Follow the leader: defend, deter, and most of all develop!

Last week I wrote an article on why the Dutch underestimate cyber security. In this article I want to point out what the United Kingdom does to protect itself against the increasing cyber threats.

Strong cyber security strategy

Compared to the Netherlands, the UK opts for a more centralised strategy. The National Cyber Security Centre, which was established in early 2017, is the UK’s authority on cyber security and part of GCHQ. It draws cyber security together into a single, expert organisation (CESG, CPNI, CERT-UK and CCA) and drives the UK’s National Cyber Security Strategy. Supported by 1.9 billion pounds of transformational investment, the strategy sets out policies and initiatives to defend our data, systems and networks, deter our adversaries, and develop the critical capabilities:

  • DEFEND: To have the means to defend the UK against evolving cyber threats, to respond effectively to incidents, to ensure UK networks, data and systems are protected and resilient. Citizens, businesses and the public sector have the knowledge and ability to defend themselves.
  • DETER: The UK will be a hard target for all forms of aggression in cyberspace. This will involve detecting, understanding, investigating and disrupting hostile action, pursuing and prosecuting offenders. The country will have the means to take offensive action in cyberspace, should it choose to do so.
  • DEVELOP: To have an innovative, growing cyber security industry, underpinned by world-leading scientific research and development. The country will have a self-sustaining pipeline of talent providing the skills to meet its national needs across the public and private sectors. This cutting-edge analysis and expertise will enable the UK to meet and overcome future threats and challenges.

Investing in development pays off

I believe that the development pillar really sets the UK apart from the rest of the world. The UK shows that a clear strategy and investment in this area pays off. The UK has a thriving 22 billion pounds cyber security sector, made up of over 1,000 cyber security companies, offering the latest advice, products and services. These range from Cyber Strategy Consultancy, Training, Secure Network Infrastructure and Data Analytics to Cyber Incident Response and Recovery. And indeed, the country’s cyber security export industry is growing at a rapid pace. In 2016, UK exports in cyber security grew to £1.5 billion. That’s nearly three times faster than the global export market.

To ensure quality, the NCSC runs a variety of schemes for accrediting different products, from encryption solutions to incident response services. This helps cyber security customers navigate the cyber marketplace and ensure they can have confidence that they are working with high quality UK providers.

However, this growth would not happen without a strong supply of new talent. In order to inspire a new generation the Department for Digital, Culture, Media and Sport (DCMS) have created numerous initiatives. These are all part of the government’s National Cyber Security Programme to find, finesse and fast-track tomorrow’s online security experts. These include for example the government’s Cyber Security Apprenticeships for Critical Sectors Scheme and the CyberFirst programme.

If you want to know more about the UK’s National Cyber Security Strategy or want to get in touch with British cyber security companies, feel free to contact me! In addition, the website of our UK-NL Cyber Security Showcase provides an overview of the companies that participated in this event.

Cyber Security: why the Dutch underestimate it

Security and prosperity depend on an ability to safeguard the digital information, data and networks, at home and abroad, that underpin our society and economy. The WannaCry ransomware attacks on the NHS in the United Kingdom and the NotPetya cyber attack on the APM Terminal of Maersk in the Port of Rotterdam showed once again that both the Netherlands and the United Kingdom are very vulnerable. And these cyber threats continue to grow in scale and sophistication. This makes effective cyber security a crucial part of our economies. And the stakes are high. Deloitte calculated that the yearly damages to the Dutch economy are more than 10 billion euros. This is 1.5% of its GDP, higher than anywhere else in the world. According to Lloyd’s of London the next global cyber attack will lead to more economic damage than a severe natural disaster. This could cause damage up to 121 billion dollars.

Why is the Netherlands not “cyber ready”?

Whereas the UK and the Netherlands have similar economic stakes and operate in the same highly digitalised environment, the UK scores much stronger on the cyber readiness index developed by the Potomac Institute for Policy Studies. The Cyber Security Assessment Netherlands 2017 shows that the resilience of individuals and organisations in public and private sectors is lagging behind in relation to the increased threats. The majority of individuals and organisations seem to severely underestimate and downplay the risks they face.

I believe that there are two main reasons for this. On the one hand this can be blamed on the more laid back security philosophy of the Dutch (“keep everything as open and accessible as possible”). On the other hand the Dutch polder model, their famous system of consensus decision-making, means that there is a lack of a clear, central strategy that defines responsibilities and resources.

Within the Dutch government the responsibilities for cyber security fall under five (!) different government departments. Organisations such as the National Cyber Security Centre, the Defence Cyber Command, the Police’s Team High Tech Crime, and the General Intelligence and Security Service have to work together in a complex “polder” system with public and private partners. Their primary focus is protecting the Dutch critical national infrastructure and large enterprises. This makes information sharing and the process of defining and executing a national cyber security strategy time consuming and complex.

“Triple Helix”

This also affects the development of knowledge and talent. Innovation in the Dutch security sector is often a complex dance between the government, industry and knowledge institutions: the triple helix. The idea behind this concept is that this hybridisation of elements will lead to increased innovation and knowledge development. However, in the Netherlands a central approach is lacking. In a country that is only the size of the State of New York, “accelerators”, “ecosystems” and “clusters” such as The Hague Security Delta pop up everywhere and compete for the same companies, researchers and/or talents. My personal experience is that it is very difficult to get an overview of who does what and who adds value where. Don’t get me wrong, collaboration in this field is key. But collaborating without a clear strategy, structure, or end goal becomes messy and is a waste of (public) money.

So change is needed.

The extra investments of up to 95 million euros per year by the new Dutch government are welcome, if used wisely, but just a very early start. The new Digital Trust Centre, for example, is a good initiative. It will close the gap in the current national cyber security strategy by looking after SMEs as well. But at the same time this adds yet another player to the many other organisations with some kind of responsibility in the field of cyber security.

Learning from each other!

Against this background, the Department for International Trade here in the Netherlands organised the second UK-NL Cyber Security Showcase back in September 2017. We believe that collaboration is key. The economic prosperity and social well-being in both the UK and the Netherlands increasingly depend on the openness and security of networks that stretch beyond our borders. We all benefit from a free, open, peaceful and secure cyberspace. And we have a shared responsibility and mutual interest in improving our collective cyber security. That is why we aim to bring British and Dutch cyber security companies, end users, resellers, and other stakeholders in the cyber security industry together. To share best practices. And to investigate potential partnerships in cyber security in both the Netherlands and the United Kingdom.

In my next blog I will dig into the UK’s strategy to protect against cyber threats and how the Dutch could (and should) learn from that! Stay tuned!

If you missed the UK-NL Cyber Security Showcase and want to see real collaboration in action, have a look at this video:

An impression of the UK-NL Cyber Security Showcase 2017

Seminar: Getting to know the Dutch Cyber Security Market

As part of the UK-NL Cyber Security Showcase the Department for International Trade organised a seminar together with its partners for the UK delegation and others that were interested in the Dutch Cyber Security market. The presentations can be downloaded below:

  • Invest in Holland Workshop – Innovation Quarter

  • The Dutch Cyber Security Market – Department for International Trade

  • Towards Trusted Cyber Public-Private Partnership: how to do successful business with the Dutch government – Bridgehead

  • Cyber Security and legal possibilities: a practical approach – Van Doorne

The Driving Forces of DDoS Attacks Around the World

The latter part of 2017 has seen a marked increase in the number and size of DDoS attacks around the world. The political crisis in Qatar was coupled with an attack on the Al Jazeera website – one of the largest news networks in the world; presidential elections in France were disrupted by attacks on the Le Figaro and Le Monde websites; and in Great Britain, the website that was used for Brexit voter registrations was rendered useless due to an attack that stopped certain voters from registering.

In North America, the Federal Communications Commission (FCC) revealed plans for abolishing the principle of net neutrality, and the ‘comment’ feature on the commission website was rendered inoperative for a day, and then totally disabled due to a massive attack on the website. It is interesting to note that money remains one of the main driving forces for DDoS attacks. Cryptocurrencies, and the increasing interest in their exchange-value in the second quarter of 2017, continue to draw attention from cybercriminals. Bitfinex, the largest bitcoin exchange, was under attack around the same time a new IOT-currency (IOTA) was launched. Apparently, the aim was to try and manipulate currency rates, which can be achieved quite easily due to the high volatility of cryptocurrencies. (Kaspersky Labs, 2017) The list of attacks seems never ending in the types of targets and the severity of the attack types being used.

The first quarter of 2017 saw yet another advancement in the average attack duration, due to an increase in ‘botnet-for-hire’ services like booters or stressers. These enable their users to launch short, low-volume bursts, and such attack tools are commonly used by non-professional offenders.

Law enforcement agencies have started to take attack initiators more seriously, as there have been growing financial losses from DDoS attackers. Mid-2017 saw a young man in Great Britain be sentenced to two years in prison for a series of attacks which were carried out half a decade ago, when he was still a student. The man had created the Titanium Stresser botnet – this is a simple-to-use service that let paying customers launch crippling online attacks against websites and individual Internet users. This caused over 1.7 million attacks against over 650,000 IP addresses, including Xbox Live, PlayStation, and plenty of other servers. The creator was able to yield a profit of over $500,000 by selling this botnet on the darknet.

The most discussed attack of the second quarter was a DDoS attack on Skype servers, which left users unable to make audio/video calls; over 1.5 billion users of this service all over the world experienced connectivity problems for over two days. Responsibility for the campaign was claimed by CyberTeam, but the motive behind this attack remains unknown.

The cyber-attack that brought down much of America’s internet in October 2016 was caused by a new weapon called the Mirai botnet and was likely the largest of its kind in history. Unlike other botnets, which are typically made up of computers, the Mirai botnet is largely made up of so-called “Internet of Things” (IoT) devices such as digital cameras and DVR players. Because it has so many internet-connected devices to choose from, attacks from Mirai are much larger than what most DDoS attacks could previously achieve. There are reports that Mirai’s attack strength was an extraordinary 1.2 terabits per second.

Overall, 80% of all DDoS attacks lasted less than one hour and, for the first time, 90% of network layer attacks lasted less than 30 minutes, compared to 78.2% in the fourth quarter 2016.
At the same time, there is a continued growth in the sophistication of DDoS offenders, reflected by a steep rise in multi-vector attacks. In the first quarter 2017, these accounted for more than 40% of all network layer attacks, up from 29% in the fourth quarter.

It is evident that DDoS attacks come in many shapes and forms, and Spirent’s CyberFlood offers two primary vectors to preemptively test:

  • Testing against the actual ‘flood’ attack itself – Since a DDoS attack is a well-coordinated attack caused by manipulating thousands to tens of thousands of IoT devices simultaneously, the traffic that this attack generates is enormous. CyberFlood aids in finding these pain-points to ensure that you are prepared against attacks of this scale.
  • Malware Constructs that are the BOT – CyberFlood has the capability to test your traffic mix using active BOTs that would typically install themselves on a compromised system and be the attack generator if they were to be activated.

In conclusion, DDoS attacks are getting stronger and more disruptive with every passing moment, and organizations need to be preemptively testing and be prepared in the event of such attacks.  Not every person has access to ethical hackers, but enterprises do. The time to start leveraging experts to aid in managing your security arsenal is now, and Spirent is positioned to be your partner in your fight against cybercrime.

If you’re interested in learning more about our security solutions visit Spirent’s CyberFlood page. If you would like this level of security expertise for your company and want to speak to our security experts directly, contact us or register for our Cybersecurity live and on-demand webinars.

Spirent is Silver Sponsor of the UK-NL Cyber Security Showcase


Eventbrite - UK-NL Cyber Security Showcase 2017

Your Cyber Risk isn’t just “Yours”!

Data security and privacy are the foundations of today’s world. A world where the boundaries between business processes, people and technology are getting blurred. Organisations are facing a new reality in which they have little IT infrastructure and the biggest cyber security and data privacy risk is coming from vendors and third parties outside their control. Do you remember the Target, Google Docs, Yahoo and AT&T data security breaches? All of them have been a consequence of third party cyber security failure. Research indicates that approximately 70% of data security and privacy breaches are caused by third parties.

The scope of organisations’ digital risk is expanding due to the new digital business environment. An environment that consists of a broad external eco-system and high levels of emerging intersections between technology and the physical world, such as intelligent chatbots, IoT and connected and autonomous vehicles. For customer-facing organisations like banks, publishers, insurance companies, and many others, this will be a big challenge. Digital business as we know it today is dependent on the use of third party services and software. From business intelligence and analytics to social media and marketing, many of these services are not provided by the organisation itself, but by third parties. Most of these organisations do not have a quick and easy way to gain instant and on-going visibility of their partners’ data security and privacy posture.

On 25th May 2018, on-going visibility of your third party data security and privacy posture will become paramount for organisations interacting with or serving European customers around the world. At that point the new EU General Data Protection Regulation (GDPR) will come into effect. Organisations that collect and process EU customers’ personal data, such as name, address, email, financial records, IP address, etc., must obtain clear and specific permission to do so. The regulation requires organisations to institute strong data security and privacy measures. They must know where every piece of customers’ data is stored, where it came from and with whom it is being shared, appoint a data protection officer and inform users within 72 hours of a data breach so they can take steps to protect themselves.

Organisations that fail to comply with the regulation could find themselves facing steep fines of 2% and 4% of total annual turnover. Accordingly, the likes of AT&T, Target, Google and Wal-Mart could be fined between €53 Million and €5.83 Billion if their third party acted negligently again and caused a data security breach. Consequently, organisations must not only protect customer data across their own IT environment, but also ensure that the processes and practices of their third parties are secure and compliant with GDPR requirements.

Traditionally, third party risk assessments have been conducted manually, collecting answers in surveys and questionnaires via emails, spreadsheets and planned visits to third party organisations. This is an extremely labour intensive, highly time consuming and expensive process, which organisations oftentimes outsource to yet another third party! With this approach, organisations will never gain on-going visibility and clear insight into their third parties’ data security and compliance posture. They will only gain a snapshot at the time of the assessment, which quickly becomes outdated and irrelevant due to system and/or business process upgrades. Accordingly, organisations will fall short across a number of articles and controls in the GDPR and end up not being compliant as well as being at risk of business disruption, financial loss, reputational damage and huge fines.

Fulfilling GDPR third party compliance requirements requires a material shift in how organisations assess the risk of their current and potential third parties. Organisations must be able to have clear, comprehensive and frequent insight into their third party data security and GDPR compliance in order to align and reflect data security risks of their business processes, people, and IT infrastructure instantly.

At CyNation, we provide organisations with solutions that allow them to accelerate third party security and compliance risk assessment and monitoring to verify if their third parties are compliant with the GDPR and other industry standards, such as ISO 27001, ISO 31000, ISO 27017, and PCI DSS.

Our cloud-based solutions automate and streamline the lifecycle of third party security risk assessment, from distributing assessment questionnaires, response monitoring, response aggregation and analysis, and evidence collection and analysis to instant reporting and action plan generation. CyReg™ GDPR relieves organisations from the tedious manual tasks of third party risk assessment, offering a systematic, step-by-step approach to evaluate an organisation’s GDPR readiness as well as quickly and accurately identifying data privacy and compliance gaps within the organisation and its third parties. CyNation’s Security Scorecard enables organisations to get in-depth insights into the cyber health of their third parties, including their supply chain, vendors or other parties.

Shadi Razak is the Chief Technology Officer of CyNation Ltd.

For Cyber Security, fix the Human Factor

It’s really not fair. No sooner do we generally come to terms with one cybercrime threat than another appears, attacking our lives from afar, using ever more advanced technology and connectivity to do so.

Our unspoken deal with the internet is that we allow it to invade our lives for positive reasons such as economic gain, personal growth or just convenience – or at least we feel we have to submit to its pervasive influence or lose out, big time. The problem is that, as with all morally neutral and relatively unmoderated instruments, that same deal can be abused. Through exposure to the internet’s downsides we, our families or our general lives can be hurt.

There are of course deeply technical mitigations to these threats – sometimes ahead of, although more often slightly behind, the development curve. Generally speaking, we hope to keep up, although most of us don’t understand the technology involved and are content to entrust it to those who sound like they know what they are doing. But to rely purely on that technology to protect us is like relying purely on the lock on our front door to prevent a burglary at our home.

As in our private lives, so at work. Our organisations – governmental, corporate, any of them – are tempting targets and often more vulnerable than they would like to think. To minimise that vulnerability, there is a lot of investment in technical services – antivirus, firewalls, network configuration, penetration testing – in which we put our faith. But still, the attacks keep coming, and too many of them succeed.

In our private and work lives, we can’t just rely on the technology to protect us. We have to protect ourselves, and those around us.

If you look at the most prominent cyber threats, most rely on human vulnerability to achieve their objective. The National Crime Agency’s list of top threats includes the sexual exploitation and abuse of children, of which a massive amount occurs online; and economic crime, where much of the gain is made by deceit of an unwitting person or exploiting vulnerability through extortion.

Even in the category of cybercrime, the human factor is a constant, whether by allowing data loss or, through poor decision-making, failing to protect systems, organisations and people against predictable and avoidable threats. There’s a good reason why the recently established UK National Centre specifies User Awareness and Training as one of the first steps to Cyber Security.

The UK-based non-profit organisation Get Safe Online (GSOL) is part of the solution. GSOL has insight into the threats faced by all sections of the population, and by organisations, and seeks to target harden people through the same principles. For example, go on the websites of most of the UK’s police forces, and look for help with cybercrime, and it’s probably GSOL’s content you can see. Our partnerships extend into the private sector as well – where there is vulnerability, that’s where we want our messages to be.

The extra good news is that, in my view, the objectives of personal cyber security training – awareness, empowerment, and access to support when needed – can protect us in our own lives, and help us protect our organisations too. We just need to get it right once.

Why we need more UK NL cyber collaboration

The UK and Netherlands should collectively invest more in infosec collaboration.

As a Dutchman who regularly travels to London, I can’t help comparing our nations every now and then. On the DLR into the city, it’s obvious there are big differences. Having worked for a British boss, I can distinguish between a proud UK management style and the more hands off Dutch approach, whilst having an appreciation for both. UK North Sea shores primarily face east, while ours mostly face west. Political consensus varies between both nations. And of course, we drive on the right side of the road.

But there are similarities too – there are densely populated areas on both sides of the pond. We all love football. And with regards to fintech and cyber threats there are similarities too. In the mid-2000s, when the first wave of cybercrime struck financials in Europe, the UK and the Netherlands were among the first to be hit. Often, criminal gangs would set up campaigns targeting banks in both countries at the same time. With financial hubs in London and Amsterdam, the banks pushed the cyber security industry to the next level, and cyber and fintech startups in both countries flourished. For what it’s worth, we gained a lot of experience in building our defenses.

That’s why both countries have relatively well developed security and infosec industries. Both countries have developed law enforcement capabilities, with the NCA in the UK and Team High Tech Crime in the Netherlands. The former works with international LE against organized crime like Dridex, the latter with successes in botnet and underground market takedowns, such as Bredonet and Hansa. Lawmakers, from both sides, adopt the same kinds of approaches towards building resilience.

And that’s fantastic, because criminal organisations are now interested in everyone. It’s not just criminals and spies in our networks anymore; activists and nation states have joined the action to make the internet increasingly unsafe. The UK and the Netherlands have a great opportunity to join forces. Our experiences align, our laws on the subject align, our LE aligns, and a flight from Amsterdam to London City takes just 50 minutes.

Eward Driehuis is Chief Research Officer for SecureLink Group, which has over 700 specialized employees across mainland Europe and in London.

Advanced security awareness and training initiative

“Ultimately, the security chain is as strong as its weakest link and once a cybercriminal has compromised one account – even a junior employee – they can then leverage that account and move upwards through the organization, eventually getting to the final target like the CEO or CFO,” Mark O’Hare explains.

That’s why everyone, from the executive suite to the front desk and back office, needs to be involved in promoting and protecting cybersecurity.

Here are five steps to get started:

  1. Identify a project champion and leadership team.

“Cybersecurity should not be an afterthought, it needs constant focus and attention to be effective,” O’Hare says. “Without a high-level champion there is no backing of the security program and it will lose its effectiveness.” The champion should have the trust and the ear of the executive team and can secure the necessary financial and human resources. S/he must have a stake in the project’s outcome, such as performance or outcome accountability. A project leader or manager handles the strategic and tactical work of a team charged with developing and executing cybersecurity communications and training. Build out the team with employees from different departments and at different organizational levels to ensure a diversity of insights during the planning process. This also shows employees that this is truly an all-organization endeavor. It’s especially important to have someone from training and learning/human resources and public relations on the team since they are your internal experts on teaching and communicating.

  2. Perform a threat assessment and internal audit.

This is the best way to understand the kinds of threats aimed at your organization, and gives you a clear sense of vulnerability to them. Your IT team may be able to perform these tasks, but the American Institute of Certified Public Accountants (AICPA) encourages organizations to work with an outside vendor specializing in cybercrime. The review should include encryption and archiving requirements, data residency, and the technology and processes related to privileged credentials, email wire transfer requests and the sharing of personally identifiable information via email.

At the very least, launch an email threat assessment audit of your existing email security system to understand how many suspect emails – garden-variety spam or bona fide attacks – are getting through. Recent email security data from Mimecast shows that 24% of “OK’d” emails are actually suspect, and a lot of those include malware and impersonation attacks.

  3. Review general risks.

Make sure your staff is familiar with the most prevalent forms of email-based cybercrime, such as:

  • Ransomware. This malicious software takes control of your computer or its data when a user clicks a malicious link, downloads a file or opens an attachment, so the cybercriminals can demand ransom money for you to regain access. Ransomware attacks like WannaCry and Petya showed us that organizations of every size are at risk. “People who say, ‘I’m not doing anything interesting, I don’t have anything that hackers would want.’ – it may not matter,” notes Jamie Winterton, director of strategy at the Global Security Initiative at Arizona State University. “Your system has the right kind of profile, and could be locked up whether you’re an individual or a small business or a huge company.”
  • Email Impersonation Fraud (Whaling). Savvy scammers can easily impersonate a CEO or senior member of your organization by scanning social media accounts, websites and search results to create authentic looking and sounding emails requesting everything from wire transfers to highly valuable information like W-2 forms and other confidential information. While any top-level executive is at risk of being impersonated, the CEO, CFO, and chief legal counsel are the most frequently spoofed in a whaling attack. And not just at large organizations. Even small companies and nonprofits should be on the lookout for this kind of fraud. “You should not feel immune because you are the most vulnerable and the least knowledgeable about it,” says Jessica Robinson, CEO of New York-area security firm PurePoint International.
  • Email Wire Transfer Fraud. The data shows that a lot of well-meaning employees are falling for this kind of scam, in which an email from an official-looking source, such as a long-time external contractor or an internal colleague, requests a wire payment. Sometimes, scammers say they’ve switched banks, and offer new routing information to their bank (and not your vendor’s). Frequently, fraudulent internal requests are time-boxed so the recipient feels a lot of pressure to comply with the request, often skipping important verification steps. Implement a strict policy on how, when, and whether wire transfers can be done. “Do not rely solely on the email, do not rely solely on a phone call — also known as vishing, for Voice Phishing or VoIP Phishing,” says Mimecast’s Product Marketing Manager, Security, Bob Adams. “There needs to be a protocol in place to allow, authorize, and process a wire transfer within the business.”
  4. Include personal risks. Get more buy-in from staff by including tactics that threaten their personal accounts, such as how to protect your Gmail and Facebook accounts, per O’Hare.
  5. Focus your efforts. Develop awareness and training programs that address your known and anticipated vulnerabilities and threats. Your goal is to give people enough information to be vigilant about cybercrime without feeling like it’s too big a problem to address, or that they’re going to make a giant mistake every time they open an email. “We’ve instilled a lot of cyber-fear in people, and it’s actually working against them,” Winterton notes. “We’ve scared people out of best practices, and I think that’s something that we as technologists need to be aware of.”


Mimecast Secure Email Gateway uses sophisticated, multi-layered detection engines and intelligence to protect email data and employees from malware, spam, phishing, and targeted attacks 100% from the cloud.

With over 20,000 customers, Mimecast’s adaptive systems are constantly improving defenses to block both known and unknown threats. Contain spear-phishing attempts by reviewing every URL for threats and make sure spam and malware don’t reach your email system.

The majority of organizations have no solution for preventing data leakage in emails. With Mimecast, policies are set centrally so organizations don’t risk compliance and policy violations, whether in an on-premises, cloud or hybrid email environment.

Mimecast is the platinum sponsor of the UK-NL Cyber Security Showcase. Visit Mimecast for more information.