wednesdayapril242013 intelligenceim.ft-static.com/content/images/e2e355d2-ab0e-11e2... ·...
TRANSCRIPT
Global politicsFears of warand espionageraise internationaltensionsPage 2
Inside »
IntellectualpropertyThe biggestdangers comefrom withinPage 3
Supply chainIncreased vigilanceover access canhelp protectcomputer systemsPage 4
PersistentthreatsCrooks turn to‘spear-phishing’techniquesPage 4
Title here 13/15More copy hereplus more overfour lines plusmore 13/15Page 10/15
FT SPECIAL REPORT
The Connected BusinessWednesday April 24 2013 www.ft.com/reports | twitter.com/ftreports
Online security has moved tothe top of both the politicaland corporate boardroomagendas in the past year,and there are dire warn-
ings about the consequences of ignor-ing the threats posed by financiallymotivated criminals, state-sponsoredindustrial spies and politically moti-vated “hacktivists”.
Many of the most dramatic warn-ings have come from current andformer US and UK security andintelligence officials, who areconcerned about the theft of intellec-tual property (IP) and the impact ofcyber-based industrial espionage onbusiness competitiveness. There are
also fears of state-sponsored andother attacks on critical infrastruc-ture, such as utilities, banks and hos-pitals.
For example, Leon Panetta, then USsecretary of defence, warned last yearof the danger of a “cyber Pearl Harborthat would cause physical destructionand the loss of life, an attack thatwould paralyse and shock the nationand create a profound new sense ofvulnerability”. (See “Fears of war andespionage raise tensions”, Page 2.)
John “Mike” McConnell, a formerUS intelligence chief, now vice-chair-man of Booz Allen Hamilton, echoedthe warning, adding the west has hadits “9/11 warning” on cyber security
and that, unless urgent action istaken, the US faces a “cyber equiva-lent of the World Trade Centerattack” that could bring the country’sbanking system, power grid and otheressential services to their knees.
Asked whether such warnings arejustified, Edward Stroz, a former FBIagent who was responsible forthe formation of the bureau’s compu-ter crime squad in New York and co-founded Stroz Friedberg, a companythat advises corporate clients on secu-rity issues, says simply: “They are notcrying wolf.”
Mr McConnell’s warning came aftera cyber attack on Aramco – the SaudiArabian oil group – that wiped the
hard drives on about 30,000 desktopPCs, a move Saudi and US officialsbelieve was designed to disrupt oilproduction.
Similarly, a dozen large US banks,such as Wells Fargo, JPMorgan Chaseand Bank of America, were last yearthe victims of sustained distributeddenial of service (DDoS) attacks – inwhich many infected computerstarget data at one website causing itto crash. These appear to have beenorchestrated overseas. The attackersmade use of one or more of the esti-mated 1,500 “botnets” (collections ofhijacked PCs) that have been infectedby computer viruses or other mali-cious software. These are available
for hire in the cyber underworld.But while many such attacks
appear to be politically motivated,security experts say most are con-ducted by cyber criminals for mone-tary gain, or in order to steal intellec-tual property and trade secrets.
For example, in February the Man-diant Intelligence Center, a US-basedcyber security firm, published areport identifying a group linked tothe Chinese military as being respon-sible for “a multiyear, enterprise-scalecomputer espionage campaign”.
Mandiant claimed it was: “Oneof the most prolific [groups it tracks]
Continued on Page 3
Intelligencechiefs warnof increasedcyber risks
Paul Taylor discovers security experts onboth sides of the Atlantic are calling for closerco-operationwith businesses to prevent attacks
Brussels’ plans to overhaulEurope’s outdated data pro-tection laws are set to entera complicated negotiationphase during the comingmonths, as lawmakers andmember states lock hornsover the controversial rulesaimed at toughening pri-vacy rules.
Draft rules unveiled lastyear by the European Com-mission, the EU’s executivearm, which aimed to find abalance between bolsteringprivacy rights and fosteringinnovation in the era of theinternet, are coming underattack from many sides.
The European Parliamentwants to toughen the com-mission’s proposals byimposing stringent rules toprotect citizens’ privacy – amove that could affect thebusiness model of the grow-ing number of companiesthat depend on their cus-tomers’ data.
The European Council,representing EU states, ispushing for a softerapproach. It wants tolighten the regulatory bur-den for business at a timeof recession – a move thatcould leave citizens vulner-able to companies misusingtheir digital avatars, forexample.
What has muddied thewaters further is the lobby-ing effort conducted by theworld’s largest technologi-cal groups, as well as smalland medium-sized compa-nies, which have been furi-ously campaigning to waterdown the entire legislation.
They fear that the exces-sive one-size-fits-all regula-tory approach could dam-age the future of business,which is daily becomingever more data-driven.
Brussels’ main objectiveis to update the EU’s cur-rent privacy rules, whichwere agreed in 1995, a pre-Facebook and pre-Googleera, when the internet hadpractically no role in peo-ple’s everyday life.
Viviane Reding, the EU’sjustice commissioner, pro-posed a series of new rulesearly in 2012 to achieve this.
The overarching goal forMs Reding’s departmentwas to create a single set ofcoherent rules that wouldapply across member states.At the moment each coun-try has to guarantee a mini-mum standard but thedegree of application variessubstantially from state tostate. Everybody likes thisas it sets certainty andremoves any regulatorybartering.
Companies will have todeal with only one regula-tor, the one in the countrywhere they have setup their European head-quarters.
This move is also wel-comed by internet groupsthat have a presence inmultiple countries as theywill not have to deal with aplurality of data protectionagencies. Given the samerules apply everywhere it isimmaterial which watchdogthey interact with.
Individuals will now begranted the right to accessto their data whenever theywant. This is seen as funda-
mental right for privacyadvocates, who are con-cerned about the enormousamount of information weeffectively hand over toprivate companies.
Businesses, in particularsocial media companies,take a different view. The“right to be forgotten” –which grants individualsthe right to ask an onlinecompany such as Google or
Facebook to remove anycontent related to them onthe web – is seen lessfavourably by many busi-nesses. None are concernedabout removing items fromsites that they have fullcontrol over but the chal-lenge becomes more diffi-cult once something goesviral.
Many member states
would scrap this rule butthe parliament is adamantit wants to to make it astough as possible.
Online groups will alsohave to seek explicit con-sent from people whenusing their data for com-mercial purposes.
This is not a problem inprinciple but many compa-nies, in particular advertis-ers, are concerned by theendless amount of timesthey will have to seek con-sent from users when usingcustomer data for advertis-ing purposes.
All companies with morethan 250 employees thathandle data will have toname a data protectionofficer.
This is fine for large techgroups, which already haveprivacy officers, but for amid-sized manufacturer itcould become a nightmare.The European parliament isalso keen to extend this tosmall companies but mem-ber states fear it couldaffect small businesses,such as a local butcher orcorner shop with a clientmailing list.
The other major change isthe size of penalties forthose companies thatbreach the regulation. Atthe moment, national regu-lators can barely fine com-panies up to €1m but underthe new rules fines wouldgo up to 2 per cent of agroup’s annual global reve-nue. For some companiesthat could be worth close to€1bn.
Ireland, which holds theEU’s rotating presidency, iskeen to reach an informalagreement on the data pro-tection regulation by theend of the year.
However, many of theEU’s 27 members have seri-ous concerns over the draftlaw, and the parliamentmade more than 3,000amendments to the commis-sion’s original text. Thissuggests it will take timeand much debate before acompromise is found.
In the end, the commis-sion’s plan might representthe true middle ground.Whether this will be also atrue middle ground for bothprivacy advocates and busi-ness interests in Europeremains to be seen.
EU’s lawmakers and states takesides over privacy regulationsData protection laws
James FontanellaKhan on Europe’splans to strengthenindividual rights
Companies fearan excessiveone-size-fits-allapproach coulddamage business
Continental drift: EU commissioner Viviane Reding Getty
Online threatsPaul Taylor looks atthe top 10 dangersFT.com/video
On FT.com »
2 ★ † FINANCIAL TIMES WEDNESDAY APRIL 24 2013
Masons, a law firm, saysthe trend for legislation onreporting began 10 yearsago in California. “Sharinginformation was seen as agood way to bring problemsto light and to protect cus-tomers,” he says. “The over-riding concern of all regula-tors is the potential harm toaffected individuals. That iswhy they like you to reportincidents, even when notrequired to do so.”
The UK’s InformationCommissioner’s Office saysinforming people about abreach is not an end initself. “Notification shouldhave a clear purpose,” itsays, “whether this is toenable individuals who mayhave been affected to takesteps to protect themselvesor to allow the appropriateregulatory bodies to per-form their functions, pro-vide advice and deal withcomplaints.”
Not reporting an incidentrisks regulators thinkingthe company is trying tohide something. Rob Cot-ton, chief executive at NCCGroup, an informationassurance firm, says report-ing puts the data ownerback in control. “It removesthe fear that informationwill be reported by awhistleblower or appearonline,” he says.
The best defence is toinclude reporting policiesand procedures in theorganisation’s securitystrategy. This may need toset out the “lowest commondenominator” of regula-tions, which could result insome over-reporting.
But it is also importantthat a focus on reportingdoes not stop companiesacting to reduce the risk ofloss in the first place.
Ruggero Contu, researchdirector for security solu-tions at Gartner, the ana-lyst, says any strategy
The Connected Business
Paul TaylorEditor, theConnected Business
James BlitzDefence anddiplomatic editor
James Fontanella-KhanBrussels correspondent
Maija PalmerSocial mediacorrespondent
Jane BirdMichael DempseyRod Newing
Paul SolmanJessica TwentymanFT contributors
Adam JezardCommissioning editor
Andy MearsPicture editor
Steven BirdDesign
For advertising details,contact: James Aylott,+44 (0) 20 7873 3392,email: [email protected], oryour usual representative
Contributors »
For most of the past decade,western security chiefs havebeen mainly concerned aboutthe threat from jihadist ter-rorism and affiliates of al-
Qaeda. But top security officials arealso having to pay greater attention tothe threat of cyber warfare and cyberespionage from foreign state actorsand their proxies.
It is the prospect of an epic cyberwar that generates most alarm. LeonPanetta, the former US defence secre-tary, said last year that a “cyber PearlHarbor” might one day take place.
Experts conjure up the possibility ofa cyber war, with enemy statesexploding fuel refineries or sabotagingair traffic control systems. Nato evenproduced an advisory manual oncyber warfare in March, declaringstate-sponsored cyber attacks mustavoid civilian targets such as hospi-tals, dams and nuclear power stations.
Yet much of this discussion is spec-ulative and the work being done bydefence ministries to build up capabil-ities remains secret. In contrast, thereis a real and present concernabout cyber espionage, focusing in
particular on allegations China andRussia have state agencies that are“exfiltrating” billions of dollars’worth of intellectual property fromwestern governments and companies.
Both nations deny these allegations.But the issue is fuelling diplomaticfriction in relations between Washing-ton and Beijing, with consequencesthat may not have been fully realised.
The threat of cyber war – the possi-bility states could launch attacks thatdestroy infrastructure – should cer-tainly not be ignored. The world wit-nessed an attempt at industrialdestruction via the internet when theStuxnet worm was launched in thelate 2000s, almost certainly by the USand Israel against Iran’s nuclear pro-gramme. Stuxnet did limited damageto Iran’s facilities and the programmerecovered. But the incident threw aspotlight on the possibility of majorpowers inflicting serious damage oninfrastructure through the internet.
Meanwhile, the world’s leading mili-tary powers are secretly puttingmoney and effort into cyber war capa-bilities. Jarno Limnéll, a directorof Stonesoft, a computer security
company, says cyber war will beincreasingly attractive for three rea-sons: “It is a predominantly offensivetype of engagement that can be hardfor a defending nation to contain; itcan do the same damage as conven-tional weapons; and it provides a highlevel of deniability.”
We have not yet had a full-scalecyber war. For now, it is the damagebeing done by state-sponsored cyberespionage that is worrying westerngovernments and UK and US busi-nesses. Two issues are of concern.First, western states have pointedincreasingly to the damage done by
such activity, which involves the theftof intellectual property by what aretechnically called advanced persistentthreats (APTs) that infiltrate compu-ter systems.
In the US, a classified NationalIntelligence Estimate, which repre-sents the consensus view of the USintelligence community, is said tohave reported a wide range of sectorshave been the focus of hacking overthe past five years, including energy,finance, information technology, aero-space and motor manufacturing.
In the UK, BAE Systems Detica, acompany that specialises in cybersecurity, has calculated that UK com-panies lose £27bn a year throughcyber espionage. Sir Jonathan Evans,the former head of MI5, the UK secu-rity service, said last year that oneUK company had lost £800m of intel-lectual property in a single attack.British ministers say they know of aUK company that lost 100GB of datain a single incident, roughly equiva-lent to a 20m page Word document.
Second, there is a growing suspicionthe Chinese state plays a huge role inmuch of this activity. China strongly
denies these allegations, and BarackObama, the US president, mindful hiscountry depends heavily on its eco-nomic relationship with China, hasbeen careful not to identify it by namein public.
Still, in recent weeks western offi-cials have started to get more vocal intheir criticism. In the US there hasbeen a strong focus in particular onwork done by Mandiant, a securityfirm, which suggests that China’s Peo-ple’s Liberation Army has been themain sponsor of an entity carryingout thousands of APT attacks onNorth American targets. It puts afocus on a PLA unit (number 61398)operating out of Shanghai as it carriesout these activities.
China is not the only concern.Russia is privately thought by west-ern security agencies to be stealinginformation from energy and defencecompanies. Iran is also becomingincreasingly active, not in espionage,but in carrying out highly disruptive“denial of service” attacks on regionalstates. It is the suspected sourceof the Shamoon virus that crippledthousands of computers at Saudi
Arabia’s Aramco and Qatar’s RasGaslast August.
Still, western states cannot justpoint the finger at China, Russia andIran. Some experts say the US and UKare also carrying out such activity.“The truth is that everyone is spy-ing,” says Mr Limnéll of Stonesoft.
But this is of little relief to US andUK companies facing the growing Chi-nese threat. For now, the fundamentaltask facing governments and busi-nesses is to build up protectionagainst foreign cyber attacks. US law-makers are preparing to create newpunishments for companies fromChina and elsewhere that use tradesecrets stolen by hackers.
In the UK, security services haveentered into an information sharingpartnership with the top 200 UK busi-nesses, providing them with real-timeinformation when threats appear.
But these are early days. Critics saythere is nowhere near enough collabo-ration between western governmentsand businesses to face down thethreat from foreign state actors – andthat the worst of the dangers is yet tocome.
Fears of war and espionage raise tensionsGlobal politics Internet sabotage is rivalling jihadist terrorism as themost pressing threat to governments and businesses, writes James Blitz
Spammer in the works: Mahmoud Ahmadi-Nejad, Iran’s president, on a visit to the Natanz uranium enrichment facility in 2008. The US government is believed to have targeted the site with the Stuxnet worm Getty
When it comes to cybersecurity, it seems the bestadvice is that only theparanoid survive. So here isa guide to the three mostimportant things you can doto secure your system.
1 Assume you have alreadybeen hacked“Organisations shouldassume they have beencompromised, or that someof the devices connected toyour system arecompromised,” says AmichaiShulman, chief technologyofficer and co-founder ofImperva, a data securitycompany.The growth in the number
of different types of devices– from staff using personaliPhones to smart metersmeasuring electricity usage –that may be connected to acorporate IT network hasincreased exponentially, andthese are not necessarilycontrolled or vetted by the ITdepartment.Companies are also
collaborating and sharingdata with more customersand suppliers, leaving theircomputer networks moreopen to attack. As a result,security professionals nolonger believe you can keepthe bad guys out of thesystem. The truth is mostcompanies have already beenhacked. They just might notknow it yet.The latest Data Breach
Investigations report fromtelecommunications companyVerizon, published thismonth, found 66 per cent ofall breaches remainedundiscovered for severalmonths. Yet the IT securitycommunity is not completelydefeatist. A security breach isalmost inevitable. But thereare still plenty of things acompany can do to securedata and thwart hackers.“Saying you are
unhackable is foolish, butcontaining, controlling, andpreventing repeat attacks isstill possible,” says JoergWeber, head of attackmonitoring at Barclays. “We
are still in a position to makeour opponents’ lives verydifficult.”Or, as Mr Shulman puts it:
“It is not about preventingbreaches, it is how fast youreact to them. Even if youcan respond in a week ratherthan months, you have doneso much better andprevented a lot of damage.”The other good news is
many of the attacks andmuch of the malware arerelatively basic.Mr Weber says: “A lot of
people focus on the bleeding-edge computer threats suchas Flame [a computer wormdiscovered last year]. Butthat was highly targeted andonly touched a few thousandpeople.“Meanwhile, everyone else
is dealing with older, moremundane issues. Boring stuffis still going on. It doesn’thave the sexy factor but it isstill dangerous,” he says.Computer worms and
viruses such as Confickerand Slammer, which werefirst detected more than fiveyears ago, are still an issuefor IT security experts, andone of Mr Weber’s dailyproblems is the Blackholeexploit kit, malicious softwarethat has been around forsome time.According to research by
the Center for Strategic andInternational Studies, a US-based public policy research
institution, more than 90 percent of successful breachestook place using the mostbasic techniques.
2 Be vigilantTo a large extent, protectioncomes down to monitoring,monitoring and moremonitoring. Leon Ward, fieldproduct manager atSourceFire, a securitycompany, says businessesshould start with acomprehensive assessment
of how their IT system issupposed to behave.“People do not know what
normal looks like, whichmakes it hard to pick outwhat is malicious.” Here, bigdata tools can helpcompanies analyse theirsystems quickly and morethoroughly than before,helping pick up trends theymay not have otherwise seen.Then it is a case of trying
to spot anything out of theordinary quickly. Technologycan help perform a “snifftest” on information coming
in and out of a system. But,say analysts, nothing beatshuman eyes.“The best intrusion
detection system is a vigilantsystems administrator,” saysConrad Constantine, researchteam engineer at AlienVault.Hackers will always be ableto circumvent the “sniffer”technology by creating newprogrammes, but a goodsystems administrator willknow the computer networkintimately, and pick up oneven subtle changes.
3 Make IT more employeefriendlyEmployees remain thebiggest weakness of ITsystems. The best securityprotocols are useless if staffsimply work around them.One of the biggest
difficulties for securityprofessionals is staff usingwhat is known as “shadowIT” – computer programsthat may not have beenofficially provided by thecompany but whichemployees install themselvesbecause they help them dotheir jobs.“Often there are whole
departments doing stuffoutside the governing eye ofthe company. But you can’tprotect what you don’t knowabout,” Mr Constantine says.Somewhat counter-
intuitively, perhaps, theanswer is not to clamp downbut to make IT departmentsmore permissive andresponsive to staff needs, hesays. “Ask yourself why theyeither weren’t aware, or wereunsatisfied with, yourorganisation’s own IT serviceofferings. When IT enablesprojects instead of acting asa barrier, there is lessincentive for people to createdangerous exceptions ingovernance.“Think of it as a needle
exchange. You are notpreventing people from usingdrugs, but you are saying, ifthey are going to do it, let’shelp them do it safely.”
Maija Palmer
Survival guide Three ways to keep the bad guys out
‘To a largeextent, protectioncomes down tomonitoring andmore monitoring’
Consumer advocates, politi-cians and regulators arestepping up the pressure onorganisations to report datasecurity breaches – theunintentional release ofdata that should be keptsecure – in a timely fashion,especially when customerinformation is compromisedor privacy is an issue.
It sounds like a relativelysimple requirement, but theactual reporting process isextremely complex.
There is no clear defini-tion of what constitutes asecurity breach, what typeor size of breach should bereported, the time limit,who to report to, what toreport and so on. Eachcountry has enacted differ-
ent rules; each state in theUS has separate rules; theEU has yet to harmoniseand different sectors havetheir own rules.
“It is a minefield,” saysMark Waghorne, a seniormanager in the informationprotection team at KPMG,the consultancy. “Some ofthem align and some con-flict.”
He says an internationalbusiness could be put intoan invidious position. If abreach occurs in one coun-try it could be told by localsecurity services to keep itsecret, but might be obligedto report in other countries.
Organisations may needto report breaches to thoseaffected, such as employees,customers or suppliers.They may also need toreport to banks, stockexchanges, industry bodiesand the police. Reportingmight be compulsory or vol-untary, and the mediamight need to be informed.
Marc Dautlich, head ofinformation law at Pinsent
should include having thetools to report and revealthe effect on data. If dataare properly encrypted, aloss may not need to bereported at all, he adds.
Prompt reporting, oftenwithin 24 hours, may seema reasonable demand. But itdoes not give much time toidentify if the incident isgenuine, or the nature ofthe loss and its effects.Reporting internally andbringing in forensic aid canalso take time. However,confirming a breach tooearly could result in reveal-ing unimportant incidentsor giving too little detail tosatisfy all parties.
Although all communica-tions should be honest andopen, it is also important totell those affected whataction they should take.This could involve chang-ing a password, cancellingaccounts and opening newones, for example.
Rik Ferguson, vice-presi-dent for security researchat Trend Micro, a securitysolutions provider, saysthat any internal investiga-tion into a breach shouldassume it is dealing with acrime scene.
Evidence gathering proc-esses must ensure that any-thing found could be admis-sible as evidence, includingmaking sure evidence andfacts are not inappropri-ately communicated exter-nally to preserve theirintegrity.
“Failing to reportbreaches makes it difficultfor policy makers to under-stand the overall impact,root causes and possibleinterdependencies of cybersecurity incidents,” saysSimon Bain, chief technol-ogy officer of Simplexo, asecure search company. “Italso prohibits people under-standing and addressingthem.”
Data breach reports should aidthose who have been affectedCompliance
Any leakage ofinformation shouldbe treated as a crime,writes Rod Newing
On FT.com »IT & BusinessSmart meters signalnew era for utilitiesFT.com/video
FINANCIAL TIMES WEDNESDAY APRIL 24 2013 ★ 3
The Connected Business
in terms of the sheer quan-tity of information it hasstolen.”
China has consistentlydenied the country’s mili-tary has been involved incyber attacks on US corpo-rations and governmentagencies. Nevertheless, theUS administration, whichhas until recently avoideddirect accusations againstits economic rival, appearsto have adopted a tougherpublic stance on the issue.
Just last month TomDonilon, the White Housenational security adviser,spoke of the “targeted theftof confidential businessinformation and proprietarytechnologies through cyberintrusions emanating fromChina on an unprecedentedscale”. It was the first pub-lic denouncement of Beijingby a senior US official onthis subject.
More generally, the past18 months have seen afurther dramatic increase inthe scale and financialdamage caused by cyberattacks. As the 2012 DataBreach InvestigationsReport, published by Veri-zon Communications, notes:“Perhaps more so than anyother year, the large scaleand diverse nature of databreaches and other networkattacks took centre stage.”
Verizon’s latest report isbased on analysis of morethan 47,000 reported secu-rity incidents and 621 con-firmed data breaches in thepast year. The report says37 per cent of breachesaffected financial organisa-tions, and notes “a definiterelationship exists betweenindustry and attack motive,which is most likely abyproduct of the data tar-geted”. So, for example,retailers would be targeted
Continued from Page 1 by groups looking to stealcredit card details and man-ufactures would be the vic-tims of industrial spiesseeking IP information.
The report supports thecontention that, not onlyhave the threats facingcompanies increased innumber, they have alsogrown in sophistication toinclude both advanced per-sistent threats – groups thathave the ability to makefrequent and repeatedattempts to break into sys-tems and launch DDoSattacks.
While it is difficult tomeasure the full effect ofcyber attacks, Symantec,the security software com-pany, estimated the global
cost of cyber attacks in 2011was $338bn in financiallosses and remediation.
What is clear is thatcyber criminals, includingstate-sponsored elements,now have access to enor-mous resources. “Early lastyear, a different type ofDDoS attacker emerged:one with considerablebotnet resources, but alsoan intimate understandingof how the internet routingtopology works,” saysProlexic Technologies,which specialises in DDoSprotection services.
“When you have average– not peak – rates in excessof 45 gigabits per secondand 30m packets-per-second,even the largest enter-prises . . . are going to facesignificant challenges,”
says Stuart Scholly,Prolexic’s president.
The proliferation ofemployee-owned mobiledevices in the workplace,coupled with much moreporous networks designedto accommodate remoteworkers, supply chain part-ners and customers, meansold security models such ascorporate firewalls nolonger work.
Experts instead suggestthat, in addition to invest-ing in the latest generationof cyber security tools,including those that aredesigned to spot unusual orunexpected behaviour, com-panies need to identify theirmost valuable digital assetsand focus on protectingthem.
David Burg, a partner atPwC, says: “It is extremelyimportant for companychief information securityofficers today to foreseethreats, protect dataand intellectual property,respond efficiently to crisis,and offer strategies andsolutions for staying securein an increasingly danger-ous environment.”
Hugh Thompson, chiefsecurity strategist for tech-nology company Blue CoatSystems, says: “We’re at apivotal time in informationsecurity. Technology hastransformed the way weshop, the way we bank, theway we socialise, the waywe run an enterprise andthe way we live.
“Along with the powerfultransformation that tech-nology has fuelled, therecomes the risk that attack-ers will try and leveragetechnology to disrupt ourway of life.
“The rash of highly tar-geted attacks over the pasttwo years is testament tothe fact the adversaries weface are sophisticated anddetermined.”
Intelligence chiefs warn ofincreased cyber risks
‘Along withtechnology comesthe risk attackerswill try to disruptour way of life’
One of the common frustra-tions investigators of cybercrime face is finding a vic-tim of industrial espionagehas not maintained a clear
audit trail of who has accessed sensi-tive data.
Especially when, as Jason Straight,New York managing director forcyber investigations at Kroll, says, theprimary threat to corporate intellec-tual property (IP) comes from within.
“You can buy a USB stick that willdownload a terabyte of data or use filetransfer programs like Dropbox topull down someone else’s IP withouthaving to hack into anything. Thesetechnologies are very effective forindustrial espionage. Malicious insid-ers now have unprecedented opportu-nities to steal from a company.”
He adds: “We don’t see different per-sonal profiles in different parts of theworld, we find the insider espionagestory playing over and over again.”
Businesses need to avert their gazefrom high-profile, state-sponsoredcyber threats and look at their people.A good employee passed over for pro-motion can become a vulnerability,for example, or people can be placedin a business just to steal data.
When investigators are called in tofind the source of a leak, they oftenstart with an access log detailing whohas seen and used information – ifthat log exists.
Software to keep centralised accesslogs is easily available, and it givesinvestigations an immediate startingpoint. Simple precautions can help.USB ports can be disabled, so only
staff needing to use them can do so.Awareness training will let peopleknow why these steps have beentaken to reduce a risk of resentment.
The scale of the cyber espionageassault and the alarming technicalarmoury available to IP thieves canappear daunting.
Some criminals are even using tele-phone advice lines attached to mali-cious programs known as malware,which are designed to penetrate net-works. They operate by breachingcompany security and then offering atour of the victim’s internal secrets ona pay-by-the-hour basis.
Cyber security specialist BAE Sys-tems Detica estimates the cost ofinternet-enabled IP theft from UKbusinesses at £9.2bn a year withanother £7.6bn stolen in industrial
espionage aimed at contract bids andother sensitive data.
The group has long worked withintelligence agencies on both sides ofthe Atlantic and has expanded itscommercial activities since a 2008acquisition by defence company BAESystems. “It’s important not to giveup hope,” says David Garfield,Detica’s managing director for cybersecurity. “The internet is an enablingtechnology and you can use it toredress the balance in your favour.”
There are some sectors that feelindustrial spies will not target them.The defence and aerospace sector isaccustomed to the threat, but otherparts of the economy have been slowto respond to the dangers.
“Some companies think if they arenot in defence, they won’t be the
target of espionage. But IP theftis pretty systematic and, in aknowledge-based economy like theUK, the removal and copying of IPcan have a long-term impact,” MrGarfield says.
Sectors at high risk include pharma-ceuticals, biotechnology, IT and chem-icals. Mr Garfield’s advice is toadvance the status of espionage to arisk worthy of board level attention.That task should become easier as theUK government’s Cyber SecurityInformation Sharing Partnership(CISP), launched in March, swingsinto action.
CISP will allow about 200 UK com-panies to open up over cyber intru-sions and work with intelligence agen-cies and Detica to counter the threat.A Fusion Cell at the heart of CISPinvolves Detica and will assess sensi-tive intelligence material to improveinformation about the threat for part-ner companies. A revelation last yearby the head of the MI5, the UK Secu-rity Service, that one national com-pany had lost £800m through IP theftlooms large over this initiative.
One former intelligence officer sumsup the divide between his world andthe private sector by saying: “We [theintelligence community] are indoctri-nated in the need for IT security, butthat is not necessarily the case forpeople in industry. For me that’s thegreater concern.”
CISP is meant to bridge that gap.Yet the former intelligence manpoints out many government initia-tives so far have concentrated onfinancial cyber crime, leaving busi-ness unaware that “it’s the industrialespionage side of things that’s themain target”.
He also warns that the recentemphasis on the idea of the defence ofcritical national infrastructure, suchas hospitals and power plants, hasalso distracted attention. “The onlypeople who’ll attack your infrastruc-ture and succeed are other nations,but industrial espionage can becarried out by a whole host of players,and that’s a far more important con-sideration.”
As Kroll’s Mr Straight says:“Chinese hacking may be the least ofyour worries.”
Biggest dangerto intellectualproperty comesfrom within
CrimeWhen it comes to stealing data fromcompanies, terrorists andChinese hackers areway down the list, reportsMichael Dempsey
A good employee passedover for promotion canbecome the weak point ina company’s security
Business link: MI5’s Londonoffices. The UK securityservice is working moreclosely with companies onIT security issues Alamy
4 ★ FINANCIAL TIMES WEDNESDAY APRIL 24 2013
The Connected Business
Corporate IT departmentsonce frowned on the use ofpersonal devices at work,though they often turned ablind eye to “shadow IT” –personal WiFi hotspots,external hard drives andother paraphernalia setup inside corporate fire-walls by frustrated buttechnology-savvy workers.
Many IT professionalsalso looked askance at theproliferation of laptops,smartphones, tablets andother consumer devicesthat have found their wayinto offices as part of atrend known as “consumeri-sation” and BYOD (bringyour own device).
IT departments used toview such devices – particu-larly those linked to corpo-rate networks, with or with-out company approval – asa security threat and a sup-port nightmare.
According to a study byOvum, a UK-based marketresearch firm, commis-sioned by the data servicescompany Logicalis UK, 57per cent of employees takepersonal devices to work.
Significantly, 18 per centof respondents said theiremployer’s IT departmentsdo not know they are usingpersonal devices, while 28per cent said their ITdepartments ignore it.
But times and attitudes,have changed. Many ITdepartments realised thatinstead of blocking a trendoften backed by senior man-agers because of the flexi-bility and productivity asso-ciated with it, they may aswell embrace and assist it,while seeking to improvesecurity.
Security experts say suchmeasures are essentialbecause of a shift in the cor-porate security model.“There has been a genera-tional change,” says DavidMurphy, chief operatingofficer of Blue Coat Sys-tems, a web security spe-cialist. As access to theircorporate IT systems hasexpanded to include cus-tomers, partners and suppli-ers, it is no longer sufficientto secure the corporateperimeters, he says.
The scale of the chal-lenge, particularly relatedto mobile devices, is daunt-ing. IDC, the IT researchfirm, estimates more than1.19bn workers – 34.9 percent of the global workforce– will use personal technol-ogy this year.
Businesses of all typesand sizes are consideringhow best to protect sensi-tive data and bolster pri-vacy. In some cases thismeans working with manu-facturers, service providersand third-party softwarevendors to devise a strategyfor securing mobile devices.
Samsung has introducedschemes to help companieschoose devices that meetsecurity needs, while allow-ing employees to use bothpersonal and corporate datasecurely and safely.
Similarly, third-partymobile device managementsoftware from Good Tech-nology and others allowsIT departments to securelyand remotely manage
mobiles, while the latestversion of BlackBerry’senterprise server, BES 10,lets users of BB10 smart-phones – such as the Z10 –toggle between secure per-sonal and work modes.
Vincent Geake, director ofsecure mobility at BAE Sys-tems Detica, says: “In thedays of the PC, the enter-prise was able to mitigate[risks] by implementingindustry-standard securityacross each desktop compu-ter, providing a known levelof protection using provenproducts. Now employeeswork on a range of personaldevices, so a company mustassess the risk from devicesthat hold important infor-mation, and considerwhether they have investedin the necessary securitymeasures to protect thatinformation; these meas-ures should include a com-bination of technology,usage policies and train-ing.”
Significantly, a growingnumber of industry associa-tions are rising to this chal-lenge in an effort to helpmembers. For example,BITS, the technology policydivision of US-based Finan-cial Services Roundtable,has published a papercalled Security for BringYour Own (Mobile) Device,outlining best practices forfinancial institutions want-ing to allow employees touse their their devices toaccess corporate resources.
“As employees increas-ingly push to use their ownmobile devices in the work-place, it is critical for insti-tutions to clearly definetheir BYOD policy,” saysDan Madsen, vice-presidentat US Bancorp, a financialservices company.
“A well-designed policyand effective policy man-agement will allow institu-tions to take advantage ofemerging mobile technolo-gies,” he says.
Others, including Google,whose Android operatingsystem now powers themajority of smartphones,argue that while consumeri-sation and mobility canmake it more difficult tosecure a business, they con-stitute less of a securityconcern for organisationsworking in the cloud.
“Using a cloud-based serv-ice such as Google Apps forBusiness to store and shareinformation means thatimportant information isaccessed through devicesbut is stored in the cloud,”says Marc Crandall, head ofglobal compliance forGoogle Enterprise.
“This way, the risk of los-ing company data on a lostor stolen device is signifi-cantly reduced,” he adds.“If organisations are work-ing in a BYOD environ-ment, we encourage themto put strong internal secu-rity policies in place.
“With proper policies,even tablets or laptops lefton a train or in the back ofa taxi pose less of a threat,as they can be locked andwiped remotely.”
Personal deviceuse is challengefor IT bossesConsumerisation
Training and policieswill boost security,says Paul Taylor
‘Tablets left on atrain pose less of athreat, as they canbe locked andwiped remotely’
In the early days of theworld wide web, sustainedand frequent attacks by out-siders against corporatenetworks often took theform of viruses and mal-ware – software that isdesigned to cause harm.
A computer user mightopen an email and unwit-tingly launch a programthat would spread throughthe machine or network,deleting files or rewritingcode. Such threats remain,but as the internet hasevolved so have hackers’tactics, and organisationsface increasingly sophisti-cated attacks.
One problem is the spreadof social media. The price ofthe revolution in businessand personal communica-tion has been that new ave-
nues have opened thatallow cybercriminals topenetrate networks.
“The social media threathas become very preva-lent,” says Simon McCalla,chief technology officer ofNominet, the UK internetregistry.
Sites such as Facebookand LinkedIn often providecyber criminals with thekind of personal informa-tion that allow them to tar-get employees directly.
“We have seen quite a lotof high-profile attacks onbig businesses, where theperpetrators were able tolog into systems and makechanges without having towrite a single line of code,”says Mr McCalla.
This so-called “spearphishing” is the cyber crim-inal’s favoured means ofinfiltrating networks,according to research byTrendMicro, the IT securitygroup. Personal details,often gleaned from socialnetworks, are used to tailorphishing emails to a per-son’s interests and convincethem to take the bait.
Mr McCalla says: “We’veall seen those phishingemails that come frombanks asking for ouraccount details. Usually,they are quite easy to spot,especially if they’re from abank you don’t even havean account with. But spearphishing is a much moretargeted attack and can bevery effective.
“If somebody called atyour front door trying tosell you a fake watch, youwould send them awayimmediately, but we let ourguard down a bit when wego online because it’s notan environment that we’vebeen used to and trained upto spot fraudulent activitiesin.”
Another increasinglywidespread threat comesfrom the trend of “bringyour own device”, or BYOD,where employees use theirown devices such as smart-phones and tablets toaccess their employer’s net-work.
Ninety-three per cent ofemployees admit to violat-ing policies designed to
prevent breaches and non-compliance, according to arecent report by the CEB,the US-based business advi-sory group.
“BYOD opens up an addi-tional channel for the crimi-nal,” says Robert Siciliano,US-based online securityexpert for McAfee, the IT
security group. “BYODdevices don’t have the samesecurity as the enterprise’snetworks.
“Whatever data are con-tained on them can becomeaccessible. They canbecome infected withviruses, and these canspread to the network.”
Not that the threatfrom malware and viruses –
programs designed to harmor subjugate computers to ahacker’s control – has goneaway. Indeed, hackers’ tech-niques have becomeincreasingly innovative.
“The technical threat isstill large-scale,” says MrMcCalla. “Denial of serviceattacks, the ‘hacktivist’attacks that we’ve seen inrecent years, which tend tobe co-ordinated and organ-ised by groups. Clearly thatthreat is still significant.And it is challenging to pro-tect yourself against – evenbig companies struggle.”
Malware attacks havebecome so successful atpenetrating defences that,on average, malware eventsoccur at a single organisa-tion once every three min-utes, according to FireEye,a network security pro-vider.
“If you receive somethingthat looks unusual, or fromsomeone you don’t know, orif it’s too good to be true, orasks you to change yourpassword, that should ringthe alarm bells,” says MrMcCalla.
“Malware and viruses areessentially an arms race,”he adds. “You can mitigatethe risk a lot by just mak-ing sure your systems andpatches are up to date. A lotof these hacks exploit weak-nesses where users haven’tchosen to upgrade or installthe latest patches. Olderversions of software aremore vulnerable.”
This is a point echoed byMr Siciliano, who empha-sises that employees shouldmake sure their home net-works and personal devicesuse security procedures –virus protection, firewalls,password protection – thatare comparable with thoseat their workplaces, espe-cially if they are using themto access work-related infor-mation. He advises extracaution when using publicWiFi connections.
“Devices such as smart-phones, tablets and comput-ers should be shells so thatdata are held not on thedevice but on company net-works or in the cloud,” headds. “If the device is stolenthen no data will be lost.”
Crooks turn to ‘spear-phishing’ to reel in targets
It seems that even shrink-wrappedproducts on retailers’ shelves maynot be free from the risk of infec-tion by malign forces. As Europe’shorsemeat in beef burgers scandal
has shown, the complexity of supplychains can make it almost impossibleto guarantee the integrity of a productassembled from many remote sources.
According to Amrit Williams, chieftechnology officer of California-basedLancope, a network security com-pany, Russian criminals have hiredscientists to create pirate copies ofMicrosoft’s Windows. “They seeminnocuous because they are shrink-wrapped and [hologram protected].But once loaded in corporate environ-ments, they can easily bypass securitycontrols.”
Microsoft has long warned aboutcounterfeit software, which it says“lurks around every corner and canfind its way into business settings”.
Counterfeiters spend a lot of time, itsays, making illicit software-purchas-ing sites look like the real thing.
An investigation Microsoft con-ducted into pirate software in Chinafound 91 per cent of fake productscontained malware – programsdesigned to do harm – or deliberatesecurity vulnerabilities.
Concerns that malware that couldbe used to damage or steal data mightbe incorporated into computer hard-ware or software before leaving thefactory were highlighted in a reportfrom the Intelligence Committee ofthe US House of Representatives lastyear.
This followed a year-long investiga-tion into two of China’s biggest
telecoms companies, Huawei and ZTE.The report was scant on hard evi-
dence, and the companies denied theallegations.
However, in a television interviewlast month, Barack Obama, the USpresident, said the country had seen“a steady ramping up of cyber secu-rity threats. Some are state-sponsored.Some are just sponsored by crimi-nals.”
But the creation of a “back door”for hackers in the supply chain maynot be deliberate. Last year, someSamsung Galaxy S III smartphoneswere sold with an accidental vulnera-bility that could have been exploitedby criminal gangs.
To tackle deliberate hackingattempts, companies need to checkthat suppliers meet rigorous securitystandards, says Garry Sidaway, globaldirector of security strategy at Inte-gralis, a subsidiary of NTT Communi-cations.
This means having legal agree-ments that document your require-ments with suppliers and checkingregularly to ensure compliance isadhered to.
However, to check each supplier cantake a week and the costs will mountup. Additionally, many supply chainsare now so long that it is almostimpossible to know who all your sup-pliers are.
Steve Keifer, vice-president of globalmarketing at GXS, a cloud-based inte-gration company, says the introduc-tion of electronic “pedigrees” is start-ing to improve traceability.
GXS is developing a commercialsupply chain risk management tool.
This will help companies identifysuppliers by showing how they areinterconnected, rather like findingcontacts on LinkedIn or friends onFacebook.
Another good measure is to imple-ment the principle of “least privilege”.This means you grant access to yourdata only to those who need it andregularly review who is authorised toview it.
Using updated firewalls to restrictthe applications outsiders can use alsohelps – rather like giving them keysthat only open specific rooms in abuilding.
Without restrictions individuals canroam free, says Brian Laing, vice-pres-ident at AhnLab, a US antivirus spe-cialist. It is as if you had left a tunnelinto your business unguarded.
He recommends isolating serversused for crucial data, such as productdevelopment, and using servers fordistribution of information that aremonitored and have limited access.
“Hackers are looking for the weak-est link, even if it’s just one server
letting them in,” Mr Laing says.Many businesses inadvertently
expose information about their supplychain, says David Gibson, vice-presi-dent of strategy at Varonis, a datastorage specialist.
A survey by his company of 200organisations found 30 per cent wereconfident information they held aboutsuppliers and customers was pro-tected.
Some 27 per cent of respondents didnot know who was using the informa-tion in their organisations; only 22 percent knew who was responsible for it;and just 37 per cent regularlyreviewed access rights.
Companies should assume goodsfurther up the supply chain havealready been compromised, says Lan-cope’s Mr Williams. This means con-stantly looking for anomalous orillicit behaviour.
“For example, you need to knowwhether your computers should becommunicating with hosts in Ukraineor Taiwan and, if not, recognise thisas evidence of malicious activity.”
Vigilance oversupply chainswill reducecontamination
Minimising riskConstantmonitoring is thebest form of protection, reports Jane Bird
All thepresident’s data:Barack Obamahas warnedof cybersecurity threats
Getty
Information security hasalways been a high-stakesgame but for the personcharged with safeguardingan organisation’s data it isone that is daily becomingharder to win.
Recent cyber attacks onbanks in the US, the Neth-erlands and South Koreahave put the entire finan-cial services industry onalert. At the same time,they demonstrated to chiefinformation security offic-ers just how difficult it has
become to anticipate therules of engagement theiropponents will use.
These cases involveddenial-of-service attacks,fuelled by political motives,which took online servicesoffline for hours. However,the issues that the averagefinancial services data secu-rity leader faces daily aremore wide-ranging, accord-ing to David Cripps, chiefinformation security officerat specialist bank Investec.
He says: “It’s a constantbattle to understand thetypes of attack we’re seeing,keep one step ahead of theattackers, and communicatethe risks we face to employ-ees and customers withoutbombarding them withinformation.”
He says he and his teamscan a constantly changingregulatory landscape, in
which rules have becomefar more stringent andmore rigorously enforced inrecent years, to ensure theorganisation is securing itsdata in a way that will sat-isfy banking authorities.
Across all industry sec-tors, about 42 per cent oforganisations now employ aspecialist who has ultimateresponsibility for informa-tion security, according tomanagement consultancyPwC. In financial servicesthat proportion is likely tobe significantly higher.
But the information secu-rity leader role is changing.A report from US-basedWisegate, an online commu-nity for IT professionals,says the role has evolvedfrom “a glorified IT securityadministrator, babysittingfirewalls and cleaning mal-ware from infected systems,
to holistic risk manage-ment, firefighting securitybreaches and anticipatingfires before they start”.
Holding down the roletoday is less about patchingup systems and analysingnetwork traffic and moreabout being able to under-stand, influence and imple-ment business risk deci-sions, from privacy policiesto disaster recovery plans.
In its annual Global Infor-mation Security WorkforceSurvey, ISC2, an industrymembership organisation,found communication skillsare now a more critical suc-cess factor for post holdersthan technical knowledge,although “a broad under-standing of the securityfield” still tops the list ofdesirable attributes.
The evolution from atechnical to a strategic role
is reflected in the course MrCripps’ career has taken. Hehas a degree in electronics,and started as a networkmanager, but more recentlyhe completed a master’sdegree in internet and tele-communications law. “Hav-ing that kind of understand-ing of international legisla-tion has been essential tome in terms of being able tofulfil the role as it is today.”
This is a view echoed byStephen Bonner, now apartner at managementconsultancy firm KPMG,but previously global headof information risk manage-ment at Barclays. “I startedout in very technical roles,but over the course of mycareer, I’ve had to get togrips with things likerecords management anddata privacy.”
A rapidly evolving threat
landscape, he adds, meanseducation and professionaldevelopment continuesat a frantic pace formost post holders.
Mr Bonner says: “Thechange I see com-ing now is verymuch in linewith whatwe’ve seenover recentweeks: therise of so-called ‘hack-t i v i s t s ’l a u n c h i n gd e n i a l - o f -service attacksto push politicalviews, or nationstates trying togain economicadvantage
by stealing information.Broadly speaking, organisa-tions that are compliantwith even the most strenu-ous regulation are still vul-nerable to those things, so
that’s driving a realchange in the chief
information secu-rity officer’srole.”
Post holdersalso need to belevel-headed,credible influ-encers in theirorganisations,translating per-
ceived risks intoreasonable defence
strategies.Those that do well,says Mr Bonner,
are “those
that can convince othersfrom outside the specialismof the validity of their con-cerns, without constantlyclaiming the sky is falling,the outlook is terrible andno investment is ever goingto be enough to counteractthe risks”.
But the denial-of-ser-vice attacks launchedagainst banks since thestart of 2013 show thatthere is no room for com-placency. As PwC’s secu-rity survey says: “Today’sinformation securityleaders . . . know thatthe very survival ofthe business demands thatthey understand securitythreats, prepare forthem and respondto them quickly.”
Increase in danger level has forced security leaders to evolve
Persistent threats
There are definitetimes when alarmbells should ring,says Paul Solman
Management
The problems forchiefs can changedaily, writesJessica Twentyman
‘Ninety-three percent of employeesadmit to violatingpolicies designed toprevent breaches’
Stephen Bonner: the sky isnot always falling