Gallagher wins 2021 Fortress Cyber Security Award

Global security manufacturer Gallagher has been recognised in the 2021 Fortress Cyber Security Awards as a winner in the Authentication and Identity category for its MIFARE DESFire key migration enhancement. The US award recognises the world’s leading companies and products that are working to keep data and assets safe amid increasing threats from hackers.

Designed in response to the growing sophistication of cyber attacks upon credential security, Gallagher’s MIFARE DESFire key migration enhancement helps organisations to mitigate the risk of card cloning or tampering through the improved management of key encoding used to read card credentials. This intelligent enhancement allows for cardholder credentials to be silently updated with newly defined site-specific keys for a secure and seamless cardholder experience.

• 

Steve Bell

“There’s no doubt that cyber crime is evolving rapidly and that this is a growing concern for many organisations around the world,” said Steve Bell (pictured), Chief Technology Officer at Gallagher. “What was produced a decade ago may present weaknesses today. This was the basis for developing the DESFire key migration enhancement so that we could give our customers an easy way in which to securely migrate site access control keys.”

As part of its commitment to cyber security, Gallagher’s security solutions are fully authenticated and encrypted to meet global standards, including the FIPS-201 standards in the US, Type 1A in Australia and also the Centre for the Protection of National Infrastructure’s Cyber Assurance of Physical Security Systems standard here in the UK.

“Cyber attack fears delaying business innovation” reveals HackerOne survey

A survey conducted by HackerOne has revealed that IT projects are being stifled due to security concerns. More than 80% of UK CISOs and CTOs who were interviewed revealed software IT projects have been hindered due to concerns over inevitable security issues. 90% also agreed that software vulnerabilities pose a significant risk to their organisation.

“Organisations need to find a balance between driving innovation and keeping data safe,” said Laurie Mercer, security engineer at HackerOne. “It’s not surprising that fear around cyber security is hindering this, but by moving beyond traditional cyber security strategies, businesses can start to feel empowered. When I started writing code, new releases of software would take six months to develop and test. Today, new software is released every hour. This new pace of innovation poses a problem for security teams but, by implementing a strategy that supports continuous security, businesses can ensure they’re on alert for any vulnerabilities that software might have. The key is to ensure that security is constantly evolving.”

Manpower and budgets are also a key concern for security professionals, with 63% believing security team resources are not able to keep up with the pace of development. Lack of budget and other resources including skill sets were also cited as key barriers to creating a well-rounded cyber security strategy by over a third of respondents.

Despite the significant number of concerns around vulnerabilities and limited resources, the survey highlighted that 62% would rather accept the risk of software vulnerabilities than invite unknown hackers to find them, while 63% say they’re only comfortable accepting bug submissions from vetted hackers.

A HackerOne customer and CISO of an international health and beauty retailer said: “I understand first-hand the nature of remaining cautious. As we all know, though, traditional cyber security methods alone are not sufficient. CISOs find themselves in a tricky position, needing to embrace innovation, but while ultimately remaining responsible for cyber security. The security landscape is ever evolving so we need to approach defensive strategies in the same way. By working with ethical hackers, it gives organisations the freedom to work on new projects, spin-up new applications and try different ways of working, while at the same time there’s peace of mind that continuous and ongoing testing is taking place. With ethical hacking, these vulnerabilities can be fixed immediately.”

The research was conducted by Opinion Matters and included input from 200 UK CISOs and CTOs. The findings revealed what CISOs believe to be the biggest risks to businesses, which areas are hindering growth and what kind of technology respondents are likely to implement in order to overcome these challenges.

Radware reports increase in companies targeted by nation state hackers

Radware, the provider of cyber security and application delivery solutions, has released its 2019-2020 Global Application and Network Security Report. The report finds that more than one-in-four respondents attribute attacks against their organisation to cyber warfare or nation-state activity. In 2018, 19% of organisations believed they were attacked by a nation state. That figure increased to 27% in 2019. At 36%, companies in North America were more likely to report nation state attribution.

“Nation state intrusions are among the most difficult attacks to thwart because the agencies responsible often have significant resources, knowledge of potential zero day exploits and the patience to plan and execute operations,” said Anna Convery-Pelletier, chief marketing officer at Radware. “These attacks can result in the loss of sensitive trade and technological or other data. Security teams may be at a distinct disadvantage.”

These findings come at a time of heightened anxiety for security managers. Organisations are increasingly turning to microservices, server-less architectures and a mix of multiple cloud environments. Two-in-five managers reported using a hybrid environment that included cloud and on-premises Data Centres. Two-in-five said they relied on more than one public cloud environment. However, only 10% of respondents felt that their data was more secure in public cloud environments.

As organisations adapt their network infrastructure to enjoy the benefits of these new paradigms (such as microservices and multi-cloud environments), they increase their attack surface and decrease the overall visibility into their traffic.

For example, 22% of respondents don’t even know if they were attacked, 27% of those who were attacked don’t know the hacker’s motivations, 38% are not sure whether an Internet of Things (IoT) botnet hit their networks and 46% are not sure if they suffered an encrypted DDoS attack.

Convery-Pelletier added: “This report finds that security professionals feel as though the battlefield is shifting under their feet. Companies are increasingly adding and relying upon new paradigms, which means the infrastructure is harder to monitor for attacks. These new technologies force a shift in security implementation into the development teams. Security is often an afterthought as businesses march forward, and there’s a misconception that ‘good enough’ is enough.”

In addition, the report also found the following points of note:

The emergence of 5G networks As the push for 5G grows, there exists an important opportunity to build security into networks at its foundations. Despite the increasing buzz around 5G networks, only 26% of carriers responded that they felt well prepared for 5G deployment, while another 32% stated that they were somewhat prepared

Be careful what you wish for in terms of the IoT 5G promises to advance organisations’ implementation of (and the value they derive from) IoT technologies, but that promise comes with a corresponding increase in the attack surface. When it comes to IoT-connected devices, 44% of respondents said malware propagation was their top concern, while lack of visibility followed at 20% and Denial of Service at 20%

Data loss is top concern About 30% of businesses stated that data theft as a result of a breach was their top concern following an attack, which is down from 35% the previous year, followed by service outages at 23%. Meanwhile, 33% said that financial gain is a leading motivation for attacks

Three tools to avoid cyber crime on Black Friday outlined by Imperva

As the biggest day of the year for online shopping looms large, malicious attackers are using online retail websites as a hotbed to exploit customer data. On that basis, retailers need to take action on Black Friday to protect their websites and their customers.

With Brits now spending more money on their mobile phones than in every Shopping Centre in Britain combined, more needs to be done to ensure that personal information is protected. 

“Unique to e-commerce is gift card fraud,” commented application security and data protection solutions specialist Imperva. “Scammers use bots to test millions of combinations of gift card numbers on retail websites. Once the gift card number is validated as having a balance, that number can be used to buy goods and the balance stolen. Both account takeover and gift card abuse shakes the confidence of the customer so much that many will no longer use the e-commerce site.”

Imperva has outlined three tools retailers should invest in to help reduce the likelihood of these attacks: 

*Install a bot management solution which collects and analyses bot traffic to pinpoint anomalies in your system

*Intrusion prevention systems and a web application firewall should be used to minimise the likelihood that a hacker can exploit a vulnerable website

*Distributed Denial of Service (DDoS) attack prevention should be used to decrease the likelihood of an attack for ransom during this time of the year. Any investment in a DDoS mitigation solution should be accompanied by a DDoS attack plan or playbook such that, in the event of a DDoS attack, all parts of the organisation do what’s necessary to minimise the effects.

Imperva concluded: “It’s paramount to not wait until the last minute to safeguard your website. The time is now to test your security before consumers come flooding in and before attackers monetise on data.”

Major life-threatening cyber attack on UK “in little doubt”

The National Cyber Security Centre (NCSC) has published its second Annual Review, in turn revealing that the organisation has prevented Britain from falling victim to nearly 1,200 attacks in the past two years. The NCSC has also warned of the likelihood of a major life-threatening cyber attack on the UK in the near future.

The NCSC states that the UK is hit by ten serious cyber attacks every week. 70% of these attacks are “undertaken by groups of computer hackers directed, sponsored or tolerated by the Governments of [hostile] countries”.

Commenting on these figures, Mishcon de Reya’s cyber security lead Joe Hancock informed Risk Xtra: “1200 attacks may seem like a large number, but the reality is that this is the tip of the iceberg. The majority of these attacks on business, Government and third sector organisations go unreported and often undetected. Behind these high profile attacks there are the millions of online crimes that affect individuals every day.”

Focusing on that last point, Hancock continued: “We routinely deal with the often unreported issues. More needs to be done to back law enforcement in supporting both victims and responders to better detect and recover from cyber episodes. A focus on critical infrastructure is welcomed by everyone, but it doesn’t help the millions of victims of cyber fraud. The recent Facebook breach shows the potential downsides of large-scale data collection and reliance on single points, provided by social media to access a wide variety of services across the Internet which can act as a gateway for attackers to further data and services.”

Further, Hancock observed: “Cyber security practices are not consistent globally and an attack against a weaker link in the supply or data chain can have unanticipated consequences for companies and individuals. More is needed to help protect everyday victims of these crimes, and especially so in the international arena. It’s difficult to see how mass cyber crime can be tackled without an international consensus and consequences for nations that turn a blind eye.”

Also, Hancock outlined: “Many of the cyber incidents we deal with have a financial component, often involving the traditional banking system and not only cryptocurrencies such as Bitcoin. Driving cyber criminals out of the financial system will have an impact on cyber crime levels.”

Actions and behaviours

There are specific actions and behaviours that should be adopted now to aid readiness for inevitable cyber attacks. Steve Mulhearn, director of enhanced technologies for the UK and Ireland and DACH at Fortinet, has listed them as prevention, the harnessing of Artificial Intelligence (AI) and adaptive technology and better visibility across the network.

Prevention

Prevention is easier when all employees in the business, not just the IT Department, take responsibility for the security of the business. For example, breaches like the Bupa or Waymo hacks have raised the appreciation of the number of breaches that occur because employees are targeted. The Fortinet Global Enterprise Security Survey 2017 found that 67% of businesses say they’re planning IT security and awareness training for employees in 2018.

Harness AI and adaptive technology

Harnessing the power of AI to learn from breaches, as well analyse data and automate reactions to shut down breaches when they occur, are vital actions. Threats evolve and adapt over time as applications, technologies, configurations, controls and behaviours change, making security an arms race wherein a static solution simply will not do.

Better visibility across the network

A vital tool in this struggle is visibility. You cannot secure what you cannot see. This means control across the distributed network, including endpoints, the Internet of Things and the cloud. According to the Fortinet 2017 Survey, only a small cohort of respondents feel confident that they have full visibility and control of employee access.

*The National Cyber Security Centre’s Annual Review can be accessed online at https://www.ncsc.gov.uk/news/annual-review-2018

BT to lead creation of 2017 Cyber Security Challenge UK Masterclass

Cyber security experts from BT, Airbus, the National Crime Agency, the Bank of England, Cisco, McAfee, Checkpoint, De Montfort University’s Cyber Technology Institute and 4PumpCourt have announced that they will stage “the most advanced Cyber Security Challenge UK Masterclass ever” on 12-14 November in London.

Spanning two-and-a-half days, Masterclass is the culmination of a year’s worth of nationwide face-to-face and online competitions designed to unearth and nurture new talent for the cyber security industry and address a critical skills shortage that affects Government, businesses and the public.

Led by BT in partnership with Airbus, the competition will see dozens of the UK’s top cyber enthusiasts face each other in a battle that will test their capabilities to deal with cyber attacks and their understanding of business know-how. The challenges will evaluate contestants’ technical, business and soft skills, in turn mirroring the different ways in which professionals communicate today.

This year’s Masterclass will demonstrate how cyber security can be an accessible career choice that has a number of different facets and pathways. BT recently identified 87 different roles in the cyber security industry, each requiring a different skill set, which will be reflected in this year’s competition.

Highly experienced professionals from Government as well as public and private sector organisations across the country will judge the contestants for a number of aptitudes that will rank their suitability for jobs in the sector. The best performing candidate will be crowned Cyber Security Challenge UK Champion.

Thousands of pounds’ worth of career-enabling prizes will be issued to those who take in the finale including training courses, tech equipment and even a fully paid-for Master’s degree sponsorship at De Montfort University, allowing one lucky contestant the chance to study for an MSc in Cyber Security.

Over the years, more than half of the contestants in the Challenge’s face-to-face and Masterclass competitions have moved into jobs in the industry after demonstrating their skills in front of assessors.

Competitions like this are crucial for identifying top quality recruits that could reduce the skills deficit. Industry association (ISC)² predicts the skills gap will reach 1.8 million unfilled positions by 2022, leaving a lack of professionals able to defend our infrastructure from hackers.

Nigel Harrison, acting CEO at Cyber Security Challenge UK, said: “This year’s consortium of sponsors is working on taking Masterclass to the next level, adding new dimensions and levels of game-play that we’ve yet to see in our competitions to date. We’re always trying to match our challenges to the way in which industry is evolving and ensure that they test for the skills industry requires. We look forward to seeing how the finalists fare in a modern cyber security scenario.”

Rob Partridge, head of BT’s Cyber Academy, added: “Filling the cyber security skills deficit is immensely important for the long-term safety of the UK’s digital economy. We need to make sure that industry and Government are collaborating such that young people are engaged and switched on to the breadth of roles in cyber security and the various career paths available to them. These competitions are vitally important for unearthing hidden talent and helping to develop the next generation of UK cyber talent to the standard being set in many other countries.”

Kevin Jones, head of cyber security architecture and innovation at Airbus, explained: “In order to continue protecting vital UK infrastructure and businesses from both current and future cyber threats, it’s particularly important that we address the skills shortage. Competitions such as Cyber Security Challenge UK help to provide a safe and representative environment for contestants to gain experience and learn from industry experts, which in turn will help them understand the variety of skills needed and the careers available within the cyber security sector.”

“Watering hole-style cyber attacks on the rise” warns High-Tech Bridge

On Sunday 12 February, security firm Symantec released an analysis of a new wave of attacks that has been underway since at least October 2016 and came to light when a bank in Poland discovered previously unknown malware running on a number of its computers.

The bank then shared indicators of compromise with other institutions and a number of those other organisations confirmed that they too had been compromised.

These ‘watering hole’ attacks attempted to infect more than 100 organisations in 31 different countries.

Symantec has blocked attempts to infect customers in Poland, Mexico and Uruguay by the same exploit kit that infected the Polish banks. Since October, 14 attacks against computers in Mexico have been blocked, 11 against computers in Uruguay and two against computers in Poland.

Preliminary investigations suggested that the starting point for the Polish infection could have been located on the web server of Poland’s financial sector regulatory body, namely the Polish Financial Supervision Authority (www.knf.gov.pl).

Commenting on this news, Ilia Kolochenko (CEO of High-Tech Bridge) said: “We should expect that cyber criminals will find more creative and reliable ways to compromise their victims. Trustworthy websites, such as governmental ones, represent great value for cyber criminals, even if they don’t host any sensitive or confidential data.”

Kolochenko continued: “In the past, hackers used one-off or garbage websites to host malware, but as corporate users become more educated and vigilant, attackers need to find more reliable avenues to deliver malware and enter corporate networks. That’s why Gartner, as well as other independent research companies, continuously say that the risk posed to corporate web applications is very high and seriously underestimated. Spear phishing and watering hole attacks against high-profile websites will grow significantly in the near future.”

Cyber Streetwise survey reveals 75% of Britons place online safety at risk

A new survey conducted by Cyber Streetwise has revealed that most people are not taking the necessary steps to protect their identity online, with 75% of those who took part in the study admitting they don’t follow Best Practice to create complex passwords.

The figures have been released during Cyber Security Awareness Month to mark the launch of the latest phase of the UK Government’s Cyber Streetwise campaign. In partnership with the police service and industry experts, Cyber Streetwise aims to raise awareness of wise and unwise behaviour in the online space.

Despite 95% of Britons saying it’s their own responsibility to protect themselves online, two thirds are risking their safety by not using symbols in passwords. Nearly half (47%) exhibit other unsafe password habits such as using pet names or significant dates as their password.

Modern Slavery and Organised Crime Minister Karen Bradley MP explained: “When passwords are compromised, financial and banking details can be stolen and cause problems for the person affected, for businesses and for the economy. There’s an emotional impact caused by the loss of irreplaceable photos, videos and personal e-mails, but even worse these can be seized to extort money.”

Bradley added: “We can and must play a role in reducing our risk of falling victim to cyber crime. Most attacks can be prevented by taking some basic security steps, and I encourage everyone to do so.”

Vulnerability to ID theft, fraud and extortion

This latest research shows that 82% of people manage more online accounts that require a password than they did last year, with the average Briton dealing with 19. Over a third (35%) of those questioned admit that they do not create strong passwords because they struggle to recall them. However, poor passwords leave people vulnerable to identity theft, fraud and extortion.

Cyber crime presents a serious threat to the UK and the Government is taking action to increase public awareness of the risk, dedicating £860 million to this issue over the next five years through the National Cyber Security Programme. In essence, the Government is working hard to transform the UK’s response to cyber security.

The latest survey conducted by Cyber Streetwise has revealed that the majority of people are not taking necessary steps to protect their identity online

Jamie Saunders – director of the National Crime Agency’s (NCA) National Cyber Crime Unit – commented: “The NCA is working closely with law enforcement colleagues all over the world to target and disrupt cyber criminals. We should be clear that the criminals will target weaknesses. On that basis, having weak passwords will leave people vulnerable.”

Saunders continued: “Nobody wants their personal financial details, business information or photographs to be stolen or held to ransom, so simple things like using three or more words, a mixture of numbers, letters and symbols and upper and lower case letters will make it much more difficult for hackers to access personal information.”

Creating strong and memorable passwords

Advice on creating strong and memorable passwords can be found at http://www.cyberstreetwise.com along with other easy tips for staying safe online. Tips for creating and remembering passwords include the following:

Loci method
Imagine a familiar scene and place each item that needs to be remembered in a particular location (ie a red rose on the table, a book on the chair, a poster on the wall). Imagine yourself looking around the room in a specific sequence. Re-imagine the scene and the location of each item when you need to remember

Acronyms
Use a phrase or a sentence and take the first letter from that sentence

Narrative methods
Remember a sequence of key words by creating a story and littering it with memorable details (for example, ‘The little girl wore a bright yellow hat as she walked down the narrow street…’)

Further information on Cyber Security Awareness Month is available at: http://www.staysafeonline.org/ncsam/