Cybercrime, cyber espionage, and cyber warfare are in fact part of a continuum; we cannot disaggregate some of the risks, he told the Whitehall think-tank on January 11. He suggested that those who leave themselves vulnerable to cyber frauds ‘make themselves part of a national security threat’. He said: “For example, the confusion caused by the attack may be used as an opportunity to implant malware into the system which can subsequently be used to extort ransom by threatening to cripple the system itself. Nokia were recently a victim of such an attack when blackmailers successfully persuaded the company to part with a suitcase containing millions of dollars in exchange for a crucial piece of smart phone software.”
As for espionage, he pointed to the failure of companies to properly security-clear the most junior staff, especially those such as cleaners. “A few minutes, while they clean an office or a room, can be enough time to insert a USB into a computer port and infect the system with malware, especially where employees add to the risk by leaving computers on while they simply switch off their monitors. How many of us can honestly put up our hands and say that we have never been guilty of this particular piece of negligence?”
If someone asks to use your mobile phone to make a quick call because they have left theirs at home, think twice, he advised. “Likewise, when someone offers you the use of their laptop or tablet to access your email account, or asks for your password, it may be the key to opening up vast amounts of data that you would not want them to have.”
As for the crime, the Conservative MP said: “Cybercrime has at least three elements which make it more attractive: it is generally low risk and high return, it largely has the advantage of anonymity and it often goes unreported.” And he described cyber warfare as based upon the ability to bring developed rivals, who depend on advanced technologies, to their knees by denying them IT.
As for what to do, while it is no more than common sense to install anti-virus software on our computers, we would be wise not to put too much faith in this as a means of protecting us, he said. He touched on the security of business and supply chains. “Those involved in cybercrime or espionage, in particular, will be looking to find the weakest link as a way into a wider system and minimum standards of cyber security need to be applied not just at the highest level in any business chain but throughout.”
He called for two changes to the law. First: denial of cyber intrusion is too often the response of companies worried about their reputation, he said. “This encourages entirely the wrong culture. If the fund holding my pension is being hacked and my money lost, I want to know about it. That is why I believe the government needs to change the law to make it illegal to be hacked without informing shareholders and other stakeholders.
“The second change I believe we need is in relation to those who do business with government. As I have already pointed out, it is much easier to penetrate a small company in a supply chain than a major organisation such as the Ministry of Defence. That is why I believe the government should insist, legally, that any organisation that does business with government should have a minimum defined level of cyber security or they will be excluded from government contracts.”
For the speech in full visit http://www.liamfox.co.uk/news/war-invisible-enemy.
Terry Greer-King, director of cybersecurity, Cisco UKI, said after the speech: “The persistence and complexity of cybercriminal activity today has meant that it is no longer a case of if businesses will be targeted but when. It is therefore critical that organisations protect the business and their customers by adopting an integrated, threat-centric security policy that addresses the entire threat continuum – before, during and after an attack.
“Given the extent of the issue, businesses of all sizes need greater awareness of the current threat landscape to ensure they are best prepared to protect against the risks, therefore we welcome the call for greater disclosure around the number and severity of hacks taking place. Collaboration between enterprises, government and law enforcement is vital to allow for efficient detection and remediation of cybercriminal activity.
“Proactively addressing cyber risk is crucial, as Cisco research reveals 60 per cent of data is stolen within the first few hours of an attack, while 50 per cent of attacks manage to persist for months if not years without detection. This means that by the time a company realises they have been breached the damage has most likely already been done. Addressing the time it takes to detect an attack will have a huge impact on the severity of an attack, yet greater awareness and industry collaboration is needed to solve this.”
Clayton Locke, CTO at digital banking software firm Intelligent Environments, said: “Making it compulsory for companies to come forward when they have been a victim of cybercrime would definitely mark a strong step forward for consumers. Firms need to do all they can to protect their customers online and they must certainly be held accountable when their details may be compromised because of a security breach.
“However, it would be best for regulation of this nature to be accompanied with adequate support to help companies defend themselves against cybersecurity threats. Firms, especially small ones, would benefit from more advisory help. As Liam Fox referenced in his speech, vulnerabilities often occur due to a lack of understanding. There needs to be more education for businesses to help them understand the threats of cybercrime and how to negate them, rather than purely a regulatory requirement.
“The reality is there are still gaps and vulnerabilities in companies’ software systems that must be closed. At present, the easiest way to break into someone’s bank account – for example – is to get their valid user ID and password. Social engineering bypasses the traditional cyber-security of user IDs and passwords – the hacker just steals valid credentials and they’re in.
“Financial services (FS) companies also have an important role to play. Perhaps nowhere else is data security more paramount than in this industry, and providers need to up their game in order to address threats in real-time. Currently, the FS industry has invested heavily in securing the ‘perimeter fence’ of security. There is very little attention paid to securing the business applications themselves. It should be obvious by now that relying on perimeter security to prevent data breaches is a seriously flawed strategy. Organisations now need to look past the point of entry for hacking threats; criminals will always find a way in. Just as with building security, where systems include alarm systems and sensors both at the point of entry as well as within the building, banks also need to focus on cyber-security within the banking application itself.”
And Chris Wysopal, CTO and CISO at Veracode, said: “There is no question that responsible disclosure is a good policy, however globally there remains limited precedent for it. In the US, companies listed on the NASDAQ Stock Market or the New York Stock Exchange are required to notify the public if the leaked information would ‘reasonably be expected to affect the value of a company’s securities or influence investors’ decisions’. While in Europe, the General Data Protection Regulations, set to come into force in 2018, will require companies to tell the DPA and the data subjects if a breach occurs. But while a good precedent, the cyber liability trend is being tied to the damage of the breach itself and where the organisation’s previous cybersecurity measures were not found to be reasonable. For instance, the case of Wyndham Hotels in the US affirmed the Federal Trade Commission’s authority to hold companies to account for failing to securely store customer data, and the UK government launched an inquiry after the most recent Talk Talk breach.
“It’s extremely positive to see that British MPs are engaging with the problem of cybersecurity and considering what legislative steps they can take that will enable them to positively influence corporate cybersecurity culture. We know that personal liability and regulation can have a massive impact on changing norms and encouraging safer behaviour: just this month marks 50 years since the first seatbelt legislation in the UK which has subsequently saved thousands of lives. It is essential that companies take cybersecurity seriously and if such measures would force them to address these threats more comprehensively, it can only be a positive thing.
“If we don’t talk about breaches no one gets blamed. No one did anything wrong. No one is liable. No outside criticism, positive or negative. But if we do this no one learns. Well except for the attackers. They learn. In engineering we learn from every failure. Structural engineers study bridge failures or building failures so they can learn to not make the same mistakes. Pilots and aeronautical engineers learn from every plane crash how to improve procedures, the manufacturing process and the design of planes. Keeping the engineering and process that led to security failures is like science and engineering in the old Soviet Union. It didn’t turn out so well for them compared to the open science and engineering of most of the world. Secrecy hurts the builders and defenders of secure systems and helps only the attackers.”