Matt Cable Archives - Cyber Secure Forum | Forum Events Ltd
Posts Tagged :

Matt Cable

Mind the gap: Upskilling cyber security teams

 960 640 Guest Post
By:
0
0

By Matt Cable, VP Solutions Architects & MD Europe, Certes Networks, is of interest at all?

At the end of 2019, it was reported that the number of unfilled global IT security positions had reached over four million professionals, up from almost three million at the same time the previous year. This included 561,000 in North America and a staggering 2.6 million in APAC. The cyber security industry clearly has some gaps to fill.

But it’s not just the number of open positions that presents an issue. Research also shows that nearly half of firms are unable to carry out the basic tasks outlined in the UK government’s Cyber Essentials scheme, such as setting up firewalls, storing data and removing malware. Although this figure has improved since 2018, it is still far too high and is a growing concern. 

To compound matters, the disruption of COVID-19 this year has triggered a larger volume of attack vectors, with more employees working from home without sufficient security protocols and cyber attackers willingly using this to their advantage.

Evidentially, ensuring cyber security employees and teams have the right skills to keep both their organisations and their data safe, is essential. However, as Matt Cable, VP Solutions Architects & MD Europe, Certes Networks explains, as well as ensuring they have access to the right skills, organisations should also embrace a mindset of continuously identifying – and closing – gaps in their cyber security posture to ensure the organisation is as secure as it can be.

Infrastructure security versus infrastructure connectivity

There is a big misconception within cyber security teams that all members of the team can mitigate any cyber threat that comes their way. However, in practice this often isn’t the case. There is repeatedly a lack of clarity between infrastructure security and infrastructure connectivity, with organisations assuming that because a member of the team is skilled in one area, they will automatically be skilled in the other. 

What organisations are currently missing is a person, or team, within the company whose sole responsibility is looking at the security posture; not just at a high level, but also taking a deep dive into the infrastructure and identifying gaps, pain points and vulnerabilities. By assessing whether teams are truly focusing their efforts in the right places, tangible, outcomes-driven changes can really be made and organisations can then work towards understanding if they currently do possess the right skills to address the challenges. 

This task should be a group effort: the entire IT and security team should be encouraged to look at the current situation and really analyse how secure the organisation truly is. Where is the majority of the team’s time being devoted? How could certain aspects of cyber security be better understood? Is the current team able to carry out penetration testing or patch management? Or, as an alternative to hiring a new member of the team, the CISO could consider sourcing a security partner who can provide these services, recognising that the skill sets cannot be developed within the organisation itself, and instead utilising external expertise.

It’s not what you know, it’s what you don’t know

The pace of change in cyber security means that organisations must accept they will not always be positioned to combat every single attack. Whilst on one day an organisation might consider its network to be secure, a new ransomware attack or the introduction of a new man-in-the-middle threat could quickly highlight a previously unknown vulnerability. Quite often, an organisation will not have known that it had vulnerabilities until it was too late. 

By understanding that there will always be a new gap to fill and continuously assessing if the team has the right skills – either in-house or outsourced – to combat it, organisations can become much better prepared. If a CISO simply accepts the current secure state of its security posture as static and untouchable, the organisation will open itself up as a target of many forms of new attack vectors. Instead, accepting that cyber security is constantly changing and therefore questioning and testing each component of the security architecture on a regular basis means that security teams – with the help of security partners – will never be caught off guard. 

Maintaining the right cyber security posture requires not just the right skills, but a mindset of constant innovation and assessment. Now, more than ever, organisations need to stay vigilant and identify the gaps that could cause devastating repercussions if left unfilled. 

The rise of the Chief Cybercrime Officer

 960 640 Stuart O'Brien
By:
0
0

Matt Cable, VP Solutions Architects & MD Europe, Certes Networks, discusses the role of the CCO and how the CCO and CISO should work in harmony to achieve the common cyber security goals…

The TalkTalk data breach in 2015 was monumental for the cyber security industry. At the time, data breaches were hardly new, but this particular breach resulted in UK MPs recommending that an officer should be appointed with day-to-day responsibility for protecting computer systems from cyber attack.

This governmental guidance was not a consequence of the size of the breach. With the personal details of 157,000 customers accessed, including bank account numbers and sort codes of over 15,000 customers, it certainly was not the largest the industry had seen. Rather, the guidance resulted from the way in which the immediate situation and the following aftermath, were handled.

In most organisations, the responsibility of following this guidance has historically fallen to the Chief Information Security Officer (CISO), with support from the CEO. In the wake of the TalkTalk data breach in particular, the CISO was given ‘free rein’ to strengthen the organisation’s cyber security capabilities.

The many faces of the CISO 

Yet, the role of the CISO was not a new concept. In fact, the CISO dates back to 1994 when Steve Katz was hired to run the world’s first formal cyber security executive office, and was subsequently given the title of CISO. Unsurprisingly, the role has many aspects to it, from security operations, cyber risk and cyber intelligence, data loss and fraud prevention, security architecture, identity and access management, programme management and compliance and governance, to name but a few.

Recently however, the role has come under increasing scrutiny and with the rise of cyber crime and the sophistication of cyber attacks, it’s easy to see why. Research shows that over two-thirds of organisations have experienced at least one security breach in the past year and that the majority of both CISOs and the entire C-Suite believe the CISO is ultimately responsible for the response to a data breach. However, with so many ‘hats’ to wear and multiple day-to-day responsibilities, it is clear to see why, with the increasing threat landscape, many organisations feel that it’s time to add another role to the C-Suite. 

Enter the CCO 

Enter the Chief Cybercrime Officer (CCO), whose remit will entail ensuring the organisation is cyber-ready and who will bear the responsibility of mitigating breaches, taking the lead if a breach does occur and providing the necessary link between the Board and the rest of the company to mitigate risk and work collaboratively to resolve issues as they arise.

With the need for cyber security to become far more central to C-Suite strategies, this new role should ease the load on the CISO and ensure the organisation can get one step ahead of hackers in the cyber crime race. However, organisations must take into account the need for both the CISO and CCO to work in harmony, with clearly defined roles and support from the Board. 

Aligning to boundaries

With both the CISO and CCO working towards keeping the company’s data safe from cyber threats, it is essential for each role to be clearly defined. This definition may look different to each organisation: each role, and the teams working with them, should have clear parameters and responsibilities so that in the event of a data breach, the organisation clearly understands the steps that should be taken, and who should take them.

In practice, this should make every CISO breathe a big sigh of relief. Many CISOs would identify cyber security as the greatest risk within their role, and when they’re also trying to juggle multiple other responsibilities, it’s a lot to have on their shoulders. With the CCO focused on the system architecture and the CISO focused on the security of the information within the organisation, there should be no reason that both roles can’t work collaboratively towards keeping the organisation safe.

Making decisions 

With both roles working in tandem, the next step that organisations need to take is ensuring the CISO and the CCO have enough influence with the Board to make critical decisions and resolve issues immediately. By ensuring that all members of the Board have visibility of the entire cyber security strategy and that the strategy is regularly reviewed and updated in line with new threats and intelligence, the CCO and CISO can be given the responsibility to report and respond to incidents and make rapid decisions on behalf of the business. In the event of a data breach, removing unnecessary approval and authorisation steps ensures that the organisation can respond quickly and put remediating measures in place to minimise potentially catastrophic repercussions.

In a world where cyber security threats can’t be ignored, now is the time for the structure of organisations to truly be considered. Has cyber security been given enough prominence at Board level? Can decisions be made quickly? Can space be made for both the CISO and CCO to work in harmony? By asking these questions and making changes, organisations can ensure they are in a far better position to keep their data safe and protect their reputation.

Shining a spotlight on UK cyber security standards

 960 640 Stuart O'Brien
By:
0
0

Public sector organisations in the UK are in the midst of changing cyber security regulations. In mid-2018, the Government, in collaboration the NCSC, published a minimum set of cyber security standards. These standards are now mandated, along with a focus on continually “raising the bar”. The standards set minimum requirements for organisations to protect sensitive information and key operational services, which – given the way in which these services are increasingly dispersed – is driving significant changes in public sector network architecture and security.  

In addition to setting today’s ‘minimum’ standards, however, the guidance also sets a target date of 2023 by which public sector organisations will be expected to have adopted a ‘gold-standard’ cyber security profile.

Matt Cable, VP Solutions Architect and MD Europe, Certes Networks, outlines the essential considerations that will help organisations select an encryption solution provider that can easily integrate into any network infrastructure as they migrate from Legacy MPLS to SDN or SD-WAN network architectures...

The Principles

For both public and private sector organisations, customer experience is key. From finance and utilities, to local authorities and smart cities, customer touchpoints are increasingly dispersed, remote and application-driven, necessitating a move from Legacy MPLS to SDN or SD-WAN. However, under the Government’s new minimum cyber security standards framework, ensuring sensitive information and key services are protected is a critical consideration. 

The UK’s National Cyber Security Centre (NCSC) has therefore issued principles for cyber secure enterprise technology to organisations, including guidance on deploying and buying network encryption, with the aim of reducing risks to the UK by securing public and private sector networks. This guidance bears parallels with the US National Institute of Standard and Technology’s (NIST) Cybersecurity Framework and therefore applies equally to US and other federal organisations in a similar scenario. 

Similar to the NIST framework, the NCSC guidance shares the same principle that networks should not be trusted. It recommends that to keep sensitive information protected, encryption should be used between devices, the applications on them, and the services being accessed. IPsec is the recommended method for protecting all data travelling between two points on a network to provide an understood level of security, with further guidance outlining a specific ‘gold-standard’ cipher suite profile known as PRIME.

The guidance is based on the network vendor being CAS(T) certified (CESG (Communications Electronics Security Group) Assured Services (Telecommunications)), which involves an independent assessment focused on the key security areas of service availability, insider attack, unauthorised access to the network and physical attack.

However, there are challenges.

Challenge #1 – Public Sector Adherence to CAS(T)

Many public sector organisations are no longer mandating CAS(T) based services and therefore the risk appetite is expected to be lowered, mainly to support the emergence of internet and SD-WAN suppliers network solutions. This is key as the current NCSC recommendation Foundation standards for IPsec will expire in 2023, and users are being encouraged to move quickly off legacy platforms. 

Challenge #2 – Impact to Cloud Service Providers and Bearer Networks

This guidance, such as the protection of information flows on dedicated links between organisations, also applies to cloud service providers, or in the inter-data-centre connections in such providers’ networks.

The underlying bearer network is assumed not to provide any security or resilience. This means that any bearer network (such as the Internet, Wi-Fi 4/5G, or a commercial MPLS network) can be used. The choice of bearer network(s) will have an impact on the availability that an encrypted service can provide.

Challenge #3 – Partner Collaboration

NCSC explicitly states in its guidance that establishing trustworthy encrypted network links is not just about technology. It is also important that the management of these networks links is carried out by appropriate individuals, performing their assigned management activities in a competent and trusted fashion, from a management system that protects the overall integrity of the system. Thus, for encryption solution providers, the partner’s service credentials impact how the end user may use the technology. 

The Solution

IPsec helps protect the confidentiality and integrity of information as it travels across less-trusted networks, by implementing network-based encryption to establish Virtual Private Networks (VPNs). 

Under PRIME principles, devices which implement cryptographic protection of information using IPsec should:

  • Be managed by a competent authority in a manner that does not undermine the protection they provide, from a suitable management platform
  • Be configured to provide effective cryptographic protection
  • Use certificates as a means of identifying and trusting other devices, using a suitable PKI
  • Be independently assured to Foundation Grade, and operated in accordance with published Security Procedures
  • Be initially deployed in a manner that ensures their future trustworthiness
  • Be disposed of securely

Keeping the network design simple is one of the most effective ways to ensure the network provides the expected security and performance. The use of certificates generated in a cryptographically secure manner allows VPN gateways and clients to successfully identify themselves to each other while helping to mitigate brute force attacks.

Conclusion

There are many encryption solutions to help agencies and federal governments who want to move from Legacy MPLS to SDN or SD-WAN.  Layer 4 encryption, for example, can integrate easily into any network and encrypt data in transit without disrupting performance or replacing the current network architecture.

Selecting a provider that can offer a PRIME compliant solution – such as Layer 4 encryption – is key in conforming to both today and tomorrow’s cyber security standards. And with NCSC starting to treat all networks as untrusted networks (especially those agencies using internet), PRIME is becoming the gold standard for which NCSC will measure regulatory compliance.

Therefore, it is important to consider a vendor that can offer a security solution that is not only compliant but is simple and uncomplicated, minimising disruption, resources and costs.