
Network Security, ISSN 1353-4858, June 2017. www.networksecuritynewsletter.com

Contents

NEWS
NSA leak details Russian attack on US electoral system (page 1)
Attacks on industry (page 2)

FEATURES
Fighting application threats with cloud-based WAFs (page 5)
Companies must ensure that their web applications and APIs are protected from attack, but this is easier said than done. Whichever route a company takes to protect itself, what is clear is that any web application firewall (WAF) must itself be constantly evolving and gather the intelligence needed to protect against application layer and DDoS attacks – and to do it with great speed and scale, says Daniel Shugrue of Akamai Technologies.

GDPR: a milestone in convergence for cyber-security and compliance (page 8)
Compliance does not equal security. And as cybercrime evolves at a rapid pace, it is often difficult for regulations and legislation to keep up with a changing security landscape. The result is outdated requirements that are often unfit for purpose. The EU’s General Data Protection Regulation (GDPR) presents an opportunity to level the scales and drive greater convergence between cyber-security and compliance – two areas often seen as disparate by business leaders, explains Jesper Zerlang of LogPoint.

How automating data collection can improve cyber-security (page 11)
The fallout from a data breach can be catastrophic. And in recent years, hackers have become much better at developing smarter, better targeted and more automated tools that help them fly ‘under the radar’. The security industry needs to develop automated processes that automatically collect relevant ‘suspicious’ packet data and make it readily available for analysis, says Jay Botelho of Savvius.

Leaks and ransoms – the key threats to healthcare organisations (page 14)
Of all the personally identifiable information (PII) that could be leaked, healthcare data is arguably the most intimate and worrying. You would think that healthcare organisations would try their hardest to protect that information and yet they are constantly in the headlines following leaks and cyber-attacks. In this interview, Niall MacLeod of Anomali explains how healthcare organisations are getting better at managing information security, but that the road ahead isn’t easy.

REGULARS
News in brief (page 3)
Reviews (page 4)
The Firewall (page 20)
Events (page 20)

Featured in this issue:

Fighting application threats with cloud-based WAFs
Companies that conduct business online must ensure that their web applications and APIs are protected from attack. However, defending an online operation is no mean feat. Whichever route a company takes to protect itself, what is clear is that any web application firewall (WAF) must itself be constantly evolving and gather the intelligence needed to protect against application layer and DDoS attacks – and to do it with great speed and scale, says Daniel Shugrue of Akamai Technologies. Full story on page 5…

GDPR: a milestone in convergence for cyber-security and compliance
One of the greatest misconceptions in business today is that compliance equates to good business practice – particularly with regard to security. Cybercrime is evolving at an exceedingly rapid pace, meaning it is often difficult for regulations and legislation to keep up with a changing security landscape. The EU’s General Data Protection Regulation (GDPR) presents an opportunity to level the scales and drive greater convergence between cyber-security and compliance – two areas often seen as disparate by business leaders, explains Jesper Zerlang of LogPoint. Full story on page 8…

How automating data collection can improve cyber-security
The fallout from a data breach can be catastrophic. And hackers have become better at developing smarter, better targeted and more automated tools that help them fly ‘under the radar’. Security analysts need tools and processes that enable them to work much more efficiently, especially for real-time analysis. And the storing of alert-related packets allows specialists to look for so-far undetected breaches. The security industry needs to develop automated processes that automatically collect relevant ‘suspicious’ packet data and make it readily available for analysis, explains Jay Botelho of Savvius. Full story on page 11…

NSA leak shows Russian attack on US electoral system
A document leaked from the US National Security Agency (NSA) shows that Russian hackers had some success in attacking 122 election officials and a vendor of voting software prior to the 2016 presidential election. Rumours about Russian attacks started circulating in September 2016. But even the one publication to fully report on them – The Intercept online magazine, which regularly runs material from whistleblowers – said it had not previously seen the NSA documents. (It has since published a story based on them, available here: http://bit.ly/2skBHUc.) Continued on page 2…

ISSN 1353-4858/17 © 2017 Elsevier Ltd. All rights reserved.

NEWS

Editorial Office: Elsevier Ltd, The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom. Tel: +44 1865 843239. Fax: +44 (0)1865 843973. Web: www.networksecuritynewsletter.com
Publisher: Greg Valero. Publishing Director: Bethan Keall. Editor: Steve Mansfield-Devine. Senior Editor: Sarah Gordon. Columnists: Tim Erridge, Karen Renaud, Colin Tankard.
International Editorial Advisory Board: Dario Forte; Edward Amoroso, AT&T Bell Laboratories; Fred Cohen, Fred Cohen & Associates; Jon David, The Fortress; Bill Hancock, Exodus Communications; Ken Lindup, Consultant at Cylink; Dennis Longley, Queensland University of Technology; Tim Myers, Novell; Tom Mulhall; Padget Petterson, Martin Marietta; Eugene Schultz, Hightower; Eugene Spafford, Purdue University; Winn Schwartau, Inter.Pact.
Production Support Manager: Lin Lucas. Pre-press/Printed by Mayfield Press (Oxford) Limited.

NSA leak shows Russian attack on US electoral system
…Continued from front page

The NSA report squarely points the finger for the attacks at Russian military intelligence, particularly the General Staff Main Intelligence Directorate (GRU), and says that the hackers were members of a team with a “cyber-espionage mandate specifically directed at US and foreign elections”. According to excerpts from the document published by The Intercept: “Russian General Staff Main Intelligence Directorate actors … executed cyber-espionage operations against a named US company in August 2016, evidently to obtain information on elections-related software and hardware solutions. … The actors likely used data obtained from that operation to … launch a voter registration-themed spear-phishing campaign targeting US local government organisations.”

The attackers first targeted an e-voting system vendor. The company is not named in the NSA document but there are other references to Florida-based VR Systems, whose voting solutions are used in eight states. The attack used a Microsoft Word document containing malware. The spear-phishing campaign against local government employees involved sending emails purportedly coming from the e-voting system vendor and containing links to a fake Google page.

The NSA document was allegedly leaked by Reality Winner, who had served in the US Air Force before joining a company that works for the NSA as a contractor and who has now been charged with offences that could result in a 10-year jail term. She had already served at the NSA’s headquarters in Fort Meade as a cryptologic language analyst. It’s alleged she printed a copy of the NSA document and that the agency’s printer logs helped identify her.

Attacks on industry

Although the majority of industrial organisations believe they are well-prepared for cyber-security incidents, around half of firms using industrial control system (ICS) technology experienced between one and five incidents last year, according to research by Kaspersky Lab, and 4% experienced more than six. Meanwhile, a major new threat has emerged.

On average, ineffective cyber-security costs industrial organisations up to $497,000 a year. Companies are struggling with the challenges raised by the convergence of IT and operational technology (OT) and the availability of industrial control networks to external providers. Despite high awareness about new threats such as targeted attacks and …, the biggest pain point for the majority (56%) of ICS organisations is still conventional ….

There is a mismatch surrounding employee errors and unintentional actions, which are far more threatening to ICS organisations than actors from the supply chain and partners, and sabotage and physical damage by external actors. Yet it’s the external actors that are in the top three of what ICS organisations worry about the most.

On the positive side, the security strategies adopted by ICS practitioners look quite solid. The majority of companies have already given up on using air gaps as a security measure, and are adopting comprehensive cyber-security solutions. In the next 12 months, the surveyed firms plan to implement industrial anomaly detection tools (42%) and security awareness training for staff. There’s more information here: http://bit.ly/2riCXqG.

Researchers at ESET who have examined a piece of malware they have dubbed ‘Industroyer’ say it is capable of attacks such as the one that brought down part of Ukraine’s power grid in December 2016. In fact, it’s possible that attack was a large-scale test of the malware. According to ESET: “Industroyer is a particularly dangerous threat, since it is capable of controlling electricity substation switches and circuit breakers directly. To do so, it uses industrial communication protocols used worldwide in power supply infrastructure, transportation control systems, and other critical infrastructure systems (such as water and gas).” In addition, the malware is capable of data wiping and its modular design means it can be repurposed for a wide range of attacks against critical national infrastructure. There is more information here: http://bit.ly/2rq4Ng0.


In brief

WannaCry payments
According to Elliptic, a company that monitors the use of Bitcoin in illicit activities, by 12 June 2017 the WannaCry ransomware campaign had made just over $142,000 for the criminals running it. Most of the payments had been made by mid-May. While WannaCry hit organisations and individuals around the world and attracted huge press attention, the malware turned out to be flawed – not least because it contained a ‘kill switch’ option that was triggered when a security researcher registered a domain name hard-coded into the software. The malware also contains a number of other coding errors that make file recovery possible in some circumstances. There’s more information at SecureList here: http://bit.ly/2s5wMDq.

Healthcare breaches
The healthcare sector accounts for just under half (43%) of all data breaches in the UK, according to figures obtained from the Information Commissioner’s Office (ICO) by security firm Egress. Between January 2013 and December 2016, healthcare organisations suffered 2,447 incidents and consistently led all other sectors in the number of breaches. And the number of incidents rose year on year, with a 20% increase, from 184 incidents in the last quarter of 2014 to 221 in the last quarter of 2016. However, most of the data leaks were the result of accidents and incompetence rather than external threats. Taking the 221 breaches that occurred between October and December 2016, the top-ranking incident types included: theft or loss of paperwork (24%); data faxed or posted to incorrect recipient (19%); data sent by email to incorrect recipient (9%); and failure to redact data (5%). However, Egress warns that while healthcare had the highest volume of incidents, other sectors are increasing more rapidly. Across all sectors, the total number of security incidents reported has increased by almost one-third (32%) since 2014. The courts and justice sector has experienced the most significant increase in incidents – a 290% hike since 2014, placing it in the top five worst affected industries by the last quarter of 2016. Other significant increases can be seen in the central government and finance sectors, with 33% and 44% increases, respectively. The human element, where internal staff made mistakes, accounted for almost half of total data breach incidents, ranging from 44% to 49% in the period studied. And data shared accidentally is the single highest contributor to breaches resulting from human error, causing roughly one-third of incidents.

Swift profits down after hack
The Swift interbanking network has seen its profits drop by nearly a third as a result of a major breach in early 2016 in which nearly $82m was stolen. Using a combination of malware and a knowledge of Swift processes, the criminals were only just prevented from stealing close to $1bn from the Bank of Bangladesh. Most of the money they did steal was never recovered. There were other attempts in 2016 using similar techniques, which led to the Bank of England launching a review of the system. Greater investments in security by Swift are a large part of the reason for pre-tax profits (which are disbursed as rebates to owner-members) falling 31% to E47m.

IoT security standards
The EU’s information security organisation ENISA is urging the tech industry to develop and adopt security standards for Internet of Things (IoT) devices. A report, produced in collaboration with semiconductor firms …, NXP Semiconductor and STMicroelectronics, highlights the failure of industry so far to harden IoT products against hacking and malware. With malware campaigns, such as …, now targeting unprotected IoT hardware, this could lead to an erosion of trust in the market as well as allowing for further outbreaks of ransomware, denial of service attacks and other forms of criminal activity that could harm consumers. ENISA says that standards are required so that devices can come with a ‘trust label’, helping to steer customers to secure products and raise confidence. The report is available here: http://bit.ly/2rdlw6N.

FBI dark web probe in danger
Large amounts of evidence gained during an investigation into child abuse imagery shared via the dark web may become inadmissible in court following a judge’s ruling that the FBI misused a warrant. The agency took over a dark website called Playpen, which then acted as a honeypot and placed tracking software (acting much like malware) on any PCs connecting to it. During the 13 days of its control by the agency, Playpen recorded the IP addresses and other data belonging to more than 8,000 computers. This led to the arrests of nearly 900 people worldwide. However, in one of these cases – that of Terry Lee Carlson from Minnesota – a federal magistrate judge in Minneapolis said that evidence seized in Carlson’s home, including data on hard drives, should be suppressed. This is because the warrant that allowed the FBI to gain access to information on computers visiting Playpen doesn’t have jurisdiction outside of Virginia, where it was issued. Magistrate Judge Franklin Noel also ruled that the warrant doesn’t allow for the seizing of data and described the FBI operation as “misconduct”.

Worst year ever
If the current trend in data breaches keeps up, 2017 is on track to be the worst year ever. The first three months have set records, with more than 1,250 breaches resulting in the exposure of 3.4 billion records. The figures come from the ‘Q1 2017 Data Breach QuickView Report’ from RiskBased Security. One particular trend noted by the report is cyber-criminals using data stolen via phishing attacks to fraudulently file W-2 tax forms in the US to claim rebates. Business email compromise (BEC) has also seen a sharp rise. And there has been an increase in the sale of large datasets of stolen information on underground markets. The report is available here: http://bit.ly/2s6i4fD.

Vulnerability disclosure
Threat intelligence company Recorded Future says that three-quarters of software vulnerabilities are publicly disclosed – on blogs, social media, code-sharing sites and underground forums – before they make it into NIST’s centralised National Vulnerability Database (NVD). This is based on the firm’s study of over 12,500 Common Vulnerabilities and Exposures (CVEs). This is making organisations vulnerable to exploits that leverage these vulnerabilities if the firms rely on just the standard published sources to assess their exposure. Additionally, the vulnerability content available on the dark web illustrates that the criminal community is actively monitoring and acting on the broad set of sources where vulnerability information is initially released, says Recorded Future. The median lag between public disclosure and publication on the NVD was seven days. This time lag also differs significantly between vendor announcements and NVD publishing, with the fastest vendor having an average delay of one day and the slowest 172 days. Some 5% of vulnerabilities are detailed on the dark web prior to NVD release and these have the highest severity levels. There’s more information here: http://bit.ly/2sx7noP.

Mac ransomware
Ransomware is now available for Apple’s macOS platform, although the standard doesn’t appear to match the many varieties found on Windows. Security firm Fortinet said it has seen MacRansom being offered as ‘ransomware as a service’ so that would-be cyber-criminals can simply sign up via an online portal stating the ransom they want to extort from victims and the time and date they want the malware to take effect. The creators will provide samples and even offer a demonstration video. There’s more information here: http://bit.ly/2rWiLtv.


Reviews

BOOK REVIEW
The Plot to Hack America
Malcolm Nance. Published by Skyhorse Publishing. ISBN: 9781510723320. Price: $18.99, 216pgs, paperback. E-book editions also available.

Any doubts about whether Russia really did attempt to meddle in the 2016 US presidential election are rapidly evaporating. Although attribution for actions in cyberspace is tricky, the evidence is being piled high. So Malcolm Nance’s book is a useful summation of what was known at the time he wrote it.

But there’s a problem with this type of book. It was rapidly rendered out of date. The main part of the book was written before the result of the election was known. And there have been several important developments since, such as the leaks by Reality Winner and the ongoing congressional investigation.

This book has all the hallmarks of something dashed out to exploit public interest in a hot topic. It’s not just that there are frequent typos and repetitions, with the same information often being restated within just a few paragraphs; the book also fails to frame the issues in a coherent way. Nance is an intelligence community insider and so presumably has a good grasp of the concepts (although his explanations of some things, such as water-hole attacks, are dubious at best and suggest that even he doesn’t understand them fully). However, in rushing through the story, the author often fails to convey the full significance of some aspects.

In the end, this book lacks depth and real analysis. It’s already well behind this constantly unfolding story. And the structure is somewhat chaotic. It does, nonetheless, offer a handy précis of the situation up to a point in time and manages the occasional insight, particularly in terms of how the Russian intelligence services operate.

For more information, go to: http://bit.ly/2sT6t3o.
– SM-D

BOOK REVIEW
Practical Forensic Imaging
Bruce Nikkel. Published by No Starch Press. ISBN: 978-1-59327-793-2. Price: $49.95, 320pgs, paperback. E-book edition also available.

Digital forensics have come a long way. But then so has technology, meaning that forensic examiners face ever-more complex environments in which digital evidence must be preserved and analysed.

This used to be so much easier. There was a time when police officers, say, could haul away a suspect’s floppy disks and examine them at their leisure. (Although I know of one instance in which said officers seized a suspect’s twin-floppy PC but left the disks behind.)

Today, forensic practitioners are faced with devices that are rarely switched off. And the complex operating systems they run are constantly making invisible changes – reading and writing data in the background, updating parameters and refreshing state. And this presents a challenge for the forensic examiner who wants to make a copy of the target machine’s data and be able to say – in court, if necessary – that the copy is a true representation of the condition of the machine and the data on it at the time of seizure.

One of the key steps in digital forensics is acquiring an image of the machine’s persistent storage – hard disks, solid-state drives, memory sticks and optical storage – as a means of preserving evidence. (Copying the contents of memory is also, and increasingly, a critical step but beyond the scope of this book.) Tools for achieving this have been with us for a long time but most of them – such as the EnCase range – are typically very expensive, proprietary solutions.

As is so often the case, open source software provides a low-cost alternative, and that’s Bruce Nikkel’s focus here. He explains how to use the Linux platform and a range of readily available tools to acquire and secure digital evidence. As the title suggests, it’s a hands-on procedural guide – a ‘how to’ manual, if you like – with pretty much all of the action taking place on the command line.

If working only with command-line tools makes you think that the techniques described here might be limited in scope, think again. For one thing, as Nikkel points out, many of the platforms that investigators face today are embedded or single-board systems such as the Raspberry Pi, where working on the command line is the only option available. The book also tackles many of the latest interfaces and technologies, such as NVME and Sata Express, Thunderbolt, hybrid SSDs and more.

As is usual with this kind of book, it starts with describing how to set up your platform with all the necessary tools and how to go about planning and preparing for a forensic examination. From that point on, though, it’s possible to treat this as a workshop manual, dipping into the bits you need to perform specific tasks.

There’s plenty that isn’t covered here – enterprise-class storage, proprietary devices, cloud data and so on. But the book does cover the most common platforms and in a very accessible way. That approach, and the fact that the book revolves around low-cost tools, is significant because the need to acquire forensic data now extends beyond law enforcement agencies and the forensic specialists that support them. For example, security practitioners within enterprises now find themselves having to do far more forensic investigation (if they ever did any in the first place) as a result of the sheer number of attacks and breaches that are occurring. While Nikkel has partly aimed the book at existing forensic practitioners who want to hone their Linux command-line skills, he has also targeted systems administrators and incident response teams who may not previously have carried out this kind of work.

It’s commonly said, these days, that you should assume the bad guys have already breached your networks. The ability to carry out forensic examinations is one of the key skills you’ll need to respond to that. This book is a solid introduction to acquiring those skills.

For more information, go to: http://bit.ly/2rgOQNQ.
– SM-D

FEATURE

Fighting application threats with cloud-based WAFs
Daniel Shugrue, Akamai Technologies

Companies that conduct business online must ensure that their websites, web applications and APIs are protected from attack. They understand that any vulnerabilities, however small, could render not only their site, but also their applications unavailable for use by customers, staff or partners. They also understand that vulnerabilities provide a doorway for hackers that can lead to the exposure and loss of sensitive data, such as personal information entrusted to the company by customers, or confidential documents.

Make no mistake, application layer attacks in all their forms are a major threat to businesses, potentially leading to the theft or destruction of customer or corporate data, creating significant difficulties for the business. Even enterprises that believe they have deployed sufficient security solutions can inadvertently expose themselves through poorly coded application programming interfaces (APIs), resulting in DDoS and parameter-based attacks. Total web application attacks increased 27% in Q4 2016, compared to Q3, and a 33% increase in SQLi attacks was observed. For UK companies, it's notable that the UK remains one of the top five countries targeted in this way.

As we have seen in the media, this can lead to reputational damage, loss of brand confidence and millions of pounds of lost revenue or regulatory fines. At the time of writing, financial services company Wonga has become the latest UK victim, with a reported 270,000 customer details stolen. When TalkTalk was hacked in 2015 to the tune of 150,000-plus customer records, it later received a fine of £400,000 from the Information Commissioner's Office (ICO), but the company admitted the breach has cost it over £42m.1

However, protecting an online operation is no mean feat, regardless of its size, market or location. There are three main reasons for this: first, the availability of automated tools and knowledge among the hacking community means that it is easier, quicker and cheaper than ever before to launch an application layer (or other) attack against an organisation. Second, the ubiquity of bitcoin has made 'cashing out', formerly the most difficult part of an online fraud operation, relatively easy. The other significant change is the way in which companies utilise their online presence. We no longer live in a world of static web pages delivered to desktop computers: content is dynamic and responsive and capable of being delivered to many different devices. Equally, applications rely on the web to communicate, whether with other business applications, to provide services to customers, or to share data with business partners. These points, coupled with the need to 'connect from anywhere', mean that the attack surface is vast and vectors varied.

Application security

The attacks that often grab the headlines are distributed denial of service (DDoS) attacks and it would be easy to be tricked into thinking that they are the 'most critical' threat, especially when data from Q4 2016 showed that the size of DDoS continued to grow and the number of attacks sized at over 100Gbps increased by 140% compared to the previous year.2 The largest attack measured an astonishing 623Gbps.

Figure: Attacks of over 100Gbps seen in Q4 2016. Source: Akamai.

Application attacks happen 'behind the scenes' and thus don't grab as many headlines as DDoS attacks do. While a successful DDoS attack will take a website offline, a successful application attack is sneaky in that when data is exposed or stolen there are often no tracks left behind to the casual observer or even the security practitioner.

Considering APIs

It's worth considering APIs more specifically, mostly because for the past few years, APIs have been growing in influence, enabling companies to extend


their core assets and services and add new revenue streams. As a result, they now comprise over 25% of the Internet traffic that Akamai sees and they have become a popular component for delivering native mobile applications. However, their rapid evolution has meant that security companies are now having to come up with new solutions to provide appropriate protection and companies need to be aware of the specific weaknesses when it comes to deploying their APIs. The exploits of known vulnerabilities such as SQL injection, as well as denial of service by an excessive rate of calls and slow POSTs, require APIs to have an additional layer of protection, ideally with a positive security model that is designed to easily identify and block any abnormal requests or calls that may be attempting to exfiltrate data or otherwise cause harm or havoc.

In addition to updating for new vulnerabilities, a web application firewall (WAF) solution needs to be continuously updated to reflect changes in the applications that it protects. This requires continuously scanning new web applications as they are first deployed as well as existing applications when they are updated, identifying new vulnerabilities and configuring rules to address those vulnerabilities. Web applications are constantly changing and most organisations do not have the resources or expertise necessary to manage a WAF solution over time.

Figure: Top 10 target countries for web application attacks, Q4 2016, with numbers of attacks in millions. Source: Akamai.

Barriers to implementing firewalls

There is a common theme that runs through the challenges we have raised above – scale, whether it is the threat landscape, traffic volumes or the ability of staff to scale to a point where an internal team can gather the intelligence needed to manage a WAF effectively. With an on-premise WAF, scale is a big issue from a technology perspective. It is not hard to hit a datacentre with a big enough volumetric attack (application or network layer) that will either bring a network down completely, or seriously hinder network performance. Ultimately the pipe connecting the business to the rest of the web will be blocked. Even if staff can respond quickly enough to patch a hole, the traffic continues to block the pipe. This scale issue is why the traditional WAF, with its very specific role, is no longer up to the job.

Figure: SQLi and LFI combined accounted for 88% of observed web application attacks in Q4 2016. Source: Akamai.

The cloud is the answer to this challenge, where scale is not only not a problem, it provides an overwhelming benefit. A cloud-based WAF benefits from the intelligence gained by a dedicated security team and often some form of data analysis engine, while enabling a level of automation

that can outmanoeuvre the most agile in-house team. It also has the benefit of being able to absorb attacks in the cloud, rather than blocking the pipes serving the datacentre, so availability is not impacted. And cloud-based WAFs usually cache content at the edge of the Internet and thus have the benefit of improving performance. Finally, every customer of that WAF provider feeds the firewall, making it stronger and more intelligent, to the advantage of every customer.

Of course, the idea of handing over the care of something so critically important as security to a third party fills some people with fear and this is understandable. We're IT people – we like control! But keeping control in-house has issues as well: problems, including DDoS outages, latency and excessive warnings and alerts, put a huge strain on staff resources. The decision to be made requires balancing of risks. Is the risk of handing responsibility for DDoS and application security to a third party outweighed by the risk of leaving those controls on the inside of the upstream pipe to your ISP? There are other benefits too, such as adding additional services including in-cloud DDoS mitigation, caching or site fail over. A tightly integrated cloud-based WAF will allow you to do a lot more than simply monitor Layer 7 traffic.

The bots are always hunting

Most web attacks are opportunistic, with bots searching sites at random to look for vulnerabilities. Too many enterprises are aware of the risk they are putting themselves in but simply cross their fingers that it won't be their website that comes onto the bot radar next.

A cloud-based web application firewall, driven by a data analysis engine, can automatically respond to pre-determined threats, matching the pace of the tools looking for cracks in the armour. But allowing that level of automation requires a company to have confidence in the solution and the actions it would take in certain situations.

For those firms that have partnered with a cloud provider – and this is a sensible option, particularly for sites with very heavy traffic – there is the necessity to take into account – and act on – the findings of that partner's intelligence. There is little point in simply using the WAF rule set to 'alert' or running them in listen mode, rather than taking action. In the same way that hackers are using bots to constantly identify weak points, new targets and adapting their attacks, companies must take advantage of the intelligence available to them.

Making a real difference

For those with responsibility for ensuring that their websites and APIs are fully protected, there are a number of 'must haves' when assessing vendors to ensure they can stand nose to nose with the threat. It is worth giving particular consideration to four specific requirements for any successful cloud-based security solution:

1. Application layer protection: regularly and automatically updated application firewall 'protection groups' that eliminate the need for companies to manage individual rules. The addition of new protection capabilities without requiring configuration changes. Core protections against SQLi, XSS, RFI, LFI and CMDi attacks.
2. DDoS protection: the facility to implement a reverse web-proxy that will automatically drop all non-HTTP and HTTPS traffic regardless of volume. Additional application layer rate controls, slow POST protection and DoS protection group controls round out the DDoS protection capabilities.
3. Custom rules: the ability to deploy multiple custom rules, providing the flexibility to address any application-specific issues that can benefit from cloud-based protections.
4. Self-service management: it should be possible to easily and fully manage the deployment and ongoing protection of websites and APIs without any dedicated third-party resources.

Constant change

The security landscape changes constantly and it is imperative that enterprises that rely on the web to communicate with, or sell to, their customers are in a position to adjust quickly and with agility. For example, the threat posed by Internet of Things (IoT) devices is serious and should not be dismissed as just a problem for homeowners with smart TVs. The vulnerability of IoT devices has already been exposed with devastating effect and yet there is still a lack of urgency among manufacturers to implement appropriate security for each individual connected device.

While this remains unresolved, companies need to be focused on reducing the downtime, defacement and data theft risks, staying ahead of threats through automatic rule deployments. Unless an organisation is already in the business of developing cyber-security solutions, it will not have visibility into new vulnerabilities and attacks that are constantly evolving. An organisation can choose to implement and manage its own WAF to block DDoS and web application attacks, but aside from the lack of visibility can it afford the investment required in terms of hardware and skilled security professionals? There is an economy of scale achieved by working with specialist partners, where the perceived loss of control is greatly outweighed by the skill and speed with which they can react to the most challenging attacks.

Whichever route a company takes to protect itself, what is clear is that any WAF must itself be constantly evolving and gather the intelligence needed to protect against the known and unknown from application layer and DDoS attacks – and to do it with great speed and scale. The problem is not going away: the scale of a company's internal defences is starting to become irrelevant – if there is a crack, however fine, it will be found. As historian C Northcote Parkinson put it "Delay is the deadliest form of denial".
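The positive security model for APIs and the DDoS controls in the requirements list above (application layer rate controls, slow POST protection) can be sketched in code. What follows is an added example, not Akamai's product code; the endpoint allow-list, thresholds, client addresses and sample requests are constructed for illustration.

```python
"""Added example (not Akamai's code): a positive-security-model gate for an
API, with the two denial-of-service controls the article lists, a per-client
rate limit and slow-POST detection. Endpoints, limits and addresses are
constructed for illustration."""
import re
from collections import deque
from dataclasses import dataclass, field

# Positive model: only the (method, path) pairs and parameters described here
# are accepted; everything else is abnormal and blocked. Hypothetical API.
ALLOWED_ENDPOINTS = {
    ("GET", "/api/v1/orders"): {"page": re.compile(r"[1-9]\d{0,3}")},
    ("POST", "/api/v1/orders"): {"sku": re.compile(r"[A-Z0-9]{6,12}"),
                                 "qty": re.compile(r"[1-9]\d{0,2}")},
}
MAX_BODY_BYTES = 4096          # constructed limit for a POST body


@dataclass
class Request:
    client_ip: str
    method: str
    path: str
    params: dict = field(default_factory=dict)   # query or form parameters
    body_bytes: int = 0        # declared Content-Length
    received_bytes: int = 0    # bytes of the body received so far
    elapsed_s: float = 0.0     # seconds since the request started
    ts: float = 0.0            # arrival time in seconds (monotonic clock)


def check_positive_model(req):
    """Return None when the request matches the allow-list, else the reason."""
    spec = ALLOWED_ENDPOINTS.get((req.method, req.path))
    if spec is None:
        return "unknown method/path"
    unexpected = set(req.params) - set(spec)
    if unexpected:
        return "unexpected parameter(s): " + ",".join(sorted(unexpected))
    for name, pattern in spec.items():
        value = req.params.get(name)
        if value is None or not pattern.fullmatch(value):
            return f"parameter {name} missing or malformed"
    if req.body_bytes > MAX_BODY_BYTES:
        return "body too large"
    return None


class RateLimiter:
    """Sliding-window application-layer rate control per client address."""

    def __init__(self, limit=20, window_s=10.0):
        self.limit, self.window_s = limit, window_s
        self._hits = {}            # client_ip -> deque of arrival times

    def allow(self, client_ip, now):
        q = self._hits.setdefault(client_ip, deque())
        while q and now - q[0] > self.window_s:
            q.popleft()            # forget requests outside the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def is_slow_post(req, min_bytes_per_s=100.0, grace_s=2.0):
    """Slow POST: a body that trickles in far below a minimum rate, tying up
    a server worker. A short grace period avoids flagging requests that have
    only just started."""
    if req.method != "POST" or req.elapsed_s < grace_s:
        return False
    return req.received_bytes / req.elapsed_s < min_bytes_per_s


def decide(req, limiter):
    """Full gate in the order a WAF would apply it: volume controls first,
    then the positive model. Returns ('allow' | 'block', reason)."""
    if not limiter.allow(req.client_ip, req.ts):
        return ("block", "rate limit exceeded")
    if is_slow_post(req):
        return ("block", "slow POST")
    reason = check_positive_model(req)
    if reason:
        return ("block", reason)
    return ("allow", "ok")
```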

About the author

Daniel Shugrue is a director of product marketing at Akamai. He has 15 years of experience working in telecom and security technology. Prior to working at Akamai, he was principal product marketing manager for RSA, the security division of EMC. Shugrue now drives the marketing activities for Akamai Cloud Security Solutions, which provide cloud-based website protection services for many of the world's largest companies.

References

1. Monaghan, Angela. 'TalkTalk profits halve after cyber-attack'. The Guardian, 12 May 2016. Accessed Jun 2017. www.theguardian.com/business/2016/may/12/talktalk-profits-halve-hack-cyber-attack.
2. 'State of the Internet/Security: Report for Q4 2016'. Akamai. Accessed Jun 2017. https://content.akamai.com/pg7969-q4-soti-security-report-uk.html.

GDPR: a milestone in convergence for cyber-security and compliance

Jesper Zerlang, LogPoint

One of the greatest misconceptions in business today is that compliance equates to good business practice – particularly with regard to security. In reality, compliance ensures a base level of security to which companies must adhere in order to 'tick the box'. Cybercrime, however, is evolving at an exceedingly rapid pace, meaning it is often difficult for regulations and legislation to keep up with a changing security landscape. The result is outdated requirements that are often unfit for purpose.

The General Data Protection Regulation's (GDPR) predecessor, the European Data Protection Directive, was adopted in 1995. While ensuring compliance with this Directive was not mandatory, it did help to ensure industry-wide best practice. But since its implementation over 20 years ago, the digital landscape has changed drastically. From a proliferation of data, to increasingly interconnected technologies and a growing amount of processing power, it had become clear that the EU Data Protection Directive was in urgent need of modernisation.

Businesses have been reaping the rewards from this new digital landscape, utilising the increased amounts of data created each day to inform high-level decision-making. What has not kept up with this shift, however, are the regulations and security essentials that coincide with its use. While the majority of organisations do attempt to ensure data security in the modern economy, the baseline set forth by the Data Protection Directive has fallen short as time has progressed. The GDPR presents an opportunity to level the scales and drive greater convergence between cyber-security and compliance – two areas often seen as disparate by business leaders.

Impact on modern business

One of the biggest benefits of the new GDPR is the open wording. The regulation is designed with the future in mind, specifying the minimum security baseline to which data will be subject, as opposed to the minimum requirement to secure it. The focus is far more broad than its predecessor, motivating companies to secure their systems to avoid data breaches where possible and effectively reporting on them when mitigation has failed. This means that in a continuously evolving digital landscape, the regulation should remain relevant to modern business practices for some years to come. A key result of this shift will be the adoption of cyber-resilience, a change in perception that acknowledges that cyber-attacks will occur. Under GDPR it is now the responsibility of each business to proactively prepare for and mitigate the damage caused by an attack, getting back to business-as-usual as soon as possible.

At its core, GDPR's primary objective is to strengthen and harmonise data protection for individuals as well as to simplify regulatory environments for organisations. GDPR contains several new requirements regarding how all organisations should process, store and safeguard personally identifiable information (PII), with financial penalties to ensure they are implemented. Data breaches must now be reported to relevant authorities within 72 hours; Data Protection Officers must be employed; and Subject Access Requests must be met.

Failure to comply with GDPR legislation could result in fines of up to €20m, or in the case of an undertaking defined as a 'business grouping', 4% of annual

worldwide group turnover – whichever is higher.

In theory, this regulation has been in force since its introduction in April 2016. As of May 2018, however, GDPR will be fully enforced, giving companies just over a year to make the necessary changes and ensure compliance. At its core, GDPR is a regulation that encourages digital transformation. By requiring greater categorisation and reporting standards on data held, data becomes far easier to find within an organisation – both for the organisation and – unfortunately – hackers. In case of an attack, the final security hold-out, security through obscurity, is now broken down. With all data mapped and accounted for, GDPR turns security from a consideration into a necessity. In meeting these requirements, organisations are presented with the opportunity to go beyond compliance, integrating modern cyber-security practices to drive operational efficiency.

Connected landscape

The business landscape has changed since the implementation of the first Data Protection Directive. It has taken a number of years, but businesses are now being incentivised to shift with it through GDPR. In 2011, the amount of data created reached 1.8 zettabytes per year; currently, 90% of the total data in existence has been created within the past two years alone.1,2 By 2025, the amount of data created yearly is predicted to rise to a staggering 44 zettabytes. This will in turn put greater security pressures on organisations in the public and private sectors.3 This will be particularly apparent within healthcare organisations, which are especially vulnerable to phishing and social engineering attacks, where valuable stolen data is sold at a premium online.4,5

Following the financial crisis of 2007 and 2008, new technologies were almost exclusively focused on compliance – looking at who is doing what with data and which people are accessing it within individual departments. During this period, organisations were invariably working in silos – different departments with disparate capabilities and data storage methods. While far from an ideal scenario, the smaller amount of data created meant that a siloed approach was feasible. This practice was influenced by the regulations and directives at the time, with organisations following guidelines and maintaining compliance.

Should this siloed approach be utilised today, however, companies would very quickly find themselves falling victim to data breaches. For example, the recent TalkTalk hack resulted in the company losing over 100,000 customers and enduring costs of £60m.6 This hack was revealed to be the work of a single teenager, who exploited the organisation's failure to implement basic security measures.7 Notably, the company experienced £20m in lost revenue due to the reputational damage and a reduced customer base in its fourth quarter in 2016.8

Whereas in previous years, the challenge posed by cyberthreats would be met solely by the department against which the attack was perpetrated, the appointment of a Data Protection Officer represents a recognition that data is now central to an organisation's success. As a facet of GDPR compliance, this new role will go a long way towards providing a holistic overview of the technologies required and data possessed by a company: driving towards analytics and big data utilisation, as well as ensuring cyber-resilience. This overview will be essential to ensuring the security of data across an entire business, as opposed to individual, disparate departments. The challenge, however, will come from implementing this shift in organisations which solely look to meet compliance – with the added requirement of breaking down silos in the process.

Meeting the challenge

When exponential data growth is combined with outdated regulations, the outcome is a staggering level of cyber-risk. Further than the inherent reputational damage, the rising amount of data with which organisations must now work also correlates with greater levels of compliance failings and security risks. The fault for this by no means rests with businesses alone.

The rising amount of data created and used within the private and public sector has created the perfect environment for a new breed of cyber-attacker. In recent months, the use of ransomware has increased exponentially – particularly against large-scale institutions such as hospitals, where one target recently paid $17,000 to recover files.9 When increasing cyber capabilities are combined with a greater financial motivation to attack companies, the result is a pressing requirement for businesses to ensure security.

In meeting the challenges posed by GDPR, organisations will be required to vastly increase the security of their data, systems and processes with modern technologies such as security information and event management (SIEM) acting as an enabler. While GDPR adherence may be a costly process for organisations focusing solely on 'ticking the box', the process can go beyond compliance. Instead, businesses can take advantage of the digitalisation process that GDPR encourages, utilising advanced tools to analyse the big data on offer.

Beyond compliance

Notably, in light of GDPR integration and compliance, cyber-security spending across EMEA is expected to grow to $15.9bn by 2020.10 The benefits of integrating GDPR across a business are clear, however the drive to digital

transformation will require significant planning and review around the people, systems and processes necessary to secure it. Once this has been achieved, the convergence between the once separate practices of cyber-security and compliance will become clear.

Within the financial sector, for example, compliance is becoming increasingly complex – due not only to the amount of data to process but also the increasing requirements to keep it secure. This complexity is exacerbated by the rising number of cyber-attacks in the sector. In 2016 alone, 80 million cyber-attacks were detected against financial services – netting an estimated £8bn in fraudulent transactions.11

Cyber-attacks therefore pose a direct threat not only to businesses, but also to the data they hold, which is frequently personally identifiable in nature. Despite holding a wealth of personal information and a greater motivation to ensure its security, just one in five organisations is confident it could detect a data breach.12

Budgetary limitations

What poses extreme difficulty in the public sector is the consistent theme of fixed budgets, which are invariably set in advance. When ensuring cyber-security within an organisation to meet compliance, this budgetary system can be ineffective. Should a business fall under attack, a yearly budget may be quickly drained in restoring server status, reporting on any data that has been lost and upgrading defences to ensure that the threat is mitigated in future. This allows no further in-budget scope for proactive network defence, leaving businesses open to social engineering attacks such as CEO fraud.

Due to budgetary constraints, organisations have in the past chosen to secure only the most mission-critical elements of their business. In today's digital landscape, there exists a greater number of threat actors, methodologies and entry points. Any device an employee uses within the office represents a potential threat. Internet of Things devices, which are hacked an average of 360 seconds after going online, provide backdoor access into otherwise secured networks.13 With so many threats and a myriad of entry methods, single, unsecured elements of a firm can act as a staging ground for much broader attacks.

When cyberthreats are able to hit any element of a network, the solutions must be equally as all-encompassing. Air-gapping a network, as recently attempted by the Singaporean Government, is only a viable solution until an employee plugs an infected USB into a port.14

To adhere to GDPR going forward, businesses must shift towards digitalisation, ensuring a holistic overview of all data held within a company and an all-encompassing security focus on that basis. Once this is achieved, the onus can shift away from damage control and towards mitigation and cyber-resilience.

Proactive security

Data normalisation is fast becoming an essential for modern business under GDPR, with SIEM technology playing a key role. Often, the data held is stored in different formats, meaning that a huge amount of time is required to manually detect a breach or event. Once this data is normalised, however, searching for anomalies and identifying threats is a much more streamlined process, allowing rapid response times, preventing or minimising the quantity of data stolen and avoiding fines from delayed reporting.

Further to this, one of the key elements of GDPR compliance is meeting Subject Access Requests (SAR). The process of normalisation not only allows for a greater level of proactive security, but the easy access to available data means that once a SAR is received, the recipient can accurately access every piece of information held on them.

Once normalisation is in place, intelligent technology is essential to maximise its potential through big data. Network monitoring and analytics, enabled through this normalisation process, can go further than compliance. Ransomware attacks, for example, are one of the most prolific attacks affecting business globally. These are identified through high frequency file changes on a computer or network, changes which happen at speeds impossible for a human to make or detect. If a file is not catalogued correctly, the baseline of monitored data is muddied, with attacks going unnoticed until the damage is already done. However, should a qualifying number of files be changed in a short period of time, alerts can be sent to relevant stakeholders and damage can be mitigated.

GDPR represents a demand for effective data management practices, with cyber-security fast becoming synonymous with compliance. Where data threats may have not previously been identified due to disparate, non-communicative systems, the rapid response allowed by technology-enabled normalisation can assist with proactive cyber-security.

With under one year until GDPR comes into force, many businesses are yet to fully implement an effective digitalisation strategy – not only risking non-compliance, but missing out on the business benefits inherent in a data-driven organisation. Beyond compliance, GDPR represents an opportunity for companies to shift towards a digital future, effectively utilising big data to make informed business and security decisions. It is now the responsibility of each individual organisation to ensure that they benefit from this shift through innovative technologies, instead of falling foul of GDPR fines.

About the author

Jesper Zerlang, CEO at LogPoint (www.logpoint.com), has a background in larger corporates such as Telia, Dell, HP and AP Moller Maersk – always with a strong customer focus. His entrepreneurial interests have driven him to smaller organisations to spark innovation and growth – with experience in businesses such as private equity, IP telephony, IT hardware technologies and IT security. Zerlang serves on the board of directors of other high-potential software companies and has supplemented his academic background with executive management programmes from Harvard Business School.
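The 'Proactive security' pipeline described above, normalising differently formatted log records into one schema and then alerting when a host changes a qualifying number of files in a short window, as an added example that is not LogPoint's SIEM code; the two log formats, host names, thresholds and log lines are constructed for illustration.

```python
"""Added example (not LogPoint's code): normalise file-change events that
arrive in two different log formats into one schema, then alert when a
single host modifies a qualifying number of distinct files inside a short
window, the ransomware signal the article describes. Both formats, the
hosts, the thresholds and the log lines are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Two hypothetical source formats for the same kind of event:
#   A (key=value, Unix epoch):   ts=1497000000 host=ws01 op=modify path=/home/u/a.docx
#   B (syslog-like, ISO time):   2017-06-09T09:20:00Z ws01 fileaudit: MODIFY /home/u/b.xlsx
_FMT_A = re.compile(r"^ts=(?P<ts>\d+) host=(?P<host>\S+) op=(?P<op>\w+) path=(?P<path>\S+)$")
_FMT_B = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) fileaudit: (?P<op>[A-Z]+) (?P<path>\S+)$")


def normalise(line):
    """Map one raw line to {'ts': epoch seconds, 'host', 'op' (lower-case),
    'path'}, or None when it matches neither format (such lines go to a
    quarantine queue instead of silently muddying the baseline)."""
    m = _FMT_A.match(line)
    if m:
        return {"ts": int(m["ts"]), "host": m["host"],
                "op": m["op"].lower(), "path": m["path"]}
    m = _FMT_B.match(line)
    if m:
        dt = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return {"ts": int(dt.timestamp()), "host": m["host"],
                "op": m["op"].lower(), "path": m["path"]}
    return None


def detect_bursts(events, window_s=60, threshold=5, ops=("modify", "rename")):
    """Sliding window per host over normalised events: alert when at least
    `threshold` distinct files are modified/renamed within `window_s`
    seconds. Returns one alert per host at the first crossing."""
    per_host = defaultdict(list)
    for e in events:
        if e["op"] in ops:
            per_host[e["host"]].append(e)
    alerts = []
    for host, evs in sorted(per_host.items()):
        evs.sort(key=lambda e: e["ts"])
        in_window = {}            # path -> number of its events inside the window
        start = 0
        for e in evs:
            in_window[e["path"]] = in_window.get(e["path"], 0) + 1
            while e["ts"] - evs[start]["ts"] > window_s:   # slide the window
                old = evs[start]["path"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                alerts.append({"host": host, "first_ts": evs[start]["ts"],
                               "last_ts": e["ts"], "files": len(in_window)})
                break             # one alert per host is enough to page someone
    return alerts


def run(lines):
    """Normalise every line, keep unparseable ones aside, and run detection."""
    events, rejected = [], []
    for line in lines:
        e = normalise(line)
        if e is None:
            rejected.append(line)
        else:
            events.append(e)
    return events, rejected, detect_bursts(events)


# Constructed sample: ws01 touches six files in 50 seconds in mixed formats
# (ransomware-like), ws02 touches three files over an hour (normal use).
SAMPLE_LOG = [
    "ts=1497000000 host=ws01 op=modify path=/home/u/q1.docx",
    "2017-06-09T09:20:10Z ws01 fileaudit: MODIFY /home/u/q2.xlsx",
    "ts=1497000020 host=ws01 op=rename path=/home/u/q3.pdf",
    "2017-06-09T09:20:30Z ws01 fileaudit: MODIFY /home/u/q4.pptx",
    "ts=1497000040 host=ws01 op=modify path=/home/u/q5.docx",
    "ts=1497000045 host=ws01 op=read path=/home/u/q5.docx",   # reads are ignored
    "ts=1497000050 host=ws01 op=modify path=/home/u/q6.jpg",
    "ts=1497000000 host=ws02 op=modify path=/srv/report.csv",
    "ts=1497001800 host=ws02 op=modify path=/srv/report2.csv",
    "ts=1497003600 host=ws02 op=modify path=/srv/report3.csv",
    "garbage line that matches no format",
]

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG)[2]:
        print(alert)
```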


References

1. Mearian, Lucas. 'World's data will grow by 50x in next decade, IDC study predicts'. ComputerWorld.com, 28 Jun 2011. Accessed Mar 2017. www.computerworld.com/article/2509588/data-centre/world-s-data-will-grow-by-50x-in-next-decade-idc-study-predicts.html.
2. Wall, Matthew. 'Big Data: Are you ready for blast-off'. BBC.co.uk, 4 Mar 2014. Accessed Mar 2017. www.bbc.co.uk/news/business-26383058.
3. Turner, Vernon. 'The Digital Universe of Opportunities'. IDC, Apr 2014. Accessed Mar 2017. www.emc.com/leadership/digital-universe/2014iview/executive-summary.htm.
4. Whittaker, Zack. 'A hacker is advertising millions of stolen health records on the dark web'. ZDNet.com, 27 Jun 2016. Accessed Mar 2017. www.zdnet.com/article/hacker-advertising-huge-health-insurance-database/.
5. Donnelly, Laura. 'Largest NHS trust hit by cyber-attack'. Telegraph.co.uk, 13 Jan 2017. Accessed Mar 2017. www.telegraph.co.uk/news/2017/01/13/largest-nhs-trust-hit-cyber-attack/.
6. Farrell, Sean. 'TalkTalk counts costs of cyber-attack'. The Guardian, 2 Feb 2016. Accessed Mar 2017. www.theguardian.com/business/2016/feb/02/talktalk-cyber-attack-costs-customers-leave.
7. Jones, Sam; Thomas, Daniel. 'Experts say TalkTalk had 11 serious website vulnerabilities'. FT.com, 30 Oct 2015. Accessed Mar 2017. www.ft.com/content/e5eead0c-7f0b-11e5-98fb-5a6d4728f74e.
8. Hall, Kat. 'TalkTalk admits losing £50m and 101,000 customers after THAT hack'. The Register, 2 Feb 2016. Accessed Mar 2017. www.theregister.co.uk/2016/02/02/talktalk_hack_cost_60m_lost_100k_customers/.
9. 'Three US hospitals hit by ransomware'. BBC News, 23 Mar 2016. Accessed Mar 2017. www.bbc.co.uk/news/technology-35880610.
10. 'New Regulations Impact EMEA Cyber-security Market in 2016, IHS Says'. IHS, 11 May 2016. Accessed Mar 2017. https://technology.ihs.com/578184/new-regulations-impact-emea-cyber-security-market-in-2016-ihs-says.
11. Ashford, Warwick. 'Cyber-criminals net £8bn from financial services in 2016'. ComputerWeekly.com, 27 Feb 2017. Accessed Mar 2017. www.computerweekly.com/news/450413850/Cyber-criminals-net-8bn-from-financial-services-in-2016.
12. Coumaros, Jean; Chemin, Marc. 'The Currency of Trust: Why Banks and Insurers Must Make Customer Data Safer and More Secure'. Capgemini Consulting, 2 Feb 2017. Accessed Mar 2017. www.capgemini-consulting.com/resources/data-privacy-and-cyber-security-in-banking-and-insurance.
13. Leyden, John. 'Sweet, vulnerable IoT devices compromised 6 min after going online'. The Register, 17 Oct 2016. Accessed Mar 2017. www.theregister.co.uk/2016/10/17/iot_device_exploitation/.
14. Wagstaff, Jeremy; Aravindan, Aradhana. 'Mind the air-gap: Singapore's web cut-off balances security, inconvenience'. Reuters.com, 24 Aug 2016. Accessed Mar 2017. http://uk.reuters.com/article/us-singapore-Internet-idUKKCN10Y2F1.

How automating data collection can improve cyber-security

Jay Botelho, Savvius

The fallout from a data breach can be catastrophic. We have yet to understand the full impact of the massive Yahoo breach, but that doesn't mean that smaller and equally damaging breaches aren't taking place every single day.

The scale of Yahoo's breach may be unparalleled, but the problems are not. The simple fact is that it takes way too long to discover and resolve breaches. And something has to be done about it.

Security drivers

According to a report by the SANS Institute, the majority of companies already spend up to 12% of their annual IT budget on security.1 The reasons behind this kind of spend include a variety of business drivers, including the need to protect sensitive data, improve incident response, and of course to comply with legal requirements as defined by the General Data Protection Regulation.2

Security technologies have evolved as a means to defend against hackers, while cyber-criminals have a clear motive to make money by stealing data. To illustrate how lucrative cybercrime can be, we need only look at the Darknet. This seedy underbelly of the Internet is a haven for an incredible volume of hidden criminal commerce. In congressional testimony in September 2015, FBI director James Comey referred to the darknet as: "A world full of criminals, which is why investigators for the FBI and our partners spend a whole lot of time there." Putting a dollar figure on


their activity is difficult, but according to the United Nations Office on Drugs and Crime, cybercrime was estimated to rake in $600bn in 2017, more than any other form of crime, even exceeding the value of the drug trade. So we know that there is money in cybercrime. A logical question to ask, then, is whether security methods can keep up.

Under the radar

In the past, traditional security methodology relied almost exclusively on incremental improvements and updated signatures in firewalls; intrusion detection and prevention technologies (IDS/IPS); and security information and event management (SIEM) devices. Without being disparaging about these devices – because they are fantastic at what they do – they are far from perfect. In recent years, hackers have become much better at developing (and sharing) smarter, better targeted and more automated tools that help them fly 'under the radar' without having to bombard an enterprise security system (unless their goal is a distributed denial of service attack). Attackers understand that IDS/IPS/

only becoming more common against enterprises and SMBs, but they're also increasingly sophisticated. A common way for a hacker to gain a foothold in a network is to use email or other forms of communication that cause a victim to reveal sensitive information, click on a malicious link, or open a file with a malicious attachment. These emails are often disguised to look like legitimate messages from someone inside the organisation. With hackers deploying increasingly realistic ways to fool employees and individuals into handing over valuable company data or passwords, enterprises need to be significantly more diligent if they want to get ahead of cyber-criminals.

Contrary to what we see in movies, most successful hacks are generally not the result of bad actors trying to exploit technical flaws or zero day vulnerabilities. Rather, they target people who accidentally give them access to a network. Symantec claims that only about 3% of the malware it encounters is an attempt to exploit a technical vulnerability. The other 97% is aimed at tricking users through some kind of social engineering scheme.

hacker to quietly gain access to an enterprise network and sit there undetected for many months while looking around and preparing to exfiltrate valuable data.

Overwhelmed analysts

We know that organisations are in a constant arms race with hackers and we shouldn't expect this to change any time soon. In fact, it will probably get worse. The latest IBM and Ponemon 2016 Cost of Data Breach Study found that malicious and criminal attacks took an average of 229 days to discover and an additional 82 days to resolve.3 Why so long? This is a complex issue, but a lot of the blame lies in the fact that security analysts are overwhelmed with data. As more and more alerts are generated by an enterprise's IDS/IPS devices, analysts can only investigate a handful each day.

Figure: Mean time to identify and contain breaches. Source: IBM/Ponemon Institute.

Turning again to recent well-known incidents helps to illustrate this problem. An obvious one is the breach that took place at big-box retailer Target. Security expert and blogger Brian Krebs was the first to break the news of the Target breach, in which the card data of 40 million cardholders and the phone numbers and email addresses of 70 million customers were compromised during the 2013 holiday shopping period.4 He described the Target incident as an APT, or advanced persistent threat, in which hackers were able
The most common of these is a to access Target’s network via one of SIEMs work, so they have become much phishing or spear-phishing attack, which the company’s third-party vendors. The more adept at avoiding those known may rely on things such as fake court hackers then remained undetected for detection techniques. notices or IRS refund ransomware to months, waiting for an advantageous One of the most common meth- prompt an individual to respond. time to strike. ods used by hackers today is social Ultimately, it takes just one chink More recently, Yahoo’s massive breach engineering. These attacks are not in an enterprise’s security armour for a went undetected for years, ultimately

12 Network Security June 2017 FEATURE compromising hundreds of millions of models assume the hacker is already go to something like a SIEM dashboard users’ data and damaging Yahoo’s repu- present and focus efforts on finding and and log into a host machine or other tation and value. Even after being alerted removing his outposts(s) and determin- UI, switching between multiple software to the breach, it took Yahoo months to ing the compromised resource and the applications or devices to access informa- announce the true extent of the damage. extent of the damage. tion. This is ridiculously time consuming The fact is that sophisticated hackers will In practice, this means two things; and inefficient. use any means they can to gain access being able to discover and remove infil- The security industry needs to develop to an enterprise network and they often trations faster and having the best data automated processes that automatically won’t be detected for many months. available to unequivocally determine collect relevant ‘suspicious’ packet data the damage done. This is not the time and make it readily available for analysts. Two-part solution for the kind of imprecision we’ve seen This will make their jobs more efficient, over and over again - first report: two while helping them to investigate more So what’s the solution? The answer is million records were compromised; alerts each day. If that can happen, I twofold. First, for those who continue after a bit more research, it turns out think it’s reasonable to expect analysts’ to subscribe to the theory of real-time to be really 20 million; and in the final productivity to increase significantly, detection and prevention, security ana- analysis, the real damage was 80 mil- whether searching for bad actors on the lysts need tools and processes that enable lion records compromised. For both a fly, or retracing their steps long after them to work much more efficiently. 
It’s security professional and a victim, this they’ve gained access. amazing that companies deploy security is unacceptable. solutions to produce all these alerts, but About the author they don’t have the bandwidth to ana- “Critical network packet data Jay Botelho is director of products at Savvius lyse them. The most logical reasons are can be stored for months, (www.savvius.com), which offers packet that security analysts don’t have access allowing security analysts to intelligence solutions for network perfor- to the right data and they cannot access work on the premise that the mance management and security inves- it quickly enough. This is a huge prob- hacker is already present and tigations. He holds an MSEE and is an lem. Current solutions require a multi- industry veteran with more than 25 years of step process where security analysts go has been for a while” experience in product management, product to multiple systems for aggregated yet marketing, programme management and uncorrelated data, then to specific com- Just as in the real-time case, the best complex analysis. From the first mobile puters for detailed information, and then data to address the imprecision we see computers developed by GRiD Systems to must correlate all the data manually. The today in security forensics is network modern day network infrastructure systems, very best data is in the network packets, packet data. As alerts are received from a Botelho has been instrumental in setting but none of it is indexed to the alert, security system, a computer should parse corporate direction and specifying require- and access to such data is typically a net- them, storing only the network packet ments for hardware and software products. work function, not a security function. data that correlates with the source of the He is based at Savvius’ headquarters in And if the alert is older than a few days, alert. By doing so, critical network packet Walnut Creek, California. 
then the original packet data have prob- data can be stored for months, allowing ably been discarded. Security engineers security analysts to work on the premise References need access to all of the packets related that the hacker is already present and has 1. ‘IT Security Spending Trends’. to an alert right at their fingertips, at the been for a while. Security-relevant packet SANS Institute. Accessed Jun 2017. click of a button. data, along with log data from a SIEM, www.sans.org/reading-room/white- can be pulled together in the background, papers/analyst/security-spending- “It takes just one chink in an automatically, making it easier for an trends-36697. enterprise’s security armour analyst to access the data with a single 2. EU GDPR Portal, home page. for a hacker to quietly gain click and evaluate whether an issue needs Accessed Jun 2017. www.eugdpr.org/. further investigation. If, for example, the 3. ‘2016 Ponemon Cost of Data Breach access to an enterprise log and packet data don’t match, then a Study: Global Analysis’. IBM/ network and sit there deeper look may be warranted. Ponemon Institute. Accessed Jun undetected for many months” 2017. https://www.ibm.com/mar- Automating data keting/iwm/dre/signup?source=mrs- But second, and even more impor- form-1995&S_PKG=ov49542. tantly, while there is still a widely-held collection 4. Krebs, Brian. ‘Sources: Target investi- mythology that rapid response to hacker Automating alert-related data collection gating data breach’. Krebs on Security, attacks is possible, all of the evidence will allow that data to be stored in a cen- home page. Accessed Jun 2017. https:// indicates that there is little chance of tral location, but that one place doesn’t krebsonsecurity.com/2013/12/sources- catching a bad actor ‘on the fly’. Better exist yet. Currently, analysts typically target-investigating-data-breach/.
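The alert-to-packet correlation that Botelho argues for in the article above can be sketched in a few dozen lines. What follows is an added example, not code from the article or from Savvius: it parses constructed Snort-style alert lines, pulls from a constructed in-memory packet index the packets on the same flow within a few seconds of each alert, keeps only those packets for retention, and flags the cases where the log and packet evidence disagree. The alert format, the packet record layout and the five-second window are assumptions.

```python
"""Correlate IDS alerts with captured packets and flag log/packet disagreement.

Added example, not code from the article or from Savvius. The alert lines,
the packet index and the field layouts below are constructed sample data; the
Snort-like "fast" alert format and the +/- 5 s window are assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed alert lines in a Snort-like "fast" format (MM/DD-HH:MM:SS.us).
ALERT_LINES = """\
06/01-09:15:02.123456  [**] [1:2001:5] SAMPLE outbound beacon to known C2 [**] [Priority: 1] {TCP} 10.0.0.25:51234 -> 203.0.113.9:443
06/01-09:20:44.000001  [**] [1:2002:1] SAMPLE suspicious DNS TXT query [**] [Priority: 2] {UDP} 10.0.0.31:53211 -> 198.51.100.53:53
06/01-10:02:10.500000  [**] [1:2003:2] SAMPLE SMB share enumeration [**] [Priority: 2] {TCP} 10.0.0.77:44112 -> 10.0.0.5:445
"""

# Constructed packet index: what a capture appliance would hold per packet.
PACKETS = [
    {"ts": "06/01-09:15:01.900000", "proto": "TCP", "src": "10.0.0.25", "sport": 51234, "dst": "203.0.113.9", "dport": 443, "len": 74},
    {"ts": "06/01-09:15:02.100000", "proto": "TCP", "src": "203.0.113.9", "sport": 443, "dst": "10.0.0.25", "dport": 51234, "len": 74},
    {"ts": "06/01-09:15:02.200000", "proto": "TCP", "src": "10.0.0.25", "sport": 51234, "dst": "203.0.113.9", "dport": 443, "len": 1514},
    {"ts": "06/01-09:20:44.000500", "proto": "UDP", "src": "10.0.0.31", "sport": 53211, "dst": "198.51.100.53", "dport": 53, "len": 312},
    {"ts": "06/01-10:45:00.000000", "proto": "TCP", "src": "10.0.0.77", "sport": 44112, "dst": "10.0.0.5", "dport": 445, "len": 90},
    {"ts": "06/01-09:15:02.150000", "proto": "TCP", "src": "10.0.0.40", "sport": 40001, "dst": "203.0.113.9", "dport": 443, "len": 74},
]

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_ts(text):
    """Alert and packet timestamps share the year-less MM/DD-HH:MM:SS.us layout."""
    return datetime.strptime(text, "%m/%d-%H:%M:%S.%f")


def parse_alert(line):
    """Return the alert's fields as a dict, or None for a line that is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["ts"] = parse_ts(alert["ts"])
    alert["sport"], alert["dport"] = int(alert["sport"]), int(alert["dport"])
    return alert


def flow_key(rec):
    """Direction-agnostic flow identity, so replies are kept together with requests."""
    return (rec["proto"], frozenset({(rec["src"], rec["sport"]), (rec["dst"], rec["dport"])}))


def correlate(alert_text=ALERT_LINES, packets=PACKETS, window=timedelta(seconds=5)):
    """Attach to each alert the packets on its flow within +/- window of the alert time."""
    results = {}
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        key = flow_key(alert)
        lo, hi = alert["ts"] - window, alert["ts"] + window
        same_flow = [p for p in packets if flow_key(p) == key]
        hits = [p for p in same_flow if lo <= parse_ts(p["ts"]) <= hi]
        if hits:
            verdict = "corroborated"
        elif same_flow:  # the flow exists, but not when the sensor says it fired
            verdict = "flow seen only outside alert window: deeper look warranted"
        else:
            verdict = "no packet evidence for alert: deeper look warranted"
        results[alert["sid"]] = {"alert": alert, "packets": hits, "verdict": verdict}
    return results


def retained_packets(results):
    """Packets worth keeping long-term: only those tied to an alert, each once."""
    keep, seen = [], set()
    for r in results.values():
        for p in r["packets"]:
            if id(p) not in seen:
                seen.add(id(p))
                keep.append(p)
    return keep


if __name__ == "__main__":
    res = correlate()
    for sid, r in res.items():
        print(f"{sid} {r['alert']['msg']!r}: {len(r['packets'])} packet(s), {r['verdict']}")
    print(f"retaining {len(retained_packets(res))} of {len(PACKETS)} packets")
```

Two design points are worth noting. The flow key is direction-agnostic, so the C2 server's replies are stored alongside the beacon that triggered the alert, which is what an analyst wants to see first. The third alert is the interesting case: the flow does exist in the capture, but forty minutes after the sensor said it fired, so rather than silently attaching unrelated packets the example reports the mismatch, which is exactly the "log and packet data don't match" condition the article says should prompt a deeper look.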

Leaks and ransoms – the key threats to healthcare organisations

Steve Mansfield-Devine, editor, Network Security

Of all the personally identifiable information (PII) that could be leaked, healthcare data is arguably the most intimate and worrying. You would think that healthcare organisations would try their hardest to protect that information and yet they are constantly in the headlines following leaks and successful cyber-attacks. In this interview, Niall MacLeod, sales engineering manager EMEA at Anomali, explains how healthcare organisations are getting better at managing information security, but that the road ahead isn’t easy.

Niall MacLeod, sales engineering manager EMEA at Anomali, has been involved in cyber-security since the early 2000s, working across sales engineering, consulting and architecture. His first SIEM installation was back in 2004 and other roles have covered securing web-facing infrastructure for government; evaluating disaster recovery plans for an investment bank; and PCI audits of retail organisations. MacLeod joined Anomali in 2016, where he works with platforms addressing threat intelligence. He holds CISA and CISSP certifications and was previously a PCI QSA.

“Healthcare organisations globally are facing the same challenges,” he says. “We’re seeing data breaches across sectors increasing everywhere. The Information Commissioner’s Office [ICO] says there were 239 data security breaches from June to October last year, covering the NHS and other UK healthcare providers and cyber breaches accounted for about 74 of those. We’re seeing, within the UK, breaches of health providers probably account for most of those reported to the Information Commissioner’s Office. Partially that’s to do with the NHS’s mandatory reporting requirements, but as a generalisation, I think that attacks focused on healthcare providers are on the increase globally and definitely within the UK.”

Accidents and malice

Not all data breaches are the result of malicious attacks. Many are the result of carelessness resulting in the accidental loss of data. MacLeod mentions the incident in Orkney in 2014 when patient notes were left on the pavement outside Balfour Hospital.1 And in February 2017 it was discovered that a company responsible for delivering correspondence from National Health Service (NHS) services – including hospitals, clinics and GPs – had instead stored many of the letters and reports in a warehouse.2 Around 500,000 pieces of correspondence, which included test results and treatment plans, were mishandled by NHS Shared Business Services (NHS SBS), a private company co-owned by the Department of Health and French firm Sopra Steria that provided document delivery services for NHS England. Following the discovery, NHS England set up a team to address the problem, but did so in secret, leading to accusations of a cover-up.

However, while there is certainly the potential for harm with such accidental exposure, it’s often difficult to point to concrete examples of damage caused by the breach of information per se. (In the case of the NHS SBS incident, the harm is most likely to have arisen from the non-delivery of the documents.)

The same cannot be said where data breaches are the result of malicious activity.

“We’re looking at attacks focused on personally identifiable information, maybe details of NHS employees themselves,” says MacLeod. “We’re looking at attacks focused on electronic health records. We’re looking at traditional hacking. This could get quite serious, with the proliferation of medical devices that are out there. We’ve got a lot of critical systems within hospitals that are Internet connected these days – on a network and possibly vulnerable, running on legacy systems.”

Ransom demands

Notoriously, the healthcare sector has also been heavily targeted in ransomware attacks. Some of the first victims to be identified in the recent WannaCry (aka WannaCrypt0r 2.0) spree were UK healthcare organisations, leading to the mistaken assumption – at least early in the campaign – that the attackers behind WannaCry were specifically targeting the NHS.3 However, just because the WannaCry campaign turned out to be rather more catholic in its taste for victims, the fact that healthcare organisations were hit – and were among the first – is not without significance. That’s because WannaCry was unusual. The vast majority of ransomware campaigns have used spamming and mass phishing attacks to achieve their infections. WannaCry, however, is now known to have employed both carefully targeted spear-phishing in the initial phases as well as the direct compromising of Internet-connected devices with weaknesses – specifically, the use of outdated SMB protocols – that could be remotely detected. As we’ll see, many healthcare organisations are particularly vulnerable here.

[Figure: Many healthcare organisations were hit as part of the global WannaCry/WannaCrypt0r ransomware campaign.]

WannaCry was far from being the first ransomware campaign to hit healthcare organisations. In fact, they were among the earliest targets when cyber-criminals decided to switch the focus of ransomware campaigns from individuals to businesses. Early in 2016, the Hollywood Presbyterian Medical Centre, a large hospital in Los Angeles, fell victim and ended up paying the attackers.4 Other hospitals soon followed, both in the US and Europe. By October 2016, 14 hospitals had been attacked in the US alone.5

It can be difficult to get exact figures to judge the scale of the problem. Security firms have used Freedom of Information requests in the UK in an attempt to get NHS Trusts to reveal if they have been affected by ransomware attacks, but the results are incomplete. One such survey, by the NCC Group, queried 60 NHS Trusts, of which 31 refused to respond, citing patient confidentiality.6 Worryingly, of the 29 that did reply, all but one said they had been hit by ransomware in the past year. And that one admitted it had also been affected – just not in the preceding 12 months.

A subsequent survey by SentinelOne obtained responses from 94 out of 129 trusts contacted. This found that a third (30%) admitted to having been hit by ransomware.7 One of the organisations – Imperial College Healthcare – had 19 attacks in one year. And of the 15 organisations that were able to offer additional information on the nature of the attacks, 87% said that a networked NHS device was compromised and 80% said the attack involved phishing.

These attacks can be devastating.

“The very big one reported last year was North Lincolnshire & Goole NHS Foundation,” says MacLeod.8 “They were hit by a large ransomware attack – a piece of malware called Globe 2, which is fairly sophisticated. It uses the Bluetooth-encryption algorithm. That attack caused a four-day IT shutdown and 2,800 appointments or procedures were cancelled and many patients, including high-risk patients such as women in labour, were sent to neighbouring hospitals. That was a serious cyber-attack.”

Value of data

Strangely, the targeting of hospitals with ransomware is partly a response, MacLeod believes, to massive breaches in the past that have flooded the underground markets with PII. The cybercrime world is a free market and this has had an effect on the value of that data.

“At one stage, an electronic health record with a lot of PII information was actually worth something, it actually had a monetary value,” he says. “It was probably worth about 10 times the amount that a credit card detail was worth. But there have now been many large-scale breaches in the US, including the Anthem attack back in early 2015, where they lost almost 80 million records – this is larger than the population of the UK. There are just too many [records] out there, so the price of PII coming through from hospitals has dropped dramatically in value. Things that people were advertising for $75 or $100 back in 2015 are now going for $20 to $50.”

That still makes the information worth having, from an attacker’s point of view. But the criminals who are acquiring healthcare PII are not necessarily doing anything with it themselves.


“We track a lot of threat actors out there,” says MacLeod. “One of the famous ones in the US is an organisation called the Dark Overlord. Very often, they just look at this as an asset and they’re not looking to monetise it themselves. They’re just looking to sell that information on to the highest bidder.

“What the highest bidder does with it then is up to them. It might just be identity fraud – to use medical information as background information to allow [them] to open bank accounts. But the implications for medical data are quite incredible. There have been reports of things like prescription medication being ordered through false profiles. In the US, we’ve seen fraudulent insurance claims being launched. Think how this sort of information could be used against you: you have all of your medical history available, but if that was given to your employers, that could be harmful to you. It could contain your sexual history; it could contain your drug use, illegal or not; information to be used by life assurers. There are a number of different ways that this information could be used.”

He gives the example of the Chelsea & Westminster NHS Trust, which was fined £180,000 by the ICO.9 The trust sent an email to around 780 recipients, all of whose email addresses were included in the To: header of the message, instead of the Bcc: field, making them readable by all recipients. Most (730) of the addresses also included the recipients’ full names. To make matters worse, the people listed were all patients of 56 Dean Street, a Soho-based sexual health clinic, who had signed up for an HIV newsletter. This is not the kind of information you want going to the wrong place.

Nonetheless, it still takes a lot of effort to exploit this kind of data. And if the people mounting the cyber-attacks can’t get a good return for their efforts, then it may be better to try something else.

“What’s happening now is that the hackers are looking for other ways to monetise their skills,” says MacLeod, “and ransomware definitely seems to be the flavour of the moment. Targeting a hospital means you’re targeting somewhere that cannot do without computer systems. There could be life-or-death decisions being based on uptime of certain systems. And if hackers can get into and disable those, there’s a very good chance that they will get their ransom paid.”

Uniquely vulnerable

It’s believed that several healthcare organisations, having fallen victim to a ransomware attack, have paid up. Given that the most effective solution to ransomware is to have good back-ups, does this suggest that some of these organisations are ill-prepared for an attack? Or do they have unique vulnerabilities?

“A lot of them do have very good back-up systems, to be honest,” says MacLeod. “And there have been a lot of cases in the UK where the hospitals and trusts have managed to avoid paying ransoms altogether. The problem isn’t really the financial loss, it’s just the disruption. If we look at that previous example – four days of computers being offline, while they were restored from back ups and cleaned, 2,800 appointments and procedures cancelled – just think of how much that costs. In that sort of case, paying a ransom may even have been cheaper! So it’s not the case that organisations cannot recover from these attacks – it’s whether they have the time to do it.”

[Figure: Where digital healthcare breaches occur. Source: Accenture (see box).]

The idea that outdated systems, resulting from a lack of investment, made NHS organisations highly vulnerable gained a lot of traction in the press and social media. Much of the speculation turned out to be unfounded. But are healthcare organisations struggling with legacy equipment?

“Healthcare organisations are really jacking up their cyber-security efforts,” says MacLeod, “but you’ll probably find that they’ve fallen a bit behind the curve. They’re probably behind places like financial services organisations, so there is a lot of spending, a lot of work they have to do around cyber-security.”

He adds: “The legacy systems out there are quite incredible – 15% of workstations still use Windows XP. That hasn’t been supported since about 2014. You have a lot of very specialised equipment – this could be x-ray machines and other scanners – and very often these are connected to the suppliers, sometimes via the Internet, sometimes via VPNs. But very often they’ve been installed and set up with default passwords, so that’s another area that hackers could look to exploit. They are a great target for ransomware-style attacks, because of the time criticality of the data that they hold.”
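Returning to the Chelsea & Westminster mailing described above, the failure was purely one of message construction: a subscriber list placed in the To: header instead of being kept in the SMTP envelope. The following added example (not code from Anomali, the ICO or the trust) shows the safe construction beside the faulty one, plus a pre-send check that refuses to hand the message to the mail server if any subscriber address is readable from its headers. The sender address and subscriber list are constructed, and the `transport` callable stands in for an SMTP call with the argument order of `smtplib.SMTP.sendmail(from_addr, to_addrs, msg)`.

```python
"""Keep bulk-mail recipients out of the headers and verify that before sending.

Added example; not code from Anomali, the ICO or the trust. The subscriber
list and sender address are constructed, and `transport` stands in for an
SMTP call with the argument order of smtplib.SMTP.sendmail(from_addr,
to_addrs, msg).
"""
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "newsletter@clinic.example"   # constructed sender address
SUBSCRIBERS = [                         # constructed subscriber list
    "patient.one@example.org",
    "patient.two@example.net",
    "patient.three@example.com",
]


def build_newsletter(sender, subject, body):
    """Safe form: the list is absent from the headers and travels only in the envelope."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender   # a single non-subscriber address; the list never appears here
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_exposed_newsletter(sender, subject, body, recipients):
    """The mistake in the incident above: every subscriber address placed in To:."""
    msg = build_newsletter(sender, subject, body)
    del msg["To"]
    msg["To"] = ", ".join(recipients)
    return msg


def exposed_recipients(msg, recipients):
    """Subset of `recipients` that any receiver could read from the headers.

    Bcc: is included on purpose: smtplib.SMTP.sendmail() transmits the
    message bytes as given, so a Bcc: header left in place would be sent too.
    """
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    visible = {addr.lower() for _, addr in getaddresses(headers)}
    return sorted(r for r in recipients if r.lower() in visible)


def send_newsletter(msg, recipients, transport):
    """Refuse to hand the message to the server if any recipient is exposed.

    Returns the number of envelope recipients passed to `transport`.
    """
    leaked = exposed_recipients(msg, recipients)
    if leaked:
        raise ValueError(f"recipient addresses exposed in headers: {leaked}")
    transport(str(msg["From"]), list(recipients), msg.as_bytes())
    return len(recipients)


if __name__ == "__main__":
    log = []
    n = send_newsletter(build_newsletter(SENDER, "Clinic news", "Hello."),
                        SUBSCRIBERS, lambda f, t, b: log.append((f, t)))
    print(f"sent to {n} envelope recipients; headers expose none of them")
    try:
        send_newsletter(build_exposed_newsletter(SENDER, "Clinic news", "Hello.", SUBSCRIBERS),
                        SUBSCRIBERS, lambda f, t, b: None)
    except ValueError as exc:
        print("blocked:", exc)
```

The check is deliberately independent of how the message was built, so it can sit in front of any bulk-mail path as a last line of defence; for a list of several hundred sensitive addresses, a refused send is far cheaper than the regulatory fine and the harm to the people on the list.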


Inappropriate sharing

There are other ways that data can be abused. Recently, a deal between the NHS and Google’s DeepMind operation has come under attack.10 The deal was made in 2015 and provides DeepMind with anonymised patient records for use in its Streams app. This monitors for signs of kidney problems and is used in the Royal Free London NHS Foundation Trust and other hospitals. However, there are now strong concerns over the legal basis of the deal and whether the use of the 1.6 million patient records is appropriate.

“The data that was provided to DeepMind went with certain caveats in place,” explains MacLeod, “but it appears that those caveats were probably legally unenforceable and the scope of how that data was used by DeepMind went a lot further than the original intention of the trust.”

Data is a two-edged sword. It’s obviously valuable, both in terms of utility and commercial worth, but can cause great damage when leaked or used in the wrong way. That latter point is important because we increasingly acquire and store data without having a clear-enough idea of why we are doing that and whether it’s necessary. MacLeod points to a system in use in 2,700 medical practitioners’ practices around the UK where a single click decides whether a particular record can be included in ‘advanced data sharing’. “But by simply switching that button, you open up the potential to expose confidential data to people with no need to have it,” says MacLeod, “and that would be a breach of the Data Protection Act.”

This is a critical issue not just because the volumes of data being collected are increasing but because many healthcare organisations are becoming dependent on it for developing their services and products. And it’s now common for patient records to be passed around – for example, from a GP to a hospital or a consultant – in order to ensure that all practitioners have access to the fullest and most accurate information. But it’s easy to see how that movement of data can introduce vulnerabilities.

[Figure: Who people trust with their healthcare data. Source: Accenture (see box).]

“That information is being shared, whether we like it or not,” says MacLeod. “It has to be stored somewhere. The problem is mainly around how comfortable we are with it being shared and who has access to it. We’re covered by various legalities and things like the Data Protection Act. GDPR [the EU General Data Protection Regulation] will cover this as well.”

However, there is a history of how things can go wrong, says MacLeod. He points to the NHS England Care.data scheme, which was pronounced dead in the middle of 2016.11 The intention was to store anonymised patient data in a central repository to be managed by the Health and Social Care Information Centre (HSCIC). The plan was paused several times because of concerns over patient confidentiality and the clumsy and chaotic approach to patient opt-outs.

“People were uncomfortable with the amount of sharing,” says MacLeod, “and the amount of people with no [valid] reason that may have access to that data.”

The NHS does have a data-sharing system, known as Spine, used by health and social care professionals.12 It manages summary care records, electronic prescriptions and referrals. However, as fast as healthcare service providers push for greater use of technology, it seems members of the public and privacy professionals push back – which is what led to the demise of Care.data.

Across the pond

The picture in the US is different, MacLeod points out – perhaps ironically because the healthcare system there is much more disjointed.

“They have numerous independent organisations, mostly run on a commercial basis,” he says. “You also have a number of healthcare plan providers – insurance people. They’ve a whole commercial organisation behind healthcare in the US that we don’t have here, so a lot of information is shared between people like healthcare plan providers, hospitals, etc.”

With any disjointed system tied together with IT there is usually a lot of scope for security issues to creep in. Does this mean that the UK, with its more homogeneous environment, is in a better position to make itself secure?

“You would think so,” says MacLeod. However, it’s not quite as simple as that. He points out that even in the UK there are 20,000 organisations involved in the NHS. While the number in the US is greater – and many of them are in direct commercial competition with each other – they have actually seen the advantage of collaboration when it comes to sharing security information.

“If a hospital in one state sees a particular spear-phishing attack, it would be good for them to share that information with a wider community so that the next hospital to receive a similar attack might recognise it,” he says. “If I’m hit with a piece of malware, I might want to share that file hash out to the wider community, so that other organisations, other hospitals, can proactively scan their networks to see if it has infected them already.”

Much of this sharing is enabled by the HITRUST Alliance, a not-for-profit organisation founded in 2007.13 As well as threat intelligence sharing, it also develops risk and compliance management frameworks. And it provides a portal through which healthcare organisations can share information directly between themselves, “almost like an information sharing analysis centre [ISAC] type of community,” says MacLeod. Organisations can share data such as IP or email addresses used in attacks, file hashes for malware and so on.

“They can also collaborate to build up more strategic intelligence,” MacLeod adds.

There’s nothing quite like this in the UK yet, although NHS Digital did launch CareCERT, which provides an emergency response team security assessment, awareness training and other information security services to the health service.14 With the prevalence of phishing in attacks targeted at healthcare organisations, that security awareness training could be one of the most effective tools.

“The easiest vector into a hospital is via spear-phishing,” says MacLeod. “If we haven’t educated the people who are receiving those emails – what to look out for, how to spot a fraudulent email, how not to click on attachments if you’re unsure what they are – a lot of the other things, like perimeter security devices, can be got around.”

In the US, MacLeod believes healthcare organisations are doing quite well in terms of carrying out vulnerability assessments and penetration testing, exploiting the benefits of next-generation firewalls and implementing defences against distributed denial of service attacks. And they are leveraging cyberthreat intelligence.

“Within the UK, everything’s a top-down approach,” he says. “I would hope to see some sort of initiative from NHS Digital through the CareCERT programme – maybe having them act as a central point for cyberthreat intelligence. But it really takes the involvement of each and every organisation, NHS trust and hospital to use that data and to contribute to it, to make sure that everyone is aware of what threats are affecting them.”

Moving forward

This sounds like healthcare organisations are at least making efforts. The question is, is it enough?

“They’re on the right track,” says MacLeod. “Budgets are always an issue, but it really is a case of bolstering your defences as much as possible. There’s a lot of work that’s come up through the Care Quality Commission, that speaks about addressing legacy systems within organisations. [UK Health Secretary] Jeremy Hunt last year announced a £4bn investment in NHS technology over the next five years.15 And of that, about £1bn was earmarked for infrastructure, data consent and cyber-security. So it’s a great time to start putting plans in place in terms of what defences need to be bolstered, to start looking at getting rid of machines within an organisation that are no longer supportable – those Windows XP boxes – and to evaluate relationships with third-party suppliers, such as how they connect up remotely to systems, whether they have done due diligence in disabling default passwords and securing those boxes themselves.”

He adds: “Security awareness is still very important: teaching the staff how to recognise phishing emails, recognising what to do with them and then tying that into a cyberthreat intelligence package where they have the ability to take those spear-phishing emails and forward them directly to the platform.”

Using such solutions, staff can play a part in building up incident reports and identifying indicators of compromise. In the US, with systems such as HITRUST, these can then be shared with other participants. “I’d love to see something similar in the UK,” says MacLeod.

When it comes to what we can expect next in this sector and the challenges that are on the horizon, MacLeod believes that it all depends on how we respond to what’s happening now. The switch in focus from stealing and selling patient data to ransomware is all about monetisation.

“Everything has moved across to ransomware attacks and the way we respond to those will probably dictate how attackers treat us next,” says MacLeod. “If they’re able to monetise ransomware attacks, they will continue to happen. But if we start defending ourselves against them, hospitals and healthcare organisations may have to look at the next attacks that are coming through. Those could be things like large-scale denial of service attacks. It could get a lot more sinister, though. A lot of serious medical equipment is connected up to the Internet and is potentially vulnerable. People hacking into those systems, changing settings, could have the ability to cause loss of life.”

Data breaches and consumer confidence

A recent survey by Accenture found that 13% of consumers in England have had personal medical information stolen via some form of technology. Perhaps surprisingly, more than a third (35%) of these breaches occurred in pharmacies, followed by hospitals (29%), urgent care clinics (21%), physician’s offices (19%) and retail clinics (14%). Also, more than one-third (36%) discovered the breach themselves or learned about it by noting an error on their health records or credit card statement. Only a fifth (20%) were alerted to the breach by the organisation where it occurred and even fewer (14%) were alerted by a government agency.

Nevertheless, most consumers still trust their healthcare providers (84%), labs (80%) and hospitals (79%) to keep their healthcare data secure, although the level of trust isn’t so good for the government (59%) or health technology companies (42%) to do so.

In response to a breach, nearly all (95%) of the consumers who were data-breach victims reported that the company holding their data took some type of action. Some organisations explained how they fixed the problem causing the breach (cited by 29%), explained how they would prevent future breaches (23%) or explained the consequences of the breach (22%). There’s more information available here: https://accntu.re/2sgOi7k

About the author

Steve Mansfield-Devine is a freelance

References

1. … News, 15 Jul 2014. Accessed May 2017. www.bbc.com/news/uk-scotland-north-east-orkney-shetland-28314887.
2. Campbell, Denis; Duncan, Pamela. ‘NHS accused of covering up huge data loss that put thousands at risk’. The Guardian, 27 Feb 2017. Accessed May 2017. www.theguardian.com/society/2017/feb/26/nhs-accused-of-covering-up-huge-data-loss-that-put-thousands-at-risk.
3. Gayle, D; Topping, A; Sample, I; March, S; Dodd, V. ‘NHS seeks to recover from global cyber-attack as security concerns resurface’. The Guardian, 13 May 2017. Accessed May 2017. www.theguardian.com/society/2017/may/12/hospitals-across-england-hit-by-large-scale-cyber-attack.
4. ‘California Hospital Pays $17,000 To Hackers In ‘Ransomware’ Attack’. CBS, 18 Feb 2016. Accessed May 2017. http://sanfrancisco.cbslocal.com/2016/02/18/california-hospital-ransomware-attack-hackers/.
5. Davis, Jessica. ‘Ransomware: See the 14 hospitals attacked so far in 2016’. Healthcare IT News, 5 Oct 2016. Accessed May 2017. www.healthcareitnews.com/slideshow/ransomware-see-hospitals-hit-2016.
6. ‘47% of NHS Trusts in England admit to falling victim to ransomware’. NCC Group, 24 Aug 2016. Accessed May 2017. www.nccgroup.trust/uk/about-us/newsroom-and-
8. … trust cyber-attack’. Computing, 5 Dec 2016. Accessed May 2017. www.computing.co.uk/ctg/news/2479109/globe2-ransomware-blamed-for-lincolnshire-nhs-trust-cyber-attack.
9. ‘London NHS trust fined for HIV newsletter data breach’. Information Commissioner’s Office, 9 May 2016. Accessed May 2017. https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/05/london-nhs-trust-fined-for-hiv-newsletter-data-breach/.
10. Burgess, Matt. ‘DeepMind accused of accessing NHS data on an “inappropriate legal basis”’. Wired, 17 May 2017. Accessed May 2017. www.wired.co.uk/article/deepmind-nhs-data-sharing-privacy-concerns.
11. Evenstad, Lis. ‘NHS England scraps controversial Care.data programme’. ComputerWeekly, 6 Jul 2016. Accessed May 2017. www.computerweekly.com/news/450299728/Caldicott-review-recommends-eight-point-consent-model-for-patient-data-sharing.
12. Spine, home page. NHS Digital. Accessed May 2017. https://digital.nhs.uk/spine.
13. HITRUST Alliance, home page. Accessed May 2017. https://hitrustalliance.net.
14. Hoeksma, Jon. ‘NHS Digital to roll out new CareCERT cyber-security services’. DigitalHealth, 15 Sep 2016. Accessed May 2017.
www.dig- journalist specialising in information events/press-releases/2016/august/47- italhealth.net/2016/09/nhs-digital-to- security. He is the editor of Network of-nhs-trusts-in-england-admit-to- roll-out-new-carecert-cyber-security- Security and its sister publication falling-victim-to-ransomware/. services/. Computer Fraud & Security. He also 7. Leyden, John. ‘Ransomware brutes 15. Metzger, Max. ‘£4bn investment blogs and podcasts on information security smacked 1 in 3 NHS trusts last year’. for NHS digital transforma- issues at Contrarisk.com. The Register, 17 Jan 2017. Accessed tion’. SC Magazine, 8 Feb 2016. May 2017. www.theregister. Accessed May 2017. www.scmaga- References co.uk/2017/01/17/nhs_ransomware/. zineuk.com/4bn-investment-for- 1. ‘Probe after NHS Orkney patient 8. Burton, Graeme. ‘Globe2 ransom- nhs-digital-transformation/arti- records found on pavement’. BBC ware blamed for Lincolnshire NHS cle/531430/. A SUBSCRIPTION INCLUDES:



EVENTS CALENDAR

4 July 2017
Cyber Security Summit
London, UK
http://www.cybersecurityconference.co.uk/

8 July 2017
Steelcon
Sheffield, UK
http://bit.ly/2oj2h9X

11–13 July 2017
International Conference on Digital Security and Forensics
Kuala Lumpur, Malaysia
http://bit.ly/2n6jPGd

22–27 July 2017
Black Hat USA
Las Vegas, US
www.blackhat.com

27–30 July 2017
DefCon
Las Vegas, US
www.defcon.org

31 July–7 August 2017
IEEE Cyber 2017
Hawaii, US
http://ieee-cyber.org/2017/

4–8 August 2017
SHA2017
Amsterdam, Netherlands
https://sha2017.org/

8 August 2017
Cyber Security Summit Chicago
Chicago, Illinois, US
https://cybersummitusa.com/2017-chicago/

12 August 2017
3rd International Conference on Cyber Security
Kota
www.iccs2017.iaasse.org

The Firewall

Securing emails

Colin Tankard, Digital Pathways

Of all the millions of emails sent each day, how many senders even think about whether their messages are secure? Traditional email has the confidentiality level of a postcard – anyone involved in its transport can easily read it. Lack of care becomes even more of a problem when the sender is attaching confidential or sensitive data. Is it being sent to the correct person? Should the attachment be allowed? Even if it is all right to send, how do you know it was received, when was it read and has it been forwarded? Current system notification is not good enough.

With General Data Protection Regulation (GDPR) fines looming, now is the time to gain control of emails.

With a secure email system, correspondence is protected and verified, giving information on the date opened, etc. It gives you peace of mind. The flaw in many of these secure email systems is that they are on a one-to-one basis – ie, a company to an individual or a company to a company – which means no collaboration outside of these groups.

What is required is a way to transform your email into a confidential and auditable electronic letter that can collaborate with any email box, enabling one single credential accessible to all. Such systems are emerging but the key to their success will be ease of use, level of encryption and the other complementary services they offer, such as secure collaborative storage.

One system available works by using your existing email address and prevents any third party accessing or storing the content of your email. After registering, you can read and write secure emails on the web portal or you can use client software. This service allows companies to share sensitive data in-house or to external clients/partners through a highly secure process of user identification, authorisation and secure delivery without the need to replace any existing systems. Furthermore, if the recipient likes the solution they can adopt it and use their credentials to invite others to join. This is something you can’t do with other secure email systems.

Secure storage is often advertised, but who holds the key is rarely discussed, as it is complicated to set up a system that enables the data owner to hold the key and even more complicated to share the key, to enable collaboration.

The creator of an individual securebox electronically invites other members and assigns user rights. Upon acceptance of an invitation, the user will be admitted to this securebox and will also receive online web access. The user may also choose to automatically replicate parts, or all, of the securebox onto their own infrastructure, from smartphone to server.

One of the most criticised facts about cloud services is the lack of security of stored data. In order to make sure that your securebox data is always secured, all encryption and decryption is done ‘on the fly,’ so that even the provider who hosts the data is not able to peek into your files.

The way email and the sharing of documents is handled needs to be re-thought, especially with GDPR and its requirement to track and disclose sensitive data. The excuse that an email went astray will no longer be tolerated. It is now time to implement secure services so that, come May 2018, all electronic communications will be secure and auditable.
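The securebox model described in the column above, as an added example that is not the vendor's code: a stdlib-only Python sketch in which the provider stores nothing but ciphertext, wrapped keys and assigned rights, the creator holds the box key, invitees receive it under a one-time secret handed over out of band, and tampered or uninvited reads fail. The HMAC-based stream cipher and the invite-secret mechanism are stand-ins chosen here so the example runs without third-party libraries; they are assumptions, not the product's design.

```python
import hashlib, hmac, os

def _xor_stream(key, nonce, data):
    """CTR-style keystream from HMAC-SHA256: a stdlib-only toy cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return _xor_stream(key, nonce, ct)

class Host:  # untrusted provider: holds ciphertext, wrapped keys and rights only
    def __init__(self):
        self.files, self.wrapped_keys, self.rights = {}, {}, {}
    def put(self, member, name, blob):
        if self.rights.get(member) != "write":
            raise PermissionError(f"{member} has no write right")
        self.files[name] = blob

class SecureBox:
    """Client side: the box key exists only with the creator and accepted members."""
    def __init__(self, host, member, box_key=None):
        self.host, self.me = host, member
        self.box_key = box_key or os.urandom(32)
        if box_key is None:  # the creator holds the key and gets write rights
            host.rights[member] = "write"
    def invite(self, member, right):
        """Wrap the box key under a one-time secret passed to the member out of band."""
        secret = os.urandom(32)
        self.host.wrapped_keys[member] = seal(secret, self.box_key)
        self.host.rights[member] = right
        return secret
    @classmethod
    def accept(cls, host, member, secret):
        return cls(host, member, unseal(secret, host.wrapped_keys[member]))
    def write(self, name, data):
        self.host.put(self.me, name, seal(self.box_key, data))
    def read(self, name):
        return unseal(self.box_key, self.host.files[name])
```

Note that removing a member's wrapped key stops future key recovery but does not revoke a key already fetched; real systems re-key the box on revocation.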
