Sunday 14 July 2019

Cyber Security Trends and Predictions 2019

Ludmila Morozova-Buss has rightly said: "People and organizations need to trust that their digital technologies are safe and secure; otherwise, they won't embrace the digital transformation. Digitalization and cybersecurity must evolve hand in hand."
By 2020 we expect IT analysts covering cybersecurity to be predicting five-year spending forecasts (to 2025) of well over $1 trillion (Cybersecurity Ventures). We are already in the middle of the year; here are some of the cybersecurity trends so far.
  1. Global ransomware damage costs are predicted to hit $20 billion in 2021, up from $11.5 billion in 2019, $5 billion in 2017 and just $325 million in 2015, according to Cybersecurity Ventures. Healthcare is the industry with the highest number of ransomware attacks, and attacks on it are expected to quadruple by 2020 (CSO Online); it is followed by the manufacturing, BFSI, retail and telecom verticals.
  2. By 2020 the estimated number of passwords used by humans and machines worldwide will grow to 300 billion (Cybersecurity Media). Organisations therefore need to plan for passwordless authentication and password management solutions.
  3. Over 8.4 billion IoT devices are currently in use, a figure expected to rise to 25 billion by 2020. By 2020 an estimated 25% of all cyber attacks will target IoT devices, and as more industries adopt IoT we can expect these attacks to keep rising unless manufacturers prioritise the security features of their devices.
  4. According to Gartner, nearly 40 percent of enterprise-level businesses will be using RASP (runtime application self-protection) to some extent by 2020.
  5. A report from the Cyber Threat Alliance (CTA) indicates a 459% increase in the rate of cryptojacking, in which attackers use unauthorised access to an organisation's data-centre servers to mine cryptocurrency with their processing power.
These are five trends and predictions for cyber security. As Kirsten Manthorne has said, "You are an essential ingredient in our ongoing effort to reduce Security Risk": we all have a role to play in making our organisations secure.

Tuesday 4 December 2018

SIEM 3.0


Technology is evolving, and evolving fast: processor and computation speed are enhancing cloud and mobile devices, which has made data available anywhere. IaaS, PaaS and SaaS have brought integration of data across applications and platforms, along with new security challenges. IIoT, OT and IoT further bring data of high velocity, variety and volume which, when converted into information through analysis, brings high value to companies and takes them toward digitalisation and Industry 4.0. Cyber security too has to evolve, and so has the Security Operations Center.

We can no longer rely on descriptive analytics; we need predictive and prescriptive analytics of the security landscape.
As per Gartner, 30% of global enterprises will have been directly compromised by cybercrime by 2020.
There have been serious information security breaches in recent years, and hacking-as-a-service has left organisations in even greater need of effective tools. The platforms that serve criminals already have sophisticated tooling, let alone the state-sponsored attackers. So even if you cannot yet afford a sophisticated infrastructure to protect your business, the door and the lock should visibly tell the attacker that you are prepared and they are not welcome. The attacker keeps arriving with a taller ladder, and you need higher walls.
A typical organisation has logs coming from the firewall, IPS/IDS, antivirus, email gateway, web gateway, DLP, IDAM, PAM and so on. These arrive in real time, in different formats, and describe both internal and external threats. For each incident the source needs to be identified, along with its type, the target system, the consequences, the priority of handling, and the countermeasures and mitigation with their impact. In the 13 years since Gartner began rating SIEM there have been two generations of SIEM: SIEM 1.0 and SIEM 2.0.
SIEM systems are rule-based or policy-based. Rule-based systems are time-consuming, as hundreds of rules need to be kept updated, and they produce many false positives and negatives because of the innovative techniques attackers use. In policy-based systems everything depends on timelines and on the policy being written correctly; alternatively, a statistical correlation engine establishes the relationships between event-log entries. A typical architecture is shown below:

Credit: Designing blockchain -Natalia Miloslavskaya

There are two opposing approaches to log collection for a SIEM: agentless, where logs are transmitted directly to the SIEM, or agent-based, with a software agent installed on each host that generates logs.

SIEM 1.0 was log-centric and detected IS events through preset rules and correlation implemented on IP addresses and, less often, on ports, protocols and users. Log files lack the detail needed to understand what was truly happening. Another drawback of SIEM 1.0 is its use of a relational database, with limitations such as a very simple structure, little semantic richness, no support for recursion or inheritance, and a lack of processing/triggers. These led to the need for a second-generation SIEM system: SIEM 2.0.

SIEM 2.0 integrates a Security Intelligence Center (SIC) with the Security Operations Center (SOC), allowing the organisation to get tailored, predictive network security management. This helps companies align IS risk management with business needs and monitor users and applications constantly. It adds real-time detection and collection of event data from all sources, tracking of the complete lifecycle of IS incidents, automated generation of reports and recommendations, and the use of big data and analytics. SIC and SOC now work together, where the SIC is the brain and the SOC is management's eyes. OT and IIoT data is now also integrated into the SIEM for security monitoring.
SIEM 3.0
Digitisation, cloud, platforms and Industry 4.0 mean that data, and the events taking place, are distributed and scattered. This leads to four silos: data locked in disparate security devices, applications and databases; data from endpoint products and applications (email, phone records, web content, digitised audio and video, GPS location and so on); data in streams such as network traffic and website clickstreams; and data segregated by business unit and working group. On top of this comes the configuration and state of network devices. Correlation between the silos needs to be established, and knowledge extracted from it. We already know that most OT or plant attacks originated from spear phishing to get into the plant, after which the attackers took control of the HMI and SCADA systems and remediation was further blocked by DDoS attacks. There are similar case studies concerning confidentiality of data for banks or availability for telecom companies, considering the CIA triad of cyber security: confidentiality, integrity and availability. Hence the company's historical data, along with the deep and dark web and social engineering, has to be monitored for insider threats, combined with threat intel for external attacks and threat hunting using machine learning and artificial intelligence. The most important component would be blockchain, a distributed ledger that can record the various events and correlate them into an incident; these would include logs from IoT, OT and IIoT devices such as CCTV cameras, access-control cards, PLCs, sensors, Wi-Fi, IDAM, DLP and IPS/IDS.
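The rule-based versus statistical correlation discussed earlier, and the cross-silo correlation this section calls for, are easier to see in code. The following is an added example, not code from the original post or from any SIEM product: it normalises constructed log lines from four different sources (firewall, VPN, IDS, antivirus; the formats, hostnames, addresses and the five-day traffic baseline are all invented for the example), applies one rule-based correlation (failed logons followed by a success) and one statistical correlation (outbound volume against a per-host baseline), and then raises each incident's priority when a second silo corroborates it.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in vendor-style formats (not real device output):
# firewall, VPN authentication, IDS and antivirus. Addresses are documentation ranges.
RAW_LOGS = [
    '2018-12-04T10:00:01 fw01 deny src=203.0.113.7 dst=10.0.0.5 dpt=22 bytes=120',
    '2018-12-04T10:00:05 vpn01 auth user=alice src=203.0.113.7 result=FAIL',
    '2018-12-04T10:00:09 vpn01 auth user=alice src=203.0.113.7 result=FAIL',
    '2018-12-04T10:00:14 vpn01 auth user=alice src=203.0.113.7 result=FAIL',
    '2018-12-04T10:00:20 vpn01 auth user=alice src=203.0.113.7 result=FAIL',
    '2018-12-04T10:00:27 vpn01 auth user=alice src=203.0.113.7 result=FAIL',
    '2018-12-04T10:00:40 vpn01 auth user=alice src=203.0.113.7 result=OK',
    '2018-12-04T10:01:00 ids01 alert sig="ET SCAN SSH brute force" src=203.0.113.7 dst=10.0.0.5',
    '2018-12-04T10:02:00 fw01 allow src=10.0.0.5 dst=198.51.100.9 dpt=443 bytes=52000000',
    '2018-12-04T10:02:10 av01 detect host=10.0.0.5 malware=Trojan.Generic action=quarantined',
]

# Constructed baseline: daily outbound bytes per internal host over five earlier days,
# the kind of history a statistical correlation engine keeps.
BASELINE_BYTES = {"10.0.0.5": [1_200_000, 900_000, 1_500_000, 1_100_000, 1_300_000]}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<device>\S+) (?P<action>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Normalise one raw line into a common event: timestamp, device, action, fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": datetime.fromisoformat(m["ts"]), "device": m["device"], "action": m["action"]}
    event.update({k: v.strip('"') for k, v in KV_RE.findall(m["rest"])})
    return event


def rule_brute_force(events, threshold=5, window=60):
    """Rule-based correlation: `threshold` failed logons for one user from one source
    within `window` seconds, followed by a success from the same source."""
    incidents, failures = [], defaultdict(list)
    for ev in events:
        if ev["action"] != "auth":
            continue
        key = (ev["src"], ev["user"])
        if ev["result"] == "FAIL":
            failures[key].append(ev["ts"])
            failures[key] = [t for t in failures[key] if (ev["ts"] - t).total_seconds() <= window]
        elif ev["result"] == "OK" and len(failures[key]) >= threshold:
            incidents.append({"rule": "brute_force_then_success", "src": ev["src"],
                              "user": ev["user"], "ts": ev["ts"], "failures": len(failures[key])})
            failures[key].clear()
    return incidents


def rule_outbound_anomaly(events, baseline, z_threshold=3.0):
    """Statistical correlation: today's outbound bytes per internal host versus its baseline."""
    totals, last_seen = defaultdict(int), {}
    for ev in events:
        if ev["device"].startswith("fw") and ev["action"] == "allow":
            totals[ev["src"]] += int(ev["bytes"])
            last_seen[ev["src"]] = ev["ts"]
    incidents = []
    for host, total in totals.items():
        history = baseline.get(host)
        if not history or len(history) < 2:
            continue  # no baseline yet, nothing to compare against
        mean, sd = statistics.mean(history), statistics.pstdev(history)
        z = (total - mean) / sd if sd else float("inf")
        if z > z_threshold:
            incidents.append({"rule": "outbound_volume_anomaly", "src": host,
                              "ts": last_seen[host], "bytes": total, "z": round(z, 1)})
    return incidents


def enrich(incident, events, minutes=5):
    """Cross-silo correlation: IDS and antivirus events naming the same address within
    `minutes` of the incident corroborate it and raise its priority."""
    ip, ts = incident["src"], incident["ts"]
    related = [ev for ev in events
               if ev["device"].startswith(("ids", "av"))
               and ip in (ev.get("src"), ev.get("dst"), ev.get("host"))
               and abs((ev["ts"] - ts).total_seconds()) <= minutes * 60]
    incident["corroborated_by"] = sorted({ev["device"] for ev in related})
    incident["priority"] = {0: "low", 1: "medium"}.get(len(incident["corroborated_by"]), "high")
    return incident


def correlate(lines, baseline=BASELINE_BYTES):
    """Parse, sort by time, run both rule types and enrich each incident from the other silos."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    incidents = rule_brute_force(events) + rule_outbound_anomaly(events, baseline)
    return [enrich(inc, events) for inc in incidents]


if __name__ == "__main__":
    for inc in correlate(RAW_LOGS):
        print(inc["priority"].upper(), inc["rule"], inc["src"], inc["corroborated_by"])
```

On the constructed lines this yields a medium-priority brute-force incident for 203.0.113.7 (corroborated by the IDS alert only) and a high-priority outbound-volume anomaly for 10.0.0.5 (corroborated by both IDS and antivirus). The point of the design is that neither the VPN log nor the firewall log alone tells the analyst much; the priority comes from the correlation across silos.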

SIEM 3.0 is the need of the hour, and companies need to plan their roadmaps from SIEM 1.0 or SIEM 2.0 toward SIEM 3.0 to reap the benefits of digitalisation and Industry 4.0 while securing their organisation.

Thursday 16 August 2018

Industrial 4.0 and IT & OT Security.

Pierre Nanterme, CEO of Accenture, rightly said at the World Economic Forum in Davos in 2016, speaking on the Fourth Industrial Revolution, that digital is the main reason just over half of the companies on the Fortune 500 have disappeared since the year 2000.
Businesses today, be they government, mining, energy, oil & gas, public utilities, manufacturing, telecom, retail, banking, healthcare, insurance, hi-tech, pharma or travel, are affected by security threats. Digital is opening new markets and platforms and bringing better efficiency, but the cyber threat looms large over business. How do we protect ourselves? To start with, cyber security is a constantly moving target and we need to adapt. Primarily the threats can be segregated into IT threats and OT threats, and with Industry 4.0 the fine line between IT and OT is diminishing further.

IT (information technology) threats primarily concern personal computers, laptops, servers, network devices, data centres, mobile, communications, cloud security, enterprise resource planning (ERP), application security, and governance, risk and compliance.



OT (operational technology) threats concern the Internet of Things; communication such as Bluetooth, Wi-Fi and near-field communication; machines, pigs, industrial control systems (ICS), supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), programmable logic controllers (PLC) and industrial automation and control systems (IACS); and printers, sensors, electronic control units (ECU) and the like.

Some high-level steps are to have an IT security policy and an OT security policy, and to make sure there is awareness and training about them; the audience should include not just employees but also suppliers, partners, distributors and others in the ecosystem. Have the right tools in place: endpoint protection, email and web protection, IPS and IDS, NAC and firewalls; for insider threats and access control, an identity and access management tool and privileged access management, along with multi-factor authentication and a password manager; and for cloud, a CASB. For critical infrastructure, banks, government, the public sector and the energy and oil and gas sectors it is advisable to also have advanced threat protection and endpoint detection and response, as these sectors are prone to targeted state-level attacks.

For operational technology it is advised that a monitoring tool is deployed at the PLC (programmable logic controller) layer to watch for threats to OT assets, for any configuration change that could lead to an accident, for compliance, and for any device connected to the OT network that is not meant to be there. Network discovery and asset management therefore play a crucial role: it is critical to know whether all patches are up to date and that only trusted software and hardware are on the network. Security threats such as man-in-the-middle and DDoS attacks need to be monitored with intrusion detection and prevention from the HMI (human-machine interface) to OT, and from OT to the IT network.
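What "monitoring at the PLC layer" looks like in practice is a passive decoder on the OT network that parses the control protocol and checks each write against an asset inventory and a policy. The following is an added example, not code from the original post or from any OT monitoring product: it builds and parses Modbus/TCP request frames (the MBAP header and function-code layout are per the public Modbus specification), then raises alerts for a host that is not in the inventory, for a write from a host not allowed to write, for a configuration-block write from anything but the engineering workstation, and for a malformed frame. The inventory, the address ranges, the policy and the captured traffic are all constructed for the example.

```python
import struct

# Modbus function codes that change PLC state; codes 1-4 are reads and are left alone.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Constructed asset inventory and policy (assumptions for this example): only the
# engineering workstation may touch the configuration register block, and only
# inventoried HMIs and engineering hosts may write at all.
KNOWN_ASSETS = {"10.10.1.20": "ENG-WS-01", "10.10.1.21": "HMI-01", "10.10.2.5": "PLC-LINE-1"}
ENGINEERING_WORKSTATIONS = {"10.10.1.20"}
WRITE_ALLOWED = {"10.10.1.20", "10.10.1.21"}
CONFIG_REGISTERS = range(0x1000, 0x1100)


def build_modbus_tcp(unit, function, data, transaction=1):
    """MBAP header (transaction id, protocol id 0, length, unit id) followed by the PDU."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", transaction, 0, len(pdu) + 1, unit) + pdu


def parse_modbus_tcp(frame):
    """Decode one Modbus/TCP request; raises ValueError on a malformed frame."""
    if len(frame) < 8:
        raise ValueError("short frame")
    transaction, protocol, length, unit = struct.unpack(">HHHB", frame[:7])
    if protocol != 0:
        raise ValueError("protocol id %d is not Modbus" % protocol)
    if length != len(frame) - 6:
        raise ValueError("length field %d does not match frame" % length)
    function, data = frame[7], frame[8:]
    msg = {"transaction": transaction, "unit": unit, "function": function}
    if function in WRITE_FUNCTIONS:
        msg["address"] = struct.unpack(">H", data[:2])[0]
    if function in (5, 6):
        msg["value"] = struct.unpack(">H", data[2:4])[0]
    elif function == 16:
        quantity = struct.unpack(">H", data[2:4])[0]
        msg["values"] = list(struct.unpack(">%dH" % quantity, data[5:5 + 2 * quantity]))
    return msg


def monitor(captures):
    """Passive monitor: each capture is (src_ip, dst_ip, frame). Returns alerts in order."""
    alerts = []
    for src, dst, frame in captures:
        try:
            msg = parse_modbus_tcp(frame)
        except ValueError as err:
            alerts.append({"type": "malformed_frame", "src": src, "dst": dst, "detail": str(err)})
            continue
        if src not in KNOWN_ASSETS:
            alerts.append({"type": "unknown_device", "src": src, "dst": dst})
        if msg["function"] in WRITE_FUNCTIONS:
            detail = {"src": src, "dst": dst, "unit": msg["unit"],
                      "function": WRITE_FUNCTIONS[msg["function"]], "address": msg["address"]}
            if src not in WRITE_ALLOWED:
                alerts.append({"type": "unauthorised_write", **detail})
            elif msg["address"] in CONFIG_REGISTERS and src not in ENGINEERING_WORKSTATIONS:
                alerts.append({"type": "config_change_from_non_engineering", **detail})
    return alerts


# Constructed traffic: the HMI polls registers and sets a setpoint, the engineer updates
# the configuration block, a laptop missing from the inventory does the same, the HMI
# forces a coil, the HMI writes into the configuration block, and a truncated frame.
CAPTURES = [
    ("10.10.1.21", "10.10.2.5", build_modbus_tcp(1, 3, struct.pack(">HH", 0x0000, 10), 1)),
    ("10.10.1.21", "10.10.2.5", build_modbus_tcp(1, 6, struct.pack(">HH", 0x0010, 1500), 2)),
    ("10.10.1.20", "10.10.2.5", build_modbus_tcp(1, 16, struct.pack(">HHBHH", 0x1000, 2, 4, 1, 0), 3)),
    ("10.10.9.99", "10.10.2.5", build_modbus_tcp(1, 16, struct.pack(">HHBHH", 0x1000, 2, 4, 0, 0), 4)),
    ("10.10.1.21", "10.10.2.5", build_modbus_tcp(1, 5, struct.pack(">HH", 0x0003, 0xFF00), 5)),
    ("10.10.1.21", "10.10.2.5", build_modbus_tcp(1, 6, struct.pack(">HH", 0x1002, 0), 6)),
    ("10.10.1.21", "10.10.2.5", b"\x00\x07\x00\x00\x00\x02\x01"),
]

if __name__ == "__main__":
    for alert in monitor(CAPTURES):
        print(alert)
```

Reads never alert, so the monitor stays quiet during normal polling; the engineer's own configuration write is also silent because it matches policy. A real deployment would feed these alerts into the SIEM alongside the IT logs and would also diff the written register values against the last known-good configuration.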

Behaviour and anomaly analytics are an essential element of both IT and OT security.
Once the IT and OT networks are appropriately secured, the next target is to set up a security operations centre: collect the IT logs (sized in events per second, EPS) and the OT network traffic (sized in packets per second, PPS), monitor the threats through the SIEM tool, and integrate it with the ticketing system and, possibly, with artificial intelligence and SOC orchestration.

Conclusion:
I have given a high-level summary of the steps that can be taken to secure your network and uphold the CIA triad of confidentiality, integrity and availability. Other hygiene measures are to secure transactions with up-to-date digital certificates for both IT and OT. Communication, especially over wireless LAN, needs to be secured, and any communication that is critical or confidential, or that goes to the cloud or outside the network, needs to be encrypted, including email, messages and documents. It is vital that a standard operating procedure is in place for any software installation or patch update.

My message for companies that think they haven’t been attacked is: “You’re not looking hard enough”.

Wednesday 25 July 2018

Cyber Security and Privacy in the Digital Age - 10 Threats and 10 Solutions.


Charles Darwin, the famous English naturalist and geologist, is often quoted as saying:
"It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is the most adaptable to change."

The digital age has lifted human efficiency to a level not seen at any point in history. It provides real-time data that helps individuals and businesses; this data arrives at high velocity, variety and volume, and it originates from the Internet of Things, mobiles, tablets, personal computers, laptops and servers. Along with the great benefits that come with digital, there is also a need for caution to protect personal data.

I am going to highlight ten everyday threats to our security and privacy, and ten solutions.

Our security and privacy are threatened in the following ten ways:
1.      Viruses, malware and ransomware on PCs and other computers.
2.      Outbound spam emails (your account being abused to send spam).
3.      Mobile devices:
3.1.   Mobile devices used on unsecured public networks.
3.2.   Charging a mobile device in a public place using a data cable.
4.      Man-in-the-middle and web application attacks, such as:
4.1.   Session hijacking.
4.2.   SQL injection.
5.      Sharing sensitive data over the phone.
6.      Sharing passwords, brute-force attacks, or being careless with a password, such as writing it where everyone can see it or using a weak one.
7.      Social engineering: social media contacts from fake accounts, compromised social media accounts or bots.
8.      Identity theft: email or social media identity theft.
9.      Insider threat: the threat from disgruntled employees.
10.  Untrusted software: we use a lot of software and hardware, and we need to be careful with tampered software or software with bugs that can affect data privacy.

The ten solutions are as follows:
1.      Use appropriate antivirus software.
2.      Never let your smartphone auto-join public networks; choose a public network manually.
3.      When you do connect to a public network, prefer one protected with WPA2.
4.      Never transfer critical or confidential data, especially banking information, over a public network.
5.      Always opt for HTTPS rather than HTTP. HTTPS is HTTP carried over Transport Layer Security (TLS), or formerly its predecessor Secure Sockets Layer (SSL); it encrypts and authenticates the connection, which helps mitigate session hijacking to an extent.
6.      Never share confidential information on social media.
7.      Always use trusted software and hardware obtained from a trusted source.
8.      Only download and use trusted applications on mobile phones.
9.      Configure your Wi-Fi router for WPA2 and use a strong password.
10.   Use strong passwords for your social media and email accounts and be careful with them: do not share them and do not write them on sticky notes. If possible, use a privacy screen filter so that others cannot read your screen.

Barton Gellman, the American journalist and best-selling author, has said:
"Privacy and encryption work, but it's too easy to make a mistake that exposes you."


Tuesday 14 November 2017

Digital Certificates


We do most of our transactions digitally, from banking to mobile e-commerce to IoT-based transactions, and to make a digital transaction secure we use digital certificates. A digital certificate is issued by a Certification Authority (CA) after it has validated the individual or organisation, and it binds that identity to a public key. The certificate lets a client check that a website or mobile transaction platform is the one it claims to be.

Some of the important things to look out for are:
-  Who issued the certificate?
-  Who the certificate is issued to.
-  Validity period (valid from / valid to).
-  Public key.
-  Digital signature.

Certificates are used for identification and encryption, which in turn grant the right to access information or other services online. They ensure the identity of all parties involved and include a public key used to encrypt data, as in email, documents and secure web transactions.
Public Key Infrastructure (PKI): PKI, also known as a trust hierarchy, is a system of digital certificates, certification authorities (CAs) and registration authorities (RAs) used to verify and authenticate the validity of the parties involved in an internet transaction.

Digital Signature: a digital signature is based on asymmetric cryptography. The certificate's contents are first reduced by a hash function to a fixed-length mathematical value; the issuer then signs that hash with its private key, a one-way operation. Anyone can check the signature with the issuer's public key, which recovers the hash value; if it matches a freshly computed hash of the certificate, the certificate has not been altered or damaged. If the hash value does not match, the certificate is corrupt or has been tampered with.
The private key is paired with the public key, but the private key is stored separately and kept secret.
A certificate includes the holder's public key, information about the individual, computer or organisation to which it is issued, information about the issuing certification authority (CA), the dates of issue and expiry, and the serial number of the certificate.

Certification Authority: a certificate is essentially a file with data in it, so the trust model rests on validating that data, and the CA's role is important. The CA performs its checks before issuing a certificate so that the certificate can be trusted. CAs certify and create an electronic document, the digital certificate, which verifies that individuals and organisations are who they say they are; hence the CA itself must also be a trusted source. An organisation can have additional levels of certification authority; the model normally followed is a root CA with subordinate (child) CAs.

A CA is essentially a hierarchical system composed of software, hardware, procedures, policies and administrators who validate requests and generate certificates.
Now that transactions happen over mobile and IoT as well as the web, digital certificates are of high importance for the security of digital transactions.

Hardware Security Architecture.


Hardware security is an important aspect: firstly, anyone using a machine today already gets some form of protection from the hardware; secondly, more security-oriented properties are arriving in new chips over the next couple of years; and thirdly, there are important properties that can only be built in hardware, on which software can then build.

Machines today are connected and vulnerable to cyber threats. The threats we face are memory corruption, data disclosure, code injection, control-flow diversion and return-oriented programming. The properties a secure architecture tracks for every word in memory are its type (instruction, data or pointer), its extent (base and bounds) and its ownership (the owning component and its access rights); the architecture then guarantees that every access is consistent with them.

A lot of the security issues we face today stem from the hardware security architecture. Multics was a machine designed for security, whereas in the machines we have today security is an afterthought. Multics was originally a project between MIT, which designed it, General Electric, which made the hardware, and Bell Labs, which was the user. Bell Labs, however, got a little nervous and wanted something that worked straight away, so they designed a much simpler system on a less expensive piece of hardware; the system was called Unix, a trimmed-down, lesser-featured offshoot of Multics. Unix was later widely used and is the predecessor of Linux and a variety of systems we use today.

In this transition we lost the idea of segmentation and the idea of rings. What was carried forward were some of Multics' ideas of permissions and levels of privilege, which in most machines reduce to the kernel-versus-user distinction, as against the many rings Multics had. Multics was programmed in a higher-level language, PL/I, whereas Unix moved to a very low-level language, C, which is also the cause of a lot of the problems we face today.

Multics had some very important, high-leverage uses, particularly in defence systems. It worked on three fundamental principles: complete mediation, separation of privilege and least privilege. The fundamental observation was that, to do its job, most of the time the kernel does not need to read your data; hence segmentation of memory and the use of access-control rings.
Multics was an earlier MIT project whose idea was to develop a computer utility that could share its very expensive resources so that many people could access them. The next leap, which today carries the Multics idea forward, is cloud computing: network computing across all kinds of client-server architecture.

The other thing happening at the processor level is making sure that only high-privilege users can access high-sensitivity data. What is coming now is the fat pointer, meaning that every pointer into memory carries the lower and upper bounds of the object it points into; Intel's MPX feature helps enforce this property.
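To make the extent (base and bounds) idea concrete, here is an added example, not code from the original post and not a model of any particular processor: it simulates a flat memory with two objects allocated back to back (an 8-byte buffer and a 4-byte neighbour standing in for a saved pointer or canary), writes 12 bytes through a conventional pointer that knows only an address, and then repeats the write through a fat pointer that carries the object's bounds and refuses any access outside them. The memory layout, object sizes and payload are assumptions for the example, and Python stands in for what the hardware would do in the pointer itself.

```python
class BoundsError(Exception):
    pass


class Memory:
    """A flat byte array standing in for RAM. Objects are allocated back to back, so an
    overrun of one object lands in its neighbour (assumption: no guard pages)."""
    def __init__(self, size):
        self.cells = bytearray(size)
        self._next = 0

    def alloc(self, size):
        base = self._next
        self._next += size
        return base


class RawPointer:
    """A conventional pointer: just an address, with no idea how big the object is."""
    def __init__(self, mem, addr):
        self.mem, self.addr = mem, addr

    def write(self, data):
        self.mem.cells[self.addr:self.addr + len(data)] = data  # memcpy-style, unchecked

    def read(self, n):
        return bytes(self.mem.cells[self.addr:self.addr + n])


class FatPointer:
    """Address plus the lower and upper bound of the object it was derived from.
    Pointer arithmetic keeps the bounds; every access is checked against them."""
    def __init__(self, mem, base, length, addr=None):
        self.mem, self.base, self.bound = mem, base, base + length
        self.addr = base if addr is None else addr

    def __add__(self, offset):
        return FatPointer(self.mem, self.base, self.bound - self.base, self.addr + offset)

    def _check(self, n):
        if self.addr < self.base or self.addr + n > self.bound:
            raise BoundsError("access [%d, %d) outside object [%d, %d)"
                              % (self.addr, self.addr + n, self.base, self.bound))

    def write(self, data):
        self._check(len(data))
        self.mem.cells[self.addr:self.addr + len(data)] = data

    def read(self, n):
        self._check(n)
        return bytes(self.mem.cells[self.addr:self.addr + n])


def demo(payload=b"A" * 12):
    """Overflow an 8-byte buffer with a 12-byte payload, first through a raw pointer and
    then through a fat pointer; returns what the neighbouring object holds afterwards."""
    results = {}
    mem = Memory(64)
    buf = mem.alloc(8)        # char buf[8]
    canary = mem.alloc(4)     # the object right after it
    mem.cells[canary:canary + 4] = b"CANA"
    RawPointer(mem, buf).write(payload)         # classic overflow: spills into the canary
    results["raw"] = RawPointer(mem, canary).read(4)

    mem.cells[canary:canary + 4] = b"CANA"      # restore, then retry with bounds
    try:
        FatPointer(mem, buf, 8).write(payload)
        results["fat_error"] = None
    except BoundsError as err:
        results["fat_error"] = str(err)
    results["fat"] = RawPointer(mem, canary).read(4)
    return results


def access_allowed(offset, n, length=8):
    """Would a read of n bytes at (object + offset) pass the fat pointer's bounds check?"""
    mem = Memory(32)
    p = FatPointer(mem, mem.alloc(length), length) + offset
    try:
        p.read(n)
        return True
    except BoundsError:
        return False


if __name__ == "__main__":
    print(demo())  # raw write corrupts the neighbour, fat write is refused
```

The raw write leaves the neighbour holding b"AAAA", which is exactly the memory-corruption primitive behind the code-injection and control-flow-diversion attacks listed above; the fat pointer raises instead and the neighbour still reads b"CANA". Note that `access_allowed(-1, 1)` is refused as well: the lower bound matters as much as the upper one, which is the "bounded above and below" point in the text.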

Monday 9 October 2017

GDPR Summit London 2017

Today I attended the GDPR Summit 2017 in London. I am intrigued by GDPR, as it gives power and rights to ordinary citizens, and many countries are following the same path. As one of the speakers put it, IT has led society's transformation and evolution, but it now has to be balanced, or normalised, with other aspects of life. GDPR is primarily meant for the good of citizens and society; its purpose is to make sure that companies use personal information with the consent of the individual, who may be an employee (current, past, or someone they have interviewed), a supplier or a customer. The individual has the right to withdraw consent whenever they wish and to have their data deleted from the company's systems.

The deterrent for GDPR non-compliance is not just the fine of up to 4% of global annual turnover or 20 million euros, whichever is higher, but also the fact that the regulator can bar a company from processing data temporarily or even permanently. The positive side is that data ethics can become a competitive advantage.


The stakeholders in an organisation's GDPR implementation are legal, human resources, information technology and marketing. The DPIA (data protection impact assessment) required by Article 35 for high-risk processing is another aspect; Article 35(7)(a) requires it to open with a systematic description of the processing and its purposes. Employee consultation and a customer survey are recommended. In the case of cloud computing, responsibility remains with the controller. Other articles relevant alongside the records of processing under Article 30 are Article 7 (consent), Articles 15-19 (data subject rights), Article 20 (data portability), Article 32 (security of processing) and Articles 44-46 (international transfers).


A Data Protection Officer is a mandatory position for public authorities and for companies whose core activities involve large-scale monitoring or large-scale processing of special categories of data (Article 37); the DPO and a privacy officer are two different roles, and the DPO can be a part-time role. Another aspect was the right to be forgotten, and it was acknowledged that an ERP does not delete data but flags it so that it no longer appears in the system while still residing in it; anonymisation and tokenisation of the data are therefore recommended. With tokenisation, the audit trail and login records should also be reviewed and matched so that any attempt at re-identification is detected and blocked.

Another aspect of data privacy concerned application security and the IoT (Internet of Things). While application security primarily covered session hijacking, phishing and the like, IoT can also be a route for infiltrating the network and accessing the data; hence application-level and IoT security are both important. Security monitoring is another key function of data privacy, and the need for cloud security was emphasised. Ben Westwood, Data Protection Officer of eBay, explained the complexity involved in data privacy management for an e-commerce company.


Marketing is another function impacted by GDPR: email campaigns, cookie tracking and search engine optimisation can no longer be conducted without the customer's consent, and the consent form should be simplified so that an ordinary computer or smartphone user can understand it. It was also acknowledged that personal data of non-corporate users makes up around 80% of the data companies process under GDPR, with employee data the other 20%, so solutions need to be planned and designed on that basis.


It was acknowledged that countries such as India, Singapore and Hong Kong have also adopted data privacy rules apart from Europe, and South Africa has its own data privacy law, POPI.

IT has penetrated every individual's life to a large extent; it has changed the way we live and conduct business, and this has happened rapidly over the past 15 to 20 years. It needs some form of governance, hence the idea of bringing principles and ethics into the equation. The intent behind GDPR is in the right place, and companies will need to live with this new reality and comply. However, overseeing GDPR regulation will require highly intelligent individuals with high integrity and conviction, as alternative narratives will be offered and they will have to distinguish the narrative in the interest of people and society from vested interests.
