Saturday, December 16, 2017

Thales at InfoSecurity 2014

A quick look at the Thales stand and the wider exhibition at Earl's Court.

Interview with Peter Gibbons, Head of Information Security, Network Rail

Interview with Peter Gibbons, Head of Information Security, Network Rail, panellist in the Keynote Theatre at Infosecurity Europe 2013. Peter shares some of the...

Infosec 2014 welcomes Moscow

Various companies from Moscow are here again this year. This is one really great aspect of Infosec, in that there are companies from all over...

Infosec 2014: Firms moving to cloud despite security fears, study shows

Businesses are moving sensitive or confidential data into public cloud services, despite security fears, an independent global study has revealed. Almost a third of companies doing so expect a negative impact on security posture, according to the Encryption in the Cloud report, launched at Infosecurity Europe 2014 in Earls Court, London.

In response, the use of encryption is increasing, but more than half of respondents admit sensitive data goes unprotected in the cloud, according to the report by the Ponemon Institute. The study, sponsored by security firm Thales, polled more than 4,000 organisations around the world about who is responsible for security in the cloud and how best to protect the sensitive data in the cloud.

The study found the use of the cloud for processing and storing sensitive data is inevitable, with more than half of respondents saying their organisation already uses the cloud for sensitive or confidential data. Just 11% said their organisation had no plans to use the cloud for sensitive operations, down from 19% two years ago.

The study found that almost half of respondents believe their use of the cloud has had no impact on their overall security posture. However, those that believe it has had a negative effect (34%) on their security posture outnumbered those who thought it had a positive effect (17%) by two to one.

The study revealed that perceived responsibility for protecting sensitive data in the cloud is dependent on the type of cloud service. In software as a service (SaaS) environments, more than half of respondents see the cloud provider as being primarily responsible for security. In contrast, almost half of infrastructure as a service (IaaS) and platform as a service (PaaS) users view security as a shared responsibility between the user and cloud provider.
The study found that visibility into the security practices of cloud providers is increasing, with 35% of respondents considering themselves knowledgeable about the security practices of their cloud providers, compared with 29% two years ago. But half of SaaS users still claim to have no knowledge of what steps their providers are taking to secure sensitive data.

“Staying in control of sensitive or confidential data is paramount for most organisations, and yet our survey shows they are transferring ever more of their most valuable data assets to the cloud,” said Larry Ponemon, chairman and founder of the Ponemon Institute.

“It is perhaps a sign of confidence that organisations with the highest overall security posture were most likely to use the cloud for operations involving sensitive data, and it is encouraging to find that significantly fewer respondents believe use of the cloud is weakening their security posture,” he said.

However, Ponemon said there are still concerns that many organisations continue to believe their cloud providers are solely responsible for protecting sensitive data even though most respondents claim not to know what specific security measures their cloud provider is taking.

The study found that while the use of encryption is increasing, data is still exposed. For SaaS users, the study revealed an increase from 32% in 2011 to 39% in 2013, and IaaS/PaaS users report an increase from 17% to 26% over the same period, but still, more than half of respondents said their sensitive data is in clear text, and therefore readable when stored in the cloud.

There is currently an almost equal division in terms of how stored data is encrypted while in the cloud, the study revealed. Of those respondents that encrypt stored data, just over half apply encryption directly within the cloud, with just over 40% electing to encrypt the data before it is sent to the cloud.
When it comes to key management there is a clear recognition of the importance of retaining ownership of encryption keys, with 34% of respondents reporting that their own organisation is in control of encryption keys when data is encrypted in the cloud. Only 18 percent of respondents said that the cloud provider has full control over keys.

The need to share keys between organisations and the cloud highlights the growing interest in key management standards, the report found. There is particularly high interest in the OASIS Key Management Interoperability Protocol (KMIP), with 54% of respondents identifying cloud based applications and storage encryption as the area to be most impacted by the adoption of the KMIP standard.

“Encryption is the most widely proven method to secure sensitive data in the enterprise and in the cloud, and yet more than half of respondents report that sensitive data in the cloud goes unprotected,” said Richard Moulds, vice-president strategy, Thales e-Security.

“Those that are using encryption have adopted a variety of deployment strategies, but once again a universal pain point is key management,” he said. According to Moulds, the way keys are managed often makes all the difference, with poor implementations dramatically reducing effectiveness and driving up costs.

“Key management is a critical control issue for respondents, who are increasingly focused on retaining ownership of keys as a way to control access to data,” he said.

Deployed correctly, Moulds said encryption can help organisations migrate sensitive data and high-risk applications to the cloud. “This will enable them to unlock safely the full potential for economic benefit the cloud can deliver,” he said.

VASCO Data Security at Infosec Europe 2014

Jan Valcke, President & COO, Vasco Data Security tells us why authentication is important in today's marketplace and how Thales benefits his business.

Infosec 2014: Cyber safety will take joint effort, says top EU...

Cyber safety can be achieved only through the joint efforts of all stakeholders, not just law enforcement, says Troels Oerting, head of Europol’s European Cybercrime Centre (EC3). “We will win, a safe and secure internet will prevail, but it will be a tough ride, and can only be done if everyone works together,” he told the opening keynote at Infosecurity Europe 2014 in London.

Oerting also warned that malware is being developed at such a high rate that technological security controls alone are not enough to keep business and consumer data safe. “About 70% of cyber attacks are carried out using malware that is not detected by 40 of the main anti-malware systems in use by business today,” he said.

Further evidence that traditional IT security tools are not working is the fact that cyber criminals were able to persist in company systems for an average of 229 days in 2013 before they were detected.

Because of the high-level use of social engineering by cyber criminals, businesses need to pay more attention to securing their supply chains, and society to raising security awareness among internet users. “Cybercriminals will use social engineering to go after lawyers, accountants and other business partners to gain access to the companies they are targeting,” said Oerting.

Phishing is one of the most popular tools used by attackers, both cyber criminals and hacktivists like the Syrian Electronic Army, he said. “It takes just 28 phishing emails on average before attackers are able to gain access to targeted IT systems and move around at will,” said Oerting.

Many parts of the world, such as Europe, are highly dependent on the internet for innovation, growth and prosperity, so it must be protected, he said. But law enforcement is facing several key challenges. Chief among these is the fact criminals no longer need to travel to commit crime and cannot be stopped at national borders.
“There is no longer any geographical link between the crime and the perpetrators, which means many of the traditional policing techniques do not work in cyberspace,” said Oerting. This means criminals are typically not in the same country as where their crimes are carried out, making it difficult for law enforcement officials to investigate, identify suspects and make arrests.

“We have a good level of co-operation between EU member states, but criminals tend to operate in countries that do not have extradition treaties with the countries they are targeting,” said Oerting.

The second big challenge is that the top echelons of cyber criminals are increasingly using the so-called “dark web” where it is difficult to track and trace actors and their activities. The use of electronic currencies is also making it increasingly difficult to “follow the money”, said Oerting.

Another challenge of cyber crime is that there is usually little or no physical evidence to work with. “And in the very near future, cyber criminals will be streaming everything through cloud services,” said Oerting. This development, he said, will make it even more difficult to gather evidence and be able to attribute criminal actions to specific actors without any doubt.

For all these reasons, said Oerting, international co-operation is important around establishing norms of behaviour on the internet to keep it free and prevent it from becoming balkanised. He believes all stakeholders need to work together to raise cyber security awareness and build the digital capacity of their police forces to help prevent and fight cyber crime.

In terms of cyber protection, he said products and services need to become more secure by design and end users need to be wary of downloading “free” applications. “If something is free, that means users' information is the product, because in reality, nothing in life is entirely free,” said Oerting.
In the light of the challenges to law enforcement and traditional policing methods, he also believes that disruption is likely to become the most effective way to fight cyber crime. “We need to prioritise criminal activity that is causing the most harm and look for ways of disrupting cyber criminal business models because prosecution is extremely difficult,” he said.

Oerting returned to his theme of collaboration, highlighting the various ways the EC3 is working with industry, government and security companies. “On the 5 May we will see the launch of the EU Cybercrime Coalition, which will bring together more than 20 banks in the region to share information with each other and with us,” he said.

Cyber criminals tend to use the same tools and techniques to attack industry sectors, such as financial services, so it is important for these sectors to share information with their peers on attacks they are seeing, said Oerting.

While law enforcement is not seeing complete success, and Oerting admits he is concerned about the developments he is seeing, he remains optimistic that concerted action by all stakeholders will win out in the end.

Verisec at Infosecurity Europe 2014

Anders Henrikson, SVP Global Sales, Verisec stopped by the Thales stand to talk to us about cloud requirement trends.

Infosec 2014: EU cybercrime head blames TOR for making it difficult...

Troels Oerting, the head of the European Cybercrime Centre (EC3), has blamed the "darknet" for making it difficult to catch cyber-criminals in his keynote speech to Infosecurity Europe in London. Furthermore, he added, the revelations of former US Nat...

Day 1 Highlights from Infosecurity Europe 2014

Day 1 from #infosec14 - Security as a Business Enabler

Infosec 2014: make IT security a personal issue for staff, say...

Security chiefs at Infosecurity Europe 2014 urged companies to raise awareness of cyber security by simply talking to employees about how to protect their own home PCs and laptops. Channel 4 CISO Brian Brackenborough explained that the security team a...

Infosec 2014: UK data breaches slightly down but cost way up,...

The number of UK data breaches and victims has gone down in the past year, but the cost of the most serious incidents has risen significantly, a government-sponsored report shows. The average cost of the worst breach for large organisations is £600,000 to £1.15m, up from £450,000 to £850,000 a year ago, according to the 2014 Information Security Breaches Survey.

The report, launched at Infosecurity Europe 2014 in London, was conducted by PricewaterhouseCoopers (PwC) and sponsored by the Department for Business Innovation and Skills.

The cost of data breaches for smaller businesses with fewer than 250 employees has roughly doubled to between £65,000 and £115,000, up from £35,000 to £65,000 a year ago. This is despite a slight decrease in the number of organisations being hit, down to 81% of large organisations from 86% a year ago and 60% of small businesses, down from 64% a year ago.

The median number of breaches suffered by large organisations fell to 16 from 21 a year ago, while the number decreased to six for smaller businesses, down from 10 the year before. Despite these dips, 55% of about 1,100 respondents said they expect more security incidents in the coming year.

Science minister David Willetts said: “Although there are some positive and encouraging signs, the fact that the cost of the worst breaches has increased so much indicates there is still work to do.

“This report is a reminder of the economic cost of cyber breaches, and the UK government takes this very seriously.” For this reason, the government committed £860m to its cyber security programme for the five years to 2016, said Willetts.

Threats outside and in

The study found that attacks from outsiders continue to cause the most security breaches, and malicious software is increasingly the means used for such attacks. But the focus seems to have shifted back towards large organisations, with 55% reporting attacks by an unauthorised outsider, compared with 33% of smaller organisations.
Nearly three-quarters of large organisations suffered from infection by malicious software, compared with 45% of smaller organisations. More than one-third of large organisations were the target of denial-of-service (DoS) attacks, while only 16% of smaller organisations suffered such attacks.

Nearly one-quarter of large organisations detected that outsiders had successfully penetrated their network, compared with 12% of smaller organisations. Although 16% of large organisations reported that outsiders had stolen intellectual property or confidential data, only 4% reported the loss of such data.

The study found that staff-related breaches had dropped significantly compared with a year ago, but staff continue to play a key role in security breaches. While 58% of large organisations reported staff-related breaches, down from 73% the year before, only 22% of smaller organisations reported staff-related breaches, down from 41%.

However, 31% of the worst security breaches in the past year were caused by inadvertent human error and 20% by deliberate misuse of systems by staff. Chris Potter, IT risk assurance partner at PwC, said: “This means just over half of the worst breaches involved members of staff.”

Security awareness improving

On a positive note, the study found most organisations continue to prioritise security, with a fall in the number of worst breaches caused by insufficient priority. “This highlights an increased awareness of security at executive level,” said Potter.

The study found that 79% of senior managers place a high or very high priority on security and only 7% of the worst breaches were tied to senior management giving insufficient priority to security.
Security budgets are beginning to reflect this high priority, with a marked increase in spending on information security by smaller businesses, with 15% spending more than 25% of their overall IT budget on security, compared with just 10% of large organisations. But Potter noted that in the past year, the worst breaches took place at organisations that had implemented anti-virus systems, which were all up to date.

Many businesses are becoming more aware of the importance of education on security, with more organisations explaining their security risks to staff to ensure they take the right actions to protect information. The study found 68% of large organisations and 54% of smaller organisations provide ongoing security awareness training to staff, up from 58% and 48%, respectively, a year ago.

But this is not true for all, the report said, with nearly a quarter of organisations failing to brief their board on security risks in the past year and 13% reporting they have never done so. In 70% of companies where security policy was poorly understood, there were staff-related breaches, compared with just 41% where policy was well understood.

Risk management skills

The study found there have been improvements in risk assessment and security skills, but many organisations still struggle to evaluate the effectiveness of their security activities. One in five respondents said they had not carried out any form of risk assessment, down from 23% the year before.

Another positive note, however, was that 59% said they are confident they will have sufficient security skills to manage their risks in the coming year, up from 53% last year. But one-third of respondents said they do not evaluate how effective security expenditure is, up from 31% the year before.
The use of technology remains a key part of businesses’ daily working, so it is vital to ensure a flexible approach to security, the report said. The study found that 12% of large organisations had a security or data breach in the past year relating to social networking sites, while 7% had a breach involving smartphones or tablets.

Cloud computing services were linked with breaches experienced by 5% of respondents and 10% of the worst breaches were due to portable media bypassing defences, up from 4% a year ago.

As organisations improve their understanding of the security threats they face, they are doing more to manage associated risks and are seeking new ways to gain assurance over security, the report said. The study found that 52% of large organisations and 35% of smaller organisations have insurance to cover them in the event of a breach, while 69% of respondents invest in, or plan to invest in, threat intelligence.

Finally, among the headline findings of the study, it emerged that the data breaches that reach the public domain and are reported in the media account for only about 30% of all breaches. The study found that about 70% of organisations are keeping their worst security incidents under wraps, so what makes the news is just a small proportion of the breaches that are actually taking place.

Infosecurity Europe 2014: Businesses should prepare for Google Glass, say security...

Enterprises should prepare for the introduction of Google Glass within the business, according to the heads of security at insurance firm AXA and the Home Retail Group. Lee Barney, head of information security at the Home Retail Group, the parent comp...