JULY-AUGUST 2015 WWW.SCMAGAZINEUK.COM
What’s wrong with CBEST? The industry grapples with how best to ensure critical infrastructure deploys first-rate practice P19
Women in security: Changes are afoot, while the reasons for the lack of women in IT security remain a topic of debate P21
A CRITICAL THREAT: Attacks on critical national infrastructure are a growing concern, set to present even more of a problem as SCADA systems become internet enabled
Guest speaker Ian Glover, President of Crest
Best Security Company - Tenable Network Security (Left) Matthew Alderman; (Right) David Cummins
Do you work in Cyber Security or want to? Then join the UK’s largest online job board for cyber security professionals...
Register now to receive job alerts tailored to your particular skill set
Upload your CV now and be seen by companies that are hiring right now
Relax: Sit back and let us do all the hard work for you...
www.scmagazineuk.com • July-August 2015 • SC 3
website scmagazineuk.com • twitter twitter.com/scmagazineuk • facebook facebook.com/scmagazineUK
NEWS/FEATURES
6 IQ Debate - Are the lack of role models and negative image the main reasons for the scarcity of women in IT security?; 2014 breach highlights; 2 mins on Duqu 2.0; plus news and movers and makers
12 A critical threat - Attacks on critical national infrastructure are a growing concern as SCADA systems become internet enabled
19 What’s wrong with CBEST? - The industry grapples with how best to ensure critical infrastructure deploys first-rate practice
21 Women in security - Changes are afoot, while the reasons for the lack of women in IT security remain a topic of debate
24 Case Study: North Wales Fire and Rescue Service - Encryption solution secures email
25 Security on the agenda - Report from SC Magazine UK’s recent roundtable
26 SC Awards Europe 2015 winners
Cover image: CERN
JULY-AUGUST 2015
OPINION
5 Editorial A critical problem
34 Last word Cyber-blackout: The dangers within and without the grid by Oliver Eckel
PRODUCT REVIEWS
28 What makes DLP so hard? You can’t get to DLP without data classification, by Peter Stephenson
29 Bolden James Classifier v3.7
30 Code Green Networks TrueDLP
31 Identity Finder Sensitive Data Manager
32 Titus Classification Suite
33 Varonis DatAdvantage and Data Classification
Dr Stefan Lüders explains control systems under cyber-attack P12
Jennifer Steffens sheds light on the improvements of female engagement in IT security P21
CBEST has its critics - and defenders P19
Academic excellence for business and the professions
Bridge the gap between IT security and business risk. Start here.
Aimed at IT professionals (with at least two years of work experience), MSc Management of Information Security and Risk will help enhance the skills needed to progress to a management role in information security and business risk management areas.
Students on the course have been employed full-time in companies in various sectors, from aviation, auditing (e.g. KPMG), media (e.g. Sky, Sony), finance (e.g. Deutsche Bank, Charles Stanley), small and medium enterprises, government and NHS trusts.
• Learn about the technical and business issues that can bridge the gap between IT security and business risk
• Understand how to communicate these risks to both technical staff and executive business teams (CEO, CIO, CFO and COO) in a language they share
• Focus on human-machine interaction and decision-making within today’s increasingly complex Political-Economical-Socio-Technical (PEST) systems
• Find out about the latest industry and government standards, legislation and best practice from leading technical experts
• Network with peers to compare and contrast best practices from different industries.
Scholarships are available.
We offer other postgraduate computer science courses, including an MSc in Data Science and MSc in Cyber Security. To learn more, please visit www.city.ac.uk/subjects/computing.
Email enquiries [email protected]
Telephone enquiries +44 (0) 20 7040 0248
Find out more, visit www.city.ac.uk/misr
Editorial
A critical problem
It’s been five years since Stuxnet helped shut down an Iranian nuclear power station, but according to Czech security firm Kleissner & Associates at least 153 devices around the world are still infected with the worm. Since then Shamoon hit the Saudi Aramco oil company, and physical damage was caused by a cyber-attack on a German steel mill’s blast furnace. This year, the FBI reported a passenger hacking into a plane’s controls in flight.
We know our critical infrastructure is under threat and in this issue SC looks at the problem and what can be done. With thousands of attacks recorded on utilities, it only takes one sophisticated attack to be successful, as Oliver Eckel acknowledges (p34).
Dr Stefan Lüders, head of computer security, CERN (p14) told SC that organisations need to ask the same questions about how to secure control systems that they would ask when securing a computer centre. Others feel it’s necessary to segment systems. There are calls for mandatory standards, while some say that voluntary compliance and a risk-based approach will allow expenditure on real security issues.
But all agree that the risk owner must be identified at the outset. The breach has often already happened, so knowing what devices are connected to the network and monitoring for anomalies is vital. As Peter Gibbons, head of cyber-security, National Rail (p16) explains, we need to understand our requirements and ensure they are put in at product development.
However, Robert Malmgren, senior security expert, ROMAB (p18) notes that because SCADA communication patterns are simple and deterministic, good defence-in-depth strategies make it possible to combat high-level attacks.
The keys to control system security include covering the basics - patching, using automation to overcome skills shortages, building in security, creating standards for secure products and applying the same to your supply chain.
To aid resilience, CBEST (p19) advises use of the latest threat intelligence - partnered, proprietary, government or private - while Oliver Eckel (p34) concludes: prepare for blackouts!
Meanwhile, the tide finally appears to be turning for women in security (p21).
Photo: Julian Dodd
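The editorial's two practical points, that you must know which devices talk on the control network and that SCADA traffic is simple and deterministic enough for anomaly monitoring to work, can be turned into a concrete check. The following is an added example written for this page, not code from SC Magazine or from any of the experts quoted: it learns a whitelist of which client polls which server with which request type during a clean baseline window, then flags anything that deviates. All IP addresses, timestamps and log lines are constructed for the example, and the function names merely mirror Modbus request types.

```python
from collections import defaultdict

# Added example (not from the editorial): a whitelist-style anomaly detector
# for control-system traffic. It learns which client talks to which server
# with which function during a baseline window believed to be clean, then
# reports any conversation that deviates from that baseline. All hosts,
# timestamps and log lines are constructed; "func" values mirror Modbus
# request types but the record format itself is an assumption.


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record of the form ts,src,dst,port,func."""
    ts, src, dst, port, func = line.strip().split(",")
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "func": func}


def learn_baseline(lines) -> dict:
    """Build the whitelist: known hosts plus functions seen per (src, dst, port)."""
    allowed = defaultdict(set)
    hosts = set()
    for flow in map(parse_flow, lines):
        hosts.update((flow["src"], flow["dst"]))
        allowed[(flow["src"], flow["dst"], flow["port"])].add(flow["func"])
    return {"hosts": hosts, "allowed": dict(allowed)}


def detect_anomalies(baseline: dict, lines) -> list:
    """Return one alert per flow not covered by the baseline, most severe reason first."""
    alerts = []
    for flow in map(parse_flow, lines):
        key = (flow["src"], flow["dst"], flow["port"])
        if flow["src"] not in baseline["hosts"]:
            reason = "unknown-source"          # a device that never spoke before
        elif flow["dst"] not in baseline["hosts"]:
            reason = "unknown-destination"     # a server nobody polled before
        elif key not in baseline["allowed"]:
            reason = "unexpected-conversation"  # known hosts, new pairing
        elif flow["func"] not in baseline["allowed"][key]:
            reason = "unexpected-function"     # e.g. a read-only HMI starts writing
        else:
            continue                            # matches the deterministic pattern
        alerts.append({"ts": flow["ts"], "src": flow["src"], "dst": flow["dst"],
                       "func": flow["func"], "reason": reason})
    return alerts


# Constructed baseline: two HMIs polling two PLCs on the Modbus/TCP port.
BASELINE_LOG = """\
08:00:00,10.0.1.10,10.0.2.20,502,read_holding_registers
08:00:01,10.0.1.10,10.0.2.21,502,read_holding_registers
08:00:02,10.0.1.11,10.0.2.20,502,read_coils
08:00:05,10.0.1.10,10.0.2.20,502,read_holding_registers
""".splitlines()

# Constructed observation window: one normal poll followed by four deviations.
OBSERVED_LOG = """\
09:00:00,10.0.1.10,10.0.2.20,502,read_holding_registers
09:00:01,10.0.1.10,10.0.2.20,502,write_multiple_registers
09:00:02,10.0.1.99,10.0.2.20,502,read_holding_registers
09:00:03,10.0.1.11,10.0.2.22,502,read_coils
09:00:04,10.0.1.11,10.0.2.21,502,read_coils
""".splitlines()

if __name__ == "__main__":
    for alert in detect_anomalies(learn_baseline(BASELINE_LOG), OBSERVED_LOG):
        print(alert)
```

The approach only works as well as the baseline: if an intruder is already active while the whitelist is learned, their traffic is whitelisted too, so the learning window should be reviewed against the asset inventory before the detector is trusted.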
Editorial VP, EDITORIAL Illena Armstrong [email protected]
EDITOR-IN-CHIEF Tony Morbin +44 (0)20 8267 [email protected]
SENIOR REPORTERS Doug Drinkwater +44 (0)20 8267 [email protected]; Reeve +44 (0)20 8267 [email protected]
TECHNOLOGY EDITOR Peter Stephenson
Production PRODUCTION MANAGER Alison Boydall +44 (0)20 8267 4215 [email protected]
PRODUCTION CONTROLLER Laura Bajorunaite +44 (0)20 8267 [email protected]
ART DIRECTOR Michael Strong [email protected]
PRODUCTION EDITOR Danielle [email protected]
Events PROGRAMME DIRECTOR, SC CONGRESS Eric S Green +001 914 244 0160
VIRTUAL EVENTS COORDINATOR Payal Padhiar +44 (0)20 8267 [email protected]
Circulation and Subscriptions +44 (0)8451 55 73 55 [email protected]
List Rental Alex Foley +44 (0)20 8267 4964
Sales VP, SALES David Steifman [email protected]
ACCOUNT DIRECTOR Martin Hallett +44 (0) 20 8267 8280 [email protected]
ACCOUNT MANAGER Dennis Koster +001 646 638 6019 [email protected]
Publishing PUBLISHING MANAGER Gary Budd
CHIEF EXECUTIVE Kevin Costello
How to contact us: SC Magazine, Haymarket Management Group, Teddington Studios, Broom Road, Teddington, Middlesex TW11 9BE, UK TELEPHONE: +44 (0)20 8267 8016 PRESS RELEASES: [email protected] rates SC ONE YEAR: UK £85, EU €161, RoW $224 SINGLE ISSUE: £12; +44 (0) 8451 55 73 55 to subscribe Repro: Born Group, London. Printer: Stephens and George Print Group, Goats Mill Road, Dowlais, Merthyr Tydfil, Mid Glamorgan CF48 3TD
Published by Haymarket Media Group, Teddington Studios, Broom Road, Teddington, Middlesex TW119BE, UK. No part of this publication may be reproduced in whole or in part, or stored in a retrieval system, or transmitted in any form, without written permission of the publisher. All material published in SC Magazine™ is copyright © Haymarket Business Media. The views expressed
by contributors and correspondents are their own; responsibility for the contents of the magazine rests solely with the editor. All rights reserved. All trademarks are acknowledged as the property of their respective owners. While every care is taken, the publishers cannot be held legally responsible for any errors in articles or listings, nor can they be held legally responsible for any injury and/or damage to persons or property from any use or operation of any methods, products, instruction or ideas contained in the material published herein.
Haymarket is certified by BSI to environmental standard ISO14001
4 million - Number of US government employees whose data was lost in the OPM breach – US Department of Homeland Security
30% - Amount that women in cyber-security get paid more than men – BeecherMadden
57% of CEOs hold themselves accountable for major cyber-security incidents – Veracode and Cebr
NEWS BRIEFS
» Following re-election of the Conservative Party into government in the UK, the new government confirmed plans to push on with the Draft Communications Bill, known as the ‘Snooper’s Charter’, ostensibly to help to monitor online terrorist communication and keep citizens safe from cyber-attacks.
The government says that “new legislation will modernise the law on communications data”, ie the Draft Communications Data Bill, which now comes under the Investigatory Powers Bill. The Bill would force UK-based ISPs to keep vast amounts of data on customers, and make it available to government and security agencies on request.
Its justification is to “provide the police and intelligence agencies with the tools to keep you and your family safe”, whilst addressing “ongoing capability gaps that are severely degrading the ability of law enforcement and intelligence agencies ability to combat terrorist and other serious criminals”.
» Industrial cryptography company Eris Industries is the second UK firm to relocate over fears of surveillance imposed by the incoming Draft Data Communications Bill (see above). The company, which builds Blockchain infrastructure, promised to move out of the country should the Draft Data Communications Bill come to law.
“Eris Industries’ position is that this proposed bill would impinge vital and legitimate business interests of our company,” said the company’s COO Preston Byrne.
Eris Industries is, with immediate effect, moving its corporate headquarters to New York.
Meanwhile PGP (Pretty Good Privacy) creator Phil Zimmermann says he is moving his privacy start-up, Silent Circle, from the US to Switzerland due to surveillance fears. Social media start-up Ind.ie vowed to leave the UK over these same fears.
» 90 percent of large companies suffered a data breach over the last year, compared to 81 percent the previous year, according to the PwC ‘2015 Information Security Breaches Survey’. Among small SMEs 74 percent reported breaches compared to 60 percent a year earlier.
Average breach cost for a large firm is now between £1.46 million and £3.14 million, compared to between £600,000 and £1.15 million in last year’s report. The average breach cost varied between £75,000 and £311,000 for SMEs, up from £65,000 to £115,000 in 2014. Staff-related breaches affected three-quarters of large firms, and 31 percent of smaller firms, representing rises from 58 percent and 22 percent compared to a year ago.
Half of the worst incidents were caused by “inadvertent human error”, while deliberate misuse of systems by employees and contractors accounted for 18 percent of the most serious breaches.
» The US government should have been better prepared for the massive data breach that exposed the personal details of more than four million of its employees, say experts.
The Department of Homeland Security (DHS) said that the FBI is investigating a breach at the Office of Personnel Management (OPM) and the Interior Department.
The Chinese Foreign Ministry in Beijing has denied a claim by Republican Senator Susan Collins that China is to blame. The breach, thought to have started in May, and detected by the EINSTEIN intrusion detection system, could impact every federal agency, as OPM serves as the human resources department for the federal government.
James Maude at Avecto said: “Federal employees will be especially concerned as OPM will store highly detailed information that would be more than enough to identify someone, compromise their identity or monitor them.”
» The government’s emergency surveillance law, the Data Retention and Investigatory Powers Act (DRIPA), is being challenged in the courts by the human rights organisation Liberty on behalf of two MPs, former Conservative minister David Davis and Labour’s Tom Watson. They are calling for a judicial review, saying that when the bill was fast-tracked through Parliament in a single day in July 2014, the justification was false, making the decision unlawful.
The government claimed that without the new law the UK’s ability to fight crime and protect the country against terrorism would be seriously impeded, as a ruling by the European Union’s Court of Justice had rendered existing powers illegal.
» German daily Der Spiegel reports that Russia is the primary suspect in a cyber-attack on the Bundestag.
German government officials simply advised that all evidence points to a state-sponsored attack. Trojan malware infiltrated the entire Bundestag network - including lawmakers’ computers - all thought to be defenceless. It is a strong possibility that this malware could have been sitting on computers for months, or even years. The malware used firmly resembles that used in a prior 2014 attack on a German data network, according to Der Spiegel’s report.
» The US sought to launch a cyber-attack against North Korea’s nuclear weapons programme but failed, according to Reuters. It says that the US tried to deploy the malware in a bid to stifle the country’s nuclear ambitions but the attack, allegedly led by the NSA, was prevented by North Korea’s secrecy.
The Stuxnet attack was reportedly conducted in tandem with the similar, but successful, campaign against Iran’s nuclear programme in 2009. US intelligence sources said that developers created a related virus that would activate when it encountered Korean language settings on an infected machine.
But in North Korea, this malware could not access core machines that ran Pyongyang’s nuclear programme.
Venom spat out
Initial reports of the ‘Virtualised Environment Neglected Operations Manipulation’, or ‘Venom’, vulnerability portrayed another Heartbleed, but while it is potentially serious it’s relatively easily defended against.
CrowdStrike security researchers discovered the zero-day, which affects virtual machines and which could allow an attacker to “escape out of the virtual machine and execute code on the host with full privileges”. The Venom flaw itself is found within the QEMU virtual Floppy Disk Controller, used in KVM and Xen hypervisors.
It affects virtual machines - pervasive across enterprises and core to public cloud platforms - plus it’s the first large-scale vulnerability of its type, a virtualised system known to host vulnerabilities. If weaponised it could potentially be used for a mass-hack of a virtualised environment.
However, it’s less easy to exploit than Heartbleed or Shellshock. Releasing proof-of-concept code would make it easier than now, but the exploits would only work on unpatched code. Vendor updates mean ‘very limited’ impact for most public clouds. The most vulnerable targets will be users running downstream packages, that is companies running their own in-house virtualisation stack with poor patch management. Even then an attacker needs remote code execution on a guest VM for a successful exploit.
Movers and makers
» Christos Dimitriadis has been elected as international president of ISACA. Dimitriadis has more than 14 years of experience in information security and has written more than 110 security publications.
» Intel Security has appointed Andrew Elder as the new president of EMEA operations. Elder has more than 25 years of experience in the sector and says he is committed to delivering the best service possible.
» Emily Baum, business development director at PrePay Solutions, has been elected to serve on the board of the Prepaid International Forum (PIF). Baum has been at the helm of the market for eight years.
» FireMon has appointed Brandy Peterson as chief technology officer. Peterson brings over 18 years of IT security and software engineering experience.
» The British Computer Society (BCS) awarded the 2015 Lovelace Medal to Prof. Ross Anderson, for his outstanding contribution to the understanding and advancement of computing.
» Elbit Systems has signed an agreement to acquire NICE Systems’ Cyber and Intelligence Division. It will merge into CYBERBIT LTD, an Elbit Systems subsidiary.
Christos Dimitriadis
2014 BREACH HIGHLIGHTS
42.8m detected attacks in 2014.
48% increase in incidents since 2013.
40% of the largest breaches took place.
37% 90% due to insider threats.
increase in targeted attacks.
91% could have been prevented.
What attacker presents the greatest cyber threat to your organisation?
Malicious insider: 37%
Criminal syndicates: 28%
State sponsored attacker: 19%
Hacktivists: 18%
Lone worker hacker: 2%
Other: 1%
[Chart: Businesses large & small - your chance of attack, 2012 and 2013, for Large Enterprises (>2,501 employees), Medium Businesses (251-2,500 employees) and Small Businesses (1-250 employees); chart values 39%, 31%, 30%, 31%, 50%, 19%. Risk of being targeted: 1 in 5.2; 1 in 2.3]
229: average number of days threats sit on a network before being detected. Longest presence: 2,287 days.
Sources: www.pwc.com; www.ponemon.org; www.cybersecurityventures.com; www.otalliance.org • Mandiant 2014 M Trends Report – Beyond the Breach; Secure:Data Infographic – Managed Security Services on the Rise; OTA 2015 Data Protection & Breach Readiness Guide
2 MINUTES ON...
Duqu 2.0: a massive advance
As APT sophistication grows we’re all at risk – even security vendors
The news last month (June) that Kaspersky Lab, one of the leading international cyber-security companies, was hit by a “next-generation” malware attack is an indication of both how far we have come in cyber-warfare and how much further we still have to go.
Eugene Kaspersky, founder of Kaspersky Lab, is certain that the software used in the attack represents version 2.0 of Duqu. According to Kaspersky Lab’s analysis of Duqu 2.0, it is highly sophisticated malware which shows all the signs of having been crafted by someone with the resources of a nation-state behind them.
Duqu 1.0 is malware discovered in 2011 by the Budapest University of Technology and Economics in Hungary. Thought to be related to the Stuxnet worm, it got its name from the prefix “~DQ” it gave to the names of files it created.
As Eugene Kaspersky has been at pains to explain, Duqu 2.0 is a massive advance on Duqu 1.0, exploiting three zero-day vulnerabilities, spreading through the system using MSI files, not creating or modifying any disk files or system settings and existing almost totally in memory.
Other cyber-security experts are in agreement about its sophistication. “After reviewing the technical analysis from Kaspersky, it’s safe to say that Duqu 2.0 represents both the state of the art and the minimum bar for cyber-operations,” Tod Beardsley, engineering manager at Rapid7, told SC Magazine UK.
Such was its stealthiness, Kaspersky believes the attackers were confident that they would not be discovered.
So this was a super-sophisticated zero-day attack but the method of entry into the network was distinctly old-school – an email attachment – which was sent to one of the company’s sales representatives, purportedly from a customer or trusted supplier. The industry will be alarmed that a company with Kaspersky Lab’s expertise found itself invaded in this way. Eugene Kaspersky blames modern operating systems and their distinctly archaic security.
“Unfortunately modern operating systems were designed in a way, based on ideas and architecture of 40 to 50 years ago, and they are not immune to this kind of attack,” Kaspersky told SC during a live video interview.
If there’s one part of this attack that Eugene Kaspersky is downplaying, it’s the value of the information that the hackers managed to get from his network.
Although the attackers were in the network for months, exfiltrating data about Kaspersky Lab research and processes, he insists that anti-malware software is evolving so quickly that the value of the information to the hackers is decaying rapidly.
Industry experts aren’t so sure. By its nature, Duqu 2.0 operated in memory, possibly in a way that ensured nothing was written to the system, so that when the system was rebooted it would be almost impossible to detect.
This leads some to think that it’s impossible for Kaspersky Lab to know what information was compromised.
So what are the likely long-term ramifications of this attack on the industry and Kaspersky Lab?
Gautam Aggarwal of Bay Dynamics is one expert who believes we haven’t seen the end of this story. He says there are similarities to what happened to RSA in 2011, in which over 100,000 OTP authentication tokens were stolen. Weeks later Lockheed Martin was attacked by someone using legitimate usernames and OTP tokens, enabling them to steal secret blueprints.
Aggarwal speculates that the Kaspersky attackers could be looking for vulnerabilities in the Kaspersky secure OS to be able to launch attacks on client sites.
As damaging as it might be to admit to being hacked in this way, Kaspersky Lab has clearly decided to own this story by releasing it on its own terms. Kaspersky said the company has shared the information with its technology partners, law enforcement agencies and customers.
It has won plaudits for being open, with a company official telling SC that this is proof of the company’s commitment to transparency.
Discovering this vulnerability is also a success story of sorts. Although Duqu 2.0 remained undetected for months, it was discovered while the company was testing a new APT detection tool on its own servers, a fact that Eugene Kaspersky was more than happy to share. As SC went to press, further concerns arose as it seems Duqu 2.0 successfully hid behind a legitimate digital certificate stolen from Foxconn, potentially undermining certificate credibility.
– Source: www.cyberseer.net
Eugene Kaspersky’s company attacked by Duqu 2.0.
Debate » IT Security’s male image and lack of female role models are the main reasons for the scarcity of women in the industry
Pro
The lack of women in IT security stems from women’s vast underrepresentation in computer-related careers. The number of women in computing peaked in the 1980s at 38 percent and has declined to its current 20 percent.
The decline correlates to 1980s mass marketing of PCs as toys/games to boys. The movie WarGames famously portrays a boy hacker saving the world while his girlfriend watches adoringly.
College Board reports 50 percent more boys than girls leave high school with computer experience and of those reporting no computer courses, two-thirds were girls. With declining interest and exposure, girls enter college and the workforce lacking confidence that they possess the skills and personality necessary for successful IT security careers.
The solution lies in multi-pronged approaches that provide girls with hands-on experiences, provide women and men in successful careers in IT/IT security as mentors/role models, and give girls confidence from computer-related coursework.
– Phyllis Kolmus, immediate past president, Women in Technology, womenintechnology.org
Anti
The main reason there are not more women in IT security is due to the lack of learning resources. This lack of resources has created a barrier to the opportunity to learn. Practical IT security is not offered in schools. Available training has been too expensive, as individual classes have traditionally cost between £1,609 to £3,219. That price point also has made training impractical. You pay a premium for a class and then the technologies become obsolete almost immediately. Also, classes for advanced topics aren’t readily available.
Further, given that the industry started out as male-dominated, women are often automatically excluded from participating in other sources of learning, such as forums and online communities.
So again, the lack of accessible learning resources has been the primary factor for why there is a lack of women in IT security up until now.
– Ryan Corey, cofounder, Cybrary, cybrary.it
THEY SAID IT
“Men have long dominated the technology industry, but the growing number of women entrepreneurs and business leaders can’t be ignored.”
– VANESSA VOLTOLINA, LIFESTYLE EDITOR AND WRITER, ENTREPRENEUR.COM
THREAT OF THE MONTH
Cryptolocker
What is it?
Cryptolocker/Cryptowall is ransomware targeting Microsoft Windows devices. This trojan selectively encrypts your data. Once encrypted, your data is held for ransom by the attacker (who holds the key).
How does it work?
The trojan is commonly delivered through spear-phishing. Once installed it contacts the attacker’s infrastructure (C&C) to register and generate a new set of keys. The public key is then sent back to your device and the trojan starts looking for data to encrypt. You are then presented with the ransom note threatening to destroy the private key (which is in the attacker’s possession) unless you pay.
Should I be worried?
Yes. This is a very profitable crime. If your data gets encrypted with the attacker’s key, it is difficult to decrypt without the private key.
How can I prevent it?
Backup your data regularly. Watch out for spear-phishing. Use dynamic network blocking to prevent infections and to disrupt communications with the attacker’s infrastructure.
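The box describes the trojan looking for data and rewriting it as ciphertext. As an added illustration that is not part of the magazine's text, the following detector watches for that host-side symptom: many documents jumping from low to high byte entropy within a short window. The thresholds, file paths and write events are constructed assumptions.

```python
"""Added example (not code from SC Magazine): a crude host-side detector for
the behaviour described in the box, a process rewriting many user files with
ciphertext in a short time. It compares the Shannon entropy of each file's
bytes before and after a write: ordinary documents score a few bits per byte,
encrypted output scores close to 8. Thresholds and file events are assumptions."""
from __future__ import annotations

import math
import random
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for one repeated byte, ~8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass(frozen=True)
class WriteEvent:
    """One observed rewrite of a file: timestamp (seconds) and contents before/after."""
    ts: float
    path: str
    before: bytes
    after: bytes


class EncryptionBurstDetector:
    """Fires when `threshold` distinct files within `window` seconds each jump
    from low entropy (< low) to high entropy (>= high). A single such rewrite
    is normal (saving a zip, for instance); a burst across many documents is not."""

    def __init__(self, window: float = 60.0, threshold: int = 5,
                 low: float = 6.0, high: float = 7.5) -> None:
        self.window, self.threshold = window, threshold
        self.low, self.high = low, high
        self._hits: List[Tuple[float, str]] = []

    def observe(self, ev: WriteEvent) -> bool:
        """Feed one event; return True once the burst threshold is crossed."""
        if shannon_entropy(ev.before) < self.low and shannon_entropy(ev.after) >= self.high:
            self._hits.append((ev.ts, ev.path))
        # keep only hits inside the sliding window
        self._hits = [(t, p) for t, p in self._hits if ev.ts - t <= self.window]
        return len({p for _, p in self._hits}) >= self.threshold


def simulate_burst(n_files: int, spread: float, seed: int = 1) -> bool:
    """Constructed scenario: n_files plain-text documents are overwritten with
    pseudo-random bytes (standing in for ciphertext) over `spread` seconds.
    Returns whether the detector fired."""
    rng = random.Random(seed)
    det = EncryptionBurstDetector()
    fired = False
    for i in range(n_files):
        plain = (f"Quarterly report, section {i}\n" * 200).encode()
        cipher = bytes(rng.getrandbits(8) for _ in range(len(plain)))
        ts = 0.0 if n_files == 1 else i * spread / (n_files - 1)
        fired = det.observe(WriteEvent(ts, f"/home/user/doc{i}.txt", plain, cipher)) or fired
    return fired


def simulate_benign_edits(n_files: int) -> bool:
    """Constructed control: the same documents edited normally (still plain text)."""
    det = EncryptionBurstDetector()
    fired = False
    for i in range(n_files):
        old = (f"Draft {i}\n" * 200).encode()
        new = (f"Draft {i} (revised)\n" * 200).encode()
        fired = det.observe(WriteEvent(float(i), f"/home/user/doc{i}.txt", old, new)) or fired
    return fired
```

Entropy alone does not distinguish encryption from legitimate compression, so on a real host this check would be one signal beside the network blocking and backups the box recommends.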
12 SC • July-August 2015 • www.scmagazineuk.com
Analysis
A critical threat
Attacks on critical national infrastructure are a growing concern, not just the banking and civil infrastructure, but also control systems used in the physical delivery of services. This is set to become even more of a problem as SCADA systems become internet enabled, reports Kate O’Flaherty
Critical infrastructure forms an attractive target for both criminals and nation states. The most well-known attack took place in 2010, when the computer worm Stuxnet targeted industrial control systems running centrifuges in an Iranian nuclear power station.
Believed to have been perpetrated by a nation state, and most likely the US and Israel, the attack on Iran’s nuclear plants demonstrated the level of damage that can be done with relatively little effort. The worm was sophisticated enough to hide its disruption, ensuring that the operators’ monitoring data continued to show that everything was normal when that was not the case.
Another large-scale attack took place last year, when hackers manipulated and disrupted control systems in a German steel mill, making it impossible to safely shut down a furnace.
The ease with which critical infrastructure can be penetrated is leading to an increase in malware targeting control systems. The Flame Trojan was discovered in 2012, while in 2014 a variant of the remote access Trojan Havex emerged with the ability to target supervisory control and data acquisition (SCADA) systems.
Therefore, insecure SCADA devices are a growing concern for firms running critical infrastructure. These systems were not designed with security in mind, which opens up a multitude of risks when they are connected to the internet.
According to a recent report by Dell Security, this has resulted in an increase in the number of criminals targeting SCADA. The report found that attacks had more than doubled from 2013 to 2014, with the majority of these targeting Finland, the UK and the US - countries where a growing number of SCADA systems are internet-connected.
A global issue
The risk is fuelling legislation across the globe. The US has passed laws that are designed to protect its national infrastructure through new technology and information sharing. Germany is looking at specific legislation, while the UK is keen to create awareness in the area. Meanwhile, in Europe, the cyber-security directive aims to expand breach reporting for companies involved in critical national infrastructure.
Critical national infrastructure was previously defined as companies dealing with communications, transport, water and energy. But the area for attack is widening, says Andrew Rogoyski, head of cyber-security at consultancy firm CGI. “Now it also spans financial systems, healthcare and the food supply chain.”
According to Rogoyski, penetrating such systems can do significant harm with “relatively little effort and cost”. He says: “Shutting down a power grid using a small team of hackers, rather than physical means, is much easier.”
This makes the area particularly attractive for nation states: many attacks on SCADA systems - including Stuxnet – are reported to be politically motivated.
It is possible countries are already testing each other’s infrastructure for weaknesses, experts have told SC Magazine UK. Of the nation states, China is known to be capable and to have scale, while the Russians are increasingly sophisticated in cyber-space. But the US is also known to have elite cyber-capabilities, says Rogoyski: “The US is sophisticated: it has scale and owns much of the IT industry.”
Andrew Rogoyski, head of cyber-security, CGI.
Out of control?
Control systems are under cyber-attack – from power plants to steel mills, and even the Large Hadron Collider at CERN – but most of these devices were never meant to be connected to the internet. They need even more protection than computer systems – often using the same approach, as Tony Morbin discovers
When the Higgs Boson was discovered using the Large Hadron Collider, tabloid headlines screamed that the universe could be destroyed in a cosmic death bubble. Another case of inappropriate sensationalism of course, otherwise Dr Stefan Lüders, CERN’s computer security officer, could have claimed to be protector of the universe or canny in its end.
Instead, he has a genuinely vital role defending one of the largest, most sophisticated and interesting bits of scientific experimental kit in the world.
And rumours about the end of the world? Just a misunderstanding of Stephen Hawking’s suggestion that the Higgs potential could become metastable and the universe undergo catastrophic vacuum decay, with a bubble of the true vacuum expanding at the speed of light. Not the CISO’s problem.
Even though an attack on CERN won’t result in the end of the universe, it has enough publicity value for the complex to endure more than its fair share of attacks.
Real world things, specifically control systems, tend to be more vulnerable than computer systems, simply because they weren’t designed with security in mind. Why is that?
Lüders explains: “It’s because there has been a revolution as we have moved away from proprietary hardware and control systems to more IT-based systems, taking the cherries from the IT world cake: Windows PCs, data storage, HMIs, TCP/IP for communications, web protocol, emailing – because there is a use-case for them. However (despite the benefits), there was no incentive to look at the security side because the old paradigm was – we have an air gap, we’re disconnected, everything is proprietary, obscure, nobody will hack us. But this is no longer the reality.”
Today there are tools such as SHODAN scanning for SCADA control systems on the internet (https://icsmap.shodan.io), and there are attackers specifically looking for vulnerabilities in control systems. Lüders suggests that the biggest problem is how to create incentives for software vendors and control system vendors to create more secure products.
Yet Lüders doesn’t blame the vendors for not putting in security – abuse was never an issue, apart from physical sabotage, because the systems were isolated. Now there are layers of connectivity and you have to ask not only what is the use case for your device, but what are the possible routes for abusing the device, and how do you mitigate or prevent that?
One of the solutions CERN uses to secure its vast range of complex control systems is to delegate a lot of responsibility for security to the people who are managing those devices, with Lüders commenting: “The expertise is with the control system experts – making them responsible for their security has benefits because they know the system best. Some control experts will forego some efficiency and availability of the controls process and put security second or third.” Risk is owned by the management, which sets the parameters of what is acceptable – so at CERN the accelerator management is responsible for that sector and Lüders ensures they know what the risks are, so they can judge whether to invest in more secure control systems or not.
Lüders concludes that the revolution whereby control systems sucked in IT technology now needs them to suck in IT security methods and apply the same means to secure the control systems – looking at software development life cycles, penetration testing, vulnerability scanning, agile patching where possible, using similar access controls and protection as used in the IT world.
On the human side this means bringing together the IT and Control System departments, as similar technologies apply on both sides. So where can you benefit – do you still need your own control system network team? Lüders comments: “At CERN our network is run by one group – the requirements are the same so we use the same team – I don’t believe CERN is special in this regard.”
So the advice is, ask the same questions about how to secure control systems that you would ask when securing the computer centre – take account of their differences but treat both the same – how to guarantee availability, how to protect yourself without creating inefficiencies, making the same risk assessment – what are the different threat scenarios, who can attack the control systems. Now you need to ask what are the possible routes for abuse and how do you prevent or mitigate them? For a CISO it’s the same toolkit as used for a computer centre. And talk to the control system experts who know the system best.
*Part of this interview with Dr Stefan Lüders has appeared in SC online.
Dr Stefan Lüders, CERN computer security officer, Head of Computer Security, European Organisation for Nuclear Research (CERN)
Photo: © 2015 CERN, for the benefit of the CMS Collaboration
Risks
Industrial control systems are vulnerable because generally they use proprietary hardware, software or legacy operating systems that are no longer supported. “Some were designed before the age of networks, when security involved nothing more than access control,” says Florian Malecki, international product director, Dell Networking Security. “Therefore, it has no mechanism for authentication, or for ensuring data integrity and confidentiality.”
Malecki explains: “Most SCADA systems are vulnerable to network attacks that work by exploiting weaknesses at protocol level. SCADA systems management terminals connected to a network, particularly an external one, are exposed to the usual threats associated with malicious software downloaded by a user who has clicked on a link, or opened an email attachment, or an infected file on removable media.”
Therefore SCADA systems are arguably more vulnerable than enterprise networks, says Ross Brewer, vice president and managing director of international markets at LogRhythm. “Much of the existing infrastructure was developed and implemented prior to the wide uptake of the internet and so their protection was based on securing physical aspects of these critical systems. A lot of SCADA devices employ extremely basic - and easily defeated - authentication methods, transmitting data in clear text, with many cyber-assets operating on old and vulnerable code bases.”
Dai Kennett, security consultant at Context Information Security, agrees: “The lack of understanding of security within our industrial processes and the rate at which new technologies are being introduced are not symmetrical. This has created a wide gap, ripe for exploitation.”
One way of exploiting and controlling a device is through buffer overflow attacks. Kennett explains: “The operating system underneath will often be using real-time systems, which can forego modern defence mechanisms such as ‘address space layout randomisation’, a technology used to help prevent shellcode from being successful; and ‘data execution prevention’ - which prevents certain memory sectors from being executed.”
However, Kennett says that complex buffer overflow attacks are “unnecessary” in the current threat landscape. “Simple and archaic packet replay attacks are just as effective and can be used by even a novice attacker.”
Lack of intelligence
The problem is elevated by the lack of intelligence built into devices, says Clive Longbottom, analyst at Quocirca. This is made worse by the lack of true standardisation around how ‘Internet of Things’ (IoT) SCADA devices are being brought to market.
He warns: “A black hat with knowledge of one vendor’s product line can easily break into their devices using API calls or faults in coding. This would not be the case if the industry had come up with a full and agreed standard around how these devices should operate and interoperate.”
Additionally, says Brewer, the nature of SCADA systems sees them deployed and controlled across wide area and local area communication links, fuelling the risk further. “These systems are often dispersed across a variety of geographic locations, such as field sites, control rooms at processing facilities and control centres. Point security solutions, including anti-virus, simply don’t offer the required protection.”
Adding to complexity, the life cycle of SCADA-type devices is particularly long: they are often in use for over 10 years. The older the operating system, the more vulnerability, the easier it is to exploit, says Benny Czarny, CEO and founder, OPSWAT.
“SCADA systems are put into place to sometimes last decades,” says Rogoyski. “So you get technologies that are out of date and not maintained as they should be - and you get people making mistakes when patching them. I’ve seen telemetry systems out in the field and connected to the equivalent of a mobile phone.”
Fixed line or mobile networks can be secured reasonably well, says Rogoyski. But attacks on energy companies are often perpetrated via spear-phishing with “booby-trapped emails loading malware onto the IT systems and accessing data”.
Managing security
Managing the threat requires a thorough and wide-reaching approach. Security needs to be part of business planning: firms must do a risk analysis and ensure they are doing security testing - as well as monitoring existing systems, Dr Klaus Kursawe, chief scientist at the European Network for Cyber Security, says. “The hard part is to find a way to make the effect of security measurable to build a solid business case: managers hate to spend large amounts of money without having any measurable outcome,” he adds.
Overall, experts agree that monitoring is key to control systems’ security. Securing SCADA requires a centralised system that can provide visibility across all IT network activity in real time, says Brewer. “Such continuous monitoring of all the data generated by systems enables security teams to automatically identify anomalous activity and react as quickly as possible. A centralised system can correlate events and provides key intelligence detailing the threats that pose a risk and need a fast response.”
Amol Sarwate, director of vulnerability labs at Qualys, advises implementing proper access control, making sure that necessary patching processes are in place and followed, and says that removing debug services “will help minimise risk”.
Firms must ensure that they have a strict user account management policy, Malecki agrees, adding: “This advice may seem obvious, but it is vital to change default passwords immediately after an attack.”
In addition, says Malecki, firms should identify behaviour that puts systems at risk, ensuring they are updating operating systems, applications and firmware.
“Shutting down a power grid using a small team of hackers, rather than physical means, is much easier” – Andrew Rogoyski, head of cyber-security at CGI
(Left) Benny Czarny, CEO and founder, OPSWAT; (Right) Dr Klaus Kursawe, chief scientist, European Network for Cyber Security
Keeping on track
In his Keynote panel, Securing Critical National Infrastructure: Managing Cyber-Risk in a Hyper-Connected, Physical World, at InfoSec, and in conversation with SC’s Tony Morbin afterwards, Peter Gibbons, head of cyber-security, National Rail, described how railways are adapting to the digital age
National Rail (NR) has a huge 150-year-old legacy rail infrastructure with operational structural diagrams signed by Brunel still in use, but convergence of digital with mechanical systems is well underway. In the next five to 10 years, temperature monitors may be making decisions about brake speeds, and red and green track-side signals are going, with all the information to be inside the cab. “It’s important to understand what the risks are as we move to a digital infrastructure, ...while delivering the service, which in 2014/15 comprised 1.65 billion rail journeys. We need to think about the hard line between our systems of IT and our business systems, our control systems and our infrastructure. That line through the middle is getting blown away, they are the same things and information systems will run the infrastructure,” comments Gibbons.
Security of railways entails managing the risk to the infrastructure relied on to deliver its service, the movement of goods and passengers. Why is it critical? It’s about the output, and so the focus is on the systems that matter most. Not just NR’s customers, but their customers, too.
Gibbons elaborates: “We have the 3rd or 4th largest telecoms network in the UK – not all of that is critical infrastructure but some is. Some of our regional stations are very important, but critical? Maybe not. Waterloo – definitely. We need to be clear what we have to protect. Trying to understand the impact when things go wrong, so a small branch line out to the east coast may seem not critical, but it might be a key shipping route without which we’d have serious economic problems.”
Secure products
Prioritisation includes use of a risk method that is skewed toward the high-impact events, prioritising the type of cyber-security breach and its impact on service.
But Gibbons says he’d prefer not to talk about ‘cyber-security’ and just talk about security: protecting an asset. He explains: “We know about security, it’s built in to what we do. So stop looking at cyber-security bods as providing the solution ... we need to help (all) our people do their jobs, to be able to know what good and bad is and be able to respond to the information they get in their jobs and see that as a threat to the security of their asset. Call in experts when they need them, from an emergency response team or whatever ...rather than having them on tap all the time. We need to stop thinking of cyber-security as a specialism – it’s something that all of our people should know about, and should all do as an integral part of their job.”
But to do that, Gibbons says he’d like to stem the “flow of people telling me how they can grab more and more data that’s relevant to organisations. What I am not getting is the bit where you take all that intelligence and reduce it to what’s relevant to the organisation, and I want to go a stage further so the companies supplying the information help the analysts looking at this information to take further action to make it as effective as possible.”
Gibbons says that NR has a large digitisation agenda, with most benefit occurring in the supply chain, from signals, points management etc. However he says: “We are very good at asking our suppliers to deliver a product that does what we want it to do – but we are not very good at telling them what we don’t want it to do. So we end up with suppliers who deliver products that work but aren’t necessarily as secure as we’d like them to be, then throw all manner of product over the top of it to make it secure. So the whole software development life cycle piece happens somewhere else, outside of my business. We need secure products from secure suppliers, and we then need to be able to integrate them in a secure way so we need a common way of connecting those devices so that they understand each other. We need standards on the provision of secure products (or)....we’ll end up spending millions putting security products on top of our poor infrastructure because it wasn’t built securely in the first place.”
Automation and convergence are seen as the keys to coping with future attacks, while an important issue for the future is patching – how to patch rail and rolling stock, located in disparate sites, while in operation delivering a service and without impacting the public. The plan is to do this over the air with a modular patching system: since it is known when stock is at a particular location, updates can be applied at a safe time so that service delivery is not affected.
“These are very targeted attacks, impacting a niche industry,” Malecki says. “However, with many software vendors leaving large timeframes between update patches, it requires internal IT teams to ensure they go above and beyond to protect the network and data.”
Rogoyski underlines the importance of asset management: businesses should know where devices are and what they are connected to.
As part of this, it’s important to understand the impact of such an attack on the company and its customers, Rogoyski says. “Businesses must develop an understanding of the risks they face - and have a look at assets: where they are deployed and how vulnerable they may be.”
As Stuxnet and similar attacks have demonstrated, the potential to cripple critical systems is getting bigger. This is widening the critical infrastructure attack landscape, making it essential for firms to be prepared.
Optimum defence can be achieved through strong boundary devices and secure architectures, says Kennett. “But there also needs to be a change of mentality for the SCADA and ICS communities: security must become a high priority objective for all critical infrastructure or industrial processes.”
SCADA hacks firmly on the radar
Sweden’s Robert Malmgren, senior security expert, ROMAB, discusses Industrial Control Systems (ICS) vulnerabilities with SC
Why have we seen so few verifiable big hacks of control systems? Have they not been admitted, or are they particularly hard to hack?
Malmgren responds emphatically: “No. SCADA or ICS are definitely not hard to hack, I know this from first-hand experience. I also know from checking the SHODAN database that there are a number of SCADA/ICS systems and components directly available on the Internet. From those two pieces of information (we can) deduce that SCADA/ICS hacking is actually happening. I agree that it is not being admitted. Or even worse, not discovered by the asset owners.”
Is transport a particularly vulnerable area, more dramatic or actually safer because there are more regulations?
Malmgren: “My personal opinion based on the experiences with examination of different products in the ICS area, both communications equipment, computers and control equipment, is that most products, regardless of their market or use case, actually contain flaws and vulnerabilities. In markets that are regulated, the products might be tested and certified for their intended purpose, eg that there is a guarantee that a specific operation is actually triggered by a certain input value, (certified) from a safety perspective, not from an IT security perspective. ...(But they) can still be hacked, since, for example, a buffer overrun exploit, that uploads and replaces some of the certified code with new executable content, is still possible.”
What can organisations do to defend against state-sponsored APTs? “One of the few real advantages of SCADA and ICS is that the communication patterns are rather simple, deterministic and it is possible to set firewall rules that are very predetermined and strict.
“One important step to cope with this is Network Security Monitoring. Even if it is hard to provide complete protection against an aggressor with enormous resources and unique attacker competence, it is less hard to do detection. Always make sure that you have a good overview over the technical alarms and security logs (from firewalls, switches, servers, etc).”
Is the Internet of Things the biggest risk control systems face? “I would argue that it is. Major problems with IoT include:
“IoT attracts a lot of new people that have to re-invent and experience for the first time things that others solved five, 10, 20 years ago. It’s bad with a single, simple security vulnerability. And if we get them in extremely large batches, like in 100’s of millions or billions of installed IoT devices with enclosed vulnerabilities, it’s a disaster.
“Compare IoT devices with all the SOHO equipment with daily or weekly reports of newly discovered vulnerabilities. In these low-margin markets, there seems to be very little incentive to do ‘after-market’ fixes, eg firmware updates or patches. I would be extremely surprised if we don’t see similarities in the IoT world.”
“I’m positively surprised to see that some players, notably Google, are trying to push security into its Brillo IoT platform.”
And the next 4SICS conference? “We have four different 4SICS submissions from people that have set up ‘honey-pots’ on the Internet simulating Internet-reachable SCADA-systems. ...all of them have very interesting results! Keep your eyes open for our announcement on speakers and topics!”
Robert Malmgren, senior security expert, ROMAB
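Malmgren's two points above, that ICS traffic is deterministic enough for strict firewall rules and that detection is easier than prevention, can be demonstrated together. The following is an added example, not code from the interview or from ROMAB: it learns a flow baseline from a quiet period, renders it as allow-list rules, and flags every later flow outside the baseline. Hosts, ports, the log line format and the min_count threshold are constructed assumptions.

```python
"""Added example (not code from the interview or ROMAB): because ICS traffic is
simple and deterministic, a baseline of which host talks to which host on
which port can be learnt during a quiet period, then rendered as strict
allow-list firewall rules and reused as a network security monitoring check
that flags every flow outside the baseline. Hosts, ports, log format and
thresholds are constructed assumptions."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


def parse_flow_line(line: str) -> Flow:
    """Parse one constructed flow-log line:
    '<epoch> <proto> <src>:<sport> -> <dst>:<dport> <bytes>'."""
    _ts, proto, src, _arrow, dst, _nbytes = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(proto.lower(), src_ip, dst_ip, int(dport))


def learn_baseline(lines: Iterable[str], min_count: int = 2) -> Set[Flow]:
    """Keep only (proto, src, dst, dport) tuples seen at least min_count times in
    the learning window; a one-off flow during learning is not trusted."""
    counts = Counter(parse_flow_line(ln) for ln in lines if ln.strip())
    return {flow for flow, c in counts.items() if c >= min_count}


def firewall_rules(baseline: Set[Flow]) -> List[str]:
    """Render the baseline as iptables ACCEPT rules followed by a default DROP."""
    ordered = sorted(baseline, key=lambda fl: (fl.src, fl.dst, fl.dport))
    rules = [f"iptables -A FORWARD -p {fl.proto} -s {fl.src} -d {fl.dst} "
             f"--dport {fl.dport} -j ACCEPT" for fl in ordered]
    rules.append("iptables -A FORWARD -j DROP")
    return rules


def detect_anomalies(baseline: Set[Flow], lines: Iterable[str]) -> List[Flow]:
    """NSM check: every flow outside the baseline is an alert (deduplicated, in order)."""
    seen: Set[Flow] = set()
    alerts: List[Flow] = []
    for ln in lines:
        if not ln.strip():
            continue
        flow = parse_flow_line(ln)
        if flow not in baseline and flow not in seen:
            seen.add(flow)
            alerts.append(flow)
    return alerts


# Constructed learning-period log: an HMI (10.10.1.5) polling two PLCs over
# Modbus/TCP (502) and DNP3 (20000), a PLC syncing time over NTP, and one
# stray SSH session that is seen only once and therefore not baselined.
LEARNING_LOG = """
1435700000 tcp 10.10.1.5:49152 -> 10.10.2.20:502 240
1435700001 tcp 10.10.1.5:49153 -> 10.10.2.21:20000 180
1435700002 udp 10.10.2.20:123 -> 10.10.1.1:123 76
1435700005 tcp 10.10.1.5:49154 -> 10.10.2.20:502 240
1435700006 tcp 10.10.1.5:49155 -> 10.10.2.21:20000 180
1435700007 udp 10.10.2.20:123 -> 10.10.1.1:123 76
1435700009 tcp 10.10.1.5:49156 -> 10.10.2.20:22 1300
""".strip().splitlines()

# Constructed monitoring-period log: normal polling plus an unknown host
# speaking Modbus to a PLC and a PLC opening an outbound HTTPS connection.
MONITORING_LOG = """
1435800000 tcp 10.10.1.5:49200 -> 10.10.2.20:502 240
1435800001 tcp 10.10.1.77:51000 -> 10.10.2.20:502 96
1435800002 tcp 10.10.1.5:49201 -> 10.10.2.21:20000 180
1435800003 tcp 10.10.2.20:40000 -> 203.0.113.9:443 2048
1435800004 udp 10.10.2.20:123 -> 10.10.1.1:123 76
""".strip().splitlines()


def run_demo() -> List[Flow]:
    """Learn the baseline, print the generated rules, and return the alerts."""
    baseline = learn_baseline(LEARNING_LOG)
    for rule in firewall_rules(baseline):
        print(rule)
    alerts = detect_anomalies(baseline, MONITORING_LOG)
    for flow in alerts:
        print(f"ALERT: unexpected flow {flow}")
    return alerts


if __name__ == "__main__":
    run_demo()
```

The learning window must itself be clean; a flow that an intruder generates repeatedly during learning would be baselined, which is why the rules should be reviewed by the control engineers before they are applied.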
Women in security: Is the tide turning?
The lack of women in information security is a constant topic of conversation and debate but, as Doug Drinkwater reports, changes are afoot
While there are conflicting views on what should be done to improve the number of women in security, there is consensus on the root cause – too few women take computer courses.
Late last year, SC analysis of UCAS undergraduate acceptances revealed that just one in every 10,000 women in the UK undertakes computer-science degrees, with professors suggesting that this figure drops further as students switch courses in their second and third years. There’s a perception too that students of both genders would rather build the next Facebook than a next-gen firewall.
In 2013 Frost & Sullivan found women represented 11 percent of the information security industry - while recruitment agency BeecherMadden put the figure at 14 percent in 2015.
Closing the gap
There are several support groups, including the (ISC)² Women in Security, the Women’s Security Society, the Fraud Women’s Network and Executive Women’s Forum (in the US), as well as one-day events organised by Cyber Security Challenge. Some large companies, including KPMG and EY, have implemented their own networking groups, while Google has given grants for female ethical hackers to attend security conferences.
More generally on the skills gap, we’ve seen the proposed new computer science GCSE (with cyber-security a key element) and the introduction of GCHQ-certified post-graduate degrees. Cyber-security is moving mainstream in education – and that must help young women, too.
Where’s the problem?
Despite this, some say that, if women are to be enticed into this industry, fixes are needed in education and in society. “To get to the root of the problem, we have to engage kids in school,” says Barbara Nelson, general manager and vice president at Imation Mobile Security, in a blog post.
“My love of maths led to great jobs in security; I was very lucky that early on I was shown how I might apply my passion in many different industries. That’s where we are missing a trick. Rather than
What’s wrong with CBEST?
CBEST has its critics – and defenders – as the industry grapples with how best to ensure critical infrastructure deploys best practice, as Tom Reeve reports
Gone are the days when all a bank had to do to secure its assets was build an impregnable vault and hire some heavies to protect it. Now some of the oldest institutions in the world are having to get to grips with something called “cyber” security, a term which some bankers readily admit they were unfamiliar with up until a few years ago.
These days it’s truly on the agenda, with £700 million being spent annually on cyber-security by the financial industry in the UK alone, according to the British Banking Association (BBA) and PricewaterhouseCoopers (PwC).
With that much being spent – and a recognition that cyber-crime is a threat to not only the growth but the very stability of the sector – the Financial Policy Committee of the Bank of England issued a recommendation in 2013 that the cyber-resilience of the UK financial sector should be subjected to robust penetration testing.
There’s nothing new about the concept of pen-testing, but against critical systems, there were always two things holding the industry back from performing realistic simulated attacks.
First, there was a reluctance to unleash the simulated attackers – called red teams – against production systems for fear that the test might accidentally bring the real-life system crashing to its knees. At the same time, there was a recognition that only targeting dummy systems might fail to discover the hidden vulnerabilities which are the bread and butter of the criminal hacker.
Secondly, there was a belief that simulated attackers often don’t have access to the latest threat intelligence, so that they would, in short, be missing out on the most up-to-date attack tools. UK financial authorities including the Bank of England, HM Treasury and the Financial Conduct Authority (FCA) created CBEST as a framework for conducting realistic attacks against real infrastructure.
They wanted to ensure that there were four parties involved in testing the resilience of institutions that they judged to be essential to the stability of the UK financial system: the Bank of England, the intelligence community, private sector cyber-security practitioners and the financial institution itself.
It was decided that the intelligence community, represented by GCHQ and commercial providers, would provide the threat intelligence to make the tests as realistic as possible. The tests would be conducted by practitioners who were certified by CREST (Council for Registered Ethical Security Testers) as certified simulated attack managers (CCSAM) and certified simulated attack specialists (CCSAS), using a plan that had been agreed by all parties involved.
Difference of opinionBut does CBEST go far enough? Not according to some people including the chief technology officer at Intelligent Environments, a company with a 15-year pedigree in bank security solutions.
CTO Clayton Locke, writing in an opinion piece published on SCMagazineUK.com, says CBEST is a strong step forward for cyber-security but he laments the fact that it doesn’t go far enough. He calls for the introduc-tion of a financial services industry data security standard, modelled on the PCI DSS for the card payment industry.
“Even though CBEST has robust certification requirements for testing companies, it does not provide a certifica-tion standard for the financial services institution itself,” Locke says. “Although the [Bank of England] sees the tests as critical to maintaining the integrity
of the financial system, performing an assessment is entirely voluntary.”
He adds: “Making these assessments voluntary highlights an inherent weakness in the financial services industry outside of payment cards. It would be stronger to make the assessments compulsory, as is the case for PCI DSS.”
Disagreeing with Locke is Ian Glover, president of CREST, the organisation that’s been given the task of certifying the individuals who will be conducting the CBEST penetration tests.
Glover says CBEST has enjoyed very high levels of support from the financial services industry but doubts it would have received such support if it had been made compulsory from the beginning.
“Financial institutions that have been subject to CBEST activities have provided very positive feedback and many organisations in financial services and other sectors are asking how they can carry out similar activities. There has also been significant interest from overseas,” Glover says. “All parties involved in these activities have common aims, to validate the security arrangements and where appropriate recommend and implement improvements for critical systems and processes. Working in collaboration towards a common aim is much more effective than mandating.”
Also arguing for voluntary compliance is Darren Anstee, director of solutions architects at Arbor Networks. “The problem with mandatory compliance requirements is that security becomes focused on meeting the standard, rather than reducing business risk,” he says. “Once compliance criteria are met it can become increasingly difficult to justify additional expenditure on security.”
Locke’s critique of CBEST doesn’t end there, however. He believes that accountability to the consumer is fundamentally lacking from the programme. While organisations can be – and have been – held accountable for data breaches by the Information Commissioner’s Office (ICO), there is no requirement to make a formal disclosure in the event of a data breach.
“Rather than be proactive in taking accountability for security breach and data loss, the typical approach is to downplay the losses and focus on controlling damage to reputation,” he says.
He welcomes the prospect of amendments to the EU General Data Protection Regulation which “will require any company with European dealings that suffers a data breach to inform both the regulator and affected individuals ‘without undue delay’”.
In this case, while Anstee has some sympathy for the organisations affected and the potential harm to their reputations, he supports Locke’s view that the balance should be tipped in favour of consumers.
And Glover says CREST is sympathetic to this view, as well.
Final thoughts
In the final analysis, Locke believes the industry needs a set of cyber-security standards that are specific to financial services and that ultimately this might lead to the creation of an FSI DSS. “By cooperating around such a standard, the industry will be able to deliver a stronger collective response to the cyber-crime threat than any single company could do alone,” he says.
Whether there are too many standards or the industry is too complex to fit under a single regulatory umbrella remains to be seen, but one thing they can all agree on is that the current system is the CBEST that we’ve got.
trying to get kids excited about maths, we need to paint a picture of what maths, and related sciences, make possible.”
Angela Knox, director of engineering at Cloudmark, believes more can be done at school level: “I’d like to see computer science, including IT security, added to the school curriculum for both secondary and primary school children. This is the best way to introduce this awesome career opportunity to a diverse group of both male and female children as well children from lower socio-economic backgrounds.”
Many women fall into security by chance. Cyber-security consultant Dr Jessica Barker says that a lot of young women view security as a “male subject” which is “quite complicated”. “If I hadn’t been approached for a job, I probably wouldn’t have thought about it,” she admits.
This, according to Dr Christopher Richardson, head of the cyber-security unit at Bournemouth University, is proof that the problem lies with society:
“It’s not a STEM problem, it’s a social problem…we’ve lost them before they even get to university. They don’t realise about [cyber-security], there’s a perception that it is geeky and for boys.”
He says that some of his finest students have been women, graduating with first-class honours degrees and going on to jobs like penetration testing or in consultancy. But he questions whether this societal issue also relates to how these courses are taught at a young age.
Dr Olga Angelopoulou is senior lecturer of digital forensics at the University of Derby, and she believes that female students often don’t trust their own abilities. Citing her university’s findings, that female digital forensics students often drop out in the second year to pursue psychology, criminality or other computing courses, she says: “In the second years, a lot of them give up. I guess the competition, especially in an area where boys are very passionate, can be stressful for the girls, who may feel that they can’t compete…Boys see it as a hobby which becomes a profession.” She adds that those who did persevere would usually end up with “very good marks”.
Jennifer Steffens, CEO of security firm IOActive, has been in the industry for more than 15 years, and suggests this cultural problem could take time to fix:
“I think that culturally we don’t encourage girls to get involved with technology at a young age. Security is a very demanding and often critical industry so it can be difficult to break into later in life, regardless of gender. Breaking down the gender biases for kids will have a long term positive impact for the field.”
Knox agrees: “The low percentage of women working in security is a reflection of the same issue within the field of computer science. The main cause is marketing and messaging about what the job involves and who can do it. The graphs for computer science are evidence of this: the percentage of women studying computer science started falling when computers were marketed to consumers. Male children were chosen as the target market, which resulted in male children having more access to computers than female children. As they grew older, at university level, men had more experience with programming than women.
“Computer security in movies and popular culture is made to look like something that men do and women don’t. There’s still an image of geeks in a basement and those that have been widely publicised still happen to be male.”
Less sexism, better pay
Speakers acknowledge they’ve suffered from sexism in the past, but are not sure that it happens much now. KPMG’s Caroline Rivett has worked in security in two career stints, currently residing in the Information Protection and Business Resilience (IPBR) team. “I see a lot less discrimination – I think people are more aware of their biases, either consciously or subconsciously,” she says.
Sarah Clarke, managing director of consultancy Infospectives, has worked in the security industry for 14 years, and she believes that the tide is turning away from male ‘elitism’. “These days, in bigger firms, managers need the right kind of analytical and logical mind to quickly grasp technical concepts, but political, strategic and risk sense are far more vital to get security to the place it needs to be in businesses and keep it there. [This is] a far less daunting career prospect for highly effective female staff coming up through other areas in the business.”
Rowenna Fielding, information governance manager for the Alzheimer’s Society and committee member for the Data Protection Forum, agrees that the view of what an IT security manager should look like is changing: “I think that as essential elements of psychology, communications skills and business-savvy are becoming more widely recognised as critical to information security. The traditional view of the security pro as a scruffy male hacker is changing to a more professional and gender-neutral role within the business environment.
“With the realisation that there is more to infosec than writing clever exploit code has also come the understanding that the role of the infosec professional benefits from diversity in skills, abilities and focus - as well as gender. This is now levelling the playing-field for women who no longer have to compete with the outdated perceptions about suitability for the role.”
KPMG director Caroline Rivett and cyber-security manager Janina Herrmann are part of the consultancy’s 100-strong ‘Women in security’ group, focusing on retaining female members in the IPBR team, through networking, awareness sessions, mentoring and speaking. The firm advocates transferable skills rather than having to “fit a certain mould”, even if Herrmann admits there remains a challenge with diversity at senior level.
“We need to get far better at analysing what makes a successful security specialist,” adds Clarke, who urges firms to visit schools and universities.
Steffens, though, sees traction in the boardroom. “I certainly see improvements throughout the industry. I know more women in CISO/CSO roles today. I also see far more women engaged in the industry – attending conferences, giving talks, being active. Discussions on how to engage young girls in STEM programmes early on are happening and ideas are being implemented.”
Surprisingly, BeecherMadden’s report found that women are now getting paid up to 30 percent more than men in cyber-security, whereas nationally women earn 19.7 percent less than men. Speaking at InfoSecurity Europe, COO Karla Jobling cited one example of a woman with a year’s less experience than a man being paid £10,000 more.
“Women are being paid more than men because they are coming into cyber-security with skills that enable them to communicate to the business,” said Jobling. “Typically, women come from a non-IT background and bring skills in sales, PR, communication and project management.”
“Two years ago, cyber was dominated by technical roles, now there are more roles in strategy and policy. The CEO knows about cyber now and that makes cyber more exciting for everyone, but especially women who are maybe not as interested in the tech.”
Jobling added that the number of women in the sector has grown almost 50 percent in the last year, and suggested we might talk often of women CISOs in the future “rather than pinpointing the few.”
Meanwhile Barker believes it should also be easier to cross over. “How do you suddenly specialise in cyber-security? What I’d like to see is more opening up, more jumping across industries. In that way, we don’t make it easy for people, it’s hard to find a way in”. Bournemouth University’s Richardson advocates mid-career apprenticeships, to ease women into new careers.
And Steffens says: “I believe it’s important for women to be themselves and not try to conform to a ‘man’s way’. The industry as a whole benefits from having all points of view included.”
Encouragingly, Rivett believes that discrimination and paternity leave issues are a thing of the past.
So what more can be done? “Continue focusing on providing opportunities for women in the field,” says Steffens. “Highlight the ever-growing number of women who continue to raise the bar in our industry so we create more role models for young girls and women looking to enter the field. Show them it’s not scary – it is the best job in the world.”
Top tips for women in security
“Brave social media – the infosec community online is incredibly supportive,” says Clarke.
“Build a good network of fellow infosec professionals of all genders that you can learn and seek mutual support from,” says Fielding. “Also, keep up with soft skills like influencing, negotiating and management as much as technical knowledge.”
“Don’t limit yourself,” says Barker. “You might not think you tick every box on a job application or know enough to speak at a conference, but if you don’t put yourself forward and have faith in yourself, who will?”
“Be yourself and be positive about your own capability,” says Richardson. “Believe in yourself,” concurs Angelopoulou.
“If you are not getting promoted where you are, move jobs. It’s OK to move every 18 months to three years,” says Jobling.
North Wales Fire and Rescue Service is using the CPA-certified encryption solution Egress Switch to protect all confidential electronic information leaving the organisation, improving its communication, security and speed in the process.
NWFRS works to protect a residential population of more than 600,000 people, in addition to the thousands of tourists that visit the area each year. Employing approximately 1,000 staff, NWFRS attends to more than 3,200 fires, 500 road traffic collisions and 500 other emergency incidents every year, in addition to delivering initiatives to schools, businesses and local communities to promote fire safety and prevention. Carrying out this work involves collaborating with a network of external third parties, which in itself represents a security risk given the confidentiality of some of these documents being sent and received.
However, NWFRS has recently improved its security by adopting an encryption tool to ensure that electronic information is shared and stored securely, not just in house but also with other emergency services, local authorities and agency partners.
Sarah Roberts, head of ICT at NWFRS, told SC Magazine UK that this safe sharing of information was vital, especially as fire safety referrals often go out to external organisations, like charities not on the government’s Public Services Network (PSN). “We used to share this information face to face, on the phone or via the post,” she said.
“Basically, we wanted to be able to share confidential information with a number of organisations and to do that securely. Our email system just isn’t secure enough”, she said, citing the group’s use of Microsoft Exchange. “Emailing internally doesn’t have the same risks as when emailing out over the Internet.”
Roberts said the group was attracted by simplicity of the encryption product; it’s a three-step process to sign up and it’s free for recipients to use. NWFRS also put together a one-page document on how to use the solution, which was useful for everyone from HR and finance to occupational health.
One example, said Roberts, was Conway Country system which pays invoices and also needs access to mission critical services in the private sector.
“The whole process is faster than sending CDs through the post,” she said. “It makes it a lot easier when dealing with local authorities,” she added, continuing that the solution’s roll-out came after heads of local authorities discussed how to improve service across North Wales, as well as other issues raised by information steering groups.
Other benefits of the encryption tool were an audit log of who was sending information on behalf of group mailboxes, a flexible deployment platform, integration with mail scanners (so they could scan in clear text), and the ability to communicate information about North Wales easily and securely to those most vulnerable.
Roberts said that the group is particularly careful about protecting information – especially on vulnerable citizens – and added that Egress complements NWFRS’s existing encryption solutions and mail scanners in place on desktop, laptop and radio. Certain information is restricted by a government classification policy, and there’s a secure email gateway in place to block restricted information from getting out. Roberts said that they had had a ‘few cases’ flagged, noting that a flagged word doesn’t necessarily mean a breach.
“IT is about educating people about information security and trying to put enough technology in place so you don’t have to think that much about it,” said Roberts.
NWFRS doesn’t allow USB stick use due to potential data loss, and says the ROI is easy to judge: “It’s the speed in which you can share information freely and securely. There are tangible benefits. If there’s a vulnerable citizen we need to know about that person now.” Roberts added that it’s easy to comply with the Data Protection Act as it’s UK based and on the premises.
The public sector body built the servers in a day and Egress helped with the configuration, something Roberts said was more timely given the rules over sensitive and restrictive data.
Email encryption improves security
The software is free for recipients to use. It’s an easy process for them to register and securely share info.
“We have seen real benefits throughout the organisation as a result of our usage of Switch,” says Sarah Roberts, head of ICT at NWFRS
Recently at an SC Magazine Roundtable, editor Tony Morbin opened with the observation that while cyber-security is now a boardroom issue, boards are still not taking it seriously enough. A KPMG survey found that 61 percent had an acceptable understanding of what their key data assets were, but only 24 percent were reviewing their information-risk policies.
Is lack of priority due to confusion about lines of responsibility or simply a lack of resources to deal with the problem of cyber-security? Delegates say it’s not simple, and it’s made more complex depending on whether you are talking about large or small- to medium-size enterprises (SMEs).
Who is responsible?
The KPMG survey of large companies asked where primary responsibility for information security lay: in 16 percent of cases, it was with the chief executive officer (CEO). For 31 percent, it was the chief financial officer and only 15 percent said it was with the chief information officer.
Sarb Sembhi, director at Storm Guidance, said many organisations lacked a clear understanding of the board of directors’ approach to risk management.
For Roger Dean, head of specialist projects at EEMA, securing the supply chain was a major issue for most companies, and this was a theme picked up by Darren Argyle, global CISO at Markit.
According to Argyle, CISOs agree that supply chain security is a priority, but there are two sides to the issue: reporting on security issues to clients and how your own vendors report their security issues to you.
He suggested the need for a shared platform for security reporting.
There was support for Stephanie Daman, CEO of Cyber Security Challenge UK Ltd, who said that at the board level it was about convincing directors that the issue is information security, not IT security – that the threat comes from losing control of the information rather than controlling the technology.
Ultimately it’s the CEO’s responsibility to address the issue of information and cyber-security, said Lorraine Spector of the LS Consultancy. Even if the CEO doesn’t understand the issues he or she is dealing with, a value can still be put on the information and the consequences of losing control of it. From there, the focus on the issue should cascade down through the organisation, but it has to come from the CEO with budget responsibility.
Argyle added that to do this, the CEO and the board have to determine the organisation’s appetite for risk.
Rajan Chada, director at IBN, noted that in the UK there are 4.9 million SMEs, each holding data on an average of 10,000 customers.
Sembhi said there is a danger in assuming that all SMEs are alike when in fact they are diverse in size, markets, experience and skills. These factors will influence how organisations approach security and who is responsible.
Dean asked if cyber-insurance was the answer. Insurance mitigates against losses with the insured risk put under the scrutiny of an insurance company.
Daman expressed concern that outsourcing risk could encourage a lax ‘tick box’ approach, but Argyle countered by reiterating Dean’s point that it could encourage companies to increase security.
Sembhi said that insurance can be used as a risk management tool but in reality it is only one of many.
All of which suggests that liability and insurance may be the levers by which the CISO will be empowered to influence the CEO and the board to tackle information-security.
For more information on SC Magazine's Editorial Roundtable Series, please go to www.scmagazineuk.com
Security on the agenda
Cyber-security has become a boardroom issue, but too few boards give the topic the time or resources required, our experts agreed at a recent SC Magazine Roundtable. Opinions were split over how to respond.
The winners!
Hundreds of industry guests gathered at the Grosvenor Hotel, Park Lane in June for the SC Awards Europe 2015, a gala dinner to celebrate excellence, innovation and achievement in the information security industry.
SC Magazine UK Editor in Chief Tony Morbin reminded guests how a year of major high profile breaches and subsequent industry growth had put information security firmly on the boardroom agenda. He then introduced Ian Glover, president of Crest, who emphasised the professionalisation of the industry, and the further steps needed to ensure it is a viable and attractive career option for today’s school students. Then after dinner, compere Ed Byrne entertained guests and presented the Award winners with their trophies.
The evening culminated with the Editor’s Choice Award, presented to Richard Bach, assistant director, Cyber Security Digital Economy Unit, BIS, Department for Culture, Media and Sport, on behalf of the Cyber Essentials programme, a government-backed, industry-supported scheme to help organisations protect themselves against common cyber-attacks – praised as possibly the most significant initiative to reduce cyber-crime.
All other awards were chosen by our highly esteemed panel of independent industry experts, with the full list of winners below and details about the winning entries available on http://www.scmagazineuk.com/sc-awards-europe-2015-winners-announced/article/418346/
• Best Advanced Persistent Threat (APT) Protection: FireEye
• Best Cloud Computing Security Solution: Radware
• Best Computer Forensics Solution: Guidance Software
• Best Customer Service: Mimecast
• Best Data Leakage Prevention (DLP) Solution: Websense
• Best Email Security Solution: Clearswift
• Best Emerging Technology: Cybereason
• Best Enterprise Security Solution: Kaspersky Lab
• Best Fraud Prevention Solution: IBM
• Best Identity Management Solution: HP
• Best Managed Security Service: CSC
• Best Mobile Security Solution: Accellion
• Best Multifactor Solution: Encap Security
• Best NAC Solution: ForeScout Technologies
• Best Newcomer Security Company of the Year: Skyhigh Networks
• Best Professional Training or Certification Programme: (ISC)2 EMEA
• Best Security Company: Tenable Network Security
• Best Security Team: BP Plc
• Best SIEM Solution: SolarWinds
• Best SME Security Solution: AlienVault
• Best UTM Solution: Sophos
• Best Vulnerability Management Solution: GFI Software
• Best Web Content Management Solution: Entensys
• CSO/CISO of the Year: Daniel Barriuso, CISO, BP Plc
• Risk/Policy Management and Regulatory Compliance Solutions: Tenable Network Security
• Editor’s Choice Award: Cyber Essentials. Presented to Richard Bach, assistant director, Cyber Security Digital Economy Unit, BIS, Department for Culture, Media and Sport, on behalf of the Cyber Essentials programme
Many products help assign classification when the data item is created, while classifying legacy data requires both identification and classification. Classification depends on assigning ownership and needs a classification scheme. Once a scheme is established, assign ownership, classify, and document thoroughly.
Pick a group within the organisation - IT security, privacy or any other group appropriate for the task and assign all legacy data ownership to them. Going forward, the worker who creates a data item owns it and must classify it.
Simple is better - just tag each data item with a meaningful description that tells the item’s sensitivity at a glance, eg three levels of classification: public, internal use and confidential.
Some data items scream out “confidential” - credit cards, personally identifiable information that could be used for ID theft or that must be protected by law. Tag these items and configure the DLP system to behave appropriately with the confidential data type.
Unlike the obvious candidates for confidential, the next layer may be harder to find. That means tuning your classification tool so that it knows what your policy – or the law – considers sensitive.
Finally, tell your classification tool to find and tag data items that your policy restricts to employee use, eg company phone books.
This entire process is policy-driven. If you don’t have a solid, well-defined classification policy, all of the above is for naught.
Now, implement. Data classification will tell users the sensitivity level of the item - and control the exfiltration of those items that should not leave the organisation or should be limited to privileged users. It is useful to be able to de-duplicate emails and documents, especially in large environments. Defining our DLP needs seems straightforward, but it has one little wrinkle: it needs to be compatible with our classification system. In other words, it needs to spot our classifications and behave in accordance with our policy requirements for that classification.
What that means, simply, is: If you have nothing, you should buy the two tools at the same time and ensure that they are compatible. If you have one and not the other, make sure of compatibility before you buy the remaining piece.
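As an added example (not from the column or from any of the reviewed products), this Python sketch applies the three-level scheme above: an item is tagged confidential when a Luhn-valid payment card number or an e-mail address appears, internal use when a policy-defined employee-only marker appears, and public otherwise; a minimal DLP check then decides whether the item may go to a given recipient according to its tag. The organisation domain, privileged recipients, policy table, markers and sample items are all constructed.

```python
import re
from dataclasses import dataclass, field

# Three-level scheme from the column, least to most sensitive.
LEVELS = ("public", "internal use", "confidential")

# Constructed DLP policy: which recipient zones may receive each level.
# A label with no entry gets an empty set, so the check fails closed.
POLICY = {
    "public": {"external", "internal", "privileged"},
    "internal use": {"internal", "privileged"},
    "confidential": {"privileged"},  # must not leave the organisation
}
ORG_DOMAIN = "example.org"  # hypothetical organisation domain
PRIVILEGED = {"dpo@example.org", "finance-lead@example.org"}  # hypothetical

CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13 to 19 digits
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
# Constructed markers for material the policy restricts to employees.
INTERNAL_MARKERS = ("internal phone directory", "staff extension list")


def luhn_ok(number: str) -> bool:
    """Luhn check so that arbitrary digit runs are not tagged as card numbers."""
    digits = [int(c) for c in re.sub(r"\D", "", number)]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class DataItem:
    name: str
    owner: str  # every item has an owner accountable for its label
    text: str
    classification: str = "public"
    reasons: list = field(default_factory=list)


def classify(item: DataItem) -> DataItem:
    """Tag the item with the highest level that any rule triggers."""
    reasons = []
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(item.text)):
        reasons.append("payment card number")
    if EMAIL_RE.search(item.text):
        reasons.append("personal e-mail address")
    if reasons:
        level = "confidential"
    elif any(mk in item.text.lower() for mk in INTERNAL_MARKERS):
        level = "internal use"
        reasons.append("policy: employee-only material")
    else:
        level = "public"
    item.classification, item.reasons = level, reasons
    return item


def recipient_zone(address: str) -> str:
    """privileged / internal / external, by recipient address."""
    addr = address.lower()
    if addr in PRIVILEGED:
        return "privileged"
    return "internal" if addr.endswith("@" + ORG_DOMAIN) else "external"


def dlp_decision(item: DataItem, recipient: str) -> str:
    """'allow' or 'block' for sending item to recipient under POLICY."""
    zone = recipient_zone(recipient)
    return "allow" if zone in POLICY.get(item.classification, set()) else "block"


# Constructed sample items; none of these values is real.
SAMPLE_ITEMS = [
    DataItem("q2-refunds.csv", "finance",
             "Refund to card 4111 1111 1111 1111 for jane.doe@mail.example"),
    DataItem("phone-list.xlsx", "hr",
             "Internal phone directory: reception ext 200, facilities ext 214."),
    DataItem("order-ack.txt", "sales",
             "Order reference 1234 5678 9012 3456 shipped"),  # fails Luhn
    DataItem("press-release.txt", "comms", "Quarterly results announced."),
]


def run_demo() -> list:
    """Classify the samples, then test each against an external and an internal recipient."""
    results = []
    for item in SAMPLE_ITEMS:
        classify(item)
        for rcpt in ("partner@supplier.example", "colleague@example.org"):
            results.append((item.name, item.classification, rcpt, dlp_decision(item, rcpt)))
    return results


if __name__ == "__main__":
    for row in run_demo():
        print("%-18s %-13s -> %-26s %s" % row)
```

The order-acknowledgement sample shows why the Luhn check matters: a 16-digit reference number that fails it stays public instead of being blocked as a card number.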
—Reviews by Sal Picheria, Ben Jones and James Verderico
Code Green P30: Advanced tool to mitigate DLP risks
TITUS P32: Approaches data classification in a unique way
The Boldon James Classifier bundle is a comprehensive data leakage prevention solution that is easy to implement in organisations large and small. Various licence options are available, which gives organisations flexibility in choosing only the features they need, while still retaining the option to purchase others later if needed. The package seamlessly integrates with the Microsoft Office suite, which gives users the same user interface, but adds the ability to implement a classification to documents and emails. User-defined classifications can then be checked against defined policies to ensure compliance – and be adjusted as necessary.
The comprehensive software kit that we received came in the form of several CDs, but it took us only minutes to integrate the software into our SC Lab system. We began by setting aside a machine to install the centralised administration console. All of the administration for Boldon James Classifier is handled from within its Microsoft Management Console (MMC) snap-in, which makes configuration simple and familiar. We inserted the provided CD into the drive, extracted the ZIP file with the installer, and then followed through with the software installer wizard to complete preliminary setup. After that, we opened the snap-in MMC and followed instructions to complete first-time setup, which was straightforward and well documented.
After we had the administration console set up, we imported our licences and began tailoring the product to our environment. We configured our labeling configuration, which let us set classification options. Then, we set up our messages, which included alerts and warnings for when a user violated a classification rule. We also configured watermarking for sensitive documents at the top and bottom of the page. We imported our users from Active Directory before deploying the agent to our clients, which we easily accomplished by deploying the provided MSI with group policy on all of our machines. When we opened Office, the Classifier followed all of our policies perfectly. Classifier is easy to configure as its administration console is entirely wizard driven.
Boldon James offers a free 60-day software warranty with the purchase of Classifier. Support includes eight-hours-a-day/five-days-a-week telephone and email aid as well as access to its website support features. This can be expanded to a software support and maintenance contract priced out at 20 percent of the license cost for one year. Support can be further expanded.
Overall, we were pleased with this tool. It thrives in massive deployments, yet is still easy to set up and configure. Licensing is a reasonable £9.750 per user when a 5,000-user license is purchased along with a support contract.
– Sal Picheria
GROUP TEST Data classification/DLP
Boldon James
Classifier v3.7
DETAILS
Vendor Boldon James
Price £9.750 per user when purchased as a 5,000-user bulk pack with maintenance contract.
Contact boldonjames.com
Features ★★★★½
Ease of use ★★★★★
Performance ★★★★★
Documentation ★★★★★
Support ★★★★★
Value for money ★★★★½
OVERALL RATING ★★★★½
Strengths Ease of use, strong feature set.
Weaknesses None found.
Verdict An excellent enterprise solution with almost no learning curve.
What makes DLP so hard?
You can’t get to DLP without data classification, possibly the most difficult security task an organisation undertakes—because nobody likes to take ownership of data that they must share. So it’s data classification first and DLP second, explains Technology Editor Peter Stephenson
*In the original testing, we looked at several products. Some of the top performers are shown here. All reviews are shown on SCmagazineUK.com.
**Prices are indicative only as they are direct conversions from the US pricing which may vary outside the US.
What the recognition meansBest Buy goes to products the SC Lab rates as outstanding. Recommended means the product has shone in a specific area.
Identity Finder Sensitive Data Manager takes a robust approach to data leakage prevention, offering maximum security across almost any networked device. The tool comes in two parts: the Identity Finder console and the endpoint. The endpoint is installed on clients where it scans existing files on the machine based on a schedule and also scans new files as soon as they are created. The console provides administrators with a centralised way of managing policies organisation-wide and also allows them to schedule and review the results of previous scans.
We received Sensitive Data Manager as a set of software installers for Windows. After reviewing the prerequisites, we set up a Windows Server pod to host the console. The console requires that IIS, Application Server and MS SQL Server be installed, as well as several versions of .NET. In a production environment, the SQL server should reside on a different computer, but we followed the recommendation of Identity Manager and configured it on the same server as the console using SQL Server Express. While this was fine for our deployment in the SC Lab, a full-featured licence would have to be purchased for full deployment in a production environment, which adds to the cost of this solution. Once we had all of the prerequisites checked off, we proceeded to launch the software installer. After clicking through the wizard, it automatically configured the IIS and application and asked us for our SQL Server information. We told the installer where to find the database engine and credentials, and installation completed without further stoppage.
Once the console was running, we imported our licence and set the administrator password. After navigating to the console web server, we were prompted to install Silverlight and were redirected to the download page. We returned to the console login page after installing Silverlight and entered our login details. Once the page loaded, we were brought to a well-designed web interface with many graphs and other user-friendly features. The console is easy to navigate and looks visually similar to the Microsoft Office suite of products; even though it was our first time using Sensitive Data Manager, it felt familiar. We were pleased that the product comes preconfigured to discover common sensitive data, and we configured our own template in only a few clicks. During our testing we were pleased to see that it is able to redact compatible file formats without locking down access to them completely.
Identity Finder Sensitive Data Manager is a high-quality product designed for maximum security in medium to large organisations. The only real downside is its price. If you are able to foot the bill, Identity Finder is the best product we saw in this Group Test. It is our selection for Best Buy.
– Sal Picheria
GROUP TEST Data classification/DLP
Identity Finder
Sensitive Data Manager
DETAILS
Vendor Identity Finder
Price £11,229 for 100 seats.
Contact identityfinder.com
Features ★★★★★
Ease of use ★★★★★
Performance ★★★★★
Documentation ★★★★★
Support ★★★★★
Value for money ★★★★½
OVERALL RATING ★★★★★
Strengths Excellent high security features, fast and scalable.
Weaknesses Price.
Verdict Best-of-breed security with a premium price tag. We rate this Best Buy for its robust feature set, performance and ease of use.
Code Green Networks’ TrueDLP is an extremely effective data leak protection solution. Deploying the appliance lets a security team properly analyse, monitor and maintain the integrity of sensitive data on the network. TrueDLP both detects and prevents the unauthorised exit of data at rest, in use and in transit from an enterprise network.
TrueDLP’s installation and initial configuration were extremely simple. After we removed the product from the box, connected a monitor and keyboard and turned it on, it took less than 15 minutes to integrate the device into our network. We followed the quick-start guide during configuration, using the appliance’s command line to assign an IP address and reset the password. Once the management interface was configured, we were able to reach the device from a web browser. The web-based interface allowed us to immediately configure the device into our network, and integrating it with our Active Directory server was no hassle.
Interestingly, the appliance ships with preconfigured network interfaces for inspecting different types of network traffic: two interfaces for packet monitoring, one for management, and the remaining three for monitoring email, web and central management traffic.
TrueDLP inspects traffic for sensitive data (keywords, phrases, file types, structured data) regardless of port, protocol or file type. The solution also provides policy management on the web console for logs, quarantine functionality, encryption options and alerts for both sender and administrators. TrueDLP uses a powerful discovery engine that is able to efficiently monitor the traffic and filter, block or remediate any possible data leak incidents.
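Both the endpoint scanning described in the Identity Finder review (scheduled and on-create file scans, with redaction that leaves the file usable) and the in-transit inspection above come down to the same engine: match candidate sensitive data, validate the match to cut false positives, then apply a policy. The Python below is an added illustration written for this page, not code from either vendor. The patterns, the three-card block threshold, the `[REDACTED-…]` markers and the three sample documents are all constructed for the example, and it covers more data types (Luhn-validated card numbers, UK National Insurance numbers, email addresses) than the reviews name.

```python
"""Sensitive-data discovery, redaction and policy decision.

Added example for this page, not vendor code. The detection patterns,
the policy threshold and the sample documents are constructed here."""
import re
from dataclasses import dataclass

# Candidate payment-card numbers: 13-19 digits, optional space/dash separators.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# UK National Insurance number, e.g. AB 12 34 56 C (prefix letters restricted,
# known-invalid prefixes excluded).
NINO_RE = re.compile(
    r"\b(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b"
)
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: weeds out order numbers, IDs and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    kind: str
    start: int
    end: int
    text: str


def scan(text: str) -> list[Finding]:
    """Return every sensitive-data match in text; card numbers are Luhn-validated."""
    found: list[Finding] = []
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.append(Finding("pan", m.start(), m.end(), m.group()))
    for kind, rx in (("nino", NINO_RE), ("email", EMAIL_RE)):
        for m in rx.finditer(text):
            found.append(Finding(kind, m.start(), m.end(), m.group()))
    return sorted(found, key=lambda f: f.start)


def redact(text: str, findings: list[Finding]) -> str:
    """Mask each finding in place. Card numbers keep their last four digits so
    the document stays usable rather than being locked away entirely."""
    out, pos = [], 0
    for f in findings:
        out.append(text[pos:f.start])
        if f.kind == "pan":
            digits = re.sub(r"[ -]", "", f.text)
            out.append("*" * (len(digits) - 4) + digits[-4:])
        else:
            out.append("[REDACTED-" + f.kind.upper() + "]")
        pos = f.end
    out.append(text[pos:])
    return "".join(out)


def decide(findings: list[Finding], block_threshold: int = 3) -> str:
    """Policy (constructed): nothing found -> allow; a few hits -> redact and
    deliver; block_threshold or more card numbers -> block, it looks like a dump."""
    if not findings:
        return "allow"
    pans = sum(1 for f in findings if f.kind == "pan")
    return "block" if pans >= block_threshold else "redact"


def inspect_document(name: str, content: str) -> dict:
    """Scan one file or message body and return the action plus redacted text."""
    findings = scan(content)
    action = decide(findings)
    return {
        "name": name,
        "action": action,
        "kinds": [f.kind for f in findings],
        "output": redact(content, findings) if action == "redact" else None,
    }


# Constructed sample documents (the card numbers are standard test numbers).
SAMPLE_FILES = {
    "notes.txt": "Call Jane on 020 7946 0000 about order 1234 5678 9012 3456.",
    "expenses.csv": "jane.doe@example.com,4111 1111 1111 1111,AB 12 34 56 C",
    "dump.txt": "4242424242424242\n5500000000000004\n378282246310005\n",
}

if __name__ == "__main__":
    for name, content in SAMPLE_FILES.items():
        r = inspect_document(name, content)
        print(f"{name}: {r['action']} {r['kinds']}")
        if r["output"]:
            print("  ->", r["output"])
```

Run as-is, the three constructed documents come out as allow, redact and block respectively. The Luhn check is what stops the order number in notes.txt from being reported as a card number; without that kind of validation a discovery sweep over a file share produces far more noise than signal, which is the practical reason the reviewers care about a product's preconfigured templates.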
Code Green Networks offers customers standard and premium support options. Standard assistance includes email and phone support from 8 a.m. to 6 p.m. PST on business days and is priced at 18 percent of the purchase price. Premium support extends this to 24/7/365 and is priced at 28 percent of the purchase price.
TrueDLP strengthens the security of your network and gives administrators guarding sensitive data peace of mind. The product’s powerful functionality offers security teams a range of implementation strategies to mitigate data leakage risks. Because the appliance is easily installed, configured and integrated into the network, there is effectively no downtime during deployment. If you are looking for a powerful and efficient product that will limit data loss on your network, Code Green’s TrueDLP hardware solution is your answer.
– James Verderico
Code Green Networks
TrueDLP
DETAILS
Vendor Code Green Networks
Price Ranges from £4,811 to £8,916
Contact codegreennetworks.com
Features ★★★★★
Ease of use ★★★★½
Performance ★★★★★
Documentation ★★★★½
Support ★★★★
Value for money ★★★★★
OVERALL RATING ★★★★½
Strengths The product’s robust feature set and ease of integration into the network.
Weaknesses None found.
Verdict The product’s advanced functionality and easy-to-use GUI makes enterprise DLP easy.
Varonis DatAdvantage and the Data Classification Framework work together to identify where any and all of your sensitive and proprietary information lies. Critical to any data leakage prevention operation is access control, and that is where Varonis shines. The tool enables administrators to find a specific file anywhere on a network, or to look for any file in a category.
The setup was aided by a WebEx session with support, so installation was a breeze. Varonis requires a version of Microsoft SQL Server (supported versions are listed on its website); from there the installer can take over and set almost everything up on its own. Once the Varonis solution is installed, though, that really is just the beginning: deciding which rules you want enacted is the more intensive portion. This depends on your organisation and will vary anywhere from the default install to pages of rules.
Varonis DatAdvantage tied into our Windows file server with a few clicks and without any issues. The scheduled scanning of network resources worked cleanly. The tool can either install an agent on the file server or retrieve everything itself using existing Windows protocols. We ran into no issues with the functionality of this product whatsoever; it was a pleasure to use. The offering found all of the information and classified it correctly using the default compliance rules provided by Varonis. These include a dictionary of words that may indicate sensitive information, PCI compliance rules, and a long list of other compliance-based rules.
Varonis has a site containing all of its documentation arranged in an orderly fashion. Although we would have liked to see a bit more detail, the information that was there was good, well laid out and filled with effective screen shots. In fact, the documentation was some of the cleanest we’ve seen. That said, this product was easy to use and in-depth documentation was unlikely to be needed for our purposes.
Varonis DatAdvantage assistance costs 20 percent of the purchase price annually. The company keeps it simple by providing one level of support, 9 a.m. to 5 p.m., five days a week, via email or phone. The contract also includes a software subscription including all updates.
Varonis DatAdvantage was, overall, a great product with a full feature set with some of the best ease-of-use in the category. Having Varonis set the product up for us, and explain everything in-depth during the installation process, shows huge dedication to customer support. Varonis was also the most expensive product in the category, but this was not a problem in our eyes because users certainly get what they pay for with DatAdvantage, one of the most extensible data classification frameworks on the market.
– Ben Jones
Varonis
DatAdvantage and Data Classification
DETAILS
Vendor Varonis Systems
Price DatAdvantage: £10,907; Data Classification Framework: A bit more than £5,133 for 100 users.
Contact varonis.com
Features ★★★★★
Ease of use ★★★★★
Performance ★★★★★
Documentation ★★★★½
Support ★★★★★
Value for money ★★★★★
OVERALL RATING ★★★★★
Strengths Full feature set.
Weaknesses Price.
Verdict Strong features and performance, but could use a little refinement of its documentation.
TITUS Classification Suite approaches data classification in a unique way: by giving power back to the user while double-checking with automated analysis. The tool also looks at files in an unstructured way that allows for more flexibility than one might get from permissions-only products. TITUS supports Microsoft Outlook, Microsoft Office and the Windows desktop for its classification.
Setup was a bit longer than we would have liked, and at nearly 80 pages the deployment guide was far from the usual quick-start guide. However, once we got started, it was a relatively easy install. TITUS requires Microsoft SQL Server but, for demonstration purposes, quickly and easily installs an instance of SQL Server Express.
The TITUS Administration Console was one of the cleanest interfaces we’ve seen. It was simple and easy to manage permissions in a fresh way. TITUS allows users to assign the classification of files – with suggested classification or automatic classification – based on context, key words and content. The tool looks at permissions based on an entirely unstructured format and the classifications are stored as metadata.
The solution then enforces policies at multiple levels. For instance, certain users could get a warning for classifications in emails that they could ignore or override, where other users could simply have the information redacted. Others, still, could have an email blocked altogether, and any or all of these situations could force the email to be copied to an inbox for later analysis if necessary. The controls are granular.
TITUS Classification Suite integrates with other products, from Microsoft Dynamics RMS and S/MIME to behavioural analytics tools such as McAfee Data eXchange Layer (DXL). The offering is also tied tightly to Active Directory and Windows File Explorer. The File Explorer integration is absolutely seamless: the extra right-click menu added by TITUS seems like it was meant to be there all along. This is how users assign a classification to a file manually, so compliance and data leakage prevention are simply two clicks away.
TITUS Classification Suite approaches an old problem in a new and innovative way. It can be applied to any file server without changing the structure, yet it still classifies each file at the appropriate level and restricts permissions accordingly, even across large existing datasets. We can see this being an absolutely critical feature. While setup for the TITUS Classification Suite was not as easy as we would have liked, it makes up for it – and then some – by providing a unique solution, handing power back to users, the data creators of your business.
– Ben Jones
TITUS
Classification Suite
DETAILS
Vendor TITUS
Price £38/user; volume discounts apply.
Contact TITUS.com
Features ★★★★★
Ease of use ★★★★½
Performance ★★★★★
Documentation ★★★★★
Support ★★★★★
Value for money ★★★★★
OVERALL RATING ★★★★★
Strengths Unique and innovative.
Weaknesses Setup.
Verdict A very different way to approach an old problem. Our choice for Recommended product.
Last word

Cyber-blackout: The dangers within and without the grid

Utilities face thousands of cyber-attacks every day, but we are not prepared for a successful take-down despite the very real threat, says Oliver Eckel

Speaking as someone who lives and works in Western Europe, and having spent more than 15 years in Africa, I have first-hand experience of some of the world’s most and least reliable infrastructures.

In Africa, I was used to working around daily blackouts. In Vienna and London, where I’m based now and where there’s virtually 100 percent availability, we’re wholly dependent on our interconnectivity. We have done little to prepare for the blackout threat because there simply hasn’t been the need.

This kind of thinking cannot go on. We must increase social risk awareness now. Even on the most reliable infrastructures, we face an increasing danger of blackout due to cyber-attack, which could be devastating.

Renewable energy

Given the increasing complexity of our critical infrastructure, the growing cyber-security threat and the geo-political landscape today, real dangers lie within and without the grid. Energy, like the water supply, telecoms, mobile and banking, is increasingly dependent on IT connectivity. The integration of intelligent, internet-dependent measurement systems that form so-called smart-grids means energy infrastructure is more vulnerable to ‘acts of God’ and cyber-attack than ever. Indeed, the increasing use of renewable resources is a prime example of how our systems are becoming more complex and vulnerable to external threats. There’s a strong argument to be made that secure infrastructure has not grown with the rapid expansion of renewables. As renewable energy plays a bigger part in the national grid, the increased network complexity and number of entry points translates to greater risk.

It’s not just the number of entry points that is on the rise. There are a growing number of individuals who have the technical expertise to carry out devastating cyber-attacks, as amply demonstrated in other industries in recent years. On the contrary, thousands of attacks are recorded on utilities and their infrastructure on a daily basis worldwide. It only takes one sophisticated attack to be successful. Take Norway for instance. A few years ago every second power plant was infested with Trojans. Most of the country’s facilities were built prior to the internet and couldn’t cope when they were connected to IT systems, making them a prime target for hackers.

Most attacks today are carried out by electronic means, but this tectonic shift cannot be downplayed. Where once national infrastructure only needed to be protected from direct physical attack, every IT device and user in the world now represents a potential threat. Many countries are struggling to come to terms with this, as the majority of armed forces currently have insufficient capacity for the protection of IT infrastructure, lacking the resources, personnel and expertise required.

Evaluate the threat

I suggest that the UK and Austria are not top targets for attack but potential targets. As hackers have proved, merit is not always a factor. In some cases hackers will vandalise a site or organisation not for commercial gain, but because they can.

Because electricity, IT connectivity and the internet have penetrated almost every aspect of life, the consequences of a 24-hour large-scale power outage would be huge. In a developed European country, the resulting economic damage would be millions, possibly billions of pounds. It is with this backdrop in mind that I believe we should evaluate the potential threat. Not as an abstract disaster scenario but as a very real threat.

Oliver Eckel, CEO, Cognosec
Barclay Simpson, Bridewell Gate, 9 Bridewell Place, London EC4V 6AW
www.barclaysimpson.com
Information security appointments
Barclay Simpson’s Information Security Division is the leading provider of contract recruitment solutions to the information security profession. For more information on these and other opportunities, and for general advice on the information security contract recruitment market, please contact Owanate Bestman.
Information security contract appointments
Business Information Security Officer – AVP level, Munich, £Competitive, ref OD/117350
This global bank is seeking a Business Information Security Officer to liaise on security issues with different business units and serve as an SME for security. You will participate in security incident response programmes, representing the business area to detect and respond to incidents in a timely manner, as well as provide guidance on and approval of Information Security Risk Management profiles for applications owned by the business unit.
Privacy and Information Protection Team Leader, Wiltshire, £Competitive, ref OD/117100
This global company is seeking a Privacy and Information Protection Leader, who will be responsible for managing and developing the team, setting the standard for Privacy and Data Protection and supporting the business with compliance to legislation and public expectations. This role will involve educating and offering support to key stakeholders and leading a team of Compliance Analysts.
IT Security Analyst, Wiltshire, to £58,000 + benefits, ref SJF/111770
This global organisation is seeking an IT Security Analyst to work within its growing info/cyber security function. This is a hands-on role that requires business insight, technical insight, and the ability to think, write and communicate at various levels within the wider business. Good knowledge across a number of IT security technologies (e.g. firewalls, IDS/IPS, DLP, endpoint security, data encryption, SIEM) is required.
Security Analyst, London, to £45,000 + benefits, ref SJF/112020
This FTSE 100 financial services business is seeking a Security Analyst to develop its security solutions to meet business requirements. The role will require implementing and maintaining security infrastructure and software in alignment with security processes, policies and compliance requirements. Proven experience in maintenance of security infrastructure is required, as well as experience of working within an outsourced multi-vendor.
Information Security Awareness Manager, London, to £70,000 + benefits, ref MA/116760
This well-known financial services business is seeking an awareness and training focused information security specialist to manage all aspects of the training and awareness strategy and to design and deliver all types of security training for the UK and internationally. You will provide training courses using a variety of different channels and devise appropriate mechanisms and key performance measures.
Information Security Specialist, London, to £60,000 + benefits, ref MA/117960
This UK-headquartered FS group is seeking an information security risk specialist who will deputise for the Global Information Security Manager, carry out risk assessments (application, infrastructure and projects), provide advice and assist in the development of policies and procedures. You will participate in and contribute to the information security governance committee and build strong relationships with internal clients.
Deputy CISO, London, to £84,000 + benefits, ref MA/116230
This diverse corporate is seeking a senior manager who will act as deputy CISO and head the risk and compliance team within Information Security. With 4 reports and up to 10 matrix reports, you will take the lead in gaining and recertifying ISO 27001 and PCI DSS certifications for the business. You will guide the risk and compliance team in implementing and maintaining GRC tools, undertaking impact assessments and identifying risks.
Senior Manager – Cyber Security, London, to £100,000 + benefits, ref HP/113810
This market-leading security practice is seeking a Senior Manager to join its established FS Cyber Security division. The Senior Manager will provide expert technical advice, guidance and support on cyber security. Candidates must have demonstrable experience of managing and developing client relationships and a broad range of security experience. Qualifications such as CISSP, CISA, CISM and GIAC are desirable.
For more information on these and many other information security opportunities, please contact Mark Ampleford, Owanate Bestman, Harish Parmar, Chris Meager, Olivia Daly, Sam Freedman or Lorraine Pimienta on 020 7936 2601.
Location | Role | Sector | Rate
London | PCI DSS Consultant | Retail | £550 per day
London | Pentest Assurance Manager | Commerce | £500 per day
London | IdAM Business Analyst | Banking | £450 per day
London | Information Security Consultant | Retail | £500 per day
London | Information Security Manager | Banking | £550 per day
London | Security Architect | Banking | £550 per day
Scotland | Security Analyst | Financial Services | £450 per day
South East | Business Continuity Manager | Insurance | £450 per day
South East | Security Operations Manager | Retail | £500 per day
Midlands | Security Project Manager | Telecoms | £600 per day
North England | Security Network Engineer | Retail | £400 per day