Let’s get back to basics in 2012

The proliferation of security issues over the last decade is mind-boggling. Phishing, malware, malicious web sites and, more recently, targeted attacks such as Stuxnet and Duqu are keeping security specialists on their toes. Back in 2005, Symantec identified and blocked roughly one such attack a week. Now we block 20 threats per second on average.
Add to this other challenges, such as the adoption of new technology like cloud solutions, consolidation among businesses and budget cuts, and it is no wonder that those in our profession are often spread thin. As more people bring consumer mobile devices into the enterprise, who is accountable for their security, and how is that accountability enforced? And as businesses merge, how do security teams bring disparate security strategies together?
Well perhaps we can’t do it all; at least, not like we used to. In 2012 we have to go back to basics and work out a new way to deal with all of these issues. The world is changing so fast and the cracks are already beginning to show.
This means taking a step back from all the spinning plates that we have been served and working out where we can simplify and be more efficient both in terms of time and cost, while working out what the business really needs and then matching those demands.
Back to basics is all about taking a step back, assessing the business landscape and the technology enablers, and reviewing our security strategy. It's all too easy to get so caught up reacting to the current challenges that we end up with an ugly security elephant, built one reactive control at a time. By stepping back and consolidating the strategy, process and tools, it is possible to gain more consistent visibility of what's going on so that, ultimately, we get the right balance for the business.
I am sure that by the end of 2012 there will be 101 more issues to deal with, so let's get our houses in order now to ensure the next 12 months become less, not more, daunting.
The challenges of securing industrial control systems

The security of industrial process control systems has risen to the top of everyone's agenda over the past 18 months to two years; the latest phase of this is the new ENISA report on security for industrial control systems. The trigger has largely been the Stuxnet worm and, more recently, the related Duqu malware, which together have made plain the sabotage and espionage threat to critical infrastructure running on SCADA (supervisory control and data acquisition) or other industrial control systems.
Industrial control systems have long been a part of our critical national infrastructure, providing key automation and control in systems as diverse as power plants, factories, water treatment plants and traffic control. The threats to these certainly aren't new: if you've seen The Italian Job you will know that attacking a computer system can be a way to cause chaos in the real world. At Symantec we've been tracking real-world threats of varying severity for over 20 years, so what is different today that makes this such a cause for concern?
The key to security in SCADA systems has historically been that they were run by SCADA engineers for SCADA engineers and operated as closed systems over which they had full control. They were air-gapped, completely disconnected from the wider corporate network. In recent years, however, these systems have increasingly been connected to the main IT network to provide management information and intelligent control. This is frequently done via a DMZ (demilitarised zone) network, but Stuxnet demonstrated how that can be overcome with the right thought and planning: it crossed the gap on removable media and through the engineering workstations used to program the controllers, so the segregation is only as strong as the devices and people that move between the two sides.
As a result, SCADA systems are exposed to all the threats and risks of a modern Internet-connected network. This makes it tempting to apply all the same tools and approaches we've developed in general information security to SCADA systems, but there are several reasons this is not feasible:
- AVAILABILITY is the most important property of a SCADA system, where general IT puts confidentiality first. Taking a system down to apply a patch or fix can have far-reaching impact well beyond inconvenience.
- SCADA systems are STATIC. Update windows for these systems are often once a year at best.
- SCADA systems are, in general, old. Often tied to large industrial investment projects, equipment can be up to 30 years old on the investment cycle.
This means connecting old technology to IP networks, which brings its own complications and difficulties before there is even an attempt to implement security and controls.
Rather than just trying to migrate Information security principles and controls wholesale, we need to look at merging information security and SCADA engineering best practice in order to provide the best protection and process.
Key to this is intelligence on threats to critical infrastructure and monitoring of the environment to understand what works. Workable patch management processes for SCADA software are also vital, within the constraints of limited operational windows, and implementing controls to protect the systems and environment in the interim should be high on the agenda; because these systems are static, compensating controls such as application whitelisting and strict network segmentation fit them better than they fit general-purpose IT.
SCADA or real-time systems need to rapidly learn the lessons of the last 20 years of Internet connectivity in order to provide protection against rapidly evolving threats. Through this process it will be possible to learn valuable lessons when protecting the entire environment against today’s cybersecurity threats.
The Power of Collaboration Against Cybercrime

Recently, I once again joined delegates from across the globe in Strasbourg to speak at the Council of Europe’s Cooperation against Cybercrime Conference. Bringing together industry, law enforcement, legal and policy experts, the conference marked the 10th year of the Budapest Convention – the first treaty for online crime that has aimed to define a common framework for cybercrime legislation.
In the decade since the treaty opened for signatures, 47 countries have signed, and 32 of those have converted it into local legislation. During the conference, seeing these countries stand up and proudly announce their efforts to implement cyber laws and, in some cases, even highlight early successful prosecutions, was a very powerful experience.
However, while the convention remains a great step forward, with nearly 200 countries in the world there is still plenty of work to be done. Not all of those countries are part of Europe, of course, but a precedent has already been set by non-European signatories such as the USA, Canada and Japan.
It was clear that the Council of Europe's cybercrime initiative isn't resting on its laurels, with the conference highlighting the next phases we can expect. These include training for judges and law enforcement, regional workshops, intelligence gathering and sharing, and a look at the broader picture of international cyber strategy and the role cybercrime plays in it.
The key topic that comes up year after year at the conference is 'cooperation', with public-private partnership seen as central to success. As an example of collaboration, 2Centre (www.2centre.eu) brings together academia, industry and law enforcement to drive training and create centres of excellence. So far, centres are being created in France, Ireland, Belgium and Estonia, with requests from many other countries.
The other key topic is capacity. As countries enact legislation, the burden moves downstream: law enforcement needs the resources to investigate, to handle ever-increasing volumes of forensic data, and to take on internationally standardised evidence-gathering processes and techniques.
When you consider these two themes together, a clear risk is apparent. As more collaboration takes place, there simply is not, at this point in time, the resource to scale to the evolving scope of cybercrime.
Security vendors such as ourselves can provide insight into the scale and scope of what we are seeing, at twenty-plus new threats per second, but given the increasing interdependency of networks and systems, greater coordination between the public and private sectors is vital. It enables a common understanding and recognition of possible cyber threats, and ensures that efforts and resources to address specific risks are deployed effectively. Information sharing partnerships have a key role to play in cooperation against cyber threats: they distil information into actionable data that can be used to address a specific risk and, where possible, to provide alerts.
My overwhelming thought at the close of the conference was, however, that it’s always amazing to see such international cooperation. We all have a role to play and it’s only with all of our participation that we can succeed.
A View from the London Conference on CyberSpace

In recent years, I’ve attended numerous events looking at the subject of cyberspace and the related threats, so what made the event hosted by the Foreign Office different from those that have come before? One significant variation that comes to mind first is the level of international support – with 60 countries coming together. Consequently, this event has provided a real opportunity to take another step forward in the direction of getting international discussion and co-operation on how to make the Internet a safer place for citizens, for businesses and for governments.
During the conference, I took part in a panel discussing “Policing in the Cyber Age”, focusing on the need for collaboration between the various law enforcement agencies, industry and the security industry. There were some great examples of initiatives to support tackling cybercrime, such as Symantec’s Norton Cybercrime Institute, which provides information on the genealogy of attacks, training and support to law enforcement agencies and judges.
What was evident was that whilst organisations such as the Police Central e-crime Unit (PCeU) and SOCA (the Serious Organised Crime Agency) can share some great case studies of cybercrime cases being effectively investigated and cybercriminals caught and prosecuted, I heard other nations admit they have had less success, with fewer than a handful of convictions to date.
What continues to stand out most to me are the additional hurdles and challenges that exist when dealing with cybercrime on an international level, from simple collaboration between agencies in terms of victim attribution, through to evidence and intelligence sharing. Consequently, it would seem that there are still legal and technical challenges and obstacles to developing partnerships needed to tackle cybercrime that unless addressed could become a cybercriminal’s best friend.
You could easily come away from such a conference alarmed at the scale of the challenge still ahead, but for me this was all positive, for the following reasons. To start with, this was the first event of its kind, and there is already a commitment to repeat the gathering for the next two years. From my perspective, this is an encouraging sign that actions will follow.
Secondly, it's only when we openly discuss today's challenges that we can start to see a way forward, and much of this is about smarter collaboration (between governments, law enforcement, legislators and industry).
Finally, we must remember that countries around the world are at different stages of digital development, and cybercrime is a relatively young problem. Many are still working out what legislation, resources and expertise, to name but a few aspects, they need to address the problems they face.
My hope is that this collaboration can help to tackle many of these issues, yet even at this first event, some of the most fundamental challenges started to be addressed:
• Knowledge exchange and education are crucial
• The networking between people, organisations and countries attending can only help raise the global bar for cybercrime prevention
• Skilled experts in criminology now need to translate their skills into global cyberspace.
Safety first when going virtual

According to a recent Symantec survey, the majority of small businesses see virtualisation as a big priority for the future. Reduced overheads, more flexibility with IT as well as the ability to scale up and down as and when business needs dictate, are just some of the benefits SMEs cite when asked why they are considering it.
But a hunger for greater productivity and efficiency can’t come at the expense of information security. So while virtualisation can offer small businesses a clear route to bottom line benefits, it can also expose them to new risks.
As a result, any small business looking to take advantage of a virtualised IT environment needs to take just as robust an approach to protecting its data as it would with physical, on-site servers. Antivirus, disaster recovery and firewalls are as crucial to deploy and maintain on virtual servers as anywhere else, and the hypervisor and its management console are a new, high-value target that needs patching and tight access control of its own.
But SMEs needn’t be put off of virtualisation because of potential risks. The following can help the transition to a virtualised environment to be safe and secure:
- Have a clear strategy: understand what you want to achieve by virtualising elements of your IT. Working with an external consultant can give you a fresh perspective. Once you have identified your objectives, you can assess what data needs protecting and put in place a strategy and policies to ensure data integrity is not jeopardised.
- Deploy the right security solutions: deploy all the necessary security software before you begin to use your virtual servers. Firewall, antivirus and endpoint security all need to be factored in to create a protective shell around your virtual IT, and that shell must cover every VM, including ones that are powered off or cloned from a template, since a dormant image silently falls behind on patches and signatures.
- Backup: having data stored off-site does not mean it is safe from threats. Back up the data on your virtual servers regularly, test that it restores, and have a disaster recovery plan ready should the worst happen.
#smbrisk – a great debate

You may have seen last month that I took part in a Twitter debate, hosted by Real Business magazine, along with UK entrepreneur James Caan. The hour-long debate, under the hashtag #smbrisk, brought together the small business community, industry experts and even a candidate from this year's 'The Apprentice', all debating the risk-taking nature of entrepreneurs. As organisations of all sizes look to ride out economic turbulence, we wanted to discuss why it is so important that small businesses are helped to understand and calculate the security risks to their information: what risks they are taking, and how they can minimise the associated threats.
We had a great response from the Twittersphere, with around 85 people getting stuck into the debate and generating nearly 300 tweets. It covered a wide variety of topics, from Government support for small businesses and the importance of protecting business-critical information to the risks posed by remote working, cyberattacks and natural disasters. James gave some great business insight and advice based on his own experience as a serial entrepreneur, and I got into some interesting conversations around information management and the importance of having the right technology and business processes in place to protect small businesses.
ITPRO's interview with James and me, following the Twitter debate, has some useful advice for businesses and SME managers, and the top tips below should help any SME manage its information safely:
1. Know what you need to protect: Today, small businesses’ critical information lives both within and beyond the walls of the office on servers, desktops, laptops and mobile devices. Look at where that information is being stored and protect those areas accordingly.
2. Combine policies and technologies: as the number and sophistication of web-based threats continues to rise, small businesses need more than traditional antivirus technology. Couple policies and education with an integrated solution to protect information wherever it is accessed.
3. Educate your employees: empower all employees to keep your information safe. Security awareness programmes help by providing guidelines that lead employees to consider the security implications of their actions. Password management should be part of this: strong passwords help protect the data on a laptop or smartphone that is lost or stolen. Strong passwords have eight characters or more and use a combination of letters, numbers and symbols (e.g. # $ % ! ?). The 90-day rotation that was standard advice when this was written is now discouraged by NIST SP 800-63B, which favours length, screening against breached-password lists and changing a password when compromise is suspected, because forced rotation tends to produce predictable variants.
4. Encrypt your information: Encryption technology converts information to make it unreadable to outsiders, and should be implemented on desktops, laptops, and removable media. With encryption, confidential information is protected from unauthorised access, providing strong security for intellectual property, and customer information.
5. Protect your endpoints: One of the most important yet simple steps to protect your information is implementing comprehensive endpoint protection. Keep the program up to date and take action to remove threats that are caught—ensuring that nothing malicious is passed through the business to customers.
6. Backup valuable data: back up important information regularly and keep extra copies off site. Employees should be trained to perform basic backup tasks unsupervised; systems, applications and files should be backed up daily, and the backups tested by restoring from them.
Tainted love….remembering the love bug of 2000

I realised the other day that an important anniversary passed me by last month: 4th May 2010 was the 10th anniversary of the love bug, the worm that e-mail servers will never forget.
When the love bug hit the world I was working at an independent security consultancy and this was one of the busiest days of my working life. We realised very early on in the day that this would be a game changer delivering on the threat that Melissa had shown was possible. After all, who can resist finding out why somebody loves them?
Many organisations were hit by the love bug and struggled because their users kept clicking on the worm to discover why they were loved, despite repeated warnings from their IT departments not to. In a matter of hours this took the proportion of infected e-mails from around 1 in every thousand to 1 in 30. A number of organisations I spoke to had to turn off their e-mail servers to stop users spreading the virus while they waited for the AV vendors to write signatures.
The love bug was big news at the time but, in retrospect, it came from an altogether more innocent age. It was designed to damage as many files as possible, in a vainglorious attempt to maximise the kudos of the author. Now most malware is geared towards financial gain, and the sharp increase in both sophistication and targeting makes us look at the love bug in a different light than we did at the time.
This is a different world we live in now. Although we still need signatures to catch and isolate mass-spreading worms such as Qakbot or Silly.FDC, the old signature-based adage, 'the first 10 systems get infected, the next 10,000 are protected', doesn't hold in a world where 75% of malware infects only 50 machines and the average piece of malware infects only 20. In a world where the generation of malware variants has been commoditised the way office software was 25 years ago, anti-malware vendors such as Symantec need new ways of protecting users. This is why we developed Insight, our file-reputation technology, which lets us weigh the context, prevalence and provenance of a file before allowing it to execute on a system.
We need to do this because malware has moved from hacking for kudos into a profit driven underground economy.
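To make the prevalence-and-provenance idea concrete, here is a toy reputation policy added for this page; it is not Symantec's Insight code and does not claim to reproduce its scoring. The thresholds (50 endpoints, 7 days), the trusted-publisher list, the blacklist and the file observations are all constructed for the demonstration. The point it shows is that a file that is young, rarely seen and unsigned is exactly the one a signature cannot yet cover, so it is held rather than allowed to run.

```python
"""Toy prevalence/provenance file-reputation policy (illustrative, not Insight)."""
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class FileObservation:
    sha256: str
    prevalence: int            # number of endpoints that have reported this hash
    first_seen: date           # first report of this hash anywhere in the telemetry
    publisher: Optional[str]   # subject of a valid code-signing chain, or None


# Assumed policy inputs (constructed for this example).
TRUSTED_PUBLISHERS = {"Example Software Ltd", "Contoso Corp"}
KNOWN_BAD = {hashlib.sha256(b"constructed malware sample").hexdigest()}


def reputation_verdict(obs: FileObservation, today: date,
                       min_prevalence: int = 50, min_age_days: int = 7) -> str:
    """Return 'block', 'allow' or 'quarantine' for a file about to execute.

    Order matters: a blacklist hit beats everything, a trusted signer beats the
    statistics, and only then do prevalence and age decide. Anything left over
    is rare and/or new, which is the profile of most malware seen in the wild.
    """
    if obs.sha256 in KNOWN_BAD:
        return "block"                      # classic signature/blacklist still applies
    if obs.publisher in TRUSTED_PUBLISHERS:
        return "allow"                      # provenance: a publisher we already trust
    age_days = (today - obs.first_seen).days
    if obs.prevalence >= min_prevalence and age_days >= min_age_days:
        return "allow"                      # prevalence + age: widely seen and not new
    return "quarantine"                     # hold for analysis instead of executing


def observe(content: bytes, prevalence: int, first_seen: date,
            publisher: Optional[str] = None) -> FileObservation:
    """Build an observation from file bytes; the SHA-256 is the reputation key."""
    return FileObservation(hashlib.sha256(content).hexdigest(),
                           prevalence, first_seen, publisher)


TODAY = date(2010, 6, 1)    # constructed reference date
SAMPLES = {                 # constructed telemetry, one entry per file
    "office_update.exe": observe(b"widely deployed update", 120000, date(2010, 3, 1)),
    "invoice.pdf.exe":   observe(b"constructed malware sample", 12, date(2010, 5, 31)),
    "internal_tool.exe": observe(b"in-house tool", 9, date(2009, 1, 15),
                                 publisher="Example Software Ltd"),
    "new_thing.exe":     observe(b"unknown download", 3, date(2010, 5, 30)),
}


def verdicts(today: date = TODAY) -> dict:
    """Apply the policy to every sample and return name -> verdict."""
    return {name: reputation_verdict(obs, today) for name, obs in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:20s} {verdict}")
```

Note the trade-off the order of checks encodes: a brand-new unsigned file that suddenly appears on 100,000 machines is still quarantined, because a fast-spreading worm looks exactly like that; a legitimate mass update avoids the hold by being signed, which is why the trusted-publisher path sits above the statistics.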
Wouldn't it be so much simpler if we could go back to a world where malware was created by amateurs and hobbyists attempting to disrupt as many computers as possible to maximise their fame, and where the only question in determining the impact was how recent and complete the backups were?
Something tells me that this is a dream of the past and we won’t see the innocence of the love bug again.
Get social, not paranoid

A recent survey by HCL Technologies shows that nearly half of all UK enterprises (48%) ban access to social media sites. The reason given was not productivity but concern about damage to the business's reputation from derogatory comments posted on social networking sites. The point to consider is whether this really protects the company in the way intended: in the modern world of mobiles and always-on connectivity, employees can post in any number of ways, even while sitting inside the corporate network.
In reality, smart companies can permit access to social networking sites by taking advantage of the protection in which they have already invested. Traffic to the sites can be scanned for malware, user postings monitored and scandalous or confidential information can be blocked before being posted to the site…and all while providing a motivational tool to employees by allowing access to social media sites. It seems that a more social approach to online interactions is here to stay and an approach that accepts this and deals with it will help organisations to understand and manage risk while also making full use of social media in marketing and customer interactions.
Disposing Of Mobile Phones – Potential Data Leaks

In a recent survey, half of the mobile phones that are recycled and passed on to a new owner contained sensitive information. This shouldn't really come as a surprise, as organisations are only just getting the message about disposing of old computer systems and ensuring the data has been suitably destroyed.
It is very easy, especially as an individual, to rush in and pick up a shiny new phone when the contract expires, or to request a new phone from the IT department when the corporate one dies. But users need to be aware that they must wipe the data first, and from a corporate perspective the returned device should be wiped a second time as a precaution. A factory reset alone is not always enough: remove the SIM and any memory card, which a reset typically does not touch, and on older handsets without full-device encryption assume a reset may leave data recoverable.
A quick email out to employees pointing out the issues with data on old phones when they are returned / recycled will go a long way in creating awareness around the problem – from both the personal and the corporate perspectives. And a check / update on security policies and procedures for mobile phone disposal will go a long way to sorting out the problem. Bearing in mind a lot of mobile devices are now just as powerful as laptops (in that they contain considerable quantities of sensitive data, and often have access to corporate applications over the Internet), the check should be made before the auditors come round and check for you…
Guy Bunker
Data breach cost hits £1.9 million per incident

£71 per record is how much data breaches cost UK organisations in 2010 – up 13 per cent from 2009, and amounting to a massive £1.9 million per incident. These findings were part of an annual study looking at the UK Cost of a Data Breach from the Ponemon Institute, sponsored by Symantec.
An interesting highlight of the study is that malicious or criminal attacks were the most expensive form of data breach, at £80 per record. Such attacks accounted for 29 per cent of the total, up seven points from last year. The expenses associated with a data breach include detection, escalation, notification and customer churn due to diminished trust. The most expensive breach in this year's study cost a company £6.2 million to resolve, up £2.3 million from last year's most expensive breach. With such high costs, preventing data breaches is serious business.
Another noteworthy point is the growing importance of mobile device encryption. Respondents put the likelihood of insecure mobile devices, such as smartphones or tablets, accessing company data at 84 percent, an increase of 9 points on 2009. Organisations are recognising this risk, with 64 percent rating mobile device encryption very important or important, up 13 points from 2009.
The full report is available from the Ponemon Institute and Symantec; we'd recommend organisations follow these best practices, whether or not they have suffered a data breach:
1. Assess risks by identifying and classifying confidential information
2. Educate employees on information protection policies and procedures, then hold them accountable
3. Deploy data loss prevention technologies which enable policy compliance and enforcement
4. Proactively encrypt laptops to minimise consequences of a lost device
5. Integrate information protection practices into businesses processes
- Robert Mol, director of product marketing, Europe, Middle East and Africa, Symantec.
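Both the social media post above ("confidential information can be blocked before being posted") and best practice 3 here ("deploy data loss prevention technologies") describe outbound content inspection without showing what the inspection does. The following is an added toy DLP filter written for this page; it is not Symantec's DLP product or the mechanism either post refers to. The confidential terms and the sample posts are constructed. It combines a payment-card pattern validated with the Luhn checksum (so a 13-digit order number is not a false positive) with a case-insensitive term list, and it can either block a post or mask card numbers before release.

```python
"""Toy outbound DLP filter for social-media posts (illustrative, not a product)."""
import re
from typing import List, Tuple

# Constructed list of terms the hypothetical policy treats as confidential.
CONFIDENTIAL_TERMS = ("project falcon", "q3 forecast", "internal only")

# 13 to 19 digits with optional single space or dash separators, not part of a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def inspect_post(text: str) -> List[Tuple[str, str]]:
    """Return (finding_type, excerpt) pairs for everything the policy would block."""
    findings: List[Tuple[str, str]] = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):                     # pattern alone is not enough
            findings.append(("card_number", m.group(0)))
    lowered = text.lower()
    for term in CONFIDENTIAL_TERMS:
        if term in lowered:
            findings.append(("confidential_term", term))
    return findings


def should_block(text: str) -> bool:
    """Block-on-any-finding policy; a real deployment would weight by finding type."""
    return bool(inspect_post(text))


def redact(text: str) -> str:
    """Mask Luhn-valid card numbers (keep last four) so a post or log line is safe to keep."""
    def mask(m: "re.Match") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)                   # not a card number, leave it alone
        return "*" * (len(digits) - 4) + digits[-4:]
    return CARD_CANDIDATE.sub(mask, text)


SAMPLE_POSTS = [                                # constructed for this example
    "Loving the new office coffee machine!",
    "Paying with 4111 1111 1111 1111 now",
    "Project Falcon slips to Q3, ugh",
    "Order #1234567890123 shipped",
]


def decisions(posts: List[str] = SAMPLE_POSTS) -> List[str]:
    """Apply the policy to each post and return 'block' or 'allow' per post."""
    return ["block" if should_block(p) else "allow" for p in posts]


if __name__ == "__main__":
    for post, decision in zip(SAMPLE_POSTS, decisions()):
        print(f"{decision:5s} {redact(post)}")
```

Two practical caveats apply to anything built on this shape. Inspecting posts to social sites means the web proxy must terminate TLS for those sites, which needs the corporate root certificate on every endpoint and a policy decision about what not to intercept; and text matching sees only text, so a screenshot of the Q3 forecast passes straight through unless image content is also inspected.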