Tuesday, 27 September 2016

CLOUDSEC takeaway – Cyber security is not just an IT issue [Link - Trend Micro Blog]

After attending CLOUDSEC 2016, I was asked to create a guest blog on the Trend Micro blog site, including standout statistics and take-away lessons: http://blog.trendmicro.co.uk/cloudsec-takeaway-cyber-security-is-not-just-an-it-issue/

===========================

With a fantastic turnout at CLOUDSEC 2016, attendees comprised security and IT practitioners from numerous industries. Despite these varying sectors, one thing became abundantly clear: the same issues are keeping IT security professionals awake at night – securing cloud environments, securing privileged access accounts and user education.


Many enlightening statistics were shared. Trend Micro’s research found that in the last two years, 44% of UK businesses were hit by ransomware attacks, and a third (33%) of their employees were affected by the infection. We also heard that over $2.3 billion was lost to phishing attacks over the past three years (FBI), though the real figure is likely to be higher.

While this makes the somewhat abstract world of cyber threats very real indeed, if there’s one point to take away from CLOUDSEC, it’s that cyber security isn’t just an IT issue. When the entire workforce is educated around safe IT usage, the chance of a business network being hacked is significantly reduced.

Everyone needs best practice training 

Organisations can defend against cyber-attacks; they don’t have to be victims. While in any organisation the CIO ultimately takes responsibility for cyber security, the rest of the organisation needs to accept responsibility too and not just shrug their collective shoulders. Regardless of seniority, companies should invest in best practice training when using a corporate network.

Best practice knowledge should percolate through the entire organisation from board directors, to employees and IT people involved in daily operations. It should explain why businesses have approved channels for storing data, the risks of using personal cloud storage platforms for data storage, and the need to question email content if it arouses suspicion – even if it’s from the CEO’s office.

Employees must understand the importance of cyber defences within the context of the business and how to safeguard against internal and external intrusions. Are they aware of the importance of setting difficult to crack passwords, as well as understanding that password variations of existing passwords are a source of vulnerability when used in other parts of the network? Do they know that in the last six months or so, ransomware attacks have spiralled as ransomware-as-a-service kits became commonplace on the dark web?

Serious business implications

The whole organisation must realise the possible business implications of a major hack – spiralling revenues, lost customers and plummeting share price, and this could all happen well after the event. Furthermore, jobs could be on the line if declining income hits the business badly.

Despite the growing evidence suggesting otherwise, many organisations still believe they won’t be hacked. With that said, however, if cyber security education is a part of the organisational culture, the chances of a serious breach are dramatically reduced.

Wednesday, 21 September 2016

The Right Train of Thought [Link - Computing Security]

I was asked to contribute to an article for Computing Security, focusing on IT security practices and how an effective cybersecurity strategy must include employee training: http://www.btc.co.uk/Articles/index.php?mag=Security&page=compDetails&link=7074

===========================

INSIDER THREATS

Any effective cybersecurity strategy should include information about how employees can safeguard against, not only external threats, but insider threats too, cautions Andrew Tang, service director, security, MTI Technology. "It also needs to include perimeter protection, but, as companies are increasingly working with cloud-based solutions, remotely and from various devices, it also needs to be sophisticated and fool-proof. Companies should invest in training all employees, regardless of seniority, on best practice when using a corporate network.

"Staff should understand how to protect against internal and external intrusions, as well as how to stay safe when accessing and sharing sensitive corporate data, opening emails from non-trusted sources and why businesses have approved corporate channels for storing data. It shouldn't just be a case of setting procedures and guidelines; staff should understand the consequences and risks of misuse or misjudgement when accessing corporate networks," he says.

"Employees should also be educated on the importance of password setting, as those that use a variation of the same password across different platforms leave the network vulnerable to attack. IT can also implement two-way authentication to add an extra layer of protection," adds Tang. "While the CIO should ultimately be responsible for implementing and monitoring employee guidelines and policies around cyber security, they should work closely with the HR team and heads of departments to ensure that safe computer usage becomes company culture. When a workforce is educated around safe IT usage, the chance of a business network being hacked is significantly reduced."

Thursday, 15 September 2016

Managing the keys to the kingdom [Link - Professional Security Magazine Online]

After the recent breach at Sage, I was asked to write a piece about insider threat for Professional Security Magazine Online: http://www.professionalsecurity.co.uk/products/cyber/managing-the-keys-to-the-kingdom/

==================================

The recent data breach at Sage, in which sensitive customer data was accessed internally, raises a wider question on whether UK companies are doing enough to defend against hacks, writes Andrew Tang, Service Security Director, MTI Technology, pictured.


After all, data breaches have become so commonplace that the widely accepted maxim of ‘Not if, but when’ stands true for most companies. The implication is that every major company is going to be hacked at some point. Of course, some keep it quiet and do their best to roll down the blinds so it stays in-house, while others have no choice but to come clean, usually when the breach is made public. The irony is that it doesn’t have to be like this. Attacks can be defended against. Internal breaches can be stopped. Data can be protected. It’s just a question of refocusing and committing to security as a business priority, rather than an IT need. The problem with internal attacks is that they undermine trust; a finger of doubt is pointed at all employees. People who were once held in high regard are now viewed with narrow-eyed suspicion. Paranoia rules.

In with the new

Traditional security has focused on building the castle, digging a moat and raising a drawbridge. Or in other words, putting in place rigorous and robust network defences that keep hackers out. But today we need a zero-trust model, one in which the enterprise is viewed as a hotel. Access to rooms, for example, is restricted to certain people. You can’t just walk through the front door and roam around unchallenged. You can only gain access to certain rooms according to the authorisations you have been given.

At the technology level it’s about introducing internal controls such as micro segmentation of the network, access controls and reducing administrators’ rights. Admin rights are often available to a wide number of people in any given organisation, but it’s a fact that between 80 and 100 per cent of system compromises have been carried out using admin credentials. For someone who knows what they are doing, and it doesn’t require a lot of technical knowledge, admin rights can be used to erase firewall logs, scrub back-ups, disable antivirus software and even erase CCTV footage if cameras are digitally connected to the network.

Only the few

Securing an organisation internally is about introducing privileged access, so only a small number of people who have the need can move through a company’s systems. It’s about recording these sessions so there is an audit trail and it’s easy to see who has gone where and when. It’s about introducing two-factor authentication for internal access so people can’t just roam through the network at will.

In small organisations it’s relatively easy to introduce these controls precisely because the operations are small. As you step up in size, however, analytics engines need to be introduced so you can see what is going on internally and also set rules. Is someone, for example, trying to access Dropbox and have they just visited a corporate database that holds customer payment details? Of course, if this is the case the klaxons should be blaring loudly. While this is an obvious example, it illustrates how with the right technology you can see and stop potentially deviant behaviour and in fact can block it before it happens. For instance, you might want to stop all access to cloud-based storage for some employees while allowing it for others, depending on role-based needs. Data loss prevention (DLP) technologies have been around a while and are a powerful tool for identifying sensitive data and raising alerts if sensitive data suddenly starts moving across the network when it shouldn’t.
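The Dropbox-after-database rule and the role-based cloud storage restriction described above can be written as one small correlation over database audit and web proxy events. This is an added example, not code from the original article; the event format, database and host names, role mapping and 15-minute window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, user, source, target
EVENTS = """\
2016-09-15T09:00:05 alice db payments_db
2016-09-15T09:04:40 alice proxy www.dropbox.com
2016-09-15T09:10:00 bob proxy www.dropbox.com
2016-09-15T10:00:00 carol db payments_db
2016-09-15T10:45:00 carol proxy www.dropbox.com
2016-09-15T11:00:00 dave db payments_db
2016-09-15T11:02:00 dave proxy drive.google.com
2016-09-15T11:30:00 erin db hr_db
2016-09-15T11:31:00 erin proxy www.dropbox.com
"""

# All of the values below are assumptions made for this example.
SENSITIVE_DBS = {"payments_db"}                      # holds customer payment details
CLOUD_STORAGE = {"dropbox.com", "drive.google.com"}  # watched storage services
CLOUD_ALLOWED_ROLES = {"marketing"}                  # roles permitted to use them
ROLES = {"alice": "finance", "bob": "marketing", "carol": "finance",
         "dave": "marketing", "erin": "hr"}
WINDOW = timedelta(minutes=15)


def is_cloud_storage(host):
    """Match the domain itself or any subdomain, but not look-alike names."""
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE)


def evaluate(log_text, roles=ROLES):
    """Return (timestamp, user, host, action) for every cloud storage request."""
    last_sensitive = {}  # user -> time of most recent sensitive database access
    decisions = []
    rows = sorted(line.split() for line in log_text.splitlines() if line.strip())
    for ts, user, source, target in rows:
        when = datetime.fromisoformat(ts)
        if source == "db":
            if target in SENSITIVE_DBS:
                last_sensitive[user] = when
            continue
        if source != "proxy" or not is_cloud_storage(target):
            continue
        seen = last_sensitive.get(user)
        if seen is not None and when - seen <= WINDOW:
            action = "ALERT"   # sensitive data touched just before: raise the alarm
        elif roles.get(user) not in CLOUD_ALLOWED_ROLES:
            action = "BLOCK"   # role (or unknown user) has no need for cloud storage
        else:
            action = "ALLOW"
        decisions.append((ts, user, target, action))
    return decisions


if __name__ == "__main__":
    for decision in evaluate(EVENTS):
        print(*decision)
```

The alert takes priority over the role exception, so a user whose role normally permits cloud storage is still flagged when the request follows a sensitive database session.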

Transformation

This approach to security is transformative for the business because it introduces fundamental changes to the way people work, limiting their ability to roam around networks at will, pick up information from databases, or probe internal servers. But internal security is not just about getting the right technologies in place; it’s about a different mindset. It’s about looking at IT spend through the eyes of a realised IT soul. Do you really need an all singing and all dancing firewall or would a next generation firewall suit you better? Do you want to keep spending on the same technology or should you be looking at two factor authentication? Do you want to put 80 per cent of your budget into traditional security or would an investment in proactive analytics and DLP serve you better?

Ironically, this zero-trust approach engenders greater trust. You know who is doing what, and if someone does try to walk off with a rake of customer credit card numbers, they will be stopped in their tracks.

Wednesday, 14 September 2016

Are our data centres insecure? [Link - SC Magazine]

I was asked to contribute to an article on whether datacentres are secure following the disclosure of the Fortinet and Juniper firewall vulnerabilities: http://www.scmagazine.com/are-our-data-centres-insecure/article/522463/

===============================


Likewise, Andrew Tang, service security director for MTI Technology said: “Data centres are only as secure as you configure them to be. You can have a top of the range burglar alarm and locking system on your front door, but if you don't use them, or use them incorrectly, they aren't going to be very secure. Most data centres will have two firewalls: the front firewall which will come from one manufacturer, and a second firewall from a different manufacturer, with the ‘crown jewels' inside. If you're using two different firewall manufacturers, it's rather unlikely that someone will find the first firewall and then go on to find the second firewall – though that can't be ruled out completely. But again, while bad programming causes some issues, bad configuration causes more issues in data centres than the actual manufacturer of the firewall.”

Wednesday, 7 September 2016

WatchGuard Secure Cloud Wi-Fi

Today I attended a WatchGuard wireless training session.  I like to think of myself as a bit of a wireless geek, as I have seen a few wireless solutions in my time.  Over three years ago, I created this blog post around Planning a Wireless Network.

I have seen high density wireless solutions, secure wireless solutions, retail solutions, education solutions, hospitality solutions, beam flexing solutions, controller based solutions, cloud controller solutions, cloud managed solutions, etc.

When I'm told that I'll be looking at a cloud-based secure wireless solution from WatchGuard, my mind wandered off to some of the market leaders in this area, and I started to analyse what I was being told.

I was told that this solution had a military grade WIPS (Wireless Intrusion Prevention System), which sounded too familiar to me.  You see, around 4 years ago I was introduced to a solution which was sold to me in the same way: the solution offering from AirTight Networks, which recently rebranded to Mojo Networks.  It turns out WatchGuard is partnering with Mojo Networks, which assured me that we were looking at one of the most secure wireless solutions available in the market.

The solution is able to detect rogue access points on your network.  A rogue access point is an unauthorised access point plugged into your network, giving wireless access to your network, where you haven't deployed one.  Using patented technology, the wired network will send a packet out of the authorised access points, which can then be detected by the wireless network.  By connecting and analysing both the wired and wireless networks, it is able to detect the access points you have authorised, and disable the ones which are not.


When I attended the AirTight training around 4 years ago, I plugged a USB access point into the network, and hid it in the wiring.  Look at the picture above and see if you can find the access point.  A physical search of the server room wouldn't have uncovered the rogue access point, but the solution was able to detect and disable the access point in less than a minute.

The WatchGuard wireless solution will give wireless access, wireless security, marketing portals and user analytics.  A very rounded solution already, but combined with the WatchGuard UTM, you have the preferred solution to meet the Friendly WiFi criteria.

Tuesday, 6 September 2016

CLOUDSEC 2016

Today I attended CLOUDSEC 2016 in London, which gave an insight into how to take control of the cloud and have a good cyber security strategy.


The speaker of the day for me was Rik Ferguson, who made a few interesting points.

During the Panel Discussion: "Key Questions Every CEO Should be Asking About Cyber Security", he made the comment, that we should sandbox our users.  This may have brought a laugh to some of the more technically focussed audience who would blame users for everything!  What Rik clarified was that organisations should allow users to make mistakes safely, and be able to learn from their mistakes.

During his session "Take Control: Empower the People", there was a delay setting up the presentation, where Rik began to discuss the IT Skills Shortage.  Why do employers look for certifications rather than people?  Many job adverts look for qualifications such as CISSP, CISA, CISM, etc. but not character traits.  As Rik points out, organisations should be looking for people with tenacity, who are analytical, lateral thinkers, natural problem solvers, and people who can think differently.  Much like my belief, there isn't an IT Skills Shortage, employers aren't looking for the right things!

A few takeaways include:

  • "The board don't understand Security" - They don't need to, security need to understand the business.
  • "Compliance is the obligation, Security is the aspiration" 
  • Have an Information Security program in place
  • Ensure employees are educated, aware and engaged
  • Form an incident response team - Include technical, legal, finance, PR, marketing and the board
  • Investigate and fix incidents in a timely fashion - Look at people, process and technology
  • Notify customers in the event of a breach
  • Learn and Improve

Monday, 5 September 2016

How Technology and Employees Must Combine to Fight Cyber Crime [Link - VMware Blog]

VMware asked for my opinions around Cyber Security for a guest blog piece to appear on the VMware EMEA Blog site: http://vmwareemeablog.com/uk/guest-blog-how-technology-and-employees-must-combine-to-fight-cyber-crime/

=============================

Risk and security are two of the most often debated topics in IT in terms of the smooth and effective running of any organisation. Following our research campaign into the subject, we have been busy collecting the views of our partner community, gathering perspectives from across the market on all things security.



Here is Andrew Tang, Service Director of Security at MTI, a global provider of IT & security solutions and VMware partner, to share his views and explain how IT departments can make sure the board is listening…

Although used as a plot device for countless Hollywood movies – from Swordfish to Die Hard 4 – it is only more recently that cyber security breaches have become a significant talking point for businesses, especially when it is their reputation, IP and competitiveness that is at risk. Due to the misfortune of security breaches at brands such as TalkTalk, Sony and Ashley Madison, business decision makers are beginning to look to cyber security, not simply as an IT afterthought but as an important investment.

And it’s about time. Cyber security has never been so crucial.

The landscape is changing, with organisations becoming more open in how they manage data and IT services. This has caused difficulty for the tech community, and many IT departments are struggling to balance the demands of employee mobility with traditional security methods.

At the same time, we are seeing numerous specialised players popping up with new fixes for niche problems. However, these incremental tactics are proving ineffective – like trying to fix a broken leg by covering it in sticking plasters – and organisations are crying out for a holistic solution that can go beyond the perimeter defence and siloed data. This is where VMware NSX comes in.

However, technology is only half the story. Effective cyber security will always be limited if the end-users continue to let threats in through the back-door. Phishing scams and Trojan viruses often get their entrance through employee mistakes. It’s vital that everyone – from the CEO to the receptionist – is clear on the organisation’s security policies. And while all employees should have a basic understanding of cyber security, training can’t simply be a one-size-fits-all lecture. The board will be targeted in different ways than other roles in the business, so training should be bespoke and appropriately suited to the day-to-day risks employees can expect.

Ultimately, we advise customers to ask three critical questions to tackle the insider threat:

Where is your data?

Data is crucial, it is the lifeblood of your organisation. Keeping track of it means that you are best placed to protect it.

Who can access it?

This is just as much about who should access data, as who should not. To this end, MTI has a dedicated department of fully qualified Penetration Testers – also known as white hat/ethical hackers – who can test your infrastructure to identify weak points and ensure that your data is only seen by those with the right permissions.

How is it protected?

What safeguards do you have in place? Is this enough? Cyber attacks, especially using ransomware, have increased exponentially in recent years and it’s now a case of when – not if – an attack will occur. Have you secured all endpoints?

It might seem paranoid, but when it comes to cyber security paranoia is good! It’s vital that businesses are able to ask these questions. It is only when you can answer them that you know your organisation is once again safe. Additionally, putting into place solutions such as VMware NSX can help mitigate the inevitable insider threat. Thanks to microsegmentation even if an employee mistakenly clicks on a malware link the threat can be locked down and dealt with, instead of compromising the entire system. Although nothing is as effective as eradicating poor employee behaviours – after all, an ounce of prevention is worth a pound of cure – NSX offers a backstop in case something does go wrong. And the more checks and balances in place, the better.