With no security system impenetrable and the definitions of ‘good guys’ and ‘bad guys’ blurred, IT security professionals face a daunting task in securing data, delegates were told at the 9th annual ITWeb Security Summit in Sandton.

The two-day event attracted around 800 local and international information security professionals for in-depth talks on the biggest IT security risks facing the world today.

Noting that the past 12 months had seen some of the most significant events the information security sector has ever witnessed, SensePost MD Charl van der Walt highlighted the recent Target breach, in which 70 million client accounts were compromised, even though the company’s infrastructure was PCI compliant. “This is a complex and slightly terrifying new environment. Let’s stop kidding ourselves, we can’t stop all attacks,” he said. “Let’s focus on those we can stop and those posing the greatest risk to our specific organisations.”

<a href=

Jacob Appelbaum" src="http://www.iweek.co.za/images/stories/2010/June14/Jacob_Appelbaum.jpg" />Keynote speakers Jacob Appelbaum, an independent international hacker and researcher, and Christopher Soghoian, principal technologist and senior policy analyst with the Speech, Privacy and Technology Project at the American Civil Liberties Union, focused on state surveillance and civil liberties in their opening talks. They noted that state surveillance was not just a privacy issue – it also presented a threat to the national security of countries, as well as to entire businesses that are built on a promise that the data they manage will be kept secure.

Christopher Soghoian

Speakers noted that if data can be accessed by state security agencies, it can also be accessed by anyone and used for any purpose.

Appelbaum said: “Where Internet protocols are intentionally weakened because it is useful for one party, we forget that this is useful for other parties too. This whole ‘black hat/white hat’ thing is just too simplistic.”

Soghoian said: “What does it mean for an industry like yours, when you are promising to keep data safe or ‘bad guys’ out, when you can be given coercive orders to give governments access to this data?”

They also pointed out that hardware and software bought from nations with a vested interest in surveillance could easily have surveillance tools built-in. Free and open source software and free and open hardware could present a solution to that exposure, they said.

Haroon Meer, founder of Thinkst, echoed this sentiment at a media briefing on the sidelines of the conference; he said South Africa is largely a technology consumer, and needs to develop a home-grown technology sector to avoid the risk of this kind of vulnerability.

Effective cryptography can also reduce the risk of monitoring and exposure, speakers said. However, they noted this could only be truly effective when applied across all communications tools – including landline and cellphone communications.

Not all doom and gloom in infosec world

<a href=

Charlie Miller" src="http://www.iweek.co.za/images/stories/2010/June14/Charlie_Miller.jpg" />While at first glance the information security situation may look dire, some things are getting better, says Charlie Miller, security engineer at Twitter.

Miller conceded there were many reasons to be concerned about the state of IT security: “In the seven years I have been actively involved in speaking about IT security, little has changed. You’d think we would have solved the problems we were talking about seven years ago, but we haven’t,” he said.

“We’re still finding bugs that are 20 years old, enterprises that do everything right are still vulnerable, and the products we use are still insecure,” Miller said.

He pointed out that in an environment where virtually everything could be hacked, there was little incentive for vendors to invest too heavily in the security of their products. “Back in 2010, I released a super-cool exploit – the iPhone SMS bug. In its day, it was the world’s coolest exploit. It made headlines. But did it harm Apple? No – in fact Apple’s stock went up that week. Companies don’t feel any pain when their products are shown to be insecure, so why should they work to address this?”

Fighting the information security battle means understanding you cannot make an enterprise 100% secure, Miller said. “So the goal has to be to drive up the cost and pain of an exploit. But if attackers have money, they will get in, and governments will always be able to outspend you. On the other hand, governments aren’t likely to be stealing credit card information. You need to target your defence against the real threats,” he said.

Miller said reasons for optimism included the fact that it was becoming harder to fi nd bugs. “The security of our products has improved, with fewer bugs and better technology to protect us.” More money is being put into research, crowdsourced audits and ‘bug bounties’, in which rewards are paid to those who can find bugs and vulnerabilities, he said.

“Right now, we might be losing the battle, but there are some things we’re doing right and things are going to get better,” said Miller.

Steve Jump

Steve Jump, head of corporate security governance at Telkom, spoke at the ITWeb Security Summit on the issue of communicating information security value to business.

Hacking: no tools required

Jason Jordaan

Corruption is so prevalent in countries like South Africa that criminals can easily access networks with no hacking tools needed, said Jason Jordaan, head of South Africa’s cyber forensic laboratory special investigating unit.

“Hacking the human is easy, because we are fallible,” he said. Jordaan pointed out that corruption is pervasive in South African society, and organised criminals use corruption as their basic model for operations. Organised crime simply makes use of the human element, he said, noting that where social engineering fails, it is relatively simple to use corruption to gain access to enterprise networks and data. “No real hacking tools required, and corruption is a silent crime, so it’s harder to detect,” he said.

“Everybody has his price,” Jordaan said. “Whether that price is money, benefits, or even threats to a person’s family, criminals can target key individuals and find their price quite easily.”

Jordaan cited a case study of a recent breach of a critical state financial system, in which a systems administrator was paid R10 000 to install keyloggers to steal government user credentials and give criminals access to the financial system. Over R11 million was stolen in around three days. “This case is still in progress, but the upshot of it is – this guy sold his soul for R10 000,” said Jordaan. Mitigating the ‘human element risk’ isn’t easy, Jordaan told delegates. However, there are measures to reduce the risk. “You need to know your people well, and be alert to changes in their behaviour or lifestyle. You also need to keep them happy, and strive to instil a strong culture of ethics throughout the organisation,” he said.

Worst-case scenarios in an always-visible environment

Ritasha Jethva

State surveillance is a double edged sword presenting more risk than benefits, speakers at the ITWeb Security Summit said. Addressing a media briefing alongside the summit, international speakers focused on questions of privacy and data security following the Snowden revelations.

Keynote speaker Jacob Appelbaum, an independent international hacker and researcher, said intelligence agencies have a great deal of power in a post-9/11 world, and live “outside the law”, with companies becoming secret agents of the state. “There are legitimate things intelligence agencies must be allowed to do,” he said, “but all their capabilities must be brought within the rule of law.”

Fellow keynote speaker Christopher Soghoian said: “There is no magic encryption that allows the police or the NSA to access your data, but still keeps other countries’ surveillance out. If the local authorities can access your mails, so can every foreign hacker.”

Appelbaum noted: “When everyone’s communication is insecure, you face the risk of even the communications of government leaders, police and all their families and friends being open to anyone. In an environment of highly advanced malware and targeted attacks, combined with RFIDs and smart passports, we are going down a path towards personalised bombs. We have transitioned to an advanced knowledgebased society where you can selectively apply the violence.”

Francis Cronjé

Governance, risk and compliance experts Dianne Stigling, an independent consultant, Ritasha Jethva of Liberty, and Francis Cronjé of InfoSeal, elaborated on POPI preparedness in a panel discussion at the ITWeb Security Summit.

SA unprepared for cost of breaches

Dianne Stigling

South African enterprises are slow to understand that security breaches could cost them literally hundreds of millions of rands, says cyber insurance specialist Natalie van de Coolwijk, MD of Cygeist. “Global risk reports are citing cyber as one of the top 10 risks companies should be considering, but in South Africa, specialist cyber insurance is a new concept to most,” she said.

Natalie Van De Coolwijk

She pointed to incidents such as the Target breach in the US last year, where there is talk that the company’s entire $100 million cyber policy and $65 million directors’ and officers’ policy will be eroded. “In South Africa, enterprises know cyber risks are serious, but they don’t foresee the extent of the costs involved in managing an incident,” she said. Van de Coolwijk said cyber insurance differs from traditional liability cover in that traditional policies tend to cover tangible assets and material damages.

David Taylor

Legal consultant Prof David Taylor discussed the legal obligation to report IT security compromises at the ITWeb Security Summit.

No limits to surveillance

There are a multitude of backdoors, monitoring programs and products that already have been and could continue to be compromised by the National Security Agency (NSA), said Jacob Appelbaum, independent computer security researcher, hacker and core member of the Tor project. He said the NSA aims to have utter surveillance of everything it wants, and there is no boundary or limit to what it wants to do.

Greg Sinclair, associate practice leader at IBM Security Services, outlined enhanced proactive security through security research, in his talk at the ITWeb Security Summit.

An architectural approach to security

To mitigate the risks posed by today’s complex threat environment, organisations must adopt an architectural approach to security, said John McCormack, CEO of Websense.

He explained that the Internet of Things is presenting more security challenges: “If we can’t keep a simple credit card safe, what about the data from the Internet of Things?”

Citing a recent study, McCormack said 57% of the respondents revealed they are not protected from advanced cyber attacks; 63% can’t stop theft of corporate information; and 74% don’t trust their security programs. “The end-game of most modern cyber attacks is the theft or destruction of data,” said McCormack. “Cyber criminals steal intellectual property, personally identifiable information or other valuable data for financial gain, for use in other attacks or sometimes to destroy.”

He said the best techniques for catching these attempts exist in a full data theft prevention solution, and include scanning outbound content for proprietary material, scanning images with OCR technology, and using “data drip protection” technology.

Build on open source to reduce risk

Open source isn’t complicated anymore, so it presents a golden opportunity for SA to build on open source to reduce its dependency on imported technologies, said Haroon Meer, founder of Thinkst.

“The Snowden revelations made it clear that South Africa is not part of the ‘inner circle’ of FVEY (Five Eyes Surveillance), an alliance comprising Australia, Canada, New Zealand, the UK and the US. We have Stockholm Syndrome if we think we are exempt from spying,” he said.

SA is so deeply dependent on foreign technology that the country is almost forced to ignore the risk of
surveillance built in to the technology it buys, he said. The solution is to grow the local technology sector, Meer concluded.

Jeremy de Bruyn, senior penetration tester at SensePost, discussed taking penetration testing into the malware arena.

Walls fail, fight back instead

Kevin Kennedy

If organisations are to win the war against cyber crime, they must turn the tables against the malware economy and make it difficult for the cyber criminals to operate, said Kevin Kennedy, Juniper Networks’ senior director for security and product management.

“For several years, we have been focusing on building high walls to keep hackers out, but this has failed,” said Kennedy. “We have to change the approach.” According to Kennedy, the malware economy comprises sophisticated, highly skilled individuals as well as elite researchers, exploit developers, zero-day researchers, malware writers, identity collectors, programmers and technology experts.

He revealed that, over the years, the malware economy has seen an increase in activities like spam and hacking. Changing that economy would require organisations to ensure cyber criminals get less return on their investments.

He noted that investing in cyber crime currently has a high return, and, as an example, a $500 investment in malware can see a criminal evading malware as well as advanced anti-malware
solutions. That investment can also be useful for stealing source code and sending it to a server over an
encrypted channel, he added.

Taking legal measures against the spammers can also go a long way in destabilising the malware economy, said Kennedy.

Technology can also be used to break the malware economy, said Kennedy. “Organisations can do this by assuming their systems are breached and adopt counter-intelligence techniques like deception and anti-evasion.”

Another way to disrupt the malware economy will be to prosecute black market banks, said Kennedy.

Nils

Nils, security researcher for MWR Labs, and Jon Butler, head security researcher at MWR InfoSecurity, assessed security vulnerabilities in mobile point-of-sale devices in their presentation at the ITWeb Security Summit.

Counter-intelligence to sway balance of power

Cyber counter-intelligence has the potential to sway the balance of power, said Prof Basie von Solms, director of the Centre for Cyber Security at the University of Johannesburg. He said that, correctly understood, the call for cyber counter-intelligence was a call for legitimate co-operative action by state and private sector role-players in breaking the traditional security mould that is proving so ineffective against sophisticated adversaries.

“We need to draw on successful strategies from history to devise new models for cyber security. Now, we need to be more proactive – and possibly even slightly aggressive – in our approach. We need to go to the next level and gather counter-intelligence that allows us to know our enemy and plan our defences accordingly,” he said. ”The more information you can gather, the better you can defend yourself.”

Infosec seen as a grudge purchase

Misdirected information security spending is leading enterprises to see information security as a grudge buy, said Maiendra Moodley, divisional head (GM) of Financial Systems and Processes at SITA.

Moodley said the pace of information security adoption was impacted by issues such as budget, as well as external factors such as new legislation and the fact that companies overlook the importance of information security when all is running well and there are no breaches.

He said achieving the right levels of security should begin with a thorough risk assessment encompassing both information and physical security, which combines a firm grasp of processes under the enterprise governance and risk banner, along with a holistic security strategy. “Implement measures around mitigating these risks,” he said.

Changing role for CISO

<a href=

Andrew Mpofu" src="http://www.iweek.co.za/images/stories/2010/June14/Andrew_Mpofu.jpg" />Enterprises are now wholly dependent on their IT systems, making the chief information security officer (CISO) a critical link between IT and business, said Andrew Mpofu, IT security audit manager at the South African Post Office. Mpofu said: “Enterprises now need to realise that IT is the medium of doing business.”

This means the CISO must now be a C-level business executive with multidimensional skills combining business and technology, rather than the traditional systems administrator only worried about systems availability, Mpofu said. “The CISO needs to be a risk manager as well as an advocate for security, identifying opportunities to deliver an enterprise’s cyber footprint in a secure manner that bears compliance to applicable regulations.”

Legitimate apps expose data

While malware makes headlines, the risk of legitimate mobile apps exposing enterprise data to unauthorised third parties should be of greater concern to enterprises, said Nader Heinen, security advisor at BlackBerry’s security group.

Heinen noted that vast numbers of mobile applications connect to users’ personal information and contact lists. “While these applications may be legitimate, they may share the data on a mobile device – such as contact lists – with a third party, without the consent of those contacts. This could be in contravention of privacy laws,” he said. Heinen said in a BYOD era, having enterprise data on the same devices as vulnerable consumer apps raises serious governance, risk and compliance issues for the enterprise.

BlackBerry believes the solution lies in multi-layered security, careful management of the app store, and the segregation of enterprise content from personal content on the mobile device.

Information security: SA lacks the ‘how’ component

<a href=

Guy Golan" src="http://www.iweek.co.za/images/stories/2010/June14/Guy_Golan.jpg" />South African enterprises are taking information security increasingly seriously, but in many cases they lack an understanding of practical steps to mitigate risk, said Guy Golan, CEO of event sponsor, the Performanta Group.

Golan said: “Recent high-profile international events and actual breaches with associated financial losses have renewed the focus on information security. For years, the information security industry has been warning of the risk of industrial espionage and hacking, but only now that we see actual incidents resulting in substantial financial losses, are companies taking the risk seriously.” These losses, combined with new legislation that makes the board accountable for data security, is driving greater interest in information security from business management too.

However, Golan said there is a shortage of practical information available to guide local enterprises on the tools and strategies needed to mitigate risk.

Companies disregard need for response teams

Matteo Michelini

Companies that do not have a computer security incident response team (CSIRT) in place will have a problem when it comes to containing a security incident, said Matteo Michelini, senior security consultant at MWR InfoSecurity.

Many firms do not believe they need a CSIRT, because they have business continuity, risk management,
an incident manager or security operations centres, which fill the same function, said Michelini. However, this leaves companies in a precarious position when incidents, such as unauthorised access to a core system, happen, he said.

He explained that without a CSIRT, no one is responsible for containment of issues, and the question of who is responsible for fixing the incident is also left hanging.

Cyber resilience demands strategic action

Cyber resilience now calls for strategic action if enterprises are to mitigate risks, said Antonio Forzieri, EMEA cyber security practice lead at Symantec. “The problem with the emerging technologies is that organisations have to embrace them or they die,” he said.

He noted that modern-day attacks are being driven by hacktivism – mostly characterised by DDOS attacks and Web defacement. Cyber criminals are also being motivated by the need for financial gain and they have developed tactics like banking Trojans, extortion and scams to steal money.

Espionage and sabotage are the other drivers, with the cyber criminals making use of targeted attacks to meet this end, he explained.

Thus, we can call 2013 “the year of the mega breach”, said Forzieri, explaining that eight of the top 10 breaches involved more than 10 million identities, while the average number of identities exposed was four times greater than 2012.

“Faced with risks such as these, organisations must break through the glass ceiling between IT and the business,” he urged. “They should also review their security programme and become risk-aware by involving technology, people and processes.”