Certes Networks Archives - Cyber Secure Forum | Forum Events Ltd
Posts tagged: Certes Networks

Protecting data irrespective of infrastructure 

Guest Post

The cyber security threat has risen so high in recent years that most companies globally now accept that a data breach is almost inevitable. But what does this mean for the data protection and compliance officers, as well as senior managers, now personally liable for protecting sensitive company, customer and partner data?

Investing in security infrastructure is not enough to demonstrate compliance in protecting data. Software Defined Wide Area Networks (SD WAN), firewalls and Virtual Private Networks (VPN) play a role within an overall security posture, but they are infrastructure solutions and do not safeguard data. What happens when the data crosses outside the network to the cloud or a third-party network? How is the business data on the LAN side protected if an SD WAN vulnerability or misconfiguration is exploited? What additional vulnerability is created by relying on the same network security team to both set policies and manage the environment, in direct conflict with Zero Trust guidance?

The only way to ensure the business is protected and compliant is to abstract data protection from the underlying infrastructure. Simon Pamplin, CTO, Certes Networks, insists it is now essential to shift the focus, stop relying on infrastructure security and use Layer 4 encryption to proactively protect business sensitive data irrespective of location…

Acknowledging Escalating Risk

Attitudes to data security need to change fast because today’s infrastructure-led model is creating too much risk. According to IBM’s 2022 Cost of a Data Breach report, 83% of the organisations studied had suffered more than one breach; a breach is no longer treated as a one-off event. Given this, the question has to be asked: why are businesses still reliant on a security posture focused on locking the infrastructure down?

Clearly that doesn’t work. While not every company will experience the catastrophic impact of the four-year-long data breach that ultimately affected 300 million guests of Marriott Hotels, attackers are routinely spending months inside businesses looking for data. In 2022, it took an average of 277 days—about nine months—to identify and contain a breach. Throughout this time, bad actors have access to corporate data; they have the time to explore and identify the most valuable information. And the chance to copy and/or delete that data – depending on the attack’s objective.

The costs are huge: the average cost of a data breach in the US is now $9.44 million ($4.35 million is the global average). From regulatory fines – which are increasingly punitive across the globe – to the impact on share value, customer trust, even business partnerships, the long-term implications of a data breach are potentially devastating.

Misplaced Trust in Infrastructure

Yet these affected companies have ostensibly robust security postures. They have highly experienced security teams and an extensive investment in infrastructure. But they have bought into the security industry’s long-perpetuated myth that locking down infrastructure, using VPNs, SD WANs and firewalls, will protect a business’s data.

As breach after breach has confirmed, relying on infrastructure security fails to provide the level of control needed to safeguard data from bad actors. For the vast majority of businesses, data is rarely restricted to the corporate network environment. It is in the cloud, on a user’s laptop, on a supplier’s network. Those perimeters cannot be controlled, especially for any business that is part of supply-chain and third-party networks. How does Vendor A protect third-party Supplier B when the business has no control over their network? Using traditional, infrastructure-dependent security, it can’t.

Furthermore, while an SD WAN is a more secure way of sending data across the Internet, it only provides control from the network egress point to the end destination. It provides no control over what happens on an organisation’s LAN side, and it cannot prevent data being forwarded on to another location or person. SD WAN vulnerabilities and misconfigurations also add breach risk that leaves the data exposed, as the public CVEs (Common Vulnerabilities and Exposures) listed on most SD WAN vendors’ websites show. And while SD WANs, VPNs and firewalls use IPsec for encryption, their approach to key management is flawed: the encryption keys and the network they protect are managed by the same group, in direct contravention of the zero trust principle of separation of duties.

Protect the Data

It is, therefore, essential to take another approach, to focus on protecting the data. By wrapping security around the data, a business can safeguard this vital asset irrespective of infrastructure. Adopting Layer 4, policy-based encryption ensures the data payload is protected for its entire journey – whether it was generated within the business or by a third party.

If it crosses a misconfigured SD WAN, the data is still safeguarded: it is encrypted, making it valueless to any hacker. However long an attack may continue, however long an individual or group can be camped out in the business looking for data to use in a ransomware attack, if the sensitive data is encrypted, there is nothing to work with.

Because only the payload is encrypted and the header data remains in the clear, network services and applications see minimal disruption, and troubleshooting an encrypted network is easier. The trade-off is that addresses, ports and traffic volumes stay visible: this approach protects the content of the traffic, not the fact that it exists.
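As an added illustration, not code from the article or from Certes Networks: the following Go program shows what “encrypt the Layer 4 payload, leave the headers in the clear” looks like on the wire for IPv4/TCP, and how the policy and the key can sit with a team that never touches the network. The cipher (AES-GCM), the packet layout (nonce, ciphertext, tag in place of the original payload), the port-based policy and the sample packet are assumptions made for the example; the article names none of them.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Protector holds the policy (TCP destination ports whose payload is encrypted)
// and the AES-GCM key. In the model the article describes, the data-security
// team owns both; the team that administers the network holds neither.
type Protector struct {
	aead  cipher.AEAD
	ports map[uint16]bool
}

func NewProtector(key []byte, ports map[uint16]bool) (*Protector, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Protector{aead: aead, ports: ports}, err
}

// parse splits an IPv4/TCP packet into headers and payload and reports whether
// the policy covers its destination port.
func (p *Protector) parse(pkt []byte) (ip, tcp, payload []byte, covered bool, err error) {
	if len(pkt) < 20 || pkt[0]>>4 != 4 || pkt[9] != 6 {
		return nil, nil, nil, false, errors.New("expected an IPv4/TCP packet")
	}
	ihl, total := int(pkt[0]&0x0f)*4, int(binary.BigEndian.Uint16(pkt[2:]))
	if ihl < 20 || ihl+20 > total || total > len(pkt) {
		return nil, nil, nil, false, errors.New("bad IPv4 lengths")
	}
	doff := int(pkt[ihl+12]>>4) * 4
	if doff < 20 || ihl+doff > total {
		return nil, nil, nil, false, errors.New("bad TCP data offset")
	}
	ip, tcp, payload = pkt[:ihl], pkt[ihl:ihl+doff], pkt[ihl+doff:total]
	return ip, tcp, payload, p.ports[binary.BigEndian.Uint16(tcp[2:])], nil
}

// csum is the ones-complement Internet checksum (RFC 1071) over the slices.
func csum(parts ...[]byte) uint16 {
	b := append(bytes.Join(parts, nil), 0) // trailing zero pads an odd length
	var sum uint32
	for i := 0; i+1 < len(b); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(b[i:]))
	}
	for sum>>16 != 0 {
		sum = sum&0xffff + sum>>16
	}
	return ^uint16(sum)
}

// rebuild reassembles a packet around a new payload, touching only the IPv4 total
// length and the two checksums. Addresses, ports, flags and sequence numbers stay
// as they were, which is what keeps the headers usable for routing and diagnosis.
func rebuild(ip, tcp, payload []byte) []byte {
	ip, tcp = append([]byte(nil), ip...), append([]byte(nil), tcp...)
	binary.BigEndian.PutUint16(ip[2:], uint16(len(ip)+len(tcp)+len(payload)))
	ip[10], ip[11] = 0, 0
	binary.BigEndian.PutUint16(ip[10:], csum(ip))
	pseudo := make([]byte, 12) // src, dst, zero, protocol, TCP length
	copy(pseudo, ip[12:20])
	pseudo[9] = 6
	binary.BigEndian.PutUint16(pseudo[10:], uint16(len(tcp)+len(payload)))
	tcp[16], tcp[17] = 0, 0
	binary.BigEndian.PutUint16(tcp[16:], csum(pseudo, tcp, payload))
	return bytes.Join([][]byte{ip, tcp, payload}, nil)
}

// flowAAD binds the ciphertext to the flow's addresses and ports, so a payload
// spliced into a different connection fails authentication.
func flowAAD(ip, tcp []byte) []byte { return bytes.Join([][]byte{ip[12:20], tcp[:4]}, nil) }

// Protect replaces the payload of an in-policy packet with nonce || ciphertext ||
// tag. Out-of-policy packets come back unchanged; malformed ones with an error.
func (p *Protector) Protect(pkt []byte) ([]byte, error) {
	ip, tcp, payload, covered, err := p.parse(pkt)
	if err != nil || !covered {
		return pkt, err
	}
	nonce := make([]byte, p.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return rebuild(ip, tcp, p.aead.Seal(nonce, nonce, payload, flowAAD(ip, tcp))), nil
}

// Unprotect reverses Protect; an altered or replayed payload is rejected, not forwarded.
func (p *Protector) Unprotect(pkt []byte) ([]byte, error) {
	ip, tcp, sealed, covered, err := p.parse(pkt)
	if err != nil || !covered {
		return pkt, err
	}
	ns := p.aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed payload too short")
	}
	payload, err := p.aead.Open(nil, sealed[:ns], sealed[ns:], flowAAD(ip, tcp))
	if err != nil {
		return nil, err
	}
	return rebuild(ip, tcp, payload), nil
}

// Sample is a constructed packet, 10.0.0.1:40000 -> 10.0.0.2:5432, PSH|ACK.
var Sample = rebuild(
	[]byte{0x45, 0, 0, 0, 0x1c, 0x46, 0x40, 0, 64, 6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2},
	[]byte{0x9c, 0x40, 0x15, 0x38, 0, 0, 0, 1, 0, 0, 0, 0, 0x50, 0x18, 0xff, 0xff, 0, 0, 0, 0},
	[]byte("SELECT card_number FROM customers"))

func main() {
	p, err := NewProtector(bytes.Repeat([]byte{0x42}, 32), map[uint16]bool{5432: true}) // demo key
	if err != nil {
		panic(err)
	}
	out, _ := p.Protect(Sample)
	fmt.Printf("in : %x\nout: %x\n", Sample, out)
	back, err := p.Unprotect(out)
	fmt.Println("round trip:", err == nil && bytes.Equal(back, Sample))
}
```

Run it and compare the two hex dumps: addresses, ports, flags and sequence numbers are identical, the IPv4 total length and both checksums are recomputed, and only the payload bytes differ. The ciphertext is bound to the flow’s addresses and ports, so a payload replayed into another connection is rejected rather than delivered. Note also what stays visible to anyone on the path: who is talking to whom, on which port, and roughly how much; the construction hides content, not metadata.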

This mindset shift protects not only the data and, by extension, the business, but also the senior management team responsible – indeed personally liable – for security and information protection compliance. Rather than placing the burden of data protection onto network security teams, this approach realises the true goal of zero trust: separating policy-setting responsibility from system administration. The security posture is defined from a business standpoint, rather than a network security and infrastructure position – and that is an essential and long overdue mindset change.

Conclusion

This mindset change is becoming critical – from both a business and regulatory perspective. Over the past few years, regulators globally have increased their focus on data protection. From punitive fines, up to the European Union’s General Data Protection Regulation (GDPR) maximum of €20 million or 4% of global annual turnover, whichever is higher, to the risk of imprisonment under newer regimes in China and the Middle East, there is clear global recognition that data loss has a material cost to businesses.

Until recently, however, regulators have not been prescriptive about the way in which that data is secured – an approach that has allowed the ‘lock down infrastructure’ security model to continue. This attitude is changing. In North America, new laws demand encryption between utilities’ command-and-control centres to safeguard national infrastructure. This approach is set to expand as regulators and businesses recognise that the only way to safeguard data crossing increasingly dispersed infrastructures, from SD WAN to the cloud, is to encrypt it – and do so in a way that doesn’t impede the ability of the business to function.

It is now essential that companies recognise the limitations of relying on SD WANs, VPNs and firewalls. Abstracting data protection from the underlying infrastructure is the only way to ensure the business is protected and compliant.

SASE – The risk of over-rationalising

Stuart O'Brien

Chief Information Security Officers (CISOs) are being encouraged to build a Secure Access Service Edge (SASE) migration plan to create a robust Zero Trust architecture, while also consolidating the security vendor suite. Yet, while the concept of single-vendor SASE solutions may appear to meet goals for rationalising security costs and complexity, it creates untenable risks for any organisation operating in a high-assurance industry. Paul German, CEO, Certes Networks, explains why a best-of-breed SASE framework delivered by a single Managed Service Provider is key to de-risking SASE for high-assurance companies…

Trusted Framework

Secure Access Service Edge (SASE) is the future, according to market research analysts including Gartner, which predicts that by 2025 at least 60% of enterprises will have explicit strategies and timelines for SASE adoption encompassing user, branch and edge access, up from 10% in 2020. Bundling multiple security capabilities into a single deliverable, SASE deployments include Software Defined Wide Area Network (SD-WAN) connectivity, Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA), Firewall-as-a-Service and Secure Web Gateway.

But while vendors are beginning to flood to the market with branded ‘SASE solutions’, there is a degree of confusion about SASE that is adding significant operational risk, especially to organisations in highly regulated industries, where data sensitivity combined with the threat landscape demands a far more robust approach.

One of the touted benefits of the SASE framework is the opportunity to address the challenges created by a patchwork of vendors and policies deployed incrementally, often over many years, in response to evolving security threats. The result has often led to complexity for both users and administrators, with different product lifecycles creating both confusion and potential weakness within the security posture. SASE is viewed as a pragmatic security model that provides an opportunity to rationalise and consolidate vendors to reduce complexity and potentially cut costs.

High Assurance Risk

For smaller organisations and those in un- or lightly regulated industries, single-vendor SASE is a viable option. It provides a clear security framework and, with a single contract and single console, an organisation has a complete view of its security posture in one place, most likely for the very first time. For those organisations operating in regulated industries, including government, finance, critical national infrastructure and healthcare, however, single-vendor SASE creates an unacceptable risk – and one that no CISO should countenance.

A key point is that no vendor can offer best of breed technology across the entire SASE solution, which means organisations will by default compromise the quality of technology in one or more areas. Far more concerning, though, is the risk created by the single source of all security components: one of the many benefits of SASE is its delivery as a cloud orchestrated service, but if there is any vulnerability within the single SASE product set, it will affect every part of the framework, every part of the infrastructure.

In contrast, a SASE framework built upon individual, best-of-breed suppliers for each part of the solution increases the end-to-end quality of the SASE deployment. Furthermore, the inevitable overlap between supplier solutions further reduces risk by adding redundancy – if one firewall is compromised, for example, another part of the SASE solution will likely include functions that provide some degree of protection to safeguard the enterprise. Critically, by implementing a solution based on multiple vendors, an organisation avoids the risk associated with a single code base, minimising the chance of one vulnerability affecting the entire security stack.

SASE without Compromise

SASE is becoming an increasingly important security model for businesses of all sizes, in all industries. But there never has been a security silver bullet. While a single vendor approach creates too much risk for high assurance businesses, the concept of SASE as a framework with all of the key components built in is absolutely the right approach. The goal is to find a solution that integrates best of breed security components from multiple vendors to de-risk the security posture, while also delivering the benefits of a single managed solution, including consolidated security dashboard, from one organisation.

Just Say Yes – Why CISOs must now embrace SD-WAN

Stuart O'Brien

Digital Transformation has become a business imperative, yet rather than pulling together to enable essential change, the friction between network and security teams is increasing. The business needs to move away from data centres and traditional Wide Area Networks (WAN) to exploit the cost, flexibility and agility provided by the cloud and Software Defined WANs (SD-WAN).

Chief Information Security Officers (CISOs), especially those working in regulated industries, insist the risks associated with public infrastructure are too high. Stalemate.

Until now. Organisations are pressing ahead with Digital Transformation plans and excluding the CISO from the conversation. But at what cost? Who is assessing the implications for regulatory compliance? At what point will the Chief Risk Officer prohibit the use of the SD-WAN for sensitive data, leaving the business running legacy and new infrastructure side by side, fundamentally undermining the entire Digital Transformation project? A new attitude is urgently required, one based on collaboration, understanding and a recognition that a Zero Trust security posture can safeguard even the most sensitive data, while unlocking all the benefits associated with SD-WAN.

As Simon Hill, Head of Legal & Compliance, Certes Networks insists, it is time for CISOs to take a lead role in the Digital Transformation process – or risk being side-lined for good.

Accept Change

CISOs need to face up to the fact that Digital Transformation is happening – with or without them. Organisations need to embrace the agility, flexibility and cost benefits offered by the cloud, by Software as a Service and, critically, the shift from expensive WAN technology to SD-WAN. For CISOs, while the migration to SD-WAN extends the attack surface and adds unacceptable data exposure, saying no is not an option any more. CISOs risk being left out of the Digital Transformation loop – and that is not only adding significant corporate risk but also compromising the expected benefits of this essential technology investment.

Network and IT teams are pressing ahead, insisting the risk is acceptable. How do they know? For any organisation, this is a dangerous compromise: critical risk decisions are being taken by individuals who have no understanding of the full implications. For those organisations operating in regulated industries, these decisions could result in exposure to tens, even hundreds, of millions of dollars in penalties.

Failure to embed security within the initial Digital Transformation strategy is also compromising progress. What happens when the CISO or Chief Risk Officer discovers the business is in the process of migrating from the old WAN to a new SD-WAN environment? Suddenly the brakes are on, and the call is for sensitive data to be encrypted before it hits the network. Adding Internet Protocol Security (IPsec) tunnels will degrade performance – so the business is then stuck using the legacy WAN for data connectivity while still paying for the SD-WAN and failing to gain any of the agility or cost benefits. More frustration. More friction between teams that should be working together to support business goals.

Drive Change

Security is a fundamental component of Digital Transformation – indeed of corporate operating strategy. Rather than avoiding change, CISOs have a responsibility not only to secure the organisation but proactively advocate change, with security as the key enabler of Digital Transformation.

Digital Transformation does not by default create an inherently insecure environment – but it will require organisations to, somewhat belatedly, embrace a Zero Trust model. It has been clear for many years that there is no correlation between ownership and trust. Just because a company owns infrastructure and assets does not automatically imply total trust over data security. Similarly, infrastructure outside the business is not inherently untrustworthy. The key is to build trust into a secure overlay to protect data that will allow a business to operate across any infrastructure, whether it is owned or public.

A High Assurance SD-WAN overlay, for example, uses crypto-segmentation to protect and ensure the integrity of sensitive data. With this Zero Trust approach, High Assurance SD-WAN means whether the network is public or private, trusted or untrusted, is irrelevant: the data security team simply needs to define the policy and, with ownership of the cryptography keys, can be confident that data is protected at all times wherever it goes.

Working Together

Adopting a Zero Trust security posture changes the outlook for CISOs – and provides a foundation for vital collaboration with the networking and IT teams. With confidence that the data is secure regardless of network location, everyone involved in Digital Transformation can achieve their goals: IT and network teams can embrace the flexibility and agility of the cloud, SaaS and SD-WAN, while the security team still has control of the security posture.

This can only be achieved if the business embraces a different mindset. It is essential to think about security by design from the outset – and to break down the barriers between network, IT and security. The introduction of the Secure Access Service Edge (SASE) framework provides clear guidelines for the convergence of these teams to drive additional business value but the onus – and opportunity – lies with the CISO to ensure the entire organisation truly understands the Digital Transformation objectives.

This also demands an essential shift away from a regulatory compliance focused security posture – something that is inherently flawed due to the impossibility of creating regulations that keep up with the ever changing security threats – towards a truly business driven approach. Working together to plan the Digital Transformation process may take a little more time up front but it will result in a secure foundation that will remove any constraints to innovation and agility.

Conclusion

It is time for CISOs to change. There is no value in endlessly blocking essential new technology projects; and no upside in being excluded from vital plans as a result. By taking a proactive stance and driving Digital Transformation strategies, CISOs can redefine the role, become a key strategic player within the business and act as an enabler, rather than a constraint, to operational success.

It is time to find a way to say yes to secure Digital Transformation – without compromise.

Mind the gap: Upskilling cyber security teams

Guest Post

By Matt Cable, VP Solutions Architects & MD Europe, Certes Networks

At the end of 2019, it was reported that the number of unfilled global IT security positions had reached over four million professionals, up from almost three million at the same time the previous year. This included 561,000 in North America and a staggering 2.6 million in APAC. The cyber security industry clearly has some gaps to fill.

But it’s not just the number of open positions that presents an issue. Research also shows that nearly half of firms are unable to carry out the basic tasks outlined in the UK government’s Cyber Essentials scheme, such as setting up firewalls, storing data and removing malware. Although this figure has improved since 2018, it is still far too high and is a growing concern. 

To compound matters, the disruption of COVID-19 this year has triggered a larger volume of attack vectors, with more employees working from home without sufficient security protocols and cyber attackers willingly using this to their advantage.

Evidently, ensuring cyber security employees and teams have the right skills to keep both their organisations and their data safe is essential. However, as Matt Cable, VP Solutions Architects & MD Europe, Certes Networks explains, as well as ensuring they have access to the right skills, organisations should also embrace a mindset of continuously identifying – and closing – gaps in their cyber security posture to ensure the organisation is as secure as it can be.

Infrastructure security versus infrastructure connectivity

There is a big misconception within cyber security teams that all members of the team can mitigate any cyber threat that comes their way. However, in practice this often isn’t the case. There is repeatedly a lack of clarity between infrastructure security and infrastructure connectivity, with organisations assuming that because a member of the team is skilled in one area, they will automatically be skilled in the other. 

What organisations are currently missing is a person, or team, within the company whose sole responsibility is looking at the security posture; not just at a high level, but also taking a deep dive into the infrastructure and identifying gaps, pain points and vulnerabilities. By assessing whether teams are truly focusing their efforts in the right places, tangible, outcomes-driven changes can really be made and organisations can then work towards understanding if they currently do possess the right skills to address the challenges. 

This task should be a group effort: the entire IT and security team should be encouraged to look at the current situation and really analyse how secure the organisation truly is. Where is the majority of the team’s time being devoted? How could certain aspects of cyber security be better understood? Is the current team able to carry out penetration testing or patch management? Or, as an alternative to hiring a new member of the team, the CISO could consider sourcing a security partner who can provide these services, recognising that the skill sets cannot be developed within the organisation itself, and instead utilising external expertise.

It’s not what you know, it’s what you don’t know

The pace of change in cyber security means that organisations must accept they will not always be positioned to combat every single attack. Whilst on one day an organisation might consider its network to be secure, a new ransomware attack or the introduction of a new man-in-the-middle threat could quickly highlight a previously unknown vulnerability. Quite often, an organisation will not have known that it had vulnerabilities until it was too late. 

By understanding that there will always be a new gap to fill and continuously assessing whether the team has the right skills – either in-house or outsourced – to combat it, organisations can become much better prepared. If a CISO simply accepts the current security posture as static and untouchable, the organisation will open itself up as a target for many new forms of attack. Instead, accepting that cyber security is constantly changing, and therefore questioning and testing each component of the security architecture on a regular basis, means that security teams – with the help of security partners – are far less likely to be caught off guard.

Maintaining the right cyber security posture requires not just the right skills, but a mindset of constant innovation and assessment. Now, more than ever, organisations need to stay vigilant and identify the gaps that could cause devastating repercussions if left unfilled. 

Breaking down AI’s role in cybersecurity

Guest Post

Data security is now more vital than ever. Today’s cybersecurity threats are incredibly smart and sophisticated. Security experts face a daily battle to identify and assess new risks, identify possible mitigation measures and decide what to do about the residual risk. 

This next generation of cybersecurity threats requires agile and intelligent programs that can rapidly adapt to new and unforeseen attacks. AI and machine learning’s ability to meet this challenge is recognised by cybersecurity experts, the majority of whom believe it is fundamental to the future of cybersecurity. Paul Vidic, Director, Certes Networks, outlines how AI and machine learning will play a fundamental role in enabling organisations to detect, react to – even prevent – emerging cyber threats more promptly and effectively than ever before...

Why is Cybersecurity so Important?

Cybersecurity is important because it encompasses everything that pertains to protecting our sensitive data, personally identifiable information (PII), protected health information (PHI), personal information, intellectual property, data, and governmental and industry information systems from attempted theft and damage.

As the whole world is becoming more digitalised, cybercrime is now one of the biggest threats to all businesses and government organisations around the world.

According to recent reports, cyber criminals exposed 2.8 billion consumer data records in 2018, costing US organisations over $654 billion. Meanwhile, the 2019 Ninth Annual Cost of Cybercrime Study calculated the total value at risk as US$5.2 trillion globally over the next five years.

The same report identified the use of automation, advanced analytics and security intelligence to manage the rising cost of discovering attacks.

Enter AI and Machine Learning

Artificial Intelligence (AI) and machine learning technologies address these challenges and are giving rise to new possibilities for cybersecurity threat protection. AI in cybersecurity plays an important role in threat detection, pattern recognition, and response time reduction. Adopting AI in cybersecurity offers better solutions when it comes to analysing massive quantities of data, speeding up response times, and increasing efficiency of often under-resourced security teams.

AI is designed and trained to collect, store, analyse and process significant amounts of data from both structured and unstructured sources. Deploying technologies such as machine learning and deep learning allows the AI to constantly evolve and improve its knowledge about cybersecurity threats and cyber risk.

For example, by recognising patterns in our environment and applying complex analytics, AI enables us to automatically flag unusual patterns and enable detection of network problems and cyber-attacks in real-time. This visibility supplies deeper insights into the threat landscape which in turn informs the machine learning. This means that AI-based security systems are constantly learning, adapting and improving. 

Risk Identification

Risk identification is an essential feature of adopting artificial intelligence in cybersecurity. AI’s data processing capability is able to reason and identify threats through different channels, such as malicious software, suspicious IP addresses, or virus files.

Moreover, cyber-attacks can be predicted by tracking threats through cybersecurity analytics which uses data to create predictive analyses of how and when cyber-attacks will occur. The network activity can be analysed while also comparing data samples using predictive analytics algorithms. 

In other words, AI systems can predict and recognise a risk before the actual cyber-attack strikes.

Conclusion

Of course, fundamental security measures such as malware scanning, firewalls, access controls, encryption, and policy definition and enforcement remain as important as ever. AI does not replace these; rather, it complements them.

However, as AI and machine learning technologies continue to mature, it is possible to imagine a time when the cybersecurity industry – having long been at the mercy of the malevolent hacker – may finally have the tools to take the lead. 

Proving ROI in cyber security

Guest Post

Research shows that almost half of businesses have reported cyber security breaches or attacks in the last 12 months. Amongst these businesses that identified breaches or attacks, more have experienced these issues at least once a week so far this year.

Moreover, the unprecedented events of recent months have seen the number of attempted data breaches continue to rise, with cyber hackers using the increase in remote working and individuals’ fears over the coronavirus to their advantage. In fact, a survey showed that 50% of organisations were unable to guarantee that their data was adequately secured when being used by remote workers.

The issue is serious and many businesses are stepping up their cyber security strategies accordingly, with CIOs and their teams increasingly taking a seat at the executive board table. But one thing is still lacking: cyber security ROI. To truly engage with a strategy, board members need to see ROI from every department of an organisation, and cyber security is not exempt from that. However, demonstrating business value in areas such as compliance, risk management or data assurance, has always been challenging. 

Consequently, data security has historically been looked upon as a necessary cost of doing business. However, this no longer needs to be the case. As CIOs, CISOs and network security teams mature into their C-Suite role, proving the value of data security is now both a realistic and achievable corporate objective. Frank Richmond, Vice President Sales Europe, Certes Networks, explains just how CISOs and CIOs can get the Board on board… 

Cyber security as a strategic investment

Today’s current network and data security approaches focus primarily on keeping the cyber hackers out with threat detection and vulnerability management at the core. But modern CIOs and CISOs want – and need – more than this when reporting to the Board; they want “provable security”.

Securing data should be a strategic investment in an organisation’s risk strategy and should quantifiably contribute to the overall value of the business. CISOs expect their network security teams to be equipped with tools that will enable them to make real-time changes to applications based on observable network flow. They want to see that security policies are being enforced properly and, most importantly, prove that their security strategy is actually effective.

To put this into practice, cyber security should be quantifiable, measurable and outcomes-driven. It shouldn’t just be a case of successfully keeping a cyber attacker out of the network after a single breach; a cyber security strategy is effective only when it is continuously putting data security first and measuring impact against key performance indicators (KPIs) that will instantly show Board members how imperative the strategy – and the technology behind it – really is.

In order to truly demonstrate the effectiveness of the organisation’s security strategy, CIOs and CISOs need to be able to visualise and understand their data, the associated applications, workloads and behaviour, with real-time contextual insight. This, in turn, will enable this understanding to be passed on to other executive Board members. 

The real value of cyber security

Armed with this insight, organisations can then take actionable steps not only to measure the effectiveness of their security strategy, but to gain deep understanding into how to enhance their security posture and to manage and enforce policies. With a data-driven approach to cyber security, the guesswork can be removed and CISOs and CIOs will be able to clearly demonstrate to the Board that ROI has been achieved.

With buy-in from the Board, data security is now more than a ‘necessary cost’, and is instead a fundamental of business operations. The businesses that succeed in enforcing this way of thinking will then truly be able to continuously evolve their cyber security practices to keep their data safe.

The rise of the Chief Cybercrime Officer

Stuart O'Brien

Matt Cable, VP Solutions Architects & MD Europe, Certes Networks, discusses the role of the CCO and how the CCO and CISO should work in harmony to achieve the common cyber security goals…

The TalkTalk data breach in 2015 was monumental for the cyber security industry. At the time, data breaches were hardly new, but this particular breach resulted in UK MPs recommending that an officer should be appointed with day-to-day responsibility for protecting computer systems from cyber attack.

This governmental guidance was not a consequence of the size of the breach. With the personal details of 157,000 customers accessed, including bank account numbers and sort codes of over 15,000 customers, it certainly was not the largest the industry had seen. Rather, the guidance resulted from the way in which the immediate situation and the following aftermath were handled.

In most organisations, the responsibility of following this guidance has historically fallen to the Chief Information Security Officer (CISO), with support from the CEO. In the wake of the TalkTalk data breach in particular, the CISO was given ‘free rein’ to strengthen the organisation’s cyber security capabilities.

The many faces of the CISO 

Yet, the role of the CISO was not a new concept. In fact, the CISO dates back to 1994 when Steve Katz was hired to run the world’s first formal cyber security executive office, and was subsequently given the title of CISO. Unsurprisingly, the role has many aspects to it, from security operations, cyber risk and cyber intelligence, data loss and fraud prevention, security architecture, identity and access management, programme management and compliance and governance, to name but a few.

Recently, however, the role has come under increasing scrutiny, and with the rise of cyber crime and the sophistication of cyber attacks, it’s easy to see why. Research shows that over two-thirds of organisations have experienced at least one security breach in the past year and that the majority of both CISOs and the entire C-Suite believe the CISO is ultimately responsible for the response to a data breach. However, with so many ‘hats’ to wear and multiple day-to-day responsibilities, it is easy to see why, with the growing threat landscape, many organisations feel that it’s time to add another role to the C-Suite.

Enter the CCO 

Enter the Chief Cybercrime Officer (CCO), whose remit will entail ensuring the organisation is cyber-ready and who will bear the responsibility of mitigating breaches, taking the lead if a breach does occur and providing the necessary link between the Board and the rest of the company to mitigate risk and work collaboratively to resolve issues as they arise.

With the need for cyber security to become far more central to C-Suite strategies, this new role should ease the load on the CISO and ensure the organisation can get one step ahead of hackers in the cyber crime race. However, organisations must take into account the need for both the CISO and CCO to work in harmony, with clearly defined roles and support from the Board. 

Aligning to boundaries

With both the CISO and CCO working towards keeping the company’s data safe from cyber threats, it is essential for each role to be clearly defined. This definition may look different to each organisation: each role, and the teams working with them, should have clear parameters and responsibilities so that in the event of a data breach, the organisation clearly understands the steps that should be taken, and who should take them.

In practice, this should make every CISO breathe a big sigh of relief. Many CISOs would identify cyber security as the greatest risk within their role, and when they’re also trying to juggle multiple other responsibilities, it’s a lot to have on their shoulders. With the CCO focused on the system architecture and the CISO focused on the security of the information within the organisation, there should be no reason that both roles can’t work collaboratively towards keeping the organisation safe.

Making decisions 

With both roles working in tandem, the next step that organisations need to take is ensuring the CISO and the CCO have enough influence with the Board to make critical decisions and resolve issues immediately. By ensuring that all members of the Board have visibility of the entire cyber security strategy and that the strategy is regularly reviewed and updated in line with new threats and intelligence, the CCO and CISO can be given the responsibility to report and respond to incidents and make rapid decisions on behalf of the business. In the event of a data breach, removing unnecessary approval and authorisation steps ensures that the organisation can respond quickly and put remediating measures in place to minimise potentially catastrophic repercussions.

In a world where cyber security threats can’t be ignored, now is the time for the structure of organisations to truly be considered. Has cyber security been given enough prominence at Board level? Can decisions be made quickly? Can space be made for both the CISO and CCO to work in harmony? By asking these questions and making changes, organisations can ensure they are in a far better position to keep their data safe and protect their reputation.

Who keeps the keys to the smart cities?

Guest Post

By Sean Wray, VP NA Government Programs, Certes Networks

Smart cities seem inevitable. According to IDC, Smart City initiatives attracted technology investments of more than $81 billion globally in 2018, and spending is estimated to grow to $158 billion in 2022. Similarly, in 2018, the number of major metropolitan cities relying on or developing a comprehensive smart city plan – as opposed to implementing a few innovative projects without an overall smart plan – dramatically increased. 

In the US, for example, cities like Philadelphia, Newark and Chicago all have goals to upgrade and to become leading ‘SMART’ cities, while UK innovation is being spearheaded by major conurbations such as Bristol, London and Manchester.

Cities are making a significant investment in data connectivity, introducing a number of new technologies such as Wi-Fi 6, smart grid and IoT sensor devices, all promising to enhance overall visibility and security. However, as we extend the reach of technology and connectivity, there will increasingly be cyber-risks to take into account. As part of their transformation, smart cities serve as a technology hub and gateway to major institutions such as banks, hospitals, universities, law enforcement agencies and utilities. This means the storage and transmission of customer data such as social security numbers, addresses, credit card information and other sensitive data is a potential goldmine for malicious actors. That is before counting the increasing number of projects monitoring roads, traffic, traffic lights and metro services, all of which must be kept secure from threats at all times…

Click here to read the full article on sister-site Total Security Briefing.

Shining a spotlight on UK cyber security standards

Stuart O'Brien

Public sector organisations in the UK are in the midst of changing cyber security regulations. In mid-2018, the Government, in collaboration with the NCSC, published a minimum set of cyber security standards. These standards are now mandated, along with a focus on continually “raising the bar”. The standards set minimum requirements for organisations to protect sensitive information and key operational services, which – given the way in which these services are increasingly dispersed – is driving significant changes in public sector network architecture and security.

In addition to setting today’s ‘minimum’ standards, however, the guidance also sets a target date of 2023 by which public sector organisations will be expected to have adopted a ‘gold-standard’ cyber security profile.

Matt Cable, VP Solutions Architect and MD Europe, Certes Networks, outlines the essential considerations that will help organisations select an encryption solution provider that can easily integrate into any network infrastructure as they migrate from Legacy MPLS to SDN or SD-WAN network architectures...

The Principles

For both public and private sector organisations, customer experience is key. From finance and utilities, to local authorities and smart cities, customer touchpoints are increasingly dispersed, remote and application-driven, necessitating a move from Legacy MPLS to SDN or SD-WAN. However, under the Government’s new minimum cyber security standards framework, ensuring sensitive information and key services are protected is a critical consideration. 

The UK’s National Cyber Security Centre (NCSC) has therefore issued principles for cyber secure enterprise technology to organisations, including guidance on deploying and buying network encryption, with the aim of reducing risks to the UK by securing public and private sector networks. This guidance bears parallels with the US National Institute of Standards and Technology’s (NIST) Cybersecurity Framework and therefore applies equally to US and other federal organisations in a similar scenario.

Similar to the NIST framework, the NCSC guidance shares the same principle that networks should not be trusted. It recommends that to keep sensitive information protected, encryption should be used between devices, the applications on them, and the services being accessed. IPsec is the recommended method for protecting all data travelling between two points on a network to provide an understood level of security, with further guidance outlining a specific ‘gold-standard’ cipher suite profile known as PRIME.

The guidance is based on the network vendor being CAS(T) certified (CESG (Communications Electronics Security Group) Assured Services (Telecommunications)), which involves an independent assessment focused on the key security areas of service availability, insider attack, unauthorised access to the network and physical attack.

However, there are challenges.

Challenge #1 – Public Sector Adherence to CAS(T)

Many public sector organisations are no longer mandating CAS(T) based services and therefore the risk appetite is expected to be lowered, mainly to support the emergence of internet and SD-WAN suppliers’ network solutions. This is key as the current NCSC-recommended Foundation standard for IPsec will expire in 2023, and users are being encouraged to move quickly off legacy platforms.

Challenge #2 – Impact to Cloud Service Providers and Bearer Networks

This guidance, such as the protection of information flows on dedicated links between organisations, also applies to cloud service providers, including the inter-data-centre connections in such providers’ networks.

The underlying bearer network is assumed not to provide any security or resilience. This means that any bearer network (such as the Internet, Wi-Fi 4/5G, or a commercial MPLS network) can be used. The choice of bearer network(s) will have an impact on the availability that an encrypted service can provide.

Challenge #3 – Partner Collaboration

NCSC explicitly states in its guidance that establishing trustworthy encrypted network links is not just about technology. It is also important that the management of these network links is carried out by appropriate individuals, performing their assigned management activities in a competent and trusted fashion, from a management system that protects the overall integrity of the system. Thus, for encryption solution providers, the partner’s service credentials affect how the end user may use the technology.

The Solution

IPsec helps protect the confidentiality and integrity of information as it travels across less-trusted networks, by implementing network-based encryption to establish Virtual Private Networks (VPNs). 

Under PRIME principles, devices which implement cryptographic protection of information using IPsec should:

  • Be managed by a competent authority in a manner that does not undermine the protection they provide, from a suitable management platform
  • Be configured to provide effective cryptographic protection
  • Use certificates as a means of identifying and trusting other devices, using a suitable PKI
  • Be independently assured to Foundation Grade, and operated in accordance with published Security Procedures
  • Be initially deployed in a manner that ensures their future trustworthiness
  • Be disposed of securely

Keeping the network design simple is one of the most effective ways to ensure the network provides the expected security and performance. The use of certificates generated in a cryptographically secure manner allows VPN gateways and clients to successfully identify themselves to each other while helping to mitigate brute force attacks.
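The PRIME-style requirements above (certificate-based identity from a suitable PKI, a configuration that actually provides effective cryptographic protection, a simple design) can be made concrete in a gateway configuration. The following strongSwan `swanctl.conf` fragment for one site-to-site gateway is an added example, not configuration from Certes Networks or from the NCSC guidance; the hostnames, addresses, certificate file names and rekey intervals are placeholders, and the algorithm selection (IKEv2, ECDSA P-256 certificates, ECDH on P-256, AES-128-GCM, SHA-256) follows the published PRIME profile as the writer of this example understands it, so it should be checked against the current NCSC text before use.

```conf
# Added illustration (not Certes Networks' or NCSC's own configuration):
# strongSwan swanctl.conf for a single site-to-site IPsec gateway.
# All names, addresses and file names are placeholders.
connections {
    site-to-site {
        version = 2                       # IKEv2 only; IKEv1 is not part of the PRIME profile
        local_addrs  = 192.0.2.10         # placeholder gateway address (documentation range)
        remote_addrs = 198.51.100.20      # placeholder peer address

        # IKE_SA proposal: AES-128-GCM with 16-byte ICV, HMAC-SHA-256 PRF, ECDH on P-256.
        # A single proposal with no fallback means a peer offering weaker
        # algorithms (3DES, SHA-1, small MODP groups) is simply rejected.
        proposals = aes128gcm16-prfsha256-ecp256

        # Certificate-based mutual authentication; identities come from the
        # certificates issued by the organisation's own PKI, not from shared secrets.
        local {
            auth  = pubkey
            certs = gw-a.pem              # placeholder: this gateway's ECDSA P-256 certificate
            id    = "CN=gw-a.example.org"
        }
        remote {
            auth       = pubkey
            id         = "CN=gw-b.example.org"
            cacerts    = example-ca.pem   # placeholder: only peers chaining to this CA are trusted
            revocation = strict           # refuse peers whose revocation status cannot be checked
        }

        children {
            lan-to-lan {
                local_ts  = 10.0.1.0/24   # placeholder protected subnet behind this gateway
                remote_ts = 10.0.2.0/24   # placeholder protected subnet behind the peer
                # ESP proposal: AES-128-GCM with perfect forward secrecy on P-256.
                esp_proposals = aes128gcm16-ecp256
                start_action  = start     # bring the tunnel up when the daemon loads the config
                rekey_time    = 1h        # assumed operational value
            }
        }
        rekey_time = 4h                   # assumed operational value for the IKE_SA
    }
}
```

With this configuration the gateway negotiates only the listed algorithms and accepts only a peer that presents a certificate chaining to the named CA with a matching identity, which is the practical form of the list's "use certificates ... using a suitable PKI" and "configured to provide effective cryptographic protection" items. Keeping a single proposal per SA is also what the paragraph above means by a simple design: there is no negotiation path that can end in a weaker suite.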

Conclusion

There are many encryption solutions to help agencies and federal governments who want to move from Legacy MPLS to SDN or SD-WAN. Layer 4 encryption, for example, can integrate easily into any network and encrypt data in transit without disrupting performance or replacing the current network architecture.

Selecting a provider that can offer a PRIME compliant solution – such as Layer 4 encryption – is key in conforming to both today’s and tomorrow’s cyber security standards. And with NCSC starting to treat all networks as untrusted networks (especially those of agencies using the internet), PRIME is becoming the gold standard against which NCSC will measure regulatory compliance.

Therefore, it is important to consider a vendor that can offer a security solution that is not only compliant but is simple and uncomplicated, minimising disruption, resources and costs.

Keeping data secure in the oil and gas industry

Stuart O'Brien

By Jerry Askar, Managing Director Middle East, Levant & Africa, Certes Networks

As automation continues to evolve, the utilities sector is finding that encryption of its network data is critical to safeguarding against cyber-attacks. And, as organisations across the globe continue to prioritise cybersecurity, the threat landscape continues to expand. Although good progress is being made, it is evident that critical network vulnerabilities are still being left unprotected.

This is particularly the case in the oil and gas sector, which is the latest to enter the cyber security spotlight according to the latest threat report by security firm Dragos, which highlighted that the sector is a valuable target for adversaries seeking to exploit industrial control systems (ICS) environments.

The report revealed a new activity group targeting the industry, bringing the total number of tracked ICS-targeted activity groups to nine, five of which directly target oil and gas organisations. What’s more, the increased deployment of automation within the oil and gas industry to manage costs, extract the most value from current assets and maximise up-time, only causes the threats to ICS and supervisory control and data acquisition (SCADA) networks to rise.

The threat is clearly high, as are the potential consequences of a cyber-attack on this sector. An attack on an oil or gas organisation would not only have severe political and economic impacts, but it would also have a direct effect on civilian lives and infrastructure. Much of how the population lives and works is dependent upon the energy from oil and gas production, from communication, the use of electronic devices and appliances, and even heating, cooling and cooking. The smallest attack on this sector could result in devastating effects. 

Beyond consumer impact, an oil or gas company hit by a cyber-attack could experience a plant or production shutdown, utilities interruptions, equipment damage or loss of quality, undetected spills and of course safety measure violations. For example, in December 2018, Saipem, an Italian oil and gas industry contractor, fell victim to a cyber-attack that hit servers based in the Middle East, India, Aberdeen and Italy, which led to the cancellation of data and infrastructures.

Mitigating cyber-attack damage 

Understanding not just the threats faced by this sector, but also how the attacks are taking place and the behaviours and capabilities of activity groups targeting oil and gas companies, is essential. As the Dragos report warned, there is currently limited visibility – or observability – into the network ecosystem, including communications to and from operations centres, distribution substations and even home “smart grid” networks. This means that intruders can dwell for longer and the root cause of the attack can remain undetected. As is widely documented, the longer an attacker remains in a network, the more damage the breach will cause.

To protect data in ICS/SCADA environments, organisations in the oil and gas industry need an encryption solution that not only safely encrypts data enterprise-wide, but that is also scalable and easy to implement, without disrupting, replacing or moving the network infrastructure. Furthermore, some encryption technologies will provide organisations with greater visibility of their data to monitor deployed policies. By defining and deploying policies and keys based only on which users should have access to what data, organisations can ensure that only those who need to send or receive the data have the access to do so. In addition, many network observability features can provide crucial flow data so that IT operators can observe policy enforcement and quickly shut down a policy if it is compromised, stopping further damage and potential escalation.

Conclusion

Lessons need to be learned from past attacks on the oil and gas industry, such as the Saipem attack, which had global consequences. With the sector facing such a high cyber risk, it’s more crucial than ever for oil and gas organisations to adopt a cyber security culture and move from reactive to proactive.

This means employing an encryption management solution, along with the right forensic intelligence tools, to understand and safeguard against future cyber-attacks and their potential for devastating consequences.

Image by Robson Machado from Pixabay
