How to tackle the cybersecurity threat

Freelance journalist and copywriter, Textual Healing

June 24, 2019

Research fellow at the University of Oxford and a leading international authority on counter terrorism, counter insurgency and counter piracy, Dr David Sloggett led a lively three-way conversation on evolving cybersecurity threats and attempts to mitigate them.

He was joined by Tim Rawlins, Director & Senior Adviser of NCC Group, global experts in cybersecurity and risk mitigation, and Dr [Danny] Daniel Dresner FInstISP, Academic Coordinator for Cyber Security for the University of Manchester.

Dr Sloggett started the session with a part-fact, part-fiction amalgam of an employee who was a huge cycling fanatic, posting about it on social media, and who succumbed to a malicious email scam because of that and compromised their company’s security as a result.

He then ranged through the spectrum of threats from individuals to governments that include “old viruses still floating around” through to bots created by the IoT to “tit-for-tat” state-actor games involving energy companies and so on.

Cybersecurity threats: evolutionary or revolutionary?

Sloggett then opened up the conversation by asking whether the cybersecurity threat was evolutionary or revolutionary. Tim Rawlins responded that machine learning and AI were being used to defend networks and data but that “the opposition will be using them very soon – it’s a constant arms race.”

One example given was the use of AI-generated photographs to create ‘legends’: “they’re using AI to generate the image and we are using it to spot them.”

As Rawlins would say later about Big Data: “If it’s of value to you, it’s probably of value to someone else”, thereby underlining the determination of bad actors.

“It’s an interesting kind of evolution” said Dresner. “You normally think of older things dying off, but with cybersecurity the old stuff doesn’t die off and so a lot of the basics aren’t being dealt with while the threat is evolving. Security affects everything that we do. Focusing on just the access control paradigm is actually stopping us from evolving a proper, converged and integrated situation.”

Rawlins doubled down on this and warned that “the longer you leave legacy systems around, increasing vulnerabilities, the more damage can be done.” He told a stark tale of how this priority had slipped down the business risk agenda, with the example of a trading firm getting rid of the staff member who was the Linux specialist, unaware that the Linux box was supporting their fast frequency trading until it stopped working!

Secure by Default and Secure by Design were flagged as key to avoiding new systems bringing in new vulnerabilities. These measures put the onus on the manufacturers. Meanwhile, security users can help themselves too. Dresner flagged Cyber Essentials – a kind of 5-a-day for tech users, staying ‘healthy’ by keeping up-to-date. It was at this point that Sloggett asked the audience how many people had updated their phones! Not many. “If you can’t secure your own phone” Sloggett responded, “what chance have we got of securing the internet and everything that is connected to it – which is pretty much everything else!”

Dresner picked up on this to remind everyone that many data breaches and hacks have come from targeting third-party suppliers, so good practice across the board is vital.

A brief word on the cloud

Sloggett then steered the discussion to the cloud and the economic and safety cases for it. Rawlins felt that the former was “irrefutable” adding, “but you have to do it securely. The access and configuration has to be safe.” He added that while you may have given a company your data “the risk stays with you” and flagged that “most cloud environments don’t come with Security by Default ticked all the way through the systems.”

The insider threat: accidental and malicious

The focus then switched to the nature of the insider threat, from a physical and corporate IT point of view. Rawlins distinguished between the accidental insider who might be ‘spear-phished’ and the malicious insider using big data and scraping information from, for example, LinkedIn. On the latter group, Rawlins said that he has reviewed 300 such cases and that “time and time again it came down to poor management.”

“How many of your management training courses cover the insider threat? How many of you have gone to your HR department and explained the threat? It’s still not covered in regular HR training.”

Dresner acknowledged that training was important but added that “there’s a raft of people on minimum wage and you’re expecting them to be the frontline and the support for multi-billion pound assets, and then we are trying to compensate with a few security controls around that, hoping that they will work.”

Before taking questions, Sloggett recommended that people look up ‘Operation Newscaster’ to see just how intricate and sophisticated cyber crime can be.

The threat from within: The IoT

The first question from the floor asked about tech in everyday, connected objects. In his answer, Rawlins invoked a tweet from Jeff Jarmoc, head of security for global business service Salesforce: “In a relatively short time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters.” Rawlins added that the number of items will only get bigger, with 5G etc.

He added: “forget about your minimum viable products and getting that out into the market…we’ve got to get into the design of these items and building security right from the very start, and to see the convergence of physical and cybersecurity.”

Danny Dresner felt that it was incredibly irresponsible of companies to pass security measures on to consumers, e.g. the issue with Samsung advising customers to run antivirus on their smart TVs, “without coming up with a simple way of doing them.”

Dresner has found, anecdotally, that entrepreneurs feel that dangers and problems were “in the words of Douglas Adams, ‘somebody else’s problem’!” He further pointed out that guidelines issued by the Department for Digital, Culture, Media and Sport about cybersecurity and the capabilities of IoT were being considered for becoming mandatory.

“Are we going to have a raft of products that can’t go on the market unless they reach a certain standard of security, or are they going to leave it up to us?” Taking the example of the Mirai botnet, Dresner ended his contribution by asking: “for all of those things that are now in place, how long will they be introducing vulnerabilities for?”

Air gaps and legacy systems

Another delegate asked about air gaps between physical and IT security and whether that was an excuse for having legacy systems. “It is a challenge running security systems over operational IT,” observed Rawlins. He gave the example of IT switching off facilities to update/patch “at exactly the same time as I want to make sure that my CCTV and my access control is still running. There has to be a design plan.”

Danny Dresner said that we will be hearing more and more about ‘virtualisation’: different sorts of virtual machines running on one physical box and being able to have “different containers for different operations.”

The challenge, of course, is to manage the risks around that. “You have to focus on your core business objectives, and what you need to do to protect those and what you need to do to recover them to that state that we used to call business continuity and we now call resilience. And don’t stop there – think about your supply chain as well.”
