Bruce Schneier keynote from the ISF conference

I recently attended, and presented at the ISF annual congress in Berlin.  One of the highlights of the conference was the keynote talk from Bruce Schneier.

The talk focussed on some of the current developments in IT, the internet, machine learning, IoT (Internet of Things), and what these may mean for IT security and basically everyone’s safety and security.

My notes from the talk are below, they are relatively rough, but I thought worth sharing as there are some great points and things to think about!

Internet now Senses, Sees and Acts – definition of a Robot?

Does this mean we are building a world size robot?

It’s a distributed robot…

Combination of;

Mobile, cloud, persistent computing, big data, IoT

And Autonomy..

 

This means – Computer security becomes Everything security…!

That means that all the things we understand from patching and vulnerabilities to security vs. complexity to network effects become relevant to everyone / everything.

As computers become more integrated with real life – medical, cars etc.  We likely move from confidentiality being the most important part of the security ‘triad’ to safety..

How do we deal with things like;

Algorithms that choose where police go or who gets parole?

How can we allow police to safely stop a car, vs. criminals being able to stop any car?

 

Tech / security arms races;

  • Spam
  • Click jacking
  • Ad blocking
  • Credit card fraud
  • ATM fraud

 

5 trends affect this security arms race (currently, may change in the longer term);

  1. Attack is easier than defence
    1. For a bunch of reasons, like complexity
  2. New vulnerabilities in the interconnections
    1. The more you connect things, the more vulnerabilities in one thing can affect another
    2. E.g. recent massive DDoS – was from cameras etc. – so vulnerabilities in these led to massive impacts elsewhere
  3. More critical systems mean more power to attackers
    1. Internet allows criminals to scale
    2. Allows attacks from anywhere / everywhere – e.g. I live in the UK, so don’t care about burglars living in Germany.  But with connected systems I can be attacked from anywhere.
    3. You don’t have to worry about the average attacker, you always have to worry about the best, as the best guy will be the one writing the tools..
  4. The economics of computer security don’t trickle down to the Internet of Things
    1. E.g. how do we secure and patch the billions of very low value devices
    2. Computers and phones – updated all the time, staff at MS etc employed just to patch
    3. Low cost embedded systems – written somewhere, dev / company moves on.  Some can’t even be patched.  So the only way to patch is to throw away and replace.  Is this a viable patch strategy?
    4. We also regularly replace things like phones and computers – this provides improved security and ensures updates.
    5. IoT stuff isn’t like this.  How often do you replace your DVR, your home thermostat etc?? 5 years, 10 years? Never??
    6. Owner and producer of these devices don’t care about the issues.
  5. Copy write laws, make it very hard to do security research on these devices
    1. It can be illegal to circumvent the security of these devices, even for research.
    2. Criminals don’t care, obviously.
    3. Criminals will do the ‘research’ and will hack the devices.
    4. Researchers likely will not do the work if they will be threatened and unable to publish the research..
    5. How will we ever improve?

How to fix this;

  • Do it right in the first place
  • Agile security- rapid prototyping, fix failures fast

 

Doesn’t work – Chrysler recalled >1M cars to update software

Does work – Tesla – remotely updated software of all cars

 

Technology and Law must work together or both will fail

Example – Snowden papers showed that technology could circumvent the law, as well as the other way round

Need clear government policies on this

Do we need a new regulator for this stuff?

What regulations do we need?

Does this need to be international, not national?

Governments will get involved, can we lead this to help drive sensible and usable regulations?

 

Main points

  • IoT changes everything – computers impacting the world in a physical manner
    • Less off switches
    • Not designed just growing
  • Threats getting worse in several dimensions
  • This is all coming, fast.  Government involvement is coming
  • We need to get ahead of this – we need to start making serious choices.  We need relevant, workable laws.  We have moral and ethical choices to make.
    • We need to change how we code.
      • When software didn’t matter we let developers code how they wanted and how they saw the world..  Bugs just get fixed later.
      • Now when lives more and more st stake we need society to decide what is OK, and hold developers to account.
  • We need to bring together policy makers and technologists!

 

Government response will be fast and likely unplanned – e.g. ransomware against cars – millions of people cant get into cars.  OR power plant goes offline.

This will lead to very fast and possibly badly thought out action, and regulations

Hence the need for us to get ahead of this!

We wont get to choose – once lives at stake you don’t get to decide if you’re regulated.  Airlines, drug companies etc.  Don’t get to say hay don’t regulate us..  Once internet / IoT etc as important as drug companies it will have now choice but to be regulated.

 

Do we really need to connect everything together?

E.g. could some systems (SCADA for example) connect to a SCADA only network?  Not a new internet, just secure / controlled networks for some systems?

Does believe we will solve this, but it is challenging 🙂  He is actually optimistic about this!

 

I’m sure you will agree, some great thinking points.  We live in very interesting times, IT security is going to become increasingly critical as more and more systems that genuinely and immediately affect life become connected to the same internet as everything else.

What are your thoughts?  Can we safely and securely enable all of these interconnected systems?

K

 

 

Low friction, secure online payments

Online payments whether made from a traditional PC or any mobile device must be secure, strongly resistant to fraud, and convenient.

Currently online payments suffer from a couple of key issues relating to ease of use and security;

·         Extra security features such as 3DS (3D Secure) provide a frustrating consumer experience.  This leads to consumers abandoning shopping carts and merchants disabling the feature where they are provided the option to do so.

·         False rejections of payments by the issuers, again this provides a terrible user experience and shopping cart abandonment.

 

Both of the above issues lead to frustrating situations.  Examples of these are when people forget their 3DS credentials, or when you call your bank to be told the rejection was because of the merchant, then the merchant says it was the bank!

 

In addition to this the upcoming EU rules on electronic payments authentication, how we verify that the person who is paying is the right person, are likely to add to this complexity.

 

These regulations are the Revised Payment Services Directive (PSD2).  They have three objectives: harmonization, innovation and security.

On security, PSD2 requires ‘strong customer authentication’ to be applied for all electronic payments in Europe.  Strong authentication in this case refers to using at least two of these three factors;

·         something you know such as a password,

·         something you have such as a card

·         something you are, for example, a biometric.

 

The EBA (European Banking Authority)  is responsible for the regulatory technical standards to deliver strong customer authentication.

 

The above issues and potentially increasing complexity leads to a poor experience and shopping baskets being abandoned.  This is due to either friction in the process or false rejections of payments by the issuers.

 

So how can this situation be improved upon? We need a solution that meets the needs of consumers, merchants and issuers as well as the intent of the proposed PSD2 regulations?

Breaking these down;

 

Consumers want a safe, seamless and reliable payments ecosystem.

Merchants want a safe, seamless and reliable payments ecosystem that maximises consumer spending and minimises fraud.

Issuers want a safe, seamless and reliable payments ecosystem that maximises consumer spending and minimises fraud.

The EU and EBA want a safe, seamless and reliable payments ecosystem that maximises consumer spending and minimises fraud.  Additionally they specify through PSD2 that we must verify that the payer is the correct person using ‘strong authentication’.

 

As you can see the needs of the majority of people in the payments ecosystem are basically the same, safe, seamless and reliable payments!

 

Can we solve this and provide a solution that will minimise fraud, improve acceptance rates while maintaining or improving the customer experience.  The short answer is YES.

 

By combining advanced authentication solutions with card details it is possible to provide strong assurance that a user and card are correctly linked and that a payment is genuine.

 

Utilising relatively simple code and an authentication solution fast enough to be in the online transaction flow enables us to reliably link a card to a device.  Note when I say device I include laptops / desktops as well as phones and tablets etc.

 

By doing this we can immediately identify multiple attributes about the card, device and behaviour such as;

  •  Have we seen this device and card combination successfully used before?
  • Have we seen the same name on a different card from this device before?
  • Does this behaviour align with previous successful payments from this combination such as volume, velocity, amounts etc?
  • Where were these payments made from?

 

This is in addition to all the traditional fraud analytics applied to the card behaviour alone.

 

3DS can still be incorporated if required, even with all this additional information.  However its use can be minimised by asking questions such as; 

  • Have we seen successful 3DS from this device and card combination within a predefined period? 
  • have we seen the same name on a different card from this device successfully authenticate with 3DS?

If so then trust this as if it was a 3DS payment.  This would enable the ability to provide the assurance of 3DS, while minimising it’s adverse impact.

 

This requires some innovation and for the issuers, schemes and processors to work together, along with the EBA recognising that this meets the intent of their proposed regulations.

What are the next steps?

Schemes and issuers, work with the processors to enable these benefits.  Accept greater assurances and risk based decisions from processors.  A higher payment acceptance rate and lower fraud, all with minimal effort clearly benefits everyone.

To the EU, EBA and those writing PSD2, engage in the discussion and realise there are ways to meet your intent without adversely affecting the payments ecosystem.  Intelligence and innovation can provide ‘strong authentication’ without the need for any extra complexity in the payments process. We can in fact reduce the friction while improving the security.

 

Everyone involved in the payments ecosystem wants pretty much the same things, let’s be innovative and achieve these in ways that improve the experience for merchants and consumers.  This ultimately improves things for everyone!

 

Feel free to contact me via this blog, or find me on LinkedIn to discuss further and if you’d like to know some more details around how this really can work in practice.

K

Gartner Security and Risk Summit; Cool Vendors

 

Hi All,

I know I promised a post on the insider threat and how to best manage the risk.. That is on it’s way, it’s a big topic!

In the mean time I attended the first day of the recent Gartner Security and Risk Management Summit earlier this week.

While not deeply technical or focussed on a specific risk topic, the presentation on their top 10 ‘cool vendors’ was quite interesting.  In a similar way to my recent ‘Innovative End User Technology Security’ post, this one will hopefully give you some new vendors to consider when solving issues for your business.

The Gartner definition of ‘Cool Vendors’ is that they are;

  • Technologies that help security leaders embrace;
    • New approaches to business enablement
    • New approaches to threat prevention
    • New responsibilities for IoT, OT and embedded systems
  • On the left of their own ‘hype cycle’

They must however be real vendors with solutions that are available today, not vapourware or soon to be released.

The recommendation is that action, even if it is just investigation and understanding, is needed today.  This is to help ensure the security of your organisation today and tomorrow.

Things you should be asking when looking at your organisations security architecture and defence in depth / diversity strategy;

What technology areas should information security invest in, to;

  • Protect digital assets from advanced and targeted threats?
  • More rapidly adapt to changing digital business requirements?
  • Support building a next-generation intelligent SOC capability?

Which interesting vendors and solutions should be investigated in order to achieve these goals?

The presentation split the ‘cool vendors’ into 10 categories across 3 groups;

  1. Threat Facing
  2. Enablement and Access Facing
  3. Intelligence-Driven SOC

 

  1. Threat Facing

These are technologies primarily aimed at detecting or preventing malware and attackers.

EDR – Endpoint Detection and Response

New solutions that aim to respond to advanced attacks that evade traditional endpoint protection solutions.  If you know compromise is inevitable and are looking at ways to improve your end point protection companies in this space should be considered.

Example players in this space include;

  • Tanium
  • CounterTack
  • Carbon Black
  • Cisco
  • FireEye
  • Cybereason
  • CrowdStrike
  • RSA
  • Ziften
  • Triumfant
  • Confer
  • Bromium
  • Invincea
  • Symantec
  • Intel
  • Trend Micro

Non Signature Approaches for Endpoint Prevention

Solutions that use technologies such as machine learning, exploit prevention and memory injection prevention.  The aim of these is to supplement or replace traditional signature based / ‘heuristic’ anti malware solutions.  Another possible application is where project to implement timely patching and maintenance of systems have stalled and compensating controls are required.

Example players in this space include;

  • Cylance
  • Palo Alto Networks
  • SentinelOne
  • Morphisec
  • Bromium
  • Deep Instinct
  • Invincea

Remote Browser

These are solutions that separate the browser function from the local desktop.  The premise being that a lot of attacks originate from malicious or compromised sites on the internet.  If you can separate the browser into a secure environment and effectively just send a video and audio stream to the desktop you can prevent these attacks.  This is the category that the Garrison solution I previously wrote about fits into.

Example players in this space include;

  • Spikes Security
  • Menlo Security
  • Light Point Security
  • Authentic8
  • Fireglass

Microsegmentation and Flow Visibility

These solutions can provide visibility can control of east-west traffic flows across the enterprise.  The aim of this is to detect and prevent lateral movement of attackers or malicious users across the network.

Example players in this space include;

  • VMware
  • Cisco
  • Illumio
  • vArmour
  • Trend Micro
  • Catbird
  • CloudPassage
  • GuardiCore

Deception

Technologies designed to device attackers into thinking closely monitored security systems are real business systems hosting data they would want to access.  These have been around for a long time and are often referred to as ‘honeypots’ or ‘honey nets’.  Recently some technologies have become a lot more mature and realistically deployable.  Businesses are also increasingly understanding the need for more advanced security solutions.

Example players in this space include;

  • Attivo Networks
  • TrapX Security
  • Cymmetria
  • GuardiCore
  • illusive networks
  • Javelin Networks

 

2. Enablement and Access Facing

Cloud Access Security Brokers (CASB)

The aim of these solutions is to provide a single point of control for cloud use in the organisation.  These can detect, control and apply various security functions such as access control lists and encryption to cloud use.

Example players in this space include;

  • Skyhigh Networks
  • Netskope
  • CipherCloud
  • Microsoft (Adallom)
  • CloudLock
  • Blue Coat (Elastica, Perspecsys)
  • FireLayers
  • Palerra

User and Entity Behavioural Analytics

No presentation this year would be complete without a mention of behavioural analytics of some sort!

The aim or user and entity behavioural analytics is to analyse and correlate user behaviour across systems and networks for indications or malicious behaviour.  This is in order to detect things like compromised accounts or malicious insiders.

Example players in this space include;

  • Securonix
  • Gurucul
  • Fortscale
  • Splunk
  • Niara
  • Interset
  • E8 Security
  • LightCyber
  • Microsoft
  • Rapid7
  • Exabeam
  • Forcepoint
  • Bay Dynamics
  • BottomlineTechnologies
  • CynetSystems
  • DtexSystems

Pervasive Trust Services

This is a particularly interesting area.  These are trust services that are designed to scale to cover billions of devices, including IoT devices that may have limited processing capability.

This requires a fundamental paradigm shift to the web of trust model with distributed consensus.  We must realise trust is shades of grey, not the traditional yes / no authentication.  If the trust is higher than the risk, proceed.

This is another area I’m likely to write up in more detail as it is an exciting space.  Likely to become a lot more relevant as IoT grows, and also as regulations like PSD2 / GDPR come into play that require more identification and authentication for every payment.

Example players in this space include;

  • Certes Networks
  • CSS
  • ForgeRock
  • ARM Holdings (Sansa Security)
  • Guardtime
  • HyperledgerProject
  • Tyfone

Security Testing for DevOps

Tools and solutions that enable the integration of security testing into the automated DevOps workflow.  This enables secure development and applications, without adversely impacting delivery timelines.

Example players in this space include;

  • Hewlett Packard Enterprise(HPE)
  • IBM
  • Veracode
  • Amazon
  • Contrast Security
  • Synopsys (Quotium)
  • Immunio
  • SecuPi
  • Sonatype
  • Black Duck

3. Intelligence-Driven SOC

These are solutions that aim to provide greater intelligence and orchestration to the SOC (Security Operations Centre) in order that it can scale and spot the key security events.  These tools also enable greater use of threat intelligence feeds to support the SOC.

Example players in this space include;

  • CyberSponse
  • Hexadite
  • I.D. Systems
  • Phantom Cyber
  • Swimlane
  • IBM (Resilient Systems)
  • FireEye (Invotas)

 

I hope this has provided a useful overview of some key areas you should be thinking about in your security strategy.  The companies to look into are a mix or new players and more established companies trying to get into new areas either via development or acquisition – as always interesting times in the security space!

Many of these, especially areas like behaviour analytics and trust are getting a lot of hype, so be prepared for questions from your more security aware board members!

Feel free to ask any questions you have.

K

 

 

Innovative End User Technology Security

Back to something more ‘exciting’ than getting the basics right (which is and always will be critical).

Everyone knows how important it is to apply the myriad of ‘standard’ controls to end user environments such as patching, anti-malware, host IPS, DLP (Data Leakage Prevention), running with minimum permissions and proxying all external access.

However the end user environment still poses the greatest threat to many organisations. This is through a combination of the challenges faced in securing these environments, and the fact that people are often the weakest link in security either due to error, manipulation or malicious activity.

How many end user environments really have all the controls, applied appropriately and consistently to all devices and all users?  This becomes especially true when you consider how broad the end user environment is in many companies in terms of both locations and devices.

How many companies really have a full appreciation of and appropriate control of the ‘insider threat’.  When I say insider threat I don’t just mean malicious insiders, I’m referring to all ways insiders can be a threat to your systems and data, from breaching the rues with the best intention through accidental error to clicking the phishing link, to coerced all the way to the genuinely malicious people.

I’ll be writing a post on the insider threat and how to mitigate it in the near future, keep your eyes peeled!

In light of this I have recently been looking at how to best secure the end user environment, with a view to newer, more innovative solutions.  There are some very interesting innovations occurring in this space at the moment that provide additional / complementary or better protection than the more traditional solutions.

Four of the most interesting solutions I have looked into recently are;

  1. Garrison Technology – http://www.garrison.com/ – providing safe browsing
  2. ReSec – http://www.re-sec.com/ – ensures all the files that get to your end user environment are safe creates replica files with no harmful content
  3. Hypori – http://www.hypori.com/ – virtual mobile infrastructure
  4. Ionic Security – https://www.ionic.com/-  ACL based encryption, anywhere

What do these companies do, and why do I think they are worth highlighting?

Garrison;

The risks associated with web browsing are well known and documented, whether from accessing malicious sites, or accessing ‘trusted’ site that have been compromised.  There are various software solutions that claim to segregate / isolate your browser or it’s tabs from the rest of the O/S, such as Bromium.  If you have concerns with relying on software based security and the fact that the isolation solution could itself be compromised or circumvented by malware on the O/S then there are few choices to provide a good user experience and security when browsing the web.

One relatively new company that is just coming out more publicly that has a great solution to the problem is Garrison Technology.  They provide a hardware solution using ARM chips in a server platform.  These are configured in pairs to provide a solution where the end user device effectively watches a ‘video’ of the internet sites they are browsing.  Even if there is malicious content, all the end user device sees is an image of the content, not the content itself.  I can’t go into too much detail here yet, but the solution appears very complete, allowing images, video, audio etc to be seamlessly viewed in the browser, and also permitting keyboard and mouse data to be sent to the site, so you can browse as normal.  All while effectively having genuine physical isolation from the internet!

There are definitely some great use cases here, fan example would be protecting your users with access to the most sensitive data.

ReSec;

Malicious files reaching the end user environment are a huge risk, whether as email attachments or downloaded files.  For many years the anti malware industry has been playing catch up with increasingly complex solutions comprising traditional AV, heuristics engines, virtual execution environments etc.

How much safer would you be if the files reaching the end user environment were guaranteed to be safe and free from malware?

This is now possible, ReSec offer a solution that will decompose files like pdfs and office documents, then rebuild the content into known good templates that contain no malicious content.  They call this Disarm and Reconstruction.  Using this technology any potential malicious content isn’t just blocked or stripped out, the whole file is recreated containing only known good content.

This capability is obviously starting to get noticed as I have seen some similar capabilities in Checkpoint literature, so it may be becoming more mainstream in the near future.

Hypori;

This is a very interesting one, they offer cloud based mobile phone capabilities.  The idea here is that mobile devices are holding more and more data, and are being permitted to access more of our environments.  As such they are becoming an increasingly attractive attack vector.  Mobile devices can also be notoriously hard to control, especially when you need to balance control with usability expectations.

What if you could move all of your phones capabilities to a secure, managed cloud based virtual ‘phone’, effectively turning your smartphone into a glorified terminal?

Hypori offer just such a solution with the capability to support calls, SMS, applications, video calls, in short pretty much everything your phone can do locally.  The key benefit here is that there is never sensitive data on the phone, it is all on the virtual device in the cloud.  So if your phone is hacked or lost, there is no risk to your data.

If you are working on your mobile strategy or have an upcoming mobile refresh I’d highly recommend investigating this or similar solutions.  Like the Garrison solution above, executives and key users with access to sensitive systems and data would be great initial use cases.  Depending where you work geographically, but I can think of a few countries where providing this solution to your teams would definitely benefit your security posture!

Ionic Security;

Encryption, encryption, encryption!  This is definitely one of the topics of the moment.  Many organisations are getting pretty good ad encryption of data at rest, and basic encryption of data in transit.  But how do we ensure our data stays encrypted where ever it is, whatever device it is on?

With most solutions, once a permitted user has access to the data they can then save it or forward it on unencrypted.  This is to me a pretty large hole in most companies data security strategies.

Ionic have a solution that plugs into various applications such as office tools and embeds itself into each file that is created. Using uniquely generated key pairs for each file, or element in the file, Ionic encrypts the data based on ACLs.

Then no matter where the file is sent or what device it is on you can only open the file or see the redacted elements if you have the Ionic solution and are listed in the ACLs.

It has a pretty decent user experience with a ‘splash’ page being shown if you can’t access the file informing you what you need to do, and all the key management is internal to the solution with the capability to scale to trillions of key pairs.

Having seen a demo of this I can agree it is easy to use and appears to work pretty seamlessly.  There are some excellent use cases outside of the obvious one of all your files always being encrypted and no one being able to access them who is not permitted to.  Think for example of a legal document where some of there content is public, but certain elements such a company names or monetary amounts may be highly confidential.  In this example you can encrypt just those ‘elements’ that need to be confidential so only the valid users can see those and for everyone else they are redacted.  You can also have different permissions, e.g. some people can view and some can edit a document or element within the document.

I hope you have found this interesting, I’ll write up some more details on these and other solutions as we progress our investigations.  What solutions and capabilities are you currently looking at to secure your end user environments?

K

Justifying Security Spend

Given that  this often relates to proving a negative, justifying security spend can be extremely challenging.  Before we continue, I’ll freely admit I don’t have all the answers here, but wanted to share some of the things I’ve been thinking about and discussing recently about just how hard this is, and possible ways to help.

We weren’t hacked therefore we spent enough..  Did we spend too much?  Could we spend less and still ‘not be hacked’?

We suffered a data leak, did we not spend enough?  Did we spend on the wrong things?

 

One example I am using to demonstrate how hard it could be to justify seemingly obvious security spend is around DDoS.

Take the following scenario;

Your organisation has suffered some DDoS incidents, these were volumetric attacks and the board urgently wants protection from these types of attacks in place.  You duly implement a premium cloud service, and provide them with an overview of the service and how it protects against volumetric attacks.  Over the next few months the service proves it’s worth and protects the business from any further attacks.

The next year, gaining approval for spend on this service is easy, everyone knows what it does and that it is needed.

Over time volumetric attacks against your business cease to occur, and a couple of years later the board are challenging the need for a large spend on protection from these attacks.

However the question clearly is; did the attacks cease because you are no longer a target of this type of attack, or because it is common knowledge you have very effective protection so there is no point in launching these attacks against you?

 

From this example you can see that justifying spend on something as seemingly obvious as DDoS protection could be challenging as how do you go about proving why the malicious actors have not done something?

 

Taking another example I read in the most recent issue of the ISACA magazine;

Before the Best Buy breach, what were the chances that they would be a target and suffer a breach?  After the Best Buy breach, what are the odds they will be breached again?

 

We have models for things we think we can predict from sporting events to the weather that have varying degrees of accuracy.  However the various malicious actors that could be targeting your organisation do not act in ways we can easily predict and quantify.

So given this how do we clearly state to the wider business the actual likelihood of an event, and the impact?

I’ll leave the impact discussion for now, but while it many seem more obvious, consider the wide range of impacts and how hard they can be to accurately quantify.  It is relatively easy to state how much you loose for a given amount of downtime, but how long does reputational damage last? How many sales are lost over the next year with downtime or a breach being factors in the customers decision? etc.

 

Some key things to help this situation include;

  • Moving the security discussion from IT to the ‘business’, all security risks are actually business risks, or translate directly to business risks.
  • Running scenario based exercises with the board to understand their risk appetite and educate them around what can happen and the impacts it would cause.
  • Gathering industry information on the prevalence of attacks and breaches against what are considered ‘peer’ organisations to understand the threat landscape you are operating in.

What are your thoughts?

How are you ensuring the  executive board and the wider business understand the need for the security spend and how you are managing risk?

 

Thanks!

 

K

CYBERRisk Europe conference

I’ve spent a little time at the CYBERRisk Europe conference this week, both as an attendee and as part of a panel discussion.

One of the most interesting things about this conference is it has been formed as part of the OpRisk Europe conference.  This is a conference focussing on Operational Risk.  I think it is great that people are trying to bring these things together as while “Cyber”, however you choose to define it, is a category of risks, these all come back to business / operational risk and impact.

Cyber / information security / <insert latest buzz word name here> risk must be considered as a part of the overall business risk, while the people assessing the risk may be from different teams this still needs to feed into one central, organisation wide process.  Doing this ensure all risks are considered together, clear business owners of any risk can be identified, and those owners along with the wider board have a clear view of their cumulative risk.

I don’t think that many companies are necessarily there yet, but brining your risk processes and recording / reporting under single organisation wide umbrella would definitely be beneficial.

Other highlights from the conference included some great discussions around;

  • The importance of working with your business and the board to understand and define the risk appetite
    • A great way to help with this is to use various scenarios around what is and isn’t acceptable
  • Ensuring Security is seen as a business, not IT issue, despite Cyber being very IT centric
  • Using Cyber exercise and playbooks
  • The fact that Cyber / Security is a ‘wicked problem’ – look this up!
  • How related Cyber and wider risk is, but that Cyber is likely a faster moving space than organisational / operational risk are used to
  • Where the CISO / security organisation should sit in the organisation.  There was not consensus, other than not within IT, especially for regulated industries.  Thoughts included within the CRO or COO office, or even the CEO office
  • The need to think outside the box to find better ways to solve difficult security problems was frequently discussed – think of the Gordian knot.  Are we solving security problems in the right way?
  • Ensuring that the relevant people in the business understand and care about cyber risk is key to getting buy in for the correct mitigation / remediation / acceptance decisions
  • Being realistic about aspiration vs. realism vs. appetite, for cyber risk – but likely applies to many areas!
  • The fact that contain and respond need to be seen as at least as important as prevent and detect
  • The importance of people, culture and awareness as well as tools and processes must not be overlooked
  • How challenging it can be to justify cyber / security spend, even for seemingly obvious things as we are often ‘proving the negative’ – more on this in a following post.

 

This was a relatively small conference, but well focussed, with some good content and discussion, I’d definitely recommend it.

If you have any questions about the above topics, feel free to ask and I will happily expand on them.

Cheers

K

We must not forget the basics!

Short and sweet post today!

While I regularly talk about new security things such as predictive analytics, machine learning and making security a profit centre, we must never forget the basics!

I was recently asked how I would spend a limited security budget, by a vendor after I suggested HSMs were possibly not the best investment vs. other capabilities if your physical environment is secure, but that is definitely another topic!

My response was that regardless of the latest new security trend or capability, getting the basics right has to come first.  I don’t recall where I first heard it, and it’s certainly not original but the mantra;

“Be brilliant at the basics”

This definitely applies to security as much as many other areas.

I’m not going to list what I consider to be the basics here, I have talked about them before, and there are plenty of great sites covering this topic already.  Two places I would recommend looking are;

SANS / CIS critical security controls for a general list of key basic controls you really must have in place;

https://www.sans.org/critical-security-controls

OWASP top 10 for a more application specific list of the basics you need to be getting right in relation to applications, with a focus on web applications, but many of the points can be applied to pretty much any development;

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Happy reading, and remember while the latest tool or solution is likely more interesting, without a solid base of the security basics no matter what you do you will likely be breached via a very simple method!  Fix the ‘low hanging fruit’ first, then do more advanced security.

K

Turning Security into a Profit Centre

Security is still seen very much as a cost centre or necessary evil that is a ‘cost of doing business’.  This, along with a historical challenge around gaining traction at board level has driven the slow move of security to being a key part of most businesses.

This is true even in the industries where security is now seen as critical, and where the board has time and an appreciation for it.  In these industries such as financial services, gambling, big pharma and even gaming, getting funding, resourcing and executive support for security programs is less of a challenge.  However even with this support, the view is still one of security being a cost of doing business.

In order to progress further and make security genuinely a key part of the business, we need to move the conversation on again.

Over the last few years CISOs and security teams have worked diligently to understand their business and speak in the language of their business peers.  This has been a key factor in gaining board support for security.

The next step is to move this further, and work out how security can become a key pat of the business offering for your organisation.

This should likely begin in terms of how you differentiate yourself in the market.  Start thinking along the lines of;

  • How is your companies security different or better than others in the market?
  • How do you ensure your customers data is kept secure?
  • What reassurance can you offer your customers?
  • If your business involves medium to longer term partnerships can you become your customers ‘trusted partner’?
  • Do you have an impeccable record e.g. never been breached, never lost customer data etc.?

The aim here is to think about ways you can make your strong security a part of how your organisation sells itself.  Security needs to become a part of ‘who the organisation is’.  By doing this you’ll move security to the ‘next level’ in the business where is isn’t just a boardroom topic because it has to be, but it is a boardroom topic as a key part of what you do.

By making security a key differentiator for your business, you’ll also make security much more part of the conversation across the business as it becomes part of how your organisation sells itself.

 

Now for the really big bet! Can we move security even further, to not just be a differentiator, but to become something you actually sell?

Whether this is possible or not will depend on your industry, company size, customer base etc.  However if it is possible, think of how powerful this could be!

Imagine not only the benefit to the standing of the security team if you are able to actually sell services and solutions to your customers, but also the benefit to the actual security / risk posture of your organisation!

Have a think;

  • Do you hold large volumes of data on your customers, or their customers?  Could this be used to provide valuable security analytics such as fraud or unusual behaviours?  Could it even be used to provide predictive analytics?
  • Do you run enterprise scale services that you could provide at a relatively low incremental cost to your customers such as encryption, tokenisation, authentication,  …?
  • Could you support your customers in achieving compliance with whatever regulatory environment you work in?
  • Is it possible to securely host your customers services in your own DCs?  This has the added benefit on ensuring communications from the customers systems to yours are secure.
  • Can you provide them other capabilities such as monitoring, vulnerability scanning / management, secure coding guidance …
  • Insert your ideas here!

Seriously, if you work in security, and especially if you have a leadership role think about this.  It’s time for a step change to really make security front and centre of your organisation.  Lets stop being one of the ‘costs of doing business’ and become a core part of what our organisation does!

K

Secure Mobile Applications, part 3 – Bringing it all together!

Hopefully it is fairly obvious from the last couple of posts how I think a mobile application can be made ‘secure enough’ to replace hardware security devices and enable many other capabilities from mobiles / tablets etc.  However I thought it may be useful to provide an overview of how the detailed components will work together to provide this capability.

Many organisations such as banks have or are already launching payment applications that enable you to make payments with your phone rather then needing your bank card, and of course there are Apple Pay and Samsung Pay etc.

So it’s clear people are becoming comfortable with mobile devices for some use cases, sometimes purely software, sometimes with hardware components involved such as Knox or TEE (Trusted Execution Environment).  This is likely helped by the rise of ‘contactless’ payments in many parts of the world.

While hardware components and secure operating system components can form part of a secure mobile application solution, they  are by no means a silver bullet.  As you still need some part of the application to run in normal, untrusted space, you still face the same problems as if there were no hardware solution in place.  What is to stop a malicious application attempting to man-in-the-middle the communications between the secure and insecure environment?  Indeed what is to stop a malicious application from just impersonating the secure component to the insecure one?

Hardware based solutions also face challenges around support and different capabilities on different devices.

This is why I have focussed on a software only proposal.

If we get to the point where we can trust and monitor a software only solution, this opens up so many possibilities – as long as you are on a supported O/S version, you can run our secure application(s) on any device, anywhere.

While we have the above mentioned payment applications, there are much wider use cases when we get to the point that we really do trust the mobile application I mentioned some of these in my original post on this topic.

As a recap, these were;

  • Become your payment instrument.  Not like Apple pay that still uses your card in the background, but actually being your card(s).
  • This can also provide a much richer user experience such as alerting the user every time there is a transaction on the ‘card’
  • Take payments in stores without the need for a physical card payment solution.
    • EMV (chip and pin) becomes EMV mobile devices and PIN / other
  • Replace your drivers license / passport / age card etc. as a valid form of ID.
  • Enable secure signing of legal / contractual documents.
  • Combine with technology like RFID and GPS etc. to revolutionise the retail experience.
  • ‘Card not present’ becomes ‘card present’ (the end of ‘Card not present’ fraud!)
  • Secure mobile banking becomes actually secure and fully featured
  • Support (or deny) any disputed transactions by providing more detailed information about the device, location and users involved
  • Become your mobile medical record – no longer do doctors or hospitals have to look up your records (or not find them), you carry a copy with you, that syncs from the central repository when it is updated

I am sure you can think of many others!

So how do the components previously detailed components all come together to proved a secure, monitored environment?

In ‘real time’ there are 5 main components;

  • The mobile app
  • Secure decision point
  • Real time risk engine
  • Authentication
  • Monitoring

 

The mobile application – this comprises all of the security components deployed to the mobile device, along with the actual application capabilities of course!  These components are the key to understanding the security status of the device.  They also providing details of behaviour, from things like location to the users activity, and authentication information.  These components have the responsibility for securing and monitoring the device and user behaviour, plus ensuring this data and telemetry is securely provided to the secure decision point and monitoring services.

The secure decision point is to provide a central (resilient of course!) control point for all application traffic to pass through.  This enables relevant data to be passed to the correct components such as the risk engine and monitoring solution(s).  In addition this provides an added layer of protection for the back end application services.  Any time the application or user behaviour is deemed unacceptable, the connection can be blocked before it even reaches the back end services.

Real time risk engine enables risk based decisions to be made based on the information from the other security components.  The secure decision point, authentication solution and ‘external’ source like threat intel and the big data platform all feed the risk engine.  This can be applied to  many activities including authentication, user behaviours, and transactions.

Authentication does what the name implies – it authenticates the user, and likely to at least some extent device.  The difference between this an ‘traditional’ authentication is that as well as authenticating at logon, and supporting multiple factors and types of authentication, is that it can authenticate constantly in real time.  Every time the application is used, information about the device, location, user behaviour etc. is passed to the authentication solution, enabling authentication decisions to be made for any application activity.  In addition to providing rich risk information for the risk engine this also enables fully authenticated transactions.

Monitoring, refers in this case to security monitoring of the system components and their data.  This provides expert analysis and alerting capabilities to augment the automated processes of the risk engine, authentication solution and security decision point.  This may be internal staff, a dedicated SoC (Security Operations Centre),  or a dedicate mobile security monitoring centre, or a combination of multiple options.

 

As you can see, all these components combine to provide an understood and secure environment on the mobile device, backed up by real time monitoring, risk based decisions and authenticated activities.

These ‘real time’ components are further backed up by external feed from intelligence sources, and by analytics performed in the big data platform.  This enables learning from the behaviour of users and devices in the environment so that the risk based rules and manual alerting can be refined based on previous and current activities and outcomes.

Depending on a combination of the security requirements for your application, and the resources available, you may not need or want to implement every component here.  Overall the detailed environment provides a software only solution that is capable of providing enough security to enable pretty much any activity.  I’d love to hear your thoughts, and any experiences of deploying and proving secure mobile applications!

 

K

Secure Mobile Applications, part 2

My last post covered some of the benefits of getting to a point where a mobile application can be considered ‘secure enough’ to replace dedicated hardware solutions, including the required mind set move from ‘assumed secure hardware’ to ‘constantly monitored and assessed software’.

As part of the post I included the high level security architecture components / building blocks that be part of the secure mobile application ecosystem.  This post will provide some detail about what each component is and cover their features / capabilities.

For ease of reference I’ll repeat the diagram here.  Observant readers will notice one extra box added since my previous post..

Mobile app security concept - New Page (2).jpeg

I’ll start by covering the security components that will be included in the application on the mobile device;

‘Mobile Security Solution’

This forms the core of the security solution on the device.  Most likely implementation would be an SDK that is integrated with the mobile application and ideally has a dedicated security ‘decision point’ in the architecture before the mobile app connects to the back end services.

This component will provide the core security component on the mobile device providing multiple capabilities including;

  • Jailbreak / root detection
  • Malware detection
  • Key management and secure communications
  • Bot / remote control behaviour detection
  • User and device behaviour analytics
  • In field encryption
  • Potentially fraudulent transactions (e.g. amount sent differs from the amount entered in the field)
  • Application and device tamper detection
  • Application checksumming
  • Code obfuscation and tamper detection

These outputs are all used to create a risk profile of the application environment covering device, application and user behaviour.

This component will also have the capability to send the telemetry to a dedicated third party SOC (Security Operations Centre) for direct 24*7 monitoring and alerting.

‘Authentication solution’

The core authentication component of the solution that will enable the use of various authentication methods to log into the app and also ‘step up’ authentication when performing certain in application activities.

It would be expected that the authentication solution would be FIDO compliant (https://fidoalliance.org/) and provide a variety of authentication solutions from photos to positive device use such as shaking it to push notifications through SMS to actual passwords.  Risk based authentication should also be supported.

What do we mean by risk based authentication?  This is where were utilise a variety of behaviour and device attributes to confirm or support the identification of the user.  This can be used to support other authentication, e.g. fingerprint, plus uninfected device, plus location, plus time and behaviour is much stronger than the finger print alone.

Risk based authentication can also help provide an improved user journey.  For example you may decide that when logging into an application or dashboard, if the user only wants to view certain information or perform low risk tasks risk and behaviour based authentication may be all that is required.  e.g. bob in his business logging in from the same, uninfected device, at the same location at the same time, to view that days sales.. might need no further authentication.

This is where ‘step-up’ authentication then comes in.  Should bob then want to perform a more ‘administrative’ task such as changing the account money is paid to, increased authentication would automatically be requested such as biometrics, one time SMS’d pin etc.

It is likely that the capabilities of the authentication solution will have some limited overlap with the security solution, however this will likely be complementary and provide an improved level of protection.  This aligns with the ‘defence in depth’ security stance.

‘White box crypto / Hardware Security Module’

This box provides the capability to use encryption within the mobile device in a more trusted manner.  This is especially important if there are any concerns that there may be malware trying to access the data on the device.

White box cryptography is a software solution that purportedly provides secure cryptography in even should the keys etc. be compromised e.g. it provides secure crypto in insecure environments.

Hardware security module in this instance refers any hardware security solution available on the device such as ‘secure element’ or TEE (trusted execution environment).

‘Secure Data Entry Solution’

Where there is a need for trusted data entry, e.g. a pin, there may be a requirement for a dedicated solution to this that provides extra security and obfuscation for any inputs to the application.

As with the crypto solution this may or may not be required depending on the security requirements, risk profile and how much the security software and monitoring is trusted.

‘Dedicated Mobile Security SOC’

As mentioned earlier, the mobile security component(s) can report directly to a dedicated SOC that will provide an expert layer of monitoring and understanding of the current risk posture of the device and app.

This would provide an added layer of security and expertise, which may be especially relevant in high risk and / or high transaction environments.

‘Reverse proxy / application delivery device’

The premise of this component in the ‘data centre’ (DC, or cloud) is that it provides a dedicated security device that sits in the transaction path.  This provides a dedicated secure ‘choke point’ to make decisions and prevent malicious connections before they reach any of your back end servers / services.

This solution would effectively be a conduit / connector between multiple security components on the mobile device and within the DC, including the real time risk engine and the log monitoring and alerting solution.

The benefit of having this component in place vs. some of the solutions that provide similar capabilities but rely on decisioning within the application back end is that it provides a hardened device to protect the solution.  This also minimises required changes to the back end of the application in order to provide this security capability.

‘Authentication Provider’

This is the back end of the ‘Authentication Solution’ that will provide the policy based authentication capabilities and ensure the appropriate level of authentication is required for any given activity.  Based on the implemented policies of course.

Ideally this should support multiple policies to enable different applications, user groups and behaviours to have different authentication requirements.  This should also be able to support different authentication methods for the same behaviour depending on a combination of device capabilities and risk.

Another key theme for the authentication solution is that you ensure you work with a vendor who is committed to remaining current as new authentication methods become available.  Once your application is integrated with the authentication solution you can then remain current and support what ever authentication methods you deem appropriate with no further application changes.

‘Real Time Risk Engine – Risk Based Transactions’

This block indicates the capability to provide real time risk scoring of activities or transactions as they happen.  As this has to be in real time and potentially support 100s or 1000s of activities per second it is likely that the rules will need to be relatively simple and easy for a machine to check against in real time.

These will however be refined and improved over time via the longer term analysis performed in the big data platform.

The benefit of having real time risk scoring, and blocking of transactions is that you will prevent a lot of potentially bad activity such as fraud before it even gets to your core systems.

The risk engine will be able to combine the current session profile information from the various tools in the environment, along with some understanding of expected user behaviour.

An example of the kind of contextual risk scoring the solution may provide would be;

Alice logs into her device using strong authentication, there are no indicators of compromise on the device or application and she is in her normal place of business.  Some unusually large transactions are sent from Alice’s device, but there are still no indicators of any issues  These can likely be permitted with very low risk.

Alice logs into her device using her password, there is an indicator of some potential malware, but nothing that should impact the application.  Alice and the device are not one of their usual locations.  Some unusually large transactions are sent through.  While not definitely fraudulent these would definitely carry a higher risk score and may want to be blocked or investigated immediately.

The real time risk engine would receive contextual information from the various components in the mobile application security ecosystem, general threat intel about fraudulent behaviour etc. from the external threat feeds, and updated algorithms and intelligence from the big data platform.

There may also be a link to a dedicated fraud system if this is a financial organisation.

‘Big Data Predictive Analytics’

If your organisation has one, this would be the big data analytics solution that is in place.  Data from all the security tools and threat feeds, not just those for the mobile app, should end up here.

This will then use analytics, machine learning, data scientists expertise etc. to learn the environment and understand how well the real time risk engine is working.  This data would then be used to improve and refine the rules to maximise performance and detection while minimising false positives.

Outside of providing analytics and improvements to the mobile platform, there is immense business and competitive advantage that can be gained from analysing and learning from your security tooling if you can get the whole picture into one place.  This is especially true if you have enough data to start making accurate predictions for you and / or your customers!

‘External Threat Intel Services’

These are exactly what they say on the tin, your organisations sources of external threat data.  While the value of these can be questioned, if you have them, especially if you have found a reliable source of accurate, timely and actionable contextual data then they should certainly feed into you risk engine and data analytics.

‘MSS Monitoring Service’

This is your organisations general security monitoring and alerting service.  This will likely comprise a SIEM (Security Information and Event Monitoring) solution or Continuous Monitoring solution of some sort and a team of dedicated security analysts.  I have shown this as an external service as this is usually the best way to deliver this to small and medium organisations, along with many larger organisations that do not have security as a core competency.  This could of course be provided by an in house solution and team if that is in place in your organisation.

This service will provide monitoring and alerting on any potential security issues and either investigate and initiate incident response and remediation directly or work with your security operations team to do so.

 

This post has turned into quite the essay, I’ll stop here as we have briefly covered the various security components within the mobile application ecosystem.  How this all hangs together and provides a cohesive secure environment will be the subject of my next post.

K