The A-Z of cyber security A plain English guide to online risk and resilience




2 | NEW STATESMAN | 18-24 SEPTEMBER 2015

IN PARTNERSHIP WITH AVATU

Time to stop playing Russian roulette

These are the five simple questions you should be asking to demystify cyber security and protect your business (and career), writes Joe Jouhal

Four pieces of enlightening news landed on my desk on the same day recently. First, there was a story in the Financial Times, quoting the new chairman of the Institute of Directors, Lady Barbara Judge, saying that cyber security is so overwhelming to boards that their reaction is to file it in the "too difficult category" – her words not mine – rather than tackle the issue head-on.

Then there came research from Marsh, the global insurance broking and risk management firm, which showed that many UK companies are failing to assess their customers and trading partners for cyber risk adequately, and are more vulnerable to cyber attacks themselves as a result.

Third was a story from the Telegraph which highlighted that the average cost of a cyber attack is now £1.46m a year.

And last of all came news from the United States, that the head of the government's personnel office had abruptly resigned because hackers had stolen the sensitive information of some 21 million employees, including bank account details, health reports and even security clearance assessments.

It was a big news day for information security. But what struck me most was that collectively it painted a picture of a serious and expensive problem, which was being dealt with ineffectively.

By not facing up to the changing world, leaders are playing Russian roulette – with their company's success, and the future of their careers. Boards and chief officers need to understand that cyber security is no more than a complicated business risk. And executives can choose to be a victim (and leave the challenge in the too difficult tray) or go on the offensive.

In my experience, leaders of the most successful, growing companies usually tackle challenges squarely, rather than passively wait to deal with the consequences.

The issue does not have to be complicated or confusing. It can start with some very simple questions, such as these below.

Questions that chief officers and boards should be asking about information security

1. Do we know if we've ever been breached? Companies often don't know they've had a data leak until long after it has happened. There are advanced detection systems that can do this as part of a layered information security monitoring system.

2. Where is our most sensitive, potentially damaging and most valuable information? All of it, every piece of it, every copy (this could be customer information, staff records, IP, financial information, business plans, emails between executives ... and much more). Who has access to it? What special arrangements do we have to protect it within our systems?

3. How do we protect our sensitive data when it's outside our perimeter? How do we stop it being seen or shared with unauthorised people?

4. These days most of us use more than one device for work. How do we protect all of these end-points? Are they a potential weak point of access to our systems and data?

5. Do we have insurance to make us more risk-aware and more prepared to mitigate the risk?

There are tools, technology and practices to mitigate all these issues. And facing this information security challenge head-on demonstrates stronger leadership, strengthens a business's resilience and protects chief officers' current roles and future job prospects.

Joe Jouhal is managing director at Avatu, the information security specialists

Join a one-day seminar free to New Statesman readers, see page 13.

New Statesman, 2nd Floor, 71-73 Carter Lane, London EC4V 5EQ. Tel 020 7936 6400
Subscription inquiries, reprints and syndication rights: Stephen Brasher, sbrasher@newstatesman.co.uk, 0800 731 8496

Supplement Editor: Jon Bernstein
Design and Production: Leon Parks
Graphics: Leon Parks
Sub-Editor: Prudence Hone
Account Manager: Penny Gonshaw, +44 (0)20 3096 2269
Commercial Director: Peter Coombs, +44 (0)20 3096 2267

CONTENTS

4 A-Z of cyber security
U is for ... understanding
Unravelling the code from advanced persistent threats to zero days

20 View from the experts
"Total security is a futile concept"
Where does the biggest threat lie?

31 Facts and figures
Security breaches by numbers
How UK businesses, big and small, are coping with cyber threats

Countering the threat

Between the day when this supplement was conceived and the moment it was sent to press, the name Ashley Madison – the dating site that facilitates extramarital affairs – was added to the hall of cyber security shame. Hackers stole personal details of 37 million members of the morally ambiguous website, causing embarrassment and ignominy.

The US government's Office of Personnel Management is another recent inductee to the hall of shame, victim of a hack attack that resulted in 21.5 million federal employee records being stolen. There have been many others; and there will probably be more between printing and distribution, and then distribution and reading.

Perhaps that makes 32 pages devoted to cyber security especially timely but, in truth, it would have been timely at any point in the past two decades.

Cyber security is a complex concept, not least because it acts as an umbrella term to cover an array of threats as well as methods to address those threats.

Countering the challenge falls into three broad categories: threat management (keeping the bad guys out); security information management; and identity and access management (locking the front, back and side doors).

As for the threats themselves, the terminology can be baffling. Working on the assumption that many people don't know their APTs from their DoS or their malware from their zero-day attacks, the centrepiece of this supplement is an A-Z of cyber security terms (see page four).

Cyber security is complex for at least another three reasons. First, a security breach is just as likely to be the result of the actions of an internal member of staff (sometimes deliberate, often accidental) as it is the effect of external actors. Consider this: three-quarters of the security breaches that affected large UK companies last year were the result, at least in part, of employee-related activity (see page 31).

Second, given cyber security is now a multibillion-dollar products and services industry, the sceptical response is to suggest that some unscrupulous suppliers trade on people's fears. That assertion is robustly addressed by four security experts (see page 20).

And third, as one of those experts, Mark Brown from EY, acknowledges, "100 per cent security is a futile concept". What is needed instead is best endeavours. That requires informed decision-making. It's time to start reading.

This supplement, and other policy reports, can be downloaded from the NS website at: newstatesman.com/page/supplements

Cover: Shutterstock. Design by Leon Parks

First published as a supplement to the New Statesman of 18-24 September 2015. © New Statesman Ltd. All rights reserved. Registered as a newspaper in the UK and USA.


A-Z OF CYBER SECURITY

U is for ... understanding

Cyber security comes with a language all of its own, often opaque and replete with acronyms. With some expert help, we unravel the code, from advanced persistent threat to zero days

A is for advanced persistent threat
An APT is an attack carried out by an adversary that targets and exploits individuals instead of computers and operating systems. Its intent is to be stealthy, targeted and data-focused. Typically an APT targets individuals in an organisation. The adversary performs extensive reconnaissance and then sends a targeted piece of information such as a web link or email to trick the user into opening up vulnerabilities. From this breach, the adversary uses the compromised system as a pivot point into the organisation's network.

The trick in dealing with APTs is recognising that prevention is ideal but detection is a must. Organisations will get compromised by APTs. The goal is to minimise the frequency and impact of this by controlling where the adversary can get to in the network and how much damage it can do.

Here are things you can do to limit the impact of an APT:
1. Content filtering and examination of behavioural anomalies.
2. Create highly segmented networks to prevent lateral movement.
3. Monitor outbound traffic for the attacker's command-and-control channels.
Eric Cole is a faculty fellow and course author at the SANS Institute
A is also for authorisation, active attack and anti-virus software
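Item 3 above, monitoring outbound traffic for command-and-control channels, is the one that most often catches an APT after prevention has failed. The Python below is an added example, not code from the article or the SANS Institute: it scans outbound proxy log lines for a client that contacts one host at near-constant intervals, the metronomic "beacon" pattern of an implant checking in, which stands out against bursty human browsing. The log format, the hostnames, the sample lines and the thresholds are all constructed for this example.

```python
"""Beacon detection over outbound proxy logs (added example; constructed data)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines: "<ISO timestamp> <client-ip> <destination-host> <bytes-sent>"
SAMPLE_LOG = """\
2015-09-18T09:00:00 10.0.0.5 www.example-news.test 512
2015-09-18T09:00:03 10.0.0.5 cdn.example-news.test 4096
2015-09-18T09:00:04 10.0.0.5 update.svc-7a3f.test 220
2015-09-18T09:05:04 10.0.0.5 update.svc-7a3f.test 218
2015-09-18T09:10:05 10.0.0.5 update.svc-7a3f.test 221
2015-09-18T09:11:40 10.0.0.5 www.example-news.test 700
2015-09-18T09:15:04 10.0.0.5 update.svc-7a3f.test 219
2015-09-18T09:20:05 10.0.0.5 update.svc-7a3f.test 220
2015-09-18T09:22:17 10.0.0.5 mail.example-corp.test 9000
2015-09-18T09:25:04 10.0.0.5 update.svc-7a3f.test 222
2015-09-18T09:30:05 10.0.0.5 update.svc-7a3f.test 220
2015-09-18T09:41:02 10.0.0.5 www.example-news.test 600
"""


def parse_log(text):
    """Yield (timestamp, client, host, bytes_sent) from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, nbytes = line.split()
        yield datetime.fromisoformat(ts), client, host, int(nbytes)


def find_beacons(text, min_events=5, max_jitter=0.10):
    """Return [(client, host, mean_gap_seconds, jitter)] for suspiciously regular flows.

    jitter is the coefficient of variation (stdev / mean) of the gaps between
    successive requests from one client to one host. A sleep-loop implant
    produces gaps that barely vary; people do not. Thresholds are assumptions
    and would be tuned against a real proxy's baseline.
    """
    flows = defaultdict(list)
    for ts, client, host, _ in parse_log(text):
        flows[(client, host)].append(ts)

    hits = []
    for (client, host), times in flows.items():
        if len(times) < min_events:          # too few samples to call it periodic
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else 0.0
        if jitter <= max_jitter:
            hits.append((client, host, round(avg, 1), round(jitter, 3)))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("possible C2 beacon:", hit)
```

On the sample above the only flagged flow is 10.0.0.5 to update.svc-7a3f.test, checking in every five minutes with a second or two of jitter; the three visits to the news site are too few and too irregular to trip the check. In production the same logic is run per day over the proxy or DNS logs, and the flagged hosts are then triaged on rarity (how many other clients ever talk to them) before anyone is paged.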

B is for biometrics
Biometrics refers to authentication tools and technologies such as facial recognition, fingerprinting and retina scanning. With traditional password-based security features increasingly hacked by cyber criminals, biometrics are becoming popular as they can be a much harder target for hackers.

Biometrics are more difficult to hack but should not be seen as a replacement for password technology. Whether it's voice recognition or fingerprint technology, biometrics do solve some of the flaws inherent in modern password systems, but they also bring a different set of challenges. For example, fingerprints can be reproduced; some prints are stronger than others; and changes in the physical appearance of the user can throw off the results in facial recognition. And unlike a password, a fingerprint that has been copied cannot be reset.

Used together, passwords and biometrics provide a stronger form of protection. One factor complements the other, raising the barrier further for unauthorised users attempting to gain access and hack a system. For example, security tools that incorporate multi-factor authentication, including encryption, alongside biometric fingerprint technology and typical password security can ensure that devices are covered at all bases.
Nicholas Banks is a vice-president of IronKey by Imation
B is also for bot, backdoor, boundary protection and BYOD

C is for cloud computing
As defined by Gartner, cloud computing is "a style of computing in which scalable and elastic IT-enabled capabilities are delivered as a service using internet technologies". In other words, cloud computing enables companies to tap in to extended resources situated anywhere in the world, creating efficiencies and scale – and allowing users to pay for services as they are used.

While the cloud brings a host of financial and business benefits, it also brings risks in the form of cyber theft, accidental data leaks and privacy fines. As sensitive information is of enormous value to criminals, cloud defence is imperative for businesses that hold such data.

A logical starting point is to identify all cloud applications in use, classify the types of data they hold and assess the risk level of each app. This then helps firms to map the appropriate security controls to protect data, such as through encryption, tokenisation and data-loss prevention. And finally, organisations should continuously monitor activities to detect and flag up any anomalies in the use of data.
Willy Leichter is the global director for cloud security at CipherCloud
C is also for critical infrastructure, cipher and cryptography

IN PARTNERSHIP WITH TRUSTED MANAGEMENT

Why infosec is the great enabler

Just as a car's brakes take the risk out of driving, so information security makes business possible, writes Peter Wenham

Information security (infosec or just security) often gets a bad press and is often seen in a negative light. Why is this? Is it the influence of sensationalism in the media about the bad guys getting heaps of credit-card data? Or is the coverage causing fatigue because the messages are seen as being overhyped and in a sense that "it's not happened here yet"? Is it that the costs associated with infosec are seen as coming off the bottom line, with no apparent benefit? Perhaps an expensive infosec project failed or costs spiralled.

Whatever the reason, infosec needs to be better understood. It is, after all, a business enabler – but can we demonstrate that? A good analogy is to ask why cars are built with brakes. Ask an audience, and the majority answer will be because they stop the car. The real reason is that the brakes enable the car to be driven. In other words, they take the risk out of actually driving the car at speed, because brakes are used to slow or stop the car.

We can extend the analogy by comparing a Formula 1 racing car's brakes to a family car's brakes. Fit a family car's brakes to an F1 car and they will fail before the F1 car completes its first circuit. The quality of the brakes, or control, is proportionate to the risk. An F1 car needs far better brakes than those fitted to a family car, due to higher speeds, acceleration and deceleration rates.

What is infosec actually doing in an organisation? It is protecting company data, be it intellectual property, finance and HR records or customer data. And each data type has a value. For example, sales and marketing information is of value to rivals planning to make a hostile bid. According to the data/information value, we can identify the threats, threat sources and business exposures.

By identifying the threats, sources and exposures, a set of general controls governing access to any data set, and the processing it can be subject to, can be determined.

So who owns infosec? In many organisations infosec is thrown lock, stock and barrel over the fence to the IT group, but they are the wrong people. While IT can devise, implement and manage technical controls in support of identified threats, it is the core business that understands what the organisation does and the threats and exposures.

The business owns the information that drives an organisation. Information, and the data it is derived from, can and must be owned by only one person, for due diligence, auditability and legal/regulatory reasons. Hence the HR director (or equivalent) will own HR data, the finance director owns finance data and so on.

What does "owning" the data mean? It means saying who can access data and for what purpose. Just because a person is the MD, CEO or director does not mean that he or she should have access to all the company data. Information should be restricted on a "need to know" basis.

Nevertheless, care is needed in this area, to ensure this principle is not overly strict.

Generally directors in large organisations cannot have hands-on decision making for all the data under their control, so any decision making regarding access and use will be devolved down in their organisations; but in the end they set the policy and retain overall responsibility.

In summary, you will have come to realise that for any specific informational area such as HR, the business has identified the value of the information (public, company internal, sensitive and so on) and who (or which groups) can access the information and what they can do to it (create, delete, edit, copy, transmit and so on).

This is the information necessary to build a sane and sensible infosec strategy for a company that an IT department can take and turn into usable technical controls and an HR department can turn into user policies.
Peter Wenham is the director of Trusted Management, specialists in information assurance

To find out more, visit: trusted-management.com

D is for denial of service
A denial of service (DoS) is a type of cyber attack that aims to overwhelm a website or cloud service so that it cannot function or accept legitimate requests from other internet users.

To perpetrate this attack, cyber criminals will stealthily install software, often on the PCs of unsuspecting home users, that on command can generate spurious traffic directed at the victim's website. These botnets can include tens of thousands of PCs, and an attack launched from one is referred to as a distributed denial of service (DDoS) attack. Imagine a telephone switchboard with a total of eight available phone lines. If attackers keep calling, never giving a chance for a line to be freed, then the switchboard can never answer a legitimate call.

DoS attacks are often used by groups with a grievance against a particular brand or political issue, and can be a smokescreen to confuse the target while other more sophisticated attacks take place.

DoS attacks can be mitigated by countermeasures such as certain types of application traffic-management devices that can be configured to identify and discard traffic that appears to be coming from a botnet. There are also third-party services that act as a type of clearing house for web traffic that can counteract DoS attacks.
Stephen Sims is a course author and senior instructor at the SANS Institute
D is also for decryption and data breach

E is for encryption
Encryption is at once intellectually simple and morally complex.

At its most straightforward, it is the act of encoding data, turning plain text into cipher text. Only those with a key or password can decode – or decrypt – the data, meaning that, in theory at least, sensitive information can pass securely across networks and be stored safely by an individual, business or government.

The strength of the encryption depends on how the technology is applied. Broadly, this happens in two ways – symmetric encryption uses the same key both to encrypt and to decrypt a message, whereas asymmetric encryption uses a pair of keys: a public key to encrypt and a separate private key, never shared, to decrypt. From a security point of view, encryption can be viewed as an unalloyed good thing, but there is also an ethical dimension. Should technology firms provide governments with access to encryption keys in the name of averting terrorism, for example? If they withhold those keys, are they wilfully putting national security at risk? But if they share keys, are they blatantly invading personal privacy?
Jon Bernstein
E is also for event and exploit

F is for Flashback malware attack
The conventional wisdom dictates that Apple-made devices are less prone to


security breaches than Microsoft Windows equivalents. Although a quick flick through the technology press cuttings of the past two decades is likely to bear out this view, the Apple Mac operating system is not impervious to attack.

The Flashback malware attack is one example of when Apple's defences – and those of its OS X operating system – were breached. Using a form of malware known as a Trojan horse, it was first detected in 2011. As the term suggests, a Trojan horse attack is based more on deception than stealth, and Flashback was initially disguised as an Adobe Flash Player installer before moving on to exploit vulnerabilities in the Java runtime. The malware drops a small application on to the host computer, allowing a hacker to run malicious code from a remote location.

Why are such attacks effective? First, the malicious intent is hidden behind something mundane and useful, such as a software update. And second, many of those software updates are automated so the victim is a passive participant, oblivious to malicious intent. According to reports at the time, Flashback infected more than 600,000 machines.
Jon Bernstein
F is also for fraud and firewall

G is for gateway crimes
In the world of addiction prevention, the notion of a gateway drug is well understood – a relatively benign narcotic becomes a gateway to harder and more harmful alternatives. Criminality and illegality are important components in the transition. A similar theory can be applied to the criminality that surrounds computer hacking.

According to Andy Archibald, head of the National Crime Agency's cyber crime unit, digital piracy can become a gateway to more serious online crime.

Speaking at the Infosecurity Europe conference in June, Archibald noted that many young people were developing sophisticated digital skills and that it was "important that they put those skills to good use and are not tempted, unwittingly, to cyber criminality".
Jon Bernstein
G is also for graduated security

H is for Heartbleed
Heartbleed is the flaw in the open-source OpenSSL library, disclosed in April 2014, that affected more than 60 per cent of the internet over a year ago. It could expose the private key used by individuals and businesses to encrypt web traffic. More generally, it allowed anyone with the right skills to retrieve data, up to 64KB at a time, from the memory of a web server without leaving a trace.

Heartbleed served as a long overdue wake-up call for the IT industry; in some IT organisations, the percentage of open-source code used is greater than 25 per cent, meaning there's a lot of open-source code being reused by information technology programmers. While some claimed that open-source code was more secure than in-house-generated code, because millions of eyeballs were looking at it, the reality showed there were still basic flaws in popular software. OpenSSL is arguably one of the most cared-for components in the open-source community, yet that community still completely missed the vulnerability posed by Heartbleed for two years.

The moral of the Heartbleed story is that while IT may continue to rely on open-source components as it develops applications, IT personnel must check, analyse and measure those components for software quality and security risks.
Lev Lesokhin is an executive vice-president at CAST Software
H is also for honey pot and hot wash
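The bug itself was a single missing bounds check in the TLS heartbeat handler: the code trusted the payload length declared by the peer and copied that many bytes into the reply. The following Python is an added example, not code from OpenSSL or from the article. It models the vulnerable logic next to the corrected logic on a constructed "memory" buffer; the record layout (type byte, 16-bit big-endian payload length, payload) follows RFC 6520, while the buffer and the secrets placed after the request are invented for the demonstration.

```python
"""Toy model of the Heartbleed bounds check (added example; constructed memory)."""
import struct

# Constructed: data that happens to sit in memory right after the received request.
SECRETS_AFTER_REQUEST = b"-----BEGIN RSA PRIVATE KEY-----MIIEow(fake)...;session=deadbeef"


def heartbeat_request(payload, declared_len):
    """Build a heartbeat request that *claims* declared_len bytes of payload."""
    return struct.pack("!BH", 1, declared_len) + payload


def build_memory(record):
    """Constructed heap: the received record sits just before data the peer must never see."""
    return record + SECRETS_AFTER_REQUEST


def vulnerable_handler(memory):
    """Pre-1.0.1g logic: trust payload_length and echo that many bytes back."""
    _rtype, declared_len = struct.unpack("!BH", memory[:3])
    return memory[3:3 + declared_len]        # reads past the real payload into the secrets


def fixed_handler(memory, record_len):
    """1.0.1g logic: drop the request if the declared length exceeds what was received."""
    _rtype, declared_len = struct.unpack("!BH", memory[:3])
    if 3 + declared_len > record_len:        # the missing check, in essence
        return None                          # silently discard the malformed heartbeat
    return memory[3:3 + declared_len]


def demo():
    """A 2-byte payload with a declared length of 64: leaked vs rejected."""
    record = heartbeat_request(b"hi", declared_len=64)
    memory = build_memory(record)
    return vulnerable_handler(memory), fixed_handler(memory, len(record))


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable reply:", leaked)       # "hi" followed by 62 bytes of adjacent memory
    print("fixed reply:", safe)              # None
```

The real field is 16 bits, which is where the 64KB-per-request figure comes from, and nothing in the exchange is logged by the server, which is why exploitation left no trace. The lesson for reviewers is the same as the article's: the component was widely used and widely trusted, and the defect was a two-line length check that any audit of untrusted-length handling would have looked for.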

I is for identity management
For practical purposes, an identity is a combination of username and password (you might call it a login, or account) used to access websites such as Facebook, your bank or a favourite internet shopping site.

Between home and work, we have too many identities to keep track of, and most of us add new ones every week. To ease the headache of remembering many complex passwords, we use simple ones, reuse them for various accounts and never change them. This leaves us, and the companies we work for, open to cyber attacks and data breaches, because a password stolen from one site will be tried against every other.

Identity management generally addresses problems caused by having multiple identities. It defines methods for a user to prove who they claim to be – known as authentication – and, in a corporate environment, it ensures employees have access only to those systems, applications and accounts they need for their job, and that access is updated appropriately as roles change – referred to as authorisation.

Third-party identity management software and services should provide identity and access management across systems, devices and applications, whether in the data centre, cloud or mobile devices.
Bill Mann is the chief product officer at Centrify
I is also for incident, information assurance, intrusion and intellectual property
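Two passages in this supplement describe the same mechanism from different ends: Peter Wenham's point that one business owner per data set decides who may read, create, delete, edit, copy or transmit it on a need-to-know basis, and the distinction drawn above between authentication (proving who you are) and authorisation (what your role is allowed to do). The Python below is an added example, not code from Centrify, Trusted Management or the article, that puts both into one request path. The users, roles, passwords, data sets and grants are constructed; the password hashing uses PBKDF2 from the standard library.

```python
"""Authentication, then authorisation on a need-to-know basis (added example)."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random per-user salt; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def build_directory(accounts):
    """Constructed user directory: username -> (role, salt, digest)."""
    directory = {}
    for username, role, password in accounts:
        salt, digest = hash_password(password)
        directory[username] = (role, salt, digest)
    return directory


USERS = build_directory([
    ("alice", "hr_admin", "correct horse battery staple"),
    ("bob", "finance_clerk", "hunter2hunter2hunter2"),
    ("carol", "ceo", "Chief-Exec-2015!"),
])


def authenticate(directory, username, password):
    """Authentication: return the role if the password verifies, else None."""
    record = directory.get(username)
    if record is None:
        hash_password(password)          # same cost as a real check, so timing leaks nothing
        return None
    role, salt, digest = record
    _, candidate = hash_password(password, salt)
    return role if hmac.compare_digest(candidate, digest) else None


# Each data set has exactly one business owner, who grants each role the actions
# it needs. "*" means any authenticated role. Actions are the article's list plus "read".
FULL = {"read", "create", "edit", "delete", "copy", "transmit"}
DATASETS = {
    "hr_records": {"owner": "hr_director", "classification": "sensitive",
                   "grants": {"hr_admin": {"read", "create", "edit"}, "hr_director": FULL}},
    "finance_ledger": {"owner": "finance_director", "classification": "sensitive",
                       "grants": {"finance_clerk": {"read", "create", "edit"},
                                  "finance_director": FULL}},
    "press_releases": {"owner": "marketing_director", "classification": "public",
                       "grants": {"*": {"read", "copy", "transmit"}, "marketing_director": FULL}},
}


def authorise(role, action, dataset):
    """Authorisation: need to know, not seniority. The 'ceo' role holds no grant on
    HR or finance data and is refused exactly like any other role without one."""
    entry = DATASETS.get(dataset)
    if entry is None:
        return False
    grants = entry["grants"]
    return action in grants.get(role, set()) or action in grants.get("*", set())


def request(username, password, action, dataset, directory=USERS):
    """One request end to end. Returns 'ok', 'unauthenticated' or 'forbidden'."""
    role = authenticate(directory, username, password)
    if role is None:
        return "unauthenticated"
    return "ok" if authorise(role, action, dataset) else "forbidden"


if __name__ == "__main__":
    print(request("alice", "correct horse battery staple", "edit", "hr_records"))
    print(request("carol", "Chief-Exec-2015!", "read", "hr_records"))
    print(request("bob", "not my password", "read", "finance_ledger"))
```

The two failure outcomes are kept distinct on purpose: "unauthenticated" is an identity problem (wrong or missing credential), "forbidden" is a policy problem (the owner of that data set never granted this role the action). When a role changes, only the directory entry changes; the grants table stays the owner's decision, which is the separation the article's "access is updated appropriately as roles change" depends on.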

J is for jamming
Jamming is a technique used by attackers to interrupt authorised wireless communication. Jamming techniques fall into one of three categories:
1. Flooding the spectrum using a signal generator.
2. Attacking the transmission collision-avoidance protocols to prevent other stations from transmitting.
3. Exploiting a vulnerability in the protocols that process transmissions.

While the blocking or disrupting of the authorised transmissions may be the end goal, jamming techniques are often deployed as a smokescreen to hide other attacks. In this case, the communications being attacked are often detection or alerting capabilities.

It is impossible to stop the impact of all forms of jamming because of the shared nature of all radio-spectrum communications. The best advice is to set up an alternative communication path that can be used if a device is impacted by jamming.
Steve Armstrong is a certified instructor at the SANS Institute
J is also for joint authorisation

IN PARTNERSHIP WITH SAFEONLINE

Threat – and the innovation dilemma

New aircraft technology, designed to enhance safety, gives hackers a fresh target, warns Jack Elliott-Frey

Even though there are an estimated 100,000 or so flights every day globally, for many people air travel still retains a large fear factor for the simple reason that aircraft disasters, although statistically incredibly rare, still dominate news headlines when they occur. Regardless of the fact that you are more likely to die falling out of bed (a one in two million chance) than in a plane crash (a one in 11 million chance), many people still fear flying.

Unfortunately this article will hardly help to assuage those fears. As many businesses will know, the increasing threat of a cyber attack is something that has been gaining a great deal of media attention in recent years, and the aviation industry now finds itself a target for cyber attacks of various kinds. So is it now possible for hackers to seize control of an aircraft?

Not yet, but the industry is coming under sustained attack from a variety of sources. A security researcher, Chris Roberts, reportedly hacked into an aircraft flight system to demonstrate its vulnerability, only to tweet about it and subsequently find himself detained and questioned by the FBI when he landed.

More recently, LOT, Poland's national airline, had its aircraft grounded following a hack that targeted computers issuing flight plans at Warsaw airport.

What these examples highlight is the vulnerability of the aviation industry to the growing threat of a cyber attack; a direct consequence of the proliferation of technology within the industry. New Boeing models are flown with the help of advanced computer systems, with pilots ceding aspects of control to technology. While this has allowed for great strides in aircraft safety, particularly during landing and take-off, it has also given hackers and other cyber criminals a new target.

There are a multitude of attack methods that pose a threat to airlines. At ground level, phishing attacks are a popular method used by criminals, whereby fake emails are sent to staff in an attempt to retrieve sensitive company information, such as passwords. According to the Centre for Internet Security (CIS), 75 US airports were targeted with attacks of this sort in 2014, highlighting the frequency at which cyber criminals are operating.

Remote hacking and wifi attacks are another form of attack, with flight control systems and wifi networks offering a new means for hackers to compromise an aircraft's command centre. Couple this with "ghost" flights, when a hacker inserts or removes a plane's projection on to radar screens, and there is plenty for the aviation industry to consider alongside existing stringent safety measures.

The aviation industry is just one facing up to this new threat, as it becomes more reliant on technology. Shipping and ports, rail networks, retail and finance are just some of the other areas of business that are facing serious cyber threats as their core business moves online and relies on increasingly connected networks to operate.

The aviation industry offers businesses foresight in how to adapt to this threat without compromising on innovation. While the threat of a hacker taking down a flight is unlikely, the potential to disrupt other airport or airline systems and create widespread disruption is higher and could be incredibly damaging to both the economy and passenger confidence. The aviation industry has taken pre-emptive steps, with major airports in the US stress-testing networks and manufacturers such as Boeing investing more in the security of their on-board systems and the code that supports them.

As the famous FBI quote goes, for businesses "it is not a matter of if you are hacked, but when". For the aviation industry, and other industries that are becoming hot cyber targets, this is a quote that should certainly not go unheeded.
Jack Elliott-Frey is a broker at Safeonline, a Lloyd's insurance broker based in the City of London, specialising in cyber insurance

To find out more, visit: safeonline.com

A-Z OF CYBER SECURITY

K is for Kim Jong-unUnwittingly or otherwise, the leader of North Korea is intimately connected to one of the biggest, most commercially embarrassing and politically contentious data breaches of all time. In November 2014, Sony Pictures Entertainment fell victim to a massive leak of sensitive infor-mation – more than 100 terabytes of data, claimed the assailants – ranging from internal emails, employee salaries and details of yet-to-be-announced movie projects. A group called the Guardians of Peace claimed responsibility and threat-ened further disclosures unless Sony can-celled one of its forthcoming movies.

The film in question was a comedy called The Interview, about a plot to assassinate Kim Jong-un. Sony didn't cancel and the leaks kept on coming. The United States government blamed North Korea, believing Guardians of Peace to be a proxy in an act of state-sponsored cyber crime. Samantha Power, US ambassador to the United Nations, described the Sony hack as both "absurd" and "exactly the kind of behaviour we have come to expect" from North Korea. For its part, the country continues to deny any involvement.

Jon Bernstein

K is also for key and key escrow

L is for licensing

Licensing is one of the weapons in the ongoing fight against hackers and software pirates. Its importance to businesses, software providers and intelligent-device manufacturers cannot be overstated as we usher in the Internet of Things. Tamper-resistant software licensing should help to reduce the risk of hacking and protect intellectual property, with techniques such as code obfuscation and tamper detection being implemented to help reduce piracy. Bear in mind that these techniques raise the cost of reverse engineering rather than preventing it; a determined attacker with the binary in hand can eventually defeat them.

The constant struggle to keep a company's software estate correctly licensed and optimised means that firms often seek the advice of specialists who can help manage these security, risk and compliance issues in one fell swoop. Failure to license and manage software assets properly leaves businesses open to hefty fines from software publisher audits and invariably leaves them paying significantly more than they should for the technology they use.

Gareth Johnson is the CEO of Crayon

L is also for the law and logic bombs

M is for Melissa

The Melissa virus struck in March 1999, infecting at least 100,000 computers during the first weekend of its release. Its ability to spread quickly was tied to a propagation technique that at the time was highly innovative: Melissa embedded its code as a macro inside a Microsoft Word document and emailed itself to the first 50 entries in the victim's Outlook address book. Once a recipient opened the infected attachment, Melissa repeated the process to pursue the next set of victims.

Since most security tools allowed incoming email attachments and did not yet have signatures for Melissa's files, the virus was able to bypass many anti-virus and firewall defences. Moreover, an element of social engineering increased the likelihood that the victim would open the malicious document. Because the list of message recipients was compiled from the previous victim's address book, the recipient would recognise the sender's name and, thinking the message came from a friend or colleague, would not hesitate to double-click the attachment.

The Melissa virus demonstrated how malicious software could spread semi- autonomously by means of difficult-to-control channels such as email and could attach itself to document files that people routinely share.

Variations of these techniques are employed to this day to infect individual and corporate systems worldwide.

Lenny Zeltser is a senior instructor at the SANS Institute

M is also for McAfee (John), malicious code, malware and mobile
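The propagation pattern described in this entry, one sender pushing the same attachment to many distinct recipients within seconds, is something a mail gateway can spot without any signature for the malware itself. The following is an added example, not code from the original article or from any vendor; it runs a sliding-window fan-out check over a constructed, simplified delivery log (ISO timestamp, sender, recipient, attachment hash). A real gateway log would need its own parser.

```python
"""Mail fan-out detector for Melissa-style propagation.

Added example; not code from the article. Flags any (sender, attachment)
pair that reaches `threshold` distinct recipients inside a sliding
`window`. The log format and the sample data are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one delivery per line:
# "<ISO timestamp> <sender> <recipient> <attachment hash>"
# alice: same attachment to 7 people in 3 seconds (the Melissa pattern)
# bob:   one attachment, two recipients, one re-send
# carol: same attachment to 6 people, but spread over an hour
SAMPLE_LOG = """\
1999-03-26T14:00:01 alice@example.com r1@example.com d0c1
1999-03-26T14:00:01 alice@example.com r2@example.com d0c1
1999-03-26T14:00:02 alice@example.com r3@example.com d0c1
1999-03-26T14:00:02 alice@example.com r4@example.com d0c1
1999-03-26T14:00:03 alice@example.com r5@example.com d0c1
1999-03-26T14:00:03 alice@example.com r6@example.com d0c1
1999-03-26T14:00:04 alice@example.com r7@example.com d0c1
1999-03-26T14:05:00 bob@example.com r1@example.com b00b
1999-03-26T14:05:00 bob@example.com r2@example.com b00b
1999-03-26T14:05:01 bob@example.com r1@example.com b00b
1999-03-26T14:10:00 carol@example.com r1@example.com m3m0
1999-03-26T14:20:00 carol@example.com r2@example.com m3m0
1999-03-26T14:30:00 carol@example.com r3@example.com m3m0
1999-03-26T14:40:00 carol@example.com r4@example.com m3m0
1999-03-26T14:50:00 carol@example.com r5@example.com m3m0
1999-03-26T15:00:00 carol@example.com r6@example.com m3m0
"""


def parse_line(line):
    """Split one log line into (timestamp, sender, recipient, attachment)."""
    ts, sender, rcpt, att = line.split()
    return datetime.fromisoformat(ts), sender.lower(), rcpt.lower(), att


def fan_out_alerts(lines, window=timedelta(seconds=60), threshold=5):
    """Return one alert per (sender, attachment) pair whose number of
    distinct recipients inside any sliding `window` reaches `threshold`.
    Re-sends to the same recipient are not counted twice."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    per_key = defaultdict(list)            # (sender, attachment) -> [(ts, rcpt)]
    for ts, sender, rcpt, att in events:
        per_key[(sender, att)].append((ts, rcpt))

    alerts = []
    for (sender, att), evs in per_key.items():
        start, in_window, peak = 0, {}, 0  # in_window: rcpt -> deliveries still inside window
        for ts, rcpt in evs:
            in_window[rcpt] = in_window.get(rcpt, 0) + 1
            while ts - evs[start][0] > window:   # evict deliveries older than the window
                old = evs[start][1]
                in_window[old] -= 1
                if not in_window[old]:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts.append({"sender": sender, "attachment": att,
                           "distinct_recipients": peak,
                           "window_seconds": int(window.total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in fan_out_alerts(SAMPLE_LOG.splitlines()):
        print(alert)
```

Only alice is flagged: bob never reaches five distinct recipients, and carol's six deliveries never fall inside one 60-second window. The threshold is deliberately behavioural rather than content-based, which is the point: it would have fired on Melissa before any anti-virus vendor had a signature.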

N is for network resilience

We all rely on network connectivity in our day-to-day lives – from the mobile networks that keep us in contact with the world to the internet, where we increasingly run our lives. Network resilience ensures that these essential services


Big data, the future of UK cyber security

Serious crime-fighting requires new tools, argues Paul Stokes

In the past three years we have created more data than in all of human history before them; data is officially getting bigger. Data volumes are exploding as the number of gadgets recording and transmitting data, from smartphones to intelligent fridges, industrial sensors to CCTV cameras, keeps growing.

For a business, this vast universe of data could mean 10,000 devices connected to the network transmitting terabytes of data every day. Securing that data is more difficult than ever: a cyber threat is now a needle in a very large haystack, and companies face a huge challenge in how best to protect themselves. In this age of connectivity, it is no longer a case of if your security can be breached but when.

The question many businesses therefore need to ask themselves is this: which technologies are truly effective at safeguarding their networks?

Cyber security and big data analytics are two sets of technologies seen as the top investment opportunities for companies keen to protect themselves against online attacks by organised cyber criminals, syndicates for hire or state actors.

According to a survey by MeriTalk, a US public-sector IT community, cyber threats are now treated as a national emergency in the United States. The same survey found that 86 per cent of government cyber security professionals believe big data analytics is the key to improving cyber security.

This matters because many organisations can currently only protect themselves against previously seen threats, and concentrate on endpoint protection. By combining big data analytics with cyber security, companies can aim to identify threats before they damage the organisation, enabling rapid activation of cyber defence strategies against operational, financial or reputational damage.

The serious crime-fighting software expert Wynyard Group helps government, financial institutions and critical infrastructure organisations find serious threats in the masses of network data, at the intersection of big data analytics and cyber security.

According to Wynyard, what companies need is a solution that analyses all of the data that is currently collected but not analysed, giving organisations a holistic view of threats to their digital networks and devices and uncovering high-consequence cyber threats.

By monitoring the network and establishing what is normal using rigorous analytical algorithms, anomalies are identified and presented to the security operations team for investigation via a powerful analysis component. Providing the ability to identify, explore and interpret the critical information is key to identifying threats.

Businesses can more effectively monitor the security of their network by highlighting the highest-priority threats that lie hidden amid the large volume of data, and feeding those threats directly to the security teams for immediate human investigation.

By identifying the "unknown unknowns" on a network (previously unseen and unusual patterns and anomalies), advance notice of potentially malicious activity is provided, which in turn can quickly be triaged and managed by the security team.
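The loop described above, learning what is normal for each host and surfacing departures from it for a human to look at, can be shown in a few dozen lines. What follows is an added example and not Wynyard's code or part of the original article. It scores each host's traffic for today against that host's own history using the modified z-score (median and median absolute deviation), which a single extreme day cannot drag around the way a mean and standard deviation can. The host names and byte counts are constructed.

```python
"""Baseline-and-anomaly scoring of per-host network volume.

Added example; not Wynyard's code. Learns "normal" per host from a
14-day history and flags today's outliers. Hosts and numbers are
constructed.
"""
from statistics import mean, median

# Constructed history: host -> outbound megabytes per day over the last 14 days
HISTORY_MB = {
    "ws-01": [410, 395, 430, 405, 420, 398, 415, 440, 402, 425, 418, 409, 431, 412],
    "ws-02": [120, 135, 128, 122, 140, 131, 119, 126, 133, 129, 124, 138, 121, 130],
    "db-03": [2100, 2050, 2200, 2080, 2150, 2120, 2090, 2170, 2110, 2060, 2140, 2130, 2095, 2105],
    "kiosk-04": [50] * 14,           # a host whose volume never varies at all
}
# Constructed figures for today: ws-02 is pushing seven times its usual volume
TODAY_MB = {"ws-01": 425, "ws-02": 900, "db-03": 2160, "kiosk-04": 58}


def modified_zscore(history, value):
    """Score `value` against `history` with the Iglewicz-Hoaglin modified
    z-score: 0.6745 * (x - median) / MAD. When MAD is zero (more than half
    the days are identical) fall back to the mean absolute deviation, and
    if that is zero too, any change at all is infinitely surprising."""
    med = median(history)
    mad = median(abs(v - med) for v in history)
    if mad:
        return 0.6745 * (value - med) / mad
    mean_ad = mean(abs(v - mean(history)) for v in history)
    if mean_ad:
        return 0.7979 * (value - med) / mean_ad
    return 0.0 if value == med else float("inf")


def anomalous_hosts(history_by_host, today_by_host, threshold=3.5):
    """Return [(host, score)] for hosts whose |score| exceeds `threshold`,
    most anomalous first. 3.5 is the conventional cut-off for the
    modified z-score; hosts with no history are skipped, not scored."""
    scored = [(host, modified_zscore(history_by_host[host], value))
              for host, value in today_by_host.items()
              if host in history_by_host]
    flagged = [(host, s) for host, s in scored if abs(s) > threshold]
    return sorted(flagged, key=lambda hs: -abs(hs[1]))


if __name__ == "__main__":
    for host, score in anomalous_hosts(HISTORY_MB, TODAY_MB):
        print(f"{host}: score {score:.1f} -> send to SOC for investigation")
```

Two hosts come out: ws-02, whose 900 MB is roughly 95 MADs above its median, and kiosk-04, where the history has no spread at all so even a small change scores as infinite. That second case is the one to watch in practice: a per-host baseline with no variance will page the team on every change, so a real deployment either requires a minimum history or falls back to a fleet-wide baseline for such hosts. The output is a ranked queue for a human, as the text describes, not an automatic block.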

The future of cyber security for organisations with data to protect therefore lies in accepting that malicious threats against a network are constant, current and increasing in number and complexity. By combining big data analytics with cyber security, companies can arm themselves against this insidious threat by identifying it at source, investigating high-priority threats, and responding rapidly to compromise before irreparable damage is done to the organisation.

Paul Stokes is the chief operating officer for Wynyard

To find out more, visit: wynyardgroup.com

IN PARTNERSHIP WITH WYNYARD GROUP


How safe are your crown jewels?

No business would leave the office front door unguarded, but when it comes to access to their most valuable or sensitive information the door is often left wide open. It makes no sense, says Joe Jouhal, especially as there are new tools and techniques that will help slam the door shut

A few months ago, a chain of Yorkshire tea shops found themselves in the spotlight because someone stole all their customers' information.

It's hard to think of a more unlikely target for a hack. But it happened. And Bettys had to apologise to all its customers, review its information security and no doubt spend many thousands of pounds trying to put things right.

This summer, the cyber hacking finger of fate pointed at Carphone Warehouse. Before that, the high-profile hack was the US federal government's HR department; and a while back, the name on all information security lips was Sony . . . and Target . . . and eBay . . . and Home Depot . . . and JPMorgan Chase.

When it comes to information security, there is no typical victim. Anyone and everyone has the potential to enter the firing line. Next week it could be you.

How to protect yourself: start with your crown jewels

Companies today have an overflowing amount of information and multiple routes in to reach it. For many, the challenge is where to start. And our answer is always: begin with your crown jewels. Step one is to decide what your company's crown jewels look like. What information constitutes the lifeblood of your business? What is secret, sensitive or potentially damaging?

Step two is to find it, all of it (which is trickier than you might think for many companies). Step three is to decide which layers are needed to keep it safe.

There is no single policy or piece of technology that will provide total protection; a layered approach is what the government's cyber and information security advisers at GCHQ recommend to business.

In this unnerving and threatening landscape, we still need good old-fashioned perimeter prevention. But we need added layers of protection, detection and mitigation, and a plan in place to put things right when they go wrong, too.

Six activities to help protect your crown jewels

1. Make detection part of your strategy
Many organisations have already been breached; they just don't know it yet. And the longer a threat sits within your systems, the more potential there is for damage (as Sony can testify). Detection can be a more expensive option. But if you can't afford to take the risk, it's a step you need to take. Detection systems such as Damballa Failsafe will give you the reassurance that anything that does get through will be dealt with as quickly and efficiently as possible, before it can do unimaginable and devastating damage.

2. Know where your sensitive data is (and protect it)
Many organisations don't know where their most sensitive data is held or who has access to it. This increases the risk, and doesn't allow for proper risk assessment or threat mitigation. Nuix's Information Governance tool can address this.

3. Look after your data when it's inside, and outside, your organisation
Today, in our interconnected world, our data often has to be shared with people outside our systems. Don't make it easy for hackers and thieves to steal and share it. Information rights management, such as Seclore FileSecure, can allow you control of your data whether it is inside or outside your organisation.

4. Review and limit access arrangements
Removing admin rights can mitigate 97 per cent of critical Microsoft vulnerabilities (the figure comes from Avecto's analysis of Microsoft's 2014 security bulletins). Least privilege is cheap compared with what it prevents: review who holds administrative rights, and remove those that day-to-day work does not require.

5. Protect the endpoint
Access to company data through many and multiple devices can be a weak point in your security plan. Introducing technology such as Avecto's Defendpoint – which is already used by many banks, government agencies, aerospace companies and Formula 1 teams – will keep your devices secure but still easy to use.

6. Look seriously at insurance
Insurance will not stop an attack, but it lessens the financial impact. It gives a financial cushion to help you deal with the fallout of an attack, and insurers' conditions encourage best, risk-limiting practice.

IN PARTNERSHIP WITH AVATU

Find out more at a one-day seminar for senior professionals. Free to New Statesman readers

Join an Avatu seminar for senior professionals to discover more about the challenges faced by business and the ways in which leaders can put organisations back on the offensive by protecting their "crown jewels".

Are you really protecting your crown jewels?

Organisations hold an abundance of information which is essential to their business, but which can also bring down chief officers and hit share prices if it gets into the wrong hands (through internet hackers or rogue/careless insiders).

But companies do not always understand or appreciate the full extent of the risk, and how they can proactively mitigate it.

This free seminar for senior personnel will:
- Explore the risks from cyber and insider threats
- Discuss some of the proactive solutions to put you back on the front foot
- Hear from chiefs of well-known companies about how they protect their most valuable information, and the lessons they have learned

Date: 22 October 2015
Venue: Institute of Directors, Pall Mall, London SW1
Suitable for: people in senior positions, particularly those in a strategic role, such as MDs, CEOs, CIOs, CISOs, CTOs, IT directors, etc.

Also suitable for: senior people with direct responsibility for information security, information governance, IT or network security, cyber security or risk management.

Joining fee: free to NS readers. Email: [email protected] or phone: 01296 621 121 to join or to find out more. Quote "New Statesman" when you book and the event will be free.


are maintained to an acceptable level whenever there is disruption.

In cyber security, the classic disruption is a service swamped by an unusually high volume of requests, or by malformed or invalid requests: a denial-of-service (DoS) attack. When that traffic is launched from a large number of compromised systems at once, it is a distributed denial-of-service (DDoS) attack, and it is far harder to filter because no single source stands out.

Network and service providers put in place technologies that detect this surge in requests and scrub the traffic, dropping the attack traffic while passing legitimate requests, to provide resilience and maintain services. They must also ensure that the applications themselves are not vulnerable to attack, since a request that is cheap for the attacker to send but expensive for the server to process can exhaust resources at far lower volumes than a bandwidth flood.

Garry Sidaway is a senior vice-president at NTT Com Security

N is also for non-repudiation
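The detect-then-scrub cycle this entry describes, and the difference between a flood from one source and a distributed one, can be shown on a small constructed traffic log. This is an added example, not code from the article or from NTT Com Security: it buckets requests per second, flags seconds whose total rate is far above a baseline, names the dominant source where there is one, and then shows that per-source scrubbing removes the single-source flood but leaves the distributed one untouched. Addresses are drawn from the documentation ranges.

```python
"""Request-rate spike detection and per-source scrubbing.

Added example; not code from the article. The traffic sample is
constructed: one normal second, one second dominated by a single client,
one second with 50 clients sending 3 requests each.
"""
from collections import Counter, defaultdict
from datetime import datetime


def make_sample():
    """Constructed log lines: '<ISO timestamp> <client ip> <status>'."""
    lines = []
    for i in range(15):                         # 10:00:00 normal traffic, 15 clients
        lines.append(f"2015-09-18T10:00:00 192.0.2.{i + 1} 200")
    for _ in range(100):                        # 10:00:01 one source hammering
        lines.append("2015-09-18T10:00:01 203.0.113.9 200")
    for i in range(20):                         # ...plus 20 ordinary clients
        lines.append(f"2015-09-18T10:00:01 192.0.2.{i + 1} 200")
    for i in range(50):                         # 10:00:02 50 sources, 3 requests each
        lines.extend([f"2015-09-18T10:00:02 198.51.100.{i + 1} 503"] * 3)
    return lines


SAMPLE_LOG = make_sample()


def parse(line):
    ts, ip, status = line.split()
    return datetime.fromisoformat(ts).replace(microsecond=0), ip, int(status)


def per_second(lines):
    """second -> Counter(client ip -> requests in that second)"""
    buckets = defaultdict(Counter)
    for line in lines:
        if line.strip():
            ts, ip, _ = parse(line)
            buckets[ts][ip] += 1
    return buckets


def classify(buckets, baseline_rps=20, spike_factor=5, min_sources=10):
    """Flag seconds whose total exceeds baseline_rps * spike_factor and
    say what kind of flood each one looks like."""
    verdicts = []
    for sec in sorted(buckets):
        counts = buckets[sec]
        total = sum(counts.values())
        if total < baseline_rps * spike_factor:
            continue
        top_ip, top_n = counts.most_common(1)[0]
        if top_n > total / 2:
            kind = "single-source"      # one client dominates: block or rate-limit it
        elif len(counts) >= min_sources:
            kind = "distributed"        # many sources, each modest: needs upstream scrubbing
        else:
            kind = "spike"              # abnormal, but no clear attacker
        verdicts.append({"second": sec.isoformat(), "total": total,
                         "sources": len(counts), "top": top_ip, "kind": kind})
    return verdicts


def scrub(lines, per_source_limit=30):
    """Drop all traffic from any source that exceeds per_source_limit
    requests in a single second. Effective against a single-source flood;
    a distributed flood stays under the limit on every source."""
    noisy = {ip for counts in per_second(lines).values()
             for ip, n in counts.items() if n > per_source_limit}
    return [l for l in lines if l.strip() and parse(l)[1] not in noisy]


if __name__ == "__main__":
    for v in classify(per_second(SAMPLE_LOG)):
        print("before scrub:", v)
    for v in classify(per_second(scrub(SAMPLE_LOG))):
        print("after scrub: ", v)
```

Before scrubbing, 10:00:01 is reported as a single-source flood from 203.0.113.9 and 10:00:02 as distributed. After scrubbing, only the distributed second remains: each of its 50 sources sends three requests, well under any sensible per-source limit, which is exactly why DDoS mitigation has to happen upstream, on aggregate volume and traffic shape, rather than at the victim with a per-IP rule.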

O is for outside threat

As opposed to insider threat, this represents the majority of threats to an organisation. Insider threats typically have some level of knowledge and privilege; outsiders start with neither and must acquire them.

There are different levels of outside threat, ranging from reconnaissance attacks to determine weaknesses in the perimeter defences of an organisation, to social engineering, where the outside attacker uses social networking, news articles and personal calls to gain an insight into the person's or company's defences. This knowledge is then typically used to write a targeted email that carries malware (malicious software) or a link to it.

The majority of organisations focus their attention on outside threats and put in place a range of technologies that protect the perimeter of the organisation. But with the advent of cloud computing and an increasingly mobile workforce, these defences are being bypassed.

This is where, with the right security processes and policies, businesses can educate their workforce to help reduce the risk of outside threats.

Garry Sidaway is a senior vice-president at NTT Com Security

O is also for offline attack

P is for password

The comedian John Oliver recently observed that cyber security is "the only reason we know our mother's maiden name". The use of passwords to grant access to software and services online is the most common security measure we use, and the most vulnerable. To combat these vulnerabilities, many companies insist on more complex passwords – longer, with a mix of upper- and lower-case letters and numbers. They also insist that the password is changed at regular intervals, although forced rotation tends to push users towards predictable variations of the same password.

As more than one security expert in-sists, the only secure password is the one you can’t remember.

However, there's no getting away from the impact of human behaviour and the limits of memory. According to figures from the credit-checking agency Experian, we have an average of 26 online accounts at any one time. Reuse of passwords across accounts and scribbled reminders on Post-it notes are an inevitable consequence, and reuse is what turns one site's breach into a takeover of every other account that shares the password. While two-factor authentication can help mitigate misuse, biometrics and other forms of identity management appear to be likely rivals to the alphanumeric password. Nevertheless, no solution is entirely safe – or foolproof.

Jon Bernstein

P is also for passive attack, personally identifiable information and phishing

Q is for quarantine

Quarantine is a method of isolating a file when it is thought to have been infected with a virus. The aim is to protect other files on the same or connected devices from the spread of the software virus. Anti-virus software and tools will

Edward Snowden: the ultimate breach-of-privacy dilemma


Seven steps to effective training

Company guidelines, training and policy documents are often not fit for purpose. Griffin House Consultancy offers an alternative approach

In the event of a significant data breach, whether due to a cyber attack, a malicious act, negligence or human error, the Information Commissioner's Office (ICO) will conduct an investigation. The commissioner will want to know what action you took to protect the personal data entrusted to your care and what you did to mitigate any loss, damage or distress to the data subject.

As part of the investigation the ICO will ask: "What training did you give your team?" An inadequate answer to this question will influence the ultimate decision, any enforcement action and possible monetary penalties.

We have conducted many compliance reviews and audits, and often company guidelines, training and policy documentation are not fit for purpose. Many organisations are aware that they need a data protection policy or training guide, but simply provide staff with an A4 sheet of paper stating: "Staff must process personal data in accordance with the Data Protection Act." Some elaborate by listing the eight principles.

While any policy is better than none, this falls far short of demonstrating to the ICO a commitment to protecting data. To help you, these are our top tips for creating an effective data protection training programme.

1. Perform a privacy impact assessment (PIA) to understand what personal data you hold. This will tell you the nature of the information, where it is held and how securely. Crucially, it will identify the impact of a breach on the data subject.
2. Armed with the results of the PIA, decide what level of training you need to give your team members to protect this data.
3. Identify the different levels of responsibility and segment your training accordingly. It may be sufficient to train entry-level staff with little access to data using an e-learning package, or to get them to watch one of the ICO's free training videos. Supervisors and managers may benefit from external courses, such as our Level 2 Certificate in Data Protection. For Data Protection Officers and in-house trainers, longer residential courses may be suitable.
4. Ensure the training you provide is up to date and relevant to the task in hand. Provide real-life examples, such as "at Griffin House we ensure that information is fairly and lawfully obtained by giving a clear statement on our website, before any data is collected".
5. Keep the training interesting and appropriate to the level of experience. For example, if you are training your reception team how to handle inbound telephone enquiries, try role-playing. Academic study has its place, but people tend to engage more when the training is personalised.
6. Keep records of your training. You will need to prove to the ICO that it was delivered; getting your employee to sign off the training record is best practice. Make data protection part of your new employee induction process and update the team at regular intervals.
7. Remember to tailor policies and provide training for all stakeholders who can access or influence your data flows, including volunteers, subcontractors and data processors. A data breach may not just result in the loss of personal information, but also of commercially sensitive and confidential information.

Never underestimate the positive effect of culture in an organisation. If you instil a culture of good governance and actively encourage and praise best practice, your team will take ownership of compliance and seek out vulnerabilities, propose im-provements and apply pressure to their peers to keep the organisation safe.

Training is a critical element in protecting your organisation, but even with all of these precautions, sadly it is not a case of "if" you are a victim of a cyber attack but "when". We therefore also recommend that organisations consider additional security regimes such as Cyber Essentials or ISO 27001.

Griffin House Consultancy is a data protection and information governance consultant, auditor and trainer

To find out more, visit: griffinhouseconsultancy.co.uk

IN PARTNERSHIP WITH GRIFFIN HOUSE CONSULTANCY


So you're serious about cyber security?

What better way to demonstrate that you're meeting the challenge than by having someone independent assess your performance, asks Stuart Green

The phrase "We're very serious about cyber security" seems to have become a standard party line. Usually, this statement follows a very public announcement of a breach or cyber attack, or comes when shortcomings have been highlighted in a gap analysis and an organisation is about to justify doing nothing about it.

Yes, you read that right. Some organisations will pay for a gap analysis to highlight their vulnerabilities and weaknesses and then simply do nothing about it. Why? Sometimes it's the perceived cost of rectifying the problems. Sometimes there are personalities within the organisation (often the finance director or IT manager) who strongly object to the independent findings and block any subsequent action. Often, though, it's because the organisation just doesn't get it: "we've always worked this way and we've been fine so far" is a common closing remark.

With larger and more sophisticated cyber attacks now being reported on at least a monthly basis (Ashley Madison, Carphone Warehouse, and so on), as consumers we want to know that the companies we deal with are protecting our identities and any information they hold on us. As consumers we are becoming more savvy, with higher expectations.

Why, then, do the vast majority of small and medium-sized enterprises forget this when they deal business-to-business? Why is supply chain security such an alien concept to some? An organisation's supply chain is vital to its existence, and it doesn't take an experience like Target's, whose attackers got in using a heating and ventilation contractor's network credentials, to appreciate that.

Take the field of accountancy. Arguably there is an accountant or accountancy practice in every supply chain, and this professional area of expertise often goes unchallenged on how it protects data. Furthermore, this one profession appears to be the first to resist any form of change to protect themselves and their clients from cyber attack. Yet many claim "we're very serious about cyber security". Really? Prove it.

So, in the world of all things cyber, what can be done to strengthen a supply chain and combat this apparent apathy?

Well, the UK government has an answer to that in the form of its Cyber Essentials scheme. Launched in 2014, Cyber Essentials is a recognised certification that any organisation can attain. It consists of five technical control areas (boundary firewalls and internet gateways, secure configuration, access control, malware protection and patch management) that can be implemented without great difficulty to strengthen an organisation against cyber attack. CESG, the information security arm of GCHQ, will be the first to point out that an organisation which meets the Cyber Essentials standard is protected against around 80 per cent of common cyber attacks. Now that sounds like a great place to be.

With two levels of certification, Cyber Essentials (a self-assessment questionnaire verified by a certification body) and Cyber Essentials Plus (which adds independent technical testing of the controls on your own systems), organisations can demonstrate that they have self-assessed or have been assessed by an independent auditor. In this age of consumer cyber-enlightenment, what better way to demonstrate that you're meeting the challenges of cyber threats head-on than by having someone independent come in and formally say what a jolly good job you're doing? That's worth shouting about – marketers take heed!

Cyber Essentials is in its early days, but more and more organisations are feeling the benefit of going through the process of attaining the certification. Even those with ISO 27001 find the process reveals something they didn't know about their organisation, and they see the value in it. Cyber Essentials is the one element that we should insist on having in our supply chains.

So, the next time you hear "we're very serious about cyber security", look for the Cyber Essentials badge. Those who are serious will have it and can prove it. Those who aren't? They're probably speaking after a cyber attack.

Stuart Green is managing director of Stuart J Green Digital Engineering Ltd, an information security specialist

To find out more, visit: sjgdigital.com

IN PARTNERSHIP WITH STUART J GREEN DIGITAL ENGINEERING LTD


quarantine a file when they cannot confirm what it does or, simply, are unable to clean it (remember, the virus maker is always one step ahead of the virus eliminator). The quarantined file is stored in a form that cannot be executed and is often sent for analysis before being destroyed. This helps anti-virus firms develop and update signatures and detection rules to deal with similar attacks in the future.

Jon Bernstein

Q is also for quadrant and quality of service

R is for risk assessment

A broad set of steps that help an organisation understand the likelihood, implications and potential damage of a cyber attack. Risk assessments should be carried out regularly to counter threats that take advantage of large, highly dynamic and complex IT environments, new technology vulnerabilities and evolving human processes – in other words, your "attack surface".

Risk assessments are often used to support regulatory requirements and include a broad series of activities. These range from basic steps, such as automated vulnerability scans, to more advanced assessment methods, including simulated attacks carried out by professional penetration testers. These real-world exercises culminate in a comprehensive report of how the attack was carried out and the potential ensuing damage. They also test your detect, contain and respond capabilities, which traditional risk assessments leave unexamined.

Consider these questions when contemplating a risk assessment:
1. Is there a set of security policies, such as employee internet and email usage, that meets best-practice guidelines?
2. Is there a defined and regularly exercised process for detecting an attack or an actual breach?
3. Is there a response plan for an attack, and does it actually work in practice?

Panos Dimitriou is chief technology officer and co-founder of the Encode Group

R is also for resilience and rogue devices

S is for Snowden, Edward

How's this for an ethical dilemma? What would you do if the only way to demonstrate a breach of privacy and trust on an industrial scale was to reveal highly confidential data? In effect, that is the predicament Edward Snowden, a former National Security Agency contractor, faced before he leaked a raft of documents from a top-secret surveillance programme sanctioned by the US government.

In early summer 2013, he shared the information with a handful of journalists. Soon stories appeared in the New York Times, the Washington Post, Germany's Der Spiegel and the Guardian in the UK. Snowden – a traitor to some, a heroic whistleblower to others – was charged on two counts under the Espionage Act 1917, including wilful communication of classified material to unauthorised persons.

Jon Bernstein

S is also for spam, spoofing and spyware

T is for Target

If ever there was a case of corporate nominative determinism, this was it. Think: if your company is called Target, beware attack. The US retailer with that name on its back suffered a catastrophic cyber breach in the run-up to Christmas 2013. Malware placed on the retailer's point-of-sale systems scraped card data from memory as customers paid; in all, the attackers obtained payment-card details of some 40 million customers and the names, addresses, phone numbers and email addresses of a further 70 million.

Reputational and financial damage followed. The attack had a human cost too: chief executive and chairman Gregg Steinhafel and chief information officer Beth Jacob both lost their jobs.

The winners? The hackers who reportedly sold between one and three million of the card numbers for $54m; and the technology suppliers who benefited from Target's subsequent multimillion-dollar investment in cyber security.

Jon Bernstein

T is also for threat and Trojan Horse

U is for user

You may not realise it, but you are a target. If you have an email address, a mobile device, a computer or any online accounts, cyber criminals are targeting you. Fortunately, you can protect yourself and your family by taking some simple steps.
1. Use common sense. If you receive an email, message or phone call that seems odd, suspicious or too good to be true, it may be an attack.
2. Use strong passwords to secure your online accounts and make sure you use a different password for each account. Can't remember all your passwords? Not a problem. Consider using a password manager. Finally, use two-step verification for all of your accounts whenever possible; it is one of the most effective single steps you can take to secure an account, because a stolen password alone is no longer enough to log in.
3. Protect your mobile devices with a strong PIN or passcode, or use fingerprint authentication. That way, if a device is lost or stolen, no one can access your photos, data or apps.
4. Keep your computers and mobile devices updated and current.

Lance Spitzner is an instructor at the SANS Institute

U is also for unauthorised access
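The two-step verification recommended here, and the two-factor authentication mentioned under P for password, most often means a time-based one-time password: a six-digit code that an authenticator app derives from a shared secret and the current 30-second time step. The following is an added example, not code from the article, showing both sides of that scheme in standard-library Python: generating the code (RFC 4226 HOTP under RFC 6238 TOTP), verifying it with tolerance for clock drift, and producing the otpauth URI an app scans at enrolment. The secret used is the RFC test vector, not a real key; the account and issuer names are invented.

```python
"""Time-based one-time passwords (RFC 6238) on top of HOTP (RFC 4226).

Added example; not code from the article. Standard library only. The
secret below is the published RFC test vector, not a real key.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote


def hotp(key, counter, digits=6, algo=hashlib.sha1):
    """HOTP: HMAC the 8-byte big-endian counter, dynamically truncate to
    31 bits, and keep the last `digits` decimal digits (zero-padded)."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, at=None, step=30, digits=6, algo=hashlib.sha1):
    """TOTP is HOTP with the counter set to floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(key, int(at // step), digits, algo)


def verify_totp(key, code, at=None, step=30, digits=6, skew=1):
    """Accept the code for the current step and `skew` steps either side,
    to tolerate clock drift. Compare in constant time and check every
    candidate rather than returning early, so timing does not reveal
    which step matched."""
    at = time.time() if at is None else at
    counter = int(at // step)
    ok = False
    for c in range(counter - skew, counter + skew + 1):
        ok |= hmac.compare_digest(hotp(key, c, digits), str(code))
    return ok


def provisioning_uri(secret, account, issuer, digits=6, step=30):
    """otpauth:// URI for enrolling the secret in an authenticator app."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&digits={digits}&period={step}")


if __name__ == "__main__":
    KEY = b"12345678901234567890"   # RFC 4226 / RFC 6238 test secret
    print("code for T=59:", totp(KEY, at=59))            # 287082
    print(provisioning_uri(KEY, "alice@example.com", "Example Corp"))
```

Two things the code cannot do for you and a server must: rate-limit verification attempts, because a six-digit code falls to brute force in a million guesses if you let an attacker try them all, and refuse to accept the same code twice within its validity window, so a code captured over a shoulder or by phishing cannot be replayed.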


A-Z OF CYBER SECURITY


18 | NEW STATESMAN | 18-24 SEPTEMBER 2015


V is for verification

Online verification is established through cryptographic keys and digital certificates, which act as the foundation of all cyber security. It is a critical element in establishing online trust for secure communications, commerce, computing and mobility. A certificate is a digital form of identification. Like a passport or other user identification, digital certificates provide generally recognised proof of identity and are intended to verify and secure data between users, systems and applications and devices.

Digital certificates rely on public key cryptography for authentication. When a certification authority issues a digital certificate, it is signed with a private key. In order to verify the authenticity of a digital certificate, the user can obtain the public key and use it against the certificate to determine if it was signed by the certification authority. Unfortunately, even this verification process can be subverted.

Cyber criminals are able to compromise keys and certificates that are not properly protected to get around security controls, hiding in your system, monitoring what you do online and compromising personal data.

Kevin Bocek is a vice-president at Venafi

V is also for vulnerability and virus

W is for worm

The one characteristic shared by all computer worms is the capability to replicate. Whereas a conventional computer virus will attach itself to a file or a software program, a worm will commonly use failings in computer security to gain access and then spread itself across the network without human intervention.

Some worms have a malicious payload attached that might delete or corrupt files, for example. Others do not. Nevertheless, the simple act of replication at speed can cause significant disruption. By consuming sufficient system memory or network bandwidth, it can degrade – or stop – web and network server or standalone computer access. An example of a payload-less worm was MyDoom that hit Microsoft Windows PCs in 2004. It became the fastest-spreading email worm to date and caused significant disruption.

Jon Bernstein

W is also for white team and wifi

X is for X-rated

Beware dark recesses of the web. That seemed to be the verdict of researcher Conrad Longmore, who analysed diagnostic data from Google and concluded that many popular pornography websites are infected with multiple instances of malware. Longmore told the BBC in 2013 that the root of the malicious files was some of the adverts featured on these sites. “We call these malicious advertisements ‘malvertising’,” he said. The website owners disputed the findings.

Jon Bernstein

X is also for X.509 Public Key Certificate

Y is for Generation Y

The term Generation Y applies to those who were born after 1980 and were raised in a world of technology. As a result they are more tech-savvy and knowledgeable than previous generations. Generation Y employees are more aware of the cyber risks posed by new social, mobile and cloud technologies than older, probably management-level colleagues.

According to a recent Blue Coat survey of the online behaviour of UK employees, 62 per cent of 18-to-24-year-olds take effective precautions against unauthorised access to their social media data on mobile apps. They routinely check the identities of strangers before connecting with them, according to the survey results. By contrast, only 33 per cent of 45-to-54-year-olds check requests before accepting invitations to connect.

Christophe Birkeland is chief technical officer of malware analytics at Blue Coat

Y is also for you

Z is for zero day

A zero-day vulnerability is a previously undisclosed and exploitable weakness in a computer application for which no security patches are publicly available. The term refers to how many days the vendor of the compromised software has known about the vulnerability. Zero-day attacks or zero-day malware are computer programs developed to exploit this.

Best practice is to disclose new vulnerabilities responsibly and confidentially, by sending information about vulnerable software to the party responsible for its creation so fixes can be made available before it is disclosed to the public.

However, there are individuals who identify and use zero-days for financial, political or social gains. These agents include black-hat hackers, criminals and private companies who research, develop and sell zero-day vulnerabilities.

Some government agencies exploit zero-days as part of their attempts to disrupt, degrade or disable a rival government’s operations. A real-life use of a zero-day vulnerability was Stuxnet in 2010, which disabled uranium enrichment facilities in Iran.

Christophe Birkeland

Z is also for zombie


Cyber security, a must-do for SMEs

For many small businesses, cost has become a barrier to good protection. It needn’t be, says Bronzeye

Cyber crime is a top priority, says the government. The police barely scratch the surface of the problem, says the commissioner of the City of London Police. Most cyber crimes we hear about involve banks. Perusing victim lists, you would be forgiven for thinking that this is an American disease. You would be wrong. We are equally vulnerable and suffer successful attacks just as frequently. We’re just better at hiding it.

Cyber crimes that make the news invariably involve victims who have been negligent – giving a conman banking details he then uses to raid the bank account, for example. But where money goes walkies and financial companies can’t determine how it has happened, they refund the losses and keep very quiet about it – usually under non-disclosure terms.

There are many companies whose security has been breached and had intellectual property stolen. Many will not know that this has happened, and for small to medium-sized enterprises (SMEs) that lost data may ultimately be a cause of their demise – and they will probably never know.

The cyber security industry paints itself as a superhero fighting off hackers. This is nonsense. It is a multibillion-dollar industry which relies on bad guys to stay lucrative, according to John Prisco, a man who has made it his mission to highlight its many failings. Much of the software doesn’t work anyway, and they know it, he says.

Hyperbole? Probably not. Scale and deep pockets are the primary drivers for vendors. They are much less interested in SMEs. They have herds of cash-cow solutions to sell and they are going to sell them! The cumulative cost – hardware, software, licensing, people – quickly zooms out of the reach of most SMEs. For any company, the consequences of being insecure, getting hacked and subsequently deemed negligent are horrendous. And it is easy to get there. Goofing PCI compliance, which is pretty easy, equals big trouble – into Kerplunk! territory for many. That’s a real dichotomy for SMEs.

Things are changing. New laws create liability and dictate responsibility. Most regulations are written with big companies – primarily banks – in mind. Unfortunately, a law for one is a law for all and compliance is a massive drain. It is meant to force enterprises to focus on their cyber security. For SMEs it quickly becomes a barrier. In response, many do nothing and hope for the best: “It hasn’t happened, so it’s not a problem.” That is becoming suicidal. When “it” does happen, it will be too late. If you are not ready, in a moment, “it” becomes an insurmountable problem and you are probably going out of business.

Three-quarters of large breaches enter through third-party systems. Hackers know defences will be weaker here. Only about 15 per cent of larger businesses conduct meaningful checks on supply-chain cyber security.

Criminals work on risk/reward. Cyber criminals are criminals. Good cyber security increases hackers’ risks and makes you less of a target – more attractive to customers and partners, too. Every enterprise can improve cyber protection – surprisingly inexpensively. Soon it will be a prerequisite to have excellent cyber security. Regulators will bear down on larger companies who will simply pass the requirement on.

No one can guarantee that any system is unbreachable, but that doesn’t mean doom and gloom. An engaged management that has identified the threat can create strong cyber defences through judicious use of resources and sensible governance. Then, when an intruder gets in, “it” is identified and removed promptly. This can be achieved for a budget within reach of all.

Einstein said that insanity was doing the same thing over and over again and expecting a different result. Let’s cut the insanity and change the way we think.

Bronzeye IBRM offers an affordable, subscription-based, information and cyber security service to SMEs and others

To find out more, visit: bronzeye.com

IN PARTNERSHIP WITH BRONZEYE


VIEW FROM THE EXPERTS

Where does the biggest threat lie? And what steps should organisations, large and small, take to mitigate risk? We ask four cyber specialists

1. How would you convince UK plc to take cyber security more seriously?

Catherine Askam, senior manager of cyber risk services at Deloitte UK

The recent large-scale cyber incidents have demonstrated the increased need for improved security in UK organisations. Cyber threats are growing and cyber attacks are moving from disruptive to destructive.

The UK has experienced many large-scale point-of-sale compromises and credit-card thefts, but now we’re also seeing new targeted attacks. For example, there have been large-scale compromises of healthcare companies and hospitals for the theft of personal records.

This isn’t surprising – the personal-data trading market is starting to generate real rewards for criminals. The loss of data from any organisation and the rise of the destruction of data is very concerning.

John Berriman, chair of cyber security practice at PricewaterhouseCoopers

Every organisation needs to be confident that it is fit for the digital age. As they have capitalised on new operating platforms, the amount of data they hold has increased phenomenally. Data is the lifeblood of a business: it underpins its every relationship, decision and interaction.

Information is now a greater source of competitive advantage than ever before, but only if it is secure. It is essential to create a risk-aware culture led from the top, with the boardroom showing it recognises the potential risks at the same time as it embraces opportunities for growth.

Mark Brown, executive director, cyber security and resilience at Ernst & Young

Cyber threats remain one of the most significant risks facing UK businesses today. The blistering pace of technological change and the cyber threats that come with it are only going to accelerate. The UK government has made cyber security one of its priorities, so UK plc should need little convincing about the seriousness of this threat.

Businesses should remember that cyber security is not just about threats; it also offers a tremendous opportunity for organisations to turn the challenge around. The risks associated with cyber security must not be viewed solely as a danger, but more innovatively as opportunities for business to benefit by better leveraging technology. Cyber security can make good business sense, and those businesses embracing cyber opportunities stand to gain significant advantage over competitors in an ever more global marketplace.

Paul Taylor, UK head of cyber security practice at KPMG

Businesses are increasingly realising that cyber security is something that they cannot ignore. Our own survey of FTSE-350 companies found that 74 per cent of them thought their boards were taking cyber security very seriously, yet just 39 per cent of board members saw cyber risk as an operational one when comparing it to other threats.

Businesses need to consider that if subject to a cyber breach, they risk losing money or intellectual property, regulatory fines, clear-up costs, reputational damage and – perhaps most importantly – losing customer confidence.


Protection for when your defences fail

Looking for comprehensive and inexpensive insurance? Max Perkins explains where to start

Businesses are beginning to realise the potential costs of a cyber breach and they’re asking us what they can do to protect themselves. We help them to understand their risks and what’s in the insurers’ minds, so they can address these issues and get the best cover possible.

The call from boards and shareholders for adequate insurance cover is growing. The good news is many insurers are offering cover or are in the process of building teams to assess and insure the risks.

Businesses can easily buy insurance to cover:

• costs incurred to manage a breach crisis
• regulatory fines and proceedings
• legal liability

Also, they can now find cover for:

• consequential losses due to damage of business reputation
• consequential losses due to interruptions in network operations.

From an insurer’s point of view

Insurers are nervous. They are facing regulatory scrutiny over whether they can afford the risks they are insuring and the possibility of escalating claims. At the same time, they are trying to maintain their profitability. As a consequence, the cost of insurance is going up.

To understand their exposures and the ripple effects of claims, underwriters constantly monitor claim trends. They look at the severity and frequency of cyber breaches across all industries. So they know what the losses are for small, common breaches, while being ready to pay for the hugely expensive catastrophes, which are relatively rare.

Unlike other types of insurance, generating predictable models for cyber losses is difficult for two reasons. First, the insurance sector only has five years of good loss data. Compare this to property insurers, who have losses dating back hundreds of years. And second, the risks constantly evolve, so data from five years ago may already be useless.

How to get the best insurance for your cyber risk

Insurers are trying to improve their understanding of the risks they are taking on from clients. They are asking for more and more information about how the business is run, and how information is handled.

The key to finding inexpensive cover is to demonstrate you have strong defences and the capability to monitor your network and shut it down quickly if needs be. More specifically, insurers will ask questions about:

• Privacy governance: Do you have policies in place for users to follow?
• Privacy culture: Are you making employees, vendors and other visitors to the organisation aware of privacy risks?
• Network security: Do you protect and monitor your IT infrastructure?
• Data encryption tools: Encrypting data on portable electronics is now as important as having fire sprinklers in a building.
• Network segmentation: Separation of networks, or at least data, is important. Would you keep all of the money you have in the world stored in one place for someone to steal?
• Point-of-sale systems: We have all seen the problems with storing credit-card information.

We recently helped a large corporation avoid a 35 per cent increase in the cost of its insurance by showing it took privacy culture seriously. And a small business in Bristol was able to increase its insurance capacity from £5m to £15m by showing that it had put proper controls in place for its point-of-sale systems.

Max Perkins is a member of Lockton’s global technology and privacy practice. He helps clients manage their professional liability, cyber, data breach and other risks that can damage their reputation. The team serves clients in Europe and the US. Recently the firm was asked to give evidence to the US Senate on cyber security on behalf of the insurance industry. Max Perkins can be contacted at: [email protected]

Lockton is a global insurance broker. Visit: lockton.com/cyber-and-technology

IN PARTNERSHIP WITH LOCKTON


“Keep calm and carry on” is not an option

Attitudes to data security must change if businesses are to guard against cyber attacks, writes Colin Tankard

The headlines may be about cyber war and digital Armageddon, but cyber attacks affecting businesses of all sizes are on the increase. Criminals know that electronic crime offers fast returns, with a much-reduced chance of being caught. The growth in cyber crime coincides with the explosion in the number of digital devices such as smartphones, laptops and tablets. Meanwhile, social media and the web have become integral parts of life.

Yet many businesses are operating as if the data revolution hadn’t happened. They face two challenges: their conventional defences against cyber attack are likely to be inadequate, and their employees are often unaware of the tricks that cyber criminals will use to get information.

Basic technical precautions are still important. Anti-virus software and server security patches should be applied, and email systems should, as a minimum, have spam filters. A firewall acting as a barrier between the outside world and the company is still a requirement. Important data or devices must be protected by strong passwords and subject to access controls to prevent accidental or deliberate leakage.

The problem is that such basics were designed for a different, more static, business environment. The world has gone mobile and the data along with it. Attackers know that many employees use their personal devices for business use as well. They share emails across web-based email, and download office documents to unprotected devices or cloud-based storage.

This means that increasing amounts of company data and access points exist outside the traditional company perimeter, way beyond the protection of the firewall.

Criminals are also adept at exploiting the vulnerability of employees through social engineering techniques. They send fake emails that look as if they originate from official bodies. These contain web links that, once clicked, may download malware designed to steal company data or passwords and login details from unsuspecting employees.

Hackers will obviously go after data that they can see on company servers, but what if it was hidden from prying eyes? After all, you can’t hack what you can’t see. Technology exists that can do just that and make data servers go dark. Such stealth technology puts a virtual cloak around servers so only the rightful owners and those users, devices and applications that are authorised to access the data can see it.

Businesses should also consider two-factor authentication, where users need more than a password to access data that is essential. This can be in the form of a randomly generated PIN or biometrics such as a fingerprint scan. And, of course, passwords should also be as strong as possible.

Encryption is great, but not enough on its own. Again only those authorised to read the data should be able to decrypt the data fully – for example, system admin-istrators should be able to know that the data exists, but cannot read it.

Effective business security is more than just a one-time fix. Protecting the company’s “crown jewels” is an ongoing process and needs regular checks to ensure that the processes put in place are good enough to keep cyber attackers at bay.

According to research by Kaspersky Lab, a security firm, one-third of UK small businesses wouldn’t know what to do if they suffered a security breach, while a quarter admit they wouldn’t be able to re-cover any lost data.

All businesses need to get wiser about cyber security and think beyond simply spending more on an ad-hoc basis. Cyber defences need to be planned and technol-ogy choices made carefully.

With the sophistication of cyber criminal gangs increasing all the time, the option for “keeping calm and carrying on” is not on the table.

Colin Tankard is the managing director of Digital Pathways

To find out more, visit: www.digpath.co.uk

IN PARTNERSHIP WITH DIGITAL PATHWAYS


constantly evolving threat landscape pro-motes a feeling of vulnerability for many and has resulted in some organisations spending significant sums of money on ineffective programmes with poor align-ment to risks and business imperatives. Cyber security is not achievable by a quick technical fix, nor is it a matter solely for the IT department.

We often see that these behaviours leave leadership wondering what they really need to do, how much is really enough and who they can trust to help them get it right.

The reality is that cyber security is a business risk, just like physical security. If measures are put in place to deal with it, then businesses can mitigate and protect against future attacks as a matter of “busi-ness as usual”.

Catherine AskamCyber risk is often associated with high-profile cyber espionage, rather than the more common reality of direct threats to day-to-day activities. The basics, such as regularly updating security software, are often forgotten as a means to prevent attacks. The answer is not to stop wor-rying, but to turn defences in the right direction. Security officers should pri-oritise the training of employees to un-derstand and prevent the security risks the organisation faces, instead of being paralysed by the fear of being blamed in the event of an incident.

3. Internal or external: where does the biggest threat to a firm’s security lie? And why?Mark BrownAlthough the actual threat remains the technical vulnerabilities exploited by the cyber criminals, the biggest risk is that most of these technical vulner-abilities are exploited in the first place due to the actions of internal employees. Well-intentioned but misinformed staff continue to expose otherwise safe prac-

tices in an organisation; therefore, failure to provide continual education, training and awareness to staff is a key risk.

Notwithstanding internal aspects, if a cyber criminal wishes to break into a cor-porate organisation, technical defences alone are insufficient. An ardent attacker will attack an organisation until they find the exposure.

Paul TaylorBoth internal and external threats exist. It really depends on the core business of the company you are dealing with. The key is to take a holistic view of the threat – think-ing about who your adversaries might be, what they might be after and the various ways they might achieve their goals.

Moreover, keeping the different aspects of security in the front of your mind by means of cyber exercises or resilience games is a good way of making sure that all relevant parts of the organisation can work together to deal with any incident. In short: attackers won’t respect your stovepipes and you need to think.

Catherine AskamEmployees and non-employees accessing buildings, data and critical IT systems are probably an organisation’s biggest threat.

While malicious users may attack from the inside of an internal system, causing greater harm than any cyber attack, em-ployees could also make mistakes that put the company at risk. Security infor-mation and event-management tools can prevent these, as they can flag up irregu-lar activity. This leads to timely incident detection and containment.

Smartphones are also becoming a cyber-security minefield. The ability to log in automatically, steal credentials and break into the back-end systems poses a real risk.

John BerrimanThere’s no doubt that external threats regularly grab the headlines. Malicious threats and breaches cause genuine, serious and high-profile breaches. Many organisations prioritise external threats, but internal ones can be just as damag-ing. Staff can be the strongest or, indeed, weakest point in the security chain.

PwC research for the government found that 75 per cent of large organisa-tions suffered staff-related breaches, up from 58 per cent a year ago. Inadequate

2. “The cyber security industry trades off people’s fears – often unsubstantiated.” DiscussJohn BerrimanPwC research conducted for the govern-ment has shown that nine out of ten or-ganisations reported a cyber-security breach in the past year, so the threat businesses face is very real. The cyber-security industry is driven by the genuine experiences of organisations that suffer security breaches.

Others are in denial about the extent to which they are vulnerable or fail to pre-pare adequately and then find themselves hit by a major breach that causes serious business disruption.

At PwC we are trying to make organi-sations more aware and better prepared. There is a lot that can be done to prevent a breach becoming a serious issue that causes long-term and costly damage to a business, its brand and reputation.

Mark BrownThe fear aspect of cyber security is well documented, but there are alternative viewpoints. A modern approach to view-ing the role of cyber security is evolving – one rooted in the heart of enterprise risk-management rather than compliance. As organisations recognise that 100 per cent security is a futile concept, a move to-wards cyber resilience is evolving, where detection and response is as important, if not more so, than prevention.

This change requires a new breed of cyber-security professional, one as comfortable in the parlance of business management as technology, and who can sell the concept of risk enablement rather than simply being seen as the inhibitor of progress.

The risk is very real, but can be man-aged without detrimentally impacting operations where a business-centred ap-proach is adopted.

Paul TaylorThere’s a great deal of scaremongering out there that isn’t necessarily helpful. The

20-25 View from the experts vox pops.indd 24 15/09/2015 12:03:30

Page 25: 01 Cyber security cover - New Statesman...ship, strengthens a business’s resilience and protects chief officers’ current roles and future job prospects. l Joe Jouhal is managing

18-24 SEPTEMBER 2015 | NEW STATESMAN | 25

5. What three steps should businesses take now in order to improve their own cyber security?Catherine Askam1. Fix the basics such as passwords and update security patching and new joiner, mover and leaver processes.2. Review current security operations and invest in them to strengthen this area of your business.3. Focus on prevention in addition to how you would respond to an attack, for example threat intelligence (detecting the methods of hackers and using this intelligence to plan responses) and data-destruction protection, such as technol-ogy or insurance policies to avoid data or information being destroyed if a hacker accessed it.

John Berriman1. Organisations need to accept breaches will happen and put in place controls to protect systems with additional security for the assets that matter most.2. They need to make sure that they are investing effectively in cyber secu-rity. That means focusing investment on preventing, detecting and responding to breaches. When organisations invest SH

UT

TE

RST

OC

K

training, poor security awareness or gen-eral negligence can lead to breaches just as readily as hackers and criminals.

Employee awareness is a difficult area for information security and many organ-isations struggle to get it right.

4. What single statistic should act as a wake-up call to those who need convincing?Paul TaylorEvery day we hear of new vulnerabilities, attacks and incidents. The Centre for Stra-tegic and International Studies estimates that the likely annual cost to the global economy from cyber crime is between $375bn and $575bn. These startling fig-ures are more than the national income of many countries.

Catherine AskamAccording to CYREN’s 2015 Cyberthreat Yearbook, the number of successful cyber attacks on businesses of all sizes increased by 144 per cent between 2010 and 2014. Therefore, cyber attacks are clearly a growing concern for UK businesses. We often say that it’s no longer a case of if you get hacked, but when.

John BerrimanThe average cost of the most severe security breaches for big business is now £1.46m, according to PwC research. That doesn’t take into account the impact on an organisation’s reputation and relation-ship with its stakeholders. Every organi-sation needs to wake up to the very real threats they face.

Mark BrownCyber crime today is prevalent as a glob-al criminal industry. Organisations are hacked daily, but the scale of attacks is often difficult to comprehend.

During 2014 the biggest reported hack was conducted by the Russian organised-crime gang CyberVor, which captured more than 1.2 billion personal IDs – the equivalent of hacking the entire popula-tion of India.

Organisations are hacked every day, but it can be difficult to comprehend the scale of cyber crime

appropriately upfront and align security strategy with business objectives, they prevent having to pay significantly larger sums of money for breach responses at a later date.3. They need to focus the entire organi-sation on thinking about risk, setting the tone from the top.

Mark Brown1. Activate – make sure you switch on the defences that exist and configure them properly. Failure to do this leaves you unnecessarily exposed to today’s threats.2. Adapt – analyse your business and understand what information makes you a target for cyber crime. Personal data and credit-card data are obvious targets, but also think about IP and who your customers and suppliers are to protect against threats.3. Anticipate – get on the front foot and rehearse threat scenarios to understand your organisational weaknesses. If they exist, cyber criminals will find them – so better that you find and resolve them first.

Paul Taylor
1. Identify what data and processes are the most important to your business.
2. Undertake a cyber-maturity assessment to see where you are now. Benchmark yourself against your industry.
3. Put a long-term plan in place, using a balance of internal resources and appropriate help. Don’t try to be 100 per cent secure – that’s simply not possible.

A worryingly large number of IT professionals believe that there is a huge shortage in the number of cyber security professionals and most expect that their organisation will be hit by a cyber attack at some point over the next 12 months.

The 2015 Global Cybersecurity Status Report released by ISACA showed that 83 per cent of respondents believe the biggest threat to business today is the one posed by hackers and other tech-savvy criminals. The report also shows that 87 per cent of its British members believe that there is a shortage of skilled cyber security professionals. In the United States that figure is as high as 90 per cent.

The British government further highlighted the dangers posed by cyber criminals in July, when it released a report which showed that 90 per cent of businesses in the country had suffered a security breach in 2014. Fortunately, it appears as though the UK is starting to take the matter of cyber security seriously, but as for businesses, most remain woefully unprepared to tackle the ever growing and evolving threat posed by cyber crime.

A cyber attack can do huge damage to businesses: the theft of sensitive business data or customers’ details, for example, can do serious harm to a company’s reputation. A damaged reputation is also likely to lead to customers being wary of your business and in turn result in a substantial loss of revenue.

The best way to tackle this menace? Governments and businesses must do more to train their staff, close the knowledge gap and increase specialist skills education. Everyone must also be taught that when online, everybody is a target and that none of us is too small or unimportant.

To fight cyber crime, first invest in closing the skills gap

It’s time to close the knowledge gap, writes Matthew Olney

The skills shortage is so bad that the lack of cyber-security skills has been classed as the biggest problem faced by the IT industry for four years in a row. Universities are offering courses to try to fill this skills gap, but it will be years before there are enough graduates to satisfy demand adequately. People with these skills can expect to receive very good salaries from companies and organisations fighting over them. This high rate of pay may not be much of an issue for corporations or governments, but smaller businesses are unable to compete.

Waiting around for the latest batch of graduates may sound like a good idea, but in reality it is a flawed method of obtaining staff with the necessary skills and knowledge. Most graduates are headhunted straight out of university and the competition to recruit them is fierce. A better way to close the skills gap is to train staff currently on the payroll.

Having staff who are cyber aware gives a business an advantage over its rivals and can increase customer confidence. Ask yourself whether you would rather do business with a company that has taken cyber security seriously, or one that has not. It’s not difficult to guess the answer.

Another problem faced by organisations looking to recruit cyber security personnel is that professionals able to cope with the ever advancing cyber threat are few and far between. With threats always evolving, businesses and governments are forced to react and defend, rather than take the offensive.

IN PARTNERSHIP WITH PGI CYBER ACADEMY

With the launching of various programmes by the British government, it is hoped that smaller and perhaps more vulnerable businesses will take action to tackle the cyber security threat. In July it launched a scheme offering small and medium-sized enterprises up to £5,000 worth of funding to team up with external experts such as Protection Group International (PGI) to help provide staff training. The scheme is certainly a step in the right direction but more needs to be done, especially in sectors such as transport.

The story of the Jeep Cherokee, which was subjected to test hacking in the US, hit the headlines in July and brought into the public eye the vulnerabilities of the car industry when it comes to hacker attacks. At August’s Black Hat conference in Las Vegas, hackers demonstrated how the cyber attack was carried out.

“Please stop saying whatever you have and whatever thing you make is unhackable, because you’re going to look silly,” said a security expert at the Black Hat conference.

If someone with some skills and a laptop can hack into and take control of a car from miles away, then what is to prevent the same from happening in the aviation and maritime sectors?

The maritime sector in particular has been found to be especially vulnerable to cyber threats. In some cases the sector is ten or even twenty years behind the curve when it comes to cyber defence.

With the sector becoming increasingly reliant on technology and the fact that the vast majority of the world’s goods are transported by sea, the possibilities for disruption by hackers or cyber terrorists are vast. A hacker could send a ship off course or disable it to make it an easy target for piracy. According to the European Network and Information Security Agency (Enisa), awareness of cyber security in the maritime sector is currently low to non-existent.

Given the global importance of the sector this lack of awareness needs to change.

“No one is immune from cyber threats and there are many attacks aimed at the maritime sector on a daily basis. Insufficient investment in training and upgrading cyber security measures means that the sector is falling behind in the fast-paced world of cyber security,” said Ben Swindlehurst, commercial development director at PGI.

According to the InfoSec Institute, the aviation industry is also struggling to fill a shortage of skilled cyber security professionals. With the industry hosting some of the most integrated and complex information and communications technology systems on the planet, it faces threats on a multitude of fronts.

The leading threats to the aviation industry range from phishing attacks to remote hijacking. The implications of a hacker breaching an aeroplane’s or an airport’s security should send a cold shiver down all of our spines.

Without adequate numbers of new cyber security professionals, we are all vulnerable to the acts of cyber criminals and cyber terrorists. It is a skills gap that needs to be filled, and this is where PGI’s Cyber Academy comes in.

PGI aims to be a major contributor in the struggle to close the skills gap in the cyber sector. At our state-of-the-art Cyber Academy based in Bristol we implement our unique approach: “Understand, test, monitor, respond, educate.”

All of our instructors are established cyber security professionals, holding both leading industry certificates and having a wealth of real world experience. Whether you are a small company or a large organisation, we have the skills, experience and expertise to offer businesses and governments tailored solutions that will make the difference in this information-enabled world.

PGI believes in education and awareness, therefore cyber security education and training for both IT professionals and non-IT executives stand at the core of our business. Our world-class information security specialists, certified against national and international standards, come from a multitude of backgrounds, ranging from multinational corporations to government institutions. We also operate on a global scale and believe in making the world a safer place to do business.

Matthew Olney is the communications officer at Protection Group International

Find out more about PGI at: pgitl.com

Fiat Chrysler’s Jeep Cherokee was the subject of a hacking test earlier this year


In today’s reality of increasing cyber threats, the Cyber Essentials Scheme is the UK government’s endeavour to help businesses and organisations secure their digital assets by undergoing a security assessment. Cyber Essentials is an optional requirement for most businesses, unless you wish to bid for some government tenders, when it becomes a mandatory requirement.

I must confess, as a security consultant with Digital Assurance, when the Cyber Essentials scheme was first launched in June 2014, I felt sceptical and somewhat disenchanted, certainly as a pen-tester and a fellow of the tin-foil hat brigade.

Cyber Essentials was not a traditional pen test that involved vigorous testing, staring at the only light emitting in the room at 2am and wondering what can be obtained from some odd memory leak vulnerability. Neither was it a physical security test where we were sneaking into your building and hiding, ninja-like, behind your employees or sitting at your desks. (Yes, yours, the one with password Post-it notes all over the monitor . . .)

And it certainly doesn’t include trying to contemplate how to debug a car’s on-board computer over drinks with friends at a local pub after successfully exploiting and unlocking said car remotely.

I also felt somewhat sullied when I compiled some of the first of the Cyber Essentials reports for Digital Assurance, because low-risk issues did not have to be included in the final report. How preposterous!

Now, having completed several assessments against all kinds of infrastructure belonging to companies large and small, I can eat my tinfoil testing hat and declare that I was wrong.

If adopted by industry, Cyber Essentials has the potential to improve UK cyber security dramatically. It is especially beneficial to companies that do not operate a regular or annual security review.

So what does a Cyber Essentials certification include?

It comes in two flavours: Cyber Essentials and Cyber Essentials Plus. The basic one, Cyber Essentials, consists of a comprehensive questionnaire with five stages, covering security controls which are later assessed by the overseeing body of the Cyber Essentials certification.

The five stages covered are:
- boundary firewalls and internet gateways
- secure configuration
- access control
- malware protection
- patch management.

Cyber, cyber, cyber essentials

A five-step security assessment is an excellent introduction, writes Digital Assurance’s Michael Minchinton

To add a further level of assurance we also offer a vulnerability scan against your external perimeter and analyse the issues arising in common, off-the-shelf products. The Cyber Essentials flavour is a respectable starting point that helps protect your digital assets from the perspective of an unauthenticated remote hacker across the internet.

The second, the Cyber Essentials Plus, includes all the elements of the Cyber Essentials together with an additional review against internal systems including firewalls, laptops, PCs and email gateways.

The Cyber Essentials Plus variant is a comprehensive addition, embracing the unauthenticated remote hacker aspect, which includes malicious intent to propagate malware and ransomware threats.

For companies that have not had any security assessment of any kind, I suggest that going through the five Cyber Essentials stages is a comprehensive introduction to cyber assurance.

Michael Minchinton is a security consultant for Digital Assurance

Digital Assurance is CREST- and CESG-accredited. Based in offices in Westminster, it delivers Cyber Essentials certification along with conventional penetration testing services, social engineering campaigns – and the odd bit of car hacking just for the heck of it!

For more information visit: digitalassurance.com or phone: 020 7060 9001

IN PARTNERSHIP WITH DIGITAL ASSURANCE


What is digital infrastructure?
We have all heard of the digital economy, but perhaps are less familiar with the term digital infrastructure. It refers to the digitisation of the services that run our critical national infrastructure. It describes our ability to convert physical assets, such as signalling equipment, into digital code run by computers. It also encompasses the increased information systems that capture data about those assets and allow us to run them more efficiently.

With the rapid growth of this digital infrastructure, more services are accessed or delivered online. More and more data is being collected by organisations, about policies, procedures, staff, clients, commercial behaviour and the condition and use of their assets. To exploit the data effectively, it needs to be made available in different geographic and virtual environments and at varying levels of granularity.

What are the risks?
All of this brings great societal benefit but also presents an opportunity for competitors or criminals seeking to profit. Opportunity and threat go hand in hand.

When it comes to a nation’s infrastructure, the potential risks go beyond the threat of theft of customer or employee information. As well as more general threats, an infrastructure organisation has to deal with risks to the industrial and process control systems that maintain its daily operations.

Industrial control (or Scada) systems that control power plants, signalling systems and network facilities are increasingly being run across the same internet protocol (IP) networks as customer management systems. These systems have features that make risk more severe and the proximity of the threat greater.

For example, the operational systems that are being accessed across the internet have longer life cycles than the IT equipment that is used to run enterprise client management and accounting systems. As a result, the underlying computer systems are older and this means that operating systems are potentially no longer supported and vulnerabilities are not patched. Similarly these systems are operated from the shop floor and system management is carried out on a part-time basis by an infrastructure engineer rather than a dedicated IT professional.

Security is a secondary concern to keeping the plant operational.

What can we do about it?
Despite the gloomy assessment, there is cause for optimism. The current focus on renewing or replacing infrastructure means that we have the opportunity to build a secure modern digital infrastructure for future generations.

As we design tomorrow’s infrastructure, we need to consider the future needs of our society. These include not only what services are needed but also how the way those services are accessed will change over the whole life of the asset. We can make future digital infrastructure secure by design.

Despite the risks there is room for optimism, argues Andrew Cooke

The threat to digital infrastructure

How can we help make this happen?
Infrastructure organisations are experts in understanding the whole life cost of their assets. This can now be leveraged to ensure security of service delivery.

Taking a digital enterprise asset management (d-EAM©) approach allows the design of infrastructure to take account of present and future objectives and the security of the physical and the information assets that deliver organisational and societal objectives. Threat, vulnerability and risk information are linked to the delivery of the organisation’s objectives and consequently to the assets that are needed to achieve them. Vulnerability and threat need to be managed on an asset by asset basis, to ensure the threat to the delivery of organisational, and in this case national, objectives is mitigated.

The approach is not exclusively used in the design of new infrastructure and should be used with legacy assets as well. Understanding what is critical to delivering the goals of the organisation means that infrastructure providers can ensure that they secure what needs to be secured and make accessible the information that needs to be available.

Protecting digital infrastructure is a matter of understanding the digital asset, its use and value, and making sure that security is at the heart of the way it is designed and exploited.

Andrew Cooke is the client director for infrastructure at Atkins

To find out more, visit: atkinsglobal.com

IN PARTNERSHIP WITH ATKINS


The threats posed by cyber breaches to the UK government, critical national infrastructure, financial institutions and all levels of corporate entities within our sovereign shores are irrefutable. Yet while the agenda regarding the skills gap is never more relevant to the UK than at present, too little is being done to reduce our risk of a cyber attack by increased training and awareness.

Several schemes have been created in recent years to address what is perceived as the cyber skills gap. However, these schemes, and government policies, only focus on the two realms of attack and recovery. Certification available today either develops simulated attack expertise, intended to identify weakness, or recovery expertise, designed to recover from or investigate an attack. Both of these strategies are fine and play an important role in shoring up our defences, but the cyber skills gap is bigger than this.

When we ask why computer systems are vulnerable we can identify two main areas of weakness: the software developers and the computer users. Not enough is being done to enhance the skills of the software developers to better defend against cyber attack, and too little is being done to upskill the computer users to identify socially based and other attacks aimed at gaining user credentials and other sensitive information, which can be used in a cyber attack.

Government policies are mandating IT security health checks and simulated attacks on a regular basis; however, little to no security quality checking is being carried out on the software solutions prior to procurement. There is no certification path for software developers to identify that they have been trained in the discipline of secure coding.

In part, this issue is a cultural one. Software companies are looking to ship software within a defined project development life cycle in order to meet customer demands and to remain profitable. With the ever increasing number of software platforms, developer companies now need to ship their products to Apple, Linux, multiple Windows platforms and a vast variety of mobile phones and, more recently, wearable devices; not to mention the advent of the Internet of Things.

Studies have been conducted into the overheads created when consciously creating secure code using an established secure development life cycle, and surprisingly it is as little as 14 per cent additional resource. However, 14 per cent additional resource to the bottom line of any business is unpalatable.

It is clear that focus on providing the next generation of software developers with a clear understanding of security and how their work may be attacked and abused will prevent a large number of attacks from occurring in the first instance.

What level of investment is needed for the UK to deal effectively with a rapidly expanding global cyber-threat landscape?

First line of attack and weakest defence

The computer users are the first line of attack and generally the weakest defence. They must be made aware of the threats and educated in how to respond to them and defend against them. At the very least this should be a standard part of any induction programme that should be refreshed frequently. Why not introduce formal certifications that lead to a licence to operate, a little like the driving licence theory and practical tests? Organisations, both large and small, need to invest more in educating staff in cyber security and it must be an ongoing process.

Established in 2006, Encription is a UK- and Ireland-based IT security specialist company delivering services worldwide to a diverse client base, including the UK central government, the Ministry of Defence, police, fire and rescue services, financial institutions, professional service companies, manufacturers, small, medium-sized and large businesses, and charities. With experienced consultants at your disposal, Encription is able to meet your IT security needs, no matter how simple or complex, including penetration testing in all disciplines, advanced research, digital forensics at evidential standard and training.

We are ISO 27001 and ISO 9001 certified and also CESG CHECK, TigerScheme and CyberScheme members. Contact us on +44 (0)330 100 2345, or at: encription.co.uk

IN PARTNERSHIP WITH ENCRIPTION


FACTS AND FIGURES

Security breaches by numbers

Source: 2015 Information Security Breaches Survey (commissioned by HM Government and conducted by PwC)

- 90% of large organisations experience security breaches, up from 81% a year ago
- 74% of small businesses experience security breaches, up from 60% a year ago
- £1.46m-£3.14m: average cost of worst security breaches to large organisations
- £75k-£311k: average cost of worst security breaches to small businesses
- 50% of worst breaches caused by inadvertent human error

Security breach by type

Large organisations: staff-related 75%; unauthorised outsider 69%; denial of service attack 30%

Small organisations: staff related, denial of service attack and unauthorised outsider, with values 38%, 16% and 31% (the page layout does not preserve which value belongs to which category)


Professional development guidance for senior decision-makers to help them counteract data loss and cyber-attacks

It’s time to develop your own Cyber Security capabilities

Accredited by leading professional bodies and institutions:

Download our free guide from www.7safe.com/cyber-skills or email [email protected] to see us at IP EXPO (Cyber Security Europe exhibition) 7-8th October ExCel London

Awareness of cyber security has risen on the back of high-profile news stories and consumer recognition of the threats. But though everyone is talking, most businesses are still in the early stages of recognising the sheer scale of the task ahead.

Consider this summer’s recall of 1.4 million cars by Fiat Chrysler after researchers remotely took control of a Jeep, turning off the engine by using wireless networks and a vulnerability in the vehicle’s radio. Similar stories have emerged of compromises with aircraft and washing machines. The accusations fly easily: corporations do not prioritise security, or worse, they wilfully ignore it. It’s more likely that the opposite is true.

The onset of the connected world – with an estimated 50 billion devices connected together by 2020 – heralds a fundamental change in the way society and its economies are developing. The impact of technology on the way we function is already evolving at an unprecedented rate.

You will hear technology and business-driven innovators alike talk about how the cloud is the new core and mobile devices the new edge. In plain English, they mean that employees and suppliers, from disparate companies, business units and countries, can work together using myriad systems, social networks and business tools (many of which stem from consumer services such as Skype or WhatsApp that no one organisation oversees). And there is no turning back.

(ISC)2 has tracked these trends since 2004. Our most recent study concludes that the changing organisational footprint has left information security professionals, and the organisations they protect, cornered in a reactionary role of addressing security incidents as they occur. There is little opportunity to plan for the future.

Connected cars that analyse driving, fridges that can do the weekly shop, and light and heating systems that can be controlled with an app on a mobile phone are accelerating the pace of change. It’s time to help those driving this change work with a much clearer understanding of how it is moving us forward, and where it is leaving us vulnerable.

We need to examine developments in areas such as robotics and health care to evaluate how dependent these fields are on technology and how those dependencies could affect legal and regulatory concerns. This goes much further than the need for technical excellence in forensics, technical analysis or penetration testing.

The call is for a comprehensive effort, one that spans industry and management disciplines, to develop a broad pool of talent capable of reassessing business risk, product and service development requirements, and organisational resilience.

At the moment, such considerations are shouldered by an overburdened cyber security function, straining under a now well-known skills gap in the field.

The connected world offers great promise and heralds fundamental change with new risks, writes Adrian Davis

Cyber security skills for a digital future

The current (ISC)2 Global Information Security Workforce Study forecasts a global shortfall of 1.5 million qualified professionals (379,000 in Europe, the Middle East and Africa) by 2020. Many laudable efforts to define apprenticeships, cyber security challenges and other initiatives address focused requirements. That overall push to enhance a breadth of understanding and accountability still eludes us.

As a professional community of nearly 110,000 working in the field, (ISC)2 members are motivated to change this. We have, for example, worked with the Council of Professors and Heads of Computing (CPHC) on curriculum guidelines now incorporated within the accreditation criteria for most computing science degrees in the UK. The aim of this and similar projects is to help those working on that Jeep of the future understand the cyber security concepts that should be a core part of what they do.

The connected world and the digital economy offer great promise. We must be guided, however, by a much broader appreciation for how we must evolve.

Dr Adrian Davis is the managing director for EMEA at (ISC)², the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with nearly 110,000 members

To find out more, visit: isc2.org

IN PARTNERSHIP WITH (ISC)2


This supplement, and other policy reports, can be downloaded from the NS website at:

newstatesman.com/page/supplements
