If one lesson has been drummed home from my position this year as Chairman of the Gulf Information Security Exhibition & Conference (GISEC 2016), it is that NO company or individual is alone in their defence against Cyber threats, nor in sharing insights. Everyone is impacted. Furthermore, in a trusted environment, the sharing of experience, guidance and best practice is one of the greatest resources we can draw on.
If there were to be one headline statement, it would be that this is a boardroom-level, business-critical priority issue that will have wide ramifications across industry and workforces. We can expect the headline hacks of 2015 to be overtaken by greater, more invasive and widespread attacks as the threat landscape continues to adapt and evolve faster than its quarry can react. In nature this would be a species-threatening event. What it means for our digital realm is still unfolding. What is important is that organisations end the culture of denial, get optics onto the problem and keep them there. Just because they have not had a breach does not mean they have not been breached, or that they can relax.
All senior management should realise that ‘World War Web’ started a long time ago and their organisation is in the thick of it.
This report on the Gulf Information Security Exhibition & Conference (GISEC 2016) incorporates the security details from the Gulf Enterprise Mobility Exhibition & Conference (GEMEC 2016), as it will come as no surprise to anyone active in these spaces to hear that the Enterprise Mobility Conference agenda was dominated by security. This overriding security theme, and the predominance of mobile now as one of the principal computing platforms, means the shared security insights from each of the conferences, GEMEC and GISEC, can be conveniently managed under a single cover, as there was rich cross-pollination between the conference session content, panel debates and questions and answers. The Panel Discussions were most insightful and stimulated much debate and questions from the floor. The topics covered included:
- How Critical National Infrastructure (CNI) and government are winning the struggle to protect themselves from SCADA and Computer Network Exploitation.
- The evolution of malware. Understanding the current threat and knowing how to counteract it.
- Is innovation with big data and medical records the enemy of security in the cyber arms race?
- IoT and the inherent risks brought by increasingly connected living.
- Will we see a major commercial sector killed by cyber-attacks in our lifetimes?
Please see the separate ‘Gulf Enterprise Mobility Exhibition & Conference (GEMEC 2016) report’ for specific enterprise mobility insights.
GISEC was a veritable feast of insight, shared experience, industry research, best practices and showcasing of some of the latest and greatest technologies. This report represents a thin veneer of key points and is by no means exhaustive in detail. Please also see the separate summary notes of my Chairman’s opening and closing statements and the Conference Agenda detailing all the speakers and session topics covered across the two days – GISEC 2016 Agenda – Day 1 and GISEC 2016 Agenda – Day 2.
The Centricity of Data
We and our organisations are the product, and our data is the currency that is bartered and ransomed online. It is the hidden asset on the corporate balance sheet that is the target of all hacks and at the heart of all exposures. The flip side of this is the advertising and rental economy of the internet, which also leverages this data as its raw currency. The former is a security issue with privacy connotations. The latter is a privacy issue with personal security connotations. The catch is that at both individual and corporate level, we are being hounded by both malicious and friendly adversaries after our data.
This is big business for criminals. The only saving grace is that there still remains a barrier for individual hackers in the monetisation of their activities. However, there is no such barrier for organised crime, which has mastered the art of monetising its illicit gains. The trend is for individual hackers to operate as part of organised crime webs.
Malware (malicious software programs)
At the root of much organisational IT pain is malware and John Bumgarner (Chief Technology Officer – US Cyber Consequences Unit) gave a very sobering session on the current state and flavours with a view as to the dynamism of what we can expect in the future.
Ransomware was a highlight, representing the new generation of revenue-generating activities focused on by hackers. A twist in this tale is that even organisations with recourse to dutifully implemented backups, diligently insulated from such attacks, cannot simply ignore these attacks. Hackers confronted with an organisation that will not pay simply escalate the ransom to blackmail and threaten to start seeping the encrypted data out to public forums and media agencies. This is a vicious turning of the screw that means a Ransomware infestation can be expensive beyond just the remediation.
The writing is also on the wall for Anti-Virus with the waves of Metamorphic and Polymorphic malware, categories of malware that have the ability to change their code as they propagate. This means the malware is rewritten with each iteration, so that each succeeding version of the code is different from the preceding one, making signature-based Anti-Virus redundant. The difference between the two classes is somewhat academic. The Polymorphic varieties have one part of their code that remains the same with each iteration, which makes them a little easier to identify; not a lot of comfort though.
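To make the Polymorphic versus Metamorphic distinction concrete, here is an added illustration (not code from the conference or any speaker) using constructed toy byte strings in place of executables: a file-hash signature only ever catches the one generation the vendor has already seen, an invariant-stub signature still catches every Polymorphic generation, and nothing signature-based catches the Metamorphic ones. The `STUB` marker, sample sizes and seed are all assumptions made for the demonstration.

```python
import hashlib
import random

# Constructed toy "samples": byte strings standing in for executables.
# A Polymorphic family keeps one invariant part (here STUB) and varies the rest;
# a Metamorphic family rewrites everything between generations.
STUB = b"\x90\x90INVARIANT-STUB\x90\x90"

def polymorphic_generations(n, seed=7):
    """n generations that share STUB but differ in the remaining bytes."""
    rng = random.Random(seed)
    return [STUB + bytes(rng.getrandbits(8) for _ in range(64)) for _ in range(n)]

def metamorphic_generations(n, seed=7):
    """n generations with nothing in common between them."""
    rng = random.Random(seed)
    return [bytes(rng.getrandbits(8) for _ in range(96)) for _ in range(n)]

def file_hash(sample):
    return hashlib.sha256(sample).hexdigest()

def hash_detections(samples, known_hashes):
    """Classic whole-file signature: matches only exact copies of known samples."""
    return sum(file_hash(s) in known_hashes for s in samples)

def stub_detections(samples, signature):
    """Byte-pattern signature on the part a Polymorphic family cannot change."""
    return sum(signature in s for s in samples)

def compare_signatures():
    poly = polymorphic_generations(10)
    meta = metamorphic_generations(10)
    # Assume the vendor captured only the first generation of each family.
    known = {file_hash(poly[0]), file_hash(meta[0])}
    return {
        "poly_by_hash": hash_detections(poly, known),
        "poly_by_stub": stub_detections(poly, STUB),
        "meta_by_hash": hash_detections(meta, known),
        "meta_by_stub": stub_detections(meta, STUB),
    }

if __name__ == "__main__":
    for name, hits in compare_signatures().items():
        print(f"{name}: {hits}/10 generations detected")
```

The stub match is the "little easier to identify" the speaker refers to; the Metamorphic rows show why behaviour-based and baseline-driven detection has to take over from signatures.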
One light at the end of the tunnel is to turn the threat on the threat actors and use encryption internally to protect data. This at least mitigates the escalation into blackmail, and to be honest is an option all companies should be using when reflecting on the increased mobility and hyper-connectivity of corporate networks. If data is encrypted and only accessible by those who have the rights then this circumvents privilege escalations, as administrator accounts, whilst empowered with access systems wide should not have unilateral data level access.
The report on the Conficker ‘worm’ malware, first detected in 2008, offers a most disturbing insight, as it remains the most prevalent malware ever. This is a strain of malware that has demonstrated a resilience to a point where it not only still exists, infecting millions of PCs, but its actual function and purpose have never been properly determined. It has never done anything truly malicious apart from install itself forcefully onto PCs and just sit there consuming modest resources, and it has avoided removal due to its use of advanced malware techniques. The suspicion is that the complexity and resilience of this malware could only be the makings of a nation state. If this is the case, then it is quite possibly the first real Cyber WMD (Weapon of Mass Destruction), just sitting there ready and waiting to be fired. It may not be the only one, but it is the only one we can see.
One of the most insightful outcomes of the various industry-focused sessions and panel debates was the consensus that the current model of ISO and other academic standards is outmoded. Current industry-based standards are more an encumbrance to efficiency and the agility needed to manage effective governance, risk and compliance (GRC) at internet speeds of evolution. There is a need for more real-world, business-focused and orientated standards and/or kitemarks. The basis of this premise is that current standards are predominantly industry-constructed using theoretical norms and classifications. They lack relevance to the operational real world and are failing businesses. There is a lot of talk of interoperability, so the question arises: why then do we have so many industry-segmented standards that act as operational and financial barriers to true interoperability? Furthermore, the speed of ratification for many standards can be painfully slow.
Supply Chain Risk
The supply chain risk dimension came up across all areas of discussion during the conference. All organisations of any size will have third-party supply chain dependencies. These are increasingly managed through shared IT resources or even direct API (application programming interface) interconnects. The lack of true supply chain accountability is leaving the company back door open whilst they throw all their Cyber budgets at the front door.
This comes from two perspectives:
- Supply Chain resilience.
- Supply Chain vulnerability.
Business has always been better at evaluating the upside risk, that of something happening or appreciating in value, but bad at pricing the downside risk, the vulnerability. The accountability landscape has changed, and to do business, suppliers will need to get to grips with the demands of Cyber disciplines and partner transparency in both of these dimensions.
IoT – Internet of Things
The summary of IoT from the conference was one of complete resignation to a feral environment. IoT came out as a veritable market feeding frenzy: devices constrained by resources and limitations, with vendors almost ignoring security and privacy considerations for commercial gain. Enterprises are left bereft of any traditional means of device management, let alone patching, and with a projection of 34% of them expected to engage IoT in some form, this is a recipe for disaster. Experience from the PC and Server world illustrates the harsh reality that persistent attacks will succeed in compromising these devices and their associated siloed networks.
This view is supported by the ‘Online Trust Alliance’ comprising Microsoft, Symantec, Verisign, ADT and TRUSTe. It reckons the Internet of Things (IoT) market is being pushed with no regard to either security or consumer privacy and calls on gadget vendors to stop acting like clowns. Are we learning nothing?
Malware such as ‘Kaiten’ is already targeting IoT systems and this is going to be a growing trend. The worry is that this has the potential to take the current state of enslaved systems to a whole new level. With Gartner predicting over 20 billion IoT devices by 2020, the potential for automated, enslaved IoT devices being deployed as collective digital weapons is now a reality. This has all the hallmarks of what is classed as an ‘unrecoverable event’.
In order to stop the rot before it gets any worse, the view is that some form of rating system is required to provide consumers with clarity into the real security state of an IoT device or classes of devices. The problem with using regulation is that it risks inhibiting innovation at a critical stage of this sector’s evolution. So as IoT devices get smaller, the resource constraints drive even greater compromises, the capability to deliver secure solutions becomes harder and more expensive, and the problem simply gets compounded.
For enterprise adoption, IoT will need to adopt some form of management layer so that firmware and software can be readily patched and IoT devices centrally managed and monitored. Currently this is non-existent or confined to a few specialist vendors.
For now, the debate rumbles on, with increased interest in seeing vendors shoulder some of the responsibility and accountability for what they are putting out into consumer homes, sticking on their bodies or promoting to enterprises and industry. Companies that try to ‘contract out’ in lengthy screeds of terms and conditions will likely be turned upon, if not by regulators then by customers. The industry has an opportunity to do the right thing and accept its responsibilities.
Awareness comes from a number of perspectives:
- User Awareness – With over 42% of organisations lacking a coordinated Cyber Awareness program and 34% of CIOs saying their greatest threat is from their employees, the majority of which is inadvertent rather than premeditated, the need for end user awareness training was flagged as critical.
- Organisational Awareness – Through the sharing of Cyber Threat Intelligence (CTI) in trusted networks of peers and use of vendor CTI tools. CTI is too big for any one organisation to cope with alone and in many cases the same goes for vendors. So organisations relying on single vendor dashboards can be getting skewed views of the true state of the external threat landscape.
- Dwell Time http://www.wordstream.com/blog/ws/2014/06/10/dwell-time – The most important metric you are not measuring to help drive predictive insights and behaviours.
Organisations and users need to think intelligently and conduct themselves accordingly. This will only happen when a state of continuous awareness is reached, and that requires application of effort and resources. The truth is that every hacker knows there is slack in all organisations, and that slack is where the hackers will focus; then it is just like picking up power off the floor that has just been left lying around. The old social engineering example of how to get into a building: carry a box, someone will always open a door.
The dark art of remediation after an attack is a discipline that is poorly understood and not fully appreciated as a critical part of an organisation’s response program. There is a value gap in the recognition of the important role of forensic analysis. The ability to clean up an attack properly and understand the compromise fully is critical to future defence and essential to avoid the costly re-contamination or compromise that follows poor remediation. Aggressive remediation must be the norm following an attack to remove the modern trend for deeply embedded attack assets.
What forensic analysis has identified is that organisations suffer the majority of their losses due to lack of response time. The goal should be to get from months down to hours, if not into the ‘Golden Hour’. The Sony hack for example, required months of work to carry off and export the volumes of data that were extracted. Key Factors that assist this objective are:
- The ability to see across silos of information and to apply expert systems to the analysis of that body of data. Expert Systems that are overseen by humans. Humans can better assimilate the complexity of data and subtleties whilst allowing the Expert Systems to do what they do best and that is crunch through large volumes of data.
- Applying the Expert System and human analysis to established baseline ‘norms’. The Achilles heel of many smart semi-autonomous threat prevention, machine learning and big data analytical security assets is the lack of a true ‘norm’ for an organisation’s many operational states, down to individual users in some cases. Without a true baseline ‘norm’, how can these systems know what is ‘not-norm’?
- Independent testing. Get in experts with fresh eyes and different ways of doing things. Find your own compromises first before the bad guys and be surprised at how many you may find that have already set-up shop!
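The baseline ‘norm’ point and the dwell-time metric above can be shown together in a small added example (not from the conference or any vendor tool): a per-user baseline is learned from a training window of constructed authentication events, live events that fall outside it are flagged with their reasons, and dwell time is measured from the earliest flagged event to containment. Usernames, hosts, timestamps and the containment time are all constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample auth events (not from the page): "timestamp user host".
BASELINE_LOG = """\
2016-03-01T09:02:00 alice ws-alice
2016-03-01T17:55:00 alice ws-alice
2016-03-02T09:10:00 bob ws-bob
2016-03-03T18:02:00 bob ws-bob
"""
LIVE_LOG = """\
2016-03-28T09:01:00 alice ws-alice
2016-03-28T03:14:00 alice fileserver-01
2016-03-29T02:50:00 alice fileserver-01
2016-03-29T09:12:00 bob ws-bob
"""

def parse(log):
    """Turn 'timestamp user host' lines into (datetime, user, host) tuples."""
    return [(datetime.fromisoformat(t), u, h)
            for t, u, h in (line.split() for line in log.splitlines())]

def build_baseline(events):
    """Per-user 'norm': login hours and source hosts seen in the training window.
    Sets keep the example short; a production baseline would model distributions."""
    norm = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for ts, user, host in events:
        norm[user]["hours"].add(ts.hour)
        norm[user]["hosts"].add(host)
    return norm

def find_anomalies(events, norm):
    """Flag events outside the user's own baseline, with the reasons why."""
    anomalies = []
    for ts, user, host in events:
        checks = (("unusual hour", ts.hour in norm[user]["hours"]),
                  ("unusual host", host in norm[user]["hosts"]))
        reasons = [reason for reason, ok in checks if not ok]
        if reasons:
            anomalies.append((ts, user, host, reasons))
    return anomalies

def dwell_time_hours(anomalies, contained_at):
    """Hours between the earliest anomalous event and containment."""
    return (contained_at - min(a[0] for a in anomalies)).total_seconds() / 3600

def run_detection():
    norm = build_baseline(parse(BASELINE_LOG))
    anomalies = find_anomalies(parse(LIVE_LOG), norm)
    return anomalies, dwell_time_hours(anomalies, datetime(2016, 3, 29, 11, 0))
```

A user never seen in the training window gets an empty baseline and is flagged on every event, which is the conservative behaviour you want until a human establishes that user's ‘norm’.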
Industry & Critical Infrastructure
To be holding the event in Dubai was propitious, for Dubai is the epitome of a modern smart city with its ambitions. Technology is being adopted in increasingly imaginative and creative ways for the World Expo 2020.
Dubai’s healthcare ambitions alone, targeting 500,000 healthcare tourists by 2020 and more than 20 new world-class hospitals, are a prime challenge for the data management and international exchange that will be required. Dubai healthcare authority makes it clear that they are defining new models of data management and interoperability with other countries’ healthcare data systems and standards. That is even before we look at the fact that Healthcare represents one of the highest-risk sectors for Cyber-crime, because of the real-time, highly sensitive nature of its data and the high rotation of mobile shift staff, combined with an increasingly technical environment that is becoming more and more interconnected and networked.
At a time when buildings are becoming smarter and networked for ease of management and end user enhanced experiences, the work environments we occupy are now threatened. It is one thing having a hacker disable the air conditioning in a London Office block, staff can just take their jackets off. In Dubai they will be lucky to get out of the building before it turns into an oven.
The discussions then extended into Critical Infrastructure and the potential for a commercial sector killing event. The IoT sessions and discussions already flagged up the potential for an irrecoverable event. One such scenario is that of critical infrastructure as the target of a huge harnessed IoT array of devices.
The new regulation coming into force in many regions enforcing disclosure will drive greater awareness and collective adoption of responsibility. That bodes well for an acceleration of learning and adaptation to a similarly dextrous threat environment. It is felt that this disclosure discipline will come just in time. Why do we never learn?