I was delighted to see a recent survey showing that young adults in the UAE are more likely to consider a career in cyber security than their peers elsewhere in the world.  While it is heartening that the world, and especially the UAE, is waking up to the issues and the skills we need, it got me thinking about how cyber security careers are developed and about a gap that I don’t believe is being addressed.

In the course of my work, I regularly meet chief executives and C-suite directors to discuss their businesses and executive search needs – particularly in financial services.  Over the last year or so, concerns over IT and security have become a running theme. And at the CFO Strategies Forum in November, there was considerable discussion around the role of CFOs in the face of automation – which of course includes IT and cyber security.

The big gap that is not being discussed or addressed is communication.

An organisation may have all the latest technical expertise in the world, but in the end security comes down to the practices of thousands of individuals in the organisation.  And if the IT team cannot influence and persuade those individuals to change their behaviours, the most expensive kit becomes useless.

Let me give a practical example of where I see the weakness.

Last year the world was hit by the WannaCry ransomware attacks in some 150 countries, which included attacks on many hospital trusts in the NHS in the UK.  After an investigation by the UK government, a report by their National Audit Office concluded the NHS was vulnerable to attack ‘because cyber security recommendations were not followed’.  A former chairman of NHS Digital blamed the attack on lack of time and resources but also ‘frankly a lack of focus, a lack of taking it seriously’ in keeping up with cyber security improvements.

But while the hospitals are being blamed for ignoring the advice, no-one seems to be challenging the people giving the advice and their ability to explain, persuade and influence the hospitals that these issues are serious.  Rory Cellan-Jones, the BBC’s technology correspondent, added his own commentary to this story, “To be fair, the Department of Health had developed a plan – it was just that it had not been properly communicated or tested in the NHS trusts”.

For me, perhaps the most depressing element of this story is that at the end of last year, NHS Digital announced £20m investment to ‘boost its ability to support the NHS with digital security’ in response to the attacks. This money is to be spent on

  • A monitoring service analysing intelligence and sharing guidance, advice, threat intelligence and remediation to relevant contacts in health and care
  • On-site data security assessments for NHS organisations, to enable them to identify any potential weaknesses and to get the best value from local investment
  • Specialist support for any NHS organisation which believes it may have been affected by a cyber security incident
  • Ongoing monitoring of NHS Digital national systems and services

As far as I can tell, NHS Digital was already doing all of this, to a greater or lesser extent. The hospitals were hit not because they had never been assessed or advised of the risks, or even of what they needed to do (apply the Windows patches that were already available), but because they had not implemented the advice they were given.

So what will change?  What needs to change?

I believe we need to redefine what cyber security means.  Do a Google search and you will see definitions around ‘body of technologies … to protect networks, computers, programs and data from attack’.  What we need to recognise is that technology is not enough on its own. You must have great communication and influencing skills alongside the technical ability.

Just as we agreed at the CFO Strategies Forum that CFOs must be great communicators to be effective, so we need cyber security experts who are also great communicators.  They must be able to understand and influence human behaviour (everyone knows they should use a different password for every account – how many do?) and find solutions to human frailties, which are the weak links in cyber security.

And that means those who are creating courses for the next generation of cyber security experts – such as Khalifa University of Science and Technology and Raytheon’s Cyber Academy which carried out the survey I mentioned earlier – must include skills in communication and influencing behaviour as much as focusing on technical skills.  This also applies to those leading national policies such as Omar Bin Sultan Al Olama – recently appointed the country's first Minister of State for Artificial Intelligence at the age of 27.

As with most boardroom and leadership issues, the theory and the logic are nothing if you cannot bring people with you. 

Published in Cyber security

Cyber security has become one of the hottest topics for leadership teams – both in terms of the risks from breaches and the skills needed to manage and address cyber security, which few leaders have.  Rumi Contractor, in his blog Cyber Security – getting it right in the boardroom, sets out the issues that boardrooms face.  As we start the New Year, I want to help executives understand how they can mitigate the threats that put their company assets at risk.

Where do you start?  Once you have identified the risks and threats, you need to put controls in place to mitigate the impact on tangible and intangible assets. As examples, your assets will range from hardware, such as hosting servers, to customer PII (Personally Identifiable Information).   The key is to assume and plan for the worst and set up controls in advance to counter cyber breaches. This highlights the need for strong Incident Response Plans, Disaster Recovery Plans and Business Continuity Plans.

In these plans, you need to differentiate between an incident and a breach. Quoting Verizon’s 2017 Data Breach Investigations Report:

Incident: “A security event that compromises the integrity, confidentiality or availability of an information asset.”

Breach: “An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.”

To summarise:

Incident - any event that compromised the confidentiality, integrity or availability of an asset, whether or not any data was actually taken (for example a malware infection, or an intrusion that was contained before the attacker reached any data)

Breach - an incident in which data is confirmed to have been disclosed to an unauthorised party. Every breach is an incident, but most incidents are not breaches

The three plans mentioned earlier all contribute to what is referred to as ‘Contingency Planning’. Given the frequency of breaches nowadays in multiple sectors/industries (financial, automotive, retail, healthcare), let’s first consider how companies should react on the identification of a breach. Take a moment to study the diagram below, which paints a picture of the whole Contingency Planning Timeline.

[Diagram: Contingency Planning Timeline]

Creating an Incident Response Plan

To kick-start creating an Incident Response Plan (IRP), we must cover the identification of, classification of and response to an incident. Companies need to develop guidelines for how they will react to and recover from an active threat. This is only possible if the company has an Incident Response (IR) team in place that is actually able to detect incidents in the first place. This team should include individuals with the expertise to handle critical company systems in real time as incidents unfold. Evidence of an attack should be documented at all stages, in case the company ends up prosecuting the perpetrator.

To give you a better idea of realistic indicators, I have compiled the table below, grouped by how strongly each indicator points to an attack. It should be read from the perspective of a member of the IR team.

We might be getting attacked (possible indicators)

  • Presence of unfamiliar files on systems
  • Presence of unknown programs and processes on systems
  • Unusual number of system crashes
  • Unusual consumption of system resources

We are probably being attacked (probable indicators)

  • Unexpected activities taking place at unusual times
  • Unauthorised accounts now present on systems
  • Users reporting attacks against their accounts
  • Notifications from Intrusion Detection and Prevention Systems (IDPS)

We are definitely being attacked (definite indicators)

  • Changes to logs indicating the use of dormant accounts
  • Notification by partners/peers of the presence of known hacker tools
  • Notification by the attackers themselves (for example, a ransom demand)
  • Loss of availability (resources down), integrity (corrupted data) or confidentiality (leaked data) of data
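One way an IR team can automate the first pass over the indicators in the table above, added here as an example and not code from the original post: a small Python script that reads SSH login lines and flags a dormant account coming back into use (a definite indicator), logins by accounts that are not in the inventory, and activity outside business hours (both probable indicators). The account inventory, the 90-day dormancy threshold, the business-hours range and the log lines themselves are all constructed assumptions for the example, not data from any real system.

```python
import re
from datetime import datetime, timedelta

# Constructed inventory (assumption): account -> last legitimate login the IR team knows of.
KNOWN_ACCOUNTS = {
    "alice": datetime(2018, 1, 11, 9, 2),
    "svc_backup": datetime(2017, 6, 1, 2, 0),   # service account, unused for months
}
DORMANT_AFTER = timedelta(days=90)   # assumption: 90 days idle counts as dormant
BUSINESS_HOURS = range(7, 20)        # assumption: 07:00-19:59 local time is normal

# Ordering of the indicator levels used in the table above.
LEVELS = {"none": 0, "possible": 1, "probable": 2, "definite": 3}

# Matches OpenSSH-style "Accepted" lines written with an ISO 8601 timestamp.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample log: one normal login, one dormant account at 3am,
# one unknown account, and a failed attempt (ignored by this pass).
SAMPLE_LOG = """\
2018-01-12T09:15:02 srv1 sshd[2201]: Accepted publickey for alice from 10.0.0.8 port 50120 ssh2
2018-01-12T03:14:07 srv1 sshd[2310]: Accepted password for svc_backup from 203.0.113.5 port 51234 ssh2
2018-01-12T14:40:51 srv1 sshd[2398]: Accepted password for support2 from 198.51.100.23 port 40022 ssh2
2018-01-12T14:41:00 srv1 sshd[2399]: Failed password for root from 198.51.100.23 port 40023 ssh2
"""


def classify_line(line, known=KNOWN_ACCOUNTS):
    """Return a list of (level, reason) indicators for one successful-login line.

    Levels are 'possible', 'probable' or 'definite' as in the table; lines that
    are not successful logins produce no indicators in this pass.
    """
    m = LOG_RE.match(line)
    if not m:
        return []
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
    user = m["user"]
    findings = []
    if user not in known:
        # 'Unauthorised accounts now present on systems'
        findings.append(("probable", f"login by unknown account {user} from {m['src']}"))
    elif ts - known[user] > DORMANT_AFTER:
        # 'Changes to logs indicating the use of dormant accounts'
        idle_days = (ts - known[user]).days
        findings.append(("definite", f"dormant account {user} used after {idle_days} idle days"))
    if ts.hour not in BUSINESS_HOURS:
        # 'Unexpected activities taking place at unusual times'
        findings.append(("probable", f"activity at unusual time {ts:%H:%M} by {user}"))
    return findings


def triage(log_text, known=KNOWN_ACCOUNTS):
    """Map every account seen logging in to the highest indicator level raised for it."""
    worst = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        user = m["user"]
        worst.setdefault(user, "none")
        for level, _reason in classify_line(line, known):
            if LEVELS[level] > LEVELS[worst[user]]:
                worst[user] = level
    return worst


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        for level, reason in classify_line(line):
            print(f"[{level.upper():8}] {reason}")
    print(triage(SAMPLE_LOG))
```

On the constructed log this reports the dormant service account as a definite indicator and the unknown account as probable, while the ordinary daytime login raises nothing. In practice the inventory and thresholds would come from the organisation's directory and its own baseline of normal activity.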

Whilst still in the Incident Stage, we could also briefly consider certain techniques a company could follow to stop an incident and regain full control of systems before it is too late. Methods include:

  • Disconnecting affected systems from the company network
  • Revoking access rights/permissions from unauthorised accounts
  • Disabling compromised accounts
  • Blocking incoming malicious traffic by temporarily reconfiguring firewalls
  • Temporarily disabling a compromised service
  • As a last resort, shutting down all company systems and networks to limit the impact

All decisions should be made according to the IR plan - with full approval by the IR Manager.

Although at this point a successful breach may not have occurred, you may still need to recover from the effects of an attempted incident. Once the incident has been contained and the organisation has regained full control of all systems, we move to the recovery stage.

Before even attempting recovery, the appropriate individuals must be identified. These should include employees with the special training needed to assess the full extent of the damage to company assets and systems. This team should then re-draft a full risk assessment, which needs to be presented to and approved by the leadership team.

This enables the company to re-evaluate the threats and vulnerabilities in its systems and to implement updated or improved controls.

Sources of information on damage

System logs

Intrusion Detection Logs

Configuration Logs and Documents

Documentation produced by the Incident Response (IR) team

Results from a detailed assessment of the system and its data storage

Below are the steps for creating a useful Incident Response Plan, ‘useful’ meaning the process has been tested and proven to work:

1.      Planning

  1. Distribute the Incident Response Plan to each team member
  2. Allow time for each member to perform an evaluation of the plan based on their role
  3. Walk-through each member’s steps at a joint conference following a ‘round-table’ style of discussion of actions at each juncture.

2.      Testing (a) - Simulation

  1. Have each team member walk through and simulate their own steps in isolation.
  2. Stop testing at any point where it would affect normal business operations (for example, taking down server X).

3.      Testing (b) - Parallel

  1. Team members simulate their steps in tandem, as if a real incident were ongoing.
  2. Stop testing at any point where it would affect normal business operations (for example, taking down server X).

4.      Testing (c) - Full Interruption

  1. Team members simulate their steps in tandem, as if a real incident were ongoing.
  2. Keep testing and simulate all procedures, including those that deny or interrupt service.
  3. Attempt to restore data from previous backups.

Clearly the third method of testing is the most realistic and effective approach. However, it may be too risky a method for some businesses, or testing time may be the deciding factor.

Creating a disaster recovery plan (DRP)

Looking back at the Contingency Plan timeline, we can see a second layer that deals with ‘disasters’. Although the contingency planning team decides exactly where to draw the line between an incident and a disaster, an incident declared as a disaster is typically one where:

  • The organisation cannot mitigate the impact of an incident on company assets in real-time
  • The level of damage is extremely severe and swift recovery is impossible

When dealing with a disaster, the response from the team shifts from a focus on countering the attack to securing the most valuable company assets - thus preserving value in the long run. I will also later talk about the BCP (Business Continuity Plan). The difference between that and the current Disaster Recovery Plan (DRP), is that the BCP also focuses on re-establishing primary business operations at a different site.

The execution of a DRP closely follows that of the IRP described above. There are some differences which include key decisions on where to prioritise recovery efforts during/after a disaster.

  • Prioritisation, from preserving human life at the top down to securing the customer database
  • Assigning roles and responsibilities to DR team members based on the actual incident rather than following a template
  • Notify key personnel immediately - CEO/CIO/CISO
  • Assign a role that focuses solely on documenting every step of the disaster - with sufficient legal detail

Business Continuity Plan (BCP)

The inevitable has happened - key assets for the running of your business network have been attacked and business operations at your primary site have come to a halt. This is where a strong Business Continuity Plan (BCP) can save the day.

The BCP outlines how a business can re-establish critical business operations at a second, backup site during a disaster that halts operations at the primary site, so that service to customers can continue. A BCP should be added to and “piggy-back” onto the IRP/DRP, since it is relatively simple to implement. It consists mainly of continuity and recovery strategies to follow, and of how and where to integrate off-site equipment (data storage, servers and offices).

Many companies may choose not to implement a BCP for one or more of the following reasons:

  • The company is too small to afford a BCP
  • The company is asset/cash-rich enough and accepts they can simply ‘wait it out’ if operations are halted at their primary site
  • The company may not physically be able to shift operations elsewhere, such as in the manufacturing industry

How should business continuity sites be configured? The main deciding factors are cost of implementation and trust. There are three main choices:

1.      Hot Site

A facility which mirrors all services offered by the primary site. It is fully configured and ready to go at any given time

2.      Warm Site

Very similar to the hot site, but without all the necessary equipment installed. Applications and the latest backups are already in place, so only a short time is needed to reach full operation.

3.      Cold Site

Rudimentary site which needs equipment, applications and data to be installed and configured before it is ready

Other options that are less favourable but cheaper include:

  • Service Bureaux - outsourcing continuity sites to a service provider
  • Time-sharing / Mutual Agreement - sharing hot/warm/cold sites with other companies and agreeing to help each other

Example of a consolidated Contingency Plan

Rather than implementing the IRP, DRP and BCP as separate documents, companies should aim to produce a single document that covers the development, testing and use of all three.

This single document should include the six concrete steps of the Contingency Planning process as shown here

[Diagram: the six steps of the Contingency Planning process]

“Plan for the worst - hope for the best”

Published in Cyber security

Rumi Contractor recently spoke to Metin Mitchell about cyber security in the boardroom  and as a follow up, has written this guest blog on the biggest cyber security risks facing businesses.

I collected this list of cyber security risks, based on some of the reports and trends I read and came across on the Internet. These are risks as they exist today and will continue proliferating at a fast pace, impacting all of us individually and as corporates going forward ….

1) IoT device manufacturers will need to address major threats

The Internet of Things, or IoT, refers to the multitude of devices that have come online in recent years. Everything from your dishwasher to your coffeemaker is online now; your refrigerator probably has a Twitter account at this point. With all of these devices coming online, and perhaps more importantly networking with other devices online, a new and highly vulnerable attack surface is created.

Until IoT manufacturers identify the authentication risks and establish identity assurance requirements, the threat will persist. Many organisations are trying hard to build open platforms that allow assistants such as Amazon’s Alexa to access other vendors’ products – I personally am wary of this technology in its current guise and maturity! As a matter of fact I shy away from using technology that is still very much bleeding edge and not established through industry-accepted standards.


2) Mobile payments will come under attack

If you’ve been to a Walgreens, a Starbucks or any other large retailer lately, you know how many people are paying for things with their phones these days.

It seems like everyone, from retailers to technology titans like Apple and Google to banks, is designing NFC (Near Field Communication) and RFID (Radio Frequency Identification) mobile payment platforms these days. The idea is to let us all transact electronically without any physical currency! The other reason is that as humans we tend to spend more when we are not handing over physical tokens and cash; this is a psychological trait that retailers love to exploit in the name of convenience.

As you can imagine, this is an exciting new target for cybercriminals, who are already actively looking for a way to breach these systems and gain access to money and valuable financial details. Think about the Open Banking Platforms and PSD2 standards etc. that are already coming to banks in Europe. This is where regulators are asking banks to open up client accounts to established APIs so that Fintechs can piggyback on banking accounts and the power goes from a bank to the client! Crazy stuff is coming our way …….

3) Ransomware will continue to evolve as a threat

Ransomware is just one part of a larger threat: digital extortion. To date it is the most effective weapon in the digital extortion toolbox. The ability to take over a system and effectively hold it hostage until a payment (the ransom) is made is an attractive new business for cybercriminals, and this form of extortion will likely grow substantially from here on.

Even when a particular strain has been defeated, as CrySiS was in 2016, others are already taking its place. Watch this space: this is a money-making business, and while at the moment the main target is unsecured individual PCs, the reality is that it will affect corporations in a big way in future.

4) Autonomous vehicles and the lack of security standards

Each year more and more automobile manufacturers advertise the advanced digital systems they have added to their cars and trucks in order to stay competitive and technically relevant, from promises of ‘hands-free’ driving to an in-car internet experience for passengers!

While this is exciting, it also creates a brand new attack vector. Consider for a second just how terrifying it would be if any of your car’s online systems were to come under attack while you’re in transit on a highway—or anywhere really. This is something the automobile manufacturers will need to address quickly.

Worse than this, if malware were introduced into a car’s software it could spread to the mobile phone or tablet that we now also connect to the car while driving!

5) Learning to live and operate in the Cloud

As part of a continuing trend, expect to see a greater number of attacks on cloud-based management platforms, workloads and enterprise Software-as-a-Service (SaaS) applications. This, in turn, will cause the majority of companies and organizations to reassess their security budgets and redistribute a greater portion of it to cloud-based security, which could weaken the level of security on traditional servers and desktops.

The reality is that more and more systems are going to be hosted in the cloud or in hybrid environments, where some systems are on your premises, some with AWS, some on Azure and others with Dell EMC and the like. This means that you not only have to worry about your own environment being secure, you also need to worry about your hosting partners’ environments being secure as well.

6) Password hygiene @ Client and Server end will be challenging

Major password breaches at established Internet services such as Twitter and Yahoo should have scared all of us into greater awareness of our password hygiene, and these breaches will continue in 2018 and beyond.  At the core of the issue is our human tendency to re-use the same password across multiple accounts, which means that a single compromise gives the attacker a working password for many other accounts as well.

The right behaviour for all of us is to use a different password for every account and, wherever possible, two-factor authentication, including biometric recognition. These technologies are becoming more and more mainstream and are worth investing in. Using multiple biometrics across all devices used by clients and employees can help mitigate this risk, but all of this comes at a cost.

7) Social engineering attacks on employees will continue to grow

With companies and organizations across the world spending more and more time on their digital security strategies, cybercriminals have been forced to become increasingly creative in their attacks. We are now entering an era where Social Engineering Attacks are reaching the level of an art form.

Social engineering is a tactic in which cybercriminals build a believable pretext to get a person to hand over access, whether to breach a network directly or to exploit a known vulnerability once inside. In this context it is usually an email-based phishing attack that impersonates an employee’s co-worker or superior convincingly enough to get them to click a link or open an attachment, though it can take other forms as well.

It’s absolutely crucial that all companies and organizations spend time and resources training all their employees on threat detection and how to handle anything suspicious that gets sent their way.

8) Open Source risks

The move to open source has been a remarkable change in the world of information technology over the past 20 years, from the early advent of Linux in the late 90s to today’s myriad systems, applications and software development tools. How does an organisation ensure that code it did not write, pulled into the products it develops and buys, is not carrying hidden ‘time bombs’? IT teams will need to develop new techniques, skills and processes, starting with knowing which open source components are in use and tracking their known vulnerabilities, so that this exposure does not harm the organisation in the days, weeks, months and years after the code is released into production.

9) Commercialized anti-DDoS will emerge

This is a threat with the potential to affect entire countries, not just companies and industries. Recently, we’ve seen DDoS (Distributed Denial of Service) attacks in excess of hundreds of gigabits per second. This is a staggering amount of power on the part of the attacker. These attacks can take entire server farms offline for as long as they continue, and put companies and organisations at the mercy of their attackers.

It’s only a matter of time before a start-up is formed in a largely unregulated country that can directly attack or patch botnet systems. This will mark a new chapter in the history of cyber warfare, as it will give less developed countries access to a powerful weapon while forcing entire nations to reckon with the threat.

10) The attack of the Bots

The future looks amazing with the advancement in technology and programming languages. There is an opportunity truly to turn many of the science fiction and Hollywood imaginations into realities.

Humans handle exception processing and reasoning better than machines ever will. Machines, however, handle voluminous, repetitive processes far better than humans. The one place where ‘software robots’ can truly make a difference for the better is in handling repetitive client requests and manual processing. Unfortunately, the same strength is also going to be aimed at bombarding networks and the millions of servers and routers in the ever-expanding world of connected devices. This means that the number of DDoS attacks will multiply at an alarming rate, and ‘HW based software patching’ will continue to pose a big challenge for the large hosting organisations as they try to manage the growing number of devices and automatic software updates. The Attack of the Bots is coming to a theatre near you – shortly.

Published in Cyber security

Rumi Contractor is President & COO @ Quinnox Inc., a technology-driven services organization for businesses. Here Metin Mitchell interviews the former CIO and Group General Manager for HSBC  on the security risks facing corporates and how boards, in particular, should respond.

Metin Mitchell (MM): What are the cyber security threats facing businesses and how well are boards managing these risks?

Rumi Contractor (RC): Cyber security has become a hot potato in recent times with more and more high profile cases emerging – just this week we heard Uber paid off hackers who stole the personal details of 57 million riders last year. However, the reality is that most board rooms do not really grasp the high stakes they are risking each and every day - as the trustees of companies and businesses they are required to help protect as well as manage and grow those businesses.

MM: I recently chaired a panel for CFO Strategies Forum and the role of CFOs in automation. What should boardrooms be doing to address cyber risks?

RC: The world is becoming more and more connected and this trend is only going to keep getting bigger and more complex. The more connected systems become, the more breakpoints there are – these are opportunities to ‘hack’ or ‘leak’ in the fabric of an organization. I do not claim to be an IT security expert, but I understand the risks that are out there, I understand how they can happen and I also know the possible ways to breach those gaps. This experience is not easy to come by for most boards. I have always believed that boards need to stop hiring and using the CIO as a technical fixer and more as an expert who has the ability to translate business goals and needs into technical strategies and blueprints WHILE taking technical issues and translating them into business speak and plans.

MM: What are the main cyber security risks for corporates?

RC: At the end of the day, a security breach which causes real damage involves ‘stealing data’ or ‘manipulating data’ or ‘denying access to YOUR data’. That’s the crux of what really happens in a cyber-breach.

MM: Can you give me some examples of these security breaches?

RC: The first is when someone tries to get into your systems from the outside. These could be hackers trying to bombard your networks and find a vulnerability to get access to your servers, computers, networks and databases.  Usually they get into YOUR environment through a loophole that they have managed to identify from a vendor related weakness – say, because your team did not ‘harden’ the peripherals in your IT landscape.  Or because your customer and/or employees have allowed these hackers to get into devices they use to access your corporate systems and networks. Or maybe people have left their devices and systems unsecured and through social engineering, access has been gained by those who are intent on causing you harm.


To bring an analogy of a house, this is where the burglar finds a window left open and climbs in, or someone finds your telephone line outside and taps the connection and listens into your darkest secrets, or finds a lock that is really weak and easily manipulates the same and gains access to your home.

The second category of cyber security breach is one which is most common – internally generated. This is where people have opened connections from inside the corporate environment intentionally (to provide access to others from outside) or done this through sloppy work or non-conformance to stated policies.  In either case this access is not because the systems were not ‘hardened’ or that you did not have solid security policies, it is either through stupidity or malicious intent. This is usually harder to identify and avoid. Hence it becomes important that you have systems and monitoring tools that are able to detect such abnormalities as and when they occur.

This is akin to someone in your home intentionally or through carelessness leaving the door to your home unlocked or a window open. You might have a WiFi router with a default password (Admin) which is then accessed by someone from outside the house (from close proximity) and gaining access to data that is flowing between the devices inside the house and the internet!

The last category is one where the house is secure both from the outside and the inside BUT the appliances you have inside the house are probably tainted with ‘loopholes’ that allow access to someone with a bit of sophistication and understanding of these matters.

More and more devices are connecting to each other (through the Internet of Things - IOT).  Some examples would be WiFi Routers, Amazon Alexa, Google Home Devices, Android Operating Systems on your TV, streaming video dongles, connected refrigerators, mobile phones and more.  If they have any loophole – because of a recent operating system update or downloading a Trojan horse during an internet or social media surfing session – then it may end up tainting other devices or rendering them ‘exposed’ – and possibly under the control of Ransomware security ‘bots’.

Published in Cyber security
