5 Basics of Cloud Security

The basic objective of a cloud security strategy is to provide a method to monitor and protect the flow of information to and from cloud hosted services. There has been and will continue to be a shift towards public and private cloud services as the age of digitisation is increasingly being embraced by organisations. 

 

According to Cisco’s Annual Cyber Security report, one of the principle reasons why organisations are deciding to host corporate applications in the cloud is increased security. 

 

On the other hand many small and medium organisations are adopting cloud technology without a clear strategy resulting in the blurring of edges of responsibility between the cloud provider and the organisation. In the eyes of cloud security providers, there are clear responsibilities and boundaries as illustrated in the graphic below. 

 

Security in the cloud is a shared responsibility: Cloud Security, DNS, IaaS PaaS Saas 

Cyber attackers are increasingly taking advantage of this blurring of the boundaries to exploit systems. It is important to undertake a proper risk assessment before cloud services are adopted. This will enable a clear understanding of the risks and a consequent strategy to mitigate the risks.  

 

The basic approach to cloud security will be based on the risk profile, it essentially needs to address the different phases of the cyber security threat, namely before, during and after an attack. It should be an extension of the organisations security approach to the on-premise information systems and data which generally address the question, who is allowed access to what information. 

 

Some of the key features that need to be addressed with a cloud cyber security approach include; 

  • Visibility and Control
  • Securing Cloud Applications
  • Extended Protection
  • Virtualise the Security Architecture
  • Threat intelligence

 

Visibility and Control 

Users will try to use whatever they can to get the job done. Organisations need visibility and control of what applications are being used in the cloud and remotely, especially with the growth of new SaaS applications. Visibility enables an understanding of what is being used in line with policy, what is out of policy and what is a threat. Visibility is the first step to controlling and securing the organisations environment based on what services should be provided. 

 

Securing Cloud applications 

As SaaS applications are increasingly being deployed in public clouds such as Amazon Web Services and Azure, it is vital to ensure that the cloud platform is secure. Even though the cloud providers will deploy their own security solutions, organisations also need to implement independent security systems to secure the user and the data as this is not the responsibility of the cloud provider. In it’s recent cyber security report, Cisco identified that a major growth area for cyber attacks was the misuse of legitimate cloud services to host malware. Hence the need to secure services in public clouds cannot be understated. 

 

Extended Protection

As remote connectivity and branch networking trends increase in popularity, the security solution should be adaptable to extend the necessary features such as firewalling, threat management and anti-malware capabilities to the edge of the network as opposed to the current centralised deployment model. This functionality should be provided on endpoints, remote connections and remote offices and vitally to devices working off site such as Internet Cafes. 

 

Virtualise the Security Architecture 

The need for security is now pervasive at the client, the branch, the HQ as well as public and private clouds where SaaS applications are located. This necessitates the capability for a virtualised security architecture where the panoply of security functionality can be deployed easily at any location. This approach also enables the organisation to scale security at speed which will meet business demands for rapid deployment of new services while avoiding security being an afterthought. 

 

Threat intelligence 

Most organisations deploy security components from multiple vendors. An intelligent approach to securing information and systems in the emerging environment must make use of threat intelligence to overcome any cross vendor incompatibilities. This is the ability to take intelligence feeds from other sources such as other security vendors feeds and make context based threat assessments relating to your organisation and what it means for you. This assessment can naturally feed into automated protection mechanisms. 

 

In our next blogs in this series, we will cover off some best practices approaches to cloud security and discuss some of the technologies being used. 

 

Cyber Attack Simulation: the new test in town

 

When was the last time you had a penetration test of your network or a vulnerability assessment? Penetration testing has traditionally been an annual event for most organisations. Of late we have seen vulnerability assessments delivered as a service with the ability to run tests on demand. Invariably vulnerability assessments are still run once a year oftentimes due to resource shortage and in many instances it’s just not a high priority because nothing bad has happened – or at least we are not aware of it. 

 

On the other hand, industry security statistics would indicate that the general approach to security could well be a disaster waiting to happen, or worst still a disaster that has happened but just not discovered yet. Yes we know that enterprise organisations and some medium sized organisations have a highly security regime in place and manage security according to best practices. Despite the efforts of the aforementioned organisations the numbers are still overwhelmingly in favour of the bad guys as illustrated below. 

 

  • 100% of organisations interact with known malware sites – simply put, everyone is likely to be infected at some stage 

 

  • 99 days average time to detect a breach of a pool of known vulnerabilities  

 

  • 4 hours average time it takes cyber attackers to steal data 

 

  • 365 days – time between vulnerability assessments and penetration tests 

 

For sure both vulnerability assessments and penetration test have proven to be valuable tools in the arsenal for protecting IT systems from compromise, but only when used effectively and frequently enough. 

 

One challenge however that either approach may find very difficult to keep up with is the rate of change as newer, more sophisticated and persistent threats and exploits appear on an almost daily basis. 

 

An emerging approach to confront the threats head on while enabling organisations to take the initiative is to deploy a solution that conducts a series of simulated attacks based on known and emerging threat vectors. With this type of approach, you can now address the question “how do you know your security systems are working?”.  

How many times have you seen a detailed and impressive list of access control lists only to be undone by the second to last line “permit ip any any”. 

 

Without comprehensive and persistent testing, any assurance of cyber security is based purely on assumption and best guess.  

Yes you have defences in place such as firewalls, endpoint security, anti-malware solutions but how do you know that they are really effective against known/unknown cyber threats. The assumption is that you have the right defences in place to protect from vulnerabilities and they security solutions are optimally configured. You only truly know for certain when an attempted breach has been attempted, detected and blocked. On the other hand you may have been hacked and you either never know or you don’t know for months after the event when the hackers have stolen day and moved on to other victims. 

 

 

A simulated attack is a method of safely checking whether your systems are safe and your data is protected from vulnerabilities. The simulation can run a range of attack vectors to test your defences against a range of vulnerabilities. Simulated attacks that are successful will give you a clear understanding of your current vulnerabilities and how to mitigate them – it gives you actionable intelligence of the holes in your cyber defences. It can also validate the security controls that are in place and be used to test your security incident response procedures. Remember cyber defences is not just about preventing attacks, it’s also about what you do when the attacks occur to remediate and recover. 

 

A simulated attack service can also be used to undertake real time validation especially when changes are made or as you become aware of new vulnerabilities. When run as a cloud service, it can be run repeatedly to provide ongoing security posture assurance. A simulated attack service is definitely a service worth considering augmenting a comprehensive security posture assessment approach that includes penetration testing and vulnerability assessment. Simulated attacks can be seen as an emerging solution that is geared to match the rapid and changing nature of cyber threats. 

 

 

Cyber Risk Assessment– get good at it

Today’s reliance on IT technology is unparalleled and will only increase. While some businesses are pondering the benefits of IoT deployment or bespoke business applications, others are ploughing ahead and pioneering their initiatives. Some of these initiatives are stuttering and some are big winners that have transformed their business. Digitisation and it’s attendant benefits is the new game in town and it is not going away soon.  

The constant question that new initiatives will always raise is, what about cyber security? These new initiatives also need to be balanced against new compliance regimes such as GDPR which can levy punitive fines for breaches involving sensitive personal data. IoT means a greater footprint or attack surface; a new cloud application means potential exposure of data or the possibility of unauthorised access. While these risks and others exist, this should not hinder businesses taking advantage of the potentially major opportunities from digitization. What is therefore of paramount importance is a way to effectively assess and mitigate the risk from these initiatives and other IT activities that will enable the businesses to safely adopt new technology. 

 

Cyber security is everyone’s concern 

Cyber security is no longer just an IT issue, now it is definitely everyone’s concern. Responsibility is now being devolved as applications move to the cloud. More departments are involved in selecting and implementing their apps, therefore they also need to have security at the forefront in both the selection and operational processes. 

 

Comply with regulation or become extinct 

Regulation is now gaining real teeth and therefore compliance is no longer an optional nuisance. Consider the Carphone Warehouse breaches recently. If the recent 6m records breach occurred under the watch of GDPR, the fine could be a whopping £428m, compared with the max £500k fine which could have been levied under the previous Data Protection Act. Compliance is now an imperative and failure could mean business extinction due to the punitive fines.  Compliance should be seen as an opportunity to get your business in shape in which case everyone benefits. 

 

Cyber risk assessment is a specialism 

Change is another constant in IT, therefore risk assessment should be constant and continuous. Oftentimes risk assessments are left till the end of an initiative when in fact it should feature right at the beginning and be a part of the “go/no go” decision. If risk assessment is built into project implementation, the end result will definitely look a lot better than if it were an after thought. The struggle is to find the skills where there is a good understanding of IT risk management. It is an area where businesses need to invest in training staff at all levels of the organisation. 

 

Risk assessment and mitigation needs to be a continuous process where all departments in a business are engaged in continuing assessment, monitoring and improvement of the risk exposure.  

 

An interesting development in this light is a joint solution offered by Aon, Apple, Cisco and Allianz. The components of the solution include the following; 

  • Risk Assessment with a target output of an analysis of the businesses level of insurability, its security posture with recommendations on how to correct any gaps.  
  • Those wishing to improve their security posture receive a plan that includes an enterprise ransomware solution incorporating, advanced email security, endpoint protection and DNS layer security.  
  • The business will also deploy Apple MacOS and iOS endpoints.  
  • Businesses choosing this solution will receive favourable terms from Allianz who consider this combination to be a more secure solution.  

 

While it may not be practical for all businesses to adopt this solution, the method/approach is a useful indication of a what can be done. The importance things is the assessment needs to be continuous and reflect the status of the business and it’s use of IT at any point in time which of course is a moving goal post.

5 Takeaways from the Carphone Warehouse Breach

The Carphone Warehouse breach is the biggest so far announced in the post GDPR era.

What are the salient points to note from this breach? 

  1. 6 million records accessed 
  2. NCSC, ICO, FCA investigating 
  3. 3 million records accessed in 2015 breach 
  4. Cyber security risk identified by board in last FY report 
  5. If GDPR applies, maximum fine of £420m could apply 

 

A recently announced massive cyber attack at Dixons Carphone Warehouse has resulted in significant unauthorised access to millions of records including personal data. It appears that two breaches occurred which resulted in; 

 

  • 6 million customer records being stolen including 5.9 million payment card details  
  • 1.2 million customer records including name, address, email 

 

In January Carphone Warehouse were fined £400,000 for a breach that occurred in 2015 when 3m customer records (including personal details) and 1,000 employee records were stolen. 

 

Dixons say the breach was only discovered in the week leading up to the announcement and it actually occurred in the July 2017. Under the Data Protection Act they would be liable to a maximum fine of £500,000. Under the new GDPR regulation the fine could rise to a maximum of £420m based on last years’ global turnover of £10.5bn. 

 

In their most recent report, Dixons identified information security as a risk and their potential vulnerability to malware and cyber attacks. They identified potential consequences that could include reputational damage, reduced cash flow, financial penalties, reduced revenue and profitability, loss of competitive advantage. Dixons did appear however to be heading in the right direction to manage the risk ensuring senior management oversight including a Strategic Improvement Plan and increased investments targeted at managing the information/cyber security risk. 

 

The independent regulator the ICO is investigating the current breach along with the FCA and NCSC. The ICO has said it is yet to determine whether GDPR or the 1998 Data Protection regulations will apply. 

 

The NCSC is working on how the breach has impacted UK citizens and what measures can be taken to prevent such a breach re-occurring. They have also published guidance on what to do for people who think they have been affected by the breach. 

 

The CEO Alex Baldock has apologised saying that they have fallen short of expected standards. He confirmed that they have called in cyber experts to investigate as well as relevant authorities and the unauthorised access has now been blocked. 

 

Anyone affected or concerned about their personal data being accessed and how it could be used should contact Action Fraud. 

 

The breach came to light as a result of a massive attempt to compromise the cards in a card processing system, this means that someone tried to use the card details to take unauthorised payments. 

 

Dixons shares fell 6% following the announcement of the breach. 

 

Useful Resources

GDPR Readiness Test [Checklist]
GDPR 12 Step to take NOW [Infographic] 
9 Steps to Implement a Security Management Tool [eBook]

 

 

5 Cyber Security Threats Businesses are Facing in 2018

We all know the cyber threat landscape is rapidly evolving and it is a real struggle to keep apace with the threats much less get ahead of them, which ideally is where we should be.
Organisations especially those small to medium sized ones have limited resources in terms of people, money and time to commit to all the areas they need to focus on.
It is therefore vital that their approach to cyber security is focused on the areas that will have the greatest impact in terms of threat prevention. Let’s discuss the most common cyber threats that organisations are likely to face which therefore should help to determine the main areas where protection efforts need to be focused. These threats are;
  • Socially Engineered Malware
  • Password Phising
  • Unpatched Software
  • Social Media Threats
  • Advanced Persistent Threats

Socially engineered malware

Every year, hundreds of millions of successful attacks are conducted by socially engineered malware programs. A typical form of this is data encrypting ransomware which is downloaded either in email attachments or trojan horse software downloaded from a site hosting malware. The unsuspecting user is enticed into clicking a link or opening a document which then installs the malware, oftentimes the user is prompted to bypass security controls if they are in place for this particular type of exploit. The malware is installed on the host machine and can then disable defences  such as anti-virus, conduct callbacks to command and control centres which then lead on to the exploits. Exploits could include data gathering and exfiltration or encryption of data and horizontal propagation of the malware.
This type of threat sometimes requires the use of elevated privileges. Techniques that could be used to help prevent this type of threat include;
  • avoiding giving elevated privileges for daily tasks
  • constantly educate users about these type of threats
  • deploying advanced endpoint protection
  • not relying solely on traditional anti-virus

Password phishing

Phishing has become a huge industry for cyber scammers and it is estimated that approximately 80% of global email is spam. Anti-spam techniques deployed by email providers are becoming better are blocking spam how ever the attackers are constantly refining their approach and inevitably some is still getting through to user’s inboxes. Most of us are so busy we do not bother to hover over the links to check for a valid url and
sometimes they are so well crafted it is so easy to miss.
The best protection against phishing apart from good anti-spam software is user education along with policies that encourage the use of 2 factor authentication such as smartcards, sms messages, etc.

Unpatched software

Unpatched software is a major threat due to the existence of known vulnerabilities that could be protected from if the latest available patch is applied. This problem while common for client applications such as web browsers, and ancillary apps such as adobe and java are also quite common on server systems. I am sure you have seen many instances where critical servers running core business systems are unpatched and carry literally hundreds of vulnerabilities.
Software patching needs to be a part of the IT operations processes and undertaken in a regular and systematic manner to avert an easily avoidable vulnerability.

Social media threats

Social media is pervasive and an essential part of an organisations digital presence. It has therefore become a target for cyber attackers to find exploits and cause reputational damage or extort money from unsuspecting users and owners. The threats could start off as simply as a friend request or application install which then develops into something completely different. One example is a response to a post where a visitor may voice
dissatisfaction with a service. The response offers to provide assistance and redirects the person to a fake site where their usernames and passwords are requested and then exploited on the real social media site.
Yet again user education is a must to help protect against this type of threat and 2 factor authentication could also prevent compromise of username and passwords.

Advanced Persistent Threats

The majority of large organisations have been the subject of advanced persistent threats but that is not to say that small-medium organisations are not affected by this also. The attacker may initially use phishing or trojans to infect one machine but once they get hold of a machine, they extend their reach throughout an organisation and steal data within hours oftentimes remaining undetected for months.
The best way to combat advanced persistent threats is to deploy next generation detection and protection capabilities. Typically such measures will profile the normal network traffic and behaviour thus creating a baseline against which anomalous behaviour can be profiled and alerted.
You may have noticed an underlying theme in terms of the best way to
mitigate most of these threats involved user awareness. The benefits of this cannot be understated and there are some low cost good user training subscriptions that could save organisations a ton of money in costs associated with a successful cyber attack.
It is also however very important to do the basics well such as patching, endpoint protection, password policy and network security.

Is Cyber Security still a Maze?

InfoSecurity Europe 2018
I attended Infosec2018 this week at London Olympia. It was a vibrant event as you can imagine with every exhibitor enthusiastic to promote their wares. They were also eager to grab your details with their ‘GDPR compliant’ badge scanner. As a technologist of too many years to mention (I started in IT when 5-inch floppy discs were the rage), what really dawned on me is that it is understandable why many small businesses are not fully engaging in a comprehensive cyber security strategy.
There are many vendors with absolutely great solutions targeted at fixing some particular problems or protecting a specific area of potential exposure. And of course, there were many GDPR compliant or GDPR enabling solutions on view. The information security landscape is increasingly becoming more challenging as technology becomes more pervasive, as the cyber attack surface increases and as the sophistication and scale of attacks also increases to match.
Cyber Security really needs to be demystified to a large extent to make it more accessible to organisations. What would have really been a helpful approach from vendors would be a means of sharing a common language of Cyber Security. A means of easily identifying where each vendors solution sits in the Cyber Security stack and what it talks to vertically and horizontally.
This would be akin to placing their offering in a Cyber Security jigsaw puzzle so that organisations can clearly see where it sits, what problems it solves and importantly what problem it doesn’t solve. Such an approach would make it easier for decision makers to engage and fully commit to adopting and implementing a comprehensive strategy for effective Cyber Security.
It has been an ongoing bug bear of mine that businesses don’t easily have a conversation about their security needs. There are some obvious reasons for this such as lack of resource, lack of understanding or no buy-in at senior management level. There is also a tendency to not want to do anything because “we’ve been OK so far despite all the doom and gloom”.
This was reinforced in a very enlightening conversation I had with the team at the National Cyber Security Centre (the public face of GCHQ). They strongly advocated that cyber security ownership now has to be at CxO level of organisations. It will only be taken seriously, and the right strategy and resources effected when CxOs understand the business imperative of getting this right and the consequences of not doing what needs to be done.
He lamented the fact that too many organisations are sitting back and waiting until it’s too late before they do something.
He also advised rightly so that it was not actually so difficult to achieve a respective level of Cyber Security. The NCSC have published guidelines on this in terms of 10 Steps to achieve Cyber Security and this really is very straightforward practical actionable guidance.
I must say of all the people I spoke to during the day at Infosecurity, he was the most impassioned and engaged individual (long live our public services).
On a final one of my reasons for going to InfoSec was to research products that I think are unique and can fulfil customer needs. I actually met a supplier that has been named Cool Vendor by Gartner. Being my usually cheeky self I said “you guys don’t look cool”, however after spending some time understanding what the product is able to do to expose Cyber Security gaps, I am convinced that every organisation connected to the Internet needs such as service. Literally within seconds of clicking a button you can test for a range of exposures and vulnerabilities. Lack of visibility is a challenge we all face when it comes to digital communication but it is actually ‘cool’ if you can see your exposures and do something about them before it’s too late. We are in the process of signing up with this cool vendor and will bring you news about the service in the near future.

Cyber Resilience | The Framework you Should Follow

Have you sometimes found yourself bewildered by the sheer volume of bad news out there especially about emerging cyber threats and actual attacks. It is not uncommon to wonder when you will come under a similar threat or worst still is it happening already but you just haven’t detected it yet. What would give us more comfort is understanding that we were cyber resilient to threats to a large extent, sure nothing is ever 100% guaranteed but it would sure be good to a high a high level of confidence about our ability to survive such an eventuality.

So what would good cyber resiliency actually look like?

Cyber resiliency is really about keeping the business operational despite an attack or incident. It is about the organisation having the systems, processes and controls in place to detect an attack, contain it, recover or maintain operations despite the attack and clean up the affected systems.
Some specific objectives of cyber resilience would include the following.
  • Prevention–apply basic cyber protection mechanisms as well as more advanced cyber security controls to reduce the risk. In addition, threat intelligence is applied to keep the protection relevant
  • Cyber response preparation– create and maintain cyber incident scenarios to train staff and maintain a good level of readiness. If an incident happens, there is a plan and people know what to do
  • Minimise service degradation- in the instance of an attack
  • Identify potential damage- and change resources to limit further damage
  • Maintain trust relationships- and review trust of restored systems
  • Effective controls- understand the effectiveness of cyber security controls in relation to the nature of the adversaries
  • Review systems architecture and restructure to reduce risks
The NIST have published some recommendations that could help with achieving cyber resilience and some of these are outlined below.
A word of caution, this is not for the faint hearted as it reads as if from a military manual.
Adaptive Response- maximise the ability to respond in a timely and appropriate manner to adverse conditions thus limiting business impact and maintaining operations.
Analysis and monitoring– maximise the ability to detect attacks by extensive monitoring that can reveal the extent and scope of an attack. We have seen how AI and Machine Learning is playing an increasing role in this area
Coordinated Protection– implemented a range of protection measures that follow the defence in depth principles thus ensuring that attacks will need to overcome multiple mechanisms in order to be successful
Deception– conceal critical equipment or resources from the attacker, this could include techniques such as encryption or multi-layered firewall approach
Diversity– limit the likelihood of successful attacks on common replicated systems forcing attackers to breach different systems necessitating multiple variants of malware
Dynamic Positioning– distribute and dynamically relocate system resources, this could easily be achieved in a resilient cloud environment, this could go a long way to supporting recovery and continuity as well as making it more difficult for attackers to determine the infrastructure topology
Non Persistence– generate and create resources as needed and avoid the likelihood of intrusions through backdoors left on unused resources
Privilege Restriction– restrict access privileges based on attributes of users and systems as well as environmental considerations i.e. do not give admin rights to a user connected via an Internet café or via a country you have no business with
Redundancy–provide multiple instances of critical business systems to aid recovery from failure of primary systems
Segmentation– define and separate elements of your systems based on their criticality and attribute permissions accordingly. This will help to prevent the spread of malware and give further protection to critical systems
Unpredictability– make random and unpredictable changes to increase uncertainty for attackers thus making it more difficult for them to determine their attack sequence
These techniques put together will go a long way to achieve a high degree of cyber resiliency, which will result in the ability to manage the cyber risk and maintain operational services especially in times of persistent attack

GDPR compliance: technology and data handling explained

The GDPR regulation is ultimately about good data/information management and governance. Though many organisations acknowledged previous iterations of data protection regulation, GDPR demands that everyone step up their game and take responsibility or face severe consequences. The innovative use of technology aligned with the data handling processes and procedures will go a long way to achieve and maintain GDPR compliance.
Compliance with GDPR has strong data governance at its foundation.
Data governance should have executive ownership at its core and necessitates strong commitment is communicated and actioned. It involves auditing and risk management where data is identified, classified and managed in a controlled manner. Technology can inevitably be used to automate and scale this process especially where data volumes are extensive.

Data analysis and classification

One of the early steps on the GDPR journey is the analysis of data that is held, and identification and tagging of personal data. Organisations may hold a combination of structured and unstructured data, oftentimes data is held in multiple locations as multiple copies of records are made. Once identified, organisations will need to tag personal data and link pieces of data together that relate to the same individual. Systems will then also need to manage the consent element of GDPR enabling all data being held to be collated in accordance with access and consent requirements of GDPR.

Data management and security

Systems need to be in place that manages data quality throughout its lifecycle. Data location needs to be accurate, duplicates need to be detected, records need to be accurate and should be updated including corrections, amendments and deletions when requested including backup copies which are no longer required.
To support the data security requirements, systems functionality need to be in place that manages data records including encryption, deduplication, backup, deletion and providing access to complete records in a transferable manner. Applications that manage the data also need to be secure ensuring
that user access policies are enforced, and users do not get access to data they are not authorised to. Manual processes are likely to be inadequate and therefore technology will inevitably need to be in place to support this requirement.
In a cloud environment, this will need to be provided by cloud providers whose systems are GDPR compliant. The organisation, however, will still be responsible for securing the data and policing user access irrespective of the cloud providers security controls. For an on-premise scenario, the organisation will have total responsibility for ensuring the systems are in place.

Breach detection, response and reporting

GDPR requires that certain types of breaches are notified to the relevant authorities within 72 hours of the breach occurring. The notification will also require details of the breach such as; how many records were accessed, mitigating measures to counter the breach, consequences of the breach, risks to the individual, categories of data breached. To fully comply with this requirement, organisations will need to have excellent cyber security protection mechanisms and controls in place. This will include at least the following components;
  • Network Security to ensure only authorised devices are able to access the networks
  • User authentication mechanisms to ensure only authorised users have access to systems
  • Intrusion Prevention Systems that detect and block unauthorised network access
  • Monitoring systems to identify and alert if unauthorised activities are detected
  • Logging capabilities to ensure all activity is logged and the information is available to undertake a forensic investigation should the need arise
These are just a few areas where technology applied effectively will greatly assist with GDPR compliance. Implementing the above technologies may well require additional investment if the systems are not yet in place, or it may just be a case of fine-tuning and optimising systems that are already in place.
Inevitably changes need to be made if anything more than lip service is to be paid to GDPR. There is, however, a positive spin on GDPR because it’s not about preventing business but about handling data properly, which must be a good thing for all concerned.

7 infographics from the Cisco 2018 Cyber Security Report explained

In our final part of Cisco’s 68 page 2018 Annual Cyber Security Report, we summarise the key findings and highlight the main takeaways contained in the report.
While most of the information is already known, put in context it gives a thorough view of the changing landscape and importantly identifies some of the steps that Information Security teams could take to mitigate the growing risk.
The reports highlights include;
  • Self-propagating ransomware is a growing trend
  • Legitimate cloud platforms are increasingly being exploited for cyber attacks
  • Cyber attackers are exploiting gaps in security coverage as organisations move to the cloud
  • Lack of skilled cyber security staff is a growing problem
  • Security is more effective when policies governing technology, processes and people are synced
  • Scalable cloud security, advanced endpoint protection and threat intelligence can be deployed to reduce the cyber threat risk
According to the Cisco report, cyber attackers are amassing their techniques and capabilities at an unprecedented scale.
Ransomware is the most profitable form of malware and has evolved into self-propagating network based cryptoworms as witnessed by Nyetya
and WannaCry. These ransomware variants took down whole regions and
sectors of infrastructure such as the Ukraine and the NHS.
Cyber attackers are weaponizing the cloud and using legitimate cloud services from well known vendors such as Google, Amazon, Twitter to host and conduct malware attacks. They are in fact capitalising on the benefits of cloud platforms such as security, agility, scalability and good reputation, oftentimes repurposing their sites before they are detected.
Cyber attackers are exploiting gaps in security coverage including IoT and cloud services especially where the organisation has not extended their security controls to include securing users and data in the cloud. Another growing obstacle to more effective cyber security is lack of skilled cyber security personal and inadequate budgets.
Cisco’s report also provides some essential guidance that organisations
should adopt in order to meet the growing challenge and provide more effective cyber security protection. Some of these measures include;
  • Implementing scalable cloud security solutions
  • Ensuring alignment of corporate policies for technology, applications and processes
  • Implementing network segmentation, advanced endpoint security and incorporating threat intelligence into security monitoring
  • Reviewing and practising security response procedures
  • Adopting advanced security solutions that include AI and machine learning especially where encryption is used to evade detection
While the security report is essential reading for all personnel responsible for an organisations information assets, in many areas it reiterates what we have been hearing about in the news and trade publications. The essential call to action is really to make a good start by doing the essentials. If you have already done this, then keep testing, refining and improving your cyber security posture.

5 Takeaways from the Cisco 2018 Annual Cyber Security Report

Cisco Annual Cybersecurity Report 2018

Cloud abuse on the rise according to Cisco Security Report

Cisco’s Annual Cyber Security Report 2018 provides an insightful account into the changing cyber security landscape. This article summarises some findings of the report pertaining to cloud security.
Some main take aways from the report that will be discussed in this blog include:
  • Legitimate cloud services such as Twitter and Amazon being used by attackers to scale their activities
  • Machine-Learning is being used to capture download behaviour
  • Cloud Security is a shared responsibility between organisations and its provider
  • There is an increase of belief in the benefits of cloud security
  • Cloud abuse is on the rise
According to the report, increased security was the principle reason security professionals gave for organisations deciding to host corporate applications in the cloud.
Fifty seven percent believe the cloud offers better data security
Organisations who have a security operations team are likely to have a well defined cloud security approach that may include the adoption of Cloud Access Security Broker (CASB) as they deploy to the cloud.
Many smaller organisations however are adopting cloud services without a clear security strategy, there is therefore a blurring of the security boundaries where many organisations are not certain about where their responsibilities end and where the responsibility of the cloud provider starts.
Security in the cloud is a shared responsibility: Cloud Security, DNS, IaaS PaaS Saas
Security in the cloud is a shared responsibility
Cyber attackers are increasingly taking advantage of this blurring of the boundaries to exploit systems.
An increasing trend amongst cyber attackers is to use legitimate cloud services to host malware and command and control infrastructure. Public clouds that have been used for malware activity include Amazon, Google, DropBox and Microsoft.
This makes it doubly difficult for security teams to identify bad domains and take protective measures without risking significant commercial impact caused by denying user access to legitimate business services.
Examples of legitimate services abused by malware for C2
The misuse of legitimate services is attractive to cyber attackers for a number of reasons;
  • Easy to register a new account and set up a web page
  • Adopt use of legitimate SSL certificate
  • Services can be adapted and transformed on the fly
  • Reuse of domain and resources for multiple malware campaigns
  • Less likely that infrastructure will be ‘burned’ (service can just be taken down) with little evidence of its purpose
  • Reduce overhead for attacker and better return on investment
Cyber attackers are effectively using legitimate and well known cloud infrastructure with their attendant benefits; ease of scale, trusted brand and secure features such as SSL. This enables them to scale their activity with less likelihood of detection if current protection methods are retained.
The challenges posed for the security teams defending organisations from these new threats call for a more sophisticated approach because in effect you need to block services that users are trying to access for legitimate work such as Amazon or Dropbox. Furthermore, the legitimate services are encrypted and so malware will be encrypted and evade most forms of threat inspection techniques– the threat will only become apparent after it has been activated on a host.
Intelligent cloud security tools will need to be deployed to help identify malware domains and sub-domains using legitimate cloud services. Such tools can also be used to further analyse related malware characteristics such as associated IP addresses, related domains and the registrant’s details.
An emerging and valuable approach to detect anomalous behaviour is machine learning.
Machine learning algorithms can be used to characterise normal user activity, unusual activity can be identified, and action taken automatically.
Machine-learning algorithms capture user download behaviour 2017
To meet the range of challenges presented by cloud adoption,
organisations need to apply a combination of best practices, advanced security technologies, and some experimental methodologies especially where they need to overcome the use of legitimate services by cyber attackers.

Would you like to learn more? Claim your Free copy of our latest eBook “A View of the Cyber Threat Landscape”. Click here.