Cyber Security's future - more difficult than winning the premiership

It wasn't an attacking Manchester United squad, but a defensive team of some 200 cyber-security professionals that gathered at Old Trafford football ground yesterday to discuss The Future of Cyber Security in a whistle-stop tour through some of the main threats currently faced, along with expert advice on mitigation strategies.

Delegates were primarily from Manchester and the north west, but with a strong Leeds and Scottish contingent plus a few from the Midlands, South West and London, with attendees from the nearby BBC centre, universities, defence and other public sector as well as industry including manufacturing, finance, services, and retail among others.

Presentations were from a mix of government, academia, hackers and the vendor community – rounded off with a comedian with a message – Bennett Arron, who spoke about his own experience of identity theft and the subsequent documentary in which he stole the identity of the Home Secretary.

Aaron Booth, digital tool lead for the Defence Cyber Protection Partnership (DCPP), encouraged delegates to log on to the DCPP at www.gov.uk to ensure they were adopting best practice – including Cyber Essentials – which many of the delegates appeared to dismiss due to its lack of rigour in ensuring compliance.

Next came the tag team of former hackers Cal Leeming and Darren Martyn. Their overall theme was, “we're all doomed, cyber-security is rubbish”, and that the tools available to the hacking community are so commoditised that anyone can do it, while large companies have failed to protect themselves from school kids, so stand no chance against state actors. But they did provide advice: every environment is different, so start afresh when you go to a new company and don't expect what worked in your last place to necessarily work here. They also stressed the need to focus on exploitable vulnerabilities and not theoretical ones that only work under lab conditions. Most frightening was the number of ISPs described as ‘truly hackable’, leaving their customers wide open to attack – and the call for these, and manufacturers in the industry, to be held liable for weaknesses such as default passwords.

Bea Gully, cyber-security account manager at Darktrace understandably focussed on behavioural monitoring and machine learning to spot new attacks, especially the increase in attacks via non-traditional IT, from CCTV to, in one case, a coffee machine.  Another example was a compromised biometric scanner which was not a known attack method, but by clustering servers and comparing behaviour, the abnormal behaviour of a device exporting more data than expected was spotted – as was a conferencing camera which also exported too much and was connecting to other computers. The message was, rules and signifiers of attack are not enough to cope with complexity – new approaches need to be spotted too.
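The peer-group comparison described above can be illustrated with a short added example; it is not Darktrace's method or code, and uses a simple robust statistic in place of machine learning. The device names, groupings and traffic figures are constructed, and the 3.5 threshold is an assumed cut-off.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: (device, peer_group, outbound_MB_per_day).
OBSERVATIONS = [
    ("bio-scanner-01", "biometric", 12), ("bio-scanner-02", "biometric", 14),
    ("bio-scanner-03", "biometric", 11), ("bio-scanner-04", "biometric", 13),
    ("bio-scanner-05", "biometric", 950),
    ("conf-cam-01", "camera", 300), ("conf-cam-02", "camera", 320),
    ("conf-cam-03", "camera", 310), ("conf-cam-04", "camera", 2900),
]

def excess_exporters(observations, threshold=3.5):
    """Flag devices sending far more data than their peer group's median.

    Uses the modified z-score (0.6745 * deviation / MAD), which one
    extreme device cannot drag towards itself the way a mean would.
    """
    groups = defaultdict(list)
    for device, group, mb in observations:
        groups[group].append((device, mb))

    flagged = []
    for group, members in groups.items():
        values = [mb for _, mb in members]
        if len(values) < 3:
            continue  # too few peers to say what "normal" looks like
        med = median(values)
        mad = median(abs(v - med) for v in values)
        for device, mb in members:
            if mb <= med:
                continue  # only excess outbound volume is of interest here
            # If every peer behaves identically, any excess is an outlier.
            score = float("inf") if mad == 0 else 0.6745 * (mb - med) / mad
            if score > threshold:
                flagged.append((device, group, round(score, 1)))
    return sorted(flagged)

if __name__ == "__main__":
    for device, group, score in excess_exporters(OBSERVATIONS):
        print(f"{device} ({group}) modified z-score {score}")
```

No signature for a compromised scanner or camera is needed: each device is judged only against others of its own kind.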

Chris Few, UK business manager at Foreseeti, described how all attack routes have their hardest step, and by comparing systems and approaches these could be identified, a level of difficulty assigned to each step, and defences strengthened accordingly by applying whatever makes escalation of privilege more difficult. It was advised that this modelling of attack path analysis should happen both at the design stage and throughout the life cycle as different resources are connected together.
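An added sketch of this kind of attack path analysis follows; it is not Foreseeti's tooling or algorithm. The asset names and difficulty scores are constructed, and a plain shortest-path search stands in for whatever model a real product uses.

```python
import heapq

# Constructed model: each edge is one attack step with an assumed difficulty
# score (higher = harder for the attacker). Names and scores are illustrative.
STEPS = {
    "internet":     {"web_server": 3, "vpn_gateway": 8},
    "web_server":   {"app_server": 2},
    "vpn_gateway":  {"app_server": 1},
    "app_server":   {"domain_admin": 4, "database": 6},
    "domain_admin": {"database": 1},
    "database":     {},
}

def easiest_path(steps, source, target):
    """Dijkstra over step difficulty: returns (total, [nodes]) or None."""
    queue = [(0, source, [source])]
    seen = set()
    while queue:
        cost, node, path = heapq.heappop(queue)
        if node == target:
            return cost, path
        if node in seen:
            continue
        seen.add(node)
        for nxt, difficulty in steps.get(node, {}).items():
            if nxt not in seen:
                heapq.heappush(queue, (cost + difficulty, nxt, path + [nxt]))
    return None

def hardest_step(steps, path):
    """The single most difficult step on a path: (from, to, difficulty)."""
    edges = [(a, b, steps[a][b]) for a, b in zip(path, path[1:])]
    return max(edges, key=lambda e: e[2])

def harden(steps, src, dst, extra):
    """Return a copy of the model with one step made harder by `extra`."""
    new = {node: dict(out) for node, out in steps.items()}
    new[src][dst] += extra
    return new

if __name__ == "__main__":
    cost, path = easiest_path(STEPS, "internet", "database")
    print(cost, path, hardest_step(STEPS, path))
    # Strengthening the privilege-escalation step moves the easiest route.
    after = harden(STEPS, "app_server", "domain_admin", 5)
    print(easiest_path(after, "internet", "database"))
```

Hardening one step changes which route is easiest, which is why the model has to be re-run whenever a defence or connection changes.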

If you don't help users do the right thing, they'll find a workaround, as Terry Bishop, solutions architect at RiskIQ, explained when describing how threats beyond the firewall had increased the attack surface, and now 80 percent of attacks are from outside, 50 percent from assets unknown or outside the firewall – often a third party component. For most organisations, their digital footprint is bigger and more complex than they realise. Ransomware is becoming more targeted, custom-written for specific victims, plus there is an increase in doxing – where the ransomer has also copied your files that they'll threaten to release if you don't pay. With more use of AI by attackers, more data integrity attacks, including on your cloud provider, and use of botnets to attack critical infrastructure, the need has become 24x7 so more companies are now expected to use managed security services – not just SMEs but enterprises too.

Over the past week the ICO has issued a £50,000 fine for a spammer sending out 400,000 messages on debt, and Dr Simon Rice, group manager, technology at the ICO, cited this and £2.5 million fines issued last year as examples of his organisation's ongoing activity, noting how he – 99 percent – expects the ICO to be the privacy enforcer under EU GDPR. His primary theme was what compliance looks like today compared to under EU GDPR, and he advised companies to learn from case studies where others got it wrong, go use free tools that hackers use to find out your vulnerabilities, and work through the OWASP top ten points (see ICO website – www.ico.org.uk). Noting how organisations such as schools had increased ICT and no extra staff, just teachers made responsible, they may consider it almost impossible to comply – but there are no exceptions. But in some cases there is funding to help achieve compliance. Also, each case will be judged on the basis of, have you done what is appropriate for your organisation?

As John Hughes, enterprise sales director, Varonis UK, noted, there are 100,000 new infections per day, two thirds of employees can see data they probably shouldn't and only 29 percent of companies enforce least privilege. Bitcoins have changed the economics of ransomware, making it more worthwhile. To get a handle on the insider threat, it was advised that administrators need to baseline user behaviour, and lock down data, limiting access, eliminating ‘everyone’ groups, know the data owner and know who should and shouldn't have access – and use workflows to grant and revoke access.

Alan Calder, CEO at IT Governance, provided a tour-de-force of the current state of the market, covering both cyber and compliance risk and their overlap, noting how the EU GDPR fines are legislated to be ‘dissuasive’ and thus will not be trivial, while the rights of those whose details were breached have no financial limit. Among the advice that we would hope SC readers have been taking on board as they read the publication was a ‘seven steps to cyber resistance’ strategy, but with a warning that for those who fail to comply, the authorities have said, “Yes, people will need to go to jail.”

Among other presentations was an entertaining and informative reminder of why we need to engage with encryption, and not relegate it as ‘too difficult’, delivered by Professor Bill Buchanan from Napier University, providing, as he described it, a warm up act for the aforementioned Bennett Arron.