Certes Networks continues to bring new innovation and product features to its encryption management solutions and is proud to announce the launch of its Observability feature to deliver on its promise to keep data secure.
Many organizations are in the early adoption stages of cloud-native technologies, with the failure modes of these models still not widely understood. To successfully manoeuvre this new, but often obscure world, gaining visibility into the behaviour of applications has become more pressing than ever, and bringing better visibility into network systems through observability remains a key way to do this.
With the launch of Observability, customers can now have both visibility and observability of their data in transit. Logs, metrics and traces are useful tools that help with testing, understanding and debugging systems. However, an observable system isn’t achieved by simply having monitoring in place, nor is it achieved by having an SRE team carefully deploy and operate it.
With the Certes Networks Observability feature, organizations are now not just trying to monitor and identify threats and keep them out of their network. Through generating and defining policies, network policy enforcement will allow organizations to ensure that only authorized applications and users are communicating with one another while enabling them to meet their own governance, security and compliance requirements.
Through the export of network flows and Certes’ proprietary metadata, organizations can gain a deeper understanding of network policy deployment and enforcement and analyze every application that tries to communicate across the network, all the while monitoring pathways for potential threats, now that each policy is observable.
“Our solution allows you to program security policies in a simple and flexible way. This improves your overall security posture and makes it very difficult for attackers to make lateral ‘east-west’ moves in your WAN or data center. Our ability to visualize and observe the real-time state of the network, even when the traffic is encrypted, allows the security team to spot exfiltration attempts or unauthorized accesses easily. This greatly increases the ability of the user to prevent and manage breaches. This ability to see the impact of policy on the network significantly enhances security,” commented Sean Everson, CTO, Certes Networks.
Everson continues, “Observability is a feature that needs to be fully integrated into a network system and the launch of Certes Networks Observability addresses the security and operations concerns of our customers and delivers on our promise to keep their data secure.”
Cranfield University is investing £3.5 million in the latest forensic science technology at its Cranfield campus. Building on Cranfield’s distinctive strength in defence and security, this forensic science teaching and research facility will be unparalleled in the UK.
Students and staff will have access to new facilities such as a virtual reality autopsy table, crime scene investigation rooms and a simulated mass grave excavation site, from summer 2020.
Cranfield Forensic Institute is one of the world’s leading forensic science departments specialising in areas such as archaeology, ballistics, engineering failures, explosives and materials science. Students who have graduated through the Institute have gone on to leading roles in the police, the Home Office and academia.
To celebrate the investment the University is also announcing that five full scholarships will be available through to prospective students demonstrating excellence in their field.
Professor Andrew Shortland, Director of Cranfield Forensic Institute, said: “The investment in these new technologies will create unparalleled facilities for our students and staff to develop their research and learning. For decades, Cranfield Forensic Institute has been at the forefront of forensic science globally; these new facilities will enable us to raise our ambitions even further and enable our students to continue to be at the front of the queue for careers in organisations such as the police, Home Office and DSTL.”
Professor Sir Peter Gregson, Chief Executive and Vice-Chancellor, said: “Cranfield has a proud track record of leading forensic science research and education. I’m delighted that the University is able to invest in these new leading facilities for our students and our staff.”
Matt Cable, VP Solutions Architect and MD Europe, Certes Networks
Shining a Spotlight on UK Cyber Security Standards
Public sector organisations in the UK are in the midst of changing cyber security regulations. In mid-2018, the Government, in collaboration with the NCSC, published a minimum set of cyber security standards. These standards are now mandated, along with a focus on continually “raising the bar”. The standards set minimum requirements for organisations to protect sensitive information and key operational services, which – given the way in which these services are increasingly dispersed – is driving significant changes in public sector network architecture and security.
In addition to setting today’s ‘minimum’ standards, however, the guidance also sets a target date of 2023 by which public sector organisations will be expected to have adopted a ‘gold-standard’ cyber security profile. Matt Cable, VP Solutions Architect and MD Europe, Certes Networks, therefore outlines the essential considerations that will help organisations select an encryption solution provider that can easily integrate into any network infrastructure as they migrate from Legacy MPLS to SDN or SD-WAN network architectures.
For both public and private sector organisations, customer experience is key. From finance and utilities, to local authorities and smart cities, customer touchpoints are increasingly dispersed, remote and application-driven, necessitating a move from Legacy MPLS to SDN or SD-WAN. However, under the Government’s new minimum cyber security standards framework, ensuring sensitive information and key services are protected is a critical consideration.
The UK’s National Cyber Security Centre (NCSC) has therefore issued principles for cyber secure enterprise technology to organisations, including guidance on deploying and buying network encryption, with the aim of reducing risks to the UK by securing public and private sector networks. This guidance bears parallels with the US National Institute of Standards and Technology’s (NIST) Cybersecurity Framework and therefore applies equally to US and other federal organisations in a similar scenario.
Similar to the NIST framework, the NCSC guidance shares the same principle that networks should not be trusted. It recommends that to keep sensitive information protected, encryption should be used between devices, the applications on them, and the services being accessed. IPsec is the recommended method for protecting all data travelling between two points on a network to provide an understood level of security, with further guidance outlining a specific ‘gold-standard’ cipher suite profile known as PRIME.
The guidance is based on the network vendor being CAS(T) certified (CESG (Communications Electronics Security Group) Assured Services (Telecommunications)), which involves an independent assessment focused on the key security areas of service availability, insider attack, unauthorised access to the network and physical attack.
However, there are challenges.
Challenge #1 – Public Sector Adherence to CAS(T)
Many public sector organisations are no longer mandating CAS(T)-based services and therefore the risk appetite is expected to be lowered, mainly to support the emergence of internet and SD-WAN suppliers’ network solutions. This is key as the current NCSC-recommended Foundation standards for IPsec will expire in 2023, and users are being encouraged to move quickly off legacy platforms.
Challenge #2 – Impact to Cloud Service Providers and Bearer Networks
This guidance, such as the protection of information flows on dedicated links between organisations, also applies to cloud service providers, or in the inter-data-centre connections in such providers’ networks.
The underlying bearer network is assumed not to provide any security or resilience. This means that any bearer network (such as the Internet, Wi-Fi, 4G/5G, or a commercial MPLS network) can be used. The choice of bearer network(s) will have an impact on the availability that an encrypted service can provide.
Challenge #3 – Partner Collaboration
NCSC explicitly states in its guidance that establishing trustworthy encrypted network links is not just about technology. It is also important that the management of these network links is carried out by appropriate individuals, performing their assigned management activities in a competent and trusted fashion, from a management system that protects the overall integrity of the system. Thus, for encryption solution providers, the partner’s service credentials impact how the end user may use the technology.
IPsec helps protect the confidentiality and integrity of information as it travels across less-trusted networks, by implementing network-based encryption to establish Virtual Private Networks (VPNs).
Under PRIME principles, devices which implement cryptographic protection of information using IPsec should:
Keeping the network design simple is one of the most effective ways to ensure the network provides the expected security and performance. The use of certificates generated in a cryptographically secure manner allows VPN gateways and clients to successfully identify themselves to each other while helping to mitigate brute force attacks.
There are many encryption solutions to help agencies and federal governments who want to move from Legacy MPLS to SDN or SD-WAN. Layer 4 encryption, for example, can integrate easily into any network and encrypt data in transit without disrupting performance or replacing the current network architecture.
Selecting a provider that can offer a PRIME compliant solution – such as Layer 4 encryption – is key in conforming to both today’s and tomorrow’s cyber security standards. And with NCSC starting to treat all networks as untrusted networks (especially those agencies using internet), PRIME is becoming the gold standard by which NCSC will measure regulatory compliance.
Therefore, it is important to consider a vendor that can offer a security solution that is not only compliant but is simple and uncomplicated, minimising disruption, resources and costs.
It has been reported that security researchers are urging Docker customers to upgrade to the latest version after detailing a proof-of-concept (PoC) attack exploiting a critical vulnerability, which could lead to full container escape. The CVE-2019-14271 flaw was fixed in Docker version 19.03.1, but if left unpatched could give an attacker full root code execution on the host.
Commenting on this, Satnam Narang, senior research engineer at Tenable, said “CVE-2019-14271 is a critical code injection flaw in the Docker copy (docker cp) command, which is used to copy files between containers. Exploitation of this flaw can lead to full container escape by an attacker. It is important to note that to exploit this vulnerability, an attacker would need to include the exploit code in a malicious Docker container image or compromise a container either via another vulnerability or using previously leaked Docker secrets.”
The wheels are now in motion and it’s sure to be an interesting journey. OEMs, insurers and new market entrants are all jockeying for position. The question is how do industry players identify a roadmap through new and different business models, data exchanges and partnership structures, that lead to workable, exciting new ecosystems; one able to deliver on customers’ high and still rising needs and expectations.
Sanjeev Mirle, Managing Director, Automotive & Mobility Strategic Partnerships, Liberty Mutual Insurance, a contributor to the upcoming Insurance Nexus by Reuters Events webinar on “Auto Insurers, OEMs and Supply Chains: Collaborating for the New Consumer” had this to say on the topic:
“Insurance can be a natural extension of many OEMs’ brand promise of safety, convenience, and peace of mind. The growth of advanced safety systems, connected vehicle data and analytics, and online shopping for both vehicles and insurance is prompting collaboration across the auto and insurance industries to create new business models and differentiated value for their shared customers.”
Be sure to join the free webinar now “Auto Insurers, OEMs and Supply Chains: Collaborating for the New Consumer” (December 6nd, 10.00 Central US time).
The free-to-listen session will also canvass opinions from Stephen Applebaum, Managing Partner, Insurance Solutions Group (Moderator); Pete Frey, Commercial Telematics & Connected Business Director, Nationwide; and Clint Marlow, Director, Allstate.
Key lines of questioning and debate will include the challenge of leveraging real core competencies to successfully navigate disruption and connectivity, and inter- and cross-industry partnerships, whose selection, design and execution are the key differentiators. Data privacy and security are also critical, as is understanding the design for these new “rules of the road.”
The session moderator, Stephen Applebaum, feels this topic is a critical area for modern carriers to consider: “‘Gradually, then suddenly’ best explains how the demand for totally new and very different relationships has emerged between auto insurers, OEMs, collision repairers and the broad transportation industry supply chain – all focused on the new consumer and the data-rich connected vehicle ecosystem. The question is no longer if, but how?”
What role will you play as part of a mobile, information-rich and profitable working relationship that will serve your common customers? Join the free webinar today, and if you can’t listen live you can still access the recordings.
For more information please contact Graham Proud:
Insurance Nexus by Reuters Events
Tel: +44 (0)20 7375 7221
About Insurance Nexus
Insurance Nexus is the central hub for insurance executives. Through in-depth industry analysis, targeted research, niche events and quality content, we provide the industry with a platform to network, discuss, learn and shape the future of the insurance industry.
Insurance Nexus by Reuters Events is part of FC Business Intelligence Ltd. FC Business Intelligence Ltd is a registered company in England and Wales. Registered number 04388971, 7-9 Fashion Street, London, E1 6PX, UK
Written by Tony Pepper, CEO of Egress
Whilst working from home during the festive period represents a well-meaning attempt by staff to maintain productivity, it can also expose a business to considerable risk, much to the delight of cyber criminals looking to exploit the Christmas holidays for their own gain. Without due consideration for the security of what they are doing, a careless employee could compromise corporate data and information and, in the worst-case scenario, create a data breach.
Likewise, outside of normal working environments, unsuspecting employees are an easy target for phishing and other forms of attacks during holiday times. Cyber criminals are increasingly exploiting the noise created by Black Friday and Cyber Monday, where unsuspecting shoppers are often more concerned with the latest bargains from retailers, rather than worrying about the safety of their personal information. Furthermore, with colleagues covering busy holiday workloads, less familiar with procedures and controls, it is easy for an email to end up in the wrong hands.
With employees’ intentions in the right place, it is up to organisations to stay one step ahead to ensure that security is not being compromised. A lot of the time this comes down to education and training, because all too often employees are blissfully unaware of the scale of the problem and how they may be compounding it.
To this point we recently obtained, via a Freedom of Information (FOI) request, statistics from the Information Commissioner’s Office (ICO) on human error, which today remains the main cause of personal data breaches (PDBs). The figures showed that, of the 4856 PDBs reported to the ICO between January and June this year, 60% were the result of human error. Of these nearly half (43%) were the result of incorrect disclosure. Nearly a fifth (18%) were attributed to emailing information to incorrect recipients or failing to use Bcc, and 5% were caused by providing data in a response to a phishing attack.
These statistics show how easily this can happen in the day-to-day working environment, so imagine how this could be amplified when you have employees remotely ‘dipping in and out of work’ whilst on holiday.
Likewise, we commissioned research earlier in the year that explored the reasons why insider data breaches occur. In the research we asked employees if they had accidentally shared data and why they thought this had happened. Of those who had accidentally shared data, almost half (48%) said they had been rushing, and 29% said it happened because they were tired. The most frequently cited employee error was accidentally sending data to the wrong person (45%), while 27% had been caught out by phishing emails. Sending data to the wrong person can be as simple as mis-typing or auto-complete of an email address, a mistake when sending to a distribution list, or simply using the wrong attachment.
However, rather than discouraging employees from keeping up to date with work – because it is inevitable in our 24/7 always-on world – what holiday tips can employers give their employees and what should organisations be thinking about?
Taking organisations first, we recommend that they adopt a people-centric approach. By focusing on people as part of their data security strategy, organisations can build a safety net for users’ behaviour to prevent accidental, as well as malicious, data breaches. This means putting in place solutions that surround the user, providing them with simple and easy-to-use tools so that they can protect sensitive information.
Additionally, comprehensive data analytics and e-discovery can help security administrators establish a baseline of normal behaviours and therefore provide the ability to spot anomalies. Here at Egress we provide a people-centric data security platform that protects and supports users, helping them to make the ‘right’ decisions when sharing sensitive data. By building machine learning into everything we do, we help detect threats and provide a wide range of insights into behavioural patterns to identify anomalies across the organisation. So, for example, if you take the mistyping of email addresses and accidental sends, our platform detects and alerts even on Cc and Bcc recipients that may not belong in a certain message.
But what tips should employers pass onto their employees? Here are my top five recommendations, all quite simple, but combined with an organisation taking a people-centric approach, should help keep data safe and hackers at bay during the holiday season.
Use unique passwords and change them often
Don’t make it easy for them! Birthdays, nicknames, pet and children’s names – these make for terribly insecure passwords that are constantly exploited by even the most amateur of hackers.
Log out when you have finished
It’s not just something we need to worry about at internet cafes; Wi-Fi, Bluetooth, and network technology have advanced far enough that people accessing your devices is the real concern. That’s why it’s always a good idea to log out of any account if you have finished using it, or if you will be away from the device for an extended period of time.
Only send sensitive information over email if it is encrypted
Whenever possible, it’s a good idea to only send sensitive information via email that is encrypted. It is never a good idea to send credit card numbers, bank details, passwords, and so on if you haven’t encrypted this data, even if you are sending to a family member or close friend. The fact remains that any critical information sits waiting in their inbox or archives for the day it is accidentally forwarded, phished, or stolen.
Check any link before clicking
Even if an email looks like it is from a credible source, there is nothing guaranteeing that any links contained within the message lead back to a legitimate source. It’s important that you know where a link is going to take you before you click it. Otherwise, you may unintentionally reveal sensitive information. If an email asks you to click on a link, button, or other hyperlink elements, you should first hover over (or preview) that link to see its address. If in doubt, seek advice from your IT team.
Never download something in an email from an unknown sender
It’s common for hackers to use attachments and downloads in emails to introduce malicious programmes into users’ devices. More often than not, the user remains completely unaware that they have downloaded these scripts, which can do anything from slowing their device’s performance to stealing their sensitive information. That is why you should never open or download anything inside an email from a sender you don’t recognise or know.
Now, go and enjoy your Christmas festivities!
It has been reported that one of Iran’s most active hacker groups appears to have shifted focus. Rather than just standard IT networks, they’re targeting the physical control systems used in electric utilities, manufacturing, and oil refineries. At the CyberwarCon conference today, a Microsoft security researcher plans to present new findings that show this shift in the activity of the Iranian hacker group APT33, also known by the names Holmium, Refined Kitten, or Elfin.
Commenting on this, Sam Curry, chief security officer at Cybereason, said “Microsoft’s research into APT33’s recent targeting of industrial control systems reminds us that in the great cyber game, it’s about using peacetime to build “optionality”; amass assets, resources and access. The Iranian cyber forces are masters of this, and seeing increases in the cold war that is cyber conflict, it makes sense that they would continue to grow what’s worked in the past: expand penetration of weak networks with high access, produce tools for use in the ecosystem of cyber aggressors and build capacity.”
Forbes reported that the security research team at Checkmarx has discovered vulnerabilities affecting Google and Samsung smartphones, with the potential to impact hundreds of millions of Android users, the biggest to date. Researchers discovered a way for an attacker to take control of smartphone camera apps and remotely take photos, record video, spy on your conversations by recording them as you lift the phone to your ear, identify your location, and more. All of this performed silently, in the background, with the user none the wiser.
In response, Craig Young, senior security researcher at Tripwire, stated:
One of the most important aspects of Android app security is to lock down exported activities. Within Android, Intents serve as the glue for cross-application interaction at runtime allowing, for example, one app to invoke an activity from another. Poorly designed activities can be leveraged by malicious apps to perform actions or access data that would normally incur a permissions request.
In this case, Google left an open activity for triggering the CameraActivity specifying that it should take a picture or record a video. A malicious app with storage permission could trigger the activity and then access the resulting media files from the phone’s internal storage. It is frankly quite shocking that Google would make such a mistake in their own camera app.
In the long term, I think AOSP needs to seriously consider finer-grained access controls between apps. Something like a firewall for Intent messages so that users have some control over which other apps a given app can interact with.
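The advice above to lock down exported activities can be checked mechanically from an app's manifest. The following is an added example, not part of Craig Young's statement and not code from Google or Checkmarx: a Python audit that flags activities, services and receivers that other apps can start without a permission, or with only a normal-level permission. The manifest is constructed for a hypothetical app, `com.example.camera`; content providers are left out because they use separate read and write permissions.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
AUDITED = ("activity", "activity-alias", "service", "receiver")

# Constructed sample manifest for a hypothetical app, com.example.camera.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.camera">
  <permission android:name="com.example.camera.permission.RECORD"
              android:protectionLevel="signature"/>
  <permission android:name="com.example.camera.permission.SHARE"/>
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <activity android:name=".CaptureActivity">
      <intent-filter><action android:name="com.example.camera.action.CAPTURE"/></intent-filter>
    </activity>
    <activity android:name=".RecordActivity" android:exported="true"
              android:permission="com.example.camera.permission.RECORD"/>
    <activity android:name=".ShareActivity" android:exported="true"
              android:permission="com.example.camera.permission.SHARE"/>
    <activity android:name=".SettingsActivity"/>
    <service android:name=".UploadService" android:exported="false"/>
    <receiver android:name=".BootReceiver" android:exported="true"/>
  </application>
</manifest>
"""

def is_launcher_only(elem):
    """True when every intent-filter is the MAIN/LAUNCHER entry, which must stay exported."""
    def names(f, tag):
        return {e.get(NS + "name") for e in f.findall(tag)}
    filters = elem.findall("intent-filter")
    return bool(filters) and all(
        names(f, "action") == {"android.intent.action.MAIN"}
        and "android.intent.category.LAUNCHER" in names(f, "category")
        for f in filters)

def audit_manifest(xml_text):
    """Return sorted (tag, name, reason) for components other apps can start unchallenged."""
    root = ET.fromstring(xml_text)
    # A <permission> without protectionLevel is "normal": granted at install, no prompt.
    levels = {p.get(NS + "name"): p.get(NS + "protectionLevel", "normal")
              for p in root.findall("permission")}
    app = root.find("application")
    findings = []
    for elem in app:
        if elem.tag not in AUDITED or is_launcher_only(elem):
            continue
        exported = elem.get(NS + "exported")
        if exported is None:
            # No attribute: an intent-filter makes the component exported by default
            # (apps targeting API 31+ must declare the attribute explicitly).
            if elem.find("intent-filter") is None:
                continue
            how = "implicitly exported"
        elif exported.lower() == "true":
            how = "exported"
        else:
            continue
        # A component-level permission overrides the <application>-level default.
        perm = elem.get(NS + "permission") or app.get(NS + "permission")
        if perm is None:
            findings.append((elem.tag, elem.get(NS + "name"), how + ", no permission"))
        elif levels.get(perm) == "normal":
            findings.append((elem.tag, elem.get(NS + "name"), how + ", normal-level permission"))
    return sorted(findings)

if __name__ == "__main__":
    for tag, name, reason in audit_manifest(SAMPLE_MANIFEST):
        print(f"{tag:9} {name:17} {reason}")
```

Permissions declared outside the manifest being audited (platform permissions, for instance) are treated as adequate here because their protection level is not visible in the file.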