Month: November 2019

(63)

Certes Networks continues to bring new innovation and product features to its encryption management solutions and is proud to announce the launch of its Observability feature to deliver on its promise to keep data secure.

Many organizations are in the early adoption stages of cloud-native technologies, with the failure modes of these models still not widely understood. To successfully manoeuvre this new, but often obscure world, gaining visibility into the behaviour of applications has become more pressing than ever, and bringing better visibility into network systems through observability remains a key way to do this.

With the launch of Observability, customers can now have both visibility and observability of their data in transit. Logs, metrics and traces are useful tools that help with testing, understanding and debugging systems. However, an observable system isn’t achieved by simply having monitoring in place, nor is it achieved by having an SRE team carefully deploy and operate it.

With the Certes Networks Observability feature, organizations are now not just trying to monitor and identify threats and keep them out of their network. Through generating and defining policies, network policy enforcement will allow organizations to ensure that only authorized applications and users are communicating with one another while enabling them to meet their own governance, security and compliance requirements.

Through the export of network flows and Certes’ proprietary metadata, organizations can gain a deeper understanding of network policy deployment and enforcement and analyze every application that tries to communicate across the network, all the while monitoring pathways for potential threats, now that each policy is observable.

“Our solution allows you to program security policies in a simple and flexible way. This improves your overall security posture and makes it very difficult for attackers to make lateral ‘east-west’ moves in your WAN or data center. Our ability to visualize and observe the real-time state of the network, even when the traffic is encrypted, allows the security team to spot exfiltration attempts or unauthorized accesses easily. This greatly increases the ability of the user to prevent and manage breaches. This ability to see the impact of policy on the network significantly enhances security,” commented Sean Everson, CTO, Certes Networks.

Everson continues, “Observability is a feature that needs to be fully integrated into a network system and the launch of Certes Networks Observability addresses the security and operations concerns of our customers and delivers on our promise to keep their data secure.”

(40)

Cranfield University is investing £3.5 million in the latest forensic science technology at its Cranfield campus. Building on Cranfield’s distinctive strength in defence and security, this forensic science teaching and research facility will be unparalleled in the UK.

Students and staff will have access to new facilities such as a virtual reality autopsy table, crime scene investigation rooms and a simulated mass grave excavation site, from summer 2020.

Cranfield Forensic Institute is one of the world’s leading forensic science departments specialising in areas such as archaeology, ballistics, engineering failures, explosives and materials science. Students who have graduated through the Institute have gone on to leading roles in the police, the Home Office and academia.

To celebrate the investment the University is also announcing that five full scholarships will be available through to prospective students demonstrating excellence in their field.

Professor Andrew Shortland, Director of Cranfield Forensic Institute, said: “The investment in these new technologies will create unparalleled facilities for our students and staff to develop their research and learning. For decades, Cranfield Forensic Institute has been at the forefront of forensic science globally; these new facilities will enable us to raise our ambitions even further and enable our students to continue to be at the front of the queue for careers in organisations such as the police, Home Office and DSTL.”

Professor Sir Peter Gregson, Chief Executive and Vice-Chancellor, said: “Cranfield has a proud track record of leading forensic science research and education. I’m delighted that the University is able to invest in these new leading facilities for our students and our staff.”

(89)

Matt Cable, VP Solutions Architect and MD Europe, Certes Networks

Shining a Spotlight on UK Cyber Security Standards

Public sector organisations in the UK are in the midst of changing cyber security regulations. In mid-2018, the Government, in collaboration the NCSC, published a minimum set of cyber security standards. These standards are now mandated, along with a focus on continually “raising the bar”. The standards set minimum requirements for organisations to protect sensitive information and key operational services, which – given the way in which these services are increasingly dispersed – is driving significant changes in public sector network architecture and security.

In addition to setting today’s ‘minimum’ standards, however, the guidance also sets a target date of 2023 by which public sector organisations will be expected to have adopted a ‘gold-standard’ cyber security profile. Matt Cable, VP Solutions Architect and MD Europe, Certes Networks, therefore outlines the essential considerations that will help organisations select an encryption solution provider that can easily integrate into any network infrastructure as they migrate from Legacy MPLS to SDN or SD-WAN network architectures.

The Principles

For both public and private sector organisations, customer experience is key. From finance and utilities, to local authorities and smart cities, customer touchpoints are increasingly dispersed, remote and application-driven, necessitating a move from Legacy MPLS to SDN or SD-WAN. However, under the Government’s new minimum cyber security standards framework, ensuring sensitive information and key services are protected is a critical consideration.

The UK’s National Cyber Security Centre (NCSC) has therefore issued principles for cyber secure enterprise technology to organisations, including guidance on deploying and buying network encryption, with the aim of reducing risks to the UK by securing public and private sector networks. This guidance bears parallels with the US National Institute of Standard and Technology’s (NIST) Cybersecurity Framework and therefore applies equally to US and other federal organisations in a similar scenario.

Similar to the NIST framework, the NCSC guidance shares the same principle that networks should not be trusted. It recommends that to keep sensitive information protected, encryption should be used between devices, the applications on them, and the services being accessed. IPsec is the recommended method for protecting all data travelling between two points on a network to provide an understood level of security, with further guidance outlining a specific ‘gold-standard’ cipher suite profile known as PRIME.

The guidance is based on the network vendor being CAS(T) certified (CESG (Communications Electronics Security Group) Assured Services (Telecommunications)), which involves an independent assessment focused on the key security areas of service availability, insider attack, unauthorised access to the network and physical attack.

However, there are challenges.

Challenge #1 – Public Sector Adherence to CAS(T)

Many public sector organisations are no longer mandating CAS(T) based services and therefore the risk appetite is expected to be lowered, mainly to support the emergence of internet and SD-WAN suppliers network solutions. This is key as the current NCSC recommendation Foundation standards for IPsec will expire in 2023, and users are being encouraged to move quickly off legacy platforms.

Challenge #2 – Impact to Cloud Service Providers and Bearer Networks

This guidance, such as the protection of information flows on dedicated links between organisations, also applies to cloud service providers, or in the inter-data-centre connections in such providers’ networks.

The underlying bearer network is assumed not to provide any security or resilience. This means that any bearer network (such as the Internet, Wi-Fi 4/5G, or a commercial MPLS network) can be used. The choice of bearer network(s) will have an impact on the availability that an encrypted service can provide.

Challenge #3 – Partner Collaboration

NCSC explicitly states in its guidance that establishing trustworthy encrypted network links is not just about technology. It is also important that the management of these networks links is carried out by appropriate individuals, performing their assigned management activities in a competent and trusted fashion, from a management system that protects the overall integrity of the system. Thus, for encryption solution providers, the partner’s service credentials impact how the end user may use the technology.

The Solution

IPsec helps protect the confidentiality and integrity of information as it travels across less-trusted networks, by implementing network-based encryption to establish Virtual Private Networks (VPNs).

Under PRIME principles, devices which implement cryptographic protection of information using IPsec should:

• Be managed by a competent authority in a manner that does not undermine the protection they provide, from a suitable management platform
• Be configured to provide effective cryptographic protection
• Use certificates as a means of identifying and trusting other devices, using a suitable PKI
• Be independently assured to Foundation Grade, and operated in accordance with published Security Procedures
• Be initially deployed in a manner that ensures their future trustworthiness
• Be disposed of securely

Keeping the network design simple is one of the most effective ways to ensure the network provides the expected security and performance. The use of certificates generated in a cryptographically secure manner allows VPN gateways and clients to successfully identify themselves to each other while helping to mitigate brute force attacks.

Conclusion

There are many encryption solutions to help agencies and federal governments who want to move from Legacy MPLS to SDN or SD-WAN. Layer 4 encryption, for example, can integrate easily into any network and encrypt data in transit without disrupting performance or replacing the current network architecture.

Selecting a provider that can offer a PRIME compliant solution – such as Layer 4 encryption – is key in conforming to both today and tomorrow’s cyber security standards. And with NCSC starting to treat all networks as untrusted networks (especially those agencies using internet), PRIME is becoming the gold standard for which NCSC will measure regulatory compliance.

Therefore, it is important to consider a vendor that can offer a security solution that is not only compliant but is simple and uncomplicated, minimising disruption, resources and costs.

(33)

(82)

The wheels are now in motion and it’s sure to be an interesting journey. OEMs, insurers and new market entrants are all jockeying for position. The question is how do industry players identify a roadmap through new and different business models, data exchanges and partnership structures, that lead to workable, exciting new ecosystems; one able to deliver on customers’ high and still rising needs and expectations.

Sanjeev Mirle, Managing Director, Automotive & Mobility Strategic Partnerships, Liberty Mutual Insurance, a contributor to the upcoming Insurance Nexus by Reuters Events webinar on “Auto Insurers, OEMs and Supply Chains: Collaborating for the New Consumer” had this to say on the topic:

“Insurance can be a natural extension of many OEMs’ brand promise of safety, convenience, and peace of mind.  The growth of advanced safety systems, connected vehicle data and analytics, and online shopping for both vehicles and insurance is prompting collaboration across the auto and insurance industries to create new business models and differentiated value for their shared customers.”

Be sure to join the free webinar now “Auto Insurers, OEMs and Supply Chains: Collaborating for the New Consumer” (December 6^nd, 10.00 Central US time).

Simply register for free here.

The free to listen to session which will also canvass opinions from: Stephen Applebaum, Managing Partner, Insurance Solutions Group (Moderator), Pete Frey, Commercial Telematics & Connected Business Director, Nationwide and Clint Marlow, Director, Allstate.

Key lines of questioning and debate will include the challenge of leveraging real core competencies to successfully navigate disruption and connectivity and Inter-and-cross industry partnerships; their selection, design and execution being the key differentiators. Data privacy and security are also critical; and understanding the design for these new “rules of the road.”

The session moderator, Stephen Applebaum feels this topic is a critical area for modern carriers to consider: “‘Gradually, then suddenly’ best explains how the demand for totally new and very different relationships have emerged between auto insurers, OEMs, collision repairers and the broad transportation industry supply chain – all focused on the new consumer and the data-rich connected vehicle ecosystem. The question is no longer if, but how?“

What role will you play as part of a mobile, information-rich and profitable working relationship that will serve your common customers? Join the free webinar today, and if you can’t listen live you can still access the recordings.

Simply register for free here.

For more information please contact Graham Proud:

Graham Proud

Insurance Nexus by Reuters Events

Tel: +44 (0)20 7375 7221

graham.proud@insurancenexus.com

About Insurance Nexus

Insurance Nexus is the central hub for insurance executives. Through in-depth industry analysis, targeted research, niche events and quality content, we provide the industry with a platform to network, discuss, learn and shape the future of the insurance industry.

Insurance Nexus by Reuters Events is part of FC Business Intelligence Ltd. FC Business Intelligence Ltd is a registered company in England and Wales. Registered number 04388971, 7-9 Fashion Street, London, E1 6PX, UK

(22)

Written by Tony Pepper, CEO of Egress

Whilst working from home during the festive period represents a well-meaning attempt by staff to maintain productivity, it can also expose a business to considerable risk, much to the delight of cyber criminals looking to exploit the Christmas holidays for their own gain. Without due consideration for the security of what they are doing, a careless employee could compromise corporate data and information and, in the worst-case scenario, create a data breach.

Likewise, outside of normal working environments, unsuspecting employees are an easy target for phishing and other forms of attacks during holiday times. Cyber criminals are increasingly exploiting the noise created by Black Friday and Cyber Monday, where unsuspecting shoppers are often more concerned with the latest bargains from retailers, rather than worrying about the safety of their personal information. Furthermore, with colleagues covering busy holiday workloads, less familiar with procedures and controls, it is easy for an email to end up in the wrong hands.

With employees’ intentions in the right place, it is up to organisations to stay one step ahead to ensure that security is not being compromised. A lot of the time this comes down to education and training, because all too often employees are blissfully unaware of the scale of the problem and how they may be compounding it.

To this point we recently obtained, via a Freedom of Information (FOI) request, statistics from the Information Commissioner’s Office (ICO) on human error, which today remains the main cause of personal data breaches (PDBs). The figures showed that, of the 4856 PDBs reported to the ICO between January and June this year, 60% were the result of human error. Of these nearly half (43%) were the result of incorrect disclosure. Nearly a fifth (18%) were attributed to emailing information to incorrect recipients or failing to use Bcc, and 5% were caused by providing data in a response to a phishing attack.

These statistics show how easily this can happen in the day-to-day working environment, so imagine how this could be amplified when you have employees remotely ‘dipping in and out of work’ whilst on holiday.

Likewise, we commissioned research earlier in the year that explored the reasons why insider data breaches occur. In the research we asked employees if they had accidentally shared data and why they thought this had happened. Of those who had accidentally shared data, almost half (48%) said they had been rushing, and 29% said it happened because they were tired. The most frequently cited employee error was accidentally sending data to the wrong person (45%), while 27% had been caught out by phishing emails. Sending data to the wrong person can be as simple as mis-typing or auto-complete of an email address, a mistake when sending to a distribution list, or simply using the wrong attachment.

However, rather than discouraging employees from keeping up to date with work – because it is inevitable in our 24/7 always-on world – what holiday tips can employers give their employees and what should organisations be thinking about?

Taking organisations first, we recommend that they adopt a people-centric approach. By focusing on people as part of their data security strategy, organisations can build a safety net for users’ behaviour to prevent accidental, as well as malicious, data breaches. This means putting in place solutions that surround the user, providing them with simple and easy-to-use tools so that they can protect sensitive information.

Additionally, comprehensive data analytics and e-discovery can help security administrators establish a baseline of normal behaviours and therefore provide the ability to spot anomalies. Here at Egress we provide a people-centric data security platform that protects and supports users, helping them to make the ‘right’ decisions when sharing sensitive data. By building machine learning into everything we do, we help detect threats and provide a wide range of insights into behavioural patterns to identify anomalies across the organisation. So, for example, if you take the mistyping of email addresses and accidental sends, our platform detects and alerts even on Cc and Bcc recipients that may not belong in a certain message.

But what tips should employers pass onto their employees? Here are my top five recommendations, all quite simple, but combined with an organisation taking a people-centric approach, should help keep data safe and hackers at bay during the holiday season.

Use unique passwords and change them often

Don’t make it easy for them! Birthdays, nicknames, pet and children’s names – these make for terribly insecure passwords that are constantly exploited by even the most amateur of hackers.

Log out when you have finished

It’s not just something we need to worry about at internet cafes; Wi-Fi, Bluetooth, and network technology have advanced far enough that people accessing your devices is the real concern. That’s why it’s always a good idea to log out of any account if you have finished using it, or if you will be away from the device for an extended period of time.

Only send sensitive information over email if it is encrypted

Whenever possible, it’s a good idea to only send sensitive information via email that is encrypted. It is never a good idea to send credit card numbers, bank details, passwords, and so on if you haven’t encrypted this data, even if you are sending to a family member or close friend. The fact remains that any critical information sits waiting in their inbox or archives for the day it is accidentally forwarded, phished, or stolen.

Check any link before clicking

Even if an email looks like it is from a credible source, there is nothing guaranteeing that any links contained within the message lead back to a legitimate source. It’s important that you know where a link is going to take you before you click it. Otherwise, you may unintentionally reveal sensitive information. If an email asks you to click on a link, button, or other hyperlink elements, you should first hover over (or preview) that link to see its address. If in doubt, seek advice from your IT team.

Never download something in an email from an unknown sender

It’s common for hackers to use attachments and downloads in emails to introduce malicious programmes into user’s devices. More often than not the user remains completely unaware that they have downloaded these scripts which can do anything from slowing their device’s performance to stealing their sensitive information. That is why you should never open or download anything inside an email from a sender you don’t recognise or know.

Now, go and enjoy your Christmas festivities!

(67)

(108)

(53)

(56)