Month: July 2019

In August 2012, Wikileaks published documents said to expose “TrapWire,” as a US government spy network that used ordinary surveillance cameras to analyse data of people of interest. The Trapwire system was said to use data from a network of CCTV systems to assess the threat level in a number of locations. However, the Wikileaks publications inevitably raised concerns about CCTV cameras’ facial recognition capabilities, leaving people to question whether they were slipping into a total surveillance state without even realising it.

Facial recognition verifies the identity of a person using their face. It captures and compares patterns based on facial details. Whilst continued development and use of the biometric technology is not doubt an exciting subject, there are grave concerns surrounding its arrival and growth.

Normalising facial recognition is arguably aimed at dispelling any fears that we are slipping towards any such surveillance state. Fast forward half a decade and Facebook is using face recognition technology to “help protect you from a stranger using your photo to impersonate you.”In June 2015, Google launched FaceNet, a new recognition system with impressive accuracy. The technology is incorporated into Google Photos and used to sort pictures and automatically tag them based on the people recognised.

Apple is using facial recognition technology to secure devices and authorise payments through those devices; and Aella Credit, a financial services company based in West Africa, uses Amazon Rekognition’s ability to detect and compare faces. The latter can provide identity verification, without any human intervention. Customers upload a profile image to the mobile app, which is then sent to Amazon Rekognition and saved in Amazon Simple Storage Service (Amazon S3). The customers’ facial expression is analysed and saved.

Using face recognition technology for social media, mobile phone devices and banking makes the technology seem like it is part of normal day to day life. Therefore, public views will eventually shift to accepting the technology as being here to stay. The risk being that once it is deployed in public, it may become impossible for individuals to opt out of being monitored and recognised without being targeted as a reclusive enemy of the state.

Facial recognition is undoubtedly an important tool in combating crime and terrorism but the risks for individuals not engaging in any illegal activity are well documented. The General Data Protection Regulation (GDPR) provides a rigorous framework for facial recognition. The regulation ‘seeks to harmonise the protection of fundamental rights and freedoms of natural persons in respect of processing activities and to ensure the free flow of personal data between member states’ (https://www.eur-lex.europa.eu).

Dubbed as the most important change in data privacy regulation in the last twenty years, the new rules relating to how personal data is collected and processed came into effect in the UK on 25^th May 2018 by way of the Data Protection Act 2018 (DPA 2018). The Government has indicated that the UK’s decision to leave the EU will not alter that position.

Data used to identify any individual is classed as ‘sensitive data’ under data protection law, companies providing facial recognition technology must take considerable care when processing such data. Once data is identified as personal data, the GDPR and DPA 2018 provide a framework for how that data can be processed lawfully and there are obligations when it comes to processing what is described as ‘special categories of personal data.’ Those special categories are defined as ones that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric (including dactyloscopic) data for the purpose of uniquely identifying a natural person, and data concerning health, sex life or sexual orientation. Under GDPR the processing of such data is prohibited unless one of the exemptions in Article 9(2) applies. Schedule 1 of the DPA 2018 sets out how those provisions are to be interpreted under UK law.

Time will tell whether the GDPR and DPA 2018 will be adequate to keep up with rapid developments in facial recognition technology. It is clear that companies offering those services will need to ensure that they have appropriate training and policies in place to prevent any data breaches, ensuring that they are transparent in respect of their processes and procedures if they are to be GDPR complaint. However, if we are to truly counter balance any movement towards a surveillance state it is also of vital importance that the individual is aware of their rights relating to their personal data and in particular ‘the right to be forgotten’ (Article 17 GDPR).

Written by Ernest Aduwa.

Ernest Aduwa regularly defends individuals against serious and complex criminal allegations. His clients include high net worth individuals and those in the public eye.

(101)

Written by John Czupak, CEO, ThreatQuotient

There’s something big brewing in the world of security operations, but what exactly is it? We are regularly inundated with various descriptions of useful tools and capabilities (think Security Orchestration, Automation and Response (SOAR), Threat Intelligence Platforms (TIPs), Security Incident Response (SIR), Hunting and more).

Unfortunately, many of us are equally confused about the fundamental capabilities of these technologies, and more pointedly, what problems they aim to solve. Perhaps we need to refresh the way we look at this space – turn it upside down a bit and start from a different perspective.

What problems are we trying to solve in today’s Security Operations Centre (SOC)?

If you get right to the point, there are many inefficiencies in processes, which result in delayed detection and response times. There are of course many contributing factors, including but not limited to: teams working in silos; applications and data that are not integrated; alert overload and fatigue as well as staff and talent shortages. The industry response has been to add more tools such as IR/ticketing systems, orchestration and automation and TIPs. In fact, if you look back at Gartner’s earliest definition of SOAR, it fundamentally aligns with these technology stacks.

So, what’s different today? The conversation has clearly shifted to a discussion around the specific problem (i.e. – use cases) coupled with the way technology can help. This concept of a use case approach makes a lot of sense as it focuses the discussion on the problem at hand vs. attempting to shoehorn a “silver bullet” technology for every situation. Some of the more common use cases we see include things such as:

Incident Response: an organised approach to the process by which an organisation handles the aftermath of a cyberattack or data breach with the goal of limiting damage and reducing recovery time and cost.

Threat Hunting: the practice of proactively and iteratively searching for abnormal activity within networks and systems for signs of compromise.

Threat Intelligence Management: the practice of aggregating, analysing, enriching and de-duplicating internal and external threat data in order to understand threats to your environment.

Alert Triage: the process of efficiently and accurately going through alerts and investigating them to determine the severity of the threat and whether or not the alert should be escalated to incident response.

Vulnerability Management: the practice of continuously discovering, classifying, prioritising and responding to software, hardware and network vulnerabilities.

Spear phishing: the practice of sending fraudulent emails that targets specific individual(s) or organisation for the purpose of gaining unauthorised access to confidential information.

Investigations & Collaboration: The industry’s first cybersecurity situation room designed for collaborative threat analysis, shared understanding and coordinated response.

A shift in conversation: The emergence of new technology requirements

In Gartner’s latest SOAR Market Guide, published on 27th June 2019, the evolution of SOAR moves towards what we have believed all along – the need for a “full featured” security operations solution designed to support multiple activities for security operations (e.g. – prioritising activities, formalising triage and IR, automating response, enabling investigations, facilitating collaboration and more). This can simply be interpreted as a platform designed for multiple users and use cases.

While SOAR used to mean simply orchestration to many, and TIPs were solely used for threat intelligence programs and SIRs were used for incident response, the definitions and use of these technologies is clearly evolving rapidly. The market needs a security operations platform to improve efficiencies and effectiveness of the SOC.

(102)

Stealth-mode startup announced that it has successfully completed its first round of funding, developing groundbreaking cybersecurity solutions for railways. With Cervello, railway operators can be better protected against cyber threats to their signaling systems and operation.

Cervello, an Israel-based company focused on securing railways against cyber-attacks, has raised 4.5 Million Dollars during a seed funding round. The investment will accelerate the company’s technology and continue its expansion into international markets. Investors include the venture capitals North First Ventures of Israel and Awz Ventures of Canada, along with the founder of Comsec Group, Nissim Bar-El.

Cervello was founded in 2017 by veterans of the IDF Elite Technology & Intelligence Units, Roie Onn, Shaked Kafzan and Nadav Avidan – all three are graduates of The Zell Entrepreneurship Program at IDC Herzliya. Cervello is addressing inherent security vulnerabilities and exploits in the critical systems which railway companies rely on. Utilizing proprietary and railway best practices to predict and identify cyber threats, Cervello helps answering one of the most challenging questions in the railway industry to date, “Is the railway operator currently facing a cyber-attack or malicious activity in its operational network?”

“As operators further digitize their infrastructures, the railway industry is adopting an active approach towards both the security of its critical systems and international compliance,” says Roie Onn, Cervello CEO. “The Cervello Dashboard provides operators with full visibility of their railway signaling systems and critical assets and alerts on cyber incidents in the day to day operation. The solution can be either added to support existing rail equipment or installed during the manufacturing and design process”.

An alarming railway-hacking trend in recent years may lead to catastrophes such as trains derailment, taking over trains for ransom, and publicly embarrassing operators. As the intensity of various attacks increases, disruption of service and damage to goodwill may lead to tragic injuries or even the loss of human lives. Lacking a focused railway-specific cybersecurity platform, operators are seeking effective tools to detect malicious activity and cyberattacks in their operational networks to ensure the integrity of their safety systems and services. Cybersecurity solutions, originally developed for other industries, are insufficient.

Cervello preserves the reputation of railway operators by focusing on the safety of passengers and commercial entities relying on freight trains. Delivering live network status and notifications of any cyber activity in the operator’s signaling system, this deep technology creates a proactive coverage of the critical assets, securing the core of the rail operation and safety measures.

Israel Baron, the former CISO (Cyber Director) of Israel Railways, is now directing the company’s business development activity. He states “I decided to join Cervello because it is offering the most innovative, qualitative, and efficient solutions for successfully confronting the cyber threats to the railway industry”, adding that cyber risks have “existed now for several years, and we must deal with them as soon as possible”.

(74)

(73)

(60)

Tom Kellermann, Chief Cybersecurity Officer for Carbon Black

In the highly regulated industries of finance, healthcare and energy, a focus on governance, risk and compliance (GRC) is crucial to effectively combat a cybersecurity breach. Unfortunately, when considering international data sharing, this can become overwhelmingly complex. In today’s evolving cyber landscape, it’s less about balancing governance, risk and compliance, and more about enacting proactive risk management as the main focus, with governance as an important element of that.

Typically, compliance is based on operational and regulatory risk management. Given the hostility of cyberspace and the rapidly evolving threat landscape, just being technically compliant is not enough. Organisations must also be more proactive in preventing risk in other areas — reputational risk, for example. Reputational risk management, where there is no governing or compliance standard, is an organisation’s worst nightmare. True reputational risk management is not just crisis communications post-breach, it is a part of proactive risk management that starts before you’ve been attacked, and before your impacted network can begin to attack your customers and partners.

Governance, as illustrated by the General Data Protection Regulation (GDPR), can’t slowly be rolled up, and it’s not solely about privacy, as privacy and Cybersecurity are interdependent. If balance is the ultimate goal, organisations should find it by empowering the CISO to be equal to or greater than the CIO. They must have their own resources, authorities, and reporting regime that allows them direct access to the company’s board. Moreover, the CISO and CIO need to be in close collaboration with regards to technology decisions and security implications so these two departments can successfully partner against security risks. Yes, governance will always sit on top. It is the defensive-minded head coach that determines the culture of the team. But without at least equality between the CISO and the CIO, organisations are inviting significant risks as they roll out technologies and mobile apps, or outsource with specific companies, that haven’t been properly vetted from a cybersecurity risk perspective.

Unfortunately, greater priority is always going to be given to traditional compliance, for two key reasons. First, most organisational structures place a CISO under the CIO — whose priorities nearly always come first. These priorities typically put the organisation on the offensive, and include increasing access, efficiency, resiliency, and speed to support the growing needs of the business, all of which expand an organisation’s attack surface. With limited time and budget, and a rapidly changing technological landscape, this often leaves little left for a defensive strategy.

Second, CIOs are encouraged to maintain plausible deniability, where under legal precedent they cannot be criminally liable if a breach were to occur if they weren’t aware that a security gap existed. Unfortunately, this can lead to a tendency to avoid proactive penetration tests and hunt exercises. These would offer evidence that something has gone wrong, and that the CIO was aware of any backdoors or vulnerabilities within the company’s systems and didn’t take any action against them, increasing their personal liability.

With these challenges in mind, organisations can work to achieve a balance between risk management and compliance by taking the following actions:

Create a culture that is focused on privacy and that is underpinned by cybersecurity.
Empower the CISO and the defensive mindset so that it is equal to the authority and budget of the CIO.
Transition the conversation away from just IT, to a conversation around risk management and brand protection, while proactively conducting regular compromise assessments across the infrastructure and the company’s information supply chain. In the long run, it is all about the sustainability of the brand.
We can all agree that taking a strong stance on governance, risk and compliance is necessary to successfully mitigate a cyberattack. It’s how to approach them that needs serious consideration. By focusing on proactive risk management, organisations should reconsider the power governance has, how to effectively address risk, and what being compliant truly means for the CIO, CISO and the entire board.

(70)

Given the recent news that the ICO’s own website failed to comply with GDPR guidelines, a new study from Tripwire has found non-compliance is actually widespread, with 14 percent of organisations failing to meet the 72-hour deadline to notify customers of a data breach.

The study surveyed security professionals attending Infosecurity Europe 2019 and also revealed 29 percent were unsure of how long it would take their organisation to identify, contain and eradicate a security threat, while eight percent admitted it would take them longer than three days.

“These results are fairly encouraging and indicate that knowledge about GDPR’s requirements around data breaches is spreading,” said Tim Erlin, VP, Product Management and Strategy at Tripwire. “There is still room for improvement, however. Anyone in an information security role should be familiar with the basic requirements of GDPR and what their responsibilities are. The biggest opportunities for improvement are around what constitutes a breach and how to respond to an incident.”

Other results from the survey include:

• 34 percent stated they either wouldn’t or were unsure as to whether they would report to authorities about data which was found left exposed through public cloud without evidence of it being exploited by bad actors
• 33 percent of security professionals were either unsure or thought a ransomware attack with no evidence of data stolen did not need to be reported to authorities
• 13 percent of respondents’ organisations either don’t have an incident response plan or did not update it for more than a year
• 15 percent of organisations don’t have incident response training in place for their employees

If you would like to view the full results from the study, please click here: https://www.tripwire.com/state-of-security/security-data-protection/report-infosecurity-europe-security-incidents/

(58)

(48)

Written by Josh Lefkowitz, CEO of Flashpoint

Today, corporate security is everyone’s responsibility. Whether you work in procurement, finance, sales, or legal, you need to identify and manage risks—digital and physical—related to your department. The human resources department is no different and this team faces a specific security risk that is now a major concern for organisations: insider threat. Businesses and their HR teams need to make sure they’re not inviting risk into their ecosystem in the guise of employees who may not be all they seem, or who become a risk during employment.

Recognising the human factor in security breaches

Security breaches, whether deliberate or unintentional, almost always involve a human element. It could be a mistake by a worker who accidentally clicks a malware link, or a deliberate attempt to steal the organisation’s intellectual property. Either way, the impact can be devastating because the employee has privileged access to the company’s systems and data. While IT security departments can deploy a range of technologies to detect and counter threats, there is an important psychological and behavioural element that must also be understood and managed. That is why human resources (HR) departments should be fully involved in insider threat programmes (ITPs).

There are three key high-risk moments in the employee lifecycle when HR and security teams should work together:

Before you hand over the keys to the kingdom: pre-employment screening
Taking references on prospective employees has always been the responsibility of the HR department. These usually focus on competence and suitability for the role plus legal factors such as criminal records and Disclosure and Barring Service (DBS) checks. However, with the wealth of data available on individuals, we’re now seeing wider due diligence checks on the employee’s digital footprint in social media and internet presence to identify red flags that could cause a problem for the organisation’s security and reputation. This is a sensible precaution, but it doesn’t always give the whole picture.

A prospective employee’s presence on illicit online communities—such as deep & dark web (DDW) forums and marketplaces, chat services platforms, and other sites frequented by threat actors—is unlikely to be picked up in general screening. Those using these types of communities want to exist below the radar, yet these individuals are the ones likely to pose a threat to businesses. For example, Flashpoint analysts observing a DDW forum uncovered links between a prospective employee of a Fortune 500 retailer and a threat actor with a history of recruiting insiders to steal corporate data. Once alerted, the retailer was able to halt the individual’s employment application and apply intelligence-led countermeasures to reinforce security of sensitive data which was specifically being targeted.

Without that intelligence from the DDW forum, the retailer would have unwittingly weakened its risk posture. DDW access and the understanding of illicit communities, however, is not something that most HR professionals have. Business risk intelligence can close the gap and enhance the ITP with specialists who have visibility into the DDW and other illicit online communities where insider threat activity is planned, and agents are recruited.

During employment: monitor for disgruntled or compromised employees

Even if an employee is low risk when they join a company, that doesn’t mean they will stay that way.

The internet is home to various active communities aimed at recruiting company insiders to provide access to networks or extract data. After all, it is easier to recruit someone who is already on the inside than place a ‘plant’ from the outside. Operating via forums or through chat services apps, cybercriminals offer very attractive rates of pay to willing insiders at high value targets such as banks, technology companies, and retailers. Companies operating in territories where legitimate pay rates are low are particularly susceptible. Employees who find themselves under financial pressure may be tempted to sell their services to a high bidder.

Alternatively, employees who become dissatisfied with the company may aim to “punish” it and make money at the same time. HR teams need to be aware of staff well-being and potential red flags, such as low morale or if an employee is undergoing a formal grievance procedure or official reprimand and inform the ITP team as a matter of process.

Having identified employees with grievances or known financial pressures, HR can work with IT teams using tools such as user behaviour analytics to track their access to systems and data that wouldn’t usually be part of their remit. Additionally, business risk intelligence gives insight into the organisation’s profile on the DDW and other illicit online communities to indicate the threat level facing the business. If threat actors are actively seeking insiders at your organisation, you know that your employees are being targeted and can mitigate risk accordingly.

At termination: secure off-boarding
An obvious high-risk moment is when an employee leaves an organisation. Even if they exit on good terms, research shows that workers often have a proprietary attitude towards data that they have worked on during their employment. HR should firmly remind departing employees of data security policies to avoid becoming an unwitting threat as they exit the company.

HR teams should also supply security teams with details of all departing employees so that network access can be revoked immediately when they leave their post. An analysis of the employee’s network activity prior to departure should be done to identify any incidents of breach.

We know that the human factor is one of the biggest unavoidable weaknesses in corporate security strategy and the most difficult to manage. That is why HR teams need to work alongside Insider Threat Programme teams to gain a full overview of employee risk and deploy employee verification procedures, robust policies, and intelligence to mitigate insider threat and avoid inviting risk into the organisation.

(65)