As part of the UK-NL Cyber Security Showcase the Department for International Trade organised a seminar together with its partners for the UK delegation and others that were interested in the Dutch Cyber Security market. The presentations can be downloaded below:
- Invest in Holland Workshop – Innovation Quarter
- The Dutch Cyber Security Market – Department for International Trade
- Towards Trusted Cyber Public-Private Partnership: how to do successful business with the Dutch government – Bridgehead
- Cyber Security and legal possibilities: a practical approach – Van Doorne
The latter part of 2017 saw a marked increase in the number and size of DDoS attacks around the world. The political crisis in Qatar coincided with an attack on the website of Al Jazeera, one of the largest news networks in the world; the presidential election in France was disrupted by attacks on the Le Figaro and Le Monde websites; and in Great Britain the website used for Brexit referendum voter registration was rendered unusable by an attack that prevented some voters from registering.
In North America, the Federal Communications Commission (FCC) revealed plans to abolish the principle of net neutrality, and the ‘comment’ feature on the commission’s website was inoperative for a day and then disabled entirely following a massive attack on the site. Money remains one of the main driving forces behind DDoS attacks. Cryptocurrencies, and the surge of interest in their exchange value in the second quarter of 2017, continue to draw the attention of cybercriminals. Bitfinex, the largest bitcoin exchange, was attacked around the time a new IoT-oriented currency (IOTA) was launched; the apparent aim was to manipulate exchange rates, which the high volatility of cryptocurrencies makes relatively easy (Kaspersky Labs, 2017). The list of attacks seems endless in both the variety of targets and the severity of the techniques used.
The first quarter of 2017 saw attack durations shorten further, driven by the growth of ‘botnet-for-hire’ services such as booters and stressers. These let their users launch short, low-volume bursts, which makes such tools popular with non-professional offenders.
Law enforcement agencies have started to take attack initiators more seriously as financial losses from DDoS attacks have grown. In mid-2017 a young man in Great Britain was sentenced to two years in prison for a series of attacks carried out half a decade earlier, while he was still a student. He had created the Titanium Stresser botnet, a simple-to-use service that let paying customers launch crippling online attacks against websites and individual Internet users. It was used for over 1.7 million attacks against more than 650,000 IP addresses, including Xbox Live, PlayStation and many other servers, and its creator earned over $500,000 by selling access to it on the darknet.
The most discussed attack of the second quarter was a DDoS attack on Skype’s servers, which left users all over the world unable to make audio and video calls and suffering connectivity problems for over two days. Responsibility for the campaign was claimed by CyberTeam, but the motive behind the attack remains unknown.
The cyber-attack that brought down much of America’s internet in October 2016 was caused by a new weapon, the Mirai botnet, and was likely the largest of its kind in history. Unlike other botnets, which are typically made up of computers, the Mirai botnet consists largely of so-called “Internet of Things” (IoT) devices such as IP cameras and digital video recorders. Because it has so many internet-connected devices to draw on, attacks from Mirai are far larger than most DDoS attacks could previously achieve; its attack strength has been reported at an extraordinary 1.2 terabits per second.
Overall, 80% of all DDoS attacks lasted less than one hour and, for the first time, 90% of network layer attacks lasted less than 30 minutes, up from 78.2% in the fourth quarter of 2016.
At the same time, DDoS offenders continue to grow more sophisticated, as reflected in a steep rise in multi-vector attacks. In the first quarter of 2017 these accounted for more than 40% of all network layer attacks, up from 29% in the fourth quarter of 2016.
DDoS attacks clearly come in many shapes and forms, and Spirent’s CyberFlood offers two primary vectors for testing pre-emptively:
- Testing against the ‘flood’ attack itself. A DDoS attack is a coordinated attack launched from thousands to tens of thousands of compromised devices simultaneously, so the traffic it generates is enormous. CyberFlood helps locate the points where your infrastructure breaks under that load, so that you know you are prepared for attacks of this scale.
- Testing against the malware that forms the bot. CyberFlood can test your traffic mix with active bots of the kind that typically install themselves on a compromised system and become the attack generator once activated.
In conclusion, DDoS attacks are growing stronger and more disruptive, and organizations need to test pre-emptively and be prepared for such attacks. Not every individual has access to ethical hackers, but enterprises do. The time to start leveraging experts to help manage your security arsenal is now, and Spirent is positioned to be your partner in the fight against cybercrime.
If you’re interested in learning more about our security solutions, visit Spirent’s CyberFlood page. If you would like this level of security expertise for your company and want to speak to our security experts directly, contact us or register for our live and on-demand cybersecurity webinars.
Spirent is Silver Sponsor of the UK-NL Cyber Security Showcase
Data security and privacy are foundations of today’s world, a world in which the boundaries between business processes, people and technology are blurring. Organisations face a new reality in which they own little IT infrastructure and their biggest cyber security and data privacy risks come from vendors and third parties outside their control. The Target, Google Docs, Yahoo, AT&T and Play.com data security breaches were all consequences of third-party security failures, and research indicates that approximately 70% of data security and privacy breaches are caused by third parties.
The scope of an organisation’s digital risk is expanding with the new digital business environment: a broad external ecosystem and a growing number of intersections between technology and the physical world, such as intelligent chatbots, IoT, and connected and autonomous vehicles. For customer-facing organisations such as banks, publishers and insurance companies, this is a big challenge. Digital business as we know it depends on third-party services and software; from business intelligence and analytics to social media and marketing, many of these services are provided not by the organisation itself but by third parties. Most organisations have no quick and easy way to gain instant and on-going visibility of their partners’ data security and privacy posture.
On 25 May 2018, when the EU General Data Protection Regulation (GDPR) comes into effect, on-going visibility of your third parties’ data security and privacy posture becomes paramount for any organisation interacting with or serving European customers, wherever in the world it operates. Organisations that collect and process EU customers’ personal data, such as names, addresses, email addresses, financial records and IP addresses, must have a lawful basis for doing so, which in many cases means obtaining clear and specific consent. The regulation requires organisations to institute strong data security and privacy measures: they must know where every piece of customer data is stored, where it came from and with whom it is shared; appoint a data protection officer where the regulation requires one; and notify the supervisory authority of a personal data breach within 72 hours, and affected users without undue delay where the breach poses a high risk to them, so they can take steps to protect themselves.
Organisations that fail to comply could face fines of up to 2% or 4% of total annual worldwide turnover (or €10 million or €20 million, whichever is higher), depending on the provision breached. On that basis the likes of AT&T, Target, Google and Wal-Mart could be fined between €53 million and €5.83 billion if a third party acted negligently again and caused a data security breach. Consequently, organisations must not only protect customer data across their own IT environment, but also ensure that the processes and practices of their third parties are secure and compliant with GDPR requirements.
Traditionally, third-party risk assessments have been conducted manually, collecting answers to surveys and questionnaires via email, spreadsheets and planned visits to third-party organisations. This is an extremely labour-intensive, time-consuming and expensive process, which organisations often outsource to yet another third party! With this approach organisations never gain on-going visibility and clear insight into their third parties’ data security and compliance posture. They obtain only a snapshot at the time of the assessment, which quickly becomes outdated as systems and business processes change. As a result, organisations fall short on a number of GDPR articles and controls and end up non-compliant, at risk of business disruption, financial loss, reputational damage and heavy fines.
Fulfilling GDPR third-party compliance requirements requires a material shift in how organisations assess the risk of their current and potential third parties. Organisations must have clear, comprehensive and frequent insight into their third parties’ data security and GDPR compliance, so that they can align it with the data security risks of their own business processes, people and IT infrastructure at any moment.
At CyNation, we provide solutions that allow organisations to accelerate third-party security and compliance risk assessment and monitoring, verifying whether their third parties comply with the GDPR and with industry standards such as ISO 27001, ISO 31000, ISO 27017 and PCI DSS.
Our cloud-based solutions automate and streamline the third-party security risk assessment lifecycle: distributing assessment questionnaires, monitoring and aggregating responses, analysing them, collecting and analysing evidence, instant reporting and action-plan generation. CyReg™ GDPR relieves organisations of the tedious manual tasks of third-party risk assessment, offering a systematic, step-by-step approach to evaluating an organisation’s GDPR readiness and quickly and accurately identifying data privacy and compliance gaps within the organisation and its third parties. CyNation’s Security Scorecard gives organisations in-depth insight into the cyber health of their third parties, including their supply chain, vendors and other parties.
Shadi Razak is the Chief Technology Officer of CyNation Ltd.
It’s really not fair. No sooner do we generally come to terms with one cybercrime threat than another appears, attacking our lives from afar, using ever more advanced technology and connectivity to do so.
Our unspoken deal with the internet is that we allow it to invade our lives for positive reasons such as economic gain, personal growth or just convenience – or at least we feel we have to submit to its pervasive influence or lose out, big time. The problem is that, as with all morally neutral and relatively unmoderated instruments, that same deal can be abused. Through exposure to the internet’s downsides we, our families or our general lives can be hurt.
There are of course deeply technical mitigations to these threats, sometimes ahead of, although more often slightly behind, the development curve. Generally speaking we hope to keep up, although most of us don’t understand the technology involved and are content to entrust it to those who sound like they know what they are doing. But to rely purely on that technology to protect us is like relying purely on the lock on our front door to prevent a burglary at our home.
As in our private lives, so at work. Our organisations – governmental, corporate, any of them – are tempting targets and often more vulnerable than they would like to think. To minimise that vulnerability, there is a lot of investment in technical services – antivirus, firewalls, network configuration, penetration testing – in which we put our faith. But still, the attacks keep coming, and too many of them succeed.
In our private and work lives, we can’t just rely on the technology to protect us. We have to protect ourselves, and those around us.
If you look at the most prominent cyber threats, most rely on human vulnerability to achieve their objective. The National Crime Agency’s list of top threats includes the sexual exploitation and abuse of children, a huge proportion of which occurs online, and economic crime, where much of the gain is made by deceiving an unwitting person or exploiting vulnerability through extortion.
Even in the narrower category of cybercrime, the human factor is a constant, whether through allowing data loss or, through poor decision-making, failing to protect systems, organisations and people against predictable and avoidable threats. There is a good reason why the recently established UK National Cyber Security Centre lists user awareness and training among its first steps to cyber security.
The UK-based non-profit organisation Get Safe Online (GSOL) is part of the solution. GSOL has insight into the threats faced by all sections of the population and by organisations, and seeks to target-harden people using the same principles. For example, visit the websites of most of the UK’s police forces, look for help with cybercrime, and it is probably GSOL’s content you will see. Our partnerships extend into the private sector as well: where there is vulnerability, that is where we want our messages to be.
The further good news is that, in my view, the objectives of personal cyber security training (awareness, empowerment and access to support when needed) can protect us in our own lives and help us protect our organisations too. We just need to get it right once.
The UK and Netherlands should collectively invest more in infosec collaboration.
As a Dutchman who regularly travels to London, I can’t help comparing our nations every now and then. On the DLR into the city, it’s obvious there are big differences. Having worked for a British boss, I can tell a proud UK management style from the more hands-off Dutch approach, while appreciating both. The UK’s North Sea shores mostly face east, while ours mostly face west. Political consensus varies between the two nations. And of course, we drive on the right side of the road.
But there are similarities too: there are densely populated areas on both sides of the pond. We all love football. And with regard to fintech and cyber threats there are similarities as well. In the mid-2000s, when the first wave of cybercrime struck financial institutions in Europe, the UK and the Netherlands were among the first to be hit. Often, criminal gangs would set up campaigns targeting banks in both countries at the same time. With financial hubs in London and Amsterdam, the banks pushed the cyber security industry to the next level, and cyber and fintech startups in both countries flourished. For what it’s worth, we gained a lot of experience in building our defences.
That’s why both countries have relatively well-developed security and infosec industries. Both have developed law enforcement capabilities, with the NCA in the UK and Team High Tech Crime in the Netherlands. The former works with international law enforcement against organised crime such as the Dridex gang; the latter has had successes in botnet and underground market takedowns, such as Bredolab and Hansa. Lawmakers on both sides adopt the same kinds of approaches to building resilience.
And that’s fantastic, because criminal organisations are now interested in everyone. It’s not just criminals and spies in our networks anymore; activists and nation states have joined the action, making the internet increasingly unsafe. The UK and the Netherlands have a great opportunity to join forces. Our experiences align, our laws on the subject align, our law enforcement aligns, and a flight from Amsterdam to London City takes just 50 minutes.
Eward Driehuis is Chief Research Officer for SecureLink Group, which has over 700 specialized employees across mainland Europe and in London.
“Ultimately, the security chain is as strong as its weakest link and once a cybercriminal has compromised one account – even a junior employee – they can then leverage that account and move upwards through the organization, eventually getting to the final target like the CEO or CFO,” Mark O’Hare explains.
That’s why everyone, from the executive suite to the front desk and back office, needs to be involved in promoting and protecting cybersecurity.
Here are five steps to get started:
- Identify a project champion and leadership team.
“Cybersecurity should not be an afterthought, it needs constant focus and attention to be effective,” O’Hare says. “Without a high-level champion there is no backing of the security program and it will lose its effectiveness.” The champion should have the trust and the ear of the executive team and be able to secure the necessary financial and human resources, and must have a stake in the project’s outcome, such as accountability for its performance. A project leader or manager handles the strategic and tactical work of a team charged with developing and executing cybersecurity communications and training. Build out the team with employees from different departments and organizational levels to ensure a diversity of insights during planning; this also shows employees that this is truly an organization-wide endeavor. It is especially important to have someone from training and learning/human resources and from public relations on the team, since they are your internal experts on teaching and communicating.
- Perform a threat assessment and internal audit.
This is the best way to understand the kinds of threats aimed at your organization, and it gives you a clear sense of your vulnerability to them. Your IT team may be able to perform these tasks, but the American Institute of Certified Public Accountants (AICPA) encourages organizations to work with an outside vendor specializing in cybercrime. The review should cover encryption and archiving requirements, data residency, and the technology and processes around privileged credentials, email wire-transfer requests and the sharing of personally identifiable information via email.
At the very least, run an email threat assessment of your existing email security system to understand how many suspect emails, whether garden-variety spam or bona fide attacks, are getting through. Recent email security data from Mimecast shows that 24% of emails passed as “OK” are actually suspect, and many of those carry malware or impersonation attempts.
- Review general risks.
Make sure your staff is familiar with the most prevalent forms of email-based cybercrime, such as:
- Ransomware. This malicious software takes control of your computer or its data when a user clicks a malicious link, downloads a file or opens an attachment, so that the cybercriminals can demand a ransom to restore access. Ransomware attacks like WannaCry and Petya showed that organizations of every size are at risk. “People who say, ‘I’m not doing anything interesting, I don’t have anything that hackers would want.’ – it may not matter,” notes Jamie Winterton, director of strategy at the Global Security Initiative at Arizona State University. “Your system has the right kind of profile, and could be locked up whether you’re an individual or a small business or a huge company.”
- Email Impersonation Fraud (Whaling). Savvy scammers can easily impersonate a CEO or senior member of your organization by scanning social media accounts, websites and search results to craft authentic-looking and -sounding emails requesting everything from wire transfers to highly valuable information such as W-2 forms and other confidential data. While any top-level executive is at risk of being impersonated, the CEO, CFO and chief legal counsel are the most frequently spoofed in a whaling attack. And not just at large organizations: even small companies and nonprofits should be on the lookout for this kind of fraud. “You should not feel immune because you are the most vulnerable and the least knowledgeable about it,” says Jessica Robinson, CEO of New York-area security firm PurePoint International.
- Email Wire Transfer Fraud. The data shows that many well-meaning employees are falling for this kind of scam, in which an email from an official-looking source, such as a long-time external contractor or an internal colleague, requests a wire payment. Sometimes the scammers say they have switched banks and supply new routing details for their own account (not your vendor’s). Frequently, fraudulent internal requests are time-boxed so that the recipient feels pressure to comply and skips important verification steps. Implement a strict policy on how, when and by whom wire transfers can be made. “Do not rely solely on the email, do not rely solely on a phone call — also known as vishing, for Voice Phishing or VoIP Phishing,” says Mimecast’s Product Marketing Manager, Security, Bob Adams. “There needs to be a protocol in place to allow, authorize, and process a wire transfer within the business.”
- Include personal risks. Get more buy-in from staff by covering tactics that threaten their personal accounts, such as how to protect Gmail and Facebook accounts, per O’Hare.
- Focus your efforts. Develop awareness and training programs that address your known and anticipated vulnerabilities and threats. Your goal is to give people enough information to be vigilant about cybercrime without feeling that the problem is too big to address, or that they are going to make a giant mistake every time they open an email. “We’ve instilled a lot of cyber-fear in people, and it’s actually working against them,” Winterton notes. “We’ve scared people out of best practices, and I think that’s something that we as technologists need to be aware of.”
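The two email fraud patterns described in the list above (executive impersonation and time-boxed wire-transfer requests) lend themselves to a few mechanical checks before a message ever reaches a person. The Python below is an added example written for this page; it is not Mimecast’s product logic and not code from the original article. It runs four indicator checks over three constructed sample messages: an executive’s display name on an address that is not theirs, a sender domain within two edits of the organisation’s own, a Reply-To pointing at a different domain from the sender, and urgency vocabulary combined with wire or bank-change vocabulary in the body. The organisation domain example.com, the executive list, the keyword lists and the edit-distance threshold are all assumptions made for the example.

```python
"""Indicator checks for executive-impersonation ("whaling") and wire-transfer
fraud emails, run over a few constructed sample messages (added example)."""
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (hypothetical): the protected organisation owns
# example.com, and these are the executives most likely to be impersonated.
ORG_DOMAIN = "example.com"
EXECUTIVES = {
    "Jane Doe": "jane.doe@example.com",   # CEO
    "John Roe": "john.roe@example.com",   # CFO
}
# Vocabulary of a time-boxed payment request; tune to your own traffic.
URGENCY_WORDS = ("urgent", "immediately", "today", "asap", "before close")
PAYMENT_WORDS = ("wire", "transfer", "payment", "routing", "new bank", "account details")
LOOKALIKE_MAX_EDITS = 2  # e.g. exarnple.com is 2 edits from example.com


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (used for look-alike domains)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyse(raw: str) -> list[str]:
    """Return the indicator names triggered by one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    findings = []

    # 1. An executive's display name on an address that is not their real one.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        findings.append("display-name-impersonation")

    # 2. A sender domain that is a near miss of our own.
    if (from_domain and from_domain != ORG_DOMAIN
            and edit_distance(from_domain, ORG_DOMAIN) <= LOOKALIKE_MAX_EDITS):
        findings.append("lookalike-domain")

    # 3. Replies silently redirected to a domain other than the sender's.
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")

    # 4. Urgency plus wire/bank-change vocabulary in the body.
    body = msg.get_payload().lower()
    if any(w in body for w in URGENCY_WORDS) and any(w in body for w in PAYMENT_WORDS):
        findings.append("urgent-payment-request")
    return findings


# Constructed sample messages for the example (not real traffic).
SAMPLES = {
    "legit": (
        "From: Jane Doe <jane.doe@example.com>\r\n"
        "To: payments@example.com\r\n"
        "Subject: Q3 numbers\r\n"
        "\r\n"
        "Attached are the figures we discussed.\r\n"
    ),
    "whaling": (
        "From: Jane Doe <jane.doe.ceo@webmail.test>\r\n"
        "To: payments@example.com\r\n"
        "Subject: Quick favour\r\n"
        "\r\n"
        "I need you to process an urgent wire transfer today. "
        "I am in a meeting, do not call.\r\n"
    ),
    "lookalike": (
        "From: Accounts Payable <ap@exarnple.com>\r\n"
        "Reply-To: ap@billing-update.test\r\n"
        "To: payments@example.com\r\n"
        "Subject: New bank details\r\n"
        "\r\n"
        "We have switched banks. Please use the new routing number below "
        "for all future payments, effective immediately.\r\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10s} -> {analyse(raw) or ['clean']}")
```

The indicators are a triage signal, not a verdict: a legitimate vendor whose domain happens to be one letter away from yours would trip the look-alike check, which is exactly why the text insists on an out-of-band protocol to allow, authorize and process a wire transfer. In a real gateway the same checks would sit alongside the SPF, DKIM and DMARC results recorded in the message headers.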
Mimecast Secure Email Gateway uses sophisticated, multi-layered detection engines and threat intelligence to protect email data and employees from malware, spam, phishing and targeted attacks, delivered 100% from the cloud.
With over 20,000 customers, Mimecast’s adaptive systems constantly improve their defenses to block both known and unknown threats. Contain spear-phishing attempts by checking every URL for threats, and make sure spam and malware never reach your email system.
Most organizations have no solution for preventing data leakage through email. With Mimecast, policies are set centrally, so organizations do not risk compliance and policy violations whether their email environment is on-premises, cloud or hybrid.
Mimecast is the platinum sponsor of the UK-NL Cyber Security Showcase. Visit Mimecast for more information.
In May this year the world witnessed the largest ransomware outbreak in history, with over 250,000 computers in more than 150 countries held to ransom by the WannaCry ransomware worm. WannaCry spread by exploiting a vulnerability in the Windows Server Message Block (SMB) protocol (MS17-010, for which Microsoft had released a patch in March 2017) and affected public and private sector organisations including Britain’s National Health Service and global companies such as FedEx, Renault, Nissan, Hitachi and Telefónica.
The outbreak had serious consequences: hundreds of thousands of computers became unusable almost instantly, hospital appointments were cancelled, lives were endangered, transport links were suspended, employees were sent home and business operations ground to a halt. Yet for all the disruption it caused across the globe, the criminals collected only around £105,000 worth of bitcoin in pay-outs, a paltry sum for an attack of this scale. Since the attack the bitcoins have been moved, probably by the criminals, one by one to new wallets, awaiting further laundering and an eventual cash-out.
But what has changed since WannaCry and what lessons have we learnt?
Although cyber-attacks are not unusual by modern standards, the local impact of WannaCry truly opened the public’s eyes to the potential of large-scale malware attacks. Earlier ransomware families such as Locky caused comparable disruption, but WannaCry and its consequences have forced information security and information assurance into the spotlight more than ever before. Since May a successor, Petya (and derivatives of it), has been circulating, causing further real-world damage as well as ‘logical’ damage to systems. Ransomware has ‘come of age’ in the international consciousness, yet many organisations are simply not doing enough to safeguard themselves from this often untargeted, unforgiving and relentless threat.
Holistic Cyber Security
The ‘WannaCry’ attack highlighted the level of global interconnectivity, with over 150 countries affected. It also brought into sharp focus the fact that end-to-end encryption and the Internet make it almost impossible to keep everything under effective surveillance. Implementing the principles of holistic cyber security is essential for businesses; these include effective training and understanding for situational awareness, more nuanced risk appetites, and secure intelligence sharing on an international basis. Whilst Brexit may mean changes to the physical border of the United Kingdom, it must not disrupt the ability to share critical information securely and dynamically, particularly given the evolving international component of malicious threats.
It took twenty years for Robert Hanssen to be discovered; he was arrested as he made his final dead drop, leaving classified intelligence under a bridge for the Russians to collect. He was undoubtedly one of the most capable double agents in US history, having spied for three different Soviet and Russian intelligence agencies in the 1980s and 1990s while working in counterintelligence for the FBI. At one point he even led the investigation against himself when the FBI grew suspicious of a mole. Hanssen was also one of the first ‘moles’ or ‘insiders’ to use basic hacking techniques to obtain information from FBI computers. He caused unprecedented damage to the FBI, its operations and its people. Before his arrest the FBI’s security programme was based on trust: pre-employment screening was limited and in-employment screening non-existent. The case made clear that simply trusting people with such secrets could not continue, and that a new vision of managing insider risk was required.
The internet fundamentally changed the problem of ‘insiders’
Fast forward to the present day: computers are fully intertwined with our lives, and the internet has changed insider risk at every level, including how we respond to minimise it. Much of our world has moved from physical to online space. Most organisations have become fully digitalised and use the internet for distribution, and so have we: our behaviour, our work life (working from the cloud) and our private life (Facebook) have become intertwined. Access to and availability of information is now heavily facilitated by the internet, at very high speed. The flip side is increased vulnerability to information leaks. Chelsea Manning and Edward Snowden demonstrated the vast amount of information that can be taken from even the most secure agencies in the world, and they were also able to achieve global reach by distributing that information via the internet at great speed. The impact has therefore been enormous.
Insider versus whistle blower
Both Manning and Snowden instigated and even polarised the debate between whistleblowing and being an ‘insider’. To a certain extent this raises the question of who actually ‘derailed’: the person, the organisation or even the institution of government. Their cases make an important point: whatever the label, an organisation always has a responsibility to uphold strong ethical standards and to have proper processes, procedures and care for its employees so as to promote a healthy culture of trust. At the same time, this organisational ‘health’ and care for the employee requires a good understanding of the indicators of ‘derailing’ employees. And here is the good news: people do not derail instantly. Case after case has shown that it is a gradual process in which the environment plays its part and is thus also part of the solution.
Roads to derailment
Debates about right or wrong, insider or whistleblower, have often obscured the similarities between people accused of espionage, theft of intellectual property, sabotage or acts of violence. Perhaps surprisingly, there are clear commonalities among disgruntled individuals in their predispositions, motivations, experiences and interactions with their environment.
Understanding that there is a pathway means understanding that there are options for prevention, detection and early response. The “critical pathway to insider violations” (Shaw and Sellers) describes a pattern of cumulative risk factors, but also a role for the environment in mitigating the risk. So why is this important to know?
Solutions require a comprehensive effort in technology, processes but especially people
Depending on risk profile and risk appetite, vendors offer organisations technological solutions for gaining a better understanding of employee online behaviour and intervening early if employees cross ethical and organisational boundaries. Nowadays much activity is online, and the risks have moved online too. However, the pathway shows that such a tool can never be a standalone solution, nor the starting point for one. The ‘why’ comes first: why is such a solution needed? That comes down, first and foremost, to understanding organisational, system and employee risks. Only then can proportionate action be taken to maintain a safe working environment for all, with respect for company culture.
The pathway or road to derailment also indicates the need for comprehensive action: action and due care towards the employee at every step of the way, from recruitment to the end of employment or even beyond. Actions within the organisation include the risk assessments already mentioned, policies and controls, detection, incident response mechanisms, governance and living by the book. Practising what you preach!
No quick fixes!
There is no single quick fix, but there are good steps that will improve an organisation’s ability to manage such risks, on both the technical and the non-technical side. Digitalisation requires a more systematic approach to building and operating systems that detect early warning signals. However, we don’t just live and work online; we are still physically present somewhere as well, and hopefully interacting too! Your employees are often said to be your weakness, but let them be your strength in detecting odd, off-the-mark behaviour, not because a colleague might be derailing, but because you care for each other’s wellbeing. When you get to work tomorrow, try to be aware of your colleagues’ personal and professional stressors and what can be done about them!