FStech rounds up Infosecurity Europe 2016
Written by Dave Adams
The themes that dominated 2016’s Infosecurity Europe (held at London Olympia in June), such as security threats associated with the cloud, mobility, social networks and the Internet of Things, should all resonate with financial companies facing competition from new entrants and alternative finance providers, particularly in relation to products and propositions based on digital technologies.
Financial organisations also need to ensure compliance with data protection regulations, in particular the EU General Data Protection Regulation (GDPR), which comes into effect in May 2018 and will apply where either the controller/processor of data or the subject of that data (an individual) is resident in the EU. GDPR formed the backdrop to a Tech Talk given on the first day of the show by David Cahill, security strategy and architecture manager at Allied Irish Bank (AIB), explaining how the bank is securing cloud technologies, both those used internally and in customer-facing applications. The bank is building a hybrid architecture, with some resources and data kept completely separate from the public cloud, and has been working with Skyhigh Networks to identify and securely manage the use of multiple cloud technologies, in particular software as a service (SaaS) applications, by AIB’s 15,000 staff.
AIB discovered more extensive use of cloud than it had expected to find: 2,471 different cloud technologies were in use, including 131 services and 336 activities that Skyhigh classified as high risk. AIB has been able to analyse the findings, discuss the potential risks with business units and users, and create a list of authorised services. When users attempt to use an unauthorised SaaS application today, the system prevents them from doing so and suggests an authorised alternative.
On the Strategy Talks stage, Tim Porter, domain IT security engineer at Lloyds Banking Group, explained how Lloyds is working with TITUS (formerly Titus Labs) to classify information within the organisation, making it easier for users to comply with security policies and to ensure that the highest level of protection is applied to the most sensitive information. The major challenge is identification and classification of unstructured data, held in so many different forms across its networks. Ultimately every piece of structured and unstructured data in the bank’s networks will be classified under four headings: public, internal, confidential and highly confidential. Metadata attached to these pieces of data can be integrated with the bank’s other business tools – so any item marked highly confidential will be encrypted automatically, for example. Porter believes one of the most important lessons the project has provided to date is a reminder of the value of keeping things simple. “Don’t try to make it over-complex,” he said. “We just have four classes of data. We start simple and can make things more complicated in the future if we need to.”
Meanwhile, on the Keynote stage, Mikko Hypponen, chief research officer at F-Secure, looked back on 25 years of work battling online threats and showed how history can repeat itself. He pointed out that some of the first Trojans, created in the late 1980s, were versions of what we now call ransomware – which is also arguably the biggest malware-related problem that the world faces today, in part because Bitcoin has made it so easy to process payments from victims. F-Secure currently tracks over 100 different ‘families’ of ransomware, the creators of which are competing fiercely against and stealing from each other. Hypponen also discussed recent cyber crime incidents committed using the SWIFT network, starting with the $81 million stolen from the central bank of Bangladesh in February. He believes there have probably been more fraudulent transactions perpetrated in this way by well-resourced criminals – with the banks, not SWIFT, hacked and the SWIFT network used to steal perhaps $1 billion in total – than the handful made public so far. He explained a couple of the theories as to who perpetrated these attacks, with one of the most plausible being that it was the government of North Korea.
Finally, he told the story of a recent F-Secure security testing challenge, set by a nameless bank in northern Europe, to break into a specific IBM mainframe in a secure building. The team conducted a tailored social engineering attack to find user credentials that would allow them to access the mainframe, then one member registered as a journalist to attend a press conference in this building, hid in the bathroom for 45 minutes, then found an empty cubicle, connected to the network and completed his objective. It then occurred to him that it might be fun to find the machine itself and take a selfie standing next to it. On the way to the mainframe he ran into the person who had left him in the bathroom. Initially claiming to be lost, the F-Secure employee decided to come clean and explained he was conducting a security audit of the building. “The host says ‘Oh! OK, you have a good day!’ – and leaves him to it!” laughed Hypponen. The attacker was then free to head off and get his selfie by the mainframe. Readers: ensure your organisations learn from this. As Hypponen said: “There is no patch for stupidity”.
The second day of the conference began with a keynote address from former Foreign Secretary William Hague, now Baron Hague of Richmond, during which he tried to reassure delegates that governments were trying to find the right balance between privacy and surveillance, but also made it clear that, in his opinion: “In a world where private information can ... stop a multitude of crimes or save lives, in my view there can ultimately be no absolute right to privacy.”
The question as to how governments can or should control or monitor online technologies and data was addressed in another keynote address, by cryptographer and security guru Bruce Schneier. He spoke of his concerns about the development of the Internet of Things (IoT). One problem facing those seeking to counter cyber vulnerabilities within the IoT, Schneier suggests, is that the security gap – the time between the first exploitation of a vulnerability and the application of countermeasures – is likely to be much longer for some IoT devices than for conventional workplace technology or consumer electronics. His fear is that this will mean “fewer attackers can do more damage with better technology”, and that an increase in catastrophic risks will drive demands from consumers and the media for government action, possibly leading to increased surveillance and restrictions on individual freedoms online. “Our choice is between smart government involvement and stupid government involvement,” Schneier said. “We need to bring together policymakers and technologists... that’s how we’re going to solve these problems.”
Day two also saw an interesting discussion aimed at CISOs and managers responsible for security, asking how best to turn greater security awareness at board level – the result of a constant stream of security breaches being reported in the media – into a more effective approach to security. Participants included Matt Palmer, CISO at Willis Towers Watson, who stressed the importance of being straightforward and transparent. “They can spot a mile off if they’re not being given the whole story,” he said. “You need to present the whole picture in an accurate and transparent way. As soon as they start to hear [false reassurances] you lose all credibility.” Palmer thinks most boards now understand what a breach might mean – what executives want to know is “how we balance that risk against the other risks that we have”. Indeed, creating the conditions within which effective, informed risk decisions are possible is surely the top priority for anyone seeking to secure financial organisations of all kinds, in an ever more dangerous world.