Factory 4.0 and beyond: the challenges of operational technology security
Posted: November 3, 2023 Filed under: Uncategorized | Tags: cybersecurity, operational technology, OT Leave a commentThis article was first published on ISMSonline.
When a report revealed 56 new vulnerabilities in 10 operational technology (OT) vendors’ products last year, experts hailed it as a wake-up call for the industry. The study highlighted an endemic problem with OT equipment: a need for more basic security-by-design best practices. The fact that three-quarters of those products assessed to contain vulnerabilities had valid security certifications should cause further nervousness among IT/OT managers.
The bottom line is that the issues highlighted in the report run so deep they’re unlikely to be resolved industry-wide anytime soon. That puts the onus on enterprise security programmes to ensure OT risk is managed with the same attention to detail as IT.
The What and Why of OT
Whereas IT systems manage information and applications, OT covers the hardware and software used to monitor and control the physical world. It could be anything from an ATM to an industrial control system (ICS), a factory robot to a programmable logic controller (PLC). The technology can be found most obviously on the factory floor. But it spans a huge range of industries beyond manufacturing, including healthcare, oil & gas, utilities, and transportation.
Historically, OT systems were not internet-connected, and devices tended to be purpose-built, running specialised software. That meant security was treated as an afterthought. However, most equipment has connectivity today, meaning remote attackers can probe it for vulnerabilities. At the same time, it often runs Windows or other commercial software. That makes it an attractive target.
Because OT controls physical processes, security breaches could enable attackers to sabotage or disrupt critical operations. Vulnerable endpoints may even be used as a stepping stone into IT networks for sensitive data theft. One 2022 report claims 83% of organisations suffered an OT breach in the previous 36 months. According to figures cited by McKinsey, the cost per incident of severe attacks can be as much as $140m. It’s not just financial risk organisations must consider. OT is also regulated by the NIS 2 Directive and its UK equivalent.
What Are The Risks?
The specialised nature of OT means that systems are exposed to certain cyber risks that may not apply to IT environments. They include:
- Use of legacy, insecure communications protocols
- Vendors that don’t pay enough heed to vulnerability management
- Hardware lifecycles of 10+ years, meaning admins are forced to run outdated OSes/software
- Patching challenges, as equipment often can’t be taken offline to test updates (even if they are available)
- Equipment that’s too old to deploy modern security solutions to
- Security certifications which don’t recognise severe defects, giving admins a false sense of security
- Security-by-design issues that aren’t reported/assigned CVEs, meaning they fly under the radar
- Siloed IT/OT teams, which can create gaps in visibility, protection and detection
- Insecure passwords and misconfigurations (although this is also common in IT environments)
From a technical perspective, the Forescout report cited earlier highlights several categories of vulnerability in many OT products:
- Insecure engineering protocols
- Weak cryptography or broken authentication schemes
- Insecure firmware updates
- Remote code execution (RCE) via native functionality
- How To Mitigate Risk From OT Systems
How To Mitigate Risk From OT Systems
As per IT security, defence in depth is the best way to mitigate OT cyber risk. According to Carlos Buenano, Principal Solutions Architect for Operational Technology (OT) at Armis, it starts with visibility of OT assets and then prompt patching.
Since it is very common for OT environments to have vulnerable assets, organisations need to create a comprehensive asset inventory of their network and have additional intelligence on what those assets are and what they are actually doing,” he tells ISMS.online. “Contextual data enables teams to define what risk each device poses to the OT environment and assess their business impact so that they can prioritise remediation of critical and/or weaponised vulnerabilities to reduce the attack surface quickly.
Here’s a quick checklist for organisations:
Asset discovery/management: You can’t protect what you can’t see. So, understand the full extent of OT in the enterprise.
Prompt patching and continuous scanning: OT assets should be continuously scanned for vulnerabilities once discovered. And a risk-based patching programme will ensure CVEs are prioritised effectively. Consider building a non-critical testing environment for patches. And if certain assets can’t be patched, consider alternatives, like virtual patching, network segmentation, SIEM and integrity monitoring.
Identity and access management: Deploy role-based access controls, follow the principle of least privilege and support multi-factor authentication (MFA).
Segmentation: Separate corporate from OT networks, and segment OT networks, to contain the spread of malware.
Threat prevention: Deploy controls such as intrusion detection (IDS), AV software and file integrity-checking tools to prevent and detect malware.
Encryption and backup: Protect OT data at rest and in transit and have backups to mitigate the impact of ransomware.
Breaking Down IT-OT Silos
As OT and IT systems converge in many organisations, threats once confined to IT, such as remote compromise, become more commonplace for industrial systems. Therefore, preventing, detecting and responding to such threats will require more interaction between IT and OT teams. OT teams can learn much from the experience IT has built up over the years regarding security controls, and both have a vested interest in business continuity.
“By working together, IT and OT teams can identify and mitigate cybersecurity risks that affect both IT and OT environments, thus protecting the organisation from cyber-attack,” Trend Micro UK & Ireland technical director, Bharat Mistry, tells ISMS.online. “Additionally, collaboration between the teams will improve the efficiency of security operations teams and ultimately help to reduce costs.”
From a compliance perspective, this may require the organisation to go beyond the limits of ISO 27001 and seek out complementary certifications in the OT space.
“We see frameworks like ISO 27001 used in enterprise IT and bespoke or tailored frameworks like IEC 62443 for OT,” Mistry explains. “On paper, there is some overlap between these, but in reality, these frameworks are start points and are often customised to suit the organisation’s environment.”
Ultimately, it’s in everyone’s best interests to work together, says Armis’s Buenano.
“From an organisational perspective, having a risk-based approach to vulnerability management must go hand in hand with OT and IT departments working together to help coordinate mitigation efforts,” he concludes. “Cross-departmental projects will help streamline process and resource management and achieve greater compliance and data security.”
The government’s new risk register is heavy on cyber. Is that a good or bad thing?
Posted: September 8, 2023 Filed under: Uncategorized | Tags: cyber resilience, cybersecurity, government, national risk register Leave a commentWhat are the chances of a catastrophic cyber incident occurring in the UK in the next two years? How many might die, or be maimed in such an incident? And how much might it cost the country? These are the kinds of unpleasant questions the government seeks to answer in its latest National Risk Register (NRR).
Since 2008, the report has been published to help businesses running critical national infrastructure (CNI), and other organisations, to enhance their resilience to potential risks. The big difference between now and then is that cyber is now one of nine key “themes” examined in the report.
I recently spoke to some experts to write an upcoming feature for Assured Intelligence.
What the NRR says
For the first time, the NRR was compiled from information in the National Security Risk Assessment (NSRA), a classified document written with help from government experts. It highlights potential cyber risk across multiple scenarios. These involve data theft and/or disruption to:
- Gas infrastructure
- Electricity infrastructure
- Civil nuclear facilities
- Fuel supply infrastructure
- Government
- The health and social care system
- The transport sector
- Telecommunications systems
- UK financial infrastructure
- A UK retail bank
The NRR ranks the likelihood of such attacks happening in the next two years as a “4” on a scale of 1–5, with 5 being the most likely (>25%). That equates to a “highly unlikely” risk with a “moderate” impact. However, as mild as this sounds, even a moderate incident could lead to up to 1000 fatalities and casualties of up to 2000, with losses in the billions of pounds. By contrast, the estimated economic damage from cyber incidents in 2000 was pegged at £10-100m.
That’s a reflection of the digital world we live in, as is the mention of AI as a potential chronic risk (as opposed to the acute risks highlighted above). Chronic risks, the NRR says, are manifest over a longer period of time and can make acute risks “more likely and serious”.
Should we be concerned?
Egress VP of threat intelligence, Jack Chapman, believes the government has it about right.
“I agree with the government’s risk assessment and its accuracy based on historic threats. Obviously this strongly depends on the geo-political landscape and how it evolves,” he told me.
“However, there’s been an increase in digitalisation in this space, meaning the risks and impact are increasing. There’s also a far higher level of uncertainty with the government’s assessment in comparison to previous reports.”
However, it’s not all doom and gloom, as steps are being taken to mitigate these acute cyber risks and build resilience into CNI, he added.
“It’s important to note that more active work is being done around cybersecurity than ever before; from putting security-by-design at the heart of new projects, to the impact the NCSC is having in the sector to help mitigate this risk,” Chapman said.
How can CNI hit back?
The big question is how exactly can CNI providers enhance resilience? Arun Kumar, regional director at ManageEngine, believes AI may hold the key, in helping to identity threats “faster and more accurately” than humans. But he goes further.
“Regulation will also play a vital role in carefully managing the negative impact of AI. It’s important to maintain strong security practices such as compliance with NIST and GDPR regulations,” he told me.
“Change needs to be foreseen and carefully managed—striking a balance between utilising the benefits of AI and limiting the negative side. To this end, collaboration is also paramount, both internally and externally within the cybersecurity community, encompassing researchers, professionals, enterprises and policymakers.”
Other best practices could include enhanced password management, vulnerability scanning and prompt patching, and user education to ward off the threat of phishing. To that we could add several other best practices, outlined by the National Cyber Security Centre (NCSC) here. It’s a tall job for CNI firms on an increasingly tight budget. But the alternative is undoubtedly worse.
How do US cities tackle the ransomware threat in 2020?
Posted: January 1, 2020 Filed under: Uncategorized | Tags: cybersecurity, disaster recovery, information security, outages, ransomware, us municipalities, US ransomware Leave a comment
If there’s one cybersecurity story that dominated the headlines more than any other in 2019, it was the surge in high-profile ransomware attacks on the US public sector. Municipalities all over the country were caught out, leading to major disruption of local schools, emergency services, courts and other public services. It was a reminder, if any were needed, of the absolutely critical role IT systems now play in society.
But what can IT security chiefs learn from the travails of the past year to improve resilience as we head into a new decade? I spoke to several experts recently for an upcoming Infosecurity Magazine feature.
Drowning in ransomware
According to estimates from Emisoft, 103 municipalities and 759 healthcare providers, along with 1,224 schools, may have been impacted by ransomware as of December 2019. These include major cities such as Baltimore and New Orleans, as well as countless other smaller local authorities like Pensacola and Riviera Beach.
Why are these organisations suffering in such great numbers? According to the experts I spoke to, it’s a combination of under-investment in cybersecurity, and the propensity of some high-profile targets to pay-up — encouraging copycat attacks.
“Public sector bodies have been very heavily targeted by ransomware lately. This trend has likely been helped by some public sector entities paying substantial sums to ransomware criminals,” said SANS Institute dean of research, Johannes Ullrich. “Access to information is also very important to public sector entities to conduct business, and under-investment in business recovery plans has led to a lack of backups or other fallback mechanisms.”
According to Scott Styles, data orchestration and resiliency lead at Raytheon Intelligence, Information and Services, current security systems are struggling to keep pace with evolving threat techniques.
“Ransomware is designed to avoid detection and exploit the social nature of the network by hiding in files or hyperlinks that businesses need for day-to-day operations. In addition, ransomware only has to be executed once to be successful and it must be detected as well as removed quickly before it can lock or overwrite files. This is unlike other malware that may need to remain in a system for a significant amount of time, or evade detection within a vulnerable system, allowing more time for detection and removal,” he told me.
“While the time-sensitive value of data and services within these organisations makes them prime targets, the main challenges are not much different than other sectors. Vulnerabilities are numerous, people make mistakes and the threat evolves quickly, creating a perfect storm.”
Weathering the storm
The good news is that a defence-in-depth approach utilising key best practice controls can make a big difference, he added. These include AV, up-to-date patching and configuration management, regular backups, and employee security awareness training.
“They should also consider a multi-dimensional approach that integrates hardware, software, network, and behavioural monitoring into a zero-trust resilient solution,” explained Styles. “These solutions typically have the ability to remain operational even if the threat has defeated perimeter defences or is an insider threat.”
For Kevin Lancaster, general manager of security solutions at Kaseya, one of the biggest threats to US public sector bodies is their use of legacy systems. This makes prompt patching more challenging, but also more important than ever.
“The US Department of Homeland Security (DHS) recently issued a new Binding Operational Directive (BOD 19-02) instructing government organisations to patch critical vulnerabilities within 15 days, and high severity vulnerabilities within 30 days,” he told me.
“Patching on time helps reduce the attack surface and ensures vulnerabilities are mitigated quickly. Automating patch management is moving a step ahead. With tight budgets and limited manpower, government agencies can make sure that patches are not missed across the entire network with an automated patch management solution.”
Local governments must get proactive, by developing and testing incident response and business continuity/disaster recovery plans — if necessary, in concert with third-party providers. However, city staff are also a vital asset in helping to mitigate the threat, Lancaster added.
“For government organisations to be fully prepared to tackle cyber threats, IT directors should have a long-term vision which includes up-skilling their employees in areas of cybersecurity,” he concluded. “With budget constraints always at the forefront of concerns, it might not be feasible to routinely train every member of the team. Instead, areas to focus can be prioritised and worked upon to implement effective up-skilling.”
Credential stuffing: why it’s time to retool for 2019
Posted: April 29, 2019 Filed under: Uncategorized | Tags: account takeover, credential stuffing, cybersecurity, dark web, identity theft, infosecurity, SANS institute, shape security Leave a comment
Credential stuffing has been around for years. But the signs are that 2019 might well be a stand out year, as the black hats start to monetise the huge volumes of breached identity data flooding the dark web. While historically many firms’ response has been to blame customers for poor log-in security, this approach is not going to wash going forward. To protect the brand and bottom line, they need to be more proactive.
I spoke to some experts for an upcoming Infosecurity Magazine feature to better assess the scale of the challenge, and what can be done to tackle it.
At its heart, credential stuffing is a pretty straightforward attack. Take large volumes of username/password data from dark web troves, many of which are now arranged in easy-to-use “combo lists”, and feed them into bot-powered automated programmes designed to try and unlock other accounts. Because users share passwords across multiple sites, the hackers will usually succeed: which is bad for consumers and possibly enterprises, if those accounts are corporate ones.
“I’ve seen password reuse on corporate accounts many times and it’s a standard operation to check our password leak database during the reconnaissance phase in every red team engagement,” SANS Institute certified instructor, Matthias Fuchs, explained to me. “Still, many organisations allow outside access to some corporate services like webmail. If they don’t use MFA there, the accounts are at equal risk as on private platforms. After all it’s just another website to try the creds on.”
Experts were agreed that credential stuffing will only grow as we head through the year.
“The sheer volume of credential stuffing attacks since the start of 2019 is alarming. The success of recent attacks against consumer services — TurboTax and Dunkin’ Donuts, to name a couple — is just continuing proof that protecting data instead of protecting identities and people is a failing security model,” Ping Identity CCIO, Richard Bird, told me.
“Unfortunately, organisations are not taking even the most basic steps necessary to thwart these types of attacks, so it’s likely that they will continue to proliferate. Companies must come to the table with better security solutions for their customers. Leveraging available technologies like MFA, device fingerprinting and artificial intelligence to detect anomalous behaviours are just a few steps that can be taken to protect customers and their data.”
Shape Security director of engineering, Jarrod Overson, claimed that credential stuffing would increase “at the rate that bandwidth and hardware allows.”
“Credential stuffing, like all attacks, involves a cost/value justification for the attacker and, right now, it costs virtually nothing to execute an attack that can take over thousands to millions of accounts,” he told me. “Without automated defences in place then an attacker’s best interest is to execute an attack as rapidly as possible to get results before the company recognises and puts in countermeasures. Even with protections in place, Shape recorded its biggest attack ever in January with nearly three billion attacks against one customer in one week against one user flow (the login).”
Innovation-fuelled growth
The bad news is that the black hats continue to evolve their tactics.
“Attackers are getting more creative in how they use personal information to either reset accounts, gain trust or establish online access to accounts. I think one big issue is that attackers are getting smarter in how they use the information and how they monetise stolen information,” SANS dean of research, Johannes Ullrich, told me.
“In the past, there used to be some obvious ways to monetise stolen information, like credit card theft. But the value of this information has been steadily decreasing because first of all, there is already more information out there then can be used, and entities like banks are getting better at blocking access. But attackers are slowly discovering the social component of this. They are now better able to identify trust relationships and to use leaked data to authenticate and take advantage of these trust relationships.”
Overson and his team are seeing the same patterns as cyber-criminals look to ape human behaviour in new ways.
“These advanced attacks involve the exploitation of mobile applications, browser extensions, or third-party scripts to drive the behaviour of an application even after a user has logged in,” he said. “We’re calling the trend towards attacks that simulate human behaviour ‘Imitation Attacks’ — this is an umbrella term that encompasses all illegitimate transactions made seemingly on behalf of a real user. This includes advanced phishing attacks, credential stuffing, password spraying, and other attacks that exploit the inherent functionality of an application.”
Fighting back
The big question for CISOs is how to stop it. Credential stuffing could lead to compromise of enterprise accounts, enabling multi-staged info-stealing raids or BEC attacks. It could also have a devastating knock-on effect on customer confidence and brand loyalty if consumer accounts are hijacked en masse.
For Overson, the answer is rapid response, but countermeasures which should also be removed when the attack subsides. He also recommends a “variable” response, which will make it harder for hackers to predict what defensive tactics the white hats are going to use next.
“There is no silver bullet against automated attackers, because the actors behind the attacks are human adversaries who will always attempt to retool around defences. The paths attackers are taking are the same paths that our users are taking and too much security-related friction in critical user experience flows leads to loss of revenue and business,” he warned.
“Mitigation requires fast-moving collaboration across teams along with security vendors to roll out targeted countermeasures for specific attackers while leaving average users unaffected. As attackers start to retool with more artificial intelligence and machine learning then rapid, limited, variable feedback becomes even more important.”
Tech in 2019: what’s in store for APAC
Posted: January 4, 2019 Filed under: Uncategorized | Tags: AI Speech Lab, apac, apple, china, cybersecurity, deep tech nexus, hacking, huawei, india, microsoft, modi, MSS, SGInnovate, singapore, smart cities, state sponsored cyber espionage, trump, US Leave a comment
In today’s globalised business world, what happens in Shenzhen or Singapore may be just as important as trends closer to home. To that end, I recently offered IDG Connect the following round-up of the past year in APAC, and a few notes on what we can expect from the months ahead. As Apple’s dire performance in China has shown, Asia increasingly matters to Western tech firms, their customers, shareholders and partners:
Asia’s technology market had more global exposure in 2018 than in many recent years. There’s just one problem: most of it was negative. President Trump has begun a de facto trade war with China which has now morphed into a full-fledged stand-off on several fronts, with cyber-espionage and perceived unfair Chinese trading practices at the heart of US grievances. As we head into 2019 expect tensions to increase, with other south-east Asian nations potentially benefitting as US firms pull their supply chain operations from the Middle Kingdom.
It could be an extremely nervy time for Silicon Valley CEOs.
The trade war continues
The tit-for-tat trade war started in 2018 might have so far steered largely clear of tech goods, although some firms have begun to warn of an impact on profits. But the industry has certainly been at the heart of the stand-off between the world’s superpowers. In January a deal between Huawei and AT&T to sell the former’s smartphones in the US collapsed after pressure from lawmakers worried about unspecified security concerns. Then came a seven-year ban on US firms selling to ZTE — the result of the Chinese telco breaking sanctions by selling to Iran, and then lying to cover its tracks. Although part of the ban was subsequently lifted temporarily, it highlighted to many in the Chinese government what president Xi Jinping had been saying for some time: the country needs to become self-sufficient in technology. It was reinforced when Huawei became the subject of a similar investigation.
This is about America, and Trump in particular, fighting back against what it sees as years of unfair trading practices by China. The argument goes that the Asian giant has been engaged in cyber-espionage on an epic scale to catch up technologically with the West, and unfairly forces IP transfers on foreign firms as the price for access to its huge domestic market. Thus, the coming year will see a ratcheting up of tensions. China on the one side will look to increase its espionage in areas like mobile phone processors to accelerate plans to become self-sufficient. And the US will continue to find ways to crack down on Chinese firms looking to access its market — probably citing national security concerns. There are even reports that the US has considered a total ban on Chinese students coming to the country over espionage concerns.
“Technology CEOs the world over with supply chain dependencies in China — so probably all of them — should be increasingly nervous and focused on their firms’ efforts to have viable contingency plans for a US-China technology cold war,” wrote China-watcher Bill Bishop in his Sinocism newsletter. That could spell good news for other ASEAN nations like Vietnam, where Samsung has made a major investment in facilities — although few countries in the region boast the infrastructure links and volume of skilled workers China does.
Cybersecurity takes centre stage
As mentioned, cybersecurity and online threats are at the heart of the Sino-US stand-off. The stakes got even higher after a blockbuster report from Bloomberg Businessweek which claimed Chinese intelligence officers had implanted spy chips on motherboards heading for a US server maker. Although the claims have been denied by Apple, Amazon and the server maker in question, Supermicro, they will confirm what many have feared about supply chain risk for a long time and accelerate efforts in 2019 to move facilities out of China. Further fanning the flames is a US indictment alleging Chinese spies worked with insiders including the head of IT security at a French aerospace company’s China plant to steal IP.
In a move likely to enrage China, the US also recently arrested and charged a Ministry of State Security (MSS) operative with conspiracy to steal aviation trade secrets. A major backlash is likely to come from Beijing. But more could also come from Washington after a combative congressional report from the US-China Economic and Security Review Commission called for a clampdown on supply chain risk and warned of China’s efforts to dominate 5G infrastructure and IoT production.
Aside from state-sponsored attackers, there’s a growing threat from Chinese cyber-criminals, according to one security vendor. Western firms suffer millions of attacks per year from financially motivated Chinese hackers, according to IntSights. Expect that to increase in the future as the state encourages criminals to focus their efforts outside the country, or even to team up with hacking groups at arm’s length. Also expect the country’s Cybersecurity Law to have a growing impact on how Western firms do business there. Ostensibly meant to vet such firms for interference by the NSA and CIA, the law could also serve as a pretext for Chinese officials to access sensitive IP and source code belonging to Western firms operating in China.
For other countries in the region, improving cybersecurity is vital to their efforts to attract more foreign IT investment and nurture start-up friendly environments. Although there are pockets of good practice, APAC is thought to be among the least mature regions worldwide. AT Kearney has called on ASEAN nations to increase cybersecurity spending to around $170 billion, warning that they are in danger of losing $750 billion in market capitalisation otherwise.
The threat from Chinese spies and local hackers is compounded by the growing danger posed by North Korea. Its state-sponsored hackers are acting with increasing impunity. FireEye recently identified a new group, APT38, which was responsible for the attacks on Bangladesh Bank and other financially motivated raids. Expect more attacks aimed at raising funds for the regime, as well as destructive campaigns and politically motivated information theft.
Taking a lead
On a more positive note, APAC is increasingly seen as a leader in emerging digital technologies: led by the two regional giants of India and China but also mature nations like Singapore, Taiwan, Hong Kong and South Korea. Microsoft believes that digital transformation will inject over $1 trillion to APAC GDP by 2021, with artificial intelligence (AI) a key catalyst for growth.
AI continues to be major focus for the region. Singapore is a leader in AI thanks to heavy government investment in schemes such as AI Singapore (AISG) and its AI Speech Lab, while government-owned investment company SGInnovate has recently unveiled its Deep Tech Nexus strategy. India is also is also poised to become “one of the most active centres of expertise in AI” according to experts, thanks to government backing.
Asia is leading the way on smart city projects. Investment in initiatives was set to reach $28.3 billion in 2018 in APAC (ex Japan), and is forecast to reach $45.3 billion in 2021 — partly out of necessity. The region’s cities are forecast to add another one billion citizens by 2040, which will require up to 65% of the UN’s Sustainable Development Goal targets to be met.
India’s Modi government has led the way with an ambitious plan to transform 100 cities, although 2019 will be a crucial year, given that recent reports claim 72% of these projects are still only at the planning stage. Many more examples are springing up all over the ASEAN region, however, from flood awareness programmes in Danang to a free public Wi-Fi and CCTV camera network in Phuket. IDC celebrates some of the best examples each year, showing the breadth of innovation in the region.
However, governments will need to do better in 2019 to tackle major barriers to digital transformation identified by the UN. These include excessively top-down approaches; security, privacy, and accountability problems; and digital exclusion. It claimed just 43% of APAC residents were internet users in 2016. There’s plenty of work for governments and the private sector to do next year.
Some Best Practice Tips for Effective Cyber Incident Response
Posted: October 5, 2018 Filed under: Uncategorized | Tags: CREST, cybersecurity, data breach, incident response, pwc, SANS Leave a comment
I’ve been neglecting this blog a bit of late. That’s due in part to being overwhelmed with the sheer number of security breach stories and features to write up this summer. I can’t recall a time when there’s been so much going on, and such a great variety of incidents — apart from last year, and the year before …. and possibly the year before that.
It’s becoming something of a cliché to say “it’s not a case of ‘if’ but ‘when’ your organisation is successfully attacked” — but that doesn’t make it any less true. That puts even more pressure on firms to get incident response right. Succeed, and you could get away with little more than a slap on the wrist from the regulators — you may even find your organisation’s reputation enhanced. I asked the experts their views for an upcoming Infosecurity Magazine feature.
First and foremost, IR plans should be drawn up by an organisation-wide team, according to IISP board director, Chris Hodson.
“The IR team must be cross-functional and comprised of senior business stakeholders that understand the importance of the data, applications and infrastructure across their enterprise,” he told me.
“An effective plan must consider not only the nefarious, but also accidental and environmental events. In a world where technology and internet connectivity is baked into everything, safety has become a key consideration too — it’s no longer just considerations of ‘confidentiality, integrity and availability’ (CIA), we need to look at safety being of paramount importance.”
PwC’s US cybersecurity and privacy lead, Sean Joyce, was more prescriptive.
“The incident response plan (IRP) should include but not be limited to the following types of information: event and incident definitions; incident categories, descriptions, and criticality levels; escalation matrices; incident life cycle workflows; a listing of internal stakeholders and external partners with their roles and responsibilities; and reporting requirements,” he explained to me.
Certified SANS instructor, Mathias Fuchs, added much more to the list, including a communications plan, police liaison, mapping out of standard operating procedures, and how to deal with outsourcers like cloud providers.
“As message control is one of the key points in incident response, a predefined circle of trust that limits information flow to people not working on the case as well as to the outside world is key,” he added. “Particularly for publicly traded organisations, information about security incidents has to be treated with great caution as it usually does have an impact on the stock price once publicly available.”
My plan’s in place, now what?
Once you’ve got a plan drawn up, it’s essential to test it regularly, according to Joyce.
“Preparation is a key component to any incident response event. In our experience, organisations that take the time to develop and test their IRPs and playbooks are more prepared to respond and likely reduce the impact of an incident,” he argued.” Decisions that are made in the first 24 hours are extremely impactful in a positive or negative way.”
For Ian Glover, president of accreditation body CREST, it’s also vital to determine how ready the organisation is to respond to an incident, covering people, process and technology.
“CREST has developed a maturity model and free tool to enable assessment of the status of an organisation’s cybersecurity incident response capability on a scale of 1 (least effective) to 5 (most effective),” he told me. “The tool enables assessments to be made at either a summary or detailed level and has been developed in conjunction with a broad range of organisations, including industry bodies, consumer organisations, the UK government and suppliers of expert technical security services. It delivers an assessment against a maturity model based on the 15 steps within the three-phase Cyber Security Incident Response process.”
Lessons learned
Even the best laid plans can come apart when a cyber-attack actually strikes. But well-defined and practiced playbooks can help, said PwC’s Joyce.
“An organisation, in consultation with their external partners, should proceed forward with identifying any additional requirements related to preservation, investigation, containment, and longer-term remediation related actions. The results of the investigative work stream should be communicated in a defined/repeatable process that will directly support internal and external messaging related to the incident,” he explained.
“Depending on the incident, organisations should pre-plan their internal briefing requirements to the board and the frequency and detail of those updates. For external messaging, organisations should work with external partners such as counsel and PR organizations to begin drafting an appropriate hold statement as well as media release should notification be needed prior to the conclusion of the investigation.”
SANS’ Fuchs urged IR teams not to act too quickly, especially if they don’t yet know how the attacker got in.
“Find all ways the attacker might have into your network. Try to develop intelligence about the attacker as you investigate, that helps you when they come back. Figure out what they were looking for and what they have already exfiltrated,” he advised. “Conduct a full investigation and then execute the remediation plan on a weekend where you disconnect the whole organisation from the internet.”
Post IR processes are also vital in helping build long-term resilience.
“If they didn’t get what they were there for, they will return,” warned Fuchs. “Find better ways to detect them and avoid them getting back in the same way they did the first time.”
PwC’s Joyce recommended organisations conduct an IR “post-mortem”.
“The results of this may lead to revisions of the incident response plan, policies, procedures, and key reporting metrics; additional training for the board, executives, staff; and additional investments in technologies in the organisations efforts to mitigate risk and evolve with the constantly evolving cyber threat,” he concluded. “In addition, organisations can schedule table-top exercises to provide training opportunities for all key internal and external stakeholders whose support will be needed in response to an incident. Table-tops provide opportunities to evaluate an organisation’s incident response plan and to assess key components such as escalations, internal and external communications, and technical proficiency of the incident response team.”
Trump’s Tough Talk on Chinese IP Theft: Too Little Too Late?
Posted: August 18, 2017 Filed under: Uncategorized | Tags: china, cybersecurity, economic espionage, hacking, IP theft, joint venture, made in china, obama, silicon valley, tech transfer, trump, xi jinping Leave a comment
Donald Trump made some questionable remarks this week that have rightly caused an almighty backlash. But one thing he did that may have more support, is sign an executive memorandum which will most likely lead to a lengthy investigation into alleged widespread Chinese theft of US IP. This is a big deal in Silicon Valley and something that has irked US business in general for years.
The question is, will this latest strategy actually result in any concrete changes on the Chinese side? As you can see from this new IDG Connect piece, I’m not convinced.
Years of theft
There are few things Democrats and Republicans agree on, but one is that China has had things far too long its own way when it comes to trade. The US trade deficit between the countries grew to $310 billion last year, helped by the growing dominance of Chinese businesses. Many of these have been able to accelerate their growth and maturation thanks to IP either stolen by hackers from US counterparts or take via forced joint ventures and tech transfers. Many of them are selling back into the US or their huge domestic market, undercutting American rivals.
Chinese firms don’t have the same restrictions around forced JVs and tech transfers to enter the US market. In fact, the likes of Baidu even have Silicon Valley R&D centres where they’re able to recruit some of the brightest locals, while government-backed VC firms have been funding start-ups to continue the seemingly relentless one-way IP transfer.
There are, of course, more nuances to the dynamic, but you get the point.
All talk
So, will this investigation get us anywhere? After all, it will empower the President to take unilateral action including sanctions and trade embargoes. Well, on the one hand, little gain can be made from stopping Chinese IP hackers, as they have stopped outright theft ever since a landmark Obama-Xi deal in 2015, according to FireEye Chief Intelligence Strategist, Christopher Porter.
“If anything, discontinuing straightforward theft of intellectual property for strictly commercial purposes has freed up Chinese actors to focus more on these other targets than ever before, so the risk to companies before and after the Xi Agreement depends heavily on what industry that company is in and what sort of customer data they collect,” he told me via email.
That’s not to say the Chinese aren’t still active in cyberspace, but it’s less around IP theft, which is the focus of this investigation, Porter added.
“We have seen an increase in cyber threat activity that could be Chinese groups collecting competitive business intelligence on US firms selling their products and services globally—several companies that were targets of proposed M&A activity from would-be Chinese parent companies were also victims of Chinese cyber threat activity within the previous year, suggesting that they may have been targeted as part of the M&A process to give the Chinese company a leg-up in negotiations,” he explained.
Which leaves us with JVs and tech transfers, which have provided Chinese companies with vital “know-how” and “know-why” over the years. To my mind, if there’s any area where the US can and should focus its diplomatic and negotiating efforts, it’s here. However, as reports in the past have highlighted, it took China years to construct a gargantuan, highly sophisticated tech transfer apparatus, and it won’t be looking to bin that anytime soon, especially with the Party’s ambitious Made in China 2025 strategy now in full swing.
Neither side will want to become embroiled in a trade war. The US has too many companies which count China as a major market – it’s Apple’s largest outside the US, for example – and Chinese firms are doing very well selling into the US, as that huge trade deficit highlights.
In the end, my suspicion is that this is just another bit of Trump tough talk which will actually produce very little.
“This long-awaited intervention should also probably be viewed in the larger picture of the way the Trump administration operates: in terms of ‘carrot and stick diplomacy’,” Trend Micro European Cyber Security Strategist, Simon Edwards, told me.
“It is also well documented that the US administration is trying to use trade deals to get action on the situation in North Korea; and perhaps this is more of a stick to be used with the accompanying ‘carrot’ of a greater trade deals?”
Time will tell, but it’s unlikely that US tech companies operating in China, and their global customers, will be any better off after this latest test.
Women in Cybersecurity: The Time is Now
Posted: August 4, 2017 Filed under: Uncategorized | Tags: cobalt, cybersecurity, infosecurity magazine, skills, skills shortages, women in cybersecurity Leave a comment
We all know that skills shortages in IT, and information security in particular, are endemic. Globally, the industry is expected to need 1.8 million more workers by 2022, according to the Center for Cyber Safety and Education and (ISC)². One sure fire way to reduce this imposingly large total would be to encourage more women into the industry.
With that in mind, a new report, Women in Cybersecurity, makes for fascinating reading.
The report was compiled by Caroline Wong, VP at pen testing firm Cobalt, on the back of interviews with hundreds of female IT security practitioners in the US, UK, Singapore, Australia and elsewhere.
“Recent press coverage on the topic has a tendency to focus on the negative – under-representation, unfair pay, and challenges in the workplace,” she told me.
“These aspects are true, however I know there’s a story that’s just as true, and that’s how many women in the field are thriving. I personally know so many women – and now I have the data to back it up – that love their jobs, feel deeply satisfied by the work they’re doing, and are tremendously successful.”
One of the key takeaways from the report is the need for employers to prioritise diversity in their hiring. Often firms narrow their options too far by failing to consider candidates from other backgrounds. According to Wong, it’s critical that hiring managers are engaged in the process and thoughtful about what skills are needed for particular roles. In fact, over half of those women she spoke to had no IT or computer science background when entering the industry – but instead had experience in areas as diverse as compliance, psychology, internal audit, entrepreneurship, sales, and even art.
“I was pleasantly surprised by the seniority and diversity of the women who responded to the survey. The topic of women in cybersecurity has received more press in the past few years than ever before, and I think it’s possible for readers to assume that women working in this field is something new – it’s not,” concluded Wong.
“Some 36% of respondents have been working in the field for 10 or more years, while 53% have been working in the field for more than five years.”
So, listen up hiring managers. Try thinking outside the box when you’re next looking for candidates. The cybersecurity industry desperately needs fresh blood, and women make up a paltry 11% of the workforce globally at present. This needs to change – and fast.
phil muncaster 