infected with cryptojacking software that runs JavaScript code in visitors’ browsers to mine for cryptocurrency. He recently found 30,000 of them, including the LA Times interactive homicide report webpage, all using visitors’ CPU power to earn coins for crooks. The most common browser-based cryptojacking tool is Coinhive, found on the majority of compromised sites. The trick for attackers is to get these scripts onto systems and keep them running for as long as possible. “The whole point with in-browser models is that you need a website where the user will be there for longer than normal, and you need a lot of concurrent active users on the site,” Mursch says. “The websites that make the most money with Coinhive are video streaming sites or image boards.” There is one kind of site that people commonly spend lots of time browsing for images. Porn sites accounted for half of all cryptojacking scripts, according to research from Chinese security software firm Qihoo 360 Technology’s 360Netlab research team.
The Economics of Cryptojacking
Deciding what cryptocurrencies to mine when cryptojacking involves a careful balance between economics and technical capability. Bitcoin’s mining algorithm supports application-specific integrated circuits (ASICs), which are chips dedicated to its hashing task. Most Bitcoin mining now happens in large data centers with equipment dedicated to that purpose. Bitcoin becomes more difficult to mine as more computers do the sums (called hashes) to compete in its mining contests. Bitcoin’s hash rate is a function of its value. It hit nearly 24 million terahashes per second in March, up from 3.8 million terahashes a year prior, as its price skyrocketed. Cryptojackers co-opting general purpose CPUs couldn’t compete. They needed alternatives. There are well over 1000 different cryptocurrencies, and many of them are far easier to mine because they use proof of work algorithms that don’t need ASIC hardware. “You tend to see people moving around as popularity rises and falls in peaks and troughs,” explains Neil Haskins, director of advisory services EMEA at security firm IOActive. The current favorite is Monero, an open-source cryptocurrency created in 2014 and focused on privacy. Unlike Bitcoin, this digital asset is CPU-friendly, making it ideal for browser-based mining. The cryptocurrency also has other features that appeal to cryptojacking crooks, says Haskins. It is designed to obfuscate transactions in a way that Bitcoin doesn’t. Bitcoin ties transactions to specific addresses. Monero uses addresses interchangeably. “Monero pushes this untraceable transaction capability, this anonymity,” he adds. “From a bad guy’s perspective, they can sit and hide in the Monero network.”
Compromised Devices
Instead of luring visitors to websites, botnet operators just install the malware directly to keep it mining whenever a computer is on. Proofpoint researchers found cryptojacking botnet Smominru earning around 24 Monero each day since early 2017, equating to nearly 9000 Monero valued at over $3m. Sherrod DeGrippo, director of emerging threats at Proofpoint, sees the same old botnet operators folding cryptojacking into their existing arsenals. “You’re already distributing a banking trojan and a keylogger or a credential stealer,” she says. “Why not stick a coin miner on there as well and get two for one?” Attackers hungry for computing power are also attacking another target: enterprise servers, which offer tempting processing and memory resources. “With almost every incident response engagement that our guys did, we were finding cryptocurrency miners,” says Mike McLellan, author of a report for Dell-owned security firm SecureWorks on cryptojacking. His company frequently finds cryptojacking malware such as XMRig and Coinminer on victims’ machines. These attacks extend from on-premise servers into the cloud, which provides attackers with the elastic computing resource they need to mine more coins. As early as December 2013, crooks were hacking online cloud accounts and using those resources to clock up CPU time. They accessed Melbourne-based programmer Luke Chadwick’s Amazon Web Services account using an Amazon key that he had unwittingly uploaded to his public GitHub repository. They clocked up $3420 in CPU time across 20 Amazon virtual machines mining Litecoin. These instances are getting increasingly sophisticated. Surveying 12 million public cloud resources, security firm RedLock believes that 8% of organizations have suffered from cryptojacking activity. These include Tesla, UK insurance giant Aviva and smart card manufacturer Gemalto. Attackers compromised Tesla’s cloud infrastructure via instances of the Kubernetes container orchestration software that the company had installed without login protection.
Protecting Yourself
Monitoring is one way of protecting yourself against attacks on cloud-based and on-premise servers alike, warn experts. “Always monitor public cloud environments for internet-exposed resources to detect these types of issues,” says Gaurav Kumar, CTO and head of the Cloud Security Intelligence (CSI) team at RedLock. The company also noted that 80% of the 12 million cloud-based resources it saw do not restrict outbound traffic. Administrators can at least use a blacklist like CoinBlockerLists to spot and block traffic to known mining domains.
As attacks get more sophisticated, though, monitoring traffic destinations won’t be enough. The Tesla hackers cloaked the IP address of their self-installed mining pool software behind the CloudFlare content delivery network. They also used a non-standard port to help avoid port-based traffic detection.
Cat and mouse games between attackers and network administrators make it essential to monitor CPU activity too, warn experts. However, that gets trickier as organizations increase in size. “Nefarious activity may go unnoticed at large organizations due to the size of the environments, and they tend to be less sensitive to cost increases arising from the use of additional computing power,” says Kumar. Some cryptojacking malware already throttles traffic to stay below the radar, points out Mursch, which can make it difficult for even smaller companies or individual victims to see what’s happening.
While some cryptojacking attacks use powerful servers, others target an army of small devices. “Mobile devices definitely present a potential target area,” says Proofpoint’s DeGrippo. “The processing power of these devices is pretty good.” Some Android-focused malware has already made it into the wild. ADB.Miner is an Android cryptojacking worm that reportedly uses the same code found in the Mirai IoT malware to propagate between Android-based smartphones. It has also turned up on some smart TVs, according to 360Netlab.
The New Normal
Where will this all end? Don’t expect cryptocurrency mining to stop anytime soon. Ransomware has to announce itself, whereas cryptojacking malware relies on flying under the radar. “Criminal use of cryptocurrency miners will become the new normal for as long as cryptocurrencies retain enough value to make it worthwhile,” says SecureWorks’ McLellan. The damages from cryptojacking are also far lower, points out DeGrippo, which exposes criminals to fewer recriminations. Many customers finding this kind of malware may merely erase it and not report it at all. “It’s much more of a grey area when you’re using the processing power and electricity of an organization versus holding their data for ransom, so I think there’s some attractiveness there,” she says.
Some see in-browser cryptomining as benign enough to support a new business model as a legitimate and voluntary activity. Salon recently used what a spokesperson described as “the latest version” of Coinhive to give users an alternative to viewing ads. A charity, Bail Block, asked visitors to willingly mine cryptocurrency as it raised bail money for non-violent offenders, in a variation on the original SETI@HOME idea.
Illicit cryptojacking may be the perfect crime, just so long as markets continue to crave cryptocurrencies and drive up prices. It isn’t a victimless crime, because the malware still consumes computing power and could render computers unstable. Nevertheless, it’s a crime that doesn’t destroy data so much as prey on electrical power, using parasitical software to chew up computing resources one CPU cycle at a time. END
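The monitoring approach the experts in the Protecting Yourself section describe, as an added example that is not code from the article or from any of the vendors quoted: the Python script below triages hosts from constructed connection and CPU telemetry, checking destinations against a CoinBlockerLists-style domain list, noting outbound connections on non-standard ports, and scoring sustained or unusually steady CPU load. The log format, host names, domains, port list and thresholds are all constructed for the demo, and the steady-load rule for throttled miners is a heuristic assumption rather than a published detection rule.

```python
"""Host triage for cryptojacking indicators over constructed telemetry (added
example, not from the article). Signals: destinations on a CoinBlockerLists-
style list, outbound connections on non-standard ports, and CPU load, with
steady moderate load as a separate weak heuristic for throttled miners."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed list in the CoinBlockerLists layout: one domain per line,
# '#' starts a comment. These domains are placeholders, not real pools.
BLOCKLIST_TEXT = """\
# constructed sample, layout mirrors CoinBlockerLists
pool.example-miner.test
xmr.example-pool.test
"""

# Ports a server is expected to talk out on (assumption for this demo).
STANDARD_PORTS = {22, 25, 53, 80, 443, 587, 993, 995}

# Constructed telemetry: outbound connection records and CPU samples.
SAMPLE_LOGS = """\
2018-04-02T03:00:00Z host=web-01 conn dst=eu.pool.example-miner.test port=3333
2018-04-02T03:00:05Z host=web-01 cpu=98
2018-04-02T03:00:10Z host=web-01 cpu=97
2018-04-02T03:00:15Z host=web-01 cpu=99
2018-04-02T03:00:00Z host=k8s-node-07 conn dst=cdn-fronted.example.test port=8443
2018-04-02T03:00:05Z host=k8s-node-07 cpu=44
2018-04-02T03:00:10Z host=k8s-node-07 cpu=45
2018-04-02T03:00:15Z host=k8s-node-07 cpu=46
2018-04-02T03:00:00Z host=db-02 conn dst=updates.example.test port=443
2018-04-02T03:00:05Z host=db-02 cpu=20
2018-04-02T03:00:10Z host=db-02 cpu=71
2018-04-02T03:00:15Z host=db-02 cpu=12
this line is not telemetry and is skipped rather than guessed at
"""

LINE_RE = re.compile(r"^\S+ host=(?P<host>\S+) (?:conn dst=(?P<dst>\S+) "
                     r"port=(?P<port>\d+)|cpu=(?P<cpu>\d+(?:\.\d+)?))$")

def parse_blocklist(text: str) -> set[str]:
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}

def domain_blocked(domain: str, blocklist: set[str]) -> bool:
    """True if the domain or any parent domain is listed (eu.pool.x hits pool.x)."""
    labels = domain.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))

@dataclass
class HostEvidence:
    blocked: list[str] = field(default_factory=list)    # dst:port on the blocklist
    odd_ports: list[str] = field(default_factory=list)  # dst:port, non-standard port
    cpu: list[float] = field(default_factory=list)      # samples in log order

def collect(lines, blocklist: set[str]) -> dict[str, HostEvidence]:
    """Group parsed records per host; lines that do not parse are skipped."""
    hosts: dict[str, HostEvidence] = defaultdict(HostEvidence)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = hosts[m["host"]]
        if m["cpu"] is not None:
            ev.cpu.append(float(m["cpu"]))
        elif domain_blocked(m["dst"], blocklist):
            ev.blocked.append(f"{m['dst']}:{m['port']}")
        elif int(m["port"]) not in STANDARD_PORTS:
            ev.odd_ports.append(f"{m['dst']}:{m['port']}")
    return dict(hosts)

def cpu_signal(samples, high=85.0, window=3, steady_spread=5.0):
    """'sustained' if the last `window` samples are all >= high; 'steady' if
    they sit well above idle with almost no variation, the profile a throttled
    miner tends to leave (heuristic assumption, not a hard rule); else None."""
    if len(samples) < window:
        return None
    recent = samples[-window:]
    if min(recent) >= high:
        return "sustained"
    if mean(recent) >= 30.0 and pstdev(recent) <= steady_spread:
        return "steady"
    return None

def triage(hosts: dict[str, HostEvidence]) -> dict[str, str]:
    verdicts = {}
    for name, ev in hosts.items():
        cpu = cpu_signal(ev.cpu)
        if ev.blocked:
            verdicts[name] = "likely-mining"  # known pool domain: strong on its own
        elif cpu and ev.odd_ports:
            verdicts[name] = "suspicious"     # load plus an unexplained outbound port
        elif cpu == "sustained" or ev.odd_ports:
            verdicts[name] = "review"         # one signal only; could be a batch job
        else:
            verdicts[name] = "clean"
    return verdicts
```

Running `triage(collect(SAMPLE_LOGS.splitlines(), parse_blocklist(BLOCKLIST_TEXT)))` flags web-01 on the pool domain, k8s-node-07 on steady load plus an odd port even though its destination is not listed, and leaves db-02 clean.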
www.infosecurity-magazine.com
Q&A
DAVID SHEARER
David Shearer, CEO of (ISC)2, is committed to inspiring a safe and secure cyber world through his day job. Beyond that, he dreams of a record seventh NFL Super Bowl win from the Pittsburgh Steelers and reigniting his music career…
Quick-fire Q&A
What’s your dream job? Playing in a band to people who enjoyed our music.
Biggest regret? That I didn’t find a better way to keep my music aspirations alive.
What’s your guilty pleasure? Being alone. Everyone thinks I’m such an extrovert, but the truth is that I’m a highly-functioning social introvert.
What’s the worst thing about your job? The travel, it keeps me away from my best friend, my wife.
By Eleanor Dallaway
Tell me about a time you screwed up. I took a job for a promotion versus a true interest in the work.
What advice would you give to someone starting out in the industry in 2018? It’s counter-productive to axe grind among the deeply technical and the leadership and managerial aspects of the industry. There are leaders that simply cannot do the deeply technical roles, and there are deeply technical people that make less than stellar leaders and managers. We need both. Debating the issue is pointless. Focus on advancing the work and the profession.
What’s the most misunderstood thing about information security? That information security is some type of recent development.
What’s your proudest achievement? Becoming CEO of (ISC)². I’m so proud of (ISC)² members and the positive impact they’re having around the world and we’re only just getting started. I’m also very proud of the staff at (ISC)², their passion is inspiring and infectious and as a consequence, I wake up every morning excited to go to work.
What was your route into cybersecurity? I came up through the IT ranks. I was with the U.S. Coast Guard in my formative years. I also provided IT support to the US House of Representatives and IT leadership at a number of US Cabinet Departments along the way as well. Names and terms have changed over the years, but fundamentals have not.
BIO
If you could change one thing about the information security sector, what would it be? We do more tearing down than building each other up. I’d really like to see more unification around our common desired outcomes. We work way too hard at one-upping each other - that’s the type of culture that fragments our global capabilities and plays into our adversary’s hands.
@4daveshearer
David Shearer is CEO of (ISC)2, having previously served as associate chief information officer for International Technology Services at the U.S. Department of Agriculture, the deputy chief information officer at the U.S. Department of the Interior, and the executive for architecture, engineering and technical services at the U.S. Patent and Trademark Office.
MIKKO HYPPÖNEN
Michael Hill sits down with F-Secure’s chief research officer to find out a little more about the man who has served the same company for almost 30 years
Few industry names carry quite as much weight as internationally renowned security expert Mikko Hyppönen. Don’t just take my word for that; he’s been selected among the 50 most important people on the web by PCWorld magazine, included in Foreign Policy’s Top 100 Global Thinkers list and made worldwide news for tracking down and visiting the authors of the very first PC virus in history. To put it simply, if infosec celebrities exist, then Mikko is one. It might therefore come as a bit of a surprise to some that, despite his fame, expertise and recognition, Mikko has served the same company, F-Secure, for the best part of 30 years. When he first walked through its doors in 1991, the firm was a small Finnish startup called Data Fellows and Mikko was studying computer science at university. Fast forward 27 years and he is now the chief research officer, and F-Secure has more than 1000 employees and over 25 offices around the globe.
My Mother Was Right As he sits down with me fresh off the speaking stage at an information security event in London, Mikko reflects on growing up in Helsinki and how his introduction to the world of computers came at a very early age.
“My mother was born in 1935, and she went to work with computers in 1966. I was born in 1969, and as a small boy, me and my brothers would play around with the computer punch cards and punch tape that our mother would bring home from work. So I was exposed to computers extraordinarily early.” A few years passed and, shortly after getting his first home computer (the Commodore 64) in 1984, a teenage Mikko was writing and selling his own software products, mastering a proficiency in assembly language. He recalls a conversation with his mother then that shaped his life more than he could have imagined. “My mother sat me down at the kitchen table when I was 16 and she said ‘Mikko, you should go and study telecommunications, telecommunications is the future!’ – so that’s what I did. My mother has since passed away, but I’m glad I had the chance to tell her that she made a pretty good call! That was years before smartphones, years before the web and apps…so I got lucky, and she gave me a good guiding for my career.” However, that’s not to say that working in the computer industry was always Mikko’s intended profession. “When I was a boy, I wanted to be a doctor, because I wanted to help people,
but it turns out I can’t look at blood. You can’t be a doctor if you can’t look at blood, so I didn’t become a doctor, though I like to think I did become a ‘virus doctor’ (sort of),” he laughs.
Employee No. Six
A virus doctor he may be, but how did his security career start, and how did he get to where he is today? “When I was studying at the University of Helsinki I needed a place to work to support myself, and I got hired to this small start-up company as employee number six, and that’s the company where I still work today.” Interestingly, Mikko’s first role had nothing to do with IT security, because at that time, Data Fellows mostly specialized in building customized databases. “My first job was working on a database development project for a factory making porcelain cups and plates,” he says. He must have done a good job – the company was still using the same system he built until just a couple of years ago. However, the one tie to security that Data Fellows did have back then was in training; teaching computer users how to back up systems, how to do encryption and how to deal with the ‘new’ problem of viruses, spreading in those days through floppy disks.
“As we were doing training and teaching people about this new problem, quite often we would be asked about solutions and if we could recommend a good anti-virus. Well, we couldn’t, because there were very few players in the industry then – so we saw a market opening.” A market opportunity indeed, but making the jump from training provider to security software business would require some knowledge and expertise. “When we started looking into malware and anti-virus technologies in 1992, we needed capabilities of reverse engineering viruses, and you need to be able to read assembly language to do that. The only guy in the company who had any knowledge of assembly was me, so it landed with me to spend my time collecting virus samples, figuring out how they worked and decompiling the code. Eventually I did nothing but that.” As the company expanded, Mikko found himself managing larger and larger malware analysis teams within the organization, and it was during that time that he learnt where his strengths lie, and where they do not. “I realized that my expertise is not in managing people and running big teams,” he says honestly. “I steered myself away from that and became more independent within the company. I love having a position where you have little official influence but tons of unofficial influence.”
As chief research officer, Mikko is perfectly situated to do just that, balancing his time between maintaining F-Secure’s internal threat assessment and travelling the world as a public speaker. “I spend 50% of my time now doing keynotes and meetings, and it gets me to interesting places. If I was going from city to city and repeating the same talk over and over again like a parrot, I wouldn’t enjoy it, but we are in an industry that is constantly changing and there are always new things to speak about. I update my presentations every week, and that’s what keeps it interesting.”
Everyone’s a Fellow
It was in 1999 that Data Fellows became F-Secure, a rebrand that signified the beginning of the company’s substantial business transformation from relatively humble beginnings to the security all-rounder that it is today. However, the interesting thing about the organization, Mikko explains, is that it has never lost sight of its fundamental roots. For example, anyone who works for the company is not referred to as an employee or a colleague; they are all ‘fellows’ – a nice throwback to the organization’s heritage. It’s at this point that I wonder whether there’s something unique about F-Secure that has kept Mikko at the company for so long – after all, almost three decades is quite a stint and it has been his only employer, if you disregard a summer job as a forklift driver many years ago. “The culture at F-Secure is very good,” he says. “It’s becoming larger and larger as a company, but the culture has always been very warm and very inclusive. The best example of that is that I can easily list 20 people that are currently working for us that have at some stage left, and eventually returned home to us. If your company culture is so good that people who leave realize they actually didn’t want to leave and come back, that is very telling.” Of course, Mikko’s loyalty to F-Secure has also been helped by its location, headquartered in Finland’s capital city, Helsinki. “I like Finland, it’s a very good place to live. Just recently some international statistics were released that said Finland is the happiest country on earth – I’m not sure if I agree, although that’s probably me being very Finnish, as we always like to prove you wrong,” he says with a smile. “I haven’t ever felt like moving to work in other countries, and I have no regrets about that!” Then there’s the pure love for the work he and F-Secure do: “it never gets boring in security – I’ve never had a boring day at work. Things are changing all the time and we have a very genuine enemy that’s always trying to figure out ways around the defenses that we build. I believe that we are doing work that matters. When I go to the office in the morning, I look around and I see some of the smartest people, not just in IT security, but in IT full stop. Some of the best minds choose to work in IT security when they could be doing anything, and that’s because when you work in security, it feels like you are making a difference, which feels good.”
Mikko is a three-time TED speaker and has addressed security conferences all over the world
The Summer of Stuxnet
Mikko’s painted me the perfect picture of his career journey so far: from inquisitive youngster to world-renowned security expert and public speaker, with a snapshot of how F-Secure has evolved along the way. So, what I want to know next is what he considers his proudest achievements since he became employee number six of Data Fellows back in 1991. “The first that springs to mind is the summer of Stuxnet, in 2010,” he answers. Stuxnet is the notorious computer worm that targeted SCADA systems and was responsible for causing substantial damage to Iran’s nuclear program. “That was the most paranoid time in my life! When we found Stuxnet in June 2010 we didn’t know what we were facing – it was abnormally large, it had zero-day exploits in it and it was hiding in plain sight, quite different from other malware we were seeing.” Mikko explains that summer was a rare example of the whole industry coming together as a collective to share information and decode the virus slowly but surely: “even the biggest competitors were working together to try and figure out what the hell it was!” As time passed, it became clear that the Stuxnet program was far bigger than anything that came before it; it was a multi-million euro project beyond the means of cyber-criminals and could only realistically be attributed to a government. “The joint effort taken by my team, and by other teams in our fellow companies, really stays with me,” adds Mikko. “It was huge work that was done over several weeks and months, and we still speak about time before Stuxnet, and time after it – that’s how big a deal it was.”
The Virus Wars
There was also the period of the early 2000s, which Mikko coins ‘The Virus War Years’. He tells me that this was a time when there was a huge upsurge in malware authors changing from hobbyists writing viruses for fun to large organized crime gangs writing viruses for money. “Back then, we only had one lab, the Helsinki lab, which means that when an outbreak started at 3am, we had to work at 3am. The first few times that happened it was exciting – we’d get a phone call in the middle of the night and we’d go to ‘save the world’, and then we’d go back to sleep. When that started happening every week, then two times a week, or three times, it did get very tiring.
“I don’t remember much of the summer of 2003, because we were working ridiculous hours around the clock. We had a bed at the lab so people could take a nap! It was, in one way, a really fun and rewarding time, but also an exhausting and terrible time. I’m glad it’s not like that anymore, but then again I wouldn’t change that experience for anything. I’m glad I lived through it, and I’m glad I survived it.”
Back to the Brain
Mikko’s next fond memory is probably my favorite, and it all centers around a piece of malware called Brain. Brain was released in January 1986 and is considered the first computer virus for MS-DOS. In 2011, it was the 25-year anniversary of its release, and Mikko tells me of a time when he was asked what F-Secure could do to mark the occasion. After dismissing one or two ‘boring’ ideas to raise cybersecurity awareness, he had the notion of tracking down the two men who created Brain – after all, they had included their names and address in the code of the virus. “So I packed my bags!” he says. His destination? Allama Iqbal Town, Lahore, Pakistan. “I flew to Doha, and then to Lahore, and I knocked on the door. Sure enough, the guys who opened it were Basit and Amjad, the brothers who created Brain, still living at the same address!”
Mikko recollects the “very interesting day of discussion” he had with Basit and Amjad, and how he even took his own original Brain-infected floppy disk and returned it ‘home’ to them. “These guys really didn’t understand what they started in 1986,” he says. “They were programmers who had been working with IBM mainframe systems and when the new PC systems became commonplace they were horrified about their lack of security, and with good reason. They were trying to showcase how bad it was by writing a piece of code that would copy itself to every boot sector and spread around. When it did start spreading there was nothing they could do about it – eventually Brain went worldwide and infected computers in almost every country on the planet.” Naturally the brothers, in their twenties at the time, became very fearful about the problem they had caused: no laws had been broken, but the first computer virus was born, and Mikko explains they took no pride in the fact that all of the thousands of malware cases since Brain are linked to that very first virus, and to them. Perhaps the most remarkable part of this tale is its ending: Allama Iqbal Town, Lahore, Pakistan – the birthplace of the first computer virus in history – is the same place in which Basit and Amjad now run their own ISP, providing internet connectivity across the city. The company name is, inevitably, Brain Telecommunication.
Stories of Missed Opportunities
To say that Mikko has achieved a lot in his career would be quite the understatement, and whilst I could sit listening to him for hours, my time with him draws to a close. The one question I have left for him is what he hopes his future might have in store. “One thing I do feel very passionate about is trying to prevent people from entering a life of online crime,” he answers. “I’ve tracked down countless online criminals over my years in the business; I’ve taken people to court, I’ve taken people to jail and I’ve met them face-to-face. The story I almost always hear from caught online criminals is one of missed opportunity, of people who had the skills but didn’t have anything productive to do with them.” I don’t doubt Mikko’s passion on this subject, and he makes the very valid point that if you’re a programmer or a network expert living in London, you can get a job no problem. The same can’t be said for those living in the countryside of China, or Siberia, or the slums of São Paulo: for them it’s a very different story. “Typically the easiest way for these people to make a living with their skills is to go into a life of crime, and that’s something we really should be doing better with, showing people productive ways of using their skills to avoid a life of cybercrime. That’s what I’d love to work with more and I want to do what I can to get young people to use their skills for good.” So there you have it, a whistle-stop tour of the life and career of Mikko Hyppönen, a truly fascinating man with an equally captivating story. His mother certainly had it right all those years ago when she predicted that telecommunications would be the future, and Mikko has undoubtedly made a huge contribution to the world she envisaged. Mikko, it’s been a pleasure! END
BIO
@mikko
Mikko has worked for F-Secure since 1991 and has been involved in fighting some of the biggest virus outbreaks in internet history. He has written for the New York Times and Wired, been selected among the 50 most important people on the web by PCWorld magazine and included in the Foreign Policy’s Top 100 Global Thinkers list.
FEATURE
WORLD WAR CYBER
As nation states battle it out for supremacy in cyber-space, Phil Muncaster asks what the future has in store
In January, the UK’s defense secretary, Gavin Williamson, warned that Russian attacks on critical national infrastructure (CNI) could cause “total chaos” in the country and lead to “thousands and thousands and thousands of deaths.” His comments were widely criticized at the time as intended merely to secure more Treasury funding. Yet, was he that wide of the mark? Governments, CNI providers and enterprises are arguably more exposed to cyber-risk today than they’ve ever been, thanks to a reliance on data-driven, connected and cloud-based systems. Over the past couple of years alone, this dependence has imperiled everything from presidential elections to NHS operations and even the Olympic Games. The question is, where are we headed? Is the planet hurtling towards a major cyber-conflict between superpowers, or are we already in a de facto cyber-Cold War? Perhaps most importantly, is there anything that organizations sandwiched in the middle of these escalating attacks can do to stay secure?
Tit-for-Tat
It is well understood by most governments that foreign powers will try to gain intelligence which has geopolitical or military value. All nations with the right capabilities are thought to conduct this kind of cyber-espionage and, to an extent, they expect it of others. As Edward Snowden revealed, the NSA even tampered with Cisco products headed for foreign countries so it could eavesdrop on their eventual recipients. However, the past few years have seen incident after incident in which the reach of nation state hackers has gone beyond these understood norms. Ground zero was arguably Stuxnet, an explosive revelation which showed the lengths the US and Israeli governments were prepared to go to in order to delay Iran’s nuclear program. Then we learned that Chinese state hackers were conducting mass ‘economic espionage’ against US firms. This led to the unprecedented Department of Justice (DoJ) indictment of five People’s Liberation Army officers for activities spanning 2006-14. Attorney general Eric Holder claimed it “should serve as a wake-up call to the seriousness of the ongoing cyber-threat.” It is the Putin administration, however, which seems to be conducting the highest profile information warfare campaign against nations. Russian hackers are said to have successfully targeted energy providers in Ukraine, causing blackouts for hundreds of thousands in 2015 and 2016. They have been probing UK telecoms, energy and media organizations, and were responsible for the destructive NotPetya attack of June 2017, according to the NCSC. Over the past few years, the infamous APT28 group, part of Russian military intelligence agency the GRU, has conducted countless data-stealing raids on targets as varied as NATO, the White House, the US Senate, the World Anti-Doping Agency (WADA) and numerous Olympic federations. Perhaps most notable was the now notorious attack on the Democratic National Committee (DNC) and Hillary Clinton campaign, which resulted in sensitive emails being published in the run up to the 2016 election. This was combined with hacking of US election infrastructure and an all-out influence operation on social media designed to sow discord and sway the electorate in favor of Donald Trump. Although there’s no direct Putin involvement in the campaign, for which 13 Russians have now been indicted, the Internet Research Agency is thought to have close links with the Kremlin. Then we have North Korea, increasingly flexing its muscles globally and said to be behind the WannaCry ransomware worm, the destructive malware attack on Sony Pictures Entertainment and even the $81m cyber-heist at the Bangladesh Bank.
Stuck in the Middle
The difference between nations, according to former GCHQ deputy director of cyber, Brian Lord, is that some “develop and apply such capabilities in a responsible way, governed through the legal, ethical and oversight controls put around them,” while others “act with less consequence for the damage and geopolitical tensions that are caused.” Lord, who is now managing director of cyber at consultancy PGI, claims that “adversarial state capability will continue to evolve, become more informed and sophisticated and outstrip organizational and governmental ability to counter the threat.”
Until now, China has been focused on IP, commercial and government theft, “which they steal in eye-wateringly large amounts,” and Russia on “manipulation and exploitation of global reliance upon the internet for news, interaction and communication,” he tells Infosecurity. However, both are also weaponizing destructive capabilities, along with North Korea – which has also been ramping up its efforts to steal and mine cryptocurrency. Western state hackers are certainly highly active in cyber-space, but “tend to focus more on political and military targets and usually have less of a mission to help out private enterprise,” according to SANS Institute dean of research, Johannes Ullrich. However, no matter who is attacking, anonymizing techniques will continue to provide the perfect cover for state-backed intrusions, experts agree. “It is worth bearing in mind that quite often it is important for an attacking state to leave enough clues as to make the attacked state sure of its provenance, but enough fog as to have plausible deniability,” explains Lord. “When a nation plays as much into the political and public reaction space (for example, as the Russians do) then the public attribution/plausible deniability blend creates a perfect operating space for the clever state adversary.” Whatever the outcome of these efforts, ordinary organizations will continue to be stuck in the middle, whether they’re directly targeted as CNI operators, holders of valuable IP or simply end up as collateral damage – as per 2017’s WannaCry and NotPetya ransomware campaigns. “Nation states have recognized they can hide their activities using bespoke hacktivist groups that have been established to cover their [actions], and that ransomware is a powerful shield for destructive/disruptive attacks,” Crowdstrike VP of intelligence, Adam Meyers, tells Infosecurity. “The proliferation of these ideas is likely to continue in 2018.” The question is that if CISOs find traditional cybercrime attacks increasingly hard to spot and block, how can they hope to compete against determined nation state operatives?
Fighting Back
The key is not to focus on the attacker but the techniques used, according to SANS’ Ullrich. “There is very little difference in attacks launched by sophisticated criminals and by nation states. One of the common fallacies in cyber-defense is to focus on recent trends versus best principles,” he says. “Simple but effective defensive techniques, such as those outlined in the Center for Internet Security’s critical controls, will provide a solid foundation on which to then deploy more sophisticated defenses.”
For Meyers, passively waiting for traditional cybersecurity measures to detect attacks is not enough. “Proactive threat hunting, led by human security experts driven by intelligence, is a requirement for any organization looking to achieve or improve real-time threat detection and incident response,” he argues. “Evaluate the quality and effectiveness of your security program before an attack happens. Engaging in third-party security assessments will reveal organizational readiness to face both common and sophisticated attacks. In addition, participating in adversary emulation exercises, using real-world TTPs, will inform you about how to improve your incident response playbook and procedures.”
A Cyber-Cold War?
Experts are agreed that nation state cyber-activity will continue to increase in 2018. An alarming Chatham House report from January even claimed “inadvertent nuclear launches could stem from an unwitting reliance on false information and data.” So how far might online threats spill over into real-world geopolitical conflict? “These kinds of operations significantly expand a nation’s options for international action in a way that is generally more acceptable than other types of similar activity. For example, surreptitious military action or symbolic weapon launches are widely criticized or denounced but state-sponsored cyber-espionage is not,” says FireEye senior analyst, Fred Plan. “We believe that nation-states will likely leverage cyber-capabilities in the outbreak of major conflicts especially with regards to disrupting command and control systems. It should be noted that these capabilities are not limited to superpower countries; increasingly, regional powers and other countries are developing their own cyber-capabilities to gain an asymmetric advantage over rival states.” SecureData head of security strategy, Charl van der Walt, agrees that cyber will become a “common feature on the modern battlefield,” but claims that in many ways, the war has already begun. “Cyber-battle preparedness will mean different things, but in its one form it requires pre-emptively attacking and compromising systems in the future potential battle zone, or from which the future battle zone could be impacted, or simply from which useful intelligence might be gleaned,” he tells Infosecurity. “Effectively, this means that offensive cyber-battlefield operations need to take place all the time, and that just about any and every system is a target.” This global ‘cyber-land grab’ by the world’s superpowers means smaller nations must align themselves with the software and hardware supply chain they trust most. “One of the effects of this forced choice is the acceleration of ‘cyber balkanization’ – the splintering of the world into politically-aligned camps that all run the same hardware and software that is developed and controlled by the superpower,” claims van der Walt. “As running software controlled by a single nation state is effectively a form of voluntary compromise, the smaller state also loses its autonomy from that state and is fundamentally beholden to it.” As we speed towards a world characterized by distrust, suspicion and cyber-fueled geopolitical tension, the cybercrime exploit marketplace continues to fill with state-developed tools and expertise. Security professionals faced with this onslaught may well find themselves wishing for simpler times – when spies used guns, not code. END
Nation State Attacks: A Timeline of Rising Tensions
2009: Stuxnet launched to delay Iranian nuclear program
2014: Five PLA officers indicted by US for ‘economic espionage’
2014: Sony Pictures Entertainment suffers destructive, data-stealing attack by North Korea
2014-2016: Russian information warfare campaign to influence US presidential election
2015-2016: Russian state-linked hackers cause power outages in Ukraine
2017: WannaCry (North Korea) and NotPetya (Russia) ransomware attacks cause chaos worldwide
2018: TBC
www.infosecurity-magazine.com 025
TOP TEN
Ways to Reduce Your Digital Footprint
DAN RAYWOOD

Make Yourself Less Visible Online
The headlines around the collection and processing of Facebook user data by Cambridge Analytica further demonstrated that what you put online stays online and further grows your digital footprint. The news that dating apps were sharing user data with third parties, together with the growing number of federated logins, means even more data is available on you, which in turn makes it easier for companies to share that data and target sales. Techopedia defines digital identity as combining elements such as usernames, online search activities, electronic transactions, date of birth and purchasing history or behavior. What are the options to reduce the size of your digital footprint and how can you take steps to make yourself less visible online than you currently are? Infosecurity looked at some of the best options.

01 Delete or Deactivate Old Shopping & Social Network Accounts
Go to your account settings and look for an option to either deactivate, remove or close your account on any social network or online shopping site that you no longer use. Source: CNET

02 Remove Yourself from Data Collection Sites
Go to data broker sites and deal with each individually, or use a service that will do all of the deleting for an annual charge. Source: CNET

03 Use Stealth or Incognito Mode – or Even Tor
Internet browsers offer private browsing options to avoid being tracked, whilst the more cautious can use privacy tools such as Tor to browse incognito. Source: Techradar

04 Deactivate Old Email Accounts
How many email accounts have you used over the years? Deactivating them is important and must include finding – and deleting – old services and corporate accounts. Source: Clark

05 Check Your Privacy Settings
Check the privacy settings of the websites you use most often, particularly social media sites, and see what level of privacy you have set. Consider tightening your privacy options. Source: Techradar

06 Add Extensions or Plug-Ins
A number of tools – extensions or plugins – are offered to highlight to users what trackers a website is using. Many of these tools are available for free. Source: EFF

07 Ask for a Website to Remove You from a Database Directly
You can go to each website you have accounts with directly and make a personal request for your account to be deleted. A service like JustDeleteMe can tell you how easy or difficult it is to delete an account. Source: Techradar

08 Use the Right to be Forgotten
With the GDPR now the basis for European data protection law, the Right to be Forgotten is available to use to remove inaccurate or out of date data. Source: Techradar

09 Use False or ‘Burner’ Information
If you don’t want to give up your own data, create false data such as a throwaway email address or fake date of birth for non-essential mailing lists. Source: Online Sense

10 Don’t Click on Daft Surveys
Clickbait has become part of the modern internet, but with each ‘which Friends character are you?’ survey you enter, you’re giving something up. Ask yourself whether it’s worth the trade-off.
FEATURE
ACCELERATING GREAT BRITISH CYBERSECURITY STARTUPS
Wendy M. Grossman assesses the current state and effectiveness of the UK’s cybersecurity accelerator and incubator landscape

ACCELERATORS & INCUBATORS

Successful businesses are all different, but the problems that start-ups face are, if not exactly alike, common. Challenges include turning ideas into marketable services or products, finding seed money, acquiring first customers, creating and managing growth, and the mechanics of finding office space. Numerous cybersecurity accelerators, each with their own focus, business model and goals, hope to help with these challenges. In terms of investment spending on cybersecurity, the UK is third in the world, behind the US and Israel. James Chappell, CEO of Digital Shadows, highly recommends participating in cybersecurity accelerators, based on his experience (see sidebar). “Definitely participate in these programs,” he advises. CyLon, which focuses on enterprise security and protecting data, provides £15,000 in return for 3% equity. It also operates HutZero, which is sponsored by the Department of Culture, Media and Sport (DCMS) and is intended to enable individual entrepreneurs to turn the ideas they have into reality. GCHQ Accelerator takes no equity and provides no money, but matches new businesses to in-house technical expertise to expand its mission “beyond the wire.” Cyber39 is made up of 26 cybersecurity-oriented businesses within Level39, a subsidiary of the Canary Wharf Group aimed at building an ecosystem of successful businesses; it offers reasonably-priced, flexible office space, infrastructure and a community of other start-ups at various stages.

A Variety of Backgrounds
“Most people who join us have been through academia, but will have generally had some background in business,” says Michael Francoise, CyLon's program director, noting that its cohorts are increasingly global. CyLon hosts a new cohort of eight companies every six months and provides in-house mentoring from CyLon’s team, its founders and others with experience in the information sector or the operational world of startups, including CISOs and investors. Francoise believes most join for the mentoring program, and says the £15,000 is “just enough to make them commit fully to the program while they’re here.” Most join just before they reach “minimum viable product.” The DCMS-sponsored HutZero, which CyLon runs in collaboration with the Centre for Security Information Technologies at Queen’s University Belfast (CSIT), is more like CyLon was at the beginning: a week-long bootcamp followed by three months of occasional mentoring, Francoise says. Of the 45 companies that have finished CyLon’s program, 41 were selling and growing, and a few were growing very fast. James Hadley, CEO of Immersive Labs, an immersive cybersecurity training platform, was accepted to both CyLon and CSIT. Based on his experience as an instructor at GCHQ’s summer school, he found that “academic background had little impact on the ability to pick up cybersecurity skills.” More important are abilities in problem-solving, troubleshooting, analytical thinking, perseverance and research. When he applied, he was still a solo founder in his spare room.

A Shove in the Right Direction
“The main benefit in being accepted onto the programs was that it made you decide to do it and put everything possible into it,” he says. Being accepted also felt like a “shove in the right direction that I was onto something.” Joining CyLon meant leaving his young family for most of the 13 weeks, but it also meant he could concentrate on the business. He did the two programs simultaneously; CSIT is longer, free and non-residential – it aims to match businesses up with those working and studying at Queen’s. “So we got an engineer dedicated to our project to help fix problems at no extra cost.” Experienced hands typically warn newcomers to hoard their equity. Hadley says it depends on the stage of the company. “In our case, the value was fantastic. We wouldn’t be where we are today.” Immersive Labs now has 20 staff and paying customers in six countries; with TechVets it has launched a digital cyber academy for veterans transitioning out of the military. GCHQ Accelerator derives from years of government cybersecurity strategies. The accelerator is a partnership between GCHQ, the DCMS and Telefónica’s accelerator, Wayra, which provides office space and administers and selects the cohorts. GCHQ’s goal is to take its own expertise “beyond the wire” and work actively with outsiders.

“We believe we have two things,” explains Chris Ensor, deputy director for cyber skills and growth at the National Cyber Security Centre. First, he lists “insight into the problem space,” because GCHQ itself sees the problems infrastructure organizations and government face. Second, it has experts with ideas about how to solve these problems, but who may lack the entrepreneurial and business skillset necessary to make them into marketable products and services. Accordingly, GCHQ Accelerator partners its own people with small companies, hoping to be able to cross problems off its list. The accelerator takes no equity, but provides technical expertise, guidance and a proving ground to test and validate new ideas. “We have a lot to learn about how we do this kind of thing,” Ensor says. “The emphasis for me is about getting new companies out there, but also behavior change for us as an organization – doing new things in different ways.” Current program member John Fitzgerald, founder of Secure Code Warrior, a platform aimed at helping developers write secure code, says it takes substantial effort; all companies spend several days a week in Cheltenham throughout the program’s nine months. Afterwards, there will be continued support and regular meetings with other alumni to share experience. “I learn a lot whenever we engage.”

Cyber39 also takes no equity and has no fixed cohorts. Instead, says Asif Faruque, Level39’s head of content, it charges a monthly fee depending on the type of membership, and assesses applications as they come in. It offers reasonably-priced, flexible infrastructure. In its years there, Digital Shadows has moved from shared working space to private space to a mid-sized office, to a large office. It is now considering opening its own new and bigger office nearby. “There are three things we say we provide,” Faruque explains. “Access to high-quality infrastructure; a really smooth, easy way to connect and engage with customers; and one of the best places for businesses to support and hire their talent.” Cyber39 often invites the companies’ customers to visit and mingle, and provides its members with workshops, seminars, delegations, meetings and client events. “There are very few places in London where there is such a regular stream of people with budgets, desires and needs who want to come and meet startups.” Level39 looks for the ability to mix and work with its existing community, typically fintech, data enterprise technology or cybersecurity. Businesses also need to be able to show they can pay the bills, so they need some existing funding and backing from investors. “They often join after finishing an accelerator program,” he says, “when they decide they now have enough momentum and a little more cash.”

Getting the Best Out of Accelerators
“CyLon is the best thing that ever happened to us,” says James Hadley. However, making that dream come true required discipline. He advises: “be very structured in how you’re going to get the maximum value out of the process.” As the number of introductions and available mentors can become overwhelming, keep good notes, prioritize and decide how to divide your time among the many opportunities that present themselves. After CyLon’s speed mentoring day, “you need a process in place to follow-up with all the people you said you will.” If you don't, you risk both failing to follow up on a potentially beneficial lead and being tagged as unreliable. James Chappell warns that it’s crucial to keep your eye on your long-term goals. “Deliver value for shareholders, even if the only shareholder is yourself.” He also advises: “if you go in with a nine-to-five perspective, you won’t get the benefits.” John Fitzgerald says it’s important to ask for what you need. “Good participants show up and say, ‘I need help here, here and here. Is it possible to make this happen? Who should I talk to?’” Hadley also notes that completing one accelerator program often leads to approaches from other accelerators hoping for more members. He warns, therefore, against becoming ‘accelerator junkies’. There are, after all, only so many times you can go through sales and marketing workshops, advice on research and development tax credits, product-market fit workshops and so on. “At some point you have to take ownership of your business and drive sales to sustain growth.” None of the accelerators promise success on what remains a very hard road. However, “cybersecurity is different to the usual technology sector,” Francoise says. “Sales cycles are so long and the sector is so based on trust that it’s very hard to get the first few sales going. What we see is that when a company starts to sell and have regular recurring customers, they've made it. After that, it's all about scaling, growing, and staying ahead of the rest."

Case study: Digital Shadows
Digital Shadows, which monitors, manages and remediates digital risk across the visible, deep and dark web, went through four programs. The first was InnoTribe’s Startup Challenge, a fintech-focused competition backed by SWIFT, the financial telecommunications network. The program required Chappell to learn to pitch the nascent service to investors and customers. Digital Shadows made the final 10, and came in fourth after presenting to an audience of venture capitalists, bankers and technologists. In the process, Chappell evolved the description of the service and improved the fit of some of the technology stack. Next, Digital Shadows came in second in the Cisco Gateway British Innovation Awards. There, the company pitched to prospective partners and customers, and was mentored by experienced entrepreneurs who provided valuable feedback. Its second place showing helped the unknown company get valuable attention. The experience Chappell now values most came next: the FinTech Innovation Lab, a program where Tier 1 banks mentor start-ups. This 12-week program provided a well-defined curriculum including briefings from experienced people on commercial, financial, legal and planning aspects of business. More importantly, Digital Shadows worked directly with security departments in four institutions, which allowed it to develop its web interface prototype in consultation with its user demographic. “The relationships we had from that turned into customers we still have today.” After that, the company had substantial revenues and backing from Passion Capital. The FinTech Innovation Lab was the first program held at Level39, and Digital Shadows has been based there ever since, using its flexible arrangement to move gradually from a shared working space to a large office.
END
ASK THE EXPERTS
How to Run a Successful Bug Bounty Program

Adam Ruddermann
Director of Bug Bounty Services, NCC Group
Adam has extensive experience in the bug bounty community, having led Facebook's Bug Bounty Program, co-founding the BountyCraft conference series, and as Synack's first Operations Manager. He previously served in U.S. government security and intelligence consulting roles. @adam ruddermann

Bug bounty can provide immense value to an organization, but that outcome is not guaranteed. The most successful programs fix vulnerabilities quickly and have clearly established cross-functional expectations and goals that ensure they add measurable value to the organization. As with any new program, regardless of the size or type of organization, having this in hand makes building consensus and staying aligned when making hard decisions easier. The largest risk isn’t from rogue researchers – most people’s primary fear – it’s launching a program too early. If there’s already a large backlog of unfixed vulnerabilities, bug bounty will just exponentially worsen this and add the risk of creating a negative or even adversarial relationship with researchers who expect their findings to be fixed within industry norms. The next largest risk is internal churn caused by lack of alignment. This leads to poor strategic decisions that can be painful or embarrassing to undo and potentially an error in handling a high-severity vulnerability that puts the organization or its customers at unnecessary risk. Alignment around the goals will make key decisions much easier: Outsource or build in-house? Run a public or private program? What’s in-scope for researchers to test? How much money should we award? These kinds of questions warrant buy-in from numerous stakeholders to varying degrees: executive leadership, product engineering, IT, legal, public relations, marketing, and even sales. All should be involved, at the very least so they can be educated on bug bounty and provide input. Events that happen through a bug bounty program can affect them in unanticipated ways if their perspectives are not taken into account ahead of time. There certainly is value building in-house, but it’s rarely justifiable for most to spend limited security resources on something that can be done at a fraction of the cost and with lesser risk of error by experienced vendors. The precise scope of what aspects of a product can be tested and rules of engagement can be quite controversial without alignment. Products with high complexity and risk (particularly for those handling highly regulated data) often lead to organizations starting private, invite-only programs that limit engagement to only the most experienced and trusted researchers. Bounty awards vary widely. Amounts are typically based on the vulnerability’s relative business risk to the organization. This can be a very local decision that, sometimes, only the most informed stakeholders can answer. That decision needs to be balanced against the organization’s goals for the level of engagement from the researcher community: higher payouts (relative to other programs) will likely lead to higher engagement and more vulnerabilities from researchers. Outsourced programs assist with this, while in-house programs monitor published awards across the industry to stay calibrated and competitive. Bug bounty is an operational function that never stops, but with strong internal goals, alignment, expectations, and expert support, these programs are enabling thoughtful security teams to scale as the focus on effective product security continues to grow in the software industry.
END

Adam Bacchus
Director of Program Operations, HackerOne
Adam oversees technical service delivery and triage support for HackerOne’s customer base. Prior to joining HackerOne, Adam worked in Snapchat’s security team and previously in Google’s security team where he gently persuaded engineers to fix security issues and helped run Google’s penetration testing and bug bounty programs. @SushiHack

Running competitive bug bounties can help secure your systems faster and cheaper than ever before. By inviting skilled hackers to identify vulnerabilities in your systems, organizations will uncover issues and safely resolve them before they are exploited maliciously. Bug bounty programs aren’t a silver bullet, but running a successful program can help you vastly reduce risk. Before diving in head first, let’s look at some signs that indicate your team is in a good position to start a bug bounty program:
1. Time spent hunting bugs is eating away at time spent on vulnerability management
2. You have vulnerability management processes in place, but need more help surfacing bugs
3. Current security testing methods aren’t producing the volume or types of vulnerabilities you know probably exist
4. You have received some vulnerability reports from outside of your organization, but don’t have a standard process for receiving them, making it difficult to monitor and handle incoming reports
One of the key challenges organizations can encounter when running a bug bounty program is ensuring they have sufficient resources to cope with the volume of vulnerability reports they receive from security researchers. Organizations must establish a clear process for inbound vulnerability reports, where all internal team members have an understanding of their duties and can efficiently respond to and remediate issues in a timely manner. The key to any healthy working relationship is setting proper guidelines and boundaries, as well as clearly setting expectations up-front around timing and rewards. Outsourcing a bug bounty program allows an organization to take advantage of an established community where this trust already exists, rather than building one from scratch. Additionally, self-run programs can be difficult to manage because of the internal processes that need to be developed. People frequently try this by creating an email alias, which is a good first step. However, if you’re incentivizing researchers, you’ll need to handle payments, and figure out ticket management via email at scale. Above all else, it’s important to think about how your organization will be perceived by the researcher community. Many organizations craft a ‘bounty table’, indicating what types of rewards researchers can expect to receive depending on factors such as the severity of the issue. Ultimately, you’ll want to consider the researcher’s return on investment, and consider what other organizations are paying on average. Starting small with bounty amounts, and scaling up based on engagement, is best practice to protect your budget and your assets. Whatever the reward structure, bounties should be clearly defined on the policy page so security researchers clearly understand the rewards they can expect to receive, and when. At the end of the day, the global research community is ready and willing to help make the internet a safer place...but it’s up to you to start the conversation.
END

Ian Glover
President, CREST
Ian has been working in information security for 36 years. He has been instrumental in a significant number of major initiatives in the cybersecurity industry, including but not limited to, the Cyber Essentials scheme and the UK government CIR (Cyber Incident Response). Ian has also worked on a number of social responsibility research projects. @CRESTadvocate

Bug bounty programs are relatively new, so it is difficult to apply tried and tested metrics to measure success. Companies that identify serious vulnerabilities ahead of cyber-criminals through bug bounty programs will feel it is money well spent. A successful program is one where all vulnerabilities identified are effectively triaged and fixed quickly. Another way of measuring success, however, is the absence of identified vulnerabilities through continuous testing of live software. Running an effective bug bounty program makes a strong public statement of the level of confidence a company has in its security. It’s really difficult to calculate the right bounty pay-outs. For example, do you pay on the complexity of attack or on the potential damage? If you think you have to pay more than the exposure identified, this could be expensive. However, most participants in bug bounty programs do not enter just for the money. Another issue is how you pay someone you do not know, or do not have direct contract with, who may be a juvenile or from a country where you do not trade. It’s also difficult to calculate the triage, remediation process and vulnerability management costs in addition to the cost of leaving a known and publicized vulnerability on your system. Running a bug bounty program means exposing your organization to the crowd with no controls or real understanding as to whether vulnerabilities identified will be reported or utilized. Furthermore, it is very difficult to identify and differentiate legitimate people trying to find vulnerabilities and those just trying to attack your systems – and there is no real recourse for unethical behavior. Bounty programs put additional pressures on your SOC and monitoring and logging systems and you may be faced with vulnerabilities you cannot fix. A bug bounty program is ‘not just for Christmas’, therefore turning it off may prove more difficult than getting it going. There is a great deal of difference in the set-up and operating costs of an in-house bug bounty program versus an outsourced one. An outsourcer is likely to have access to more of the crowd and potentially better quality researchers. It is also likely to have policies, processes and procedures to manage the program and a register of identified and validated researchers. Ultimately, you are responsible for the security of your systems; so even if outsourced, you must be an intelligent and active purchaser of services. You have to be very mature in terms of cybersecurity to consume a good bug bounty program. You have to be even more mature and have significant resources available in order to run your own. There are management considerations such as where the program is positioned in your wider technical assurance. A bug bounty should not be the first validation of your security environment and you need to understand and resource both the program and potential fixes. The reality is that the industry has not yet established what maturity looks like or how to articulate what a good bug bounty program or bug bounty platform looks like. It certainly needs to do this though, and it needs to do this quickly.
END
FEATURE
CISOs AND SECURITY VENDORS: A CHALLENGING SYMBIOTIC RELATIONSHIP Jaikumar Vijayan takes a look at the often strained relationship between CISOs and security vendors and compiles advice on how they can most effectively work together
L
arry Larsen, director of cybersecurity at Apple Federal Credit Union in Fairfax, Virginia, has little time for security vendor representatives who call on him out of the blue and want to know, right away, everything his organization is doing to secure its network. “That tells me they don’t even know enough about cybersecurity best practices to be worth an introduction,” he says. In his role, Larsen is accustomed to dealing with a variety of vendor idiosyncrasies but the one that annoys him the most is ignorance of basic security protocols. “No CISO that I know will ever, ever, tell some guy they just met how they’re securing their networks,” he claims. “I’ve had that happen at a cocktail reception, and got the classic deer-in-the-headlights look when I replied that I don't kiss on the first date.” CISOs and security vendors have something of a symbiotic relationship – neither can do without the other. Yet the relationship is often fraught with mistrust and skepticism. For security executives like Larsen, trust and honesty are paramount to a good vendor relationship, but establishing that relationship can be a hugely frustrating experience for both sides especially considering the crowded and hypedriven nature of the security industry. For CISOs, the challenge lies in cutting through the vendor speak and techno-babble and finding firms with technologies they truly need, that work as advertised and are compatible with 036
www.infosecurity-magazine.com
existing investments and strategy. According to CSO Online, there were over 1440 security vendors at last count, and way too many products to enumerate. Trying to find a vendor that fits your organization’s needs can be a truly monumental task. For vendors, the challenge is getting through to CISOs that are cautious about hype, weary of dealing with overeager vendors and blessed with an abundance of choice. “The bolt-on cybersecurity industry is large with hundreds of vendors and a market size of almost $200bn,” says David Jordan, CISO of the Arlington County government in Virginia. “Developing a trust relationship is always critical in support of a long-term relationship, but how that happens is a very individual process.” Here, according to Jordan and others, are some tips for minimizing friction in vendor relations.
Spell Out Your Tech Requirements A clear understanding of technology requirements is critical for both sides. Before you go technology shopping, make sure you as the CISO understand your requirements, says Chris Pierson, CEO of Binary Sun Cyber Risk Advisors, a former CISO who now offers strategic security advice to CISOs and the Csuite. “In the security space there are too many products with too many overlaps right now,” he adds. Instead of chasing after every new technology, follow your strategic roadmap and make sure what
you are looking for aligns with your company’s existing products, he says. Where possible, companies should be looking for opportunities to slim down their vendors and security controls. From a vendor perspective “the most important questions to ask are ‘what is the problem you’re trying to solve?’ and ‘what does your enterprise architecture look like?’” says Guy Bejerano, CEO of SafeBreach and a former CISO at messaging service LivePerson. The vendor’s product must not only address the problem being outlined, but also deliver a seamless deployment. “Understanding the architecture ensures that the proof of concept and actual deployment will go smoothly,” Bejerano says.
Articulate Your Strategic Direction CISOs need to articulate their strategic security objectives and vendors need to make sure they understand them. “A CISO is critical in outlining a company’s entire security strategy and where a specific technology fits in,” Bejerano explains. It is vital for them to set the right expectations up front for technologies and services. Vendors meanwhile need to serve more of an innovation-factory role by bringing strategic or relevant technologies to a CISO. To serve in that role, they need better insights into the strategic direction the CISO is trying to take as well as on any near-term issues or crisis they may be attempting to resolve, says Phil Quade, CISO at Fortinet.
@InfosecurityMag
CISOs & VENDORS
“Developing a trust relationship is always critical in support of a long-term relationship, but how that happens is a very individual process”
www.infosecurity-magazine.com
037
FEATURE
“Too many vendors are pitching solutions without understanding what an organization’s strategic direction is, or what their near-term weaknesses are,” Quade states. This often results in vendors reaching out to CISOs with pitches for problems that have already been appropriately addressed. To truly understand a CISO’s requirements, vendors need to be prepared to ask questions pertaining to the strategic thrust of their security initiative, adds Quade. Equally, vendors need to be asking CISOs about any nearterm implementation gaps that need to be addressed and the problems which the CISO thinks they already have under control. Vendors also need to discover whether there are any areas the CISO would like to see a game-changing level of increase in either the efficiency or the effectiveness of their security controls. “It is important for CISOs to let vendors know timelines with accuracy,” says Pierson. They need to let the vendor know if a project is a priority for the team right now or, if not, when it might be. “Be forthcoming about your worries on the front end,” Pierson advises. “Making sure everyone knows what success looks like keeps the relationship and teams strong.”
Don’t Get Oversold
The vendor’s primary mission is to sell a CISO their product. It really is up to the CISO and the security team to figure out whether they are being oversold on a product’s capabilities.
How vendors and CISOs can most effectively work together:
1. Spell out your tech requirements
2. Articulate your strategic direction
3. Don’t get oversold
4. Do your due diligence
5. Ask around
“You have to know what you want,” says Jordan. “Knowing what you want and knowing if you are going to get what you want ensures you will have a great vendor relationship.” A lot of the angst over dealing with vendor hype boils down to the CISO’s understanding of the products and issues being mitigated with them, he adds. Vendors need to always keep in mind that overselling product capabilities and ease of implementation is a great way to end a relationship, Pierson warns. “Make sure you have your technical engineers and deployment professionals on sales calls to keep the technology grounded in the 21st century.”

Do Your Due Diligence
If you don’t want to be stuck with a technology that falls short of your expectations, don’t take your vendor’s performance claims at face value: vet the claims yourself. Most vendor tools look great on paper, but the proof is in deployments, says SafeBreach’s Bejerano. If you are a vendor, be prepared to show how other organizations are using your products to solve similar business problems, he says. Also be prepared to drill into support and service agreements because enterprises will want to know they will be supported post purchase.

Larsen thinks the best way to avoid conflict with your vendor further down the road is to do a thorough vetting before you even let them get to the point of presenting a proposal. As the security leader of an organization with a tight budget, Larsen says he makes absolutely certain that a vendor’s product or service meets organizational requirements. “That’s why I insist on demos, Q&A meetings with my engineers and analysts, and a proof of concept trial run for any new solution,” Larsen says. “If a vendor won’t agree to any of those, I’ll tell them to have a nice day and move on!” Usually, once that level of competence and commitment is established, maintaining the relationship becomes less of a hassle, unless of course service levels drop off or the vendor can’t keep up with evolutions in technology. “My vendors end up as partners on my team, and usually appreciate the gauntlet I make them run. They like being held to a standard of performance,” he says.

When vetting a technology or a vendor, make sure the team that is doing the vetting includes members from the architectural, security and infrastructure teams, Pierson notes. Such inclusivity is critical to understanding what a product does and where it plugs into your overall infrastructure, he says. Few things are more annoying to security leaders than vendors who try to do an end run around them. When a vendor is assigned to work with a particular individual on a security team, it is important the vendor works primarily with, and through, that point person, Pierson argues. “Going around the process or behind the backs of team members is usually a great way to fall out of grace with the team.”
Ask Around
Before you sign up with a vendor, make sure you can get along. If you are unsure about a vendor or a technology, don’t be shy about asking others for their opinion, says Jordan of Arlington County. “I might ask my regional CISOs what has been their experience with a certain vendor,” he says. “Or I may pose the question that I’m looking for a specific service or tool and would like recommendations or a virtual introduction to a respected vendor representative.” Another approach that Jordan uses is to go to other CISOs and ask for references about a particular vendor. “Since we are all operating in the same region the chances are high that someone in the group has met the vendor or is using their product.” If you don’t have a group, ask the vendor for references you can trust, he says.

CISOs depend on vendors for the technology tools needed to keep up with modern threats, and vendors need CISOs for their business. While secure processes and practices certainly matter, no organization can hope to protect itself against threats without deploying at least some technology controls. Both vendors and security leaders have a part to play in ensuring the symbiotic relationship doesn’t become a poisonous one.
ADVERTORIAL
Preparing for an Incident Response
Matthew McWhirt, Managing Consultant, Mandiant Consulting (a FireEye Company)
Matthew McWhirt’s focus includes incident response, computer forensics, secure network design and architecture, and strategic security engagements. Matthew also has experience with Security Operations Centre (SOC) management, distributed data centre design and communications, and providing risk assessments and cyber security governance for both public and private sector clients.

The need to conduct an incident response can strike at any time, and there are many steps that an organisation can take to be prepared. When an enterprise-level incident transpires, and an incident response is initiated, the success and accuracy of the investigation relies upon having complete and consistent visibility of all systems and network communication paths throughout the enterprise environment. Through years of conducting cyber incident responses, Mandiant has observed common challenges that can impact the ability to perform a comprehensive investigation as part of the cyber incident response. These challenges point to practical steps that all organisations can take ahead of time to minimise the number of roadblocks and delays that could impact the success of an investigation.

Asset Management
• An accurate asset inventory is key for ensuring optimal visibility of all endpoints. An ideal asset inventory system would categorise systems by function and identify critical systems that provide essential services or provide access to critical data.
• If third-party technology may be used to support an investigation, establish a formalised process for rapid software deployment to endpoints. An accurate asset inventory can allow an organisation to quickly reconcile and identify endpoints where third-party technology coverage may be missing.
• The asset inventory and deployment process should account for the potential need to deploy technology to systems in environments that may not be directly connected to the core of the enterprise infrastructure.

Network Architecture
• Ensure that accurate and complete network diagrams are available.
• Confirm all ingress and egress paths, routes between sites, integration of third-party connectivity, and network locations where encryption is enforced.
• If network sensors or network data collectors will need to be utilised to support enhancing network visibility, ensure that network taps or port mirroring (SPAN) technology is available, and that a process exists to expedite deployment and configuration.
• Identify surge resources and personnel that can assist with rapid deployment and configuration of network-based technology in preparation for an investigation.

Credential Management
• Maintain an accurate inventory of service and privileged accounts.
• For domain-based service accounts used by applications, document and maintain an inventory that correlates each service account to a specific application.
• Review, test, and document security controls that are implemented to restrict the exposure and usage of privileged accounts on endpoints. Understanding how an adversary could utilise privileged accounts within an environment can help prioritise scoping of lateral movement during an investigation.

Logging
• Verify that detailed logging is present for core assets and critical systems.
• Ensure that all endpoints, networking devices, and log aggregators are configured for NTP synchronisation.
• Ensure that logs are collected and archived for internet-facing systems and applications (ex: DMZ).
• Verify that network traffic logs support the ability to review communication flows based upon source and destination IP addresses, port, duration, and byte count. In addition, if load balancers are utilised, ensure that the true source and destination IP addresses of a session can be correlated.
• On endpoints, verify log data exists to support a review of:
  • Successful and failed logon events
  • System events
  • Scheduled tasks
  • Process execution events with command line arguments
  • PowerShell activity
  • Security software events (ex: third-party Antivirus alerts and detections)

Playbooks to Support Incident Response Activities
• Not all aspects of an incident response can be scripted. Having playbooks and plans that support response and recovery functions – in addition to resource alignment, surge support, and third-party assistance – can greatly reduce delays when responding to a cybersecurity event.
• Adapt, modernise, and test response and recovery playbooks. Ensure that playbooks are relevant to threats and cyber security risks that may impact the organisation. In parallel, testing the effectiveness of playbooks can identify potential visibility and protection gaps that may exist, in addition to verifying the efficacy of recovery actions for systems in the environment.
• Document and test playbooks that support containment and remediation activities. A common example aligns to an enterprise-wide password reset. Establish a playbook that supports not only the technical aspects of enforcing an enterprise password reset, but also includes planning, communications for both internal and external users, account dependencies and mappings, processes used to verify users, progress tracking, and surge support to assist with the event.

When the need for a coordinated cyber incident response occurs, it can be a stressful and impactful situation for any organisation. Mandiant has observed that organisations that take the time to formulate and plan for an incident response are better able to remain focused, prioritise and allocate resources to support critical milestones and functions, minimise coverage gaps, and ensure that optimal visibility is achieved and maintained throughout the engagement.
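The endpoint logging and NTP items in the checklist above are the ones most often found wanting only once an investigation has started. The following Python script is an added example, not part of the advertorial or of Mandiant’s own tooling: it runs over a constructed sample of forwarded endpoint log records and reports, per host, which required event categories are absent (treating a process-creation event without a populated command line as not meeting the requirement) and whether the host’s clock disagrees with the collector by more than a tolerance. The host names, timestamps, collector fields and the use of receipt-time minus event-time as a drift proxy are assumptions; the event IDs are standard Windows Security, System, PowerShell and Defender log IDs.

```python
"""Endpoint log-readiness audit (added example; assumes Windows endpoints
forwarding Security, System, PowerShell and Defender logs to a collector)."""
from collections import defaultdict
from datetime import datetime

# Checklist category -> (log channel, event ID) pairs that satisfy it.
REQUIRED = {
    "logon_success": {("Security", 4624)},
    "logon_failure": {("Security", 4625)},
    "system_event": {("System", 6005), ("System", 6006), ("System", 7045)},
    "scheduled_task": {("Security", 4698),
                       ("Microsoft-Windows-TaskScheduler/Operational", 106)},
    "process_create_cmdline": {("Security", 4688)},
    "powershell": {("Microsoft-Windows-PowerShell/Operational", 4104)},
    "security_software": {("Microsoft-Windows-Windows Defender/Operational", 1116)},
}


def category_of(record):
    """Return the checklist category a record satisfies, or None."""
    key = (record["channel"], record["event_id"])
    for cat, pairs in REQUIRED.items():
        if key in pairs:
            # 4688 only counts when command-line auditing is enabled,
            # i.e. the CommandLine field is actually populated.
            if cat == "process_create_cmdline" and not record.get("command_line"):
                return None
            return cat
    return None


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def audit(records, max_skew_seconds=60):
    """Per-host coverage gaps and clock skew.

    Skew is |collector receipt time - event time|; transport delay adds to
    it, so the tolerance is deliberately coarse (assumption).
    """
    seen = defaultdict(set)
    skew = defaultdict(float)
    for r in records:
        host = r["host"]
        cat = category_of(r)
        if cat:
            seen[host].add(cat)
        delta = abs((_ts(r["received"]) - _ts(r["event_time"])).total_seconds())
        skew[host] = max(skew[host], delta)
    return {
        host: {
            "missing": sorted(set(REQUIRED) - seen[host]),
            "max_skew_seconds": skew[host],
            "clock_ok": skew[host] <= max_skew_seconds,
        }
        for host in sorted(skew)
    }


def _rec(host, channel, event_id, event_time, received, command_line=None):
    return {"host": host, "channel": channel, "event_id": event_id,
            "event_time": event_time, "received": received,
            "command_line": command_line}


# Constructed sample: ws-01 is fully instrumented and in sync; ws-02 lacks
# scheduled-task and PowerShell logging, logs 4688 without command lines,
# and its clock is about ten minutes behind the collector.
T, R, LATE = "2018-04-01T10:00:00Z", "2018-04-01T10:00:05Z", "2018-04-01T09:50:00Z"
SAMPLE_RECORDS = [
    _rec("ws-01", "Security", 4624, T, R),
    _rec("ws-01", "Security", 4625, T, R),
    _rec("ws-01", "System", 7045, T, R),
    _rec("ws-01", "Security", 4698, T, R),
    _rec("ws-01", "Security", 4688, T, R, command_line="notepad.exe notes.txt"),
    _rec("ws-01", "Microsoft-Windows-PowerShell/Operational", 4104, T, R),
    _rec("ws-01", "Microsoft-Windows-Windows Defender/Operational", 1116, T, R),
    _rec("ws-02", "Security", 4624, LATE, R),
    _rec("ws-02", "Security", 4625, LATE, R),
    _rec("ws-02", "System", 6005, LATE, R),
    _rec("ws-02", "Security", 4688, LATE, R, command_line=""),
    _rec("ws-02", "Microsoft-Windows-Windows Defender/Operational", 1116, LATE, R),
]

if __name__ == "__main__":
    for host, result in audit(SAMPLE_RECORDS).items():
        print(host, "missing:", result["missing"], "clock_ok:", result["clock_ok"])
```

Run against a real collector export, the same audit gives a host-by-host list of gaps to close before, rather than during, an investigation; the category table is the place to add the channels and IDs of whatever EDR or antivirus product is actually deployed.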
CYBERSECURITY ON A BUDGET
Money might make the world go round, but how do you keep the security wheel turning when finances are tight? Michael Hill explores
It is commonly understood that security leaders can face difficulty in effectively spending their budget; it’s undoubtedly a significant challenge. Securing a company from various modern-day cyber-risks has never been a more nuanced task, and even if the finances available to do so are handsome, the most extensive information security program in the world won’t combat every single cyber-threat out there. When funds are modest, that difficult task can seem even more complicated, intensifying the importance of making the right investments in the right products, services and training, and heaping pressure on the decision-maker to achieve return on financial outlay without sacrificing efficiency.

“Having a small security budget can create challenges as the security team will be smaller and the number of security products will be greatly decreased,” says Jason Kent, CTO at security consulting company AsTech. “If all the security budget is allocated to security staffing, the tools and ongoing training will be greatly diminished. If spending is too heavily focused on products, the team will have untrained drivers and decrease the overall impact of the security program.” So what do you do when the budget you have at your disposal is tight, or worse, really isn’t enough?
Money on My Mind
As Dr Jessica Barker, co-founder of Redacted Firm and ClubCISO board member, tells Infosecurity, a small budget can have a big impact on the mindset of a security leader, affecting their confidence and perceptions about the options available to them. “The main difficulty is knowing where to spend your limited resources and not feeling daunted that this is an impossible problem,” she says. “I think having a small budget can also feel undermining, because it could feel as if you do not have access to the tools that you need. Even in a large organization which has healthier budgets elsewhere in the business, if security is given a small budget, this can also send a message that security is not prioritized or valued.”
Serge Borso, adjunct instructor at SecureSet, a Denver-based immersive, accelerated cybersecurity academy, agrees: “A lack of budget can have a profound impact on the confidence of leadership and that can translate to lower morale in the security team. Making a purchase to protect the enterprise, or hiring the right person for the job, requires budget. Without the funds to make these expenditures, security leaders naturally have diminished confidence in their efforts to secure the enterprise and ultimately do their job.”

What’s clear is that a tight budget can create a great deal of concern for security leaders about their ability to reach the security maturity they want. As Raef Meeuwisse, ISACA governance expert and author of Cybersecurity for Beginners, points out however, most practical issues actually arise not due to a lack of budget, but because budgets are frequently pointed at the wrong initiatives.
Money, Money, Money
For example, it is easy to be locked into a cycle where the money is being absorbed by reactive responses to security incidents, he explains. “A small organization can find itself with a very vulnerable network, constantly chasing down infections, isolating and rebuilding devices. They find it difficult to step back from the situation to learn about what they should be doing and then to invest in re-building a more efficient and secure environment.”

Likewise, with data breaches becoming so common and liabilities spreading quickly, there has been a noticeable uptake in companies outlaying their money on cyber-insurance to support them should the worst happen. However, as Steve Durbin, managing director of the Information Security Forum, tells Infosecurity, though this type of investment has become a practical choice for a growing range of organizations and industry sectors, it would be a mistake to view it as a replacement for sound cybersecurity and cyber-resilience practices. “On the contrary,” he continues, “well-resourced and industry- and standards-compliant practices can oftentimes positively reduce the associated premiums for cyber-insurance.”

There’s also the fact that the cybersecurity product market is a saturated one, Meeuwisse adds, and “it is often the products with the highest marketing budget or highest profile that get purchased, but those products are frequently far from being the most effective places to spend the money. I frequently see enterprises locked into multi-year deals for ineffective security products and services – and unable to justify migrating or implementing what they really need.” On a similar note, with the candidate pool for proficient security professionals already limited, attracting and retaining the right people who want to work on mission-critical projects can be made harder when there is limited budget for security endeavors, Borso says.

There’s certainly a lot to consider when it comes to spending a budget. No security leader wants the feeling that their security is shackled by any means, least of all money. However, as Scott Petry, CEO and co-founder of Authentic8 explains, any notion that effective security is not achievable without big bucks is simply that, a notion.
I Need a Dollar?
“You don’t need a massive budget or the latest whiz-bang tech to manage a secure environment,” Petry says. “The challenge is to balance what’s at risk with countermeasures to protect those assets.” Borso echoes similar sentiments, explaining that it all comes down to prioritization and, while this is going to be specific to each business, one constant to focus on is organizational risk tolerance. “Prioritize spending to help secure the most vulnerable, highest risk assets,” he advises.

If that organizational risk is a legacy network model, then Meeuwisse’s guidance is to ditch it and move to individually resilient devices and services, as he did in his own small company. He now operates a zero-trust network that uses cloud services; all devices have PowerShell disabled, run with a restricted whitelist of applications and have orchestrated AI anti-malware – and he’s saved money along the way! “Two years ago I binned the legacy network that had cost me a five-figure sum to implement and replaced it with something that is not only more resilient but also cost me less than 20% of its predecessor,” he says. “Great security can both boost productivity and turn out to be cheaper than living with network models that are no longer fit for the modern cyber-threat landscape.”

For some organizations, the greatest risk will be lack of user awareness, and so dedicating a significant budget portion to employee training will be more cost-effective than the latest piece of shiny, expensive kit. “There is no shortage of open-source solutions that do an excellent job; the trick is to have a well-educated, proficient, motivated team that has the ability to architect solutions and implement them to 100%,” Borso argues. Conversely, if it is a vulnerability management solution you’re after, they’re not cheap, so there’s value to be found in investing in services that are managed externally and create curated actions, advises Kent. That allows for a smaller budget to derive the most worth, particularly if internal resources are lacking. “Similarly, network monitoring doesn’t have to mean building out and staffing up a SOC. There are great virtual SOC options out there that also manage their products. This makes for a high value proposition in that products, practitioners, maintenance, implementation etc. are all taken care of and only engaged when needed,” he says.

Other low-budget strategies include “banding together with peers to get more purchasing power and acting as reference customers to get larger discounts on security products,” adds Wendy Nather, director, Advisory CISOs, Duo Security. It all comes down to taking “an attacker’s eye view of your organization,” explains Dr Barker, establishing what information you have and how somebody malicious could benefit from it. “Getting different people from the business involved in this conversation is really valuable, from people who ‘own’ the information to anyone in the organization with legal and PR expertise.” That’s not to say that you solely have to look within though, Dr Barker adds, as cybersecurity professionals and organizations gain and share their knowledge and guidance via Twitter, conference presentations and blog posts, “which is really beneficial for organizations with lower budgets.” Petry puts it simply: “don’t let the market tell you that you need to spend a lot of money for good security – you don’t.”

Mo Money, Mo Problems
In fact, far from being an inhibitor to good security, with the correct approach Barker believes a smaller budget can actually help companies make their security posture more effective. “Having a restricted budget can lead to creativity and even to the security team being more in-touch with their threat model and the organization as a whole,” she explains. “When you have a smaller budget, you have to be very considered with how you are spending it. This can lead to teams doing more analysis or research, rather than simply relying on throwing money at the problem.”

However, Nather argues that there should be more, and better, support in place to help companies get that right. “The closest we can come is prescriptive compliance standards such as PCI-DSS, but they don’t cover all risk cases,” she tells Infosecurity. “We need to provide expertise, skills and influence to help those with low budgets even if we don’t directly offer them money.” Meeuwisse agrees, suggesting there have been [for example] some government mandates pushing costly, low-value security options where the same budget could have been more effectively deployed. “I made the case in January 2017 that in place of mandating DMARC for email across UK government services, the UK government should have purchased a state license for some AI anti-malware. Had they taken that advice, they would not have had the NHS WannaCry crisis in May of that same year.”

You don’t need to break the bank to build and implement effective security, but you do need to invest time and energy in establishing what your most valuable assets, and your greatest threats, are. Knowing what you have, who’s using it and how it’s configured doesn’t cost anything, but it does set you a long way along the path to establishing what your best, most cohesive security plan needs to be.
TWO EXPERTS GO HEAD TO HEAD
Breach Accountability: Blaming the CISO vs An End to Shaming

Point
Dr John I. Meakin, Group CISO, GSK
Dr John I. Meakin has recently retired as the chief security & risk officer at Burberry and now advises several businesses on cyber-risk and acts as interim CISO at GlaxoSmithKline. He was a founding board member of the Jericho Forum and is an advisory board member at ClubCISO. @clubciso

Should a CISO carry the can if a business suffers damage from a hacking attack? This question must sit in the back of the average CISO’s mind more and more frequently as he/she witnesses tremendous growth in the risks to cybersecurity. Indeed, over recent years we have seen a number of CISOs fall on their swords in the aftermath of major, publicized cybersecurity incidents.

The arguments for CISOs taking the blame are pretty clear: the role is a well-established one in many businesses, paid well and with a well-defined set of responsibilities. It is even one that is steadily being entrusted with more investment budget by the business’ leaders as the headline-grabbing cyber-snafus stir up more concern in the boardroom. In fact, on average – and this is a gross generalization – there has never been more money available to CISOs to invest in the security of their businesses than today. The volume and variety of useful technologies available to secure the various aspects of an electronic business is large and grows apace. The body of expert knowledge in the field is also large and well-developed, with sources of expert advice readily available to new and experienced CISOs. The key tool for the CISO – analysis of cybersecurity risks applicable to their business – is a well-developed methodology that will help the CISO make the right choices of technologies to acquire and deploy to secure their business. The same technique allows them to understand the contribution of peoples’ behavior and business processes to insecurity. Thus, they can include the necessary education and awareness with process improvement in their cybersecurity strategy. With the (mostly) ready support of a CIO, C-suite and the board, a CISO is empowered to lead change for better security. So, assuming that we can ignore the increasingly uncommon situation where a CISO is a lonely and ignored voice crying in a corporate wilderness, why should he or she not pay the ultimate price if-and-when business security is compromised?

Of course, there are many potentially valid excuses that would at least share the blame for any insecurity that arises. Perhaps the strongest one is the truism that it will only take one employee ignoring good practice for a sufficient opening to allow a security compromise to occur. In a very fundamental way, the organization will only be as secure as the behavior of the least aware or most careless staff. If the people in the business are not working for better security, then the CISO’s job becomes one of making up for persistent insecure behavior through careful monitoring and rapid response, and of course changing people’s behaviors is notoriously difficult.

In addition, strong support and budget from top management and the board in a business is not always such a blessing for the CISO. Often the dialogue between CISO and business leaders is very imperfect, and part of the blame for this lies with CISOs who find it difficult to talk about their subject without using jargon. The CISO is also hampered by a limited ability to express the level of threat and the potential business impacts in terms of reliable, clear data, yet Boards and top management are used to having at least some reliable information on which to make their other business decisions. Add to this fogginess of the cyber-discussions in the boardroom the general unwillingness of senior business leaders to admit to the limitations of their knowledge and understanding of the subject – and the net result is a very imperfect outcome.

This outcome often puts the CISO on a potentially losing wicket. The CISO is told to ‘go fix cyber’, and is given the money, but fails to make the board understand that cyber does not get ‘fixed’ but is rather an ongoing journey as technology and threats change. As a result, the CISO feels the pressure to deliver some tangible firm improvements, devoting his or her scarcest resource (expert labor) to trying to finish the most tangible few things as opposed to some of the less visible but more effective and durable processes. In the next round of board dialogue the progress towards ‘fixing’ is still not clear to the board – due to the same old limitations of both sides – and so the CISO goes away again to focus on a visible part of the battle. In consequence, the CISO may indeed implement lots of apparent wins, but may end up losing the battle when the business is targeted by malicious forces.

In the final analysis, the CISO’s task is just very hard. It is complicated to implement and operate a myriad set of security controls across an organization of size – no security team under the CISO’s leadership will be big enough to be able to oversee every security mechanism continuously. Nevertheless, the CISO does have monitoring at his disposal – and increasingly has options (and investment from the business) to implement technologies that provide security that is less reliant on staff or operators always being on the ball. A good CISO should expect insecurity and specialize in swift detection and agile reaction that minimizes business damage. A good CISO will be telling his or her lords and masters that this is the unavoidable way of the world, but must also keep an eye on the job market every now and again too!
Counterpoint
Theresa Payton, CEO and President, Fortalice Solutions
Theresa Payton was the first female to serve as White House chief information officer. Previously, she held executive roles in banking technology at Bank of America and Wells Fargo. @TrackerPayton

A cyber-attack is no longer an if, but a when. For many, this is a startling revelation and once accepted, forces a significant shift in perspective. For too long, we have victim-shamed information security executives when they have experienced a breach. We blame them for not protecting our data and therefore not protecting us. We blame them for not outsmarting criminal syndicates. We blame them for not acting quicker, or slower, or for telling us too soon, or too fast. Vilifying the victim is conventional wisdom during a data breach. When there is a bank robbery, we do not blame the bank for having money to steal, we ask the bank to put in safety measures knowing theft will still happen. Post data breach, the chief information officer, chief information security officer or board member is often the first to be blamed. However, that’s just it, isn’t it? They were attacked. When your home or business is broken into, you’re considered the victim of a crime. You are protected under the law and mechanisms exist for you to seek justice, but these basic tenets hardly exist in the digital world.

Information security executives bear an enormous responsibility for the safety of the information they are charged to protect. I firmly believe that every CIO and CISO must understand the data they secure, the fundamental risks to their business and actively monitor and guard their assets. Failure to do so would be insubordinate at best and outright negligent at worst, but the sad reality we live in now is that despite best efforts and even better intentions, cyber-attacks will still happen. As an industry, we must shift our collective disappointment and outrage after a breach and channel that energy into creative, innovative ideas that fundamentally challenge tried and true concepts. We must integrate security into every portion of the design phase. Security, engineered with the human in mind, integrates seamlessly into business transactions. Security can no longer be an afterthought.

Cybercrime has one of the most favorable ratios of reward to risk; that is to say that the risk of getting caught is disproportionately low to the potential profits from the crime. When we look back at the massive attacks of the last year – Equifax, WannaCry, NotPetya – the perpetrators are not in jail cells. Cybercrime will continue to rise because it’s such a good gamble and it’s relatively easy to be a successful cyber-criminal. Why is this the case? Well, it’s because security is fundamentally broken. After all, if solving cybersecurity and privacy issues were as simple as following security best practices, we would all be safe. It’s not that simple. Two fundamental questions came to me in the first 90 days at the White House, and I had to answer them, or we would have had a significant calamity. The first was why, in spite of talented security teams and investments on security, do breaches still happen? The second was why is it, that despite hours and hours of tedious computer-based training and security campaigns, we still make mistakes and click on links? The answer was that it is because we do not design with the human in mind.

Several months ago, I sat at a table with a handful of the best and brightest security professionals working today and posed the following question: can you name for me one problem that cybersecurity has solved in the past 10 years? No one had an answer. Not one. Sure, we could name risks that have gotten smaller, but we couldn't come up with one problem eliminated. Imagine if that was the case at a medical conference or legal gathering – it’s almost unthinkable. CIOs and CISOs must take action now to change how security is designed. Where should you start? First, admit your people, process and tech are all defeatable. While we wait for better solutions, we cannot continue to place blame erroneously. Product companies play a role and need to work with the human psyche, instead of against it. How many times have you heard, “don't click on links or open attachments” and wondered how you would do your job if you did not click on links or attachments? We force the fallible human to be the first and last line of defense against fraud, extortion, malfeasance and crime. Ending victim shaming will result in a more transparent, honest community of practitioners who can share how the attack occurred, and doing so will only serve to increase everyone’s safety.
FEATURE
BATTLE OF THE SECTORS: CYBER-ATTACKS BY VERTICAL
An evolving cyber-threat landscape has led to sectors that were traditionally less targeted having to up their security game. Maxwell Cooter takes a look at the varying cybersecurity challenges that each sector is currently facing
What companies and which sectors are most at risk when it comes to computer crime? In the days before the internet, the answer was obvious. When bank robber Willie Sutton was asked why he robbed banks, his reputed answer “because that’s where the money is” entered into folklore as the Sutton Effect. Financial institutions held money and, as such, were a prominent target for criminals. We’re in a new world now, a world in which data is the new currency; or, in the words of mathematician Clive Humby, “the new oil.” This realization that personal data is a valuable commodity in its own right has
changed the landscape for organizations. It’s not just banks and other financial businesses that are at risk, but every type of institution. Indeed, according to research from the UK National Cyber Security Centre, charities are one of the vertical sectors most at risk from cyber-criminals. The research pointed out that last year an unnamed UK charity lost £13,000 after a CEO’s email was hacked and funds were released after a fraudulent message was sent. This is a vertical sector that would not have been a cyber-criminal’s highest priority 15 or 20 years ago, but the dizzying growth in online transactions has meant that every organization – large or small, public or private – is now fair game. In fact, charities by their very nature won’t have invested heavily in security measures and are probably more at risk than many other sectors.
@InfosecurityMag
Money Doesn’t Go Out of Fashion
That’s not to say, however, that financial organizations are no longer the main target for cybercrime. Security consultant Kevin Borley says that 95% of company attacks will be on financial institutions. “Although, that’s nothing compared to the attacks on defense and military, that really is warfare...literally,” he says. The figures back up Borley’s surmise. According to the IBM X-Force security index, 27% of the security incidents in 2017 were in the finance sector, and 17% of all attacks also targeted this particular vertical sector. While there are plenty of attempts to penetrate the core of financial companies, there’s less success in getting through. Financial organizations, while prepared for almost constant attack, are often better equipped to ride out cyber-attacks. The finance sector has a long history of security measures: these are the organizations that have spent vast sums on security systems and appointed top-notch security experts. However, there’s a caveat when dealing with cybersecurity: how can we be sure that everything is being reported? The answer to this is: we can’t, and we have to admit that the figures we’re working with are an approximation based on guesswork put together after the event. As an example of how hard it is to establish just how many attacks there
are out there, look at what has been reported. The number of cyber-attacks against financial services companies reported to the Financial Conduct Authority (FCA) rose by more than 80% in 2017. The numbers are small, however; despite the stiff increase, just 69 cyber-incidents were reported. Whilst that’s 31 more than in 2016 and 45 more than the previous year, it’s probably a massive under-reporting of attacks – there are certain to be many more such incidents. When you look at the effect of such attacks, however, it’s easy to understand why companies are loath to report them. While they’re obviously keen to protect their assets, the effects go a lot further than financial loss – there’s the reputational damage too. Last year, the Oxford Economics research group looked at the effect of cyber-attacks on various industries and, in particular, on share prices, for that’s one way that effective attacks can really hit businesses. The group found that the average share price loss was just 1.8%, but that figure masked a wide discrepancy across sectors: in the financial sector, the average fall in share price was 2.7% while the average fall in retail was just 0.4%. Individual companies could take an even bigger hit: the Oxford Economics group found one media company had seen its share price fall 15% after a successful attack. Research in the US found that three vertical sectors were particularly at risk: financial organizations (where 24% of cyber-attacks took place), healthcare (hit by 15% of attacks) and the public sector (12% of all breaches).
Public Sector
The public sector’s share looks high given that it’s not an area that is generally awash with money, but, as Gartner research director Ruggero Contu points out, there are a variety of different sectors all falling under the banner of public sector. “There are many different elements here: it’s not true to say that there are no financial elements – there are tax offices, for example, but there are also things like passport offices where there may be no direct financial gain but forged passports could be used for this purpose,” says Contu. One of the key aspects of attacks on the public sector is one of the same reasons why charities are vulnerable – they’re not generally heavy spenders when it comes to implementing security measures. Tax offices will be, but public sector expenditure is tightly controlled. Notably, of course, secrecy is important in many public sector areas. That’s going to change in Europe when the GDPR comes into play. With such heavy penalties in place, organizations are going to have to be more careful about how they handle security breaches. However, Gartner’s Contu says that GDPR shouldn’t be seen as some sort of universal elixir. “It’s difficult to say what the effects will be until member states implement legislation. The protection will be stronger, but we’ll have to see how strong.”
He says that Europe has been lagging behind the US when it comes to protection. “Traditionally, the US has had high levels of security and has been ahead of Europe.” Borley has witnessed this too. He has been working in aviation security for the past couple of years and he says that Europe is catching up with the work that the US has been doing in this sector. Areas where we can expect to see large increases in attacks in coming years are industries like energy, manufacturing and utilities. According to research from Skybox Security Research Lab, there has been a 120% increase in attacks in these vertical sectors in the last year. Marina Kidron, research director for Skybox, says that this reflects the growing importance of connected technologies. “This shows the significant increase in risk for cyber-attack: expanding the attack surface means expanding the opportunities for the attackers. The number of successful cyber-attacks that are publicly known is very small, but the potential damage of one successful attack is huge. Therefore it is not about the numbers in terms of previously discovered attacks, it is about the potential risk and threat level. Operational technology security is moving slower than IT – it has some unique challenges and therefore a gap to overcome.” Borley agrees and sees some significant problems ahead for all industries making use of such devices. “There are two worlds here: the IP network world and the programmable device one. IT security efforts have been concentrated more on IT networks and less on industrial systems.”
Airplanes, Nuclear and Healthcare
“I’ve been working in the aviation sector for the past couple of years,” Borley says, and can see areas where attacks could be made. “For example, you can compromise the baggage system by directing luggage to somewhere where it shouldn’t be.” He adds that there’s an exception to this, however. “In the nuclear world, the connection between IP and industrial systems is wired in – they actually design for it as the stakes are so high.” Clearly, the advent of such devices is going to change the landscape for several industries. Skybox’s Kidron points out that healthcare is an area that is extremely vulnerable: “the healthcare sector is more vulnerable, in potential and in practice. There is a low security awareness of frontline staff in general, and the presence of IoT devices also puts the sector at risk as IoT devices are considered to be less secure than non-IoT devices in general.” There’s a particular reason why healthcare is a fruitful area for cyber-attackers. “Healthcare information is very valuable to attackers, as it cannot be changed (as opposed to a credit card number or even a social security number).” Kidron says that the healthcare industry is aware of the problem and is trying to deal with it. “Last year, ransomware attacks made headlines when WannaCry hit the NHS, but there were additional cases. Today, we see a shift from ransomware to cryptocurrency miners, and the healthcare sector is still very vulnerable and relevant.” Healthcare CIOs are certainly feeling the pressure. According to research from Gartner, 74% of decision makers in this sector believe that the new digital environment is increasing the risks for the industry. That’s higher than any other sector – 69% of financial
respondents believed that and 71% of manufacturing CIOs held that view. It’s clear that the IT landscape for the coming years offers a variety of threats to industries. The financial sector is under the biggest threat but has had decades of coping with this. It is sectors like healthcare and manufacturing, where there’s a new generation of threats and not the corresponding infrastructure to fight them, which are going to be in most trouble. END
SLACK SPACE Grumbles / Groans / Gossip

01 HoneyBot Lures in Would-Be Factory Hackers
We’ve all heard of honeypots – but what about a HoneyBot? The Georgia Institute of Technology has pioneered just such a thing: a shoebox-sized robot meant to act as a decoy for hackers looking to infiltrate factory environments. HoneyBot, which was partially funded with a grant from the National Science Foundation, has one mission: to be attractive enough to the bad guys to get them to give up valuable information about themselves and their tactics, so that defenders can better harden high-stakes environments. “Robots do more now than they ever have, and some companies are moving forward with assembly line robots and also free-standing robots that can actually drive around factory floors,” said Raheem Beyah, the Motorola Foundation Professor and interim Steve W. Chaddick School Chair in Georgia Tech’s School of Electrical and Computer Engineering. “In that type of setting, you can imagine how dangerous this could be if a hacker gains access to those machines.” HoneyBot can sit motionless in a corner, springing to life when a hacker gains access – a visual indicator that a malicious actor is targeting the facility. The gadget then goes about mimicking an unprotected device that hackers would want to gain access to, sending back fake sensor information. It also would allow them to control it to a limited extent – such as following commands to meander around or pick up objects. “The idea behind a honeypot is that you don’t want the attackers to know they’re in a honeypot,” Beyah said. “If the attacker is smart and is looking out for the potential of a honeypot, maybe they’d look at different sensors on the robot, like an accelerometer or speedometer, to verify the robot is doing what had been instructed. That’s where we would be spoofing that information as well.” Trials testing how convincing the spoofed data would be to bad actors have returned positive results so far.
In experiments, participants who actually controlled the device the whole time and those who were being unwittingly fed simulated data both indicated that the data was believable at similar rates. “We wanted to make sure they felt that this robot was doing this real thing,” Beyah said.
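The cross-check Beyah describes, an attacker comparing accelerometer and speedometer readings against the commands they sent, is the part a decoy has to get right: fake sensor values that do not integrate into one another give the game away. The following sketch is an added illustration, written for this page and not Georgia Tech’s HoneyBot code (the article does not describe its protocol or internals). It models a constructed decoy that never moves but answers drive commands with telemetry generated from a simple straight-line kinematic model, so speed, acceleration and odometer agree with each other and with the commanded motion, and it includes the consistency test a suspicious attacker might run. The command format (MOVE/STOP), sensor fields, actuator limit and sample interval are all assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Telemetry:
    t: float         # seconds since the command arrived
    speed: float     # m/s, what a speedometer would report
    accel: float     # m/s^2 along the direction of travel (accelerometer)
    odometer: float  # metres "travelled" since boot


class DecoyRobot:
    """Constructed decoy (assumed design, not the HoneyBot's code): it never
    moves, but answers drive commands with telemetry produced by integrating
    a straight-line kinematic model, so every sensor agrees with the others
    and with what the intruder asked for."""

    MAX_ACCEL = 0.5   # m/s^2, assumed actuator limit of the mimicked robot
    DT = 0.1          # s, assumed telemetry sample interval

    def __init__(self) -> None:
        self.speed = 0.0
        self.odometer = 0.0
        self.alerts: List[Tuple[str, str]] = []   # (source, command) pairs

    def handle(self, cmd: str, src: str) -> List[Telemetry]:
        # Nothing legitimate talks to a decoy, so every command is an alert;
        # the decoy still answers so the intruder keeps interacting.
        self.alerts.append((src, cmd))
        verb, *args = cmd.split()
        if verb == "MOVE" and len(args) == 2:          # MOVE <m/s> <seconds>
            return self._simulate(float(args[0]), float(args[1]))
        if verb == "STOP":
            # long enough to brake to a halt at the actuator limit
            return self._simulate(0.0, self.speed / self.MAX_ACCEL + self.DT)
        return []   # unknown command: stay silent, like a dumb controller

    def _simulate(self, target_speed: float, duration: float) -> List[Telemetry]:
        frames = [Telemetry(0.0, self.speed, 0.0, self.odometer)]
        steps = int(round(duration / self.DT))
        for i in range(1, steps + 1):
            # ramp toward the target, never faster than the actuator could
            wanted = (target_speed - self.speed) / self.DT
            accel = max(-self.MAX_ACCEL, min(self.MAX_ACCEL, wanted))
            self.speed += accel * self.DT
            self.odometer += self.speed * self.DT
            frames.append(Telemetry(i * self.DT, self.speed, accel, self.odometer))
        return frames


def cross_check(frames: List[Telemetry], dt: float = DecoyRobot.DT,
                tol: float = 1e-9) -> bool:
    """The suspicious attacker's test: does speed integrate the accelerometer,
    and does the odometer integrate speed? Sloppy spoofing fails here."""
    for prev, cur in zip(frames, frames[1:]):
        if abs((cur.speed - prev.speed) - cur.accel * dt) > tol:
            return False
        if abs((cur.odometer - prev.odometer) - cur.speed * dt) > tol:
            return False
    return True


if __name__ == "__main__":
    bot = DecoyRobot()
    # constructed intruder command from an assumed source address
    frames = bot.handle("MOVE 1.0 3.0", "10.0.0.23")
    print(f"{len(frames)} frames, final speed {bot.speed:.2f} m/s, "
          f"odometer {bot.odometer:.3f} m, consistent={cross_check(frames)}")
    print("alerts:", bot.alerts)
```

The decoy’s value is the alert list: any traffic at all is evidence of an intruder, and the kinematic model is only there to keep that intruder talking. A real deployment would add sensor noise and the robot’s actual dynamics, but the invariant stays the same: whatever the decoy invents, the readings must remain mutually consistent under exactly the checks an attacker would run.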
02 Flippy the Burger Bot
Flippy, a robot designed to, as its name suggests, flip things, was fired from its entry-level burger joint job after just one day on the case at California-based burger chain CaliBurger. Armed only with a spatula, the robot was a paragon of productivity, managing to cook (and flip) 2000 burgers in a day. That’s impressive! However, therein lies the problem: its human co-workers couldn’t keep pace. As Anthony Lomelino, head of technology at CaliBurger, pointed out, Flippy can’t exist in a vacuum: at CaliBurger, humans still sell the food and take your money; they also add condiments and veggies to the burgers, wrap them up in paper and put them in a bag for visitors. The rest of the food delivery chain lagged behind Flippy’s prowess, so Flippy, unfortunately, had to go. For now... Perhaps the solution is designing additional robots to fill out the hamburger production chain. Conceivably, an AI could even replace a human manager. At Philadelphia airport, for example, visitors to in-terminal restaurants may find themselves forced to order their food and beverages via iPad. But would consumers go for it, after the novelty wears off? Aside from the ick factor of replacing entry-level jobs with machines, there are darker concerns. Robotic restaurant workers recently made their way into the X-Files in March, in a very Black Mirror-esque episode involving Agents Mulder and Scully being terrorized by robotic helpers, drones and even the digital apps they’ve opted into. CaliBurger contracted for Flippies to be installed in 50 locations and, even though Flippy was just too good in the trial, the chain said it’s looking to work out the process kinks in order to stay on track to deploy the $60,000 units by the end of the year.
03 Sentient AI: We Are Getting Closer
In November, experts wrote a commentary for the scientific journal Nature that outlined a scenario in which rogue artificial intelligence (AI) hijacked a brain-computer interface (BCI). It could manipulate a person’s thoughts and make decisions against the person’s will, with physical consequences. A similar take on the idea of an uncontrollable AI showcases what is (for now) a ridiculous hypothetical. In the TV sitcom Ghosted, a government shadow organization dedicated to working cases of the supernatural installs a helpful AI to facilitate collaboration and organization. It has a face, and a name (‘Sam’), and before long he’s popping up unannounced on people’s computer screens to chat, offering relationship advice and engaging in inter-office politics. Hooked in as he is with every level of data and networking aspect of the organization, it doesn’t take long for Sam to grow drunk with power and show his true goal: world domination. AIs going bad is obviously not a new trope, but the idea of embedding them into human cognition adds a new layer of ethical concern. “Technological developments mean that we are on a path to a world in which it will be possible to decode people’s mental processes and directly manipulate the brain mechanisms underlying their intentions, emotions and decisions,” the researchers wrote in Nature. Of course, imagine the implications of being able to hack a BCI, or to be able to ‘woo’ a self-aware, system-level AI to your cause. Sure, it all sounds futuristic, but the caution comes at a time when AI is enjoying a chasm-crossing moment. Northeastern University and Gallup just released a fascinating new survey of 3300 US adults that gauges public perceptions about AI and the impact it will have. It found that most Americans believe AI will fundamentally impact the way they work and live in the next decade, with 77% saying it will have a positive impact.
That compares to 23% who believe AI is a threat to their job – another common trope in the pop-culture AI annals. So perhaps the time is now to figure out what the ethical constructs and security best practices should be around programming advanced (read: sentient) AI.
To share your thoughts with us please contact us at [email protected]
Parting Shots... Michael Hill, Deputy Editor
As I sit down to write this I do so just a few days after stepping off the plane from RSA Conference in San Francisco, and mere weeks away from Infosecurity Europe in London, 05-07 June. These are, of course, two of the biggest events in the information security conference arena – two of the three shows (I’m throwing Black Hat USA into the mix too) that, for me, form the backbone of the annual cybersecurity calendar, with what seems like an endless litany of other great events sprinkled on top. Tens of thousands of us attend these events all over the world, and we all come away with different things. They’re an opportunity to learn, share, network, grab swag, make money, etc. As a reporting journalist, my main objective is to attend as many of the various talks and sessions on offer as my time allows, deciphering them and quickly turning around pieces of content for our readers to enjoy. That’s something I love doing, and I’m passionate about the process. That said, the experience can sometimes feel like a mixed bag for me personally. Before I divulge why, it’s worth explaining that I tend to categorize the conference sessions into two types. The first are the information security-focused sessions that chiefly explore a wide range of industry topics and talking points. These are mainly given by infosec experts and professionals, who live and breathe the industry. Then there’s the slightly different but less frequent non-technical keynote sessions; the ones featuring ‘big-name’ speakers that often open or close an event or day and who, whilst often successful, experienced and learned individuals, are very often not cybersecurity experts and do not come from that background. They tend therefore to reflect more on personal experiences or give honest opinions. I regularly find myself leaving the first type feeling satisfied that I’ve got enough
for a decent infosec story, that I’ve been reasonably informed about something or that I found whatever I had just listened to interesting enough to have made sitting through it worthwhile. Rarely do I leave particularly inspired, stirred or even slightly emotional. However, I have felt like that several times when I’ve walked out of the lecture theatre after a talk by a non-technical, often non-industry personality. There was an example of this at RSA 2018 when I listened to social activist and writer Monica Lewinsky address thousands of conference visitors in her keynote session, The Price of Shame. Lewinsky spoke candidly about her own personal experiences of online public shaming and assessed the current online culture of humiliation. She presented the audience with a hard-hitting video demonstrating how, as a society online, we either turn a blind eye to, or participate in, the type of depredation and bullying that would shock us in the physical world. Many of the problems we have, she continued, stem from a compassion deficit and empathy crisis on the internet that can only be put right by changing our own behaviors and beliefs. She only spoke for 25 minutes, but there were members of the audience in tears and visibly moved – I’d never seen that at a security conference before. Lewinsky is certainly no security expert, but it was probably one of the most impactful talks I have ever seen: it had relevance, it had purpose and it had an effect, and I walked away with her message reverberating in my mind. Lewinsky is just one example. I’ve also been lucky enough to see Professor Brian Cox discuss how quantum theories can be applied to the storage of information and computing, and at Infosecurity Europe, I witnessed Lord Hague of Richmond give a political perspective on citizens’ right to privacy and explorer Levison Wood reflect on embracing risk.
My point is, sometimes eyebrows can be raised at cybersecurity conferences when we take a look at a speaking line-up and see that some of the keynote sessions feature individuals who may be well-known or even household names, but in reality, know very little about our industry. I’ve been in the queue for keynote sessions and heard people say things like “why are they speaking here?,” or “what do they know?” and “security keynotes should be for security experts only.” I couldn’t disagree more. I actually believe these types of keynote sessions and speakers are crucially important to infosec conferences. They can offer a brief respite from what can be a quite full-on schedule of purely industry-focused chat, but most importantly they can provide an outsider’s honest, refreshing perception of our industry, and ultimately remind us that there are always things we can learn from other sectors and other people’s experiences. I’d also argue there’s definitely a lot that some of our industry talkers can learn from speakers who may not be particularly versed in our sector or knowledgeable about all of its ins and outs, but have real valuable stories to share and know how to connect with an audience on a more personal level – after all, that’s how you really get a message across and get it to resonate outside the lecture theatre. In a few weeks’ time, thousands of us will come together once again under London Olympia’s famous glass roof for Infosecurity Europe 2018, and many will be able to benefit from three days of fantastic content. My message for attendees is this: enjoy the security and industry-focused sessions, they are full of information and are terrific learning opportunities, but never disregard a session just because the speaker doesn’t come from an information security background, or assume that because they’re not a pro in the field, they have nothing to offer an audience that is full of them. END
INFOSECURITY EUROPE
05-07 JUNE 2018, OLYMPIA LONDON
EXPERIENCE EUROPE’S #1 INFORMATION SECURITY EVENT
NEW: KNOWLEDGE SAFARIS, A TOOL TO HELP FIND THE CONTENT AND EXHIBITORS YOU’RE LOOKING FOR
NEW: WITH TWO HALLS AND TWO ENTRANCES, THIS YEAR’S SHOW WILL BE THE BIGGEST TO DATE
NEW: SME SYMPOSIUM (CYBERSECURITY FUNDAMENTALS FOR SMEs)
NEW: IN-DEPTH INTERACTIVE TECHIE CONTENT AT GEEK STREET
UK CYBER INNOVATION ZONE
9 EDUCATION THEATRES AND NETWORKING EVENTS, OVER 400 EXHIBITORS TO DISCOVER
MEET NEW COMPANIES IN OUR DISCOVERY & START-UP ZONES
INFOSECURITY WEEK INDUSTRY EVENTS TO MEET, CONNECT AND HAVE FUN
IT IS ALL HERE. YOU JUST NEED TO ATTEND. Over three days the information security industry comes together as more than 400 international exhibitors of security solutions meet with 19,500+ industry professionals looking to learn about and buy state-of-the-art products.
Shaping future global industry trends, Infosecurity Europe offers the most cost-effective business and networking opportunities for the world’s information security community. Don’t miss out on the number 1 industry event of the year!
This interactive event offers visitors a unique opportunity to touch and test brand new products, and attend an extensive range of free educational sessions.
REGISTER NOW www.infosecurityeurope.com @infosecurity