The A-Z of cyber security
A plain English guide to online risk and resilience

IN PARTNERSHIP WITH AVATU

Time to stop playing Russian roulette
These are the five simple questions you should be asking to demystify cyber security and protect your business (and career), writes Joe Jouhal

Four pieces of enlightening news landed on my desk on the same day recently. First, there was a story in the Financial Times, quoting the new chairman of the Institute of Directors, Lady Barbara Judge, saying that cyber security is so overwhelming to boards that their reaction is to file it in the "too difficult" category (her words, not mine) rather than tackle the issue head-on.
Then there came research from Marsh, the global insurance broking and risk management firm, which showed that many UK companies are failing to assess their customers and trading partners for cyber risk adequately, and are more vulnerable to cyber attacks themselves as a result.
Third was a story from the Telegraph which highlighted that the average cost of a cyber attack is now £1.46m a year.
And last of all came news from the United States, that the head of the government's personnel office had abruptly resigned because hackers had stolen the sensitive information of some 21 million employees, including bank account details, health reports and even security clearance assessments.
It was a big news day for information security. But what struck me most was that collectively it painted a picture of a serious and expensive problem, which was being dealt with ineffectively.

By not facing up to the changing world, leaders are playing Russian roulette with their company's success, and the future of their careers. Boards and chief officers need to understand that cyber security is no more than a complicated business risk. And executives can choose to be a victim (and leave the challenge in the "too difficult" tray) or go on the offensive.
Leaders are playing a risky game with company and career alike
In my experience, leaders of the most successful, growing companies usually tackle challenges squarely, rather than passively wait to deal with the consequences.
The issue does not have to be complicated or confusing. It can start with some very simple questions, such as those below.
Questions that chief officers and boards should be asking about information security
1. Do we know if we've ever been breached? Companies often don't know they've had a data leak until long after it has happened. There are advanced detection systems that can do this as part of a layered information security monitoring system.
2. Where is our most sensitive, potentially damaging and most valuable information? All of it, every piece of it, every copy (this could be customer information, staff records, IP, financial information, business plans, emails between executives and much more). Who has access to it? What special arrangements do we have to protect it within our systems?
3. How do we protect our sensitive data when it's outside our perimeter? How do we stop it being seen or shared with unauthorised people?
4. These days most of us use more than one device for work. How do we protect all of these end-points? Are they a potential weak point of access to our systems and data?
5. Do we have insurance to make us more risk-aware and more prepared to mitigate the risk?
There are tools, technology and practices to mitigate all these issues. And facing this information security challenge head-on demonstrates stronger leadership, strengthens a business's resilience and protects chief officers' current roles and future job prospects.
Joe Jouhal is managing director at Avatu, the information security specialists
Join a one-day seminar free to New Statesman readers, see page 13.

2 | NEW STATESMAN | 18-24 SEPTEMBER 2015


IN PARTNERSHIP WITH ENCRIPTION

First line of attack and weakest defence
What level of investment is needed for the UK to deal effectively with a rapidly expanding global cyber-threat landscape?

The threats posed by cyber breaches to the UK government, critical national infrastructure, financial institutions and all levels of corporate entities within our sovereign shores are irrefutable. Yet while the agenda regarding the skills gap is never more relevant to the UK than at present, too little is being done to reduce our risk of a cyber attack by increased training and awareness.
Several schemes have been created in recent years to address what is perceived as the cyber skills gap. However, these schemes, and government policies, only focus on the two realms of attack and recovery. Certification available today either develops simulated attack expertise, intended to identify weakness, or recovery expertise, designed to recover from or investigate an attack. Both of these strategies are fine and play an important role in shoring up our defences, but the cyber skills gap is bigger than this.
When we ask why computer systems are vulnerable we can identify two main areas of weakness: the software developers and the computer users. Not enough is being done to enhance the skills of the software developers to better defend against cyber attack, and too little is being done to upskill the computer users to identify socially based and other attacks aimed at gaining user credentials and other sensitive information, which can be used in a cyber attack.


Government policies are mandating IT security health checks and simulated attacks on a regular basis; however, little to no security quality checking is being carried out on the software solutions prior to procurement. There is no certification path for software developers to identify that they have been trained in the discipline of secure coding.
In part, this issue is a cultural one. Software companies are looking to ship software within a defined project development life cycle in order to meet customer demands and to remain profitable. With the ever increasing number of software platforms, developer companies now need to ship their products to Apple, Linux, multiple Windows platforms and a vast variety of mobile phones and, more recently, wearable devices; not to mention the advent of the Internet of Things.
Studies have been conducted into the overheads created when consciously creating secure code using an established secure development life cycle, and surprisingly it is as little as 14 per cent additional resource. However, 14 per cent additional resource to the bottom line of any business is unpalatable.
It is clear that focus on providing the next generation of software developers with a clear understanding of security and how their work may be attacked and abused will prevent a large number of attacks from occurring in the first instance.

The computer users are the first line of attack and generally the weakest defence. They must be made aware of the threats and educated in how to respond to them and defend against them. At the very least this should be a standard part of any induction programme and should be refreshed frequently. Why not introduce formal certifications that lead to a licence to operate, a little like the driving licence theory and practical tests? Organisations, both large and small, need to invest more in educating staff in cyber security and it must be an ongoing process.
Established in 2006, Encription is a UK and Ireland-based IT security specialist company delivering services worldwide to a diverse client base, including the UK central government, the Ministry of Defence, police, fire and rescue services, financial institutions, professional service companies, manufacturers, small, medium-sized and large businesses, and charities. With experienced consultants at your disposal, Encription is able to meet your IT security needs, no matter how simple or complex, including penetration testing in all disciplines, advanced research, digital forensics at evidential standard and training.
We are ISO 27001 and ISO 9001 certified and also CESG CHECK, TigerScheme and CyberScheme members. Contact us on +44 (0)330 100 2345, or at: encription.co.uk

CONTENTS
New Statesman
2nd Floor
71-73 Carter Lane
London EC4V 5EQ
Tel 020 7936 6400
Subscription inquiries,
reprints and
syndication rights:
Stephen Brasher
sbrasher@newstatesman.co.uk
0800 731 8496
Supplement Editor
Jon Bernstein
Design and Production
Leon Parks
Graphics
Leon Parks
Sub-Editor
Prudence Hone
Account Manager
Penny Gonshaw
+44 (0)20 3096 2269

COVER: SHUTTERSTOCK/DESIGN BY LEON PARKS

Commercial Director
Peter Coombs
+44 (0)20 3096 2267

First published as
a supplement to the
New Statesman of
18-24 September 2015.
New Statesman
Ltd. All rights
reserved. Registered
as a newspaper in the
UK and USA.
The paper in this
magazine originates
from timber that is
sourced from sustainable
forests, responsibly
managed to strict
environmental, social
and economic standards.
The manufacturing
mills have both FSC and
PEFC certification and also
ISO9001 and ISO14001
accreditation.


Countering the threat


Between the day when this supplement was conceived and the moment it was sent to press, the name Ashley Madison, the dating site that facilitates extramarital affairs, was added to the hall of cyber security shame. Hackers stole personal details of 37 million members of the morally ambiguous website, causing embarrassment and ignominy.
The US government's Office of Personnel Management is another recent inductee to the hall of shame, victim of a hack attack that resulted in 21.5 million federal employee records being stolen. There have been many others; and there will probably be more between printing and distribution, and then distribution and reading.
Perhaps that makes 32 pages devoted to cyber security especially timely but, in truth, it would have been timely at any point in the past two decades.
Cyber security is a complex concept, not least because it acts as an umbrella term to cover an array of threats as well as methods to address those threats.
Countering the challenge falls into three broad categories: threat management (keeping the bad guys out); security information management; and identity and access management (locking the front, back and side doors).
As for the threats themselves, the terminology can be baffling. Working on the assumption that many people don't know their APTs from their DoS or their malware from their zero-day attacks, the centrepiece of this supplement is an A-Z of cyber security terms (see page four).
Cyber security is complex for at least another three reasons. First, a security breach is just as likely to be the result of the actions of an internal member of staff (sometimes deliberate, often accidental) as it is the effect of external actors. Consider this: three-quarters of the security breaches that affected large UK companies last year were the result, at least in part, of employee-related activity (see page 31).
Second, given cyber security is now a multibillion-dollar products and services industry, the sceptical response is to suggest that some unscrupulous suppliers trade on people's fears. That assertion is robustly addressed by four security experts (see page 20).
And third, as one of those experts, Mark Brown from EY, acknowledges, 100 per cent security is a futile concept. What is needed instead is best endeavours. That requires informed decision-making. It's time to start reading.

This supplement, and other policy reports, can be downloaded from the NS website at:
newstatesman.com/page/supplements
4 A-Z of cyber security
U is for . . . understanding. Unravelling the code from advanced persistent threats to zero days
20 View from the experts
Total security is a futile concept. Where does the biggest threat lie?
31 Facts and Figures
Security breaches by numbers. How UK businesses, big and small, are coping with cyber threats

A-Z OF CYBER SECURITY

U is for . . . understanding
Cyber security comes with a language all of its own, often opaque and replete with acronyms. With some expert help, we unravel the code, from advanced persistent threat to zero days

A is for advanced persistent threat
An APT is an attack carried out by an adversary that targets and exploits individuals instead of computers and operating systems. Its intent is to be stealthy, targeted and data-focused. Typically an APT targets individuals in an organisation. The adversary performs extensive reconnaissance and then sends a targeted piece of information such as a web-link or email to trick the user into opening up vulnerabilities. From this breach, the adversary uses the compromised system as a pivot point into the organisation's network.
The trick in dealing with APTs is recognising that prevention is ideal but detection is a must. Organisations will get compromised by APTs. The goal is to minimise the frequency and impact of this by controlling where the adversary can get to in the network and how much damage it can perform.
Here are things you can do to limit the impact of an APT:
1. Content-filtering and examination of behavioural anomalies.
2. Create highly segmented networks to prevent lateral movement.
3. Monitor outbound traffic for the attacker's command and control channels.
Eric Cole is a faculty fellow and course author at the SANS Institute
A is also for authorisation, active attack and anti-virus software

B is for biometrics
Biometrics refers to authentication tools and technologies such as facial recognition, fingerprinting and retina-scanning. With traditional password-based security features increasingly hacked by cyber criminals, biometrics are becoming popular as they can be a much harder target for hackers.
Biometrics are more difficult to hack but should not be seen as a replacement for password technology. Whether it's voice recognition or fingerprint technology, biometrics do solve some of the flaws inherent in modern password systems, but they also bring a different set of challenges. For example, fingerprints can be reproduced; some prints are stronger than others; and changes in the physical appearance of the user can throw off the results in facial recognition.
Used together, passwords and biometrics provide a stronger form of protection. One serves as a backup for the other, raising the barrier further for unauthorised users attempting to gain access and hack a system. For example, security tools that incorporate multi-factor authentication, including encryption, alongside biometric fingerprint technology and typical password security can ensure that devices are covered at all bases.
Nicholas Banks is a vice-president of IronKey by Imation
B is also for bot, backdoor, boundary protection and BYOD

C is for cloud computing
As defined by Gartner, cloud computing is a style of computing in which scalable and elastic IT-enabled capabilities are delivered as a service using internet technologies. In other words, cloud


E is for encryption: the process is at once intellectually simple and morally complex

IN PARTNERSHIP WITH TRUSTED MANAGEMENT

Why infosec is the great enabler
Just as a car's brakes take the risk out of driving, so information security makes business possible, writes Peter Wenham

Information security (infosec or just security) often gets a bad press and is often seen in a negative light. Why is this? Is it the influence of sensationalism in the media about the bad guys getting heaps of credit-card data? Or is the coverage causing fatigue because the messages are seen as being overhyped and in a sense that it's not happened here yet? Is it that the costs associated with infosec are seen as coming off the bottom line, with no apparent benefit? Perhaps an expensive infosec project failed or costs spiralled.
Whatever the reason, infosec needs to be better understood. It is, after all, a business enabler, but can we demonstrate that? A good analogy is to ask why cars are built with brakes. Ask an audience, and the majority answer will be "because it stops the car". The real reason is that the brakes enable the car to be driven. In other words, they take the risk out of actually driving the car at speed, because brakes are used to slow or stop the car.
We can extend the analogy by comparing a Formula 1 racing car's brakes to a family car's brakes. Fit a family car's brakes into an F1 car and they will fail before the F1 car completes its first circuit. The quality of the brakes, or control, is proportionate to the risk. An F1 car needs far better brakes than those fitted to a family car, due to higher speeds, acceleration and deceleration rates.

What is infosec actually doing in an organisation? It is protecting company data, be it intellectual property, finance and HR records or customer data. And each data type has a value. For example, sales and marketing information is of value to rivals planning to make a hostile bid. According to the data/information value, we can identify the threats, threat sources and business exposures.
By identifying the threats, sources and exposures, a set of general controls governing access to any data set and the processing it can be subject to can be determined.
So who owns infosec? In many organisations infosec is thrown lock, stock and barrel over the fence to the IT group, but they are the wrong people. While IT can devise, implement and manage technical controls in support of identified threats, it is the core business that understands what the organisation does and the threats and exposures.
The business owns the information that drives an organisation. Information and the data it is derived from can and must be owned by only one person for due diligence, auditability and legal/regulatory reasons. Hence the HR director (or equivalent) will own HR data, the finance director owns finance data and so on.
What does owning the data mean? It means saying who can access data and for what purpose. Just because a person is the MD, CEO or director does not mean that he or she should have access to all the company data. Information should be restricted on a need-to-know basis.
Nevertheless, care is needed in this area, to ensure this principle is not overly strict. Generally directors in large organisations cannot have hands-on decision making for all the data under their control, so any decision making regarding access and use will be devolved down in their organisations; but in the end they set the policy and retain overall responsibility.
In summary, you will have come to realise that for any specific informational area such as HR, the business has identified the value of the information (public, company internal, sensitive and so on) and who (or which groups) can access the information and what they can do to it (create, delete, edit, copy, transmit and so on).
This is the information necessary to build a sane and sensible infosec strategy for a company that an IT department can take and turn into usable technical controls and an HR department can turn into user policies.
Peter Wenham is the director of Trusted Management, specialists in information assurance
To find out more, visit: trusted-management.com


D is for denial of service
A denial of service (DoS) is a type of cyber attack that aims to overwhelm a website or cloud service so that it cannot function or accept legitimate requests from other internet users.
To perpetrate this attack, cyber criminals will stealthily install software, often on the PCs of unsuspecting home users, that on command can generate spurious traffic directed at the victim's website. These botnets can include tens of thousands of PCs and are referred to as a distributed denial of service (DDoS) attack.
Imagine a telephone switchboard with a total of eight available phone lines. If attackers keep calling, never giving a chance for a line to be freed, then the switchboard can never answer a legitimate call.
DoS attacks are often used by groups with a grievance against a particular brand or political issue, and can be a smokescreen to confuse the target while other more sophisticated attacks take place.
DoS attacks can be mitigated by countermeasures such as certain types of application traffic-management devices that can be configured to identify and discard traffic that appears to be coming from a botnet. There are also third-party services that act as a type of clearing house for web traffic that can counteract DoS attacks.
Stephen Sims is a course author and senior instructor at the SANS Institute
D is also for decryption and data breach
A movie about the North Korean leader Kim Jong-un triggered cyber attacks on the film company

computing enables companies to tap in to extended resources situated anywhere in the world, creating efficiencies and scale and allowing users to pay for services as they are used.
While the cloud brings a host of financial and business benefits, it also brings risks in the form of cyber theft, accidental data leaks and privacy fines. As sensitive information is of enormous value to criminals, cloud defence is imperative for businesses that hold such data.
A logical starting point is to identify all cloud applications in use, classify the types of data they hold and assess the risk level of each app. This then helps firms to map the appropriate security controls to protect data, such as through encryption, tokenisation and data-loss prevention. And finally, organisations should continuously monitor activities to detect and flag up any anomalies in the use of data.
Willy Leichter is the global director for cloud security at CipherCloud
C is also for critical infrastructure, cipher and cryptography

E is for encryption
Encryption is at once intellectually simple and morally complex.
At its most straightforward, it is the act of encoding data, turning plain text into cipher text. Only those with a key or password can decode or decrypt the data, meaning that, in theory at least, sensitive information can pass securely across networks and be stored safely by an individual, business or government.
The strength of the encryption depends on how the technology is applied. Broadly, this happens in two ways: symmetric encryption uses the same key both to encrypt and to decrypt a message, whereas asymmetric encryption uses a different key at the beginning and end of the process. From a security point of view, encryption can be viewed as an unalloyed good thing, but there is also an ethical dimension. Should technology firms provide governments with access to encryption keys in the name of averting terrorism, for example? If they withhold those keys, are they wilfully putting national security at risk? But if they share keys, are they blatantly invading personal privacy?
Jon Bernstein
E is also for event and exploit

F is for Flashback malware attack
The conventional wisdom dictates that Apple-made devices are less prone to


security breaches than Microsoft Windows equivalents. Although a quick flick through the technology press cuttings of the past two decades is likely to bear out this view, the Apple Mac operating system is not impervious to attack.
The Flashback malware attack is one example of when Apple's defences, and those of its OS X operating systems, were breached. Using a form of malware known as a Trojan Horse, it was first detected in 2011. As the term suggests, a Trojan Horse attack is based more on deception than stealth, and Flashback was initially hidden as an Adobe Flash Player plug-in before moving on to exploit vulnerabilities in the Java programming language. The malware drops a small application on to the host computer, allowing a hacker to run malicious code from a remote location.
Why are such attacks effective? First, the malicious intent is hidden behind something mundane and useful, such as a software update. And second, many of those software updates are automated so the victim is a passive participant, oblivious to malicious intent. According to reports at the time, Flashback infected more than 600,000 machines.
Jon Bernstein
F is also for fraud and firewall

G is for gateway crimes
In the world of addiction prevention, the notion of a gateway drug is well understood: a relatively benign narcotic becomes a gateway to harder and more harmful alternatives. Criminality and illegality are important components in the transition. A similar theory can be applied to the criminality that surrounds computer hacking.
According to Andy Archibald, head of the National Crime Agency's cyber crime unit, digital piracy can become a gateway to more serious online crime.
Speaking at the Infosecurity Europe conference in June, Archibald noted that many young people were developing sophisticated digital skills and that it was important that they put those skills to good use and are not tempted, unwittingly, into cyber criminality.
Jon Bernstein
G is also for graduated security

H is for Heartbleed
Heartbleed is the open-source software flaw that affected more than 60 per cent of the internet over a year ago. It allowed access to the private key used by individuals and businesses to encrypt web traffic. In particular, it allowed anyone with the right skills to retrieve data from the memory of a web server without leaving a trace.
Heartbleed served as a long overdue wake-up call for the IT industry; in some IT organisations, the percentage of open-source code used is greater than 25 per cent, meaning there's a lot of open-source code being reused by information technology programmers. While some claimed that open-source code was more secure than in-house-generated code, because millions of eyeballs were looking at it, the reality showed there were still basic flaws in popular software. OpenSSL is arguably one of the most cared-for components in the open-source community, yet that community still completely missed the zero-day vulnerability posed by Heartbleed.
The moral of the Heartbleed story is that while IT may continue to rely on open-source components as it develops applications, IT personnel must check, analyse and measure those components for software quality and security risks.
Lev Lesokhin is an executive vice-president at CAST Software
H is also for honey pot and hot wash

I is for identity management
For practical purposes, an identity is a combination of username and password (you might call it a login, or account) used to access websites such as Facebook, your bank or a favourite internet shopping site.
Between home and work, we have too many identities to keep track of, and most of us add new ones every week. To ease the headache of remembering many complex passwords, we use simple ones, reuse them for various accounts and never change them. This leaves us, and the companies we work for, open to cyber attacks and data breaches.
Identity management generally addresses problems caused by having multiple identities. It defines methods for a user to prove who they claim to be (known as authentication) and, in a corporate environment, it ensures employees have access only to those systems, applications and accounts they need for their job, and that access is updated appropriately as roles change (referred to as authorisation).
Third-party identity management software and services should provide identity and access management across systems, devices and applications, whether in the data centre, cloud or mobile devices.
Bill Mann is the chief product officer at Centrify
I is also for incident, information assurance, intrusion and intellectual property
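The Heartbleed entry above says the flaw let a remote party read web-server memory; the defect behind that was a length field taken on trust. As an added illustration (not from this supplement and not OpenSSL's code), here is a toy heartbeat handler that trusts the declared payload length, beside one that bounds it against the bytes actually received. The simplified wire layout, the constants and the `demo_leak` scenario are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat wire layout assumed for this illustration:
   byte 0     : type, 1 = request, 2 = response
   bytes 1..2 : declared payload length, big-endian
   bytes 3..  : payload, followed by at least 16 bytes of padding */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_PADDING  16

typedef struct {
    size_t reply_len;   /* bytes written to the reply buffer, 0 if rejected */
    int    rejected;    /* 1 if the request was discarded */
} hb_result;

static size_t hb_declared_len(const uint8_t *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Builds the response once a request has been accepted. It copies `declared`
   payload bytes whether or not the record really holds that many. */
static hb_result hb_build_reply(const uint8_t *rec, size_t declared,
                                uint8_t *reply, size_t reply_cap)
{
    hb_result r = {0, 0};
    if (HB_HEADER + declared + HB_PADDING > reply_cap) { r.rejected = 1; return r; }
    reply[0] = HB_RESPONSE;
    reply[1] = rec[1];
    reply[2] = rec[2];
    memcpy(reply + HB_HEADER, rec + HB_HEADER, declared);
    memset(reply + HB_HEADER + declared, 0, HB_PADDING);
    r.reply_len = HB_HEADER + declared + HB_PADDING;
    return r;
}

/* Vulnerable handler: trusts the peer's declared length, so a request that
   announces more payload than it carries makes the copy run past the end of
   the record into neighbouring server memory and echo it back. */
hb_result hb_handle_vulnerable(const uint8_t *rec, size_t rec_len,
                               uint8_t *reply, size_t reply_cap)
{
    hb_result r = {0, 1};
    if (rec_len < HB_HEADER || rec[0] != HB_REQUEST) return r;
    return hb_build_reply(rec, hb_declared_len(rec), reply, reply_cap);
}

/* Fixed handler: header, declared payload and minimum padding must all fit
   inside the bytes that actually arrived, otherwise the request is dropped. */
hb_result hb_handle_fixed(const uint8_t *rec, size_t rec_len,
                          uint8_t *reply, size_t reply_cap)
{
    hb_result r = {0, 1};
    if (rec_len < HB_HEADER || rec[0] != HB_REQUEST) return r;
    size_t declared = hb_declared_len(rec);
    if (HB_HEADER + declared + HB_PADDING > rec_len) return r;   /* the missing check */
    return hb_build_reply(rec, declared, reply, reply_cap);
}

/* Constructed scenario: a 23-byte request that declares a 128-byte payload,
   sitting in a buffer that also holds a secret the peer must never see (on a
   real server: keys, cookies, other users' data). The buffer is sized so the
   over-read stays inside it and the demonstration is well defined.
   Returns 1 when the vulnerable handler leaks the secret and the fixed one refuses. */
int demo_leak(void)
{
    static const char secret[] = "SECRET-KEY-MATERIAL";
    uint8_t arena[256];
    uint8_t reply[512];
    memset(arena, 0, sizeof arena);

    arena[0] = HB_REQUEST;
    arena[1] = 0x00; arena[2] = 0x80;               /* declares 128 payload bytes */
    memcpy(arena + HB_HEADER, "ping", 4);            /* only 4 are really sent */
    size_t rec_len = HB_HEADER + 4 + HB_PADDING;     /* 23 bytes on the wire */
    memcpy(arena + rec_len, secret, sizeof secret - 1);

    hb_result v = hb_handle_vulnerable(arena, rec_len, reply, sizeof reply);
    /* The copy maps arena+3 to reply+3, so the secret at arena offset 23
       lands at reply offset 23. */
    int leaked = v.reply_len == HB_HEADER + 128 + HB_PADDING &&
                 memcmp(reply + rec_len, secret, sizeof secret - 1) == 0;

    hb_result f = hb_handle_fixed(arena, rec_len, reply, sizeof reply);
    return leaked && f.rejected && f.reply_len == 0;
}

int main(void)
{
    printf("vulnerable handler leaks and fixed handler refuses: %s\n",
           demo_leak() ? "yes" : "no");
    return 0;
}
```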

J is for jamming
Jamming is a technique used by


IN PARTNERSHIP WITH SAFEONLINE

Threat and the innovation dilemma
New aircraft technology, designed to enhance safety, gives hackers a fresh target, warns Jack Elliott-Frey

ven though there are an estimated


100,000 or so flights every day globally, for many people air travel still
retains a large fear factor for the simple
reason that aircraft disasters, although
statistically incredibly rare, still dominate
news headlines when they occur. Regardless that you are more likely to die falling
out of bed (a one in two million chance)
than in a plane crash (a one in 11 million
chance), many people still fear flying.
Unfortunately this article will hardly
help to assuage those fears. As many businesses will know, the increasing threat of
a cyber attack is something that has been
gaining a great deal of media attention in
recent years, and the aviation industry
now finds itself a target for cyber attacks
of various kinds. So is it now possible for
hackers to seize control of an aircraft?
Not yet, but the industry is coming
under sustained attack from a variety of
sources. A security researcher, Chris Roberts, reportedly hacked into an aircraft
flight system to demonstrate its vulnerability, only to tweet about it and subsequently find himself under arrest by the
FBI when he landed.
More recently, LOT, Polands national
airline, had its aircraft grounded following a hack that targeted computers issuing
flight plans at Warsaw airport.
What these examples highlight is the
vulnerability of the aviation industry to

the growing threat of a cyber attack; a direct consequence of the proliferation of


technology within the industry. New
Boeing models are flown with the help of
advanced computer systems, with pilots
ceding aspects of control to technology.
While this has allowed for great strides in
aircraft safety, particularly during landing
and take-off, it has also given hackers and
other cyber criminals a new target.
There are a multitude of attack methods
that pose a threat to airlines. On a ground
level, phishing attacks are a popular
method used by criminals, whereby fake
emails are sent to staff in order to attempt
to retrieve sensitive company information, such as passwords. According to the
Centre for Internet Security (CIS), 75 US
airports were targeted with attacks of this
sort in 2014, highlighting the frequency at
which cyber criminals are operating.
Remote hacking and wifi attacks are another form of attack, with flight control
systems and wifi networks offering a new
means for hackers to compromise an aircrafts command centre. Couple this with
ghost flights, when a hacker inserts or
removes a planes projection on to radar
screens, and there is plenty for the aviation
industry to consider alongside existing
stringent safety measures.
The aviation industry is just one facing up to this new threat, as it becomes
more reliant on technology. Shipping and

ports, rail networks, retail and finance


are just some of the other areas of business that are facing serious cyber threats
as their core business moves online and
relies on increasingly connected networks
to operate.
The aviation industry offers businesses foresight in how to adapt to this threat without compromising on innovation. While the threat of a hacker taking down a flight is unlikely, the potential to disrupt other airport or airline systems and create widespread disruption is higher and could be incredibly damaging to both the economy and passenger confidence. The aviation industry has taken pre-emptive steps, with major airports in the US stress-testing networks and manufacturers such as Boeing investing more in the security of their on-board systems and the code that supports them.
As the famous FBI quote goes, for businesses it is not a matter of "if" you are hacked, but "when". For the aviation industry, and other industries that are becoming hot cyber targets, this is a quote that should certainly not go unheeded.
Jack Elliott-Frey is a broker at Safeonline, a Lloyd's insurance broker based in the City of London, specialising in cyber insurance
To find out more, visit: safeonline.com
attackers to interrupt authorised wireless communication. Jamming techniques fall into one of three categories:
1. By flooding the spectrum using a signal generator.
2. By attacking the transmission collision-avoidance protocols to prevent other stations from transmitting.
3. By exploiting a vulnerability in the protocols that process transmissions.
While the blocking or disrupting of the authorised transmissions may be the end goal, jamming techniques are often deployed as a smokescreen to hide other attacks. In this case, the communications being attacked are often detection or alerting capabilities.
It is impossible to stop the impact of all forms of jamming because of the shared nature of all radio-spectrum communications. The best advice is to set up an alternative communication path that can be used if a device is impacted by jamming.
Steve Armstrong is a certied instructor
at the SANS Institute
J is also for joint authorisation

K is for Kim Jong-un
Unwittingly or otherwise, the leader of North Korea is intimately connected to one of the biggest, most commercially embarrassing and politically contentious data breaches of all time. In November 2014, Sony Pictures Entertainment fell victim to a massive leak of sensitive information (more than 100 terabytes of data, the assailants claimed) ranging from internal emails and employee salaries to details of yet-to-be-announced movie projects. A group called the Guardians of Peace claimed responsibility and threatened further disclosures unless Sony cancelled one of its forthcoming movies.
The film in question was a comedy called The Interview, about a plot to assassinate Kim Jong-un. Sony didn't cancel and the leaks kept on coming. The United States government blamed North Korea, believing Guardians of Peace to be a proxy in an act of state-sponsored cyber crime. Samantha Power, US ambassador to the United Nations, described the Sony hack as both "absurd" and "exactly the kind of behaviour we have come to expect from North Korea". For its part, the country continues to deny any involvement.
Jon Bernstein
K is also for key and key escrow

L is for licensing
It is one of the key weapons in the ongoing fight against hackers. The importance of licensing to businesses, software providers and intelligent device manufacturers cannot be overstated as we usher in the Internet of Things. Tamper-resistant software licensing should help to reduce the risk of hacking and protect intellectual property, with techniques such as code obfuscation and hacker detection being implemented to help reduce piracy.
The constant struggle to keep a company's software estate correctly licensed and optimised means that firms often seek the advice of specialists who are able to help manage these security, risk and compliance issues in one fell swoop. Failure to license and manage software assets properly will leave businesses open to hefty fines from software publisher audits and invariably leaves them paying significantly more than they should for the technology they use in their business.
Gareth Johnson is the CEO of Crayon
L is also for the law and logic bombs

M is for Melissa
The Melissa virus struck in March 1999, infecting at least 100,000 computers during the first weekend of its release. Its ability to spread quickly was tied to a propagation technique that at the time was highly innovative: Melissa embedded its code inside a Microsoft Word document and emailed itself to 50 individuals from the victim's address book. Once the recipient opened the infected attachment, Melissa would repeat the process to pursue the next set of victims.
Since most security tools allowed incoming email attachments and didn't have signatures for Melissa's files, the virus was able to bypass many anti-virus and firewall defences. Moreover, an element of social engineering increased the likelihood that the victim would open the malicious document. Because the list of message recipients was compiled from the previous victim's address book, the person would recognise the sender's name and, thinking the message came from a friend or colleague, not be cautious about double-clicking the attachment.
The Melissa virus demonstrated how malicious software could spread semi-autonomously by means of difficult-to-control channels such as email and could attach itself to document files that people routinely share.
Variations of these techniques are employed to this day to infect individual and corporate systems worldwide.
Lenny Zeltser is a senior instructor at the SANS Institute
M is also for McAfee (John), malicious code, malware and mobile

N is for network resilience
We all rely on network connectivity in our day-to-day lives, from the mobile networks that keep us in contact with the world to the internet, where we increasingly run our lives. Network resilience ensures that these essential services
IN PARTNERSHIP WITH WYNYARD GROUP

Big data, the future of UK cyber security
Serious crime-fighting requires new tools, argues Paul Stokes

In the past three years we have created more data than was created since the beginning of humanity; data is officially becoming bigger. Data volumes are exploding as the gadgets recording and transmitting data, from smartphones to intelligent fridges, industrial sensors to CCTV cameras, multiply and evolve.
For a business, this vast universe of data could consist of 10,000 devices connected to the network transmitting terabytes of data every day. This means that securing data is more difficult than ever, as cyber threats can now be a virtual needle in a haystack. Companies therefore face a huge challenge in how best to protect themselves against serious threats to their networks. In this age of connectivity, it is no longer a case of if your security can be breached but when.
The question many businesses therefore need to ask themselves is this: which technologies are truly effective at safeguarding their networks?
Cyber security and big data analytics are two sets of technologies that are seen as the top investment opportunities for savvy companies keen to protect themselves against online attacks by organised cyber criminals, syndicates for hire or state actors.
According to a survey by MeriTalk, a US government IT network, cyber threats are now a national emergency in the Americas. The survey went on to say that 86 per cent of government cyber security professionals believe big data analytics is the key to helping improve cyber security.
This is because many organisations currently only possess the ability to protect themselves against previously detected threats and concentrate on endpoint protection. By combining big data analytics with cyber security, companies aim to identify threats before they damage the organisation, enabling rapid activation of cyber defence strategies against operational, financial or reputational damage.
The serious crime-fighting software expert Wynyard Group helps government, financial institutions and critical infrastructure organisations find serious threats in the masses of network data, by leveraging the intersection of big data analytics with cyber security.
According to Wynyard, what companies need is a solution that analyses all of the data that is currently collated but not currently analysed, which will provide organisations with a holistic view of threats to their digital networks and devices, uncovering high-consequence cyber threats. By monitoring the network and identifying what is normal using rigorous analytical algorithms, anomalies are identified and presented to the security operations team for investigation via a powerful analysis component. Providing the ability to identify, explore and interpret the critical information is key to identifying threats.
Businesses can more effectively monitor the security of their network by highlighting the highest-priority threats that lie hidden amid the large volume of data, and feeding these threats directly to the security teams for immediate human investigation.
By identifying the "unknown unknowns" on a network (previously unknown and unusual patterns and anomalies), advance notice of potentially malicious activity is provided, which in turn can quickly be identified and managed by the security team.
The future of cyber security for organisations with data to protect is therefore the understanding that malicious threats against a network are constant, current and increasing in number and complexity. By combining big data analytics with cyber security, companies can arm themselves against this insidious threat by identifying it at source, investigating high-priority threats, and rapidly responding to compromise before irreparable damage is done to the organisation.
Paul Stokes is the chief operating officer for Wynyard
To find out more, visit: wynyardgroup.com

IN PARTNERSHIP WITH AVATU

How safe are your crown jewels?
No business would leave the office front door unguarded, but when it comes to access to their most valuable or sensitive information the door is often left wide open. It makes no sense, says Joe Jouhal, especially as there are new tools and techniques that will help slam the door shut

A few months ago, a chain of Yorkshire tea shops found themselves in the spotlight because someone stole all their customers' information. It's hard to think of a more unlikely target for a hack. But it happened. And Bettys had to apologise to all its customers, review its information security and no doubt spend many thousands of pounds trying to put things right.
This summer, the cyber hacking finger of fate pointed at Carphone Warehouse. Before that, the high-profile hack was the US federal government's HR department; and a while back, the name on all information security lips was Sony . . . and Target . . . and eBay . . . and Home Depot . . . and JPMorgan Chase.
When it comes to information security, there is no typical victim. Anyone and everyone has the potential to enter the firing line. Next week it could be you.

How to protect yourself: start with your crown jewels
Companies today have an overflowing amount of information and multiple routes in to reach it. For many, the challenge is where to start. And our answer is always: begin with your crown jewels.
Step one is to decide what your company's crown jewels look like. What information constitutes the lifeblood of your business? What is secret, sensitive or potentially damaging?
Step two is to find it, all of it (which is trickier than you might think for many companies). Step three is to decide on which layers are needed to keep it safe.
There is no one single policy or piece of technology that will provide total protection, and a layered approach is recommended to business by the government's cyber and information security advisers at GCHQ.
In this unnerving and threatening landscape, we need good old-fashioned perimeter prevention. But we need added layers of protection, detection, mitigation and a plan in place to put things right when they go wrong, too.

Six activities to help protect your crown jewels
1. Make detection part of your strategy
Many organisations have already been breached; they just don't know it yet. And the longer a threat sits within your systems, the more potential there is for damage (as Sony can testify). Detection can be a more expensive option. But if you can't afford to take the risk, it's a step you need to take. Detection systems such as Damballa Failsafe will give you the reassurance that anything that does get through will be dealt with as quickly and efficiently as possible, before it can do unimaginable and devastating damage.
2. Know where your sensitive data is (and protect it)
Many organisations don't know where their most sensitive data is held or who has access to it. This increases the risk, and doesn't allow for proper risk assessment or threat mitigation. Nuix's Information Governance tool can solve this situation.
3. Look after your data when it's inside, and outside, your organisation
Today, in our interconnected world, our


data often has to be shared with people outside our systems. Don't make it easy for hackers and thieves to steal and share it. Information rights management, such as Seclore FileSecure, can allow you total control of your data whether inside or outside your organisation.
4. Review and limit access arrangements
Removing admin rights can mitigate 97 per cent of Microsoft vulnerabilities.
5. Protect the endpoint
Access to company data through many and multiple devices can be a weak point in your security plan. Introducing technology such as Avecto's Defendpoint, which is already used by many banks, government agencies, aerospace companies and Formula 1 teams, will keep your devices secure but still easy to use.
6. Look seriously at insurance
Insurance will lessen the impact financially and will help mitigate cyber risks. It will give a financial cushion to help you deal with the fallout of an attack and encourage best, risk-limiting practices.

Find out more at a one-day seminar for senior professionals
Free to New Statesman readers
Join an Avatu seminar for senior professionals to discover more about the challenges faced by business and the ways in which leaders can put organisations back on the offensive by protecting their crown jewels.
Are you really protecting your crown jewels?
Organisations hold an abundance of information which is essential to their business, but can also bring down chief officers and hit share prices if it gets into the wrong hands (through internet hackers or rogue/careless insiders). But companies do not always understand or appreciate the full extent of the risk, and how they can proactively mitigate it.
This free seminar for senior personnel will:
- Explore the risks from cyber and insider threats
- Discuss some of the proactive solutions to put you back on the front foot
- Hear from chiefs of well-known companies about how they protect their most valuable information, and the lessons they have learned
Date: 22 October 2015
Venue: Institute of Directors, Pall Mall, London SW1
Suitable for: people in senior positions, particularly those in a strategic role, such as MDs, CEOs, CIOs, CISOs, CTOs, IT directors, etc.
Also suitable for: senior people with direct responsibility for information security, information governance, IT or network security, cyber security or risk management.
Joining fee: free to NS readers. Email: cybersecurity@avatu.co.uk or phone: 01296 621 121 to join or to find out more. Quote New Statesman when you book and the event will be free.


A-Z OF CYBER SECURITY

are maintained to an acceptable level whenever there is disruption.
In cyber security, the disruption is typically a service under attack from an unusually high volume of requests, or from incorrect or invalid requests that are expensive to process. This is a denial of service (DoS) attack; when the flood is launched from a large number of compromised systems at once it is a distributed denial of service (DDoS) attack, and because no single source need look busy, it is the aggregate rate rather than any one client that gives it away.
Network and service providers put in place technologies that detect this increase in requests and "scrub" the traffic, dropping the attack traffic while passing legitimate requests, to provide resilience and maintain services. They must also ensure that the applications themselves are not vulnerable to attack, since one request that triggers an expensive operation can do the work of thousands.
Garry Sidaway is a senior vice-president at NTT Com Security
N is also for non-repudiation
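The detection step the entry describes, spotting an increase in requests before scrubbing begins, is shown below as an added example in Go. It is not code from the page or from NTT Com Security, and the log lines, client addresses and thresholds are constructed for the example. The detector keeps a sliding window of request timestamps per client, a second one per client for 4xx responses (the "incorrect or invalid requests" case), and one for the service as a whole; the last of these is what catches a distributed flood in which no single source exceeds its own budget.

```go
package main

import (
	"bufio"
	"sort"
	"strconv"
	"strings"
	"time"
)

// sampleLog is a constructed access log, not taken from any real service:
// RFC 3339 time, client address, quoted request line, status. 203.0.113.7
// browses normally, 198.51.100.9 hammers /search, 192.0.2.44 probes for
// admin pages, and one corrupt line must be skipped by the parser.
const sampleLog = `2015-09-18T10:00:00Z 203.0.113.7 "GET / HTTP/1.1" 200
2015-09-18T10:00:01Z 198.51.100.9 "GET /search?q=a HTTP/1.1" 200
2015-09-18T10:00:01Z 198.51.100.9 "GET /search?q=b HTTP/1.1" 200
2015-09-18T10:00:02Z 198.51.100.9 "GET /search?q=c HTTP/1.1" 200
2015-09-18T10:00:03Z 198.51.100.9 "GET /search?q=d HTTP/1.1" 200
2015-09-18T10:00:03Z 192.0.2.44 "GET /admin HTTP/1.1" 404
2015-09-18T10:00:04Z 192.0.2.44 "GET /wp-login.php HTTP/1.1" 404
2015-09-18T10:00:05Z 192.0.2.44 "GET /.env HTTP/1.1" 404
2015-09-18T10:00:06Z 203.0.113.7 "GET /logout HTTP/1.1" 200
this line is corrupt and must be skipped`

// Request is one parsed log line.
type Request struct {
	At     time.Time
	Client string
	Status int
}

// Policy holds the per-window thresholds a scrubbing layer enforces.
type Policy struct {
	Window       time.Duration // sliding window length
	PerClientMax int           // requests one client may make per window
	InvalidMax   int           // 4xx responses one client may cause per window
	GlobalMax    int           // total requests per window before it counts as a flood
}

// ParseLog reads the format above and drops lines it cannot parse: a detector
// that panics on a malformed line is itself a denial-of-service target.
func ParseLog(text string) []Request {
	var out []Request
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 4 {
			continue
		}
		at, err := time.Parse(time.RFC3339, f[0])
		status, err2 := strconv.Atoi(f[len(f)-1])
		if err != nil || err2 != nil {
			continue
		}
		out = append(out, Request{At: at, Client: f[1], Status: status})
	}
	return out
}

// trim drops timestamps at or before cutoff, so each window is (cutoff, now].
func trim(ts []time.Time, cutoff time.Time) []time.Time {
	i := 0
	for i < len(ts) && !ts[i].After(cutoff) {
		i++
	}
	return ts[i:]
}

// Detect replays requests in time order with one sliding window per client,
// one per client for 4xx responses and one for the whole service. It returns
// the clients to drop at the edge and whether the aggregate rate ever exceeded
// GlobalMax, which is the signal to start scrubbing.
func Detect(reqs []Request, p Policy) (blocked []string, flood bool) {
	sort.Slice(reqs, func(i, j int) bool { return reqs[i].At.Before(reqs[j].At) })
	win := map[string][]time.Time{} // keyed by client, and by "4xx:"+client
	var global []time.Time
	bad := map[string]bool{}
	for _, r := range reqs {
		cutoff := r.At.Add(-p.Window)
		global = trim(append(global, r.At), cutoff)
		flood = flood || len(global) > p.GlobalMax
		win[r.Client] = trim(append(win[r.Client], r.At), cutoff)
		bad[r.Client] = bad[r.Client] || len(win[r.Client]) > p.PerClientMax
		if r.Status >= 400 && r.Status < 500 {
			k := "4xx:" + r.Client
			win[k] = trim(append(win[k], r.At), cutoff)
			bad[r.Client] = bad[r.Client] || len(win[k]) > p.InvalidMax
		}
	}
	for c, b := range bad {
		if b {
			blocked = append(blocked, c)
		}
	}
	sort.Strings(blocked)
	return blocked, flood
}

// AnalyseSample runs the detector over the constructed log with a policy sized
// for it: a 10-second window, 3 requests or 2 errors per client, 8 in total.
func AnalyseSample() ([]string, bool) {
	return Detect(ParseLog(sampleLog), Policy{Window: 10 * time.Second, PerClientMax: 3, InvalidMax: 2, GlobalMax: 8})
}
```

AnalyseSample() is the entry point; wrap it in a main to print the blocked list and the flood flag for the sample. In production the same counters are fed from a proxy or flow log in real time, the blocked list is pushed to the edge filters, and each window is kept in a ring buffer rather than a slice that is trimmed from the front.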

O is for outside threat
As opposed to the insider threat, this represents the majority of threats to an organisation. Insider threats typically have some level of knowledge and privilege.
There are different levels of outside threat, ranging from reconnaissance attacks to determine weaknesses in the perimeter defences of an organisation, to social engineering, where the outside attacker uses social networking, news articles and personal calls to gain an insight into the person's or company's defences. This knowledge is then typically used to write a specific email that contains malware (malicious software).
The majority of organisations focus their attention on outside threats and put in place a range of technologies that protect the perimeter of an organisation. But with the advent of cloud computing and an increased mobile workforce, these defences are being bypassed.
This is where, with the right security processes and policies, businesses can educate their workforce to help reduce the risk of outside threats.
Garry Sidaway is a senior vice-president at NTT Com Security
O is also for offline attack

P is for password
The comedian John Oliver recently observed that cyber security is the only reason we know our mother's maiden name. The use of passwords to grant access to software and services online is the most common security measure we use, and the most vulnerable. To combat these vulnerabilities, many companies insist on the use of more complex passwords: longer, with a mix of letters, upper and lower case, and numbers. They also insist that the password is changed at regular intervals.
As more than one security expert insists, the only secure password is the one you can't remember.
However, there's no getting away from the impact of human behaviour and the limits of memory. According to figures from the credit-checking agency Experian, we have an average of 26 online accounts at any one time. Duplicate use of passwords and scribbled reminders on Post-it notes are an inevitable consequence. While two-factor authentication can help mitigate misuse, biometrics and other forms of identity management appear to be likely rivals to the alphanumeric password. Nevertheless, no solution is entirely safe or foolproof.
Jon Bernstein
P is also for passive attack, personally identifiable information and phishing

Photo caption: Edward Snowden: the ultimate breach-of-privacy dilemma

Q is for quarantine
Quarantine is a method of isolating a file when it is thought to have been infected with a virus. The aim is to protect other files on the same or connecting devices from the spread of the software virus. Anti-virus software and tools will

IN PARTNERSHIP WITH GRIFFIN HOUSE CONSULTANCY

Seven steps to effective training
Company guidelines, training and policy documents are often not fit for purpose. Griffin House Consultancy offers an alternative approach

In the event of a significant data breach due to a cyber attack, malicious act, negligence or human error, the Information Commissioner's Office (ICO) will conduct an investigation. The commissioner will want to know what action you took to protect the personal data entrusted into your care and what you did to mitigate any loss, damage or distress to the data subject.
As part of the investigation the ICO will ask: "What training did you give your team?" An inadequate response to this question will influence the ultimate decision and potential enforcement, and possible monetary penalties.
We have conducted many compliance reviews and audits and often company guidelines, training and policy documentation are not fit for purpose. Many organisations are aware that they need a data protection policy or training guide, but simply provide staff with an A4 sheet of paper stating: "Staff must process personal data in accordance with the Data Protection Act." Some elaborate by listing the eight principles.
While any policy is better than none, this would fall far short of demonstrating to the ICO a commitment to protecting data. To help you, these are our top tips for creating an effective data protection training programme.
1. Perform a privacy impact assessment (PIA) to understand what personal data you hold. This will tell you the nature of the information, where it is held and how securely. Crucially, it will identify the impact of a breach on the data subject.
2. Armed with the results of the PIA, decide what level of training you need to give your team members to protect this data.
3. Identify the different levels of responsibility and segment your training accordingly. It may be sufficient to train entry-level staff with little access to data using an e-learning package, or get them to watch one of the ICO's free training videos. Supervisors and managers may benefit from external courses, such as our Level 2 Certificate in Data Protection. For Data Protection Officers and in-house trainers, longer residential courses may be suitable.
4. Ensure the training you provide is up-to-date and relevant to the task in hand. Provide real-life examples: at Griffin House, for instance, we ensure that information is fairly and lawfully obtained by giving a clear statement on our website before any data is collected.
5. Keep the training interesting and appropriate to the level of experience. For example, if you are training your reception team how to handle inbound telephone enquiries, try role-playing. Academic study has its place, but people tend to engage more when the training is personalised.
6. Keep records of your training. You will need to prove to the ICO that it was delivered; getting your employee to sign off the training record is best practice. Make data protection part of your new employee induction process and update the team at regular intervals.
7. Remember to tailor policies and provide training for all stakeholders who can access or influence your data flows, including volunteers, subcontractors and data processors. A data breach may not just result in the loss of personal information, but also commercially sensitive and confidential information.
Never underestimate the positive effect of culture in an organisation. If you instil a culture of good governance and actively encourage and praise best practice, your team will take ownership of compliance and seek out vulnerabilities, propose improvements and apply pressure to their peers to keep the organisation safe.
Training is a critical element in protecting your organisation, but even with all of these precautions, sadly it is not a case of if you are a victim of a cyber attack but when, and we therefore also recommend that organisations consider additional security regimes such as Cyber Essentials or ISO 27001.
Griffin House Consultancy is a data protection and information governance consultant, auditor and trainer
To find out more, visit: griffinhouseconsultancy.co.uk

IN PARTNERSHIP WITH STUART J GREEN DIGITAL ENGINEERING LTD

So you're serious about cyber security?
What better way to demonstrate that you're meeting the challenge than by having someone independent assess your performance, asks Stuart Green

The phrase "We're very serious about cyber security" seems to have become a standard party line. Usually, this statement follows a very public announcement of a breach or cyber attack, or when shortcomings have been highlighted in a gap analysis and an organisation is about to justify doing nothing about it.
Yes, you read that right. Some organisations will pay for a gap analysis to highlight their vulnerabilities and weaknesses and then will simply do nothing about it. Why? Sometimes it's the perceived cost of rectifying the problems. Sometimes there are personalities within the organisation (often the finance director or IT manager) who strongly object to the independent findings and block any subsequent action. Often, though, it's because the organisation just doesn't get it: "we've always worked this way and we've been fine so far" is often a closing remark.
With larger and more sophisticated cyber attacks now being reported on at least a monthly basis (Ashley Madison, Carphone Warehouse, and so on), as consumers we want to know that the companies that we are dealing with are protecting our identities and any information that they hold on us. As consumers we are becoming more savvy, with higher expectations.
Why then do a vast majority of small and medium-sized enterprises forget this when they deal business-to-business? Why is supply chain security such an alien concept to some? An organisation's supply chain is vital to its existence and it doesn't take an experience of the likes of Target to appreciate that.
Take the field of accountancy. Arguably there is an accountant or accountancy practice in every supply chain, and this professional area of expertise often remains unchallenged around how they are protecting data. Furthermore, this one profession appears to be the first to resist any form of change to protect themselves and their clients from cyber attack. Yet many claim "we're very serious about cyber security". Really? Prove it.
So, in the world of all things cyber, what can be done to strengthen a supply chain and combat this apparent apathy?
Well, the UK government has an answer to that in the form of its Cyber Essentials scheme. Launched in 2014, Cyber Essentials is a recognised certification that any organisation can attain and it consists of a number of technical controls that can be easily implemented to strengthen an organisation against cyber attack. CESG, GCHQ's cyber advisory body, will be the first to point out that an organisation which meets the Cyber Essentials standard is resistant to around 80 per cent of common cyber attacks. Now that sounds like a great place to be.
With two levels of certification, Cyber Essentials and Cyber Essentials Plus, organisations can demonstrate that they have self-assessed or have been assessed by an independent auditor. In this age of consumer cyber-enlightenment, what better way to demonstrate that you're meeting the challenges of cyber threats head on than by having someone independent come in and formally say what a jolly good job you're doing? That's worth shouting about; marketers take heed!
Cyber Essentials is in its early days, but more and more organisations are feeling the benefit of going through the process of attaining the certification. Even those with ISO 27001 find the process reveals something they didn't know about their organisation and they see the value in the process. Cyber Essentials is the one element that we should be insistent about having in our supply chains.
So, the next time you hear "we're very serious about cyber security", look for that Cyber Essentials badge. Those who are will have it and can prove how serious they are. Those who aren't? They're probably speaking after a cyber attack.
Stuart Green is managing director of Stuart J Green Digital Engineering Ltd, an information security specialist
To find out more, visit: sjgdigital.com

quarantine a file if they are unsure of the provenance of the attack or are simply unable to eliminate it (remember, the virus maker is always one step ahead of the virus eliminator). The quarantined file is often sent for analysis before being destroyed. This helps anti-virus software firms develop and update protocols to deal with similar attacks in the future.
Jon Bernstein
Q is also for quadrant and quality of service
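What "isolating a file" involves in practice is shown below as an added example in Go. It is not code from the page or from any anti-virus product, and the file names, directory layout and sample attachment are constructed for it. The suspect file is hashed, stored under its digest in an XOR-encoded form so that it cannot be opened or re-detected by accident, described in a JSON manifest for the analyst, and only then removed from its original location; Restore reverses the encoding and refuses to hand back a file whose digest no longer matches the manifest.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// Record is the manifest written beside each quarantined file.
type Record struct {
	OriginalPath string `json:"original_path"`
	SHA256       string `json:"sha256"`
}

// xorKey is a fixed, non-secret byte. Encoding is not for secrecy: it makes the
// stored copy neither a valid document nor an executable, so nobody opens it by
// accident and a scanner walking the directory does not re-detect it.
const xorKey byte = 0xA5

func xorBytes(b []byte) []byte {
	out := make([]byte, len(b))
	for i, c := range b {
		out[i] = c ^ xorKey
	}
	return out
}

// Quarantine hashes the file, writes the encoded copy and its manifest into dir
// under the digest (a hostile file name never reaches the filesystem), and only
// then deletes the original, so a failure part-way never loses the evidence.
func Quarantine(path, dir string) (Record, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return Record{}, err
	}
	rec := Record{OriginalPath: path, SHA256: fmt.Sprintf("%x", sha256.Sum256(data))}
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return Record{}, err
	}
	meta, _ := json.MarshalIndent(rec, "", "  ")
	for ext, body := range map[string][]byte{".quar": xorBytes(data), ".json": meta} {
		if err := os.WriteFile(filepath.Join(dir, rec.SHA256+ext), body, 0o600); err != nil {
			return Record{}, err
		}
	}
	return rec, os.Remove(path)
}

// Restore decodes a quarantined file to dest (for analysis, or after a false
// positive) and refuses if the content no longer matches the recorded digest.
func Restore(dir, sha, dest string) error {
	raw, err := os.ReadFile(filepath.Join(dir, sha+".quar"))
	if err != nil {
		return err
	}
	data := xorBytes(raw)
	if fmt.Sprintf("%x", sha256.Sum256(data)) != sha {
		return fmt.Errorf("quarantine entry %s is corrupt: digest mismatch", sha)
	}
	return os.WriteFile(dest, data, 0o600)
}

// sampleMacro is a constructed, harmless stand-in for a suspicious attachment.
const sampleMacro = "Sub AutoOpen()\n  ' constructed sample, does nothing\nEnd Sub\n"

// CycleResult records what a quarantine-and-restore round trip observed.
type CycleResult struct {
	Record          Record
	OriginalRemoved bool // the file is gone from where it was found
	StoredIsEncoded bool // the on-disk copy is not byte-identical to the original
	RestoredMatches bool // Restore reproduced the original bytes exactly
}

// Cycle quarantines the sample in a temporary directory, restores it and cleans up.
func Cycle() (CycleResult, error) {
	base, err := os.MkdirTemp("", "quarantine-demo")
	if err != nil {
		return CycleResult{}, err
	}
	defer os.RemoveAll(base)
	suspect := filepath.Join(base, "invoice.doc")
	if err := os.WriteFile(suspect, []byte(sampleMacro), 0o644); err != nil {
		return CycleResult{}, err
	}
	qdir := filepath.Join(base, "quarantine")
	rec, err := Quarantine(suspect, qdir)
	if err != nil {
		return CycleResult{}, err
	}
	_, statErr := os.Stat(suspect)
	stored, _ := os.ReadFile(filepath.Join(qdir, rec.SHA256+".quar"))
	restored := filepath.Join(base, "restored.bin")
	if err := Restore(qdir, rec.SHA256, restored); err != nil {
		return CycleResult{}, err
	}
	back, err := os.ReadFile(restored)
	return CycleResult{Record: rec, OriginalRemoved: os.IsNotExist(statErr),
		StoredIsEncoded: string(stored) != sampleMacro, RestoredMatches: string(back) == sampleMacro}, err
}
```

Cycle() performs the whole round trip; call it from a main to try it. Real products also record the detection name and a timestamp in the manifest, keep the quarantine directory writable only by the scanner's own service account, and encrypt rather than XOR when the quarantine store may be copied off the host for analysis.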

R is for risk assessment
A broad set of steps that help an organisation understand the likelihood, implications and potential damage resulting from a cyber attack. Risk assessments should be carried out on a regular basis to counter threats that take advantage of large, highly dynamic and complex IT environments, new technology vulnerabilities and evolving human processes, in other words, your attack surface.
Risk assessments are often used to support regulatory guidelines and include a broad series of activities. These can range from basic steps, such as automated vulnerability scans, to more advanced assessment methods, including replicated attacks carried out by professional penetration testers. These real-world attacks culminate in a comprehensive report of how the attack was perpetrated and the potential ensuing damage. Such exercises highlight the exposure of your detect, contain and respond capabilities, missing in traditional risk assessments.
Consider these questions when contemplating a risk assessment:
1. Is there a set of security policies, such as employee internet and email usage, that meets best-practice guidelines?
2. Is there a defined and regularly carried-out process for detecting an attack or an actual breach?
3. Is there a response plan for an attack, and does it actually work in practice?
Panos Dimitriou is chief technology officer and co-founder of the Encode Group
R is also for resilience and rogue devices

S is for Snowden, Edward
How's this for an ethical dilemma? What would you do if the only way to demonstrate a breach of privacy and trust on an industrial scale was to reveal highly confidential data? In effect, that is the predicament Edward Snowden, a former National Security Agency contractor, faced before he leaked a raft of documents from a top-secret surveillance programme sanctioned by the US government.
In early summer 2013, he shared the information with a handful of journalists. Soon stories appeared in the New York Times, the Washington Post, Germany's Der Spiegel and the Guardian in the UK.
Snowden, a traitor to some, a heroic whistleblower to others, was charged on two counts under the Espionage Act 1917, including wilful communication of classified material to unauthorised personnel.
Jon Bernstein
S is also for spam, spoofing and spyware

T is for Target
If ever there was a case of corporate nominative determinism, this was it. Think: if your company is called Target, beware attack. The US retailer with that name on its back suffered a catastrophic cyber breach in the run-up to Christmas 2013. Malware placed in the retailer's security and payments system extracted the names, addresses, phone numbers and email addresses of 70 million customers and obtained credit-card details of a further 30 million.
Reputational and financial damage followed. The attack had a human cost too: chief executive and chairman Gregg Steinhafel and chief information officer Beth Jacob both lost their jobs.
The winners? The hackers who reportedly sold between one and three million of the credit-card numbers for $54m; and the technology suppliers who benefited from Target's subsequent multimillion-dollar investment in cyber security.
Jon Bernstein
T is also for threat and Trojan horse

U is for user
You may not realise it, but you are a target. If you have an email address, a mobile device, a computer or any online accounts, cyber criminals are targeting you. Fortunately, you can protect yourself and your family by taking some simple steps.
1. Use common sense. If you receive an email, message or phone call that seems odd, suspicious or too good to be true, it may be an attack.
2. Use strong passwords to secure your online accounts and make sure you use a different password for each account. Can't remember all your passwords? Not a problem. Consider using a password manager. Finally, use two-step verification for all of your accounts whenever possible; it is one of the most effective steps you can take to secure an account.
3. Protect your mobile devices with a strong PIN or passcode, or use fingerprint authentication. That way, if it's lost or stolen, no one can easily access your photos, data or apps.
4. Keep your computers and mobile devices updated and current.
Lance Spitzner is an instructor at the SANS Institute
U is also for unauthorised access

A-Z OF CYBER SECURITY

18-24 SEPTEMBER 2015 | NEW STATESMAN | 17


V is for verification
Online verification is established through cryptographic keys and digital certificates, which act as the foundation of all cyber security. It is a critical element in establishing online trust for secure communications, commerce, computing and mobility. A certificate is a digital form of identification. Like a passport or other user identification, digital certificates provide generally recognised proof of identity and are intended to verify and secure data between users, systems, applications and devices.
Digital certificates rely on public key cryptography for authentication. When a certification authority issues a digital certificate, it is signed with the authority's private key. In order to verify the authenticity of a digital certificate, the user can obtain the authority's public key and use it to check whether the certificate was signed by that certification authority. Unfortunately, even this verification process can be subverted. Cyber criminals are able to compromise keys and certificates that are not properly protected to get around security controls, hiding in your system, monitoring what you do online and compromising personal data.
Kevin Bocek is a vice-president at Venafi
V is also for vulnerability and virus

W is for worm
The one characteristic shared by all computer worms is the capability to replicate. Whereas a conventional computer virus will attach itself to a file or a software program, a worm will commonly use failings in computer security to gain access and then spread itself across the network without human intervention.
Some worms have a malicious payload attached that might delete or corrupt files, for example. Others do not. Nevertheless, the simple act of replication at speed can cause significant disruption. By consuming sufficient system memory or network bandwidth, it can degrade or block access to web servers, network servers or standalone computers. An example of a payload-less worm was MyDoom, which hit Microsoft Windows PCs in 2004. It became the fastest-spreading email worm to date and caused significant disruption.
Jon Bernstein
W is also for white team and wifi

X is for X-rated
Beware the dark recesses of the web. That seemed to be the verdict of researcher Conrad Longmore, who analysed diagnostic data from Google and concluded that many popular pornography websites are infected with multiple instances of malware. Longmore told the BBC in 2013 that the root of the malicious files was some of the adverts featured on these sites. "We call these malicious advertisements malvertising," he said. The website owners disputed the findings.
Jon Bernstein
X is also for X.509 Public Key Certificate

Y is for Generation Y
The term Generation Y applies to those who were born after 1980 and were raised in a world of technology. As a result they are more tech-savvy and knowledgeable than previous generations. Generation Y employees are more aware of the cyber risks posed by new social, mobile and cloud technologies than older, probably management-level colleagues.
According to a recent Blue Coat survey of the online behaviour of UK employees, 62 per cent of 18-to-24-year-olds take effective precautions against unauthorised access to their social media data on mobile apps. They routinely check the identities of strangers before connecting with them, according to the survey results. By contrast, only 33 per cent of 45-to-54-year-olds check requests before accepting invitations to connect.
Christophe Birkeland is chief technical officer of malware analytics at Blue Coat
Y is also for you

Z is for zero day
A zero-day vulnerability is a previously undisclosed and exploitable weakness in a computer application for which no security patches are publicly available. The term refers to how many days the vendor of the compromised software has known about the vulnerability. Zero-day attacks or zero-day malware are computer programs developed to exploit this.
Best practice is to disclose new vulnerabilities responsibly and confidentially, by sending information about vulnerable software to the party responsible for its creation so fixes can be made available before it is disclosed to the public.
However, there are individuals who identify and use zero days for financial, political or social gain. These agents include black-hat hackers, criminals and private companies who research, develop and sell zero-day vulnerabilities.
Some government agencies exploit zero days as part of their attempts to disrupt, degrade or disable a rival government's operations. A real-life use of a zero-day vulnerability was Stuxnet in 2010, which disabled uranium enrichment facilities in Iran.
Christophe Birkeland
Z is also for zombie


IN PARTNERSHIP WITH BRONZEYE

Cyber security, a must-do for SMEs
For many small businesses, cost has become a barrier to good protection. It needn't be, says Bronzeye

"Cyber crime is a top priority," says the government. "The police barely scratch the surface of the problem," says the commissioner of the City of London Police. Most cyber crimes we hear about involve banks. Perusing victim lists, you would be forgiven for thinking that this is an American disease. You would be wrong. We are equally vulnerable and suffer successful attacks just as frequently. We're just better at hiding it.
Cyber crimes that make the news invariably involve victims who have been negligent: giving a conman banking details he then uses to raid the bank account, for example. But where money goes walkies and financial companies can't determine how it has happened, they refund the losses and keep very quiet about it, usually under non-disclosure terms.
There are many companies whose security has been breached and whose intellectual property has been stolen. Many will not know that this has happened, and for small to medium-sized enterprises (SMEs) that lost data may ultimately be a cause of their demise, and they will probably never know.
The cyber security industry paints itself as a superhero fighting off hackers. This is nonsense. It is a multibillion-dollar industry which relies on bad guys to stay lucrative, according to John Prisco, a man who has made it his mission to highlight its many failings. "Much of the software doesn't work anyway, and they know it," he says.
Hyperbole? Probably not. Scale and deep pockets are the primary drivers for vendors. They are much less interested in SMEs. They have herds of cash-cow solutions to sell and they are going to sell them! The cumulative cost (hardware, software, licensing, people) quickly zooms out of the reach of most SMEs. For any company, the consequences of being insecure, getting hacked and subsequently deemed negligent are horrendous. And it is easy to get there. Goofing PCI compliance, which is pretty easy, equals big trouble, into Kerplunk! territory for many. That's a real dichotomy for SMEs.
Things are changing. New laws create liability and dictate responsibility. Most regulations are written with big companies, primarily banks, in mind. Unfortunately, a law for one is a law for all and compliance is a massive drain. It is meant to force enterprises to focus on their cyber security. For SMEs it quickly becomes a barrier. In response, many do nothing and hope for the best: "It hasn't happened, so it's not a problem." That is becoming suicidal. When it does happen, it will be too late. If you are not ready, in a moment, it becomes an insurmountable problem and you are probably going out of business.
Three-quarters of large breaches enter through third-party systems. Hackers know defences will be weaker here. Only about 15 per cent of larger businesses conduct meaningful checks on supply-chain cyber security.
Criminals work on risk/reward. Cyber criminals are criminals. Good cyber security increases hackers' risks and makes you less of a target, and more attractive to customers and partners, too. Every enterprise can improve cyber protection surprisingly inexpensively. Soon it will be a prerequisite to have excellent cyber security. Regulators will bear down on larger companies, who will simply pass the requirement on.
No one can guarantee that any system is unbreachable, but that doesn't mean doom and gloom. An engaged management that has identified the threat can create strong cyber defences through judicious use of resources and sensible governance. Then, when an intruder gets in, it is identified and removed promptly. This can be achieved for a budget within reach of all.
Einstein said that insanity was doing the same thing over and over again and expecting a different result. Let's cut the insanity and change the way we think.
Bronzeye IBRM offers an affordable,
subscription-based, information and
cyber security service to SMEs and others
To find out more, visit: bronzeye.com

VIEW FROM THE EXPERTS

Total security is
a futile concept
Where does the biggest threat lie? And what steps should organisations, large and small,
take to mitigate risk? We ask four cyber specialists

1. How would you convince UK plc to take cyber security more seriously?

Catherine Askam
Senior manager of cyber risk services at Deloitte UK
The recent large-scale cyber incidents have demonstrated the increased need for improved security in UK organisations. Cyber threats are growing and cyber attacks are moving from disruptive to destructive.
The UK has experienced many large-scale point-of-sale compromises and credit-card thefts, but now we're also seeing new targeted attacks. For example, there have been large-scale compromises of healthcare companies and hospitals for the theft of personal records.
This isn't surprising: the personal-data trading market is starting to generate real rewards for criminals. The loss of data from any organisation and the rise of the destruction of data is very concerning.

John Berriman
Chair of cyber security practice at PricewaterhouseCoopers
Every organisation needs to be confident that it is fit for the digital age. As they have capitalised on new operating platforms, the amount of data they hold has increased phenomenally. Data is the lifeblood of a business: it underpins its every relationship, decision and interaction.
Information is now a greater source of competitive advantage than ever before, but only if it is secure. It is essential to create a risk-aware culture led from the top, with the boardroom showing it recognises the potential risks at the same time as it embraces opportunities for growth.

Mark Brown
Executive director, cyber security and resilience at Ernst & Young
Cyber threats remain one of the most significant risks facing UK businesses today. The blistering pace of technological change and the cyber threats that come with it are only going to accelerate. The UK government has made cyber security one of its priorities, so UK plc should need little convincing about the seriousness of this threat.
Businesses should remember that cyber security is not just about threats; it also offers a tremendous opportunity for organisations to turn the challenge around. The risks associated with cyber security must not be viewed solely as a danger, but more innovatively as opportunities for business to benefit by better leveraging technology. Cyber security can make good business sense, and those businesses embracing cyber opportunities stand to gain significant advantage over competitors in an ever more global marketplace.

Paul Taylor
UK head of cyber security practice at KPMG
Businesses are increasingly realising that cyber security is something that they cannot ignore. Our own survey of FTSE-350 companies found that 74 per cent of them thought their boards were taking cyber security very seriously, yet just 39 per cent of board members saw cyber risk as an operational one when comparing it to other threats.
Businesses need to consider that if subject to a cyber breach, they risk losing money or intellectual property, regulatory fines, clear-up costs, reputational damage and, perhaps most importantly, losing customer confidence.

Photo caption: Cyber security makes good business sense and should be seen as an opportunity

IN PARTNERSHIP WITH LOCKTON

Protection for when your defences fail
Looking for comprehensive and inexpensive insurance?
Max Perkins explains where to start

Businesses are beginning to realise the potential costs of a cyber breach and they're asking us what they can do to protect themselves. We help them to understand their risks and what's in the insurers' minds, so they can address these issues and get the best cover possible.
Cyber insurance can offer businesses protection against a host of risks.
The call from boards and shareholders for adequate insurance cover is growing. The good news is many insurers are offering cover or are in the process of building teams to assess and insure the risks.
Businesses can easily buy insurance to cover:
• costs incurred to manage a breach crisis
• regulatory fines and proceedings
• legal liability
Also, they can now find cover for:
• consequential losses due to damage of business reputation
• consequential losses due to interruptions in network operations.
From an insurer's point of view
Insurers are nervous. They are facing regulatory scrutiny over whether they can afford the risks they are insuring and the possibility of escalating claims. At the same time, they are trying to maintain their profitability. As a consequence, the cost of insurance is going up.
To understand their exposures and the ripple effects of claims, underwriters


constantly monitor claim trends. They look at the severity and frequency of cyber breaches across all industries. So they know what the losses are for small, common breaches, while being ready to pay for the hugely expensive catastrophes, which are relatively rare.
Unlike other types of insurance, generating predictable models for cyber losses is difficult for two reasons. First, the insurance sector only has five years of good loss data. Compare this to property insurers, who have losses dating back hundreds of years. And second, the risks constantly evolve, so data from five years ago may already be useless.
How to get the best insurance for your cyber risk
Insurers are trying to improve their understanding of the risks they are taking on from clients. They are asking for more and more information about how the business is run, and how information is handled.
The key to finding inexpensive cover is to demonstrate you have strong defences and the capability to monitor your network and shut it down quickly if need be. More specifically, insurers will ask questions about:
• Privacy governance: do you have policies in place for users to follow?
• Privacy culture: are you making employees, vendors and other visitors to the organisation aware of privacy risks?
• Network security: do you protect and monitor your IT infrastructure?
• Data encryption tools: encrypting data on portable electronics is now as important as having fire sprinklers in a building.
• Network segmentation: separation of networks, or at least data, is important. Would you keep all of the money you have in the world stored in one place for someone to steal?
• Point-of-sale systems: we have all seen the problems with storing credit-card information.
We recently helped a large corporation avoid a 35 per cent increase in the cost of its insurance by showing it took privacy culture seriously. And a small business in Bristol was able to increase its insurance capacity from 5m to 15m by showing that it had put proper controls in place for its point-of-sale systems.
Max Perkins is a member of Lockton's global technology and privacy practice. He helps clients manage their professional liability, cyber, data breach and other risks that can damage their reputation. The team serves clients in Europe and the US. Recently the firm was asked to give evidence to the US Senate on cyber security on behalf of the insurance industry.
Max Perkins can be contacted at: max.perkins@uk.lockton.com
Lockton is a global insurance broker.
Visit: lockton.com/cyber-and-technology

IN PARTNERSHIP WITH DIGITAL PATHWAYS

"Keep calm and carry on" is not an option
Attitudes to data security must change if businesses are to guard
against cyber attacks, writes Colin Tankard

The headlines may be about cyber war and digital Armageddon, but cyber attacks are affecting businesses of all sizes and are on the increase. Criminals know that electronic crime offers fast returns, with a much-reduced chance of being caught. The growth in cyber crime coincides with the explosion in the number of digital devices such as smartphones, laptops and tablets. Meanwhile, social media and the web have become integral parts of life.
Yet many businesses are operating as if the data revolution hadn't happened. They face two challenges: their conventional defences against cyber attack are likely to be inadequate, and their employees are often unaware of the tricks that cyber criminals will use to get information.
Basic technical precautions are still important. Anti-virus software and server security patches should be applied, and email systems should, as a minimum, have spam filters. A firewall acting as a barrier between the outside world and the company is still a requirement. Important data or devices must be protected by strong passwords and subject to access controls to prevent accidental or deliberate leakage.
The problem is that such basics were designed for a different, more static, business environment. The world has gone mobile and the data along with it. Attackers know that many employees use their personal devices for business use as well. They share emails across web-based email, and download office documents to unprotected devices or cloud-based storage. This means that increasing amounts of company data and access points exist outside the traditional company perimeter, way beyond the protection of the firewall.
Criminals are also adept at exploiting the vulnerability of employees through social engineering techniques. They send fake emails that look as if they originate from official bodies. These contain web links that, once clicked, may download malware designed to steal company data or passwords and login details from unsuspecting employees.
Hackers will obviously go after data that they can see on company servers, but what if it were hidden from prying eyes? After all, you can't hack what you can't see. Technology exists that can do just that and make data servers go dark. Such stealth technology puts a virtual cloak around servers so only the rightful owners and those users, devices and applications that are authorised to access the data can see it.
Businesses should also consider two-factor authentication, where users need more than a password to access data that is essential. This can be in the form of a randomly generated PIN or biometrics such as a fingerprint scan. And, of course, passwords should also be as strong as possible.
Encryption is great, but not enough on its own. Again, only those authorised to read the data should be able to decrypt the data fully; for example, system administrators should be able to know that the data exists, but not be able to read it.
Effective business security is more than just a one-time fix. Protecting the company's crown jewels is an ongoing process and needs regular checks to ensure that the processes put in place are good enough to keep cyber attackers at bay.
According to research by Kaspersky Lab, a security firm, one-third of UK small businesses wouldn't know what to do if they suffered a security breach, while a quarter admit they wouldn't be able to recover any lost data.
All businesses need to get wiser about cyber security and think beyond simply spending more on an ad-hoc basis. Cyber defences need to be planned and technology choices made carefully.
With the sophistication of cyber criminal gangs increasing all the time, the option of keeping calm and carrying on is not on the table.
Colin Tankard is the managing director
of Digital Pathways
To find out more, visit: www.digpath.co.uk

VIEW FROM THE EXPERTS

2. The cyber security industry trades off people's fears, often unsubstantiated. Discuss
John Berriman
PwC research conducted for the government has shown that nine out of ten organisations reported a cyber-security breach in the past year, so the threat businesses face is very real. The cyber-security industry is driven by the genuine experiences of organisations that suffer security breaches.
Others are in denial about the extent to which they are vulnerable or fail to prepare adequately and then find themselves hit by a major breach that causes serious business disruption.
At PwC we are trying to make organisations more aware and better prepared. There is a lot that can be done to prevent a breach becoming a serious issue that causes long-term and costly damage to a business, its brand and reputation.

Mark Brown
The fear aspect of cyber security is well documented, but there are alternative viewpoints. A modern approach to viewing the role of cyber security is evolving, one rooted in the heart of enterprise risk management rather than compliance. As organisations recognise that 100 per cent security is a futile concept, a move towards cyber resilience is evolving, where detection and response are as important as, if not more so than, prevention.
This change requires a new breed of cyber-security professional, one as comfortable in the parlance of business management as technology, and who can sell the concept of risk enablement rather than simply being seen as the inhibitor of progress.
The risk is very real, but can be managed without detrimentally impacting operations where a business-centred approach is adopted.

Paul Taylor
There's a great deal of scaremongering out there that isn't necessarily helpful. The constantly evolving threat landscape promotes a feeling of vulnerability for many and has resulted in some organisations spending significant sums of money on ineffective programmes with poor alignment to risks and business imperatives. Cyber security is not achievable by a quick technical fix, nor is it a matter solely for the IT department.
We often see that these behaviours leave leadership wondering what they really need to do, how much is really enough and who they can trust to help them get it right.
The reality is that cyber security is a business risk, just like physical security. If measures are put in place to deal with it, then businesses can mitigate and protect against future attacks as a matter of business as usual.

Catherine Askam
Cyber risk is often associated with high-profile cyber espionage, rather than the more common reality of direct threats to day-to-day activities. The basics, such as regularly updating security software, are often forgotten as a means to prevent attacks. The answer is not to stop worrying, but to turn defences in the right direction. Security officers should prioritise the training of employees to understand and prevent the security risks the organisation faces, instead of being paralysed by the fear of being blamed in the event of an incident.

3. Internal or external: where does the biggest threat to a firm's security lie? And why?
Mark Brown
Although the actual threat remains the technical vulnerabilities exploited by the cyber criminals, the biggest risk is that most of these technical vulnerabilities are exploited in the first place due to the actions of internal employees. Well-intentioned but misinformed staff continue to expose otherwise safe practices in an organisation; therefore, failure to provide continual education, training and awareness to staff is a key risk.
Notwithstanding internal aspects, if a cyber criminal wishes to break into a corporate organisation, technical defences alone are insufficient. An ardent attacker will attack an organisation until they find the exposure.

Paul Taylor
Both internal and external threats exist. It really depends on the core business of the company you are dealing with. The key is to take a holistic view of the threat: thinking about who your adversaries might be, what they might be after and the various ways they might achieve their goals.
Moreover, keeping the different aspects of security in the front of your mind by means of cyber exercises or resilience games is a good way of making sure that all relevant parts of the organisation can work together to deal with any incident. In short: attackers won't respect your stovepipes and you need to think.

Catherine Askam
Employees and non-employees accessing buildings, data and critical IT systems are probably an organisation's biggest threat. While malicious users may attack from the inside of an internal system, causing greater harm than any cyber attack, employees could also make mistakes that put the company at risk. Security information and event-management tools can prevent these, as they can flag up irregular activity. This leads to timely incident detection and containment.
Smartphones are also becoming a cyber-security minefield. The ability to log in automatically, steal credentials and break into the back-end systems poses a real risk.

John Berriman
There's no doubt that external threats regularly grab the headlines. Malicious threats and breaches cause genuine, serious and high-profile breaches. Many organisations prioritise external threats, but internal ones can be just as damaging. Staff can be the strongest or, indeed, weakest point in the security chain.
PwC research for the government found that 75 per cent of large organisations suffered staff-related breaches, up from 58 per cent a year ago. Inadequate training, poor security awareness or general negligence can lead to breaches just as readily as hackers and criminals.
Employee awareness is a difficult area for information security and many organisations struggle to get it right.

4. What single statistic should act as a wake-up call to those who need convincing?
Paul Taylor
Every day we hear of new vulnerabilities, attacks and incidents. The Centre for Strategic and International Studies estimates that the likely annual cost to the global economy from cyber crime is between $375bn and $575bn. These startling figures are more than the national income of many countries.

Catherine Askam
According to CYREN's 2015 Cyberthreat Yearbook, the number of successful cyber attacks on businesses of all sizes increased by 144 per cent between 2010 and 2014. Therefore, cyber attacks are clearly a growing concern for UK businesses. We often say that it's no longer a case of "if" you get hacked, but "when".

John Berriman
The average cost of the most severe security breaches for big business is now 1.46m, according to PwC research. That doesn't take into account the impact on an organisation's reputation and relationship with its stakeholders. Every organisation needs to wake up to the very real threats they face.


Mark Brown
Cyber crime today is prevalent as a global criminal industry. Organisations are hacked daily, but the scale of attacks is often difficult to comprehend.
During 2014 the biggest reported hack was conducted by the Russian organised-crime gang CyberVor, which captured more than 1.2 billion personal IDs, the equivalent of hacking the entire population of India.

Photo caption: Organisations are hacked every day, but it can be difficult to comprehend the scale of cyber crime

5. What three steps should businesses take now in order to improve their own cyber security?

John Berriman
1. Organisations need to accept breaches will happen and put in place controls to protect systems, with additional security for the assets that matter most.
2. They need to make sure that they are investing effectively in cyber security. That means focusing investment on preventing, detecting and responding to breaches. When organisations invest appropriately upfront and align security strategy with business objectives, they prevent having to pay significantly larger sums of money for breach responses at a later date.
3. They need to focus the entire organisation on thinking about risk, setting the tone from the top.

Catherine Askam
1. Fix the basics, such as passwords, and update security patching and new joiner, mover and leaver processes.
2. Review current security operations and invest in them to strengthen this area of your business.
3. Focus on prevention in addition to how you would respond to an attack, for example threat intelligence (detecting the methods of hackers and using this intelligence to plan responses) and data-destruction protection, such as technology or insurance policies to avoid data or information being destroyed if a hacker accessed it.

Mark Brown
1. Activate: make sure you switch on the defences that exist and configure them properly. Failure to do this leaves you unnecessarily exposed to today's threats.
2. Adapt: analyse your business and understand what information makes you a target for cyber crime. Personal data and credit-card data are obvious targets, but also think about IP and who your customers and suppliers are to protect against threats.
3. Anticipate: get on the front foot and rehearse threat scenarios to understand your organisational weaknesses. If they exist, cyber criminals will find them, so better that you find and resolve them first.

Paul Taylor
1. Identify what data and processes are the most important to your business.
2. Undertake a cyber-maturity assessment to see where you are now. Benchmark yourself against your industry.
3. Put a long-term plan in place, using a balance of internal resources and appropriate help. Don't try to be 100 per cent secure; that's simply not possible.


IN PARTNERSHIP WITH PGI CYBER ACADEMY

To fight cyber crime, first invest in closing the skills gap
It's time to close the knowledge gap, writes Matthew Olney

A worryingly large number of IT professionals believe that there is a huge shortage of cyber security professionals, and most expect that their organisation will be hit by a cyber attack at some point over the next 12 months.
The 2015 Global Cybersecurity Status Report released by ISACA showed that 83 per cent of respondents believe the biggest threat to business today is the one posed by hackers and other tech-savvy criminals. The report also shows that 87 per cent of its British members believe that there is a shortage of skilled cyber security professionals. In the United States that figure is as high as 90 per cent.
The British government further highlighted the dangers posed by cyber criminals in July, when it released a report which showed that 90 per cent of businesses in the country had suffered a security breach in 2014. Fortunately, it appears as though the UK is starting to take the matter of cyber security seriously, but as for businesses, most remain woefully unprepared to tackle the ever-growing and evolving threat posed by cyber crime.
A cyber attack can do huge damage to businesses: the theft of sensitive business data or customers' details, for example, can do serious harm to a company's reputation. A damaged reputation is also likely to lead to customers being wary of your business and in turn result in a substantial loss of revenue.
The best way to tackle this menace? Governments and businesses must do more to train their staff, close the knowledge gap and increase specialist skills education. Everyone must also be taught that when online, everybody is a target and that none of us is too small or unimportant.
The skills shortage is so bad that the lack of cyber-security skills has been classed as the biggest problem faced by the IT industry for four years in a row. Universities are offering courses to try to fill this skills gap, but it will be years before there are enough graduates to satisfy demand adequately. People with these skills can expect to receive very good salaries from companies and organisations fighting over them. This high rate of pay may not be much of an issue for corporations or governments, but smaller businesses are unable to compete.
Waiting around for the latest batch of graduates may sound like a good idea, but in reality it is a flawed method of obtaining staff with the necessary skills and knowledge. Most graduates are headhunted straight out of university and the competition to recruit them is fierce. A better way to close the skills gap is to train staff currently on the payroll.
Having staff that are cyber aware gives
a business an advantage over its rivals and
can increase customer condence. Ask
yourself whether you would rather do
business with a company that has taken
cyber security seriously, or one that has
not? Its not difcult to guess the answer.
Another problem faced by organisations looking to recruit cyber security personnel is that professionals able to cope with the ever-advancing cyber threat are few and far between. With threats always evolving, businesses and governments are forced to react and defend, rather than take the offensive.
With the launching of various programmes by the British government, it is hoped that smaller and perhaps more vulnerable businesses will take action to tackle the cyber security threat. In July it launched a scheme offering small and medium-sized enterprises up to £5,000 worth of funding to team up with external experts such as Protection Group International (PGI) to help provide staff training. The scheme is certainly a step in the right direction, but more needs to be done, especially in sectors such as transport.
The story of the Jeep Cherokee, which was subjected to test hacking in the US, hit the headlines in July and brought into the public eye the vulnerabilities of the car industry when it comes to hacker attacks. At August's Black Hat conference in Las Vegas, hackers demonstrated how the cyber attack was carried out.
"Please stop saying whatever you have and whatever thing you make is unhackable, because you're going to look silly," said a security expert at the Black Hat conference.
If someone with some skills and a laptop can hack into and take control of a car from miles away, then what is to prevent the same from happening in the aviation and maritime sectors?
The maritime sector in particular has been found to be especially vulnerable to cyber threats. In some cases the sector is ten or even twenty years behind the curve when it comes to cyber defence.
With the sector becoming increasingly reliant on technology, and the fact that the vast majority of the world's goods are transported by sea, the possibilities for disruption by hackers or cyber terrorists are vast. A hacker could send a ship off course or disable it to make it an easy target for piracy. According to the European Network and Information Security Agency (Enisa), awareness of cyber security in the maritime sector is currently low to non-existent.
Given the global importance of the sector, this lack of awareness needs to change.

Fiat Chrysler's Jeep Cherokee was the subject of a hacking test earlier this year

"No one is immune from cyber threats and there are many attacks aimed at the maritime sector on a daily basis. Insufficient investment in training and upgrading cyber security measures means that the sector is falling behind in the fast-paced world of cyber security," said Ben Swindlehurst, commercial development director at PGI.
According to the InfoSec Institute, the aviation industry is also struggling to fill a shortage of skilled cyber security professionals. With the industry hosting some of the most integrated and complex information and communications technology systems on the planet, it faces threats on a multitude of fronts.
The leading threats to the aviation industry range from phishing attacks to remote hijacking. The implications of a hacker breaching an aeroplane's or an airport's security should send a cold shiver down all of our spines.
Without adequate numbers of new cyber security professionals, we are all vulnerable to the acts of cyber criminals and cyber terrorists. It is a skills gap that needs to be filled, and this is where PGI's Cyber Academy comes in.
PGI aims to be a major contributor in the struggle to close the skills gap in the cyber sector. At our state-of-the-art Cyber Academy based in Bristol we implement our unique approach: understand, test, monitor, respond, educate.
All of our instructors are established cyber security professionals, holding leading industry certificates and having a wealth of real-world experience. Whether you are a small company or a large organisation, we have the skills, experience and expertise to offer businesses and governments tailored solutions that will make the difference in this information-enabled world.
PGI believes in education and awareness; therefore cyber security education and training for both IT professionals and non-IT executives stand at the core of our business. Our world-class information security specialists, certified against national and international standards, come from a multitude of backgrounds, ranging from multinational corporations to government institutions. We also operate on a global scale and believe in making the world a safer place to do business.
Matthew Olney is the communications officer at Protection Group International
Find out more about PGI at: pgitl.com

IN PARTNERSHIP WITH DIGITAL ASSURANCE

Cyber, cyber, cyber essentials
A five-step security assessment is an excellent introduction, writes Digital Assurance's Michael Minchinton

In today's reality of increasing cyber threats, the Cyber Essentials Scheme is the UK government's endeavour to help businesses and organisations secure their digital assets by undergoing a security assessment. Cyber Essentials is an optional requirement for most businesses, unless you wish to bid for some government tenders, when it becomes a mandatory requirement.
I must confess, as a security consultant with Digital Assurance, when the Cyber Essentials scheme was first launched in June 2014, I felt sceptical and somewhat disenchanted, certainly as a pen-tester and a fellow of the tin-foil hat brigade.
Cyber Essentials was not a traditional pen test that involved vigorous testing, staring at the only light emitting in the room at 2am and wondering what can be obtained from some odd memory leak vulnerability. Neither was it a physical security test where we were sneaking into your building and hiding, ninja-like, behind your employees or sitting at your desks. (Yes, yours, the one with password Post-it notes all over the monitor . . .) And it certainly doesn't include trying to contemplate how to debug a car's on-board computer over drinks with friends at a local pub after successfully exploiting and unlocking said car remotely.
I also felt somewhat sullied when I compiled some of the first of the Cyber Essentials reports for Digital Assurance, because low-risk issues did not have to be included in the final report. How preposterous!
Now, having completed several assessments against all kinds of infrastructure belonging to companies large and small, I can eat my tinfoil testing hat and declare that I was wrong.
If adopted by industry, Cyber Essentials has the potential to improve UK cyber security dramatically. It is especially beneficial to companies that do not operate a regular or annual security review.
So what does a Cyber Essentials certification include?
It comes in two flavours: Cyber Essentials and Cyber Essentials Plus. The basic one, Cyber Essentials, consists of a comprehensive questionnaire with five stages, covering security controls which are later assessed by the overseeing body of the Cyber Essentials certification.
The five stages covered are:
- boundary firewalls and internet gateways
- secure configuration
- access control
- malware protection
- patch management.
To add a further level of assurance we also offer a vulnerability scan against your external perimeter and analyse the issues arising in common, off-the-shelf products. The Cyber Essentials flavour is a respectable starting point that helps protect your digital assets from the perspective of an unauthenticated remote hacker across the internet.
The second, Cyber Essentials Plus, includes all the elements of Cyber Essentials together with an additional review against internal systems including firewalls, laptops, PCs and email gateways. The Cyber Essentials Plus variant is a comprehensive addition, embracing the unauthenticated remote hacker aspect, which includes malicious intent to propagate malware and ransomware threats.
For companies that have not had any security assessment of any kind, I suggest that going through the five Cyber Essentials stages is a comprehensive introduction to cyber assurance.
Michael Minchinton is a security consultant for Digital Assurance
Digital Assurance is CREST- and CESG-accredited. Based in offices in Westminster, it delivers Cyber Essentials certification along with conventional penetration testing services, social engineering campaigns and the odd bit of car hacking just for the heck of it!

For more information visit: digitalassurance.com or phone: 020 7060 9001


IN PARTNERSHIP WITH ATKINS

The threat to digital infrastructure
Despite the risks there is room for optimism, argues Andrew Cooke
What is digital infrastructure?
We have all heard of the digital economy, but perhaps are less familiar with the term "digital infrastructure". It refers to the digitisation of the services that run our critical national infrastructure. It describes our ability to convert physical assets, such as signalling equipment, into digital code run by computers. It also encompasses the increased information systems that capture data about those assets and allow us to run them more efficiently.
With the rapid growth of this digital infrastructure, more services are accessed or delivered online. More and more data is being collected by organisations, about policies, procedures, staff, clients, commercial behaviour and the condition and use of their assets. To exploit the data effectively, it needs to be made available in different geographic and virtual environments and at varying levels of granularity.

What are the risks?
All of this brings great societal benefit but also presents an opportunity for competitors or criminals seeking to profit. Opportunity and threat go hand in hand.
When it comes to a nation's infrastructure, the potential risks go beyond the threat of theft of customer or employee information. As well as more general threats, an infrastructure organisation has to deal with risks to the industrial and process control systems that maintain its daily operations.
Industrial control (or Scada) systems that control power plants, signalling systems and network facilities are increasingly being run across the same internet protocol (IP) networks as customer management systems. These systems have features that make risk more severe and the proximity of the threat greater.
For example, the operational systems that are being accessed across the internet have longer life cycles than the IT equipment that is used to run enterprise client management and accounting systems. As a result, the underlying computer systems are older, and this means that operating systems are potentially no longer supported and vulnerabilities are not patched. Similarly, these systems are operated from the shop floor and system management is carried out on a part-time basis by an infrastructure engineer rather than a dedicated IT professional. Security is a secondary concern to keeping the plant operational.

What can we do about it?
Despite the gloomy assessment, there is cause for optimism. The current focus on renewing or replacing infrastructure means that we have the opportunity to build a secure modern digital infrastructure for future generations.
As we design tomorrow's infrastructure, we need to consider the future needs of our society. These include not only what services are needed but also how the way those services are accessed will change over the whole life of the asset. We can make future digital infrastructure secure by design.
How can we help make this happen?
Infrastructure organisations are experts in understanding the whole-life cost of their assets. This can now be leveraged to ensure security of service delivery.
Taking a digital enterprise asset management (d-EAM) approach allows the design of infrastructure to take account of present and future objectives and the security of the physical and the information assets that deliver organisational and societal objectives. Threat, vulnerability and risk information are linked to the delivery of the organisation's objectives and consequently to the assets that are needed to achieve them. Vulnerability and threat need to be managed on an asset-by-asset basis, to ensure that the threats to the delivery of organisational, and in this case national, objectives are mitigated.
The approach is not exclusively used in the design of new infrastructure and should be used with legacy assets as well. Understanding what is critical to delivering the goals of the organisation means that infrastructure providers can ensure that they secure what needs to be secured and make the information they need accessible.
Protecting digital infrastructure is a matter of understanding the digital asset, its use and value, and making sure that security is at the heart of the way it is designed and exploited.
Andrew Cooke is the client director for infrastructure at Atkins
To find out more, visit: atkinsglobal.com

FACTS AND FIGURES

Security breaches by numbers
- 74% of small businesses experience security breaches, up from 60% a year ago
- 90% of large organisations experience security breaches, up from 81% a year ago
- £1.46m-£3.14m: average cost of worst security breaches to large organisations
- £75k-£311k: average cost of worst security breaches to small businesses
- 50% of worst breaches caused by inadvertent human error

Security breach by type (as shown in the chart)
- Large organisations: staff-related 75%; unauthorised outsider 69%; denial of service attack 30%
- Small organisations: staff-related 31%; unauthorised outsider 38%; denial of service attack 16%

Graphics by Leon Parks; image: Shutterstock
Source: 2015 Information Security Breaches Survey (commissioned by HM Government and conducted by PwC)

It's time to develop your own Cyber Security capabilities
Professional development guidance for senior decision-makers to help them counteract data loss and cyber-attacks. Accredited by leading professional bodies and institutions.
Download our free guide from www.7safe.com/cyber-skills or email contact@7safe.com to see us at IP EXPO (Cyber Security Europe exhibition), 7-8th October, ExCel London

IN PARTNERSHIP WITH (ISC)2

Cyber security skills for a digital future
The connected world offers great promise and heralds fundamental change with new risks, writes Adrian Davis

Awareness of cyber security has risen on the back of high-profile news stories and consumer recognition of the threats. But though everyone is talking, most businesses are still in the early stages of recognising the sheer scale of the task ahead.
Consider this summer's recall of 1.4 million cars by Fiat Chrysler after researchers remotely took control of a Jeep, turning off the engine by using wireless networks and a vulnerability in the vehicle's radio. Similar stories have emerged of compromises with aircraft and washing machines. The accusations fly easily: corporations do not prioritise security, or worse, they wilfully ignore it. It's more likely that the opposite is true.
The onset of the connected world, with an estimated 50 billion devices connected together by 2020, heralds a fundamental change in the way society and its economies are developing. The impact of technology on the way we function is already evolving at an unprecedented rate.
You will hear technology and business-driven innovators alike talk about how the cloud is the new core and mobile devices the new edge. In plain English, they mean that employees and suppliers, from disparate companies, business units and countries, can work together using myriad systems, social networks and business tools (many of which stem from consumer services such as Skype or WhatsApp that no one organisation oversees). And there is no turning back.

(ISC)2 has tracked these trends since 2004. Our most recent study concludes that the changing organisational footprint has left information security professionals, and the organisations they protect, cornered in a reactionary role of addressing security incidents as they occur. There is little opportunity to plan for the future.
Connected cars that analyse driving, fridges that can do the weekly shop, and light and heating systems that can be controlled with an app on a mobile phone are accelerating the pace of change. It's time to help those driving this change work with a much clearer understanding of how it is moving us forward, and where it is leaving us vulnerable.
We need to examine developments in areas such as robotics and health care to evaluate how dependent these fields are on technology and how those dependencies could affect legal and regulatory concerns. This goes much further than the need for technical excellence in forensics, technical analysis or penetration testing.
The call is for a comprehensive effort, one that spans industry and management disciplines, to develop a broad pool of talent capable of reassessing business risk, product and service development requirements, and organisational resilience.
At the moment, such considerations are shouldered by an overburdened cyber security function, straining under a now well-known skills gap in the field.

The current (ISC)2 Global Information Security Workforce Study forecasts a global shortfall of 1.5 million qualified professionals (379,000 in Europe, the Middle East and Africa) by 2020. Many laudable efforts to define apprenticeships, cyber security challenges and other initiatives address focused requirements. That overall push to enhance a breadth of understanding and accountability still eludes us.
As a professional community of nearly 110,000 working in the field, (ISC)2 members are motivated to change this. We have, for example, worked with the Council of Professors and Heads of Computing (CPHC) on curriculum guidelines now incorporated within the accreditation criteria for most computing science degrees in the UK. The aim of this and similar projects is to help those working on that Jeep of the future understand the cyber security concepts that should be a core part of what they do.
The connected world and the digital economy offer great promise. We must be guided, however, by a much broader appreciation for how we must evolve.
Dr Adrian Davis is the managing director for EMEA at (ISC)2, the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with nearly 110,000 members
To find out more, visit: isc2.org


This supplement, and other policy reports, can be downloaded from the NS website at: newstatesman.com/page/supplements