
Tag: infosec14

Join Stuart Sumner, Sooraj Shah and Peter Gothard as they discuss their main takeaways from this year's Infosecurity Europe 2014 conference in London. We ask: Is investment in cyber security now a major pull for investors in your company? What kind of...
Actionable security threat intelligence is mainly about having the right people with the right skills, a panel of information security professionals has told attendees of Infosecurity Europe 2014 in London. “Invest in people who clearly understand the business, the objectives of intelligence gathering, and what can be achieved,” said Michael Paisley, head of Santander’s operational risk unit. Barry Coatesworth, chief information security officer at retailer New Look, said that people are key but many organisations are failing to focus on people as much as they should. “There is still too much focus on technology,” he said. But technology itself can be a problem without the right people, said Joerg Weber, global head of attack monitoring at Barclays. “It is no use having the technology to deliver threat intelligence if no one is able to do anything with it,” he said, so organisations should ensure they have a commitment to the staff and funding required. There is a need for technology and people, and the value is in the right combination of the two, said Paisley. It is also important to have people who understand the stakeholders, who do not get hooked up on the technology, said Weber. “These are the kind of people who can translate threat intelligence into something that can be understood by everyone,” he said. Retailer Marks and Spencer has invested a lot in the people that make up its security intelligence team, said Matt Denny, head of information security and compliance at M&S. “The company has also invested a lot in training those people to ensure they are able to make the most of all the threat intelligence they receive,” he said. The essential thing about “actionable intelligence” is that it is information that the security team can do something with, said Marco Thorbreugge, operational security head at EU cybersecurity agency Enisa.
“This has to be information that can be used to adapt or change an organisation’s defence strategy in a way that adds value,” he said. Weber said security intelligence must enable security teams to do their job better by focusing on the right things and putting the right resources in the right places. But, if threat intelligence is to be truly useful, said Paisley, it not only has to be “actionable”, but it also has to be relevant, timely, and contextual. And, said Weber, organisations need to ensure they have the necessary infrastructure in place to do something with the information. “Organisations should ask themselves what would be the impact if they were to stop their threat intelligence operations to get a measure of its value,” he said. “If there would be little or no impact, then it is a waste of time and money,” said Weber. Denny said another way of evaluating the value or effectiveness of threat intelligence operations is to ask if it has saved time and money, and reduced exposure. Panelists agreed that threat intelligence is still far from mature, and that some organisations are lagging far behind the front runners. Overall maturity of threat intelligence would be greatly helped by the adoption of a single standard for expressing and communicating threat intelligence, said Weber. “A lack of a standard for threat information exchange and collaboration is holding us back because the present system does not scale,” he said. A greater degree of information sharing is vital to improve the maturity of threat intelligence, said Coatesworth, while Denny said a greater degree of correlation capability would help save time and money.
As the world approaches 1.3 billion mobile devices, businesses should approach adoption in terms of enablement, says VMware’s mobile device management firm, AirWatch. “When tackling mobile security, businesses need to aim to make it simple and empowering,” Ian Evans, managing director of AirWatch, told attendees of Infosecurity Europe 2014 in London. The easier it is to use mobile devices in a secure way, he said, the less likely the risk of employees finding workarounds to circumvent the policies and procedures approved by the company. “All processes, such as the procurement, enrolment and management of devices, should be as simple and easy as possible,” he said. By enabling users to manage devices themselves, organisations can reduce the pressure on IT administrators and encourage user responsibility for how the device is used. But an important part of empowerment is education, said Evans, which includes ensuring employees are aware of security threats and potentially risky behaviour. Instead of attempting to support every mobile operating system, for example, Evans said organisations should choose up to six of the most popular, and standardise on supporting only those. Next, organisations should evaluate which devices and applications are necessary to support the business and then look at ways of enabling just those in a secure way. AirWatch recommends a multi-layer approach to security, setting a terms-of-use policy that users must accept, and setting user policies based on business roles. To avoid privacy concerns, Evans said location data, non-business applications and telecommunications data should all be kept private. One security and privacy option, said Evans, is to do everything work-related in a container that is isolated from the operating system and personal data. “This makes it easier to control and secure work-related data and applications, and enables businesses to wipe all business-related data without affecting anything else on the device,” he said.
When it comes to cost controls, Evans said it is important to make it as easy as possible for employees to manage costs themselves through providing relevant data plans and limit alerts. Organisations need to recognise that mobile data access is not for everyone, he said. The sensitivity of data or the size of typical files in the industry, for example, could make it impractical.
Expect new European Union (EU) data protection law to be enacted in 2017 at the earliest, said David Smith, deputy commissioner at the Information Commissioner’s Office. “But, get your house in order now under the current law, to ensure you are ready for the coming changes, because the principles are not very different,” Smith told attendees of Infosecurity Europe 2014 in London. By acting now, UK businesses can ensure they will not face huge challenges in future, said Smith. Giving an update on the process of issuing new laws, based on the draft EU Data Protection Regulation, he said there had been some progress in the past year, but it had been at a “snail’s pace”. Smith said that, while the European Parliament had agreed on a version of the proposed regulation, members of the European Council were still working on theirs. “Optimists hope that the European Council will reach agreement on the matter by June 2014,” said Smith.

Enacting final text
The next step in the process is to hammer out a final text, agreed by the European Parliament, the European Council and the European Commission (EC), which proposed the original draft in 2012. Smith does not expect the tripartite negotiations to get underway before December 2014, which means the legislation is likely to be passed in 2015, followed by a two-year period of preparation for enactment. “In this time the data protection laws in the EU member states will have to be replaced with the new EU laws and each data protection authority will need to prepare for a new way of working,” said Smith. “The ICO will also have a big job to prepare guidance for UK companies on what they should prioritise to ensure they can comply with the new laws once they are enacted.” Smith said the current data protection directive took five years to get turned into law, which suggests it will take at least another two years before the proposed regulation reaches completion.

Start preparation now
But he emphasised that there is no need to wait, and UK businesses should start preparing now, according to the “direction of travel” of the proposed legislation. The top priority should be around the principle of obtaining explicit consent from people to gather and use their personal data, he told Computer Weekly. “Businesses that plan to collect information that will require explicit consent must ensure that, in all their processes, it is very clear what data is being collected and for what purpose,” said Smith. “It is important that the consent to collect data and use it for a specific purpose is prominent and not tucked away somewhere in a user agreement.”

Data breach notification
The next priority for UK businesses is to ensure they have a system in place for dealing with data breaches, and this should include processes for notifying anyone affected by a breach. Data breach notification is likely to become compulsory for all companies in the EU, so UK companies should look at what processes they have in place, said Smith. “If a company does not yet have any data breach notification process, they are lagging behind and risk incurring penalties if they are not ready by the time the new laws are enacted,” he said.

Culture of privacy
The third priority is to create a company culture where privacy is taken into account in every business activity and new processes are designed with privacy in mind. “Businesses should think about things like necessary data retention periods because, if privacy is not part of the design from the start, it is typically much more difficult to fix in response to complaints,” said Smith. The approach to retention is not expected to change. Organisations should ensure that personal data is not retained any longer than necessary for the purpose it was originally collected. For future data analysis purposes, only anonymised or pseudonymised data should be used, said Smith. “Businesses should not rush products and services to market without thorough testing, and they should listen to their privacy advisors before giving into pressures from the marketing department,” he said.

Balancing enforcement and guidance
Looking to the future, Smith expressed the hope that the final version of the revised data protection regulation is not highly prescriptive, nor too focused on enforcement. “There are different cultures and legal traditions in Europe, so hopefully there will be enough wriggle room for each member state to allow for local sensitivities,” he said. If there is too much focus on enforcement, the ICO is concerned that its educational and guidance activities may have to be curtailed. The ICO recently published a code of practice on privacy impact assessments and plans to publish guidelines about online security soon, to pass on learning from the mistakes of others. Smith said the ICO hopes that, under the new regulation, the UK will be able to make “sensible laws” that will not place “unnecessary burdens” on businesses.

Powers to chase the 'crooks'
The ICO is hoping for additional powers that will enable it to go after the “charlatans” and “crooked individuals” who “never pay up” and simply re-open for business under a new name, he said. “The ICO is no longer a ‘toothless tiger’ and we have used our new powers to good effect, but more imaginative powers are needed such as the ability to impose periods of mandatory audits,” he said. Smith said he believes the controversial Safe Harbour agreement does have a future, but only with tighter data protection assurances after it is revised in line with an EC review. “One of the biggest problems is the element of self-attestation because, in its current form, the system provides no way of checking or verifying that companies are abiding by the rules,” said Smith. The EC has submitted proposals for improvements to the Safe Harbour agreement. He said the US is working on those and a response is expected soon.
BlackBerry has told Computing that its "EZ Pass" BlackBerry Enterprise Server migration scheme is experiencing "tremendous interest" from major customers who are willing to stick with the struggling smartphone maker as it transitions to an enterprise ...
Businesses should improve awareness of current cyber risks and threats to stay ahead of cyber criminals, security and law enforcement professionals have told delegates at Infosecurity Europe 2014 in London. “While security technology will help, a contemporary and dynamic awareness of real-world risks and threats is very important,” said Lee Miles, deputy head of the UK’s National Cyber Crime Unit (NCCU). The NCCU, which underpins all operations under the new National Crime Agency, currently tracks about 320 cyber criminal forums to keep up to speed with cyber and cyber-assisted criminal activity. “These are trusted places in cyberspace where criminals come together, providing one of the best streams of intelligence on criminal business models,” said Miles. For this reason, businesses should get involved in threat intelligence forums across their industry, said the FBI’s Michael Driscoll, assistant legal attaché to the US Embassy in London. “If businesses fail to share information with others in the same business sector, criminal cyber attack methods will continue to be successful,” he said. Miles said the UK’s Cyber Information Sharing Partnership (CISP), now part of the new national CERT-UK, is an “excellent route” into sharing intelligence and learning about real-world threats. Independent security analyst Graham Cluley said intelligence about the threat landscape should be supplemented with intelligence about a company’s own flaws and weaknesses. “Hack yourself to find out what your technical and human vulnerabilities are before the bad guys do it, so you can close those gaps before you are compromised,” he said. In terms of security controls, Cluley said businesses should consider encrypting all data to ensure that even if they are breached, no personal or commercially sensitive data will be lost. Driscoll said organisations should take a step back and look at what they are doing and why.
“Organisations should ask themselves if they really need all their data to be accessible online,” he said. They should also look at how they are sharing data, and what contingency measures they have in place for dealing with the inevitable attacks when they occur. Miles said that at the very least, UK businesses should follow the 10 steps to cyber security guide published by the Department for Business Innovation and Skills. “The point has been made by GCHQ head Iain Lobban that most threats can be eliminated by simply doing good, basic security well,” he said. Miles said firms should also ensure cyber threats are on the agenda at every board meeting, that they are taken seriously at that level, and that board members know and understand the risk. All members of the panel emphasised the need for international and cross-industry collaboration over cyber security. For this reason, the FBI and the NCA are partnering with all the big internet firms and law enforcement agencies around the world. “Unless we work with key partners, we realise that we cannot be effective,” said Miles. One of the biggest challenges to collaboration is concerns about commercially sensitive information, but Miles said there is a willingness among tech companies to work with law enforcement organisations. One of the biggest challenges, and one of the biggest changes, is the move to an as-a-service model among cyber criminals. This has significantly lowered the barriers to entry because anyone who is willing to make a relatively modest investment in time and money can become a cyber criminal. Driscoll added: “There is no longer the need to have technical knowledge. The availability of attack tools and services in criminals' forums means it is all too easy to become a cyber criminal for financial gain.” Miles said this new services-enabled era of cyber criminal collaboration means that an ever-increasing number of people are becoming involved in cyber criminal activity. 
Troels Oerting, the head of the European Cybercrime Centre (EC3), has blamed the "darknet" for making it difficult to catch cyber-criminals in his keynote speech to Infosecurity Europe in London. Furthermore, he added, the revelations of former US Nat...
Europe has "completely failed in producing alternatives or competing services" to large US web firms, and so cannot complain about US government snooping on European business data stored in US clouds, F-Secure's chief research officer, Mikko Hypponen,...
Europeans only have themselves to blame for the dominance of internet data by big US technology firms, says Mikko Hypponen, chief research officer at Finnish security firm F-Secure. Europeans continue to use US-based online services even though data is accessible to the US government because they have no alternative, he told attendees of Infosecurity Europe 2014 in London. “And for this we largely have ourselves to blame because Europe has failed to produce alternatives, and the few successful firms like Skype are being sold to the US,” he said. Hypponen, as an alumnus of the Infosecurity Europe Hall of Fame, was tackling the topic of whistleblowing, which has been hugely enabled by the internet and storage technology. “Whistleblowing has always existed, but now it is possible to remove what would be truckloads of information on storage media like micro SD drives,” said Hypponen. And through organisations like Wikileaks, he said, it is possible to expose wrongdoing within organisations internationally without getting caught. “Companies know this, they know their employees know this, so they must either do no evil or be prepared to deal with the consequences of data leaks,” warned Hypponen. This is also true of groups outside organisations such as hacktivist groups like Anonymous that can use leaks to advance some agenda. “Typically, leaks are in retaliation for something, so organisations should be able to anticipate such actions by disaffected parties with a response plan,” he said. No discussion on whistleblowing would be complete without reference to Edward Snowden, who used his position as a contractor to the US National Security Agency to leak top secret information. “Typically, leaks involve information classified ‘secret’ or below, but ‘top secret’ information very rarely leaks, making Snowden responsible for the biggest leak of ‘top secret’ data in history,” said Hypponen. “Arguably, Snowden is the most powerful man to never finish high school,” he said. 
Whether Snowden is ‘hero’ or ‘traitor’ remains unclear, he said. “While I would love the truth to be that he is a ‘hero’ who sacrificed himself for the common good, I am not entirely convinced,” said Hypponen. There are several small details that challenge this characterisation of Snowden’s actions, he said. Chief among these is the fact that Snowden agreed to release information on the NSA roughly six weeks before he got the job that enabled him to access top secret data. “This seems to be more unethical than true whistleblowing, which typically involves someone leaking information about wrongdoing that cannot be addressed in any other way,” said Hypponen. In conclusion, he said the technologies that have enabled mass surveillance by the US intelligence agencies and their allies also enable whistleblowing on an unprecedented scale. “While governments watch over us, they know we are watching over them,” he said.
Security chiefs at Infosecurity Europe 2014 urged companies to raise awareness of cyber security by simply talking to employees about how to protect their own home PCs and laptops. Channel 4 CISO Brian Brackenborough explained that the security team a...
Pen Test Partners performing live penetration testing against Android devices at Infosecurity 2014.
The security challenges of the cloud are fundamentally the same as those of any in-house datacentre, says Peter Dickman, engineering manager at Google. This means securing data in both can be tackled in the same way, he told attendees of Infosecurity Europe 2014 in London. “It is a question of adding as many layers of controls as possible without impairing usability,” said Dickman, which is the approach Google uses to continually evolve and improve security. Although cloud computing is at an unprecedented scale, he said there are really no new security challenges in the cloud. “Security is still about balancing controls with usability and, while it is not necessarily easy, it is also not impossible to achieve,” said Dickman. Security professionals know there is no such thing as perfect security, but he said there are many things that can be done to ensure data in the cloud is as secure as possible. Google, like most other cloud service providers, has had the advantage of building infrastructure with scalability and security in mind from the start. “We recognised that devices could be compromised, some applications could be malicious and that we could not assume that users were security savvy, so we planned accordingly,” said Dickman. First, this means that the computers in cloud datacentres are largely homogeneous, making it quick and easy for service providers to update application software and security controls whenever needed. “This homogeneity enables us to treat each datacentre like a single computer, which makes it easier to do security and get it right,” said Dickman. Google uses a single, custom-built and security-hardened Linux-based software stack for all its servers in a single datacentre. The servers are designed so they do not include unnecessary hardware or software, to reduce the number of potential vulnerabilities.
This is important for cloud service providers, he said, as their business relies on preserving the trust placed in them as stewards of data belonging to hundreds of millions of users. Although cloud computing tends to raise concerns about data security, Dickman said this approach was developed in response to the demand for access to data everywhere. “People attempted to achieve this by making copies of data on portable media and mobile devices, but that was a security risk, and cloud computing essentially meets the need without the risk,” he said. The next step, said Dickman, is to ensure physical security at the cloud datacentres, using multiple layers of access control technologies and processes. “It is also important to build devices against possible malicious insiders, which is why our security teams build systems to check each other,” he said. Also within the datacentre, Dickman said it is important to follow the principles of isolation, segregation and sandboxing, and deploy encryption wherever, and whenever, possible. “Encryption is no panacea, but it is worth the cost and Google is continually working to ensure our encryption algorithms are as fast and as secure as possible,” he said. Unfortunately, many organisations still fail to keep things separate, said Dickman. “This is not rocket science, just tricky engineering,” he said. Availability is another important component of security, he said, but because cloud service providers take security seriously, they tend to build their datacentres to be fault tolerant. “We test our fault tolerance by turning things off, which should work if systems have been designed and implemented correctly,” said Dickman. Google has robust disaster recovery measures in place due to its ability to shift data access to other datacentres in various parts of the world, selected for their relatively high political stability. Google does not store each user's data on a single machine or set of machines.
Instead, the company distributes all data, including its own, across many computers in different locations. The data is then split into chunks and replicated over multiple systems to avoid a single point of failure, and the data chunks are given random, computer-readable-only names as an extra measure of security. Google also rigorously tracks the location and status of each hard disk in its datacentres, and it destroys hard disks that have reached the end of their lives in a thorough, multi-step process. “No one knows yet how to build perfect security, but Google is continually working to make it better,” said Dickman. All companies are faced with the security challenge of finding the correct balance between what is needed and what can be afforded, he said. But Google, like most other cloud service providers, argues that because of the economies of scale, it is able to build and maintain security to a higher level than most companies could achieve on-premise.