I’ve been neglecting this blog a bit of late. That’s due in part to being overwhelmed with the sheer number of security breach stories and features to write up this summer. I can’t recall a time when there’s been so much going on, and such a great variety of incidents — apart from last year, and the year before …. and possibly the year before that.
It’s becoming something of a cliché to say “it’s not a case of ‘if’ but ‘when’ your organisation is successfully attacked” — but that doesn’t make it any less true. That puts even more pressure on firms to get incident response right. Succeed, and you could get away with little more than a slap on the wrist from the regulators — you may even find your organisation’s reputation enhanced. I asked the experts their views for an upcoming Infosecurity Magazine feature.
First and foremost, IR plans should be drawn up by an organisation-wide team, according to IISP board director, Chris Hodson.
“The IR team must be cross-functional and comprised of senior business stakeholders that understand the importance of the data, applications and infrastructure across their enterprise,” he told me.
“An effective plan must consider not only the nefarious, but also accidental and environmental events. In a world where technology and internet connectivity is baked into everything, safety has become a key consideration too — it’s no longer just considerations of ‘confidentiality, integrity and availability’ (CIA), we need to look at safety being of paramount importance.”
PwC’s US cybersecurity and privacy lead, Sean Joyce, was more prescriptive.
“The incident response plan (IRP) should include but not be limited to the following types of information: event and incident definitions; incident categories, descriptions, and criticality levels; escalation matrices; incident life cycle workflows; a listing of internal stakeholders and external partners with their roles and responsibilities; and reporting requirements,” he explained to me.
Certified SANS instructor, Mathias Fuchs, added much more to the list, including a communications plan, police liaison, mapping out of standard operating procedures, and how to deal with outsourcers like cloud providers.
“As message control is one of the key points in incident response, a predefined circle of trust that limits information flow to people not working on the case as well as to the outside world is key,” he added. “Particularly for publicly traded organisations, information about security incidents has to be treated with great caution as it usually does have an impact on the stock price once publicly available.”
My plan’s in place, now what?
Once you’ve got a plan drawn up, it’s essential to test it regularly, according to Joyce.
“Preparation is a key component to any incident response event. In our experience, organisations that take the time to develop and test their IRPs and playbooks are more prepared to respond and likely reduce the impact of an incident,” he argued.” Decisions that are made in the first 24 hours are extremely impactful in a positive or negative way.”
For Ian Glover, president of accreditation body CREST, it’s also vital to determine how ready the organisation is to respond to an incident, covering people, process and technology.
“CREST has developed a maturity model and free tool to enable assessment of the status of an organisation’s cybersecurity incident response capability on a scale of 1 (least effective) to 5 (most effective),” he told me. “The tool enables assessments to be made at either a summary or detailed level and has been developed in conjunction with a broad range of organisations, including industry bodies, consumer organisations, the UK government and suppliers of expert technical security services. It delivers an assessment against a maturity model based on the 15 steps within the three-phase Cyber Security Incident Response process.”
Even the best laid plans can come apart when a cyber-attack actually strikes. But well-defined and practiced playbooks can help, said PwC’s Joyce.
“An organisation, in consultation with their external partners, should proceed forward with identifying any additional requirements related to preservation, investigation, containment, and longer-term remediation related actions. The results of the investigative work stream should be communicated in a defined/repeatable process that will directly support internal and external messaging related to the incident,” he explained.
“Depending on the incident, organisations should pre-plan their internal briefing requirements to the board and the frequency and detail of those updates. For external messaging, organisations should work with external partners such as counsel and PR organizations to begin drafting an appropriate hold statement as well as media release should notification be needed prior to the conclusion of the investigation.”
SANS’ Fuchs urged IR teams not to act too quickly, especially if they don’t yet know how the attacker got in.
“Find all ways the attacker might have into your network. Try to develop intelligence about the attacker as you investigate, that helps you when they come back. Figure out what they were looking for and what they have already exfiltrated,” he advised. “Conduct a full investigation and then execute the remediation plan on a weekend where you disconnect the whole organisation from the internet.”
Post IR processes are also vital in helping build long-term resilience.
“If they didn’t get what they were there for, they will return,” warned Fuchs. “Find better ways to detect them and avoid them getting back in the same way they did the first time.”
PwC’s Joyce recommended organisations conduct an IR “post-mortem”.
“The results of this may lead to revisions of the incident response plan, policies, procedures, and key reporting metrics; additional training for the board, executives, staff; and additional investments in technologies in the organisations efforts to mitigate risk and evolve with the constantly evolving cyber threat,” he concluded. “In addition, organisations can schedule table-top exercises to provide training opportunities for all key internal and external stakeholders whose support will be needed in response to an incident. Table-tops provide opportunities to evaluate an organisation’s incident response plan and to assess key components such as escalations, internal and external communications, and technical proficiency of the incident response team.”
Today the cybercrime economy is estimated to be worth anything from $600bn to over $1.5 trillion. “Estimated” is the key word here, because in many ways it’s impossible to know for certain just how much money is made off the back of fraud, data theft, ransomware, crypto-mining etc. But what we do know is that the “as-a-service” model is a key component, enabling unskilled criminals to cash in on the cyber-craze and get rich relatively quickly off the back of poor corporate security and fallible consumers.
For a recent feature I interviewed some experts to better understand the scale of the problem, and what hope there is of some kind of comeback for good guys.
The web of profit
One of the best recent reports into the cybercrime economy was the Bromium-sponsored Into the Web of Profit analysis by University of Surrey senior lecturer, Michael McGuire. He explained that the popularity of the cybercrime-as-a-service (CaaS) model boils down to the sheer range of opportunities it affords the criminal fraternity.
“If you accept cybercrime as a hi-tech crime then you need hi-tech tools and methods to facilitate it, and the CaaS model is opening this market up. There are many extremely well organised criminal groups that are developing these tools, and the everyday man on the street is able to make use of their work as a result,” he told me.
“Given the wide range of perpetrators that are looking to make use of some form of CaaS, there really aren’t many types of cybercrime activity where it doesn’t play a role. Everyone can now get hold of various types of attack and varying levels of sophistication. Of course, it isn’t just malware – we are seeing all sorts of CaaS that is helping money laundering and breaking into banks.”
SANS-certified instructor Matthew Toussain explained that CaaS has rapidly matured over the past 10 years.
“The service offerings originally began over a decade ago as Distributed Denial of Service-for-hire before growing into exploit kit rentals and now ransomware as a service. Now the model and process for attackers has settled into a highly mature state where iteration of process and method is no longer necessary for intrusion sets to maintain these services,” he told me.
“Often the differentiator today is which malicious ‘provider’ offers more features or lower prices. These systems are generally driven by a modern web interface. While transactions are generally handled in Bitcoin it is not uncommon to see PayPal used as a method of payment.
Hope for the future?
For those who believe that cybercrime is a relatively harmless form of criminal activity in the grand scheme of things, McGuire had some home truths. His report explained that cyber-criminals often re-invest their profits, not just into online activities but narcotics, human trafficking and more.
“Anything that furthers criminal activity, whether it is CaaS or more guns on the streets is bad for society, and CaaS is certainly doing just that,” he added. “CaaS is also growing the potential opportunity for crime – even people that don’t have a criminal background can now contribute towards cybercrime. It is raising the criminal threat to a level where organisations, and even nation states that can make use of these tools.”
So is there any hope of a fightback by governments, organisations and law enforcers? Not according to Toussain.
“Law enforcement is by its very nature reactive, and for many organisations this may already be too late. Moreover, law enforcement has failed to effectively combat existing threats and continues to allow these black-market services to grow into a burgeoning industry,” he said. “There are a host of difficulties including international and extradition restrictions imposed upon the law enforcement community that make it unlikely we will see a marked improvement in the short-term.”
In fact, many experts suggested that a bigger impact on the problem could be made if organisations just got better at cybersecurity, making themselves a harder target.
“Law enforcement tries to disrupt trust in the black markets. These are anonymous activities, so if people don’t trust the seller, the market goes away. But the are many, many markets,” said James Lewis, director of the technology and public policy program at thinktank the Center for Strategic and International Studies. “Better security is always good, and this includes basic hygiene and thinking about encryption and backup to manage ransomware risk.”
Bromium CEO, Gergory Webb unsurprisingly believes that security technology can play a part here, providing innovative solutions to help keep corporates safe.
“The platform criminality model is productising malware and making cybercrime as easy as shopping online. Not only is it easy to access cyber-criminal tools, services and expertise: it means enterprises and governments alike are going to see more sophisticated, costly and disruptive attacks as The Web of Profit continues to gain momentum,” he explained. “We can’t solve this problem using old thinking or outmoded technology. By focusing on new methods of cybersecurity that protect rather than detect, we believe we can make cybercrime a lot harder.”
However, responsibility lies not just with law enforcement, CISOs or the security industry, but also the online platforms like Facebook that are abused by cyber-criminals to steal personal data, spread malware, trade attack tools and techniques, launder money and more.
“In terms of industry, the reactive security posture that many firms adopt is not enough and must improve if we are to disrupt hackers’ revenue channels, whether that is software enabled or developing better security skills for staff members,” concluded McGuire.
“But the missing element of responsibility is what legitimate platforms themselves can do. They have to get organised with regards to cybercrime and step up to the plate with better measures and much more transparent data practices.”
Here’s a version of a piece I wrote for IDG Connect recently about the escalating tech trade war between the US and China. While Trump is blowing hot and cold on what to do with ZTE, an even bigger potential problem is looming.
A full-on trade war between the United States and China just got another step closer after Washington opened an investigation into whether Huawei broke US sanctions on Iran. The Department of Justice (DoJ) has already slapped tariffs on $60bn worth of Chinese steel and aluminium, but this turn of events could have arguably more serious repercussions.
On the one hand it could cause panic in US tech boardrooms if China ends up banning sales of electronics components made in the Middle Kingdom. But in the longer term, this could accelerate China’s push towards self-sufficiency, locking out US firms like Qualcomm for good.
A seven-year ban?
The Justice Department investigation is said to have stemmed from a similar probe into whether Shenzhen rival ZTE broke US sanctions by exporting kit with American components in it to Iran. It was found guilty not only of breaking the sanctions, which resulted in an $892m fine, but of breaking the deal’s terms by failing to punish those involved. The resulting seven-year ban on US firms selling to ZTE will severely hamper its growth efforts, especially as it relies on chips and other components from the likes of Qualcomm and Micron Technology.
The probe of Huawei, which is said to have been ongoing since early 2017, could result in a similar punishment if the firm is found guilty of breaking sanctions. Washington has belatedly realised that the US is being supplanted by China as the world’s pre-eminent tech superpower and that has meant increasing roadblocks put in the way of the number one telecoms equipment maker and third-largest smartphone maker in the world. National security concerns have been used to keep Huawei down, first in 2012 when it and ZTE were de facto banned from the US telecoms infrastructure market after a damning congressional report, and more recently when AT&T and Verizon were lent on to drop plans to sell the latest Huawei smartphones, and Best Buy stopped selling its devices.
Like ZTE, Huawei could be severely restricted if it is hit with a US components ban. But is Washington shooting itself in the foot with this heavy-handed approach?
A global problem
First, China and its new leader-for-life Xi Jinping is more than ready and willing to fight back against what it sees as unfair trade practices by the Trump administration. It has already fired back with retaliatory tariffs on US food imports and will do so again if a mooted additional $100bn in tariffs from the US goes through. By the same rationale, could China respond to orders banning sales of US components, by banning the sale of China-made components to US tech firms?
Potentially, believes China-watcher Bill Bishop.
“The US-China technology war may run much hotter than the overall conflict over trade. Xi continues to make clear that China can no longer rely on foreign technology and must go all out to end its reliance on it,” he wrote in his popular Sinocism newsletter. “Technology CEOs the world over with supply chain dependencies in China — so probably all of them — should be increasingly nervous and focused on their firms’ efforts to have viable contingency plans for a US-China technology cold war.”
Beijing-based Forrester principal analyst, Charlie Dai, told me the potential for disruption to US supply chains could be “significant”.
“It’s hard to find effective contingency plans and the only way is to have everyone, especially the US government, to realise the importance of collaboration,” he added.
“In a world where the global supply chain and value ecosystem have already become critical drivers for the business growth of large countries like US and China, any further action like ZTE’s case will hurt the economic relationship between the US and China, which is the last thing that companies and customers want to see.”
In the longer term, this could be the reminder Beijing needs that it must become self-reliant in technology to achieve its “rightful” place at the global number one superpower. This has been a goal of Xi’s for years. In fact, that’s what the controversial Made in China 2025 initiative is all about – reducing reliance on foreign suppliers.
“Heavy dependence on imported core technology is like building our house on top of someone else’s walls: no matter how big and how beautiful it is, it won’t remain standing during a storm,” Xi said as far back as 2016. The Chinese government has already set up a fund which aims to raise up to 200 billion yuan ($31.7bn) to back a range of domestic firms including processor designers and equipment makers. But although chips are the number one target, China’s efforts to become self-sufficient in tech expand to other spheres. It has long been trying to nurture a home-grown rival to Windows, although efforts so far have not been hugely successful.
It’s not just Chinese firms the US must be wary of, according to James Lewis, SVP at the Center for Strategic and International Studies.
“The seven-year ban on US components will only encourage foreign suppliers to rush into the space vacated by US companies,” he said of the ZTE case. “It will reinforce the Chinese government’s desire to replace US suppliers with Chinese companies. And it will lead others to begin to make things they did not make before, causing permanent harm to the market share of US companies.”
One final word of warning to US tech CEOs: if China is looking to close the gap on technology capabilities, be prepared for a new deluge of cyber-espionage attempts focused on stealing IP. Innovation may be the first of Xi’s “five major concepts of development”, but that hasn’t stopped the nation pilfering in epic quantities in the past to gain parity with the West.
“It’s impossible for most countries, if not all, to be self-sufficient in all tech components,” claimed Forrester’s Dai. “One chip relates to many different hardware and software components. It requires continuous investments which are hard to realise in the short-term.”
That may be so, but bet against China at your peril. If any country has the resources and now the determination to do it, it’s the Middle Kingdom.
Nation state cyber attacks have never had a higher profile. The sheer volume and sophistication of threat activity today means reporting of incidents has flooded the mainstream media over the past few years. In another post I’ll asked several experts how they characterise the current threat, and the implications of the thorny attribution problem.
But that leaves us with a difficult question to answer: what happens next? Are we headed towards inevitable cyber-conflict?
Not according to former GCHQ deputy director of cyber, Brian Lord.
“It is highly unlikely for a fair time yet that cyber will be the only domain in which a full-blown conflict will occur, and for the foreseeable future will be complementary to traditional warfare not instead of,” argued Lord, now MD of cyber at PGIO. “But the road to conflict will have a very heavy cyber-dimension.”
Could the establishing of cyber-norms help prevent a major conflict in the future? Experts were sanguine about the prospect. Lord claimed the journey to such an end would be “very slow”.
“The abilities of international (and indeed national) legislation and treaties to keep pace with the speed of technological risks challenges (and opportunities) is, in todays’ world sadly lacking and those who want to sidestep outdated rules can easily find a way to do so,” he told me by email.
FireEye senior analyst, Fred Plant, claimed countries are already negotiating cyber-related issues on one-on-one, which could form the basis for wider agreements.
“However, ‘cyber-norms’ are still ultimately rooted in what states determine to be acceptable behavior among other states, and this can differ greatly from one country to another. Cyber-espionage activity against dissidents, for example, can be considered a natural extension of long-standing norms in many authoritarian states whereas Western countries consider such operations to be highly controversial and intertwined with domestic surveillance,” he added. “Serious incidents can occur when these disagreements collide. Conversely, escalations can also occur when rogue countries are already regularly violating international norms, as North Korea-sponsored actors have demonstrated.”
For SecureData head of security strategy, Charl van der Walt, the world’s superpowers are already “preparing the battlefield” via a “cyber-land grab” which involves compromising key machines, probing CNI for weaknesses and compromising supply chains whilst removing risk from their own. The effect of this is to slowly balkanise cyber-space, as smaller nations ally themselves with one side of the other and the world sinks into a protracted Cyber-Cold War, he claimed.
“Day by day, it seems as if the ‘global’ internet is slowly splintering along geopolitical lines. While this ‘cyber-balkanisation’ may have many fronts, it’s perhaps seen most clearly in the recently renewed focus by the US government on integrity in its supply chain, blocking foreign tech providers from competing for contracts in strategically important sectors. Foreign providers in this complex chain of inter-dependencies have been caught in the crossfire as collateral damage,” he told me.
“As we can expect that all cyber super powers are engaging in this activity this presents smaller or developing nation-states with a challenge. As recent history and basic logic clearly shows, for a nation-state that does not have the skill, finance or other resources required to secure and control the hardware and software it uses all the way from the up, it is effectively impossible to protect itself from the offensive operations of more capable nations. So the smaller nation is thus forced to choose the lesser of the evils: aligning itself with the cyber super power it distrusts the least and accepting that it can no longer engage the others for fear of being compromised.”
In the meantime, it’s likely that the escalation of nation state offensive activity will trickle down into the cybercrime underground – as evidenced most clearly in the NSA exploits used to spread WannaCry ransomware in 2017. For van der Walt, “government investment into offensive cyber capabilities is like air being blown into a balloon.”
“Everything offensive is getting bigger and badder and governments are producing an entire new generation of ‘cyber warriors’ with training, skills, experience and exposure that has never been seen before,” he concluded. “Eventually these people will leave military service (like all soldiers eventually do) and find their way into the civilian landscape in one form or another. Many will undoubtedly end up somewhere else in the Cyber Military Complex, but the rest of the world (including crime) will no doubt also be impacted by their experiences.”
The US and China have rarely seen eye-to-eye. But with years of appeasement getting it nowhere fast, the US is now not only talking tough on trade with its biggest rival but also taking steps to harm the business interests of Chinese firms. Here’s my latest for IDG Connect:
This month a deal between Huawei and AT&T to sell its smartphones in the US collapsed after pressure from senators worried about unspecified security concerns. It was a major blow to the world’s third largest device maker and could result in tit-for-tat retaliation by Beijing. In China, Apple announced it would be handing over management of iCloud services to a local government-owned partner — in order to comply with Chinese laws created as a result of escalating tensions and protect its revenue stream in the Middle Kingdom.
These two tech giants are at the center of what could well become a major trade dispute between the world’s pre-eminent superpowers. If it continues to escalate, it could spell disastrous news, not just for IT buyers, but the global economy.
A long time coming
It’s a battle that’s been brewing for years. On the one side, US firms — and technology players in particular — are desperate to access China’s vast market of over one billion internet users. To do so, they’ve been prepared to put up with strict Chinese laws which demand partnering with domestic firms, and technology transfers which can expose IP to the local partner. Along with out-and-out IP theft in the form of cyber espionage — carried out with the blessing or perhaps even backing of the government — this has helped Chinese firms catch up fast in the technology stakes over the past few decades. Censorship of various US platforms — think Twitter, Facebook and Google — also helped to provide a useful vacuum for local players to thrive.
China’s new Cybersecurity Law (CSL) may overlap with GDPR, but could still deliver the opposite effect from the intended one. How will China’s GDPR-like Cybersecurity Law impact business?
Now the US is hitting back. The first big move came when lawmakers effectively banned Huawei and ZTE from touting for telecoms infrastructure contracts in the US, citing national security concerns. Then came the NSA leaks and revelations from the portable USB drives of Edward Snowden, describing how US intelligence had been spying on China for years by intercepting and bugging US-made Cisco routers. That was all Beijing needed to escalate its own policy of prioritising homegrown products and putting yet more roadblocks in the way of US firms.
Huawei rival Cisco was hardest hit, seeing its China market share reportedly plummet over 30%. But some reports suggest that the number of government-approved foreign tech firms in China fell by a third between 2012 and 2014, while those with security-related products fell by two-thirds.
Microsoft has also been singled out, with Windows 8 banned for government use, while Qualcomm was hit with an anti-trust fine of nearly $1bn. Then China introduced a rigorous new Cybersecurity Lawwhich — although seemingly designed to improve baseline security for local organizations — could also provide a legal basis for forcing US firms to hand over source code during national security ‘spot checks’.
This law is the reason Apple has been forced to transfer local iCloud operations to partner Guizhou on the Cloud Big Data (GCBD). It claims to have “strong data privacy and security protections in place” and says that “no backdoors will be created into any of our systems”. But experts are sceptical. Threat intelligence firm Recorded Future previously claimed that the law could give the government “access to vulnerabilities in foreign technologies that they could then exploit in their own intelligence operations.”
That’s not all. By handing over local control of iCloud accounts to a Chinese partner, Apple may be putting at risk the privacy and security of employees of US firms operating in China.
“This latest move by Apple to essentially cede control and operation of its cloud services in China to the Chinese government is part of a larger and disturbing trend by Western technology companies to limit user privacy in exchange for continued access to the Chinese market,” Recorded Future director of strategic threat development, Priscilla Moriuchi, told me.
Hackers could have a head start on researching exploits that US firms have not yet caught wind of. Why does China spot security vulnerabilities quicker than the US?
“Per Apple’s security procedures, GCBD would have access to metadata about Chinese users’ iCloud documents, as well as complete access to any unencrypted @icloud email activity.”
While it’s not clear if this is the case for foreign firms operating in China, the vagueness of the CSL certainly makes it possible.
The big freeze
Now the speculation is that President Trump could escalate what is already a de facto tech Cold War by imposing unilateral sanctions on China in retaliation for claimed IP theft and forced tech transfers. So is a full-blown trade war looming?
China-watcher Bill Bishop is pessimistic of future US-Sino relations. In his popular Sinocism newsletter he had the following:
“I think the forced termination of the Huawei-AT&T deal significantly raises the likelihood that a major US consumer electronics firm with meaningful operations in China will be smacked down at the first sign of a real US-China trade war.
“Beijing assumes the US government is so paranoid about Huawei because it uses US firms to do what it says Beijing does with Huawei, and the Snowden revelations confirmed many of those suspicions. If anything, Beijing has been remarkably tolerant of some US consumer electronics firms given the treatment of Huawei and what we learned from the documents Snowden stole.”
Given the large percentage of US tech firms with manufacturing facilities in China, a trade war would have a catastrophic impact on global supply chains, making parts and products more expensive, reducing choice for IT buyers in the West and devastating parts of the US economy. If the revenue made by large multi-nationals in China were to dry up, jobs would be lost — not only in those firms but all their partners, suppliers and local economies.
Canalys analyst, Jordan De Leon explained just how reliant on foreign suppliers both Chinese and US organisations are.
“In the US Lenovo is the fourth-largest PC vendor and has a massive installed base. It also has key clients in its datacentre business in the US. Similarly, in China, Dell is number two and HP is number four in PCs,” he told me by email.
“In the event of a trade war, though unlikely, these three brands will be impacted. The extreme scenario is if there is legislation that is made to totally ban US-products in China and vice versa, which means businesses in those markets have to comply. China is also an important market for Apple, not to mention the fact that China is a vital manufacturing base for Apple.”
However, Forrester principal analyst, Andrew Bartels, believes strong opposition from big business could be enough to prevent Trump from creating such a scenario.
“A US-China tech war is more likely than US-China trade war, despite Trump’s periodic Tweets, because there are strong institutional forces built around supply chains that would cause big businesses to resist through legal and political action any imposition of trade barriers,” he told me by email.
“The US-China tech war is kind of in an uneasy truce, with the US government tacitly accepting that the Chinese government is favouring its own technology developments and vendors in China, and the Chinese government tacitly accepting that the US is going to put up barriers periodically to Chinese firms buying US companies.”
Ultimately, this dynamic should be enough to temper the policies even of a dogmatic populist like Trump. This is a numbers game, and China has the numbers — both in the size of its domestic market, and the $340bn+ surplus it’s running with the US. Acting tough with Beijing can be a dangerous game to play, and the tech industry is first in the firing line.
It might not have escaped your notice that critical infrastructure (CNI) organisations are increasingly being probed by nation state hackers. Traditionally, IT managers in these environments might have relied on “security-by-obscurity” to get by. But with many now connected to the public internet and running Windows systems, that defence is no longer valid. One of the main challenges appears to be mitigating risk on legacy systems which can no longer be patched.
I’ve been speaking to experts in this area for an upcoming feature and thought I’d share their best practice advice.
CNI under attack
There’s certainly no doubt that CNI firms are coming under attack far more frequently than they used to. Witness the alleged North Korean WannaCry attacks, which hit 34% of NHS Trusts and nearly 600 GP practices, leading to cancellation of an estimated 19,000 operations and appointments. Or arguably more sophisticated attacks – think China and Russia – designed to carry out reconnaissance work on key systems, or even in some cases disrupt power supplies, causing widespread black outs.
Recognising the uptick in threats, the European Commission’s NIS Directive will look to enforce a minimum standard of security across providers of “essential services” in the UK and Europe. However, from what I’ve heard, there are varying levels of awareness about the new law, set to come into force on 9 May 2018.
“Yes, awareness and activity has been on the rise, but generally still behind where it should be I think,” KPMG cybersecurity practice partner, Martijn Verbree, told me. “Many organisations haven’t realised to what extend this applies to them and the impact.”
So how exactly do CNI firms keep legacy, unpatchable, systems secure — appeasing regulators in the process? Most experts I spoke to pointed to SCADA and ICS systems as exposing organisations to most risk. Interestingly, air-gapping isn’t necessarily going to work, according to Michail Maniatakos, assistant professor at the NYU Tandon School of Engineering.
“Given the rapid increase in the numbers of mobile computation devices, air-gapping has proven to be an illusion as individuals enter air-gapped locations using their laptops, smartphones, smartwatches etc. There are documented cases of USB drives breaching the air-gap, ie Stuxnet,” he told me by email.
“The most appealing option is layered security, and the assumption that every layer can be breached. The advantage of this method is that even if a layer is breached, the window of opportunity for the attacker will be limited to go through all the layers of security — similar to the security offered by multi-factor authentication. Needless to say, this approach needs also advanced intrusion detection capabilities as well, in order to quickly understand whether an adversary is in your control network.”
BeyondTrust VP of technology, Morey Haber, explained that layered security should include ACLs and port filtering, which would have protected against threats such as WannaCry and Bad Rabbit.
“If networks are properly zoned, malware or ransomware that leverages exploits can’t attack additional assets if the ports and IP ranges are blocked against lateral movement from adjacent resources or untrusted zones,” he told me. “This mitigates the threat temporarily while patches are being deployed but is good practice to block an infection in the first place.”
Another key technology to consider is continuous network monitoring, baselining normal behaviour and then alerting when suspicious activity is spotted.
“This includes looking for command and control using DNS or communications obscure IP addresses or unapproved resources via lateral movement,” continued Haber. “It is not enough to monitor TCP/IP traffic alone but also all the supporting services from NTP or DNS that can be used in a modern attack. Deviations in these patterns may allude to a growing or persistent threat.”
He also recommended removing all admin rights — citing a Microsoft estimate from last year that 84% of vulnerabilities can be mitigated by doing exactly this. Risk exposure can be further minimised by turning off all unnecessary services, ports, and features, he added.
Advanced security controls are also vital, such as network and web firewalls, IDS/IPS.
“While these may be integrated technologies, when was the last time they were upgrade to the latest firmware, pen test for best practice rules, or planned for replacement due to end of life?” said Haber.
“While every security professional would agree the perimeter has dissolved due to the cloud and Internet, local area network resources still need to be protected. Using the latest technology and verifying your devices are not obsolete is key to defend against attacks and stopping modern threats like ransomware.”
In addition, there’s always the option of paying for extended support — a deal the NHS had with Microsoft until 2015, for example. This might be expensive, but with some firms like FedEx and Maersk claiming NotPetya cost them hundreds of millions of dollars, it might not be such a bad investment.
Last week, the Irish High Court made a judgement on transatlantic data flows that could have far reaching implications for US tech firms and point the way towards economic disaster for the UK.
Yes, it might not have received much coverage at the time, but the court’s decision was a biggie.
It asked the European Union Court of Justice (CJEU) to scrutinise the mechanism by which Facebook and many other firms transfer data: standard contractual clauses (SCCs).
Why? Because Austrian law student Max Schrems is still not happy that his personal data could theoretically be snooped on by the US authorities whilst residing in Facebook datacentres over there. His previous battle with Facebook over this issue led to the collapse of the Safe Harbour agreement between the EU and US.
Its replacement, Privacy Shield, is the other main legal mechanism – aside from SCCs – that govern data transfers outside the US.
“In simple terms, US law requires Facebook to help the NSA with mass surveillance and EU law prohibits just that,” Schrems said in a written statement following the court’s decision. “As Facebook is subject to both jurisdictions, they got themselves in a legal dilemma that they cannot possibly solve in the long run.”
Emily Taylor, CEO of Oxford Innovation Labs and Chatham House associate fellow, took time out to discuss the issue with me.
“The reference to the CJEU is no surprise, and the fact that the US government applied to be joined as party shows how high the stakes are on all sides – for governments, for big data platforms like Facebook, and for individuals,” she told me.
“The case shows that the Snowden revelations continue to reverberate on both sides of the Atlantic. The CJEU has taken a consistently hard line against mass data collection and retention, and increasingly relies on the EU Charter of Fundamental Rights. The Charter allows for ‘more extensive protection’ of fundamental rights such as privacy, compared with the more familiar European Convention.”
That spells some uncertain times ahead for Silicon Valley, especially with Privacy Shield also facing an uncertain future.
That’s not all though. The case tells us much about what may happen to post-Brexit Britain.
Our digital economy is worth around £160bn and responsible for over 1.5m jobs, by some estimates. That makes it a vital part of the economy, and means unhindered data transfers with the EU – our biggest trading partner and the largest trading bloc in the world – are absolutely essential.
So how do we square the EU’s requirements around strong privacy protections for citizens, with the round hole of the UK’s brand spanking new Investigatory Powers Act? Also known as the Snoopers’ Charter, the new law has given the UK authorities probably more power than any country on earth – save for China and North Korea – to snoop on their own citizens.
“It is difficult to see how the UK’s mass data collection requirements under the Investigatory Powers Act could satisfy the EU Charter and this could have a severe impact on EU-UK data flows, potentially damaging UK business interests post-Brexit,” Taylor concluded.
That should be getting people in all sorts of high places very nervous indeed.