No final fix for cyber security

There really is no final fix solution endgame when it comes to cyber security.

There really is no final fix solution endgame when it comes to cyber security, according to security industry veteran and chief research officer at F-Secure Mikko Hypponen.The claim was made by security industry veteran and chief research officer at F-Secure Mikko Hypponen and two of the most valuable lessons in cyber security are to know your enemy and not to rely on users to be secure.

“We will always have cyber security problems because we will always have bad people, which means job security in security is likely to continue for ever,” he told the Wired Security conference in London.

Cyber attackers are continually evolving their techniques and capabilities to steal and monetise data in new ways, which means the goalposts are continually moving.

“If we were still fighting the enemy of 10 years ago, we would be in great shape,” he said, alluding to the security tools that have been developed since then, as well as the security improvements in software.

“Attackers will always have the upper hand because they have the luxury of time to study our defences, while defenders do not have that luxury, so it is an unfair contest – a never-ending race.”

Reflecting on lessons learned over his 25 year career in information security, Hypponen said the most important thing is to understand the adversary.

However, he said the days of being able to do that easily are long gone, with most organisations finding themselves faced with a whole range of attackers.

They are all looking to gain something, said Hypponen, whether they are hacktivists supporting a cause, nation state actors or criminals.

“But for most organisations, criminals are the most likely to be attacking them,” he said, noting that of the 350,000 to 450,000 new malware samples that F-Secure sees on a daily basis, 95% comes from organised cyber crime groups.

“It is different when you get targeted by foreign intelligence agencies, because they are really bad, but most organisations are not targeted by foreign spies because most organisations are of no interest to them,” he said.

Although these cyber criminals like to portray themselves as Mafiosi, Hypponen said most are just “geeks” looking to make money from selling things such as hacked PayPal accounts and credit card details along with step-by-step guides on how to use them to make money.

Ransomware most popular form of cyber crime

Ransomware that encrypts victims’ data and demands payment in return for restoring it is fast becoming the most popular way for cyber criminals to make money.

“This is a simple business model based on the principle of selling data to the highest bidder, which is often the person or organisation that owns the data in the first place,” said Hypponen.

F-Security is currently tracking more than 110 different ransomware groups operating around the world and competing for market share.

“Ransomware has become very competitive, with the result of some groups seeking to expand into new markets by translating ransomware campaigns into 26 different languages,” said Hypponen.

Another evolution of ransomware attacks is the shift away from consumers to target enterprises.

“As soon as an infected computer is connected to the corporate network, the attackers enumerate and mount all the file shares the user can access and dynamically set the ransom based on how many files they manage to encrypt on the network,” said Hypponen.

The biggest concern about ransomware for enterprises is that it will stop business operations. With continuity in mind, some enterprises are even setting up bitcoin wallets to be able to pay ransoms quickly and minimise the impact on business continuity.

“This idea of continuity is really backwards, because it does not address the problem,” said Hypponen. “The more enterprises pay these ransoms, the greater and more entrenched this problem will become.”

EDPR and customers data protection

We follow on from our Cyber Security Force’s post yesterday about 96% of firms being unprepared for tougher data protection laws.

We follow on from our Cyber Security Force's post yesterday about 96% of firms being unprepared for tougher data protection.While businesses grapple to become compliant, they remain out of touch with consumer expectations when it comes to data privacy and security.

Nearly three quarters of businesses do not think an organisation’s privacy track record is a top three consideration for customers when choosing who to do business with, despite customers asking about data security in more than a third of transactions.

Equally concerning, the report said, is the finding that 35% of respondents do not believe their organisation takes an ethical approach to securing and protecting data.

These results show there is a significant disconnect with consumer priorities, the report said, with 88% of European consumers regarding data security as the most important factor when choosing a company with which to do business. In fact, 86% consider it more important than product quality.

Unsurprisingly, the study found that 55% of businesses are not confident they completely meet customers’ data security expectations.

The study also found many businesses have not started working out the necessary organisational and cultural changes they need to make ahead of May 2018.

Some 9% of businesses admitted that all employees are able to access customers’ personal information, while 6% admitted that all staff can access customers’ payment details. Only 14% believe everyone in the organisation has a responsibility to ensure data is protected.

With such wide reaching access to people’s personal information, businesses are underestimating the challenges they will face in managing this in line with the GDPR, the report said.

Under half of those surveyed said managing data ethically is a top priority for their organisation, and less than half again said they would be increasing security training. Only 27% of businesses polled said they are planning to overhaul their approach to security in response to the GDPR.
Technical readiness

The majority of respondents (91%) have concerns about the ability of their organisation to comply with the GDPR, due to factors such as the complexity of processing data correctly in time and costs involved.

Only 28% of IT and business decision makers realise the right to be forgotten is part of GDPR, while 90% of businesses say customers requesting their data be deleted will be a challenge for their organisation.

Only 9% of respondents have already received requests to be forgotten, but 81% believe their customers would exercise their right for data to be deleted, and 60% of businesses do not currently have a system in place that enables them to respond to these requests.

With less than two years before the EU data protection rules come into force, there are 10 key areas businesses need to focus on to ensure they will be compliant.

The European Parliament’s official publication of the General Data Protection Regulation means it will become enforceable on 25 May 2018.

Companies that fail to start planning to deal with the EU’s data protection requirements are in for a real shock, warns the International Association of Information Technology Asset Managers.
The GDPR is about enabling organisations to realise the benefits of the digital era, but it is serious about enforcement for those that do not play in the rules, says UK information commissioner.

Nearly all European businesses unprepared for new data protection laws

96% of companies still do not fully understand the European General Data Protection Regulation (GDPR), a survey has revealed.

96% of companies still do not fully understand the European General Data Protection Regulation (GDPR), a survey has revealed.

Lack of consumer and regulatory understanding, combined with low technical and cultural preparedness, represents a major threat to revenue and brand value, according to a Symantec state of privacy report

As a result, 91% of 900 businesses and IT decision makers polled in the UK, France and Germany have concerns about their ability to become compliant by the time the GDPR comes into force on 25 May 2018, according to Symantec’s State of Privacy Report.

The report coincides with a call by the Payment Card Industry Security Standards Council (PCI SSC) for firms to act now to avoid exponentially increased penalties under new European Union (EU) data protection regulations.

UK businesses could face up to £122 billion in penalties for data breaches when new EU legislation comes into effect, the PCI SSC has warned.

The Symantec study also revealed only 22% of businesses consider compliance a top priority in the next two years, despite only 26% of respondents believing their organisation is fully prepared for the GDPR.

Nearly a quarter of those polled said their organisation will not be compliant at all, or will be only partly compliant, by 2018.

Of this group, only a fifth believe it is even possible to become fully compliant with the GDPR, with nearly half believing that while some company departments will be able to comply, but others will not.

This stark lack of confidence in meeting the May 2018 deadline leaves businesses at risk of incurring significant fines, the report said.

These findings show businesses are not only underprepared for the GDPR, they are under preparing,” said Kevin Isaac, senior vice-president, Symantec.

“There is a significant disconnect between how important privacy and security is for consumers, and its priority for businesses. The good news is there’s still time to remedy the situation, but only if firms take immediate action,” he said.

National Cyber Security Centre (NCSC) launched today

The National Cyber Security Centre (NCSC) is officially launched and open for business today 4 October 2016.

The National Cyber Security Centre (NCSC) is officially launched and open for business today 4 October 2016.The government outlined what the NCSC would do, how it would work and who it would work for in May this year, but had not given a precise date for the official opening of the centre until now.

The NCSC will be led by CEO Ciaran Martin, formerly director general of government and industry cyber security at intelligence agency GCHQ, and the technical director will be Ian Levy, formerly technical director of cyber security at GCHQ.

The NCSC will be run from new offices in London as well as from offices near Cheltenham, Gloucestershire.

The primary goal of the NCSC is to simplify the complicated cyber security picture across government that made it difficult for organisations to know who to talk to.

It brings together all the key organisations under a single organisational umbrella to provide better support and bridge the gaps between government, industry and critical national infrastructure.

There were four main goals for the NCSC, which began preparatory work and conducted trials and pilot studies over the summer:

  • These are to reduce cyber security risk to the UK;
  • To respond effectively to cyber incidents and reduce the harm they cause to the UK;
  • To understand the cyber security environment, share knowledge and address systemic vulnerabilities and;
  • To build the UK’s cyber security capability, providing leadership on key national cyber security issues.

The NCSC has five areas of focus: engagement, strategy and communications, incident management, operations, and technical research and innovation.

In the next six months, the NCSC will test its strategic plan and refine it further based on feedback received.