Infosecurity Europe 2013: Round Up

This week saw London bathed in glorious spring-like sunshine, just as the three-day annual Infosecurity Europe conference took place at Earls Court. Over 330 vendors, 190 press representatives and 12,000 attendees converged to make an interesting and thought-provoking look at information security in 2013.

The keynote panel discussions focused on best practices as identified by experienced CISOs and security managers, with the general theme that education, awareness and training are the top priorities for organisations wishing to develop a sustainable and adaptive security posture. Budget management is also a tough nut to crack, but it is becoming clear that technical point solutions don't always deliver what is required, and that properly training security practitioners, coupled with cross-department accountability, makes for a more cost-effective approach.

Advanced Persistent Threats, cyber attacks and SCADA-based vulnerabilities were all up for hot discussion by vendors and attendees alike.



See below for a detailed write up of some of the keynote sessions.

Hall Of Fame Inducts Shlomo Kramer & Mikko Hypponen
Keynote Panel: Smarter Security Spending
Technical Strategy: Defining APT
Keynote Panel: Battling Cyber Crime
Keynote Panel: Embedding Security Into The Business
Technical Strategy: SCADA The Next Threat
Analyst Panel: Future Risks

Infosecurity Europe 2014 will run from April 29th to May 1st 2014

By Simon Moffatt

Infosecurity Europe 2013: Smarter Security Spending

Information security should be focused on "moving from the 'T' in IT to the 'I' in IT", according to panel moderator Martin Kuppinger from KuppingerCole Analysts. Information security has often been focused on technical controls, with point solutions based on software and hardware being deployed in the hope that a 'silver bullet' style cure is found for all attacks, breaches and internal issues. This is an unsustainable model, from both a cost and effort perspective, but which areas provide a good return on security investment? An expert panel in the keynote theatre on day three of Infosecurity Europe aimed to find out.

The People, In People, Process & Technology

Michelle Tolmay, from retailer ASOS, commented that the people in the people, process and technology triad are increasingly more important than simply installing and configuring technology. Dragan Pendic, from drinks manufacturer Diageo, also described how building the information security business case requires focus on the 'right people' within the organisation. As budgets are finite, all spending needs to be fully justified and explained in business language to key business stakeholders. Dragan articulated that whilst the majority of the security budget is ring-fenced for legal and regulatory compliance, any remaining funds are spent wisely, focused on identifying security stakeholders with the correct roles and responsibilities in order to make existing and new security technology work smarter.

Education, Training & Awareness

Graham McKay, of DC Thomson, described that whilst risk should be decided by the business, countermeasures should be implemented by the IT and security teams, with a key focus on sustainable education. He argued that point solutions are nearly always breachable at some point in time, and that employee training and awareness is a much more effective and sustainable way to protect information.

Cal Judge from Oxfam explained that for training to be effective, it needs to take a personable and story-based approach, strongly avoiding dry, theoretical, policy-led content. Michelle also added that making examples of the security implications employees face in real life helps to articulate what measures need to be implemented in the workplace.

Accountability -v- Commerciality 

In any organisation there is a clear trade-off between business effectiveness and security implementation. Graham described that an organisation will never be 100% secure, as commerciality will always take hold. Whilst technology obviously has a major role to play, learning the full technical limitations, integration steps and implementation paths is key to fully maximising a return on investment, commented Pendic. Often technology is not implemented to the maximum of its capability, resulting in cheaper alternatives being overlooked or not evaluated. Cal Judge promoted vulnerability scanning of existing technology as an effective spend, arguing that it helps to simulate what an external attacker would look for, from both an internal and an external asset perspective.

Michelle Tolmay added that overly restrictive policies are actually counterproductive and costly, resulting in employees taking shortcuts and workarounds that will ultimately put the business at risk. She also commented that relationships are the underlying success factor for effective infosec spending. Relationships between internal employees across departments, and external relationships between the organisation, audit teams and regulators, all play a key part in understanding how to fuel infosec project spending.


By Simon Moffatt

Infosecurity Europe 2013: Defining APT

Targeted and complex malicious software has seen a significant increase in infection rates since 2007, according to FireEye's Alex Lanstein. "Since the US Air Force used the APT label to describe specifically Chinese origin attacks, multiple variations, from different geographies, are now commonplace".

Malware Occurrence & Complexity On The Rise

The occurrence and complexity of malicious software has led to numerous significant breaches. Powerful state-sponsored and organised crime-led groups have developed automated ways of generating sophisticated malware payloads that are hard to identify, track and block. Many payloads are now masked as everyday application files such as PDFs, Word and Excel documents and images, whilst underneath they harbour well-crafted executables that can seamlessly connect to multiple remote command and control servers. These command and control servers are often reached through intermediary instruction sets, distributed via well-known domains such as Twitter, Yahoo and WordPress blog sites, which won't look suspicious to an organisation's outbound traffic analysis tools. The instruction sets are often encrypted, or at least obfuscated with base64 encoding, to evade detection. Base64 is not encryption and decodes trivially; it only defeats signature matching on the plaintext strings, so a proxy that decodes candidate tokens can still see what is being passed.
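The base64-masked instruction channel described above, as an added example that is not part of the original post or of anything FireEye presented: a small detector that scans public "posts" (as an outbound proxy or log pipeline would see them) for long base64 tokens that decode to printable text. The sample posts are constructed for the example, the `hxxp://` defanging and the 203.0.113.0/24 address are placeholders, and the 16-character and 8-byte thresholds are assumptions to tune against your own traffic.

```python
import base64
import binascii
import re
import string

# Constructed sample of three public "posts" as a proxy might log them:
# two are benign, one carries a base64-masked instruction set.
SAMPLE_POSTS = [
    "Great write-up on the conference, thanks for sharing!",
    "cfg: " + base64.b64encode(b"beacon=60;dl=hxxp://203.0.113.9/u.bin").decode(),
    "The session on SCADA was the highlight of day 2 for me.",
]

# A run of at least 16 base64-alphabet characters, optionally padded, that is
# not glued to other base64 characters on either side (threshold is an assumption).
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
PRINTABLE = set(string.printable) - set("\x0b\x0c")
MIN_DECODED_LEN = 8   # assumed: shorter decodes are too noisy to report


def decode_if_masked_text(token):
    """Return the decoded text if `token` is valid base64 that yields printable
    ASCII of useful length, else None. Binary blobs (images, real base64 data)
    fail the printable check and are ignored."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < MIN_DECODED_LEN:
        return None
    text = raw.decode("ascii", errors="replace")
    if not all(ch in PRINTABLE for ch in text):
        return None
    return text


def find_masked_instructions(post):
    """All base64 tokens in one post that decode to printable text."""
    hits = []
    for match in B64_TOKEN.finditer(post):
        decoded = decode_if_masked_text(match.group(0))
        if decoded is not None:
            hits.append(decoded)
    return hits


def scan_posts(posts):
    """(post index, decoded text) for every suspicious token across all posts."""
    return [(i, text) for i, post in enumerate(posts)
            for text in find_masked_instructions(post)]


if __name__ == "__main__":
    for idx, text in scan_posts(SAMPLE_POSTS):
        print(f"post {idx}: base64-masked text -> {text!r}")
```

Long English words can occasionally decode to printable bytes by chance, so in practice the decoded text is fed to a second stage (keyword or URL matching, or comparison against known beacon formats) rather than alerted on directly.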

Sophisticated Social Framing

As anti-virus and signature-based scanning tools become more accurate, malware designers are leveraging the human factor as a means of entry into an organisation's network. By identifying key employees via social media tools such as LinkedIn and Twitter, malware payloads are delivered directly to an individual via spear-phishing techniques. Basic social framing such as good-news stories, or students looking for work placements or advice, is typical according to Lanstein.

Automation

Many of the payloads being delivered are manufactured using small utilities that help create a 'factory' of malware operators who can craft a malicious document or image in minutes. These payloads are created specifically for individual organisational targets, with subtle differences and nuances in order to look realistic.

The Human Element Behind APT

The human element is not to be underestimated in the entire APT food chain. Whilst the payloads are technical in nature and command and control centres allow for hundreds if not thousands of remote bots, human decision making, framing and social engineering play a large part in overcoming first-line defences. As technical protection gets better, the human factor at both the malware operator and target level becomes ever more important, with increased awareness and training a key tool in malware defence.

By Simon Moffatt

Infosecurity Europe 2013: Battling Cyber Crime Keynote

Cybercrime, whether for financial gain or hacktivist ends, is on the rise. The US and UK governments have invested significant sums in the last 12 months in new defence measures and research centres. The sci-fi talk of 'cyber war' is becoming an increasing reality, but what are the new attack vectors and what can be done to defend against them?

Changing Priorities, Changing Targets

Arnie Bates from Scotia Gas Networks described how freely available tools are now commonplace and can help a potential cyber attacker initiate distributed denial of service (DDoS) attacks simply and easily, without the complex development skills that would have been required only a few years ago. The simplicity of attack initiation has led to 'simple' attacks with more sophisticated impact, as highlighted by Misha Glenny, writer and broadcaster, who pointed to the recent attack on the Associated Press' Twitter account. The attack itself seemed simple, but the resulting impact on the NYSE was tangible.


Hacktivism -v- Financial Reward

DS Charlie McMurdie from the Met Police's cyber crime unit articulated the need to identify the true motive for each cyber crime attack. The majority of attacks being reported derive from a financial motive. Whilst hacktivism is still an important protest tool, the greater complexity and rise in attacks is driven by monetary reward, either directly through theft or indirectly through theft of identity credentials that in turn lead to cash for a successful attacker. From a government perspective, Adrian Price from the UK's MoD described how state-level espionage is still a major concern, as it has been for decades, but the attack vectors have now simply moved online. And whilst state-level attacks could ultimately lead to government involvement, war and loss of life, attacks on national defence still fall under the protest category if a government's political and foreign policy is openly objected to.

Defence Via Shared Intelligence

Whilst DS McMurdie described that there isn't a "single bullet to defend against" when it comes to cyber attacks, there equally isn't a silver bullet that will provide ultimate protection. Private sector organisations still need to promote cyber awareness and education to generate a more cross-departmental approach to defence. At the national and critical infrastructure level, shared intelligence initiatives will help provide a more adaptable and responsive defence mechanism.

By Simon Moffatt

Infosecurity Europe 2013: Embedding Security into the Business

A strong keynote panel discussed the best practices for embedding security into the business, and how the changing perceptions of information security are helping to place it as a key enabler to business growth.

Infosec Is The Oil Of The Car

Brian Brackenborough from Channel 4 best described information security as being "the oil in the car engine". It's an integral part of the car's mobility, but shouldn't always be seen as the brakes, which the business can construe as restrictive and limiting. James McKinlay, from Manchester Airports Group, added that information security needs to move away from being just network and infrastructure focused and start to engage other business departments such as HR, legal and supply chain operators.

The panel agreed that information security needs to better engage all areas of the non-technical business landscape, in order to be fully effective.

Business Focused Language

Many information security decisions are made on risk management and how best to reduce risk whilst staying profitable and not endangering user experience. A key area of focus is the use of a common, business-focused language when describing risk, the benefits of reducing it and the controls involved in the implementation. According to James, organisations need to "reduce the gap between the business and infosec teams' view of risk, and standardise on the risk management frameworks being used".

Education & Awareness

Geoff Harris from ISSA promoted better security awareness as a major security enabler. He described how a basic 'stick' model, in which those caught breaking basic infosec controls buy doughnuts for the team, worked effectively to reduce things like unlocked laptops. James also pointed to "targeted and adaptive education and training" as being of great importance. Different departments have different goals, focuses and users, all of which require specific training when it comes to keeping information assets secure.

All in all, the panel agreed that better communication of information security policy implementation, and better gathering of business feedback during information security policy creation, are essential.

By Simon Moffatt

Infosecurity Europe 2013: SCADA The Next Threat

Physical and industrial control systems are now all around us, in the form of smart grid electricity meters, traffic light control systems and even basic proximity door access control panels. These basic computer systems can hold a vast array of sensitive data, with fully connected network access, central processing units and execution layers. Many, however, lack the basic security management expected of such powerful systems. Many 'don't get a quarter of the security governance an average corporate server gets', according to Greg Jones of Digital Assurance.

Characteristics and Rise In Use
Microcomputers with closed control systems have been in use for a number of years in industrial environments, where they collect processing data or execute measurement or timing instructions. Their popularity in mainstream use has increased, with the likes of TV set-top boxes and games consoles following a similar design. These more commercially focused devices, however, often have stronger security because their makers want to protect revenue streams, says Jones.

Lack of Security Management
Many of the control-type systems in use aren't manufactured or managed with security in mind. Performance, durability and throughput are often of greater importance, leaving areas such as secure storage, administrative lockdown and network connectivity as potential weak spots.

Protection Gaps
The main security focus of many smaller control devices is physical protection. Devices such as traffic light systems or metering boxes are generally well equipped to stave off vandalism and physical breaches, but much less so from a logical and access control perspective.

Data is often stored unencrypted, with limited validation performed on data collection and input channels. This opens up data integrity issues, especially in the field of electricity meter reading, where a reading that carries no authenticator cannot be distinguished from a tampered or replayed one. This will certainly become of greater significance, as it is forecast that by 2020, 80% of European electricity customers will be using a smart-style meter.
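The input-channel validation the paragraph above says is missing, as an added example that is not part of the original post or of any real metering protocol: each reading carries an HMAC-SHA256 tag under a per-meter key, and the head-end rejects readings whose tag does not verify, whose sequence number repeats, or whose cumulative register goes backwards or jumps implausibly. The wire format, key, meter id and the 50 kWh-per-interval bound are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed per-meter key; a real deployment provisions one per device at
# manufacture and the head-end looks it up by meter id. This is a placeholder.
METER_KEY = b"demo-meter-key-not-for-production"
MAX_KWH_PER_INTERVAL = 50.0   # assumed plausibility bound for one reporting interval


def encode_reading(meter_id, seq, kwh, key=METER_KEY):
    """Wire format meter|seq|kwh|tag, where tag = HMAC-SHA256 over the first three fields."""
    body = f"{meter_id}|{seq}|{kwh:.3f}"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


class MeterValidator:
    """Head-end checks on an inbound reading channel: authenticity (MAC),
    freshness (sequence number) and plausibility (cumulative register rules)."""

    def __init__(self, key=METER_KEY, max_delta=MAX_KWH_PER_INTERVAL):
        self.key = key
        self.max_delta = max_delta
        self.last_seq = {}    # meter_id -> last accepted sequence number
        self.last_kwh = {}    # meter_id -> last accepted register value

    def validate(self, message):
        """Return (accepted, reason); per-meter state is updated only on acceptance."""
        parts = message.split("|")
        if len(parts) != 4:
            return False, "malformed"
        meter_id, seq_s, kwh_s, tag = parts
        body = "|".join(parts[:3]).encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):    # constant-time comparison
            return False, "bad mac"
        try:
            seq, kwh = int(seq_s), float(kwh_s)
        except ValueError:
            return False, "bad fields"
        if seq <= self.last_seq.get(meter_id, -1):
            return False, "replay"
        if kwh < 0:
            return False, "negative register"
        prev = self.last_kwh.get(meter_id)
        if prev is not None and kwh < prev:
            return False, "register went backwards"
        if prev is not None and kwh - prev > self.max_delta:
            return False, "implausible jump"
        self.last_seq[meter_id] = seq
        self.last_kwh[meter_id] = kwh
        return True, "ok"


if __name__ == "__main__":
    v = MeterValidator()
    genuine = encode_reading("M-001", 1, 1200.5)
    print(v.validate(genuine))                                   # (True, 'ok')
    print(v.validate(genuine.replace("1200.500", "0001.000")))   # (False, 'bad mac')
```

Without the tag and sequence number the head-end would have to accept the second message as readily as the first; the plausibility rules on their own only catch gross tampering, which is why the MAC check comes first.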

By Simon Moffatt


Infosecurity Europe 2013: Analyst Panel Keynote: Future Risks

The end of day one of the Infosec Europe conference, on a wonderfully warm spring afternoon at Earls Court, saw the keynote theatre host an interesting panel discussion focusing on future risks. Andrew Rose from Forrester, Wendy Nather from the 451 Research group and Bob Tarzey from Quocirca provided some interesting sound bites on what future threats may look like.

Hacktivism versus Financial Reward
All panellists acknowledged that hacktivism has been a major concern for the last few years, with Andrew pointing out that attacks are now becoming more damaging and malicious. Bob produced a nice soundbite, "terrorists don't build guns, they buy them", highlighting that hacktivists can easily leverage available tools to perform sophisticated and complex attacks without spending time and effort developing bespoke tools. Wendy pointed out that attacks driven by financial reward have somewhat different attack patterns and targets, with new avenues such as mobile, smart grids and CCTV devices being identified as potential revenue streams for malicious operators.

Financial reward is still a major driver for many attacks, with new approaches likely to include mobile devices, leveraging potential salami-style SMS attacks (many small premium-rate charges that individually go unnoticed). Intellectual property theft is still a major obstacle at both a nation-state and organisational level.

Extended Enterprises
Andrew commented on the increasing structural complexity many organisations now face. Increased outsourcing, supply chain distribution and third-party data exchanges make defensive planning difficult. Bob also pointed out that the complexity of supply chain logistics has made smaller organisations, traditionally thought to be more immune to larger-scale attacks, more likely to be breached, simply because of the impact a breach may have on their business partners.

Insider Threat and Privileged Account Management
Trusted employees can still be a major headache from a security perspective. Non-intentional activity such as losing laptops, responding to malicious links and falling victim to spear-phishing attacks were all highlighted as the result of poor security awareness or a lack of effective security policy. Bob argued that privileged account management should be a high priority, with many external attacks utilising root, administrator and service accounts and their escalated permissions.

Data Chemistry and Context Aware Analysis
Whilst there is no 'silver bullet' to help prevent the known knowns and unknown unknowns, the use of security analytics can go some way to help detect, and ultimately prevent, future attacks. Wendy used the term 'data chemistry' to emphasise the use of the right data and the right query to add detail and insight to traditional SIEM and log-gathering technologies. Bob promoted greater profiling and context-aware analysis of existing log and event data to highlight exceptions and their relevance, especially from a network activity perspective. Andrew also commented that information asset classification, whilst a well-known approach to risk management, is still a key component in developing effective defence policies.

By Simon Moffatt

Infosecurity Europe 2013: Hall of Fame Shlomo Kramer & Mikko Hypponen

London, 23rd April 2013 - For the last 5 years the medal of honour of the information security world has been presented to speakers of high renown with the ‘Hall of Fame’ at Infosecurity Europe. Voted for by fellow industry professionals the recipients of this most prestigious honour stand at the vanguard of the technological age and this year both Shlomo Kramer and Mikko Hypponen will be presented with the honour on Wednesday 24 Apr 2013 at 10:00 - 11:00 in the Keynote Theatre at Infosecurity Europe, Earl’s Court, London.


Shlomo Kramer is the CEO and a founder of Imperva (NYSE:IMPV), prior to that he co-founded Check Point Software Technologies Ltd. in 1993 (NASDAQ:CHKP). Kramer has participated as an early investor and board member in a number of security and enterprise software companies including Palo Alto Networks (NYSE:PANW), Trusteer, WatchDox, Lacoon Security, TopSpin Security, SkyFence, Worklight, Incapsula and SumoLogic.

Shlomo Kramer commented “I am delighted to have been chosen by Infosecurity for the “hall of fame” in 2013 – it’s a great honour to be recognised for the work that I have done in the IT security industry as a founder of companies such as Check Point and Imperva. I love nothing more than creating and fostering successful enterprise IT- focused businesses and will continue to put my energy into combating the ever increasing onslaught from the cyber-criminal world.”

Mikko Hypponen is the Chief Research Officer of F-Secure in Finland. He has been working with computer security for over 20 years and has fought the biggest virus outbreaks on the net. He's also a columnist for the New York Times, Wired, CNN and BBC. His TED Talk on computer security has been seen by over a million people and has been translated into over 35 languages. Mr. Hypponen sits on the advisory boards of the ISF and the Lifeboat Foundation.

"I've worked in the industry for 22 years and haven't had a boring day yet. I'm honoured to be inducted to the hall of fame", commented Mikko Hypponen. "The enemy is changing all the time so we must keep up."

Previous speakers have included some of the world’s leading thinkers in information security including Professor Fred Piper, Professor Howard Schmidt, Bruce Schneier, Whitfield Diffie, Paul Dorey, Dan Kaminsky, Phil Zimmerman, Lord Erroll, Eugene Kaspersky, Charlie McMurdie, Stephen Bonner and Ed Gibson. To view all previous speakers, along with a short biography, you can visit the Infosecurity website:  http://www.infosec.co.uk/Education-Programme/fame/

The 2013 Hall of Fame will be conducted in the Keynote theatre where both Shlomo and Mikko Hypponen will join Professor Fred Piper in a panel chaired by Raj Samani from the CSA which will address other industry professionals in what always proves to be a compelling and exhilarating event.
The speakers inducted into the Hall of Fame have met the following criteria:
  • Be an internationally recognised and respected Information Security practitioner or advocate 
  • Have made a clear and long-term contribution to the advancement of Information Security 
  • Have provided intellectual or practical input that has shifted the advancement of Information Security 
  • Be an engaging and revolutionary thought leader in Information Security 
The Hall of Fame has proven to be the highlight of previous shows and this year is no different. Setting the standard for other industry professionals and defining contemporary issues, the Hall of Fame speakers aim to challenge conventional thought with a mix of pragmatism and provocation. It really is the must see event of the year.

Microsoft Security Intelligence Report Volume 14

Yesterday, Microsoft released volume 14 of its Security Intelligence Report (SIRv14), which includes new threat intelligence from over a billion systems worldwide. The report focuses on the third and fourth quarters of 2012.

One of the most interesting threat trends to surface in the enterprise environment was the decline in network worms and the rise of web-based attacks. The report found:

  • The proportion of Conficker and Autorun threats reported by enterprise computers each decreased by 37% from 2011 to 2H12.
  • In the second half of 2012, 7 out of the top 10 threats affecting enterprises were associated with malicious or compromised websites.
  • Enterprises were more likely to encounter the iframe redirection technique than any other malware family tracked in 4Q12.
  • One specific iframe redirection family, IframeRef, increased fivefold in the fourth quarter of 2012 to become the number one malicious technique encountered by enterprises worldwide.
  • IframeRef was detected nearly 3.3 million times in the fourth quarter of 2012.
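The iframe redirection technique the report ranks first is usually an iframe the visitor never sees: sized to a pixel, styled invisible, or placed inside an element pushed off-screen. As an added example, not part of the original post or of the Microsoft report, here is a standard-library parser that walks a page and reports iframes hidden in any of those three ways. The sample page and its addresses are constructed; the style patterns are common ones and not an exhaustive list.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: one legitimate video embed plus two iframes hidden
# in the ways a compromised site typically hides a redirection.
SAMPLE_HTML = """
<html><body>
<h1>Company news</h1>
<iframe src="https://video.example.com/embed/123" width="560" height="315"></iframe>
<iframe src="http://198.51.100.7/in.php" width="1" height="1"></iframe>
<div style="position:absolute; left:-9999px">
  <iframe src="http://203.0.113.44/x.html"></iframe>
</div>
</body></html>
"""

# CSS fragments that make an element invisible or push it far off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I)
# Elements that never have a closing tag, so they must not go on the ancestor stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}


def is_tiny(attrs):
    """True if width or height is 0 or 1 (pixels or unitless)."""
    for name in ("width", "height"):
        value = attrs.get(name) or ""
        m = re.match(r"\s*(\d+)", value)
        if m and int(m.group(1)) <= 1:
            return True
    return False


class HiddenIframeFinder(HTMLParser):
    """Collects (src, reason) for every iframe a visitor would not see."""

    def __init__(self):
        super().__init__()
        self.hidden_stack = []   # one flag per open ancestor: is it hidden?
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = a.get("style") or ""
        hidden_here = "hidden" in a or bool(HIDDEN_STYLE.search(style))
        if tag == "iframe":
            src = a.get("src") or ""
            if is_tiny(a):
                self.findings.append((src, "tiny dimensions"))
            elif hidden_here:
                self.findings.append((src, "hidden by own style"))
            elif any(self.hidden_stack):
                self.findings.append((src, "hidden by ancestor"))
        if tag not in VOID:
            self.hidden_stack.append(hidden_here)

    def handle_endtag(self, tag):
        if tag not in VOID and self.hidden_stack:
            self.hidden_stack.pop()


def find_hidden_iframes(html):
    """Parse `html` and return the list of (src, reason) findings in page order."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for src, reason in find_hidden_iframes(SAMPLE_HTML):
        print(f"hidden iframe -> {src} ({reason})")
```

This only catches iframes present in the static HTML; redirections injected by script at load time need the page rendered (or the script inspected) before the same checks apply.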

The report also takes a close look at the dangers of not using up-to-date antivirus software in an article titled "Measuring the Benefits of Real-time Security Software." New research showed that, on average, computers without AV protection were five and a half times more likely to be infected.

The study also found that 2.5 out of 10, or an estimated 270 million computers worldwide, were not protected by up-to-date antivirus software.

Whilst many of the findings surrounding real-time protection seem pretty obvious, the numbers are pretty startling. Security is best implemented using a defence-in-depth, or rings, approach, yet anti-virus or real-time malware detection seems to be taking a back seat. For mobile devices, or devices based on Linux, this can become a significant issue, especially if those devices carry email destined for Microsoft-based machines.

By Simon Moffatt

Who Has Access -v- Who Has Accessed

The certification and attestation part of identity management is clearly focused on the 'who has access to what?' question. But access review compliance is really identifying failings further upstream in the identity management architecture. Reviewing previously created users, or previously created authorization policies, and finding excessive permissions or misaligned policies shows failings with the access decommissioning process or the business-to-authorization mapping process.



The Basic Pillars of Identity & Access Management


  • Compliance By Design
The creation and removal of account data from target systems falls under a provisioning component.  This layer is generally focused on connectivity infrastructure to directories and databases, either using agents or native protocol connectors.  The tasks, for want of a better word, are driven either by static rules or business logic, generally encompassing approval workflows.  The actual details and structure of what needs to be created or removed  is often generated elsewhere - perhaps via roles, or end user requests, or authoritative data feeds.  The provisioning layer helps fulfill what system level accounts and permissions need creating.  This could be described as compliance by design and would be seen as a panacea deployment, with quite a pro-active approach to security, based on approval before creation.
  • Compliance By Control
The second area could be the authorization component.  Once an account exists within a target system, there is a consumption phase, where an application or system uses that account and associated permissions to manage authorization.  The 'what that user can do' part.  This may occur internally, or more commonly, leverage an external authorization engine, with a policy decision point and policy enforcement point style architecture.  Here there is a reliance on the definition of authorization policies that can control what the user can do.  These policies may include some context data such as what the user is trying to access, the time of day, IP address and perhaps some business data around who the user is - department, location and so on.  These authorization 'policies' could be as simple as the read, write, execute permission bits set within a Unix system (the policy here is really quite implicit and static), or something more complex that has been crafted manually or automatically and specific to a particular system, area and organisation.  I'd describe this phase as compliance by control, where the approval emphasis is on the authorization policy.
  • Compliance By Review
At both the account level and authorization level, there is generally some sort of periodic review.  This review could be for internal or external compliance, or to simply help align business requirements with the underlying access control fulfillment layer.  This historically would be the 'who has access to what?' part.  This would be quite an important - not to mention costly from a time and money perspective - component for disconnected identity management infrastructures.  This normally requires a centralization of identity data, that has been created and hopefully approved at some point in the past.  The review is to help identify access misalignment, data irregularities or controls that no longer fulfill the business requirements.  This review process is often marred by data analysis problems, complexity, a lack of understanding with regards to who should perform reviews, or perhaps a lack of clarity surrounding what should be certified or what should be revoked.
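The policy decision point / policy enforcement point split from the 'Compliance By Control' item above, as an added example that is not part of the original post and not any particular product's API: a deny-by-default PDP evaluates a request against policies that combine identity attributes (department) with context (resource, action, source address, time of day), and a PEP refuses to run the protected operation without a Permit. The finance ledger policy, the 10.0.0.0/8 range, the 08:00 to 19:00 window and the user names are all assumptions made for the example. A small `unix_mode_allows` helper shows the implicit rwx-bit policy the text contrasts this with.

```python
import ipaddress
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Request:
    """What the PDP may reason about: who the user is (subject, department)
    and the request context (action, target, source address, time of day)."""
    subject: str
    department: str
    action: str
    resource: str
    source_ip: str
    at: time


def make_request(subject, department, action, resource, source_ip, hour, minute=0):
    """Convenience constructor so callers need not build datetime.time objects."""
    return Request(subject, department, action, resource, source_ip, time(hour, minute))


@dataclass(frozen=True)
class Policy:
    name: str
    resource_prefix: str   # e.g. "ledger/" covers everything under the ledger
    actions: frozenset
    departments: frozenset
    networks: tuple        # ipaddress networks the request must originate from
    hours: tuple           # (start, end) permitted window, end exclusive

    def applies_to(self, req):
        src = ipaddress.ip_address(req.source_ip)
        return (req.resource.startswith(self.resource_prefix)
                and req.action in self.actions
                and req.department in self.departments
                and any(src in net for net in self.networks)
                and self.hours[0] <= req.at < self.hours[1])


class PolicyDecisionPoint:
    """Deny by default: a request is permitted only if some policy covers it."""

    def __init__(self, policies):
        self.policies = list(policies)

    def decide(self, req):
        for policy in self.policies:
            if policy.applies_to(req):
                return ("Permit", policy.name)
        return ("Deny", "no matching policy")


class PolicyEnforcementPoint:
    """Wraps the protected operation; it runs only on a Permit from the PDP."""

    def __init__(self, pdp):
        self.pdp = pdp

    def enforce(self, req, operation):
        decision, reason = self.pdp.decide(req)
        if decision != "Permit":
            raise PermissionError(f"{req.subject} {req.action} {req.resource}: {reason}")
        return operation()


# Constructed policy (network range, hours and names are assumptions):
# finance staff may read the ledger from the corporate LAN during the working day.
POLICIES = [
    Policy(name="finance-ledger-read",
           resource_prefix="ledger/",
           actions=frozenset({"read"}),
           departments=frozenset({"finance"}),
           networks=(ipaddress.ip_network("10.0.0.0/8"),),
           hours=(time(8, 0), time(19, 0))),
]
PDP = PolicyDecisionPoint(POLICIES)


def unix_mode_allows(mode, wants, is_owner, in_group):
    """The implicit, static policy of Unix rwx bits, for comparison: `mode` is
    the permission word (e.g. 0o640) and `wants` one of 'r', 'w', 'x'."""
    shift = 6 if is_owner else (3 if in_group else 0)
    bit = {"r": 4, "w": 2, "x": 1}[wants]
    return bool((mode >> shift) & bit)


if __name__ == "__main__":
    pep = PolicyEnforcementPoint(PDP)
    ok = make_request("alice", "finance", "read", "ledger/2013/q1", "10.1.2.3", 10, 30)
    print(pep.enforce(ok, lambda: "ledger rows"))     # permitted
    late = make_request("alice", "finance", "read", "ledger/2013/q1", "10.1.2.3", 23)
    print(PDP.decide(late))                             # ('Deny', 'no matching policy')
```

The same request from outside the corporate range, outside working hours, for a write, or from another department all fall through to the default Deny, which is the property that makes the policy itself the thing to approve and review.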

SIEM, Activities and Who Has Accessed What?

One of the recent expansions of the access review process has been to marry together security information and event monitoring (SIEM) data with the identity and access management extracts.  Being able to see what an individual has actually done with their access, can help to determine whether they actually still need certain permissions.  For example, if a line manager is presented with a team member's directory access which contains 20 groups, it could be very difficult to decide which of those 20 groups are actually required for that individual to fulfill their job.  If, on the other hand, you can quickly see that out of the 20 groups, twelve were not used within the last 12 months, that is a good indicator that they are no longer required on a day to day basis and should be removed.

There is clearly a big difference between what the user can access and what they actually have accessed.  Getting this view, requires quite low level activity logging within a system, as well as the ability to collect, correlate, store and ultimately analyse that data.  SIEM systems do this well, with many now linking to profiling and identity warehouse technologies to help create this meta-warehouse.  This is another movement to the generally accepted view of 'big data'.  Whilst this central warehouse is now very possible, the end result, is still only really trying to speed up the process of finding failures further up the identity food chain.
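The review described above, as an added example that is not part of the original post and not a feature of any particular SIEM or identity warehouse product: an entitlement extract (what a user can access) is joined with access-log lines (what she has accessed), and each group is classed as keep or revoke candidate according to when it was last exercised. The log format, the users, groups, timestamps and the 365-day window are constructed for the example; a real SIEM feed would be parsed to the same (timestamp, user, group) shape.

```python
import re
from datetime import datetime, timedelta

# Constructed entitlement extract (what alice *can* access) and SIEM lines
# (what she *has* accessed). Users, groups and timestamps are made up.
ENTITLEMENTS = {
    "alice": {"fin-readers", "hr-admins", "vpn-users", "legacy-erp"},
}
SIEM_LOG = """\
2012-06-01T09:12:00Z user=alice resource=fin-share group=fin-readers result=allow
2013-03-04T09:12:00Z user=alice resource=fin-share group=fin-readers result=allow
2013-04-10T18:40:00Z user=alice resource=vpn group=vpn-users result=allow
2011-11-20T12:00:00Z user=alice resource=old-erp group=legacy-erp result=allow
2013-04-11T08:00:00Z user=bob resource=hr-portal group=hr-admins result=allow
this line is not a log event and is skipped
"""
AS_OF = datetime(2013, 4, 30)          # date the review is run (assumed)
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z (.*)$")


def parse_events(text):
    """Yield (timestamp, key=value fields) for each well-formed line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
        yield ts, fields


def last_use_by_group(events, user):
    """Most recent time `user` exercised each group (successful access only)."""
    last = {}
    for ts, f in events:
        if f.get("user") == user and f.get("result") == "allow" and "group" in f:
            group = f["group"]
            if group not in last or ts > last[group]:
                last[group] = ts
    return last


def review(user, entitlements, log_text, as_of, window=timedelta(days=365)):
    """Split a user's groups into keep / revoke candidates, each with a reason."""
    last = last_use_by_group(parse_events(log_text), user)
    cutoff = as_of - window
    keep, revoke = {}, {}
    for group in sorted(entitlements.get(user, ())):
        used = last.get(group)
        if used is None:
            revoke[group] = "never used in the log"
        elif used < cutoff:
            revoke[group] = f"last used {used:%Y-%m-%d}"
        else:
            keep[group] = f"last used {used:%Y-%m-%d}"
    return {"keep": keep, "revoke": revoke}


def run_review(user="alice"):
    """Review `user` against the constructed data as of AS_OF."""
    return review(user, ENTITLEMENTS, SIEM_LOG, AS_OF)


if __name__ == "__main__":
    for verdict, groups in run_review().items():
        for group, reason in groups.items():
            print(f"{verdict:6} {group:12} ({reason})")
```

The output is a recommendation for the reviewing manager, not an automatic revocation: a group used once a year for a legitimate year-end task looks identical to a stale one in this data, which is the gap the page's later point about applying intelligence further up the chain is aimed at.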

Movement to Identity 'Intelligence'

I've talked about the concept of 'identity intelligence' a few times in the past.  There is a lot of talk about moving from big data to big intelligence, and security analytics is jumping on this bandwagon too.  But in reality, intelligence in this sense is really just helping to identify the failings faster.  This isn't a bad thing, but ultimately it's not particularly sustainable or actually going to push the architecture forward to help 'cure' the identified failures.  It's still quite reactive.  A more proactive approach is to apply 'intelligence' at every component of the identity food chain to help make identity management more agile, responsive and aligned to business requirements.  I'm not advocating what those steps should be, but it will encompass an approach and mindset more than just a set of tools, and rest heavily on a graph-based view of identity.

By analysing the 'who has accessed' part of the identity food chain, we can gain yet more insight into who and what should be created and approved within the directories and databases that underpin internal and web-based user stores.  Ultimately this may make the access review component redundant once and for all.

By Simon Moffatt