Stuart O'Brien, Author at Cyber Secure Forum | Forum Events Ltd - Page 46 of 61
Posts By :

Stuart O'Brien

Security IT Summit 2019 – Everything you need to know…

 960 640 Stuart O'Brien
By:
0
0

The Security IT Summit is a bespoke and highly-targeted one-day event created specifically for senior cyber security professionals like you.

And it’s entirely FREE for you to attend.

Simply register your place here.

When: 2 July 2019

Where: Hilton Canary Wharf, London

Format: Corporate ‘speed-dating’. As our VIP guest, you will be provided with a bespoke itinerary of pre-arranged, 1-2-1 meetings with suppliers relevant to your requirements. A series of seminars will also be hosted throughout the day, and you can network with cyber security professionals who share your challenges. Lunch and refreshments are included with your ticket.

Who Attends: Senior professionals responsible for IT security, including:-

Security Directors

IT Managers, Specialists & Heads of

Compliance Managers

Systems Managers

Network Infrastructure Managers

Information Security Managers

Would you like to join them?

We have just 60 places available so register for your free place here today.

Or for more information, contact Emily Gallagher on 01992 374085 / e.gallagher@forumevents.co.uk.

To attend as a solution provider, call Chris Cannon on 01992 374096 or email c.cannon@forumevents.co.uk.

Semafone warns of stricter checks and invasive auditing for contact centres

 960 640 Stuart O'Brien
By:
0
0

Semafone has called on contact centres to pay heed to changes to the Payment Card Industry Security Standards Council (PCI SSC) guidance for protecting telephone-based payment card data.

Updated for the first time since 2011, the guidance clarifies a number of points relating to compliance with the Payment Card Industry Data Security Standard (PCI DSS).

“Since the guidance was last updated in 2011, new technologies and payment channels are increasing the scope of the cardholder data environment and creating some uncertainty & compliance challenges for contact centres,” said Ben Rafferty, Semafone’s global solutions director and a contributing member of the Special Interest Group (SIG) formed by the PCI SSC to update the guidance. “Drawing on our experience of descoping enterprise contact centres around the globe, we aim to provide advice for anyone securing these critical payment channels.”

The key points of the new guidance, highlighted by Semafone, are as follows:

·        Keep softphones separate. The emergence of VoIP and softphones, which are often connected to the desktop environment processing payments, can result in the entire system becoming “in scope” of PCI DSS and subject to its stringent controls. As a result, it is strongly recommended that contact centres fully segment their data and telephony networks.

·        Any cardholder data captured in call recordings brings more checks than ever. Qualified Security Assessors (QSAs) now have clear guidelines regarding call recordings and the capture of sensitive card details. Both manual and automated “pause and resume” systems, whereby recording is briefly stopped, are deemed to run the risk of accidentally capturing these details. If a contact centre is using either of these solutions, QSAs can demand extensive evidence of measures to protect sensitive data. Multi-factor authentication controls need to be added to call recording solutions, as well as to storage and search tools, and QSAs are empowered to conduct invasive auditing to ensure that additional controls have been put in place effectively.

·        Third-party service providers are in scope if they provide more than a dial tone. The new guidance specifies that any call service, from a “transfer” to a “call recording”, that is provided by a third party, will bring that provider into scope of the PCI DSS. The only service that is exempt is a simple voice communications connection, or “dial tone”.

·        Devices that control Session Initiation Protocol (SIP) Redirection are in PCI DSS scope The new guidance recognises that redirecting a call to a secured line, just for the payment process itself, exposes it to a potential risk of interception or diversion by hackers. As a result, all such devices, on or offsite, controlling redirection are vulnerable and therefore fall into the scope of PCI DSS and are subject to the full range of controls.

·        Removing the card data from the contact centre is the only secure solution. Lastly, the updated guidance recommends scope reduction techniques and technologies, including managed and unmanaged dual-tone multi-frequency (DTMF) masking solutions. These remove cardholder data and other personal information from the contact centre environment. Callers enter their card numbers via their telephone keypad, remaining in full communication with the agent throughout. The DTMF key tones are masked with flat bleeps, so they cannot be identified by their sound. This prevents any sensitive card information form coming into contact with the agent, with call recording technology and with any other desktop applications. The card data is sent directly to the payment processor, bypassing the contact centre completely.

“When working with clients looking to attain PCI DSS compliance, the telephone payment channel is the most challenging to address for several reasons,” said Wayne Murphy, a QSA with Sec-1 and contributing member of the SIG. “Contact centre agents often need access to single business systems, which are accessible by all departments within an organisation, bringing most of the business into scope for PCI DSS assessment activities. Plus, integration with VoIP systems make it nearly impossible to simplify the current payment channel to reduce scope.”

Healthcare IT leaders outline cyber security concerns

 960 640 Stuart O'Brien
By:
0
0

Healthcare IT leaders are increasing their spending to defend against cyberattacks and feeling anxiety about Apple, Amazon and Google entering the health care space.

That’s according to a new report from the US-based Center for Connected Medicine (CCM) entitled Top of Mind for Top Health Systems 2019, which focuses on three areas of health IT set to impact health systems next year, namely Cybersecurity, Telehealth, and Interoperability.

Key findings of the report include:

  • Hackers and other cyber-criminals are stepping up their attacks on the health care industry, leading 87 percent of respondents to say they expect to increase spending on cybersecurity in 2019; no health system was expecting to decrease spending.
  • Health IT leaders overwhelmingly expect government and commercial reimbursement to provide the majority of funding for telehealth services by 2022; internal funding and patient payments are expected to provide the majority of funding for telehealth in 2019.
  • 70 percent of responding executives said they were “somewhat concerned” about big tech companies, such as Apple, Amazon and Google, disrupting the health care market; 10 percent were “very concerned.”

The US health care industry was hit with 2,149 breaches comprising a total of 176.4 million records between 2010 and 2017, according to a study published in JAMA Network in September 2018. And the number of data breaches increased in almost every year, starting with 199 in 2010 and ending with 344 in 2017.

The findings are based on quantitative and qualitative surveys of C-suite executives at nearly 40 US health systems. The research was conducted by the Health Management Academy in partnership with the CCM.

UK Government cyber security efforts ‘lack clear political leadership’

 960 640 Stuart O'Brien
By:
0
0

The cyber threat to the UK’s critical national infrastructure (CNI) is as credible, potentially devastating and immediate as any other threat faced by the UK, according to the Joint Committee on the National Security Strategy.

The Committee’s latest report says the Government is not acting with the urgency and forcefulness that the situation demands, with the UK’s CNI a natural target for a major cyber attack because of its importance to daily life and the economy.

The Report on Cyber Security of the UK’s Critical National Infrastructure says that as some states become more aggressive and non-state actors such as organised crime groups become much more capable, the range and number of potential attackers is growing.

In fact, the head of the National Cyber Security Centre has said that a major cyber attack on the United Kingdom is a matter of ‘when, not if’.

The state-sponsored 2017 WannaCry attack greatly affected the NHS even though it was not itself a target and demonstrated the potential significant consequences of attacks on UK infrastructure.

Ministers have acknowledged that more must be done to improve the cyber resilience of CNI and the Government has taken some important steps in the two years since the National Cyber Security Strategy was published.

It set up the National Cyber Security Centre as a national technical authority, but the Joint Committee says its current capacity is being outstripped by demand for its services.

The Joint Committee added that while a tightened regulatory regime, required by an EU Directive that applies to all member states, has been brought into force for some, but not all, CNI sectors, it will not be enough to achieve the required leap forward across the thirteen CNI sectors (including energy, health services, transport and water).

Chair of the Committee, Margaret Beckett MP, said: “We are struck by the absence of political leadership at the centre of Government in responding to this top-tier national security threat.

“It is a matter of real urgency that the Government makes clear which Cabinet Minister has cross-government responsibility for driving and delivering improved cyber security, especially in relation to our critical national infrastructure.

“There are a whole host of areas where the Government could be doing much more, especially in creating wider cultural change that emphasises the need for continual improvement to cyber resilience across CNI sectors.

“My Committee recently reported on the importance of also building the cyber security skills base.

“Too often in our past the UK has been ill-prepared to deal with emerging risks.

“The Government should be open about our vulnerability and rally support for measures which match the gravity of the threat to our critical national infrastructure.”

GUEST BLOG: People and processes are key to effective cyber security

 960 640 Stuart O'Brien
By:
0
0

Alan Calder Founder and Executive Chairman at IT Governance

Cyber security investment continues to spiral, with Gartner predicting global security spend will reach £71.72 billion by the end of the year, as a result of regulatory change, mindset and a growing awareness of threats.

And with over 40 per cent of UK businesses experiencing some form of cyber security attack or breach in the last 12 months, with the attendant cost and reputational damage, it is easy to see how information security teams can argue for ever higher budgets.

But is handing over another tranche of cash really the most effective route to cyber resilience? Look closely at any recent high profile breach and the hack was not achieved through bypassing top of the line security technology but by identifying weaknesses within processes and staff. Whilst technology certainly has its part to play in a business’ overall cyber security strategy, people and processes actually have a much more significant role in ensuring a business is protected. From management commitment to strategic risk assessment to process change and employee awareness, as Alan Calder Founder and Executive Chairman, IT Governance argues, organisations need to reconsider security and rapidly onboard the skills required to achieve this three-fold approach to mitigating cyber risk.

Weakest Link

No organisation is immune to the threat of a cyber attack, especially as the types and methods of attack become increasingly more sophisticated. Given the enormous cost associated with breach, from regulatory fines to lost customers and compromised supplier relationships, this is clearly on the board’s agenda.  Unfortunately, most boards would rather commit to hiking the security budget than take the steps actually required to improve cyber resilience: namely, get involved.

According to the ISO 27001 security standard, board level commitment is an essential requirement – yet this is a message that the CIO or CISO is finding hard to get across. Most senior level individuals perceive that cyber security is too complex and too technical to have a place in any board meeting. Yet this attitude underlines a patent lack of understanding of the cyber criminal: it is not all about incredibly complex and sophisticated threats, attackers will aim at the weakest link in an organisation’s security posture – its people.

People are a risk because they will forget passwords, make errors, click on phishing emails or access web sites loaded with malware. It is not malicious – in the main – but it is a huge problem.  The fact is that the vast majority of breaches are linked to human error – and more often than not, the cause is ill considered processes and education, not inadequate security solutions.

Proving the Point

The massive data breach at Sony came about as a result of hackers getting access to the list of passwords written in plain text, essentially an open door to an extraordinary raft of sensitive information; while at Morrison’s, it was a disgruntled employee who was able to upload the details of 99,998 staff, including bank account details, salary information, dates of birth, National Insurance numbers, addresses and phone numbers, to data sharing websites.  Having spent more than £2 million tackling the breach, the High Court ruled the supermarket was vicariously liable because the individual was acting in the course of his employment when he leaked the information online.

A lack of management understanding of risk also contributes to technology and process compromises that create unacceptable exposure. The WannaCry ransomware attack that ravaged so many businesses in 2017 is a prime example of poor processes – in this case, failing to update software, creating huge vulnerabilities. The attack affected companies globally, although in the UK the media brunt was borne by the NHS, which estimates a cost of £92 million to recover damaged IT equipment; although it has made no public acknowledgement of the cost to patients’ health as a result of cancelled operations and missed diagnoses.

While these events clearly focus management attention on the escalating risk created by cyber security, none of these organisations had failed to invest in security hardware or software. What they had overlooked was that a cyber resilient business is underpinned by highly effective processes and a highly aware and educated staff.

New Information Security Culture

User awareness and education is a huge component of a cyber resilient organisation. Simple steps such as teaching employees to recognise a phishing email or spot a rogue Wi-Fi hotspot at the café, station or conference centre, can radically reduce incidents. But this is just the start: user awareness and training must be part of a complete resilience process.

Continually testing staff awareness – by sending phishing emails and following up with additional training to those who mistakenly click on the email – is essential, but staff also need to know what to do if they do click on a phishing email by mistake. And that means the company needs to put in place a clearly defined process that encompasses everything from ensuring users recognise the importance of immediately notifying the incident response team, to locking down the device and removing it from the network, and critically, undertaking an assessment to determine whether the incident has created a regulatory reportable breach.

In addition to improving awareness and understanding, it is also important to make life easy for the user.  While IT has become obsessed with the concept of complex passwords changed every sixty to ninety days, for the user the only option is to write these down – or continually waste time calling the help desk for a reset.  How much more effective to opt for single sign in and passwords changed only when the user perceives a risk? Or once a year? Not only does the business lose the massive risk associated with passwords written down everywhere, but the help desk calls plummet – and the IT team has time to fix the gaping security hole left by the disturbing number of network devices still operating on easily breached default settings!

Security Standards

This people and process model is at the heart of the global ISO 27001 security standard – a standard which in this post GDPR era is prompting increasing interest as a way of demonstrating the security provision in place should a breach occur. And, to circle back to where we came in, this is where the board needs to get involved: ISO 27001 states that management must be engaged in the information security management process; they must lead by example and provide clear guidance to the organisations on issues such as risk management. That means that security is not just a line on the budget and a chance to pass the buck to the information security management team; the board must actively discuss and consider security policy is certification is to be achieved.

And, to be frank, the board should be actively involved. The creation of a cyber resilience framework is key not only to reducing the likelihood of a breach but also to ensure systems can get back up and running as quickly as possible to minimise business disruption – and that framework is ultimately defined and directed by a corporate understanding of risk.

Simply accepting an ever increasing security cost is not enough. It is not until the board has discussed and agreed upon the risk appetite, which will vary significantly between organisations, that the business can begin to take the correct steps towards managing information security – and that means investing in the right skills to define and implement new processes and staff awareness.

Ransomware and phishing top concerns for IT professionals

 960 640 Stuart O'Brien
By:
0
0
Ransomware (24%) and phishing attacks (21%) are the top two concerns among IT leaders in 2018, according to new research.
Barracuda surveyed more than 1,500 IT and security professionals in North America, EMEA, and APAC about their IT security priorities, how these have shifted over the 15 years and what is expected to change within another 15 years.
Other key finding include:
  • In 2003, viruses (26%) and spam and worms (18%) were noted as the top two threats
  • In 2003 only 3% identified cloud security as a top priority. This number has gone up to 14% in 2018
  • 43% identified AI and machine learning as the development that will have the biggest impact on cyber security in the next 15 years
  • 41% also believe the weaponisation of AI will be the most prevalent attack tactic in the next 15 years

Overall, Barracuda says study indicates that while the top security priorities have remained consistent over the past 15 years, the types of threats organisations are protecting against has shifted significantly.

Looking ahead, respondents believe that the cloud will be a higher priority 15 years in the future and that AI will be both a threat and an important tool.

A full 25 percent of respondents said email was their top security priority in 2003, and 23 percent said the same about their current priorities.

Network security came in a close second for both 2003 and 2018 priorities, with 24 percent and 22 percent respectively.

31 percent of respondents chose AI as the new technology that they will rely on to help improve security, and 43 percent identified the increasing use of artificial intelligence and machine learning as the development that will have the biggest impact on cyber security in the next 15 years.

On the other hand, 41 percent believe the weaponisation of AI will be the most prevalent attack tactic in the next 15 years.

“Artificial intelligence is technology that is top of mind for many of the IT professionals we spoke with — both as an opportunity to improve security and as a threat,” said Asaf Cidon, VP email security at Barracuda. “It’s an interesting contrast. We share our customers’ concern about the weaponization of AI. Imagine how social engineering attacks will evolve when attackers are able to synthesize the voice, image, or video of an impersonated target.”

Do you provide Anti-Malware solutions to business? We want to hear from you!

 960 640 Stuart O'Brien
By:
0
0

Each month on IT Security Briefing we’ll be shining the spotlight on a different part of the cyber security market – in December we’re focussing on Anti-Malware solutions.

It’s all part of our ‘Recommended’ editorial feature, designed to help IT security buyers find the best products and services available today.

So, if you’re a Anti-Malware specialist and would like to be included as part of this exciting new shop window, we’d love to hear from you – for more info, contact Stuart O’Brien on stuart.obrien@mimrammedia.com.

Security IT Summit 2019 – Register now for FREE!

 960 640 Stuart O'Brien
By:
0
0

Registration has opened for the Security IT Summit – the unique one-day event for senior cyber security professionals.

It takes place on July 2nd 2019 at the Hilton Canary Wharf, London and is entirely free to attend.

Simply register your place here and enjoy the following benefits:

  • Talk face-to-face with innovative and budget-saving suppliers for a series of pre-arranged meetings.
  • Attend insightful and inspirational seminar sessions.
  • Network with like-minded peers.
  • Complimentary lunch and refreshments.

We have just 60 places available so register for your free place here today.

Or for more information, contact Emily Gallagher on 01992 374085 / e.gallagher@forumevents.co.uk.

To attend as a solution provider, call Chris Cannon on 01992 374096 or email c.cannon@forumevents.co.uk.

IT employment landscape dominated by AI & cybersecurity

 960 640 Stuart O'Brien
By:
0
0

Nearly one in three organisations plans to increase their IT staff in 2019, with AI and cybersecurity top of the list of skills required.

The 2019 State of IT report from Spiceworks surveyed 1,000 tech professionals in businesses across North America and Europe, and also found that one in four IT pros plans to seek new employment; with millennials are most likely to job hop.

Behind cybersecurity skills, AI tech expertise is the number two skill large enterprises are seeking, while job-hopping IT pros are primarily seeking better salaries and opportunities to advance their IT skills.

The report also found that while 29% of companies plan to increase their IT staff in 2019, most companies (59%) aren’t planning to build up their IT staff next year.

However, Spiceworks says that doesn’t necessarily mean they’re not hiring at all. For example, some companies may be focused on backfilling positions formerly held by IT pros who may have left the building in search of greener pastures.

When comparing the data by company size, enterprises with 1,000+ employees are more likely to increase their IT staff next year than their smaller counterparts – the reports suggests this is because larger companies have more IT needs and data assets to manage, and they’re more likely to increase their tech spend in 2019 too.

IT security/cybersecurity skills are most sought after among companies planning to shore up IT staffing levels next year. When comparing the data by company size, it’s clear large enterprises (5,000+ employees) are more likely to seek AI expertise than their smaller counterparts. In fact, it’s the number two skill they’re looking for after security know-how.

On the other hand, midsize companies (500 to 999 employees) are more likely to seek candidates with DevOps skills. Smaller companies are more likely to prioritise hiring IT pros with end user hardware and infrastructure expertise. This finding comes as small businesses plan to significantly boost their hardware budgets in 2019.

In 2019, 26% of IT pros plan to find a new employer, 8% plan to leave the IT field for a new career, 6% plan to move into IT consulting, and 5% plan to retire.

However, job plans vary significantly by age. For example, 33% of millennial IT pros plan to seek new employment in 2019, compared to 26% of Gen X and 13% of baby boomers. Millennials are also more likely to expect a raise and promotion, while unsurprisingly, baby boomer IT pros are most likely to retire in 2019.

Additionally, when comparing the data by gender, Spiceworks says it’s worth noting that women are more likely to expect a promotion next year: 25% of female IT pros expect a promotion in 2019 compared to 14% of male IT pros. However, men are slightly more likely to anticipate a raise… 37% of men expect a raise next year compared to 33% of women.

Job plans also vary by region. For example, in the UK specifically, 38% of IT pros plan to find a new employer next year, compared to the 28% average in Europe and 24% in North America. Spiceworks speculates that this is because digital tech jobs are on the rise in the UK, which means more job opportunities for IT pros (and more temptation to job hop). In fact, according to the 2018 Tech Nation Report, UK employment in the digital tech sector increased by 13% between 2014 and 2017.

“Companies looking to maximize efficiencies and grow profits understand the potential artificial intelligence has to automate tasks and reduce the cost of doing business,” Peter Tsai, Senior Technology Analyst at Spiceworks. “But to effectively deploy and manage AI-enabled tech, organisations need workers with relevant AI skillsets and experience. And large enterprises, which often have resources dedicated to R&D, are already ahead of the game when it comes to experimenting with and getting value out of AI.”

Symantec snaps up Javelin and Appthority

 960 640 Stuart O'Brien
By:
0
0

Symantec has confirmed the acquisitions of Javelin Networks and Appthority as it looks to bolster its directory-based attack and mobile app vulnerability solutions.

Israel-based Javelin Networks is a privately held company that offers software to defend enterprises against Active Directory-based attacks, with Symantec saying that Microsoft Active Directory (AD) services have become an increasingly popular target for attackers using AD reconnaissance to discover the users, servers and computers in an enterprise network and then move laterally across the network using this information to carry out multi-stage attacks.

Recently, multiple major advanced persistent threat (APT) campaigns have used AD credentials to move laterally in the network beginning with a single compromised endpoint. This challenge is pervasive, as a large number of enterprises worldwide use AD services to manage their users, applications, and computers.

The Javelin Networks team and its technology will become part of Symantec’s endpoint security business.

Appthority, meanwhile, is a privately held company that offers Mobile Application Security Analysis. Symantec says the technology will give its customers the ability to analyse mobile apps for both malicious capabilities and unsafe and unwanted behaviours, such as vulnerabilities, risk of sensitive data loss, and privacy-invasive actions.

Prior to the acquisition, Appthority was a Symantec Ventures portfolio company.

“Mobile apps are a critical threat vector that every company must address to protect their enterprise security,” said Adi Sharabani, SVP, Modern OS Security. “The Appthority technology extends SEP Mobile’s capabilities in limiting unwanted app behaviors, supporting regulatory compliance, and assessing vulnerabilities.”