Cyber Risk News

Boards Push Security, Rush to GDPR Compliance

Info Security - Wed, 06/06/2018 - 14:14

IT leaders are prioritizing improvements in cybersecurity at a growing rate in an effort to fight cybercrime threats and become GDPR compliant, reports the Harvey Nash/KPMG CIO Survey 2018.

More than one-third of organizations surveyed in April reported that they did not expect to be compliant by the recent GDPR deadline, though 68% report that they have the support needed from their boards to ramp up investments to bring them into compliance.

“The seeming inevitability of a cyber attack crosses all borders and has now crossed firmly over the threshold for board-level discussions,” Akhilesh Tuteja, global cyber security services co-leader, KPMG International, said in a press release.

“Protecting the business from a cyber attack has jumped further up the boardroom agenda than any other item and IT leaders are being encouraged to make their defences the best that they can be,” Tuteja said.

David Ferbrache OBE, chief technology officer in KPMG's cybersecurity practice, said that data privacy and cybersecurity are closely intertwined. "With the introduction of the GDPR, privacy has become very much a front line issue. It was no surprise to see that 38% of survey respondents said they would ‘still be on the journey’ at the GDPR start date and only 15% said their compliance programme would be ‘complete’."

Less than a quarter (22%) of respondents stated that they are in a good position to respond to a cyber-attack despite the overwhelming number of IT leaders (77%) whose greatest concern is the threat of organized cybercrime.

In addition, many organizations are in the nascent stages of their digital strategies, with most digital investment focused on the front end rather than on operational activities. According to the survey, 78% of CIOs believe their digital strategy is – at best – moderately effective, with only 32% of organizations reporting to have an enterprise-wide digital strategy. 

Those organizations that have a dedicated chief digital officer (CDO) are more than twice as likely to have an all-encompassing digital strategy. "The incessant rise of shadow IT, the explosive growth of the CDO and the changing nature of technology have removed many of the certainties that have fueled the importance of the CIO role," Ferbrache said.

A relatively new role, the CDO is responsible for driving the value of digital in a business across technology and operations. "It has less legacy and baggage than more traditional roles like the CIO, although many CIOs would argue that they are CDOs in everything but job title."

Half of all IT leaders now report having either a dedicated or acting CDO, but Ferbrache noted that 40% of organizations do not have a CDO and did not indicate plans to establish such a role. "The size of the IT budget is directly proportional to the likelihood of having a dedicated CDO, with larger organisations much more likely to have one."

Categories: Cyber Risk News

#Infosec18: Machine Learning Doesn't Mean AI or End of Humans

Info Security - Wed, 06/06/2018 - 14:03

The introduction of AI and machine learning should not mean a decision of man or machine, but one of man and machine bringing combined skills together.

Speaking at Infosecurity Europe 2018, Christopher Morales, head of security analytics at Vectra Networks, gave a talk titled 'Building Security That Works, Machine Learning Fundamentals for Cybersecurity Professionals' and admitted that there is confusion around what AI, machine learning and deep learning are.

“AI is the output of what you’re trying to do, and doing things that are repetitive tasks,” he said. “Machine learning is the method and the means to AI, but it is not AI itself.”

Morales went on to say that deep learning is part of machine learning, and there are two types: supervised and unsupervised. Supervised means it is task driven, “you give it input and have X data and you get Y output.” With unsupervised, he explained that you “have the X but no Y, a set of data and no outputs.”

Explaining unsupervised machine learning, Morales said that as conference delegates “we’ve been clustered by a vendor."

He went on to address algorithms, saying that if you have a single algorithm and you’re using it to do a job, that is not really AI, that is about using the right tool for the job. “Look at the task and who administrates the system, and if you want to find a remote access trojan, that is a good use of supervised learning as you are being specific on what you are looking for and how to apply it,” he said.

Moving on to how this can help with security, Morales said that pattern matching has been done for years, and users have focused on understanding what malware is, and with machine learning you can focus on what it does rather than what it is – and match it to that decision.

“Focus on behavior and how it relates to an attack, and focus on what to do and what it is doing to you now.”

He went on to encourage users to train systems on a subset of tools and what it looks like when an attacker wants to get on your network, and apply it to the network so it looks for any tool doing the same behavior.

“Unsupervised learning is good at learning local context and what people do, and in this case security research on what an attacker actually does,” he said.

He concluded by saying that the real value of AI is in replicating human tasks, but what you get out is to reduce the workload of the human. “We need to realize that machines are not going to replace humans, and in most instances they increase the human’s work,” he said.

“But in security machines and humans are inherently different: machines are good at memorizing data and repetitive tasks and do it fast in multiple tasks, and humans are good at being creative and looking at context. It is not man or machine, but a combination of machines doing tedious work so humans can focus on creative work.”

Categories: Cyber Risk News

#Infosec18: Dystopic Internet Future Brewing in the East says Martha Lane Fox

Info Security - Wed, 06/06/2018 - 10:44

Internet stakeholders should worry less about the problems created by Silicon Valley and focus more on the increasingly dystopic online world being developed in Russia, China, Iran and elsewhere, according to Baroness Martha Lane Fox.

The founder and cross-bench peer told attendees on day two of Infosecurity Europe of her concerns about Russian attempts to destabilize Western democracies and China’s controversial social credit system.

The latter seeks to give citizens points according to their behavior on- and offline, and restrict their lifestyles if scores fall below a certain level.

“We’ve become a bit obsessed with the West [when] we should be looking East,” she argued.

“We could easily put ourselves into a dystopian future in our heads … but we have it in our gift to own the future.”

To ensure the UK does so, work is needed to effect change at three levels: among lawmakers, individuals and corporations, Lane Fox claimed.

There is a particular challenge in changing the mindset of legislators from the current stance: “that no politician is going to lose votes by being negative about technology.”

“We need to upskill our legislators dramatically if we’re going to face the challenges of the coming years,” said Lane Fox.

However, politicians and civil servants were upskilled in this way during the creation of the Government Digital Service initiative, so it is possible, she added.

It will also be challenging to educate individuals about all things digital. Although 50% of respondents to a recent poll conducted by her new company Doteveryone claimed tech has helped them at an individual level, just 12% believe it helps society overall.

Key to the UK’s resilience in a post-Brexit world will be its ability not just to grow the digital economy, but to “flip the switch” and build a society enabled by technology – driving improvements in schools, transport, local government and more.

“We don’t have any option [post-Brexit] but to become the most modern digital nation we can be,” said Lane Fox.

However, in order to do so, the UK will have to tackle a profound technical skills deficit, she added.

Categories: Cyber Risk News

Better post-Brexit support needed for tech start-ups says report - Wed, 06/06/2018 - 09:01
The UK government should be putting in place measures to support start-up companies in the technology sector more effectively, concludes a new report.
Categories: Cyber Risk News

#Infosec18: A Diverse Team with Opportunities will Benefit a Company's Security

Info Security - Wed, 06/06/2018 - 08:35

Speaking in the keynote session 'Rethinking Security Teams to Address the Skills Shortage & Secure the Business' at Infosecurity Europe 2018, panelists were united in agreement about having a blend of talent and diversity to build the best team.

Cory Scott, CISO of LinkedIn, said that if you only employ “tricksters” nothing will get fixed, and that is why you need to look for all types “and why diversity and narrative should be in your mindset; if they look like you and all have the same background and education you end up with a homogenous group of individuals who are not serving the business.”

Scott added that you want a collection of people with different narratives and different types of functions, but that “trickster” narrative was also important to understand how the next attack pivots, and you want an engineering wizard to solve problems at scale and not just do a manual review time and time again.

Christian Toon, CISO of Pinsent Masons, likened the building of a security team to Marvel’s Avengers where there are participants with different skills and backgrounds. He said: “There is not a skills gap, there is an attitude gap and that is why you hire.”

In terms of internal development, Toon encouraged delegates to consider “giving people a career, a job and then give them something else” like training and education opportunities.

“People want to grow and develop, and give them training and meaningful qualifications that enhance your security team and treat them as individuals,” he said. “Look at every walk of life, every gender, and you need to tell HR they need to positively discriminate.”

A question from moderator Wesley Simpson, chief operating officer of (ISC)2, pointed out that women only make up 8% of most security teams, and only 7% are women under 29, so what is being done to cast the net wider?

Toon recommended looking at incentivizing those looking for a career change and encouraging those only able to take on part time roles, while Scott said that there are three areas to consider:

The first is having an inclusive and supportive culture, where you listen to your employees and understand how to measure culture.

The second is about hiring and getting the right type of candidates and an “unconscious bias” in organizations who don’t understand your message.

The third is about establishing ability with a wide group and focusing on the development of the organization.

Closing with a discussion on the role of recruitment agents, Toon said that he finds “recruiters difficult to deal with, and the right ones are worth their weight in gold.”

Mun Valiji, CISO of Sainsbury's, said that there is too much time spent trying to get “a CV match” and not enough spent on getting the recruitment agent to understand requirements that the company is trying to fulfill and understand the business and engagements.

Emma Smith, group technology security director at Vodafone, argued that the more the recruitment company knows about the business the better the match. “We make sure every role goes through the gender language tool” and that recruiters can help with that, and make sure that the recruitment process is a personal task.

Categories: Cyber Risk News

#Infosec18: European Blogger Awards Winners Announced

Info Security - Tue, 06/05/2018 - 19:00

The European Security Blogger Award winners have been announced.

Following on from the last awards, held in 2016, the shortlist saw some of the leading names in cybersecurity commended.

Nominated and voted for by the public, with votes added by judges including Infosecurity Europe Hall of Fame members Jack Daniel and Brian Honan, security blogger and AlienVault advocate Javvad Malik, Infosecurity Magazine contributing editor Dan Raywood and Yvonne Eskenzi from Eskenzi PR, the awards were presented at the Blogger Awards meet-up in a reception held in London.

The winners were announced as the following:

Categories: Cyber Risk News

#Infosec18: How to Design Security Awareness Programs & Drive Smart Security Behavior

Info Security - Tue, 06/05/2018 - 16:18

At Infosecurity Europe 2018, Dr Jessica Barker, co-founder of Redacted Firm, discussed practical ways to build security awareness programs that can drive better user behaviors.

The first step is assessing “what your organization looks like on paper, and knowing about your organization in terms of the sector, the size, the geography – what are the most important information assets, which are the biggest threats and what would be the most damaging thing that could happen to the organization.”

Once you have that understanding of the baseline characteristics of the organization on paper, you can move onto “understanding them in real life,” Dr Barker said, and the key thing that must be done here is speaking to people within the organization “to find out what is actually happening, because as we know, what is happening day-to-day among the employees of an organization will be a very different picture to what you see on paper.”

Dr Barker added that a good level of security awareness does not always equate to good security understanding and changes in behavior, “so when we talk about awareness we need to think about what the outcome is that we want – we don’t want people to be aware just for the sake of it, we want to see changed behaviors.”

Her advice for doing that is to “work backwards” to create a culture in which people are engaged through experiences of what good security behavior is, and making “cybersecurity personal is one of the best ways to get through to people.

“If you really want to change behaviors,” she concluded, “you need to think about intrinsic motivation and what you can do that is really going to tap into their [users’] internal rewards system.”

Categories: Cyber Risk News

#Infosec18: Users are 'Predictably Irrational' & Influenced by Cognitive Biases

Info Security - Tue, 06/05/2018 - 15:51

Speaking at Infosecurity Europe 2018, Bruce Hallas, founder of The Analogies Project, discussed user behavior, highlighting a common assumption about the subject and explaining why it is flawed logic that should be reconsidered.

That assumption is that people are logical thinkers, and process information rationally and make decisions which appear to be sensible. In fact, Hallas explained, users are irrational and make many behavioral decisions which are affected by cognitive biases, and that must be taken into account when you are trying to influence better security behaviors and design security awareness training.

“The bad news is that people are people and they aren’t that logical at the end of the day,” he added. Once that premise is accepted, he argued, people turn out to be predictably irrational, thanks to more than 150 cognitive biases.

Examples of the cognitive biases Hallas pointed to include: loss aversion, whereby “we feel more what we lose than what we gain,” status quo bias which suggests users “don’t like change” unless it is their idea, social influences and the “IKEA effect” where “we tend to value things we have developed more than other people.”

“Research has shown that you can make really, really small tweaks to what you are already doing” to see effective behavioral returns, Hallas concluded, but to do that “you’ve got to get to grips with cognitive biases.”

Categories: Cyber Risk News

Five Riskiest States for Cybercrime

Info Security - Tue, 06/05/2018 - 14:44

When it comes to cybersecurity practices of consumers, a new report shows that Florida ranks as the riskiest state with most residents lagging behind in their awareness of online safety practices.

The Cyber Hygiene Index: Measuring the Riskiest States, conducted by Ponemon Institute and commissioned by Webroot, surveyed more than 4,000 consumers across all 50 states and Washington, D.C., and found that New Hampshire scored the highest. In contrast, Florida came in dead last, reflecting that most residents are not ready to prevent, detect or respond to cyber-related attacks such as malware, phishing, ransomware and identity/credential theft.

Wyoming and Montana were just above Florida, an indication that despite high profile breaches such as Equifax, individuals across the US lack cybersecurity education. The spectrum is wide, though, and at the other end, individuals residing in New Hampshire, Massachusetts and Utah have the safest online habits.

Only 24% of Americans are aware of the best practices that will increase online security, such as regularly monitoring bank and credit card statements and understanding how to block pop-ups, updating online account passwords, and taking precautions before clicking on an email. Additionally, only half of Americans use antivirus or other internet security software on their laptops, desktops or smartphones.

72% of survey respondents living in Florida reported that they share passwords or other access credentials with others, while more than half (53%) of New Hampshire residents claimed that they never share passwords with others.

Interestingly, the number of devices an individual owns is a greater indicator of their cyber-risk than is their age. The survey results found that the more devices an individual owns, the lower their level of cyber-hygiene. In fact, 75% of respondents 30 and under reportedly engage in riskier online behaviors than older respondents. 

“Regardless of the region, the riskiest states index shows that many people in the US are jeopardizing their safety with inadequate cybersecurity practices. To help fight widespread threats like ransomware and phishing attacks, internet users should run a security solution on their personal devices and make sure that all security and other software applications are up to date,” said David Dufour, vice president of engineering and cybersecurity, Webroot.  

Categories: Cyber Risk News

#Infosec18: Experts in EFI Update Warning

Info Security - Tue, 06/05/2018 - 14:29

Security experts have warned that Extensible Firmware Interface (EFI) updates often lack transparency, and fail to cover all hardware models and software versions, leading to dangerous gaps in protection.

Duo Labs director, Rich Smith, told attendees at Infosecurity Europe today that securing the EFI layer is particularly important as its position in a computing system means compromise could give hackers the upper hand in terms of stealth, persistence and access to anything above it.

Although efforts to compromise EFI are most often carried out as part of highly targeted attacks, they remain a major threat to organizations, he warned.

Smith revealed newly updated research from Duo Security which details shortcomings in Apple’s EFI update processes.

Drawing on data collected from 73,000 customer machines, the findings show that 4.2% were running the wrong EFI version – much higher than the 1% or so expected.

That rose to nearly 43% for the oldest Mac model on the market, dating back to 2015.

The results also showed that organizations could be “software secure but firmware vulnerable.”

For the latest macOS release, 10.12.6, the researchers found 43 EFI bundles issued. This figure dropped to 31 for macOS 10.11 and just one for the previous version, 10.10.

“This makes it difficult for administrators to do good rigorous analysis across their fleets. It’s difficult to understand your threat profile and attack surface,” Smith claimed.

“The only way to ensure you’re getting the best firmware updates is ensuring you’re on the latest software version.”

He called on tech firms to introduce “the same degree” of transparency into the firmware update process as they do with software updates.

Duo Security chose to study Apple because the firm’s singular ecosystem made it easier to analyze, but Smith warned that failings in the Wintel space are arguably even more acute.

Categories: Cyber Risk News

Cybercriminals Work Around Road Blocks

Info Security - Tue, 06/05/2018 - 14:02

Though somewhat deterred by the major takedown of two popular underground marketplaces, cybercriminals have found alternative solutions that are growing more popular, according to new research from Digital Shadows.

A new report, Seize and Desist: The State of Cybercrime in the Post-AlphaBay and Hansa Age, found that the cybercriminal community has only been slightly quieted by the Operation Bayonet takedown of AlphaBay and Hansa, which forced tens of thousands of vendors and buyers to find new places to conduct business. Mistrust and fear have contributed to the decline of centralized marketplaces, as has the significant cost factor involved in establishing a new market.

Rather than investing in new marketplaces, criminals are focusing their processes and procedures on improving marketplace security and trust in existing sites. These tactics include blockchain DNS, user vetting and site access restrictions, domain concealment, and migration to chat and peer-to-peer (P2P) networks.

Vetting and limiting the user base is an additional challenge for site operators, who need to ensure only reputable and genuine users have access, particularly since forum users are skeptical of each other, aware that law enforcement can be posing as sellers. 

To confront the issues of trust, communities have created a forum life cycle, a process by which administrators can limit new users’ access to a forum through mechanisms such as posting limits and area access restrictions.

Moving away from the centralized marketplace in favor of a more diffuse model was trending even before Operation Bayonet, and criminals are now using Telegram to conduct transactions across decentralized markets and messaging networks.

"Over the last six months, the Digital Shadows analyst teams have detected over 5,000 Telegram links shared across criminal forums and dark web sites, of which 1,667 were invite links to new groups," the report said. These covered a range of services, including cashing out, carding and cryptocurrency fraud.

Rick Holland, CISO and VP of strategy at Digital Shadows, said, “The FBI takedown has for now made the dark web marketplace model less viable. As it stands, the marketplace model appears to be in decline, but it would be naive to assume that law enforcement efforts such as Operation Bayonet have drastically reduced cybercriminal risks to both businesses and consumers." 

"Instead," he continued, "as recent developments have shown, cybercriminals have taken to incorporating new processes, technologies and communication methods to continue their operations. The barriers to entry have shifted upwards and criminals are more likely to be deceived by each other. However, cybercrime ‘will find a way.’”

Categories: Cyber Risk News

Regulate virtual currency exchange platforms, EU law makers urged - Tue, 06/05/2018 - 13:21
EU law makers have been called on to regulate online platforms that allow users to exchange virtual currencies for other virtual currencies "as a priority".
Categories: Cyber Risk News

Big Bank Blunder from Down Under

Info Security - Tue, 06/05/2018 - 13:12

Despite the awareness that they are dutybound to protect the sensitive information of their customers, banks continue to suffer data breaches as the result of human error, as was the case for the Commonwealth Bank of Australia (CBA). The Sydney Morning Herald reported that CBA breached the privacy of 10,000 customers by sending their data to the wrong email addresses. 

After conducting an information security investigation, the bank learned that 651 internal emails were incorrectly sent to email addresses at the wrong domain from 2016 to 2017. The sender inadvertently omitted the ".au" on the end of the intended domain.

In order to prevent these human errors, CBA purchased the domain name in April 2017; however, the investigation looked into events that would have occurred prior to the takeover when the domain was used by a US cybersecurity firm. 

CBA revealed that the 651 emails were indeed sent during that time frame and contained the data of 10,000 customers. "An extensive and detailed investigation by CBA confirmed the contents of all 651 internal emails were automatically deleted by the domain owner's system, which only collected information on CBA sender and recipient email addresses and the subject of the email," the bank wrote in a 1 June 2018 statement.

The bank's investigation confirmed that no customer data was compromised as a result of the mistake, but it accepted responsibility and acknowledged that customers want to be informed about data security and privacy issues. To that end, the bank has started to notify affected customers. 

In the aftermath of the EU's GDPR compliance deadline, this type of privacy breach will continue to get more scrutiny, especially as today's large banks and enterprises serve global clientele. The moral of the story, said Anthony James, CMO at CipherCloud, is that customer data must be carefully protected. 

"Note that if the breach involved even the records of one European customer, then they would have also likely been subject to the 72-hour notification requirement and extremely onerous provisions of the EU General Data Protection Regulation," James said. "New best practices require a deeper focus on data and threat protection, especially in support of challenging new compliance requirements.”
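The failure mode in this incident, a recipient domain that is the corporate domain with its ".au" suffix dropped, is straightforward to catch before a message leaves. The following is an added example, not CBA's or the article's own code: a pre-send check that flags recipients whose domain is a truncation of an internal domain. The domain names and the message are constructed placeholders, since the article does not name the real domains.

```python
"""Flag outbound recipients whose domain is a truncated form of an internal domain.

Added illustration; the corporate domain and the sample message below are
constructed placeholders, not values from the article.
"""
from __future__ import annotations

from dataclasses import dataclass
from email import message_from_string
from email.utils import getaddresses

# Constructed placeholder for the organisation's real domain(s).
INTERNAL_DOMAINS = ("examplebank.com.au",)

# Constructed outbound message: the second "To:" recipient is missing ".au".
SAMPLE_MESSAGE = """\
From: statements@examplebank.com.au
To: Bob <bob@examplebank.com.au>, carol@examplebank.com
Cc: dave@partner.example
Subject: Internal: customer statement batch

(body omitted)
"""


@dataclass(frozen=True)
class Finding:
    recipient: str        # full address that looks mistyped
    internal_domain: str  # corporate domain it appears to be a truncation of


def _labels(domain: str) -> list[str]:
    """Split a domain into lower-cased DNS labels, ignoring empty pieces."""
    return [lbl for lbl in domain.lower().strip(".").split(".") if lbl]


def is_truncated_internal_domain(recipient_domain: str, internal_domain: str) -> bool:
    """True when recipient_domain is internal_domain with trailing label(s) dropped.

    'examplebank.com' vs 'examplebank.com.au' -> True.  Exact matches are not
    flagged, and a bare single label is ignored because it cannot be a
    deliverable domain in this setting.
    """
    rec, internal = _labels(recipient_domain), _labels(internal_domain)
    return 1 < len(rec) < len(internal) and internal[: len(rec)] == rec


def lookalike_findings(addresses, internal_domains=INTERNAL_DOMAINS) -> list[Finding]:
    """Return a Finding for each address whose domain truncates an internal domain."""
    findings: list[Finding] = []
    for addr in addresses:
        _, _, domain = addr.rpartition("@")
        if not domain:
            continue
        for internal in internal_domains:
            if is_truncated_internal_domain(domain, internal):
                findings.append(Finding(addr, internal))
                break
    return findings


def scan_message(raw: str, internal_domains=INTERNAL_DOMAINS) -> list[Finding]:
    """Parse the headers of an RFC 5322 message and check every recipient."""
    msg = message_from_string(raw)
    header_values = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    recipients = [addr for _, addr in getaddresses(header_values) if addr]
    return lookalike_findings(recipients, internal_domains)


if __name__ == "__main__":
    for f in scan_message(SAMPLE_MESSAGE):
        print(f"HOLD {f.recipient}: looks like a truncation of {f.internal_domain}")
```

The check deliberately flags only truncations of the internal domain; genuinely external recipients such as the partner address pass through, so it can sit as a hold rule in a mail gateway without blocking normal external mail.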

Categories: Cyber Risk News

#Infosec18: Cybersecurity can Enable Businesses to be more Agile

Info Security - Tue, 06/05/2018 - 12:40

Cybersecurity can be an enabler of digital transformation, if an agile environment works for you.

Speaking in the keynote session “Security at the Speed of Business: Supporting Digital Transformation with Cybersecurity” at Infosecurity Europe 2018, a panel of experts considered the impact of digital transformation and how to enable secure agility into your organization.

Moderator Maxine Holt, research director at Ovum, asked the panel how delivery at pace can be supported. Lee Barney, head of information security at M&S, said that his company had adopted an agile methodology, and this was appropriate for a company that was going through a change in customer demographic and in-store experiences.

“Where cybersecurity comes in is not on top or an addition, and those who succeed will be those who bake in cybersecurity,” he said.

John Meakin, CISO at GSK, said that the lesson for the security team is to “be confident and work out how the cycle works for you,” and determine what the risk is for you and be confident in doing that. He said that there is no point in trying to work security into agility “if you have got to think about it for a week or an hour, you have got to be there and be confident” in the decisions you make.

Asked by Holt how to encourage employees and partners to change their security behavior so it is at the front of their mind, Graeme Hackland, CIO of Williams Grand Prix Engineering, said that the best way for his company was to “put people at the heart of your security” as they are protecting your reputation and it is your work to protect them.

Looking at how to implement an agile and DevOps environment, Hackland acknowledged that some developers see “adding security by design as slowing down,” while Barney said that agile and DevOps were “one and the same thing, and it is not an ‘or’ but an ‘and’.”

Barney said: “When you understand agility, you understand what to do with it.”

In an audience poll of 150 people, 59% said that cybersecurity was both an enabler and a hindrance of digital transformation projects, while 31% said it was an enabler and 7% said it was a hindrance.

Meakin said that good agile and DevOps is about enabling developers, and trusting them “as they will deliver security.”

“You cannot do digital transformation without security, it is a critical part of it,” Meakin said.

Categories: Cyber Risk News

#Infosec18: Infosec Pros Must “Get Their Hands Dirty” with Quantum Computing

Info Security - Tue, 06/05/2018 - 12:13

Quantum computing could unlock innovation and advance the human race in virtually all industries, but the information security community must act now to ensure it doesn’t expose them to greater risk, a leading CISO has argued.

Jaya Baloo, CISO at Dutch telecoms firm KPN, told attendees at Infosecurity Europe 2018 that quantum computing offers organizations a potentially exponential scalability when it comes to speed and computing power.

However, this “quantum speed-up” poses serious risks to traditional cryptography, in that a current problem that would take “the lifetime of the universe” to solve could end up taking just a few seconds.

With quantum computers potentially emerging in the next 10-20 years, information security professionals must act now, Baloo argued.

“You need to ask yourself which threat model do you have and how long do you have to keep it safe?” she added. “I need us all as an information security community to get our hands dirty now.”

Those organizations that need to secure data over an entire customer's lifetime could have a problem if they don’t prepare for the possibility that the crypto they use to secure it now may be effectively obsolete in a couple of decades, Baloo claimed.

What’s more, governments around the world including the US National Security Agency (NSA) are hoovering up encrypted communications with a “capture now, decrypt later” strategy which could see old state and trade secrets fall into the wrong hands in time.

As it currently stands, security pros could extend the lifetime of AES-256 encryption through the quantum computing era by increasing the key size, while SHA-256 and SHA-3 could still work securely with a larger output, claimed Baloo.

However, RSA, DSA, ECDSA and ECDH standards would no longer be effective, she warned.
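As an added note, not part of Baloo's talk as reported: the reason larger symmetric keys and hash outputs buy time, while RSA and the elliptic-curve schemes do not survive at any parameter size, comes down to which quantum algorithm applies to each.

$$
\text{Grover, unstructured search over } N = 2^{n} \text{ keys:}\qquad \text{queries} \approx \frac{\pi}{4}\sqrt{N} = \Theta\!\left(2^{n/2}\right)
$$

so an $n$-bit key, or an $n$-bit hash preimage, retains roughly $n/2$ bits of security: AES-128 falls to about $2^{64}$ work, AES-256 to $2^{128}$, and a SHA-256 preimage to $2^{128}$, which is why doubling the key or output length restores the original margin. By contrast,

$$
\text{Shor, factoring an } \ell\text{-bit modulus or a discrete log in a group of } \ell\text{-bit order:}\qquad \text{cost} = \operatorname{poly}(\ell)
$$

so the attacker's work for RSA, DSA, ECDSA and ECDH grows only polynomially in the parameter size, no practical key length restores exponential security, and those schemes have to be replaced rather than enlarged.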

Quantum computing could offer advances in everything from earlier detection of cancer to MRI scanning and even metrology.

Categories: Cyber Risk News

#Infosec18: Security Pros Must “Speak Truth to Power”

Info Security - Tue, 06/05/2018 - 11:25

Security leaders must “speak truth to power” more often to succeed in the boardroom, although the board needs to listen better and ask more questions related to risk, according to Baroness Harding.

The former TalkTalk CEO spoke to attendees at the opening keynote of Infosecurity Europe 2018 in London this morning about her experiences in charge during the infamous breach at the UK telco.

She urged introverted security professionals to be “brave and honest” rather than “hide and be heroic” in their dealings with the board – on everything from skills shortages to incident response.

She also had strong words for board leaders everywhere, claiming “no one is asking the right questions” when faced with their organizations’ security experts.

“The vast majority of boards want to abdicate responsibility by asking their security professionals ‘are we ok?’,” she argued.

CISOs should resist such questions, or steer them towards discussions around risk, Harding urged.

For those organizations in which security and business leaders both make an effort to “lean in” to better understand each other, there are potentially great rewards.

“That’s when you do brilliant product development,” argued Harding. “The danger with cybersecurity is that it becomes taboo. I’m willing to talk about [what happened] because if we make it a taboo the bad guys have won.”

Among the most crucial areas for security leaders to focus on is advising board members on the importance of decommissioning old pieces of the IT infrastructure that could be increasing their cyber-risk, she said.

It was a legacy website that ended up costing TalkTalk dear: it suffered a SQL injection attack that resulted in a breach affecting over 100,000 customers.

Despite conducting thorough pen testing, the firm’s security team did not find the vulnerability, “although we should have done,” said Harding.

She also expressed regret at not having disclosed the incident to customers sooner, despite commentators at the time arguing that the firm’s confusing media statements ended up doing more harm than good.

The Met Police wanted the firm to delay its announcement to see if they could get their hands on the suspects, she said.


#Infosec18: Stealthier Attacks are Blurring the Lines Between Cybercrime & Statecraft

Info Security - Tue, 06/05/2018 - 10:19

Speaking at Infosecurity Europe 2018 in London, George Kurtz, CEO and co-founder of CrowdStrike, reflected on the current global threat landscape and the latest cyber-trends.

Kurtz explained that some of the most advanced tactics, techniques and procedures commonly used by nation state actors are finding their way into mainstream online criminality, enhancing the challenges companies are facing to keep their data secure.

“Today’s threat landscape looks blurry,” he said, with significant changes in adversary types, attack methods and geography all playing a part. “Launching cyber-attacks has never been easier” for adversaries who are adopting and commoditizing more and more sophisticated techniques traditionally used by governments and the military, he added.

The speed of attacks is also having a big impact, with Kurtz stating that the average time for an intruder to begin moving laterally to other systems on a network is now just one hour and 58 minutes, so “speed is everything.”

With regards to the best practice strategies organizations should implement to defend against increasingly sophisticated attacks, Kurtz pointed out that traditional security is based on a castle-like “defense in depth” approach which is, in today’s landscape, indefensible, as eventually the castle will be overrun.

Instead, he advocated a new approach of “defense in breadth”, using breadth of platform and breadth of protection.

Breadth of platform must “provide all of the elements of an advanced, adaptive and truly integrated security architecture,” whilst breadth of protection must “give all organizations access to equal protection against all threats from the most common to the most advanced, 24 hours a day, 365 days a year.”


UK accountancy watchdog lodges complaints in Autonomy case - Tue, 06/05/2018 - 09:39
The UK's accountancy watchdog has lodged formal complaints against two former senior executives of Autonomy, the UK software company, and two of the company's former accountants.

#Infosec18: Regulation is Top Driver of Cybersecurity, Now & in the Future

Info Security - Tue, 06/05/2018 - 08:05

Infosecurity has released the findings of a recent survey of senior industry professionals to determine the key trends that are currently driving cybersecurity spending and behaviors, and what factors will drive it in the next five years.

Launched today at Infosecurity Europe 2018, the State of Cybersecurity Report, written by Infosecurity contributing editor Dan Raywood, revealed that 46% of the 32 CISO and analyst respondents polled considered GDPR and regulations to be the main driving force behind cybersecurity at the moment. In second place was the expanding threat landscape and evolving attacks (34%) and in third was greater board-level recognition of cybersecurity as a business risk (21%). Use of the cloud (21%) and selling via FUD/panic (18%) completed the top five.

“The GDPR is putting mitigation technologies such as encryption, tokenization and anything under the banner of anonymization/pseudonymization very firmly into public consciousness,” and will drive innovations in the tech and governance spaces, said consultant Neira Jones.

For Raef Meeuwisse, author of Cybersecurity for Beginners, the rapid evolution of the cyber-threat landscape was “without doubt the main driver for change” in the information security sector, with Scott Crawford, research director of the information security practice at 451 Research, adding that defenders are forced to make the best of limited resources to secure the entire attack surface. “How they make those decisions has been a key driver in everything from risk management to the embrace of modern analytics to better recognize and respond to threats,” he explained.

With regards to greater awareness of cybersecurity as a business risk, Dr Jessica Barker, co-founder of Redacted Firm, said the issue is increasingly in front of boards “who want the [security] team to tell them what they are doing,” so that management are aware of how the business is affected. However, Andy Samsonoff, CEO of invinsec, warned that “IT security is still seen as a niche or largely technical activity,” arguing that businesses that take this approach put themselves at greater risk of security and data breaches.

Looking to the future and the factors that will drive cybersecurity over the next five years, GDPR and regulations still came out on top (34% of respondents), with greater use of cloud platforms (34%), adoption of AI and automation technologies (28%) and increased creativity of attacks (28%) also proving popular.

To conclude, respondents were asked if they thought the cybersecurity industry was in a good place. Of the pros surveyed, 27 answered: 20 were undecided, taking a ‘yes and no’ viewpoint, four answered positively and three said it was not in a good place.

Dan Raywood, contributing editor, Infosecurity, will be presenting an overview of the research findings on Thursday June 7 at 12.45 pm in the Talking Tactics theatre at Infosecurity Europe.

You can download and read the report in full here


Qualys Expand Military Presence with Acquisition

Info Security - Mon, 06/04/2018 - 15:07

Qualys has announced its intent to acquire Second Front Systems, expanding its market presence in building and delivering cybersecurity solutions for the US federal government.

“This acquisition would enable us to strengthen our federal division and expand the reach of the Qualys Gov Platform to various government sectors including military and defense,” said Philippe Courtot, chairman and CEO, Qualys.

Second Front Systems sources cutting-edge solutions in cybersecurity and advanced intelligence analytics, and delivers these solutions by working to engage the appropriate government stakeholders and modifying technology platforms to address mission requirements. 

Courtot said: “The Second Front team has significant expertise helping federal agencies build state-of-the-art cybersecurity solutions as they embark on their digitization efforts. We hope to welcome the entire team to our federal division.”

The transaction is expected to close in either Q3 or Q4 of this year.

The announcement came on the same day as Microsoft announced that it had reached an agreement to acquire software development platform GitHub for $7.5bn.

Together, the two companies will empower developers to achieve more at every stage of the development lifecycle, accelerate enterprise use of GitHub and bring Microsoft’s developer tools and services to new audiences.

“Microsoft is a developer-first company, and by joining forces with GitHub we strengthen our commitment to developer freedom, openness and innovation,” said Satya Nadella, CEO, Microsoft. “We recognize the community responsibility we take on with this agreement and will do our best work to empower every developer to build, innovate and solve the world’s most pressing challenges.”

Microsoft corporate vice-president Nat Friedman, founder of Xamarin and an open source veteran, will assume the role of GitHub CEO. GitHub’s current CEO, Chris Wanstrath, will become a Microsoft technical fellow, reporting to executive vice-president Scott Guthrie, to work on strategic software initiatives.

“I’m extremely proud of what GitHub and our community have accomplished over the past decade, and I can’t wait to see what lies ahead. The future of software development is bright, and I’m thrilled to be joining forces with Microsoft to help make it a reality,” Wanstrath said.

“Their focus on developers lines up perfectly with our own, and their scale, tools and global cloud will play a huge role in making GitHub even more valuable for developers everywhere.”
