The Politics of Cybersecurity - Infosecurity Magazine

Q2 /// 2015 /// VOLUME 12 /// ISSUE 2 STRATEGY /// INSIGHT /// TECHNOLOGY PLUS: INFOSECURITY EUROPE 2015 /// GOOGLE VS MICROSOFT /// THE RISE OF CYBER INSURANCE The Politics of Cybersecurity How Information Sharing and Data Collection are Igniting Political Discourse in 2015



Contents: April/May/June 2015

COVER FEATURE

14 Cybersecurity from Capitol Hill to Whitehall. Proclamations on cybersecurity and government surveillance have ignited political discourse in early 2015. Wendy M. Grossman cuts through the spin

FEATURES

18 The Rising Cost of Cyber-Insurance. You can insure yourself against cyber-attack, says Danny Bradbury, but be warned, prices are going up

22 Google vs Microsoft: Let the Patch Wars Commence. Phil Muncaster investigates whether an ongoing dispute between Google and Microsoft could change the way we fix security flaws in the future

49 Tales from the Crypt: Hardware vs Software. Encryption is never out of the spotlight in this industry, but the methods that businesses can deploy to encrypt their data are wide-ranging. Daniel Brecht examines the pros and cons of the various solutions on offer

POINT-COUNTERPOINT

52 People are the Most Important Piece of the Cybersecurity Puzzle. When it comes to strategic investment in security operations, KPMG's Stephen Bonner argues that people should take precedence over the latest, shiniest tools

www.infosecurity-magazine.com /// 1

@InfosecurityMag

INFOSECURITY EUROPE 2015

26 WELCOME

26 SHOW FACTS

30 KEYNOTE STAGE AGENDA

32 INTELLIGENT DEFENCE: EUROPEAN TECHNICAL RESEARCH CONFERENCE AGENDA

34 STRATEGY TALKS AGENDA

36 TECH TALKS AGENDA

38 INFORMATION SECURITY EXCHANGE, TECHNOLOGY SHOWCASE & CYBER INNOVATION SHOWCASE

39 NEW PRODUCTS & SERVICES GUIDE

40 SECURITY WORKSHOPS & SECURITY TRAINING

42 NEW FEATURES

46 EXHIBITOR LIST


53 In Re-assessing Security, Technology Holds the Key. Prioritizing investment in perimeter-agnostic and data-centric technologies is how companies can keep from being tomorrow's data breach headline, writes Watchful Software's Charles Foley

OPINION

58 Decoupling Encryption: Building Bridges Between CISO and CTO. Certes Networks' Paul German argues encryption's role must change

REGULARS

4 EDITORIAL. Eleanor Dallaway says farewell – for now – and looks back on some of her highlights from almost a decade in the industry

6 NEWS FEATURE. Whether meddling kids or a serious menace, Lizard Squad is part of a phenomenon that is here to stay, concludes Fahmida Rashid

10 INTERVIEW. Eleanor Dallaway interviews Intel Security's CTO, Raj Samani, a man so passionate about infosec that he turned a weekend at Legoland into an infosec lesson for some of the park's young visitors

54 MARKET ANNOUNCEMENTS. Product news from the vendor space

59 SLACK SPACE. Car-wash hacks; pay-by-selfie; and USBs turned computer-killer

60 PARTING SHOTS. Deputy Editor Mike Hine confronts the issue of information overload

EDITOR & PUBLISHER: Eleanor [email protected], +44 (0)208 9107893

DEPUTY EDITOR: Mike [email protected], +44 (0)208 4395643

ONLINE UK NEWS EDITOR: Phil Muncaster [email protected]

ONLINE US NEWS EDITOR: Tara [email protected]

PROOFREADER: Clanci Miller [email protected]

CONTRIBUTING EDITOR: Stephen [email protected]

ONLINE ADVERTISING: Elex van [email protected], +44 (0)20 8910 7810

PRINT ADVERTISING: Melissa [email protected], +44 (0)1462 420009; Rosalia [email protected], +44 (0)1462 420009

MARKETING MANAGER: Rebecca [email protected], Tel: +44 (0)208 9107861

DIGITAL MARKETING CO-ORDINATOR: Karina [email protected], Tel: +44 (0)20 84395463

PRODUCTION SUPPORT MANAGER: Andy Milsom

ADVISORY EDITORIAL BOARD: John Colley: Managing director, (ISC)2 EMEA; Marco Cremonini: Università degli Studi di Milano; Roger Halbheer: Chief security advisor, Microsoft; Hugh Penri-Williams: Owner, Glaniad 1865 EURL; Raj Samani: CTO, McAfee EMEA, chief innovation officer, Cloud Security Alliance; Howard Schmidt: Former White House Cybersecurity Coordinator; Sarb Sembhi: Past-president, ISACA London, editor of Virtually Informed; W. Hord Tipton: Executive director, (ISC)2; Patricia Titus

ISSN 1754-4548

Copyright
Materials available in Reed Exhibitions Limited's Infosecurity magazine and websites are protected by copyright law. Copyright ©2015 Reed Exhibitions Limited. All rights reserved.

No part of the materials available in Reed Exhibitions Limited's Infosecurity magazine or websites may be copied, photocopied, reproduced, translated, reduced to any electronic medium or machine-readable form or stored in a retrieval system or transmitted in any form or by any means, in whole or in part, without the prior written consent of Reed Exhibitions Limited. Any reproduction in any form without the permission of Reed Exhibitions Limited is prohibited. Distribution for commercial purposes is prohibited.

Written requests for reprint or other permission should be mailed or faxed to:

Permissions Coordinator, Legal Administration, Reed Exhibitions Limited, Gateway House, 28 The Quadrant, Richmond TW9 1DN. Fax: +44 (0)20 8334 0548. Phone: +44 (0)20 8910 7972

Please do not phone or fax the above numbers with any queries other than those relating to copyright. If you have any questions not relating to copyright please telephone: +44 (0)20 8271 2130.

Disclaimer of warranties and limitation of liability
Reed Exhibitions Limited uses reasonable care in publishing materials available in Reed Exhibitions Limited's Infosecurity magazine and websites. However, Reed Exhibitions Limited does not guarantee their accuracy or completeness. Materials available in Reed Exhibitions Limited's Infosecurity magazine and websites are provided "as is" with no warranty, express or implied, and all such warranties are hereby disclaimed. The opinions expressed by authors in Reed Exhibitions Limited's Infosecurity magazine and websites do not necessarily reflect those of the Editor, the Editorial Board or the Publisher. Reed Exhibitions Limited's Infosecurity magazine websites may contain links to other external sites. Reed Exhibitions Limited is not responsible for and has no control over the content of such sites. Reed Exhibitions Limited assumes no liability for any loss, damage or expense from errors or omissions in the materials or from any use or operation of any materials, products, instructions or ideas contained in the materials available in Reed Exhibitions Limited's Infosecurity magazine and websites, whether arising in contract, tort or otherwise. Inclusion in Reed Exhibition Limited's Infosecurity magazine and websites of advertising materials does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer.


Goodbye For Now

As of June 4, I will be taking a break from the world of information security to bring my very own mini @InfosecEditor into the world. As I get ready to send to press what will be the last issue of Infosecurity that I work on for a year, allow me to indulge in a trip down memory lane as I pick nine of my favourite memories from my nine years at the best information security magazine and news site there is.

9: Woman of Influence
When Microsoft nominated me for the 'women of influence' awards at the EWF event in 2013, I was humbled and honored. I flew out for the awards, entirely expecting to come home empty handed but content having spent a week at the incredible Gainey Ranch in Scottsdale, Arizona with a couple of hundred inspiring women from the world of information security. Winning the accolade was just the icing on the cake.

8: Digital Evolution
When I joined Infosecurity in 2006, we had a static website, and a print magazine. In 2008, I launched our webinar series and virtual conferences. Seven years later, we run astoundingly popular weekly webinars and quarterly virtual conferences. More than 10,000 people attended our 2014 summer virtual conference, and our webinar channel reaches over 350,000 infosec professionals. That's a digital evolution to be proud of.

7: Gong After Gong
I first won my own BT journalism award back in 2008, but better still has been attending the awards every year and picking up award after award for Infosecurity features. We've never walked away empty-handed and usually scoop multiple gongs, testament to our diligent, cutting-edge reporting and editorial integrity and excellence.

6: Let the Show Commence!
I've survived nine Infosecurity Europes, but only four of them as an 'insider'. Infosec is a crazy week for anyone attending, but for the show team behind Europe's number one information security event, it's carnage. But nothing beats the buzz, or the intense work that brings the team together.

5: Interviewing Paul Judge
Writing the profile interviews for each issue of Infosecurity ranks pretty highly on my list of why I love my job. But my all-time favourite was Dr Paul Judge, a serial entrepreneur and noted scholar, whose passion for business and life left me completely in awe. I've enjoyed interviewing Judge on multiple occasions since, but more enjoyable still were the tens of bottles of incredible wine we've enjoyed – along with a limousine full of wonderful infosec people and friends – in Napa Valley after RSA finishes each year.

4: Relaunch, Revitalize
It took about two years from planning to live launch, but when we finally set our brand new website live last summer, I was as proud as punch. Huge kudos goes to Rebecca Harper, for leading this project through completion, and to Carlos Gomez-Rios, our then project co-ordinator, whose technical expertise and imagination contributed greatly to the success of the new site. Eight months on, it's still a shiny new toy that I can't get enough of.

3: Traveling the World
My very first overseas conference is special to me for many reasons. I was young, eager to travel, and couldn't believe my luck as I arrived in Orlando, eager to learn about an industry then alien to me. Since then, I've travelled to eight RSAs in San Francisco, five Black Hats in Vegas, and attended events in Miami, Seattle, Denver, Chicago, New York, Washington DC, Philadelphia, and Arizona. Closer to home, I've been lucky enough to travel to Israel, Russia, and tens of other countries that column inches dictate I omit. Not only have I seen so much of the world, but the industry is no longer alien to me, and more importantly still, nor are the people in it. I've made friends that I know will last a lifetime.

2: Two Become One
In 2011, Infosecurity Magazine and Infosecurity Europe merged to create the Infosecurity portfolio, bringing together two power brands to create a one-stop-shop for industry, and a singularly authoritative source of information for the industry. I gained a whole new team of wonderful colleagues…and we've never looked back.

1: People, Wonderful People
And finally, there could be no highlight greater than all of the amazing people I've been lucky enough to work with over the past nine years, both colleagues and industry friends. These are the people that make saying goodbye – even if it is only for a year – very difficult.

I'll be at Infosecurity Europe for my last hurrah and would love to see as many of you as possible, so please do find me at the Infosecurity Magazine booth.

Now that I'm feeling appropriately nostalgic, all that's left to say is thank-you to all of our readers, and anyone who has contributed to the above nine memories. I'll see you in 2016. Until then, keep reading and take care.

Eleanor Dallaway, Editor
@InfosecEditor


NEWS FEATURE

Lizard Squad: Original Pranksters

Whether meddling kids or a serious menace, Lizard Squad is part of a phenomenon that is here to stay, concludes Fahmida Rashid

Last year, over Christmas, millions of gaming fans were outraged when distributed denial of service (DDoS) attacks took down Xbox Live and Sony's PlayStation Network. A group going by the name Lizard Squad claimed responsibility. This was the same group behind the server outages for popular online games League of Legends and Runescape in August.

In 2015 alone, Lizard Squad has already claimed responsibility for hijacking the websites of Malaysia Airlines, Lenovo, and Google Vietnam.

The group's sole motivation for these attacks – based on its Twitter activity – appears quite simple: because they can. The group considered the Christmas attacks against Xbox Live and PlayStation Network to be "sort of a game" carried out for its own amusement, a self-proclaimed Lizard Squad member said in an interview with the UK's Sky News.

Lizard Squad is becoming a household name because it is prolific, but also because its activities are so visible, says Andrew Hay, director of security research at OpenDNS. The group has relied mainly on DDoS attacks to cause server outages at heavily-trafficked sites. It hasn't defaced actual company websites, but rather redirected users to spoofed websites to make it seem like the pages are compromised.

"I hesitate to call Lizard Squad hacktivists," Hay says, noting that hacktivists generally have a call-to-action, a reason for engaging in the attacks. 'Pranksters' is a better description, he suggests.

Cyber-attackers are generally categorized by their motivations. Nation-state attackers further the government's goals, whether that extends to espionage, sabotage, or theft. Cyber-criminals are financially motivated and typically focus on stealing money or valuable assets. Hacktivists are ideologically motivated, and their activities are typically designed to draw attention to something they care about, such as promoting free speech or protesting child pornography. Lizard Squad doesn't quite fit into any of these brackets.

For the Lulz
Lizard Squad's activities may evoke memories of LulzSec, an earlier hacking group which took on some high-profile organizations and websites in 2011. Even though LulzSec picked its targets based on 'lulz', or laughs, it clearly had hacktivist roots.

LulzSec was originally a disillusioned offshoot of the hacker collective Anonymous intent on exposing "just how bad things were" with security at some of the world's largest brands, Hay explains. Lizard Squad, in comparison, is "doing what it can for fun."

Dismissing Lizard Squad just because it doesn't have an ideology or employ sophisticated attack methods would be a bad idea, says David Francis, a cybersecurity officer at Huawei UK. He adds that it doesn't matter that the group isn't using sophisticated tactics to disrupt operations and interfere with user experience, because the fact remains that Lizard Squad did succeed in its goals, and there was an impact on reputation and revenue.

"Whether you class Lizard Squad as pranksters or not is irrelevant; the bottom line is that all organizations, large or small, are subject to attacks," Francis argues.

Tools of the Trade
Organizations operating online should be concerned about the methods the group uses, says Steve Armstrong, a certified instructor at the SANS Institute. Lizard Squad launches its DDoS attacks using a botnet of compromised routers belonging to home users. Lizard Squad also put Lizard Stresser, a DDoS-for-hire tool that lets paying customers launch their own attacks through the same botnet, up for sale on its website.

LizardStresser is an IRC-controlled Linux bot which attempts to connect to random IP addresses on the internet and log in with default usernames and passwords. Users who have not changed the default credentials on their routers may find their network devices hijacked into the botnet taking part in these attacks.

The source code was eventually leaked on GitHub, and some security experts who analyzed the code said it was unoriginal and unimpressive. It didn't have to be sophisticated: Lizard Squad was able to successfully launch its own attacks, and so were other people who bought the tool. Home routers are notoriously insecure since device manufacturers may take a while to roll out security updates, and users may not know how to install the firmware, which means LizardStresser will continue to be effective.
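The default-credential spraying LizardStresser relies on leaves a distinctive trace on any device that logs telnet login attempts: one source cycling through several factory-default username/password pairs in quick succession. The following is an added example, not code from the article or from the leaked tool. It runs simple detection logic over a few constructed telnet-login log lines; the log line format and the short default-credential list are assumptions made for the example, and a real deployment would feed it the device's own auth log and a fuller list of vendor defaults.

```python
"""Flag LizardStresser-style default-credential spraying in telnet logs.

Added example, not code from the article or from Lizard Squad's tool.
The syslog-like line format and DEFAULT_CREDS are constructed assumptions.
"""
from collections import defaultdict
import re

# Constructed sample log: two scanners cycling through factory defaults,
# and one legitimate user with a non-default password.
SAMPLE_LOG = """\
Jan 02 10:01:03 gw telnetd[311]: login attempt user=root pass=root from=198.51.100.7
Jan 02 10:01:04 gw telnetd[311]: login attempt user=admin pass=admin from=198.51.100.7
Jan 02 10:01:04 gw telnetd[311]: login attempt user=root pass=12345 from=198.51.100.7
Jan 02 10:01:09 gw telnetd[311]: login attempt user=alice pass=Tr0ub4dor&3 from=192.0.2.10
Jan 02 10:01:30 gw telnetd[311]: login attempt user=admin pass=password from=203.0.113.5
Jan 02 10:01:31 gw telnetd[311]: login attempt user=root pass=admin from=203.0.113.5
Jan 02 10:01:32 gw telnetd[311]: login attempt user=support pass=support from=203.0.113.5
"""

# Short constructed list of factory-default pairs common on consumer routers.
DEFAULT_CREDS = {
    ("root", "root"), ("root", "admin"), ("root", "12345"),
    ("admin", "admin"), ("admin", "password"), ("support", "support"),
}

LINE_RE = re.compile(r"login attempt user=(\S+) pass=(\S+) from=(\S+)")


def parse_attempts(log_text):
    """Yield (user, password, source_ip) for each login-attempt line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def find_default_cred_sprayers(log_text, threshold=2):
    """Return {source_ip: [(user, password), ...]} for every source that
    tried at least `threshold` distinct factory-default pairs.

    One default attempt may be a forgetful administrator; several distinct
    defaults from the same host within a short window is the signature of a
    bot recruiting routers, which is what LizardStresser does."""
    by_source = defaultdict(set)
    for user, password, src in parse_attempts(log_text):
        if (user, password) in DEFAULT_CREDS:
            by_source[src].add((user, password))
    return {src: sorted(pairs) for src, pairs in by_source.items()
            if len(pairs) >= threshold}


if __name__ == "__main__":
    for src, pairs in find_default_cred_sprayers(SAMPLE_LOG).items():
        print(f"{src}: tried {len(pairs)} default pairs: {pairs}")
```

Raising `threshold` trades sensitivity for fewer false positives; the more durable fix, as the article notes, is that the defaults themselves are changed and telnet is not exposed to the internet at all.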

A recent analysis by Recorded Future, a web intelligence and predictive analysis company, identified a Windows-based bot client linked to Lizard Squad which has not yet been used.

"It remains unclear what will come of this botnet, but it's related to Lizard Squad and is more capable than LizardStresser," the company said.

Organizations have to understand that DDoS attacks are serious because they impact service availability and inconvenience end-users. If the gamers can't get to the servers to play, they can get annoyed and move on to other games, Hay says.

While many organizations may work with upstream providers to fight back and try to outlast the attack duration, there is the possibility that organizations may just pay a ransom to make the attackers go away.

This can be risky, because the money "could just encourage more attacks," Hay adds.

Cyber Vandalism
During the DDoS attacks against Xbox Live and PlayStation Network in December, Kim Dotcom offered 3000 free vouchers for Mega, his encrypted cloud storage service, to Lizard Squad to cease its activities. While the vouchers did stop the attacks, Hay was concerned about the message this payoff gave to Lizard Squad and other hacker groups.

The vouchers were priced at $99, and there were reports Lizard Squad sold them for $50 each, netting the group at least $150,000 in cash. Considering that DDoS attacks have been growing in volume and intensity over the past few years, a potential financial windfall may encourage more groups to launch attacks.

Vandalism and gaming remain the most popular reasons for DDoS attacks, but attacks acting as a smokescreen for data theft and extortion attempts are also on the rise, says Darren Anstee, director of solutions architects at Arbor Networks. These attacks are disruptive, can cause damage to brand reputation, and increase overall costs for the organization. "DDoS attacks cannot be considered pranks," says Anstee.

DDoS attacks aren't the only tricks up Lizard Squad's sleeve. Earlier this year, the group claimed responsibility for a series of website defacements, including the one for Malaysia Airlines. It didn't compromise the airline's web servers, but likely socially engineered the site's domain registrar to gain access to the airline's domain name system records.

Lizard Squad modified the records to point to a website under its control, but average users wouldn't realize they were on the wrong site. This is a tactic frequently used by other hacking groups, such as the Syrian Electronic Army.

Hijacking DNS records can result in considerable damage to the corporate brand because most users and customers will not realize the distinction and assume the company's servers have been compromised, Hay explains. And if the attackers modify the MX records along with the other DNS records, all email sent to the company is delivered to mail servers the attackers control. That has even more serious repercussions for the company's bottom line.

Organizations need to work with their domain registrars to put in mechanisms to protect themselves, such as two-factor authentication on the registrar account and registrar locks to prevent unauthorized changes to DNS records, Hay says. Organizations should pick registrars which have implemented DNS security extensions (DNSSEC), which validating resolvers can use to verify that the records they receive are the ones the zone owner signed. One caveat a defender should keep in mind: DNSSEC protects records against forgery in transit, so an attacker who controls the registrar account well enough to replace the NS and DS records is not stopped by it, which is why the registrar lock and two-factor authentication come first.
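The registrar-level hijack described above, and the countermeasures Hay lists, can be turned into two routine checks: are the registrar locks still set, and have the authoritative records drifted from a known-good baseline. The following is an added example, not code from the article or from OpenDNS. The lock check uses the EPP status codes that real registrars expose in whois output (`clientTransferProhibited`, `clientUpdateProhibited`, `clientDeleteProhibited`); the domain names, record sets and status list are constructed sample data, and in production they would come from the registrar's whois/RDAP service and from live DNS queries.

```python
"""Two scheduled checks against registrar-level DNS hijacking.

Added example, not code from the article or any company it quotes.
(1) Verify the registrar locks (EPP status codes) are still present.
(2) Diff live NS/A/MX records against a known-good baseline and flag the
changes that would redirect web traffic or intercept inbound mail.
All domain names, record sets and status lists here are constructed.
"""

# EPP status codes a registrar sets when a domain is locked. Without
# clientTransferProhibited the domain can be moved to another registrar;
# without clientUpdateProhibited its nameserver records can be edited.
REQUIRED_LOCKS = frozenset({
    "clientTransferProhibited",
    "clientUpdateProhibited",
    "clientDeleteProhibited",
})

# Record types whose change steers traffic. NS and MX are the two the
# article describes: site redirection and capture of inbound email.
TRAFFIC_STEERING = ("NS", "A", "AAAA", "CNAME", "MX")


def missing_registrar_locks(statuses):
    """Return the lock status codes absent from the registrar's status list."""
    return sorted(REQUIRED_LOCKS - set(statuses))


def diff_dns_records(baseline, observed):
    """Compare two {rtype: set(rdata)} maps.

    Returns [(rtype, added, removed), ...] for every record type whose
    rdata set differs. Values are lower-cased so a capitalisation
    difference in a hostname is not reported as drift."""
    changes = []
    for rtype in sorted(set(baseline) | set(observed)):
        before = {v.lower() for v in baseline.get(rtype, ())}
        after = {v.lower() for v in observed.get(rtype, ())}
        if before != after:
            changes.append((rtype, sorted(after - before), sorted(before - after)))
    return changes


def assess(statuses, baseline, observed):
    """Combine both checks into one finding dict.

    'critical' when a lock is missing or a traffic-steering record changed;
    'mail_at_risk' when NS or MX moved, since either lets the attacker
    receive the organisation's inbound email."""
    locks = missing_registrar_locks(statuses)
    changes = diff_dns_records(baseline, observed)
    changed_types = {rtype for rtype, _, _ in changes}
    return {
        "missing_locks": locks,
        "changes": changes,
        "mail_at_risk": bool(changed_types & {"NS", "MX"}),
        "critical": bool(locks) or bool(changed_types & set(TRAFFIC_STEERING)),
    }


# Constructed baseline for a hypothetical domain, and a constructed
# post-hijack snapshot in which the registrar account was used to swap
# the nameservers, the web address and the mail exchanger.
BASELINE = {
    "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
    "A": {"203.0.113.10"},
    "MX": {"10 mail.example.com."},
}
HIJACKED = {
    "NS": {"ns1.attacker.example.", "ns2.attacker.example."},
    "A": {"198.51.100.66"},
    "MX": {"10 mx.attacker.example."},
}

if __name__ == "__main__":
    report = assess(["clientTransferProhibited"], BASELINE, HIJACKED)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run on a schedule, the baseline should be captured from the registrar and from the zone's own authoritative servers at a time the records are known to be correct, and any `critical` finding should page whoever holds the registrar account, since the fix (re-locking the domain and reverting the NS records) can only be made there.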

Childish Antics
Whether or not Lizard Squad is just a group of kids with a questionable sense of humor doesn't matter, because it is not the only hacking group engaged in these activities.

CoreSec is another hacking group engaged in similar activities. The group launched a series of DDoS attacks against Finnish financial services group OP-Pohjola from New Year's Eve to 4 January. The group demanded ransom between 10 and 100 bitcoins to stop the DDoS attack. At least one member in the group is a Finn, said Mikko Hypponen, chief research officer of F-Secure. CoreSec's motives for the attack remain murky, but Twitter activity shows CoreSec and Lizard Squad consider each other supporters, if not allies, in their cyber-pranking.

The earlier LulzSec is now defunct, with two of its leaders convicted. DerpTrolling has been active more recently, launching a string of DDoS attacks on multiple gaming companies and online gaming servers in early 2014. DerpTrolling was likely just trying to boost its collective ego and its "antics were often childish," security company CrowdStrike noted in its latest Global Threat Report.

"Despite their immaturity, the collective was able to consistently carry out DDoS attacks on targets of their choosing, and these attacks had a real-world effect on the victims within the gaming community," wrote CrowdStrike.

The company also noted that Lizard Squad's antics had real-world consequences beyond the cyber-realm. The group successfully diverted an American Airlines flight carrying a Sony executive by posting on Twitter a rumor about explosives on board. The incident evokes memories of when the Syrian Electronic Army hijacked a media outlet's Twitter account to post a false report about an explosion at the White House in 2013.

"The threat [Lizard Squad] posed to gaming companies was still noteworthy, especially when combined with terrorist threats; although they were bluster, they still had considerable real-world consequences," CrowdStrike reported.

Analysis from Recorded Future attempted to identify members of the group by their interests, vernacular, and lifestyle to provide insight into how they operate. The company examined the group's social media activity for patterns in language and determined the leaders and key members are from the United Kingdom, Canada, or the United States.

Even though Lizard Squad is still seizing headlines, the group's activity has slowed since December, says Christopher Ahlberg, Recorded Future's CEO and co-founder. This may have been spurred by Finest Squad, another group which came to light in December and started reporting Lizard Squad accounts to Twitter for abuse, he says.

Lizard Squad's leaders and key members are most interested in guns, drugs, gaming, and hacking. The intersection of thug-life culture and pro-Nazi sentiments is perplexing, but the fact that one of the accounts associated with the group's leaders frequently expressed pro-Nazi sentiments may be an indicator of the direction Lizard Squad will be heading in, the company warned.

Instead of dismissing the group, it would "be prudent" to take Lizard Squad's warnings seriously in 2015, Ahlberg said.


Interview: Raj Samani

CTO. Author. Europol advisor. Information security enthusiast. Husband. Father. And not in that order. Eleanor Dallaway talks to Intel Security VP & CTO EMEA, Raj Samani, a man so passionate about his industry that he manages to turn a weekend at Legoland into an infosec lesson for some of the park's young visitors

When I meet with Raj Samani on a Monday morning at the Intel offices in Slough, he's 'fresh' from spending the weekend with his wife and three children on a "rock hard" bed at Legoland, where he indulged in reading up everything he could find on the Carbanak malware news that broke that weekend, and gave a technology career lesson to one of the park's unsuspecting young visitors.

But don't assume Samani has fallen into the trap of workaholic – the Carbanak news is to him what the latest episode of Game of Thrones is to some people, and educating children on not only the dangers of cyber, but the opportunities, is his passion. "I know how to turn my phone off and have dinner with my family," he says. "Reading that news isn't work to me, it's what I'm interested in. If I wasn't doing this job, I would be reading that anyway."

To switch off, Samani is an avid gym-goer, and loves to box. "Mainly, I've learned to listen to my body. If my mind says to me, 'you can't read any more, just watch crappy TV', I'll do that. If my body says to me, 'hey listen – you really can't go to the gym this morning', I'll go back to sleep."

Wearing some pretty big shoes as VP & CTO EMEA of Intel Security, formerly McAfee, Samani could be forgiven for finding it all a bit too much sometimes. But, he reassures me, he's "happy, really, really happy.

"It's not work to me, sometimes I have to pinch myself and think, 'people are paying me to do this', because I would do this for free."

Those big shoes allow him the ability to "help influence change right across the industry," and whilst Samani has worked at this with industry bodies like ISSA and CSA in previous roles, his current job allows him to "push things on faster and further.

"Would I ever have been able to help redevelop Bletchley Park when I was in the voluntary sector, or working as part of the industry forums and associations? No. Would I have had the ability to be able to stand and speak at some of the biggest conferences around the world? Probably not. Would the white papers I've written ever have got the same exposure? No. So that's why I came to McAfee," Samani explains to me. If those words sound arrogant in print, they didn't in person, and Samani's sincerity is always both refreshing and unmistakable.

I've known Samani for nine years, and when we first met he was working as a CISO in the public sector. I chose him as part of the working group that I was asked to assemble in order to present at the House of Commons to help advise the Conservative Party on their information security policy. Since then, I've always considered Samani an industry 'favorite' and have spent many interviews, lunches, and casual chats enjoying his honesty, sincerity, and passion for the industry. And these encounters are never short…the man can talk!

These are Samani's words, not mine. "I'm just a skinny little Indian boy from Slough, and now I couldn't even tell you which country I'm going to be in next week," Samani laughs, contemplating the path he took from his small home town in Wembley, North London, where he didn't even know the role of CTO existed, to his jet-setting senior position at one of the world's largest technology companies.

"I grew up in a time where technology wasn't ubiquitous. My dad ran a hotel and my mum was an accountant, and we didn't have a computer." That was, until Samani's dad presented him with a Pentium 75, which he taught himself how to use. "Technology allows anybody the ability to be able to explore the limit of their potential," he says. "Technology is agnostic – it's not good, or bad – if you have an appetite to learn, it enables that." And an ability to learn is one of the most powerful skills there is, adds Samani.

It's abundantly clear that beside his family, Samani's passion for learning is the only thing that trumps his passion for information security. After earning a degree in economics, and a Masters in business information technology from Brunel University, Samani carried on studying whilst working in his first role as tech support at Roche Pharmaceuticals. "See, I've always been a techie," he smiles.

He took 35 professional exams in his 'free' time, and read "any piece of information I could get my hands on, day and night". This included Applied Cryptography: The Second Edition which he took on his honeymoon!

Samani even turned to textbooks to overcome his fear of public speaking. "I hated it, couldn't sleep for days knowing it was coming up, but knew I had to face my fear," he recalls. "I started to read about some of the best speakers in the world, their approaches, how they do it." The knowledge he gained, combined with his belief in the 'seven seconds of courage' mentality, allowed him to overcome his fear and accept his first speaking engagement at Infosecurity Europe.

"I always say to my kids, if there's something you're scared of, just be brave for seven seconds." And it worked for Samani, who now loves public speaking, but admits that he still gets butterflies and still gets scared.

These days, his passion for learning finds Samani writing books, not just reading them. "I use writing books as a vehicle to increase my technical understanding on topics where I want a deeper knowledge, like smart grids," he explains. "When I write my books, my wife is sitting watching EastEnders, and I'm next to her searching for places to buy cheaper email addresses for spear-phishing."

His latest project is a co-authored book with Eric Knapp and Christopher Burgess called The Unsocial Network, which aims to straddle general interest with technical knowledge, and asks whether we're less social today than we were in the past. "Social networks have changed from being based on physical proximity to being based upon people with which you share common interests. Today, if somebody disagrees with you, you unfollow them. You disconnect them from your social network. So there isn't anybody that challenges our belief system, you only surround yourself with people that reinforce your belief system." Samani hopes that the book will appeal to his wife, "and absolutely everyone else."

No Such Thing as Too Busy
When I ask Samani how he finds time to pen books whilst balancing his day job, family life, and extra-curricular activities (Samani volunteers in schools educating children about cybersecurity, works with MPs on an all-party parliamentary group focused on technology, and acts as a member of the advisory group on internet security at Europol Cybercrime Centre), he answers simply: "You have to make time. There's no such thing as being too busy – it's just not prioritizing stuff." Samani uses his travel time – and there's a lot of that, as he travels weekly – to write, "and the fun part is, it's not even work, because I love doing this.

“This industry isn’t just a job, it’s apassion. What we do is really important. Theindustry can be quite depressing, dark, butwe have an industry that is workingcollaboratively, both public and privatesector, and many of us [partake in] voluntaryefforts outside of normal working hours.”

Could we be doing more on the collaboration side? “We could always be doing more, but the reality is that information exchanges and information sharing has been going on for more than just a few years now. What we need is more real-time intelligence and information-sharing to be able to combat these issues.”

“Sometimes I have to pinch myself and think, ‘people are paying me to do this’, because I would do this for free”

Samani considers his job partly reactive and partly proactive, which is why, he explains, there is no such thing as a normal day for him. “It doesn’t feel like a job, if that makes sense? It’s just something I do.” And he plans to do exactly that for the foreseeable future. “I’m certainly not consciously thinking about leaving, but then, never say never, right?”

As a technologist, Samani describes being acquired by Intel as “like Christmas. The breadth and the depth and the capability of the individuals here is just awesome,” he gushes. And it’s people that continue to inspire him both within and outside the Intel walls. “There are so many people in our industry that are just really good people. A huge part of my social friendship network is from industry – as I said earlier, you attract people similar to yourself.” Indeed, it’s the relationships and friendships that Samani has made and maintained that he is proudest of.

As for regrets, Samani is fairly philosophical. “Hindsight’s a wonderful thing, but equally, mistakes help define who we are. You learn nothing from success, only from failure,” he says. “So yes, I have failed on a number of occasions, but I don’t see them as failures, I see them as learning opportunities, so I wouldn’t change it.” His mistakes have helped define who he is today, Samani continues, adding that the industry’s lack of a risk assessment framework to quantify security is one objective that he is yet to see fulfilled.

The Most Important Job of All

His most important job of all, Samani considers, is being a dad; helping his children navigate the rules of the new technical world that we’re moving into is his utmost priority. “I kind of bear this burden of responsibility as a father, but also, as a CTO in this company, that I’ve got to not only help my kids, but as many people as I can.

“When we look at privacy in the 21st century, it’s going to be completely different to how privacy was in the 20th century. There are new rules being created, new societal norms, and we need to help preserve the foundations of trust that we need to operate in this world.”

So will Samani be encouraging his children to embark on careers in technology? “I’d just like them to find their passion. I keep saying to my kids that they can do anything and be anything they want.” Teaching them a real degree of technical competence is high on his agenda, however, “because that’s important not only for their future careers, but generally in society.”

Perhaps it’s this “burden of responsibility” that is to thank for Samani’s involvement in the Europol Cybercrime Centre advisory group. “My work and engagement with Europol is really because of Troels Oerting’s vision. He recognized that cybercrime isn’t something that the public sector can do alone, and so began this process of putting together this advisory council of special advisors.”

Samani’s admiration for Oerting is apparent, and he applauds the collaboration he has enabled between law enforcement agencies across the world, in addition to the private-public partnership. “The fruits of his vision and the fruits of his labor have been recognized in some of the takedowns and efforts we’ve seen over the last 12 months.”

So what’s next for Samani? “There used to be a time when I could almost map out my life. I’d tell you when I would be married, when I’d have kids, where I’d be working, and what sort of money I’d be earning,” he says, pausing to reflect. “And now, actually the most exciting thing is that there isn’t a path set out for me.”

A self-confessed over-analyzer, and his own biggest critic, whatever does come next will undoubtedly be met with the same commitment and passion that Samani affords to everything else in his life. “My goals are always changing,” he admits, with that mischievous grin that is synonymous with the Intel Security CTO. Not bad for a “skinny little Indian boy from Slough.”

Samani with Troels Oerting, signing the MoU with Europol's European Cybercrime Center (EC3)


Cybersecurity from Capitol Hill to Whitehall

Proclamations on cybersecurity and government surveillance have ignited political discourse in early 2015. Wendy M. Grossman cuts through the spin to find out what this means for technologists and citizens

Early 2015 saw multiple announcements on cybersecurity from US president Barack Obama and British prime minister David Cameron. Both were responding to recent events, primarily the Sony hack (which is estimated to have cost the company $15m) and the shooting in France of 11 staff at the satirical magazine Charlie Hebdo. The two countries also announced joint ‘cyber wargames’, whereby teams from each country will attack the other to test critical infrastructure.

Obama proposed improving cybersecurity information-sharing between government and the private sector; criminalizing the overseas sale of stolen US financial information; extending the RICO laws to include cybercrime; and requiring national data breach reporting.

The Electronic Frontier Foundation has described the resulting Cybersecurity Information Sharing Act (CISA) introduced in March as a “terrible surveillance bill” because it would allow companies to launch countermeasures against attackers.

EFF and the Center for Democracy and Technology also complain that the bill bypasses current privacy protections for private-sector information.

In the run up to the UK’s May general election, Cameron and the home secretary, Theresa May, proposed reviving long-contentious policies: the principle that government must be able to read all communications, and the Communications Data Bill, which opponents have dubbed the ‘Snooper’s Charter’.

These policies would add to an already substantial framework for communications surveillance established in multiple pieces of legislation stretching back to 2001. In March, in the first of a series of planned reviews, the Intelligence and Security Committee (ISC) declared GCHQ’s activities as leaked by Edward Snowden to be legal, but said the law lacks transparency and accountability and could be interpreted as a ‘blank cheque’ for the security services.

Britain’s data protection regulator, information commissioner Christopher Graham, criticized the report for a basic misunderstanding: “At one point in the report they say specifically that if citizens are relatively OK about the security services reading letters and tapping phones with appropriate authorization, then why is the internet any different?

“I thought that represented a very naïve view of what the internet actually is, because it isn’t just another communications channel, it’s the universe through which we are transacting, doing business, [running] our companies, our work, our personal life, and so on. And the idea that that has got to be left open to be inspected by the authorities, whether good or bad, just seems to me to be ludicrous.”

Meanwhile, he adds, the same politicians speak regularly about cybersecurity, but there is an incompatibility in advocating securing communications and infrastructure against myriad threats while ensuring the authorities have access. “I thought it was naïve of the committee to assume that the bad actors wouldn’t take advantage of the vulnerabilities that might be left,” Graham said.

Content: Return of the Crypto Wars

Cameron is not alone in wanting access to encrypted communications. In March 2015, FBI director James Comey asked Congress to enact legislation requiring technology companies such as Apple and Google to include back doors in any encryption built into their products. Around the same time, the FBI removed from its website advice that consumers should protect their data by using encryption.

There are two kinds of objections to key escrow: ideological and technical. Susan Landau, professor of cybersecurity policy at Worcester Polytechnic Institute Department of Social Science and Policy Studies, describes the technical objection.

“Communications tools built with law-enforcement access to the keys will not be secure against skilled opponents. But the use of encryption where the end-users – and not Apple or Google, for example – hold the keys, means, as the president observed, ‘Even though the government has a legitimate request [to wiretap], technologically we cannot do it.’”

Herb Lin, a senior research scholar for cyber-policy at Stanford University, says the ideological objection is simpler: individuals should have full control over access to their own communications.

However, Lin says, it’s impossible to make a mechanism that will stay locked down forever, because computing continues to advance. But 1000 (or 100) years of security is long enough. Meanwhile, 10 seconds is clearly inadequate. “Somewhere between 10 seconds and 100 years there’s a crossover point,” he says.

Performing a risk analysis based on specific proposals and an estimate of how long the cryptography is likely to be secure in that application “would at least get the debate off the theological argument and on to the technical argument.”

Lin also raises a practical issue: company helpdesks are overwhelmed with retrieving and resetting user passwords. “I will bet anything that two to three years after all this unimpeachable encryption gets deployed, they will start offering recovery features,” he says. “People will not want to lose access to their data.”

Likely true, though privacy advocates will argue that choosing a (possibly third-party) key recovery scheme isn’t the same as having one forced upon you.

With six years of communications intelligence in his background, John Walker, visiting professor at the School of Science and Technology at Nottingham Trent University, takes a view more in line with law enforcement concerns about ‘going dark’.

“I respect privacy and I would like to have privacy,” he says, “but what we have to look at with a liberal attitude is whether we can allow insurgents – we’re talking about a global insider threat of which we have to be aware. If the price I have to pay to keep my legs attached to my torso is privacy, then so be it.” The key, he says, is ensuring that the use and exercise of such powers is proportionate and appropriately limited.

Metadata: Bulk Collection

The requirement for ISPs to retain communications traffic data for up to two years was implemented in the EU Data Retention Directive in 2006, a response to the July 7 2005 London bombing attacks. The UK had long favored data retention; a giant centralized database to store the flow was mooted as early as 2000. The 2012 version of this, the Communications Data Bill, would have required communications service providers to collect many forms of data that they currently do not, and disclose it to a substantial range of actors with oversight that opponents such as the Open Rights Group argued was insufficient. The bill failed politically.

In April 2014, the European Court of Justice ruled that the Data Retention Directive conflicted with the European Charter of Human Rights, thereby invalidating the supporting national legislation. In July, Parliament hastily enacted the Data Retention and Investigatory Powers Act (DRIPA) to ensure that ISPs did not begin deleting the stored data during the summer recess.

A key element of the Communications Data Bill as proposed in 2012 was ‘black boxes’ to be installed on ISPs’ networks and through which traffic would pass; these would extract the metadata for retention. The Internet Service Providers Association complained about the likely loss of speed; advocacy organizations such as the Open Rights Group compared the idea to a man-in-the-middle attack.

Retention practices such as this raise further questions as to whether the principles of necessity and proportionality are being used in the filtering of data – ‘filtering’ being a term used in early versions of the CDB, though never clearly explained in satisfactory detail.

There is a grey area here around intelligence demands for data that isn’t necessarily used in legal proceedings. This is problematic, as is the general opacity of the law.

That opacity is one piece that everyone can agree on. “They already had Tempora,” says Privacy International researcher Richard Tynan. “The police and security agencies said ‘we want this, so make it lawful for us to do what we’re already doing’. To have that as the mindset is the opposite to me of any legal course I’ve done on the rule of law. They will say they can’t do it without authorization, but we don’t know what cannot be authorized by Theresa May. To me, that is an unconstrained system.”

Will Semple, vice-president of security operations for Houston-based Alert Logic and a veteran of both intelligence and financial services, has seen both sides, yet does not think that Cameron’s proposals are “a balanced approach, especially from a military intelligence background and understanding the risks I experienced day in and day out.”

Simon Crosby, co-founder and CTO of the security company Bromium, also calls the government’s policies poorly conceived: “Once [technology companies] start to engineer for security, the ability to provide arbitrary back doors to arbitrary interested parties is just not going to happen – or at the very least Theresa May will have to answer the question of, ‘should Yahoo! provide a back door to China?’”

More bluntly, he says, “The ‘Snooper’s Charter’ is techno-babble. It’s nonsense.”

Crosby, too, agrees that today’s genuine threats require access to data in some circumstances, but he’s scathing about the methods proposed. “They’ve only come out with two so far. One: break everything and be a bad guy, really terrible. Two: they’re going to pass stupid laws for technologies that are literally impossible to develop.”

What’s needed instead, he says, “is a rational debate about how one could legitimately achieve and deliver data in the national interest – and not just the UK and US. The internet is a big place; it’s an international problem.”


Once encryption keys are handed over to a third party, whether 'benign' or not, security is irrevocably weakened


ADVERTORIAL

The Web App Security Puzzle

In today’s increasingly digital world, web applications are the new battleground for attackers and defenders, argues Wolfgang Kandek, CTO, Qualys

The attackers are looking to gain access to corporate or personal data and control web servers for secondary infections. The recent Verizon Data Breach Investigation Report 2015 reported that up to 61% of breaches involve attacks against web applications. In fact, vulnerabilities in web apps are now one of the most common cyber-threats, accounting for 55% of all server vulnerability disclosures.

Custom-developed apps are another story altogether, but in general, vulnerability numbers are estimated to be much higher in that area.

The goal of a web app security program is to prevent an attacker from gaining control of an app and obtaining easy access to the server, database and other back-end IT resources. However, as hackers find new ways to exploit web apps, it’s important for the security industry to outmaneuver them by quickly finding and fixing the vulnerabilities before an incident occurs.

A Hacker’s Attraction to Web Apps

The simple architecture of web apps – including connectivity and hosting via browser-controlled environments – has made it possible for organizations and individuals to easily adopt them to transact business, conduct research, store information and collaborate online. Likewise, for IT teams, web apps can dramatically reduce resource requirements for endpoint devices, as the bulk of processing occurs on servers located at remote sites.

Yet the simplicity driving the adoption of web apps is often the same reason why hackers are inclined to attack them. Part of the reason is that the ability to quickly spin up a web app has contributed to an increased number of vulnerabilities, as testing and quality assurance can often be an afterthought.

Another reason is that web apps are usually connected to valuable data, including databases containing banking information and consumers’ personal identity data. Once a web app is compromised, an attacker can use that data to reap bigger rewards on the black market or in phishing scams to attack larger networks.

Protecting Data with Integrated Data

The good news is that the most prevalent web app vulnerabilities can be easily detected with regular, automated scanning. Automated web app scanning enables IT teams to discover and catalog all web apps within an organization, lower the total cost of operations by automating repeatable testing processes, ensure accuracy by effectively reducing false positives, and identify vulnerabilities early.

But what should you do when you detect a web app vulnerability? And how should you react to actual vulnerabilities and potential exploits?

That’s where web application firewalls (WAFs) have become a critical piece of the web app security puzzle. WAFs are capable of detecting, alerting and blocking known attacks on web apps. However, traditional WAFs are often thought to be too complex to set up and too difficult to manage.

Another piece of good news is that WAFs are evolving and new solutions coming into the market are providing more simplicity, flexibility and automation than ever before to protect the data and IT resources behind web apps. The industry is now seeing WAFs capable of automatically integrating scanning data to take on the mitigation of vulnerabilities.

Particularly advanced WAFs also have virtual patching capabilities, enabling IT teams to fine-tune security policies, remove false positives and customize rules leveraging vulnerability data from automated scanners. This data provides insight into common web app vulnerabilities, like those outlined by the OWASP Top 10, as well as critical zero-day exploits where customized patches are not readily available.

Overall, the skeleton key for achieving the best security posture lies within the data – whether it’s as broad as threat data shared within the industry, or as narrow as automated vulnerability data shared between a web application scanner and a web application firewall. For the latter, finding a WAF that leverages and integrates data automatically will put you ahead of the curve for web app security.

AUTHOR PROFILE

As the CTO for Qualys, Wolfgang is responsible for product direction and all operational aspects of the QualysGuard platform and its infrastructure. Wolfgang has over 20 years of experience in developing and managing information systems. His focus has been on Unix-based server architectures and application delivery through the internet. Wolfgang earned master's and bachelor's degrees in computer science from the Technical University of Darmstadt, Germany. Wolfgang is a frequent speaker at security events and forums including Black Hat, RSA Conference, Infosecurity Europe and The Open Group. Wolfgang is the main contributor to the Laws of Vulnerabilities blog.
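The scanner-to-WAF data flow and the virtual patching that the advertorial describes can be sketched in code. What follows is an added example written for this page, not Qualys code and not any product's rule format: it assumes a hypothetical scanner export (vulnerable URL, parameter and vulnerability class, constructed inline) and turns each finding into a narrowly scoped rule that inspects only the flagged parameter on the flagged path. The detection signatures are deliberately small and illustrative.

```python
"""Added example: build WAF-style "virtual patches" from scanner findings.

Each scanner finding (URL + parameter + vulnerability class) becomes one
rule scoped to exactly that path and parameter. Requests elsewhere are
untouched, which is what keeps false positives low until the real fix ships.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample findings in a hypothetical scanner export format
# (assumption: not any real scanner's schema).
SCAN_FINDINGS: List[Dict[str, str]] = [
    {"url": "https://shop.example/search", "param": "q", "type": "sqli"},
    {"url": "https://shop.example/profile", "param": "name", "type": "xss"},
]

# Illustrative signatures per vulnerability class. Production rule sets are
# far larger; these are just enough to show how a finding drives a rule.
SIGNATURES: Dict[str, "re.Pattern[str]"] = {
    "sqli": re.compile(r"(?i)(['\"])\s*(or|and)\s+\S+\s*=|union\s+select|;\s*drop\s"),
    "xss": re.compile(r"(?i)<\s*script|javascript:|on\w+\s*="),
}


@dataclass(frozen=True)
class VirtualPatch:
    """One rule derived from one finding: path + parameter + signature."""
    path: str
    param: str
    vuln_type: str

    def triggered_by(self, path: str, params: Dict[str, List[str]]) -> bool:
        # Scope check first: a different path or parameter never triggers.
        if path != self.path or self.param not in params:
            return False
        sig = SIGNATURES[self.vuln_type]
        return any(sig.search(v) for v in params[self.param])


def build_patches(findings: List[Dict[str, str]]) -> List[VirtualPatch]:
    """Convert scanner findings into rules; classes without a signature are skipped."""
    patches: List[VirtualPatch] = []
    for f in findings:
        if f["type"] not in SIGNATURES:
            continue  # nothing to enforce automatically; leave for manual review
        patches.append(VirtualPatch(urlsplit(f["url"]).path, f["param"], f["type"]))
    return patches


def evaluate(patches: List[VirtualPatch], url: str,
             body: Optional[Dict[str, str]] = None) -> Tuple[str, Optional[VirtualPatch]]:
    """Return ("block", patch) for the first triggered rule, else ("allow", None).

    Query-string and optional form-body parameters are merged so that moving
    a payload from GET to POST does not bypass the patch.
    """
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, value in (body or {}).items():
        params.setdefault(key, []).append(value)
    for patch in patches:
        if patch.triggered_by(parts.path, params):
            return "block", patch
    return "allow", None


if __name__ == "__main__":
    rules = build_patches(SCAN_FINDINGS)
    for request_url in [
        "https://shop.example/search?q=laptop",
        "https://shop.example/search?q=%27+or+1%3D1--",
        "https://shop.example/help?q=%27+or+1%3D1--",
    ]:
        print(request_url, "->", evaluate(rules, request_url)[0])
```

The design point is the scoping: the same payload against `/help`, which the scanner did not flag, is allowed through, because a virtual patch is a stop-gap for a known weakness rather than a general-purpose filter. Findings of a class with no signature are dropped rather than guessed at, which is where the article's "remove false positives and customize rules" step would pick them up.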

The Rising Cost of Cyber-Insurance

You can insure yourself against cyber-attack, says Danny Bradbury, but be warned, prices are going up

Information security is all about mitigating risk. Savvy CISOs spend their time asking what threats their organizations face, how deeply these threats would sink the company, and how likely they are. In that sense, CISOs are suitable customers for another industry that’s also about risk management: insurance. So why haven’t the two overlapped more?

A Young Industry

At its heart, insurance is about the paid transfer of risk. Companies have been happily transferring their risk to insurance firms since the late 1600s, when economists created insurance services in response to the Great Fire of London.

Traditional risks, such as fire, flood, theft and injury, are well understood. On the other hand, the insurance industry is just getting to grips with cyber-risk.

“When we started looking for the first time at the issue of cyber-attacks and determining whether it would make sense to have a cyber-insurance policy, it was all green space,” says Ty Sagalow, former COO for AIG e-Business Risk Solutions, now running Innovation Insurance, a consulting firm and brokerage based in New York.

“It was new. There was no actuarial data on frequency or severity. We had to figure out how to create insurance for a risk that we knew very little about,” Sagalow adds.

How do companies manage that risk? Fifteen years is a heartbeat in the insurance business, and so cyber-insurance is still a relatively unknown quantity. The way that insurance companies assess risk involves analyzing past claims. But in a sector with such a short track record and quickly changing characteristics, that isn’t always easy. As such, the market is segmented from the general insurance pool, and covered by special policies.

Insurance companies identify and quantify the exposure, pinpoint the threats, and then make a model of how likely those threats are to occur.

“You have a lot less certainty about that frequency than for more established classes like life insurance or auto insurance, but that isn’t to say that there isn’t any information in the insurance industry,” says Tom Regan, the cyber practice leader for insurance broker Marsh. “We spend a lot of time and money looking to assess the probability of events.”

In any case, insurers have an appetite for risk. After all, that’s what makes them money.

“You don’t go into a new piece of business or a new product because you fear losses. You go in because you hope you’ll be able to make money. If there’s no risk, there’s no reward,” says Sagalow.

Insurers can mitigate their risk in cyber-insurance as they do in other industries, by splitting risk with other insurers, and by using re-insurance, where the insurers are themselves insured by other companies. They can also impose high deductibles.

What Policies Look Like

Typically, cyber-insurance coverage falls into two broad areas: first party and third party. The first party coverage focuses on the internal costs incurred by the company. It covers expenses such as hiring an attorney to deal with the legal ramifications of a breach, and taking on a PR firm to help get out in front of the problem and minimize reputational damage.

Savvy companies will bring in an external data forensics team to find out where the breach occurred, and remediate it. A first party component will also cover the cost of notifying individuals, and potentially even setting up contact centers to field calls from worried customers.

In addition, first party coverage typically covers the restoration of lost data, and it will usually compensate companies for lost business, says Michelle Lopilato, director of the cyber-risk solutions practice at North American insurance brokerage Hub International.

“If your network was breached and goes down, and you’re no longer able to transact business for a certain amount of time, that loss can be replaced,” she says.

Lost business protection won’t kick in as soon as a disruption occurs. The most aggressive contracts start around six hours after the disruption, but can go as late as 18 hours for companies with poor business continuity operations, she said.

Third party coverage handles the fallout from cybersecurity events that affect other companies and individuals. Typical coverage here includes network maturity liability (if your network is used to infect another company’s systems, for example). It will also cover financial harm to other individuals from a company’s privacy breach, along with the cost of post-breach regulatory investigations and fines.

Rising Prices

Insurance companies are getting better at assessing clients’ cybersecurity readiness, according to Sagalow.

“The industry has matured,” he says. “We have determined that, at least for now, we can continue to underwrite the severity and frequency of cyber-risks, despite the mass attacks that we read about almost every day, whether that be Target, Home Depot, Sony, or others.”


Strong security controls, including PoS encryption, are often prerequisites for companies seeking cyber-insurance

But for how much longer? There are signs that cyber-insurance companies, which have blossomed in number over the last decade, are reacting to industry events.

“The industry is continuing to change and expand, and in certain areas of the business, we see some prices going up,” says Regan. “The insurance industry can deal with risks that grow significantly if they can be appropriately compensated for them. As long as they can get an adequate premium, they’ll be OK.”

Where are those prices likely to hit hardest? Look to retail, says Lopilato.

“We are seeing some tightening of the reins as far as underwriting goes. The insurers are looking for best-in-class controls and securities, and if they don’t have them, then they are getting declinations,” she says.

These controls include encryption at the point of swipe for credit card collection, along with point-of-sale network monitoring, up-to-date security patching, and PCI compliance. “If you can satisfy those four bullet points first, then you do have several carriers still willing to write this business,” she adds.

Companies that take advantage of these policies may even find themselves battling to get coverage. Such was the case with Atlantis National Services, a New York state-based title insurance agency licensed in 32 states. It obtained a cyber-insurance policy through Lloyds of London, after the Department of Homeland Security mandated a data center controls standard, SSAE 16, for title insurers. Atlantis co-founder Radni Davoodi began looking for cyber-insurance not long afterwards.

“It gives banks further comfort using us versus our competitors,” says Davoodi, but he adds that it wasn’t easy to obtain. The industry is still so new that choices are limited, he warns.

“It took us a while to get a quote, and the only broker who was able to provide us with one gave us a cookie cutter and said ‘take it or leave it’,” he says, recalling that there was no option on the deductible or the protection offered. “We’re hoping that in the coming years it will be a little more selective on our end.”

Do customers want insurers to take on their business, though? The Corporate Executive Programme, which monitors corporate security threats, surveyed 40 of its members for a January 2015 report on cyber-insurance. Only one in five companies had dedicated cyber-insurance, it found, and this was among a base of large companies, half of which measured revenues in the billions.

Cyber-insurance adoption also differed dramatically between the US (where 40% of companies had it) and the UK (where just 13% of firms did).

Regan says that regulation makes a big difference in adoption on either side of the Atlantic. In the US, where data breach notification is mandated in 47 states, more companies will be driven to adopt cyber-insurance because of the potential fallout should a breach occur.

Dr Claudia Natanson, chair of the CEP, suggests another factor.

“There was a point given by one of our legal members, stating that it wasn’t so much that the US had breach notification that promoted greater take up, but that unlike Europe, US [companies] could suffer class action suits,” she says.

European adoption will likely rise, adds Natanson. But with an average of four in five companies still not adopting dedicated cyber-risk insurance, there is a lot of potential headroom in this young industry.

Sagalow, who first took steps into cyber-insurance 15 years ago, is already expanding into something new: bitcoin. The cryptocurrency, which is slowly disrupting traditional financial markets, has been beset with security problems. Now, secure bitcoin storage companies are offering peace of mind to users who might hold thousands of dollars-worth in a software wallet. He is working with them to insure their customers against losses incurred in this strange new electronic asset.

“Bitcoin is the new cyber,” Sagalow says, recalling how the internet represented a fundamental shift in how business was done in 2000. “Fast forward 15 years later, and the same thing is happening again.”

Wherever you find uncertainty and risk, you’ll find a forward-thinking insurer exploring ways to underwrite it. The customers may take a little while to come, but if they’re aware of the dangers they’re facing, they’ll arrive eventually.


“Insurers are looking for best-in-class controls and securities, and if [clients] don’t have them, they are getting declinations.” Michelle Lopilato, Hub International

Hiring a PR firm to deal with the media fallout of a breach is one cost typically covered by first-party cyber-insurance

Google vs Microsoft: Let the Patch Wars Commence

Phil Muncaster investigates whether an ongoing dispute between Google and Microsoft could change the way we fix security flaws in the future

At the start of the year, Microsoft and Google became embroiled in a very public spat over vulnerability disclosure. The two computing giants, never the best of friends, became more animated than we’ve seen them for some time, exchanging barbed comments via blog posts and social channels. The reason? Google’s Project Zero initiative, announced last July, and its strict rule of revealing vendors’ software bugs publicly after 90 days if they have not been patched.

So who exactly is the bad guy in all of this? Microsoft, for failing to patch as quickly as Google would like, or the Mountain View giant, for disclosing flaws before security fixes were ready? And is the ongoing dispute likely to change how the industry deals with vulnerability disclosure?

A Bit of History

It all kicked off when Google decided to release details of a Windows flaw just two days before it was due to be fixed in January’s Patch Tuesday. The bug itself was not particularly critical, needing a victim machine to have already been compromised in order to work. However, plenty of commenters let their feelings be known on the related Google Security Research forum post.

“Automatically disclosing this vulnerability when a deadline is reached with absolutely zero context strikes me as incredibly irresponsible and I’d have expected a greater degree of care and maturity from a company like Google,” wrote one user.

Microsoft then waded in with a strongly worded blog post from Chris Betz, senior director of the Microsoft Security Response Center.

“Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers,” Betz wrote in that post. “We urge Google to make protection of customers our [combined] primary goal.”

This didn’t seem to deter Google, which released details of several additional Microsoft product flaws in the weeks that followed. Here’s the twist though. One batch of disclosures came about before the 90-day deadline, after Microsoft effectively told the web giant that the flaws were so small they were not worth patching. This is despite several of them – including an elevation of privilege issue and an information disclosure bug – being marked as ‘high severity’ by the Project Zero researcher in question.

The waters have been further muddied by Microsoft’s somewhat controversial decision in January to effectively make its Advanced Notification Service (ANS) private. Redmond claims the decision was taken to meet customers’ evolving needs – in other words, that most firms have automatic updates or proper patching regimes which render the public blog posts and notices irrelevant. However, experts argue it was a retrograde step that could at best be viewed as an attempt to hamper transparency into product flaws, and at worst a cynical move designed to make money by forcing customers to upgrade to ‘premier’ status.

Who’s Right?

Google relented recently and allowed vendors a further 14-day grace period on top of the mandatory 90 if a patch is already slated for release, as well as promising not to disclose flaws on US public holidays or at the weekend. But there’s still a fair bit of bad blood about how it has handled the whole affair.

So is this a dispute we should really take sides on? For Nigel Stanley, cybersecurity practice director at consultancy OpenSky, neither firm has covered itself in glory.

“Both Microsoft and Google need to grow up and understand that great care needs to be taken in disclosing vulnerabilities in a calm, controlled way,” he tells Infosecurity. “This will reduce the opportunities for exploits to be developed and give over-worked sysadmins a chance to test and then patch their systems. Instead of throwing stones, those that live in glass houses need to give their neighbors support for the benefit of the broader industry.”

For Ed Skoudis, SANS Institute fellow, Google needs to be a bit more aware of the sheer complexity involved and the huge resources that are needed to create and test fixes for certain vulnerabilities.

“As [Google’s] systems are in the cloud with code they control, there are few hurdles to them throwing resources at a problem and getting fixes out in 90 days or less. Project Zero is a way of Google draining a swamp very quickly,” he tells Infosecurity.

“However, they don’t have the extended enterprise customer base with lots of on-premise software and legacy systems along with strict controls around applying patches,” Skoudis adds. “In some cases, 90 days is just not reasonable and a rushed fix might actually lead to more problems than it solves.”

In fact, that exact scenario has occurred several times of late, most notably in August 2014 after an August Patch Tuesday fix locked computers with the dreaded Blue Screen of Death.

Responsible Disclosure

Most commentators, software vendors, and security researchers agree that responsible disclosure is the best way forward. The problem is, they don’t agree on exactly what ‘responsible’ means.

The definition of ‘responsible’ disclosure is something the research and vendor communities often disagree on

Some take the extreme view that unless a flaw is made public immediately, the vendor will procrastinate, downplay its importance and possibly even use legal means to silence the researcher – while the bad guys are working on crafting attacks in the meantime. Others say the vendor should be informed privately and given a decent amount of time to fix the flaw.

However, once again the debate rages as to how much time should be allowed and for which kind of flaws, according to Secunia director of research and security, Kasper Lindgaard.

Infosecurity asked Lindgaard what represents ‘a timely fashion’ when it comes to giving vendors a chance to fix a vulnerability, before disclosing it.

“Our policy is to give vendors six months to fix the vulnerability and issue a patch, and for a huge majority of the vendors that is plenty of time,” he says. “But it is also necessary to be flexible and adapt to circumstances: you have to look at the individual vulnerability – at how critical it is, how complex it is to fix, and how widespread the vulnerable product is.”
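The two deadline policies the article describes, Project Zero's 90 days with a 14-day grace period for an already-scheduled patch and no disclosures at weekends or on US public holidays, and Secunia's six-month default, differ mainly in their parameters. The Python below is an added example, not code from Google, Microsoft or Secunia, that models a disclosure-date calculator of this kind so that a coordinated-disclosure programme (or a vendor tracking its own exposure) can see exactly when a report becomes public. The holiday calendar is a constructed list of 2015 US federal holidays, and the precise handling of the grace period (publishing on the patch day when a fix is slated shortly after the deadline) is an assumption rather than either company's documented rule.

```python
"""Disclosure-deadline calculator for a coordinated vulnerability disclosure policy.

Added example, not Google's, Microsoft's or Secunia's code. The policy is
parameterised: a base deadline (90 days for Project Zero, about six months for
Secunia), an optional grace period used when a patch is already scheduled, and
a rule that a disclosure is never dated on a weekend or a US public holiday.
How the real programmes handle edge cases is an assumption here.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed holiday calendar: the 2015 US federal holidays on their observed
# dates. A real policy engine would load an authoritative calendar instead.
US_HOLIDAYS_2015 = frozenset({
    date(2015, 1, 1), date(2015, 1, 19), date(2015, 2, 16), date(2015, 5, 25),
    date(2015, 7, 3), date(2015, 9, 7), date(2015, 10, 12), date(2015, 11, 11),
    date(2015, 11, 26), date(2015, 12, 25),
})


@dataclass(frozen=True)
class DisclosurePlan:
    report_date: date
    hard_deadline: date    # report date plus the policy's base deadline
    disclosure_date: date  # first day the details may be published
    reason: str            # "patched-early", "patch-grace" or "deadline"


def is_business_day(day, holidays=US_HOLIDAYS_2015):
    """True for weekdays that are not on the holiday calendar."""
    return day.weekday() < 5 and day not in holidays


def next_business_day(day, holidays=US_HOLIDAYS_2015):
    """Return `day` itself if it is a business day, otherwise the next one."""
    while not is_business_day(day, holidays):
        day += timedelta(days=1)
    return day


def plan_disclosure(report_date, patch_date=None, deadline_days=90,
                    grace_days=14, holidays=US_HOLIDAYS_2015):
    """Work out when a reported flaw may be published under the given policy.

    patch_date is the vendor's committed fix date, if there is one.
    """
    hard_deadline = report_date + timedelta(days=deadline_days)

    if patch_date is not None and patch_date <= hard_deadline:
        # The fix ships inside the deadline: publishing on the patch day lets
        # users act on the advisory at once, so no calendar shift is applied.
        return DisclosurePlan(report_date, hard_deadline, patch_date, "patched-early")

    if patch_date is not None and patch_date <= hard_deadline + timedelta(days=grace_days):
        # Patch slated shortly after the deadline: hold for it (grace period),
        # still avoiding weekends and holidays for the publication itself.
        return DisclosurePlan(report_date, hard_deadline,
                              next_business_day(patch_date, holidays), "patch-grace")

    # No fix committed within the grace window: publish at the deadline, moved
    # forward off weekends and holidays.
    return DisclosurePlan(report_date, hard_deadline,
                          next_business_day(hard_deadline, holidays), "deadline")


def days_remaining(plan, today):
    """Days the vendor still has before the planned disclosure (negative if past)."""
    return (plan.disclosure_date - today).days


if __name__ == "__main__":
    # Constructed sample: a flaw reported on Monday 5 January 2015.
    reported = date(2015, 1, 5)
    for label, kwargs in [
        ("Project Zero, no patch committed", {}),
        ("Project Zero, patch inside the grace window", {"patch_date": date(2015, 4, 14)}),
        ("Six-month policy, no patch committed", {"deadline_days": 180, "grace_days": 0}),
    ]:
        p = plan_disclosure(reported, **kwargs)
        print(f"{label}: deadline {p.hard_deadline}, disclose {p.disclosure_date} ({p.reason})")
```

For the sample report date the 90-day deadline lands on a Sunday (5 April 2015), so the calculator moves publication to the Monday; a patch promised for 14 April falls inside the grace window and holds publication until then, while one promised for 21 April does not. Lindgaard's point about flexibility is expressed by the caller choosing `deadline_days` per vulnerability rather than by the calculator itself.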

Jim Fox, director in KPMG’s cyber team, is actively involved in pen-testing and vulnerability identification. He argues that the most important thing from the vendor’s point of view is to be transparent with its customers.

Even if there’s not a patch immediately available, he explains, the vendor could produce a way to mitigate the problem which would quickly keep customers secure in the meantime – or their customers could come up with their own temporary solutions. Either way, Fox believes the Common Vulnerability Scoring System (CVSS) provides a ready-made, commonly understood framework which could help them prioritize newly discovered flaws.

This is essential given the sheer volume of black hats out there researching flaws, he tells Infosecurity.

“People are taking a methodical approach to identifying and exploiting vulnerabilities in widespread systems. To think only one person will find them is crazy,” Fox adds. “You don’t need to put out a press release each time you find a flaw – that’s irresponsible. But at the same time, if you alert a vendor, say they have a week or 10 days to tell their customers and announce a patch or at least mitigation, that’s fair. The vendors don’t move faster because it’s disruptive for them, so you need to make it in their best interests to do it.”

ISACA international vice president, Ramsés Gallego, agrees that greater transparency is the way forward.

“The most important thing to do in the vulnerability management dimension, from a vendor perspective, is communication,” he tells Infosecurity. Gallego believes that in the cyber era, threats will always exist – it’s not a matter of if a company faces a vulnerability, it’s when and how quickly they’ll then recognize and mend it.

A Troubled Future?

Yet for Fox, Microsoft is moving not towards greater transparency, but away from it, as witnessed by its decision in January to end its Advance Notification Service. He argues that failing to inform all customers through notifications means many won’t even be aware of vulnerabilities which malware writers are actively developing exploits for.

“The only people to get hurt will be those who need to defend themselves. Less transparency is a mistake; I rarely learn of a vulnerability through a press release,” he adds.

So what of the future for vulnerability disclosure? Can the vendor community afford to pour more resources into developing timely patches, or will the quality of security fixes suffer and patching times inevitably get longer as the sheer volume of flaws identified mounts?

Skoudis thinks Google’s gung-ho approach could yet have negative consequences.

“Unfortunately, there is a risk that Google may incite copycats that are maybe less wedded to a ‘don’t be evil’ philosophy,” he argues. “In future, we could have others pushing out zero days into the public forums that are incredibly dangerous without warning. And then what started out as a positive approach could turn into a major issue for everybody.”

In the meantime, it’s the sysadmins – the “poor bloody infantry” – who will be forced to pick up the pieces, according to Stanley.

“Some vendors forget that there is a world outside of their products and that sysadmins are having to test and apply patches from multiple vendors, often at the same time,” he says.

It’s difficult to foresee a time when this will ever change.


Before broadcasting their findings to the world, researchers should consider the impact on vendors and end-users

EVENT PREVIEW


Featuring:
• Conference Programme
• Infosecurity Intelligent Defence
• Security Workshops and Training
• New Features
• Floor Plan
• Exhibitor List

Intelligent Security: Protect. Detect. Respond. Recover.

20TH INFOSECURITY EUROPE CONFERENCE & EXHIBITION

See you at Olympia, Kensington, London. New location.

The Sony Pictures breach in December 2014 made headlines around the world. Whatever the truth around who was responsible, the breach highlighted yet again that no organisation is immune to cyber-attack.

Consequently, information security is no longer just about protecting the network against attacks – it’s about building cyber-resilience to minimise business impact in the event of a breach. Despite that, only 35% of respondents to the Infosecurity Europe Industry Survey 2015 are seeing a significant change in focus from a purely prevention-based security strategy to one that balances prevention with detection, response and recovery.

Information security professionals face a multitude of conflicting, complex risks and priorities, as enterprises become increasingly connected and collaborative, with extended network perimeters, and the adoption of new business practices. Against this backdrop, security practitioners are working to develop intelligent security strategies that are aligned with the individual organisation’s risk profile and business priorities.

Knowing their business and understanding the context of the cybersecurity risks they face is fundamental to aligning security strategy with the business. Yet communicating risk to senior management, speaking the language of the business and developing an enterprise-wide security culture continue to be a challenge, and ineffective communication consistently stands in the way of intelligent security.

Recent incidents suggest that it is taking too long for organisations to detect breaches, as demonstrated by the JP Morgan breach in August 2014. But how do organisations even know they’ve been breached? Most organisations don’t have the resources to continually monitor and detect incidents, and if an organisation doesn’t know it has been breached, it can’t respond appropriately.

With potentially catastrophic repercussions for a business, the ability to respond to and recover from an attack rapidly and efficiently is critical to building cyber-resilience and an intelligent security strategy. Infosecurity Europe Industry Survey 2015 respondents revealed that in the event of a security incident, minimising the impact on the customer is the biggest priority, closely followed by business continuity. Enabling the business to function is crucial to intelligent security strategy.

Against this backdrop, Infosecurity Europe provides you with the opportunity to gain the tools, techniques and strategies you need to develop an intelligent security strategy, centred around the business requirements of your enterprise and balancing prevention, detection, response and recovery. Featuring an extensive conference and seminar programme, and showcasing the latest innovations in information security, Infosecurity Europe is the meeting point for the information security community.

We look forward to welcoming you to Olympia London in June.

Kerry Prince, Infosecurity Portfolio Director


Key Facts About the 20th Infosecurity Europe

Infosecurity Europe is the largest European information security event that enables industry professionals to gather vital information about the latest trends and developments in information security all under one roof. Come along to exchange ideas, make new contacts and shop for products and services to secure the future of your business assets where it matters.

When and Where
09.30 - 17.30 - Tue 2nd June 2015
09.30 - 17.30 - Wed 3rd June 2015
09.30 - 16.00 - Thu 4th June 2015

A Highly Satisfied and Influential Audience - What You Missed in 2014

• 15,253 information security professionals travelled from 73 countries
• 346 exhibiting companies from 24 countries
• 160+ international thought-leaders and expert speakers were featured
• 3,000+ information security professionals collected CPD/CPE credits with our certified content
• 98.1% satisfied visitors, 97.2% satisfied exhibitors
• 96.6% of visitors are likely to return for Infosecurity Europe 2015 (81% are extremely or very likely)
• 100+ influential industry and mainstream press in attendance reporting about Infosecurity Europe globally


SITS15 – The IT Service Management Show – is the UK’s Leading Exhibition and Conference for ITSM Professionals. Discover the latest solutions and gain expert advice from some of the world’s leading suppliers. Get inspired and gain insight into the latest issues and trends in the practical seminars and keynotes, plus network with thousands of your industry peers.

New Venue: SITS15 will be located at Olympia, London on the 3-4 June and will be collocated with Infosecurity Europe.

The UK’s leading exhibition and conference for ITSM professionals looks set to celebrate its milestone 21st anniversary in great company, with a host of big name vendors, consultancies and service providers now confirmed as exhibitors; view the full exhibitor list online.

Register Once, Benefit Twice

TOP 5 Reasons to Attend

1. Join the Community
Be part of the information security discussion that drives your industry forward. Come and network with a group of the leading voices in the information security world and participate in a premium conference programme designed to deliver the biggest learning and knowledge sharing opportunity in Europe.

2. Accelerate Your Career
Collect up to 5½ CPD / CPE credits per day and choose from 200+ hours of seminars and workshops. 16½ CPD / CPE to be gained!

3. Find Out What’s New
Select from 345+ global and leading information security vendors and service providers to help you solve your burning information security problems. Our comprehensive and diverse range of exhibitors have been brought together under one roof to allow you to keep abreast of new companies entering the market, see what’s new from the vendor names you know and respect, and find out about new developments in your industry.

4. Learn From the Experts
Harvest expert advice and gain insight that is relevant to your needs! The conference includes:
• Keynote Stage
• Strategy Talks
• Tech Talks
• Information Security Exchange
• Security Workshops
• Technology Showcase
• Security Training
• Cyber Innovation Showcase
• DevOps Connect
• RANT Forum – Infosecurity Special

5. Grow Your Business Network
Our event attracts over 15,000 industry professionals, from the who’s who of the information security world. Over the course of the three days, you can reconnect with your existing peer group and meet new contacts to share knowledge, experiences and common objectives.

Take home proven strategies, save money and improve your businesses’ security posture. Find solutions for tomorrow’s threats and challenges.

• 94.8% of visitors new to Infosecurity Europe were highly satisfied with their visit in 2014 and 96% are very likely to return in 2015!
• 80% of visitors attending in 2014 were looking for inspiration and to see what’s new
• 85% of Infosecurity Europe 2014 visitors rated the educational sessions as high quality
• 200+ expert speakers
• 150+ hours of conference programming in a variety of delivery formats
• 15,000+ information security peers

“Infosecurity Europe is the best forum for all security professionals to get access to IS and IA vendors, products, experts, peers under one roof.” Paul Ryan, Senior InfoTech Security Officer, Lincolnshire Police

“The best networking event in security!” Steen Larsen, CEO, Cloud Bastion

“I have made many useful contacts via Infosecurity Europe over the years, a very worthwhile meeting place.” Sean Marks, Senior Consultant, Serco Group plc

Highly sensitive becomes highly secure. With secunet in CRITIS.

Critical infrastructures (CRITIS) like water and energy supply are vitally important for society. At the same time, they depend now more than ever on the flawless functioning of information and communication technology. secunet protects these infrastructures sustainably and comprehensively against cyber attacks with professional IT security strategies and products like SINA. So that critical does not become dramatic!

Sounds impossible? Put us to the test!

www.secunet.com/critis

IT security partner of the Federal Republic of Germany

Created for the Industry by the Industry

As the threat landscape becomes more complex, and organisations become increasingly connected, information and cybersecurity professionals face a multitude of conflicting risks, priorities and challenges. Utilising a deluge of threat intelligence, they need to ensure they implement an intelligent security strategy that identifies the key risks to their business, driving protection strategies, whilst building cyber-resilience. The Keynote Stage will look at these challenges and provide strategic and practical advice on how to address them.

Created for the industry by the industry, following extensive research with the information security end-user community and consultation with an advisory council of senior industry practitioners, the Keynote Stage is the vibrant hub of the Infosecurity Europe seminar programme.

Insight, Ideas and Inspiration

The Keynote Stage provides attendees with direct access to information security knowledge and expertise presented by some of the industry’s leading end-user practitioners, policy-makers, analysts and thought-leaders. Delegates will gain new ideas, insight, and actionable intelligence to enable them to streamline their information security strategy, accelerate the effectiveness of their security tactics, and reinforce the critical position of the information security function.

Key Themes to be Addressed in the 2015 Keynote Stage Agenda Include:

• Intelligent security: Risk-based information security strategies to address prevention and response and align information security to the specific needs of your organisation

• Building cyber-resilience: Effective tactics and techniques to detect and respond to security incidents

• Next generation information security: Keeping pace with the evolving, connected business and adapting to new technologies and working practices

• Threat analysis: Evaluation of the latest threats and attack vectors and insight into how to address them

Don't forget to build the Keynote Stage sessions into your Infosecurity Europe agenda!

www.infosecurityeurope.com/keynotes

Day One: Tuesday 2 June

10.00-10.40 Keynote Presentation: Security and Privacy
Ciaran Martin, Director General, Cyber Security, GCHQ

10.55-11.55 The 2015 Cyber Security Breaches Survey: Official Launch, Key Findings and Analysis
Details of the 2015 security breaches survey results will be discussed and reviewed.
Richard Horne, Partner, Cyber Security, PwC
Andrew Miller, Cyber Security Lead for Government and Public Sector, PwC
Chris Potter, Partner, PwC

12.10-12.50 Infosecurity Perspectives: Mitigating the Human Risk
Jenny Radcliffe, Social Engineer

13.05-14.10 Infosecurity Strategy Panel Discussion: Establishing an Enterprise-Wide Cybersecurity Culture
This session will include the White Hat events charity cheque presentations.
Panellists:
John Meakin, CSO, Richemont International
Lee Barney, Head of Information Security, Home Retail Group
David Jones, Head of Information Security, BBC
Andrew Rose, CISO and Head of Cyber Security, NATS
Bruce Hallas, Founder, The Analogies Project
Moderator: Stephen Bonner, Partner, KPMG, Infosecurity Europe Hall of Fame Alumni

14.25-15.05 Keynote Presentation: Solving Security Challenges: How Google does Information Security
Eran Feigenbaum, Director of Security, Google Apps

15.20-16.15 Secure Development Panel Discussion: From DevOps to DevSec: Securing Application Development
Panellists:
Pawel Krawczyk, Application Security Manager, Open Web Application Security Project (OWASP)
Bryan Littlefair, Global CISO, Aviva
James Lyne, Security Researcher
Richard Rushing, CISO, Motorola Mobility

16.30-17.30 Cloud Focus Panel Discussion: Solving the Cloud Conundrum: Privacy, Trust and Accountability
Panellists:
Quentyn Taylor, Director of Information Security, EMEA, Canon
Eran Feigenbaum, Director of Security, Google Apps
Justin Somaini, Chief Trust Officer, Box
Daniele Catteddu, Managing Director, EMEA, Cloud Security Alliance
Moderator: Adrian Davis, Managing Director, (ISC)2

Day Two: Wednesday 3 June

10.00-10.40 Keynote Presentation: Cracking the Cipher Challenge
Simon Singh, Science Writer

10.55-11.35 Keynote Presentation: How to Hack an Enterprise: Exploitation for Beginners
James Lyne, Security Researcher

11.50-13.00 Infosecurity Intelligence Keynote Panel Discussion: Know Your Adversary: Who is the Cyber-criminal?
Panellists:
Andy Archibald, Deputy Director, National Cybercrime Unit, National Crime Agency
Professor Alan Woodward, Visiting Professor, Surrey Centre of Cyber Security, University of Surrey
Wil van Gemert, Deputy Director Operations and Acting Head of EC3, Europol
Michael Driscoll, Assistant Legal Attaché, FBI
Moderator: Brian Honan, Founder & CEO, BH Consulting

13.15-13.55 Breach Detection and Response: How Do You Know You've Been Breached? Rapid Breach Detection and Effective Response To Minimise Incident Impact
Bruce Schneier, Infosecurity Europe Hall of Fame Alumnus

14.10-15.00 Infosecurity Strategy Panel Discussion: Articulating Risk to Senior Management: Enabling Informed Decision-Making
Panellists:
David Cass, Senior Vice President & CISO, Elsevier
Mike Pitman, CISO, Head of Information Security, John Lewis
James Mckinlay, Head of Information Security UK&I, Worldline
Moderator: Peter Wood, Security Advisory Group, ISACA London Chapter

15.15-16.15 Infosecurity Intelligence Panel Discussion: Vulnerabilities, Risks And Threats: Actionable Intelligence for Robust Cyber Defence
Panellists:
Gianluca D’Antonio, CISO, FCC Group, Chair of ISMS Forum
Burim Bivolaku, CISO, The Noble Group
Dr Eduardo Solana, Senior Lecturer, Computer Science Department, University of Geneva
Moderator: Wendy Nather, Research Director, Information Security, 451 Research

16.30-17.30 Regulation and Compliance Panel Discussion: Smart Strategies to Address Increasing Global Regulatory Oversight
Panellists:
Richard R. Starnes, CISO, Kentucky Health
Bridget Treacy, Partner, Hunton & Williams
Steve Wright, Chief Privacy Officer, Unilever
Jonathan Bamford, Head of Strategic Liaison, Information Commissioner’s Office
Moderator: Stewart Room, Partner, PwC

Day Three: Thursday 4 June

10.00-10.40 Keynote Interview: Infosecurity Europe Hall of Fame
During this session the 2015 Hall of Fame inductee/s will discuss a timely development in information security, be it a post-incident review of a recent breach, the threat landscape or a presentation on a new technological development.

10.55-11.45 Risk Insight Panel Discussion: Prevention to Response: Intelligent Risk Management to Bolster Security Posture
Panellists:
Shan Lee, Head of Information Security, JUST EAT
Jonathan Kidd, CISO, Met Office
Mark N Jones, CISO and Director IT Compliance & Governance, Heathrow Airports
Vicki Gavin, Compliance Director, Head of Business Continuity and Information Security, The Economist Group
Moderator: Jean Noel Georges, Global Programme Director, Research Manager, Frost & Sullivan

12.00-12.50 Incident Response Panel Discussion: You’re Under Cyber-Attack. Now What?
Panellists:
Chris Gibson, Director, CERT-UK
Tom Mullen, Head of Cyber Response & IT Security, Telefónica UK
Jon Townsend, Head of Cyber Intelligence and Response, Department for Work and Pensions
Moderator: Dave Clemente, Senior Research Analyst, Information Security Forum

13.05-13.55 CNI Panel Discussion: Securing Critical National Infrastructure: Managing Cyber Risk in a Hyper-Connected, Physical World
Panellists:
Don Randall, Cyber Ambassador, Bank of England
Peter Gibbons, Head of Cyber Security, National Rail
Additional speakers to be confirmed
Moderator: Andrew Kellett, Principal Analyst, Ovum

14.10-14.55 UK's Most Innovative Small Cybersecurity Company of the Year: Competition Final
During this session the four finalists from the national competition launched through the Cyber Growth Partnership, with the support of BIS and techUK, will pitch their technology/service to a judging panel which will select the winner and award the title of ‘Most Innovative Small Cyber Security Company of the Year’.
Judges:
Nazo Moosa, Managing Partner, C5 Capital
David Cass, Senior Vice President & CISO, Elsevier
Wendy Nather, Research Director, Information Security, 451 Research

15.10-16.00 Infosecurity Strategy Panel Discussion: Keeping Pace with the Evolving Business: Building a Next-Generation Cybersecurity Roadmap
Panellists:
Michael Colao, Head of Security, Group Technology and Operations, AXA UK
José A. S. Alegria, Director, CyberSecurity, Privacy and Business Continuity, Portugal Telecom
Becky Pinkard, Director, Security Operations, Pearson
Moderator: Bob Tarzey, Analyst and Director, Quocirca

Register Online: www.infosecurity-intelligent-defence.com

Day One: Tuesday 2 June

08.30-09.00 Registration and coffee

09.00-09.10 Welcome from Chair
Opening remarks from the conference chair.

09.10-10.10 Keynote Presentation
Adam Laurie, Security Researcher, Director, Aperture Labs

10.10-11.10 POS Attacker Toolkits: Frontline Analysis of POS Attack Toolkits
Kyle Wilhoit, Senior Threat Researcher, Trend Micro

11.10-11.30 Morning refreshments

11.30-12.30 Detecting and Responding to Advanced Threats: Exposing the Skeleton in Your Closet
Lee Lawson, CTU Special Operations, Dell SecureWorks

12.30-13.30 Smart Home Invasion
Craig Young, Security Researcher, Tripwire

13.30-14.45 Lunch

14.45-15.45 The Researcher's Guide to the IoT Galaxy
Andrew Hay, Head of Research, OpenDNS

15.45-16.45 Keynote Presentation: Regulating Your Nose to Spite Your Face
Sergey Bratus, Research Associate Professor, Dartmouth's Institute for Security, Technology, and Society

16.45-17.00 Closing comments from the Chair
The conference chair will review the day’s sessions and key conclusions.

Day Two: Wednesday 3 June

08.30-09.00 Registration and coffee

09.00-09.10 Welcome from Chair
Opening remarks from the conference chair.

09.10-10.10 Keynote presentation
Details to be announced

10.10-11.10 Detecting Malicious Typosquatting Domains
Gerben Broenink, Security Specialist, TNO
Harm Schotanus, Information Security Specialist, TNO

11.10-11.30 Morning refreshments

11.30-12.30 Wolf in Sheep’s Clothing: Your Next APT is Already Whitelisted
Juan Andres Guerrero-Saade, Senior Security Researcher, Global Research and Analysis Team (GReAT), Kaspersky Lab
Fabio Assolini, Senior Security Researcher, Global Research and Analysis Team (GReAT), Kaspersky Lab

12.30-13.45 Lunch

13.45-14.45 Data Sanitization: Effective Protection or Latest Buzzword?
Szilard Stange, Director of Product Management, OPSWAT

14.45-15.45 The Fault In Our Clouds
Yonatan Most, Head of Adallom Labs, Adallom

15.45-16.00 Closing comments from the Chair
Final review and summing up by the conference chair.

REGISTER ONLINE NOW: www.infosecurity-intelligent-defence.com

Olympia, London. 02 – 03 June 2015

ARE YOU SMARTER THAN THE ATTACKERS?

Intelligent defence against cyber attacks
• Gain in-depth understanding of the latest vulnerabilities, exploits and threats
• Hear from leading security experts who are at the sharp end of technical research
• Access best practice advice on how to mitigate the effects of new vulnerabilities and exploits

Find out more at: www.infosecurity-intelligent-defence.com

Meet the Advisory Council: Dr Eric Cole, Jack Daniel, James Lyne, Trey Ford, Rik Ferguson

10.00-10.25 Overcoming Insider Threats to Intellectual Property
Laurent Porracchia, Chief Information Officer, Safran Morpho
Stephane Charbonneau, Chief Technology Officer, Titus

10.40-11.05 The Flaws in the Onion: What does Context-Aware Next-Generation Security Look Like?
Gary Newe, Technical Director, F5

11.20-11.45 Rethinking Enterprise Security: Lifecycle Defence
Felix Leder, Director Advanced Malware Defence, Blue Coat Systems

12.00-12.25 Dear Executives, Parlez-Vous Security?
Dwayne Melancon, Chief Technology Officer, Tripwire
Brian Honan, CEO, BH Consulting
Thom Langford, Director of Global Security, Sapient

12.40-13.05 Trouble in Paradise: End Island Hopping by Embracing the Tactical Shifts of the Underground
Rik Ferguson, Global VP Security Research, Trend Micro

13.20-13.45 FUD or Fact: The Role of the News Media in Security
Anthony Freed, Senior Editor of Publications, Norse Corporation
Thomas Brewster, Journalist, Freelance
Brian Honan, CEO, BH Consulting
Raphael Satter, Investigative Journalist, Associated Press

14.00-14.25 UK Public Sector and Healthcare Industry Panel Debate: Managing Security Risks and Protecting Information Assets
Bruce Wright, Connectivity Technician Consultant, South East CSU (NHS)
Bob Tarzey, Analyst and Director, Quocirca
Phil Gibson, Chair, PSN Industry Association, Director, Avoca Associates (Speaking on behalf of Forescout)

14.40-15.05 ProTips for Tackling Incidents Involving Advanced Attack Techniques
Steve Armstrong, Technical Security Director, Logically Secure

15.20-15.45 Method for Assessing Risk in a Business: It's Not Just About Vulnerabilities
Matt Alderman, VP Strategy, Tenable Network Security

16.00-16.25 How Think Money is Utilising Continuous Monitoring to Mitigate Today’s Threats, and to Meet Regulatory and Contractual Obligations
Neil Dawson, Senior Information Security Analyst, Think Money Group
Ross Brewer, Vice President & Managing Director of International Markets, LogRhythm

16.40-17.05 It’s About the Data, Stupid
Salo Fajer, CTO, Digital Guardian

Intelligent Security: Strategic Insight to Optimise Security Posture

34 /// www.infosecurityeurope.com Q2 /// 2015

Intelligent Security: Protect. Detect. Respond. Recover.®

Acquire strategic insight into how to develop a resilient information security strategy to support enterprise growth, innovation and transformation.

Strategy Talks Sponsor:

Day One: Tuesday 2 June

10.00-10.25 Where Flow Charts Don't Go: An Examination of Web Applications Security Process Management
Gabriel Gumbs, Managing Director, Research and Products, WhiteHat Security
Matt Johansen, Senior Manager, Threat Research Centre, WhiteHat Security

10.40-11.05 Are You Seeing a Return on Your Security Investments? Security as a Business Enabler
Sol Cates, CSO, Vormetric

11.20-11.45 The Plateau Effect: Why Security is Being Reinvented
Hugh Thompson, Chief Technology Officer, Blue Coat Systems

12.00-12.25 Fridge FUD: Freezing Out IoT Myths
Carl Leonard, Principal Security Analyst, Websense

12.40-13.05 Automated Security Reviews in a Continuous Integration Environment
Richard Fry, Information Security Manager, Swinton Insurance (Speaking on behalf of Quotium)

13.20-13.45 The Hunted Becomes the Hunter
Darren Anstee, Director of Solutions Architects, Arbor Networks

14.00-14.25 Beyond Risk Avoidance: Demonstrating the True ROI of your Application Security Programme
Gearoid O'Connor, Senior Security Programme Manager, Veracode

14.40-15.05 Innovation and The European Cybersecurity Research Landscape: From Academia to Business
Tom Ilube, CEO, Crossword CyberSecurity

15.20-15.45 Technology is not Enough: Full Security Relies on Processes and People
Terry Greer-King, Director, Cyber Security, Cisco

16.00-16.25 Hey You, Want To Come onto My Cloud?
Robin King, CEO, DeepSecure
John Godwin, Head of IA and Compliance, Skyscape Cloud Services

16.40-17.05 Why Women in Security are Being Paid More
Karla Jobling, Operations Director, BeecherMadden
Gemma Mahoney, Delivery Director, BeecherMadden

Day Two: Wednesday 3 June

10.00-10.25 Defining Moments in the History of Cybersecurity Which Have Led to the Rise of Incident Response
Paul Ayers, General Manager, EMEA, Resilient Systems

10.40-11.05 Threat Intelligence – Marketing Hype or Innovation? Discuss
James Chappell, CTO, Digital Shadows

11.20-11.45 The Inception Framework: The Strategic Implications of the Modern Threat Landscape
Christophe Birkeland, CTO, Malware Analysis, Blue Coat Systems

12.00-12.25 Finding Fortune on the Web via Exposed Fortune 500 Employee Credentials
Staffan Truvé, CTO and Co-Founder, Recorded Future

12.40-13.05 Distraction in Depth: Evolving from Defence in Depth to a More Coordinated Strategy
Chester Wisniewski, Senior Security Advisor, Sophos

13.20-13.45 Threat Information Sharing in Retail: One Year On. Is it Working?
Barmak Meftah, CEO, AlienVault

14.00-14.25 Simplifying the Adoption of Cloud Applications: Identifying, Classifying and Protecting your Organisation's Sensitive Information
Gil Zimmermann, CEO/Co-Founder, CloudLock
Russell MacDonald, Head of Digital Solutions, PA Consulting

14.40-15.05 Mobile has Changed your Business. Now What about Security?
Chris Taylor, Senior Product Manager, Entrust Datacard

15.20-15.45 Using Threat Intelligence to Improve Security Response
Piers Wilson, Head of Product Management, Tier-3 Huntsman

Day Three: Thursday 4 June

For the latest programme and speaker updates visit www.infosecurityeurope.com/strategytalks


10.00-10.25 Opening Misfortune Cookie: The Hole in 12 Million Internet Gateways Worldwide
Shahar Tal, Vulnerability and Security Research Manager, Check Point Software Technologies

10.40-11.05 People are the Weak Link in Data Security not Technology: What Technical Steps can be Taken to Mitigate This?
Neil Larkins, Chief Operations Officer, Egress Software Technologies

11.20-11.45 Presentation by Cisco
Details to be announced

12.00-12.25 Strategic Attack Surface Management: Involving the Business
Wim Remes, Manager, EMEA Strategic Services, Rapid7

12.40-13.05 Protecting Applications on Amazon Web Services
Chris Gove, Enterprise Architect, Imperva

13.20-13.45 The Challenge Spectrum
Ziv Gadod, Senior Security Analyst, Radware
Werner Thalmeier, Director Security Solutions, Radware

14.00-14.25 Tracking Malware in Criminal Internet Neighbourhoods
Dhia Mahjoub, Senior Security Researcher, OpenDNS

14.40-15.05 Optimising the Mobile Cloud Era Through Agility and Automation
Ian Evans, Vice President and Managing Director, EMEA, AirWatch by VMware

15.20-15.45 A Call to Arms: Using a Working Model of the Attack Surface to Improve Incident Response
Gidi Cohen, CEO and Founder, Skybox Security

16.00-16.25 Securing the Internet of Things Without Boiling the Ocean
Tim (TK) Keanini, CTO, Lancope

16.40-17.05 Android Live Hacking Demo: How Common Coding Flaws, Overly-Permissive Permissions and DIY Certificates can Compromise Android Security
Ken Munro, Senior Partner, Pen Test Partners

Intelligent Security: Technical Approaches to Resilient Security

Gain up-to-the-minute technical tools, techniques and skills to successfully combat today's sophisticated security adversary.

Tech Talks Sponsor:

Day One: Tuesday 2 June

10.00-10.25 From Fiction to Facts: Examining Real-World Exposure to Credentials Abuse
Andrey Dulkin, Senior Director of Cyber Innovation, CyberArk

10.40-11.05 Prepare for Cyber War with the Right Intelligence
Dave Merkel, CTO, FireEye

11.20-11.45 Presentation by Cisco
Details to be announced

12.00-12.25 Uncloaking Advanced Malware: How to Spot and Stop an Evasion
Marco Cova, Senior Security Researcher, Lastline

12.40-13.05 How Forensics and Cybersecurity Must Co-exist
Graham Thornburrow-Dobson, Information Security Consultant and Official Instructor, (ISC)2

13.20-13.45 Windows Server 2003 End of Life: Your Problem and My Problem
Ian Trump, Security Lead, ControlNow

14.00-14.25 Understanding the Data Breaches of 2014: Did it Have to be this Way?
Patrick Grillo, Senior Director, Product Strategy, Fortinet

14.40-15.05 Office 365 and its Implications for Networking, Security and Compliance
Klaus Gheri, Vice President Network Security, Barracuda Networks

15.20-15.45 Hacking without Hacking: An Exposé into Infrastructure Hacking due to Poor Configuration and Design
John Stock, Technology Director, Outpost24

16.00-16.25 Swimming with Sharks: The Importance of Hardware for Security
Ian Pratt, Co-Founder, Bromium

16.40-17.05 DDoS Attacks: What You Can't See Can Hurt You
Dave Larsen, Chief Technology Officer, Corero Network Security

Day Two: Wednesday 3 June

10.00-10.25 Ensuring Your Botnet Takedown Results in a Knockout
Brian Foster, CTO, Damballa

10.40-11.05 The Virtual World Exposed: Hacking the Cloud
Jason Hart, Vice President of Cloud Solutions, Safenet

11.20-11.45 Presentation by Cisco
Details to be announced

12.00-12.25 Achieving Governance via your Software Development Life Cycle
David Juitt, Chief Security Architect, Ipswitch

12.40-13.05 The Node.js Highway: Attacks are at Full Throttle
Maty Siman, Founder and CTO, Checkmarx
Helen Bravo, Head of Product Management, Checkmarx

13.20-13.45 Turning Security Against You: How Hackers Take Over Your Secure Shell Environment
Kalle Jääskeläinen, VP, Solutions and Services, SSH Communications Security

14.00-14.25 The Evolution of Malware
Mark James, Security Specialist, ESET

14.40-15.05 Overcoming Challenges in Deploying NAC Solutions in Highly Distributed Networks with 100,000+ End Points: A Case Study
Necati Ertugrul, CTO, NATEK

15.20-15.45 Resilient Security Architectures
Paddy Francis, CTO, Cyber Security, Airbus Defence and Space

Day Three: Thursday 4 June


For the latest programme and speaker updates visit www.infosecurityeurope.com/techtalks

Benefit from the chance to discuss how to tackle the latest challenges in information security and gain fresh perspectives on the latest technologies and research. Featuring in-depth presentations, panel discussions and case studies, the Information Security Exchange brings together end-users and vendors to engage in open dialogue and exchange technical and strategic expertise in a range of formats.

Leave the sessions equipped with new approaches and techniques to enable you to enhance your organisation's information security strategy and tactics.

Hear expert opinions from leading organisations including BSI, MobileIron, Bitdefender, L-3 TRL Technology, Radware, Pulse Secure, LRQA, AVG Business, Atos and Level 3 Communications.

Topics to be addressed include:
• Moving the Attack Surface: A Coherent Strategy for Protecting Interconnected Information and Operational Systems (L-3 TRL Technology)
• The Next Cyber War: Geo-Political Events and Cyber-Attacks (Radware)
• The Benefits of the 3 C's of BYOD: Connectivity, Compliance & Containerisation (Pulse Secure)
• Can Technology Save us from Evolving Cybersecurity Threats? (Level 3 Communications)
• What Security Pros Can Learn from Shadow IT: Lessons from the Infrastructure and Operations Playbook (Bitdefender)
• Say Goodbye to Enterprise IT: Welcome to the Mobile First World (MobileIron)

To view the full agenda and the latest speaker and session updates, please visit www.infosecurityeurope.com/ise

Next-generation Information Security Methodologies and Tactics


• Hear about new and existing products, services and solutions as exhibitors take to the stage to demonstrate the capabilities of their information security technologies.

• Pose your questions directly to the solution providers and find the answers you've been looking for.

• Take this opportunity to gain the insight you need to maximise ROI on your solution purchases.

Hear from leading organisations including Box, Cryptzone, CyberArk, ExtraHop, GB&Smith, Jenrick IT, Lumension, Pulse Secure, BackBox, Secure Islands Technologies, TrapX Security, VMWare, Wallix and Zscaler.

To view the full agenda and the latest speaker and session updates, please visit www.infosecurityeurope.com/techshowcase

Innovative Technologies to Address the Latest Information Security Risks

Showcasing the Latest Innovations in Cybersecurity

The cyber innovation showcase gives you the opportunity to stay abreast of new innovations in information security technologies. This newly added theatre includes presentations from the 11 shortlisted companies from the UK nationwide competition launched through the Cyber Growth Partnership, with the support of BIS and techUK, to find the UK's Most Innovative Small Cyber Security Company of the Year. This showcase will give you deeper insight into the products these and other companies have designed, developed and brought to market.

Presenting organisations include Abatis, Cambridge Intelligence, Crypta Labs, Geolang, Minded Security, Purelifi, Sedicii, Westgate Cyber Security, ZoneFox, Cyberlytic, Pervade Software, BAE Systems and SSH Communications Security.

To view the full agenda and the latest speaker and session updates, please visit www.infosecurityeurope.com/cyberinnovationshowcase


At Infosecurity Europe 2015, Acuity will showcase its new STREAM Version 4 GRC software, which scales seamlessly from a free single-user edition to an unlimited enterprise edition.

The configurable, scalable and easy to use software has been improved and extended in Version 4 with a range of new features including a Custom Report Builder, a new API for third party interfaces and exciting new 'risk delta' functionality for identifying and prioritizing control improvements with the greatest risk return on investment.

STREAM is used world-wide for automation of risk registers; risk and control self-assessments; and integrated cybersecurity management systems, including ISO 27001, ISF and the NIST Cyber Security Framework. STREAM integrates data from third party tools with self-assessments and audits to provide a business risk perspective for senior business managers.

A free single-user edition of STREAM Version 4 is available from http://www.acuityrm.com/ together with access to Acuity's on-line STREAM Training Portal.

Stand F123 | www.acuityrm.com | [email protected] | +44 20 7297 2086

Acuity Risk Management

Infosecurity Magazine has over 10 years of experience providing knowledge and insight into the information security industry. Its multiple award-winning editorial content provides compelling features both online and in print that focus on hot topics and trends, in-depth news analysis and opinion columns from industry experts.

Infosecurity Magazine also provides free educational content, including webinars, virtual conferences and training opportunities endorsed by all major industry accreditation bodies, which are therefore considered a key learning resource for industry professionals.

Stop by Infosecurity Magazine's stand at Infosecurity Europe and try your hand at protecting your network from malware and insider threats in our brand new and exclusive computer game – challenge your colleagues and take on the bad guys for a chance to win prizes and be crowned 2015 Infosecurity Chief Protection Officer.

Stand M60 | www.infosecurity-magazine.com | [email protected]

Infosecurity Magazine

Spikes Security, founded in 2012, is a venture-backed network security start-up based in Los Gatos, California. The company is focused on preventing all web malware from targeting web browsers and infecting endpoint devices. This is critically important because web browsers are highly vulnerable and have become a primary attack vector used by cyber-criminals to gain access to enterprise networks. Spikes Security prevents all web malware through the use of innovative, patent-pending isolation technology, which ensures that all web content is rendered on a specialised appliance outside the network, then transformed into a benign, malware-free format and delivered safely to end-users inside the corporate network. Discover how you can make the web safe for your organisation. Visit Spikes Security at stand #G100.

Stand [email protected] | +1-408-755-5713

Spikes Security

NEW PRODUCTS AND SERVICES

• Take advantage of the opportunity to build your skills during in-depth, extended workshop sessions covering a range of business-critical topics in a practical and interactive format.

• Develop your skills whilst engaging with your peers and learning from leading security experts.

• Leave the sessions with practical know-how and learning that can be applied directly to your business.

Organisations offering workshops include (ISC)², cybX, VMWare, Cloud Security Alliance, NextSec and the IISP.

Topics to be addressed include:
• Professionalising Information Security, BCS
• Have You Got What it Takes to be a Crisis Leader?, Infosecurity Magazine
• CISSP Preview: Security and Risk Management, (ISC)²
• CISSP Preview: Security Assessment and Testing, (ISC)²
• Developing Organisational Cyber Resilience, cybX
• European Privacy Compliance and Security SLA: Addressing the Challenges, CSA

To view the full agenda and the latest speaker and session updates, please visit www.infosecurityeurope.com/securityworkshops

Intelligent Security: Practical Techniques and Strategies to Protect Information Assets


Certificate of Cloud Security Knowledge (CCSK)
Discover how to optimise cloud security within your organisation
• Access the strategic and tactical know-how to overcome cloud security challenges.
• Discover how to protect and control sensitive data in the cloud.
• Understand how to implement robust security controls to optimise cloud security.

Date: Thursday 4th June, 9.00-17.00
Price: £649 + VAT
Register and find out more at www.infosecurityeurope.com/ccsk

Cybersecurity Fundamentals
• Develop a solid understanding of the principles of cybersecurity, including information security architecture, application security, risks and vulnerabilities and incident response.
• Evaluate the security implications of evolving technologies.
• Access insight into the importance of cybersecurity, and the integral role of cybersecurity.

Date: Tuesday 2nd and Wednesday 3rd June
Standard Rate: £599 + VAT
ISACA member rate: £499 + VAT
Register and find out more at www.infosecurityeurope.com/isaca

DevOps Foundation Certification Course
Understand how to utilise DevOps to optimise workflow and maximise business agility
Date: Two-day training course
Day 1: Live, instructor-led, virtual session: Monday 1st June, 8.30-18.00 BST
Day 2: Face-to-face training course at Infosecurity Europe, Olympia London: Wednesday 3rd June, 8.30-18.00 BST

Price: £749 + VAT
Register and find out more at www.infosecurityeurope.com/devops

How to Turn the Human Firewall On
Discover how to create a robust enterprise security culture by effectively engaging the employee
• Understand how to secure employee engagement and increase the likelihood of a positive security choice.
• Gain insight into how behaviours are formed and influenced, and learn how to integrate them into security strategy and day-to-day operations.
• Find out how to implement effective training and awareness programmes to positively impact security behaviours.

Date: Thursday 4th June, 9.00-17.00
Price: £649 + VAT

Register and find out more at www.infosecurityeurope.com/analogies

Infosecurity Europe has partnered with leading training providers to bring you four in-depth training opportunities in 2015. Combine your visit to the show with high-value, practical training that will build your skills and benefit your business.


The Cyber Growth Partnership, in association with The Department for Business, Innovation & Skills and techUK, is supporting a new UK Cyber Innovation Zone at Infosecurity Europe 2015. The zone is being used to showcase 11 small innovative UK cybersecurity businesses. The magnificent 11, exhibiting their innovation at Infosecurity Europe this year, are:
• Abatis (UK) Ltd
• Cambridge Intelligence
• Crypta Labs
• Cyberlytic
• Geolang
• Minded Security UK Ltd.
• Pervade Software Ltd.
• Purelifi
• Sedicii Ltd.
• Westgate Cyber Security Limited
• ZoneFox

The New Exhibitor Zone will be making its fifth appearance at Infosecurity Europe this year. This highly popular area for visitors is filled by over 50 new exhibitors to the event, from around the world, showcasing and demonstrating their innovative products and services never before seen at Infosecurity Europe – the ideal place to identify and learn about the information and cybersecurity solutions of the future.

See a list of all new companies exhibiting at Infosecurity Europe: www.infosecurityeurope.com/nez

DevOps Connect: Rugged DevOps at Infosecurity Europe is a full day of learning, networking and thought leadership focused on DevOps and security's role in the software development lifecycle. Bringing together the DevOps and the information security communities, the day will include panel discussions, presentations, and industry case studies on the integration of security and DevOps.

Thursday, 4th June 2015, 09:00-17:00
www.infosecurityeurope.com/ruggedDevOps

The Risk and Network Threat (RANT) Forum is a unique community of information security professionals who work within end-user organisations. This ever-popular event is created for industry by industry and allows you to voice your concerns and opinions on all of the pertinent topics and issues that you deal with every day as an information security professional. RANT is proud to be working together with Infosecurity Europe and their brilliant partner Zscaler to host a RANT Special within the exhibition in the Henley Suite 1 on the first day of Infosecurity Europe.

Tuesday, 2 June 2015, 15:00-17:30
www.infosecurityeurope.com/rant


Introducing New Features


USA

• Opswat
• Cyphort Inc
• Recorded Future
• Security Innovation
• Adallom
• Co3 Systems
• AccelOps Inc
• Observe IT
• whiteCryption
• Threatstream
• Authentify
• Firemon
• Arxan
• Emerging Threats, a Proofpoint Company
• Tanium
• Sonatype
• US Commercial Services

France

• Bertin IT
• Cybelangel
• DenyAll
• GB&Smith
• Hexatrust
• ILEX International
• OpenTrust
• Oveliane
• Pradeo Security Systems
• Qosmos
• Wallix

Germany

• Giegerich & Partner GmbH
• Pyramid Computer GmbH
• Sirrix AG
• Virtual Solution AG

Israel

• Secure Islands Technologies
• Kaymera Technologies
• TrapX Security

Northern Ireland

• CSIT
• Sabsa Courses
• DiskShred
• Titan IC Systems Ltd.

Impressions from Infosecurity Europe 2014

Security Made in…
As a global information security hub, Infosecurity Europe addresses international information security challenges and brings together international vendors and service providers to share their latest industry solutions and technologies. Infosecurity Europe's country pavilions showcase country-specific technology and innovations. www.infosecurityeurope.com/countrypavilions


Floorplan (the map graphic and its stand numbers are not reproduced here; see the A-Z Exhibitor List below for stand locations).

Ground floor areas: Entrance; Networking Bar; Visitor Lounge; International Trade Press and Visitor Lounge; Catering & Visitor Comfort Area; Technology Showcase; Intelligent Defence; Tech Talks; Strategy Talks; Technical Talks Live Streaming; Strategy Talks Live Streaming; US Pavilion; French Pavilion; Press Office; VIP Lounge; Stairs to upper level; Crossover to SITS on Weds & Thurs.

Level 1 areas: Keynote Stage; Keynote Stage Foyer & Queueing; Information Security Exchange; New Exhibitor Zone; Israeli Pavilion; UK Cyber Innovation Zone; Cyber Innovation Showcase Theatre; Visitor Lounge; Speaker's Room; Organiser's Office; Seating; Exhibitor Lounge; Security Workshops; Infosecurity Training.

(ISC)² UK Ltd A32; 3M (UK) Plc E204

A: Abatis UK Ltd R40A; Accellion, Inc. D235; AccelOps, Inc. F182; AccessData E185; activereach Ltd F45; Acuity Risk Management F123; Acumin Consulting Ltd. F80; Adallom F180; Aerohive Networks C200; Agileise Ltd N60; Airbus DS limited D45; AirWatch C100; Akamai Technologies Ltd. D25; Algosec B60; Alienvault F65; APM Group C144; APM Group Smart Space; ARBOR NETWORKS UK LIMITED B125; Arxan G175; Authentify G184; Avecto Ltd H50; AVG Technologies UK Ltd. F85

B: BAE Systems B160; BalaBit IT Security G70; baramundi software AG D184; Barclay Simpson B62; Barracuda Networks D140; BCC Risk Advisory L74; BCS A115; BeCrypt Ltd E85; BeecherMadden A105; Bertin IT F200; BeyondTrust F145; Bit9 D238; bitdefender C180; Black Duck Software E83; Blancco UK C15; Blue Coat Systems Limited D220; Bob's Business Ltd. A55; Bomgar F220; Bournemouth University L77; Box.com (UK) Ltd C190; Bromium D240; BSI Q79; Bull S.A.S. F78; BusinessFrance F200

C: Cambridge Intelligence R40B; Centrify C265; Certes Networks A110; CertiVox UK Ltd K73; CESG C142; Check Point Software Technologies C60; Checkmarx B45; Chemring Technology Solutions D222; Cigital A170; CipherCloud G60; Cisco International Limited CIL F120; Citrix Systems (UK) Ltd F100; City University London G164; CloudLock, Inc. B210; Codenomicon A50; Commissum G104; ControlNow K75; Corero Network Security E269; CoSoSys Ltd. E183; CREST K48; Crossword Cybersecurity K77; Crypta Labs R40C; Cryptzone UK Ltd F290; CWT Meetings & Events on behalf of Gemalto G120; CYBELANGEL F200; Cyber-Ark Software (UK) Ltd. E60; Cyberlytic R40J; Cyberoam Technologies Pvt. Ltd. G140; Cybertinel B200; Cyphort G193

D: Damballa, Inc. C80; Darktrace Limited N80; Deep-Secure Ltd. F104; Dell Corporation Limited D270; DenyAll F200; DeviceLock, Inc. P11; Digital Guardian Inc B181; Digital Shadows Limited H160; DOSarrest Internet Security LTD F142; Druva Europe Ltd Q68

E: e92plus F25; eco – Association of the German Internet Industry G160; ECSC E160; Egress Software Technologies Ltd C160; Emerging Threats G178; Encode UK Ltd B222; Endace Europe Ltd B40; Enforcive Systems Ltd. A100; Entrust (Europe) Ltd E40; E-Recycling Limited t/a Euro-Recycling A40; eSentire Inc A70; Eset spol. s r.o. D40; European Reseller M61; Evolution Recruitment Solutions Ltd P64; Exclusive Networks G124; ExtraHop C262

F: F5 Networks B240; Feitian Technologies Co., Ltd. Q60; FireEye UK Ltd C120; FireMon F170; ForeScout Technologies, Inc. G20; Fortinet Inc E140

G: GB&Smith F200; Geolang Ltd R40D; Giegerich & Partner GmbH G160; Gigamon UK Limited D180

H: HEXATRUST F200; Hitachi ID Systems G142

I: Iasme Consortium Ltd P63; iboss Network Security Ltd E45; Identiv F48; Idax Software K25; ILEX INTERNATIONAL F200; Imperva UK Ltd C20; Imprivata UK Limited G65; Infinigate UK E280; Infosecurity Magazine M60; Information Security Forum Ltd. C204; Institute of Information Security Professionals A65; Invest NI N70; Ipswitch File Transfer F140; ISACA H60; ISMG, Corp. P18; ISSA UK Q69; iStorage Limited B260; ITSA A60; Ixia B120


A-Z Exhibitor List

J: Jenrick:IT A180

K: Kaymera Technologies M79

L: L-3 TRL Technology B80; LampKicking Ltd L71; Lancope Inc F20; Lastline, Inc K53; Level 3 C45; LibraEsva Srl G10; Link11 GmbH C162; Lloyds Register Quality Assurance D15; Logically Secure Ltd F15; LogRhythm Ltd E25

M: ManageEngine B180; Metacompliance Ltd G40; Minded Security UK Ltd R40E; Mobile Iron International H110; Mozy H45; MWR InfoSecurity A20; My1login B225

N: Natek A.S. C19; NetSupport Ltd B65; NETWORK TECHNOLOGY SOLUTIONS (UK) LIMITED C200; Network Utilities (Systems) Ltd P60; Netwrix Corporation C260; Neustar Inc H150; Nippon Control Systems K54; Norse Group E202; NQA G162; NSFOCUS Information Technology Co., Ltd. D85

O: Observe IT G186; OpenDNS G68; OpenTrust F200; OPSWAT G196; Origin Storage L11; Outpost24 UK E65; Oveliane F200

P: Palo Alto Networks (UK) Ltd D100; Pen Test Partners D80; Pentesec Limited A150; Pentest Limited P74; Pentura Limited D225; Perforce Software K50; Perspecsys Corp. G144; Pervade Software R40K; PhishMe Inc F165; Ping Identity E250; Plixer E224; Pradeo Security Systems F200; Protection Group International B220; Pulse Secure F280; Purelifi R40F; Pyramid Computer GmbH G160

Q: Qosmos F200; Qualys E20; Quotium Technologies F102

R: Radware E180; RandomStorm Ltd E43; RAPID7 E242; Recorded Future G190; Red Island Consulting Ltd B185; Resilient Systems Europe Limited F184; Restricted Intelligence F290; Royal Holloway, University of London N62

S: S2S Electronics Ltd D210; Safeway Solutions LTD D230; SC Magazine A140; Secunet C164; Secure Islands Technologies Ltd M73; Security Cleared Jobs M20; Security Innovation G191; Sedicii Ltd R40G; Serbus Limited P72; Serco cybX P68; ServerChoice E240; Sirrix AG G160; Skybox Security Inc. C40; Skyhigh Networks D182; SmoothWall B140; Sonatype, Inc G172; Sophos Limited D260; Spikes Security, Inc. G100; Splunk Services UK Ltd B20; SSH Communications Security Corporation D83; SSL247 C210; SureCloud D48; Swivel Secure Ltd. F82

T: Tabernus Europe Ltd B182; Tanium G170; Tatius K27; TeleTrusT – IT Security Association Germany G160; Tenable Network Security Limited E260; The Open University K65; Threat Finder Ltd P66; ThreatStream G182; Thycotic Software Ltd H90; Tier-3 Security Ltd D160; Titania F40; TITUS Inc E262; TrapX Security M75; Trend Micro EMEA (GB) Ltd D60; Tripwire D20; Tufin Software Technologies Ltd F125; Turnkey Consulting K67

U: University Of Oxford Q70; Utimaco IS GmbH H95

V: Varonis UK Ltd E80; Vasco Data Security SA F160; Veracode, Inc F10; Verisec LTD. P70; VERISIGN E200; VÍNTEGRIS SL N65; Virtual Solution AG G160; VMware International Limited F98; Voltage Security, Inc. F60; Vormetric C140

W: Wallix F200; Watchful Software Inc E206; WatchGuard Technologies D280; Webroot International Limited B100; Websense UK Ltd D200; Westgate Cyber Security Ltd R40H; whiteCryption G185; WhiteHat Security G80; Wick Hill Ltd E100

Y: Yoh Solutions Limited K70

Z: Zonefox R40I; Zscaler Inc K61


This information was correct at the time of going to print. For the latest exhibitor list, please visit: www.infosecurityeurope.com/exhibitors

Organised by:

20TH INFOSECURITY EUROPE CONFERENCE & EXHIBITION

Intelligent security: Protect. Detect. Respond. Recover.

SEE YOU THERE

Download the Infosecurity Europe Mobile App

New Features Include: Networking Live Feed, Conference Programme, Exhibitor Directory, My Agenda, Interactive Floor Plan, Product Directory, Polls & Surveys

Tales from the Crypt: Hardware vs Software

Encryption is never out of the spotlight in this industry, but the methods that businesses can deploy to encrypt their data are wide-ranging. Daniel Brecht examines the pros and cons of the various solutions on offer

With the use of mobile devices booming, and attacks against government networks and business databases escalating, data security has become a hot topic for IT system managers and users alike. Today's technology advances have spurred a number of solutions to meet the requirements and the pockets of everybody who needs to secure a machine, from a simple home computer to the most sophisticated networks. Sorting through so many different solutions, however, can be overwhelming.

Whether to opt for software-based or hardware-based solutions is the first decision users are faced with, and it’s not an easy choice. Although both technologies combat unauthorized access to data, they do have different features and must be evaluated carefully before implementation.

Software-Based Encryption

Software encryption programs are more prevalent than hardware solutions today. As they can be used to protect all devices within an organization, these solutions can be cost effective as well as easy to use, upgrade and update. Software encryption is readily available for all major operating systems and can protect data at rest, in transit, and stored on different devices. Software-based encryption often includes additional security features that complement encryption, which cannot come directly from the hardware.

The protection granted by these solutions, however, is only as strong as the security of the operating system of the device. A security flaw in the OS can easily compromise the security provided by the encryption code. Encryption software can also be complicated to configure for advanced use and, potentially, could be turned off by users. Performance degradation is a notable problem with this type of encryption.

Hardware-Based Encryption

Hardware-based encryption uses a device’s on-board security to perform encryption and decryption. It is self-contained and does not require the help of any additional software. Therefore, it is essentially free from the possibility of contamination, malicious code infection, or vulnerability.

When a device is used on a host computer, a good hardware-based solution requires no drivers to be loaded, so no interaction with the processes of the host system is required. It also requires minimum configuration and user interaction and does not cause performance degradation.

A hardware-based solution is most advisable when protecting sensitive data on a portable device such as a laptop or a USB flash drive; it is also effective when protecting data at rest. Drives containing sensitive data like that pertaining to financial, healthcare or government fields are better protected through hardware keys that can be effective even if drives are stolen and installed in other computers.

Self-encrypting drives (SEDs) are an excellent option for high-security environments. With SEDs, the encryption is on the drive media, where the disk encryption key (DEK) used to encrypt and decrypt is securely stored. The drive controller uses the DEK to automatically encrypt all data written to the drive and to decrypt it as it leaves the drive. Nothing, from the encryption keys to the authentication of the user, is exposed in the memory or processor of the host computer, making the system less vulnerable to attacks aimed at the encryption key.

Hardware-based encryption offers stronger resilience against some common, not-so-sophisticated attacks. In general, malicious hackers won’t be able to apply brute-force attacks to a hardware-encrypted system as the crypto module will shut down the system and possibly compromise data after a certain number of password-cracking attempts. With software-based solutions, however, hackers might be able to locate and possibly reset the counters as well as copy the encrypted file to different systems for parallel cracking attempts.
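The two preceding paragraphs describe a key hierarchy: a DEK that stays on the drive, a user credential that only unwraps it, and a lockout counter that sits on the same side of the interface as the keys. The Python model below makes that concrete. It is an added example written for this page, not any drive vendor's firmware and not code from the article. Everything in it is a choice made for the illustration: a 32-byte DEK, PBKDF2 for stretching the credential, a lockout threshold of five attempts, and a SHA-256 counter-mode keystream standing in for the AES-XTS that real drives use on the media path.

```python
"""Model of the SED key hierarchy described above (constructed illustration,
not any vendor's firmware). Assumptions: a 32-byte DEK made on the drive, a
KEK derived from the credential with PBKDF2, an attempt counter kept inside
the same boundary as the keys, crypto-erase at MAX_ATTEMPTS, and a SHA-256
counter-mode keystream standing in for the AES-XTS real drives use."""
import hashlib
import hmac
import os

MAX_ATTEMPTS = 5          # assumed lockout threshold
PBKDF2_ROUNDS = 100_000   # assumed credential-stretching work factor


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SelfEncryptingDrive:
    """State on this object stands for controller-side state; the host sees
    only the method interface and never any key material."""

    def __init__(self, credential: str) -> None:
        dek = os.urandom(32)             # generated on the drive, never exported
        self._salt = os.urandom(16)
        self._wrapped, self._tag = self._wrap(dek, credential)
        self._media = {}                 # LBA -> ciphertext, i.e. the platters/flash
        self._active_dek = None          # unwrapped copy, present only while unlocked
        self._failed = 0
        self.erased = False

    def _derive(self, credential: str):
        """Stretch the credential into a 32-byte KEK and a 32-byte MAC key."""
        km = hashlib.pbkdf2_hmac("sha256", credential.encode(), self._salt,
                                 PBKDF2_ROUNDS, dklen=64)
        return km[:32], km[32:]

    def _wrap(self, dek: bytes, credential: str):
        """One-time XOR wrap of the 32-byte DEK under a 32-byte KEK, plus an HMAC tag."""
        kek, mac_key = self._derive(credential)
        wrapped = _xor(dek, kek)
        return wrapped, hmac.new(mac_key, wrapped, "sha256").digest()

    def unlock(self, credential: str) -> bool:
        """Pre-boot authentication. A good credential unwraps the DEK into
        controller memory; a bad one advances a counter the host cannot reach."""
        if self.erased:
            return False
        kek, mac_key = self._derive(credential)
        tag = hmac.new(mac_key, self._wrapped, "sha256").digest()
        if not hmac.compare_digest(tag, self._tag):
            self._failed += 1
            if self._failed >= MAX_ATTEMPTS:
                self.crypto_erase()
            return False
        self._failed = 0
        self._active_dek = _xor(self._wrapped, kek)
        return True

    def lock(self) -> None:
        """Power-off or eject: forget the unwrapped DEK; the media stays encrypted."""
        self._active_dek = None

    def change_credential(self, new_credential: str) -> None:
        """Re-wrap the same DEK under a new KEK; no sector is re-encrypted."""
        if self._active_dek is None:
            raise PermissionError("drive is locked")
        self._salt = os.urandom(16)
        self._wrapped, self._tag = self._wrap(self._active_dek, new_credential)

    def crypto_erase(self) -> None:
        """Discard the wrapped DEK: every sector becomes unrecoverable at once."""
        self._wrapped = self._tag = self._active_dek = None
        self.erased = True

    def _keystream(self, lba: int, n: int) -> bytes:
        # Stand-in PRF keyed by the DEK and tweaked per sector, XTS-style
        blocks = (hashlib.sha256(self._active_dek + lba.to_bytes(8, "big")
                                 + i.to_bytes(4, "big")).digest()
                  for i in range((n + 31) // 32))
        return b"".join(blocks)[:n]

    def write(self, lba: int, data: bytes) -> None:
        if self._active_dek is None:
            raise PermissionError("drive is locked")
        self._media[lba] = _xor(data, self._keystream(lba, len(data)))

    def read(self, lba: int) -> bytes:
        if self._active_dek is None:
            raise PermissionError("drive is locked")
        ct = self._media[lba]
        return _xor(ct, self._keystream(lba, len(ct)))


def demo() -> dict:
    """Walk the lifecycle the article describes and report each property."""
    drive = SelfEncryptingDrive("correct horse battery")
    if not drive.unlock("correct horse battery"):
        raise RuntimeError("initial unlock failed")
    record = b"constructed sample: financial records"
    drive.write(0, record)
    drive.change_credential("new passphrase")    # only the wrap changes
    drive.lock()
    out = {"old_credential_rejected": not drive.unlock("correct horse battery"),
           "new_credential_opens": drive.unlock("new passphrase")}
    out["data_survives_rewrap"] = drive.read(0) == record
    drive.lock()
    for i in range(MAX_ATTEMPTS):                # exhaust the counter
        drive.unlock(f"wrong-{i}")
    out["erased_after_limit"] = drive.erased
    out["correct_credential_after_erase"] = drive.unlock("new passphrase")
    return out
```

Three properties fall out of the walk-through: changing the credential re-wraps the DEK without touching a single sector, crypto-erase makes the whole medium unreadable by discarding one 32-byte value, and because the attempt counter and the wrapped DEK live behind the same interface as the keys, the counter-reset and copy-elsewhere route the article describes for software files has nothing to operate on. Real drives expose the same operations through TCG Opal or ATA Security commands rather than a Python class.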

Hardware solutions, however, might be impractical due to cost. Hardware encryption is also tied to a particular device and one solution cannot be applied to the entire system and all its parts. Updates are also possible only through device substitution.

The Debate

There is no single answer to companies’ encryption needs, stresses Bruce Schneier, CTO of Resilient Systems and creator of the blog Schneier on Security.

“Software is easier because it is more flexible,” he says, “and hardware is faster when that is needed. My preference is software, because I tend to use general purpose hardware and specific software. So my email encryption, web encryption, IM encryption is all software. But the software might use the hardware-specific instructions in the Intel chip for encryption.”

Nico de Corato, telecommunication engineer and founder of DubaiBlog, has a similar approach when it comes to choosing encryption solutions: “Each device requires software in order to operate, and a device is nothing else than hardware. You could not really choose between hardware and software; there is a total interdependence.”

The solutions used depend on the needs of the individual, he adds: “In some cases you can choose, and often I’m the one preferring software solutions. For example, if you need to buy a new GPS, the best solution is probably to download the application on your existing devices (eg a smartphone). This way, you are always going to have the GPS with you; you are going to pay much less than buying a new GPS device. The same goes for encryption software solutions.”

Companies need to consider factors like impact on performance, backup, security and available resources to decide on proper encryption implementation. Businesses should consider the risks involved in losing the data they handle, but also how long they need to keep data encrypted and how well they would be able to manage encryption keys with each solution.

It is also important, in light of the strict regulations that have been issued for data protection (such as HIPAA and PCI), that businesses choose the solution that allows them to be fully compliant.

Different considerations guide the choice. According to Tom Brennan, managing partner of cybersecurity consulting company ProactiveRISK, “In the commercial space it is mostly about price. With .GOV clients, it is more about data classification right.”

When budget is a concern, the choice is often to steer away from hardware-based solutions in favor of software solutions that can be implemented across the board. In addition, “rather than deal with the expense and inconvenience of being locked into upgrading one proprietary hardware platform every few years, some prefer to use software,” Brennan adds.


Hardware encryption is most advisable when protecting data on portable devices

Industry Models

“Recent security breaches in multiple industries – including entertainment, retail, and healthcare – tell us that large enterprises are not paying enough attention to security best practices,” says Dan Timpson, CTO at certificate authority DigiCert.

“In addition, many of these companies lack basic security measures. According to the Online Trust Alliance, 90% of data breaches in 2014 could have been prevented.”

The potential consequence of a data, privacy, or network security breach is very significant. According to the Ponemon Institute’s 2014 Cost of a Data Breach Study, data breaches now cost $3.5m on average, and the cost per lost or stolen record is $145. In a previous report, the Ponemon Institute reported that the average value of a lost laptop is $49,246, with only 2% accounting for the hardware replacement costs. Encryption could abate this sum by $20,000 as it prevents criminals from accessing and using data contained within.

Sometimes the size of a company makes for a different approach. Larger companies with massive security departments and large budgets probably already have a valid security posture, but smaller businesses might not be treating the issue with the importance it deserves. Many SMB managers believe that only larger companies are the target of malicious hackers. That couldn’t be further from the truth.

Symantec’s 2014 Internet Security Threat Report showed that companies with less than 250 employees accounted for more than half of all targeted attacks (61%) in 2013, an 11% increase from the previous year. A study by the National Cyber Security Alliance reported that 20% of small businesses fall victim to cybercrime each year.

Timpson comments that “using software-based encryption is straightforward and may be more approachable for a smaller business that does not have an on-site IT admin dedicated to data security measures.”

However, this is a valid solution only if companies realize that “the need to outsource this work brings the responsibility to find companies that are trustworthy and vet their products and services to ensure a good fit,” he adds.

Timpson believes that “introducing a third party increases the potential for vulnerability.” Although hardware encryption is perceived as more costly due to the upfront investments that are needed to supply an entire organization, Timpson believes that “in the long run, hardware can reduce costs with IT labor, user productivity, and licensing fees.”

So, what is the best solution to protect data? It depends on where you are trying to protect it.

When data is at rest, especially on removable devices, hardware-based encryption is often best. By encrypting entire disks or USB drives, everything is secure, from directories to file systems to content. Authentication should be done prior to booting so that not even the OS is started if the user is unauthorized. However, smaller companies might find it hard to justify the expense even for the added security and better systems performance.

If data is in transit, however, file level encryption is more appropriate: files and folders are singularly encrypted and stay encrypted regardless of how and where they are transferred. Possibly less expensive, these solutions are prone to a number of drawbacks from performance degradation to less-than-perfect protection due to hackers exploiting OS and memory vulnerabilities that expose encryption keys.

New theories and technology advances could eventually change that. As Andrew Avanessian, executive vice-president of consultancy and technology services at endpoint security software firm Avecto, explains, “AES instruction sets, which are included in some modern processors, allow software encryption to be more efficient and perform better without relying on dedicated hardware but applications need to be optimized to take advantage of this.”
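Whether the processor feature Avanessian refers to is actually available to software on a given host is something a practitioner can check rather than assume: on x86 Linux the kernel lists the CPU's instruction-set extensions in the "flags" line of /proc/cpuinfo, and AES-NI appears there as the flag aes. The parser below is an added example, not Avecto's or the article's code; the two cpuinfo excerpts it ships with are constructed for the demonstration, and the "mixed" outcome it reports is the case a virtualised host can produce when the hypervisor masks the flag inconsistently.

```python
"""Check whether a Linux host exposes AES-NI to software (added example;
constructed cpuinfo excerpts, not captured from a real machine)."""

AESNI_FLAG = "aes"   # the /proc/cpuinfo flag name the kernel uses for AES-NI

# Constructed excerpts containing only the fields the check reads.
CPUINFO_WITH_AESNI = """\
processor\t: 0
model name\t: Constructed CPU 0000
flags\t\t: fpu vme de pse sse sse2 ssse3 sse4_1 sse4_2 aes avx avx2 rdrand

processor\t: 1
model name\t: Constructed CPU 0000
flags\t\t: fpu vme de pse sse sse2 ssse3 sse4_1 sse4_2 aes avx avx2 rdrand
"""

CPUINFO_WITHOUT_AESNI = """\
processor\t: 0
model name\t: Constructed CPU 0001 (AES-NI masked by hypervisor)
flags\t\t: fpu vme de pse sse sse2 ssse3 sse4_1 sse4_2 avx hypervisor
"""


def cpu_flags(cpuinfo_text: str) -> list:
    """Return one flag set per logical CPU, in the order the kernel lists them."""
    per_cpu = []
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            per_cpu.append(set(value.split()))
    return per_cpu


def aesni_status(cpuinfo_text: str) -> str:
    """'all' when every CPU reports AES-NI, 'none' when none does, 'mixed'
    otherwise (worth a look: usually a partially masked VM), and 'unknown'
    when no flags line exists (non-x86 or non-Linux)."""
    sets = cpu_flags(cpuinfo_text)
    if not sets:
        return "unknown"
    hits = sum(AESNI_FLAG in s for s in sets)
    if hits == len(sets):
        return "all"
    return "none" if hits == 0 else "mixed"


def host_aesni_status(path: str = "/proc/cpuinfo") -> str:
    """Run the check against the live host; 'unknown' where the file is absent."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return aesni_status(fh.read())
    except OSError:
        return "unknown"


if __name__ == "__main__":
    print("AES-NI on this host:", host_aesni_status())
```

The flag only says the CPU offers the instructions; Avanessian's caveat that applications must be optimised to use them is the second half of the check. For software that links OpenSSL, running openssl speed -evp aes-128-gcm once normally and once with the OPENSSL_ia32cap mask that hides AES-NI (documented in OpenSSL's OPENSSL_ia32cap manual page) shows directly how much of the throughput comes from the instruction set.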

Choosing carefully is paramount, but there is no place for indecision. Avanessian believes the real problem is that “some organizations can get hung up about encrypting devices and end up delaying implementations. With the increasing portability of devices and BYOD, it is important to get some level of encryption setup as soon as possible.”

Encryption is necessary and is the best mechanism to protect data confidentiality, integrity and genuineness. It minimizes the chance of security breaches and adds layers of protection to secure data. Costs related to data loss and requirements dictated by law should be incentive enough for all businesses to adopt solutions, regardless of whether they are hardware-based or software-based.


Mobile working practices necessitate a considered approach to encryption for organizations


Should Companies Invest More in Skills or Tools?

People are the Most Important Piece of the Cybersecurity Puzzle

In IT, there is a common belief that a good programmer is 10 times more valuable and productive than a mediocre one. But developers are working in a relatively static environment. Their goals are constant – once you’ve written code that works really well, the environment doesn’t adapt to break it. There is business change, but the underlying approach is still optimal for that environment.

Cyber is another world – once we solve a problem, the environment and the attackers in it evolve to attempt to invalidate our solution. We must refresh our knowledge, and continually update our work, just to stay in the same place.

If we give a mediocre programmer a value of one, and the rock star equivalent 10, we might find that a mediocre security professional, even after all their tools are factored in, is still a one. The rock star equivalent, with the addition of tools, will become a 100.

Tools are a force multiplier, but multiples of zero are still zero. In the worst case, an incompetent security professional, given powerful tools, may actually become dangerous. For example, it is easy to block legitimate business emails with a poorly configured data loss prevention system, while still allowing essential information to be stolen.

A poor-quality security professional doesn’t just fail to implement good security – they can cause a security breach. Social engineering and phishing succeed because of a failure on the part of staff – a failure that cannot be prevented with technology.

There are plenty of people selling tools to solve your problems and superficially this can seem tempting. But default configurations are for default organizations, and your organization isn’t default.

In the right hands, tools can be useful, but in the wrong hands, tools can also be turned against us. Attackers will often attempt to gain access to security control systems and exploit these to extend their footprint within organizations.

Because tools are predictable, attackers train against them until they can defeat them, then they launch attacks – only a swift response by skilled people can outwit attackers.

In my years of cybersecurity work, I’ve found the key ingredients to successful cybersecurity are context, creativity and communication.

You need to look at the context of a situation to understand whether a particular behavior is cause for concern, or perfectly normal. Tools are beset with false alarms – they don’t understand context, and hence they over-alarm or miss subtle cues that a skilled human would pick up.

In order to respond to an incident and outwit the attackers, you need creativity. Attackers become familiar with responses, so new ones are more likely to trip them up. Although cybersecurity is a higher priority in many organizations than it once was, it is still rarely a high priority for a development team – you need creativity to help them meet your goals without missing their own.

Communication, within and beyond your organization, is key to cybersecurity success. Approachable, friendly members of staff with strong people skills get better information from all directions and convince the entire organization to do the right thing. When was the last time a robot convinced you of anything?

When users are given automated responses that do not convey the logic behind them, they focus their creativity on circumventing your controls, not embracing them.

Context, creativity and communication are all things that tools are unfortunately terrible at. Pop-up browser warnings are laughably ineffective – most users click ‘Yes’ without even reading the associated text, but an informed discussion by a passionate security professional can swiftly strengthen a user’s online behavior.

I concede that tools are essential to deal with low-level repeated attacks. They automate much of the growing workload that we all face. The shortage of skilled people elevates their importance, but only when properly configured, managed and maintained. Tools without craftspeople give a false sense of security, while they rust in the corner.

AUTHOR PROFILE

Stephen Bonner is a partner in the cybersecurity team at KPMG, where he leads a team focused on financial services. Before KPMG he was group head of information risk management at Barclays. Bonner was inducted into the Infosecurity Europe Hall of Fame in 2010.


OPINION

In Re-assessing Security, Technology Holds the Key

We’re now facing the next phase of cybersecurity attacks, with new ‘bad guys’ and attack vectors. As with any paradigm shift, pundits are up in arms, asking ‘How is this happening? Why don’t our defenses hold up?’ This has ballooned into one of the stronger debates occurring in IT meetings – and even boardrooms – globally.

It raises a key dilemma: budget is finite, so do we hire more security experts, or spend on advanced technology to keep us safe?

Unfortunately, that’s a flawed decision process from the start, with either road leading to failure. Simply hiring more IT security experts won’t necessarily enhance competency; you may simply find yourself with a greater number of uninformed people.

Likewise, throwing money at an ever-escalating array of firewalls and network appliances is not guaranteed to pay off either. You could find yourself broke and exposed (with lots of iron). So does this mean you’re damned if you do, and damned if you don’t?

Not necessarily. The fact is that, to fight the current (and future) onslaught of cyber-criminals, organizations must revitalize three core areas: strategies, competencies, and technologies. Start by revisiting your core strategy of defense.

The starting line in the post-Snowden, Target-sensitized, Sony-aware era is one fundamental question: ‘Do we have the right strategy to secure data in today’s world?’

Most experts agree that the IT industry needs to enact a rapid shift from ‘network-centric’ to ‘data-centric’ strategies. With the tidal wave of BYOD and wholesale defection to the cloud, legacy strategies built on a secure-the-perimeter mind-set are no longer adequate; there simply is no network perimeter to secure any longer.

Incredibly sensitive communications – such as confidential emails – are done on BYOD smartphones. Users tap ubiquitous cloud storage for housing product plans, IP, and financials with no idea of the security parameters. Board presentations are delivered to Wi-Fi tablets in coffee shops around the world. Hence, the strategy focus must shift from ‘protect the perimeter’ to ‘protect the data’.

Only a move from ‘castle walls’ to ‘bodyguards’ can ensure that information is safe regardless of where it’s created, where it’s sent, where it’s stored, or who finds a way to get their hands on it.

And you can’t scale enough to do this with just people – it must be done with technology.

This doesn’t mean you should stop investing in intellectual capital. But don’t rely on acquiring more so-called experts. Today, every single corporate user is a potential breach point; you can’t assign an IT expert to each employee and stay in business.

It’s simple math: when all users were in a single network perimeter (circa 2000), you could invest in a stronger perimeter, with a few ‘guards’ patrolling. But now that there is no perimeter (circa 2015), you must realize that the only path to safety is to assign a ‘bodyguard’ to each user, in essence making sure each user has a mini-CISO riding shotgun at all times. To scale, these mini-CISOs can’t be people, they must be technology instances.

This thinking should drive your new technology investment strategies.

Technology to protect today’s mobile, cloud-based information has to be ubiquitous, all-encompassing, and smart. It should be ubiquitous in that it protects data on any device users employ; all-encompassing in that it analyzes any kind of data to see if it’s sensitive and potentially toxic; and smart in that it identifies and encrypts sensitive information the moment it’s created, staying with it regardless of where it’s sent, stored, or used, even if the user doesn’t know this is going on.

Prioritize your IT investment strategy to increase and re-validate the competency of your team (~10%); fill ‘gaps’ that might exist on the team (~10%); and invest in technologies (~80%) that are perimeter-agnostic, and data-centric. That’s how you keep from being tomorrow’s data breach story of the day.

AUTHOR PROFILE

Charles Foley is chairman and CEO of Watchful Software. He has over 20 years of experience leading both private and public company teams to success. Prior to Watchful Software, he was the chairman and CEO of TimeSight Systems. He has also held senior positions at IBM and Memorex-Telex, and sits on the board of directors as chairman for Critical Links and Phuture Concepts, LLC, while holding advisory positions with RackWare and myPlanit.


MARKET ANNOUNCEMENTS

Mizuho Bank Deploys VASCO’s DIGIPASS 275 to Protect Customers’ Online Banking Transactions

Mizuho Bank, the core institution of Mizuho Financial Group and one of Japan’s three major banks, has selected VASCO’s DIGIPASS 275 authenticator with electronic transaction signing to secure its online retail banking services. The bank wanted to be the first to implement electronic signatures in the Japanese retail banking segment.

The solution from VASCO Data Security International helps secure the bank’s online and mobile services, called Mizuho Direct, against fraudulent transactions initiated by hackers. It provides superior protection against the latest fraud activities such as man-in-the-middle and man-in-the-browser attacks.

The one-time password function in DIGIPASS 275 is used for both authentication at account sign-in and for an electronic signature during transactions such as bank account transfers and payment settlement services.

In March 2008, Mizuho Bank initiated a program of security enhancement for its online banking service, using VASCO’s DIGIPASS GO6 and its VACMAN Controller. This latest upgrade provides further protection against the latest attacks online banking customers may be exposed to.

Good Technology Extends Partnership With Microsoft

Good Technology recently announced a range of innovations that extend Good Work’s secure mobility capabilities for Microsoft customers. Good Work now integrates with Microsoft OneDrive for Business for easier document storage and a new Good Dynamics SDK simplifies development of Windows 8.1 and Windows Phone 8.1 apps.

Good also announced the ability to host Good Work in the cloud, on-premise, or in hybrid environments, continuing the company’s efforts to deliver maximum flexibility in deployment options. Organizations can confidently and securely support a heterogeneous environment, extending its applications on both Microsoft and non-Microsoft devices with strong security on a unified management platform.

Microsoft and Good Technology have also collaborated for Microsoft Dynamics CRM for Good, which brings Good’s secure containerization and government certified security to Microsoft’s CRM solution.

As organizations move beyond MDM to mobile apps that drive productivity, CRM apps are in demand by sales organizations. As customer data is highly sensitive and often regulated, IT may be unwilling or unable to offer more CRM access without providing more stringent security controls. Microsoft Dynamics CRM with Good’s secure container technology helps to meet the needs of both sales and IT, delivering high value integration for enterprises wanting to accelerate CRM deployments to iPads.

Acunetix Clamps Down on Costly Website Security With Online Solution

As cybersecurity continues to hit the headlines, even smaller companies can expect to be subject to scrutiny, and securing a website is more important than ever. In response to this, Acunetix is offering the online edition of its vulnerability scanner at a new lower entry price. This new option allows consumers to opt for the ability to scan just one target or website at just $345.

A vulnerability scanner allows the user to identify any weaknesses in its website architecture which might aid a hacker. They are then given the full details of the problem in order to fix it. While the scanner might previously have been a niche product used by penetration testers, security experts and large corporations, Acunetix has recognized that such products need to be made available to a wider market. To address this, its product and pricing has become more flexible and tailored to multiple types of user. Use of the network scanning element of the product is also currently being offered completely free.

Users can sign up for a trial at: www.acunetix.com/vulnerability-scanner/register-online-vulnerability-scanner/


Cleo Wins Xerox Partner of the Year Award

Cleo, provider of secure enterprise data integration solutions, recently announced that it has been awarded the Xerox Outstanding Customer First / Service Support Partner of the Year Award for 2014.

Presented for excellence in customer and service support, this award recognizes the significant contribution of partners to the success of Xerox Corporation and its customers. Xerox has awarded a Partner of the Year award to Cleo for the past five years.

“Cleo is extremely honored to again receive this prestigious partner service award from Xerox Corporation,” said Mahesh Rajasekharan, PhD, CEO of Cleo. “This award underscores the depth of Cleo Streem integration with Xerox multi-function products, providing our customers with highly productive solutions for their network fax and dynamic interactive messaging and communication engagement needs. The strategic partnership between Cleo and Xerox for more than a decade demonstrates a continued commitment to providing outstanding value to our joint customers.”

Cleo is a member of the Xerox Business Innovation Program. Cleo Streem helps automate and centralize workflows from Xerox multifunction printers, allowing customers to send, receive, store, and track communications securely. For more information visit www.cleo.com

Workspaces Provides End User Choice and Ease-of-Use

Globalscape recently announced the release of Workspaces, the latest addition to its managed file transfer solution suite, Enhanced File Transfer.

Workspaces allows users to share folders and files with other users without sacrificing governance, visibility or control. The new offering is an on-premises solution that eliminates the risk of shared-infrastructure or cloud-based services, utilizes multiple secure protocols including HTTPS, FTP, FTPS and SFTP, includes workforce automation to support compliance, and provides for flexible authentication and encryption. Workspaces also allows IT administrators to retain full control and visibility of the file transfer infrastructure, ensuring the highest levels of security and compliance.

Acuity Adds the NIST Cyber Security Framework to Its STREAM GRC Tool

Last year, the US National Institute of Standards and Technology (NIST) released a framework for ‘Improving Critical Infrastructure Cybersecurity’.

Acuity Risk Management, the governance risk and compliance (GRC) specialist, and provider of the popular STREAM Integrated Risk Manager software solution, recently released this framework as the latest addition to its library of pre-configured content. This new addition is a scalable framework originally developed for use by organizations of all sizes.

Use of the NIST framework will raise awareness and communication levels with stakeholders; this can be further enhanced by making use of the STREAM action management, workflow and report builder functionality, to produce board level and other stakeholder reports.

Implementation of the NIST framework will help prioritize critical activities that relate to cybersecurity, helping to promote cost-effective cyber security risk management within organizations.

The NIST Cyber Security Framework content for STREAM is available as a free download from the Acuity website for users of any of its STREAM subscriber editions, which start at just £295 per year: www.acuityrm.com/store

On-premise Cloud Storage and Sharing Alternative from Linoma Software

Linoma Software recently released GoDrive by GoAnywhere, a secure on-premise Enterprise File Sync and Sharing (EFSS) solution that takes document storage out of the cloud and puts IT administrators back in control.

With GoDrive, files and folders can be easily shared between authorized employees and partners with advanced collaboration features including file revision tracking, commenting, a trash bin, media viewing and synchronization with computers running Windows and OS X.

End-to-end encryption protects sensitive files and, since no data is stored in the cloud, organizations maintain local control to meet compliance requirements. GoDrive combines:
• Familiar tools like drag-n-drop and image previews, allowing employees to quickly and easily adopt GoDrive
• Detailed audit logs giving management and compliance officers the peace of mind that all activity is well documented
• Proven security features of the GoAnywhere Services administrative tools, with the addition of device authorization and remote wipe capabilities

GoDrive has no subscription fees, so organizations currently using traditional private or public cloud services could see considerable cost savings.

The multi-platform software can be installed using an on-site or hosted server and allows for unlimited scalability of storage. Find out more at www.GoAnywhere.com


CipherCloud recently unveiled its inaugural edition of itsGlobal Cloud Data Security Report, the industry’s first globalstudy on cloud data protection challenges and strategies.

The report examines the kinds of data security challengesfacing Global 2000 companies and the steps being taken byorganizations to mitigate these risks in the cloud. NorthAmerican organizations represent 65% of the companies.Approximately 23% of the organizations are European. AsiaPacific (APAC) and Latin American (LATAM) organizationscomprise the remaining 12%.

Security needs include a combination of technology, legal, financial and politicalfactors at play. In Q1 2015, 64% of organizations identify audit / compliance / privacy asa top challenge, 32% name unprotected data in the cloud as a primary concern, 2%cited malware protection for documents, and 2% cited lack of enough secure cloud filesharing solutions.

Key Findings on the State of Cloud Data Protection include:• Across geographies, data encryption (81%) led tokenization (19%) at enterprises with

a cloud security deployment • Of the 12 vertical industries profiled, healthcare (38%) topped finance (25%) as the

leading sector adopting cloud data protection • Healthcare and finance respectively protected 100% of all electronic protected health

information (ePHI) and personally identifiable information (PII)• Of the top four sectors, only Government (9%) favored the use of tokenization

over encryption

Centrify recently announced the industry’s first privileged identity management solution forApache Hadoop-based big data infrastructures, as well as partnerships with big datavendors Cloudera, Hortonworks and MapR Technologies. With Centrify Server Suite 2015,organizations can now leverage its existing Active Directory infrastructure to control access,manage privilege, address auditing requirements and secure machine-to-machinecommunication with, and across, its Hadoop clusters, nodes and services.

The global Hadoop market, powered by the rise in demand for big data analytics, isforecast to grow from $2 billion in 2013 to $50.2 billion by 2020, according to Allied MarketResearch. Hadoop clusters often contain sensitive personally identifiable information (PII)and other highly regulated data, so auditing and controlling user and administrator accessto Hadoop and its underlying server infrastructure is critical to address both security andcompliance requirements for regulations such as SOX, PCI and HIPAA.

Centrify has built new features and compatibility enhancements, including Kerberosnetwork authentication, service account management and Active Directory and Hadoopinteroperability into Centrify Server Suite 2015. These features address these concerns andextend the security capabilities provided by the Hadoop platform vendors to now offerrobust privilege management for Hadoop environments.

Centrify Delivers Industry’s First PrivilegedIdentity Management Solution for Big Data

Locklizard Adds Document Watermarking to Its DRM Browser

Locklizard’s Web Viewer, which enables DRM-protected PDF files to be viewed in a browser without requiring installation of any software, has been updated to include dynamic text and image watermarks. User information is applied when viewing and printing protected PDF documents as an additional security measure to discourage users from sharing printed documents.

Locklizard’s Web Viewer delivers a highly flexible, granular and secure document DRM solution for PDF documents that enables document publishers to control who can view documents, for how long, where and when.

Locklizard is used worldwide by Fortune 1000 companies, governments, small & large publishers, training companies and research institutes, to help prevent unauthorized use and misuse of information. To learn more visit www.locklizard.com

CipherCloud Unveils New Global Cloud Data Security Report

Thycotic Secret Server 8.8 Enhances Privileged Account Security

Thycotic’s newest privileged account management solution, Secret Server 8.8, includes improved support for Secure Shell (SSH) keys, allowing customers with large Linux or UNIX environments or network equipment to more easily control and audit the usage of all of their organization’s privileged account passwords regardless of the platform each user is running. Thycotic Secret Server 8.8 also features revamped support for security-conscious customers using hardware security modules (HSM) to protect encryption keys.

“Thycotic is a reliable and agile partner in identity management,” said Peter Koch, system administrator for Thycotic customer Dataport. “With the latest release of Secret Server, Thycotic supports one of the best ways of storing your key material – a network HSM. The smart interface allows configuration in a matter of minutes.” For more information visit www.thycotic.com

New Barracuda Security Suite Now Shipping From Wick Hill

Now available from Wick Hill is the Barracuda Security Suite, which allows customers to purchase and deploy proven protection across three common threat vectors – email, web browsing, and network perimeters – and independently scale these functions with a purpose-built virtualized platform.

This latest solution is part of Barracuda’s Total Threat Protection initiative, which is aimed at providing powerful, robust protection across multiple threat vectors with simplified management. The Barracuda Security Suite integrates next-generation network and content security – including individual virtual instances of the award-winning Barracuda Firewall, Barracuda Web Filter and Barracuda Spam Firewall – on a single appliance.

Ian Kilpatrick, chairman of Wick Hill Group, commented: “Many early generation UTMs have not been able to scale to defend against today’s threat landscape, neither in capacity nor in throughput. The Barracuda Security Suite delivers a market-leading solution for users looking to upgrade to a cost-effective, high-performance, high-security solution. We have seen considerable interest in the security suite from our channel partners.”

Protect Sensitive Information Before It Gets to the Cloud

Protegrity recently announced the availability of the Protegrity Cloud Gateway to help enterprises adopt software-as-a-service offerings such as Salesforce.com, Box, Gmail, Office365 and Xactly without risking data exposure, impacting business processes or sacrificing SaaS functionality.

Protegrity Cloud Gateway sits between cloud applications and users, replacing sensitive data with flexible, format-preserving tokens or encrypted values before they are sent to the cloud. A gateway server cluster handles the traffic to and from the cloud, while the Protegrity Enterprise Security Administrator (ESA) provides client security teams with central control of policy, protection methods, automated key management, security event alerting, reporting, and auditing.

Protegrity Cloud Gateway offers customization via configuration, stateless architecture, continuous discovery and monitoring, and Protegrity vaultless tokenization. Marty Weiss, Director of Protegrity’s Cloud Security business, commented: “During proof-of-concept tests performed by a client, Protegrity Cloud Gateway was proven to have flexible, empowering performance, be more cost efficient, and able to accomplish many things that the competition was simply not able to do at all or as fast as the Protegrity solution.” For more information go to www.protegrity.com/products-services/protegrity-cloud-gateway
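The gateway pattern described above rests on one operation: swapping a sensitive value for a token that keeps the same format, so the SaaS application still validates and displays it, while the real value never leaves the enterprise. The following is an added illustration of that step, not Protegrity’s code. It uses a simple in-memory vault rather than Protegrity’s vaultless scheme, keeps the first six and last four digits of a card number (a common convention so BIN routing and customer-service lookups keep working), randomizes the rest and re-solves the Luhn check digit so the token passes the same validation the original would. The sample record, the field names and the card number (a standard test number) are all constructed.

```python
"""Format-preserving tokenization of card numbers in outbound records.

Added example (not Protegrity's code): an in-memory token vault plus a
scan-and-replace pass over a record on its way to a SaaS provider, and
the reverse pass for data coming back. Assumptions: 13-19 digit Luhn-valid
numbers are treated as PANs; first six and last four digits are preserved.
"""
import re
import secrets


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for `payload` (the number without its last digit)."""
    total = 0
    # Walk from the rightmost payload digit; that one and every second one is doubled.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return luhn_check_digit(number[:-1]) == number[-1]


class TokenVault:
    """Maps a PAN to a format-preserving token and back (vault-based, in memory)."""

    def __init__(self) -> None:
        self._to_token: dict[str, str] = {}
        self._to_pan: dict[str, str] = {}

    def has_token(self, token: str) -> bool:
        return token in self._to_pan

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        if pan in self._to_token:
            return self._to_token[pan]  # same PAN always yields the same token
        head, tail = pan[:6], pan[-4:]
        free = len(pan) - 10  # digits we are allowed to replace
        while True:
            # Random digits for all but one free position; the last free digit is
            # chosen so the whole token satisfies Luhn with the preserved check digit.
            rnd = "".join(secrets.choice("0123456789") for _ in range(free - 1))
            for fix in "0123456789":
                token = head + rnd + fix + tail
                if luhn_valid(token):
                    break
            if token != pan and token not in self._to_pan:
                self._to_token[pan] = token
                self._to_pan[token] = pan
                return token

    def detokenize(self, token: str) -> str:
        return self._to_pan[token]


# Any 13-19 digit run is a candidate; Luhn filters most order ids and phone numbers,
# but a real gateway would scope this to known fields to avoid false positives.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def protect_outbound(record: dict, vault: TokenVault) -> dict:
    """Replace Luhn-valid card numbers in string fields before the record leaves."""
    def swap(m: re.Match) -> str:
        s = m.group()
        return vault.tokenize(s) if luhn_valid(s) else s
    return {k: PAN_RE.sub(swap, v) if isinstance(v, str) else v for k, v in record.items()}


def reveal_inbound(record: dict, vault: TokenVault) -> dict:
    """Restore real values in a record coming back from the cloud application."""
    def swap(m: re.Match) -> str:
        s = m.group()
        return vault.detokenize(s) if vault.has_token(s) else s
    return {k: PAN_RE.sub(swap, v) if isinstance(v, str) else v for k, v in record.items()}


# Constructed sample record; 4111111111111111 is a well-known test number, not an account.
SAMPLE = {
    "customer": "A. Example",
    "notes": "Paid with card 4111111111111111 on 2015-04-02",
    "phone": "+44 20 7946 0000",
}


def demo() -> tuple[dict, dict]:
    vault = TokenVault()
    sent = protect_outbound(SAMPLE, vault)   # what the SaaS provider receives
    back = reveal_inbound(sent, vault)       # what the user sees on the way back
    return sent, back


if __name__ == "__main__":
    sent, back = demo()
    print("to cloud :", sent["notes"])
    print("restored :", back["notes"])
```

The point to take from the example is where the secret lives: the cloud side only ever holds tokens, so a breach of the provider, or a subpoena served on it, yields digits that validate but map to nothing without the vault on the enterprise side. Vaultless schemes replace the lookup table with a keyed transformation, which removes the vault as a scaling and availability concern but makes key management the thing that has to be protected.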


MARKET ANNOUNCEMENTS

PowerBroker Password Safe 5.5: Advanced Threat Analytics and Simplified SSH Key Management

BeyondTrust, a cybersecurity company dedicated to proactively eliminating data breaches from insider privilege abuse and external hacking attacks, recently released version 5.5 of PowerBroker Password Safe.

PowerBroker Password Safe 5.5 is a solution for automating privileged password and privileged session management.

This new release features:

• Clarity Threat Analytics: Clarity Threat Analytics correlates data from Retina CS Enterprise Vulnerability Management and other third-party vulnerability management solutions, privileged user and account data from PowerBroker for Windows and PowerBroker for UNIX and Linux, and threat data from the PowerBroker Endpoint Protection Platform. With version 5.5, BeyondInsight now supports data feeds from PowerBroker Password Safe, which enables the patent-pending Clarity Threat Analytics engine to analyze privileged password, user and account behavior.

• Simplified SSH Key Management: Between the lack of rotation and the sharing of SSH keys, organizations can lose accountability over their systems, which could leave those systems vulnerable to exploits. In version 5.5, PowerBroker Password Safe can simplify this process by automatically rotating keys according to a defined schedule and enforcing granular access control and workflow to access SSH keys. For companies with few or no tools or processes in place to protect against privilege misuse on tier 1 UNIX and Linux systems, this capability can greatly simplify the management and secure the use of SSH keys for better control, accountability and security.

BeyondTrust is hosting daily demos at Infosecurity Europe 2015, Stand F145.
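The two failure modes the announcement names, keys shared between accounts and keys that are never rotated, are exactly what an SSH key audit has to surface before any rotation schedule can be enforced. The following is an added example, not BeyondTrust’s code, that parses a constructed authorized_keys inventory, computes OpenSSH-style SHA256 fingerprints, and flags a key that appears under more than one account, a key older than the rotation window, and a key with no record of who issued it. The hosts, accounts, key blobs and rotation dates are all made up for the example; the blobs are base64 stand-ins, not real public keys.

```python
"""Audit an SSH authorized_keys inventory for shared and unrotated keys.

Added example (not BeyondTrust's code). Assumptions: the inventory is a
mapping of (host, account) to the text of that account's authorized_keys
file, and a rotation register records when each key (by fingerprint) was
last issued. Key blobs below are constructed placeholders, not real keys.
"""
import base64
import hashlib
import re
from collections import defaultdict
from datetime import date

# Key type, base64 blob, optional comment; anything before the type is options.
KEY_RE = re.compile(
    r"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)(?:\s+(\S.*))?"
)


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list[dict]:
    """Return one dict per key line with type, fingerprint, comment and options."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            continue  # malformed line; a production audit would report it
        ktype, blob, comment = m.groups()
        entries.append({
            "type": ktype,
            "fp": fingerprint(blob),
            "comment": comment or "",
            "options": line[: m.start()].strip(),  # e.g. from="..." restrictions
        })
    return entries


def audit(inventory: dict, rotation_register: dict, today: date,
          max_age_days: int = 90) -> list[tuple[str, str, str]]:
    """Return (severity, fingerprint, message) findings for the inventory."""
    placements: dict[str, set[str]] = defaultdict(set)
    for (host, account), text in inventory.items():
        for e in parse_authorized_keys(text):
            placements[e["fp"]].add(f"{account}@{host}")

    findings = []
    for fp, where in sorted(placements.items()):
        if len(where) > 1:  # one key, several accounts: no accountability
            findings.append(("HIGH", fp,
                             f"shared by {len(where)} accounts: {', '.join(sorted(where))}"))
        rotated = rotation_register.get(fp)
        if rotated is None:  # nobody issued it through the managed process
            findings.append(("MEDIUM", fp, "not in rotation register (unknown provenance)"))
        elif (today - rotated).days > max_age_days:
            age = (today - rotated).days
            findings.append(("MEDIUM", fp, f"last rotated {rotated.isoformat()}, {age} days ago"))
    return findings


def _blob(label: str) -> str:
    """Constructed stand-in for a public-key blob; NOT a real key."""
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519" + label.encode()).decode()


# Constructed inventory: three hosts/accounts, three keys.
KEY_A, KEY_B, KEY_C = _blob("deploy"), _blob("alice"), _blob("legacy")
INVENTORY = {
    ("db01", "root"): f"ssh-ed25519 {KEY_A} deploy\nssh-ed25519 {KEY_B} alice@laptop\n",
    ("web01", "root"): f'from="10.0.0.5" ssh-ed25519 {KEY_A} deploy\n',
    ("web01", "app"): f"# app service account\nssh-ed25519 {KEY_C} legacy-2013\n",
}
# Constructed register: KEY_C was never issued through the managed process.
ROTATION_REGISTER = {
    fingerprint(KEY_A): date(2015, 3, 1),
    fingerprint(KEY_B): date(2015, 4, 20),
}


def run_audit() -> list[tuple[str, str, str]]:
    return audit(INVENTORY, ROTATION_REGISTER, today=date(2015, 6, 2))


if __name__ == "__main__":
    for severity, fp, msg in run_audit():
        print(f"{severity:6} {fp} {msg}")
```

Run against the constructed data on 2 June 2015 with a 90-day window, the audit reports the deploy key as shared across two root accounts and as 93 days old, and the legacy key as having no register entry; alice’s key is clean. In a real estate the inventory would be collected from the hosts and the register fed from the key-issuing workflow, and the audit would run on the same schedule as rotation so that every key either has a single owner and a recent issue date or a finding.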


OPINION

Decoupling Encryption: Building Bridges Between CISO and CTO

Data encryption is ever more important; indeed, it is demanded by regulators. As Certes Networks’ Paul German explains, it is only by decoupling encryption from its current ‘add-on’ role that the needs of both CTO and CISO can, finally, be addressed

Data encryption is the gold standard for corporate security. Yet for most organizations, data in motion remains the big corporate conundrum. With the rise of mobile devices and changing working practices, more data than ever is flowing within and outside organizations, and unencrypted data is becoming a major security concern.

The problem, however, is not one of understanding; 51% of organizations want to use encryption to secure sensitive data traffic, but can’t, according to Spiceworks’ Global IT Manager Survey. The problem is that the industry continues to ask businesses to make a compromise by bundling encryption into other parts of the security or networking infrastructure.

For the CISO, under huge pressure from standards bodies such as PCI and ISO, the key requirement is to lock down the network and encrypt all data in motion. For the CTO, tasked with implementing this strategy, while the need to improve security and avoid any breach makes perfect sense, the priority is to deliver a high-performance network and application infrastructure. These two mandates are in direct opposition and lead to conflict that is thorny to resolve.

Escalating Risk

Facing the reality of a potential 75% drop in network performance as a result of turning on encryption within the firewall, router or switch, most CTOs have no option but to renege on the encryption commitment, leaving the CISO powerless and the organization at risk of serious breach.

However committed to the concept of a secure infrastructure, as soon as any user complains about slow throughput or application access problems, the IT team’s immediate response is to switch off encryption and deliver a hike in performance. Furthermore, the problem with traditional data-in-motion security is not only the impact on the performance of network devices and applications. The CTO also faces a big resource drain – it can take hours to configure a new site, and device-level encryption is both easy to misconfigure and hard to monitor and audit.

The issue for both CISO and CTO is being compounded by the rise in BYOD, remote access and cloud-based applications. The use of personal devices and access to externally hosted applications continues to grow – yet the CTO cannot deliver the security required in line with the CISO’s requirements. The result is shadow IT.

Flawed Model

This whole problem is due to the security industry’s persistence in expecting network devices such as firewalls and routers to double up and deliver encryption. For a firewall, encryption is a hobby, not its main purpose; this approach is simply not adequate for today’s threat landscape. For the defense-in-depth model to truly work effectively, organizations need to decouple encryption and deploy dedicated devices designed specifically for this purpose. In addition to avoiding any degradation in network performance, dedicated data-in-motion solutions offer a single point of control, removing the complex, time-consuming configuration and management overhead.

With one central point of control, responsibility for encryption no longer lies with the IT team but can be handled by the CISO. The process is not only transparent to the essential network equipment, but with user-specific encryption, control is, finally, back in the hands of the person with a mandate to protect the business.

Today, the fact that CISOs have the responsibility for protecting sensitive data in motion but no control over the implementation of those controls is clearly flawed. But the need for truly effective encryption has never been greater. It is only by decoupling encryption that an organization can maintain network performance and, critically, enable the CISO to realize the gold-standard security vision.

AUTHOR PROFILE

Paul German is VP EMEA of Certes Networks. He has spent more than 18 years in the industry, gaining a broad experience from roles at Sipera Systems, Cisco, Siemens Network Systems and Lehman Brothers.


Slack Space

Car Washes LOVE Facebook

The internet of things (IoT) has gotten buzzier and buzzier as hundreds of heretofore deaf and dumb consumer devices start to come online. But connected things expand the attack surface to entirely new concerns – insecure refrigerators that spy, watches that track, cars that can murder and, drumroll… automated car wash equipment that can post to Facebook.

Independent researcher Billy Rios (formerly of the Google security team) has found that running your car through the wash after a fill-up at the gas station can have consequences.

In the course of an IoT analysis, he found car wash equipment out there running a version of Windows CE on an ARM processor (just like a smartphone), with Telnet enabled and a default five-character password and default username.

“If you know that default username and default password you can do a lot of interesting things,” Rios said during the Kaspersky Lab Security Analyst Summit. “Your car wash can send you emails and yes, your car wash is on Facebook, too.”

Car washes can freak out their patrons with social media shout-outs including license plate pics, let’s say. Or, taken over by the wrong people, car washes could be used to wreak basic prank-related mischief, like changing the type of wash being given or offering a double dose of Turtle Wax. Will #RainyDaysSuck become a trending topic?

However, Rios noted that hackers can carry out more serious damage. For instance, an attacker could disable the safety sensors on the back and front doors of the wash bay, which prevent them from coming down on a person or vehicle.

For the car wash industry though, cybersecurity isn’t a main focus.

“Remote access changes your threat model. But to be honest, I don’t think we can trust the makers,” Rios said. “The people who made that car wash won’t understand any of the things we just talked about, like SQL injection or buffer overflows. We’re going to see this in other IoT places as well.”

Pay-by-Selfie: It’s a Thing

Alibaba has a mobile payments idea for the Kardashian age: why not use selfies for payment processing?

Jack Ma, the founder and executive chairman of the Chinese e-commerce behemoth, debuted the idea at CeBIT. Onstage, he demonstrated the function by scanning his face and, via mobile facial recognition, using the scan as a digital signature to purchase a German stamp online.

The service, called ‘Smile to Pay’, is currently in beta mode, and will be incorporated into the company’s Alipay Wallet NFC service in China, with other markets likely to follow. For now, Apple Pay and Google with Google Wallet – both of which use tap-and-pay mechanisms – dominate the mobile payments arena in the West, which has been projected to reach $16.25bn by 2022.

It’s unclear whether it would be used as an extra layer of security or as a standalone authentication mechanism – if it’s the latter, there are, of course, serious security concerns. Facial recognition has been fooled in the past by simply holding up photographs of the user, or with animated gifs.

But, arguably, it’s more secure than simply requiring the verification code on the back of a credit card when buying stuff online or a signature in-store. But, a PIN may still be the safest way to go.

Selfies may now have a purpose beyond vanity

Kill-switch, Engage

USB drives are notorious for acting as modern-day Trojan horses for malware and viruses. But a Russian blogger known as Dark Purple has created a different kind of doomsday weapon – a thumb drive that will literally fry a computer’s circuit board with a high-voltage surge.

“The device is designed to pull in power from USB ports using a DC-to-DC converter until it reaches negative 100 volts, at which point the power is pushed back into the computer to overload its components,” reported ESET researcher Kyle Ellison. “This process is run on a loop so that everything possible is broken down.”

Goodbye forever, CPU.

ESET noted that Dark Purple is said to have come up with the idea after reading about a case where someone stole a USB drive from a friend’s backpack, only to have half of his laptop ‘burnt down’ when he inserted the device.

Feeling entrepreneurial, the blogger then developed the idea himself, ordered the circuit boards in China, and made a prototype.

The takers for this kind of thing are myriad, from disgruntled employees to sociopathic high school kids, to spies out there in the field. Obviously, to avoid a meltdown, know your thumb drive before you use it, and try to avoid sharing them.

Anyone who wants to share their grumbles, groans, tip-offs and gossip with the author of Slack Space should [email protected]

Parting Shots

Mike Hine, Deputy Editor
@InfosecDepEd

Events and conferences come thick and fast in the security industry, and it’s sometimes hard to find time to sit and reflect on each one. Add white papers, webinars, and roundtables to the equation, and it’s easy to end up with a head-spinning amount of security information, daily.

Many people in this field get used to life on the road, or in the air, traveling far and wide on the speaking circuit to spread the security gospel, and meet with like-minded professionals all over the globe. Then there are the infosec practitioners, who take time out of pressured schedules to join the congregation, attending conferences and virtual events in a bid to expand their understanding and industry knowledge, with the aim of making their organizations – and the world at large – a safer place to conduct online activity.

But with many events offering a slew of different conference sessions and tracks, sometimes it’s easy to come away feeling bludgeoned by knowledge. There are so many dedicated and impassioned speakers delivering razor-sharp insight into all facets of this diverse industry that the glut of quality information can feel overwhelming. The question is: how to step back and focus on the key actionables for you, the individual, who attends events with the hope of bolstering your security intel arsenal?

In a sense this is analogous with some of the concepts of ‘threat intelligence’ – eradicating the noise on your network to help you establish the security incidents and events that matter: hearing the vital message amid the cacophony, or, to use the old cliché, finding the needle in the haystack.

A theme across security is that incident responders and network defenders don’t have enough time to deal with everything; they have to prioritize. If you can identify sophisticated actors carrying out attacks and spend time firefighting that, and not spend your day tackling nuisance and untargeted malware, you’ll be running a more effective security operation.

Prioritizing intelligence is also integral if you’re going to keep up-to-date with the constantly mutating landscape of threats – both to your organization and those facing the world at large. Just as security professionals seek to spend less time sifting through false alarms and get to the nugget of information that will help them stop a catastrophic event on the network, they also need to cut through the noise that the industry generates to make sure that they’re getting the right insight in their ongoing quest to become the best security practitioners possible.

Identifying what information is worth taking the time to assimilate is hard. There are innumerable magazine articles, white papers, independent and vendor blogs, research reports, government bills, intel-sharing forums, conference speaker sessions, webinars and more. Each of these could provide the epiphany you need to drive forward your security ambitions.

An additional challenge in keeping track of the security industry’s direction is that all too often its various components seem to operate in silos. Government, private sector and the security community all have a role to play and a message to communicate, but trust between each isn’t always optimal. So when a government makes an announcement, like the recent Protecting Cyber Networks and National Cybersecurity Protection Advancement acts in the US, the instinctive response from much of the security industry is skeptical at best – and this drives a whole debate that can be both engrossing and distracting.

Consider too the ‘white noise’ that sellers of security products produce. Many technologies are marketed as the miracle pill to cure all ailments, and practitioners are confronted with a number of buzzwords and passing trends that can be misleading. Endpoint security is the holy writ one year; then it’s incident response; once it was the perimeter. All these things have their place, but the promotion of one above the other through noisy marketing and pitching can often distract from the fact that so many security incidents are easily avoidable. It’s education and a sound understanding of infrastructure that form the bedrock of security.

So if you’re reading this at Infosecurity Europe or another event, and you’re wondering how to make the most of all the intel and information being served up, consider what really matters to you. What do you need to know to become a better security professional? The conversations that will make a difference are the ones that buck the silo mentality trend. A discussion that takes place in an echo chamber – security crowing to security about a certain product or technique to prioritize – won’t deliver long-term action points.

Find the conversations that look outwards, that aspire to push the industry in a new, more open direction, and that build bridges between sectors. Then, when the dust settles, you may have that nugget of information you need to drive your security practice to the next level.


You can’t put a price on high-quality education

REGISTER for the world’s biggest free Infosecurity Education Programme! www.infosecurityeurope.com

• Access to the experts and industry leaders
• Learn from inspirational speakers
• Network, share, collaborate and build relationships
• Discover new and innovative security solutions
• Earn CPD and CPE credits by attending the free education programme


02-04 June 2015 Olympia London

Intelligent security: Protect. Detect. Respond. Recover.


CELEBRATING 20 YEARS


Engage with Infosecurity Europe on Twitter: @infosecurity #infosec15

REGISTER FREE NOW