Review of 2015 and 2016 Predictions

From Amicus ITS’s new cyber security specialist, associate Mark Heather.

2015
This year saw businesses of all sizes experience an increase in attacks, but the nature of those attacks has changed.  Traditionally, network and DoS attacks and malicious software, including malware delivered through online advertising (malvertising), were the main causes of a breach, and they continue to disrupt business.

At the same time, however, there was an increase in networks being penetrated as breaches became more targeted.  Small businesses should not presume that they will escape; they should make sure they understand their information assets and networks so that they can manage the risk accordingly.

2016
Next year will see targeted attacks increase.  It is no longer a case of whether we will be breached, but when, and what we will do about it.

More will be made of “cyber intelligence”: information about you and your organisation.  Companies will need to understand what is being said about them, what information can be gathered about the organisation, and how to turn this into meaningful, contextualised intelligence.

This will become a major requirement of compliance regulations over the coming years.  The shortage of people able to interpret this information will push cyber intelligence platforms towards automation and drive the need for Security-as-a-Service.  That demand will also be driven by the internet of things as more devices become internet connected.

While this may sound doomsday in tone, and there are currently too few people properly trained in cyber security, organisations can still make sure they are well protected by aligning themselves with data security experts who understand the managed service environment and can act as a trusted advisor and partner.  Talk now and have a positive, preventative discussion rather than a remediation discussion after the event.

Lessons learned from the TalkTalk Cyber Attack


The Background to the cyber breach
• TalkTalk customer base: 4 million customers
• The 21 October 2015 attack resulted in 157,000 individual personal records being compromised, including 16,000 bank account numbers and sort codes and 28,000 tokenised credit card numbers (stored in a form that cannot be used to make payments).

Who was to blame?
From a criminal point of view there were five people known to be involved, four of them teenagers, who were arrested by the police.  In truth, however, the real culprit is TalkTalk, for failing to protect its customers’ data and to learn the lessons from the breaches it had suffered over the preceding 12 months.

So what are the lessons from this high profile cyber attack for all UK businesses and organisations, regardless of size?
All businesses should expect to be breached.  TalkTalk failed to plan ahead despite the experience of each earlier breach:

Action 1:  Arrange for a full security review: penetration testing, social engineering checks, dumpster diving (making sure your confidential waste is disposed of properly), remote access connections, patch management and so on.

Talk the Tech Talk
Disconcertingly for a company which reported gross revenue in 2014 of £1.7 billion ($2.65 billion), TalkTalk failed to invest sufficiently, firstly in information security specialists and secondly in the technology to help withstand breaches.

Action 1: Ensure that your Board’s PR spokesperson has had media training and uses the right technical terms (“sequel” is simply how SQL is pronounced; a spokesperson who cannot explain the term invites misreporting).

Action 2: Ensure that no representative of your organisation going on camera (video or still) discloses anything about your company or your technical infrastructure.  A simple look at the Open Web Application Security Project (OWASP), a not-for-profit body that publishes free guidance on the most common web application vulnerabilities, would have given TalkTalk a head start on recognising and correcting the latest threats and vulnerabilities.

Know your network and understand security
Much of the public distress about this high profile cyber attack arose because no-one in the management team could confirm whether the stolen customer data had been encrypted.

Action 1:  Ensure that a member of the Board understands data security, understands and can talk about cloud services, and knows the technical infrastructure of the organisation.

Speak the truth
In the TalkTalk scenario, the CEO claimed that they were “head and shoulders better than some of our competitors and some of the media bodies that were throwing those particular stones.”

This fell on stony ground for Dido Harding when she said this to The Sunday Times, adding that under the UK’s Data Protection Act 1998 TalkTalk was “not legally required” to encrypt customer data.   Once a customer has become the victim of a cyber attack, the deed is done and that bond of trust is permanently damaged.

Respect your customer’s data as being your crown jewels
The Data Protection Act 1998 places a duty of care on the organisation, as data controller, to take appropriate technical and organisational measures to protect all the personal data it holds, its own and that of its customers.

With the value of data to cyber criminals rising with every additional strand of personal detail, criminals can profit from many types of customer data.  It does not have to be credit card or bank details; any personally identifiable information (PII) that, when pieced together, forms a profile of an individual can be sold on to third parties.

While there is as yet no UK legislation that mandates businesses and organisations to encrypt their data irrespective of the type of business, encrypting personal data at rest, with the keys held separately from the data store, is a straightforward preventative step.  This simple move could save your organisation embarrassment and potentially millions of pounds in lost revenue, but critically, lost trust.
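As an added illustration of the point above (example code written for this page, not code from TalkTalk or Amicus ITS), the Python below stores a customer record the way the breach figures suggest the card data was held and the bank details were not: the card number is replaced by a random token whose mapping lives in a separate vault, and the sort code and account number are encrypted with a key that never sits in the records table, so a dump of that table yields nothing usable.  The HMAC-SHA256 counter-mode construction and the key handling are assumptions made so the example runs with the standard library alone; in production use AES-GCM from a vetted library and keep the key in a KMS or HSM.  The sample customer data is constructed.

```python
"""Field-level protection for customer PII (added example, not code from the
original page): tokenised card numbers plus authenticated encryption of bank
details, with the master key held outside the record store.  Stdlib only."""
import hashlib
import hmac
import json
import secrets
import struct

NONCE_LEN = 16   # random per-field nonce
TAG_LEN = 32     # HMAC-SHA256 authentication tag


def _derive(master_key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys from one master key (HMAC as a simple KDF).
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF-based stream cipher.  Assumption: this
    # stdlib-only stand-in replaces AES-GCM so the example runs without extra libraries.
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + struct.pack(">Q", counter),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encrypt_field(master_key: bytes, plaintext: str) -> str:
    """Encrypt-then-MAC a single field; returns hex(nonce || ciphertext || tag)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    pt = plaintext.encode("utf-8")
    ks = _keystream(_derive(master_key, b"enc"), nonce, len(pt))
    ct = bytes(p ^ k for p, k in zip(pt, ks))
    tag = hmac.new(_derive(master_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()


def decrypt_field(master_key: bytes, blob_hex: str) -> str:
    """Verify the tag before touching the ciphertext; raise on tampering or wrong key."""
    blob = bytes.fromhex(blob_hex)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_derive(master_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: record modified or wrong key")
    ks = _keystream(_derive(master_key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks)).decode("utf-8")


class TokenVault:
    """Card-number tokenisation: the customer table stores only a random token;
    the token-to-PAN mapping lives here, in a separate, tightly controlled store."""

    def __init__(self):
        self._pans = {}

    def tokenise(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)   # random, so nothing about the PAN leaks
        self._pans[token] = pan
        return token

    def detokenise(self, token: str) -> str:
        return self._pans[token]


def store_customer(vault: TokenVault, master_key: bytes, name: str, pan: str,
                   sort_code: str, account_number: str) -> dict:
    """Build the record that the customer database actually holds."""
    bank = json.dumps({"sort_code": sort_code, "account_number": account_number})
    return {
        "name": name,
        "card_token": vault.tokenise(pan),
        "card_last4": pan[-4:],                      # enough for display, useless for fraud
        "bank_details": encrypt_field(master_key, bank),
    }


def dump_exposes(records: list, *raw_values: str) -> bool:
    """Simulate an attacker who dumps the records table: does any raw secret appear?"""
    dump = json.dumps(records)
    return any(value in dump for value in raw_values)


if __name__ == "__main__":
    master_key = secrets.token_bytes(32)   # in a KMS/HSM in practice, never in the table
    vault = TokenVault()
    # Constructed sample data, not a real customer.
    record = store_customer(vault, master_key, "A. Customer",
                            "4111111111111111", "12-34-56", "12345678")
    print(json.dumps(record, indent=2))
    print("table dump exposes raw PAN or account number:",
          dump_exposes([record], "4111111111111111", "12345678"))
    print("authorised decrypt:", decrypt_field(master_key, record["bank_details"]))
```

The design point is separation: the records table, the token vault and the encryption key are three different trust boundaries, so an attacker who reads the table alone gets a name, four digits and ciphertext, and any modification of the ciphertext is rejected before it is decrypted.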

Technology & Governance – the year ahead

There is potential in many directions for cyber security, threat intelligence and risk management in 2016, and I am sure there will be some startling stories.   But the one thing I know for sure is that there will be hyper-growth in online extortion, hacktivism and mobile malware, and a pivot by government agencies and corporations towards a much more offensive strategy for dealing with cyber security threats.


I think that both governments and enterprises of all sizes are beginning to recognise the benefits of cyber security foresight and to accept that there will be cyber attacks and that it is likely they will be hacked.  We see changes in legislation coming down the line and increasing hiring activity around skilled cyber security analysts and officers within enterprises.

Enterprises are now evaluating their risk as it relates to their assets and their position in the supply chain, assessing their vulnerabilities and responding with plans to protect and defend accordingly.  Individual users are becoming much more aware of online threats and, through training and education, are translating this heightened visibility into increasingly prudent preventative action.  Malvertising is being forced to morph into more sinister approaches because of an almost 50% increase in the use of ad-blocking software in 2015.


This is both good and bad, as the new approaches will have found a way around the blocking software and will create new attack vectors that most users won’t see coming.  Hackers are very good at adapting to new environments, and for every defensive measure there are probably 50 ways to work around it.

Increasingly sophisticated psychological and analytical techniques and innovation in social engineering will create a large bubble in the online extortion business, driving hackers to expose even more incriminating information about their victims.  Hopefully the Ashley Madison breach will act as a deterrent, or at least as a cautionary tale that makes potential victims think twice before posting such potentially incriminating information.

If there is no basis for extortion, then it will be hard to extort.

So here are some of the things I believe we can expect to see during 2016:

•    Evolving cyber criminals will develop new techniques and attack vectors to personalise hacks, potentially making 2016 the year of online extortion (unless we stop posting hyper-personal data in inappropriate places).
•    Mobile malware will surge along with sales of smartphones and new online payment systems; these will create a target-rich environment that will be impossible for cyber criminals to resist, as the payment systems are particularly vulnerable to attack.
•    There will be a significant increase in government regulation designed to improve protection, detection, arrest and prosecution of cyber criminals, but the result will instead be increased cost and difficulty of compliance for all businesses.
•    Significant fines and punishment for failure to comply with existing regulations affecting the retail, consumer, healthcare, hospitality, finance and manufacturing industries.
•    In spite of increased intention, most companies will not be able to hire cyber security experts in 2016, as the current unemployment rate for analysts is effectively zero.
•    There will be a reduction in malvertising but an increase in socially engineered intrusion, and the resulting compromise and capture of administrative credentials will lead to more successful breaches.


Now is the time to take decisive action and get ahead of all this: install layered-defence technologies, train staff to identify and detect cyber attacks, move to immediate compliance with every regulation affecting our own and our customers’ industry sectors, and develop an internal cyber defence capability while partnering with external specialist firms to supplement it.

What you don’t want is your emails exposed, your internal documents made public, your assets compromised, your position in your supply chain used as a tool to breach a client company or your name in the paper.

If our assets aren’t worth more than the investment required to get secure, our customers and our reputation surely are.   Let’s get moving.


EU data privacy rules – Impact across the pond

A new European privacy regulation is about to be signed off, one which could see US tech firms fined millions of dollars if they do not comply.

The regulation governs how companies obtain and use personal data.  According to USA Today, companies must get clear consent from the user and explain exactly what the data will be used for.  They must also tell the user how the data was obtained and, if the user wants that data corrected or completely deleted, must do so.

As an example, if a user chooses to delete their Facebook account, Facebook would also have to delete all the information it had collected about them.  The regulation has been in preparation for several years and will replace the patchwork of national laws built on the 1995 data protection directive.

“A lot of the language in this regulation has been sharpened in response to US companies walking very close to the line as far as complying with EU data protection regulations,” Danny O’Brien, the international director of the Electronic Frontier Foundation, a San Francisco-based digital rights group, told USA Today.

The age of digital consent will also be raised from 13 to 16, meaning anyone under 16 will need their parents’ approval before handing their data to companies (member states may set a lower threshold, but no lower than 13).

The European Commission and the European Parliament could not agree on the size of the penalty for non-compliance, but 4% of a company’s global annual turnover looks like the sweet spot.  For companies the size of Google or Facebook, that is a lot of money.

As an IT Managed Service Provider, data controller and data processor, Amicus ITS has had to be proactive in looking at the impact of these changes for us and our customer base.  These changes, which will become law in the member states, are positive for individuals, as we all gain more rights over our data.  However, for any organisation that holds or processes data, they will have an impact that cannot be ignored.


Another mobile OS bites the dust


The smartphone OS market is incredibly competitive, yet it is made up of just three main players.  In the UK Android leads with 51.9%, iOS is second with 39.5% and Windows third with 8.2%, leaving just 0.4% for the rest of the market.

Firefox OS by Mozilla is one of those others; however, this week Mozilla announced it is throwing in the towel after just a few years of pushing Firefox OS on smartphones.  The phones were aimed at the low end of the market, without great success.  The OS will live on as an open source project but will no longer be developed for smartphones, as Mozilla was not able to offer “the best user experience possible”.

Firefox OS is not the first to exit the smartphone market; other examples in smartphone history include Symbian, Bada, MeeGo, Palm OS and webOS.

Other current OSes making up the ‘other’ category include BlackBerry, Sailfish OS, Tizen and Ubuntu Touch.

Android was the most recently introduced platform to find large-scale success, overtaking Symbian, the most popular OS at the time, back in 2010.

So why have we not seen any company make a significant impact in the mobile market since Google’s entry with Android?

We are seeing both a maturing smartphone landscape and skyrocketing costs of entry.  Even with these two large factors, it is possible that the ‘other’ category could grow in market share rather than shrink over the next few years, as more informed consumers look beyond the mature and arguably creatively stagnant platforms.

Empowering the Office with Apps


The novelty of mobile apps has long since faded, but their usefulness and functionality keep increasing, with more advanced and creative apps being developed every day.  Creative apps are not limited to the big app stores; they can also come directly from developers to businesses, bypassing the app stores altogether.

These apps can streamline processes and naturally enable mobility within an organisation.  Some business apps have broad appeal, for example mobile versions of larger desktop applications; others have a much more niche appeal and need to be custom built for their use.

Microsoft has announced a new tool called PowerApps for creating apps, aimed not at developers but at anyone familiar with its hugely popular Office suite.

The apps created will run on all mobile platforms including Android, iOS and of course Windows Phone.

The tool is aimed at businesses and uses an Office-like interface, including the ribbon, to create apps that make office life easier.  These can be published from the application and then accessed via an intranet link on other employees’ smartphones, tablets or PCs.

PowerApps has now launched on the Windows Store as a free download and requires an Office 365 account to log in.

EU neighbours stand together in fight against cyber threats

In response to the increasing threat from cyber attacks and the lack of any common European approach to digital network breaches, a new ‘Network and Information Security’ directive was agreed this week by MEPs and ministers.  This creates, for the first time, an EU-wide set of rules on cyber security.

Representatives from the 28 EU countries have agreed in Brussels a common set of minimum standards for cyber security.  Primarily designed to cover any organisation running critical national infrastructure (e.g. airports and power stations), it also sets a minimum benchmark for organisations such as banks, energy and water companies.

On top of this, any company running critical services (plus some technology firms) will be required to report cyber breaches and attacks.  The tech firms likely to be included are online marketplaces such as eBay and Amazon and search engines like Google.

The European Union Agency for Network and Information Security (ENISA) estimates that such breaches, whether from human error, technical failure or malicious attack, result in annual losses in the range of €260bn to €340bn (£188bn to £246bn).

The whole driver for creating consensus is the strength of shared intelligence and protocols between countries.  In this new and dangerous digital age, countries must swallow historic aversions to sharing security information across Europe for the greater good of their citizens.  A further boost is the EU’s pledge to offer best practice to others and to assist member states in securing their infrastructures where they lack the technologies or cyber security specialists.

Knowing how witheringly slow EU politics can be, this goodwill collaboration amongst EU partners was in no small part spurred on by the Paris terrorist attacks of 13 November 2015.

Many hurdles remain, as the agreement still needs approval from the European Parliament and national governments.  With a vote in spring 2016, it would then take around two years to put the measures in place.

MEP Vicky Ford (Chairman of the European Parliament Internal Market and Consumer Affairs Committee), who chaired the final round of talks, said that it was “a hugely complex piece of legislation.  We have set up a network which will enable experts from each of the 28 countries in the EU to share and develop best practice in network security, whilst not compromising any individual member state’s own national security measures.”

One can only hope that EU security agencies are prompted by their leaders to be proactive and altruistic in sharing digital network threat information during the intervening 24 months.  The old “I’m all right Jack” mentality is now firmly a thing of the past: neighbours must support each other in this darker digital world.