Addressing tomorrow’s challenges – today
Written by Alison Ebbage
Increasing usage of hosted web applications can make for a security nightmare. On the one hand, using a hosted service represents a cost saving, regardless of how it is accessed, and removes capacity issues. On the other, there is the potential for sensitive data to end up in a public cloud and thus be vulnerable to leaks or cyber attacks.
Ed Macnair, CEO of Overtis, comments: “Up until two years ago the cloud was not really deemed to be something that the financial community would ever actually go over to because of the inherent loss of control and security risks. In essence it requires a need to downgrade to a ‘one size fits all’ security instead of a firm-specific risk-based security assessment that allows bespoke checks and balances.”
Accordingly, the cloud and hosted services have not yet become the default model. Big SaaS vendors such as Oracle and Salesforce have not yet, according to Macnair, enjoyed a huge uptake.
An important initial improvement for any firm looking to convert to hosted services, according to Amichai Shulman, co-founder and chief technology officer of Imperva, would be a review of firewalls.
“Protecting the hosted applications themselves via a web-based firewall is one of the best things a firm can do to protect itself. Installing a firewall around key databases is also important as it not only prevents attacks but also allows monitoring of activity by tracking every SQL query and thus creating audit trails. In turn this satisfies the regulators. By employing a number of firewalls you can track almost all data repositories,” he says.
The security issue of hosted services is compounded by the move to multi-channel access with employees and customers alike now wanting to access services via the internet or smartphone. This move to a variety of mobile devices in a variety of locations means that security also needs to evolve from a singular point of access over a gateway or network to more context-based security around the user, the device and the location.
One useful tool is a web application plug-in (such as the one to be launched at the conference by Overtis) that allows bespoke permissions to be granted depending on context. For example, a firm could define a baseline of normal behaviour and permit no deviation from it, or allow certain information to be downloaded in the office or during office hours but not remotely or at night. This works by authenticating at the time of access, taking into account the device used, rather than relying on a single log-in and a fixed set of permissions.
Macnair comments: “The browser plug-in can react to the end device used and the context in which the connection is being made. For example, a Swiss banker would not be able to take core client data out of the country or a sales director would not be allowed to download database information unless they were in the office. It gives a single yet flexible sign-on for web applications, gives a granular view of user activity and leaves a full audit trail.”
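The context-based permission model described above, as an added illustration rather than code from Overtis or this article: access is denied by default, a rule grants an action to a role only while its location, time and country conditions hold, and every decision is written to an audit trail. The roles, labels, office hours and the two-rule policy are assumptions constructed to mirror the Swiss banker and sales director scenarios.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Added illustration, not Overtis code: roles, labels and office hours are assumed.
@dataclass(frozen=True)
class AccessContext:
    user: str
    role: str
    device: str    # constructed label, e.g. "managed-laptop"
    location: str  # "office" or "remote"
    country: str   # constructed two-letter code, e.g. "CH"
    when: datetime
@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # e.g. "download"
    resource: str                  # e.g. "customer-db"
    roles: tuple                   # roles granted; () means any role
    require_office: bool = False
    office_hours_only: bool = False
    allowed_countries: tuple = ()  # () means no country restriction

OFFICE_HOURS = (time(8, 0), time(18, 0))  # assumed working day
AUDIT_LOG = []  # (time, user, device, action, resource, decision, reason)
def violated(rule, ctx):
    """Return the first rule condition the context fails, or None if all hold."""
    if rule.require_office and ctx.location != "office":
        return "outside office"
    if rule.office_hours_only and not (OFFICE_HOURS[0] <= ctx.when.time() < OFFICE_HOURS[1]):
        return "outside office hours"
    if rule.allowed_countries and ctx.country not in rule.allowed_countries:
        return "outside permitted country"
    return None

def authorise(policy, action, resource, ctx):
    """Deny by default: allow only if a rule grants the action to this role and its conditions hold."""
    matching = [r for r in policy if r.action == action and r.resource == resource
                and (not r.roles or ctx.role in r.roles)]
    failures = [f"{r.name}: {why}" for r in matching if (why := violated(r, ctx))]
    reason = failures[0] if failures else (None if matching else "no rule grants this action")
    decision = "allow" if reason is None else "deny"
    AUDIT_LOG.append((ctx.when.isoformat(), ctx.user, ctx.device, action, resource, decision, reason))
    return decision
def make_context(user, role, location, country, hour, device="managed-laptop"):
    return AccessContext(user, role, device, location, country, datetime(2011, 4, 19, hour, 0))
POLICY = [  # constructed policy mirroring the article's two scenarios
    Rule("client data stays in country", "export", "client-core-data", ("banker",), allowed_countries=("CH",)),
    Rule("database downloads from the office", "download", "customer-db", ("sales-director",), require_office=True, office_hours_only=True),
]
```

Each denied decision carries the rule and the failed condition, so the audit trail explains why a download was blocked rather than only recording that it was.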
A third approach to security is by looking at the device itself and protecting it as well as any network or web application it connects to from intentional or unintentional data leakage or cyber attack. This applies in particular to mobiles.
John Walker, managing director at Secure Bastion, comments: “Last year security was not even on the radar of mobile technology but with £29bn of fraud in the UK, industry would be wise to think about how we are using smartphones and whether we are thinking enough about protecting them and being secure.”
Indeed, for banks’ customers using phones to access their accounts the risks are enormous, not from the connection with the bank itself but rather from the potential for that connection to be hacked via other apps that might be installed on the phone. And firms also need to be able to screen and reject any rogue applications that their employees may try to install on mobile devices.
Unknown applications may come from hackers themselves, or may be hacked into and pull data from other applications installed on the phone, working in just the same way as a rogue programme on a computer. Phones have the additional security risk of allowing premium rate texts to be sent to them. In addition they often automatically connect when in a place where Wi-Fi has previously been accessed, such as a bar or train. This has obvious security implications.
Chris Wysopal, co-founder and chief technology officer of Veracode, adds: “If applications are not secure then they are at risk from Trojan applications that install hidden spyware, phishing UI, or unauthorised premium dialing. The balance has to be between the super convenience of the phone and the need to be vigilant and secure. Multi-layered access needs to be standard and people need to be aware of what they have on their phone.”
Ultimately, however, the answer may lie in better user awareness and education. Walker thinks this is the key: “There are a number of security tools such as multi-layered passwords, software security, mobile lockdowns; but essentially users really need to think about what they are downloading onto their device and whether it is a good idea to give an app permission to access everything else on that device,” he says.
FSTech Magazine – stand M76
Come and meet the team at FSTech and find out what events are coming up, the features we’re working on and how we can strengthen our partnerships with you.
SafeNet – stand C50
Information security firm SafeNet provides technology solutions that secure online financial transactions, payment settlements, documentation submission, bill calculation and stock trading. Currently, over 80 per cent of the world’s fund transfers – $1 trillion per day – are protected by SafeNet.
Visitors can hear how SafeNet hardware security modules (HSMs) protect large and dynamic electronic funds payment (EFT) processing environments for credit, debit, chip card, and Internet applications; and discover more about how SafeNet provides the only fully automated, secure web-based PIN issuance and management solution. SafeNet will present its Trusted Cloud Fabric – a practical framework designed to deliver the trust, security, and compliance financial services companies demand when moving data, applications and systems to the cloud. There are three new cloud-based solutions: ProtectV™ Instance, virtual machine encryption; ProtectV™ Volume, virtual storage encryption; and SAM 8.0, authentication for SaaS applications.
FireEye – stand A41
FireEye Inc., the specialist in combating targeted, sophisticated cyber attacks, will be previewing its next-generation Malware Protection Systems (MPS) that protect against the zero-day and targeted cyber attacks which evade traditional security defences.
Using FireEye’s Web Malware Protection System (MPS), organisations can secure their networks against inbound, zero-hour malware, outbound data theft callbacks, and dynamically inoculate their networks from future attacks. The FireEye MPS blocks targeted attacks, zero-day exploits, advanced persistent threats, and provides accurate, actionable forensics that detail the exact nature of an inbound attack or outbound callback, such as keylogging and other data theft or fraudulent transaction activities. FireEye’s new Email MPS features the Real-time Attachment and URL Analysis engine that evaluates emails for zero-hour malware using virtual machines that run a cross-matrix of operating systems and applications, such as various web browsers and plug-ins. This dynamic analysis enables FireEye to detect and stop spear phishing email attacks aimed at known and truly unknown OS and application vulnerabilities.
Titus Labs – stand J61
To comply with FSA regulations, companies must ensure their emails and documents are fully protected against accidentally or maliciously getting into the wrong hands. Anyone using Outlook will know how easy it can be to send an email to the wrong person, or to a whole list of people. The consequences can be serious – not least loss of clients’ confidence and heavy fines.
Now a new technology, seen in Europe for the first time at Infosecurity, is set to make the job of compliance much easier – both for users and for financial services providers. Titus Aware from Titus Labs validates all emails and any attachments for policy violations and regulatory compliance before they leave the desktop. A sister product – Titus Classification – does the same for shared files, ensuring they can never be copied, viewed or opened by unauthorised people.
Qualys – stand E70
On their stand, Qualys will be presenting two products.
IronBee Open Source Web Application Firewall: IronBee is a new open source project to provide the next generation of web application firewall (WAF) technology. Led by the team who designed and built ModSecurity, this new project aims to produce a web application firewall sensor that is secure, high-performing, portable, and freely available – even for commercial use. Hosted at the web site www.ironbee.com, the project is open to all parties interested in joining the
QualysGuard Policy Compliance 3.0: Providing more comprehensive policy compliance scanning capabilities without the need to install agents. The latest version expands support for new operating systems and adds support for scanning databases and network devices – providing customers with a full, in-depth view of IT policy compliance across all assets.
Attachmate/NetIQ – stand E80
Attachmate® and NetIQ® together form an enterprise software company. Their comprehensive portfolio of integrated Security & Compliance, Enterprise Fraud Management and Identity and Access Management solutions enables customers to reduce risk and efficiently protect critical data. With a relentless focus on customer success, their unique solutions help achieve strategic value, business improvement and cost savings. Attachmate/NetIQ are sponsoring the event, and delegates can hear presentations from their representatives looking at Secom (Wednesday), EFM and Insider threat, and IAM – DRA Advanced (both Thursday).
Grid Tools – stand H42
Grid Tools, the leading test data management vendor internationally, will be alerting the information security industry to the risks associated with using unmasked, live production data in testing and development arenas.
Headquartered in Oxford and with offices in Chicago and India, Grid Tools specialises in data masking, data creation and test data management solutions, and works with leading financial services institutions, large health care providers and government agencies.
At InfoSecurity, Grid Tools will focus on the importance of provisioning secure data for use in non-production environments, and will showcase three solutions: Data Maker™, Simple Data Masking™ and Fast Data Masking™.
Dell SecureWorks – stand A74
Cybercrime is a rapidly evolving, and very profitable, phenomenon with multiple layers of sophistication. It can be difficult for any organisation to keep up with present and emerging threats, or anticipate cyber criminals’ next move. With the advent of stricter compliance and regulatory laws affecting most industries, in particular the financial sector, managing cyber risk to your organisation is becoming more and more critical.
Cybercriminals have their sights on the industries where money can be made. Confidential information about customers, trade secrets or other intellectual property is always at risk. In the past eighteen months, we have seen the evolution of cybercrime from meddling teenagers earning their ‘hacker stripes’ to full blown cyber gangs and the enterprising international crime rings they have built. At InfoSecurity, Barry Hensley, Vice President of the Dell SecureWorks’ Counter Threat Unit research team, will be discussing identity theft, sources of cybercrime attacks by country, recent changes in criminal-to-criminal activities, as well as examples of the inner workings of the highly developed cyber attacks of today.
pin+ – stand J96
A system which will allow the information security industry to ditch passwords, PINs and tokens is to debut at this year’s Infosecurity Europe Show.
pin+™ utilises the power of matrix-pattern authentication (MPA) to generate one-time codes without hardware tokens or card readers, and is arguably the most exciting advance in computer security since the invention of tokens over 20 years ago. pin+ brings standardisation and essential comfort/familiarity for users. Its highly recognisable (trademarked) shield-shaped matrix offers ease-of-use combined with high security, thanks to its unique 6X6X6X6 format (6X6 matrix, six-digit one-time codes, using only numbers 1-6). Powered by new patent-pending IPR from Winfrasoft, pin+ offers users a raft of powerful
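As an added example, and not Winfrasoft's code nor necessarily pin+'s own algorithm, here is a generic matrix-pattern one-time code scheme in the 6x6x6x6 shape the text describes: the user enrols a secret pattern of six cell positions, each login shows a fresh 6x6 grid of random digits 1 to 6, and the one-time code is the six digits read off those cells. The function names, the enrolment policy and the sample grid are constructed for this illustration.

```python
import hmac
import secrets

# Added generic matrix-pattern illustration; not Winfrasoft's implementation.
GRID_SIZE = 6      # 6x6 matrix
DIGITS = "123456"  # only the numbers 1-6 appear in the grid
CODE_LENGTH = 6    # six-digit one-time code

def new_challenge_grid(pick=secrets.choice):
    """Server side: a fresh grid of random digits 1-6 for one login attempt."""
    return [[pick(DIGITS) for _ in range(GRID_SIZE)] for _ in range(GRID_SIZE)]

def valid_pattern(pattern):
    """Enrolment check (assumed policy): six distinct in-range (row, col) cells."""
    return (len(pattern) == CODE_LENGTH and len(set(pattern)) == CODE_LENGTH
            and all(0 <= r < GRID_SIZE and 0 <= c < GRID_SIZE for r, c in pattern))

def code_for_pattern(grid, pattern):
    """What the user does in their head: read the digit in each secret cell, in order."""
    return "".join(grid[r][c] for r, c in pattern)

def verify(grid, pattern, submitted):
    """Server side: compare the submitted code with the expected one in constant time.
    The grid is discarded afterwards, so a captured code does not work against the next grid."""
    return hmac.compare_digest(code_for_pattern(grid, pattern), submitted)

def render(grid):
    """Text rendering of the challenge grid as the user would see it."""
    return "\n".join(" ".join(row) for row in grid)

# Constructed example: a fixed grid and a diagonal pattern so the code can be checked by hand.
SAMPLE_GRID = [list(row) for row in ("316245", "452163", "123456", "654321", "261534", "535142")]
SAMPLE_PATTERN = ((0, 0), (1, 1), (2, 2), (3, 3), (4, 4), (5, 5))

if __name__ == "__main__":
    print(render(SAMPLE_GRID))
    print("one-time code for the sample pattern:", code_for_pattern(SAMPLE_GRID, SAMPLE_PATTERN))
```

Because the same pattern yields a different code for every grid, the secret the user must remember is the set of positions, never the digits themselves.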